FlawedAmmyy

FlawedAmmyy is a remote access tool (RAT) that was first seen in early 2016. The code for FlawedAmmyy was based on leaked source code for a version of Ammyy Admin, a remote access software.[1]

ID: S0381
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain      ID     Name                                 Use
Enterprise  T1043  Commonly Used Port                   FlawedAmmyy has used port 443 for C2.[1]
Enterprise  T1001  Data Obfuscation                     FlawedAmmyy may obfuscate portions of the initial C2 handshake.[1]
Enterprise  T1120  Peripheral Device Discovery          FlawedAmmyy will attempt to detect if a usable smart card is currently inserted into a card reader.[1]
Enterprise  T1069  Permission Groups Discovery          FlawedAmmyy enumerates the privilege level of the victim during the initial infection.[1]
Enterprise  T1063  Security Software Discovery          FlawedAmmyy will attempt to detect anti-virus products during the initial infection.[1]
Enterprise  T1071  Standard Application Layer Protocol  FlawedAmmyy has used HTTP for C2.[1]
Enterprise  T1032  Standard Cryptographic Protocol      FlawedAmmyy has used SEAL encryption during the initial C2 handshake.[1]
Enterprise  T1082  System Information Discovery         FlawedAmmyy beacons out the victim operating system and computer name during the initial infection.[1]
Enterprise  T1033  System Owner/User Discovery          FlawedAmmyy enumerates the current user during the initial infection.[1]
Enterprise  T1047  Windows Management Instrumentation   FlawedAmmyy leverages WMI to enumerate anti-virus on the victim.[1]

Groups That Use This Software

ID     Name   References
G0092  TA505  [1]

References