FlawedAmmyy

FlawedAmmyy is a remote access tool (RAT) that was first seen in early 2016. The code for FlawedAmmyy was based on leaked source code for a version of Ammyy Admin, a remote access software.[1]

ID: S0381
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1043 | Commonly Used Port | FlawedAmmyy has used port 443 for C2. [1]
Enterprise | T1001 | Data Obfuscation | FlawedAmmyy may obfuscate portions of the initial C2 handshake. [1]
Enterprise | T1120 | Peripheral Device Discovery | FlawedAmmyy will attempt to detect whether a usable smart card is currently inserted into a card reader. [1]
Enterprise | T1069 | Permission Groups Discovery | FlawedAmmyy enumerates the privilege level of the victim during the initial infection. [1]
Enterprise | T1063 | Security Software Discovery | FlawedAmmyy will attempt to detect anti-virus products during the initial infection. [1]
Enterprise | T1071 | Standard Application Layer Protocol | FlawedAmmyy has used HTTP for C2. [1]
Enterprise | T1032 | Standard Cryptographic Protocol | FlawedAmmyy has used SEAL encryption during the initial C2 handshake. [1]
Enterprise | T1082 | System Information Discovery | FlawedAmmyy beacons out the victim operating system and computer name during the initial infection. [1]
Enterprise | T1033 | System Owner/User Discovery | FlawedAmmyy enumerates the current user during the initial infection. [1]
Enterprise | T1047 | Windows Management Instrumentation | FlawedAmmyy leverages WMI to enumerate anti-virus products on the victim. [1]
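The technique rows above describe a recognisable sequence: a burst of host discovery (anti-virus via WMI, smart card reader check, OS name, current user) followed by an outbound HTTP connection on port 443. The script below is an added detection example, not code from the ATT&CK page or from any FlawedAmmyy sample, showing how to correlate that sequence in endpoint telemetry. The event record shape (ts/host/pid/image/kind/detail), the WMI class names and Win32 API names used to stand in for each discovery step, the browser allow-list, the two-technique threshold and the five-minute window are all assumptions for illustration; the page does not state how the malware performs each check, and the sample events are constructed, not real logs.

```python
"""Added example: correlate discovery-then-C2 behaviour per process.

All field names, API/WMI names, thresholds and sample events are illustrative
assumptions, not FlawedAmmyy indicators or a vendor log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

# One predicate per discovery technique attributed to FlawedAmmyy above. The
# concrete WMI classes and API names are assumed stand-ins for illustration.
DISCOVERY_RULES: Dict[str, Callable[[dict], bool]] = {
    "T1063": lambda e: e["kind"] == "wmi_query" and "antivirusproduct" in e["detail"].lower(),
    "T1120": lambda e: e["kind"] == "api_call" and e["detail"].lower().startswith("scard"),
    "T1082": lambda e: e["kind"] == "wmi_query" and "win32_operatingsystem" in e["detail"].lower(),
    "T1033": lambda e: e["kind"] == "api_call" and e["detail"].lower() in ("getusernamew", "getusernamea"),
}

# Images for which outbound 443 is expected (assumed allow-list; tune per site).
EXPECTED_443_IMAGES = {"firefox.exe", "chrome.exe", "msedge.exe", "outlook.exe"}
WINDOW = timedelta(minutes=5)  # how far back discovery events count toward an alert


def classify(event: dict) -> Optional[str]:
    """Return the technique ID a single event matches, or None if it is not discovery."""
    for tid, pred in DISCOVERY_RULES.items():
        if pred(event):
            return tid
    return None


def _is_unexpected_443(event: dict) -> bool:
    """True for an outbound :443 connection from a process not on the allow-list."""
    if event["kind"] != "net_connect" or not event["detail"].endswith(":443"):
        return False
    image_name = event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return image_name not in EXPECTED_443_IMAGES


def correlate(events: List[dict], min_techniques: int = 2, window: timedelta = WINDOW) -> List[dict]:
    """Alert when one (host, pid, image) performs at least `min_techniques` distinct
    discovery techniques and then opens an unexpected 443 connection within `window`."""
    by_proc: Dict[tuple, List[dict]] = defaultdict(list)
    for e in events:
        by_proc[(e["host"], e["pid"], e["image"])].append(e)

    alerts = []
    for (host, pid, image), evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
        seen: List[tuple] = []  # (timestamp, technique) for discovery events so far
        for e in evs:
            ts = datetime.fromisoformat(e["ts"])
            tid = classify(e)
            if tid:
                seen.append((ts, tid))
                continue
            if _is_unexpected_443(e):
                recent = {t for when, t in seen if ts - when <= window}
                if len(recent) >= min_techniques:
                    alerts.append({"host": host, "pid": pid, "image": image,
                                   "c2": e["detail"], "techniques": sorted(recent)})
    return alerts


def _ev(ts, host, pid, image, kind, detail):
    return {"ts": ts, "host": host, "pid": pid, "image": image, "kind": kind, "detail": detail}


# Constructed sample telemetry (paths, hosts and addresses are made up).
SUSPECT = r"C:\Users\bob\AppData\Local\Temp\wsus.exe"
BROWSER = r"C:\Program Files\Mozilla Firefox\firefox.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    _ev("2019-05-01T10:00:01", "WS01", 4120, SUSPECT, "wmi_query", "SELECT * FROM AntiVirusProduct"),
    _ev("2019-05-01T10:00:02", "WS01", 4120, SUSPECT, "api_call", "SCardListReadersW"),
    _ev("2019-05-01T10:00:03", "WS01", 4120, SUSPECT, "wmi_query", "SELECT Caption FROM Win32_OperatingSystem"),
    _ev("2019-05-01T10:00:04", "WS01", 4120, SUSPECT, "api_call", "GetUserNameW"),
    _ev("2019-05-01T10:00:06", "WS01", 4120, SUSPECT, "net_connect", "203.0.113.10:443"),
    # Browser on HTTPS: expected traffic, must not alert.
    _ev("2019-05-01T10:01:00", "WS02", 880, BROWSER, "net_connect", "198.51.100.7:443"),
    # Admin script checking AV status only: one technique, below threshold.
    _ev("2019-05-01T10:02:00", "WS03", 2200, PS, "wmi_query", "SELECT * FROM AntiVirusProduct"),
    _ev("2019-05-01T10:02:30", "WS03", 2200, PS, "net_connect", "10.0.0.5:443"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a['host']} pid={a['pid']} {a['image']} -> {a['c2']} after {', '.join(a['techniques'])}")
```

Only the WS01 process trips the rule: it performs four distinct discovery steps and then connects out on 443 from a user-writable path. The lone AntiVirusProduct query from PowerShell on WS03 stays below the threshold, which is the point of requiring several techniques rather than alerting on the WMI query alone. In a real deployment the predicates would be fed from WMI-Activity, script-block or EDR API telemetry rather than the simplified records used here.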

Groups That Use This Software

ID | Name | References
G0092 | TA505 | [1]

References