Amadey
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1005 | 从本地系统获取数据 | ||
| Enterprise | T1112 | 修改注册表 | ||
| Enterprise | T1568 | .001 | 动态解析: Fast Flux DNS | |
| Enterprise | T1140 | 反混淆/解码文件或信息 | ||
| Enterprise | T1547 | .001 | 启动或登录自动启动执行: Registry Run Keys / Startup Folder |
Amadey has changed the Startup folder to the one containing its executable by overwriting the registry keys.[1][2] |
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols | |
| Enterprise | T1083 | 文件和目录发现 |
Amadey has searched for folders associated with antivirus software.[1] |
|
| Enterprise | T1106 | 本机API |
Amadey has used a variety of Windows API calls, including |
|
| Enterprise | T1027 | 混淆文件或信息 |
Amadey has obfuscated strings such as antivirus vendor names, domains, files, and others.[2] |
|
| Enterprise | T1614 | 系统位置发现 |
Amadey does not run any tasks or install additional malware if the victim machine is based in Russia.[2] |
|
| Enterprise | T1082 | 系统信息发现 |
Amadey has collected the computer name and OS version from a compromised machine.[1][2] |
|
| Enterprise | T1033 | 系统所有者/用户发现 |
Amadey has collected the user name from a compromised host using |
|
| Enterprise | T1016 | 系统网络配置发现 | ||
| Enterprise | T1518 | .001 | 软件发现: Security Software Discovery |
Amadey has checked for a variety of antivirus products.[1][2] |
| Enterprise | T1105 | 输入工具传输 |
Amadey can download and execute files to further infect a host machine with additional malware.[2] |
|
| Enterprise | T1041 | 通过C2信道渗出 | ||
| Enterprise | T1553 | .005 | 颠覆信任控制: Mark-of-the-Web Bypass |
Amadey has modified the |