Scenario

An after-hours alert from the Endpoint Detection and Response (EDR) system flags suspicious activity on a Windows workstation. The flagged malware aligns with the Amadey Trojan Stealer. Your job is to analyze the presented memory dump and create a detailed report for actions taken by the malware.

Questions

1. In the memory dump analysis, determining the root of the malicious activity is essential for comprehending the extent of the intrusion. What is the name of the parent process that triggered this malicious behavior?

R= lssass.exe

Taking a look, using the command python3 vol.py -f "../../Artifacts/Windows 7 x64-Snapshot4.vmem" windows.pstree, we observe that there are two processes that look off to me, PID 1604 and 2748. 1604 is a VMWare Tools core component which handlex background tasks, to my knowledge, it should be straight up executing a cmd.exe which calls for ipconfig.exe. The other process that looks very off is lssass.exe (PID 2748), as you can tell by simply looking at the name, it is trying to make the user believe that it is the core process lsass.exe (which we can see it seven processes above [PID 508]).

image

Now, using the plugin windows.cmdline to look at the commandline that was executed for each of the processes, we can see that lssass.exe is located in the publicly writable %TEMP% folder, which is a well-known location that threat actors leverage to put their malicious payloads in. Also, if we look one line under, its child rundll.exe (PID 3064) is executing a dll called clip64.dll. Googling up this dll, it is referenced in the Data Collection And Exfiltration (.DLL Plugins) section in a blog of the Splunk Threat Research Team. According to them, clip64.dll is one of two dlls that “…play a crucial role in collecting sensitive information…

image

With the previous evidence, we have more than enough to state that lssass.exe is the disguised Amadey Trojan Stealer.

2. Once the rogue process is identified, its exact location on the device can reveal more about its nature and source. Where is this process housed on the workstation?

R= C:\Users\0XSH3R~1\AppData\Local\Temp\925e7e99c5\lssass.exe

As we saw in the evidence provided in last’s question answer, the file is located in C:\Users\0XSH3R~1\AppData\Local\Temp\925e7e99c5\

3. Persistent external communications suggest the malware’s attempts to reach out C2C server. Can you identify the Command and Control (C2C) server IP that the process interacts with?

R= 41.75.84.1

Leveraging the plugin windows.netscan, it’s notorious that the information in the first entry is malformed, lacking values in source ip/source port and the destination port is 0. On the other side, there were two connection attempts to 41.75.84.12 - both which have logical information.

image

R= 2

By looking for GET requests, we can see that it has two GET requests for /rock/Plugins/cred64.dll and /rock/Plugins/clip64.dll.

image

5. Identifying the storage points of these additional components is critical for containment and cleanup. What is the full path of the file downloaded and used by the malware in its malicious activity?

R= C:\Users\0xSh3rl0ck\AppData\Roaming\116711e5a2ab05\clip64.dll

Leveraging the windows.cmdline plugin, the file path is C:\Users\0xSh3rl0ck\AppData\Roaming\116711e5a2ab05\clip64.dll

image

6. Once retrieved, the malware aims to activate its additional components. Which child process is initiated by the malware to execute these files?

R= rundll32.exe

From the screenshot in Q5, we can observe rundll32.exe was the process that executed clip64.dll

7. Understanding the full range of Amadey’s persistence mechanisms can help in an effective mitigation. Apart from the locations already spotlighted, where else might the malware be ensuring its consistent presence?

R= C:\Windows\System32\Tasks\lssass.exe

Scanning the filesystem for files that have been recently accessed, we can see that there’s another location where lssass.exe was written in. image