Malware: FlawedAmmyy

Description

[FlawedAmmyy](https://attack.mitre.org/software/S0381) is a remote access tool (RAT) that was first seen in early 2016. The code for [FlawedAmmyy](https://attack.mitre.org/software/S0381) was based on leaked source code for a version of Ammyy Admin, a remote access software.(Citation: Proofpoint TA505 Mar 2018)

External References

• mitre-attack
• Proofpoint TA505 Mar 2018

Techniques Used by This Malware

• T1001 — Data Obfuscation
• T1005 — Data from Local System
• T1033 — System Owner/User Discovery
• T1041 — Exfiltration Over C2 Channel
• T1047 — Windows Management Instrumentation
• T1056 — Input Capture
• T1056.001 — Keylogging
• T1059.001 — PowerShell
• T1059.003 — Windows Command Shell
• T1069.001 — Local Groups
• T1070.004 — File Deletion
• T1071.001 — Web Protocols
• T1082 — System Information Discovery
• T1105 — Ingress Tool Transfer
• T1113 — Screen Capture
• T1115 — Clipboard Data
• T1120 — Peripheral Device Discovery
• T1218.007 — Msiexec
• T1218.011 — Rundll32
• T1518.001 — Security Software Discovery
• T1547.001 — Registry Run Keys / Startup Folder
• T1573.001 — Symmetric Cryptography

APT Groups Using This Malware

• TA505
• FIN6