Analytics Story: Amadey

Description

This analytic story contains searches that aim to detect activity related to Amadey, a malware family that primarily operates as a banking Trojan. It is designed to steal sensitive information such as login credentials, credit card details, and other financial data from infected systems. The malware typically targets Windows-based computers.

Why it matters

Amadey is one of the active trojans capable of stealing sensitive information from the infected or targeted host machine. It can collect various types of data, including browser profile information, clipboard data, screenshots and system information. Adversaries or threat actors may use this malware to maximize the impact of an infection on the target organization in operations where data collection and exfiltration are the goal. Its primary function is to steal information and to distribute further malware. It aims to extract a variety of information from infected devices and attempts to evade detection by security measures by keeping the volume of exfiltrated data lower than that seen in other malicious instances.

Detections

Name | Technique | Type
Detect Outlook exe writing a zip file | Phishing, Spearphishing Attachment | TTP
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Process Creating LNK file in Suspicious Location | Phishing, Spearphishing Link | TTP
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP
Scheduled Task Deleted Or Created via CMD | Scheduled Task, Scheduled Task/Job | TTP
Suspicious Process Executed From Container File | Malicious File, Masquerade File Type | TTP
Suspicious Process File Path | Create or Modify System Process | TTP
Windows Credentials from Password Stores Chrome Extension Access | Query Registry | Anomaly
Windows Credentials from Password Stores Chrome LocalState Access | Query Registry | Anomaly
Windows Credentials from Password Stores Chrome Login Data Access | Query Registry | Anomaly
Windows Files and Dirs Access Rights Modification Via Icacls | Windows File and Directory Permissions Modification, File and Directory Permissions Modification | TTP
Windows ISO LNK File Creation | Spearphishing Attachment, Phishing, Malicious Link, User Execution | Hunting
Windows Powershell RemoteSigned File | PowerShell, Command and Scripting Interpreter | Anomaly
WinEvent Windows Task Scheduler Event Action Started | Scheduled Task | Hunting

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4663 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log TaskScheduler 200 | Windows | wineventlog | WinEventLog:Microsoft-Windows-TaskScheduler/Operational

Source: GitHub | Version: 1