
S0381 FlawedAmmyy

FlawedAmmyy is a remote access tool (RAT) that was first seen in early 2016. The code for FlawedAmmyy was based on leaked source code for a version of Ammyy Admin, a remote access software product.[1]

ID: S0381
Associated Names: none listed
Type: MALWARE
Version: 1.1
Created: 28 May 2019
Last Modified: 20 March 2020

Techniques Used

Domain: enterprise (all techniques below)

T1071.001 Application Layer Protocol: Web Protocols. FlawedAmmyy has used HTTP for C2.[1]
T1001 Data Obfuscation. FlawedAmmyy may obfuscate portions of the initial C2 handshake.[1]
T1573.001 Encrypted Channel: Symmetric Cryptography. FlawedAmmyy has used SEAL encryption during the initial C2 handshake.[1]
T1120 Peripheral Device Discovery. FlawedAmmyy will attempt to detect whether a usable smart card is currently inserted into a card reader.[1]
T1069.001 Permission Groups Discovery: Local Groups. FlawedAmmyy enumerates the privilege level of the victim during the initial infection.[1]
T1518.001 Software Discovery: Security Software Discovery. FlawedAmmyy will attempt to detect anti-virus products during the initial infection.[1]
T1082 System Information Discovery. FlawedAmmyy beacons out the victim operating system and computer name during the initial infection.[1]
T1033 System Owner/User Discovery. FlawedAmmyy enumerates the current user during the initial infection.[1]
T1047 Windows Management Instrumentation. FlawedAmmyy leverages WMI to enumerate anti-virus products on the victim.[1]

Groups That Use This Software

G0092 TA505 [1][2][3]
G0037 FIN6 [4]

References
