An after-hours alert from the Endpoint Detection and Response (EDR) system flags suspicious activity on a Windows workstation. The flagged malware aligns with the Amadey Trojan Stealer. Your job is to analyze the presented memory dump and create a detailed report for actions taken by the malware.
https://cyberdefenders.org/blueteam-ctf-challenges/amadey/


I started with the pstree plugin. In its output I noticed a process named lssass.exe, which is suspicious for two reasons. First, the name is misspelled, likely a form of masquerading as the legitimate lsass.exe. Second, the legitimate lsass.exe process should not spawn any child processes, yet here it spawned rundll32.exe, a tool commonly abused by attackers to execute malicious code from DLL files.

The path of the executable can be obtained with either the filescan or the cmdline plugin. It is located in the Temp directory, which immediately raises a red flag: temporary folders are commonly abused by malware to drop payloads because they are writable by standard users, so an attacker can stage a payload there without needing administrative privileges.

Using the netscan plugin, filtered either by PID 2478 (lssass.exe) or by the process name itself, we can observe two closed connections, both made to 41.75.84.12 over port 80, the port typically used for HTTP traffic. Using port 80 suggests an attempt to blend the malicious communication with regular web traffic, making it harder for firewalls and intrusion detection systems to spot the activity.
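The three checks above (a look-alike lsass.exe name, lsass with children, an executable launched from Temp, and then the network endpoints of the flagged PIDs) can be scripted over the plugin output so they are repeatable on the next dump. This is an added example, not part of the original write-up: it assumes a simplified whitespace-separated layout for pstree, cmdline and netscan output, and every value except lssass.exe, PID 2478, rundll32.exe and 41.75.84.12:80 is constructed.

```python
import re
LSASS = "lsass.exe"

# Constructed sample in the shape of Volatility 3 pstree/cmdline/netscan output. Only
# lssass.exe, PID 2478, rundll32.exe and 41.75.84.12:80 come from the case; the rest is made up.
PSTREE = """PID PPID ImageFileName
620 4 lsass.exe
2478 1232 lssass.exe
2900 2478 rundll32.exe"""
CMDLINE = {620: r"C:\Windows\System32\lsass.exe",
           2478: r"C:\Users\user\AppData\Local\Temp\lssass.exe",
           2900: r"rundll32.exe C:\Users\user\AppData\Local\Temp\payload.dll"}
NETSCAN = """Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner
TCPv4 10.0.0.5 49731 41.75.84.12 80 CLOSED 2478 lssass.exe
TCPv4 10.0.0.5 49740 41.75.84.12 80 CLOSED 2478 lssass.exe
TCPv4 10.0.0.5 49800 203.0.113.9 443 ESTABLISHED 1500 chrome.exe"""

def edit_distance(a, b):
    """Levenshtein distance, so look-alikes such as lssass.exe or 1sass.exe are caught."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_table(text):
    """Turn whitespace-separated plugin output into one dict per row, keyed by the header."""
    lines = text.strip().splitlines()
    return [dict(zip(lines[0].split(), ln.split())) for ln in lines[1:]]

def triage(pstree=PSTREE, cmdline=CMDLINE, netscan=NETSCAN):
    procs = parse_table(pstree)
    f = {"masquerade": [], "lsass_children": [], "temp_exec": [], "conns": []}
    for p in procs:
        pid, name = int(p["PID"]), p["ImageFileName"].lower()
        near_lsass = edit_distance(name, LSASS) <= 2
        if near_lsass and name != LSASS:          # 1) misspelled lsass.exe
            f["masquerade"].append(pid)
        if near_lsass:                            # 2) lsass (real or fake) must not have children
            f["lsass_children"] += [int(c["PID"]) for c in procs if int(c["PPID"]) == pid]
        if re.search(r"\\temp\\", cmdline.get(pid, ""), re.I):  # 3) run from a Temp folder
            f["temp_exec"].append(pid)
    flagged = set(f["masquerade"]) | set(f["lsass_children"]) | set(f["temp_exec"])
    for c in parse_table(netscan):                # 4) endpoints of flagged PIDs, any state
        if int(c["PID"]) in flagged:
            f["conns"].append((int(c["PID"]), c["ForeignAddr"], int(c["ForeignPort"]), c["State"]))
    return f
```

The genuine lsass.exe (PID 620) passes all checks, while the closed connections are still reported because netscan keeps terminated sockets that a live-host tool would miss.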