# Amadey Lab

Q1) In the memory dump analysis, determining the root of the malicious activity is essential for comprehending the extent of the intrusion. What is the name of the parent process that triggered this malicious behavior?

```bash
python3 vol.py -f memdmp.vmem windows.pslist
```


If a process name is a near-miss of a legitimate one (`lsaas.exe` or `lssass.exe` in place of `lsass.exe`, or similar), it is almost certainly malicious.

```bash
python3 vol.py -f memdmp.vmem windows.pstree
```


It is **not normal** for `lsass.exe` to execute `rundll32.exe`. This behavior is suspicious and could indicate malicious activity, such as process injection, or a technique in which malware runs its code through `rundll32.exe`.

Answer: lssass.exe
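
As an added example (not part of the original lab write-up), the two heuristics used in Q1, a look-alike process name and a parent that should never spawn children, can be automated over `windows.pslist` output. The sample lines below are constructed and trimmed to three columns, and the allow-list of legitimate binaries is an assumption.

```python
from difflib import SequenceMatcher

# Legitimate Windows binaries that malware commonly impersonates (assumption: a small allow-list).
KNOWN = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe", "services.exe", "explorer.exe"}
# lsass.exe never launches helpers such as rundll32.exe; any child of it (or of a look-alike) is suspect.
NO_CHILDREN = {"lsass.exe"}

# Constructed, trimmed pslist-style output (real vol3 output carries more tab-separated columns).
SAMPLE_PSLIST = (
    "PID\tPPID\tImageFileName\n"
    "4\t0\tSystem\n"
    "620\t512\tlsass.exe\n"
    "3636\t612\texplorer.exe\n"
    "2748\t3636\tlssass.exe\n"
    "2968\t2748\trundll32.exe\n"
)

def parse_pslist(text):
    """Return [(pid, ppid, name)] from tab-separated pslist output, skipping the header."""
    rows = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 3 or not cols[0].isdigit():
            continue
        rows.append((int(cols[0]), int(cols[1]), cols[2]))
    return rows

def lookalike(name, threshold=0.85):
    """Return the known binary this name imitates, or None if it is exact or unrelated."""
    low = name.lower()
    if low in KNOWN:
        return None
    best = max(KNOWN, key=lambda k: SequenceMatcher(None, low, k).ratio())
    return best if SequenceMatcher(None, low, best).ratio() >= threshold else None

def triage(text):
    """Flag typo-squatted names and children of processes that should not spawn anything."""
    procs = parse_pslist(text)
    by_pid = {pid: name for pid, _, name in procs}
    findings = []
    for pid, ppid, name in procs:
        twin = lookalike(name)
        if twin:
            findings.append(("lookalike", pid, name, twin))
        parent = by_pid.get(ppid, "")
        if parent.lower() in NO_CHILDREN or lookalike(parent) in NO_CHILDREN:
            findings.append(("unexpected_child", ppid, parent, name))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_PSLIST):
        print(*finding)
```

Pipe real output in with `python3 vol.py -f memdmp.vmem windows.pslist | python3 triage.py` after replacing the constructed sample with `sys.stdin.read()`.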

Q2) Once the rogue process is identified, its exact location on the device can reveal more about its nature and source. Where is this process housed on the workstation?

```bash
python3 vol.py -f memdmp.vmem windows.cmdline | grep "2748"
```


Answer: C:\Users\0XSH3R\~1\AppData\Local\Temp\925e7e99c5\lssass.exe

Q3) Persistent external communications suggest the malware is attempting to reach its C2C server. Can you identify the Command and Control (C2C) server IP that the process interacts with?

```bash
python3 vol.py -f memdmp.vmem windows.netscan | grep "2748"
```


Answer: 41.75.84.12

Q4) Following the malware's link with the C2C server, the malware is likely fetching additional tools or modules. How many distinct files is it trying to bring onto the compromised workstation?

```bash
strings memdmp.vmem | grep 'GET '
```


Answer: 2

Q5) Identifying the storage points of these additional components is critical for containment and cleanup. What is the full path of the file downloaded and used by the malware in its malicious activity?

```bash
python3 vol.py -f memdmp.vmem windows.cmdline | grep "clip64.dll"
# OR
python3 vol.py -f memdmp.vmem windows.filescan | grep "clip64.dll"
```


Answer: C:\Users\0xSh3rl0ck\AppData\Roaming\116711e5a2ab05\clip64.dll

Q6) Once retrieved, the malware aims to activate its additional components. Which child process is initiated by the malware to execute these files?

```bash
python3 vol.py -f memdmp.vmem windows.pstree
```


Answer: rundll32.exe

Q7) Understanding the full range of Amadey's persistence mechanisms can help with effective mitigation. Apart from the locations already spotlighted, where else might the malware be ensuring its consistent presence?

```bash
python3 vol.py -f memdmp.vmem windows.filescan | grep "lssass.exe"
```


Answer: C:\Windows\System32\Tasks\lssass.exe

