{
  "description": "Enterprise techniques used by Amadey, ATT&CK software S1025 (v1.1)",
  "name": "Amadey (S1025)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[Amadey](https://attack.mitre.org/software/S1025) has used HTTP for C2 communications.(Citation: BlackBerry Amadey 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[Amadey](https://attack.mitre.org/software/S1025) has changed the Startup folder to the one containing its executable by overwriting the registry keys.(Citation: Korean FSI TA505 2020)(Citation: BlackBerry Amadey 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1005", "comment": "[Amadey](https://attack.mitre.org/software/S1025) can collect information from a compromised host.(Citation: BlackBerry Amadey 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1140", "comment": "[Amadey](https://attack.mitre.org/software/S1025) has decoded antivirus name strings.(Citation: Korean FSI TA505 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1568", "showSubtechniques": true},
    {"techniqueID": "T1568.001", "comment": "[Amadey](https://attack.mitre.org/software/S1025) has used fast flux DNS for its C2.(Citation: Korean FSI TA505 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[Amadey](https://attack.mitre.org/software/S1025) has sent victim data to its C2 servers.(Citation: BlackBerry Amadey 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[Amadey](https://attack.mitre.org/software/S1025) has searched for folders associated with antivirus software.(Citation: Korean FSI TA505 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1105", "comment": "[Amadey](https://attack.mitre.org/software/S1025) can download and execute files to further infect a host machine with additional malware.(Citation: BlackBerry Amadey 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1112", "comment": "[Amadey](https://attack.mitre.org/software/S1025) has overwritten registry keys for persistence.(Citation: BlackBerry Amadey 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1106", "comment": "[Amadey](https://attack.mitre.org/software/S1025) has used a variety of Windows API calls, including `GetComputerNameA`, `GetUserNameA`, and `CreateProcessA`.(Citation: BlackBerry Amadey 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "comment": "[Amadey](https://attack.mitre.org/software/S1025) has obfuscated strings such as antivirus vendor names, domains, files, and others.(Citation: BlackBerry Amadey 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1518", "showSubtechniques": true},
    {"techniqueID": "T1518.001", "comment": "[Amadey](https://attack.mitre.org/software/S1025) has checked for a variety of antivirus products.(Citation: Korean FSI TA505 2020)(Citation: BlackBerry Amadey 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1553", "showSubtechniques": true},
    {"techniqueID": "T1553.005", "comment": "[Amadey](https://attack.mitre.org/software/S1025) has modified the `:Zone.Identifier` in the ADS area to zero.(Citation: Korean FSI TA505 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[Amadey](https://attack.mitre.org/software/S1025) has collected the computer name and OS version from a compromised machine.(Citation: Korean FSI TA505 2020)(Citation: BlackBerry Amadey 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1614", "comment": "[Amadey](https://attack.mitre.org/software/S1025) does not run any tasks or install additional malware if the victim machine is based in Russia.(Citation: BlackBerry Amadey 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[Amadey](https://attack.mitre.org/software/S1025) can identify the IP address of a victim machine.(Citation: BlackBerry Amadey 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[Amadey](https://attack.mitre.org/software/S1025) has collected the user name from a compromised host using `GetUserNameA`.(Citation: BlackBerry Amadey 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Amadey", "color": "#66b1ff"}]
}