Ammyy Admin
Ammyy Admin is a remote monitoring and management (RMM) tool for Windows. It is legitimate software used by IT professionals for remote management, but it has also been abused by scammers to gain unauthorized remote access to victims' computers. The tool is free for personal use; a license is required for commercial use. It provides remote desktop control, file transfer, voice chat, and more.
Details
- Author
- @kostastsale
- Category
- --
- Created
- 2024/05/08
- Last Modified
- None
- Website
- https://www.ammyy.com
- Privileges
- Current User
- Pricing
- Unknown
- Verification
Installation Paths
C:\ProgramData\AMMYY\*
AMMYY_Admin.exe
aa_v*.exe
C:\Users\*\Downloads\AMMYY_Admin.exe
*\AMMYY_Admin.exe
Supported OS
Windows
Capabilities
Remote Management session
RDP Connection
File Transfer
Voice Chat
Known Vulnerabilities
Forensic Artifacts
Disk Artifacts
- File Name
%programdata%\AMMYY\access.log
- Description
- Ammyy Admin access log file. Each entry records the time of connection, the remote ID of the peer, the router (relay) IP address and port used, whether authorization PASSED or FAILED, and, when a session ends, the bytes received/sent.
- Example
20240805-22:20:45.962000 00000D98 - [0] PASSED authorization remoteId=XXXXXXXX; TCP by router 136.243.104.235:443
20240805-22:22:34.139000 00000710 - [1] FAILED authorization remoteId=XXXXXXXX; TCP by router 136.243.104.235:443
20240805-22:23:10.648000 00000D98 - [0] ENDED authorized session, bytes recv/send = 1164 / 115378
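The access.log lines above follow a regular shape, which makes them easy to parse during triage. The following Python is an added example (not part of this page or of Ammyy's software) that parses lines in that format, pairs each PASSED authorization with the ENDED line carrying the same session index, and counts failed attempts. The sample log text embedded in the block is constructed from the format shown above; the field names are this example's own naming, not Ammyy's.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample lines in the access.log format documented on this page
# (remote IDs masked as XXXXXXXX, exactly as in the page's example).
SAMPLE_ACCESS_LOG = """\
20240805-22:20:45.962000 00000D98 - [0] PASSED authorization remoteId=XXXXXXXX; TCP by router 136.243.104.235:443
20240805-22:22:34.139000 00000710 - [1] FAILED authorization remoteId=XXXXXXXX; TCP by router 136.243.104.235:443
20240805-22:23:10.648000 00000D98 - [0] ENDED authorized session, bytes recv/send = 1164 / 115378
"""

# Common prefix: timestamp, hex thread id, " - ", [session index], remainder
LINE_RE = re.compile(
    r"^(?P<ts>\d{8}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<thread>[0-9A-Fa-f]{8})\s+-\s+"
    r"\[(?P<session>\d+)\]\s+(?P<rest>.*)$"
)
AUTH_RE = re.compile(
    r"^(?P<result>PASSED|FAILED) authorization remoteId=(?P<remote_id>[^;]+);\s+"
    r"(?P<proto>\S+) by router (?P<router_ip>[\d.]+):(?P<router_port>\d+)$"
)
ENDED_RE = re.compile(
    r"^ENDED authorized session, bytes recv/send = (?P<recv>\d+) / (?P<sent>\d+)$"
)


@dataclass
class AccessEvent:
    timestamp: datetime
    thread_id: str
    session: int
    event: str                     # "PASSED", "FAILED" or "ENDED"
    remote_id: Optional[str] = None
    router: Optional[str] = None   # relay "ip:port" the connection came through
    bytes_recv: Optional[int] = None
    bytes_sent: Optional[int] = None


def parse_line(line: str) -> Optional[AccessEvent]:
    """Parse one access.log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y%m%d-%H:%M:%S.%f")
    ev = AccessEvent(ts, m["thread"], int(m["session"]), "")
    a = AUTH_RE.match(m["rest"])
    if a:
        ev.event = a["result"]
        ev.remote_id = a["remote_id"]
        ev.router = f"{a['router_ip']}:{a['router_port']}"
        return ev
    e = ENDED_RE.match(m["rest"])
    if e:
        ev.event = "ENDED"
        ev.bytes_recv = int(e["recv"])
        ev.bytes_sent = int(e["sent"])
        return ev
    return None


def parse_access_log(text: str) -> list[AccessEvent]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def summarize_sessions(events: list[AccessEvent]) -> dict:
    """Correlate PASSED/ENDED pairs by session index and count FAILED attempts."""
    sessions: dict[int, dict] = {}
    failed = 0
    for ev in events:
        if ev.event == "FAILED":
            failed += 1
            continue
        s = sessions.setdefault(ev.session, {})
        if ev.event == "PASSED":
            s.update(start=ev.timestamp, remote_id=ev.remote_id, router=ev.router)
        elif ev.event == "ENDED":
            s.update(end=ev.timestamp, bytes_recv=ev.bytes_recv, bytes_sent=ev.bytes_sent)
            if "start" in s:
                s["duration_s"] = (ev.timestamp - s["start"]).total_seconds()
    return {"sessions": sessions, "failed_authorizations": failed}


if __name__ == "__main__":
    summary = summarize_sessions(parse_access_log(SAMPLE_ACCESS_LOG))
    print(f"failed authorizations: {summary['failed_authorizations']}")
    for idx, s in summary["sessions"].items():
        print(f"session {idx}: router={s.get('router')} "
              f"duration={s.get('duration_s')}s sent={s.get('bytes_sent')}")
```

Point the parser at a copy of `%programdata%\AMMYY\access.log` from the host under investigation; the router address in each record can then be compared against the relay IPs listed under Network Artifacts, and session durations and byte counts give a quick picture of how long a remote party was connected and how much data moved.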
- File Name
%Binary_path%\AA_v3.log
- Description
- Ammyy Admin log file. Contains application related logs.
- Example
20240805-22:19:52.455000 00001318 - ERROR: ERROR: 2 RLEvent::TryToOpen(Global\AANS_FvwjZ_CHI)
20240805-22:23:10.648000 00000D98 - ERROR: ERROR SetThreadDesktop(200) 170
Event Log Artifacts
Event ID | Provider Name | Log File | Service Name | Image Path | Description |
---|---|---|---|---|---|
4688 | Microsoft-Security-Auditing | Security.evtx | | | Execution of Ammyy Admin |
7045 | Service Control Manager | System.evtx | Ammyy Admin | | Ammyy Admin service installation event |
Registry Artifacts
Path | Description |
---|---|
HKU\.DEFAULT\Software\Ammyy\Admin | Writing the hr3 binary in the registry. The hr3 is likely used to store admin-related information. |
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\AmmyyAdmin | Registers the Ammyy Admin service under the SafeBoot\Network key, which allows it to run in Safe Mode with Networking. |
Network Artifacts
Description | Domains | Ports |
---|---|---|
Known remote domains | ammyy.com, *.ammyy.com, 136.243.104.235, 136.243.104.242, 136.243.18.122 | 5931, 80, 443, 8080 |
Detections
- Detects the execution of the Ammyy Admin RMM agent for remote management.
- Sigma Rule
- Detecting Ammyy Admin RMM Agent Execution
References
- https://www.ammyy.com/en/admin_security.html
- https://www.ammyy.com/en/admin_mu.html
Acknowledgements
- Kostas (@kostastsale)