Introduction

In this lab, you will step into the role of a cybersecurity analyst tasked with investigating a security incident involving the Amadey Trojan Stealer. Following an after-hours alert from the Endpoint Detection and Response (EDR) system, you are provided with a memory dump of the affected Windows workstation. Your objective is to uncover the details of the malicious activity, assess the malware’s behavior, and determine the extent of the compromise.

The Amadey Trojan Stealer is a well-known malware strain that specializes in reconnaissance, data collection, credential harvesting, and establishing persistent connections with remote servers. Its modular design often allows it to download additional payloads, enabling it to expand its capabilities based on attacker objectives. Because of its ability to operate in memory, identifying its traces requires in-depth forensic techniques.

This walkthrough will guide you through the process of analyzing the provided memory dump using Volatility3, a powerful memory forensics framework. You will investigate running processes, trace network activity, locate suspicious files, and uncover mechanisms the malware uses to establish persistence. Along the way, you'll apply various Volatility3 plugins to extract critical information and build a comprehensive understanding of the attack.

By the end of this lab, you will have practiced key skills in endpoint forensics, including memory analysis, identifying malicious processes, investigating network connections, and detecting persistence mechanisms. These skills