CyberThreatIntel/Russia/APT/Gamaredon/06-08-19/Malware analysis 06-08-19.md

# Malware analysis on Gamaredon APT campaign (06-08-19)
## Table of Contents
* [Malware analysis](#Malware-analysis)
  + [Initial vector](#Initial-vector)
  + [Bat and powershell script](#Bat)
  + [Final PE](#PE)
  + [Cyber kill chain](#Cyber-kill-chain)
* [Cyber Threat Intel](#Cyber-Threat-Intel)
* [IOC](#IOC)
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
* [Links](#Links)
  + [Original Tweet](#Original-Tweet)
  + [Link Anyrun](#Links-Anyrun)
  + [Ref previous analysis](#Documents)
  
## Malware-analysis <a name="Malware-analysis"></a>
### Initial vector <a name="Initial-vector"></a>
###### The SFX archive executes for get system informations and the architecture in using the function GetNativeSystemInfo and Getsysteminfo who are using for know the good parameters for the SFX installer.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/06-08-19/Images/RAR/Info.PNG "Get the native informations on the computer")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/06-08-19/Images/RAR/InfoSys.PNG "Get the system informations on the computer")

###### Once this done, this show a fake window of Word in using riche020.dll method. Define the language of thread in Russian.The execution of the code is do in another thread who run the malicious parts in the background.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/06-08-19/Images/RAR/Window.png "Window details")

###### We can observe a trace of a capacity to extract a lnk file which are used in a similar sample.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/06-08-19/Images/RAR/LNKFILE.png "lnk")

###### This drops the cmd file and PE file as txt file in the temp folder with a random name.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/06-08-19/Images/RAR/CMDextractfile.png "Extract cmd file")

##### Finally, this execute by call shell and runas the cmd file.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/06-08-19/Images/RAR/runas.png "Runas capacity")
 
### Bat and powershell script <a name="Bat"></a>

###### Its create the vbs and ps1 file by redirection of the console output, a schedule task as persistence and execute the files.

###### We can see on the obfuscated strings, that some patterns have been generated and randomized by a DOS obfuscate tool. The vbs file check the version of Word and disable some security features. The powershell file send the reconnaissance informations on the C2.
###### Like observed with muddywater, this repeats until the group edit a URL with  the next payload if the target is interesting. 

### Final PE <a name="PE"></a>
###### This check the connectivity to internet by requesting the DNS of Google and use the shellscript.exe for try to download by the edited URL.
###### This PE file uses the OpenSSL, SMTP, FTP and various algorithms libraries in C, this a compiled version of Wget. 
###### This version of Wget is used on many campaigns of this group since 2017.

### Cyber kill chain <a name="Cyber-kill-chain"></a>

###### The process graph resume the cyber kill chain used by the attacker.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/06-08-19/Images/cyber.png "Cyber kill chain")

## Cyber Threat Intel<a name="Cyber-Threat-Intel"></a>

###### The C2 is host by a provider in Russia.This seems be a sample of the campaign of Gamaredon group in June 2018 by the very similar TTPs.
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
###### List of all the references with MITRE ATT&CK Matrix

|Enterprise tactics|Technics used|Ref URL|
| :---------------: |:-------------| :------------- |
|Execution|T1059 - Starts CMD.EXE for commands execution<br>T1106 - Execution through API<br>T1053 - Scheduled Task<br>T1064 - Scripting|https://attack.mitre.org/techniques/T1059<br>https://attack.mitre.org/techniques/T1106<br>https://attack.mitre.org/techniques/T1053<br>https://attack.mitre.org/techniques/T1064|
|Persistence|T1053 - Scheduled Task|https://attack.mitre.org/techniques/T1053|
|Privilege Escalation|T1053 - Scheduled Task|https://attack.mitre.org/techniques/T1053|
|Defense Evasion|T1112 - Modify Registry<br> T1064 - Scripting|https://attack.mitre.org/techniques/T1112<br>https://attack.mitre.org/techniques/T1064|
|Discovery|T1012 - Query Registry|https://attack.mitre.org/techniques/T1012|

## Indicators Of Compromise (IOC) <a name="IOC"></a>

###### List of all the Indicators Of Compromise (IOC)
| Indicator     | Description|
| ------------- |:-------------:|
|02013f0c6767eb7f0538510ba6ede0103e797fa7b9bc2733d00e3710702fdf1c.scr|02013f0c6767eb7f0538510ba6ede0103e797fa7b9bc2733d00e3710702fdf1c|
|9856.txt|a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599|
|176.57.215.22|IP C2|
|http[:]//shell-create.ddns.net/|URL request|	
|shell-create.ddns.net|Domain C2|

## Links <a name="Links"></a>

* Original tweet: https://twitter.com/Timele9527/status/1157458188792262656 <a name="Original-Tweet"></a>
* Anyrun Link: [02013f0c6767eb7f0538510ba6ede0103e797fa7b9bc2733d00e3710702fdf1c.scr](https://app.any.run/tasks/b5a3d531-d95a-4971-a57b-eb881ca3a790)<a name="Links-Anyrun"></a>
* Ref previous analysis : [gamaredon eastern europe attacks](https://securityaffairs.co/wordpress/86561/apt/gamaredon-eastern-europe-attacks.html) <a name="Documents"></a>
Create Malware analysis 06-08-19.md 2019-08-23 13:30:19 +00:00			`# Malware analysis on Gamaredon APT campaign (06-08-19)`
			`## Table of Contents`
			`* [Malware analysis](#Malware-analysis)`
			`+ [Initial vector](#Initial-vector)`
			`+ [Bat and powershell script](#Bat)`
			`+ [Final PE](#PE)`
			`+ [Cyber kill chain](#Cyber-kill-chain)`
			`* [Cyber Threat Intel](#Cyber-Threat-Intel)`
			`* [IOC](#IOC)`
			`* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)`
			`* [Links](#Links)`
			`+ [Original Tweet](#Original-Tweet)`
			`+ [Link Anyrun](#Links-Anyrun)`
			`+ [Ref previous analysis](#Documents)`
Update Malware analysis 06-08-19.md 2019-08-23 14:58:41 +00:00
Create Malware analysis 06-08-19.md 2019-08-23 13:30:19 +00:00			`## Malware-analysis <a name="Malware-analysis"></a>`
Update Malware analysis 06-08-19.md 2019-08-23 14:58:41 +00:00			`### Initial vector <a name="Initial-vector"></a>`
			`###### The SFX archive executes for get system informations and the architecture in using the function GetNativeSystemInfo and Getsysteminfo who are using for know the good parameters for the SFX installer.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/06-08-19/Images/RAR/Info.PNG "Get the native informations on the computer")`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/06-08-19/Images/RAR/InfoSys.PNG "Get the system informations on the computer")`

			`###### Once this done, this show a fake window of Word in using riche020.dll method. Define the language of thread in Russian.The execution of the code is do in another thread who run the malicious parts in the background.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/06-08-19/Images/RAR/Window.png "Window details")`

			`###### We can observe a trace of a capacity to extract a lnk file which are used in a similar sample.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/06-08-19/Images/RAR/LNKFILE.png "lnk")`

			`###### This drops the cmd file and PE file as txt file in the temp folder with a random name.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/06-08-19/Images/RAR/CMDextractfile.png "Extract cmd file")`

			`##### Finally, this execute by call shell and runas the cmd file.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/06-08-19/Images/RAR/runas.png "Runas capacity")`

			`### Bat and powershell script <a name="Bat"></a>`

			`###### Its create the vbs and ps1 file by redirection of the console output, a schedule task as persistence and execute the files.`

			`###### We can see on the obfuscated strings, that some patterns have been generated and randomized by a DOS obfuscate tool. The vbs file check the version of Word and disable some security features. The powershell file send the reconnaissance informations on the C2.`
			`###### Like observed with muddywater, this repeats until the group edit a URL with the next payload if the target is interesting.`

			`### Final PE <a name="PE"></a>`
			`###### This check the connectivity to internet by requesting the DNS of Google and use the shellscript.exe for try to download by the edited URL.`
			`###### This PE file uses the OpenSSL, SMTP, FTP and various algorithms libraries in C, this a compiled version of Wget.`
			`###### This version of Wget is used on many campaigns of this group since 2017.`
Create Malware analysis 06-08-19.md 2019-08-23 13:30:19 +00:00
			`### Cyber kill chain <a name="Cyber-kill-chain"></a>`
Update Malware analysis 06-08-19.md 2019-08-23 14:58:41 +00:00
Create Malware analysis 06-08-19.md 2019-08-23 13:30:19 +00:00			`###### The process graph resume the cyber kill chain used by the attacker.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/06-08-19/Images/cyber.png "Cyber kill chain")`

Update Malware analysis 06-08-19.md 2019-08-23 14:58:41 +00:00			`## Cyber Threat Intel<a name="Cyber-Threat-Intel"></a>`

			`###### The C2 is host by a provider in Russia.This seems be a sample of the campaign of Gamaredon group in June 2018 by the very similar TTPs.`
Create Malware analysis 06-08-19.md 2019-08-23 13:30:19 +00:00			`## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>`
			`###### List of all the references with MITRE ATT&CK Matrix`

			`\|Enterprise tactics\|Technics used\|Ref URL\|`
			`\| :---------------: \|:-------------\| :------------- \|`
			`\|Execution\|T1059 - Starts CMD.EXE for commands execution<br>T1106 - Execution through API<br>T1053 - Scheduled Task<br>T1064 - Scripting\|https://attack.mitre.org/techniques/T1059<br>https://attack.mitre.org/techniques/T1106<br>https://attack.mitre.org/techniques/T1053<br>https://attack.mitre.org/techniques/T1064\|`
			`\|Persistence\|T1053 - Scheduled Task\|https://attack.mitre.org/techniques/T1053\|`
			`\|Privilege Escalation\|T1053 - Scheduled Task\|https://attack.mitre.org/techniques/T1053\|`
			`\|Defense Evasion\|T1112 - Modify Registry<br> T1064 - Scripting\|https://attack.mitre.org/techniques/T1112<br>https://attack.mitre.org/techniques/T1064\|`
			`\|Discovery\|T1012 - Query Registry\|https://attack.mitre.org/techniques/T1012\|`

			`## Indicators Of Compromise (IOC) <a name="IOC"></a>`

			`###### List of all the Indicators Of Compromise (IOC)`
			`\| Indicator \| Description\|`
			`\| ------------- \|:-------------:\|`
			`\|02013f0c6767eb7f0538510ba6ede0103e797fa7b9bc2733d00e3710702fdf1c.scr\|02013f0c6767eb7f0538510ba6ede0103e797fa7b9bc2733d00e3710702fdf1c\|`
			`\|9856.txt\|a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599\|`
			`\|176.57.215.22\|IP C2\|`
			`\|http[:]//shell-create.ddns.net/\|URL request\|`
			`\|shell-create.ddns.net\|Domain C2\|`

			`## Links <a name="Links"></a>`

			`* Original tweet: https://twitter.com/Timele9527/status/1157458188792262656 <a name="Original-Tweet"></a>`
			`* Anyrun Link: [02013f0c6767eb7f0538510ba6ede0103e797fa7b9bc2733d00e3710702fdf1c.scr](https://app.any.run/tasks/b5a3d531-d95a-4971-a57b-eb881ca3a790)<a name="Links-Anyrun"></a>`
			`* Ref previous analysis : [gamaredon eastern europe attacks](https://securityaffairs.co/wordpress/86561/apt/gamaredon-eastern-europe-attacks.html) <a name="Documents"></a>`