CyberThreatIntel/Israel/APT/Unknown/26-08-19/Malware analysis 26-08-19.md

# Malware analysis about unknown Israel APT campaign
## Table of Contents
* [Malware analysis](#Malware-analysis)
  + [Initial vector](#Initial-vector)
  + [Loader](#loader)
  + [JS Backdoor](#Backdoor)
* [Cyber Threat Intel](#Cyber-Threat-Intel)
* [Indicators Of Compromise (IOC)](#IOC)
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
* [Links](#Links)
  + [Original Tweet](#Original-Tweet)
  + [Link Anyrun](#Links-Anyrun)
  + [Documents](#Documents)

## Malware analysis <a name="Malware-analysis"></a>
### Initial vector <a name="Initial-vector"></a>
###### The initial vector use an SFX executable, who drop a lnk file for the persistence, a vbs file and the docx file for decoys the victim. 
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/strings.png "")
###### We can also note the multiples possiblities for push the persisitence and options.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/lnkfile.png "")
###### This execute the vbs file for push the persistence in the startup menu, hide it in changing these atributes and launch the persistence (lnk file)
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/VBScode.png "")
###### This download the VB script and execute it by mshta call.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/lnk.PNG "")
###### On the VB code, we can observed that use BITS fonctionality for download by a job the JS script to execute on the victim. Secondly, this check the architecture of the system and execute the correct path of wscript and push the windows out the screen. 
### Loader <a name="loader"></a>
###### We can see that use function for decode the commands  with a array of bytes.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/encodeJS.png "")
###### For decode the string , we use the next function used by the backdoor for decode the commands.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/decodeJS.png "")
###### You can now change the encoded commands.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/decStr.png "")
###### Once the encoded strings removed, we have the following code :
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/lay1dec.png "")
As anti-forensic method, a method which can know if determiner if a debugger is present.
 ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/zoomdebug.PNG "")	
###### Finally, we can observe a Wscript execution with a function splter which split for get a array of byte, convert to ASCII and after execute the script with execute call.
###### By the following PowerShell script, we can get the second layer that is the JS Backdoor.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/declayer.png "")	
### JS Backdoor <a name="Backdoor"></a>
###### Firstly, the script get the system informations about the system of the victim and send to one the list of C2 in the logical sense (not random call on the list of C2) with the suffix "/is-ready". The backdoor use a while loop for rest in communication with C2 by send pulse with the system information of the victim.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/FirstAnal.png "")	
###### This send the data with the following structure to the C2 (Here from the Anyrun sandbox) :
`C4BA3647<|>USER-PC<|>admin<|>Microsoft Windows 7 Professional <|>plus<|>nan-av<|>` 
###### We can note that the USB spread option isn't used on this sample. The structure of the reply to the C2 is the next :
`[volumeserialnumber]<|>[computername]<|>[username]<|>plus<|>[AV product (yes -> name or no ->nan-av)]<|>[usbspreading option (= "")]<|>`
###### In a second time, when a response of the C2 was given and use a swith structure for execute the command.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/secAnal.png "")
###### Now, we analyse all functions used by this switch. As first function, we can see a function used by others functions of the script and used for send the data to the C2.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/postfunc.PNG "")
###### We can observe after a group of functions who use the wql queries by the WMI for get the system informations, this is used by the attacker as profiling the victim.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/infofunc.PNG "")
###### After, a function is used by the attacker for download an executable file.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/downfunc.PNG "")
###### In the same idea for the attacker, a fonction which give the possiblity to read the bytes of files in a buffer and send it to the C2 is present.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/upfunc.PNG "")
###### The next function give to the attacker to have the list drives on the computer.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/listdrivesfunc.PNG "")
###### Another function can emumerate the paths of folders, files and  to give in more the attributes of them.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/dirfunc.PNG "")
###### And third function is used for get the list of the process running in the computer.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/processfunc.PNG "")
###### The last function exit the process with a kill signal by taskkill call.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/exitfunc.PNG "")

###### We can resume the list of commands of the backdoor :
|Command|Description|
| :---------------: |:-------------|
|execute| execute a command DOS/Powershell|
|send|Download a file to execute|
|site-send|Function don't exist but have the same arg that send command, seems be edited function of site-send and not deleted ?|
|recv|Read a file, put in a buffer and send to the C2|
|enum-driver|Send the list of drives to the C2|
|enum-faf|Get list of the folders, files and attributes and send it to the C2|
|enum-process|Get list of the process (name, id, path of the executable) and send it on the C2|
|delete|Function don't exist but by the params seems give to the attacker to delete folders or files|
|exit-process|Kill the backdoor process but can't remove the persistence, an "execute" command must be performed before for delete it in the registry|

###### All the IP are hosted on differents cloud provider.
|IP|Route|ASN|Organization|Country|City|Region|Coordinates|
|:---------------:|:-------------:|:-------------:|:-------------:|:-------------:|:-------------:|:-------------:|:-------------:|
|66.154.103.156|66.154.102.0/23|AS8100|QuadraNet Enterprises LLC|United States|Secaucus|New Jersey| 40.7895,-74.0565|
|37.48.111.5|37.48.64.0/18|AS60781|LeaseWeb Netherlands B.V.|Netherlands|Noord-Holland|Amsterdam|52.3824,4.8995|
|85.17.26.65|85.17.0.0/16|AS60781|LeaseWeb Netherlands B.V.|Netherlands|Noord-Holland|Amsterdam|52.3824,4.8995|

## Cyber kill chain <a name="Cyber-kill-chain"></a>
###### The process graph resume the cyber kill chain used by the attacker.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/cyber.PNG "")

## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>
### Origin of the method for the JS Backdoor
###### Firstly, the method for load the JS Backdoor is edited from a post published in 2015 on a forum for show a method for the both architecture for the developpment of a worm.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/Post.PNG "")
###### We can see that the name of the instance is changed and the html tags are removed.If we add the notes from the malware analysis, we can conclude that the malware has been edited in emergency.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/matchcode.PNG "")
### A army in perdition, an difficult situation
###### Since the last decade, the inexperience of the army on military issues, rigid doctrine, misunderstanding of the adversary, over-reliance on air and all-technological operations, loss of skills in the IDF, hesitations of unit commanders, the belief - erroneous - that the Israeli population would not accept the possible losses, a reorganized but deficient logistics, the non-mastery of communication. If we add the syria situation and result of the confrontation in 2006 who have add new emmenies against Israel, this create a difficult situation for these leaders. 
###### Actually in election period, each valuable action or opportunities can be used for this or for expend doctrine like the creation of housing in the colonies.
### A war of misinformation
###### Like all recents conflits, the networks of communications are used for send wrong news and propaganda or create it due to the people can't understand the situation. For exemple, recently we can heard that a false evacuation of wounded have been do for decoy the Hezbollah for push to stop shooting but this isn't know guerilla and the result of the latest conficts whre this isn't the rockets which dettroyed the military equipement but the Israel's forces who have sabotage their own equipment by the fear of the new rescuits and their inexperiences. In same reflexion, the fear of rockets launch on a city can't be realitic by the fact that the priority is the border army garrisons, infrastructure are better choice due to this the means used Hezbollah against the priority , this argument is apply in Israel for prepare the people to possibilities to claim the war.

###### In this way, some pictures have be send in the both side for used this factor as propaganda vector.By example, a picture taken with a drone of the feneter of netanyahou have been released in the social medias for show the capacities of reprisals. If we see the picture with the naked eye, we can see that the shadow of drone isn't report in the wall inside the room, the facade is an decor, fake coordonnates and blur is applied to all photo. 
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/c654ede55e275431042d32334f8cfd3a5526cb72.196671-600.png "")
###### With the ELA algorithm, we can see the last modifications on the pictures. In using this it, we can see all the precedants elements  are added at the original picture (probably a meeting with members of government).
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/c654ede55e275431042d32334f8cfd3a5526cb72.196671-ela.png "")

###### In same time, other pictures are released about decoy targets, with the ELA algoritm, we can see that the multiple compressions by the algorithms, the picture is very dark and the pictures are only modify for write the indicators of interest.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/EDOYGiAXsAEA4Kq.jpg%20large.jpg "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/aa18205de56e2cbe15471c3cc1530e587ab975a0.35923-ela-600.png "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/EDOYGWjWsAAsfM1.jpg%20large.jpg "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/3fb1c19ecfe9c11d779b8dae397cd781b64c56ef.21349-ela.png "")
###### Recently, in the same way for develop the feeling of fear, Israel gouverment have claimed that Iran build precision missiles , this rest to prove it but the scheme of reflexion is the same, a war of fear and misinformation.
### The drone attack, a result of the information campaign ?

## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
###### List of all the references with MITRE ATT&CK Matrix

|Enterprise tactics|Technics used|Ref URL|
| :---------------: |:-------------| :------------- |
|Execution|T1170 - Mshta<br>T1064 - Scripting|https://attack.mitre.org/techniques/T1170<br>https://attack.mitre.org/techniques/T1064|
|Persistence|T1197 - BITS Jobs<br>T1060 - Registry Run Keys / Startup Folder|https://attack.mitre.org/techniques/T1197<br>https://attack.mitre.org/techniques/T1060|
|Defense Evasion|T1197 - BITS Jobs<br>T1170 - Mshta<br>T1064 - Scripting|https://attack.mitre.org/techniques/T1197<br>https://attack.mitre.org/techniques/T1170<br>https://attack.mitre.org/techniques/T1064|
|Discovery|T1012 - Query Registry|https://attack.mitre.org/techniques/T1012|
|Lateral Movement|T1105 - Remote File Copy|https://attack.mitre.org/techniques/T1105|
|C2|T1105 - Remote File Copy|https://attack.mitre.org/techniques/T1105|

## Indicators Of Compromise (IOC) <a name="IOC"></a>

###### List of all the Indicators Of Compromise (IOC)

| Indicator     | Description|
| ------------- |:-------------:|
|فضيحة جديدة لأحد قيادات حماس.exe|03d82852bbb28d1740e50206e7726c006b9b984a8309e2f203e65a67d7d3bcad|
|History.lnk|3853e0bf00d6dbfc574bc0564f0c90b93a66d644dd4dc8b8c00564f0b6edf581|
|ss.vbs|2e5f9bb1cef985eab15ad8d9072e51c71be2810fea789836b401b96bc898943b|
|news.docx|08fa35e25f4c7a6279a84b337d541989498d74f2c5e84cc4039d667fedc725c7|
|xyx.jse|32e216942f995f285947c7e7ee8cf438440c8a1e033bb27517f5e5361dafa8e8|
|adamnews.for.ug|Domain requested|
|israanews.zz.com.ve|Domain requested|
|mmksba.dyndns.org|Domain C2|
|webhoptest.webhop.info|Domain C2|
|mmksba.simple-url.com|Domain C2|
|85.17.26.65|IP requested|
|66.154.103.156|IP C2|
|37.48.111.5|IP C2|
|http[:]//israanews.zz.com.ve/hw.zip.zip|HTTP/HTTPS requests|
|http[:]//adamnews.for.ug/hwdownhww|HTTP/HTTPS requests|
|http[:]//webhoptest.webhop.info:4433/is-ready|HTTP/HTTPS requests|
|http[:]//mmksba.simple-url.com:4422/is-ready|HTTP/HTTPS requests|
|http[:]//mmksba.dyndns.org:4455/is-ready|HTTP/HTTPS requests|
|http[:]//webhoptest.webhop.info:4433/is-sending|HTTP/HTTPS requests|
|http[:]//mmksba.simple-url.com:4422/is-sending|HTTP/HTTPS requests|
|http[:]//mmksba.dyndns.org:4455/is-sending|HTTP/HTTPS requests|
|http[:]//webhoptest.webhop.info:4433/is-recving|HTTP/HTTPS requests|
|http[:]//mmksba.simple-url.com:4422/is-recving|HTTP/HTTPS requests|
|http[:]//mmksba.dyndns.org:4455/is-recving|HTTP/HTTPS requests|
|http[:]//webhoptest.webhop.info:4433/is-enum-driver|HTTP/HTTPS requests|
|http[:]//mmksba.simple-url.com:4422/is-enum-driver|HTTP/HTTPS requests|
|http[:]//mmksba.dyndns.org:4455/is-enum-driver|HTTP/HTTPS requests|
|http[:]//webhoptest.webhop.info:4433/is-enum-faf|HTTP/HTTPS requests|
|http[:]//mmksba.simple-url.com:4422/is-enum-faf|HTTP/HTTPS requests|
|http[:]//mmksba.dyndns.org:4455/is-enum-faf|HTTP/HTTPS requests|
|http[:]//webhoptest.webhop.info:4433/is-enum-process|HTTP/HTTPS requests|
|http[:]//mmksba.simple-url.com:4422/is-enum-process|HTTP/HTTPS requests|
|http[:]//mmksba.dyndns.org:4455/is-enum-process|HTTP/HTTPS requests|

###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/IOC_Israel_04-09-19.json)	

## Links <a name="Links"></a>
###### Original tweet: [https://twitter.com/Timele9527/status/1166188375109296128](https://twitter.com/Timele9527/status/1166188375109296128) <a name="Original-Tweet"></a>
###### Links Anyrun: <a name="Links-Anyrun"></a>
* [فضيحة جديدة لأحد قيادات حماس.zip (A new scandal of one of the leaders of Hamas.zip)](https://app.any.run/tasks/59ed8062-cf77-4d73-81bd-19cb26b7c7c6/)
* [xyx.jse](https://app.any.run/tasks/baa4f59c-969b-4617-b926-2d41da5e18b0/)
###### Documents: <a name="Documents"></a>
* [Evaluating ELA](http://fotoforensics.com/tutorial-ela.php)
Create Malware analysis 26-08-19.md 2019-09-03 09:27:10 +00:00			`# Malware analysis about unknown Israel APT campaign`
			`## Table of Contents`
			`* [Malware analysis](#Malware-analysis)`
			`+ [Initial vector](#Initial-vector)`
Update Malware analysis 26-08-19.md 2019-09-04 00:55:56 +00:00			`+ [Loader](#loader)`
Update Malware analysis 26-08-19.md 2019-09-03 20:36:27 +00:00			`+ [JS Backdoor](#Backdoor)`
Create Malware analysis 26-08-19.md 2019-09-03 09:27:10 +00:00			`* [Cyber Threat Intel](#Cyber-Threat-Intel)`
			`* [Indicators Of Compromise (IOC)](#IOC)`
			`* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)`
			`* [Links](#Links)`
			`+ [Original Tweet](#Original-Tweet)`
			`+ [Link Anyrun](#Links-Anyrun)`
			`+ [Documents](#Documents)`

			`## Malware analysis <a name="Malware-analysis"></a>`
			`### Initial vector <a name="Initial-vector"></a>`
Update Malware analysis 26-08-19.md 2019-09-03 20:36:27 +00:00			`###### The initial vector use an SFX executable, who drop a lnk file for the persistence, a vbs file and the docx file for decoys the victim.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/strings.png "")`
			`###### We can also note the multiples possiblities for push the persisitence and options.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/lnkfile.png "")`
			`###### This execute the vbs file for push the persistence in the startup menu, hide it in changing these atributes and launch the persistence (lnk file)`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/VBScode.png "")`
			`###### This download the VB script and execute it by mshta call.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/lnk.PNG "")`
			`###### On the VB code, we can observed that use BITS fonctionality for download by a job the JS script to execute on the victim. Secondly, this check the architecture of the system and execute the correct path of wscript and push the windows out the screen.`
Update Malware analysis 26-08-19.md 2019-09-04 00:55:56 +00:00			`### Loader <a name="loader"></a>`
Update Malware analysis 26-08-19.md 2019-09-03 22:45:29 +00:00			`###### We can see that use function for decode the commands with a array of bytes.`
Update Malware analysis 26-08-19.md 2019-09-03 20:36:27 +00:00			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/encodeJS.png "")`
			`###### For decode the string , we use the next function used by the backdoor for decode the commands.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/decodeJS.png "")`
			`###### You can now change the encoded commands.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/decStr.png "")`
Update Malware analysis 26-08-19.md 2019-09-03 22:45:29 +00:00			`###### Once the encoded strings removed, we have the following code :`
Update Malware analysis 26-08-19.md 2019-09-03 20:36:27 +00:00			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/lay1dec.png "")`
Update Malware analysis 26-08-19.md 2019-09-03 22:45:29 +00:00			`As anti-forensic method, a method which can know if determiner if a debugger is present.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/zoomdebug.PNG "")`
			`###### Finally, we can observe a Wscript execution with a function splter which split for get a array of byte, convert to ASCII and after execute the script with execute call.`
Update Malware analysis 26-08-19.md 2019-09-04 00:55:56 +00:00			`###### By the following PowerShell script, we can get the second layer that is the JS Backdoor.`
Update Malware analysis 26-08-19.md 2019-09-04 15:18:32 +00:00			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/declayer.png "")`
			`### JS Backdoor <a name="Backdoor"></a>`
Update Malware analysis 26-08-19.md 2019-09-04 15:13:40 +00:00			`###### Firstly, the script get the system informations about the system of the victim and send to one the list of C2 in the logical sense (not random call on the list of C2) with the suffix "/is-ready". The backdoor use a while loop for rest in communication with C2 by send pulse with the system information of the victim.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/FirstAnal.png "")`
			`###### This send the data with the following structure to the C2 (Here from the Anyrun sandbox) :`
			`C4BA3647<\|>USER-PC<\|>admin<\|>Microsoft Windows 7 Professional <\|>plus<\|>nan-av<\|>`
			`###### We can note that the USB spread option isn't used on this sample. The structure of the reply to the C2 is the next :`
Update Malware analysis 26-08-19.md 2019-09-04 00:55:56 +00:00			`[volumeserialnumber]<\|>[computername]<\|>[username]<\|>plus<\|>[AV product (yes -> name or no ->nan-av)]<\|>[usbspreading option (= "")]<\|>`
Update Malware analysis 26-08-19.md 2019-09-04 15:13:40 +00:00			`###### In a second time, when a response of the C2 was given and use a swith structure for execute the command.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/secAnal.png "")`
			`###### Now, we analyse all functions used by this switch. As first function, we can see a function used by others functions of the script and used for send the data to the C2.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/postfunc.PNG "")`
			`###### We can observe after a group of functions who use the wql queries by the WMI for get the system informations, this is used by the attacker as profiling the victim.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/infofunc.PNG "")`
			`###### After, a function is used by the attacker for download an executable file.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/downfunc.PNG "")`
			`###### In the same idea for the attacker, a fonction which give the possiblity to read the bytes of files in a buffer and send it to the C2 is present.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/upfunc.PNG "")`
			`###### The next function give to the attacker to have the list drives on the computer.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/listdrivesfunc.PNG "")`
			`###### Another function can emumerate the paths of folders, files and to give in more the attributes of them.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/dirfunc.PNG "")`
			`###### And third function is used for get the list of the process running in the computer.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/processfunc.PNG "")`
			`###### The last function exit the process with a kill signal by taskkill call.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/exitfunc.PNG "")`
Update Malware analysis 26-08-19.md 2019-09-04 00:55:56 +00:00
			`###### We can resume the list of commands of the backdoor :`
			`\|Command\|Description\|`
			`\| :---------------: \|:-------------\|`
			`\|execute\| execute a command DOS/Powershell\|`
			`\|send\|Download a file to execute\|`
			`\|site-send\|Function don't exist but have the same arg that send command, seems be edited function of site-send and not deleted ?\|`
			`\|recv\|Read a file, put in a buffer and send to the C2\|`
			`\|enum-driver\|Send the list of drives to the C2\|`
			`\|enum-faf\|Get list of the folders, files and attributes and send it to the C2\|`
			`\|enum-process\|Get list of the process (name, id, path of the executable) and send it on the C2\|`
			`\|delete\|Function don't exist but by the params seems give to the attacker to delete folders or files\|`
			`\|exit-process\|Kill the backdoor process but can't remove the persistence, an "execute" command must be performed before for delete it in the registry\|`

Update Malware analysis 26-08-19.md 2019-09-04 22:42:11 +00:00			`###### All the IP are hosted on differents cloud provider.`
			`\|IP\|Route\|ASN\|Organization\|Country\|City\|Region\|Coordinates\|`
			`\|:---------------:\|:-------------:\|:-------------:\|:-------------:\|:-------------:\|:-------------:\|:-------------:\|:-------------:\|`
			`\|66.154.103.156\|66.154.102.0/23\|AS8100\|QuadraNet Enterprises LLC\|United States\|Secaucus\|New Jersey\| 40.7895,-74.0565\|`
			`\|37.48.111.5\|37.48.64.0/18\|AS60781\|LeaseWeb Netherlands B.V.\|Netherlands\|Noord-Holland\|Amsterdam\|52.3824,4.8995\|`
			`\|85.17.26.65\|85.17.0.0/16\|AS60781\|LeaseWeb Netherlands B.V.\|Netherlands\|Noord-Holland\|Amsterdam\|52.3824,4.8995\|`

Update Malware analysis 26-08-19.md 2019-09-04 16:11:37 +00:00			`## Cyber kill chain <a name="Cyber-kill-chain"></a>`
Create Malware analysis 26-08-19.md 2019-09-03 09:27:10 +00:00			`###### The process graph resume the cyber kill chain used by the attacker.`
Update Malware analysis 26-08-19.md 2019-09-03 22:45:29 +00:00			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/cyber.PNG "")`
Update Malware analysis 26-08-19.md 2019-09-04 00:55:56 +00:00
Update Malware analysis 26-08-19.md 2019-09-04 16:11:37 +00:00			`## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>`
Update Malware analysis 26-08-19.md 2019-09-04 22:42:11 +00:00			`### Origin of the method for the JS Backdoor`
			`###### Firstly, the method for load the JS Backdoor is edited from a post published in 2015 on a forum for show a method for the both architecture for the developpment of a worm.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/Post.PNG "")`
			`###### We can see that the name of the instance is changed and the html tags are removed.If we add the notes from the malware analysis, we can conclude that the malware has been edited in emergency.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/matchcode.PNG "")`
			`### A army in perdition, an difficult situation`
			###### Since the last decade, the inexperience of the army on military issues, rigid doctrine, misunderstanding of the adversary, over-reliance on air and all-technological operations, loss of skills in the IDF, hesitations of unit commanders, the belief - erroneous - that the Israeli population would not accept the possible losses, a reorganized but deficient logistics, the non-mastery of communication. If we add the syria situation and result of the confrontation in 2006 who have add new emmenies against Israel, this create a difficult situation for these leaders.
			`###### Actually in election period, each valuable action or opportunities can be used for this or for expend doctrine like the creation of housing in the colonies.`
			`### A war of misinformation`
			###### Like all recents conflits, the networks of communications are used for send wrong news and propaganda or create it due to the people can't understand the situation. For exemple, recently we can heard that a false evacuation of wounded have been do for decoy the Hezbollah for push to stop shooting but this isn't know guerilla and the result of the latest conficts whre this isn't the rockets which dettroyed the military equipement but the Israel's forces who have sabotage their own equipment by the fear of the new rescuits and their inexperiences. In same reflexion, the fear of rockets launch on a city can't be realitic by the fact that the priority is the border army garrisons, infrastructure are better choice due to this the means used Hezbollah against the priority , this argument is apply in Israel for prepare the people to possibilities to claim the war.

			`###### In this way, some pictures have be send in the both side for used this factor as propaganda vector.By example, a picture taken with a drone of the feneter of netanyahou have been released in the social medias for show the capacities of reprisals. If we see the picture with the naked eye, we can see that the shadow of drone isn't report in the wall inside the room, the facade is an decor, fake coordonnates and blur is applied to all photo.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/c654ede55e275431042d32334f8cfd3a5526cb72.196671-600.png "")`
			`###### With the ELA algorithm, we can see the last modifications on the pictures. In using this it, we can see all the precedants elements are added at the original picture (probably a meeting with members of government).`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/c654ede55e275431042d32334f8cfd3a5526cb72.196671-ela.png "")`

			`###### In same time, other pictures are released about decoy targets, with the ELA algoritm, we can see that the multiple compressions by the algorithms, the picture is very dark and the pictures are only modify for write the indicators of interest.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/EDOYGiAXsAEA4Kq.jpg%20large.jpg "")`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/aa18205de56e2cbe15471c3cc1530e587ab975a0.35923-ela-600.png "")`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/EDOYGWjWsAAsfM1.jpg%20large.jpg "")`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/3fb1c19ecfe9c11d779b8dae397cd781b64c56ef.21349-ela.png "")`
			`###### Recently, in the same way for develop the feeling of fear, Israel gouverment have claimed that Iran build precision missiles , this rest to prove it but the scheme of reflexion is the same, a war of fear and misinformation.`
			`### The drone attack, a result of the information campaign ?`

Create Malware analysis 26-08-19.md 2019-09-03 09:27:10 +00:00			`## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>`
			`###### List of all the references with MITRE ATT&CK Matrix`

			`\|Enterprise tactics\|Technics used\|Ref URL\|`
			`\| :---------------: \|:-------------\| :------------- \|`
Update Malware analysis 26-08-19.md 2019-09-04 16:11:37 +00:00			`\|Execution\|T1170 - Mshta<br>T1064 - Scripting\|https://attack.mitre.org/techniques/T1170<br>https://attack.mitre.org/techniques/T1064\|`
			`\|Persistence\|T1197 - BITS Jobs<br>T1060 - Registry Run Keys / Startup Folder\|https://attack.mitre.org/techniques/T1197<br>https://attack.mitre.org/techniques/T1060\|`
			`\|Defense Evasion\|T1197 - BITS Jobs<br>T1170 - Mshta<br>T1064 - Scripting\|https://attack.mitre.org/techniques/T1197<br>https://attack.mitre.org/techniques/T1170<br>https://attack.mitre.org/techniques/T1064\|`
			`\|Discovery\|T1012 - Query Registry\|https://attack.mitre.org/techniques/T1012\|`
			`\|Lateral Movement\|T1105 - Remote File Copy\|https://attack.mitre.org/techniques/T1105\|`
			`\|C2\|T1105 - Remote File Copy\|https://attack.mitre.org/techniques/T1105\|`
Create Malware analysis 26-08-19.md 2019-09-03 09:27:10 +00:00
			`## Indicators Of Compromise (IOC) <a name="IOC"></a>`

			`###### List of all the Indicators Of Compromise (IOC)`

			`\| Indicator \| Description\|`
			`\| ------------- \|:-------------:\|`
Update Malware analysis 26-08-19.md 2019-09-04 16:11:37 +00:00			`\|فضيحة جديدة لأحد قيادات حماس.exe\|03d82852bbb28d1740e50206e7726c006b9b984a8309e2f203e65a67d7d3bcad\|`
			`\|History.lnk\|3853e0bf00d6dbfc574bc0564f0c90b93a66d644dd4dc8b8c00564f0b6edf581\|`
			`\|ss.vbs\|2e5f9bb1cef985eab15ad8d9072e51c71be2810fea789836b401b96bc898943b\|`
			`\|news.docx\|08fa35e25f4c7a6279a84b337d541989498d74f2c5e84cc4039d667fedc725c7\|`
			`\|xyx.jse\|32e216942f995f285947c7e7ee8cf438440c8a1e033bb27517f5e5361dafa8e8\|`
			`\|adamnews.for.ug\|Domain requested\|`
			`\|israanews.zz.com.ve\|Domain requested\|`
			`\|mmksba.dyndns.org\|Domain C2\|`
			`\|webhoptest.webhop.info\|Domain C2\|`
			`\|mmksba.simple-url.com\|Domain C2\|`
			`\|85.17.26.65\|IP requested\|`
			`\|66.154.103.156\|IP C2\|`
			`\|37.48.111.5\|IP C2\|`
			`\|http[:]//israanews.zz.com.ve/hw.zip.zip\|HTTP/HTTPS requests\|`
			`\|http[:]//adamnews.for.ug/hwdownhww\|HTTP/HTTPS requests\|`
			`\|http[:]//webhoptest.webhop.info:4433/is-ready\|HTTP/HTTPS requests\|`
			`\|http[:]//mmksba.simple-url.com:4422/is-ready\|HTTP/HTTPS requests\|`
			`\|http[:]//mmksba.dyndns.org:4455/is-ready\|HTTP/HTTPS requests\|`
			`\|http[:]//webhoptest.webhop.info:4433/is-sending\|HTTP/HTTPS requests\|`
			`\|http[:]//mmksba.simple-url.com:4422/is-sending\|HTTP/HTTPS requests\|`
			`\|http[:]//mmksba.dyndns.org:4455/is-sending\|HTTP/HTTPS requests\|`
			`\|http[:]//webhoptest.webhop.info:4433/is-recving\|HTTP/HTTPS requests\|`
			`\|http[:]//mmksba.simple-url.com:4422/is-recving\|HTTP/HTTPS requests\|`
			`\|http[:]//mmksba.dyndns.org:4455/is-recving\|HTTP/HTTPS requests\|`
			`\|http[:]//webhoptest.webhop.info:4433/is-enum-driver\|HTTP/HTTPS requests\|`
			`\|http[:]//mmksba.simple-url.com:4422/is-enum-driver\|HTTP/HTTPS requests\|`
			`\|http[:]//mmksba.dyndns.org:4455/is-enum-driver\|HTTP/HTTPS requests\|`
			`\|http[:]//webhoptest.webhop.info:4433/is-enum-faf\|HTTP/HTTPS requests\|`
			`\|http[:]//mmksba.simple-url.com:4422/is-enum-faf\|HTTP/HTTPS requests\|`
			`\|http[:]//mmksba.dyndns.org:4455/is-enum-faf\|HTTP/HTTPS requests\|`
			`\|http[:]//webhoptest.webhop.info:4433/is-enum-process\|HTTP/HTTPS requests\|`
			`\|http[:]//mmksba.simple-url.com:4422/is-enum-process\|HTTP/HTTPS requests\|`
			`\|http[:]//mmksba.dyndns.org:4455/is-enum-process\|HTTP/HTTPS requests\|`

			`###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/IOC_Israel_04-09-19.json)`

Create Malware analysis 26-08-19.md 2019-09-03 09:27:10 +00:00			`## Links <a name="Links"></a>`
			`###### Original tweet: [https://twitter.com/Timele9527/status/1166188375109296128](https://twitter.com/Timele9527/status/1166188375109296128) <a name="Original-Tweet"></a>`
			`###### Links Anyrun: <a name="Links-Anyrun"></a>`
			`* [فضيحة جديدة لأحد قيادات حماس.zip (A new scandal of one of the leaders of Hamas.zip)](https://app.any.run/tasks/59ed8062-cf77-4d73-81bd-19cb26b7c7c6/)`
Update Malware analysis 26-08-19.md 2019-09-04 16:11:37 +00:00			`* [xyx.jse](https://app.any.run/tasks/baa4f59c-969b-4617-b926-2d41da5e18b0/)`
Create Malware analysis 26-08-19.md 2019-09-03 09:27:10 +00:00			`###### Documents: <a name="Documents"></a>`
Update Malware analysis 26-08-19.md 2019-09-04 22:42:11 +00:00			`* [Evaluating ELA](http://fotoforensics.com/tutorial-ela.php)`