2019-10-11 14:26:26 +00:00
# The SideWinder campaign continue
2019-10-11 13:55:39 +00:00
## Table of Contents
* [Malware analysis ](#Malware-analysis )
* [Cyber Threat Intel ](#Cyber-Threat-Intel )
* [Cyber kill chain ](#Cyber-kill-chain )
* [Indicators Of Compromise (IOC) ](#IOC )
* [References MITRE ATT&CK Matrix ](#Ref-MITRE-ATTACK )
* [Links ](#Links )
+ [Original Tweet ](#Original-Tweet )
+ [Link Anyrun ](#Links-Anyrun )
## Malware analysis <a name="Malware-analysis"></a>
###### The initial vector is a malicious excel file which used an XLM macro (macro v4). This uses a function for launch the payload when the excel windows is active (selected as primary window). As first action, this executes the module 1.
2019-10-11 14:26:26 +00:00
![alt text]()
2019-10-11 13:55:39 +00:00
## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>
######
## Cyber kill chain <a name="Cyber-kill-chain"></a>
###### The process graphs resume all the cyber kill chains used by the attacker.
![alt text]()
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
###### List of all the references with MITRE ATT&CK Matrix
|Enterprise tactics|Technics used|Ref URL|
| :---------------: |:-------------| :------------- |
||||
## Indicators Of Compromise (IOC) <a name="IOC"></a>
###### List of all the Indicators Of Compromise (IOC)
|Indicator|Description|
| ------------- |:-------------:|
|||
###### This can be exported as JSON format [Export in JSON]()
## Links <a name="Links"></a>
###### Original tweet:
* [https://twitter.com/Timele9527/status/1182587382626996224 ](https://twitter.com/Timele9527/status/1182587382626996224 ) < a name = "Original-Tweet" ></ a >
###### Links Anyrun: <a name="Links-Anyrun"></a>
2019-10-11 14:26:26 +00:00
* [zhengce.doc ](https://app.any.run/tasks/7cdd1bfc-f0a3-4dd6-a29c-5ed70a77e76c )
2019-10-11 13:55:39 +00:00
###### Ressources:
* [DotNetToJScript ](https://github.com/tyranid/DotNetToJScript )