CyberThreatIntel/Indian/APT/SideWinder/11-10-2019/Analysis.md

43 lines
1.7 KiB
Markdown
Raw Normal View History

2019-10-11 14:26:26 +00:00
# The SideWinder campaign continue
2019-10-11 13:55:39 +00:00
## Table of Contents
* [Malware analysis](#Malware-analysis)
* [Cyber Threat Intel](#Cyber-Threat-Intel)
* [Cyber kill chain](#Cyber-kill-chain)
* [Indicators Of Compromise (IOC)](#IOC)
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
* [Links](#Links)
+ [Original Tweet](#Original-Tweet)
+ [Link Anyrun](#Links-Anyrun)
## Malware analysis <a name="Malware-analysis"></a>
###### The initial vector is a malicious excel file which used an XLM macro (macro v4). This uses a function for launch the payload when the excel windows is active (selected as primary window). As first action, this executes the module 1.
2019-10-11 14:26:26 +00:00
![alt text]()
2019-10-11 13:55:39 +00:00
## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>
######
## Cyber kill chain <a name="Cyber-kill-chain"></a>
###### The process graphs resume all the cyber kill chains used by the attacker.
![alt text]()
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
###### List of all the references with MITRE ATT&CK Matrix
|Enterprise tactics|Technics used|Ref URL|
| :---------------: |:-------------| :------------- |
||||
## Indicators Of Compromise (IOC) <a name="IOC"></a>
###### List of all the Indicators Of Compromise (IOC)
|Indicator|Description|
| ------------- |:-------------:|
|||
###### This can be exported as JSON format [Export in JSON]()
## Links <a name="Links"></a>
###### Original tweet:
* [https://twitter.com/Timele9527/status/1182587382626996224](https://twitter.com/Timele9527/status/1182587382626996224) <a name="Original-Tweet"></a>
###### Links Anyrun: <a name="Links-Anyrun"></a>
2019-10-11 14:26:26 +00:00
* [zhengce.doc](https://app.any.run/tasks/7cdd1bfc-f0a3-4dd6-a29c-5ed70a77e76c)
2019-10-11 13:55:39 +00:00
###### Ressources:
* [DotNetToJScript](https://github.com/tyranid/DotNetToJScript)