CyberThreatIntel/Israel/APT/Unknown/26-08-19/Malware analysis 26-08-19.md

# Malware analysis about unknown Israel APT campaign
## Table of Contents
* [Malware analysis](#Malware-analysis)
  + [Initial vector](#Initial-vector)
  + [JS Backdoor](#Backdoor)
* [Cyber Threat Intel](#Cyber-Threat-Intel)
* [Indicators Of Compromise (IOC)](#IOC)
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
* [Links](#Links)
  + [Original Tweet](#Original-Tweet)
  + [Link Anyrun](#Links-Anyrun)
  + [Documents](#Documents)

## Malware analysis <a name="Malware-analysis"></a>
### Initial vector <a name="Initial-vector"></a>
###### The initial vector use an SFX executable, who drop a lnk file for the persistence, a vbs file and the docx file for decoys the victim. 
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/strings.png "")
###### We can also note the multiples possiblities for push the persisitence and options.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/lnkfile.png "")
###### This execute the vbs file for push the persistence in the startup menu, hide it in changing these atributes and launch the persistence (lnk file)
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/VBScode.png "")
###### This download the VB script and execute it by mshta call.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/lnk.PNG "")
###### On the VB code, we can observed that use BITS fonctionality for download by a job the JS script to execute on the victim. Secondly, this check the architecture of the system and execute the correct path of wscript and push the windows out the screen. 
### JS Backdoor <a name="Backdoor"></a>
###### We can see that use function for decode the commands  with a array of bytes.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/encodeJS.png "")
###### For decode the string , we use the next function used by the backdoor for decode the commands.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/decodeJS.png "")
###### You can now change the encoded commands.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/decStr.png "")
###### Once the encoded strings removed, we have the following code :
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/lay1dec.png "")
As anti-forensic method, a method which can know if determiner if a debugger is present.
 ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/zoomdebug.PNG "")	
###### Finally, we can observe a Wscript execution with a function splter which split for get a array of byte, convert to ASCII and after execute the script with execute call.
###### By the following PowerShell script, we can get the second layer.
 ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/layer2.png "")	
### Cyber kill chain <a name="Cyber-kill-chain"></a>
###### The process graph resume the cyber kill chain used by the attacker.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/cyber.PNG "")
### Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
###### List of all the references with MITRE ATT&CK Matrix

|Enterprise tactics|Technics used|Ref URL|
| :---------------: |:-------------| :------------- |
||||
||||
||||

## Indicators Of Compromise (IOC) <a name="IOC"></a>

###### List of all the Indicators Of Compromise (IOC)

| Indicator     | Description|
| ------------- |:-------------:|
|||
||Domain requested|
||IP requested|
||HTTP/HTTPS requests||
||IP C2|
||Domain C2|
## Links <a name="Links"></a>
###### Original tweet: [https://twitter.com/Timele9527/status/1166188375109296128](https://twitter.com/Timele9527/status/1166188375109296128) <a name="Original-Tweet"></a>
###### Links Anyrun: <a name="Links-Anyrun"></a>
* [فضيحة جديدة لأحد قيادات حماس.zip (A new scandal of one of the leaders of Hamas.zip)](https://app.any.run/tasks/59ed8062-cf77-4d73-81bd-19cb26b7c7c6/)
###### Documents: <a name="Documents"></a>
* [link]()
Create Malware analysis 26-08-19.md 2019-09-03 09:27:10 +00:00			`# Malware analysis about unknown Israel APT campaign`
			`## Table of Contents`
			`* [Malware analysis](#Malware-analysis)`
			`+ [Initial vector](#Initial-vector)`
Update Malware analysis 26-08-19.md 2019-09-03 20:36:27 +00:00			`+ [JS Backdoor](#Backdoor)`
Create Malware analysis 26-08-19.md 2019-09-03 09:27:10 +00:00			`* [Cyber Threat Intel](#Cyber-Threat-Intel)`
			`* [Indicators Of Compromise (IOC)](#IOC)`
			`* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)`
			`* [Links](#Links)`
			`+ [Original Tweet](#Original-Tweet)`
			`+ [Link Anyrun](#Links-Anyrun)`
			`+ [Documents](#Documents)`

			`## Malware analysis <a name="Malware-analysis"></a>`
			`### Initial vector <a name="Initial-vector"></a>`
Update Malware analysis 26-08-19.md 2019-09-03 20:36:27 +00:00			`###### The initial vector use an SFX executable, who drop a lnk file for the persistence, a vbs file and the docx file for decoys the victim.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/strings.png "")`
			`###### We can also note the multiples possiblities for push the persisitence and options.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/lnkfile.png "")`
			`###### This execute the vbs file for push the persistence in the startup menu, hide it in changing these atributes and launch the persistence (lnk file)`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/VBScode.png "")`
			`###### This download the VB script and execute it by mshta call.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/lnk.PNG "")`
			`###### On the VB code, we can observed that use BITS fonctionality for download by a job the JS script to execute on the victim. Secondly, this check the architecture of the system and execute the correct path of wscript and push the windows out the screen.`
			`### JS Backdoor <a name="Backdoor"></a>`
Update Malware analysis 26-08-19.md 2019-09-03 22:45:29 +00:00			`###### We can see that use function for decode the commands with a array of bytes.`
Update Malware analysis 26-08-19.md 2019-09-03 20:36:27 +00:00			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/encodeJS.png "")`
			`###### For decode the string , we use the next function used by the backdoor for decode the commands.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/decodeJS.png "")`
			`###### You can now change the encoded commands.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/decStr.png "")`
Update Malware analysis 26-08-19.md 2019-09-03 22:45:29 +00:00			`###### Once the encoded strings removed, we have the following code :`
Update Malware analysis 26-08-19.md 2019-09-03 20:36:27 +00:00			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/lay1dec.png "")`
Update Malware analysis 26-08-19.md 2019-09-03 22:45:29 +00:00			`As anti-forensic method, a method which can know if determiner if a debugger is present.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/zoomdebug.PNG "")`
			`###### Finally, we can observe a Wscript execution with a function splter which split for get a array of byte, convert to ASCII and after execute the script with execute call.`
			`###### By the following PowerShell script, we can get the second layer.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/layer2.png "")`
Create Malware analysis 26-08-19.md 2019-09-03 09:27:10 +00:00			`### Cyber kill chain <a name="Cyber-kill-chain"></a>`
			`###### The process graph resume the cyber kill chain used by the attacker.`
Update Malware analysis 26-08-19.md 2019-09-03 22:45:29 +00:00			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/cyber.PNG "")`
Create Malware analysis 26-08-19.md 2019-09-03 09:27:10 +00:00			`### Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>`
			`## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>`
			`###### List of all the references with MITRE ATT&CK Matrix`

			`\|Enterprise tactics\|Technics used\|Ref URL\|`
			`\| :---------------: \|:-------------\| :------------- \|`
			`\|\|\|\|`
			`\|\|\|\|`
			`\|\|\|\|`

			`## Indicators Of Compromise (IOC) <a name="IOC"></a>`

			`###### List of all the Indicators Of Compromise (IOC)`

			`\| Indicator \| Description\|`
			`\| ------------- \|:-------------:\|`
			`\|\|\|`
			`\|\|Domain requested\|`
			`\|\|IP requested\|`
			`\|\|HTTP/HTTPS requests\|\|`
			`\|\|IP C2\|`
			`\|\|Domain C2\|`
			`## Links <a name="Links"></a>`
			`###### Original tweet: [https://twitter.com/Timele9527/status/1166188375109296128](https://twitter.com/Timele9527/status/1166188375109296128) <a name="Original-Tweet"></a>`
			`###### Links Anyrun: <a name="Links-Anyrun"></a>`
			`* [فضيحة جديدة لأحد قيادات حماس.zip (A new scandal of one of the leaders of Hamas.zip)](https://app.any.run/tasks/59ed8062-cf77-4d73-81bd-19cb26b7c7c6/)`
			`###### Documents: <a name="Documents"></a>`
			`* [link]()`