CyberThreatIntel/Indian/APT/Donot/17-09-19/Malware analysis.md

# Analysis of the Donot APT campaign
## Table of Contents
* [Malware analysis](#Malware-analysis)
  + [86ccedaa93743e83787f53e09e376713.docx](#malware1)
  + [d2263c15dfcccfef16ecf1c1c9304064befddf49cdbbd40abd12513481d7faf7.doc](#malware2)
  + [01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx](#malware3)  
  + [pk_17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc](#malware4) 
* [Cyber Threat Intel](#Cyber-Threat-Intel)
* [Indicators Of Compromise (IOC)](#IOC)
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
* [Links](#Links)
  + [Original Tweet](#Original-Tweet)
  + [Link Anyrun](#Links-Anyrun)
  + [Documents](#Documents)

## Malware analysis <a name="Malware-analysis"></a>
### 86ccedaa93743e83787f53e09e376713.docx <a name="malware1"></a>
###### The first sample of the campaign is a maldoc file using cve-2017-0199 (Template injection) for request and executed the next stage of the infection.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/InjTemp.PNG "")
###### This use RTF file with the cve-2018-0802 for execute embedded excel object by the CLSID of the Excel COM object.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/RTFInfo.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/CLSID.png "")
###### This extract and execute the zip archive from the RTF file.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/HexPK.PNG "")
###### On the backdoor, we can see that can push an environnement variable and create the "Mknyh" Mutex.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-EnvVar.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Mutex.PNG "")
###### After perform this, this install the let's encrypt certificate and collect the informations about the system and send it in the C2.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Infos1.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Infos2.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Infos3.PNG "")
###### This collect the list of disks and the types of this.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Disk1.png "")
###### This can save and execute a stream from the C2.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Mod1.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Mod2.PNG "")

### d2263c15dfcccfef16ecf1c1c9304064befddf49cdbbd40abd12513481d7faf7.doc <a name="malware2"></a>
###### The second samples use the same TTPs and use Template injection.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/2/Template.png "")
###### The RTF file download and executed drop the same backdoor.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/2/RTFInfo.png "")
### 01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx <a name="malware3"></a>
###### The next sample use Template injection too for download and executed drop the RTF file.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Inj.PNG "")
###### The RTF file push a persistence with a LNK file, extract the backdoor and execute on another instance of explorer.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/RTFInfo.PNG "")
###### The backdoor use a timer for as anti-sandbox method and check the features.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Main.png "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Anti-sandbox.PNG "")
###### This push in memory the backdoor and check the system informations.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/VirtualProtect.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Infos.PNG "")
###### This have the capacity to hijack the AVAST AV, send the informations and request to the C2 for commands. This can save a file and execute it on the computer.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Hijack.png "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/connect.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/WriteFile.PNG "")
### pk_17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc <a name="malware74"></a>
###### This continue to use Template injection.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/inj.PNG "")
###### The RTF file dropped extract a js file, a dll and an exe file.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/rtfinfos.PNG "")
###### The js file execute the dll and the exe file for bypass the UAC by the UACme tool. The backdoor is the same that the first sample.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/js.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/UAC.PNG "")

## Cyber kill chain <a name="Cyber-kill-chain"></a>
###### The process graph resume the cyber kill chain used by the attacker.
![alt text]()
## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
###### List of all the references with MITRE ATT&CK Matrix

|Enterprise tactics|Technics used|Ref URL|
| :---------------: |:-------------| :------------- |
||||
||||
||||

## Indicators Of Compromise (IOC) <a name="IOC"></a>

###### List of all the Indicators Of Compromise (IOC)

| Indicator     | Description|
| ------------- |:-------------:|
|||
||Domain requested|
||IP requested|
||HTTP/HTTPS requests||
||IP C2|
||Domain C2|
###### This can be exported as JSON format [Export in JSON]()	

## Links <a name="Links"></a>
###### Original tweet: [https://twitter.com/Timele9527/status/1173431630171492352](https://twitter.com/Timele9527/status/1173431630171492352) <a name="Original-Tweet"></a>
###### Links Anyrun: <a name="Links-Anyrun"></a>
###### Samples :
* [86ccedaa93743e83787f53e09e376713.docx](https://app.any.run/tasks/0df3deaf-e8e9-4b23-8b64-fed49b85811f)
* [d2263c15dfcccfef16ecf1c1c9304064befddf49cdbbd40abd12513481d7faf7.doc](https://app.any.run/tasks/63251738-19fb-4155-ae23-0a8d4d780682)
* [01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx](https://app.any.run/tasks/43bb63ce-4c78-4c1c-ae1d-a85b0106d983)
* [17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc](https://app.any.run/tasks/e194a69c-9e4e-4c7b-9e73-f6b144af95e1)
* [A1719.docx](https://app.any.run/tasks/524aff0c-2f82-4f03-8ad0-16928adcf1f2)
* [57ecda52cfb12afa08e84fe86cd61a95.zip](https://app.any.run/tasks/411a27d8-9b47-4f87-bd06-35d813ab1457)
* [Scan0012.docx](https://app.any.run/tasks/f3397ba6-f8a0-46c5-b40f-f91bdfddc5db)
###### Opendir:
* [SecurityM Opendir](https://app.any.run/tasks/793250a3-e767-47a8-9042-fce7c89a0471)
* [ScanSecurity Opendir](https://app.any.run/tasks/ae0325de-4aa2-40f0-8b17-1ca540cf2b9f)
###### Documents: <a name="Documents"></a>
* [UACme](https://github.com/hfiref0x/UACME)
Update Malware analysis.md 2019-09-22 22:51:00 +00:00			`# Analysis of the Donot APT campaign`
Create Malware analysis.md 2019-09-17 21:35:44 +00:00			`## Table of Contents`
			`* [Malware analysis](#Malware-analysis)`
Update Malware analysis.md 2019-09-22 22:51:00 +00:00			`+ [86ccedaa93743e83787f53e09e376713.docx](#malware1)`
			`+ [d2263c15dfcccfef16ecf1c1c9304064befddf49cdbbd40abd12513481d7faf7.doc](#malware2)`
Update Malware analysis.md 2019-09-23 00:18:05 +00:00			`+ [01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx](#malware3)`
			`+ [pk_17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc](#malware4)`
Create Malware analysis.md 2019-09-17 21:35:44 +00:00			`* [Cyber Threat Intel](#Cyber-Threat-Intel)`
			`* [Indicators Of Compromise (IOC)](#IOC)`
			`* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)`
			`* [Links](#Links)`
			`+ [Original Tweet](#Original-Tweet)`
			`+ [Link Anyrun](#Links-Anyrun)`
			`+ [Documents](#Documents)`

			`## Malware analysis <a name="Malware-analysis"></a>`
Update Malware analysis.md 2019-09-22 22:51:00 +00:00			`### 86ccedaa93743e83787f53e09e376713.docx <a name="malware1"></a>`
			`###### The first sample of the campaign is a maldoc file using cve-2017-0199 (Template injection) for request and executed the next stage of the infection.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/InjTemp.PNG "")`
			`###### This use RTF file with the cve-2018-0802 for execute embedded excel object by the CLSID of the Excel COM object.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/RTFInfo.PNG "")`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/CLSID.png "")`
			`###### This extract and execute the zip archive from the RTF file.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/HexPK.PNG "")`
			`###### On the backdoor, we can see that can push an environnement variable and create the "Mknyh" Mutex.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-EnvVar.PNG "")`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Mutex.PNG "")`
			`###### After perform this, this install the let's encrypt certificate and collect the informations about the system and send it in the C2.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Infos1.PNG "")`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Infos2.PNG "")`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Infos3.PNG "")`
			`###### This collect the list of disks and the types of this.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Disk1.png "")`
			`###### This can save and execute a stream from the C2.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Mod1.PNG "")`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Mod2.PNG "")`

			`### d2263c15dfcccfef16ecf1c1c9304064befddf49cdbbd40abd12513481d7faf7.doc <a name="malware2"></a>`
			`###### The second samples use the same TTPs and use Template injection.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/2/Template.png "")`
			`###### The RTF file download and executed drop the same backdoor.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/2/RTFInfo.png "")`
			`### 01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx <a name="malware3"></a>`
Update Malware analysis.md 2019-09-23 00:18:05 +00:00			`###### The next sample use Template injection too for download and executed drop the RTF file.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Inj.PNG "")`
			`###### The RTF file push a persistence with a LNK file, extract the backdoor and execute on another instance of explorer.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/RTFInfo.PNG "")`
			`###### The backdoor use a timer for as anti-sandbox method and check the features.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Main.png "")`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Anti-sandbox.PNG "")`
			`###### This push in memory the backdoor and check the system informations.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/VirtualProtect.PNG "")`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Infos.PNG "")`
			`###### This have the capacity to hijack the AVAST AV, send the informations and request to the C2 for commands. This can save a file and execute it on the computer.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Hijack.png "")`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/connect.PNG "")`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/WriteFile.PNG "")`
			`### pk_17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc <a name="malware74"></a>`
			`###### This continue to use Template injection.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/inj.PNG "")`
			`###### The RTF file dropped extract a js file, a dll and an exe file.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/rtfinfos.PNG "")`
			`###### The js file execute the dll and the exe file for bypass the UAC by the UACme tool. The backdoor is the same that the first sample.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/js.PNG "")`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/UAC.PNG "")`
Create Malware analysis.md 2019-09-17 21:35:44 +00:00
			`## Cyber kill chain <a name="Cyber-kill-chain"></a>`
			`###### The process graph resume the cyber kill chain used by the attacker.`
			`![alt text]()`
			`## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>`
			`## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>`
			`###### List of all the references with MITRE ATT&CK Matrix`

			`\|Enterprise tactics\|Technics used\|Ref URL\|`
			`\| :---------------: \|:-------------\| :------------- \|`
			`\|\|\|\|`
			`\|\|\|\|`
			`\|\|\|\|`

			`## Indicators Of Compromise (IOC) <a name="IOC"></a>`

			`###### List of all the Indicators Of Compromise (IOC)`

			`\| Indicator \| Description\|`
			`\| ------------- \|:-------------:\|`
			`\|\|\|`
			`\|\|Domain requested\|`
			`\|\|IP requested\|`
			`\|\|HTTP/HTTPS requests\|\|`
			`\|\|IP C2\|`
			`\|\|Domain C2\|`
			`###### This can be exported as JSON format [Export in JSON]()`

			`## Links <a name="Links"></a>`
			`###### Original tweet: [https://twitter.com/Timele9527/status/1173431630171492352](https://twitter.com/Timele9527/status/1173431630171492352) <a name="Original-Tweet"></a>`
			`###### Links Anyrun: <a name="Links-Anyrun"></a>`
Update Malware analysis.md 2019-09-22 22:51:00 +00:00			`###### Samples :`
			`* [86ccedaa93743e83787f53e09e376713.docx](https://app.any.run/tasks/0df3deaf-e8e9-4b23-8b64-fed49b85811f)`
Update Malware analysis.md 2019-09-17 23:09:38 +00:00			`* [d2263c15dfcccfef16ecf1c1c9304064befddf49cdbbd40abd12513481d7faf7.doc](https://app.any.run/tasks/63251738-19fb-4155-ae23-0a8d4d780682)`
Update Malware analysis.md 2019-09-22 22:51:00 +00:00			`* [01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx](https://app.any.run/tasks/43bb63ce-4c78-4c1c-ae1d-a85b0106d983)`
Update Malware analysis.md 2019-09-17 23:09:38 +00:00			`* [17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc](https://app.any.run/tasks/e194a69c-9e4e-4c7b-9e73-f6b144af95e1)`
			`* [A1719.docx](https://app.any.run/tasks/524aff0c-2f82-4f03-8ad0-16928adcf1f2)`
			`* [57ecda52cfb12afa08e84fe86cd61a95.zip](https://app.any.run/tasks/411a27d8-9b47-4f87-bd06-35d813ab1457)`
			`* [Scan0012.docx](https://app.any.run/tasks/f3397ba6-f8a0-46c5-b40f-f91bdfddc5db)`
Update Malware analysis.md 2019-09-22 22:51:00 +00:00			`###### Opendir:`
			`* [SecurityM Opendir](https://app.any.run/tasks/793250a3-e767-47a8-9042-fce7c89a0471)`
			`* [ScanSecurity Opendir](https://app.any.run/tasks/ae0325de-4aa2-40f0-8b17-1ca540cf2b9f)`
Create Malware analysis.md 2019-09-17 21:35:44 +00:00			`###### Documents: <a name="Documents"></a>`
Update Malware analysis.md 2019-09-23 00:18:05 +00:00			`* [UACme](https://github.com/hfiref0x/UACME)`