CyberThreatIntel/Russia/APT/Gamaredon/16-08-19/Malware analysis 16-08-19.md

# [Update] Malware analysis on Gamaredon APT campaign (06-08-19)
## Table of Contents
* [Malware analysis](#Malware-analysis)
  + [Analysis of the TTPs](#Initial-vector)
  + [Cyber kill chain](#Initial-vector)
* [Cyber Threat Intel](#Cyber-Kill-Chain)
* [IOC](#IOC)
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
* [Links](#Links)
  + [Original Tweet](#Original-Tweet)
  + [Ref previous analysis](#Documents)
  + [Link Anyrun](#Links-Anyrun)

## Malware-analysis <a name="Malware-analysis"></a>
### Analysis of the TTPs <a name="Initial-vector"></a>
###### Like the last sample analysed, the new samples uses an SFX archive for extract the files and execute the fake document and the payload.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/Images/SFX.png "SFX startup")
###### We can see again the cmd file extracted by the SFX archive. The randomization of the obfuscated strings has been by the algorithm in the archive.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/Images/CMD.PNG "Extraction cmd file")
###### Also this use the function GetCommandLineA for getting a pointer to the command-line string for the current process.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/Images/command.PNG "Commandline function")

### Cyber kill chain <a name="Cyber-Kill-Chain"></a>

###### The process graph resume the cyber kill chain used by the attacker. We can observe that the TTPs are the same.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/Images/cyber.PNG "Cyber kill chain")
## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>

###### Both latest spotted samples have the same C2 hosted in a Russia provider.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/Images/IP.png "IP informations")
###### The domain seems don't be registered on list of the domain added.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/Images/query.PNG "Query WHOIS")
###### Like the last sample, this comes at a crisis period between Russia and Ukraine, Ukraine rest the main target of Gamaredon group.
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
###### List of all the references with MITRE ATT&CK Matrix

|Enterprise tactics|Technics used|Ref URL|
| :---------------: |:-------------| :------------- |
|Execution|T1059 - Starts CMD.EXE for commands execution<br>T1106 - Execution through API<br>T1053 - Scheduled Task<br>T1064 - Scripting|https://attack.mitre.org/techniques/T1059<br>https://attack.mitre.org/techniques/T1106<br>https://attack.mitre.org/techniques/T1053<br>https://attack.mitre.org/techniques/T1064|
|Persistence|T1060 - Registry Run Keys / Startup Folder<br>T1053 - Scheduled Task|https://attack.mitre.org/techniques/T1060<br>https://attack.mitre.org/techniques/T1053|
|Privilege Escalation|T1053 - Scheduled Task|https://attack.mitre.org/techniques/T1053|
|Defense Evasion|T1112 - Modify Registry<br> T1064 - Scripting|https://attack.mitre.org/techniques/T1112<br>https://attack.mitre.org/techniques/T1064|
|Discovery|T1012 - Query Registry|https://attack.mitre.org/techniques/T1012|

## Indicators Of Compromise (IOC) <a name="IOC"></a>

###### List of all the Indicators Of Compromise (IOC)
| Indicator     | Description|
| ------------- |:-------------|
|1426f88edaf207d2c62422f343209fae|204da6b16288cf94890ab036836a27a8163bef259092b3eb21c99e52144256e8|
|a.exe|a94b4e7ecd9482b0e610b2521727715d1d401d775617512514bdd2e0b9351e06|
|23379.txt|a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599|
|18535.cmd|29389990ce789001c337e98abd3ff49b3c80dd34e66033c62732e4af89e13f4f|
|21826.cmd|825deff8a0d7635b2e45ac2d7ad09c80e45cd380a0e54831910e0bb62063d20b|	
|QoceoIJ.vbs|37b05d4273e3e0a558d431ed3cc443d2a93001b121c4aae9fc8f9778a5578316|
|zZBwUAc.vbs|f29d970f4ace8516a254515be3b3adf14ebf9651c0ee1aecaddd68a3d12c0315|
|PowerShellCertificates_C4BA3647.ps1|6de997b9bbfa09def80109108def78a42bc16820c681d12210011ea5d1a86321|
|Document.docx|2a5c7e6e9347f74e8a5d288274117cb638ff0305a3e46813d64316f869d5e7ec|
|document-listing.ddns.net|Domain C2|	
|188.225.24.161|IP C2|
|http[:]//document-listing.ddns.net/|URL request|

###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/IOC_Gamaredon_16-08-19.json)	

## Links <a name="Links"></a>

* Original tweet: https://twitter.com/RedDrip7/status/1161900271477252101 <a name="Original-Tweet"></a>
* Ref previous analysiss: [Gamaradon sample analysis 06-08-19](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Russia/APT/Gamaredon/06-08-19/Malware%20analysis%2006-08-19.md)<a name="Documents"></a>
* Anyrun Links: <a name="Links-Anyrun"></a>
  + [1426f88edaf207d2c62422f343209fae](https://app.any.run/tasks/8b718d6a-04c4-44fc-9afd-e0cffd1b626a) 
  + [a.exe](https://app.any.run/tasks/58d83fbe-36c9-4fad-9e21-9140207b6152)
Create Malware analysis 16-08-19.md 2019-08-24 13:59:09 +00:00			`# [Update] Malware analysis on Gamaredon APT campaign (06-08-19)`
			`## Table of Contents`
			`* [Malware analysis](#Malware-analysis)`
			`+ [Analysis of the TTPs](#Initial-vector)`
Update Malware analysis 16-08-19.md 2019-08-24 14:15:14 +00:00			`+ [Cyber kill chain](#Initial-vector)`
			`* [Cyber Threat Intel](#Cyber-Kill-Chain)`
Create Malware analysis 16-08-19.md 2019-08-24 13:59:09 +00:00			`* [IOC](#IOC)`
			`* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)`
			`* [Links](#Links)`
			`+ [Original Tweet](#Original-Tweet)`
			`+ [Ref previous analysis](#Documents)`
			`+ [Link Anyrun](#Links-Anyrun)`

Update Malware analysis 16-08-19.md 2019-08-24 14:15:14 +00:00			`## Malware-analysis <a name="Malware-analysis"></a>`
			`### Analysis of the TTPs <a name="Initial-vector"></a>`
Create Malware analysis 16-08-19.md 2019-08-24 13:59:09 +00:00			`###### Like the last sample analysed, the new samples uses an SFX archive for extract the files and execute the fake document and the payload.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/Images/SFX.png "SFX startup")`
			`###### We can see again the cmd file extracted by the SFX archive. The randomization of the obfuscated strings has been by the algorithm in the archive.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/Images/CMD.PNG "Extraction cmd file")`
			`###### Also this use the function GetCommandLineA for getting a pointer to the command-line string for the current process.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/Images/command.PNG "Commandline function")`

Update Malware analysis 16-08-19.md 2019-08-24 14:15:14 +00:00			`### Cyber kill chain <a name="Cyber-Kill-Chain"></a>`
Create Malware analysis 16-08-19.md 2019-08-24 13:59:09 +00:00
			`###### The process graph resume the cyber kill chain used by the attacker. We can observe that the TTPs are the same.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/Images/cyber.PNG "Cyber kill chain")`
Update Malware analysis 16-08-19.md 2019-08-24 14:15:14 +00:00			`## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>`
Create Malware analysis 16-08-19.md 2019-08-24 13:59:09 +00:00
			`###### Both latest spotted samples have the same C2 hosted in a Russia provider.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/Images/IP.png "IP informations")`
			`###### The domain seems don't be registered on list of the domain added.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/Images/query.PNG "Query WHOIS")`
			`###### Like the last sample, this comes at a crisis period between Russia and Ukraine, Ukraine rest the main target of Gamaredon group.`
			`## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>`
			`###### List of all the references with MITRE ATT&CK Matrix`

			`\|Enterprise tactics\|Technics used\|Ref URL\|`
			`\| :---------------: \|:-------------\| :------------- \|`
			`\|Execution\|T1059 - Starts CMD.EXE for commands execution<br>T1106 - Execution through API<br>T1053 - Scheduled Task<br>T1064 - Scripting\|https://attack.mitre.org/techniques/T1059<br>https://attack.mitre.org/techniques/T1106<br>https://attack.mitre.org/techniques/T1053<br>https://attack.mitre.org/techniques/T1064\|`
			`\|Persistence\|T1060 - Registry Run Keys / Startup Folder<br>T1053 - Scheduled Task\|https://attack.mitre.org/techniques/T1060<br>https://attack.mitre.org/techniques/T1053\|`
			`\|Privilege Escalation\|T1053 - Scheduled Task\|https://attack.mitre.org/techniques/T1053\|`
			`\|Defense Evasion\|T1112 - Modify Registry<br> T1064 - Scripting\|https://attack.mitre.org/techniques/T1112<br>https://attack.mitre.org/techniques/T1064\|`
			`\|Discovery\|T1012 - Query Registry\|https://attack.mitre.org/techniques/T1012\|`

			`## Indicators Of Compromise (IOC) <a name="IOC"></a>`

			`###### List of all the Indicators Of Compromise (IOC)`
			`\| Indicator \| Description\|`
			`\| ------------- \|:-------------\|`
Update Malware analysis 16-08-19.md 2019-08-24 14:15:14 +00:00			`\|1426f88edaf207d2c62422f343209fae\|204da6b16288cf94890ab036836a27a8163bef259092b3eb21c99e52144256e8\|`
			`\|a.exe\|a94b4e7ecd9482b0e610b2521727715d1d401d775617512514bdd2e0b9351e06\|`
			`\|23379.txt\|a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599\|`
			`\|18535.cmd\|29389990ce789001c337e98abd3ff49b3c80dd34e66033c62732e4af89e13f4f\|`
			`\|21826.cmd\|825deff8a0d7635b2e45ac2d7ad09c80e45cd380a0e54831910e0bb62063d20b\|`
			`\|QoceoIJ.vbs\|37b05d4273e3e0a558d431ed3cc443d2a93001b121c4aae9fc8f9778a5578316\|`
			`\|zZBwUAc.vbs\|f29d970f4ace8516a254515be3b3adf14ebf9651c0ee1aecaddd68a3d12c0315\|`
			`\|PowerShellCertificates_C4BA3647.ps1\|6de997b9bbfa09def80109108def78a42bc16820c681d12210011ea5d1a86321\|`
			`\|Document.docx\|2a5c7e6e9347f74e8a5d288274117cb638ff0305a3e46813d64316f869d5e7ec\|`
			`\|document-listing.ddns.net\|Domain C2\|`
			`\|188.225.24.161\|IP C2\|`
			`\|http[:]//document-listing.ddns.net/\|URL request\|`
Create Malware analysis 16-08-19.md 2019-08-24 13:59:09 +00:00
Update Malware analysis 16-08-19.md 2019-08-24 20:36:36 +00:00			`###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/IOC_Gamaredon_16-08-19.json)`
Create Malware analysis 16-08-19.md 2019-08-24 13:59:09 +00:00
			`## Links <a name="Links"></a>`

			`* Original tweet: https://twitter.com/RedDrip7/status/1161900271477252101 <a name="Original-Tweet"></a>`
			`* Ref previous analysiss: [Gamaradon sample analysis 06-08-19](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Russia/APT/Gamaredon/06-08-19/Malware%20analysis%2006-08-19.md)<a name="Documents"></a>`
			`* Anyrun Links: <a name="Links-Anyrun"></a>`
			`+ [1426f88edaf207d2c62422f343209fae](https://app.any.run/tasks/8b718d6a-04c4-44fc-9afd-e0cffd1b626a)`
			`+ [a.exe](https://app.any.run/tasks/58d83fbe-36c9-4fad-9e21-9140207b6152)`