CyberThreatIntel/Pakistan/APT/Gorgon/09-09-19/Malware analysis 09-09-19.md

# [Update] New samples, same TTPs and accounts
## Table of Contents
* [Malware analysis](#Malware-analysis)
  + [Initial vector](#Initial-vector)
* [Cyber Threat Intel](#Cyber-Threat-Intel)
* [Indicators Of Compromise (IOC)](#IOC)
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
* [Links](#Links)
  + [Original Tweet](#Original-Tweet)
  + [Link Anyrun](#Links-Anyrun)
  + [Documents](#Documents)

## Malware analysis <a name="Malware-analysis"></a>
### Initial vector <a name="Initial-vector"></a>
###### The initial vector is an VBA macro from an Maldoc, this use two functions for obfuscated the main command.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/macro1.png "")
###### Once this removed, we can see that use the only command is  mshta for invoke the loader.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/Macro2.PNG "")
###### This web page use unescape (4 times) for use again mshta and redirect on the first pastebin.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/site.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/redirect1.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/redirect2.PNG "")
###### The first pastebin use again the escape function (and like all at pastebin shares).The first command of the Visual Basic script is to kill the following process (Word, Excel, Publisher and Powerpoint).
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/loader1.PNG "")
###### The second command create a persistence using another mshta for initate to to close the hidden window.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/loader1close.PNG "")
###### The third command execute a loader with two new pastebins. 
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P.png "")
###### The first share is a script using an array and the getbytes function for obfuscate the payload on two layers.
![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P1-1.png "")
![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P1-2.png "")
###### This execute a dll for load the second PE. This dll is the same than the last analysis and is  use as protector ConfuserEx.
![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P1-2C.png "")
###### The second Pastebin content the data to split for the second PE.
![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P2-1.png "")
###### The second PE load the old Delphi Azorult Stealer. We can confirm it in seeing quickly some features, here read the ihformations about the keyboard :
![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/Bin-Keyboard.PNG "")


## Cyber kill chain <a name="Cyber-kill-chain"></a>
###### The process graph resume the cyber kill chain used by the attacker.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/Cyberkillchain.png "")
## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
###### List of all the references with MITRE ATT&CK Matrix

|Enterprise tactics|Technics used|Ref URL|
| :---------------: |:-------------| :------------- |
||||
||||
||||

## Indicators Of Compromise (IOC) <a name="IOC"></a>

###### List of all the Indicators Of Compromise (IOC)

| Indicator     | Description|
| ------------- |:-------------:|
|||
||Domain requested|
||IP requested|
||HTTP/HTTPS requests||
||IP C2|
||Domain C2|
###### This can be exported as JSON format [Export in JSON]()	

## Links <a name="Links"></a>
###### Original tweet: [https://twitter.com/Rmy_Reserve/status/1171381881461338112](https://twitter.com/Rmy_Reserve/status/1171381881461338112) <a name="Original-Tweet"></a>
* [Ref previous analysis:](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/23-08-19/Malware%20analysis%2025-08-19.md)
###### Links Anyrun: <a name="Links-Anyrun"></a>
* [0ec07af14a5338805ed45bcc0a90b20811fd0c9b57ab0f5e1cfd97cd1696c1c2.xls](https://app.any.run/tasks/bb1279af-7fff-4b37-8439-7b303f113082)
* [PO # 8872521.xlt](https://app.any.run/tasks/ff27dd57-9484-4c1c-9a13-6eedf3ede657)
###### Documents: <a name="Documents"></a>
* [AZORult++: Rewriting history](https://securelist.com/azorult-analysis-history/89922/)
* [The AZORult Legacy Lives On. Hello AZORult++!](https://www.bleepingcomputer.com/news/security/the-azorult-legacy-lives-on-hello-azorult-/)
Update Malware analysis 09-09-19.md 2019-09-12 16:31:50 +00:00			`# [Update] New samples, same TTPs and accounts`
Create 09-09-19Malware analysis 09-09-19.md 2019-09-10 15:27:17 +00:00			`## Table of Contents`
			`* [Malware analysis](#Malware-analysis)`
			`+ [Initial vector](#Initial-vector)`
			`* [Cyber Threat Intel](#Cyber-Threat-Intel)`
			`* [Indicators Of Compromise (IOC)](#IOC)`
			`* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)`
			`* [Links](#Links)`
			`+ [Original Tweet](#Original-Tweet)`
			`+ [Link Anyrun](#Links-Anyrun)`
			`+ [Documents](#Documents)`

			`## Malware analysis <a name="Malware-analysis"></a>`
			`### Initial vector <a name="Initial-vector"></a>`
Update Malware analysis 09-09-19.md 2019-09-12 16:31:50 +00:00			`###### The initial vector is an VBA macro from an Maldoc, this use two functions for obfuscated the main command.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/macro1.png "")`
			`###### Once this removed, we can see that use the only command is mshta for invoke the loader.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/Macro2.PNG "")`
			`###### This web page use unescape (4 times) for use again mshta and redirect on the first pastebin.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/site.PNG "")`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/redirect1.PNG "")`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/redirect2.PNG "")`
			`###### The first pastebin use again the escape function (and like all at pastebin shares).The first command of the Visual Basic script is to kill the following process (Word, Excel, Publisher and Powerpoint).`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/loader1.PNG "")`
			`###### The second command create a persistence using another mshta for initate to to close the hidden window.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/loader1close.PNG "")`
			`###### The third command execute a loader with two new pastebins.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P.png "")`
			`###### The first share is a script using an array and the getbytes function for obfuscate the payload on two layers.`
			`![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P1-1.png "")`
			`![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P1-2.png "")`
			`###### This execute a dll for load the second PE. This dll is the same than the last analysis and is use as protector ConfuserEx.`
			`![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P1-2C.png "")`
			`###### The second Pastebin content the data to split for the second PE.`
			`![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P2-1.png "")`
			`###### The second PE load the old Delphi Azorult Stealer. We can confirm it in seeing quickly some features, here read the ihformations about the keyboard :`
			`![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/Bin-Keyboard.PNG "")`

Create 09-09-19Malware analysis 09-09-19.md 2019-09-10 15:27:17 +00:00
			`## Cyber kill chain <a name="Cyber-kill-chain"></a>`
			`###### The process graph resume the cyber kill chain used by the attacker.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/Cyberkillchain.png "")`
			`## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>`
			`## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>`
			`###### List of all the references with MITRE ATT&CK Matrix`

			`\|Enterprise tactics\|Technics used\|Ref URL\|`
			`\| :---------------: \|:-------------\| :------------- \|`
			`\|\|\|\|`
			`\|\|\|\|`
			`\|\|\|\|`

			`## Indicators Of Compromise (IOC) <a name="IOC"></a>`

			`###### List of all the Indicators Of Compromise (IOC)`

			`\| Indicator \| Description\|`
			`\| ------------- \|:-------------:\|`
			`\|\|\|`
			`\|\|Domain requested\|`
			`\|\|IP requested\|`
			`\|\|HTTP/HTTPS requests\|\|`
			`\|\|IP C2\|`
			`\|\|Domain C2\|`
			`###### This can be exported as JSON format [Export in JSON]()`

			`## Links <a name="Links"></a>`
			`###### Original tweet: [https://twitter.com/Rmy_Reserve/status/1171381881461338112](https://twitter.com/Rmy_Reserve/status/1171381881461338112) <a name="Original-Tweet"></a>`
			`* [Ref previous analysis:](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/23-08-19/Malware%20analysis%2025-08-19.md)`
			`###### Links Anyrun: <a name="Links-Anyrun"></a>`
			`* [0ec07af14a5338805ed45bcc0a90b20811fd0c9b57ab0f5e1cfd97cd1696c1c2.xls](https://app.any.run/tasks/bb1279af-7fff-4b37-8439-7b303f113082)`
			`* [PO # 8872521.xlt](https://app.any.run/tasks/ff27dd57-9484-4c1c-9a13-6eedf3ede657)`
			`###### Documents: <a name="Documents"></a>`
Update Malware analysis 09-09-19.md 2019-09-12 16:31:50 +00:00			`* [AZORult++: Rewriting history](https://securelist.com/azorult-analysis-history/89922/)`
			`* [The AZORult Legacy Lives On. Hello AZORult++!](https://www.bleepingcomputer.com/news/security/the-azorult-legacy-lives-on-hello-azorult-/)`