CyberThreatIntel/Indian/APT/Patchwork/27-08-19/Malware analysis 27-08-19.md

# Malware analysis about sample of APT Patchwork
## Table of Contents
* [Malware analysis](#Malware-analysis)
  + [Initial vector](#Initial-vector)
* [Cyber Threat Intel](#Cyber-Threat-Intel)
* [Indicators Of Compromise (IOC)](#IOC)
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
* [Links](#Links)
  + [Original Tweet](#Original-Tweet)
  + [Link Anyrun](#Links-Anyrun)
  + [Documents](#Documents)

## Malware analysis <a name="Malware-analysis"></a>
### Initial vector <a name="Initial-vector"></a>
###### The initial vector is an INP file (format used for the software InPage) with the exploit cve-2017-12824, we can see here the 0x7E and 0x72 represent a class of type in the stream for use, an ole stream for launch the first binary file.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/Exploit.png "")
###### We can see on the strings on the dll, what extract the file in the temp folder and create a thread for the second PE file.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin1-String.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin1-CreateThread.png "")
###### On the entrypoint of the second PE, we can see the first action is to check the environment in using the anti-forensic technique by the CheckRemoteDebuggerPresent function.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin2-Entrypoint.png "")
###### Before go on the others function. We can see that the PE get the name of the user and create their persistence by an RunOnce key in the registry. (\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Putty explorer.exe CurrentUser C:\file.exe)

###### After this, this uses the CreateToolhelp32snapshot function for getting a snapshot of all the process an parsed it until this fall on the explorer process.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin2-Explorer.png "")
###### We can note this check with the IsProcessorFeaturePresent function, for check if and raise an exception for close the program.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin2-call.png "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin2-CheckDebug.png "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin2-CheckException.png "")
###### Once the check, this injects with a Process Hollowing for create a process for communicate with the C2 and wait to loader the next malware.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin2-AllocProcess.png "")
###### At the date of the submission in VT, the C2 is down and the next step can't be analysed.
## Cyber kill chain <a name="Cyber-kill-chain"></a>
###### The process graph resume the cyber kill chain used by the attacker.
![alt text]()
## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>
###### Firstly, we can observe that the payload seems be with the Professional version of Inpage (2.21). Inpage is currently used in Pakistan which is consistent with the fact that Patchwork is an Indian APT.
###### Secondly, we can note the same pdb path what the 360TI analysis.
###### The C2 is hosted on Amazon CloudFront :
|IP|Hostname|Route|ASN|Organization|Country|City|Region|Coordinates|
|:---------------:|:-------------:|:-------------:|:-------------:|:-------------:|:-------------:|:-------------:|:-------------:|:-------------:|
|99.84.194.39|server-99-84-194-39.lax3.r.cloudfront.net|99.84.194.0/23|AS16509|Amazon.com, Inc.|United States| Seattle| Washington|47.5400,-122.3030|
###### This payload is linked at one of the recent events :
* A Delegation of Pakistan Naval Academy visits Azerbaijan (5 April 2019)
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/Event1.png "")
* The visit of Pakistan Air Force Academy delegation in Azerbaijan (20 June 2019)
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/Event2.PNG "")
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
###### List of all the references with MITRE ATT&CK Matrix

|Enterprise tactics|Technics used|Ref URL|
| :---------------: |:-------------| :------------- |
|Execution|T1064 - Scripting|https://attack.mitre.org/techniques/T1064|
|Persistence|T1060 - Registry Run Keys / Startup Folder|https://attack.mitre.org/techniques/T1060|
|Defense Evasion|T1093 - Process Hollowing|https://attack.mitre.org/techniques/T1093|
|Discovery|T1087 - Account Discovery|https://attack.mitre.org/techniques/T1087|
##### Note: INP exploit hasn't a current category, the most near category found matching with it is Scripting.
## Indicators Of Compromise (IOC) <a name="IOC"></a>

###### List of all the Indicators Of Compromise (IOC)

| Indicator     | Description|
| ------------- |:-------------:|
|Azerbaijan delegation to pakistan.inp|c0eeddccddbf23844c5e479a3dcc30713b697fa83d7c13feb79ecff6603c1181|
|bin1.dll|078e316440a540ed8095d12f154770118e28ca67a32c0fcc514564982f79eaa2|
|bin2.exe|67923d0e9717aec0930ed0e4a3f84b5ba00dee9fc64774be452cee5aa782fbac|
|go.affec.tv|Domain requested|
|99.84.194.39|IP C2|
|go.affec.tv|Domain C2|
###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/IOC_Patchwork_09-09-19.json)	

## Links <a name="Links"></a>
###### Original tweet: [https://twitter.com/_jsoo_/status/1166353584923041798](https://twitter.com/_jsoo_/status/1166353584923041798) <a name="Original-Tweet"></a>
###### Links Anyrun: <a name="Links-Anyrun"></a>
* [Azerbaijan delegation to pakistan.inp](https://app.any.run/tasks/9a133077-a806-4e11-9e4a-711b8764b153/)
###### Documents: <a name="Documents"></a>
* [Recent InPage Exploits Lead to Multiple Malware Families](https://unit42.paloaltonetworks.com/unit42-recent-inpage-exploits-lead-multiple-malware-families/)
* [InPage zero-day exploit used to attack financial institutions in Asia](https://securelist.com/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/76717/)
* [Analysis Of Targeted Attack Against Pakistan By Exploiting InPage Vulnerability And Related APT Groups](https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/)
* [The CheckRemoteDebuggerPresent() anti-debugging technique](https://xorl.wordpress.com/2017/12/09/the-checkremotedebuggerpresent-anti-debugging-technique/)
Create Malware analysis 27-08-19.md 2019-09-06 22:04:29 +00:00			`# Malware analysis about sample of APT Patchwork`
			`## Table of Contents`
			`* [Malware analysis](#Malware-analysis)`
			`+ [Initial vector](#Initial-vector)`
			`* [Cyber Threat Intel](#Cyber-Threat-Intel)`
			`* [Indicators Of Compromise (IOC)](#IOC)`
			`* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)`
			`* [Links](#Links)`
			`+ [Original Tweet](#Original-Tweet)`
			`+ [Link Anyrun](#Links-Anyrun)`
			`+ [Documents](#Documents)`

			`## Malware analysis <a name="Malware-analysis"></a>`
			`### Initial vector <a name="Initial-vector"></a>`
Update Malware analysis 27-08-19.md 2019-09-09 13:05:33 +00:00			`###### The initial vector is an INP file (format used for the software InPage) with the exploit cve-2017-12824, we can see here the 0x7E and 0x72 represent a class of type in the stream for use, an ole stream for launch the first binary file.`
Update Malware analysis 27-08-19.md 2019-09-08 21:29:24 +00:00			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/Exploit.png "")`
Update Malware analysis 27-08-19.md 2019-09-09 13:05:33 +00:00			`###### We can see on the strings on the dll, what extract the file in the temp folder and create a thread for the second PE file.`
Update Malware analysis 27-08-19.md 2019-09-08 21:29:24 +00:00			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin1-String.PNG "")`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin1-CreateThread.png "")`
Update Malware analysis 27-08-19.md 2019-09-09 13:05:33 +00:00			`###### On the entrypoint of the second PE, we can see the first action is to check the environment in using the anti-forensic technique by the CheckRemoteDebuggerPresent function.`
Update Malware analysis 27-08-19.md 2019-09-09 01:24:42 +00:00			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin2-Entrypoint.png "")`
Update Malware analysis 27-08-19.md 2019-09-09 13:05:33 +00:00			`###### Before go on the others function. We can see that the PE get the name of the user and create their persistence by an RunOnce key in the registry. (\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Putty explorer.exe CurrentUser C:\file.exe)`
Create Malware analysis 27-08-19.md 2019-09-06 22:04:29 +00:00
Update Malware analysis 27-08-19.md 2019-09-09 13:05:33 +00:00			`###### After this, this uses the CreateToolhelp32snapshot function for getting a snapshot of all the process an parsed it until this fall on the explorer process.`
Update Malware analysis 27-08-19.md 2019-09-09 01:24:42 +00:00			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin2-Explorer.png "")`
			`###### We can note this check with the IsProcessorFeaturePresent function, for check if and raise an exception for close the program.`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin2-call.png "")`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin2-CheckDebug.png "")`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin2-CheckException.png "")`
Update Malware analysis 27-08-19.md 2019-09-09 13:05:33 +00:00			`###### Once the check, this injects with a Process Hollowing for create a process for communicate with the C2 and wait to loader the next malware.`
Update Malware analysis 27-08-19.md 2019-09-09 01:24:42 +00:00			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin2-AllocProcess.png "")`
			`###### At the date of the submission in VT, the C2 is down and the next step can't be analysed.`
Create Malware analysis 27-08-19.md 2019-09-06 22:04:29 +00:00			`## Cyber kill chain <a name="Cyber-kill-chain"></a>`
			`###### The process graph resume the cyber kill chain used by the attacker.`
			`![alt text]()`
			`## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>`
Update Malware analysis 27-08-19.md 2019-09-09 13:05:33 +00:00			`###### Firstly, we can observe that the payload seems be with the Professional version of Inpage (2.21). Inpage is currently used in Pakistan which is consistent with the fact that Patchwork is an Indian APT.`
			`###### Secondly, we can note the same pdb path what the 360TI analysis.`
Update Malware analysis 27-08-19.md 2019-09-09 01:24:42 +00:00			`###### The C2 is hosted on Amazon CloudFront :`
			`\|IP\|Hostname\|Route\|ASN\|Organization\|Country\|City\|Region\|Coordinates\|`
			`\|:---------------:\|:-------------:\|:-------------:\|:-------------:\|:-------------:\|:-------------:\|:-------------:\|:-------------:\|:-------------:\|`
			`\|99.84.194.39\|server-99-84-194-39.lax3.r.cloudfront.net\|99.84.194.0/23\|AS16509\|Amazon.com, Inc.\|United States\| Seattle\| Washington\|47.5400,-122.3030\|`
Update Malware analysis 27-08-19.md 2019-09-09 13:05:33 +00:00			`###### This payload is linked at one of the recent events :`
Update Malware analysis 27-08-19.md 2019-09-09 01:24:42 +00:00			`* A Delegation of Pakistan Naval Academy visits Azerbaijan (5 April 2019)`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/Event1.png "")`
			`* The visit of Pakistan Air Force Academy delegation in Azerbaijan (20 June 2019)`
			`![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/Event2.PNG "")`
Create Malware analysis 27-08-19.md 2019-09-06 22:04:29 +00:00			`## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>`
			`###### List of all the references with MITRE ATT&CK Matrix`

			`\|Enterprise tactics\|Technics used\|Ref URL\|`
			`\| :---------------: \|:-------------\| :------------- \|`
Update Malware analysis 27-08-19.md 2019-09-09 13:05:33 +00:00			`\|Execution\|T1064 - Scripting\|https://attack.mitre.org/techniques/T1064\|`
			`\|Persistence\|T1060 - Registry Run Keys / Startup Folder\|https://attack.mitre.org/techniques/T1060\|`
			`\|Defense Evasion\|T1093 - Process Hollowing\|https://attack.mitre.org/techniques/T1093\|`
			`\|Discovery\|T1087 - Account Discovery\|https://attack.mitre.org/techniques/T1087\|`
			`##### Note: INP exploit hasn't a current category, the most near category found matching with it is Scripting.`
Create Malware analysis 27-08-19.md 2019-09-06 22:04:29 +00:00			`## Indicators Of Compromise (IOC) <a name="IOC"></a>`

			`###### List of all the Indicators Of Compromise (IOC)`

			`\| Indicator \| Description\|`
			`\| ------------- \|:-------------:\|`
Update Malware analysis 27-08-19.md 2019-09-09 13:05:33 +00:00			`\|Azerbaijan delegation to pakistan.inp\|c0eeddccddbf23844c5e479a3dcc30713b697fa83d7c13feb79ecff6603c1181\|`
			`\|bin1.dll\|078e316440a540ed8095d12f154770118e28ca67a32c0fcc514564982f79eaa2\|`
			`\|bin2.exe\|67923d0e9717aec0930ed0e4a3f84b5ba00dee9fc64774be452cee5aa782fbac\|`
			`\|go.affec.tv\|Domain requested\|`
			`\|99.84.194.39\|IP C2\|`
			`\|go.affec.tv\|Domain C2\|`
			`###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/IOC_Patchwork_09-09-19.json)`
Create Malware analysis 27-08-19.md 2019-09-06 22:04:29 +00:00
			`## Links <a name="Links"></a>`
			`###### Original tweet: [https://twitter.com/_jsoo_/status/1166353584923041798](https://twitter.com/_jsoo_/status/1166353584923041798) <a name="Original-Tweet"></a>`
			`###### Links Anyrun: <a name="Links-Anyrun"></a>`
			`* [Azerbaijan delegation to pakistan.inp](https://app.any.run/tasks/9a133077-a806-4e11-9e4a-711b8764b153/)`
			`###### Documents: <a name="Documents"></a>`
			`* [Recent InPage Exploits Lead to Multiple Malware Families](https://unit42.paloaltonetworks.com/unit42-recent-inpage-exploits-lead-multiple-malware-families/)`
			`* [InPage zero-day exploit used to attack financial institutions in Asia](https://securelist.com/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/76717/)`
Update Malware analysis 27-08-19.md 2019-09-08 15:27:48 +00:00			`* [Analysis Of Targeted Attack Against Pakistan By Exploiting InPage Vulnerability And Related APT Groups](https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/)`
Update Malware analysis 27-08-19.md 2019-09-09 01:24:42 +00:00			`* [The CheckRemoteDebuggerPresent() anti-debugging technique](https://xorl.wordpress.com/2017/12/09/the-checkremotedebuggerpresent-anti-debugging-technique/)`