CyberThreatIntel/Unknown/Unknown phishing group/Analysis_29-09-2019.md

# Analysis about campaign of unknown phishing group (29-09-2019)
## Table of Contents
* [Malware analysis](#Malware-analysis)
  + [Initial vector](#Initial-vector)
* [Cyber Threat Intel](#Cyber-Threat-Intel)
* [Indicators Of Compromise (IOC)](#IOC)
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
* [Links](#Links)
  + [Original Tweet](#Original-Tweet)
  + [Link Anyrun](#Links-Anyrun)
  + [Documents](#Documents)

## Malware analysis <a name="Malware-analysis"></a>
### Initial vector <a name="Initial-vector"></a>
###### The initial vector 
![alt text](link "")
###### Liste des commands :
|Command|Description|
|:-------------:| :------------- |
|disconnect|Disconnect reverse shell|
|reboot|Reboot the computer|
|shutdown|Shutdown the computer|
|execute|Execute commands (cmd + PowerShell)|
|install-sdk|Install sdk tool for grabbing password for browser|
|get-pass|Grabbing the password of specific browser chosen by the attacker|
|get-pass-offline|Grabbing the password off all current browser|
|update|run update the version of the script|
|uninstall|Remove persistence +  close process|
|up-n-exec|"Download and execute an executable file (Fixed URL ->""send-to-me"")"|
|bring-log|upload the log of the js backdoor|
|down-n-exec|Download and execute an executable file (Custom URL )|
|filemanager|Kill the backdoor process + download an executable file (Custom URL)|
|rdp|Start rdp module|
|rev-proxy|Start reverse proxy module|
|exit-proxy|kill reverse proxy process|
|keylogger|Start keylogger module|
|offline-keylogger|Launch keylogger module with mod|
|browse-logs|Send the logs do by the backdoor|
|cmd-shell|Execute commands (cmd + PowerShell) [Write the output in a file, read it, delete it]|
|get-processes|Enumerates processes|
|disable-uac|Disable security settings (UAC + Defender)|
|check-eligible|Check existence of the file verified by the attacker|
|force-eligible|Check existence of the file verified by the attacker + elevated rights|
|elevate|Check elevated rights + runas for elevated the rights|
|if-elevate|Check elevated rights|
|kill-process|Kill a specific process (by taskkill)|
|Sleep|Hibernate process via a duration chosen by the attacker|


###### Liste des commands :

|Command|Description|
|:-------------:| :------------- |
|disconnect|Disconnect reverse shell|
|reboot|Reboot the computer|
|shutdown|Shutdown the computer|
|execute|Execute commands (cmd + PowerShell)|
|get-pass|Grabbing the password of specific browser chosen by the attacker|
|get-pass-offline|Grabbing the password off all current browser|
|update|run update the version of the script|
|uninstall|Remove persistence +  close process|
|up-n-exec|Download and execute an executable file (Fixed URL ->"send-to-me")|
|bring-log|upload the log of the js backdoor|
|down-n-exec|Download and execute an executable file (Custom URL )|
|filemanager|Kill the backdoor process + download an executable file (Custom URL)|
|rdp|Start rdp module|
|keylogger|Start keylogger module|
|offline-keylogger|Launch keylogger module with mod|
|browse-logs|Send the logs do by the backdoor|
|cmd-shell|Execute commands (cmd + PowerShell) [Write the output in a file, read it, delete it]|
|get-processes|Enumerates processes|
|disable-uac|Disable security settings (UAC + Defender)|
|elevate|Check elevated rights + runas for elevated the rights|
|if-elevate|Check elevated rights|
|kill-process|Kill a specific process (by taskkill)|
|Sleep|Hibernate process via a duration chosen by the attacker|


## Cyber kill chain <a name="Cyber-kill-chain"></a>
###### The process graph resume the cyber kill chain used by the attacker.
![alt text]()
## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
###### List of all the references with MITRE ATT&CK Matrix

|Enterprise tactics|Technics used|Ref URL|
| :---------------: |:-------------| :------------- |
||||
||||
||||

## Indicators Of Compromise (IOC) <a name="IOC"></a>

###### List of all the Indicators Of Compromise (IOC)

| Indicator     | Description|
| ------------- |:-------------:|
|||
||Domain requested|
||IP requested|
||HTTP/HTTPS requests||
||IP C2|
||Domain C2|
###### This can be exported as JSON format [Export in JSON]()	

## Links <a name="Links"></a>
###### Original tweet: [https://twitter.com/dvk01uk/status/1176483058058440705](https://twitter.com/dvk01uk/status/1176483058058440705) <a name="Original-Tweet"></a>
###### Links Anyrun: <a name="Links-Anyrun"></a>
* [TNT Collection Request BH7 297745.js](https://app.any.run/tasks/62990e45-e920-48b0-a3b3-9ce2e83f99dc)
* [BANK DETAILS CONFIRMATION_PDF.js](https://app.any.run/tasks/ec7c360a-5cd0-4cfc-b123-2f43fda77423)
* [vvvv.js](https://app.any.run/tasks/26647b54-0c71-4461-adee-765e926ab5fc)
###### Documents: <a name="Documents"></a>
* [Houdini Worm Transformed in New Phishing Attack - June 2019](https://cofense.com/houdini-worm-transformed-new-phishing-attack/)
Create Analysis_29-09-2019.md 2019-09-29 14:21:03 +00:00			`# Analysis about campaign of unknown phishing group (29-09-2019)`
			`## Table of Contents`
			`* [Malware analysis](#Malware-analysis)`
			`+ [Initial vector](#Initial-vector)`
			`* [Cyber Threat Intel](#Cyber-Threat-Intel)`
			`* [Indicators Of Compromise (IOC)](#IOC)`
			`* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)`
			`* [Links](#Links)`
			`+ [Original Tweet](#Original-Tweet)`
			`+ [Link Anyrun](#Links-Anyrun)`
			`+ [Documents](#Documents)`

			`## Malware analysis <a name="Malware-analysis"></a>`
			`### Initial vector <a name="Initial-vector"></a>`
Update Analysis_29-09-2019.md 2019-09-29 15:04:17 +00:00			`###### The initial vector`
Create Analysis_29-09-2019.md 2019-09-29 14:21:03 +00:00			`![alt text](link "")`
Update Analysis_29-09-2019.md 2019-09-29 22:29:36 +00:00			`###### Liste des commands :`
			`\|Command\|Description\|`
			`\|:-------------:\| :------------- \|`
			`\|disconnect\|Disconnect reverse shell\|`
			`\|reboot\|Reboot the computer\|`
			`\|shutdown\|Shutdown the computer\|`
			`\|execute\|Execute commands (cmd + PowerShell)\|`
			`\|install-sdk\|Install sdk tool for grabbing password for browser\|`
			`\|get-pass\|Grabbing the password of specific browser chosen by the attacker\|`
			`\|get-pass-offline\|Grabbing the password off all current browser\|`
			`\|update\|run update the version of the script\|`
			`\|uninstall\|Remove persistence + close process\|`
			`\|up-n-exec\|"Download and execute an executable file (Fixed URL ->""send-to-me"")"\|`
			`\|bring-log\|upload the log of the js backdoor\|`
			`\|down-n-exec\|Download and execute an executable file (Custom URL )\|`
			`\|filemanager\|Kill the backdoor process + download an executable file (Custom URL)\|`
			`\|rdp\|Start rdp module\|`
			`\|rev-proxy\|Start reverse proxy module\|`
			`\|exit-proxy\|kill reverse proxy process\|`
			`\|keylogger\|Start keylogger module\|`
			`\|offline-keylogger\|Launch keylogger module with mod\|`
			`\|browse-logs\|Send the logs do by the backdoor\|`
			`\|cmd-shell\|Execute commands (cmd + PowerShell) [Write the output in a file, read it, delete it]\|`
			`\|get-processes\|Enumerates processes\|`
			`\|disable-uac\|Disable security settings (UAC + Defender)\|`
			`\|check-eligible\|Check existence of the file verified by the attacker\|`
			`\|force-eligible\|Check existence of the file verified by the attacker + elevated rights\|`
			`\|elevate\|Check elevated rights + runas for elevated the rights\|`
			`\|if-elevate\|Check elevated rights\|`
			`\|kill-process\|Kill a specific process (by taskkill)\|`
			`\|Sleep\|Hibernate process via a duration chosen by the attacker\|`


			`###### Liste des commands :`

			`\|Command\|Description\|`
			`\|:-------------:\| :------------- \|`
			`\|disconnect\|Disconnect reverse shell\|`
			`\|reboot\|Reboot the computer\|`
			`\|shutdown\|Shutdown the computer\|`
			`\|execute\|Execute commands (cmd + PowerShell)\|`
			`\|get-pass\|Grabbing the password of specific browser chosen by the attacker\|`
			`\|get-pass-offline\|Grabbing the password off all current browser\|`
			`\|update\|run update the version of the script\|`
			`\|uninstall\|Remove persistence + close process\|`
			`\|up-n-exec\|Download and execute an executable file (Fixed URL ->"send-to-me")\|`
			`\|bring-log\|upload the log of the js backdoor\|`
			`\|down-n-exec\|Download and execute an executable file (Custom URL )\|`
			`\|filemanager\|Kill the backdoor process + download an executable file (Custom URL)\|`
			`\|rdp\|Start rdp module\|`
			`\|keylogger\|Start keylogger module\|`
			`\|offline-keylogger\|Launch keylogger module with mod\|`
			`\|browse-logs\|Send the logs do by the backdoor\|`
			`\|cmd-shell\|Execute commands (cmd + PowerShell) [Write the output in a file, read it, delete it]\|`
			`\|get-processes\|Enumerates processes\|`
			`\|disable-uac\|Disable security settings (UAC + Defender)\|`
			`\|elevate\|Check elevated rights + runas for elevated the rights\|`
			`\|if-elevate\|Check elevated rights\|`
			`\|kill-process\|Kill a specific process (by taskkill)\|`
			`\|Sleep\|Hibernate process via a duration chosen by the attacker\|`

Create Analysis_29-09-2019.md 2019-09-29 14:21:03 +00:00
			`## Cyber kill chain <a name="Cyber-kill-chain"></a>`
			`###### The process graph resume the cyber kill chain used by the attacker.`
			`![alt text]()`
			`## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>`
			`## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>`
			`###### List of all the references with MITRE ATT&CK Matrix`

			`\|Enterprise tactics\|Technics used\|Ref URL\|`
			`\| :---------------: \|:-------------\| :------------- \|`
			`\|\|\|\|`
			`\|\|\|\|`
			`\|\|\|\|`

			`## Indicators Of Compromise (IOC) <a name="IOC"></a>`

			`###### List of all the Indicators Of Compromise (IOC)`

			`\| Indicator \| Description\|`
			`\| ------------- \|:-------------:\|`
			`\|\|\|`
			`\|\|Domain requested\|`
			`\|\|IP requested\|`
			`\|\|HTTP/HTTPS requests\|\|`
			`\|\|IP C2\|`
			`\|\|Domain C2\|`
			`###### This can be exported as JSON format [Export in JSON]()`

			`## Links <a name="Links"></a>`
			`###### Original tweet: [https://twitter.com/dvk01uk/status/1176483058058440705](https://twitter.com/dvk01uk/status/1176483058058440705) <a name="Original-Tweet"></a>`
			`###### Links Anyrun: <a name="Links-Anyrun"></a>`
Update Analysis_29-09-2019.md 2019-09-29 22:29:36 +00:00			`* [TNT Collection Request BH7 297745.js](https://app.any.run/tasks/62990e45-e920-48b0-a3b3-9ce2e83f99dc)`
			`* [BANK DETAILS CONFIRMATION_PDF.js](https://app.any.run/tasks/ec7c360a-5cd0-4cfc-b123-2f43fda77423)`
			`* [vvvv.js](https://app.any.run/tasks/26647b54-0c71-4461-adee-765e926ab5fc)`
Create Analysis_29-09-2019.md 2019-09-29 14:21:03 +00:00			`###### Documents: <a name="Documents"></a>`
Update Analysis_29-09-2019.md 2019-09-29 22:29:36 +00:00			`* [Houdini Worm Transformed in New Phishing Attack - June 2019](https://cofense.com/houdini-worm-transformed-new-phishing-attack/)`