ch0ic3/CyberThreatIntel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update Malware analysis 27-08-19.md

Browse Source
This commit is contained in:
StrangerealIntel 2019-09-09 03:24:42 +02:00 committed by GitHub
parent b321ab5199
commit 02a4233605
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 23 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
Indian/APT/Patchwork/27-08-19/Malware analysis 27-08-19.md
View File

@ -17,11 +17,33 @@
###### We can see on the string on the dll, what extract the file in the temp folder in the create a thread for the second PE. file.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin1-String.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin1-CreateThread.png "")
###### On the entrypoint of the second PE, we can see the first action is to check the environnement in using the anti-forensic technic by the CheckRemoteDebuggerPresent function.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin2-Entrypoint.png "")
###### Before go on the others function, we can see that the PE get the name of the user and create their pesistence by an RunOnce key in the registry.
###### After this, this use the CreateToolhelp32snapshot function for get a snapshot of all the process an parsed it until this fall on the explorer process
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin2-Explorer.png "")
###### We can note this check with the IsProcessorFeaturePresent function, for check if and raise an exception for close the program.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin2-call.png "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin2-CheckDebug.png "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin2-CheckException.png "")
###### Once the check, this inject it and create a process for communicate with the C2 and wait to loader the next malware.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin2-AllocProcess.png "")
###### At the date of the submission in VT, the C2 is down and the next step can't be analysed.
## Cyber kill chain <a name="Cyber-kill-chain"></a>
###### The process graph resume the cyber kill chain used by the attacker.
![alt text]()
## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>
###### Firstly, we can observe that the payload seem be with the Professional version of Inpage (2.21). Inpage is currently used in Pakistan which is consistent with the fact that Patchwork is an Indian APT.
###### The C2 is hosted on Amazon CloudFront :
|IP|Hostname|Route|ASN|Organization|Country|City|Region|Coordinates|
|:---------------:|:-------------:|:-------------:|:-------------:|:-------------:|:-------------:|:-------------:|:-------------:|:-------------:|
|99.84.194.39|server-99-84-194-39.lax3.r.cloudfront.net|99.84.194.0/23|AS16509|Amazon.com, Inc.|United States| Seattle| Washington|47.5400,-122.3030|
###### This payload is linked at one of recent events:
* A Delegation of Pakistan Naval Academy visits Azerbaijan (5 April 2019)
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/Event1.png "")
* The visit of Pakistan Air Force Academy delegation in Azerbaijan (20 June 2019)
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/Event2.PNG "")
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
###### List of all the references with MITRE ATT&CK Matrix
@ -53,3 +75,4 @@
* [Recent InPage Exploits Lead to Multiple Malware Families](https://unit42.paloaltonetworks.com/unit42-recent-inpage-exploits-lead-multiple-malware-families/)
* [InPage zero-day exploit used to attack financial institutions in Asia](https://securelist.com/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/76717/)
* [Analysis Of Targeted Attack Against Pakistan By Exploiting InPage Vulnerability And Related APT Groups](https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/)
* [The CheckRemoteDebuggerPresent() anti-debugging technique](https://xorl.wordpress.com/2017/12/09/the-checkremotedebuggerpresent-anti-debugging-technique/)