From 02a4233605686a66f9666265ef73f13da1db7566 Mon Sep 17 00:00:00 2001
From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com>
Date: Mon, 9 Sep 2019 03:24:42 +0200
Subject: [PATCH] Update Malware analysis 27-08-19.md
---
.../27-08-19/Malware analysis 27-08-19.md | 23 +++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/Indian/APT/Patchwork/27-08-19/Malware analysis 27-08-19.md b/Indian/APT/Patchwork/27-08-19/Malware analysis 27-08-19.md
index e58608c..f2806a3 100644
--- a/Indian/APT/Patchwork/27-08-19/Malware analysis 27-08-19.md
+++ b/Indian/APT/Patchwork/27-08-19/Malware analysis 27-08-19.md
@@ -17,11 +17,33 @@
###### We can see on the string on the dll, what extract the file in the temp folder in the create a thread for the second PE. file.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin1-String.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin1-CreateThread.png "")
+###### On the entrypoint of the second PE, we can see the first action is to check the environnement in using the anti-forensic technic by the CheckRemoteDebuggerPresent function.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin2-Entrypoint.png "")
+###### Before go on the others function, we can see that the PE get the name of the user and create their pesistence by an RunOnce key in the registry.
+###### After this, this use the CreateToolhelp32snapshot function for get a snapshot of all the process an parsed it until this fall on the explorer process
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin2-Explorer.png "")
+###### We can note this check with the IsProcessorFeaturePresent function, for check if and raise an exception for close the program.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin2-call.png "")
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin2-CheckDebug.png "")
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin2-CheckException.png "")
+###### Once the check, this inject it and create a process for communicate with the C2 and wait to loader the next malware.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/bin2-AllocProcess.png "")
+###### At the date of the submission in VT, the C2 is down and the next step can't be analysed.
## Cyber kill chain
###### The process graph resume the cyber kill chain used by the attacker.
![alt text]()
## Cyber Threat Intel
+###### Firstly, we can observe that the payload seem be with the Professional version of Inpage (2.21). Inpage is currently used in Pakistan which is consistent with the fact that Patchwork is an Indian APT.
+###### The C2 is hosted on Amazon CloudFront :
+|IP|Hostname|Route|ASN|Organization|Country|City|Region|Coordinates|
+|:---------------:|:-------------:|:-------------:|:-------------:|:-------------:|:-------------:|:-------------:|:-------------:|:-------------:|
+|99.84.194.39|server-99-84-194-39.lax3.r.cloudfront.net|99.84.194.0/23|AS16509|Amazon.com, Inc.|United States| Seattle| Washington|47.5400,-122.3030|
+###### This payload is linked at one of recent events:
+* A Delegation of Pakistan Naval Academy visits Azerbaijan (5 April 2019)
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/Event1.png "")
+* The visit of Pakistan Air Force Academy delegation in Azerbaijan (20 June 2019)
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/Images/Event2.PNG "")
## References MITRE ATT&CK Matrix
###### List of all the references with MITRE ATT&CK Matrix
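Review bot: the added `+######` analysis lines between `bin1-CreateThread.png` and `## Cyber kill chain` misspell the Windows API name and several words, and one sentence is left unfinished; please fix them so the indicators are searchable. `CreateToolhelp32snapshot` should be `CreateToolhelp32Snapshot` (the real export name), and `environnement`, `technic`, `pesistence`, `an parsed` read as `environment`, `technique`, `persistence`, `and parsed`. The sentence `We can note this check with the IsProcessorFeaturePresent function, for check if and raise an exception for close the program.` never says which processor feature is tested; name the feature constant visible in bin2-call.png or drop the "for check if" clause. Suggested rewording for the two process-flow lines:
`###### Before going on to the other functions, we can see that the PE gets the user name and creates its persistence with a RunOnce key in the registry.`
`###### After this, it uses CreateToolhelp32Snapshot to take a snapshot of all processes and walks it until it finds the explorer process.`
In the Cyber Threat Intel lines, `Inpage` is spelled `InPage` in the references; keep one spelling, and the `(2.21)` version claim should say where it was read from (document metadata or a string), since no screenshot in this hunk shows it. In the C2 table the hostname `server-99-84-194-39.lax3.r.cloudfront.net` is a CloudFront edge address shared with other CloudFront customers, and the City/Region columns (Seattle, Washington) do not match the `lax3` label in that hostname, so the geolocation columns should be treated as unreliable for this IP; the cloudfront.net hostname is the more useful indicator, and blocking the bare IP would affect unrelated CloudFront traffic. Minor: `CloudFront :` has a stray space before the colon, and the unchanged `![alt text]()` under `## Cyber kill chain` still has an empty image URL.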
@@ -53,3 +75,4 @@
* [Recent InPage Exploits Lead to Multiple Malware Families](https://unit42.paloaltonetworks.com/unit42-recent-inpage-exploits-lead-multiple-malware-families/)
* [InPage zero-day exploit used to attack financial institutions in Asia](https://securelist.com/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/76717/)
* [Analysis Of Targeted Attack Against Pakistan By Exploiting InPage Vulnerability And Related APT Groups](https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/)
+* [The CheckRemoteDebuggerPresent() anti-debugging technique](https://xorl.wordpress.com/2017/12/09/the-checkremotedebuggerpresent-anti-debugging-technique/)
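Review bot: the new reference covers only `CheckRemoteDebuggerPresent()`, while the analysis added in the first hunk also rests on `CreateToolhelp32Snapshot` and `IsProcessorFeaturePresent`; consider adding the vendor documentation pages for those two calls in the same `* [title](url)` style so each API named in the write-up has a citation.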