ch0ic3/CyberThreatIntel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update Analysis_2020-02-08.md

Browse Source
This commit is contained in:
StrangerealIntel 2020-02-13 00:49:44 +01:00 committed by GitHub
parent 618e617ec8
commit 0496b0931c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 79 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

84
Additional Analysis/Neutrino/Analysis_2020-02-08.md
View File

@ -240,6 +240,12 @@ End Sub
<h3>The loader<a name="loader"></a></h3> <h3>The loader<a name="loader"></a></h3>
<h6>After loaded in memory, this delete himself by a concated command with a ping command</h6>
```winbatch
cmd.exe /a /c ping 127.0.0.1 -n 3&del "%PROGRAMFILES(X86)%\Memsys\ms.exe"
```
<h6>The loader creates a mutex with a name that is hardcoded in the binary:"Z0BAZwxx" ,we can note too that the loader add two rules in the firewall on the victim.</h6> <h6>The loader creates a mutex with a name that is hardcoded in the binary:"Z0BAZwxx" ,we can note too that the loader add two rules in the firewall on the victim.</h6>
```asm ```asm
@ -257,12 +263,15 @@ End Sub
0x00404e5e push esi 0x00404e5e push esi
``` ```
<h6>This push a run key for the persistence for the implant :<br/><br/> <h6>This push a run key for the persistence for the implant :</h6>
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run<br/>
Name: [a-z]{5}_32.exe/[a-z]{5}.exe [x86/x64]<br/>
Path: C:\Users\admin\AppData\Roaming\Z0BAZwxx\{Filename}<br/><br/>
The name of the mutex is also used for the name of folder in Appdata.</h6>
```winbatch
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Name: [a-z]{5}_32.exe/[a-z]{5}.exe [x86/x64]<br/>
Path: C:\Users\admin\AppData\Roaming\Z0BAZwxx\{Filename}
```
<h6>The name of the mutex is also used for the name of folder in Appdata.</h6>
<h6>The loader use a xor for get the final implant.</h6> <h6>The loader use a xor for get the final implant.</h6>
```asm ```asm
@ -300,6 +309,70 @@ The name of the mutex is also used for the name of folder in Appdata.</h6>
<h3>Final Implant<a name="Final"></a></h3> <h3>Final Implant<a name="Final"></a></h3>
<h6>The implant use multiples method for anti-VM and sandbox :</h6>
<ul>
<li><h6>Use the couple of functions {CreateToolhelp32Snapshot Process32First Process32Next} for list the processs and compare to a blacklist. In addition this check the list with checksum </h6></li>
``` asm
0xB1CBC652
0x46EE4F10
0x583EB7E8
0xC03EAA65
0x6D3E6FDD
0x47000343
0xC608982D
0x6169078A
0xF6EC4B30
```
<li><h6>Use the couple of functions {CreateToolhelp32Snapshot Process32First Process32Next} for list of the modules of the processs and compare to another blacklist.</h6></li>
``` asm
0xAC12B9FB
0x5B747561
0x53309C85
0xE53ED522
0xC106E17B
0x5608BCC4
0x6512F9D0
0xC604D52A
0x4D0651A5
0x1C669D6A
0xC2F56A18
```
<li><h6>Check if the VboxGuest is present in using QueryDosDevices</h6></li>
<li><h6>Check if the debugger is present by the couple of function {IsDebuggerPresent - CheckRemoteDebuggerPresent}</h6></li>
<li><h6>Check the delta of the time by {GetTickCount Sleep GetTickCount}</h6></li>
<li><h6>Use GetClassName of each result of EnumWindows (Enumate all windows in the screen) for check the blacklist class</h6></li>
``` asm
0xCF388E01
0xD486D951
0x39177889
0x6689BB92
0x3C5FF312
0xFE9EA0D5
0x6D3FA1CA
0x9B5A88D9
0x4B4576B5
0xAED304FC
0x225FD98F
```
</ul>
<h6>The list of the IP to contact are hardcoded in base64.</h6>
<h6>This can perform the following actions :</h6>
<ul>
<li><h6>Take screenshot</h6></li>
<li><h6>Capture keystrokes</h6></li>
<li><h6>Download and execute additionnal payload</h6></li>
<li><h6>DDoS attacks</h6></li>
<li><h6>Spoof the DNS requests</h6></li>
</ul>
<h2> Cyber kill chain <a name="Cyber-kill-chain"></a></h2> <h2> Cyber kill chain <a name="Cyber-kill-chain"></a></h2>
<h6>The process graph resume cyber kill chains used by the attacker :</h6> <h6>The process graph resume cyber kill chains used by the attacker :</h6>
<p align="center"> <p align="center">
@ -334,5 +407,6 @@ The name of the mutex is also used for the name of folder in Appdata.</h6>
* [Encode64 / Decode64 in VB.NET](https://stackoverflow.com/questions/12879661/encode64-decode64-in-vb-net) * [Encode64 / Decode64 in VB.NET](https://stackoverflow.com/questions/12879661/encode64-decode64-in-vb-net)
* [New Neutrino Bot comes in a protective loader](https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/) * [New Neutrino Bot comes in a protective loader](https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/)
* [Checksum calculator (from NeutrinoBot Loader)](https://gist.github.com/hasherezade/aefabdb9a67193ef05c93228a78c20c6#file-checksum-cpp)
* [URLhaus Neutrino](https://urlhaus.abuse.ch/browse/tag/Neutrino/) * [URLhaus Neutrino](https://urlhaus.abuse.ch/browse/tag/Neutrino/)
* [VB2019 paper: Rich Headers: leveraging this mysterious artifact of the PE format](https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/) * [VB2019 paper: Rich Headers: leveraging this mysterious artifact of the PE format](https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/)