From 0b5f9749653de8a049ec95453ca48794c41ef9e8 Mon Sep 17 00:00:00 2001 From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com> Date: Wed, 4 Sep 2019 17:18:32 +0200 Subject: [PATCH] Update Malware analysis 26-08-19.md --- Israel/APT/Unknown/26-08-19/Malware analysis 26-08-19.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Israel/APT/Unknown/26-08-19/Malware analysis 26-08-19.md b/Israel/APT/Unknown/26-08-19/Malware analysis 26-08-19.md index 56c680d..32cb3fc 100644 --- a/Israel/APT/Unknown/26-08-19/Malware analysis 26-08-19.md +++ b/Israel/APT/Unknown/26-08-19/Malware analysis 26-08-19.md 
@@ -35,9 +35,9 @@ As anti-forensic method, a method which can know if determiner if a debugger is present. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/zoomdebug.PNG "") ###### Finally, we can observe a Wscript execution with a function splter which split for get a array of byte, convert to ASCII and after execute the script with execute call. -### JS Backdoor ###### By the following PowerShell script, we can get the second layer that is the JS Backdoor. -![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/layer2.png "") +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/declayer.png "") +### JS Backdoor ###### Firstly, the script get the system informations about the system of the victim and send to one the list of C2 in the logical sense (not random call on the list of C2) with the suffix "/is-ready". The backdoor use a while loop for rest in communication with C2 by send pulse with the system information of the victim. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/FirstAnal.png "") ###### This send the data with the following structure to the C2 (Here from the Anyrun sandbox) :
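Review bot: the added image line `+![alt text](.../Images/declayer.png "")` points at a file this patch does not add (the header lists only the .md file as changed, 2 insertions and 2 deletions), so please confirm that `Images/declayer.png` is already committed in the repository, otherwise the rendered page will show a broken image where the layer-2 screenshot used to be. While touching that line, replace the placeholder `alt text` and the empty `""` title with a short description (for example "decoded PowerShell layer") so the image is meaningful in text-only views, and apply the same to the `FirstAnal.png` and `zoomdebug.PNG` lines in the surrounding context. The relocation of `### JS Backdoor` below the PowerShell paragraph reads correctly, since that paragraph describes extracting the second layer rather than the backdoor itself; the unchanged context lines around it ("the script get the system informations", "send to one the list of C2", "for rest in communication") still have grammar issues that could be fixed in a follow-up.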