ch0ic3/CyberThreatIntel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update Malware analysis 26-08-19.md

Browse Source
This commit is contained in:
StrangerealIntel 2019-09-04 17:18:32 +02:00 committed by GitHub
parent 6844a9add6
commit 0b5f974965
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Israel/APT/Unknown/26-08-19/Malware analysis 26-08-19.md
View File

@ -35,9 +35,9 @@
As anti-forensic method, a method which can know if determiner if a debugger is present. As anti-forensic method, a method which can know if determiner if a debugger is present.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/zoomdebug.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/zoomdebug.PNG "")
###### Finally, we can observe a Wscript execution with a function splter which split for get a array of byte, convert to ASCII and after execute the script with execute call. ###### Finally, we can observe a Wscript execution with a function splter which split for get a array of byte, convert to ASCII and after execute the script with execute call.
### JS Backdoor <a name="Backdoor"></a>
###### By the following PowerShell script, we can get the second layer that is the JS Backdoor. ###### By the following PowerShell script, we can get the second layer that is the JS Backdoor.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/layer2.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/declayer.png "")
### JS Backdoor <a name="Backdoor"></a>
###### Firstly, the script get the system informations about the system of the victim and send to one the list of C2 in the logical sense (not random call on the list of C2) with the suffix "/is-ready". The backdoor use a while loop for rest in communication with C2 by send pulse with the system information of the victim. ###### Firstly, the script get the system informations about the system of the victim and send to one the list of C2 in the logical sense (not random call on the list of C2) with the suffix "/is-ready". The backdoor use a while loop for rest in communication with C2 by send pulse with the system information of the victim.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/FirstAnal.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/FirstAnal.png "")
###### This send the data with the following structure to the C2 (Here from the Anyrun sandbox) : ###### This send the data with the following structure to the C2 (Here from the Anyrun sandbox) :