From 198c8b19d461c3ceb733843a0782332bd1c2eed7 Mon Sep 17 00:00:00 2001 From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com> Date: Sun, 25 Aug 2019 18:17:41 +0200 Subject: [PATCH] Update Malware analysis 25-08-19.md --- .../23-08-19/Malware analysis 25-08-19.md | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/Pakistan/APT/Gorgon/23-08-19/Malware analysis 25-08-19.md b/Pakistan/APT/Gorgon/23-08-19/Malware analysis 25-08-19.md index 8e13f1d..6ae93d2 100644 --- a/Pakistan/APT/Gorgon/23-08-19/Malware analysis 25-08-19.md +++ b/Pakistan/APT/Gorgon/23-08-19/Malware analysis 25-08-19.md @@ -4,6 +4,7 @@ + [Initial vector](#Initial-vector) + [First stage](#First) + [Second stage](#Second) + + [Loader + Frombook](#Loader) + [Cyber kill chain](#Cyber-kill-chain) * [Cyber Threat Intel](#Cyber-Threat-Intel) * [IOC](#IOC) 
@@ -32,8 +33,19 @@ ### Second stage ###### The first pastebin use too a js script with with 3 layers of unescape and the previous obfuscating methods. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20stage%202/Unescape3.PNG "") -###### +###### we can observe two additionnal requested pastebin links, the first use the LoadWithPartialName funcion by Reflection Assembly in NET framework for download and execute raw hex data in memory, in addition, this execute an array of byte of the PE downloaded by a hijack of the calc program. The second pastebin link close the hidden window. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20stage%202/VBcodefinal.PNG "") +### Loader + Frombook +#### Loader +###### The loader have one layer of obfuscation in using the getstring method for have the command and the data of the future dll. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/tab.PNG "") +###### After this replace the caracters %_ by 0x with the replace function for get a valid array of hex bytes and execute it in memory. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/layer2tab.PNG "") + +###### The dll is protected with the ConfuserEx (1.0.0.0) protector, we can see the escaped caracters and the reference module. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/confuserExref.png "") +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/confStrings.png "") + ## References MITRE ATT&CK Matrix ###### List of all the references with MITRE ATT&CK Matrix 
@@ -59,4 +71,6 @@ * Original tweet: https://twitter.com/Rmy_Reserve/status/1164405054746460161 * Anyrun Link: [IMG76329797.xls](https://app.any.run/tasks/3cff3642-1d54-4a66-8f0d-256f0065479b) -* Docs : [Gorgon analysis by Unit42](https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/) +* Docs : ++ [Gorgon analysis by Unit42](https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/) ++ [The Evolution of Aggah: From Roma225 to the RG Campaign ](https://securityaffairs.co/wordpress/89502/malware/evolution-aggah-roma225-campaign.html)
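Review bot: In the first hunk (`@@ -4,6 +4,7 @@`), the new table-of-contents entry `+ [Loader + Frombook](#Loader)` uses an anchor that is also the natural anchor of the `#### Loader` sub-heading added in the second hunk, so the link is ambiguous between the section and its sub-section; pick a distinct anchor for the section entry (for example one derived from the full heading text) and keep `#Loader` for the sub-heading. Please also confirm the spelling of the family name in both the TOC entry and the `### Loader + Frombook` heading: if this refers to the FormBook stealer, it should read Formbook in both places so the section can be found by search.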
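Review bot: In the second hunk (`@@ -32,8 +33,19 @@`), the added line describing the second stage states that `LoadWithPartialName` is used "for download and execute raw hex data in memory", but that method only resolves an assembly by partial name; the sentence should say which call performs the download and which one loads the decoded bytes, and "a hijack of the calc program" should name the technique actually observed (injection into a calc.exe process or something else) so a reader can map it to the MITRE section that follows. The new loader paragraphs read "The loader have one layer", "the getstring method for have the command", "replace the caracters %_ by 0x with the replace function for get a valid array"; suggested wording: "The loader has one layer of obfuscation: it uses the GetString method to obtain the command and the data of the DLL it drops" and "It then replaces the characters %_ with 0x using the Replace function to obtain a valid array of hex bytes, which it executes in memory." Other spelling fixes in the added lines: "additionnal" should be "additional", "funcion" should be "function", "caracters" should be "characters" (twice). Since the new text introduces a ConfuserEx-protected DLL as a separate stage, the DLL's hash belongs in the IOC section of the same document, and the images would benefit from alt text more descriptive than "alt text".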
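Review bot: In the third hunk (`@@ -59,4 +71,6 @@`), the two added reference lines start at column 0 (`+ [Gorgon analysis by Unit42]...` and `+ [The Evolution of Aggah...]`), so Markdown renders them as top-level bullets alongside `* Docs :` rather than nested under it; indent them by two spaces, as the table-of-contents entries in the first hunk are, so they appear as sub-items. The second link text also carries a trailing space before the closing bracket (`RG Campaign ]`), which should be removed, and `* Docs :` would read better as `* Docs:` to match the other bullets (`* Original tweet:`, `* Anyrun Link:`).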