Update Malware analysis 25-08-19.md

2019-08-25 18:17:41 +02:00 · 2019-08-25 18:17:41 +02:00 · 198c8b19d4
commit 198c8b19d4
parent 6a38c7813d
1 changed files with 16 additions and 2 deletions
--- a/Pakistan/APT/Gorgon/23-08-19/Malware
+++ b/Pakistan/APT/Gorgon/23-08-19/Malware
@ -4,6 +4,7 @@
  + [Initial vector](#Initial-vector)
  + [First stage](#First)
  + [Second stage](#Second)
  + [Loader + Frombook](#Loader)
  + [Cyber kill chain](#Cyber-kill-chain)
 * [Cyber Threat Intel](#Cyber-Threat-Intel)
 * [IOC](#IOC)
@ -32,8 +33,19 @@
 ### Second stage <a name="Second"></a>
 ###### The first pastebin use too a js script with with 3 layers of unescape and the previous obfuscating methods.
 ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20stage%202/Unescape3.PNG "")
-###### 
+###### we can observe two additionnal requested pastebin links, the first use the LoadWithPartialName funcion by Reflection Assembly in NET framework for download and execute raw hex data in memory, in addition, this execute an array of byte of the PE downloaded by a hijack of the calc program. The second pastebin link close the hidden window.
 ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20stage%202/VBcodefinal.PNG "")
 ### Loader + Frombook <a name="Loader"></a>
 #### Loader
 ###### The loader have one layer of obfuscation in using the getstring method for have the command and the data of the future dll.
 ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/tab.PNG "")
 ###### After this replace the caracters %_ by 0x with the replace function for get a valid array of hex bytes and execute it in memory.
 ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/layer2tab.PNG "")
 ###### The dll is protected with the ConfuserEx (1.0.0.0) protector, we can see the escaped caracters and the reference module.
 ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/confuserExref.png "")
 ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/confStrings.png "")
 ## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
 ###### List of all the references with MITRE ATT&CK Matrix
@ -59,4 +71,6 @@
 * Original tweet: https://twitter.com/Rmy_Reserve/status/1164405054746460161 <a name="Original-Tweet"></a>
 * Anyrun Link: [IMG76329797.xls](https://app.any.run/tasks/3cff3642-1d54-4a66-8f0d-256f0065479b)<a name="Links-Anyrun"></a>
-* Docs : [Gorgon analysis by Unit42](https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/) <a name="Documents"></a>
+* Docs :  <a name="Documents"></a>
 + [Gorgon analysis by Unit42](https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/)
 + [The Evolution of Aggah: From Roma225 to the RG Campaign ](https://securityaffairs.co/wordpress/89502/malware/evolution-aggah-roma225-campaign.html)