Update Malware analysis 06-08-19.md

Russia/APT/Gamaredon/06-08-19/Malware analysis 06-08-19.md

@@ -2,7 +2,7 @@
 ## Table of Contents
 * [Malware analysis](#Malware-analysis)
   + [Initial vector](#Initial-vector)
-  + [Bat and powershell script](#Bat)
+  + [VBS and Powershell script](#Vbs)
   + [Final PE](#PE)
   + [Cyber kill chain](#Cyber-kill-chain)
 * [Cyber Threat Intel](#Cyber-Threat-Intel)
@@ -31,17 +31,33 @@
 ##### Finally, this execute by call shell and runas the cmd file.
 ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/06-08-19/Images/RAR/runas.png "Runas capacity")
  
-### Bat and powershell script <a name="Bat"></a>
+### VBS and Powershell script <a name="Vbs"></a>
 
-###### Its create the vbs and ps1 file by redirection of the console output, a schedule task as persistence and execute the files.
-
-###### We can see on the obfuscated strings, that some patterns have been generated and randomized by a DOS obfuscate tool. The vbs file check the version of Word and disable some security features. The powershell file send the reconnaissance informations on the C2.
-###### Like observed with muddywater, this repeats until the group edit a URL with  the next payload if the target is interesting. 
+###### Its create the vbs and ps1 file by redirection of the console output. By the DOS commands, this create a schedule task as persistence, modify the proxy settings, execute the files, launch the fake document and delete all the files  as anti-forensic method. 
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/06-08-19/Images/CMDdetails.png "cmd file")
+###### The vbs file check the version of Word and disable some security features. 
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/06-08-19/Images/VBS.png "vbs file")
+###### The powershell script collect the system informations and edit the proxy seetings and the url send to the C2 with the GUID of the computer.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/06-08-19/Images/powershell.png "powershell file")
+###### We can see on the obfuscated strings, that some patterns have been generated and randomized by a DOS obfuscate tool.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/06-08-19/Images/obstool.png "Obfuscate strings")
+###### Like observed with muddywater group, this repeats until the group edit a URL with the next payload if the target is interesting. 
 
 ### Final PE <a name="PE"></a>
-###### This check the connectivity to internet by requesting the DNS of Google and use the shellscript.exe for try to download by the edited URL.
+###### We can see that the file have the capacity to parse a FTP share and perform the current action (upload/download)
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/06-08-19/Images/WGET/FTP.png "FTP Capacity")
+###### We can observe too that the payload can receive a proxy configuration and parse it too.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/06-08-19/Images/WGET/Proxy.png "Proxy Capacity")
+###### A progress bar can be observe wh o indicate that the PE can show the status of the operations
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/06-08-19/Images/WGET/Progressbar.png "Progress bar") 
+
 ###### This PE file uses the OpenSSL, SMTP, FTP and various algorithms libraries in C, this a compiled version of Wget. 
-###### This version of Wget is used on many campaigns of this group since 2017.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/06-08-19/Images/WGET/strings.png "List of crypto files")
+
+###### We can parse and see all the algoritms available for Wget
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/06-08-19/Images/WGET/listalogo.png "List of algoritms")
+
+###### This check the connectivity to internet by requesting the DNS of Google and use the shellscript.exe for try to download by the edited URL. This version of Wget is used on many campaigns of this group since 2017.
 
 ### Cyber kill chain <a name="Cyber-kill-chain"></a>
 
@@ -51,6 +67,8 @@
 ## Cyber Threat Intel<a name="Cyber-Threat-Intel"></a>
 
 ###### The C2 is host by a provider in Russia.This seems be a sample of the campaign of Gamaredon group in June 2018 by the very similar TTPs.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/06-08-19/Images/ip.png "Ip infos")
+ip.png
 ## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
 ###### List of all the references with MITRE ATT&CK Matrix
 
@@ -66,13 +84,17 @@
 
 ###### List of all the Indicators Of Compromise (IOC)
 | Indicator     | Description|
-| ------------- |:-------------:|
+| ------------- |:-------------|
 |02013f0c6767eb7f0538510ba6ede0103e797fa7b9bc2733d00e3710702fdf1c.scr|02013f0c6767eb7f0538510ba6ede0103e797fa7b9bc2733d00e3710702fdf1c|
+|FDGSKGN.vbs|630c0c86faf828bc4645526ca58b855d1a2db57cca0e406c1d5b7e2de88a1322|
+|PowerShellCertificates_C4BA3647.ps1|8f33ce796ee08525d32f5794ebd355914140e43e4b63e09b384dabda93a8b22c|
 |9856.txt|a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599|
 |176.57.215.22|IP C2|
 |http[:]//shell-create.ddns.net/|URL request|	
 |shell-create.ddns.net|Domain C2|
 
+###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/06-08-19/IOC_Gamaredon_06-08-19.json)	
+
 ## Links <a name="Links"></a>
 
 * Original tweet: https://twitter.com/Timele9527/status/1157458188792262656 <a name="Original-Tweet"></a>