From 2911c117a536eccc3d69dfac304eddcb1127730c Mon Sep 17 00:00:00 2001
From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com>
Date: Fri, 3 Jan 2020 12:25:12 +0100
Subject: [PATCH] Update Analysis.md
---
Additional Analysis/Terraloader/02-01-20/Analysis.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Additional Analysis/Terraloader/02-01-20/Analysis.md b/Additional Analysis/Terraloader/02-01-20/Analysis.md
index fb5b82c..9be7aa6 100644
--- a/Additional Analysis/Terraloader/02-01-20/Analysis.md
+++ b/Additional Analysis/Terraloader/02-01-20/Analysis.md
@@ -15,7 +15,7 @@
Malware analysis
First layer
-This analysis presents a JavaScript loader (Terraloader) using many arrays, calculations and variables in memory for making harder the analysis and lowering the detection rate on antivirus. This loader has two stagers.
+This analysis presents a JavaScript loader (Terraloader) using many arrays, calculations and variables in memory for making harder the analysis and lowering the detection rate on antivirus. This loader has two stagers. this follows the analysis of Vitali Kremez(cf links [tweet + anyrun]).
The first block of the payload is the globals values used for decode the first layer, this gives the tab of values as key, the offset, the base of characters and the rest for initialized the variables used for the second stage.
```javascript
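Review bot: the sentence appended to the intro line ("this follows the analysis of Vitali Kremez(cf links [tweet + anyrun]).") starts with a lowercase "this" and has no space before the parenthesis; it should read "This follows the analysis of Vitali Kremez (see the tweet and Any.run links in the Resources section)." so that the attribution points the reader to the actual references listed at the end of the document rather than to a bracketed placeholder. While this line is being touched, the untouched wording around it ("for making harder the analysis", "used for decode the first layer") would also benefit from a pass, e.g. "to make analysis harder and lower antivirus detection rates".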
@@ -653,7 +653,7 @@ function main()
|index|18|
|offset|21|
|tab|[98,72,102,109,106,112,83,117,101,117,65,79,115,68,88,116,104,108,49,57,57]|
-
+
Once this done, this check again for be ensure that the process have been done and launch the second layer.
```javascript
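Review bot: this hunk changes only a blank line, which in a unified diff means the difference is trailing whitespace on that line; it carries no Markdown meaning on an empty line and only adds noise to the history, so either drop it from the commit or run the file through a trailing-whitespace cleanup in one deliberate change. The same applies to the identical hunk at `@@ -680,7 +680,7 @@` below.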
@@ -680,7 +680,7 @@ main();
```
List of the main objects used for the second layer :
-
+
|Variable|Role|
| :-------------: |:-------------:|
|blawp868|Second layer payload|
@@ -1013,7 +1013,7 @@ CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US 259e2142575482b958a102a
Links Anyrun:
* [Job Description.js](https://app.any.run/tasks/1b909852-114b-4a4c-8b90-f36016501d6d)
-
+* [frexjobs malicious site](https://app.any.run/tasks/d562b62c-3b2f-4cc1-b4df-29bd0d977c44)
Resources :
* [Analysis of TerraLoader sample from Vitali Kremez](https://twitter.com/VK_Intel/status/1211758023376592896)
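Review bot: the new list item replaces the blank line that separated the "Links Anyrun" list from the "Resources :" heading line, so in CommonMark "Resources :" becomes a lazy continuation of the last bullet and renders inside the list item instead of as its own line; keep a blank line after `* [frexjobs malicious site](...)`. Also, the link text names a domain (frexjobs) that is described as malicious, so it should be listed with the other indicators of compromise in the document (defanged) if it is not already, and the item text could make clear that it links to the Any.run sandbox report of the site, not to the site itself.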