ch0ic3/CyberThreatIntel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update Analysis.md

Browse Source
This commit is contained in:
StrangerealIntel 2020-01-03 12:25:12 +01:00 committed by GitHub
parent f3c766a77a
commit 2911c117a5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
Additional Analysis/Terraloader/02-01-20/Analysis.md
View File

@ -15,7 +15,7 @@
<h2>Malware analysis <a name="Malware-analysis"></a></h2> <h2>Malware analysis <a name="Malware-analysis"></a></h2>
<h3>First layer<a name="first"></a></h3> <h3>First layer<a name="first"></a></h3>
<h6>This analysis presents a JavaScript loader (Terraloader) using many arrays, calculations and variables in memory for making harder the analysis and lowering the detection rate on antivirus. This loader has two stagers.</h6> <h6>This analysis presents a JavaScript loader (Terraloader) using many arrays, calculations and variables in memory for making harder the analysis and lowering the detection rate on antivirus. This loader has two stagers. this follows the analysis of <a href="https://twitter.com/VK_Intel">Vitali Kremez</a>(cf links [tweet + anyrun]).</h6>
<h6>The first block of the payload is the globals values used for decode the first layer, this gives the tab of values as key, the offset, the base of characters and the rest for initialized the variables used for the second stage.</h6> <h6>The first block of the payload is the globals values used for decode the first layer, this gives the tab of values as key, the offset, the base of characters and the rest for initialized the variables used for the second stage.</h6>
```javascript ```javascript
@ -653,7 +653,7 @@ function main()
|index|18| |index|18|
|offset|21| |offset|21|
|tab|[98,72,102,109,106,112,83,117,101,117,65,79,115,68,88,116,104,108,49,57,57]| |tab|[98,72,102,109,106,112,83,117,101,117,65,79,115,68,88,116,104,108,49,57,57]|
<h6>Once this done, this check again for be ensure that the process have been done and launch the second layer.</h6> <h6>Once this done, this check again for be ensure that the process have been done and launch the second layer.</h6>
```javascript ```javascript
@ -680,7 +680,7 @@ main();
``` ```
<h6>List of the main objects used for the second layer : </h6> <h6>List of the main objects used for the second layer : </h6>
|Variable|Role| |Variable|Role|
| :-------------: |:-------------:| | :-------------: |:-------------:|
|blawp868|Second layer payload| |blawp868|Second layer payload|
@ -1013,7 +1013,7 @@ CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US 259e2142575482b958a102a
<h6> Links Anyrun: <a name="Links-Anyrun"></a></h6> <h6> Links Anyrun: <a name="Links-Anyrun"></a></h6>
* [Job Description.js](https://app.any.run/tasks/1b909852-114b-4a4c-8b90-f36016501d6d) * [Job Description.js](https://app.any.run/tasks/1b909852-114b-4a4c-8b90-f36016501d6d)
* [frexjobs malicious site](https://app.any.run/tasks/d562b62c-3b2f-4cc1-b4df-29bd0d977c44)
<h6> Resources : </h6><a name="Ressources"></a> <h6> Resources : </h6><a name="Ressources"></a>
* [Analysis of TerraLoader sample from Vitali Kremez](https://twitter.com/VK_Intel/status/1211758023376592896) * [Analysis of TerraLoader sample from Vitali Kremez](https://twitter.com/VK_Intel/status/1211758023376592896)