From 2c38c3c1249af3a8c3f4aaa00291c2f97987eda4 Mon Sep 17 00:00:00 2001 From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com> Date: Sat, 31 Aug 2019 17:04:57 +0200 Subject: [PATCH] Update Malware analysis 31-08-19.md --- .../27-08-19/Malware analysis 31-08-19.md | 21 +++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md b/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md index b17e114..4bd7d19 100644 --- a/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md +++ b/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md @@ -2,6 +2,7 @@ ## Table of Contents * [Malware analysis](#Malware-analysis) + [Initial vector](#Initial-vector) + + [ArtraDownloader](#ArtraDownloader) * [Cyber Threat Intel](#Cyber-Threat-Intel) * [Indicators Of Compromise (IOC)](#IOC) * [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK) @@ -13,11 +14,27 @@ ## Malware-analysis ### Initial vector -###### Use a document with a remote template injection as initial vector. This download the +###### Use a document with a remote template injection as initial vector. This request http[:]//maq.com.pk/ for be redirected on the next URL. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/Extref.png "") - +###### This second URL (http[:]//maq.com.pk/wehsd) send a RTF exploit. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/HexRTF.png "") +###### This exploit execute firstly a request by WebDAV and after by WebClient service for download the backdoor on the final address (http[:]//maq.com.pk/wehs) and execute it. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/redirect.png "") +###### Here we can see the redirection and the data sended on the victim. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/trace.png "") +### ArtraDownloader +###### In the first, we can see some encoded string pushed on a function and the result is moved on another registry as storage for be used by the backdoor. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/str.png "") +###### In observing this function we can resume by the folowing algorithm used for decode these strings : for each byte of the string -> value of the byte -1 -> get Unicode value -> convert to char. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/dec.png "") +###### We can edit a script for decode the encoded string. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/algo.png "") +###### Now we can see the actions did by the malware. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/res.png "") +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/decstr.png "") ### Cyber kill chain ###### This process graph represents the cyber kill chain of Bitter sample. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/Cyber.png "") ### Cyber Threat Intel ## References MITRE ATT&CK Matrix