ch0ic3/CyberThreatIntel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update Malware analysis 26-08-19.md

Browse Source
This commit is contained in:
StrangerealIntel 2019-09-03 22:36:27 +02:00 committed by GitHub
parent dacc3c1927
commit 3f00bed01d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 19 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
Israel/APT/Unknown/26-08-19/Malware analysis 26-08-19.md
View File

@ -2,6 +2,7 @@
## Table of Contents
* [Malware analysis](#Malware-analysis)
+ [Initial vector](#Initial-vector)
+ [JS Backdoor](#Backdoor)
* [Cyber Threat Intel](#Cyber-Threat-Intel)
* [Indicators Of Compromise (IOC)](#IOC)
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
@ -12,8 +13,24 @@
## Malware analysis <a name="Malware-analysis"></a>
### Initial vector <a name="Initial-vector"></a>
###### The initial
![alt text](link "")
###### The initial vector use an SFX executable, who drop a lnk file for the persistence, a vbs file and the docx file for decoys the victim.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/strings.png "")
###### We can also note the multiples possiblities for push the persisitence and options.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/lnkfile.png "")
###### This execute the vbs file for push the persistence in the startup menu, hide it in changing these atributes and launch the persistence (lnk file)
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/VBScode.png "")
###### This download the VB script and execute it by mshta call.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/lnk.PNG "")
###### On the VB code, we can observed that use BITS fonctionality for download by a job the JS script to execute on the victim. Secondly, this check the architecture of the system and execute the correct path of wscript and push the windows out the screen.
### JS Backdoor <a name="Backdoor"></a>
###### We can observer that use function for decode the commands with a array of bytes.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/encodeJS.png "")
###### For decode the string , we use the next function used by the backdoor for decode the commands.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/decodeJS.png "")
###### You can now change the encoded commands.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/decStr.png "")
######
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/lay1dec.png "")
### Cyber kill chain <a name="Cyber-kill-chain"></a>
###### The process graph resume the cyber kill chain used by the attacker.