Update Malware analysis 25-08-19.md

StrangerealIntel 2019-08-25 16:46:10 +02:00 committed by GitHub
parent 9d926573a3
commit 51d03633f8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -20,8 +20,20 @@
###### Use in more at the function, strReverse for reverse the data. Finally, combine it and execute it with a Shell request. ###### Use in more at the function, strReverse for reverse the data. Finally, combine it and execute it with a Shell request.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Macro/macroCode.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Macro/macroCode.png "")
###### This use mshta command for download and execute the external content. The bitly URL go on the pastebin share and is the first stage. ###### This use mshta command for download and execute the external content. The bitly URL go on the pastebin share and is the first stage.
### First stage ### First stage <a name="First"></a>
###### The first stage executed on the computer is a js script who use nested unescape (3 times).
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20stage%201/Unescape1.PNG "")
###### At the 3th layer, we can see a vb script using some obfuscating methods (StrReverse, splited variables, multiples Wscript objects)
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20stage%201/Unescape3.PNG "")
###### Finally, the script kills the word, excel, publisher and powerpoint instances, add a persistence for re-executes this script for reinfecting the computer and create two schedule task for the second stage and close the hidden window. The persistence by Run key can look like useless but it used like an updating vector for change the TTPs or executing a kill switch on the operation.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20stage%201/VBcodefinal.PNG "")
### Second stage <a name="Second"></a>
###### The first pastebin use too a js script with with 3 layers of unescape and the previous obfuscating methods.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20stage%202/Unescape3.PNG "")
######
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20stage%202/VBcodefinal.PNG "")
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a> ## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
###### List of all the references with MITRE ATT&CK Matrix ###### List of all the references with MITRE ATT&CK Matrix
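Review bot: the added line that reads only `######`, just before the stage-2 `VBcodefinal.PNG` image, is an empty heading, so that screenshot is left with no explanation; either describe what the second-stage VBScript does once the three unescape layers are removed (the first-stage section does this for its `VBcodefinal.PNG`) or drop the empty heading. Wording fixes in the added lines: `3th layer` should read `3rd layer`, `splited variables` should read `split variables`, `with with 3 layers` repeats `with`, and `create two schedule task` should read `creates two scheduled tasks`. Since the Run key and the two scheduled tasks are the persistence a defender will hunt for, it would also help to state the task names, their triggers and the Run value alongside the screenshot rather than leaving them only in the image.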