Update Malware analysis 25-08-19.md

This commit is contained in:
StrangerealIntel 2019-08-26 16:55:12 +02:00 committed by GitHub
parent 335f1032b4
commit 5381150a63
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -64,6 +64,7 @@
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Frombook/useragent.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Frombook/useragent.png "")
##### This use a run key as persistence for the frombook module. ##### This use a run key as persistence for the frombook module.
##### Some features of Frombook form the cyberbit analysis can be observed in this analysis and the execution on the anyrun sandbox : ##### Some features of Frombook form the cyberbit analysis can be observed in this analysis and the execution on the anyrun sandbox :
* ###### Process Hollowing
* ###### Keystroke logging * ###### Keystroke logging
* ###### Clipboard monitoring * ###### Clipboard monitoring
* ###### HTTP/HTTPS/SPDY/HTTP2 form and network request grabbing * ###### HTTP/HTTPS/SPDY/HTTP2 form and network request grabbing
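Review bot: the new "Process Hollowing" item is the only entry in this feature list that nothing visible in the hunk backs up; the lead-in sentence names only the cyberbit analysis and the anyrun sandbox run as sources, so point to where the hollowing was observed (the sandbox process tree or the relevant part of the cyberbit write-up) next to the item, otherwise a reader cannot tell whether it was seen in this sample or only in the external report. While touching the block, the two context lines read "This use a run key" and "form the cyberbit analysis" and should be "This uses a run key" and "from the cyberbit analysis".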
@ -82,6 +83,34 @@
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/cyber.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/cyber.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/cyberfrom.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/cyberfrom.PNG "")
### Cyber Threat Intel<a name="Cyber-Threat-Intel"></a> ### Cyber Threat Intel<a name="Cyber-Threat-Intel"></a>
###### In the first time, we can note that all domains used as C2 contacts can be resolved.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/FakeC2domains.png "")
###### In the second time, if we reported all the domains for see if this registered in the WHOIS, we note again that some domains aren't be registered and used as fake domains. All the active domains are active in the last three months, that is match with the recent campaign since the June month.
|Domain|Status|
|:--------------- |:-------------|
|www.thedip.zone | not been registered yet|
|www.ycsfuoabdicating.review | not been registered yet|
|www.hongmenwenhua.com | registered but inused [Link](https://www.whois.com/whois/hongmenwenhua.com)|
|www.41230077.net | not been registered yet|
|www.1688jtn.com | not been registered yet|
|www.ichoubyou.net | registered and used [Link](https://www.whois.com/whois/ichoubyou.net) |
|www.grupomsi.com | unregistered / Domain to sale [Link](https://www.whois.com/whois/grupomsi.com)|
|www.qp0o1j3-dmv4kwncw8e.win | not been registered yet|
|www.klapki.online | not been registered yet|
|www.tourismmanagement.mba | not been registered yet|
|www.6474sss.com | not been registered yet|
|www.theaterloops.com | clientTransferProhibited [Link](https://www.whois.com/whois/theaterloops.com)|
|www.sukfat.com| clientTransferProhibited [Link](https://www.whois.com/whois/sukfat.com)|
#### The troubling case of the Hagga account
###### Like reported by me, the 15th May 2019 [(Link)](https://twitter.com/Arkbird_SOLG/status/1128696982783123457) after analysing the sample request of [JAMESWT_MHT](https://twitter.com/JAMESWT_MHT), this recurrent account have use pastebin as malware provider and drop many times different RAT and used each times the same tool obfuscating the strings with escape function and the "MySexoPhone" reference.
###### As reported by [Dodge This Security](https://twitter.com/shotgunner101) in this tweet [(link)](https://twitter.com/shotgunner101/status/1128753406259138560) and by cyberbit analysis some troubling timeline and malware used in the campaign and hosted by Hagga account. This can be proved this involvement in the Gorgon group.
###### Additionnal references :
* [HONKONE_K tweet about Gorgon group](https://twitter.com/HONKONE_K/status/1141181664296501252)
* [Revenge RAT dropped by Hagga account](https://twitter.com/Arkbird_SOLG/status/1159862633916506112)
* [Excel macro -> mshta bitly link -> AgentTesla dropped by Hagga account](https://twitter.com/jcarndt/status/1153678656784482304)
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a> ## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
###### List of all the references with MITRE ATT&CK Matrix ###### List of all the references with MITRE ATT&CK Matrix
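Review bot: the Status column of the new domain table mixes three kinds of value (a registration state such as "not been registered yet", the WHOIS/EPP status code "clientTransferProhibited", and the ambiguous "registered but inused"), so the rows are not comparable; pick one vocabulary (registered / not registered) and move "in use", "parked" or "for sale" into a second column. The grupomsi.com row is self-contradictory: it is marked "unregistered" but carries a WHOIS link and a "Domain to sale" note, and a parked domain offered for sale is a registered one. The sentence "All the active domains are active in the last three months" would be verifiable if the creation or update dates from those WHOIS records were added to the table. In the Hagga paragraph, "This can be proved this involvement in the Gorgon group" claims more than a timeline overlap and shared hosting establish; suggest "This supports the account's involvement in the Gorgon group". Minor wording: "In the first time" / "In the second time" should read "First" / "Second", "Like reported by me" should be "As reported by me", and "Additionnal" is "Additional".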