Update Malware analysis 26-08-19.md

StrangerealIntel 2019-09-04 17:13:40 +02:00 committed by GitHub
parent 38d90b5106
commit 5606509e5c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -37,11 +37,31 @@ As anti-forensic method, a method which can know if determiner if a debugger is
###### Finally, we can observe a Wscript execution with a function splter which split for get a array of byte, convert to ASCII and after execute the script with execute call.
### JS Backdoor <a name="Backdoor"></a>
###### By the following PowerShell script, we can get the second layer that is the JS Backdoor.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/layer2.png "")
###### Firstly,
`C4BA3647<|>USER-PC<|>admin<|>Microsoft Windows 7 Professional <|>plus<|>nan-av<|>` (Here from the Anyrun sandbox)
###### We can note that the USB spread option isn't used on this sample.The structure of the reply to the C2 is the next :
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/layer2.png "")
###### Firstly, the script get the system informations about the system of the victim and send to one the list of C2 in the logical sense (not random call on the list of C2) with the suffix "/is-ready". The backdoor use a while loop for rest in communication with C2 by send pulse with the system information of the victim.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/FirstAnal.png "")
###### This send the data with the following structure to the C2 (Here from the Anyrun sandbox) :
`C4BA3647<|>USER-PC<|>admin<|>Microsoft Windows 7 Professional <|>plus<|>nan-av<|>`
###### We can note that the USB spread option isn't used on this sample. The structure of the reply to the C2 is the next :
`[volumeserialnumber]<|>[computername]<|>[username]<|>plus<|>[AV product (yes -> name or no ->nan-av)]<|>[usbspreading option (= "")]<|>`
###### In a second time, when a response of the C2 was given and use a swith structure for execute the command.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/secAnal.png "")
###### Now, we analyse all functions used by this switch. As first function, we can see a function used by others functions of the script and used for send the data to the C2.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/postfunc.PNG "")
###### We can observe after a group of functions who use the wql queries by the WMI for get the system informations, this is used by the attacker as profiling the victim.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/infofunc.PNG "")
###### After, a function is used by the attacker for download an executable file.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/downfunc.PNG "")
###### In the same idea for the attacker, a fonction which give the possiblity to read the bytes of files in a buffer and send it to the C2 is present.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/upfunc.PNG "")
###### The next function give to the attacker to have the list drives on the computer.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/listdrivesfunc.PNG "")
###### Another function can emumerate the paths of folders, files and to give in more the attributes of them.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/dirfunc.PNG "")
###### And third function is used for get the list of the process running in the computer.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/processfunc.PNG "")
###### The last function exit the process with a kill signal by taskkill call.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/exitfunc.PNG "")
###### We can resume the list of commands of the backdoor :
|Command|Description|
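Review bot: the four lines at the top of the hunk, from the dangling `###### Firstly,` through the second `layer2.png` image, read as a leftover partial edit that duplicates the finished text below them: the same image, the same Anyrun sample string `C4BA3647<|>USER-PC<|>admin<|>...` and the same "We can note that the USB spread option isn't used on this sample" sentence all reappear a few lines later; drop the first copy so the section is not repeated. The field template `[volumeserialnumber]<|>[computername]<|>[username]<|>plus<|>[AV product (yes -> name or no ->nan-av)]<|>[usbspreading option (= "")]<|>` also does not line up with the sample it describes, which carries an OS string (`Microsoft Windows 7 Professional`) between the username and `plus`; add an `[OS]` field at that position so the two agree field for field. Finally, both sentences call this "the structure of the reply to the C2" while the paragraph above says the backdoor sends it to the C2 with the `/is-ready` suffix, so "the structure of the data sent to the C2" would be the accurate wording.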