From 59078fd8ada1751cc38cf4ad06545d4b9eab523e Mon Sep 17 00:00:00 2001 From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com> Date: Mon, 23 Sep 2019 15:27:31 +0200 Subject: [PATCH] Update Malware analysis.md --- Indian/APT/Donot/17-09-19/Malware analysis.md | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/Indian/APT/Donot/17-09-19/Malware analysis.md b/Indian/APT/Donot/17-09-19/Malware analysis.md index f4d9c82..b54652f 100644 --- a/Indian/APT/Donot/17-09-19/Malware analysis.md +++ b/Indian/APT/Donot/17-09-19/Malware analysis.md @@ -5,7 +5,9 @@ + [d2263c15dfcccfef16ecf1c1c9304064befddf49cdbbd40abd12513481d7faf7.doc](#malware2) + [01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx](#malware3) + [pk_17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc](#malware4) + + [A1719.docx, INGOs Spending on Rohingyas.doc, Scan0012.docx](#malware5) * [Cyber Threat Intel](#Cyber-Threat-Intel) + + [Opendir analysis](#opendir) * [Indicators Of Compromise (IOC)](#IOC) * [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK) * [Links](#Links) @@ -55,7 +57,7 @@ ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Hijack.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/connect.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/WriteFile.PNG "") -### pk_17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc +### pk_17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc ###### This continue to use Template injection. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/inj.PNG "") ###### The RTF file dropped extract a js file, a dll and an exe file. @@ -63,11 +65,19 @@ ###### The js file execute the dll and the exe file for bypass the UAC by the UACme tool. The backdoor is the same that the first sample. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/js.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/UAC.PNG "") +### A1719.docx, INGOs Spending on Rohingyas.doc, Scan0012.docx +###### The TTPs is the same that the second sample for the last samples. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/5/Inj.png "") +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/5/RTFinfos.png "") + +## Cyber Threat Intel +### Opendir analysis ## Cyber kill chain ###### The process graph resume the cyber kill chain used by the attacker. ![alt text]() -## Cyber Threat Intel + + ## References MITRE ATT&CK Matrix ###### List of all the references with MITRE ATT&CK Matrix @@ -100,7 +110,7 @@ * [01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx](https://app.any.run/tasks/43bb63ce-4c78-4c1c-ae1d-a85b0106d983) * [17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc](https://app.any.run/tasks/e194a69c-9e4e-4c7b-9e73-f6b144af95e1) * [A1719.docx](https://app.any.run/tasks/524aff0c-2f82-4f03-8ad0-16928adcf1f2) -* [57ecda52cfb12afa08e84fe86cd61a95.zip](https://app.any.run/tasks/411a27d8-9b47-4f87-bd06-35d813ab1457) +* [INGOs Spending on Rohingyas.doc](https://app.any.run/tasks/411a27d8-9b47-4f87-bd06-35d813ab1457) * [Scan0012.docx](https://app.any.run/tasks/f3397ba6-f8a0-46c5-b40f-f91bdfddc5db) ###### Opendir: * [SecurityM Opendir](https://app.any.run/tasks/793250a3-e767-47a8-9042-fce7c89a0471)