ch0ic3/CyberThreatIntel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update Malware analysis.md

Browse Source
This commit is contained in:
StrangerealIntel 2019-09-23 15:27:31 +02:00 committed by GitHub
parent 3fae04de70
commit 59078fd8ad
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 13 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
Indian/APT/Donot/17-09-19/Malware analysis.md
View File

@ -5,7 +5,9 @@
+ [d2263c15dfcccfef16ecf1c1c9304064befddf49cdbbd40abd12513481d7faf7.doc](#malware2)
+ [01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx](#malware3)
+ [pk_17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc](#malware4)
+ [A1719.docx, INGOs Spending on Rohingyas.doc, Scan0012.docx](#malware5)
* [Cyber Threat Intel](#Cyber-Threat-Intel)
+ [Opendir analysis](#opendir)
* [Indicators Of Compromise (IOC)](#IOC)
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
* [Links](#Links)
@ -55,7 +57,7 @@
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Hijack.png "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/connect.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/WriteFile.PNG "")
### pk_17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc <a name="malware74"></a>
### pk_17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc <a name="malware4"></a>
###### This continue to use Template injection.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/inj.PNG "")
###### The RTF file dropped extract a js file, a dll and an exe file.
@ -63,11 +65,19 @@
###### The js file execute the dll and the exe file for bypass the UAC by the UACme tool. The backdoor is the same that the first sample.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/js.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/UAC.PNG "")
### A1719.docx, INGOs Spending on Rohingyas.doc, Scan0012.docx <a name="malware5"></a>
###### The TTPs is the same that the second sample for the last samples.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/5/Inj.png "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/5/RTFinfos.png "")
## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>
### Opendir analysis <a name="opendir"></a>
## Cyber kill chain <a name="Cyber-kill-chain"></a>
###### The process graph resume the cyber kill chain used by the attacker.
![alt text]()
## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
###### List of all the references with MITRE ATT&CK Matrix
@ -100,7 +110,7 @@
* [01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx](https://app.any.run/tasks/43bb63ce-4c78-4c1c-ae1d-a85b0106d983)
* [17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc](https://app.any.run/tasks/e194a69c-9e4e-4c7b-9e73-f6b144af95e1)
* [A1719.docx](https://app.any.run/tasks/524aff0c-2f82-4f03-8ad0-16928adcf1f2)
* [57ecda52cfb12afa08e84fe86cd61a95.zip](https://app.any.run/tasks/411a27d8-9b47-4f87-bd06-35d813ab1457)
* [INGOs Spending on Rohingyas.doc](https://app.any.run/tasks/411a27d8-9b47-4f87-bd06-35d813ab1457)
* [Scan0012.docx](https://app.any.run/tasks/f3397ba6-f8a0-46c5-b40f-f91bdfddc5db)
###### Opendir:
* [SecurityM Opendir](https://app.any.run/tasks/793250a3-e767-47a8-9042-fce7c89a0471)