From 5b2e052109275cfd83db4acab6fdc7a3c4a4d45b Mon Sep 17 00:00:00 2001 From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com> Date: Sun, 6 Oct 2019 23:58:20 +0200 Subject: [PATCH] Update Malware Analysis 04-10-2019.md --- .../04-10-2019/Malware Analysis 04-10-2019.md | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/cybercriminal groups/TA505/04-10-2019/Malware Analysis 04-10-2019.md b/cybercriminal groups/TA505/04-10-2019/Malware Analysis 04-10-2019.md index e23a158..73ee002 100644 --- a/cybercriminal groups/TA505/04-10-2019/Malware Analysis 04-10-2019.md +++ b/cybercriminal groups/TA505/04-10-2019/Malware Analysis 04-10-2019.md @@ -10,6 +10,7 @@ + [Documents](#Documents) ## Malware analysis +### Current loader used by the group ###### The inital vector is a malicious excel file who used a XLM macro (macro v4). This use an function for launch the payload when the excel windows is active (selected as primary window). As first action, this execute the module 1. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/Autoopen.PNG) ###### The function call in Module 1 create a Wscript object for change the current directory, show the fake message and push debug messages. 
@@ -22,7 +23,38 @@ ###### As anti-forensic technique, this delete the files by call of kill functions. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/Module2-2.PNG) ###### We can note that a function is unused and seem to be a rest of the development of the macro. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/Test.PNG) +###### The implant executed push all in memory with a call of VirtualAlloc function. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/implant/pushmemory.PNG) +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/implant/virt.PNG) +###### Once this, this check the system informations, the process executed on the computer and try to detect if this run in a sandbox (low size of the disk). +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/implant/getinfos.PNG) +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/implant/detectsize.PNG) +###### This send the informations to the C2 and wait the next instruction of the group. 
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/implant/connect.PNG) +###### We can list the informations send in the following variables : +|Variables|Description| +|:-------------:|:-------------| +|&D=|Name of the computer| +|&U=|Name of the user| +|&OS=|Version of the OS| +|&PR=|List of process (separed by %7C)| + +###### And is presented this way (extracted from sandbox): + +``&D=User-PC&U=admin&OS=6.1&PR=Dwm.exe%7CEXCEL.EXE%7CExplorer.EXE%7Ctaskhost.exe%7Cwindanr.exe%7C`` + +###### That interesting to note that the group get only the process for see if the victim have security messures (AV, endpoint...) before launch the next step, that can be in the logic of the lastest analysis of the group to used clop ransomware. +The change currently the trust certificate for bypass the security messures, we can observed on the analysis of [VK_Intel](https://twitter.com/vk_intel) : +* [https://twitter.com/VK_Intel/status/1162810558774747137](https://twitter.com/VK_Intel/status/1162810558774747137) +* [https://twitter.com/VK_Intel/status/1157761784582983685](https://twitter.com/VK_Intel/status/1157761784582983685) +* [https://twitter.com/VK_Intel/status/1157742218549039105](https://twitter.com/VK_Intel/status/1157742218549039105) +* [https://twitter.com/VK_Intel/status/1155381658746589185](https://twitter.com/VK_Intel/status/1155381658746589185) +* [https://twitter.com/VK_Intel/status/1145041163839266823](https://twitter.com/VK_Intel/status/1145041163839266823) +* [https://twitter.com/VK_Intel/status/1136069755222335490](https://twitter.com/VK_Intel/status/1136069755222335490) + +### ## Cyber kill chain ###### The process graphs resume all the cyber kill chains used by the attacker. ![alt text]()
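Review bot: the new `### Current loader used by the group` heading added in the first hunk has no matching entry in the table of contents whose last item (`+ [Documents](#Documents)`) appears in that hunk's context, so readers navigating from the list will not find the subsection; either add a corresponding anchor entry or state that the list is deliberately limited to `##` sections. Separately, "Current" is relative to the 04-10-2019 date in the file name and will read as stale once the group changes loaders; consider naming the sample or adding the date to the heading text.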
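Review bot: the added line `+### ` just before the `## Cyber kill chain` context line is a heading with no title and will render as an empty heading (or a stray `###` in stricter renderers); drop it or give it a title. In the variables table, `|&PR=|List of process (separed by %7C)|` has a typo ("separated") and should spell out that `%7C` is the URL-encoded pipe character, since anyone writing a detection on the raw beacon string needs to know the actual delimiter. The sandbox check described only as `(low size of the disk)` would be more useful to defenders if the text stated the disk-size threshold the implant compares against, if that value is visible in the `detectsize.PNG` screenshot. Finally, the sentence `The change currently the trust certificate for bypass the security messures, we can observed on the analysis of [VK_Intel]` is hard to parse (who changes which certificate, and to bypass what?); reword it, and give each of the six Twitter status links a one-line description of what it shows, as bare status URLs carry no information once the tweets are gone.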