Update Malware analysis.md

StrangerealIntel 2019-09-23 17:13:12 +02:00 committed by GitHub
parent 55d872bab3
commit 5ff7dceef7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -72,6 +72,34 @@
## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a> ## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>
### Opendir analysis <a name="opendir"></a> ### Opendir analysis <a name="opendir"></a>
###### We can note that the server are main hosted by DigitalOcean cloud provider.
|IP|URL|Opendir|ASN|Organization|Route|Coordinates|Country|
| :---------------: | :--------------- | :---------------: | :---------------: | :---------------: | :---------------: | :---------------: |:---------------: |
|178.62.188.63|hxxp[:]//en-content.com/SecurityM/EFILE|Yes|AS14061|DigitalOcean Amsterdam|178.62.128.0/18|52.3740,4.8897|Netherlands|
|178.62.186.233|hxxp[:]//bsodsupport.icu/ScanSecurity/XLSSN|Yes|AS14061|DigitalOcean Amsterdam|178.62.128.0/18|52.3740,4.8897|Netherlands|
|156.67.222.128|hxxp[:]//noitfication-office-client.890m.com/fcfdae-9dfc335ca-bd10/NHSORE/jjhl|No|AS47583|Hostinger International Limited|156.67.208.0/20|1.3667,103.8000|Singapore|
|159.89.104.38|hxxp[:]//plug.msplugin.icu/MicrosoftSecurityScan/DOCSDOC|No|AS14061|DigitalOcean, LLC|159.89.96.0/20|50.1155,8.6842|Germany|
|157.230.213.81|hxxp[:]//mscheck.icu/SecurityScan/XLSS|No|AS14061|DigitalOcean, LLC|157.230.208.0/20|40.8043,-74.0121|United States|
|146.185.139.134|hxxp[:]//sdn.host/MicrosoftSecurityScan/11MVEM1X|No|AS14061|DigitalOcean Amsterdam|146.185.128.0/19|52.3740,4.8897|Netherlands|
|146.185.139.134|hxxp[:]//sdn.host/MicrosoftSecurityScan/FRSI080222F|No|AS14061|DigitalOcean Amsterdam|146.185.128.0/19|52.3740,4.8897|Netherlands|
###### The group use multiple OS and Web Servers, this can be explained by two possible reasons. First, Donot can be multiple groups with differents levels of skills or the attacker have don't protect some servers due this used for weak interest targets.
|IP|URL|Opendir|Webserver|OS|
| :---------------: | :---------------: | :---------------: | :---------------: | :---------------: |
|178.62.188.63|hxxp[:]//en-content.com/SecurityM/EFILE|Yes|Apache|CentOS|
|178.62.186.233|hxxp[:]//bsodsupport.icu/ScanSecurity/XLSSN|Yes|Apache|CentOS|
|156.67.222.128|hxxp[:]//noitfication-office-client.890m.com/fcfdae-9dfc335ca-bd10/NHSORE/jjhl|No|LiteSpeed|CentOS|
|159.89.104.38|hxxp[:]//plug.msplugin.icu/MicrosoftSecurityScan/DOCSDOC|No|Apache|CentOS|
|157.230.213.81|hxxp[:]//mscheck.icu/SecurityScan/XLSS|No|Nginx ?|Ubuntu ?|
|146.185.139.134|hxxp[:]//sdn.host/MicrosoftSecurityScan/11MVEM1X|No|Nginx|Ubuntu|
|146.185.139.134|hxxp[:]//sdn.host/MicrosoftSecurityScan/FRSI080222F|No|Nginx|Ubuntu|
###### List of files on the opendir :
|IP|URL|Files|Date (Last modified)|Size|
| :---------------: | :---------------: | :---------------: | :---------------: |:---------------: |
|178.62.188.63|hxxp[:]//en-content.com/SecurityM/|DFILE<br>DFILE-<br>EFILE<br>EFILE-<br>LIN|2019-08-30 12:46<br>2019-08-29 12:05<br>2019-08-30 12:49<br>2019-08-29 12:19<br>2019-08-30 12:49|1.1M<br>1.1M<br>685K<br>685K<br>685K|
|178.62.186.233|hxxp[:]//bsodsupport.icu/ScanSecurity/|DOCS<br>DOCSN<br>DOCSN-1<br>XLSS<br>XLSSN<br>XLSSN-1|2019-08-16 08:17<br>2019-08-27 07:03<br>2019-08-22 08:52<br>2019-08-16 08:26<br>2019-08-28 06:39<br>2019-08-22 08:59|1.1M<br>1.1M<br>1.7M<br>697K<br>685K<br>885K|
###### We can confirm that the campaign have begin early August 2019 and reuse old tools.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/date.png "")
## Cyber kill chain <a name="Cyber-kill-chain"></a> ## Cyber kill chain <a name="Cyber-kill-chain"></a>
###### The process graph resume the cyber kill chain used by the attacker. ###### The process graph resume the cyber kill chain used by the attacker.
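Review bot: the three `######` prose lines added in this hunk need a grammar pass, and the dating claim at the end of the hunk should name the evidence it rests on. "We can note that the server are main hosted by DigitalOcean cloud provider" reads better as "We can note that the servers are mainly hosted by the DigitalOcean cloud provider"; the second prose line announces "two possible reasons" but only gives "First, ... or ...", so spell both out, for example "First, Donot may be several groups with different skill levels; second, the attackers may not bother protecting servers used against low-value targets." The closing line "We can confirm that the campaign have begin early August 2019 and reuse old tools" should read "began in early August 2019 and reuses old tools", and since the earliest Last-modified timestamp in the file listing is 2019-08-16, the opendir listing alone does not support an early-August start; state that the date comes from the date.png timeline (or whichever artifact it is) so the reader can check it. Two smaller points on the tables and the figure: the "Nginx ?" and "Ubuntu ?" cells for 157.230.213.81 should be marked as unconfirmed in a consistent way (e.g. "Nginx (unconfirmed)") or the fingerprinting source noted, and the image uses the placeholder alt text "alt text" with an empty title, where a descriptive alt such as "Timeline of opendir file dates" would help.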