ch0ic3/CyberThreatIntel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update Malware analysis.md

Browse Source
This commit is contained in:
StrangerealIntel 2019-09-23 17:13:12 +02:00 committed by GitHub
parent 55d872bab3
commit 5ff7dceef7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 28 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
Indian/APT/Donot/17-09-19/Malware analysis.md
View File

@ -72,6 +72,34 @@
## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>
### Opendir analysis <a name="opendir"></a>
###### We can note that the server are main hosted by DigitalOcean cloud provider.
|IP|URL|Opendir|ASN|Organization|Route|Coordinates|Country|
| :---------------: | :--------------- | :---------------: | :---------------: | :---------------: | :---------------: | :---------------: |:---------------: |
|178.62.188.63|hxxp[:]//en-content.com/SecurityM/EFILE|Yes|AS14061|DigitalOcean Amsterdam|178.62.128.0/18|52.3740,4.8897|Netherlands|
|178.62.186.233|hxxp[:]//bsodsupport.icu/ScanSecurity/XLSSN|Yes|AS14061|DigitalOcean Amsterdam|178.62.128.0/18|52.3740,4.8897|Netherlands|
|156.67.222.128|hxxp[:]//noitfication-office-client.890m.com/fcfdae-9dfc335ca-bd10/NHSORE/jjhl|No|AS47583|Hostinger International Limited|156.67.208.0/20|1.3667,103.8000|Singapore|
|159.89.104.38|hxxp[:]//plug.msplugin.icu/MicrosoftSecurityScan/DOCSDOC|No|AS14061|DigitalOcean, LLC|159.89.96.0/20|50.1155,8.6842|Germany|
|157.230.213.81|hxxp[:]//mscheck.icu/SecurityScan/XLSS|No|AS14061|DigitalOcean, LLC|157.230.208.0/20|40.8043,-74.0121|United States|
|146.185.139.134|hxxp[:]//sdn.host/MicrosoftSecurityScan/11MVEM1X|No|AS14061|DigitalOcean Amsterdam|146.185.128.0/19|52.3740,4.8897|Netherlands|
|146.185.139.134|hxxp[:]//sdn.host/MicrosoftSecurityScan/FRSI080222F|No|AS14061|DigitalOcean Amsterdam|146.185.128.0/19|52.3740,4.8897|Netherlands|
###### The group use multiple OS and Web Servers, this can be explained by two possible reasons. First, Donot can be multiple groups with differents levels of skills or the attacker have don't protect some servers due this used for weak interest targets.
|IP|URL|Opendir|Webserver|OS|
| :---------------: | :---------------: | :---------------: | :---------------: | :---------------: |
|178.62.188.63|hxxp[:]//en-content.com/SecurityM/EFILE|Yes|Apache|CentOS|
|178.62.186.233|hxxp[:]//bsodsupport.icu/ScanSecurity/XLSSN|Yes|Apache|CentOS|
|156.67.222.128|hxxp[:]//noitfication-office-client.890m.com/fcfdae-9dfc335ca-bd10/NHSORE/jjhl|No|LiteSpeed|CentOS|
|159.89.104.38|hxxp[:]//plug.msplugin.icu/MicrosoftSecurityScan/DOCSDOC|No|Apache|CentOS|
|157.230.213.81|hxxp[:]//mscheck.icu/SecurityScan/XLSS|No|Nginx ?|Ubuntu ?|
|146.185.139.134|hxxp[:]//sdn.host/MicrosoftSecurityScan/11MVEM1X|No|Nginx|Ubuntu|
|146.185.139.134|hxxp[:]//sdn.host/MicrosoftSecurityScan/FRSI080222F|No|Nginx|Ubuntu|
###### List of files on the opendir :
|IP|URL|Files|Date (Last modified)|Size|
| :---------------: | :---------------: | :---------------: | :---------------: |:---------------: |
|178.62.188.63|hxxp[:]//en-content.com/SecurityM/|DFILE<br>DFILE-<br>EFILE<br>EFILE-<br>LIN|2019-08-30 12:46<br>2019-08-29 12:05<br>2019-08-30 12:49<br>2019-08-29 12:19<br>2019-08-30 12:49|1.1M<br>1.1M<br>685K<br>685K<br>685K|
|178.62.186.233|hxxp[:]//bsodsupport.icu/ScanSecurity/|DOCS<br>DOCSN<br>DOCSN-1<br>XLSS<br>XLSSN<br>XLSSN-1|2019-08-16 08:17<br>2019-08-27 07:03<br>2019-08-22 08:52<br>2019-08-16 08:26<br>2019-08-28 06:39<br>2019-08-22 08:59|1.1M<br>1.1M<br>1.7M<br>697K<br>685K<br>885K|
###### We can confirm that the campaign have begin early August 2019 and reuse old tools.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/date.png "")
## Cyber kill chain <a name="Cyber-kill-chain"></a>
###### The process graph resume the cyber kill chain used by the attacker.