Update Analysis_2020-02-08.md

This commit is contained in:
StrangerealIntel 2020-02-12 23:33:08 +01:00 committed by GitHub
parent a7423a9db2
commit 618e617ec8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -3,8 +3,7 @@
* [Malware analysis](#Malware-analysis)
+ [The initial vector](#Initial)
+ [Loader](#loader)
* [Threat Intelligence](#Intel)
+ [](#Sub_Intel)
+ [Final Implant](#Final)
* [Cyber kill chain](#Cyber-kill-chain)
* [Indicators Of Compromise (IOC)](#IOC)
* [Yara Rules](#Yara)
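Review bot: the new table-of-contents entry `+ [](#Sub_Intel)` has empty link text, so it renders as an invisible list item; give it the title of the heading it points to, and note that nothing in this commit adds a heading carrying a `Sub_Intel` anchor, so the target needs adding as well. The TOC also places `Final Implant` under Threat Intelligence, while in the second hunk `<h3>Final Implant<a name="Final"></a></h3>` sits before `<h2>Threat Intelligence</h2>`, i.e. inside the malware analysis section; make the two agree.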
@ -239,15 +238,68 @@ Sub Exec(Name_Payload0 As String)
End Sub
```
<h3>The loader<a name="loader"></a></h3>
<h6>The loader creates a mutex with a name that is hardcoded in the binary:"Z0BAZwxx" ,we can note too that the loader add two rules in the firewall on the victim.</h6>
```asm
0x00404e3e jb 0x404e4d
0x00404e40 push eax
0x00404e41 push str.Z0BAZwxx ; 0x407098 ; u"Z0BAZwxx"
0x00404e46 push str.netsh_advfirewall_firewall_add_rule_name___s__dir_in_action_allow_program___s ; 0x407138 ; u"netsh advfirewall firewall add rule name=\"%s\" dir=in action=allow program=\"%s\""
0x00404e4b jmp 0x404e58
0x00404e4d push str.Z0BAZwxx ; 0x407098 ; u"Z0BAZwxx"
0x00404e52 push eax
0x00404e53 push str.netsh_firewall_add_allowedprogram___s___s_ENABLE ; 0x4070d0 ; u"netsh firewall add allowedprogram \"%s\" %s ENABLE"
0x00404e58 push esi
0x00404e59 call ebx
0x00404e5b add esp, 0x10
0x00404e5e push esi
```
<h6>This push a run key for the persistence for the implant :<br/><br/>
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run<br/>
Name: [a-z]{5}_32.exe/[a-z]{5}.exe [x86/x64]<br/>
Path: C:\Users\admin\AppData\Roaming\Z0BAZwxx\{Filename}<br/><br/>
The name of the mutex is also used for the name of folder in Appdata.</h6>
<h6>The loader use a xor for get the final implant.</h6>
```asm
0x004066db xor word [eax], 0xff ; 255
0x004066e0 add eax, 2
0x004066e3 cmp word [eax], 0
0x004066e7 jne 0x4066db
```
<h6> Once the data extracted, this create a new process if rights is high, this use runas by wmi call instead it</h6>
```asm
0x00405e2e push str.ComSpec ; 0x4070ac ; u"ComSpec"
0x00405e33 call eax
0x00405e5a push str.a__c__s ; 0x4070bc ; u" /a /c %s"
0x00405e5f push esi
0x00405e60 call dword [ebp - 0x28]
0x00405e63 push 0x3c7bf3ff
0x00405e68 push ebx
0x00405eef push str.process_call_create__s ; 0x4071f8 ; u"process call create %s"
0x00405ef4 push eax
0x00405ef5 call esi
0x00405ef7 add esp, 0x10
0x00405efa test eax, eax
0x00405f18 push 0xb289d372
0x00405f1d push 8 ; 8
0x00405f1f mov dword [ebp - 0x44], 0x3c ; '<' ; 60
0x00405f26 mov dword [ebp - 0x38], str.runas ; 0x407228 ; u"runas"
0x00405f2d mov dword [ebp - 0x34], str.wmic ; 0x407234 ; u"wmic"
0x00405f34 mov dword [ebp - 0x30], eax
```
<h3>Final Implant<a name="Final"></a></h3>
<h2>Threat Intelligence</h2><a name="Intel"></a></h2>
<p align="center">
<img src="">
</p>
<p align="center">
<h2> Cyber kill chain <a name="Cyber-kill-chain"></a></h2>
<h6>The process graph resume cyber kill chains used by the attacker :</h6>
<p align="center">
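Review bot: `<h2>Threat Intelligence</h2><a name="Intel"></a></h2>` closes the heading twice; use the pattern the other headings follow, `<h2>Threat Intelligence<a name="Intel"></a></h2>`. Below it, `<img src="">` has an empty source, and the trailing `<p align="center">` elements are opened but never closed, so the section ends mid-markup. The loader text claims the loader adds two firewall rules, but the visible code only selects between the two `netsh` strings (the `jb 0x404e4d` path pushes the `netsh firewall add allowedprogram` form, the fall-through pushes the `netsh advfirewall firewall add rule` form) and both paths converge on a single `call ebx` at 0x404e58, so one command is formatted per run; describe it as one rule written in whichever `netsh` syntax the branch picks. The decoding loop could also be described more precisely: `xor word [eax], 0xff` flips only the low byte of each 16-bit unit and stops at a zero word, i.e. it decodes a null-terminated wide string with the single-byte key 0xFF, which matches the `u"..."` strings used elsewhere. Finally, the `<h6>` sentences ('This push a run key', 'The loader use a xor', 'if rights is high, this use runas by wmi call instead it') need grammar fixes and the last one should state which branch is taken in which privilege case.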