From 618e617ec86d2ad268908bf03261df39012e5671 Mon Sep 17 00:00:00 2001
From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com>
Date: Wed, 12 Feb 2020 23:33:08 +0100
Subject: [PATCH] Update Analysis_2020-02-08.md
---
.../Neutrino/Analysis_2020-02-08.md | 68 ++++++++++++++++---
1 file changed, 60 insertions(+), 8 deletions(-)
diff --git a/Additional Analysis/Neutrino/Analysis_2020-02-08.md b/Additional Analysis/Neutrino/Analysis_2020-02-08.md
index 3c1dee5..692032f 100644
--- a/Additional Analysis/Neutrino/Analysis_2020-02-08.md
+++ b/Additional Analysis/Neutrino/Analysis_2020-02-08.md
@@ -3,8 +3,7 @@
* [Malware analysis](#Malware-analysis)
+ [The initial vector](#Initial)
+ [Loader](#loader)
-* [Threat Intelligence](#Intel)
- + [](#Sub_Intel)
+ + [Final Implant](#Final)
* [Cyber kill chain](#Cyber-kill-chain)
* [Indicators Of Compromise (IOC)](#IOC)
* [Yara Rules](#Yara)
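Review bot: the new TOC entry `+ [Final Implant](#Final)` links to an anchor that nothing in this patch defines; the heading this commit adds further down is the plain line `Final Implant` with no explicit `<a name="Final">` (or equivalent) attached to it, so the link will not resolve unless the rest of the file already supplies that anchor for every section. The other entries (`#Initial`, `#loader`, `#Intel`) follow the same hand-written anchor convention, so either add the matching anchor where the "Final Implant" heading is introduced or use the slug the renderer generates for the heading text. Removing `[Threat Intelligence](#Intel)` and the empty `[](#Sub_Intel)` sub-item is fine as long as the `#Intel` section body is also removed, which the second hunk does.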
@@ -239,15 +238,68 @@ Sub Exec(Name_Payload0 As String)
End Sub
```
+
The loader
+The loader creates a mutex with a name that is hardcoded in the binary:"Z0BAZwxx" ,we can note too that the loader add two rules in the firewall on the victim.
-
+```asm
+0x00404e3e jb 0x404e4d
+0x00404e40 push eax
+0x00404e41 push str.Z0BAZwxx ; 0x407098 ; u"Z0BAZwxx"
+0x00404e46 push str.netsh_advfirewall_firewall_add_rule_name___s__dir_in_action_allow_program___s ; 0x407138 ; u"netsh advfirewall firewall add rule name=\"%s\" dir=in action=allow program=\"%s\""
+0x00404e4b jmp 0x404e58
+0x00404e4d push str.Z0BAZwxx ; 0x407098 ; u"Z0BAZwxx"
+0x00404e52 push eax
+0x00404e53 push str.netsh_firewall_add_allowedprogram___s___s_ENABLE ; 0x4070d0 ; u"netsh firewall add allowedprogram \"%s\" %s ENABLE"
+0x00404e58 push esi
+0x00404e59 call ebx
+0x00404e5b add esp, 0x10
+0x00404e5e push esi
+```
+
+This push a run key for the persistence for the implant :
+Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
+Name: [a-z]{5}_32.exe/[a-z]{5}.exe [x86/x64]
+Path: C:\Users\admin\AppData\Roaming\Z0BAZwxx\{Filename}
+The name of the mutex is also used for the name of folder in Appdata.
+
+The loader use a xor for get the final implant.
+
+```asm
+0x004066db xor word [eax], 0xff ; 255
+0x004066e0 add eax, 2
+0x004066e3 cmp word [eax], 0
+0x004066e7 jne 0x4066db
+```
+
+ Once the data extracted, this create a new process if rights is high, this use runas by wmi call instead it
+
+```asm
+0x00405e2e push str.ComSpec ; 0x4070ac ; u"ComSpec"
+0x00405e33 call eax
+
+0x00405e5a push str.a__c__s ; 0x4070bc ; u" /a /c %s"
+0x00405e5f push esi
+0x00405e60 call dword [ebp - 0x28]
+0x00405e63 push 0x3c7bf3ff
+0x00405e68 push ebx
+
+0x00405eef push str.process_call_create__s ; 0x4071f8 ; u"process call create %s"
+0x00405ef4 push eax
+0x00405ef5 call esi
+0x00405ef7 add esp, 0x10
+0x00405efa test eax, eax
+
+0x00405f18 push 0xb289d372
+0x00405f1d push 8 ; 8
+0x00405f1f mov dword [ebp - 0x44], 0x3c ; '<' ; 60
+0x00405f26 mov dword [ebp - 0x38], str.runas ; 0x407228 ; u"runas"
+0x00405f2d mov dword [ebp - 0x34], str.wmic ; 0x407234 ; u"wmic"
+0x00405f34 mov dword [ebp - 0x30], eax
+```
+
+Final Implant
-Threat Intelligence
-
-
-
-
Cyber kill chain
The process graph resume cyber kill chains used by the attacker :
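Review bot: the `+Final Implant` heading at the end of this hunk has no body, so it runs straight into the unchanged "Cyber kill chain" section; either add the analysis of the decoded implant here or leave the heading (and its TOC entry) out until it exists. A few smaller points on the added lines: the first paragraph says `Z0BAZwxx` is a mutex name, but the excerpt only shows the string being pushed as the `%s` rule-name argument to the two `netsh` format strings (and later reused as the folder name), so quote the mutex-creation call as well or reword to "hardcoded string used as firewall rule name, folder name and mutex name"; the persistence path `C:\Users\admin\AppData\Roaming\Z0BAZwxx\{Filename}` is sandbox-specific and reads better as `%APPDATA%\Z0BAZwxx\{Filename}`; "The loader use a xor for get the final implant" undersells what the loop shows, which is `xor word [eax], 0xff` stepping two bytes at a time until a zero word, i.e. each 16-bit unit is XORed with 0x00FF (only the low byte of each pair is flipped) up to a null terminator; and the sentence "Once the data extracted, this create a new process if rights is high, this use runas by wmi call instead it" should be rewritten so the two branches visible in the listing are clear, e.g. "Once the data is extracted, the loader launches it through `ComSpec` with ` /a /c %s` when it already runs with sufficient rights; otherwise it falls back to `wmic process call create %s` executed via the `runas` verb." Minor: "This push a run key" → "This adds a Run key", and the leading space on the `+ Once the data extracted` line will render as a code/indent artifact in Markdown.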