From 61eaa61281532be1faee43e5527d81bed4e10e2c Mon Sep 17 00:00:00 2001 From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com> Date: Sun, 22 Sep 2019 02:26:50 +0200 Subject: [PATCH] Update APT-C-37 analysis.md --- Unknown/APT-C-37/26-08-19/APT-C-37 analysis.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Unknown/APT-C-37/26-08-19/APT-C-37 analysis.md b/Unknown/APT-C-37/26-08-19/APT-C-37 analysis.md index 9a433b6..026ab63 100644 --- a/Unknown/APT-C-37/26-08-19/APT-C-37 analysis.md +++ b/Unknown/APT-C-37/26-08-19/APT-C-37 analysis.md @@ -3,7 +3,7 @@ * [Malware analysis](#Malware-analysis) + [Initial vector](#Initial-vector) + [Loader](#loader) - + [JS Backdoor](#Backdoor) + + [VB Backdoor](#Backdoor) * [Cyber Threat Intel](#Cyber-Threat-Intel) + [Origin of the method for the JS Backdoor](#Origin) + [APT-C-37 Campaign](#APT) 
@@ -46,9 +46,9 @@ ###### As anti-forensic method, a method which can know if determiner if a debugger is present. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/APT-C-37/26-08-19/Images/zoomdebug.PNG "") ###### Finally, we can observe a Wscript execution with a function splter which split for getting an array of bytes, convert to ASCII and after execute the script with execute call. -###### By the following PowerShell script, we can get the second layer that is the JS Backdoor. +###### By the following PowerShell script, we can get the second layer that is the VB Backdoor. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/APT-C-37/26-08-19/Images/declayer.png "") -### JS Backdoor +### VB Backdoor ###### Firstly, the script get the system informations about the system of the victim and send to one the list of C2 in the logical sense (not random call on the list of C2) with the suffix "/is-ready". The backdoor uses a while loop for rest in communication with C2 by sending a pulse with the system information of the victim. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/APT-C-37/26-08-19/Images/FirstAnal.png "") ###### This send the data with the following structure to the C2 (Here from the Anyrun sandbox) :
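Review bot: in the first hunk (the table of contents at `@@ -3,7 +3,7 @@`), the renamed entry `+ [VB Backdoor](#Backdoor)` keeps the link target `#Backdoor`, but GitHub derives a heading's anchor from its full text, so a heading `### VB Backdoor` resolves to `#vb-backdoor`, and the old `#Backdoor` target is unlikely to match either the old or the new heading; change the link to `[VB Backdoor](#VB-Backdoor)` to follow the pattern the neighbouring entries use (`#Malware-analysis`, `#Initial-vector`, `#Cyber-Threat-Intel`). The unchanged context line `+ [Origin of the method for the JS Backdoor](#Origin)` in the same hunk still calls the component the JS Backdoor, so either that entry should be renamed in the same commit or the text should say why the two names differ.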
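Review bot: in the second hunk (`@@ -46,9 +46,9 @@`), the heading and the sentence before it change the label from JS to VB, but nothing in the surrounding text says what identifies the second layer as VBScript rather than JavaScript or why it was labelled JS before; the preceding context line already mentions that the loader runs the decoded script "with execute call", which is the evidence a reader would want, so add one sentence under the renamed heading stating that the second layer is VBScript and pointing at that call. Since the heading text changes, grep the document for remaining `JS Backdoor` references and for links to `#Backdoor`, because renaming a heading changes its auto-generated anchor and would leave such links dangling.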