ch0ic3/CyberThreatIntel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update Malware analysis 26-08-19.md

Browse Source
This commit is contained in:
StrangerealIntel 2019-09-05 00:42:11 +02:00 committed by GitHub
parent 9cbc0cd2ca
commit 70380217ee
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 32 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
Israel/APT/Unknown/26-08-19/Malware analysis 26-08-19.md
View File

@ -76,11 +76,42 @@ As anti-forensic method, a method which can know if determiner if a debugger is
|delete|Function don't exist but by the params seems give to the attacker to delete folders or files|
|exit-process|Kill the backdoor process but can't remove the persistence, an "execute" command must be performed before for delete it in the registry|
###### All the IP are hosted on differents cloud provider.
|IP|Route|ASN|Organization|Country|City|Region|Coordinates|
|:---------------:|:-------------:|:-------------:|:-------------:|:-------------:|:-------------:|:-------------:|:-------------:|
|66.154.103.156|66.154.102.0/23|AS8100|QuadraNet Enterprises LLC|United States|Secaucus|New Jersey| 40.7895,-74.0565|
|37.48.111.5|37.48.64.0/18|AS60781|LeaseWeb Netherlands B.V.|Netherlands|Noord-Holland|Amsterdam|52.3824,4.8995|
|85.17.26.65|85.17.0.0/16|AS60781|LeaseWeb Netherlands B.V.|Netherlands|Noord-Holland|Amsterdam|52.3824,4.8995|
## Cyber kill chain <a name="Cyber-kill-chain"></a>
###### The process graph resume the cyber kill chain used by the attacker.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/cyber.PNG "")
## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>
### Origin of the method for the JS Backdoor
###### Firstly, the method for load the JS Backdoor is edited from a post published in 2015 on a forum for show a method for the both architecture for the developpment of a worm.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/Post.PNG "")
###### We can see that the name of the instance is changed and the html tags are removed.If we add the notes from the malware analysis, we can conclude that the malware has been edited in emergency.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/matchcode.PNG "")
### A army in perdition, an difficult situation
###### Since the last decade, the inexperience of the army on military issues, rigid doctrine, misunderstanding of the adversary, over-reliance on air and all-technological operations, loss of skills in the IDF, hesitations of unit commanders, the belief - erroneous - that the Israeli population would not accept the possible losses, a reorganized but deficient logistics, the non-mastery of communication. If we add the syria situation and result of the confrontation in 2006 who have add new emmenies against Israel, this create a difficult situation for these leaders.
###### Actually in election period, each valuable action or opportunities can be used for this or for expend doctrine like the creation of housing in the colonies.
### A war of misinformation
###### Like all recents conflits, the networks of communications are used for send wrong news and propaganda or create it due to the people can't understand the situation. For exemple, recently we can heard that a false evacuation of wounded have been do for decoy the Hezbollah for push to stop shooting but this isn't know guerilla and the result of the latest conficts whre this isn't the rockets which dettroyed the military equipement but the Israel's forces who have sabotage their own equipment by the fear of the new rescuits and their inexperiences. In same reflexion, the fear of rockets launch on a city can't be realitic by the fact that the priority is the border army garrisons, infrastructure are better choice due to this the means used Hezbollah against the priority , this argument is apply in Israel for prepare the people to possibilities to claim the war.
###### In this way, some pictures have be send in the both side for used this factor as propaganda vector.By example, a picture taken with a drone of the feneter of netanyahou have been released in the social medias for show the capacities of reprisals. If we see the picture with the naked eye, we can see that the shadow of drone isn't report in the wall inside the room, the facade is an decor, fake coordonnates and blur is applied to all photo.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/c654ede55e275431042d32334f8cfd3a5526cb72.196671-600.png "")
###### With the ELA algorithm, we can see the last modifications on the pictures. In using this it, we can see all the precedants elements are added at the original picture (probably a meeting with members of government).
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/c654ede55e275431042d32334f8cfd3a5526cb72.196671-ela.png "")
###### In same time, other pictures are released about decoy targets, with the ELA algoritm, we can see that the multiple compressions by the algorithms, the picture is very dark and the pictures are only modify for write the indicators of interest.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/EDOYGiAXsAEA4Kq.jpg%20large.jpg "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/aa18205de56e2cbe15471c3cc1530e587ab975a0.35923-ela-600.png "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/EDOYGWjWsAAsfM1.jpg%20large.jpg "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/3fb1c19ecfe9c11d779b8dae397cd781b64c56ef.21349-ela.png "")
###### Recently, in the same way for develop the feeling of fear, Israel gouverment have claimed that Iran build precision missiles , this rest to prove it but the scheme of reflexion is the same, a war of fear and misinformation.
### The drone attack, a result of the information campaign ?
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
###### List of all the references with MITRE ATT&CK Matrix
@ -141,4 +172,4 @@ As anti-forensic method, a method which can know if determiner if a debugger is
* [فضيحة جديدة لأحد قيادات حماس.zip (A new scandal of one of the leaders of Hamas.zip)](https://app.any.run/tasks/59ed8062-cf77-4d73-81bd-19cb26b7c7c6/)
* [xyx.jse](https://app.any.run/tasks/baa4f59c-969b-4617-b926-2d41da5e18b0/)
###### Documents: <a name="Documents"></a>
* [link]()
* [Evaluating ELA](http://fotoforensics.com/tutorial-ela.php)