Update Malware analysis.md

StrangerealIntel 2019-09-25 10:17:47 +02:00 committed by GitHub
parent 015d52d020
commit 70a36b6279
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -20,7 +20,7 @@
### 86ccedaa93743e83787f53e09e376713.docx <a name="malware1"></a>
###### The first sample of the campaign is a maldoc file using cve-2017-0199 (Template injection) for requests and executed the next stage of the infection.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/InjTemp.PNG "")
###### This use RTF file with the cve-2018-0802 for execute embedded excel object by the CLSID of the Excel COM object.
###### This use RTF file with the cve-2018-0802 for execute embedded excel object by the CLSID of the Excel COM object. This push the persistence by lnk file for reload the infection on the Start Menu.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/RTFInfo.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/CLSID.png "")
###### This extract and execute the zip archive from the RTF file.
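Review bot: the new sentence on the changed `cve-2018-0802` line claims persistence through an LNK file in the Start Menu but documents neither where the LNK is written nor what it points to, which is the artifact a defender would actually hunt for; please state the drop location and the LNK target (or add a screenshot as the other claims in this section have), and write the CVE in its canonical form `CVE-2018-0802` as used elsewhere on the page. While editing that line, the grammar could be tightened to: "This uses an RTF file exploiting CVE-2018-0802 to execute the embedded Excel object through the CLSID of the Excel COM object. It establishes persistence with an LNK file in the Start Menu that reloads the infection."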
@ -37,18 +37,17 @@
###### This can save and execute a stream from the C2.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Mod1.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Mod2.PNG "")
### d2263c15dfcccfef16ecf1c1c9304064befddf49cdbbd40abd12513481d7faf7.doc <a name="malware2"></a>
###### The second samples use the same TTPs and use Template injection.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/2/Template.png "")
###### The RTF file download and executed to drop the same backdoor.
###### The RTF file download and executed to drop the same backdoor and same method of persistence by the Start Menu.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/2/RTFInfo.png "")
### 01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx <a name="malware3"></a>
###### The next sample uses Template injection too for download and executed to drop the RTF file.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Inj.PNG "")
###### The RTF file pushes a persistence with an LNK file, extracts the backdoor and executes on another instance of explorer.
###### The first RTF perform a redirection by template injection to the second RTF file extracts the backdoor and executes on another instance of explorer.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/RTFInfo.PNG "")
###### The backdoor uses a timer for as anti-sandbox method and check the features.
###### The backdoor uses a timer for as anti-sandbox method and check the features. Again add a persistence in Start Menu.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Main.png "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Anti-sandbox.PNG "")
###### This push in memory the backdoor and check the system informations.
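Review bot: the rewrite of the sample 3 RTF line drops the statement that the RTF file creates the LNK persistence and the new backdoor line says "Again add a persistence in Start Menu" instead, so the commit silently moves the persistence step from the RTF stage to the backdoor stage; if that is an analysis correction it should be stated explicitly, otherwise one of the two lines is wrong. The replacement sentence also needs punctuation to be readable, for example: "The first RTF performs a redirection by template injection to the second RTF file, which extracts the backdoor and executes it in another instance of explorer." Similarly, "uses a timer for as anti-sandbox method and check the features" should read "uses a timer as an anti-sandbox method and checks the system features", and the sample 2 line would read better as "The RTF file is downloaded and executed to drop the same backdoor, with the same Start Menu persistence method."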
@ -59,7 +58,7 @@
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/connect.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/WriteFile.PNG "")
### pk_17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc <a name="malware4"></a>
###### This continues to use Template injection.
###### This continues to use Template injection and to push the persistence by Start Menu.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/inj.PNG "")
###### The RTF file dropped extract a js file, a dll and an exe file.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/rtfinfos.PNG "")
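Review bot: the added clause "and to push the persistence by Start Menu" is attached to the sentence about template injection in the maldoc, while for the earlier samples the Start Menu persistence is attributed to the dropped RTF or to the backdoor; please say which stage of sample 4 drops the LNK so the TTP comparison across samples stays consistent. The unchanged context line would also read better as "The dropped RTF file extracts a JS file, a DLL and an EXE file."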