diff --git a/cybercriminal groups/TA505/04-10-2019/Malware Analysis 04-10-2019.md b/cybercriminal groups/TA505/04-10-2019/Malware Analysis 04-10-2019.md index 1fd2641..17fe72d 100644 --- a/cybercriminal groups/TA505/04-10-2019/Malware Analysis 04-10-2019.md +++ b/cybercriminal groups/TA505/04-10-2019/Malware Analysis 04-10-2019.md @@ -1,16 +1,13 @@ # Analysis of the new TA505 campaign ## Table of Contents * [Malware analysis](#Malware-analysis) -* [Cyber Threat Intel](#Cyber-Threat-Intel) * [Indicators Of Compromise (IOC)](#IOC) * [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK) * [Links](#Links) + [Original Tweet](#Original-Tweet) + [Link Anyrun](#Links-Anyrun) - + [Documents](#Documents) ## Malware analysis -### Current loader used by the group ###### The inital vector is a malicious excel file who used a XLM macro (macro v4). This use an function for launch the payload when the excel windows is active (selected as primary window). As first action, this execute the module 1. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/Autoopen.PNG) ###### The function call in Module 1 create a Wscript object for change the current directory, show the fake message and push debug messages. 
@@ -58,27 +55,56 @@ The change currently the trust certificate for bypass the security messures, we ## Cyber kill chain ###### The process graphs resume all the cyber kill chains used by the attacker. ![alt text]() + ## References MITRE ATT&CK Matrix ###### List of all the references with MITRE ATT&CK Matrix |Enterprise tactics|Technics used|Ref URL| | :---------------: |:-------------| :------------- | -||| +|Execution|Execution through Module Load|https://attack.mitre.org/techniques/T1129/| +|Discovery|Query Registry|https://attack.mitre.org/techniques/T1012/| ## Indicators Of Compromise (IOC) - ###### List of all the Indicators Of Compromise (IOC) - -| Indicator | Description| +|Indicator|Description| | ------------- |:-------------:| -||| -||Domain requested| -||IP requested| -||HTTP/HTTPS requests| -||Domain C2| -||IP C2| +|104.19.197.151|IP Requested| +|104.19.199.151|IP Requested| +|147.135.204.64|IP C2| +|18.194.14.44|IP Requested| +|183.111.138.244|IP Requested| +|185.33.87.27|IP Requested| +|192.99.211.205|IP C2| +|3ee37a570cc968ca2ad5a99f920c9332|D8EA1BAE84345D1A432E872811E9ECBCF84DE0BA6CB36053039A839DFBB7097C| +|44a20233b3c3b1defcd7484d241c5be6|09A887F08C7F252E642805DDFF5F1FDC390F675E603C994C3C06C055C55B0637| +|53b2c9d906fc9075fa375295c5bdcf5b|0776289CAC9F64211D5E5DDF14973157160DDCFBE2979D2E40638C4E03238558| +|89c3a79864a0f0fa5a6cd3f87e8bd3271d1265b4d632bb32bb6be02425b4fe78|89C3A79864A0F0FA5A6CD3F87E8BD3271D1265B4D632BB32BB6BE02425B4FE78| +|C:\Users\admin\AppData\Roaming\{97B34601-5B4A-40AF-8963-D8C75594998B} - 1.dll|0AF713AB3D6D17CD6B96D78FAC2677FE3B5B0051CF8B673478BD767E7553C238| +|C:\Users\admin\AppData\Roaming\module_p1.dll|57D29E8BA4D1C0ECAD75F2B9EEBEF757D872169C3270DABAF326D9057019CF68| +|C:\Users\admin\AppData\Roaming\module_p2.dll|C16D2A23A27C1E9EAE34D01613C4BAB0FE4871F1D8A72D5C5B40E43B0F24D95C| +|c6d17efb69bd4a7ac8f9dc11f810c30b|77D8E6C621EA96AF5A677397FE367DC60689D7F4F40B0A60A198F1D117A9A47A| 
+|Cheque.xls|375159A45823FF4EAFBA0C364209EB7C35B353E3C64B69978C136CF41B67D570| +|chogoon.com|Domain Requested| +|doc 6172.xls|564CF47E84589D5E130E0502B403DF4E9648B9AFEA47372D0F9B8FD91FF6505C| +|ed0cde28ce66713974e339715bdde62b|CBAAB49338F8F2A9F56575702D9943A3DAFD78EF7812FABFF3B2E2899A460A12| +|f46e2c2925e6196fae3112fd0bcbb8c2|AD5910E44A63C0FC02376277D28D306A236CB87BCC0FA08B3569069BB5D58A6B| +|hxxps://chogoon[.]com/srt/gedp4|HTTP/HTTPS requests| +|hxxps://windows-wsus-en[.]com/version|HTTP/HTTPS requests| +|Invoice 7173.xls|BAEE4D4F8838CD7107977D960E4478279E9F321D21CB15126C38AA8204629561| +|J_280586|D8EA1BAE84345D1A432E872811E9ECBCF84DE0BA6CB36053039A839DFBB7097C| +|LET 7833.xls|544154ED4B0495EBD44210AC6EAC4B5D7B9C9BE36B61D21482616433BE1915DD| +|Letter 7711.xls|E7379BB7A4B46E2378D5722FD2C8F4AE31A2AE15D5A9006609EE3E8D26199D89| +|office365-update-eu.com|Domain C2| +|Receipt 0787.xls|564CF47E84589D5E130E0502B403DF4E9648B9AFEA47372D0F9B8FD91FF6505C| +|Receipt 4685 YJLJ.xls|564CF47E84589D5E130E0502B403DF4E9648B9AFEA47372D0F9B8FD91FF6505C| +|sample1.xls|6118EC7C0F06B45368DBD85B8F83958FC1F02F85E743F9CD82A1B877FBCCC140| +|sample4.XLS|566745CE483F3DC1744C757DD7348CE0844BAF5DB8CDF28F242CCD86B91496C0| +|windows-wsus-en.com|Domain C2| +|Xerox Scan_84676113847687.XLS|8741346FB8D6C2F4CA80FA2B176F162AF620F86C5FFC895C84346BE22BDAA976| +|Xerox.csv|566745CE483F3DC1744C757DD7348CE0844BAF5DB8CDF28F242CCD86B91496C0| -###### This can be exported as JSON format [Export in JSON]() + +###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/IOC_TA505_07-10-19.json) ## Links ###### Original tweet: 
@@ -89,5 +115,3 @@ The change currently the trust certificate for bypass the security messures, we ###### Samples : * [Letter 7711.xls](https://app.any.run/tasks/d3699368-76cb-4c9f-b5c5-c4e25eb2e318) * [REP 7072.xls](https://app.any.run/tasks/ae70ad41-d5d7-4dca-98d2-b72bfbae45fa) -###### Documents: -* []()
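Review bot: In the first hunk the table of contents is trimmed (the `Cyber Threat Intel` and `Documents` entries go) but it is not brought in line with the sections the file actually has: the `## Cyber kill chain` section visible as context in the next hunk has no TOC entry, and the `#IOC` and `#Ref-MITRE-ATTACK` anchors do not correspond to the headings `## Indicators Of Compromise (IOC)` and `## References MITRE ATT&CK Matrix`, so they will not resolve on GitHub's generated heading ids unless explicit `<a name>` anchors exist elsewhere in the file (none appear in this diff). Suggest `* [Cyber kill chain](#cyber-kill-chain)`, `* [Indicators Of Compromise (IOC)](#indicators-of-compromise-ioc)` and `* [References MITRE ATT&CK Matrix](#references-mitre-attck-matrix)`. Dropping `### Current loader used by the group` also leaves the loader description with no heading of its own under `## Malware analysis`; if the intent is to keep the document navigable, keep the sub-heading. While this paragraph is being touched, `inital`, `who used a XLM macro` and `an function` in the context line should read `initial`, `which uses an XLM macro` and `a function`.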
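Review bot: The IOC table added in the second hunk keeps the header `|Indicator|Description|` but the new rows mix two different meanings for the second column: for the IP and domain rows it is a description (`IP Requested`, `Domain C2`), while for the MD5, file-name and path rows it holds a SHA-256 (`|3ee37a570cc968ca2ad5a99f920c9332|D8EA1BAE...|`), and the row `|89c3a79864a0f0fa5a6cd3f87e8bd3271d1265b4d632bb32bb6be02425b4fe78|89C3A79864...|` repeats the same SHA-256 in both columns in different case. Suggest either a third column (`|Indicator|Type|Hash or Description|`) or a separate file table with `|File name|MD5|SHA-256|`, which would also collapse the three rows (`doc 6172.xls`, `Receipt 0787.xls`, `Receipt 4685 YJLJ.xls`) that share `564CF47E...` into one entry with aliases. Defanging is inconsistent: the URLs are written `hxxps://chogoon[.]com/srt/gedp4`, but the bare domain rows `chogoon.com`, `office365-update-eu.com` and `windows-wsus-en.com` are live-clickable in rendered Markdown; use `chogoon[.]com` style throughout so a reader cannot follow them by accident. The MITRE table header `Technics used` should be `Techniques used`, and the `![alt text]()` under `## Cyber kill chain` is still an empty image reference; since the hunk already adds a blank line right after it, fill in the process-graph image or drop the placeholder.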
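Review bot: Removing the empty `Documents:` placeholder in the third hunk matches the TOC change in the first hunk, but the remaining `Samples :` list and the new IOC table disagree: `REP 7072.xls` is linked to an Any.Run task here yet has no hash row in the IOC table, while `Letter 7711.xls` is the only sample that appears in both. Either add the `REP 7072.xls` hashes to the IOC table (or remove the link if it belongs to another campaign) so the two sections describe the same sample set. Minor: `Samples :` should be `Samples:`, consistent with `Original tweet:` above it.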