ch0ic3/CyberThreatIntel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update Malware Analysis 04-10-2019.md

Browse Source
This commit is contained in:
StrangerealIntel 2019-10-07 14:58:15 +02:00 committed by GitHub
parent 4f59c07800
commit 75e062906e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 40 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
cybercriminal groups/TA505/04-10-2019/Malware Analysis 04-10-2019.md
View File

@ -1,16 +1,13 @@
# Analysis of the new TA505 campaign
## Table of Contents
* [Malware analysis](#Malware-analysis)
* [Cyber Threat Intel](#Cyber-Threat-Intel)
* [Indicators Of Compromise (IOC)](#IOC)
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
* [Links](#Links)
+ [Original Tweet](#Original-Tweet)
+ [Link Anyrun](#Links-Anyrun)
+ [Documents](#Documents)
## Malware analysis <a name="Malware-analysis"></a>
### Current loader used by the group
###### The inital vector is a malicious excel file who used a XLM macro (macro v4). This use an function for launch the payload when the excel windows is active (selected as primary window). As first action, this execute the module 1.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/Autoopen.PNG)
###### The function call in Module 1 create a Wscript object for change the current directory, show the fake message and push debug messages.
@ -58,27 +55,56 @@ The change currently the trust certificate for bypass the security messures, we
## Cyber kill chain <a name="Cyber-kill-chain"></a>
###### The process graphs resume all the cyber kill chains used by the attacker.
![alt text]()
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
###### List of all the references with MITRE ATT&CK Matrix
|Enterprise tactics|Technics used|Ref URL|
| :---------------: |:-------------| :------------- |
|||
|Execution|Execution through Module Load|https://attack.mitre.org/techniques/T1129/|
|Discovery|Query Registry|https://attack.mitre.org/techniques/T1012/|
## Indicators Of Compromise (IOC) <a name="IOC"></a>
###### List of all the Indicators Of Compromise (IOC)
| Indicator | Description|
|Indicator|Description|
| ------------- |:-------------:|
|||
||Domain requested|
||IP requested|
||HTTP/HTTPS requests|
||Domain C2|
||IP C2|
|104.19.197.151|IP Requested|
|104.19.199.151|IP Requested|
|147.135.204.64|IP C2|
|18.194.14.44|IP Requested|
|183.111.138.244|IP Requested|
|185.33.87.27|IP Requested|
|192.99.211.205|IP C2|
|3ee37a570cc968ca2ad5a99f920c9332|D8EA1BAE84345D1A432E872811E9ECBCF84DE0BA6CB36053039A839DFBB7097C|
|44a20233b3c3b1defcd7484d241c5be6|09A887F08C7F252E642805DDFF5F1FDC390F675E603C994C3C06C055C55B0637|
|53b2c9d906fc9075fa375295c5bdcf5b|0776289CAC9F64211D5E5DDF14973157160DDCFBE2979D2E40638C4E03238558|
|89c3a79864a0f0fa5a6cd3f87e8bd3271d1265b4d632bb32bb6be02425b4fe78|89C3A79864A0F0FA5A6CD3F87E8BD3271D1265B4D632BB32BB6BE02425B4FE78|
|C:\Users\admin\AppData\Roaming\{97B34601-5B4A-40AF-8963-D8C75594998B} - 1.dll|0AF713AB3D6D17CD6B96D78FAC2677FE3B5B0051CF8B673478BD767E7553C238|
|C:\Users\admin\AppData\Roaming\module_p1.dll|57D29E8BA4D1C0ECAD75F2B9EEBEF757D872169C3270DABAF326D9057019CF68|
|C:\Users\admin\AppData\Roaming\module_p2.dll|C16D2A23A27C1E9EAE34D01613C4BAB0FE4871F1D8A72D5C5B40E43B0F24D95C|
|c6d17efb69bd4a7ac8f9dc11f810c30b|77D8E6C621EA96AF5A677397FE367DC60689D7F4F40B0A60A198F1D117A9A47A|
|Cheque.xls|375159A45823FF4EAFBA0C364209EB7C35B353E3C64B69978C136CF41B67D570|
|chogoon.com|Domain Requested|
|doc 6172.xls|564CF47E84589D5E130E0502B403DF4E9648B9AFEA47372D0F9B8FD91FF6505C|
|ed0cde28ce66713974e339715bdde62b|CBAAB49338F8F2A9F56575702D9943A3DAFD78EF7812FABFF3B2E2899A460A12|
|f46e2c2925e6196fae3112fd0bcbb8c2|AD5910E44A63C0FC02376277D28D306A236CB87BCC0FA08B3569069BB5D58A6B|
|hxxps://chogoon[.]com/srt/gedp4|HTTP/HTTPS requests|
|hxxps://windows-wsus-en[.]com/version|HTTP/HTTPS requests|
|Invoice 7173.xls|BAEE4D4F8838CD7107977D960E4478279E9F321D21CB15126C38AA8204629561|
|J_280586|D8EA1BAE84345D1A432E872811E9ECBCF84DE0BA6CB36053039A839DFBB7097C|
|LET 7833.xls|544154ED4B0495EBD44210AC6EAC4B5D7B9C9BE36B61D21482616433BE1915DD|
|Letter 7711.xls|E7379BB7A4B46E2378D5722FD2C8F4AE31A2AE15D5A9006609EE3E8D26199D89|
|office365-update-eu.com|Domain C2|
|Receipt 0787.xls|564CF47E84589D5E130E0502B403DF4E9648B9AFEA47372D0F9B8FD91FF6505C|
|Receipt 4685 YJLJ.xls|564CF47E84589D5E130E0502B403DF4E9648B9AFEA47372D0F9B8FD91FF6505C|
|sample1.xls|6118EC7C0F06B45368DBD85B8F83958FC1F02F85E743F9CD82A1B877FBCCC140|
|sample4.XLS|566745CE483F3DC1744C757DD7348CE0844BAF5DB8CDF28F242CCD86B91496C0|
|windows-wsus-en.com|Domain C2|
|Xerox Scan_84676113847687.XLS|8741346FB8D6C2F4CA80FA2B176F162AF620F86C5FFC895C84346BE22BDAA976|
|Xerox.csv|566745CE483F3DC1744C757DD7348CE0844BAF5DB8CDF28F242CCD86B91496C0|
###### This can be exported as JSON format [Export in JSON]()
###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/IOC_TA505_07-10-19.json)
## Links <a name="Links"></a>
###### Original tweet:
@ -89,5 +115,3 @@ The change currently the trust certificate for bypass the security messures, we
###### Samples :
* [Letter 7711.xls](https://app.any.run/tasks/d3699368-76cb-4c9f-b5c5-c4e25eb2e318)
* [REP 7072.xls](https://app.any.run/tasks/ae70ad41-d5d7-4dca-98d2-b72bfbae45fa)
###### Documents: <a name="Documents"></a>
* []()