diff --git a/Pakistan/APT/Gorgon/09-09-19/Malware analysis 09-09-19.md b/Pakistan/APT/Gorgon/09-09-19/Malware analysis 09-09-19.md index 8fa51d0..6c94302 100644 --- a/Pakistan/APT/Gorgon/09-09-19/Malware analysis 09-09-19.md +++ b/Pakistan/APT/Gorgon/09-09-19/Malware analysis 09-09-19.md @@ -1,4 +1,4 @@ -# New samples, same TTPs and accounts +# [Update] New samples, same TTPs and accounts ## Table of Contents * [Malware analysis](#Malware-analysis) + [Initial vector](#Initial-vector) @@ -12,8 +12,30 @@ ## Malware analysis ### Initial vector -###### The initial vector -![alt text](link "") +###### The initial vector is an VBA macro from an Maldoc, this use two functions for obfuscated the main command. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/macro1.png "") +###### Once this removed, we can see that use the only command is mshta for invoke the loader. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/Macro2.PNG "") +###### This web page use unescape (4 times) for use again mshta and redirect on the first pastebin. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/site.PNG "") +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/redirect1.PNG "") +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/redirect2.PNG "") +###### The first pastebin use again the escape function (and like all at pastebin shares).The first command of the Visual Basic script is to kill the following process (Word, Excel, Publisher and Powerpoint). +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/loader1.PNG "") +###### The second command create a persistence using another mshta for initate to to close the hidden window. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/loader1close.PNG "") +###### The third command execute a loader with two new pastebins. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P.png "") +###### The first share is a script using an array and the getbytes function for obfuscate the payload on two layers. +![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P1-1.png "") +![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P1-2.png "") +###### This execute a dll for load the second PE. This dll is the same than the last analysis and is use as protector ConfuserEx. +![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P1-2C.png "") +###### The second Pastebin content the data to split for the second PE. +![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P2-1.png "") +###### The second PE load the old Delphi Azorult Stealer. We can confirm it in seeing quickly some features, here read the ihformations about the keyboard : +![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/Bin-Keyboard.PNG "") + ## Cyber kill chain ###### The process graph resume the cyber kill chain used by the attacker. @@ -49,4 +71,5 @@ * [0ec07af14a5338805ed45bcc0a90b20811fd0c9b57ab0f5e1cfd97cd1696c1c2.xls](https://app.any.run/tasks/bb1279af-7fff-4b37-8439-7b303f113082) * [PO # 8872521.xlt](https://app.any.run/tasks/ff27dd57-9484-4c1c-9a13-6eedf3ede657) ###### Documents: -* [link]() +* [AZORult++: Rewriting history](https://securelist.com/azorult-analysis-history/89922/) +* [The AZORult Legacy Lives On. Hello AZORult++!](https://www.bleepingcomputer.com/news/security/the-azorult-legacy-lives-on-hello-azorult-/)