Update Malware analysis 09-09-19.md
This commit is contained in:
parent
b1e000cada
commit
77b0c68ab2
@ -1,4 +1,4 @@
|
|||||||
# New samples, same TTPs and accounts
|
# [Update] New samples, same TTPs and accounts
|
||||||
## Table of Contents
|
## Table of Contents
|
||||||
* [Malware analysis](#Malware-analysis)
|
* [Malware analysis](#Malware-analysis)
|
||||||
+ [Initial vector](#Initial-vector)
|
+ [Initial vector](#Initial-vector)
|
||||||
@ -12,8 +12,30 @@
|
|||||||
|
|
||||||
## Malware analysis <a name="Malware-analysis"></a>
|
## Malware analysis <a name="Malware-analysis"></a>
|
||||||
### Initial vector <a name="Initial-vector"></a>
|
### Initial vector <a name="Initial-vector"></a>
|
||||||
###### The initial vector
|
###### The initial vector is an VBA macro from an Maldoc, this use two functions for obfuscated the main command.
|
||||||
![alt text](link "")
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/macro1.png "")
|
||||||
|
###### Once this removed, we can see that use the only command is mshta for invoke the loader.
|
||||||
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/Macro2.PNG "")
|
||||||
|
###### This web page use unescape (4 times) for use again mshta and redirect on the first pastebin.
|
||||||
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/site.PNG "")
|
||||||
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/redirect1.PNG "")
|
||||||
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/redirect2.PNG "")
|
||||||
|
###### The first pastebin use again the escape function (and like all at pastebin shares).The first command of the Visual Basic script is to kill the following process (Word, Excel, Publisher and Powerpoint).
|
||||||
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/loader1.PNG "")
|
||||||
|
###### The second command create a persistence using another mshta for initate to to close the hidden window.
|
||||||
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/loader1close.PNG "")
|
||||||
|
###### The third command execute a loader with two new pastebins.
|
||||||
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P.png "")
|
||||||
|
###### The first share is a script using an array and the getbytes function for obfuscate the payload on two layers.
|
||||||
|
![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P1-1.png "")
|
||||||
|
![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P1-2.png "")
|
||||||
|
###### This execute a dll for load the second PE. This dll is the same than the last analysis and is use as protector ConfuserEx.
|
||||||
|
![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P1-2C.png "")
|
||||||
|
###### The second Pastebin content the data to split for the second PE.
|
||||||
|
![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P2-1.png "")
|
||||||
|
###### The second PE load the old Delphi Azorult Stealer. We can confirm it in seeing quickly some features, here read the ihformations about the keyboard :
|
||||||
|
![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/Bin-Keyboard.PNG "")
|
||||||
|
|
||||||
|
|
||||||
## Cyber kill chain <a name="Cyber-kill-chain"></a>
|
## Cyber kill chain <a name="Cyber-kill-chain"></a>
|
||||||
###### The process graph resume the cyber kill chain used by the attacker.
|
###### The process graph resume the cyber kill chain used by the attacker.
|
||||||
@ -49,4 +71,5 @@
|
|||||||
* [0ec07af14a5338805ed45bcc0a90b20811fd0c9b57ab0f5e1cfd97cd1696c1c2.xls](https://app.any.run/tasks/bb1279af-7fff-4b37-8439-7b303f113082)
|
* [0ec07af14a5338805ed45bcc0a90b20811fd0c9b57ab0f5e1cfd97cd1696c1c2.xls](https://app.any.run/tasks/bb1279af-7fff-4b37-8439-7b303f113082)
|
||||||
* [PO # 8872521.xlt](https://app.any.run/tasks/ff27dd57-9484-4c1c-9a13-6eedf3ede657)
|
* [PO # 8872521.xlt](https://app.any.run/tasks/ff27dd57-9484-4c1c-9a13-6eedf3ede657)
|
||||||
###### Documents: <a name="Documents"></a>
|
###### Documents: <a name="Documents"></a>
|
||||||
* [link]()
|
* [AZORult++: Rewriting history](https://securelist.com/azorult-analysis-history/89922/)
|
||||||
|
* [The AZORult Legacy Lives On. Hello AZORult++!](https://www.bleepingcomputer.com/news/security/the-azorult-legacy-lives-on-hello-azorult-/)
|
||||||
|
Loading…
Reference in New Issue
Block a user