ch0ic3/CyberThreatIntel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update Malware analysis 09-09-19.md

Browse Source
This commit is contained in:
StrangerealIntel 2019-09-12 18:31:50 +02:00 committed by GitHub
parent b1e000cada
commit 77b0c68ab2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 27 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
Pakistan/APT/Gorgon/09-09-19/Malware analysis 09-09-19.md
View File

@ -1,4 +1,4 @@
# New samples, same TTPs and accounts
# [Update] New samples, same TTPs and accounts
## Table of Contents
* [Malware analysis](#Malware-analysis)
+ [Initial vector](#Initial-vector)
@ -12,8 +12,30 @@
## Malware analysis <a name="Malware-analysis"></a>
### Initial vector <a name="Initial-vector"></a>
###### The initial vector
![alt text](link "")
###### The initial vector is an VBA macro from an Maldoc, this use two functions for obfuscated the main command.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/macro1.png "")
###### Once this removed, we can see that use the only command is mshta for invoke the loader.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/Macro2.PNG "")
###### This web page use unescape (4 times) for use again mshta and redirect on the first pastebin.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/site.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/redirect1.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/redirect2.PNG "")
###### The first pastebin use again the escape function (and like all at pastebin shares).The first command of the Visual Basic script is to kill the following process (Word, Excel, Publisher and Powerpoint).
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/loader1.PNG "")
###### The second command create a persistence using another mshta for initate to to close the hidden window.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/loader1close.PNG "")
###### The third command execute a loader with two new pastebins.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P.png "")
###### The first share is a script using an array and the getbytes function for obfuscate the payload on two layers.
![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P1-1.png "")
![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P1-2.png "")
###### This execute a dll for load the second PE. This dll is the same than the last analysis and is use as protector ConfuserEx.
![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P1-2C.png "")
###### The second Pastebin content the data to split for the second PE.
![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P2-1.png "")
###### The second PE load the old Delphi Azorult Stealer. We can confirm it in seeing quickly some features, here read the ihformations about the keyboard :
![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/Bin-Keyboard.PNG "")
## Cyber kill chain <a name="Cyber-kill-chain"></a>
###### The process graph resume the cyber kill chain used by the attacker.
@ -49,4 +71,5 @@
* [0ec07af14a5338805ed45bcc0a90b20811fd0c9b57ab0f5e1cfd97cd1696c1c2.xls](https://app.any.run/tasks/bb1279af-7fff-4b37-8439-7b303f113082)
* [PO # 8872521.xlt](https://app.any.run/tasks/ff27dd57-9484-4c1c-9a13-6eedf3ede657)
###### Documents: <a name="Documents"></a>
* [link]()
* [AZORult++: Rewriting history](https://securelist.com/azorult-analysis-history/89922/)
* [The AZORult Legacy Lives On. Hello AZORult++!](https://www.bleepingcomputer.com/news/security/the-azorult-legacy-lives-on-hello-azorult-/)