ch0ic3/CyberThreatIntel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update Malware Analysis 04-10-2019.md

Browse Source
This commit is contained in:
StrangerealIntel 2019-10-06 00:30:19 +02:00 committed by GitHub
parent f3c27a6ac2
commit 7e37181760
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 12 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
cybercriminal groups/TA505/04-10-2019/Malware Analysis 04-10-2019.md
View File

@ -1,10 +1,7 @@
# Analysis of the new TA505 campaign
## Table of Contents
* [Malware analysis](#Malware-analysis)
+ [86ccedaa93743e83787f53e09e376713.docx](#malware1)
* [Cyber Threat Intel](#Cyber-Threat-Intel)
+ [Opendir analysis](#opendir)
+ [Victimology](#Victimology)
* [Indicators Of Compromise (IOC)](#IOC)
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
* [Links](#Links)
@ -13,9 +10,18 @@
+ [Documents](#Documents)
## Malware analysis <a name="Malware-analysis"></a>
### 86ccedaa93743e83787f53e09e376713.docx <a name="malware1"></a>
###### The first sample
![alt text]()
###### The inital vector is a malicious excel file who used a XLM macro (macro v4). This use an function for launch the payload when the excel windows is active (selected as primary window). As first action, this execute the module 1.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/Autoopen.PNG)
###### The function call in Module 1 create a Wscript object for change the current directory, show the fake message and push debug messages.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/Module1-1.PNG)
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/Module2-1.PNG)
###### The userform execute the extract and execute a different PE instead of the architecture of the victim (x86 and x64).
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/userform.PNG)
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/Module3.PNG)
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/Module1-2.PNG)
###### As anti-forensic technique, this delete the files by call of kill functions.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/Module2-2.PNG)
###### We can note that a function is unused and seem to be a rest of the development of the macro.
## Cyber kill chain <a name="Cyber-kill-chain"></a>
###### The process graphs resume all the cyber kill chains used by the attacker.