Update Analysis_29-09-2019.md

2019-09-30 11:09:13 +02:00 · 2019-09-30 11:09:13 +02:00 · 8810f2bd28
commit 8810f2bd28
parent f9503a3b9c
1 changed files with 10 additions and 2 deletions
--- a/group/Analysis_29-09-2019.md
+++ b/group/Analysis_29-09-2019.md
@ -12,8 +12,16 @@

 ## Malware analysis <a name="Malware-analysis"></a>
 ### Initial vector <a name="Initial-vector"></a>
-###### The initial vector 
-![alt text](link "")
+###### The initial vector is a spear phishing who usurp the brand TNT to incite the victim to download and execute the payload.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/mail.png "")
+###### On the JS payload, an array "tankew" is edited by a replace characters of the first layer of obfucation and execute the JS backdoor by an eval call.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/TNT%20layer%201.png "")
+###### The first action perform on the system is to self extract in APPDATA folder as js file and run as another instance.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/persistence_pay.png "")
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/persistence.png "")
+
+
+
 ###### Liste des commands :
 |Command|Description|
 |:-------------:| :------------- |