From 8810f2bd284e6b164e4b2d8612236ec7d3055ef7 Mon Sep 17 00:00:00 2001
From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com>
Date: Mon, 30 Sep 2019 11:09:13 +0200
Subject: [PATCH] Update Analysis_29-09-2019.md
---
.../Unknown phishing group/Analysis_29-09-2019.md | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/Unknown/Unknown phishing group/Analysis_29-09-2019.md b/Unknown/Unknown phishing group/Analysis_29-09-2019.md
index ed1da7a..2311f0e 100644
--- a/Unknown/Unknown phishing group/Analysis_29-09-2019.md
+++ b/Unknown/Unknown phishing group/Analysis_29-09-2019.md
@@ -12,8 +12,16 @@
## Malware analysis
### Initial vector
-###### The initial vector
-![alt text](link "")
+###### The initial vector is a spear phishing who usurp the brand TNT to incite the victim to download and execute the payload.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/mail.png "")
+###### On the JS payload, an array "tankew" is edited by a replace characters of the first layer of obfucation and execute the JS backdoor by an eval call.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/TNT%20layer%201.png "")
+###### The first action perform on the system is to self extract in APPDATA folder as js file and run as another instance.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/persistence_pay.png "")
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/persistence.png "")
+
+
+
###### Liste des commands :
|Command|Description|
|:-------------:| :------------- |
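Review bot: the new descriptive lines in this hunk have grammar and spelling errors that make the analysis hard to read, and the text does not explain what the two "persistence" screenshots show. "The initial vector is a spear phishing who usurp the brand TNT to incite the victim to download and execute the payload" should read something like "The initial vector is a spear-phishing email that impersonates the TNT brand to lure the victim into downloading and executing the payload"; "obfucation" is "obfuscation"; "The first action perform on the system is to self extract in APPDATA folder as js file and run as another instance" should be "The first action performed on the system is to self-extract into the APPDATA folder as a JS file and run as a new instance". The line introducing the `persistence_pay.png` and `persistence.png` images only describes the copy into APPDATA; since the images are labelled persistence, add a sentence naming the persistence mechanism the screenshots show so the reader does not have to infer it from the picture alone. Also, the three trailing blank lines added before "###### Liste des commands :" are unnecessary, a single blank line matches the rest of the file, and that unchanged heading mixes French and English ("Liste des commands"); consider "List of commands :" to match the English prose added here.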