ch0ic3/CyberThreatIntel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update Analysis_29-09-2019.md

Browse Source
This commit is contained in:
StrangerealIntel 2019-09-30 11:09:13 +02:00 committed by GitHub
parent f9503a3b9c
commit 8810f2bd28
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
Unknown/Unknown phishing group/Analysis_29-09-2019.md
View File

@ -12,8 +12,16 @@
## Malware analysis <a name="Malware-analysis"></a> ## Malware analysis <a name="Malware-analysis"></a>
### Initial vector <a name="Initial-vector"></a> ### Initial vector <a name="Initial-vector"></a>
###### The initial vector ###### The initial vector is a spear phishing who usurp the brand TNT to incite the victim to download and execute the payload.
![alt text](link "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/mail.png "")
###### On the JS payload, an array "tankew" is edited by a replace characters of the first layer of obfucation and execute the JS backdoor by an eval call.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/TNT%20layer%201.png "")
###### The first action perform on the system is to self extract in APPDATA folder as js file and run as another instance.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/persistence_pay.png "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/persistence.png "")
###### Liste des commands : ###### Liste des commands :
|Command|Description| |Command|Description|
|:-------------:| :------------- | |:-------------:| :------------- |