ch0ic3/CyberThreatIntel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update Malware analysis 26-08-19.md

Browse Source
This commit is contained in:
StrangerealIntel 2019-09-04 02:55:56 +02:00 committed by GitHub
parent 3d0d1266a3
commit 8ef6f7d3bc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 23 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
Israel/APT/Unknown/26-08-19/Malware analysis 26-08-19.md
View File

@ -2,6 +2,7 @@
## Table of Contents ## Table of Contents
* [Malware analysis](#Malware-analysis) * [Malware analysis](#Malware-analysis)
+ [Initial vector](#Initial-vector) + [Initial vector](#Initial-vector)
+ [Loader](#loader)
+ [JS Backdoor](#Backdoor) + [JS Backdoor](#Backdoor)
* [Cyber Threat Intel](#Cyber-Threat-Intel) * [Cyber Threat Intel](#Cyber-Threat-Intel)
* [Indicators Of Compromise (IOC)](#IOC) * [Indicators Of Compromise (IOC)](#IOC)
@ -22,7 +23,7 @@
###### This download the VB script and execute it by mshta call. ###### This download the VB script and execute it by mshta call.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/lnk.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/lnk.PNG "")
###### On the VB code, we can observed that use BITS fonctionality for download by a job the JS script to execute on the victim. Secondly, this check the architecture of the system and execute the correct path of wscript and push the windows out the screen. ###### On the VB code, we can observed that use BITS fonctionality for download by a job the JS script to execute on the victim. Secondly, this check the architecture of the system and execute the correct path of wscript and push the windows out the screen.
### JS Backdoor <a name="Backdoor"></a> ### Loader <a name="loader"></a>
###### We can see that use function for decode the commands with a array of bytes. ###### We can see that use function for decode the commands with a array of bytes.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/encodeJS.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/encodeJS.png "")
###### For decode the string , we use the next function used by the backdoor for decode the commands. ###### For decode the string , we use the next function used by the backdoor for decode the commands.
@ -34,11 +35,31 @@
As anti-forensic method, a method which can know if determiner if a debugger is present. As anti-forensic method, a method which can know if determiner if a debugger is present.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/zoomdebug.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/zoomdebug.PNG "")
###### Finally, we can observe a Wscript execution with a function splter which split for get a array of byte, convert to ASCII and after execute the script with execute call. ###### Finally, we can observe a Wscript execution with a function splter which split for get a array of byte, convert to ASCII and after execute the script with execute call.
###### By the following PowerShell script, we can get the second layer. ### JS Backdoor <a name="Backdoor"></a>
###### By the following PowerShell script, we can get the second layer that is the JS Backdoor.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/layer2.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/layer2.png "")
###### Firstly,
`C4BA3647<|>USER-PC<|>admin<|>Microsoft Windows 7 Professional <|>plus<|>nan-av<|>` (Here from the Anyrun sandbox)
###### We can note that the USB spread option isn't used on this sample.The structure of the reply to the C2 is the next :
`[volumeserialnumber]<|>[computername]<|>[username]<|>plus<|>[AV product (yes -> name or no ->nan-av)]<|>[usbspreading option (= "")]<|>`
###### We can resume the list of commands of the backdoor :
|Command|Description|
| :---------------: |:-------------|
|execute| execute a command DOS/Powershell|
|send|Download a file to execute|
|site-send|Function don't exist but have the same arg that send command, seems be edited function of site-send and not deleted ?|
|recv|Read a file, put in a buffer and send to the C2|
|enum-driver|Send the list of drives to the C2|
|enum-faf|Get list of the folders, files and attributes and send it to the C2|
|enum-process|Get list of the process (name, id, path of the executable) and send it on the C2|
|delete|Function don't exist but by the params seems give to the attacker to delete folders or files|
|exit-process|Kill the backdoor process but can't remove the persistence, an "execute" command must be performed before for delete it in the registry|
### Cyber kill chain <a name="Cyber-kill-chain"></a> ### Cyber kill chain <a name="Cyber-kill-chain"></a>
###### The process graph resume the cyber kill chain used by the attacker. ###### The process graph resume the cyber kill chain used by the attacker.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/cyber.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/cyber.PNG "")
### Cyber Threat Intel <a name="Cyber-Threat-Intel"></a> ### Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a> ## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
###### List of all the references with MITRE ATT&CK Matrix ###### List of all the references with MITRE ATT&CK Matrix