From 938f8846bf808d513fbb99ddadf71a9e77c205d7 Mon Sep 17 00:00:00 2001
From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com>
Date: Thu, 23 Jan 2020 00:55:52 +0100
Subject: [PATCH] Update analysis.md

---
.../Transparent Tribe/22-01-20/analysis.md | 55 ++++++++++++++++++-
1 file changed, 53 insertions(+), 2 deletions(-)

diff --git a/Pakistan/APT/Transparent Tribe/22-01-20/analysis.md b/Pakistan/APT/Transparent Tribe/22-01-20/analysis.md
index ca69bf1..e0f83b8 100644
--- a/Pakistan/APT/Transparent Tribe/22-01-20/analysis.md
+++ b/Pakistan/APT/Transparent Tribe/22-01-20/analysis.md
@@ -214,11 +214,62 @@ public static string ulhtagniasOsname()

-
Can read the Operation System version
+
On the RAT, one of two byte array is used for triggered the detection of a sensible AV
+```csharp
+public static byte[] encAvs = new byte[]{98,100,115,115,61,66,105,116,32,68,101,102,101,110,100,101,114,44,111,110,108,105,110,101,110,116,61,81,46,72,101,97,108,44,98,100,97,103,101,110,116,61,66,105,116,32,68,101,102,101,110,100,101,114,32,65,103,101,110,116,44,109,115,115,101,99,101,115,61,77,83,32,69,115,115,101,110,116,105,97,108,115,44,102,115,115,109,51,50,61,70,83,101,99,117,114,101,44,97,118,112,61,75,97,115,112,101,114,115,107,121,44,97,118,103,110,116,61,65,118,105,114,97,44,115,112,98,98,99,115,118,99,61,83,121,109,97,110,116,101,99,44,117,112,100,97,116,101,114,117,105,61,77,99,65,102,101,101,44,97,118,103,117,105,61,65,86,71,44,97,118,103,99,99,61,65,86,71,44,109,98,97,109,61,65,110,116,32,77,97,108,119,97,114,101,44,97,118,97,115,116,117,105,61,65,118,97,115,116,44,97,118,97,115,116,61,65,118,97,115,116};
+```
+
This can easily viewable in oneliner (UTF8 + Getstring) and show the list of sensible AV to detect
+
+```csharp
+PS> ([System.Text.Encoding]::UTF8.GetString($encAvs)).split(",")
+bdss=Bit Defender
+onlinent=Q.Heal
+bdagent=Bit Defender Agent
+msseces=MS Essentials
+fssm32=FSecure
+avp=Kaspersky
+avgnt=Avira
+spbbcsvc=Symantec
+updaterui=McAfee
+avgui=AVG
+avgcc=AVG
+mbam=Ant Malware
+avastui=Avast
+avast=Avast
+ ```
+
+
With the same logic, we can get the content of the second array which get the IP of the C2 to contact
-
+```csharp
+PS> ([System.Text.Encoding]::UTF8.GetString($tab)).split(",")
+198.46.177.73
+```
+
Some identifiers like name of user, defaultIP and logname can be found
+
+```csharp
+public static string ulhtagniasmainApp = "ulhtagnias|ulhtagnias".Split(new char[]{'|'})[0];
+public static string ulhtagniaspc_id = "vhldsp|ulhtagnias".Split(new char[]{'|'})[0];
+public static string ulhtagniasremvUser = "drlarmn|ulhtagnias".Split(new char[]{'|'})[0];
+public static string ulhtagniasfilesLogs = "rndlbes".Split(new char[]{'|'})[0];}
+public static string ulhtagniasdefaultP = "122.200.110.101|ulhtagnias".Split(new char[]{'|'})[0];
+```
+
This connect on the default port (6421) and can switch depending on the needs of the operations
+
+```csharp
+public static int[] ports = new int[]{6421,4920,10422,14823,16824};
+public void ulhtagniasports_switch()
+ {
+ try
+ {
+ this.port_sn++;
+ ulhtagniasCONF.ulhtagniasport = ulhtagniasCONF.ports[this.port_sn];
+ if (this.port_sn >= ulhtagniasCONF.ports.Length - 1){this.port_sn = 0;}
+ }
+ catch{this.port_sn = 0;}
+ }
+```

Threat Intelligence

Cyber kill chain