Update Malware analysis 31-08-19.md
This commit is contained in:
StrangerealIntel
GitHub
parent
f140997934
commit
96c4f4bc9a
@ -42,10 +42,13 @@
|
||||
|
||||
###### This use too , the EncodePointer function for encoding a specified pointer (encoded pointers can be used to provide another layer of protection for pointer values).
|
||||
|
||||
###### After perform the reconnaissance actions, this can send a query as pulse with the informations to the C2.
|
||||
###### After perform the reconnaissance actions, this can send a query as pulse with the informations to the C2, the URL to send is decoded and an additionnal operation give the final URL.
|
||||
|
||||
|
||||
###### The data are encoded by the algoritm too, with the script, we can decode the strings and see that the roles and data send to the C2.
|
||||
`SNI=VTFS.QD&UME=Xjoepxt!8!Qspgfttjpobm&OPQ=benjo&IVR=VTFS.QD$$benjoAA11482.572.3314613.96675&st=0` (Here from the Anyrun sandbox)
|
||||
###### We can resume all the variables used and the type of the informations sended in the C2.
|
||||
|
||||
|Variable|Description|
|
||||
| ------------- |:-------------|
|
||||
|SNI|Computer name|
|
||||
@ -65,21 +68,21 @@
|
||||
|
||||
|Enterprise tactics|Technics used|Ref URL|
|
||||
| :---------------: |:-------------| :------------- |
|
||||
|Execution|T1059 - Command-Line Interface<br>T1106 - Execution through API<br> T1170 - Mshta<br>T1086 - PowerShell<br>T1053 - Scheduled Task<br>T1064 - Scripting<br>T1059 - Command-Line Interface|https://attack.mitre.org/techniques/T1059<br>https://attack.mitre.org/techniques/T1106<br>https://attack.mitre.org/techniques/T1170<br>https://attack.mitre.org/techniques/T1086<br>https://attack.mitre.org/techniques/T1053<br>https://attack.mitre.org/techniques/T1064<br>https://attack.mitre.org/techniques/T1059|
|
||||
|Persistence|T1060 - Registry Run Keys / Startup Folder<br>T1053 - Scheduled Task|https://attack.mitre.org/techniques/T1060<br>https://attack.mitre.org/techniques/T1053|
|
||||
|Privilege Escalation|T1053 - Scheduled Task|https://attack.mitre.org/techniques/T1053|
|
||||
|Defense Evasion|T1170 - Mshta<br>T1064 - Scripting|https://attack.mitre.org/techniques/T1170<br>https://attack.mitre.org/techniques/T1064|
|
||||
|Credential Access|T1081 - Credentials in Files|https://attack.mitre.org/techniques/T1081|
|
||||
|Collection|T1113 - Screen Capture<br>T1114 - Email Collection|https://attack.mitre.org/techniques/T1113<br>https://attack.mitre.org/techniques/T1114|
|
||||
|Execution|T1203 - Exploitation for Client Execution|https://attack.mitre.org/techniques/T1203|
|
||||
|Persistence|T1060 - Registry Run Keys / Startup Folder|https://attack.mitre.org/techniques/T1060|
|
||||
|Discovery|T1012 - Query Registry|https://attack.mitre.org/techniques/T1012|
|
||||
|Lateral Movement|T1105 - Remote File Copy|https://attack.mitre.org/techniques/T1105|
|
||||
|C & C|T1105 - Remote File Copy|https://attack.mitre.org/techniques/T1105|
|
||||
|
||||
## Indicators Of Compromise (IOC) <a name="IOC"></a>
|
||||
|
||||
###### List of all the Indicators Of Compromise (IOC)
|
||||
| Indicator | Description|
|
||||
| ------------- |:-------------|
|
||||
|Urgent Action.docx]|34b53cd683f60800ac4057d25b24d8f083f759d024d22b4e5f2a464bc85de65a|
|
||||
|Urgent Action.docx|34b53cd683f60800ac4057d25b24d8f083f759d024d22b4e5f2a464bc85de65a|
|
||||
|smss.exe|dcb8531b0879d46949dd63b1ac094f5588c26867805d0795e244f4f9b8077ed1|
|
||||
|maq.com.pk|domain requested|
|
||||
|203.124.43.227|ip requested|
|
||||
|maq.com.pk|Domain requested|
|
||||
|203.124.43.227|IP requested|
|
||||
|http[:]//maq.com.pk/|HTTP/HTTPS requests|
|
||||
|http[:]//maq.com.pk/wehsd|HTTP/HTTPS requests|
|
||||
|http[:]//maq.com.pk/wehs|HTTP/HTTPS requests|
|
||||
|
||||
Loading…
Reference in New Issue
Block a user