diff --git a/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md b/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md index f0c1905..4cb72bb 100644 --- a/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md +++ b/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md @@ -42,10 +42,13 @@ ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/GetProcname.PNG "") ###### This use too , the EncodePointer function for encoding a specified pointer (encoded pointers can be used to provide another layer of protection for pointer values). ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/PointerDATA.png "") -###### After perform the reconnaissance actions, this can send a query as pulse with the informations to the C2. +###### After perform the reconnaissance actions, this can send a query as pulse with the informations to the C2, the URL to send is decoded and an additionnal operation give the final URL. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/send.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/query.png "") ###### The data are encoded by the algoritm too, with the script, we can decode the strings and see that the roles and data send to the C2. +`SNI=VTFS.QD&UME=Xjoepxt!8!Qspgfttjpobm&OPQ=benjo&IVR=VTFS.QD$$benjoAA11482.572.3314613.96675&st=0` (Here from the Anyrun sandbox) +###### We can resume all the variables used and the type of the informations sended in the C2. + |Variable|Description| | ------------- |:-------------| |SNI|Computer name| 
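Review bot: the added sentence at `+###### After perform the reconnaissance actions, this can send a query as pulse ...` has several grammar problems ("After perform", "informations", "additionnal operation give the final URL") and should read "After performing the reconnaissance actions, it sends a query as a pulse with the information to the C2; the URL is decoded and an additional operation gives the final URL." The sample `SNI=VTFS.QD&UME=Xjoepxt!8!Qspgfttjpobm&OPQ=benjo&...` is dropped in without its decoded form: every byte is shifted by one (VTFS.QD decodes to USER-PC, Xjoepxt!8!Qspgfttjpobm to Windows 7 Professional, benjo to admin), so showing the decoded counterpart next to it would let a reader verify the variable table that follows. The lead-in "We can resume all the variables used and the type of the informations sended in the C2" should be "We can summarise all the variables used and the type of information sent to the C2".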
@@ -65,21 +68,21 @@ |Enterprise tactics|Technics used|Ref URL| | :---------------: |:-------------| :------------- | -|Execution|T1059 - Command-Line Interface
T1106 - Execution through API
T1170 - Mshta
T1086 - PowerShell
T1053 - Scheduled Task
T1064 - Scripting
T1059 - Command-Line Interface|https://attack.mitre.org/techniques/T1059
https://attack.mitre.org/techniques/T1106
https://attack.mitre.org/techniques/T1170
https://attack.mitre.org/techniques/T1086
https://attack.mitre.org/techniques/T1053
https://attack.mitre.org/techniques/T1064
https://attack.mitre.org/techniques/T1059| -|Persistence|T1060 - Registry Run Keys / Startup Folder
T1053 - Scheduled Task|https://attack.mitre.org/techniques/T1060
https://attack.mitre.org/techniques/T1053| -|Privilege Escalation|T1053 - Scheduled Task|https://attack.mitre.org/techniques/T1053| -|Defense Evasion|T1170 - Mshta
T1064 - Scripting|https://attack.mitre.org/techniques/T1170
https://attack.mitre.org/techniques/T1064| -|Credential Access|T1081 - Credentials in Files|https://attack.mitre.org/techniques/T1081| -|Collection|T1113 - Screen Capture
T1114 - Email Collection|https://attack.mitre.org/techniques/T1113
https://attack.mitre.org/techniques/T1114| +|Execution|T1203 - Exploitation for Client Execution|https://attack.mitre.org/techniques/T1203| +|Persistence|T1060 - Registry Run Keys / Startup Folder|https://attack.mitre.org/techniques/T1060| +|Discovery|T1012 - Query Registry|https://attack.mitre.org/techniques/T1012| +|Lateral Movement|T1105 - Remote File Copy|https://attack.mitre.org/techniques/T1105| +|C & C|T1105 - Remote File Copy|https://attack.mitre.org/techniques/T1105| + ## Indicators Of Compromise (IOC) ###### List of all the Indicators Of Compromise (IOC) | Indicator | Description| | ------------- |:-------------| -|Urgent Action.docx]|34b53cd683f60800ac4057d25b24d8f083f759d024d22b4e5f2a464bc85de65a| +|Urgent Action.docx|34b53cd683f60800ac4057d25b24d8f083f759d024d22b4e5f2a464bc85de65a| |smss.exe|dcb8531b0879d46949dd63b1ac094f5588c26867805d0795e244f4f9b8077ed1| -|maq.com.pk|domain requested| -|203.124.43.227|ip requested| +|maq.com.pk|Domain requested| +|203.124.43.227|IP requested| |http[:]//maq.com.pk/|HTTP/HTTPS requests| |http[:]//maq.com.pk/wehsd|HTTP/HTTPS requests| |http[:]//maq.com.pk/wehs|HTTP/HTTPS requests|
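Review bot: the rewritten MITRE table in the second hunk drops Scheduled Task (T1053), Mshta (T1170), PowerShell (T1086), Scripting (T1064), the Credential Access and Collection rows and the whole Defense Evasion category without the change being explained; if the earlier mapping did not fit this sample (Execution now points at T1203 and a new Discovery row at T1012 Query Registry), the commit message should say so, otherwise the removed rows should be kept. Listing T1105 under both Lateral Movement and C & C matches the ATT&CK mapping of that technique, but the unchanged header cell "Technics used" should be "Techniques used" while the table is being reworked. In the IOC table, removing the stray `]` after `Urgent Action.docx` and capitalising "Domain requested" and "IP requested" are fine as they stand.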