Update Malware analysis 31-08-19.md

This commit is contained in:
StrangerealIntel 2019-09-01 19:08:16 +02:00 committed by GitHub
parent f140997934
commit 96c4f4bc9a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -42,10 +42,13 @@
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/GetProcname.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/GetProcname.PNG "")
###### This use too , the EncodePointer function for encoding a specified pointer (encoded pointers can be used to provide another layer of protection for pointer values). ###### This use too , the EncodePointer function for encoding a specified pointer (encoded pointers can be used to provide another layer of protection for pointer values).
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/PointerDATA.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/PointerDATA.png "")
###### After perform the reconnaissance actions, this can send a query as pulse with the informations to the C2. ###### After perform the reconnaissance actions, this can send a query as pulse with the informations to the C2, the URL to send is decoded and an additionnal operation give the final URL.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/send.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/send.png "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/query.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/query.png "")
###### The data are encoded by the algoritm too, with the script, we can decode the strings and see that the roles and data send to the C2. ###### The data are encoded by the algoritm too, with the script, we can decode the strings and see that the roles and data send to the C2.
`SNI=VTFS.QD&UME=Xjoepxt!8!Qspgfttjpobm&OPQ=benjo&IVR=VTFS.QD$$benjoAA11482.572.3314613.96675&st=0` (Here from the Anyrun sandbox)
###### We can resume all the variables used and the type of the informations sended in the C2.
|Variable|Description| |Variable|Description|
| ------------- |:-------------| | ------------- |:-------------|
|SNI|Computer name| |SNI|Computer name|
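Review bot: the rewritten sentence on the C2 pulse still does not say what the encoding is, and the new text keeps several spelling and grammar slips ("additionnal operation give", "informations", "algoritm", "data send", "sended", "resume"). The sample query visible here decodes by subtracting one from every character code (`VTFS.QD` → `USER-PC`, `Xjoepxt!8!Qspgfttjpobm` → `Windows 7 Professional`, `benjo` → `admin`), which is worth stating in the text so a detection engineer can reproduce the decoding without the script; suggest "an additional operation gives the final URL", "the data sent to the C2", and "We can summarize all the variables used and the type of information sent to the C2".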
@ -65,21 +68,21 @@
|Enterprise tactics|Technics used|Ref URL| |Enterprise tactics|Technics used|Ref URL|
| :---------------: |:-------------| :------------- | | :---------------: |:-------------| :------------- |
|Execution|T1059 - Command-Line Interface<br>T1106 - Execution through API<br> T1170 - Mshta<br>T1086 - PowerShell<br>T1053 - Scheduled Task<br>T1064 - Scripting<br>T1059 - Command-Line Interface|https://attack.mitre.org/techniques/T1059<br>https://attack.mitre.org/techniques/T1106<br>https://attack.mitre.org/techniques/T1170<br>https://attack.mitre.org/techniques/T1086<br>https://attack.mitre.org/techniques/T1053<br>https://attack.mitre.org/techniques/T1064<br>https://attack.mitre.org/techniques/T1059| |Execution|T1203 - Exploitation for Client Execution|https://attack.mitre.org/techniques/T1203|
|Persistence|T1060 - Registry Run Keys / Startup Folder<br>T1053 - Scheduled Task|https://attack.mitre.org/techniques/T1060<br>https://attack.mitre.org/techniques/T1053| |Persistence|T1060 - Registry Run Keys / Startup Folder|https://attack.mitre.org/techniques/T1060|
|Privilege Escalation|T1053 - Scheduled Task|https://attack.mitre.org/techniques/T1053| |Discovery|T1012 - Query Registry|https://attack.mitre.org/techniques/T1012|
|Defense Evasion|T1170 - Mshta<br>T1064 - Scripting|https://attack.mitre.org/techniques/T1170<br>https://attack.mitre.org/techniques/T1064| |Lateral Movement|T1105 - Remote File Copy|https://attack.mitre.org/techniques/T1105|
|Credential Access|T1081 - Credentials in Files|https://attack.mitre.org/techniques/T1081| |C & C|T1105 - Remote File Copy|https://attack.mitre.org/techniques/T1105|
|Collection|T1113 - Screen Capture<br>T1114 - Email Collection|https://attack.mitre.org/techniques/T1113<br>https://attack.mitre.org/techniques/T1114|
## Indicators Of Compromise (IOC) <a name="IOC"></a> ## Indicators Of Compromise (IOC) <a name="IOC"></a>
###### List of all the Indicators Of Compromise (IOC) ###### List of all the Indicators Of Compromise (IOC)
| Indicator | Description| | Indicator | Description|
| ------------- |:-------------| | ------------- |:-------------|
|Urgent Action.docx]|34b53cd683f60800ac4057d25b24d8f083f759d024d22b4e5f2a464bc85de65a| |Urgent Action.docx|34b53cd683f60800ac4057d25b24d8f083f759d024d22b4e5f2a464bc85de65a|
|smss.exe|dcb8531b0879d46949dd63b1ac094f5588c26867805d0795e244f4f9b8077ed1| |smss.exe|dcb8531b0879d46949dd63b1ac094f5588c26867805d0795e244f4f9b8077ed1|
|maq.com.pk|domain requested| |maq.com.pk|Domain requested|
|203.124.43.227|ip requested| |203.124.43.227|IP requested|
|http[:]//maq.com.pk/|HTTP/HTTPS requests| |http[:]//maq.com.pk/|HTTP/HTTPS requests|
|http[:]//maq.com.pk/wehsd|HTTP/HTTPS requests| |http[:]//maq.com.pk/wehsd|HTTP/HTTPS requests|
|http[:]//maq.com.pk/wehs|HTTP/HTTPS requests| |http[:]//maq.com.pk/wehs|HTTP/HTTPS requests|
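Review bot: the new Execution row replaces six techniques (T1059, T1106, T1170, T1086, T1053, T1064) with T1203 - Exploitation for Client Execution alone, but nothing in this hunk or in the analysis text above names the exploited vulnerability or the document feature abused; add a sentence or reference supporting T1203 so the mapping can be checked, and state whether the dropped techniques and the Collection row (T1113 / T1114, which appears on only one side of the rendered diff) were removed deliberately. The column header "Technics used" should read "Techniques used" in both versions. The IOC table fixes (stray `]` after `Urgent Action.docx`, "Domain" / "IP" capitalization) look right.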