From 9d926573a33de514f64eac13fb8a06251ca2aaa8 Mon Sep 17 00:00:00 2001
From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com>
Date: Sun, 25 Aug 2019 02:00:36 +0200
Subject: [PATCH] Create Malware analysis 25-08-19.md

---
 .../23-08-19/Malware analysis 25-08-19.md     | 50 +++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 Pakistan/APT/Gorgon/23-08-19/Malware analysis 25-08-19.md

diff --git a/Pakistan/APT/Gorgon/23-08-19/Malware analysis 25-08-19.md b/Pakistan/APT/Gorgon/23-08-19/Malware analysis 25-08-19.md
new file mode 100644
index 0000000..387f4f9
--- /dev/null
+++ b/Pakistan/APT/Gorgon/23-08-19/Malware analysis 25-08-19.md	
@@ -0,0 +1,50 @@
+# Malware analysis on Gorgon APT campaign (23-08-19)
+## Table of Contents
+* [Malware analysis](#Malware-analysis)
+  + [Initial vector](#Initial-vector)
+  + [First stage](#First)
+  + [Second stage](#Second)
+  + [Cyber kill chain](#Cyber-kill-chain)
+* [Cyber Threat Intel](#Cyber-Threat-Intel)
+* [IOC](#IOC)
+* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
+* [Links](#Links)
+  + [Original Tweet](#Original-Tweet)
+  + [Link Anyrun](#Links-Anyrun)
+  + [Ref previous analysis](#Documents)
+  
+## Malware-analysis <a name="Malware-analysis"></a>
+### Initial vector <a name="Initial-vector"></a>
+###### Use a document with a macro as initial vector. On the code of the macro, some functions with differents names are used with the same code inside for obfuscate and make more harder the analysis. 
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Macro/Samefunctions.PNG "")
+###### Use in more at the function, strReverse for reverse the data. Finally, combine it and execute it with a Shell request.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Macro/macroCode.png "")
+###### This use mshta command for download and execute the external content. The bitly URL go on the pastebin share and is the first stage.
+### First stage
+
+## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
+###### List of all the references with MITRE ATT&CK Matrix
+
+|Enterprise tactics|Technics used|Ref URL|
+| :---------------: |:-------------| :------------- |
+|||
+|||
+|||
+|||
+## Indicators Of Compromise (IOC) <a name="IOC"></a>
+
+###### List of all the Indicators Of Compromise (IOC)
+| Indicator     | Description|
+| ------------- |:-------------|
+|||
+||IP C2|
+|http[:]//|URL request|	
+||Domain C2|
+
+###### This can be exported as JSON format [Export in JSON]()	
+
+## Links <a name="Links"></a>
+
+* Original tweet: https://twitter.com/Rmy_Reserve/status/1164405054746460161 <a name="Original-Tweet"></a>
+* Anyrun Link: [IMG76329797.xls](https://app.any.run/tasks/3cff3642-1d54-4a66-8f0d-256f0065479b)<a name="Links-Anyrun"></a>
+* Docs : [Gorgon analysis by Unit42](https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/) <a name="Documents"></a>