ch0ic3/CyberThreatIntel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Create Malware analysis 25-08-19.md

Browse Source
This commit is contained in:
StrangerealIntel 2019-08-25 02:00:36 +02:00 committed by GitHub
parent 6f5b3c645f
commit 9d926573a3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 50 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
Pakistan/APT/Gorgon/23-08-19/Malware analysis 25-08-19.md Normal file
View File

@ -0,0 +1,50 @@
# Malware analysis on Gorgon APT campaign (23-08-19)
## Table of Contents
* [Malware analysis](#Malware-analysis)
+ [Initial vector](#Initial-vector)
+ [First stage](#First)
+ [Second stage](#Second)
+ [Cyber kill chain](#Cyber-kill-chain)
* [Cyber Threat Intel](#Cyber-Threat-Intel)
* [IOC](#IOC)
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
* [Links](#Links)
+ [Original Tweet](#Original-Tweet)
+ [Link Anyrun](#Links-Anyrun)
+ [Ref previous analysis](#Documents)
## Malware-analysis <a name="Malware-analysis"></a>
### Initial vector <a name="Initial-vector"></a>
###### Use a document with a macro as initial vector. On the code of the macro, some functions with differents names are used with the same code inside for obfuscate and make more harder the analysis.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Macro/Samefunctions.PNG "")
###### Use in more at the function, strReverse for reverse the data. Finally, combine it and execute it with a Shell request.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Macro/macroCode.png "")
###### This use mshta command for download and execute the external content. The bitly URL go on the pastebin share and is the first stage.
### First stage
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
###### List of all the references with MITRE ATT&CK Matrix
|Enterprise tactics|Technics used|Ref URL|
| :---------------: |:-------------| :------------- |
|||
|||
|||
|||
## Indicators Of Compromise (IOC) <a name="IOC"></a>
###### List of all the Indicators Of Compromise (IOC)
| Indicator | Description|
| ------------- |:-------------|
|||
||IP C2|
|http[:]//|URL request|
||Domain C2|
###### This can be exported as JSON format [Export in JSON]()
## Links <a name="Links"></a>
* Original tweet: https://twitter.com/Rmy_Reserve/status/1164405054746460161 <a name="Original-Tweet"></a>
* Anyrun Link: [IMG76329797.xls](https://app.any.run/tasks/3cff3642-1d54-4a66-8f0d-256f0065479b)<a name="Links-Anyrun"></a>
* Docs : [Gorgon analysis by Unit42](https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/) <a name="Documents"></a>