Update Analysis.md

Russia/Cybercriminal group/FIN7/16-10-19/Analysis.md

@@ -9,7 +9,27 @@
   + [Link Anyrun](#Links-Anyrun)
   + [Documents](#Documents)
 ## Malware analysis <a name="Malware-analysis"></a>
+###### The initial vector is a malicious xls which a macro, this extracts the string on the document and execute it.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/Cybercriminal%20group/FIN7/16-10-19/Pictures/Macro.png)
+###### The first layer of the JS backdoor is a series of arrays where the second elements are used for giving the second layer of the backdoor.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/Cybercriminal%20group/FIN7/16-10-19/Pictures/layer1.png)
+###### The first functions executed in the second layer is encoding the data to send at the C2.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/Cybercriminal%20group/FIN7/16-10-19/Pictures/layer2%20-%20decode.png)
+##### The main sends a pulse to the C2 and wait for the instructions to perform.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/Cybercriminal%20group/FIN7/16-10-19/Pictures/layer2%20-%20main.png)
+###### The backdoor performs a discover action for list the DNS host of the list active network cards. This helps to prepare the DNS extraction for sending the data in the C2.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/Cybercriminal%20group/FIN7/16-10-19/Pictures/layer2%20-%20id.png)
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/Cybercriminal%20group/FIN7/16-10-19/Pictures/layer2%20-%20id.png)
 
+###### This use after a function for randomizing (4 letters or numbers) the sub part of the URL to domain the contact and the name of file for storage temporary the data in waiting to send it(as tmp file in the disk).
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/Cybercriminal%20group/FIN7/16-10-19/Pictures/layer2%20-%20ns.png)
+###### In function of the hard-coded mode in backdoor, this sends the data via a DNS extraction or via HTTP.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/Cybercriminal%20group/FIN7/16-10-19/Pictures/layer2%20-%20send.png)
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/Cybercriminal%20group/FIN7/16-10-19/Pictures/layer2%20-%20dnsext.png)
+###### The IP used as C2 rest the same that the samples spotted early September.
+|IP|Route|ASN|Organization|Country|City|Coordinates|
+| :---------------: | :---------------: | :---------------: |:---------------: |:---------------: |:---------------: |:---------------: |
+|185.231.153.21| 185.231.153.0/24|AS48282|VDSINA VDS Hosting|Russia|Moscow|55.7386,37.6068|
 ## Cyber kill chain <a name="Cyber-kill-chain"></a>
 ###### The process graphs resume all the cyber kill chains used by the attacker. 
 ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/Cybercriminal%20group/FIN7/16-10-19/Pictures/CyberKill.png)
@@ -44,7 +64,7 @@
 ###### Links Anyrun: <a name="Links-Anyrun"></a>
 * [e5ac4108d02499fbdb8e04aa8c42c3dd40cc6be02b4ceb12145075c8bd32b790.xls](https://app.any.run/tasks/f2454e33-3d31-48a4-b49a-1b5c50eb7182)
 * [order.xlsb](https://app.any.run/tasks/43371f0f-35d0-4d1d-a0f3-4c8e41cd31c8)
-###### Documents:
+###### Documents:<a name="Documents"></a>
 * [FIN7.5: the infamous cybercrime rig “FIN7” continues its activities](https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/)
 * [Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques](https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html)
-
+* [FIN7 JS Backdoor](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Russia/Cybercriminal%20group/FIN7/16-10-19/Code/FIN7.js)