Template + modif
This commit is contained in:
parent
a190109b4a
commit
ab0ac432e0
@ -0,0 +1,83 @@
|
|||||||
|
# Malware analysis on Bitter APT campaign (31-08-19)
|
||||||
|
## Table of Contents
|
||||||
|
* [Malware analysis](#Malware-analysis)
|
||||||
|
+ [Initial vector](#Initial-vector)
|
||||||
|
* [Cyber Threat Intel](#Cyber-Threat-Intel)
|
||||||
|
* [Indicators Of Compromise (IOC)](#IOC)
|
||||||
|
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
|
||||||
|
* [Links](#Links)
|
||||||
|
+ [Original Tweet](#Original-Tweet)
|
||||||
|
+ [Link Anyrun](#Links-Anyrun)
|
||||||
|
+ [Documents](#Documents)
|
||||||
|
|
||||||
|
## Malware-analysis <a name="Malware-analysis"></a>
|
||||||
|
### Initial vector <a name="Initial-vector"></a>
|
||||||
|
|
||||||
|
###### Use a document with a remote template injection as initial vector. This download the
|
||||||
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/Extref.png "")
|
||||||
|
|
||||||
|
### Cyber kill chain <a name="Cyber-kill-chain"></a>
|
||||||
|
###### This process graph represents the cyber kill chain of Bitter sample.
|
||||||
|
### Cyber Threat Intel<a name="Cyber-Threat-Intel"></a>
|
||||||
|
|
||||||
|
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
|
||||||
|
###### List of all the references with MITRE ATT&CK Matrix
|
||||||
|
|
||||||
|
|Enterprise tactics|Technics used|Ref URL|
|
||||||
|
| :---------------: |:-------------| :------------- |
|
||||||
|
|Execution|T1059 - Command-Line Interface<br>T1106 - Execution through API<br> T1170 - Mshta<br>T1086 - PowerShell<br>T1053 - Scheduled Task<br>T1064 - Scripting<br>T1059 - Command-Line Interface|https://attack.mitre.org/techniques/T1059<br>https://attack.mitre.org/techniques/T1106<br>https://attack.mitre.org/techniques/T1170<br>https://attack.mitre.org/techniques/T1086<br>https://attack.mitre.org/techniques/T1053<br>https://attack.mitre.org/techniques/T1064<br>https://attack.mitre.org/techniques/T1059|
|
||||||
|
|Persistence|T1060 - Registry Run Keys / Startup Folder<br>T1053 - Scheduled Task|https://attack.mitre.org/techniques/T1060<br>https://attack.mitre.org/techniques/T1053|
|
||||||
|
|Privilege Escalation|T1053 - Scheduled Task|https://attack.mitre.org/techniques/T1053|
|
||||||
|
|Defense Evasion|T1170 - Mshta<br>T1064 - Scripting|https://attack.mitre.org/techniques/T1170<br>https://attack.mitre.org/techniques/T1064|
|
||||||
|
|Credential Access|T1081 - Credentials in Files|https://attack.mitre.org/techniques/T1081|
|
||||||
|
|Collection|T1113 - Screen Capture<br>T1114 - Email Collection|https://attack.mitre.org/techniques/T1113<br>https://attack.mitre.org/techniques/T1114|
|
||||||
|
## Indicators Of Compromise (IOC) <a name="IOC"></a>
|
||||||
|
|
||||||
|
###### List of all the Indicators Of Compromise (IOC)
|
||||||
|
| Indicator | Description|
|
||||||
|
| ------------- |:-------------|
|
||||||
|
|IMG76329797.xls|e66181155a9cd827def409135334ecf173459e001e79853e1b38f2b8e5d8cc59|
|
||||||
|
|Inj.dll|84833991F1705A01A11149C9D037C8379A9C2D463DC30A2FEC27BFA52D218FA6|
|
||||||
|
|mse60dc.exe|de314d038d9b0f8ff32cfe3391c4eec53a3e453297978e46c9b90df2542ed592|
|
||||||
|
|bitly.com|domain requested|
|
||||||
|
|xaasxasxasx.blogspot.com|domain requested|
|
||||||
|
|resources.blogblog.com domain requested|
|
||||||
|
|pastebin.com domain requested|
|
||||||
|
|67.199.248.14|ip requested|
|
||||||
|
|67.199.248.15|ip requested|
|
||||||
|
|104.20.208.21|ip requested|
|
||||||
|
|http[:]//www[.]bitly[.]com/aswoesx8sxwxxd |HTTP/HTTPS requests|
|
||||||
|
|https[:]//pastebin[.]com/raw/rjfk3j9m |HTTP/HTTPS requests|
|
||||||
|
|https[:]///pastebin[.]com/raw/tgP7S1Qe |HTTP/HTTPS requests|
|
||||||
|
|https[:]//pastebin[.]com/raw/0rhAppFq |HTTP/HTTPS requests|
|
||||||
|
|https[:]//pastebin[.]com/raw/c3V923PW |HTTP/HTTPS requests|
|
||||||
|
|https[:]//pastebin[.]com/raw/VFUXDF7C |HTTP/HTTPS requests|
|
||||||
|
|http[:]//www[.]ichoubyou[.]net/ao/?3f9L=Lo3E2+YBaBWDL2bUvw2B2SYfQBwPkMAIH1i2HT9ocxT5reT2XuVh6G9ligbLGsBAAwhLuQ==&BbBX=LhTpETx8Zdn |HTTP/HTTPS requests|
|
||||||
|
|http[:]//www[.]grupomsi[.]com/ao/?3f9L=Kbq++Y0aAgDxGCx7fxZFucXlrMdtuSyVttVG37Ejsga78k8ZP/EpUCryDr6PmBWAbaydAw==&BbBX=LhTpETx8Zdn&sql=1 |HTTP/HTTPS requests|
|
||||||
|
|http[:]//www[.]grupomsi[.]com/ao/ |HTTP/HTTPS requests|
|
||||||
|
|http[:]//www[.]theaterloops[.]com/ao/?3f9L=M0MA2fUiqMbVb6H3GNVaAqJS8mhIciwdMXRISKDsKJcWUJLkZY1j+YIFBEd9s0Uz5tYaIQ==&BbBX=LhTpETx8Zdn&sql=1 |HTTP/HTTPS requests|
|
||||||
|
|http[:]//www[.]theaterloops[.]com/ao/ |HTTP/HTTPS requests|
|
||||||
|
|http[:]//www[.]sukfat[.]com/ao/ |HTTP/HTTPS requests|
|
||||||
|
|http[:]//www[.]sukfat[.]com/ao/?3f9L=i08SS1jJNzlL2PYEM5jjY78DODQHD8SSq/VJ1wVBwRJ7J5CmvaFz3C5neJ7p21NB5nPOdg==&BbBX=LhTpETx8Zdn |HTTP/HTTPS requests|
|
||||||
|
|www[.]hongmenwenhua[.]com |Domain C2|
|
||||||
|
|www[.]ichoubyou[.]net |Domain C2|
|
||||||
|
|www[.]grupomsi[.]com |Domain C2|
|
||||||
|
|www[.]sukfat[.]com |Domain C2|
|
||||||
|
|www[.]theaterloops[.]com |Domain C2|
|
||||||
|
|210.188.195.164|IP C2|
|
||||||
|
|23.20.239.12|IP C2|
|
||||||
|
|185.68.16.122|IP C2|
|
||||||
|
|199.192.23.220|IP C2|
|
||||||
|
|
||||||
|
###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/IOC_Gorgon_25-08-19.json)
|
||||||
|
|
||||||
|
## Links <a name="Links"></a>
|
||||||
|
|
||||||
|
* Original tweet: https://twitter.com/RedDrip7/status/1164855381052416002 <a name="Original-Tweet"></a>
|
||||||
|
* Anyrun Link: <a name="Links-Anyrun"></a>
|
||||||
|
+ [Urgent Action.docx](https://app.any.run/tasks/27a486be-50cc-4c75-ac00-b5009582d4ff)
|
||||||
|
+ [inj2.exe](https://app.any.run/tasks/d7365b93-470c-4e2e-bc6d-5e43c711d72e)
|
||||||
|
* Docs : <a name="Documents"></a>
|
||||||
|
+ [Gorgon analysis by Unit42](https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/)
|
||||||
|
+ [The Evolution of Aggah: From Roma225 to the RG Campaign ](https://securityaffairs.co/wordpress/89502/malware/evolution-aggah-roma225-campaign.html)
|
||||||
|
+ [Frombook analysis from cyberbit (June 2019)](https://www.cyberbit.com/blog/endpoint-security/formbook-research-hints-large-data-theft-attack-brewing/)
|
Loading…
Reference in New Issue
Block a user