From ab7818ad2a95899e52ecf2cf731f1c4991b7aaa1 Mon Sep 17 00:00:00 2001
From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com>
Date: Mon, 26 Aug 2019 01:10:49 +0200
Subject: [PATCH] Update Malware analysis 25-08-19.md
---
.../23-08-19/Malware analysis 25-08-19.md | 46 +++++++++++++++++--
1 file changed, 42 insertions(+), 4 deletions(-)
diff --git a/Pakistan/APT/Gorgon/23-08-19/Malware analysis 25-08-19.md b/Pakistan/APT/Gorgon/23-08-19/Malware analysis 25-08-19.md
index 577a750..2c19eb4 100644
--- a/Pakistan/APT/Gorgon/23-08-19/Malware analysis 25-08-19.md
+++ b/Pakistan/APT/Gorgon/23-08-19/Malware analysis 25-08-19.md
@@ -46,8 +46,43 @@
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/confStrings.png "")
###### Once the protection removed, we can see the functions used by the dll.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/unpack.png "")
-###### The run method get the payload string push by the second PE and execute it.
+###### The run method get the payload string push by the second PE, decode it and execute it.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/run.png "")
+#### Frombook
+###### We can observe on the structure, the encoding for scale the data and add junk code on the PE for avoid the detection of the AV (here, in the "Currentversion" string.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Frombook/dec.png "")
+###### This sample is programming in C++ (Frombook is available in many language : VB, C, C++, C#...) and check the PE structure.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Frombook/CheckPE.png "")
+
+###### This continue to detect and steal the data from the navigators.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Frombook/choicenav.png "")
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Frombook/chrome.png "")
+
+##### This parsed and steal the passwords.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Frombook/config.png "")
+##### We can observe the useragent settings who send the data to the C2.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Frombook/useragent.png "")
+##### This use a run key as persistence for the frombook module.
+##### Some features of Frombook form the cyberbit analysis can be observed in this analysis and the execution on the anyrun sandbox :
+* ###### Keystroke logging
+* ###### Clipboard monitoring
+* ###### HTTP/HTTPS/SPDY/HTTP2 form and network request grabbing
+* ###### Browser and email client password grabbing
+* ###### Capturing screenshots
+* ###### Bot updating
+* ###### Downloading and executing files
+* ###### Bot removing
+* ###### Launching commands via ShellExecute
+* ###### Clear browser cookies
+* ###### Reboot the system
+* ###### Shutdown the system
+* ###### Download and unpack ZIP archive
+### Cyber kill chain
+###### These process graphs represents the cyber kill chain of the initial vector and the Frombook module.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/cyber.PNG "")
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/cyberfrom.PNG "")
+### Cyber Threat Intel
+
## References MITRE ATT&CK Matrix
###### List of all the references with MITRE ATT&CK Matrix
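Review bot: The malware family name is misspelled throughout this hunk as "Frombook" (the `#### Frombook` heading, the "Frombook module" lines and the feature list); the cyberbit reference linked in the second hunk uses the correct name, FormBook, and the feature list below is clearly the FormBook feature set, so the heading, the kill-chain sentence and every other occurrence should read "FormBook" so the report can be found by readers searching for the family. A few smaller points in the same hunk: the sentence under `#### Frombook` opens a parenthesis `(here, in the "Currentversion" string` that is never closed; "navigators" should be "browsers"; "form the cyberbit analysis" should be "from the cyberbit analysis"; the persistence claim ("This use a run key as persistence") names no registry key or value and has no accompanying screenshot, unlike every other claim in this section, so either add the key path and an image or qualify the statement; and the new `### Cyber Threat Intel` heading has no content under it before `## References MITRE ATT&CK Matrix`, so it should either get its body or be dropped from this commit. Finally, body sentences are written as `######` and `#####` headings (the feature list even uses `* ######` items); consistent use of one heading level for these captions, or plain paragraphs, would keep the rendered document-outline readable.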
@@ -72,7 +107,10 @@
## Links
* Original tweet: https://twitter.com/Rmy_Reserve/status/1164405054746460161
-* Anyrun Link: [IMG76329797.xls](https://app.any.run/tasks/3cff3642-1d54-4a66-8f0d-256f0065479b)
+* Anyrun Link:
+ + [IMG76329797.xls](https://app.any.run/tasks/3cff3642-1d54-4a66-8f0d-256f0065479b)
+ + [inj2.exe](https://app.any.run/tasks/d7365b93-470c-4e2e-bc6d-5e43c711d72e)
* Docs :
-+ [Gorgon analysis by Unit42](https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/)
-+ [The Evolution of Aggah: From Roma225 to the RG Campaign ](https://securityaffairs.co/wordpress/89502/malware/evolution-aggah-roma225-campaign.html)
+ + [Gorgon analysis by Unit42](https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/)
+ + [The Evolution of Aggah: From Roma225 to the RG Campaign ](https://securityaffairs.co/wordpress/89502/malware/evolution-aggah-roma225-campaign.html)
+ + [Frombook analysis from cyberbit (June 2019)](https://www.cyberbit.com/blog/endpoint-security/formbook-research-hints-large-data-theft-attack-brewing/)
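Review bot: The nested link items in this hunk are indented by a single space (`+ [IMG76329797.xls](...)`, `+ [inj2.exe](...)`, and the three `+ [...]` items under `* Docs :`), which CommonMark and GitHub do not treat as a sub-list of the preceding `*` item: a different bullet character at insufficient indentation starts a new top-level list, so "Anyrun Link:" and "Docs :" will render as separate lists rather than as parents of their links. Indent the nested items by at least two spaces, for example `  + [IMG76329797.xls](https://app.any.run/tasks/3cff3642-1d54-4a66-8f0d-256f0065479b)`, or keep the `*` marker and indent the same way. The link title `[Frombook analysis from cyberbit (June 2019)]` should read "FormBook" to match the family name in the target URL, and the trailing space inside `[The Evolution of Aggah: From Roma225 to the RG Campaign ]` carried over from the removed line should be trimmed while the line is being touched.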