Update Malware analysis 25-08-19.md

StrangerealIntel 2019-08-26 01:10:49 +02:00 committed by GitHub
parent 53fd7ebd5e
commit ab7818ad2a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -46,8 +46,43 @@
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/confStrings.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/confStrings.png "")
###### Once the protection removed, we can see the functions used by the dll. ###### Once the protection removed, we can see the functions used by the dll.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/unpack.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/unpack.png "")
###### The run method get the payload string push by the second PE and execute it. ###### The run method get the payload string push by the second PE, decode it and execute it.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/run.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/run.png "")
#### Frombook
###### We can observe on the structure, the encoding for scale the data and add junk code on the PE for avoid the detection of the AV (here, in the "Currentversion" string.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Frombook/dec.png "")
###### This sample is programming in C++ (Frombook is available in many language : VB, C, C++, C#...) and check the PE structure.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Frombook/CheckPE.png "")
###### This continue to detect and steal the data from the navigators.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Frombook/choicenav.png "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Frombook/chrome.png "")
##### This parsed and steal the passwords.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Frombook/config.png "")
##### We can observe the useragent settings who send the data to the C2.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Frombook/useragent.png "")
##### This use a run key as persistence for the frombook module.
##### Some features of Frombook form the cyberbit analysis can be observed in this analysis and the execution on the anyrun sandbox :
* ###### Keystroke logging
* ###### Clipboard monitoring
* ###### HTTP/HTTPS/SPDY/HTTP2 form and network request grabbing
* ###### Browser and email client password grabbing
* ###### Capturing screenshots
* ###### Bot updating
* ###### Downloading and executing files
* ###### Bot removing
* ###### Launching commands via ShellExecute
* ###### Clear browser cookies
* ###### Reboot the system
* ###### Shutdown the system
* ###### Download and unpack ZIP archive
### Cyber kill chain <a name="Cyber-kill-chain"></a>
###### These process graphs represents the cyber kill chain of the initial vector and the Frombook module.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/cyber.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/cyberfrom.PNG "")
### Cyber Threat Intel<a name="Cyber-Threat-Intel"></a>
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a> ## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
###### List of all the references with MITRE ATT&CK Matrix ###### List of all the references with MITRE ATT&CK Matrix
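Review bot: the new "Frombook" section (the heading on the `#### Frombook` line and every mention down to the kill-chain caption) misspells the family name; the cyberbit reference added in this same commit is a FormBook write-up (`formbook-research-hints-large-data-theft-attack-brewing`), so the heading, the prose and the kill-chain caption should read `FormBook` (and `#### FormBook`) to keep the analysis searchable against the cited sources. While touching those lines: the first bullet under the heading has an unclosed parenthesis ("(here, in the "Currentversion" string."), "steal the data from the navigators" should be "from the browsers", "form the cyberbit analysis" should be "from the cyberbit analysis", "the useragent settings who send the data" should be "that sends the data", and the sentence "Frombook is available in many language : VB, C, C++, C#..." carries no reference, so either cite where that comes from or drop it. The heading levels also flip between `######` and `#####` inside the same section (the "parsed and steal the passwords", "useragent settings" and "run key as persistence" lines are `#####`, the rest `######`); pick one level as the rest of the file does. Finally, `### Cyber Threat Intel<a name="Cyber-Threat-Intel"></a>` is added with no content beneath it; either fill it in this commit or leave the heading out until there is something to put under it.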
@ -72,7 +107,10 @@
## Links <a name="Links"></a> ## Links <a name="Links"></a>
* Original tweet: https://twitter.com/Rmy_Reserve/status/1164405054746460161 <a name="Original-Tweet"></a> * Original tweet: https://twitter.com/Rmy_Reserve/status/1164405054746460161 <a name="Original-Tweet"></a>
* Anyrun Link: [IMG76329797.xls](https://app.any.run/tasks/3cff3642-1d54-4a66-8f0d-256f0065479b)<a name="Links-Anyrun"></a> * Anyrun Link: <a name="Links-Anyrun"></a>
+ [IMG76329797.xls](https://app.any.run/tasks/3cff3642-1d54-4a66-8f0d-256f0065479b)
+ [inj2.exe](https://app.any.run/tasks/d7365b93-470c-4e2e-bc6d-5e43c711d72e)
* Docs : <a name="Documents"></a> * Docs : <a name="Documents"></a>
+ [Gorgon analysis by Unit42](https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/) + [Gorgon analysis by Unit42](https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/)
+ [The Evolution of Aggah: From Roma225 to the RG Campaign ](https://securityaffairs.co/wordpress/89502/malware/evolution-aggah-roma225-campaign.html) + [The Evolution of Aggah: From Roma225 to the RG Campaign ](https://securityaffairs.co/wordpress/89502/malware/evolution-aggah-roma225-campaign.html)
+ [Frombook analysis from cyberbit (June 2019)](https://www.cyberbit.com/blog/endpoint-security/formbook-research-hints-large-data-theft-attack-brewing/)
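Review bot: the link text "Frombook analysis from cyberbit (June 2019)" should say "FormBook", matching the target URL (`formbook-research-hints-large-data-theft-attack-brewing`); as written the reference name does not match the malware it describes. The new `inj2.exe` Anyrun task is a welcome addition, but nothing in the analysis body names that sample, so the "execution on the anyrun sandbox" sentence in the FormBook section should state that `inj2.exe` is the module run there, otherwise a reader cannot tell which of the two tasks backs the feature list.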