From ad21d1e284c3e3002535d8a892ee06f86bb6ef7c Mon Sep 17 00:00:00 2001 From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com> Date: Wed, 4 Sep 2019 18:11:37 +0200 Subject: [PATCH] Update Malware analysis 26-08-19.md --- .../26-08-19/Malware analysis 26-08-19.md | 58 +++++++++++++++---- 1 file changed, 47 insertions(+), 11 deletions(-) diff --git a/Israel/APT/Unknown/26-08-19/Malware analysis 26-08-19.md b/Israel/APT/Unknown/26-08-19/Malware analysis 26-08-19.md index 32cb3fc..63393d0 100644 --- a/Israel/APT/Unknown/26-08-19/Malware analysis 26-08-19.md +++ b/Israel/APT/Unknown/26-08-19/Malware analysis 26-08-19.md @@ -76,19 +76,22 @@ As anti-forensic method, a method which can know if determiner if a debugger is |delete|Function don't exist but by the params seems give to the attacker to delete folders or files| |exit-process|Kill the backdoor process but can't remove the persistence, an "execute" command must be performed before for delete it in the registry| -### Cyber kill chain +## Cyber kill chain ###### The process graph resume the cyber kill chain used by the attacker. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/cyber.PNG "") -### Cyber Threat Intel +## Cyber Threat Intel ## References MITRE ATT&CK Matrix ###### List of all the references with MITRE ATT&CK Matrix |Enterprise tactics|Technics used|Ref URL| | :---------------: |:-------------| :------------- | -|||| -|||| -|||| +|Execution|T1170 - Mshta
T1064 - Scripting|https://attack.mitre.org/techniques/T1170
https://attack.mitre.org/techniques/T1064| +|Persistence|T1197 - BITS Jobs
T1060 - Registry Run Keys / Startup Folder|https://attack.mitre.org/techniques/T1197
https://attack.mitre.org/techniques/T1060| +|Defense Evasion|T1197 - BITS Jobs
T1170 - Mshta
T1064 - Scripting|https://attack.mitre.org/techniques/T1197
https://attack.mitre.org/techniques/T1170
https://attack.mitre.org/techniques/T1064| +|Discovery|T1012 - Query Registry|https://attack.mitre.org/techniques/T1012| +|Lateral Movement|T1105 - Remote File Copy|https://attack.mitre.org/techniques/T1105| +|C2|T1105 - Remote File Copy|https://attack.mitre.org/techniques/T1105| ## Indicators Of Compromise (IOC) 
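Review bot: as this hunk reads, the Execution, Persistence and Defense Evasion rows of the ATT&CK table spread their technique and URL cells over several physical lines, which a GitHub markdown table does not accept (each row must be a single line), so the table will render broken or as literal pipes; join multiple entries inside one cell with `<br>`, e.g. `|Execution|T1170 - Mshta<br>T1064 - Scripting|https://attack.mitre.org/techniques/T1170<br>https://attack.mitre.org/techniques/T1064|`. While touching the table, the unchanged header cell `Technics used` should read `Techniques used`.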
@@ -96,15 +99,48 @@ As anti-forensic method, a method which can know if determiner if a debugger is | Indicator | Description| | ------------- |:-------------:| -||| -||Domain requested| -||IP requested| -||HTTP/HTTPS requests|| -||IP C2| -||Domain C2| +|فضيحة جديدة لأحد قيادات حماس.exe|03d82852bbb28d1740e50206e7726c006b9b984a8309e2f203e65a67d7d3bcad| +|History.lnk|3853e0bf00d6dbfc574bc0564f0c90b93a66d644dd4dc8b8c00564f0b6edf581| +|ss.vbs|2e5f9bb1cef985eab15ad8d9072e51c71be2810fea789836b401b96bc898943b| +|news.docx|08fa35e25f4c7a6279a84b337d541989498d74f2c5e84cc4039d667fedc725c7| +|xyx.jse|32e216942f995f285947c7e7ee8cf438440c8a1e033bb27517f5e5361dafa8e8| +|JS Backdoor|32e216942f995f285947c7e7ee8cf438440c8a1e033bb27517f5e5361dafa8e8| +|adamnews.for.ug|Domain requested| +|israanews.zz.com.ve|Domain requested| +|mmksba.dyndns.org|Domain C2| +|webhoptest.webhop.info|Domain C2| +|mmksba.simple-url.com|Domain C2| +|85.17.26.65|IP requested| +|66.154.103.156|IP C2| +|37.48.111.5|IP C2| +|http[:]//israanews.zz.com.ve/hw.zip.zip|HTTP/HTTPS requests| +|http[:]//adamnews.for.ug/hwdownhww|HTTP/HTTPS requests| +|http[:]//mmksba.dyndns.org:4455/is-ready|HTTP/HTTPS requests| +|http[:]//webhoptest.webhop.info:4433/is-ready|HTTP/HTTPS requests| +|http[:]//mmksba.simple-url.com:4422/is-ready|HTTP/HTTPS requests| +|http[:]//mmksba.dyndns.org:4455/is-ready|HTTP/HTTPS requests| +|http[:]//webhoptest.webhop.info:4433/is-sending|HTTP/HTTPS requests| +|http[:]//mmksba.simple-url.com:4422/is-sending|HTTP/HTTPS requests| +|http[:]//mmksba.dyndns.org:4455/is-sending|HTTP/HTTPS requests| +|http[:]//webhoptest.webhop.info:4433/is-recving|HTTP/HTTPS requests| +|http[:]//mmksba.simple-url.com:4422/is-recving|HTTP/HTTPS requests| +|http[:]//mmksba.dyndns.org:4455/is-recving|HTTP/HTTPS requests| +|http[:]//webhoptest.webhop.info:4433/is-enum-driver|HTTP/HTTPS requests| +|http[:]//mmksba.simple-url.com:4422/is-enum-driver|HTTP/HTTPS requests| 
+|http[:]//mmksba.dyndns.org:4455/is-enum-driver|HTTP/HTTPS requests| +|http[:]//webhoptest.webhop.info:4433/is-enum-faf|HTTP/HTTPS requests| +|http[:]//mmksba.simple-url.com:4422/is-enum-faf|HTTP/HTTPS requests| +|http[:]//mmksba.dyndns.org:4455/is-enum-faf|HTTP/HTTPS requests| +|http[:]//webhoptest.webhop.info:4433/is-enum-process|HTTP/HTTPS requests| +|http[:]//mmksba.simple-url.com:4422/is-enum-process|HTTP/HTTPS requests| +|http[:]//mmksba.dyndns.org:4455/is-enum-process|HTTP/HTTPS requests| + +###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/IOC_Israel_04-09-19.json) + ## Links ###### Original tweet: [https://twitter.com/Timele9527/status/1166188375109296128](https://twitter.com/Timele9527/status/1166188375109296128) ###### Links Anyrun: * [فضيحة جديدة لأحد قيادات حماس.zip (A new scandal of one of the leaders of Hamas.zip)](https://app.any.run/tasks/59ed8062-cf77-4d73-81bd-19cb26b7c7c6/) +* [xyx.jse](https://app.any.run/tasks/baa4f59c-969b-4617-b926-2d41da5e18b0/) ###### Documents: * [link]()
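Review bot: the IOC table added in this hunk has a duplicate row (`http[:]//mmksba.dyndns.org:4455/is-ready` appears twice), and `xyx.jse` and `JS Backdoor` carry the identical hash `32e216942f995f285947c7e7ee8cf438440c8a1e033bb27517f5e5361dafa8e8`, so either they are the same artefact and should be one row (or the second row should point at the first), or one of the hashes is wrong; please reconcile. The first six rows also place file hashes in the column headed `Description` without stating the algorithm (the 64-hex-character values look like SHA-256); either rename that column or add a dedicated `SHA256` column so consumers of the table and of the JSON export know what they are matching on. Minor wording: `This can be exported as JSON format` reads better as `These IOCs are also available as JSON`.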