ch0ic3/CyberThreatIntel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update Malware analysis 26-08-19.md

Browse Source
This commit is contained in:
StrangerealIntel 2019-09-04 18:11:37 +02:00 committed by GitHub
parent 0b5f974965
commit ad21d1e284
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 47 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
Israel/APT/Unknown/26-08-19/Malware analysis 26-08-19.md
View File

@ -76,19 +76,22 @@ As anti-forensic method, a method which can know if determiner if a debugger is
|delete|Function don't exist but by the params seems give to the attacker to delete folders or files|
|exit-process|Kill the backdoor process but can't remove the persistence, an "execute" command must be performed before for delete it in the registry|
### Cyber kill chain <a name="Cyber-kill-chain"></a>
## Cyber kill chain <a name="Cyber-kill-chain"></a>
###### The process graph resume the cyber kill chain used by the attacker.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/cyber.PNG "")
### Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>
## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
###### List of all the references with MITRE ATT&CK Matrix
|Enterprise tactics|Technics used|Ref URL|
| :---------------: |:-------------| :------------- |
||||
||||
||||
|Execution|T1170 - Mshta<br>T1064 - Scripting|https://attack.mitre.org/techniques/T1170<br>https://attack.mitre.org/techniques/T1064|
|Persistence|T1197 - BITS Jobs<br>T1060 - Registry Run Keys / Startup Folder|https://attack.mitre.org/techniques/T1197<br>https://attack.mitre.org/techniques/T1060|
|Defense Evasion|T1197 - BITS Jobs<br>T1170 - Mshta<br>T1064 - Scripting|https://attack.mitre.org/techniques/T1197<br>https://attack.mitre.org/techniques/T1170<br>https://attack.mitre.org/techniques/T1064|
|Discovery|T1012 - Query Registry|https://attack.mitre.org/techniques/T1012|
|Lateral Movement|T1105 - Remote File Copy|https://attack.mitre.org/techniques/T1105|
|C2|T1105 - Remote File Copy|https://attack.mitre.org/techniques/T1105|
## Indicators Of Compromise (IOC) <a name="IOC"></a>
@ -96,15 +99,48 @@ As anti-forensic method, a method which can know if determiner if a debugger is
| Indicator | Description|
| ------------- |:-------------:|
|||
||Domain requested|
||IP requested|
||HTTP/HTTPS requests||
||IP C2|
||Domain C2|
|فضيحة جديدة لأحد قيادات حماس.exe|03d82852bbb28d1740e50206e7726c006b9b984a8309e2f203e65a67d7d3bcad|
|History.lnk|3853e0bf00d6dbfc574bc0564f0c90b93a66d644dd4dc8b8c00564f0b6edf581|
|ss.vbs|2e5f9bb1cef985eab15ad8d9072e51c71be2810fea789836b401b96bc898943b|
|news.docx|08fa35e25f4c7a6279a84b337d541989498d74f2c5e84cc4039d667fedc725c7|
|xyx.jse|32e216942f995f285947c7e7ee8cf438440c8a1e033bb27517f5e5361dafa8e8|
|JS Backdoor|32e216942f995f285947c7e7ee8cf438440c8a1e033bb27517f5e5361dafa8e8|
|adamnews.for.ug|Domain requested|
|israanews.zz.com.ve|Domain requested|
|mmksba.dyndns.org|Domain C2|
|webhoptest.webhop.info|Domain C2|
|mmksba.simple-url.com|Domain C2|
|85.17.26.65|IP requested|
|66.154.103.156|IP C2|
|37.48.111.5|IP C2|
|http[:]//israanews.zz.com.ve/hw.zip.zip|HTTP/HTTPS requests|
|http[:]//adamnews.for.ug/hwdownhww|HTTP/HTTPS requests|
|http[:]//mmksba.dyndns.org:4455/is-ready|HTTP/HTTPS requests|
|http[:]//webhoptest.webhop.info:4433/is-ready|HTTP/HTTPS requests|
|http[:]//mmksba.simple-url.com:4422/is-ready|HTTP/HTTPS requests|
|http[:]//mmksba.dyndns.org:4455/is-ready|HTTP/HTTPS requests|
|http[:]//webhoptest.webhop.info:4433/is-sending|HTTP/HTTPS requests|
|http[:]//mmksba.simple-url.com:4422/is-sending|HTTP/HTTPS requests|
|http[:]//mmksba.dyndns.org:4455/is-sending|HTTP/HTTPS requests|
|http[:]//webhoptest.webhop.info:4433/is-recving|HTTP/HTTPS requests|
|http[:]//mmksba.simple-url.com:4422/is-recving|HTTP/HTTPS requests|
|http[:]//mmksba.dyndns.org:4455/is-recving|HTTP/HTTPS requests|
|http[:]//webhoptest.webhop.info:4433/is-enum-driver|HTTP/HTTPS requests|
|http[:]//mmksba.simple-url.com:4422/is-enum-driver|HTTP/HTTPS requests|
|http[:]//mmksba.dyndns.org:4455/is-enum-driver|HTTP/HTTPS requests|
|http[:]//webhoptest.webhop.info:4433/is-enum-faf|HTTP/HTTPS requests|
|http[:]//mmksba.simple-url.com:4422/is-enum-faf|HTTP/HTTPS requests|
|http[:]//mmksba.dyndns.org:4455/is-enum-faf|HTTP/HTTPS requests|
|http[:]//webhoptest.webhop.info:4433/is-enum-process|HTTP/HTTPS requests|
|http[:]//mmksba.simple-url.com:4422/is-enum-process|HTTP/HTTPS requests|
|http[:]//mmksba.dyndns.org:4455/is-enum-process|HTTP/HTTPS requests|
###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/IOC_Israel_04-09-19.json)
## Links <a name="Links"></a>
###### Original tweet: [https://twitter.com/Timele9527/status/1166188375109296128](https://twitter.com/Timele9527/status/1166188375109296128) <a name="Original-Tweet"></a>
###### Links Anyrun: <a name="Links-Anyrun"></a>
* [فضيحة جديدة لأحد قيادات حماس.zip (A new scandal of one of the leaders of Hamas.zip)](https://app.any.run/tasks/59ed8062-cf77-4d73-81bd-19cb26b7c7c6/)
* [xyx.jse](https://app.any.run/tasks/baa4f59c-969b-4617-b926-2d41da5e18b0/)
###### Documents: <a name="Documents"></a>
* [link]()