From b15825bc68b8d5aa4999b59adcd1bfaba45ead3b Mon Sep 17 00:00:00 2001 From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com> Date: Wed, 16 Oct 2019 14:26:03 +0200 Subject: [PATCH] Create Analysis.md --- .../FIN7/16-10-19/Analysis.md | 50 +++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 Russia/Cybercriminal group/FIN7/16-10-19/Analysis.md diff --git a/Russia/Cybercriminal group/FIN7/16-10-19/Analysis.md b/Russia/Cybercriminal group/FIN7/16-10-19/Analysis.md new file mode 100644 index 0000000..8f5e366 --- /dev/null +++ b/Russia/Cybercriminal group/FIN7/16-10-19/Analysis.md 
@@ -0,0 +1,50 @@ +# The campaign of FIN7 group continue +## Table of Contents +* [Malware analysis](#Malware-analysis) +* [Cyber kill chain](#Cyber-kill-chain) +* [Indicators Of Compromise (IOC)](#IOC) +* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK) +* [Links](#Links) + + [Originals Tweets](#Original-Tweet) + + [Link Anyrun](#Links-Anyrun) + + [Documents](#Documents) +## Malware analysis + +## Cyber kill chain +###### The process graphs resume all the cyber kill chains used by the attacker. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/Cybercriminal%20group/FIN7/16-10-19/Pictures/CyberKill.png) + +## Indicators Of Compromise (IOC) +###### List of all the Indicators Of Compromise (IOC) + +|Indicator|Description| +| ------------- |:-------------| +|order.xlsb|2ba6709be053eb456c7fbe0c7e19196fefc7fe93afaea1e008c417aa6faeeeb3| +|umyhpakixg.txt|980b6ec3e3fc3d25af8273e8c85142c551875a472cc900e427b9c4cb87e59d39| +|e5ac4108d02499fbdb8e04aa8c42c3dd40cc6be02b4ceb12145075c8bd32b790.xls|e5ac4108d02499fbdb8e04aa8c42c3dd40cc6be02b4ceb12145075c8bd32b790| +|moviedvdpower.com|Domain requested| +|31.3.232.105|IP requested| +|185.231.153.21|IP C2| + +###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/Cybercriminal%20group/FIN7/16-10-19/IOC-FIN7-16-10-19.json) + +## References MITRE ATT&CK Matrix +###### List of all the references with MITRE ATT&CK Matrix + +|Enterprise tactics|Technics used|Ref URL| +| :---------------: |:-------------| :------------- | +|Defense Evasion|Scripting|https://attack.mitre.org/techniques/T1064/| +|Execution|Scripting|https://attack.mitre.org/techniques/T1064/| +|Defense Evasion|Install Root Certificate|https://attack.mitre.org/techniques/T1130/| +|Discovery|Query Registry|https://attack.mitre.org/techniques/T1012/| + +## Links +###### Original tweet: +* 
[https://twitter.com/Rmy_Reserve/status/1184142117284667393](https://twitter.com/Rmy_Reserve/status/1184142117284667393) +###### Links Anyrun: +* [e5ac4108d02499fbdb8e04aa8c42c3dd40cc6be02b4ceb12145075c8bd32b790.xls](https://app.any.run/tasks/f2454e33-3d31-48a4-b49a-1b5c50eb7182) +* [order.xlsb](https://app.any.run/tasks/43371f0f-35d0-4d1d-a0f3-4c8e41cd31c8) +###### Documents: +* [FIN7.5: the infamous cybercrime rig “FIN7” continues its activities](https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/) +* [Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques](https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html) +
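Review bot: the `## Malware analysis` section in this hunk is empty, so the file ships a kill-chain graph, an IOC list and three MITRE mappings (T1064, T1130, T1012) with no analysis explaining how the `order.xlsb` and `.xls` maldocs actually exhibit those techniques; either add the write-up under that heading or drop the heading until it exists. Two smaller points in the same hunk: the table-of-contents anchors `#IOC` and `#Ref-MITRE-ATTACK` do not match the headings they point to (GitHub derives the anchor from the heading text, which gives `#indicators-of-compromise-ioc` and `#references-mitre-attck-matrix`), and the IOC table's `Description` column holds a SHA-256 for the three file rows but free text (`Domain requested`, `IP requested`, `IP C2`) for the others, so nothing tells the reader that the first three values are hashes; a dedicated `SHA-256` column, or `SHA-256: ...` in the description, would make the table and the linked JSON export unambiguous. Minor wording: `Technics used` should read `Techniques used`, and the title `The campaign of FIN7 group continue` should read `continues`.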