Update Malware analysis.md
This commit is contained in:
StrangerealIntel
GitHub
parent
b1ad533826
commit
b78fa16c9b
@ -8,6 +8,7 @@
|
||||
+ [A1719.docx, INGOs Spending on Rohingyas.doc, Scan0012.docx](#malware5)
|
||||
* [Cyber Threat Intel](#Cyber-Threat-Intel)
|
||||
+ [Opendir analysis](#opendir)
|
||||
+ [Victimology](#Victimology)
|
||||
* [Indicators Of Compromise (IOC)](#IOC)
|
||||
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
|
||||
* [Links](#Links)
|
||||
@ -17,21 +18,21 @@
|
||||
|
||||
## Malware analysis <a name="Malware-analysis"></a>
|
||||
### 86ccedaa93743e83787f53e09e376713.docx <a name="malware1"></a>
|
||||
###### The first sample of the campaign is a maldoc file using cve-2017-0199 (Template injection) for request and executed the next stage of the infection.
|
||||
###### The first sample of the campaign is a maldoc file using cve-2017-0199 (Template injection) for requests and executed the next stage of the infection.
|
||||
|
||||
###### This use RTF file with the cve-2018-0802 for execute embedded excel object by the CLSID of the Excel COM object.
|
||||
|
||||
|
||||
###### This extract and execute the zip archive from the RTF file.
|
||||
|
||||
###### On the backdoor, we can see that can push an environnement variable and create the "Mknyh" Mutex.
|
||||
###### On the backdoor, we can see that can push an environment variable and create the "Mknyh" Mutex.
|
||||
|
||||
|
||||
###### After perform this, this install the let's encrypt certificate and collect the informations about the system and send it in the C2.
|
||||
###### After performing the action, this install the let's encrypt certificate and collect the informations about the system and send it in the C2.
|
||||
|
||||
|
||||
|
||||
###### This collect the list of disks and the types of this.
|
||||
###### This collects the list of disks and the types of this.
|
||||
|
||||
###### This can save and execute a stream from the C2.
|
||||
|
||||
@ -40,29 +41,29 @@
|
||||
### d2263c15dfcccfef16ecf1c1c9304064befddf49cdbbd40abd12513481d7faf7.doc <a name="malware2"></a>
|
||||
###### The second samples use the same TTPs and use Template injection.
|
||||
|
||||
###### The RTF file download and executed drop the same backdoor.
|
||||
###### The RTF file download and executed to drop the same backdoor.
|
||||
|
||||
### 01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx <a name="malware3"></a>
|
||||
###### The next sample use Template injection too for download and executed drop the RTF file.
|
||||
###### The next sample uses Template injection too for download and executed to drop the RTF file.
|
||||
|
||||
###### The RTF file push a persistence with a LNK file, extract the backdoor and execute on another instance of explorer.
|
||||
###### The RTF file pushes a persistence with an LNK file, extracts the backdoor and executes on another instance of explorer.
|
||||
|
||||
###### The backdoor use a timer for as anti-sandbox method and check the features.
|
||||
###### The backdoor uses a timer for as anti-sandbox method and check the features.
|
||||
|
||||
|
||||
###### This push in memory the backdoor and check the system informations.
|
||||
|
||||
|
||||
###### This have the capacity to hijack the AVAST AV, send the informations and request to the C2 for commands. This can save a file and execute it on the computer.
|
||||
###### This has the capacity to hijack the AVAST AV, send the informations and request to the C2 for commands. This can save a file and execute it on the computer.
|
||||
|
||||
|
||||
|
||||
### pk_17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc <a name="malware4"></a>
|
||||
###### This continue to use Template injection.
|
||||
###### This continues to use Template injection.
|
||||
|
||||
###### The RTF file dropped extract a js file, a dll and an exe file.
|
||||
|
||||
###### The js file execute the dll and the exe file for bypass the UAC by the UACme tool. The backdoor is the same that the first sample.
|
||||
###### The js file executes the dll and the exe file for bypass the UAC by the UACme tool. The backdoor is the same that the first sample.
|
||||
|
||||
|
||||
### A1719.docx, INGOs Spending on Rohingyas.doc, Scan0012.docx <a name="malware5"></a>
|
||||
@ -72,7 +73,7 @@
|
||||
|
||||
## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>
|
||||
### Opendir analysis <a name="opendir"></a>
|
||||
###### We can note that the server are main hosted by DigitalOcean cloud provider.
|
||||
###### We can note that the server is main hosted by DigitalOcean cloud provider.
|
||||
|IP|URL|Opendir|ASN|Organization|Route|Coordinates|Country|
|
||||
| :---------------: | :--------------- | :---------------: | :---------------: | :---------------: | :---------------: | :---------------: |:---------------: |
|
||||
|178.62.188.63|hxxp[:]//en-content.com/SecurityM/EFILE|Yes|AS14061|DigitalOcean Amsterdam|178.62.128.0/18|52.3740,4.8897|Netherlands|
|
||||
@ -100,11 +101,24 @@
|
||||
|178.62.186.233|hxxp[:]//bsodsupport.icu/ScanSecurity/|DOCS<br>DOCSN<br>DOCSN-1<br>XLSS<br>XLSSN<br>XLSSN-1|2019-08-16 08:17<br>2019-08-27 07:03<br>2019-08-22 08:52<br>2019-08-16 08:26<br>2019-08-28 06:39<br>2019-08-22 08:59|1.1M<br>1.1M<br>1.7M<br>697K<br>685K<br>885K|
|
||||
###### We can confirm that the campaign have begin early August 2019 and reuse old tools.
|
||||
|
||||
### Victimology <a name="Victimology"></a>
|
||||
###### The victimology is based only on the actual enemies of India since the early August and focus on China (reconciliation with Greece) for help Pakistan in Kashmir crisis, Pakistan (Kashmir crisis), Iran (telecom directory) possible allied for Pakistan, same thing for Saudi Arabia.
|
||||
###### We can see a transfer order for Chinese people in Greek.
|
||||
|
||||
###### But the more interesting rest the Iran number directory, we can see that originally available on the Ministry of Foreign Affairs in Nepal.
|
||||
|
||||
|
||||
###### Now, we can observe that the content is removed from the website.
|
||||
|
||||
###### This rest possible to findable this in the cache.This can give a probable conclusion that Iran will be aware about the Donot operation against, or Nepal is aware about it.
|
||||
|
||||
###### This offers an idea when the group have found and reedit the pdf to word document for weaponizing it as opportunity to exploit.
|
||||
###### This can note that a group in the Donot organization is charged to collect the opportunities to exploit. We can note too that the group reuse old operations and samples for theirs operations.
|
||||
|
||||
|
||||
## Cyber kill chain <a name="Cyber-kill-chain"></a>
|
||||
###### The process graph resume the cyber kill chain used by the attacker.
|
||||
![alt text]()
|
||||
|
||||
###### The process graph resume all the cyber kill chains used by the attacker.
|
||||
|
||||
|
||||
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
|
||||
###### List of all the references with MITRE ATT&CK Matrix
|
||||
|
||||
Loading…
Reference in New Issue
Block a user