From c3fbf09032429e0f8ff4f9ba19e6516ac71f114c Mon Sep 17 00:00:00 2001 From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com> Date: Sat, 24 Aug 2019 15:59:09 +0200 Subject: [PATCH] Create Malware analysis 16-08-19.md --- .../16-08-19/Malware analysis 16-08-19.md | 79 +++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 Russia/APT/Gamaredon/16-08-19/Malware analysis 16-08-19.md diff --git a/Russia/APT/Gamaredon/16-08-19/Malware analysis 16-08-19.md b/Russia/APT/Gamaredon/16-08-19/Malware analysis 16-08-19.md new file mode 100644 index 0000000..753cb23 --- /dev/null +++ b/Russia/APT/Gamaredon/16-08-19/Malware analysis 16-08-19.md 
@@ -0,0 +1,79 @@ +# [Update] Malware analysis on Gamaredon APT campaign (06-08-19) +## Table of Contents +* [Malware analysis](#Malware-analysis) + + [Analysis of the TTPs](#Initial-vector) +* [Cyber Threat Intel](#Cyber-Threat-Intel) +* [IOC](#IOC) +* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK) +* [Links](#Links) + + [Original Tweet](#Original-Tweet) + + [Ref previous analysis](#Documents) + + [Link Anyrun](#Links-Anyrun) + +## Malware-analysis +### Analysis of the TTPs +###### Like the last sample analysed, the new samples uses an SFX archive for extract the files and execute the fake document and the payload. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/Images/SFX.png "SFX startup") +###### We can see again the cmd file extracted by the SFX archive. The randomization of the obfuscated strings has been by the algorithm in the archive. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/Images/CMD.PNG "Extraction cmd file") +###### Also this use the function GetCommandLineA for getting a pointer to the command-line string for the current process. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/Images/command.PNG "Commandline function") + +### Cyber kill chain + +###### The process graph resume the cyber kill chain used by the attacker. We can observe that the TTPs are the same. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/Images/cyber.PNG "Cyber kill chain") +## Cyber Threat Intel + +###### Both latest spotted samples have the same C2 hosted in a Russia provider. 
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/Images/IP.png "IP informations") +###### The domain seems don't be registered on list of the domain added. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/Images/query.PNG "Query WHOIS") +###### Like the last sample, this comes at a crisis period between Russia and Ukraine, Ukraine rest the main target of Gamaredon group. +## References MITRE ATT&CK Matrix +###### List of all the references with MITRE ATT&CK Matrix + +|Enterprise tactics|Technics used|Ref URL| +| :---------------: |:-------------| :------------- | +|Execution|T1059 - Starts CMD.EXE for commands execution
T1106 - Execution through API
T1053 - Scheduled Task
T1064 - Scripting|https://attack.mitre.org/techniques/T1059
https://attack.mitre.org/techniques/T1106
https://attack.mitre.org/techniques/T1053
https://attack.mitre.org/techniques/T1064| +|Persistence|T1060 - Registry Run Keys / Startup Folder
T1053 - Scheduled Task|https://attack.mitre.org/techniques/T1060
https://attack.mitre.org/techniques/T1053| +|Privilege Escalation|T1053 - Scheduled Task|https://attack.mitre.org/techniques/T1053| +|Defense Evasion|T1112 - Modify Registry
T1064 - Scripting|https://attack.mitre.org/techniques/T1112
https://attack.mitre.org/techniques/T1064| +|Discovery|T1012 - Query Registry|https://attack.mitre.org/techniques/T1012| + +## Indicators Of Compromise (IOC) + +###### List of all the Indicators Of Compromise (IOC) +| Indicator | Description| +| ------------- |:-------------| +|02013f0c6767eb7f0538510ba6ede0103e797fa7b9bc2733d00e3710702fdf1c.scr|02013f0c6767eb7f0538510ba6ede0103e797fa7b9bc2733d00e3710702fdf1c| +|FDGSKGN.vbs|630c0c86faf828bc4645526ca58b855d1a2db57cca0e406c1d5b7e2de88a1322| +|PowerShellCertificates_C4BA3647.ps1|8f33ce796ee08525d32f5794ebd355914140e43e4b63e09b384dabda93a8b22c| +|9856.txt|a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599| +|176.57.215.22|IP C2| +|http[:]//shell-create.ddns.net/|URL request| +|shell-create.ddns.net|Domain C2| + +###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/06-08-19/IOC_Gamaredon_16-08-19.json) + +## Links + +* Original tweet: https://twitter.com/RedDrip7/status/1161900271477252101 +* Ref previous analysiss: [Gamaradon sample analysis 06-08-19](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Russia/APT/Gamaredon/06-08-19/Malware%20analysis%2006-08-19.md) +* Anyrun Links: + + [1426f88edaf207d2c62422f343209fae](https://app.any.run/tasks/8b718d6a-04c4-44fc-9afd-e0cffd1b626a) + + [a.exe](https://app.any.run/tasks/58d83fbe-36c9-4fad-9e21-9140207b6152) + + + + + + + + + + + + + +
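Review bot: the "Export in JSON" link in this hunk points at the wrong directory: the file added by this commit lives under `Russia/APT/Gamaredon/16-08-19/`, but the link is `.../Gamaredon/06-08-19/IOC_Gamaredon_16-08-19.json`, so the 16-08-19 JSON will not resolve unless it was committed under the 06-08-19 folder; change the path to `.../Gamaredon/16-08-19/IOC_Gamaredon_16-08-19.json` (or add the JSON file in the same commit). Same sort of mismatch in the title, `# [Update] Malware analysis on Gamaredon APT campaign (06-08-19)`, which carries the previous sample's date while the file name and every image URL say 16-08-19; if the date is meant to identify the earlier campaign being updated, say so, otherwise use 16-08-19. The table of contents anchors also do not match the headings they are supposed to reach: `[Analysis of the TTPs](#Initial-vector)`, `[Ref previous analysis](#Documents)`, `[References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)`, `[IOC](#IOC)` and `[Link Anyrun](#Links-Anyrun)` have no corresponding heading text (the IOC section is titled "Indicators Of Compromise (IOC)", and there is no "Initial-vector" or "Documents" heading), and the "Cyber kill chain" section is missing from the list; GitHub generates anchors from the heading text, so either rename the anchors to match or drop the hand-written ones. In the IOC table the header is `| Indicator | Description|` but the first four rows put a SHA256 in the Description column while the last three put a free-text type there; a third column (Indicator | SHA256 | Description, or at least "SHA256" in the cell) would make the table machine-readable and consistent with the JSON export, and the C2 IP `176.57.215.22` should be defanged like the URL next to it (`176.57.215[.]22`). Body paragraphs are written as `######` level-6 headings, which renders as tiny bold text and adds every sentence to the anchor list; plain paragraphs are preferable. Minor: "analysiss", "Gamaradon", "Technics" (Techniques), "The randomization of the obfuscated strings has been by the algorithm" is missing a verb (done by the algorithm?), "The domain seems don't be registered" and "Ukraine rest the main target" need rewording, and the dozen empty `+` lines at the end of the file are trailing whitespace that can be removed.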