Update Malware analysis.md

StrangerealIntel 2019-09-26 00:36:00 +02:00 committed by GitHub
parent 43e2d635e4
commit c875b50226
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -114,12 +114,12 @@
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/res.png "")
###### This rest possible to findable this in the cache.This can give a probable conclusion that Iran will be aware about the Donot operation against, or Nepal is aware about it.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/back.png "")
###### This offers an idea when the group have found and reedit the pdf to word document for weaponizing it as opportunity to exploit.
###### This offers an idea when the group have found and reedit the pdf to word document for weaponizing it as opportunity to exploit. This is interesting to note this that the group will limit as domains known rather than novelty, it would have been possible to edit the pdf with a JavaScript shellcode for the same result.
###### This can note that a group in the Donot organization is charged to collect the opportunities to exploit. We can note too that the group reuse old operations and samples for theirs operations.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/op.png "")
## Cyber kill chain <a name="Cyber-kill-chain"></a>
###### The process graph resume all the cyber kill chains used by the attacker.
###### The process graphs resume all the cyber kill chains used by the attacker. We can note that in majority of time, this use RTF exploits as downloader and execution methods.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/cyber.png "")
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
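Review bot: the sentence appended to the rewritten line "This offers an idea when the group have found and reedit the pdf..." is hard to parse ("This is interesting to note this that the group will limit as domains known rather than novelty"); suggest rewording it to something like "It is interesting to note that the group limits itself to known techniques rather than novelty: it would have been possible to edit the PDF with a JavaScript shellcode for the same result." The same applies to the rewritten kill-chain line "We can note that in majority of time, this use RTF exploits as downloader and execution methods", which reads better as "We can note that, most of the time, the group uses RTF exploits as its downloader and execution method." Both rewrites keep the author's claims unchanged and only fix grammar.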
@ -127,9 +127,12 @@
|Enterprise tactics|Technics used|Ref URL|
| :---------------: |:-------------| :------------- |
||||
||||
||||
|Discovery|Query Registry|https://attack.mitre.org/techniques/T1012/|
|Execution|Command-Line Interface<br>Rundll32<br>Execution through Module Load<br>Exploitation for Client Execution<br>User Execution|https://attack.mitre.org/techniques/T1059/<br>https://attack.mitre.org/techniques/T1085/<br>https://attack.mitre.org/techniques/T1129/<br>https://attack.mitre.org/techniques/T1203/<br>https://attack.mitre.org/techniques/T1204/|
|Lateral Movement|Remote File Copy|https://attack.mitre.org/techniques/T1105/|
|Persistence|Registry Run Keys / Startup Folder|https://attack.mitre.org/techniques/T1060/|
|Defense Evasion|Rundll32|https://attack.mitre.org/techniques/T1085/|
## Indicators Of Compromise (IOC) <a name="IOC"></a>
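Review bot: the three empty rows `||||` added under the table header will render as blank rows in the MITRE ATT&CK table; either fill them with the tactic, technique and reference URL they were meant to hold or drop them before merging. While touching this table, the header cell "Technics used" should read "Techniques used" to match ATT&CK terminology, and note that T1085 (Rundll32) is listed under both Execution and Defense Evasion, which matches the ATT&CK mapping at the time and is fine to keep.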
@ -215,6 +218,8 @@
* [A1719.docx](https://app.any.run/tasks/524aff0c-2f82-4f03-8ad0-16928adcf1f2)
* [INGOs Spending on Rohingyas.doc](https://app.any.run/tasks/411a27d8-9b47-4f87-bd06-35d813ab1457)
* [Scan0012.docx](https://app.any.run/tasks/f3397ba6-f8a0-46c5-b40f-f91bdfddc5db)
* [wine.exe](https://app.any.run/tasks/aeb75861-d2bc-4a2c-863f-6ec10f758abf)
###### Opendir:
* [SecurityM Opendir](https://app.any.run/tasks/793250a3-e767-47a8-9042-fce7c89a0471)
* [ScanSecurity Opendir](https://app.any.run/tasks/ae0325de-4aa2-40f0-8b17-1ca540cf2b9f)
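Review bot: the new "Opendir:" entries link to any.run task pages, not to the open directories themselves, so a reader cannot tell from the IOC section what was found there; add a short line under the heading stating that these are sandbox captures of the open directories and, if the report already has them, which samples or hosts they correspond to, so the IOC list stays self-explanatory. The `######` heading level used for the "Opendir:" label is consistent with how the rest of this file labels sub-lists, so that part is fine.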