Update Malware analysis 26-08-19.md

This commit is contained in:
StrangerealIntel 2019-09-05 01:46:16 +02:00 committed by GitHub
parent 80ced95314
commit cbf448ddbd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -5,6 +5,10 @@
+ [Loader](#loader)
+ [JS Backdoor](#Backdoor)
* [Cyber Threat Intel](#Cyber-Threat-Intel)
+ [Origin of the method for the JS Backdoor](#Backdoor)
+ [A army in perdition, an difficult situation](#Army)
+ [A war of misinformation](#War)
+ [The drone attack, a result of the information campaign ?](#Result)
* [Indicators Of Compromise (IOC)](#IOC)
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
* [Links](#Links)
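Review bot: the new TOC entry `+ [Origin of the method for the JS Backdoor](#Backdoor)` reuses the `#Backdoor` anchor that the existing `+ [JS Backdoor](#Backdoor)` entry already points at, so both links resolve to whichever `<a name="Backdoor">` comes first in the rendered page and one of the two sections becomes unreachable from the TOC. Give the CTI subsection its own anchor name (for example `#Origin`) and use the same name in the heading's `<a name=...>` further down. Also, the entry `A army in perdition, an difficult situation` should read `An army in perdition, a difficult situation`, and `the information campaign ?` should have no space before the question mark.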
@ -88,15 +92,15 @@
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/cyber.PNG "")
## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>
### Origin of the method for the JS Backdoor
### Origin of the method for the JS Backdoor <a name="Backdoor"></a>
###### Firstly, the method for load the JS Backdoor is edited from a post published in 2015 on a forum for show a method for the both architecture for the development of a worm.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/Post.PNG "")
###### We can see that the name of the instance is changed and the html tags are removed.If we add the notes from the malware analysis, we can conclude that the malware has been edited in emergency.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/matchcode.PNG "")
### A army in perdition, an difficult situation
###### Since the last decade, the inexperience of the army on military issues, rigid doctrine, misunderstanding of the adversary, over-reliance on air and all-technological operations, loss of skills in the IDF, hesitations of unit commanders, the belief - erroneous - that the Israeli population would not accept the possible losses, a reorganized but deficient logistics, the non-mastery of communication. If we add the Syria situation and result of the confrontation in 2006 who have add new enemies against Israel, this creates a difficult situation for these leaders.
### A army in perdition, an difficult situation <a name="Army"></a>
###### Since the last decade, the inexperience of the army on military issues, rigid doctrine, misunderstanding of the adversary, over-reliance on air and all-technological operations, loss of skills in the IDF, hesitations of unit commanders, the belief - erroneous - that the Israeli population would not accept the possible losses, a reorganized but deficient logistics, the non-mastery of communication. If we add the Syria situation and the result of the confrontation in 2006 who have add new enemies against Israel, this creates a difficult situation for these leaders.
###### Recently, during the election period, each action or precious opportunity can be used for that purpose or to develop a doctrine such as the creation of housing in the colonies.
### A war of misinformation
### A war of misinformation <a name="War"></a>
###### Like all recent conflicts, communication networks are used to send false news and propaganda or to create it because people can not understand the situation. For example, recently, we could hear that a false evacuation of wounded was launched against Hezbollah for pushing to stop firing, but that is to ignore, guerrilla warfare and the outcome of recent conflicts where it isn't about rockets that destroyed military equipment, but Israeli forces that sabotaged their own equipment by the fear of new recruits and lack of experience. In the same vein, fear of rocket fire on a city can't be realistic, Hezbollah given the priority to garrisons of the border army, infrastructure that a better choice due this have the capacities to destroying the guerilla, this argument is only valid in Israel to prepare the people for the possibilities of declaring war.
###### In this way, some images were sent in both sides to use this factor as propaganda vector. For example, an image taken with a drone from the netanyahu window was published on social media at for purposes of spreading retaliatory capabilities. If we see the picture with the naked eye, we can see that the shadow of the drone is not indicated in the wall inside the room, the facade is a decoration, false coordinates and the blur apply to the entire photo.
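Review bot: the heading `### Origin of the method for the JS Backdoor <a name="Backdoor"></a>` introduces a second `name="Backdoor"` anchor into the document (the malware-analysis JS Backdoor section is linked from the TOC with the same name), which is invalid HTML (duplicate ids/names) and makes the TOC link ambiguous; rename this one to match a distinct TOC target such as `<a name="Origin"></a>`. The `#Army` and `#War` anchors added here do match the new TOC entries, but the heading text `A army in perdition, an difficult situation` is carried over unchanged and should become `An army in perdition, a difficult situation` in both the heading and the TOC. The wording fix in the body (`and the result of the confrontation in 2006`) is fine; the remainder of that sentence (`who have add new enemies`) should read `which has added new enemies` while this paragraph is being touched.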
@ -108,7 +112,7 @@
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/EDOYGWjWsAAsfM1.jpg%20large.jpg "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/3fb1c19ecfe9c11d779b8dae397cd781b64c56ef.21349-ela.png "")
###### Recently, in the same way for develop the feeling of fear, Israel government have claimed that Iran build precision missiles, this rest to prove it but the scheme of reflexion is the same, a war of fear and misinformation.
### The drone attack, a result of the information campaign ?
### The drone attack, a result of the information campaign ? <a name="Result"></a>
###### We have got confirmation that the drones used for the operation are trapped with explosives for explode at the moment that the enemies recovers it, that indicate that the Israel know that in these regions the enemies is present and valuable targets can be attainable. In addition of this and the date of submission, this sample has been used in a campaign of profiling. In the submissions, we can observe some samples matching this own sample.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Israel/APT/Unknown/26-08-19/Images/parents.png "")
###### The informations of the sandbox show the similarities in the structure of the URL and C2 and the aba, dyndns domains.
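Review bot: the `#Result` anchor added to `### The drone attack, a result of the information campaign ? <a name="Result"></a>` matches the new TOC entry, but the heading keeps the space before `?`; drop it in both places so the link text and heading stay consistent. Since this heading is being edited anyway, the unchanged context line `The informations of the sandbox show the similarities in the structure of the URL and C2 and the aba, dyndns domains.` would be clearer as `The sandbox information shows similarities in the URL structure, the C2, and the aba/dyndns domains`, and `trapped with explosives for explode at the moment that the enemies recovers it` as `rigged with explosives that detonate when the enemy recovers them`.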