Update Analysis_29-09-2019.md

This commit is contained in:
StrangerealIntel 2019-10-01 10:14:03 +02:00 committed by GitHub
parent 34fa4d00fa
commit d432be8e86
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -92,7 +92,23 @@
|kill-process|Kill a specific process (by taskkill)|
|Sleep|Hibernate process via a duration chosen by the attacker|
###### A new sample have been spotted (17 September), this gives a period of 2 months between the two versions. The group seems focus the phishing campaign on the general common topics (Bank, suppliers, service provider...), not specific sectors and only as financial goals.
###### A new sample have been spotted (17 September), this gives a period of 2 months between the two versions but, this seems be an edited version or code reuse by a different group for many reasons :
* ###### Different ways and skills to code the script
* ###### Different paths of .pdb
###### List of PDB paths:
|Module|PDB path|
| :---------------: |:-------------|
|RDP module (V2.0)|C:\Users\Android\Documents\Visual Studio 2010\Projects\RDP\RDP\obj\x86\Debug\RDP.pdb|
|Keylogger Module (V2.0)|C:\Users\Android\documents\visual studio 2010\Projects\Keylogger\Keylogger\obj\x86\Debug\Keylogger.pdb|
|Reverse Proxy Module (v2.0)|C:\Users\Android\documents\visual studio 2010\Projects\ReverseProxy\ReverseProxy\obj\x86\Debug\ReverseProxy.pdb|
|RDP module (V1.2)|C:\Users\Android\Documents\Visual Studio 2010\Projects\RDP\RDP\obj\x86\Debug\RDP.pdb|
|Keylogger Module (V1.2)|C:\Users\Android\documents\visual studio 2010\Projects\Keylogger\Keylogger\obj\x86\Debug\Keylogger.pdb|
|Reverse Proxy Module (v1.2)|C:\Users\Android\AppData\Local\Temp\uvfPsywleB\Doctorpol\obj\x86\Debug\Doctorpol.pdb|
###### Whatever, the group(s) seems focus the phishing campaign on the general common topics (Bank, suppliers, service provider...), not specific sectors and only as financial goals.
## Cyber kill chain <a name="Cyber-kill-chain"></a>
###### The process graph resume the cyber kill chain used by the attacker.
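Review bot: the "Different paths of .pdb" reason given for a different group does not match the table that follows it: the RDP and Keylogger PDB paths are identical for V1.2 and V2.0 (same `C:\Users\Android\...\Visual Studio 2010\Projects\...` root, differing only in letter case), and only the Reverse Proxy module changed, from `C:\Users\Android\AppData\Local\Temp\uvfPsywleB\Doctorpol\obj\x86\Debug\Doctorpol.pdb` to a `ReverseProxy` project under the same user profile. Reword the bullet to say only the Reverse Proxy PDB path differs, and note that the shared `Android` user name and Visual Studio 2010 build environment across both versions argue for the same build machine rather than a different group. The line "for many reasons :" lists only two, so either add the other reasons or drop "many"; the old sentence at the first "A new sample have been spotted" line also appears to have survived next to its replacement, so check that the removed line is really gone from the file, and the closing "Whatever, the group(s) seems focus" would read better as "Either way, the group(s) seem to focus".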
@ -140,6 +156,7 @@
|185.194.141.58|IP C2|
|185.247.228.159|IP C2|
###### note: Read "open-rdp|1280x720" instead of "open-rdp/1280x720" due to "|" is used for the table column definition, this fixed on the JSON file.
###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/IOC/IOC_01-10-19.json)
## Links <a name="Links"></a>
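Review bot: the "open-rdp|1280x720" workaround note is unnecessary, since GitHub-flavored markdown accepts an escaped pipe (`\|`) inside a table cell; writing the command as `open-rdp\|1280x720` in the table keeps the rendered value identical to the one in the JSON export, so the reader no longer has to mentally substitute characters. If the note is kept, rewrite it as "note: read "open-rdp|1280x720" instead of "open-rdp/1280x720"; the "|" character is used as the table column separator, so the value is correct only in the JSON file." The export sentence should also read "This can be exported in JSON format" and the link text would be clearer as the file name (IOC_01-10-19.json).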