ch0ic3/CyberThreatIntel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update Malware analysis 25-08-19.md

Browse Source
This commit is contained in:
StrangerealIntel 2019-08-25 22:42:51 +02:00 committed by GitHub
parent e0f503a4a1
commit d64ceeddeb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Pakistan/APT/Gorgon/23-08-19/Malware analysis 25-08-19.md
View File

@ -41,11 +41,13 @@
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/tab.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/tab.PNG "")
###### After this replace the caracters %_ by 0x with the replace function for get a valid array of hex bytes and execute it in memory. ###### After this replace the caracters %_ by 0x with the replace function for get a valid array of hex bytes and execute it in memory.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/layer2tab.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/layer2tab.PNG "")
###### The dll is protected with the ConfuserEx (1.0.0.0) protector, we can see the escaped caracters and the reference module. ###### The dll is protected with the ConfuserEx (1.0.0.0) protector, we can see the escaped caracters and the reference module.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/confuserExref.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/confuserExref.png "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/confStrings.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/confStrings.png "")
###### Once the protection removed, we can see the functions used by the dll.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/unpack.png "")
###### The run method get the payload string push by the second PE and execute it.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/run.png "")
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a> ## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
###### List of all the references with MITRE ATT&CK Matrix ###### List of all the references with MITRE ATT&CK Matrix