Update Malware analysis 25-08-19.md

2019-08-25 22:42:51 +02:00 · 2019-08-25 22:42:51 +02:00 · d64ceeddeb
commit d64ceeddeb
parent e0f503a4a1
1 changed files with 4 additions and 2 deletions
--- a/Pakistan/APT/Gorgon/23-08-19/Malware
+++ b/Pakistan/APT/Gorgon/23-08-19/Malware
@ -41,11 +41,13 @@
 ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/tab.PNG "")
 ###### After this replace the caracters %_ by 0x with the replace function for get a valid array of hex bytes and execute it in memory.
 ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/layer2tab.PNG "")
-
 ###### The dll is protected with the ConfuserEx (1.0.0.0) protector, we can see the escaped caracters and the reference module.
 ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/confuserExref.png "")
 ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/confStrings.png "")
-
+###### Once the protection removed, we can see the functions used by the dll.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/unpack.png "")
+###### The run method get the payload string push by the second PE and execute it.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/run.png "")
 ## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
 ###### List of all the references with MITRE ATT&CK Matrix