ch0ic3/CyberThreatIntel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update Malware analysis.md

Browse Source
This commit is contained in:
StrangerealIntel 2019-09-23 02:18:05 +02:00 committed by GitHub
parent 03ec0f57f5
commit d9a496e28b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 25 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
Indian/APT/Donot/17-09-19/Malware analysis.md
View File

@ -3,7 +3,8 @@
* [Malware analysis](#Malware-analysis)
+ [86ccedaa93743e83787f53e09e376713.docx](#malware1)
+ [d2263c15dfcccfef16ecf1c1c9304064befddf49cdbbd40abd12513481d7faf7.doc](#malware2)
+ [01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx](#malware3)
+ [01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx](#malware3)
+ [pk_17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc](#malware4)
* [Cyber Threat Intel](#Cyber-Threat-Intel)
* [Indicators Of Compromise (IOC)](#IOC)
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
@ -40,11 +41,28 @@
###### The RTF file download and executed drop the same backdoor.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/2/RTFInfo.png "")
### 01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx <a name="malware3"></a>
###### The next sample use Template injection too for download and executed drop the RTF file.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Inj.PNG "")
###### The RTF file push a persistence with a LNK file, extract the backdoor and execute on another instance of explorer.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/RTFInfo.PNG "")
###### The backdoor use a timer for as anti-sandbox method and check the features.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Main.png "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Anti-sandbox.PNG "")
###### This push in memory the backdoor and check the system informations.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/VirtualProtect.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Infos.PNG "")
###### This have the capacity to hijack the AVAST AV, send the informations and request to the C2 for commands. This can save a file and execute it on the computer.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Hijack.png "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/connect.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/WriteFile.PNG "")
### pk_17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc <a name="malware74"></a>
###### This continue to use Template injection.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/inj.PNG "")
###### The RTF file dropped extract a js file, a dll and an exe file.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/rtfinfos.PNG "")
###### The js file execute the dll and the exe file for bypass the UAC by the UACme tool. The backdoor is the same that the first sample.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/js.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/UAC.PNG "")
## Cyber kill chain <a name="Cyber-kill-chain"></a>
###### The process graph resume the cyber kill chain used by the attacker.
@ -88,4 +106,4 @@
* [SecurityM Opendir](https://app.any.run/tasks/793250a3-e767-47a8-9042-fce7c89a0471)
* [ScanSecurity Opendir](https://app.any.run/tasks/ae0325de-4aa2-40f0-8b17-1ca540cf2b9f)
###### Documents: <a name="Documents"></a>
* [link]()
* [UACme](https://github.com/hfiref0x/UACME)