Update Analysis_2020-02-08.md

StrangerealIntel 2020-02-13 13:27:58 +01:00 committed by GitHub
parent 1a56a4d06b
commit daac306637
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -16,7 +16,27 @@
<h2>Malware analysis <a name="Malware-analysis"></a></h2>
<h3>The initial vector<a name="Initial"></a></h3>
<h6>The initial vector is an malicious document using a macro. As the first look, we can note some constant variables can be replace and deletefor improvement the reading of the code.</h6>
<h6>The initial vector is an malicious document using a macro. The metadata of the maldoc is particulary interesting due to this prove that the maldoc isn't recently edited and is reused for dropped Neutrino many times.</h6>
<table>
<tr>
<td>Creator</td>
<td>Aga</td>
</tr>
<tr>
<td>Last Modified By</td>
<td>Dell</td>
</tr>
<tr>
<td>Creation Date</td>
<td>2016-04-19 09:21:00</td>
</tr>
<tr>
<td>Modified Date</td>
<td>2016-06-06 11:33:00</td>
</tr>
</table>
<h6>As the first look, we can note some constant variables can be replace and deletefor improvement the reading of the code.</h6>
``` VBA
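Review bot: the added sentence about the metadata ("The metadata of the maldoc is particulary interesting due to this prove that the maldoc isn't recently edited ...") claims more than the Creation Date / Modified Date rows can establish: document properties are stored inside the file and can be set to any value, so the 2016 dates support the reuse hypothesis but do not prove it; suggest "The metadata of the maldoc is interesting: it suggests the document was created in 2016 and has been reused to drop Neutrino several times." The same line also carries over the typos of the line it replaces ("an malicious", "particulary"), and the re-added "As the first look ..." line still reads "can be replace and deletefor improvement the reading of the code"; suggest "At first glance, some constant variables can be replaced or removed to make the code easier to read." The new metadata table has no header row; a `<tr><th>Property</th><th>Value</th></tr>` would make it consistent with the Indicator/Description tables later in the file.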
@ -383,17 +403,44 @@ Path: C:\Users\admin\AppData\Roaming\Z0BAZwxx\{Filename}
|Indicator|Description|
| ------------- |:-------------:|
|c4ad847c748521baaa76de1d2fbadd9c6f4801f2f3da72f75735c1262b92af3c|impor.doc|
|c0355c2a7241cb9f764297cf4e7e758116c82db35f909cf18091ec2085fe23ce|jevgr.exe|
|nurofenpanadol.su|Domain C2|
|ns.dotbit.me|Domain C2|
|alors.deepdns.cryptostorm.net|Domain C2|
|onyx.deepdns.cryptostorm.net|Domain C2|
|ns1.any.dns.d0wn.biz|Domain C2|
|ns1.random.dns.d0wn.biz|Domain C2|
|ns2.random.dns.d0wn.biz|Domain C2|
|civet.ziphaze.com|Domain C2|
|anyone.dnsrec.meo.ws|Domain C2|
|ist.fellig.org|Domain C2|
|ns1.sg.dns.d0wn.biz|Domain C2|
|ns2.fr.dns.d0wn.biz|Domain C2|
|ns1.nl.dns.d0wn.biz|Domain C2|
|178.17.170.133|IP C2|
|107.161.16.236|IP C2|
|46.254.21.69|IP C2|
|185.14.29.140|IP C2|
|37.187.0.40|IP C2|
|178.63.145.236|IP C2|
|95.85.9.86|IP C2|
|128.199.248.105|IP C2|
<h6> The IOC can be exported in <a href="">JSON</a></h6>
<h6> The IOC can be exported in <a href="https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Neutrino/Json/IOC.json">JSON</a></h6>
<h2> References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a></h2>
|Enterprise tactics|Technics used|Ref URL|
| :---------------: |:-------------| :------------- |
|Execution|Command-Line Interface<br>Execution through API<br>User Execution|https://attack.mitre.org/techniques/T1059/<br>https://attack.mitre.org/techniques/T1106/<br>https://attack.mitre.org/techniques/T1204/|
|Persistence|Registry Run Keys / Startup Folder|https://attack.mitre.org/techniques/T1060/|
|Defense Evasion|Disabling Security Tools|https://attack.mitre.org/techniques/T1089/|
|Discovery|Query Registry<br>System Information Discovery|https://attack.mitre.org/techniques/T1012/<br>https://attack.mitre.org/techniques/T1082/|
<h6> This can be exported as JSON format <a href=""></a></h6>
<h6> This can be exported as JSON format <a href="https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Neutrino/Json/TTPs.json"></a></h6>
<h2>Yara Rules<a name="Yara"></a></h2>
<h6> YARA Rules are available <a href="">here</a></h6>
<h6> YARA Rules are available <a href="https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Neutrino/Yara/Yara_Neutrino.yar">here</a></h6>
<h2>Links <a name="Links"></a></h2>
<h6> Original tweet: </h6><a name="tweet"></a>
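Review bot: the new TTPs link, `<h6> This can be exported as JSON format <a href="https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Neutrino/Json/TTPs.json"></a></h6>`, has an empty anchor body, so nothing is rendered as clickable; give it link text such as `<a href="...">JSON</a>`, matching the IOC and YARA lines in the same hunk. In the indicator table, most rows labelled "Domain C2" are named like name servers (`ns.dotbit.me`, `ns1.sg.dns.d0wn.biz`, `alors.deepdns.cryptostorm.net`); if the sample contacts them to resolve its C2 rather than as C2 hosts themselves, a distinct label such as "DNS resolver" would keep the IOC list from producing false positives when these hostnames are blocked or alerted on.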