From debbce0794a3a0ae83a73088291ee54783cb6464 Mon Sep 17 00:00:00 2001 From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com> Date: Sun, 1 Sep 2019 20:45:45 +0200 Subject: [PATCH] Update Malware analysis 31-08-19.md --- .../27-08-19/Malware analysis 31-08-19.md | 23 ++++++++++--------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md b/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md index 4cb72bb..9dd3530 100644 --- a/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md +++ b/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md 
@@ -16,38 +16,38 @@ ###### Use a document with a remote template injection as initial vector. This request http[:]//maq.com.pk/ for be redirected on the next URL. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/Extref.png "") -###### This second URL (http[:]//maq.com.pk/wehsd) send a RTF exploit. +###### This seconds URL (http[:]//maq.com.pk/wehsd) send an RTF exploit. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/HexRTF.png "") -###### This exploit execute firstly a request by WebDAV and after by WebClient service for download the backdoor on the final address (http[:]//maq.com.pk/wehs) and execute it. +###### This exploit firstly executes a request by WebDAV and after by WebClient service for download the backdoor on the final address (http[:]//maq.com.pk/wehs) and execute it. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/redirect.png "") ###### Here we can see the redirection and the data sended on the victim. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/trace.png "") ### ArtraDownloader ###### In the first, we can see that launch by the factory option for separate the application of the current Explorer instance for avoid if one crashes the other stays alive (C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding). Secondly, we can note encoded string pushed on a function and the result is moved on another registry as storage for be used by the backdoor. 
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/str.png "") -###### In observing this function we can resume by the folowing algorithm used for decode these strings : for each byte of the string -> value of the byte -1 -> get Unicode value -> convert to char. +###### In observing this function we can resume by the following algorithm used for decode these strings : for each byte of the string -> value of the byte -1 -> get Unicode value -> convert to char. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/dec.png "") ###### We can edit a script for decode the encoded string. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/algo.png "") ###### Now we can see the actions did by the malware. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/res.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/decstr.png "") -###### Once this done, we can see on the entrypoint, this use the startupinfo structure to specify window properties, verify the header of the PE and the get the environment values for create the process. The malware is coded in C++ language. +###### Once this done, we can see on the entry point, this uses the startupinfo structure to specify window properties, verify the header of the PE and the get the environment values for create the process. The malware is coded in C++ language. 
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/Entry.png "") -###### We can observe that the malware push the persistence by a Run key in the registry. We can note too that use DOS commands with an environment value ("C:\ProgramData\Ntuser\winlgn.exe") for launch the backdoor. +###### We can observe that the malware pushes the persistence by a Run key in the registry. We can note too that use DOS commands with an environment value ("C:\ProgramData\Ntuser\winlgn.exe") for launch the backdoor. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/persistence.png "") -###### This query the registry for get the version of the OS and proceeds for identify the victim’s machine GUID by the HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid registry key. +###### This query the registry for getting, the version of the OS and proceeds for identifying the victim’s machine GUID by the HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid registry key. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/GetProcname.PNG "") -###### This use too , the EncodePointer function for encoding a specified pointer (encoded pointers can be used to provide another layer of protection for pointer values). +###### This use too, the EncodePointer function for encoding a specified pointer (encoded pointers can be used to provide another layer of protection for pointer values). ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/PointerDATA.png "") -###### After perform the reconnaissance actions, this can send a query as pulse with the informations to the C2, the URL to send is decoded and an additionnal operation give the final URL. 
+###### After performing the reconnaissance actions, this can send a query as pulse with the informations to the C2, the URL to send is decoded and an additional operation give the final URL. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/send.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/query.png "") -###### The data are encoded by the algoritm too, with the script, we can decode the strings and see that the roles and data send to the C2. +###### The data are encoded by the algorithm too, with the script, we can decode the strings and see that the roles and data send to the C2. `SNI=VTFS.QD&UME=Xjoepxt!8!Qspgfttjpobm&OPQ=benjo&IVR=VTFS.QD$$benjoAA11482.572.3314613.96675&st=0` (Here from the Anyrun sandbox) -###### We can resume all the variables used and the type of the informations sended in the C2. +###### We can resume all the variables used and the type of the informations sent in the C2. |Variable|Description| | ------------- |:-------------| @@ -89,8 +89,9 @@ |http[:]//onlinejohnline99.org/kvs06v.php|HTTP/HTTPS requests| |onlinejohnline99.org|Domain C2| |93.123.73.193|IP C2| +|93.123.73.198|IP C2| -###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/IOC_Gorgon_25-08-19.json) +###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/IOC_Bitter_31-08-19.json) ## Links
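Review bot: the first hunk's rewrite of the RTF line introduces a regression: "This seconds URL (http[:]//maq.com.pk/wehsd) send an RTF exploit" replaces the correct "second" with "seconds" and leaves "send" singular; suggest "This second URL (http[:]//maq.com.pk/wehsd) sends an RTF exploit." The same hunk leaves other grammar slips in the `+` lines that the commit set out to fix: "This query the registry for getting, the version of the OS" gains a stray comma (suggest "This queries the registry to get the version of the OS"), "We can note too that use DOS commands" still lacks its subject (suggest "that it uses DOS commands"), and "verify the header of the PE and the get the environment values" keeps the duplicated "the". The decoding description itself is consistent with the sample beacon quoted later in the hunk (each byte minus one turns `VTFS.QD` into `USER-PC` and `Xjoepxt!8!Qspgfttjpobm` into `Windows 7 Professional`), so only the wording needs attention.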
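Review bot: the second hunk adds a new C2 address `|93.123.73.198|IP C2|` to the indicator table but the diffstat shows only the markdown file changed, so the linked JSON export (IOC_Bitter_31-08-19.json) is not updated in the same commit and the table and the export now disagree; suggest adding the address to the JSON file in this patch, or stating in the commit message where the .198 address was observed. Since it differs from the existing `93.123.73.193` entry by a single digit, a line in the write-up noting the source of the second address (sandbox trace, passive DNS, or similar) would also rule out a transcription slip. The link change itself is correct: the `-` line pointed at the Gorgon report's IOC file (`Pakistan/APT/Gorgon/23-08-19/IOC_Gorgon_25-08-19.json`), and the `+` line points at the Bitter file matching this report's path.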