Update Malware analysis.md

This commit is contained in:
StrangerealIntel 2019-09-25 11:21:15 +02:00 committed by GitHub
parent befce226dc
commit e664fbcdcd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -57,6 +57,9 @@
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Hijack.png "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/connect.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/WriteFile.PNG "")
###### This send the informations collected to the C2, by parts in base 64 (Here on template sandbox). If the upload works this send a reply in base 64 (T0s= -> OK).
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/netWine.png "")
###### We can confirm that Backdoor.Win32.Mocker with a custom tag "WankyCat".
### pk_17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc <a name="malware4"></a>
###### This continues to use Template injection and to push the persistence by Start Menu.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/inj.PNG "")
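Review bot: the two new caption lines in this hunk need grammar fixes, and the second one is missing its verb. `###### This send the informations collected to the C2, by parts in base 64 (Here on template sandbox). If the upload works this send a reply in base 64 (T0s= -> OK).` should read `###### This sends the collected information to the C2 in base64 chunks (here on a sandbox template). If the upload succeeds, the C2 replies in base64 (T0s= -> OK).`, and `###### We can confirm that Backdoor.Win32.Mocker with a custom tag "WankyCat".` should read `###### We can confirm that this is Backdoor.Win32.Mocker with a custom tag "WankyCat".`. Also check the image path: `netWine.png` is referenced under `Images/` while every other screenshot in this section lives under `Images/3/`; if the file was uploaded to the subfolder, the link will 404.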
@ -147,6 +150,7 @@
|C:\Windows\Tasks\A64.dll|894bd1b82b451fd08d8ac3a3d4e8e248bbc1c153c557aebdfeaa7e1ffafef4d6|
|C:\Windows\Tasks\Serviceflow.exe|ecbaac40bd504defe4f5eaba468e53de10e99f4dca5d05790d26e3ee4e5ce37f|
|C:\Windows\Tasks\sinter.exe|6584b9e3849142d9c479ca58a0098636b556220e76b1ae1376f56dbdb80feb56|
|C:\ProgramData\AudioDriver64\Olmapi32.dll|bc362886422771ee4059284095c49da865ffaf73d2dbb1de3cf5f2ace568617d|
|EFILE|b64691a3fff3b17eb1a169180f470bf1ea36c7793fe36e93ba8aad55fe4a5a83|
|DFILE|746b2a03a6413f97b66fc96c3e12204488f13f0c4b2255bee427b54291a9a639|
|DFILE-|ddc7d7cdc8ceb6a9c5cc776ccd7916cd4c16612aa54c5e0a9827303c6ab38eef|
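Review bot: the new row `|DFILE-|ddc7d7cdc8...|` names the artifact `DFILE-` with a trailing hyphen, directly under an existing `DFILE` row with a different hash; if the dash is meant to mark a second variant of the same dropped file, say so (for example `DFILE (variant 2)`), otherwise it reads as a typo and anyone matching on the name will miss it. The `EFILE`/`DFILE` rows also lack the full on-disk path that the other rows in this table give (`C:\Windows\Tasks\...`), so consider adding where these are written.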
@ -188,6 +192,7 @@
|hxxp[:]//mscheck.icu/SecurityScan/XLSS|HTTP/HTTPS requests|
|hxxp[:]//sdn.host/MicrosoftSecurityScan/11MVEM1X|HTTP/HTTPS requests|
|hxxp[:]//sdn.host/MicrosoftSecurityScan/FRSI080222F|HTTP/HTTPS requests|
|hxxp[:]//account-support.site/supp/accsite/cod.php|HTTP/HTTPS requests|
|support.worldupdate.live|Doamin C2|
|account-support.site|Doamin C2|
|skillsnew.top|Doamin C2|
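Review bot: the type column misspells "Domain" as "Doamin" on all three domain rows (`|support.worldupdate.live|Doamin C2|`, `|account-support.site|Doamin C2|`, `|skillsnew.top|Doamin C2|`); since this hunk touches that block, fix the new row and the two existing ones together, as a consistent type label matters when the table is parsed into the JSON export. Also, the URL rows are defanged (`hxxp[:]//...`) while the domain rows are not; pick one convention so `account-support.site`, which appears in both forms, is handled the same way.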
@ -196,6 +201,7 @@
|46.105.40.12|IP C2|
|82.196.7.221|IP C2|
|37.139.28.208|IP C2|
###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/IOC_Donot_25-09-19.json)
## Links <a name="Links"></a>
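Review bot: this hunk adds IoC rows above but the export link still points at the dated file `IOC_Donot_25-09-19.json`; confirm that file was regenerated to include the new entries (the `account-support.site` URL and domain, the `DFILE-` hash), otherwise the tables and the JSON diverge. The sentence `###### This can be exported as JSON format [Export in JSON](...)` would read better as `###### These IOCs are also available as JSON: [Export in JSON](...)`.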