From e664fbcdcd4b454f03e34cbb6dfcc3eb495251dd Mon Sep 17 00:00:00 2001
From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com>
Date: Wed, 25 Sep 2019 11:21:15 +0200
Subject: [PATCH] Update Malware analysis.md
---
Indian/APT/Donot/17-09-19/Malware analysis.md | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/Indian/APT/Donot/17-09-19/Malware analysis.md b/Indian/APT/Donot/17-09-19/Malware analysis.md
index 6a258be..99e43a8 100644
--- a/Indian/APT/Donot/17-09-19/Malware analysis.md
+++ b/Indian/APT/Donot/17-09-19/Malware analysis.md
@@ -57,6 +57,9 @@
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Hijack.png "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/connect.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/WriteFile.PNG "")
+###### This send the informations collected to the C2, by parts in base 64 (Here on template sandbox). If the upload works this send a reply in base 64 (T0s= -> OK).
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/netWine.png "")
+###### We can confirm that Backdoor.Win32.Mocker with a custom tag "WankyCat".
### pk_17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc
###### This continues to use Template injection and to push the persistence by Start Menu.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/inj.PNG "")
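Review bot: the second added line is not a complete sentence: `###### We can confirm that Backdoor.Win32.Mocker with a custom tag "WankyCat".` has no verb after "that", so it should state what is confirmed, for example "We can confirm that this is Backdoor.Win32.Mocker with a custom tag "WankyCat"". The first added line needs the same kind of fix ("This sends the information collected to the C2 in parts, base64-encoded ... If the upload works, the C2 replies in base64 (T0s= -> OK)"), and "Here on template sandbox" is unclear: say which sandbox or template the screenshot was taken in. The decoding itself is right, base64 `T0s=` is the ASCII string "OK". Finally, the new screenshot is referenced as `Images/netWine.png` while every other image in this hunk lives under `Images/3/`; check that path is intentional, otherwise the image will render broken.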
@@ -147,6 +150,7 @@
|C:\Windows\Tasks\A64.dll|894bd1b82b451fd08d8ac3a3d4e8e248bbc1c153c557aebdfeaa7e1ffafef4d6|
|C:\Windows\Tasks\Serviceflow.exe|ecbaac40bd504defe4f5eaba468e53de10e99f4dca5d05790d26e3ee4e5ce37f|
|C:\Windows\Tasks\sinter.exe|6584b9e3849142d9c479ca58a0098636b556220e76b1ae1376f56dbdb80feb56|
+|C:\ProgramData\AudioDriver64\Olmapi32.dll|bc362886422771ee4059284095c49da865ffaf73d2dbb1de3cf5f2ace568617d|
|EFILE|b64691a3fff3b17eb1a169180f470bf1ea36c7793fe36e93ba8aad55fe4a5a83|
|DFILE|746b2a03a6413f97b66fc96c3e12204488f13f0c4b2255bee427b54291a9a639|
|DFILE-|ddc7d7cdc8ceb6a9c5cc776ccd7916cd4c16612aa54c5e0a9827303c6ab38eef|
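Review bot: the new row `|C:\ProgramData\AudioDriver64\Olmapi32.dll|bc362886...|` carries a 64-character hex value, consistent with the SHA-256 hashes in the neighbouring rows, but it is inserted between the `C:\Windows\Tasks\` entries and the `EFILE`/`DFILE` rows rather than kept with the other full file paths; consider ordering it with the path-based entries, and make sure the analysis body says which sample drops `Olmapi32.dll` under `C:\ProgramData\AudioDriver64\`, since the table row alone does not tie the file to a stage of the infection chain.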
@@ -188,6 +192,7 @@
|hxxp[:]//mscheck.icu/SecurityScan/XLSS|HTTP/HTTPS requests|
|hxxp[:]//sdn.host/MicrosoftSecurityScan/11MVEM1X|HTTP/HTTPS requests|
|hxxp[:]//sdn.host/MicrosoftSecurityScan/FRSI080222F|HTTP/HTTPS requests|
+|hxxp[:]//account-support.site/supp/accsite/cod.php|HTTP/HTTPS requests|
|support.worldupdate.live|Doamin C2|
|account-support.site|Doamin C2|
|skillsnew.top|Doamin C2|
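Review bot: the unchanged rows directly below the added URL, `|support.worldupdate.live|Doamin C2|`, `|account-support.site|Doamin C2|` and `|skillsnew.top|Doamin C2|`, all misspell the type column as "Doamin"; since the new `hxxp[:]//account-support.site/supp/accsite/cod.php` row points at the same host as the `account-support.site` domain row, fix the typo to "Domain C2" while touching this table. The new row itself is consistent with the `hxxp[:]//` defanging used by the surrounding entries, so no change is needed there.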
@@ -196,6 +201,7 @@
|46.105.40.12|IP C2|
|82.196.7.221|IP C2|
|37.139.28.208|IP C2|
+
###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/IOC_Donot_25-09-19.json)
## Links
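Review bot: the blank line added after `|37.139.28.208|IP C2|` correctly terminates the markdown table before the `######` heading, but the patch only touches `Malware analysis.md` (`1 file changed, 6 insertions(+)`), so the linked export `IOC_Donot_25-09-19.json` is not updated here; the `Olmapi32.dll` hash and the `account-support.site/supp/accsite/cod.php` URL added earlier in this patch should go into the JSON in the same change, otherwise the export and the table diverge.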