From e71814675ff3999624894521bd2b23dba26304c0 Mon Sep 17 00:00:00 2001 From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com> Date: Mon, 23 Sep 2019 00:51:00 +0200 Subject: [PATCH] Update Malware analysis.md --- Indian/APT/Donot/17-09-19/Malware analysis.md | 49 ++++++++++++++++--- 1 file changed, 42 insertions(+), 7 deletions(-) diff --git a/Indian/APT/Donot/17-09-19/Malware analysis.md b/Indian/APT/Donot/17-09-19/Malware analysis.md index 9226a5f..83bb93e 100644 --- a/Indian/APT/Donot/17-09-19/Malware analysis.md +++ b/Indian/APT/Donot/17-09-19/Malware analysis.md @@ -1,6 +1,9 @@ +# Analysis of the Donot APT campaign ## Table of Contents * [Malware analysis](#Malware-analysis) - + [Initial vector](#Initial-vector) + + [86ccedaa93743e83787f53e09e376713.docx](#malware1) + + [d2263c15dfcccfef16ecf1c1c9304064befddf49cdbbd40abd12513481d7faf7.doc](#malware2) + + [01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx](#malware3) * [Cyber Threat Intel](#Cyber-Threat-Intel) * [Indicators Of Compromise (IOC)](#IOC) * [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK) @@ -10,9 +13,38 @@ + [Documents](#Documents) ## Malware analysis -### Initial vector -###### The initial vector -![alt text](link "") +### 86ccedaa93743e83787f53e09e376713.docx +###### The first sample of the campaign is a maldoc file using cve-2017-0199 (Template injection) for request and executed the next stage of the infection. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/InjTemp.PNG "") +###### This use RTF file with the cve-2018-0802 for execute embedded excel object by the CLSID of the Excel COM object. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/RTFInfo.PNG "") +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/CLSID.png "") +###### This extract and execute the zip archive from the RTF file. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/HexPK.PNG "") +###### On the backdoor, we can see that can push an environnement variable and create the "Mknyh" Mutex. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-EnvVar.PNG "") +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Mutex.PNG "") +###### After perform this, this install the let's encrypt certificate and collect the informations about the system and send it in the C2. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Infos1.PNG "") +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Infos2.PNG "") +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Infos3.PNG "") +###### This collect the list of disks and the types of this. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Disk1.png "") +###### This can save and execute a stream from the C2. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Mod1.PNG "") +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Mod2.PNG "") + +### d2263c15dfcccfef16ecf1c1c9304064befddf49cdbbd40abd12513481d7faf7.doc +###### The second samples use the same TTPs and use Template injection. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/2/Template.png "") +###### The RTF file download and executed drop the same backdoor. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/2/RTFInfo.png "") +### 01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx + + + + + ## Cyber kill chain ###### The process graph resume the cyber kill chain used by the attacker. @@ -44,13 +76,16 @@ ## Links ###### Original tweet: [https://twitter.com/Timele9527/status/1173431630171492352](https://twitter.com/Timele9527/status/1173431630171492352) ###### Links Anyrun: -* [86ccedaa93743e83787f53e09e376713](https://app.any.run/tasks/0df3deaf-e8e9-4b23-8b64-fed49b85811f) +###### Samples : +* [86ccedaa93743e83787f53e09e376713.docx](https://app.any.run/tasks/0df3deaf-e8e9-4b23-8b64-fed49b85811f) * [d2263c15dfcccfef16ecf1c1c9304064befddf49cdbbd40abd12513481d7faf7.doc](https://app.any.run/tasks/63251738-19fb-4155-ae23-0a8d4d780682) -* [ -01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx](https://app.any.run/tasks/43bb63ce-4c78-4c1c-ae1d-a85b0106d983) +* [01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx](https://app.any.run/tasks/43bb63ce-4c78-4c1c-ae1d-a85b0106d983) * [17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc](https://app.any.run/tasks/e194a69c-9e4e-4c7b-9e73-f6b144af95e1) * [A1719.docx](https://app.any.run/tasks/524aff0c-2f82-4f03-8ad0-16928adcf1f2) * [57ecda52cfb12afa08e84fe86cd61a95.zip](https://app.any.run/tasks/411a27d8-9b47-4f87-bd06-35d813ab1457) * [Scan0012.docx](https://app.any.run/tasks/f3397ba6-f8a0-46c5-b40f-f91bdfddc5db) +###### Opendir: +* [SecurityM Opendir](https://app.any.run/tasks/793250a3-e767-47a8-9042-fce7c89a0471) +* [ScanSecurity Opendir](https://app.any.run/tasks/ae0325de-4aa2-40f0-8b17-1ca540cf2b9f) ###### Documents: * [link]()