Update Malware analysis 31-08-19.md

StrangerealIntel 2019-09-01 14:39:54 +02:00 committed by GitHub
parent 8bfbc70bdc
commit f140997934
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -23,7 +23,7 @@
###### Here we can see the redirection and the data sended on the victim. ###### Here we can see the redirection and the data sended on the victim.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/trace.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/trace.png "")
### ArtraDownloader <a name="ArtraDownloader"></a> ### ArtraDownloader <a name="ArtraDownloader"></a>
###### In the first, we can see some encoded string pushed on a function and the result is moved on another registry as storage for be used by the backdoor. ###### In the first, we can see that launch by the factory option for separate the application of the current Explorer instance for avoid if one crashes the other stays alive (C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding). Secondly, we can note encoded string pushed on a function and the result is moved on another registry as storage for be used by the backdoor.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/str.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/str.png "")
###### In observing this function we can resume by the folowing algorithm used for decode these strings : for each byte of the string -> value of the byte -1 -> get Unicode value -> convert to char. ###### In observing this function we can resume by the folowing algorithm used for decode these strings : for each byte of the string -> value of the byte -1 -> get Unicode value -> convert to char.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/dec.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/dec.png "")
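Review bot: "moved on another registry as storage" in the ArtraDownloader paragraph should read "register" (a CPU register), because this page later uses "registry" for the Windows Registry and the two will be confused; in the same sentence "pushed on a function" is meant as "passed to a function". The decoding description "value of the byte -1 -> get Unicode value -> convert to char" leaves the order unclear; stating it as "subtract 1 from each byte and take the result as the character code" (i.e. chr(b - 1)) lets a reader reproduce the string decoder. Minor: "sended" -> "sent", "folowing" -> "following".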
@ -35,22 +35,29 @@
###### Once this done, we can see on the entrypoint, this use the startupinfo structure to specify window properties, verify the header of the PE and the get the environment values for create the process. The malware is coded in C++ language. ###### Once this done, we can see on the entrypoint, this use the startupinfo structure to specify window properties, verify the header of the PE and the get the environment values for create the process. The malware is coded in C++ language.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/Entry.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/Entry.png "")
###### We can observe that the malware push the persistence in the startup menu. ###### We can observe that the malware push the persistence by a Run key in the registry. We can note too that use DOS commands with an environment value ("C:\ProgramData\Ntuser\winlgn.exe") for launch the backdoor.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/persistence.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/persistence.png "")
###### This query the registry for get the version of the OS ###### This query the registry for get the version of the OS and proceeds for identify the victims machine GUID by the HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid registry key.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/GetProcname.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/GetProcname.PNG "")
###### This use too , the EncodePointer function for encoding a specified pointer (encoded pointers can be used to provide another layer of protection for pointer values). ###### This use too , the EncodePointer function for encoding a specified pointer (encoded pointers can be used to provide another layer of protection for pointer values).
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/PointerDATA.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/PointerDATA.png "")
###### After perform the reconnaissance actions, this send the informations to the C2 ###### After perform the reconnaissance actions, this can send a query as pulse with the informations to the C2.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/send.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/send.png "")
###### In additional capacity, this can send a query the C2
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/query.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/query.png "")
###### The data are encoded by the algoritm too, with the script, we can decode the strings and see that the roles and data send to the C2.
|Variable|Description|
| ------------- |:-------------|
|SNI|Computer name|
|UME|OS Version|
|OPQ|Account name|
|IVR|[Computer name]##[Account name]@@[GUID]|
|st|downloaded file executed successfully ?|
### Cyber kill chain <a name="Cyber-kill-chain"></a> ### Cyber kill chain <a name="Cyber-kill-chain"></a>
###### This process graph represents the cyber kill chain of Bitter sample. ###### This process graph represents the cyber kill chain of Bitter sample.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/Cyber.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/Cyber.png "")
### Cyber Threat Intel<a name="Cyber-Threat-Intel"></a> ### Cyber Threat Intel<a name="Cyber-Threat-Intel"></a>
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a> ## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
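Review bot: the persistence sentence now says "a Run key in the registry" but names neither the hive nor the value, and "C:\ProgramData\Ntuser\winlgn.exe" is called an environment value although it reads as a fixed path; a defender writing a detection needs the exact key (HKCU or HKLM ...\CurrentVersion\Run) and value name, and the path should be quoted as a file indicator. "with the script, we can decode the strings" refers to a script that is not linked in this section; add a link to it in the repository. In the variable table, the "st" row ("downloaded file executed successfully ?") should say which values the field takes, and "send a query as pulse" would be clearer as "beacon". Typos: "algoritm" -> "algorithm", "informations" -> "information".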
@ -69,38 +76,16 @@
###### List of all the Indicators Of Compromise (IOC) ###### List of all the Indicators Of Compromise (IOC)
| Indicator | Description| | Indicator | Description|
| ------------- |:-------------| | ------------- |:-------------|
|IMG76329797.xls|e66181155a9cd827def409135334ecf173459e001e79853e1b38f2b8e5d8cc59| |Urgent Action.docx]|34b53cd683f60800ac4057d25b24d8f083f759d024d22b4e5f2a464bc85de65a|
|Inj.dll|84833991F1705A01A11149C9D037C8379A9C2D463DC30A2FEC27BFA52D218FA6| |smss.exe|dcb8531b0879d46949dd63b1ac094f5588c26867805d0795e244f4f9b8077ed1|
|mse60dc.exe|de314d038d9b0f8ff32cfe3391c4eec53a3e453297978e46c9b90df2542ed592| |maq.com.pk|domain requested|
|bitly.com|domain requested| |203.124.43.227|ip requested|
|xaasxasxasx.blogspot.com|domain requested| |http[:]//maq.com.pk/|HTTP/HTTPS requests|
|resources.blogblog.com domain requested| |http[:]//maq.com.pk/wehsd|HTTP/HTTPS requests|
|pastebin.com domain requested| |http[:]//maq.com.pk/wehs|HTTP/HTTPS requests|
|67.199.248.14|ip requested| |http[:]//onlinejohnline99.org/kvs06v.php|HTTP/HTTPS requests|
|67.199.248.15|ip requested| |onlinejohnline99.org|Domain C2|
|104.20.208.21|ip requested| |93.123.73.193|IP C2|
|http[:]//www[.]bitly[.]com/aswoesx8sxwxxd |HTTP/HTTPS requests|
|https[:]//pastebin[.]com/raw/rjfk3j9m |HTTP/HTTPS requests|
|https[:]///pastebin[.]com/raw/tgP7S1Qe |HTTP/HTTPS requests|
|https[:]//pastebin[.]com/raw/0rhAppFq |HTTP/HTTPS requests|
|https[:]//pastebin[.]com/raw/c3V923PW |HTTP/HTTPS requests|
|https[:]//pastebin[.]com/raw/VFUXDF7C |HTTP/HTTPS requests|
|http[:]//www[.]ichoubyou[.]net/ao/?3f9L=Lo3E2+YBaBWDL2bUvw2B2SYfQBwPkMAIH1i2HT9ocxT5reT2XuVh6G9ligbLGsBAAwhLuQ==&BbBX=LhTpETx8Zdn |HTTP/HTTPS requests|
|http[:]//www[.]grupomsi[.]com/ao/?3f9L=Kbq++Y0aAgDxGCx7fxZFucXlrMdtuSyVttVG37Ejsga78k8ZP/EpUCryDr6PmBWAbaydAw==&BbBX=LhTpETx8Zdn&sql=1 |HTTP/HTTPS requests|
|http[:]//www[.]grupomsi[.]com/ao/ |HTTP/HTTPS requests|
|http[:]//www[.]theaterloops[.]com/ao/?3f9L=M0MA2fUiqMbVb6H3GNVaAqJS8mhIciwdMXRISKDsKJcWUJLkZY1j+YIFBEd9s0Uz5tYaIQ==&BbBX=LhTpETx8Zdn&sql=1 |HTTP/HTTPS requests|
|http[:]//www[.]theaterloops[.]com/ao/ |HTTP/HTTPS requests|
|http[:]//www[.]sukfat[.]com/ao/ |HTTP/HTTPS requests|
|http[:]//www[.]sukfat[.]com/ao/?3f9L=i08SS1jJNzlL2PYEM5jjY78DODQHD8SSq/VJ1wVBwRJ7J5CmvaFz3C5neJ7p21NB5nPOdg==&BbBX=LhTpETx8Zdn |HTTP/HTTPS requests|
|www[.]hongmenwenhua[.]com |Domain C2|
|www[.]ichoubyou[.]net |Domain C2|
|www[.]grupomsi[.]com |Domain C2|
|www[.]sukfat[.]com |Domain C2|
|www[.]theaterloops[.]com |Domain C2|
|210.188.195.164|IP C2|
|23.20.239.12|IP C2|
|185.68.16.122|IP C2|
|199.192.23.220|IP C2|
###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/IOC_Gorgon_25-08-19.json) ###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/IOC_Gorgon_25-08-19.json)
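Review bot: the JSON export link under the table still points to the Gorgon file (Pakistan/APT/Gorgon/23-08-19/IOC_Gorgon_25-08-19.json) although this page is the Bitter analysis; update it to the Bitter IOC file. In the first row, "Urgent Action.docx]" has a stray closing bracket. The persistence path C:\ProgramData\Ntuser\winlgn.exe given in the analysis section is absent from the table and should be added as a file indicator. For the smss.exe row, the filename matches a legitimate Windows binary, so the description should make clear that the hash is the indicator, not the name, and the dropped location would help triage.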
@ -109,8 +94,5 @@
* Original tweet: https://twitter.com/RedDrip7/status/1164855381052416002 <a name="Original-Tweet"></a> * Original tweet: https://twitter.com/RedDrip7/status/1164855381052416002 <a name="Original-Tweet"></a>
* Anyrun Link: <a name="Links-Anyrun"></a> * Anyrun Link: <a name="Links-Anyrun"></a>
+ [Urgent Action.docx](https://app.any.run/tasks/27a486be-50cc-4c75-ac00-b5009582d4ff) + [Urgent Action.docx](https://app.any.run/tasks/27a486be-50cc-4c75-ac00-b5009582d4ff)
+ [inj2.exe](https://app.any.run/tasks/d7365b93-470c-4e2e-bc6d-5e43c711d72e)
* Docs : <a name="Documents"></a> * Docs : <a name="Documents"></a>
+ [Gorgon analysis by Unit42](https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/) + [Bitter Analysis by Unit42](https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/)
+ [The Evolution of Aggah: From Roma225 to the RG Campaign ](https://securityaffairs.co/wordpress/89502/malware/evolution-aggah-roma225-campaign.html)
+ [Frombook analysis from cyberbit (June 2019)](https://www.cyberbit.com/blog/endpoint-security/formbook-research-hints-large-data-theft-attack-brewing/)
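Review bot: the inj2.exe Anyrun link is removed but no sandbox link is added for the smss.exe payload now listed in the IOC table; if a run exists for it, add it under "Anyrun Link". Dropping the Aggah and Formbook references is consistent with the Unit42 reference changing to the Bitter/ArtraDownloader article.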