From f9503a3b9c74d820ed2a14322adda28d154d21a4 Mon Sep 17 00:00:00 2001 From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com> Date: Mon, 30 Sep 2019 00:29:36 +0200 Subject: [PATCH] Update Analysis_29-09-2019.md --- .../Analysis_29-09-2019.md | 67 ++++++++++++++++++- 1 file changed, 65 insertions(+), 2 deletions(-) diff --git a/Unknown/Unknown phishing group/Analysis_29-09-2019.md b/Unknown/Unknown phishing group/Analysis_29-09-2019.md index 4a12e61..ed1da7a 100644 --- a/Unknown/Unknown phishing group/Analysis_29-09-2019.md +++ b/Unknown/Unknown phishing group/Analysis_29-09-2019.md @@ -14,6 +14,67 @@ ### Initial vector ###### The initial vector ![alt text](link "") +###### Liste des commands : +|Command|Description| +|:-------------:| :------------- | +|disconnect|Disconnect reverse shell| +|reboot|Reboot the computer| +|shutdown|Shutdown the computer| +|execute|Execute commands (cmd + PowerShell)| +|install-sdk|Install sdk tool for grabbing password for browser| +|get-pass|Grabbing the password of specific browser chosen by the attacker| +|get-pass-offline|Grabbing the password off all current browser| +|update|run update the version of the script| +|uninstall|Remove persistence + close process| +|up-n-exec|"Download and execute an executable file (Fixed URL ->""send-to-me"")"| +|bring-log|upload the log of the js backdoor| +|down-n-exec|Download and execute an executable file (Custom URL )| +|filemanager|Kill the backdoor process + download an executable file (Custom URL)| +|rdp|Start rdp module| +|rev-proxy|Start reverse proxy module| +|exit-proxy|kill reverse proxy process| +|keylogger|Start keylogger module| +|offline-keylogger|Launch keylogger module with mod| +|browse-logs|Send the logs do by the backdoor| +|cmd-shell|Execute commands (cmd + PowerShell) [Write the output in a file, read it, delete it]| +|get-processes|Enumerates processes| +|disable-uac|Disable security settings (UAC + Defender)| +|check-eligible|Check existence of the file verified by the attacker| +|force-eligible|Check existence of the file verified by the attacker + elevated rights| +|elevate|Check elevated rights + runas for elevated the rights| +|if-elevate|Check elevated rights| +|kill-process|Kill a specific process (by taskkill)| +|Sleep|Hibernate process via a duration chosen by the attacker| + + +###### Liste des commands : + +|Command|Description| +|:-------------:| :------------- | +|disconnect|Disconnect reverse shell| +|reboot|Reboot the computer| +|shutdown|Shutdown the computer| +|execute|Execute commands (cmd + PowerShell)| +|get-pass|Grabbing the password of specific browser chosen by the attacker| +|get-pass-offline|Grabbing the password off all current browser| +|update|run update the version of the script| +|uninstall|Remove persistence + close process| +|up-n-exec|Download and execute an executable file (Fixed URL ->"send-to-me")| +|bring-log|upload the log of the js backdoor| +|down-n-exec|Download and execute an executable file (Custom URL )| +|filemanager|Kill the backdoor process + download an executable file (Custom URL)| +|rdp|Start rdp module| +|keylogger|Start keylogger module| +|offline-keylogger|Launch keylogger module with mod| +|browse-logs|Send the logs do by the backdoor| +|cmd-shell|Execute commands (cmd + PowerShell) [Write the output in a file, read it, delete it]| +|get-processes|Enumerates processes| +|disable-uac|Disable security settings (UAC + Defender)| +|elevate|Check elevated rights + runas for elevated the rights| +|if-elevate|Check elevated rights| +|kill-process|Kill a specific process (by taskkill)| +|Sleep|Hibernate process via a duration chosen by the attacker| + ## Cyber kill chain ###### The process graph resume the cyber kill chain used by the attacker. @@ -45,6 +106,8 @@ ## Links ###### Original tweet: [https://twitter.com/dvk01uk/status/1176483058058440705](https://twitter.com/dvk01uk/status/1176483058058440705) ###### Links Anyrun: -* []() +* [TNT Collection Request BH7 297745.js](https://app.any.run/tasks/62990e45-e920-48b0-a3b3-9ce2e83f99dc) +* [BANK DETAILS CONFIRMATION_PDF.js](https://app.any.run/tasks/ec7c360a-5cd0-4cfc-b123-2f43fda77423) +* [vvvv.js](https://app.any.run/tasks/26647b54-0c71-4461-adee-765e926ab5fc) ###### Documents: -* [link]() +* [Houdini Worm Transformed in New Phishing Attack - June 2019](https://cofense.com/houdini-worm-transformed-new-phishing-attack/)