Update Analysis_29-09-2019.md

Unknown/Unknown phishing group/Analysis_29-09-2019.md

@@ -14,6 +14,67 @@
 ### Initial vector <a name="Initial-vector"></a>
 ###### The initial vector 
 ![alt text](link "")
+###### Liste des commands :
+|Command|Description|
+|:-------------:| :------------- |
+|disconnect|Disconnect reverse shell|
+|reboot|Reboot the computer|
+|shutdown|Shutdown the computer|
+|execute|Execute commands (cmd + PowerShell)|
+|install-sdk|Install sdk tool for grabbing password for browser|
+|get-pass|Grabbing the password of specific browser chosen by the attacker|
+|get-pass-offline|Grabbing the password off all current browser|
+|update|run update the version of the script|
+|uninstall|Remove persistence +  close process|
+|up-n-exec|"Download and execute an executable file (Fixed URL ->""send-to-me"")"|
+|bring-log|upload the log of the js backdoor|
+|down-n-exec|Download and execute an executable file (Custom URL )|
+|filemanager|Kill the backdoor process + download an executable file (Custom URL)|
+|rdp|Start rdp module|
+|rev-proxy|Start reverse proxy module|
+|exit-proxy|kill reverse proxy process|
+|keylogger|Start keylogger module|
+|offline-keylogger|Launch keylogger module with mod|
+|browse-logs|Send the logs do by the backdoor|
+|cmd-shell|Execute commands (cmd + PowerShell) [Write the output in a file, read it, delete it]|
+|get-processes|Enumerates processes|
+|disable-uac|Disable security settings (UAC + Defender)|
+|check-eligible|Check existence of the file verified by the attacker|
+|force-eligible|Check existence of the file verified by the attacker + elevated rights|
+|elevate|Check elevated rights + runas for elevated the rights|
+|if-elevate|Check elevated rights|
+|kill-process|Kill a specific process (by taskkill)|
+|Sleep|Hibernate process via a duration chosen by the attacker|
+
+
+###### Liste des commands :
+
+|Command|Description|
+|:-------------:| :------------- |
+|disconnect|Disconnect reverse shell|
+|reboot|Reboot the computer|
+|shutdown|Shutdown the computer|
+|execute|Execute commands (cmd + PowerShell)|
+|get-pass|Grabbing the password of specific browser chosen by the attacker|
+|get-pass-offline|Grabbing the password off all current browser|
+|update|run update the version of the script|
+|uninstall|Remove persistence +  close process|
+|up-n-exec|Download and execute an executable file (Fixed URL ->"send-to-me")|
+|bring-log|upload the log of the js backdoor|
+|down-n-exec|Download and execute an executable file (Custom URL )|
+|filemanager|Kill the backdoor process + download an executable file (Custom URL)|
+|rdp|Start rdp module|
+|keylogger|Start keylogger module|
+|offline-keylogger|Launch keylogger module with mod|
+|browse-logs|Send the logs do by the backdoor|
+|cmd-shell|Execute commands (cmd + PowerShell) [Write the output in a file, read it, delete it]|
+|get-processes|Enumerates processes|
+|disable-uac|Disable security settings (UAC + Defender)|
+|elevate|Check elevated rights + runas for elevated the rights|
+|if-elevate|Check elevated rights|
+|kill-process|Kill a specific process (by taskkill)|
+|Sleep|Hibernate process via a duration chosen by the attacker|
+
 
 ## Cyber kill chain <a name="Cyber-kill-chain"></a>
 ###### The process graph resume the cyber kill chain used by the attacker.
@@ -45,6 +106,8 @@
 ## Links <a name="Links"></a>
 ###### Original tweet: [https://twitter.com/dvk01uk/status/1176483058058440705](https://twitter.com/dvk01uk/status/1176483058058440705) <a name="Original-Tweet"></a>
 ###### Links Anyrun: <a name="Links-Anyrun"></a>
-* []()
+* [TNT Collection Request BH7 297745.js](https://app.any.run/tasks/62990e45-e920-48b0-a3b3-9ce2e83f99dc)
+* [BANK DETAILS CONFIRMATION_PDF.js](https://app.any.run/tasks/ec7c360a-5cd0-4cfc-b123-2f43fda77423)
+* [vvvv.js](https://app.any.run/tasks/26647b54-0c71-4461-adee-765e926ab5fc)
 ###### Documents: <a name="Documents"></a>
-* [link]()
+* [Houdini Worm Transformed in New Phishing Attack - June 2019](https://cofense.com/houdini-worm-transformed-new-phishing-attack/)