Update Malware analysis 25-08-19.md
This commit is contained in:
parent
166696faff
commit
fd346a9128
@ -7,6 +7,9 @@
|
|||||||
+ [Loader + Frombook](#Loader)
|
+ [Loader + Frombook](#Loader)
|
||||||
+ [Cyber kill chain](#Cyber-kill-chain)
|
+ [Cyber kill chain](#Cyber-kill-chain)
|
||||||
* [Cyber Threat Intel](#Cyber-Threat-Intel)
|
* [Cyber Threat Intel](#Cyber-Threat-Intel)
|
||||||
|
+ [Bitly link](#bitly)
|
||||||
|
+ [C2 domains](#C2)
|
||||||
|
+ [The troubling case of the Hagga account](#Hagga)
|
||||||
* [IOC](#IOC)
|
* [IOC](#IOC)
|
||||||
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
|
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
|
||||||
* [Links](#Links)
|
* [Links](#Links)
|
||||||
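Review bot: the three new table-of-contents entries (`+ [Bitly link](#bitly)`, `+ [C2 domains](#C2)`, `+ [The troubling case of the Hagga account](#Hagga)`) continue the file's mix of `+` and `*` list markers; CommonMark renderers start a new list whenever the bullet character changes, so the TOC renders as several separate lists instead of one. Suggest using a single marker for the whole block. The three anchors only resolve because matching `<a name="bitly">`, `<a name="C2">` and `<a name="Hagga">` tags are added further down in this same commit; keep the link text identical to the section headings so the TOC and the headings stay in sync if either is renamed.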
@ -33,7 +36,7 @@
|
|||||||
### Second stage <a name="Second"></a>
|
### Second stage <a name="Second"></a>
|
||||||
###### The first pastebin use too a js script with with 3 layers of unescape and the previous obfuscating methods.
|
###### The first pastebin use too a js script with with 3 layers of unescape and the previous obfuscating methods.
|
||||||
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20stage%202/Unescape3.PNG "")
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20stage%202/Unescape3.PNG "")
|
||||||
###### we can observe two additionnal requested pastebin links, the first use the LoadWithPartialName funcion by Reflection Assembly in NET framework for download and execute raw hex data in memory, in addition, this execute an array of byte of the PE downloaded by a hijack of the calc program. The second pastebin link close the hidden window.
|
###### We can observe two additionals requested pastebin links, the first use the LoadWithPartialName funcion by Reflection Assembly in NET framework for download and execute raw hex data in memory, in addition, this executes an array of bytes of the PE downloaded by a hijack of the calc program. The second pastebin link close the hidden window.
|
||||||
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20stage%202/VBcodefinal.PNG "")
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20stage%202/VBcodefinal.PNG "")
|
||||||
### Loader + Frombook <a name="Loader"></a>
|
### Loader + Frombook <a name="Loader"></a>
|
||||||
#### Loader
|
#### Loader
|
||||||
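Review bot: the rewritten sentence still carries grammar errors that the edit was meant to fix: "two additionals requested pastebin links" should be "two additional requested pastebin links", "funcion" should be "function", and "The second pastebin link close the hidden window" should be "closes". While touching this paragraph, "Reflection Assembly in NET framework" would read more precisely as "`System.Reflection.Assembly` in the .NET Framework", and the unchanged context line above ("a js script with with 3 layers of unescape") has a duplicated "with" that could be fixed in the same commit.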
@ -83,27 +86,31 @@
|
|||||||
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/cyber.PNG "")
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/cyber.PNG "")
|
||||||
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/cyberfrom.PNG "")
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/cyberfrom.PNG "")
|
||||||
### Cyber Threat Intel<a name="Cyber-Threat-Intel"></a>
|
### Cyber Threat Intel<a name="Cyber-Threat-Intel"></a>
|
||||||
|
#### Bitly link <a name="bitly"></a>
|
||||||
|
###### Bitly short link is currently used since June 2019 by the Gorgon Group, we can report all the clicks by location in this map world (don't forget that the sandbox goes to the links that this can modify this graphic representation.)
|
||||||
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Bitlyclicks.png "")
|
||||||
|
#### C2 domains <a name="C2"></a>
|
||||||
###### In the first time, we can note that all domains used as C2 contacts can be resolved.
|
###### In the first time, we can note that all domains used as C2 contacts can be resolved.
|
||||||
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/FakeC2domains.png "")
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/FakeC2domains.png "")
|
||||||
###### In the second time, if we reported all the domains for see if this registered in the WHOIS, we note again that some domains aren't be registered and used as fake domains. All the active domains are active in the last three months, that is match with the recent campaign since the June month.
|
###### In the second time, if we reported all the domains for see if this registered in the WHOIS, we note again that some domains aren't be registered and used as fake domains. All the active domains are active in the last three months, that is match with the recent campaign since the June month.
|
||||||
|
|
||||||
|Domain|Status|
|
|Domain|Status|
|
||||||
|:--------------- |:-------------|
|
|:--------------- |:-------------|
|
||||||
|www.thedip.zone | not been registered yet|
|
|www[.]thedip.zone | not been registered yet|
|
||||||
|www.ycsfuoabdicating.review | not been registered yet|
|
|www[.]ycsfuoabdicating.review | not been registered yet|
|
||||||
|www.hongmenwenhua.com | registered but inused [Link](https://www.whois.com/whois/hongmenwenhua.com)|
|
|www[.]hongmenwenhua.com | registered but inused [Link](https://www.whois.com/whois/hongmenwenhua.com)|
|
||||||
|www.41230077.net | not been registered yet|
|
|www[.]41230077.net | not been registered yet|
|
||||||
|www.1688jtn.com | not been registered yet|
|
|www[.]1688jtn.com | not been registered yet|
|
||||||
|www.ichoubyou.net | registered and used [Link](https://www.whois.com/whois/ichoubyou.net) |
|
|www[.]ichoubyou.net | registered and used [Link](https://www.whois.com/whois/ichoubyou.net) |
|
||||||
|www.grupomsi.com | unregistered / Domain to sale [Link](https://www.whois.com/whois/grupomsi.com)|
|
|www[.]grupomsi.com | unregistered / Domain to sale [Link](https://www.whois.com/whois/grupomsi.com)|
|
||||||
|www.qp0o1j3-dmv4kwncw8e.win | not been registered yet|
|
|www[.]qp0o1j3-dmv4kwncw8e.win | not been registered yet|
|
||||||
|www.klapki.online | not been registered yet|
|
|www[.]klapki.online | not been registered yet|
|
||||||
|www.tourismmanagement.mba | not been registered yet|
|
|www[.]tourismmanagement.mba | not been registered yet|
|
||||||
|www.6474sss.com | not been registered yet|
|
|www[.]6474sss.com | not been registered yet|
|
||||||
|www.theaterloops.com | clientTransferProhibited [Link](https://www.whois.com/whois/theaterloops.com)|
|
|www[.]theaterloops.com | clientTransferProhibited [Link](https://www.whois.com/whois/theaterloops.com)|
|
||||||
|www.sukfat.com| clientTransferProhibited [Link](https://www.whois.com/whois/sukfat.com)|
|
|www[.]sukfat.com| clientTransferProhibited [Link](https://www.whois.com/whois/sukfat.com)|
|
||||||
|
|
||||||
#### The troubling case of the Hagga account
|
#### The troubling case of the Hagga account <a name="Hagga"></a>
|
||||||
|
|
||||||
###### Like reported by me, the 15th May 2019 [(Link)](https://twitter.com/Arkbird_SOLG/status/1128696982783123457) after analysing the sample request of [JAMESWT_MHT](https://twitter.com/JAMESWT_MHT), this recurrent account have use pastebin as malware provider and drop many times different RAT and used each times the same tool obfuscating the strings with escape function and the "MySexoPhone" reference.
|
###### Like reported by me, the 15th May 2019 [(Link)](https://twitter.com/Arkbird_SOLG/status/1128696982783123457) after analysing the sample request of [JAMESWT_MHT](https://twitter.com/JAMESWT_MHT), this recurrent account have use pastebin as malware provider and drop many times different RAT and used each times the same tool obfuscating the strings with escape function and the "MySexoPhone" reference.
|
||||||
###### As reported by [Dodge This Security](https://twitter.com/shotgunner101) in this tweet [(link)](https://twitter.com/shotgunner101/status/1128753406259138560) and by cyberbit analysis some troubling timeline and malware used in the campaign and hosted by Hagga account. This can be proved this involvement in the Gorgon group.
|
###### As reported by [Dodge This Security](https://twitter.com/shotgunner101) in this tweet [(link)](https://twitter.com/shotgunner101/status/1128753406259138560) and by cyberbit analysis some troubling timeline and malware used in the campaign and hosted by Hagga account. This can be proved this involvement in the Gorgon group.
|
||||||
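Review bot: the defanging applied to the C2 domain table is only partial: `www[.]thedip.zone` still leaves a live dot between the second-level and top-level labels, so renderers that autolink bare domains will still turn these C2 names into clickable links, and the notation differs from the IOC table later in the same file, which writes `www[.]hongmenwenhua[.]com`. Suggest defanging every dot (`www[.]thedip[.]zone`) so both tables use the same convention. Two smaller points in the same hunk: "registered but inused" for hongmenwenhua.com is ambiguous (in use, or unused?), and the new Bitly sentence would be clearer as "A Bitly short link has been used by the Gorgon Group since June 2019; the map shows all clicks by location (keep in mind that sandboxes also follow the link, which can distort this map)".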
@ -117,19 +124,48 @@
|
|||||||
|
|
||||||
|Enterprise tactics|Technics used|Ref URL|
|
|Enterprise tactics|Technics used|Ref URL|
|
||||||
| :---------------: |:-------------| :------------- |
|
| :---------------: |:-------------| :------------- |
|
||||||
|||
|
|Execution|T1059 - Command-Line Interface<br>T1106 - Execution through API<br> T1170 - Mshta<br>T1086 - PowerShell<br>T1053 - Scheduled Task<br>T1064 - Scripting<br>T1059 - Command-Line Interface|https://attack.mitre.org/techniques/T1059<br>https://attack.mitre.org/techniques/T1106<br>https://attack.mitre.org/techniques/T1170<br>https://attack.mitre.org/techniques/T1086<br>https://attack.mitre.org/techniques/T1053<br>https://attack.mitre.org/techniques/T1064<br>https://attack.mitre.org/techniques/T1059|
|
||||||
|||
|
|Persistence|T1060 - Registry Run Keys / Startup Folder<br>T1053 - Scheduled Task|https://attack.mitre.org/techniques/T1060<br>https://attack.mitre.org/techniques/T1053|
|
||||||
|||
|
|Privilege Escalation|T1053 - Scheduled Task|https://attack.mitre.org/techniques/T1053|
|
||||||
|||
|
|Defense Evasion|T1170 - Mshta<br>T1064 - Scripting|https://attack.mitre.org/techniques/T1170<br>https://attack.mitre.org/techniques/T1064|
|
||||||
|
|Credential Access|T1081 - Credentials in Files|https://attack.mitre.org/techniques/T1081|
|
||||||
|
|Collection|T1113 - Screen Capture<br>T1114 - Email Collection|https://attack.mitre.org/techniques/T1113/<br>https://attack.mitre.org/techniques/T1114|
|
||||||
## Indicators Of Compromise (IOC) <a name="IOC"></a>
|
## Indicators Of Compromise (IOC) <a name="IOC"></a>
|
||||||
|
|
||||||
###### List of all the Indicators Of Compromise (IOC)
|
###### List of all the Indicators Of Compromise (IOC)
|
||||||
| Indicator | Description|
|
| Indicator | Description|
|
||||||
| ------------- |:-------------|
|
| ------------- |:-------------|
|
||||||
|||
|
|IMG76329797.xls|e66181155a9cd827def409135334ecf173459e001e79853e1b38f2b8e5d8cc59|
|
||||||
||IP C2|
|
|mse60dc.exe|de314d038d9b0f8ff32cfe3391c4eec53a3e453297978e46c9b90df2542ed592|
|
||||||
|http[:]//|URL request|
|
|bitly.com|domain requested|
|
||||||
||Domain C2|
|
|xaasxasxasx.blogspot.com|domain requested|
|
||||||
|
|resources.blogblog.com domain requested|
|
||||||
|
|pastebin.com domain requested|
|
||||||
|
|67.199.248.14|ip requested|
|
||||||
|
|67.199.248.15|ip requested|
|
||||||
|
|104.20.208.21|ip requested|
|
||||||
|
|http[:]//www[.]bitly[.]com/aswoesx8sxwxxd |HTTP/HTTPS requests|
|
||||||
|
|https[:]//pastebin[.]com/raw/rjfk3j9m |HTTP/HTTPS requests|
|
||||||
|
|https[:]///pastebin[.]com/raw/tgP7S1Qe |HTTP/HTTPS requests|
|
||||||
|
|https[:]//pastebin[.]com/raw/0rhAppFq |HTTP/HTTPS requests|
|
||||||
|
|https[:]//pastebin[.]com/raw/c3V923PW |HTTP/HTTPS requests|
|
||||||
|
|https[:]//pastebin[.]com/raw/VFUXDF7C |HTTP/HTTPS requests|
|
||||||
|
|http[:]//www[.]ichoubyou[.]net/ao/?3f9L=Lo3E2+YBaBWDL2bUvw2B2SYfQBwPkMAIH1i2HT9ocxT5reT2XuVh6G9ligbLGsBAAwhLuQ==&BbBX=LhTpETx8Zdn |HTTP/HTTPS requests|
|
||||||
|
|http[:]//www[.]grupomsi[.]com/ao/?3f9L=Kbq++Y0aAgDxGCx7fxZFucXlrMdtuSyVttVG37Ejsga78k8ZP/EpUCryDr6PmBWAbaydAw==&BbBX=LhTpETx8Zdn&sql=1 |HTTP/HTTPS requests|
|
||||||
|
|http[:]//www[.]grupomsi[.]com/ao/ |HTTP/HTTPS requests|
|
||||||
|
|http[:]//www[.]theaterloops[.]com/ao/?3f9L=M0MA2fUiqMbVb6H3GNVaAqJS8mhIciwdMXRISKDsKJcWUJLkZY1j+YIFBEd9s0Uz5tYaIQ==&BbBX=LhTpETx8Zdn&sql=1 |HTTP/HTTPS requests|
|
||||||
|
|http[:]//www[.]theaterloops[.]com/ao/ |HTTP/HTTPS requests|
|
||||||
|
|http[:]//www[.]sukfat[.]com/ao/ |HTTP/HTTPS requests|
|
||||||
|
|http[:]//www[.]sukfat[.]com/ao/?3f9L=i08SS1jJNzlL2PYEM5jjY78DODQHD8SSq/VJ1wVBwRJ7J5CmvaFz3C5neJ7p21NB5nPOdg==&BbBX=LhTpETx8Zdn |HTTP/HTTPS requests|
|
||||||
|
|www[.]hongmenwenhua[.]com |Domain C2|
|
||||||
|
|www[.]ichoubyou[.]net |Domain C2|
|
||||||
|
|www[.]grupomsi[.]com |Domain C2|
|
||||||
|
|www[.]sukfat[.]com |Domain C2|
|
||||||
|
|www[.]theaterloops[.]com |Domain C2|
|
||||||
|
|210.188.195.164|IP C2|
|
||||||
|
|23.20.239.12|IP C2|
|
||||||
|
|185.68.16.122|IP C2|
|
||||||
|
|199.192.23.220|IP C2v
|
||||||
|
|
||||||
###### This can be exported as JSON format [Export in JSON]()
|
###### This can be exported as JSON format [Export in JSON]()
|
||||||
|
|
||||||
|
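Review bot: several rows of the rebuilt IOC table are malformed and will not render as table cells: `|resources.blogblog.com domain requested|` and `|pastebin.com domain requested|` are missing the `|` between the indicator and description columns, `|199.192.23.220|IP C2v` has a stray `v` and no closing pipe, and `https[:]///pastebin[.]com/raw/tgP7S1Qe` has three slashes after the scheme. In the MITRE table, the Execution row lists `T1059 - Command-Line Interface` twice (first and last entry), and the Collection row's first reference URL has a trailing slash the other URLs do not. Finally, `[Export in JSON]()` still has an empty link target and renders as a dead link; add the JSON path or leave the link out until the file exists.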