# [Update] Malware analysis on Gamaredon APT campaign (06-08-19) ## Table of Contents * [Malware analysis](#Malware-analysis) + [Analysis of the TTPs](#Initial-vector) + [Cyber kill chain](#Initial-vector) * [Cyber Threat Intel](#Cyber-Kill-Chain) * [IOC](#IOC) * [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK) * [Links](#Links) + [Original Tweet](#Original-Tweet) + [Ref previous analysis](#Documents) + [Link Anyrun](#Links-Anyrun) ## Malware-analysis ### Analysis of the TTPs ###### Like the last sample analysed, the new samples uses an SFX archive for extract the files and execute the fake document and the payload. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/Images/SFX.png "SFX startup") ###### We can see again the cmd file extracted by the SFX archive. The randomization of the obfuscated strings has been by the algorithm in the archive. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/Images/CMD.PNG "Extraction cmd file") ###### Also this use the function GetCommandLineA for getting a pointer to the command-line string for the current process. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/Images/command.PNG "Commandline function") ### Cyber kill chain ###### The process graph resume the cyber kill chain used by the attacker. We can observe that the TTPs are the same. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/Images/cyber.PNG "Cyber kill chain") ## Cyber Threat Intel ###### Both latest spotted samples have the same C2 hosted in a Russia provider. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/Images/IP.png "IP informations") ###### The domain seems don't be registered on list of the domain added. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/Images/query.PNG "Query WHOIS") ###### Like the last sample, this comes at a crisis period between Russia and Ukraine, Ukraine rest the main target of Gamaredon group. ## References MITRE ATT&CK Matrix ###### List of all the references with MITRE ATT&CK Matrix |Enterprise tactics|Technics used|Ref URL| | :---------------: |:-------------| :------------- | |Execution|T1059 - Starts CMD.EXE for commands execution
T1106 - Execution through API
T1053 - Scheduled Task
T1064 - Scripting|https://attack.mitre.org/techniques/T1059
https://attack.mitre.org/techniques/T1106
https://attack.mitre.org/techniques/T1053
https://attack.mitre.org/techniques/T1064| |Persistence|T1060 - Registry Run Keys / Startup Folder
T1053 - Scheduled Task|https://attack.mitre.org/techniques/T1060
https://attack.mitre.org/techniques/T1053| |Privilege Escalation|T1053 - Scheduled Task|https://attack.mitre.org/techniques/T1053| |Defense Evasion|T1112 - Modify Registry
T1064 - Scripting|https://attack.mitre.org/techniques/T1112
https://attack.mitre.org/techniques/T1064| |Discovery|T1012 - Query Registry|https://attack.mitre.org/techniques/T1012| ## Indicators Of Compromise (IOC) ###### List of all the Indicators Of Compromise (IOC) | Indicator | Description| | ------------- |:-------------| |1426f88edaf207d2c62422f343209fae|204da6b16288cf94890ab036836a27a8163bef259092b3eb21c99e52144256e8| |a.exe|a94b4e7ecd9482b0e610b2521727715d1d401d775617512514bdd2e0b9351e06| |23379.txt|a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599| |18535.cmd|29389990ce789001c337e98abd3ff49b3c80dd34e66033c62732e4af89e13f4f| |21826.cmd|825deff8a0d7635b2e45ac2d7ad09c80e45cd380a0e54831910e0bb62063d20b| |QoceoIJ.vbs|37b05d4273e3e0a558d431ed3cc443d2a93001b121c4aae9fc8f9778a5578316| |zZBwUAc.vbs|f29d970f4ace8516a254515be3b3adf14ebf9651c0ee1aecaddd68a3d12c0315| |PowerShellCertificates_C4BA3647.ps1|6de997b9bbfa09def80109108def78a42bc16820c681d12210011ea5d1a86321| |Document.docx|2a5c7e6e9347f74e8a5d288274117cb638ff0305a3e46813d64316f869d5e7ec| |document-listing.ddns.net|Domain C2| |188.225.24.161|IP C2| |http[:]//document-listing.ddns.net/|URL request| ###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/IOC_Gamaredon_16-08-19.json) ## Links * Original tweet: https://twitter.com/RedDrip7/status/1161900271477252101 * Ref previous analysiss: [Gamaradon sample analysis 06-08-19](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Russia/APT/Gamaredon/06-08-19/Malware%20analysis%2006-08-19.md) * Anyrun Links: + [1426f88edaf207d2c62422f343209fae](https://app.any.run/tasks/8b718d6a-04c4-44fc-9afd-e0cffd1b626a) + [a.exe](https://app.any.run/tasks/58d83fbe-36c9-4fad-9e21-9140207b6152)