# Analysis of the Donot APT campaign ## Table of Contents * [Malware analysis](#Malware-analysis) + [86ccedaa93743e83787f53e09e376713.docx](#malware1) + [d2263c15dfcccfef16ecf1c1c9304064befddf49cdbbd40abd12513481d7faf7.doc](#malware2) + [01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx](#malware3) + [pk_17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc](#malware4) * [Cyber Threat Intel](#Cyber-Threat-Intel) * [Indicators Of Compromise (IOC)](#IOC) * [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK) * [Links](#Links) + [Original Tweet](#Original-Tweet) + [Link Anyrun](#Links-Anyrun) + [Documents](#Documents) ## Malware analysis ### 86ccedaa93743e83787f53e09e376713.docx ###### The first sample of the campaign is a maldoc file using cve-2017-0199 (Template injection) for request and executed the next stage of the infection. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/InjTemp.PNG "") ###### This use RTF file with the cve-2018-0802 for execute embedded excel object by the CLSID of the Excel COM object. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/RTFInfo.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/CLSID.png "") ###### This extract and execute the zip archive from the RTF file. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/HexPK.PNG "") ###### On the backdoor, we can see that can push an environnement variable and create the "Mknyh" Mutex. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-EnvVar.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Mutex.PNG "") ###### After perform this, this install the let's encrypt certificate and collect the informations about the system and send it in the C2. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Infos1.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Infos2.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Infos3.PNG "") ###### This collect the list of disks and the types of this. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Disk1.png "") ###### This can save and execute a stream from the C2. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Mod1.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Mod2.PNG "") ### d2263c15dfcccfef16ecf1c1c9304064befddf49cdbbd40abd12513481d7faf7.doc ###### The second samples use the same TTPs and use Template injection. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/2/Template.png "") ###### The RTF file download and executed drop the same backdoor. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/2/RTFInfo.png "") ### 01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx ###### The next sample use Template injection too for download and executed drop the RTF file. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Inj.PNG "") ###### The RTF file push a persistence with a LNK file, extract the backdoor and execute on another instance of explorer. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/RTFInfo.PNG "") ###### The backdoor use a timer for as anti-sandbox method and check the features. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Main.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Anti-sandbox.PNG "") ###### This push in memory the backdoor and check the system informations. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/VirtualProtect.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Infos.PNG "") ###### This have the capacity to hijack the AVAST AV, send the informations and request to the C2 for commands. This can save a file and execute it on the computer. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Hijack.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/connect.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/WriteFile.PNG "") ### pk_17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc ###### This continue to use Template injection. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/inj.PNG "") ###### The RTF file dropped extract a js file, a dll and an exe file. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/rtfinfos.PNG "") ###### The js file execute the dll and the exe file for bypass the UAC by the UACme tool. The backdoor is the same that the first sample. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/js.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/UAC.PNG "") ## Cyber kill chain ###### The process graph resume the cyber kill chain used by the attacker. ![alt text]() ## Cyber Threat Intel ## References MITRE ATT&CK Matrix ###### List of all the references with MITRE ATT&CK Matrix |Enterprise tactics|Technics used|Ref URL| | :---------------: |:-------------| :------------- | |||| |||| |||| ## Indicators Of Compromise (IOC) ###### List of all the Indicators Of Compromise (IOC) | Indicator | Description| | ------------- |:-------------:| ||| ||Domain requested| ||IP requested| ||HTTP/HTTPS requests|| ||IP C2| ||Domain C2| ###### This can be exported as JSON format [Export in JSON]() ## Links ###### Original tweet: [https://twitter.com/Timele9527/status/1173431630171492352](https://twitter.com/Timele9527/status/1173431630171492352) ###### Links Anyrun: ###### Samples : * [86ccedaa93743e83787f53e09e376713.docx](https://app.any.run/tasks/0df3deaf-e8e9-4b23-8b64-fed49b85811f) * [d2263c15dfcccfef16ecf1c1c9304064befddf49cdbbd40abd12513481d7faf7.doc](https://app.any.run/tasks/63251738-19fb-4155-ae23-0a8d4d780682) * [01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx](https://app.any.run/tasks/43bb63ce-4c78-4c1c-ae1d-a85b0106d983) * [17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc](https://app.any.run/tasks/e194a69c-9e4e-4c7b-9e73-f6b144af95e1) * [A1719.docx](https://app.any.run/tasks/524aff0c-2f82-4f03-8ad0-16928adcf1f2) * [57ecda52cfb12afa08e84fe86cd61a95.zip](https://app.any.run/tasks/411a27d8-9b47-4f87-bd06-35d813ab1457) * [Scan0012.docx](https://app.any.run/tasks/f3397ba6-f8a0-46c5-b40f-f91bdfddc5db) ###### Opendir: * [SecurityM Opendir](https://app.any.run/tasks/793250a3-e767-47a8-9042-fce7c89a0471) * [ScanSecurity Opendir](https://app.any.run/tasks/ae0325de-4aa2-40f0-8b17-1ca540cf2b9f) ###### Documents: * [UACme](https://github.com/hfiref0x/UACME)