CyberThreatIntel/Russia/APT/Gamaredon/16-08-19/Malware analysis 16-08-19.md
2019-08-25 01:34:32 +02:00

# [Update] Malware analysis on Gamaredon APT campaign (06-08-19)

## Table of Contents

- Malware-analysis

## Analysis of the TTPs

Like the last sample analysed, the new samples use an SFX archive to extract the files and then execute the decoy document and the payload.

We can again see the cmd file extracted by the SFX archive. The obfuscated strings have been randomized by the algorithm embedded in the archive.

This sample also calls the GetCommandLineA function to obtain a pointer to the command-line string of the current process.

## Cyber kill chain

The process graph summarises the cyber kill chain used by the attacker. We can observe that the TTPs are the same as in the previous sample.

## Cyber Threat Intel

Both of the latest spotted samples use the same C2, hosted at a Russian provider.

The domain does not seem to be registered on the list of added domains.

Like the last sample, this one arrives during a period of crisis between Russia and Ukraine; Ukraine remains the main target of the Gamaredon group.

## References MITRE ATT&CK Matrix

List of all the references with the MITRE ATT&CK Matrix:

| Enterprise tactic | Technique used | Ref URL |
|---|---|---|
| Execution | T1059 - Starts CMD.EXE for command execution | https://attack.mitre.org/techniques/T1059 |
| Execution | T1106 - Execution through API | https://attack.mitre.org/techniques/T1106 |
| Execution | T1053 - Scheduled Task | https://attack.mitre.org/techniques/T1053 |
| Execution | T1064 - Scripting | https://attack.mitre.org/techniques/T1064 |
| Persistence | T1060 - Registry Run Keys / Startup Folder | https://attack.mitre.org/techniques/T1060 |
| Persistence | T1053 - Scheduled Task | https://attack.mitre.org/techniques/T1053 |
| Privilege Escalation | T1053 - Scheduled Task | https://attack.mitre.org/techniques/T1053 |
| Defense Evasion | T1112 - Modify Registry | https://attack.mitre.org/techniques/T1112 |
| Defense Evasion | T1064 - Scripting | https://attack.mitre.org/techniques/T1064 |
| Discovery | T1012 - Query Registry | https://attack.mitre.org/techniques/T1012 |

## Indicators Of Compromise (IOC)

List of all the Indicators Of Compromise (IOC):

| Indicator | Description |
|---|---|
| 1426f88edaf207d2c62422f343209fae | 204da6b16288cf94890ab036836a27a8163bef259092b3eb21c99e52144256e8 |
| a.exe | a94b4e7ecd9482b0e610b2521727715d1d401d775617512514bdd2e0b9351e06 |
| 23379.txt | a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599 |
| 18535.cmd | 29389990ce789001c337e98abd3ff49b3c80dd34e66033c62732e4af89e13f4f |
| 21826.cmd | 825deff8a0d7635b2e45ac2d7ad09c80e45cd380a0e54831910e0bb62063d20b |
| QoceoIJ.vbs | 37b05d4273e3e0a558d431ed3cc443d2a93001b121c4aae9fc8f9778a5578316 |
| zZBwUAc.vbs | f29d970f4ace8516a254515be3b3adf14ebf9651c0ee1aecaddd68a3d12c0315 |
| PowerShellCertificates_C4BA3647.ps1 | 6de997b9bbfa09def80109108def78a42bc16820c681d12210011ea5d1a86321 |
| Document.docx | 2a5c7e6e9347f74e8a5d288274117cb638ff0305a3e46813d64316f869d5e7ec |
| document-listing.ddns.net | Domain C2 |
| 188.225.24.161 | IP C2 |
| http[:]//document-listing.ddns.net/ | URL request |

These indicators can also be exported in JSON format (Export in JSON).
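As an added example (not part of the original analysis and not the repository's own tooling), the following Python script matches the indicators from the table above against a handful of constructed DNS, proxy and EDR log lines. The log format, timestamps, host names and file paths are invented for the demonstration; the hashes, domain, IP and URL are the ones listed in the table. The script refangs the `http[:]//` notation before matching, compares SHA-256 values case-insensitively, and anchors domain and IP matches so that a longer token such as `188.225.24.1610` does not produce a false hit.

```python
import re
from dataclasses import dataclass

# Indicators copied from the IOC table above, keyed by SHA-256 with the
# listed file name as the description.
FILE_HASHES = {
    "204da6b16288cf94890ab036836a27a8163bef259092b3eb21c99e52144256e8": "1426f88edaf207d2c62422f343209fae",
    "a94b4e7ecd9482b0e610b2521727715d1d401d775617512514bdd2e0b9351e06": "a.exe",
    "a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599": "23379.txt",
    "29389990ce789001c337e98abd3ff49b3c80dd34e66033c62732e4af89e13f4f": "18535.cmd",
    "825deff8a0d7635b2e45ac2d7ad09c80e45cd380a0e54831910e0bb62063d20b": "21826.cmd",
    "37b05d4273e3e0a558d431ed3cc443d2a93001b121c4aae9fc8f9778a5578316": "QoceoIJ.vbs",
    "f29d970f4ace8516a254515be3b3adf14ebf9651c0ee1aecaddd68a3d12c0315": "zZBwUAc.vbs",
    "6de997b9bbfa09def80109108def78a42bc16820c681d12210011ea5d1a86321": "PowerShellCertificates_C4BA3647.ps1",
    "2a5c7e6e9347f74e8a5d288274117cb638ff0305a3e46813d64316f869d5e7ec": "Document.docx",
}

# Network indicators from the same table, kept in their defanged form.
NETWORK_IOCS = {
    "document-listing.ddns.net": "Domain C2",
    "188.225.24.161": "IP C2",
    "http[:]//document-listing.ddns.net/": "URL request",
}

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def refang(value: str) -> str:
    """Undo common defanging (hxxp, [:], [.]) so an indicator can be matched against live logs."""
    return value.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


def _anchored(indicator: str):
    # The indicator must not be embedded in a longer token: "188.225.24.161"
    # must not match "188.225.24.1610" or "x188.225.24.161".
    return re.compile(r"(?<![\w.-])" + re.escape(refang(indicator)) + r"(?![\w-])", re.IGNORECASE)


NETWORK_PATTERNS = {ioc: _anchored(ioc) for ioc in NETWORK_IOCS}


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str
    description: str


def scan_line(line_no: int, line: str) -> list:
    """Return every IOC hit on one log line: hash matches first, then network IOCs."""
    hits = []
    for candidate in SHA256_RE.findall(line):
        key = candidate.lower()  # EDR products differ in hash casing
        if key in FILE_HASHES:
            hits.append(Hit(line_no, key, FILE_HASHES[key]))
    for ioc, pattern in NETWORK_PATTERNS.items():
        if pattern.search(line):
            hits.append(Hit(line_no, ioc, NETWORK_IOCS[ioc]))
    return hits


def scan_logs(lines) -> list:
    """Scan an iterable of log lines and return all hits with 1-based line numbers."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        hits.extend(scan_line(line_no, line))
    return hits


def summarize(hits) -> dict:
    """Count hits per indicator description, e.g. {'Domain C2': 2, 'IP C2': 1}."""
    counts = {}
    for h in hits:
        counts[h.description] = counts.get(h.description, 0) + 1
    return counts


# Constructed sample log lines (not real telemetry). Timestamps, hosts and paths
# are invented; the indicators embedded in them come from the table above.
SAMPLE_LOGS = [
    "2019-08-16T10:02:11Z dns query src=10.0.0.15 qname=document-listing.ddns.net type=A",
    "2019-08-16T10:02:12Z proxy src=10.0.0.15 dst=188.225.24.161 url=http://document-listing.ddns.net/ status=200",
    "2019-08-16T10:02:13Z dns query src=10.0.0.15 qname=updates.example.com type=A",
    "2019-08-16T10:02:20Z edr filecreate host=WS-15 path=C:\\Users\\u\\AppData\\Local\\Temp\\18535.cmd sha256=29389990CE789001C337E98ABD3FF49B3C80DD34E66033C62732E4AF89E13F4F",
    "2019-08-16T10:02:21Z edr filecreate host=WS-15 path=C:\\Users\\u\\Desktop\\notes.txt sha256=0000000000000000000000000000000000000000000000000000000000000000",
    "2019-08-16T10:03:00Z proxy src=10.0.0.16 dst=188.225.24.16 url=http://other.example.net/ status=200",
]

if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for h in found:
        print(f"line {h.line_no}: {h.description} -> {h.indicator}")
    print(summarize(found))
```

The URL indicator overlaps the domain indicator, so the proxy line in the sample produces three hits (domain, IP and URL); that is intentional, since each row of the table is a separate indicator that an analyst may want counted on its own.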