Malware analysis of an unknown Israel APT campaign
Table of Contents
- Malware analysis
- Cyber Threat Intel
- Indicators Of Compromise (IOC)
- References MITRE ATT&CK Matrix
- Links
Malware analysis
Initial vector
The initial vector uses an SFX executable, which drops an LNK file for persistence, a VBS file, and a DOCX file used as a decoy for the victim.
We can also note the multiple options the SFX offers for establishing persistence.
This executes the VBS file to set up persistence in the Startup menu, hides it by changing its attributes, and launches the persistence (the LNK file).
This downloads the VB script and executes it through an mshta call.
In the VB code, we can observe that it uses BITS functionality to download, through a job, the JS script to execute on the victim. Secondly, it checks the system architecture, executes the correct path of wscript, and pushes the window off-screen.
Loader
We can see that a function is used to decode the commands from an array of bytes.
To decode the strings, we use the following function, which the backdoor itself uses to decode its commands.
You can now replace the encoded commands.
Once the encoded strings are replaced, we have the following code:
As an anti-forensic method, there is a routine that determines whether a debugger is present.
Finally, we can observe a WScript execution with a splitter function that splits the data into an array of bytes, converts it to ASCII, and then executes the script with an execute call.
With the following PowerShell script, we can obtain the second layer, which is the JS backdoor.
JS Backdoor
First, the script collects information about the victim's system and sends it to one of the C2 servers in the list, taken in order (not a random pick from the list), with the suffix "/is-ready". The backdoor uses a while loop to stay in communication with the C2 by sending pulses containing the victim's system information.
It sends data with the following structure to the C2 (here from the Any.Run sandbox):
C4BA3647<|>USER-PC<|>admin<|>Microsoft Windows 7 Professional <|>plus<|>nan-av<|>
We can note that the USB spreading option isn't used in this sample. The structure of the message sent to the C2 is the following:
[volumeserialnumber]<|>[computername]<|>[username]<|>plus<|>[AV product (yes -> name or no ->nan-av)]<|>[usbspreading option (= "")]<|>
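As an added example (not code from this write-up), the following Python parses that check-in format and scans a few constructed proxy-log lines for the "/is-ready" beacon. The field order follows the captured sample above, which carries the OS name between the username and the "plus" marker; the log line format, the host names and the 8-hex-digit volume-serial check are assumptions.

```python
import re
from typing import Optional

SEP = "<|>"
# Field order follows the check-in captured on this page: the OS name sits between
# the username and the "plus" marker; the text after the last separator is the
# USB-spreading option, empty when unused.
FIELDS = ("volume_serial", "computer_name", "user_name", "os_name",
          "marker", "av_product", "usb_spreading")

def parse_checkin(body: str) -> Optional[dict]:
    """Parse one check-in body into a dict; return None if it does not fit."""
    parts = body.split(SEP)
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # The fixed "plus" marker and an 8-hex-digit serial (as in the page's sample;
    # an assumption for other builds) keep false positives down.
    if rec["marker"] != "plus" or not re.fullmatch(r"[0-9A-Fa-f]{8}", rec["volume_serial"]):
        return None
    rec["os_name"] = rec["os_name"].strip()            # sample carries a trailing space
    rec["av_product"] = None if rec["av_product"] == "nan-av" else rec["av_product"]
    rec["usb_spreading"] = rec["usb_spreading"] != ""  # "" means the option is off
    return rec

# Constructed proxy-log lines (tab-separated timestamp, method, URL, body); the
# first body is the sandbox check-in quoted in this write-up.
SAMPLE_LOG = [
    "2020-01-01T10:00:00Z\tPOST\thttp://c2.example.invalid/is-ready\t"
    "C4BA3647<|>USER-PC<|>admin<|>Microsoft Windows 7 Professional <|>plus<|>nan-av<|>",
    "2020-01-01T10:00:05Z\tGET\thttp://www.example.invalid/index.html\t",
    "2020-01-01T10:00:09Z\tPOST\thttp://c2.example.invalid/is-ready\tnot-a-beacon",
]

def find_checkins(lines):
    """Return (timestamp, url, parsed check-in) for each line carrying a beacon."""
    hits = []
    for line in lines:
        ts, _method, url, body = line.split("\t", 3)
        if url.endswith("/is-ready"):
            rec = parse_checkin(body)
            if rec is not None:
                hits.append((ts, url, rec))
    return hits
```

Matching on the full field layout rather than on the "/is-ready" path alone lets the rule survive a change of C2 domain while still rejecting unrelated traffic to a similar URI.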
Next, when a response from the C2 is received, a switch structure is used to execute the command.
Now we analyse all the functions used by this switch. The first function is used by the other functions of the script to send data to the C2.
We can then observe a group of functions that use WQL queries through WMI to get system information; the attacker uses this to profile the victim.
Next, a function is used by the attacker to download an executable file.
Along the same lines, a function that reads the bytes of a file into a buffer and sends them to the C2 is present.
The next function gives the attacker the list of drives on the computer.
Another function can enumerate the paths of folders and files and additionally return their attributes.
A third function is used to get the list of processes running on the computer.
The last function exits the process with a kill signal through a taskkill call.
We can summarise the list of the backdoor's commands:
Command | Description |
---|---|
execute | Execute a DOS/PowerShell command |
send | Download a file and execute it |
site-send | Function does not exist but takes the same argument as the send command; seems to be an edited version of the send function that was not deleted? |
recv | Read a file into a buffer and send it to the C2 |
enum-driver | Send the list of drives to the C2 |
enum-faf | Get the list of folders, files and attributes and send it to the C2 |
enum-process | Get the list of processes (name, id, path of the executable) and send it to the C2 |
delete | Function does not exist, but judging by the parameters it seems to let the attacker delete folders or files |
exit-process | Kill the backdoor process, but this cannot remove the persistence; an "execute" command must be performed beforehand to delete it from the registry |
Cyber kill chain
The process graph summarises the cyber kill chain used by the attacker.
Cyber Threat Intel
References MITRE ATT&CK Matrix
List of all references to the MITRE ATT&CK Matrix
Enterprise tactics | Techniques used | Ref URL |
---|---|---|
Indicators Of Compromise (IOC)
List of all the Indicators Of Compromise (IOC)
Indicator | Description |
---|---|
Domain requested | |
IP requested | |
HTTP/HTTPS requests | |
IP C2 | |
Domain C2 | |