43 lines
1.7 KiB
Markdown
43 lines
1.7 KiB
Markdown
# The SideWinder campaign continue
|
|
## Table of Contents
|
|
* [Malware analysis](#Malware-analysis)
|
|
* [Cyber Threat Intel](#Cyber-Threat-Intel)
|
|
* [Cyber kill chain](#Cyber-kill-chain)
|
|
* [Indicators Of Compromise (IOC)](#IOC)
|
|
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
|
|
* [Links](#Links)
|
|
+ [Original Tweet](#Original-Tweet)
|
|
+ [Link Anyrun](#Links-Anyrun)
|
|
|
|
## Malware analysis <a name="Malware-analysis"></a>
|
|
###### The initial vector is a malicious excel file which used an XLM macro (macro v4). This uses a function for launch the payload when the excel windows is active (selected as primary window). As first action, this executes the module 1.
|
|
![alt text]()
|
|
|
|
## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>
|
|
######
|
|
## Cyber kill chain <a name="Cyber-kill-chain"></a>
|
|
###### The process graphs resume all the cyber kill chains used by the attacker.
|
|
![alt text]()
|
|
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
|
|
###### List of all the references with MITRE ATT&CK Matrix
|
|
|
|
|Enterprise tactics|Technics used|Ref URL|
|
|
| :---------------: |:-------------| :------------- |
|
|
||||
|
|
|
|
## Indicators Of Compromise (IOC) <a name="IOC"></a>
|
|
###### List of all the Indicators Of Compromise (IOC)
|
|
|Indicator|Description|
|
|
| ------------- |:-------------:|
|
|
|||
|
|
|
|
###### This can be exported as JSON format [Export in JSON]()
|
|
|
|
## Links <a name="Links"></a>
|
|
###### Original tweet:
|
|
* [https://twitter.com/Timele9527/status/1182587382626996224](https://twitter.com/Timele9527/status/1182587382626996224) <a name="Original-Tweet"></a>
|
|
###### Links Anyrun: <a name="Links-Anyrun"></a>
|
|
* [zhengce.doc](https://app.any.run/tasks/7cdd1bfc-f0a3-4dd6-a29c-5ed70a77e76c)
|
|
###### Ressources:
|
|
* [DotNetToJScript](https://github.com/tyranid/DotNetToJScript)
|