CyberThreatIntel/Additional Analysis/Neutrino/Analysis_2020-02-08.md
2020-02-09 00:50:11 +01:00

3.6 KiB

Neutrino physics 101

Table of Contents

Malware analysis

The initial vector

The initial vector is an malicious document using a macro. As the first look, we can note some constant variables can be replace and deletefor improvement the reading of the code.

Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHOneMask = 16515072
Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHTwoMask = 258048
Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHThreeMask = 4032
Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHFourMask = 63

Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHighMask = 16711680
Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHMidMask = 65280
Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHLowMask = 255

Private Const MNAJSAQQQQQQ18 = 262144
Private Const MNAJSAQQQQQQ12 = 4096
Private Const MNAJSAQQQQQQ6 = 64
Private Const MNAJSAQQQQQQ8 = 256
Private Const MNAJSAQQQQQQ16 = 65536

We can see the both functions for auto-open the macro in the reading of the document for the Word and Excel document. This is for a common code for the both vectors or for reduce the rate of the detection, hard to say it.
Sub AutoOpen()
 AddSpace
End Sub

Private Sub Workbook_Open()
 AddSpace
End Sub

Threat Intelligence

Cyber kill chain

The process graph resume cyber kill chains used by the attacker :

Indicators Of Compromise (IOC)

List of all the Indicators Of Compromise (IOC)
Indicator Description
The IOC can be exported in JSON

References MITRE ATT&CK Matrix

Enterprise tactics Technics used Ref URL
This can be exported as JSON format

Yara Rules

YARA Rules are available here

Links

Original tweet:
Links Anyrun:
Resources :