CyberThreatIntel/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md
2019-08-31 13:50:35 +02:00

5.3 KiB

Malware analysis on Bitter APT campaign (31-08-19)

Table of Contents

Malware-analysis

Initial vector

Use a document with a remote template injection as initial vector. This download the

alt text

Cyber kill chain

This process graph represents the cyber kill chain of Bitter sample.

Cyber Threat Intel

References MITRE ATT&CK Matrix

List of all the references with MITRE ATT&CK Matrix
Enterprise tactics Technics used Ref URL
Execution T1059 - Command-Line Interface
T1106 - Execution through API
T1170 - Mshta
T1086 - PowerShell
T1053 - Scheduled Task
T1064 - Scripting
T1059 - Command-Line Interface
https://attack.mitre.org/techniques/T1059
https://attack.mitre.org/techniques/T1106
https://attack.mitre.org/techniques/T1170
https://attack.mitre.org/techniques/T1086
https://attack.mitre.org/techniques/T1053
https://attack.mitre.org/techniques/T1064
https://attack.mitre.org/techniques/T1059
Persistence T1060 - Registry Run Keys / Startup Folder
T1053 - Scheduled Task
https://attack.mitre.org/techniques/T1060
https://attack.mitre.org/techniques/T1053
Privilege Escalation T1053 - Scheduled Task https://attack.mitre.org/techniques/T1053
Defense Evasion T1170 - Mshta
T1064 - Scripting
https://attack.mitre.org/techniques/T1170
https://attack.mitre.org/techniques/T1064
Credential Access T1081 - Credentials in Files https://attack.mitre.org/techniques/T1081
Collection T1113 - Screen Capture
T1114 - Email Collection
https://attack.mitre.org/techniques/T1113
https://attack.mitre.org/techniques/T1114

Indicators Of Compromise (IOC)

List of all the Indicators Of Compromise (IOC)
Indicator Description
IMG76329797.xls e66181155a9cd827def409135334ecf173459e001e79853e1b38f2b8e5d8cc59
Inj.dll 84833991F1705A01A11149C9D037C8379A9C2D463DC30A2FEC27BFA52D218FA6
mse60dc.exe de314d038d9b0f8ff32cfe3391c4eec53a3e453297978e46c9b90df2542ed592
bitly.com domain requested
xaasxasxasx.blogspot.com domain requested
resources.blogblog.com domain requested
pastebin.com domain requested
67.199.248.14 ip requested
67.199.248.15 ip requested
104.20.208.21 ip requested
http[:]//www[.]bitly[.]com/aswoesx8sxwxxd HTTP/HTTPS requests
https[:]//pastebin[.]com/raw/rjfk3j9m HTTP/HTTPS requests
https[:]///pastebin[.]com/raw/tgP7S1Qe HTTP/HTTPS requests
https[:]//pastebin[.]com/raw/0rhAppFq HTTP/HTTPS requests
https[:]//pastebin[.]com/raw/c3V923PW HTTP/HTTPS requests
https[:]//pastebin[.]com/raw/VFUXDF7C HTTP/HTTPS requests
http[:]//www[.]ichoubyou[.]net/ao/?3f9L=Lo3E2+YBaBWDL2bUvw2B2SYfQBwPkMAIH1i2HT9ocxT5reT2XuVh6G9ligbLGsBAAwhLuQ==&BbBX=LhTpETx8Zdn HTTP/HTTPS requests
http[:]//www[.]grupomsi[.]com/ao/?3f9L=Kbq++Y0aAgDxGCx7fxZFucXlrMdtuSyVttVG37Ejsga78k8ZP/EpUCryDr6PmBWAbaydAw==&BbBX=LhTpETx8Zdn&sql=1 HTTP/HTTPS requests
http[:]//www[.]grupomsi[.]com/ao/ HTTP/HTTPS requests
http[:]//www[.]theaterloops[.]com/ao/?3f9L=M0MA2fUiqMbVb6H3GNVaAqJS8mhIciwdMXRISKDsKJcWUJLkZY1j+YIFBEd9s0Uz5tYaIQ==&BbBX=LhTpETx8Zdn&sql=1 HTTP/HTTPS requests
http[:]//www[.]theaterloops[.]com/ao/ HTTP/HTTPS requests
http[:]//www[.]sukfat[.]com/ao/ HTTP/HTTPS requests
http[:]//www[.]sukfat[.]com/ao/?3f9L=i08SS1jJNzlL2PYEM5jjY78DODQHD8SSq/VJ1wVBwRJ7J5CmvaFz3C5neJ7p21NB5nPOdg==&BbBX=LhTpETx8Zdn HTTP/HTTPS requests
www[.]hongmenwenhua[.]com Domain C2
www[.]ichoubyou[.]net Domain C2
www[.]grupomsi[.]com Domain C2
www[.]sukfat[.]com Domain C2
www[.]theaterloops[.]com Domain C2
210.188.195.164 IP C2
23.20.239.12 IP C2
185.68.16.122 IP C2
199.192.23.220 IP C2
This can be exported as JSON format Export in JSON