CyberThreatIntel/Indian/APT/Patchwork/27-08-19/Malware analysis 27-08-19.md
2019-09-08 23:29:24 +02:00


Malware analysis of a sample attributed to APT Patchwork


Malware analysis

Initial vector

The initial vector is an INP file (the document format used by the InPage word processor) carrying an exploit for CVE-2017-12824. In the stream dump, the bytes 0x7E and 0x72 identify a class type within the stream, which is used to load an OLE stream that launches the first binary.


The strings in the DLL show that it extracts a file into the temp folder and then creates a thread to run the second PE file.

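A static triage of the initial vector, as an added example that is not code from the original report: it assumes, as the description of an OLE stream above implies, that the INP document is an OLE compound (CFB) container, checks the header, carves any embedded PE images (the stage that is extracted to the temp folder), and emits the findings as JSON. The sample bytes are constructed, not a real Patchwork document.

```python
import json
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # CFB (OLE compound file) signature


def is_ole_compound_file(data: bytes) -> bool:
    """True if the buffer starts with the OLE/CFB signature."""
    return data[:8] == OLE_MAGIC


def ole_header_info(data: bytes) -> dict:
    """Decode the CFB header fields that matter for a quick sanity check.

    Offsets 0x1A (major version), 0x1C (byte order), 0x1E (sector shift)
    are contiguous 16-bit fields in the CFB header.
    """
    major, byte_order, sector_shift = struct.unpack_from("<HHH", data, 0x1A)
    return {
        "major_version": major,
        "little_endian": byte_order == 0xFFFE,
        "sector_size": 1 << sector_shift,
    }


def find_embedded_pe(data: bytes) -> list:
    """Carve PE images: an 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            # A sane e_lfanew is small and the COFF header must fit in the buffer.
            if 0x40 <= e_lfanew < 0x1000 and pe_off + 8 <= len(data) \
                    and data[pe_off:pe_off + 4] == b"PE\0\0":
                machine, nsections = struct.unpack_from("<HH", data, pe_off + 4)
                hits.append({
                    "offset": pos,
                    "machine": f"0x{machine:04x}",
                    "sections": nsections,
                })
        pos = data.find(b"MZ", pos + 1)
    return hits


def triage(data: bytes) -> dict:
    """Summarise the document: container sanity plus carved payloads."""
    report = {"is_ole": is_ole_compound_file(data), "header": None, "embedded_pe": []}
    if report["is_ole"]:
        report["header"] = ole_header_info(data)
        report["embedded_pe"] = find_embedded_pe(data)
    # A document-format file that carries a PE image is the triage signal here.
    report["suspicious"] = report["is_ole"] and bool(report["embedded_pe"])
    return report


def triage_json(data: bytes) -> str:
    """JSON form of the report, matching the JSON export of the IOC list."""
    return json.dumps(triage(data), indent=2)


def build_sample() -> bytes:
    """Constructed stand-in (not a real sample): CFB header, padding, PE stub."""
    header = bytearray(512)
    header[0:8] = OLE_MAGIC
    struct.pack_into("<HHH", header, 0x1A, 3, 0xFFFE, 9)  # v3, little-endian, 512-byte sectors
    stub = bytearray(b"MZ" + b"\0" * 0x3A)                # DOS header up to e_lfanew
    stub += struct.pack("<I", 0x40)                        # e_lfanew: PE header follows the DOS header
    stub += b"PE\0\0" + struct.pack("<HH", 0x14C, 3)       # i386 COFF header, 3 sections
    stub += b"\0" * 16
    return bytes(header) + b"\0" * 1024 + bytes(stub)


SAMPLE_INP = build_sample()

if __name__ == "__main__":
    print(triage_json(SAMPLE_INP))
```

On a real sample, read the file bytes in place of `SAMPLE_INP`; a hit with a valid COFF header at a document offset is what to extract and analyse as the first-stage binary.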

Cyber kill chain

The process graph summarizes the cyber kill chain used by the attacker.


Cyber Threat Intel

References MITRE ATT&CK Matrix

List of all the references with the MITRE ATT&CK Matrix:

| Enterprise tactics | Techniques used | Ref URL |
| :---: | :---: | :---: |

Indicators Of Compromise (IOC)

List of all the Indicators Of Compromise (IOC):

| Indicator | Description |
| :---: | :---: |
|  | Domain requested |
|  | IP requested |
|  | HTTP/HTTPS requests |
|  | IP C2 |
|  | Domain C2 |

This list can also be exported in JSON format.
Original tweet: https://twitter.com/jsoo/status/1166353584923041798
Documents: