Skip to content
Branch: master
Find file Copy path
Find file Copy path
1 contributor

Users who have contributed to this file

137 lines (125 sloc) 10.9 KB

Analysis of the new TA505 campaign

Table of Contents

Malware analysis

The initial vector is a malicious excel file which used an XLM macro (macro v4). This uses a function for launch the payload when the excel windows is active (selected as primary window). As first action, this executes the module 1.

alt text

The function call in Module 1 create a Wscript object for change the current directory, show the fake message and push debug messages.

alt text alt text

The userform execute the extract and execute a different PE instead of the architecture of the victim (x86 and x64).

alt text alt text alt text

As anti-forensic technique, this delete the files by call of kill functions.

alt text

We can note that a function is unused and seem to be a rest of the development of the macro.

alt text

The implant executed push all in memory with a call of VirtualAlloc function.

alt text alt text

Once this, this checks the system informations, the process executed on the computer and try to detect if this run in a sandbox (low size of the disk).

alt text alt text

This sends the informations to the C2 and wait for the next instruction of the group.

alt text

We can list the informations send in the following variables :
Variables Description
&D= Name of the computer
&U= Name of the user
&OS= Version of the OS
&PR= List of process (separed by %7C)
And is presented this way (extracted from the sandbox):


That interesting to note that the group get only the process for see if the victim have security messures (AV, endpoint...) before launch the next step.This drop the clop ransomware if we observe the latest analysis on this subject.The group change currently the trust certificate for bypass the security messures that we can see on the analysis of VK_Intel :

Cyber Threat Intel

Recently, new domains used by the group have been spotted by Suspicious Link. On the HTML document, we can see that the fake page usurps dropbox in using external references and the path on the malicious excel document.

alt text

We can see in more that the personal informations is like the Office of the Prime Minister of the Republic of Armenia.

alt text alt text alt text

Cyber kill chain

The process graphs resume all the cyber kill chains used by the attacker.

alt text

References MITRE ATT&CK Matrix

List of all the references with MITRE ATT&CK Matrix
Enterprise tactics Technics used Ref URL
Execution Execution through Module Load
Discovery Query Registry

Indicators Of Compromise (IOC)

List of all the Indicators Of Compromise (IOC)
Indicator Description IP C2 IP Requested IP Requested IP Requested IP C2
3ee37a570cc968ca2ad5a99f920c9332 D8EA1BAE84345D1A432E872811E9ECBCF84DE0BA6CB36053039A839DFBB7097C
44a20233b3c3b1defcd7484d241c5be6 09A887F08C7F252E642805DDFF5F1FDC390F675E603C994C3C06C055C55B0637
53b2c9d906fc9075fa375295c5bdcf5b 0776289CAC9F64211D5E5DDF14973157160DDCFBE2979D2E40638C4E03238558
89c3a79864a0f0fa5a6cd3f87e8bd3271d1265b4d632bb32bb6be02425b4fe78 89C3A79864A0F0FA5A6CD3F87E8BD3271D1265B4D632BB32BB6BE02425B4FE78
C:\Users\admin\AppData\Roaming{97B34601-5B4A-40AF-8963-D8C75594998B} - 1.dll 0AF713AB3D6D17CD6B96D78FAC2677FE3B5B0051CF8B673478BD767E7553C238
C:\Users\admin\AppData\Roaming\module_p1.dll 57D29E8BA4D1C0ECAD75F2B9EEBEF757D872169C3270DABAF326D9057019CF68
C:\Users\admin\AppData\Roaming\module_p2.dll C16D2A23A27C1E9EAE34D01613C4BAB0FE4871F1D8A72D5C5B40E43B0F24D95C
c6d17efb69bd4a7ac8f9dc11f810c30b 77D8E6C621EA96AF5A677397FE367DC60689D7F4F40B0A60A198F1D117A9A47A
Cheque.xls 375159A45823FF4EAFBA0C364209EB7C35B353E3C64B69978C136CF41B67D570 Domain Requested
doc 6172.xls 564CF47E84589D5E130E0502B403DF4E9648B9AFEA47372D0F9B8FD91FF6505C
ed0cde28ce66713974e339715bdde62b CBAAB49338F8F2A9F56575702D9943A3DAFD78EF7812FABFF3B2E2899A460A12
f46e2c2925e6196fae3112fd0bcbb8c2 AD5910E44A63C0FC02376277D28D306A236CB87BCC0FA08B3569069BB5D58A6B
hxxps://chogoon[.]com/srt/gedp4 HTTP/HTTPS requests
hxxps://windows-wsus-en[.]com/version HTTP/HTTPS requests
Invoice 7173.xls BAEE4D4F8838CD7107977D960E4478279E9F321D21CB15126C38AA8204629561
J_280586 D8EA1BAE84345D1A432E872811E9ECBCF84DE0BA6CB36053039A839DFBB7097C
LET 7833.xls 544154ED4B0495EBD44210AC6EAC4B5D7B9C9BE36B61D21482616433BE1915DD
Letter 7711.xls E7379BB7A4B46E2378D5722FD2C8F4AE31A2AE15D5A9006609EE3E8D26199D89 Domain C2
Receipt 0787.xls 564CF47E84589D5E130E0502B403DF4E9648B9AFEA47372D0F9B8FD91FF6505C
Receipt 4685 YJLJ.xls 564CF47E84589D5E130E0502B403DF4E9648B9AFEA47372D0F9B8FD91FF6505C
sample1.xls 6118EC7C0F06B45368DBD85B8F83958FC1F02F85E743F9CD82A1B877FBCCC140
sample4.XLS 566745CE483F3DC1744C757DD7348CE0844BAF5DB8CDF28F242CCD86B91496C0 Domain C2
Xerox Scan_84676113847687.XLS 8741346FB8D6C2F4CA80FA2B176F162AF620F86C5FFC895C84346BE22BDAA976
Xerox.csv 566745CE483F3DC1744C757DD7348CE0844BAF5DB8CDF28F242CCD86B91496C0 IP Requested IP Requested IP Requested IP Requested IP Requested
a78e87d350c8cf3f6d7db126c5fadd7d837aef23df01194fc0973561cd20818e.xls A78E87D350C8CF3F6D7DB126C5FADD7D837AEF23DF01194FC0973561CD20818E
C:\Users\admin\AppData\Roaming\libMongo1.dll 4414195087F01719270AE41F45953139CAF2F24A10C96D56EB28EA6601DD17E0
C:\Users\admin\Downloads\request.xls 34242C2D4A3EF625A6DA375B85B34A3FD3CAFB04442A438378D1153FD355159C Domain Requested
hxxps://dropbox-download[.]com HTTP/HTTPS requests
hxxps://dropbox-download[.]com/?05041770570340 HTTP/HTTPS requests
hxxps://dropbox-download[.]com/?05610068412737 HTTP/HTTPS requests
hxxps://dropbox-download[.]com/?35277620367160 HTTP/HTTPS requests
hxxps://dropbox-download[.]com/download.php HTTP/HTTPS requests
request.xls A78E87D350C8CF3F6D7DB126C5FADD7D837AEF23DF01194FC0973561CD20818E Domain C2
This can be exported as JSON format Export in JSON


Original tweet:
Links Anyrun:
You can’t perform that action at this time.