Share this page!

Arkbird Profile picture
Twitter logo
29 Sep, 6 tweets, 9 min read
#FIN7
As reported by @KorbenD_Intel, the initial powershell script use DeflateStream method for uncompress the zip in memory and extract it. This execute the second layer that heavily obfuscated. More 70 functions are used for reorder the data for sensible strings and the implant ImageImage
Once removed, this extract from another deflated stream with content the x64 PE still in memory by a memorystream. This finally loaded by reflective method. ImageImageImage
The x64 implant extract the configuration from the section ".text" of the PE for get the C2. This initiate the sockets after getting the system infos (computername, username, network cards infos ...). ImageImageImageImage
This perform events for get ready if the C2 reply to download and execute the orders. ImageImageImageImage
Thanks to @KorbenD_Intel @JAMESWT_MHT for their help.
Code, pictures, samples:
github.com/StrangerealInt…
Bazaar:
bazaar.abuse.ch/sample/003645e…
cc: @VK_Intel @malwrhunterteam @MeltX0R @ItsReallyNick @_re_fox @Rmy_Reserve @DeadlyLynn @James_inthe_box @shotgunner101 @0xtornado @ShadowChasing1 @malz_intel @cyb3rops @faisalusuf @JusticeRage @felixaime @ItsReallyNick @DrunkBinary @craiu @jeromesegura

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Arkbird

Arkbird Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @Arkbird_SOLG

Arkbird Profile picture
14 Jul
[TLP:White] The #APT Mustang Panda group targets the Vatican state with lures. This uses the TTPs already used for pushing the payloads as vulnerable Word version (office 2007) by side-loading method for execute a dll.
This dll perform a request for getting the dat file (configuration file) for the PlugX implant, performs a side-loading technique on another vulnerable software (Adobe AAM) for execute it.
By tracking the group which use this vulnerable software and the TTPs, this gives the attribution to Mustang Panda. This is the second time that the group targets the catholic organizations due to this have targets Union of Catholic Asian News.
Read 6 tweets
Arkbird Profile picture
10 Jul
#Thanos ransomware use several methods against Sandbox and VM ( debugger, check size of the disk, dlls ...). Once this done, this hide for monitoring tool that uses NtQuerySystemInformation method in downloading and executing ProcessHide binaries.
After this kill the security solutions and change the preferences of MSE. This write the persistence by Winlogon key. This download a second binary "PAExec" for spread install the ransomware on the infrastruture and reboot the computer.
After go on safe mode, this try to bruteforce with the current password if haven't the admin rights. If works, add a new admin and use this password for spread the infrastructure. This ping for get the hosts are up by ICMP and ARP scans.
Read 6 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get email notifications when new thread is out from this Author!

Check out other threads from this Author!

Read all threads by @Arkbird_SOLG