Analysis.md

The campaign of FIN7 group continue

Table of Contents

• Malware analysis
• Cyber kill chain
• Indicators Of Compromise (IOC)
• References MITRE ATT&CK Matrix
• Links
  • Originals Tweets
  • Link Anyrun
  • Documents

Malware analysis

The initial vector is a malicious xls which use a macro for extracts from the strings on the document the js script and execute it.

The first layer of the JS loader is a series of arrays where the second elements are used for giving the second layer of the loader.

The first functions executed in the second layer is encoding the data to send at the C2.

The main sends a pulse to the C2 and wait for the instructions to perform.

The loader performs a discover action for list the DNS host of the list active network cards. This helps to prepare the DNS extraction for sending the data in the C2.

This use after a function for randomizing (4 letters or numbers) the sub part of the URL to domain the contact and the name of file for storage temporary the data in waiting to send it(as tmp file in the disk).

In function of the hard-coded mode in loader, this sends the data via a DNS extraction or via HTTP.

If the target is interesting, the group can perform custom commands and execute a backdoor on the computer. The IP used as C2 rest the same that the samples spotted early September.

IP	Route	ASN	Organization	Country	City	Coordinates
185.231.153.21	185.231.153.0/24	AS48282	VDSINA VDS Hosting	Russia	Moscow	55.7386,37.6068

Cyber kill chain

The process graphs resume all the cyber kill chains used by the attacker.

Indicators Of Compromise (IOC)

List of all the Indicators Of Compromise (IOC)

Indicator	Description
order.xlsb	2ba6709be053eb456c7fbe0c7e19196fefc7fe93afaea1e008c417aa6faeeeb3
umyhpakixg.txt	980b6ec3e3fc3d25af8273e8c85142c551875a472cc900e427b9c4cb87e59d39
e5ac4108d02499fbdb8e04aa8c42c3dd40cc6be02b4ceb12145075c8bd32b790.xls	e5ac4108d02499fbdb8e04aa8c42c3dd40cc6be02b4ceb12145075c8bd32b790
moviedvdpower.com	Domain requested
31.3.232.105	IP requested
185.231.153.21	IP C2
catering_list.xls	73d0b3cdff094bac4f965972a89872a11d60c5a58c0be9652d482808fa6d236e
wcykafy.exe	bd7b57a9303f0156e0737e9768a70f841b222a3e07e1426ecccfffdf2737bfe9
moviedvdpower.com	Domain C2
31.3.232.105	IP C2
8dd588a49d4e2c20a2c97f3726c0d2d85c5f6d402206c1f6dd2b33aea58565fc.exe	8dd588a49d4e2c20a2c97f3726c0d2d85c5f6d402206c1f6dd2b33aea58565fc
8773aeb53d9034dc8de339651e61d8d6ae0a895c4c89b670d501db8dc60cd2d0.dll	8773aeb53d9034dc8de339651e61d8d6ae0a895c4c89b670d501db8dc60cd2d0
DWrite.dll	18cc54e2fbdad5a317b6aeb2e7db3973cc5ffb01bbf810869d79e9cb3bf02bd5
Malware.doc	ee0cb9e6de83f807ccf9c3a02b384c1fb6e59f7de720f1eaf37141bf0487f5e6
Screenshot + payment.doc	75a75224e81423663dd66ce20f845a58d523b0948c9d5cf135d599324512103e
doc1.doc	860a5e83c509ec6615a722cd62ba47a506f115743eeb03cc94b3d2b03cc0ecc0

This can be exported as JSON format Export in JSON

References MITRE ATT&CK Matrix

List of all the references with MITRE ATT&CK Matrix

Enterprise tactics	Technics used	Ref URL
Defense Evasion	Scripting	https://attack.mitre.org/techniques/T1064/
Execution	Scripting	https://attack.mitre.org/techniques/T1064/
Defense Evasion	Install Root Certificate	https://attack.mitre.org/techniques/T1130/
Discovery	Query Registry	https://attack.mitre.org/techniques/T1012/

Links

Original tweet:

• https://twitter.com/Rmy_Reserve/status/1184142117284667393

Links Anyrun:

• e5ac4108d02499fbdb8e04aa8c42c3dd40cc6be02b4ceb12145075c8bd32b790.xls
• order.xlsb

Documents:

• FIN7.5: the infamous cybercrime rig “FIN7” continues its activities
• Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques
• FIN7 JS Backdoor