# StrangerealIntel/CyberThreatIntel ###### github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Unknown/20-08-19/Malware analysis 20-08 19.md StrangerealIntel ##### 1 contributor # Malware analysis about unknown Chinese APT campaign ## Table of Contents Malware analysis ### Initial vector #### The initial PE extract the fake document and a second PE which create a Run key as persistence, extract the legit ESET 5 RAT and the hijacking dll and shellcode to execute (by folder permissions). Here, we can see the persistence (Run key) for the dropper. ----- #### This detect if the persistence is already pushed and edit the status of key in reedit the key. ----- #### This use the RichEdit function for push the data on the documentused as leur for decoy the victims. ----- ----- #### Once this did, this executes it and waits for the command of the attacker. ### ESET Remote Administrator #### The new PE file is ESET Remote Administrator, we can see the verification of the validation of the certificate. ----- ----- ----- #### This load after the xml configuration for the global parameters on the ESET software, this manage the service of the RAT and the status if need it. All this things prove the utilisation of the legit RAT tool of ESET at the malicious usage by the attackers. ### Hijacking DLL ----- ----- ### After push it in the memory, this protect it with a Virtualprotect. ----- ----- ----- ### We can see all the events on do by the hijacking DLL. Cyber kill chain #### The process graph resume the cyber kill chain used by the attacker. ### Cyber Threat Intel #### The malware is as well-know RAT, PlugX current used since 2012 on the Chinese APT group.The domain used as C2 is based in Canada by the cloud provider GoDaddy. ----- #### The information put in the domain register has a Chinese provenance. ----- #### This operation is done by the Chinese APT group(s) after the visit of the U.S. National Security Advisor in Mongolia about the national security concept. ----- #### The document are a compiled of muliple documents about the national security concept available on the web. ----- #### The others samples are leurs against Jaish group who have recently infiltrate Kashmir. Pakistan and China cooperate against the Jaish Association who have increased since the attack foiled in November 2018 against the Chinese consulate. This infiltration on the Jaish group on the Kashmir has give all the cyberattacks who have analysed and military deployments observed by d-atis between Pakistan, India and China since the last 2 months. ## Indicators Of Compromise (IOC) ##### c3159d4f85ceb84c4a0f7ea9208928e729a30d‐ dda4fead7ec6257c7dd1984763 918de40e8ba7e9c1ba555aa22c8acbfd‐ f77f9c050d5ddcd7bd0e3221195c876f fb3e3d9671bb733fcecd6900def15b9a6b4f36b0a35b‐ dc769b0a69bc5fb7e40d ##### NATIONAL SECURITY CONCEPT OF MONGOLIA.exe DSR & CSR of Special Branch Sind.exe Daily News (19-8-2019)(Soft Copy).lnk ----- ##### 22213496e4613b226f30da3c9f3dd612c9655cd‐ c3fd72bafc3a21d38893879fa c3159d4f85ceb84c4a0f7ea9208928e729a30d‐ dda4fead7ec6257c7dd1984763 a0385659fe284a85d471da0e909bfb‐ b102bfe184b1466912c1cf41844ce4ee4b 9555d2ae685a1606cac0992922cecd7872d‐ d0267c8bf8267a137c5a41a14c32c 9a8880b4495d103ae30f7b0cd77824c25e2adcb‐ d6f616e01798de6defd1bbfef ##### http_dll.dat unsecapp.exe Daily News (19-8-2019)(Soft Copy).doc NATIONAL SECURITY CONCEPT OF MONGOLIA.docx DSR.docx ##### 167.88.180.148 IP C2 www.apple-net.com Domain C2 ## Links #### Original tweet: https://twitter.com/h4ckak/status/1163328926573137922 Links Anyrun: Documents: Ref MITRE ATTACK : PlugX RAT -----