Bumblebee Sample

Bumblebee (Shindig) has been used by TA579 / BazaISO / Exotic Lily / Stolen Images to collect system information and exfiltrate it to a C2. Additional second-stage payloads include Cobalt Strike beacons.

https://bazaar.abuse.ch/sample/70eb84a6bce741ff988116434e4f531a724257185ab92df8fcfa90b3def6568f/

Download zip > .iso file (password protected) > dll/lnk inside. Once the ISO is mounted, the .dll and .lnk are visible.

LNK Analysis

Using LECmd.exe to analyze the LNK file. If on Linux, lnkinfo gives a similar output.
Identify the cloud perimeter of a target. Thanks to colleagues who are smarter than me.

Identify Service

Use OSINT to determine the provider and region your target is located in. Shodan, for example, has a cloud.region filter that lists which region the IP is located in. Some examples:

GCP: us-central1
Azure: northeurope
AWS: us-east-1

Download the corresponding IP ranges based on your target’s provider.
https://analyze.intezer.com/analyses/1832abdc-0212-4f2b-97af-ec69af2e5a92/genetic-analysis
https://www.virustotal.com/gui/file/81c7eef54c852dd68050147f77f937933cbff1c22722617180ca386ef55918ab
SHA256: 81c7eef54c852dd68050147f77f937933cbff1c22722617180ca386ef55918ab

Malicious Word document referencing Minsk Protocol.

Uses macros to download a second-stage payload from a server.

Process Tree

Uses WINWORD to open the file:
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\<USER>\AppData\Local\Temp\<ANALYZED-FILE-NAME>.doc" /q

Runs a PowerShell base64-encoded command (listed below in a VBA macro). A child process from WINWORD launches splwow64:
C:\Windows\splwow64.exe 12288

Details from the file

Using oleid, VBA macros are found. Next is to use olevba to get more information about the VBA and view the macro code.
This guide will serve as a lab for both static and dynamic malware analysis. The dynamic analysis portion will be in its own network that cannot reach out to the host network and vice versa. I have to give credit to c3rb3ru5 because her guide is what taught me about being able to create networks within virtual machines and setting up mitmproxy to capture traffic. It was inspired by her KVM Malware Lab Guide but I had to make some changes due to issues on my end.
Event Triggered Execution: Unix Shell Configuration Modification (T1546.004)

Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix shells execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH), a login shell is initiated. The login shell executes scripts from the system (/etc) and the user’s home directory (~/) to configure the environment.