ASEAN Notes.iso Mustang Panda [Malware Analysis]

Malware Analysis Report: ASEAN Notes.iso from Mustang Panda Campaign

Author: Capang
Date: 24-01-2025
Analysis Environment: Windows 10 VM
Associated Campaign: Mustang Panda ASEAN Notes.iso
Ref: https://csirt-cti.net/2024/01/23/stately-taurus-targets-myanmar/

Executive Summary

The ASEAN Notes.iso file is a component of a Mustang Panda campaign targeting entities in Myanmar. The attack leverages DLL sideloading via a hijacked Microsoft GetCurrentRollback.exe process (renamed office.exe) to execute the malicious GetCurrentDeploy.dll. The malware establishes persistence through registry modification and attempts C2 communication with fallback infrastructure. Primary objectives include initial access, persistence, and command execution, with suspected espionage motivations. ...

January 25, 2025 · 4 min

Bubar Parlimen [Malware Analysis]

bubarparlimen.docx is a document with an external template, RemoteLoad.dotm, attached. The template contains a malicious VBA macro that writes PE files, fetches an .exe + .dll pair and executes it on the infected machine. The macro uses base64 encoding and builds the encoded string little by little to avoid suspicion.

2. Case Details

File Name: bubarparlimen.docx
File Size: 214.91 KiB
File Type: Microsoft Office Word(15.0000)
MD5: afbe00e755a2cf963f0eedbb4e310198
SHA1: a55bd3f15ce743c9cda7bec05afe50b9aefa4683
SHA256: ab541df861c6045a17006969dac074a7d300c0a8edd0a5815c8b871b62ecdda7
Created Time: 15/5/2024 11:47:03 PM

File Name: RemoteLoad.dotm
File Size: 23.76 KiB
File Type: Microsoft Office Word(15.0000)
MD5: 8114e5e15d4086843cf33e3fca7c945b
SHA1: 5f7f0b1419448c5fe1a8051ac8cb2cf7b95a3ffa
SHA256: 145daf50aefb7beec32556fd011e10c9eaa71e356649edfce4404409c1e8fa30
Created Time: 15/5/2024 11:52:02 PM

3. Case Specific Requirements

Machine: Windows Environment
Tools: hashmyfiles, olevba, Microsoft Word, CyberChef

4. Static Analysis

4.1 bubarparlimen.docx

bubarparlimen.docx is a .docx file. To go further into the analysis, it is necessary to understand the .docx structure. ...

January 23, 2025 · 11 min