
Analysing Milan.exe. What I Discovered!!! - Programming - Nairaland


Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:31pm On Dec 18, 2021
Disclaimer: The purpose of this thread is to document my experience, and it is meant for educational purposes. I am not liable for any misuse of this information.

Some months back, ngCERT made public a known threat/malware targeting telcos and ISPs.
https://nairaland.com/6851878/iranian-hackers-targeting-telcos-nigeria/
These malware are Shark.exe (.NET) and Milan.exe, together known as James.

During the time the news was made public, I had not really polished my analysis and reverse engineering skills.

During the past few days I set up my lab to be part honeypot and part analysis lab. Yesterday I got a sample of milan.exe (although the actual name on my lab is MsNpENg).

What I did was to get a feel of what the sample really is.
Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:32pm On Dec 18, 2021
1st Step: I got the cryptographic hash of the malware sample.
Re: Analysing Milan.exe. What I Discovered!!! by ahmthankgod(m): 9:34pm On Dec 18, 2021
Cool... When I'm done with this language I'm going to create a virus, particularly because of a bank
Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:35pm On Dec 18, 2021
2nd Step: Downloaded tools to aid analysis and RE.
1st Image: Download RegShot for Dynamic Analysis
2nd Image: Download ProcDOT for Dynamic Analysis
3rd Image: Download FakeNet-NG to intercept C2C traffic that might be used by the malware.

Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:36pm On Dec 18, 2021
ahmthankgod:
Cool... When I'm done with this language I'm going to create a virus, particularly because of a bank
I won't really advise that. Once you are tracked, INTERPOL will come for you.

ahmthankgod:
That's why I said when I'm done, I mean fully done (expert); at that time I could implement so many features
Do what ticks you, sir.
Re: Analysing Milan.exe. What I Discovered!!! by ahmthankgod(m): 9:40pm On Dec 18, 2021
olioxx:
I won't really advise that. Once you are tracked, INTERPOL will come for you.
That's why I said when I'm done, I mean fully done (expert); at that time I could implement so many features
Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:41pm On Dec 18, 2021
3rd Step: I performed some static analysis on the malware. I discovered a lot.
From PEStudio I understood that the malware was actually written in C++ as against .NET. So milan.exe is a C++ executable.
Secondly, I discovered that the malware was released on May 18 2021 by the Lyceum APT.
Detect It Easy presented me with similar information.

Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:43pm On Dec 18, 2021
4th Step: I found the pdb path of the malware on a typical Windows OS.
And the pdb path is .....
Error lol

Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:48pm On Dec 18, 2021
5th Step: Could this be the browser user agent the malware uses to establish external connections?
Well, I noted it as well.....

Okay, so I am done with everything static analysis; by tomorrow I'll dynamically analyze the sample to figure out the C2C servers/domain and then any filesystem changes associated with the malware.


Re: Analysing Milan.exe. What I Discovered!!! by LikeAking: 11:45am On Dec 20, 2021
Chai!

What's all this for?

Stop suffering ur sef.
Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 11:54am On Dec 20, 2021
Finally, I completed the analysis today (Dec 20th).
I found out some filesystem activity and, more importantly, the C2C servers used.
I was surprised to find that some of the servers used are located in Nigeria.
I think these might be VPN-enabled servers (I presume).
Tools Used
Process Hacker, Process Monitor, Wireshark, CMD
Edited
My reverse engineering process was kind of easy as a lot of researchers had already looked into the sample, so I connected with them via Twitter to fast-track my analysis process, but my main ish is to figure out the servers located in Nigeria.

Later in the day I'll drop my findings here.
Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 11:55am On Dec 20, 2021
LikeAking:
Chai!

What's all this for?

Stop suffering ur sef.


When something does not concern you, learn to waka pass. It helps to mind one's business.
Have a good day.
Re: Analysing Milan.exe. What I Discovered!!! by Fabulouslouie(m): 1:58pm On Dec 20, 2021
waiting for your findings
Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:14pm On Dec 20, 2021
My two main reasons for embarking on the dynamic analysis of the malware are to find out how the file system changes over time and to find out what the server/domain is.
5th Step: I fired up Process Hacker (to do a cover-up background check) and Process Monitor (to mainly monitor processes and events on my lab machine). As usual I was greeted with over 2 million events, but of particular note is the fact that the malware tries to activate CMD (Command Prompt).
1st Image: Process Monitor (filtering for process)
2nd Image: Process Monitor (filtering for TCP connection)
Although I later used Wireshark to monitor and track outbound connections, at the end of the day VirusTotal gave me digestible information.

After a while playing around in Process Monitor, I took a detour to check out some registry samples other researchers found, and I found quite a lot.
3rd Image: The registry samples from other research work.

Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:22pm On Dec 20, 2021
6th Step: Finding out the C2C is very important.
For this, Wireshark came to the rescue; I found out some IP addresses (lol) and also the server names.
In fact the names were even available in the strings output of the executable, which I checked for cross-validation.
And the server names are ....
1st Image: Server name (actually my analysis shows 2 known server names for this malware)
Armed with this information, I went to VT to check out these domain names and voila, they are truly malicious.
2nd and 3rd Image: VT shows site as malicious

Okay, progressing, I went to check out the IP addresses associated with these domain names.
4th Image: IP addresses of these domain names
The reason for getting the IP addresses is to ensure that the Incident Response team can effectively block connections to such IP addresses using a firewall.
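The hashing in the 1st step and the strings cross-check in this 6th step, as an added example that is not part of the original post: the sample bytes, the user agent, the PDB path, the command line and the domain below are all constructed stand-ins, not values from Milan.exe.

```python
import hashlib
import re
from typing import Dict, List

# Constructed stand-in for a sample: an MZ/PE-like header with embedded strings.
# These bytes and values are assumptions for the demo, not the real Milan.exe.
SAMPLE_BYTES = (
    b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00\x01" * 8
    + b"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\x00"
    + b"cmd.exe /c ver\x00"
    + b"C:\\Users\\dev\\project\\Release\\agent.pdb\x00"
    + b"updates.example-c2.test\x00"
    + b"\x7f\xff\x01\x02"
)

def sha256_hex(data: bytes) -> str:
    """Cryptographic hash that identifies the sample (the thread's 1st step)."""
    return hashlib.sha256(data).hexdigest()

def extract_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Printable ASCII runs, the same thing a 'strings' tool prints."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]

DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
def classify(strings: List[str]) -> Dict[str, List[str]]:
    """Bucket strings into the indicator types the thread looked for."""
    found: Dict[str, List[str]] = {"user_agent": [], "pdb_path": [], "cmd": [], "domain": []}
    for s in strings:
        low = s.lower()
        if low.startswith("mozilla/"):
            found["user_agent"].append(s)
        elif low.endswith(".pdb"):
            found["pdb_path"].append(s)
        elif "cmd.exe" in low:
            found["cmd"].append(s)
        elif DOMAIN_RE.match(s):
            found["domain"].append(s)
    return found

def triage(data: bytes) -> Dict[str, object]:
    """Hash plus classified strings: the static-analysis summary for one sample."""
    report: Dict[str, object] = {"sha256": sha256_hex(data), "size": len(data)}
    report.update(classify(extract_strings(data)))
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE_BYTES).items():
        print(f"{key}: {value}")
```

Run it against a real file by replacing SAMPLE_BYTES with the file's contents; the domain bucket is what you then cross-check against the Wireshark capture.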

Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:27pm On Dec 20, 2021
1st Image: IP address of the other domain name.

Summary
1. I found out the PDB path of the milan.exe malware on a typical Windows operating system.
2. Found out a lot of useful metadata about the malware, like the creation date, obfuscation info etc.
3. Found out the known browser user agent the malware might utilize to establish external connections.
4. Found out that the malware source code contains some hardcoded CMD commands; one of these is that the malware fires up CMD.
5. Found out domain names and IP addresses associated with the malware; these can be used for Incident Response.
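How an Incident Response team can put the domain names and IP addresses from point 5 to use before the firewall block is in place, as an added example that is not part of the original post: the blocklist entries and the firewall/DNS log lines below are constructed (documentation ranges and reserved names), not the indicators from the analysis.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed blocklist standing in for the domains and IPs the analysis produced
# (the real indicators are not reproduced here; these are documentation ranges).
BLOCKED_DOMAINS = {"updates.example-c2.test", "cdn.example-c2.test"}
BLOCKED_NETS = [ipaddress.ip_network("198.51.100.0/24"),
                ipaddress.ip_network("203.0.113.7/32")]

# Constructed log lines: Windows Firewall pfirewall.log-style records plus
# simplified DNS client query lines, all assumed for the demo.
SAMPLE_LOG = """\
2021-12-20 21:22:01 ALLOW TCP 10.0.0.5 198.51.100.23 51234 443 0 - 0 0 0 - - - SEND
2021-12-20 21:22:02 ALLOW TCP 10.0.0.5 93.184.216.34 51235 443 0 - 0 0 0 - - - SEND
2021-12-20 21:22:03 DNS QUERY 10.0.0.5 cdn.EXAMPLE-c2.test A
2021-12-20 21:22:04 DNS QUERY 10.0.0.5 www.example.org A
2021-12-20 21:22:05 ALLOW UDP 10.0.0.5 203.0.113.7 51236 53 0 - 0 0 0 - - - SEND
"""

FW_RE = re.compile(r"^(\S+ \S+) (ALLOW|DROP) (TCP|UDP) (\S+) (\S+) (\d+) (\d+)")
DNS_RE = re.compile(r"^(\S+ \S+) DNS QUERY (\S+) (\S+) ")

def ip_blocked(ip: str) -> bool:
    """True if the destination falls inside any blocked network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETS)

def domain_blocked(name: str) -> bool:
    """Match the blocked domain itself or any subdomain, case-insensitively."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in BLOCKED_DOMAINS)

def scan(log_text: str) -> List[Dict[str, str]]:
    """One hit per line whose destination IP or queried name is on the blocklist."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if m and ip_blocked(m.group(5)):
            hits.append({"time": m.group(1), "src": m.group(4),
                         "indicator": m.group(5), "kind": "ip"})
            continue
        m = DNS_RE.match(line)
        if m and domain_blocked(m.group(3)):
            hits.append({"time": m.group(1), "src": m.group(2),
                         "indicator": m.group(3), "kind": "domain"})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Each hit names the internal source host, which is the machine to isolate and re-image, not just the destination to block.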

Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:36pm On Dec 20, 2021
The file size of the malware is 964kb, so I made sure not to waste unnecessary time as this malware can be really tricky.
In fact the malware has some methods it uses to check if it has made an external connection.
So right now I'll try to use the MITRE ATT&CK Framework to describe the malware.
MITRE ATT&CK FRAMEWORK:
Resource Development: Acquire Infrastructure (T1583). The Lyceum APT acquires servers to launch their attacks.
Command and Control: Application Layer Protocol: DNS (Domain Name Server) (T1071). The Lyceum APT used DNS for their C2C servers. (lol)
Persistence: Scheduled Task (T1053). I am very sure that the milan.exe file has a persistence mechanism embedded; since this is a coordinated attack, the Lyceum APT will want their payload to have some level of persistence. This might be that the program executes upon system startup or at certain time intervals.

Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:54pm On Dec 20, 2021
Considering the fact that I am not running a Windows Server OS, I can't really make changes to the Windows Group Policy Object, as this is enabled in Windows Server.
At some later time I'll post on how to make Windows Server secure using the information we've gathered.


Re: Analysing Milan.exe. What I Discovered!!! by Dangrace01: 2:34pm On Dec 21, 2021
My laptop was affected with neer virus; can you remove it, sir?
Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 8:31pm On Dec 21, 2021
Dangrace01:
My laptop was affected with neer virus; can you remove it, sir?
I can give recommendations on how to recover your laptop back to a good state.
1st: Since I don't know the severity of the virus on your laptop, I would suggest you use anti-virus software to kill the virus. I don't know your budget, but I would recommend Avast Antivirus. The link is here: https://www.avast.com/free-antivirus-download#
2nd: You might choose to reinstall a new operating system. The newest Windows 10 .iso file is 5.4GB (approximately), while the Linux .iso (Ubuntu distro) is 2.7GB (approx.)
Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:24pm On Dec 21, 2021
olioxx:
Considering the fact that I am not running a Windows Server OS, I can't really make changes to the Windows Group Policy Object, as this is enabled in Windows Server.
At some later time I'll post on how to make Windows Server secure using the information we've gathered.
How to configure Group Policy Management on Windows Server 2019
GPM must be installed on Windows Server 2019 before usage.
1. Press Windows key + R; in the console that pops up, type in "servermanager".
2. Once Server Manager is opened, click on the "Add roles and features" button.
To continue the installation process, this article appears to be very useful. https://www.hammer-software.com/how-to-install-the-group-policy-management-console-tools-gpmc-on-a-windows-server-2019/

Once GPM is installed, there are 2 main ways to protect the server using GPMC (Group Policy Management Console):
1. Blocking file execution based on its cryptographic hash
2. Utilizing DNAME records to block malicious DNS and instead route to a legitimate site.

Blocking file execution based on its cryptographic hash:
1. Once GPMC is opened, right click on the local domain of the server.
2. Click the "Create a GPO in this domain, and Link it here ..." button.
3. In the new console that appears, name the GPO according to your choice of words. Click OK.
4. Right click the new GPO created, and then select "Edit". This will open a settings panel.
5. Still in the same GPO we earlier created, go to Computer Configuration > Policies > Windows Settings > Security Settings > Additional Rules; right click on Additional Rules and click the "New Hash Rule" button.
(At this point, the file you want to block from execution must reside on your local machine)
6. Click the "Browse ..." button to select the file whose execution you want to block.
7. Under the Security Level drop-down option, select "Disallowed".
8. Click the "Apply" button at the bottom right corner.
9. Finally, click OK.
In future, once that malicious file is double clicked, Windows Security will notify the user that the file has been blocked from executing.

Utilizing DNAME record
1. Still in the newly created GPO, go to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall
From this point a system administrator should be able to effectively blacklist certain domain names.
Re: Analysing Milan.exe. What I Discovered!!! by InfinityFabric: 9:14am On Dec 23, 2021
Dangrace01:
My laptop was affected with neer virus can you remove it sir?
There's Kaspersky and Bitdefender Virus Removal Tool.
Also check to see if there are strange programs in your startup. You'll see this in Task Manager in Windows 8 and above.

And also start learning how to install Linux, for God's sake.
