Simple Analysis blog


ROKRAT is Back!!

velocy 2018. 9. 21. 16:22

On September 19, a malicious HWP (Hangul) document titled "7주 신뢰와 배려의 커뮤니케이션" ("Week 7: Communication of Trust and Consideration") appeared on VirusTotal.




(Author: gichang (기창?), Last Saved By: User1) It looks like someone named Gichang wrote the document under the account name User1.





The shellcode region below is converted into an executable PE file using gbb.




The payload is split at its MZ signatures and written out as two files, "%TEMP%/Dhh01.oju01" and "%TEMP%/Dhh02.oju01".
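To pull those embedded executables out of the decoded shellcode region during analysis, a carver can locate MZ headers, validate the PE header at e_lfanew and size each image from its section table. This is an added example, not code from the post or from the malware; the sample blob it scans is constructed.

```python
import struct

# Carver for PE images embedded in a decoded shellcode blob: scans for "MZ",
# validates the "PE\0\0" header at e_lfanew, and sizes each image from its
# section table. Added example, not code from the original post; SAMPLE below
# is constructed and is not the analysed HWP payload.

def _pe_size(blob, off):
    """Return the on-disk length of a PE image starting at off, or 0 if invalid."""
    if blob[off:off + 2] != b"MZ" or off + 0x40 > len(blob):
        return 0
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew < 0x40 or pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return 0
    nsections = struct.unpack_from("<H", blob, pe + 6)[0]
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]
    sect = pe + 24 + opt_size                 # first IMAGE_SECTION_HEADER
    end = sect + nsections * 40               # headers end here at minimum
    if end > len(blob):
        return 0
    for i in range(nsections):                # SizeOfRawData, PointerToRawData
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sect + i * 40 + 16)
        end = max(end, off + raw_ptr + raw_size)
    return end - off if end <= len(blob) else 0

def carve_pe(blob):
    """Return [(offset, image_bytes)] for every valid PE image found in blob."""
    found, pos = [], blob.find(b"MZ")
    while pos != -1:
        size = _pe_size(blob, pos)
        if size:
            found.append((pos, blob[pos:pos + size]))
            pos = blob.find(b"MZ", pos + size)  # resume after this image
        else:
            pos = blob.find(b"MZ", pos + 1)     # stray "MZ" bytes, keep scanning
    return found

def _tiny_pe(payload):
    """Build a minimal, non-runnable PE with one section holding payload (test data)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt_size = 0xE0
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    hdr_len = len(dos) + len(coff) + opt_size + 40
    sect = b".text\0\0\0" + struct.pack("<IIII", len(payload), 0x1000, len(payload), hdr_len)
    return dos + coff + opt + sect.ljust(40, b"\0") + payload

# Constructed stand-in for the shellcode region: a stray "MZ", then two PE images.
SAMPLE = b"\xe8MZ\x90\x90\x90\x90\x90" + _tiny_pe(b"first stage") + b"\x90" * 8 + _tiny_pe(b"second stage")
```

Writing each returned image to disk gives the same two-file split the dropper performs, ready for a PE parser.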




The generated file is copied to create "WinUpdate148399843.pif", after which it is deleted.




The generated "WinUpdate148399843" file is packed with Themida.




After unpacking the Themida-packed file, it can be seen attempting thread injection.




The thread-injected payload has anti-debugging and anti-sandbox capabilities.





When it detects a VM environment, it overwrites the MBR of the infected PC with "FAAAA...Sad...".






It requests a .jpg file download, using pCloud, Dropbox and Yandex.


(The C&C server is currently down.)




Collects the infected PC's ComputerName and UserName, and uses SMBIOS to determine the computer type.




Enumerates the file list on the infected PC.




Enumerates the running processes on the infected PC.




Captures the infected PC's current screen and saves it.




Attempts to upload to the C&C.







[C&C]

token : VdZhAhd9YXAAAAAAAAAACQaGEx0mpQnzlWKtxGGNveuPx0XtDTzynRk4fnra1-9E


https://api[.]box[.]com/oauth2/token

https://api[.]box[.]com/2[.]0/folders/%s/items

https://api[.]box[.]com/2[.]0/files/%s/content

https://api[.]box[.]com/2[.]0/files/%s/trash

https://api[.]box[.]com/2[.]0/folders/%s

https://account[.]box[.]com/api/oauth2/authorize

https://upload[.]box[.]com/api/2[.]0/files/content

https://api[.]dropboxapi[.]com/2/files/delete

https://content[.]dropboxapi[.]com/2/files/upload

https://content[.]dropboxapi[.]com/2/files/downloa

https://api[.]pcloud[.]com/oauth2_token

https://my[.]pcloud[.]com/oauth2/authorize

https://api[.]pcloud[.]com/uploadfile?path=%s&filename=%s&nop

https://api[.]pcloud[.]com/getfilelink?path=%s&forcedownload=

https://api[.]pcloud[.]com/deletefile?path=%s

https://cloud-api[.]yandex[.]net/v1/disk/resources?path=%s&pe

https://cloud-api[.]yandex[.]net/v1/disk/resources/upload?pat

https://cloud-api[.]yandex[.]net/v1/disk/resources/download?p
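The endpoints above are legitimate cloud-storage APIs, so network detection has to key on the specific OAuth, upload and delete paths rather than block the providers outright. The triage helper below, an added example that is not part of the original post, matches constructed proxy-log lines against those paths and groups hits per source host; the log format and the hosts in it are assumptions.

```python
import re
from collections import defaultdict

# Flags proxy-log requests to the cloud-storage API endpoints the sample uses
# for C&C (Box, Dropbox, pCloud, Yandex Disk). Added example, not code from the
# original post; the log format and SAMPLE_LOG below are constructed.

# Host and path patterns derived from the endpoint strings recovered from the sample.
C2_ENDPOINTS = {
    "api.box.com":            [r"^/oauth2/token", r"^/2\.0/(folders|files)/"],
    "upload.box.com":         [r"^/api/2\.0/files/content"],
    "api.dropboxapi.com":     [r"^/2/files/delete"],
    "content.dropboxapi.com": [r"^/2/files/(upload|download)"],
    "api.pcloud.com":         [r"^/oauth2_token", r"^/(uploadfile|getfilelink|deletefile)\b"],
    "cloud-api.yandex.net":   [r"^/v1/disk/resources"],
}

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) https?://(?P<host>[^/ ]+)(?P<path>\S*)")

def classify(line):
    """Return (src, host, path) if the line is a request to a known C&C endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, path = m["host"].lower(), m["path"] or "/"
    if any(re.match(p, path) for p in C2_ENDPOINTS.get(host, [])):
        return m["src"], host, path
    return None

def triage(lines):
    """Group flagged requests per source host; one host touching several providers is the stronger signal."""
    hits = defaultdict(list)
    for line in lines:
        r = classify(line)
        if r:
            hits[r[0]].append((r[1], r[2]))
    return dict(hits)

# Constructed log lines: "<timestamp> <source-ip> <method> <url>".
SAMPLE_LOG = """\
2018-09-19T10:01:02Z 10.0.0.15 POST https://api.pcloud.com/oauth2_token
2018-09-19T10:01:03Z 10.0.0.15 GET https://api.pcloud.com/uploadfile?path=%2F&filename=scr.jpg
2018-09-19T10:01:05Z 10.0.0.15 POST https://content.dropboxapi.com/2/files/upload
2018-09-19T10:01:07Z 10.0.0.21 GET https://www.dropbox.com/home
2018-09-19T10:01:09Z 10.0.0.21 GET https://cloud-api.yandex.net/v1/disk/resources/upload?path=x
""".splitlines()
```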




[IOC]


[HWP File]

Author : gichang

Last Saved By : User1

Create Time/Date : 2014-02-26 13:45:17.799000 (UTC)

Last Saved Time/Date : 2018-08-29 00:22:26.729000 (UTC)

MD5 : 3f92afe96b4cfd41f512166c691197b5

SHA-1: eeae06fc31982f992993ef0ff12e2d94981d9bff

SHA-256: 51e35a7a4e2c49670ecfba7b55045cfa893aa1459246fa5b23ff0bba91225b76


[Decoded File (Themida)]

Filename : %APPDATA%\WinUpdate148399843

TimeStamp : 2018-08-28 01:22:27 (UTC)

MD5: 6ec89edfffdb221a1edbc9852a9a567a

SHA-1: 52976314913289a61282ee1f172a30cce29147ac

SHA-256: 98498b97b7cdce9dd6b1a83057e47bd74dc2be5bb12f42ce505981bff093de73


[Injection File]

TimeStamp : 2018-08-28 01:13:58 (UTC)

MD5: 7a751874ea5f9c95e8f0550a0b93902d

SHA-1: 41a3e61adf853edaddc999e547a246cc4c173480

SHA-256: f885c37b3368faf2ae11d70e15aa75a641de9357dda038d875fe5513d9841582






[Appendix]


As of the time of writing, VirusTotal does not detect the HWP file above (Detection 0/58).




Like the earlier ROKRAT malware that used OLE objects, this sample retrieves PC information via SMBIOS, targets the same DLL files in its anti-sandbox checks, and uses similar servers and header values when sending packets.


 - VdZhAhd9YXAAAAAAAAAACQaGEx0mpQnzlWKtxGGNveuPx0XtDTzynRk4fnra1-9E



In addition, a BinDiff comparison showed that most functions match or are similar, and comparing the functions that carry out the main behavior shows they are very similar apart from some added portions.




[Added 2018.11.16]

alyac currently refers to this case as Operation KoreanSword.




[Compare rokrat]

MD5 : bedc4b9f39dcc0907f8645db1acce59e

SHA-1 : e68dca8bbfaf785ff4a9de43d91bbefa02200ed6

SHA-256 : b3de3f9309b2f320738772353eb724a0782a1fc2c912483c036c303389307e2e




Thanks to kino, savNi


Copyright 2018. (YEJUN KIM) all rights reserved.
Copyright 2018. (YEJUN KIM) All pictures cannot be copied without permission.
