lazarusholic

Everyday is lazarus.dayβ

Internals of Lazarus Operation Dream Job

2021-01-28, 0xthreatintel
http://web.archive.org/web/20210211220808/https://0xthreatintel.medium.com/internals-of-lazarus-operation-dream-job-7ced9fc7da3e
#DreamJob #LCPDot

Jan 27·7 min read

Reverse Engineering Torisma and LCPDot Malware.

In this blog, I will be reversing two malware samples from the Lazarus group's (aka Unit 180 / Hidden Cobra) "Operation Dream Job" campaign: Torisma and LCPDot.

Torisma Internals
Static Analysis (Basic)
File Information:

It’s a 64-bit malware sample.

File Information of Torisma Sample.
This is the sample unpacked from the original (packed) sample.
Here’s the view of unpacked vs packed Torisma Sample.
Before reversing, we unpacked the Torisma sample.

Static Analysis (Advanced)
To start the advanced static analysis, let's look at the exports. There is only one exported function.

Exports of Torisma.
For reversing and convenience, I renamed the “DllEntryMain” function …
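The basic static triage described above (64-bit check, packed vs unpacked, a single export) can be reproduced with a few dozen lines of standard-library Python. The script below is an added example, not code from the original post or from the Torisma analysis: it parses the PE headers to report bitness, computes per-section Shannon entropy as a packing hint, and walks the export directory to list exported names. The DLL bytes it builds are a constructed skeleton for demonstration only (not Torisma); the export name DllEntryMain follows the post, and the 7.0 entropy threshold is an assumed rule of thumb.

```python
"""Added PE triage helper (not from the post): bitness, per-section entropy
(a packing hint) and exported names, using only the standard library."""
import math
import struct
from collections import Counter

PE32_MAGIC = 0x10B       # 32-bit optional header
PE32PLUS_MAGIC = 0x20B   # 64-bit optional header


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: values near 8.0 suggest packed/encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes, coff: int) -> list:
    """Walk the section table that follows the optional header."""
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        o = table + 40 * i
        name = pe[o:o + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, o + 8)
        sections.append({"name": name, "va": va, "vsize": vsize,
                         "raw": rawptr, "rawsize": rawsize})
    return sections


def rva_to_offset(sections: list, rva: int) -> int:
    """Map a relative virtual address to a file offset via the owning section."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["raw"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def triage(pe: bytes) -> dict:
    """Return bitness, section entropies, a packing verdict and export names."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    bits = 64 if magic == PE32PLUS_MAGIC else 32
    # Data directories start at +112 (PE32+) or +96 (PE32); entry 0 is the export table.
    export_rva = struct.unpack_from("<I", pe, opt + (112 if bits == 64 else 96))[0]
    sections = parse_sections(pe, coff)
    exports = []
    if export_rva:
        e = rva_to_offset(sections, export_rva)
        num_names = struct.unpack_from("<I", pe, e + 24)[0]
        names = rva_to_offset(sections, struct.unpack_from("<I", pe, e + 32)[0])
        for i in range(num_names):
            name_rva = struct.unpack_from("<I", pe, names + 4 * i)[0]
            off = rva_to_offset(sections, name_rva)
            exports.append(pe[off:pe.index(b"\0", off)].decode("ascii", "replace"))
    entropy = {s["name"]: round(shannon_entropy(pe[s["raw"]:s["raw"] + s["rawsize"]]), 2)
               for s in sections}
    return {"bits": bits, "sections": entropy, "exports": exports,
            "likely_packed": any(v > 7.0 for v in entropy.values())}  # assumed threshold


def build_sample_dll(packed: bool = False) -> bytes:
    """Constructed 64-bit DLL skeleton exporting 'DllEntryMain' (test input, not a real binary)."""
    sec_va, sec_raw, sec_size = 0x1000, 0x200, 0x400
    name = b"DllEntryMain\0"
    export_dir = struct.pack("<IIHHIIIIIII",
                             0, 0, 0, 0,               # Characteristics, TimeDateStamp, versions
                             sec_va + 44 + len(name),  # Name RVA (the DLL's own name string)
                             1, 1, 1,                  # Base, NumberOfFunctions, NumberOfNames
                             0,                        # AddressOfFunctions (not read by triage)
                             sec_va + 40,              # AddressOfNames -> one pointer at +40
                             0)                        # AddressOfNameOrdinals (not read by triage)
    body = export_dir + struct.pack("<I", sec_va + 44) + name + b"sample.dll\0"
    filler = sec_size - len(body)
    # A cycling byte pattern stands in for high-entropy compressed/encrypted payload data.
    pad = (bytes(range(256)) * (filler // 256 + 1))[:filler] if packed else b"\0" * filler
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # AMD64, 1 section, DLL
    optional = (struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * 106 + struct.pack("<I", 16)
                + struct.pack("<II", sec_va, len(body)) + b"\0" * 120)
    section = (b".edata\0\0" + struct.pack("<IIII", sec_size, sec_va, sec_size, sec_raw)
               + struct.pack("<IIHHI", 0, 0, 0, 0, 0x40000040))
    headers = dos + b"PE\0\0" + coff + optional + section
    return headers + b"\0" * (sec_raw - len(headers)) + body + pad


if __name__ == "__main__":
    for packed in (False, True):
        print("packed" if packed else "unpacked", triage(build_sample_dll(packed)))
```

Run against a real sample with `triage(open(path, "rb").read())`; a section that scores near 8.0 bits per byte is the usual sign that the file you have is still the packed stage and needs unpacking before the export table and imports mean anything, which is exactly why the post works from the unpacked Torisma sample.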