KimJongRAT/stealer malware analysis
Public document

General information
Sequence number: 003
Version: 1.0
State: Final
Approved by: Paul Rascagnères
Approval date: 10/06/2013
Classification: Public

Type: Project
Title: KimJongRAT/stealer malware analysis
Classification: Public document

History
Version   Date         Author           Modifications
0.1       07/06/2013   P. Rascagnères   Document creation
0.2       08/06/2013   M. Morin         Review and correction
0.3       08/06/2013   P. Rascagnères   Document update
1.0       10/06/2013   P. Rascagnères   Document finalisation

Ref. RAP003_KimJongRAT-Stealer_Analysis.1.0
Version 1.0
Page 2 of 36
Table of contents
1 Introduction ... 5
1.1 Context ... 5
1.2 Objectives ... 5
1.3 Authors ... 5
1.4 Document structure ... 6
2 Analysis of the .pdf file ... 7
2.1 Description ... 7
2.2 Analysis ... 7
3 Sysninit.ocx analysis ... 10
3.1 Description ... 10
3.2 Function: ShellExploit ... 12
3.2.1 Persistence: resource manipulation ... 12
3.2.2 Persistence: file creation ... 13
3.3 Function: PDFShow ... 15
3.4 Function: InitHidden ... 16
3.5 Function: InjectDLL ... 16
3.6 IAT Hook: zwQueryDirectoryFile ... 17
4 Binary (.exe) launcher ... 20
4.1 Description ... 20
4.2 Analysis ... 20
4.2.1 Obfuscation ... 21
4.2.2 Injection of the .dll ... 22
4.2.3 VirtualBox detection ... 24
5 C&C communication ... 25
5.1 Introduction ... 25
5.2 First Command & Control ... 25
5.3 Second Command & Control ... 26
6 Synthesis schema ... 28
6.1 Exploit and files deployment ... 28
6.2 Starting of the malware ... 29
6.3 Communication to the Commands and Control ... 30
7 Conclusion ... 31
Appendix …
IoC