
Lazarus group's Brambul worm of the former Wannacry - 2

2020-02-26, Swan
https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2
#Brambul #WannaCry


Malware researcher, Reverse engineer, Digital forensicator.
26 Feb 2020 | Tags: malware, lazarus, north korea, wannacry, worm, english
Continued from [Malware] Lazarus group’s Brambul worm of the former Wannacry - 1
As soon as the second routine starts, three subroutines are called: sub_401ba0, sub_401b30, and sub_401040.
The lsasvc.exe file is created and run as a process; afterwards the shared folder is accessed as admin, as in the first routine.
By adding a value named “WindowsUpdate” under the registry path Software\Microsoft\Windows\CurrentVersion\Run, the process is made to run automatically each time the computer is turned on.
Similar to what it did at the beginning of the program run, the gethostname function gets the user’s name.
After the three subroutines are executed, the GetVersion function is used to get the version of the operating system. I could see that it was classified as “WinNt”, “Win2000”, “WinVista”, “Win2003”, “WinXp”, and “Unkonwn”.
After that, it push …
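The Run-key persistence described above is easy to hunt for in registry telemetry. The following is an added example (not code from the original post): it scans constructed, Sysmon-style "registry value set" lines for autostart entries that match the indicators the write-up names, the value name "WindowsUpdate" and a command pointing at lsasvc.exe. The log format and the sample lines are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Autostart key the worm writes to (path from the write-up); compared case-insensitively.
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
# Value name and dropped executable named in the write-up.
SUSPECT_VALUE = "windowsupdate"
SUSPECT_IMAGE = "lsasvc.exe"

# Constructed, Sysmon-style "RegistryEvent (Value Set)" lines; not real telemetry.
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Windows\explorer.exe TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive Details=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    r"EventID=13 Image=C:\Users\alice\Downloads\invoice.exe TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate Details=C:\Windows\lsasvc.exe",
    r"EventID=13 Image=C:\Windows\System32\svchost.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth Details=C:\Windows\System32\SecurityHealthSystray.exe",
    r"EventID=12 Image=C:\Windows\regedit.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate Details=",
]

EVENT_RE = re.compile(r"EventID=(\d+) Image=(.*?) TargetObject=(.*?) Details=(.*)$")


@dataclass
class Finding:
    value_name: str   # name of the Run-key value that was set
    command: str      # data written to the value (the autostart command)
    writer: str       # process that performed the registry write
    reasons: list     # which indicators from the write-up matched


def _basename(command: str) -> str:
    # Drop arguments, then take the last path component (either slash style).
    exe = command.strip().split(" ")[0].strip('"')
    return re.split(r"[\\/]", exe)[-1].lower()


def scan_run_key_events(lines):
    findings = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m or m.group(1) != "13":
            continue  # only "value set" events create autostart persistence
        _, writer, target, data = m.groups()
        parent_key, _, value_name = target.rpartition("\\")
        if not parent_key.lower().endswith(RUN_KEY):
            continue  # not a Run key; ignore
        reasons = []
        if value_name.lower() == SUSPECT_VALUE:
            reasons.append("value name 'WindowsUpdate' matches the Brambul persistence entry")
        if _basename(data) == SUSPECT_IMAGE:
            reasons.append("autostart command points at lsasvc.exe")
        if reasons:
            findings.append(Finding(value_name, data, writer, reasons))
    return findings
```

Running scan_run_key_events(SAMPLE_EVENTS) flags only the second line, and the writer field tells the analyst which process planted the entry.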