ROKRAT is Back!!
velocy 2018. 9. 21. 16:22
On September 19, an HWP (Hangul word processor) malicious document titled "7주 신뢰와 배려의 커뮤니케이션" ("7 Weeks of Trust and Considerate Communication") appeared on VirusTotal.
(Author : gichang(기창???), Last Saved By : User1) It looks like someone named gichang wrote it under the account name User1.
The shellcode region below was converted into an executable PE file using gbb.
The payload is split on the MZ signature and written out as two files, "%TEMP%/Dhh01.oju01" and "%TEMP%/Dhh02.oju01".
The dropped file is copied to create "WinUpdate148399843.pif", which is then deleted.
The generated "WinUpdate148399843" file is packed with Themida.
Unpacking the Themida-packed file shows it attempting thread injection …
IoC
3f92afe96b4cfd41f512166c691197b5
41a3e61adf853edaddc999e547a246cc4c173480
51e35a7a4e2c49670ecfba7b55045cfa893aa1459246fa5b23ff0bba91225b76
52976314913289a61282ee1f172a30cce29147ac
6ec89edfffdb221a1edbc9852a9a567a
7a751874ea5f9c95e8f0550a0b93902d
98498b97b7cdce9dd6b1a83057e47bd74dc2be5bb12f42ce505981bff093de73
b3de3f9309b2f320738772353eb724a0782a1fc2c912483c036c303389307e2e
bedc4b9f39dcc0907f8645db1acce59e
e68dca8bbfaf785ff4a9de43d91bbefa02200ed6
eeae06fc31982f992993ef0ff12e2d94981d9bff
f885c37b3368faf2ae11d70e15aa75a641de9357dda038d875fe5513d9841582
https://account.box.com/api/oauth2/authorize
https://api.box.com/oauth2/token
https://api.dropboxapi.com/2/files/delete
https://api.pcloud.com/deletefile
https://api.pcloud.com/getfilelink
https://api.pcloud.com/oauth2_token
https://api.pcloud.com/uploadfile
https://cloud-api.yandex.net/v1/disk/resources/download
https://cloud-api.yandex.net/v1/disk/resources/upload
https://cloud-api.yandex.net/v1/disk/resources
https://content.dropboxapi.com/2/files/downloa
https://content.dropboxapi.com/2/files/upload
https://my.pcloud.com/oauth2/authorize
https://upload.box.com/api/2.0/files/content
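The carving step above (split the blob on the MZ signature, drop the pieces as Dhh01.oju01 and Dhh02.oju01) and the cloud-storage C2 endpoints in the IoC list can be checked with one script. The following is an added example, not the blog author's tooling or any code from the sample: it carves MZ-headed PE images out of a byte blob, only accepting an "MZ" whose e_lfanew actually points at "PE\0\0" so stray MZ bytes in shellcode do not fragment the carve, hashes each image, and flags any of the cloud-storage API hosts from the IoC URLs found inside it. The sample blob, the two minimal PE-shaped images in it, and the output directory are constructed for the demo; the Dhh<NN>.oju01 naming mirrors the dropper but the directory is yours, not %TEMP%.

```python
"""Carve MZ-headed PE images from a blob and scan them for cloud-storage C2 hosts.

Added example (not the blog author's code or the malware's own). The input
blob, the fake PE images and the output directory are constructed for the demo.
"""
import hashlib
import struct
from pathlib import Path

MZ = b"MZ"
PE_SIG = b"PE\0\0"

# Hosts taken from the cloud-storage API URLs in the IoC list. Any of them
# inside a carved PE is worth flagging; a dropper that speaks to all four
# providers is exactly the ROKRAT pattern.
CLOUD_C2_HOSTS = (
    b"api.box.com", b"upload.box.com", b"account.box.com",
    b"api.dropboxapi.com", b"content.dropboxapi.com",
    b"api.pcloud.com", b"my.pcloud.com",
    b"cloud-api.yandex.net",
)


def is_valid_pe(buf: bytes) -> bool:
    """True if buf starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(buf) < 0x40 or buf[:2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == PE_SIG


def carve_pe_images(blob: bytes) -> list[bytes]:
    """Split blob at every MZ signature that heads a real PE image.

    A bare 'MZ' inside shellcode or string data is ignored unless its
    e_lfanew resolves to a PE signature, so the carve does not fragment on noise.
    Each image runs up to the next accepted MZ (or end of blob), which is how the
    dropper ends up with exactly one file per embedded PE.
    """
    starts = []
    pos = blob.find(MZ)
    while pos != -1:
        if is_valid_pe(blob[pos:]):
            starts.append(pos)
        pos = blob.find(MZ, pos + 1)
    images = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(blob)
        images.append(blob[start:end])
    return images


def cloud_hosts_in(image: bytes) -> list[str]:
    """Return the IoC cloud-API hosts that appear as plain strings in the image."""
    return [h.decode() for h in CLOUD_C2_HOSTS if h in image]


def hashes(data: bytes) -> dict[str, str]:
    """md5/sha1/sha256 of a carved image, for matching against the IoC hashes."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def build_fake_pe(payload: bytes) -> bytes:
    """Constructed, non-loadable PE-shaped image: DOS header with e_lfanew=0x40,
    then 'PE\\0\\0' and the payload. Just enough structure for the carver."""
    dos = bytearray(0x40)
    dos[:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + PE_SIG + payload


def carve_to_dir(blob: bytes, out_dir: Path) -> list[Path]:
    """Write each carved image as Dhh<NN>.oju01, mirroring the dropper's names."""
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for n, img in enumerate(carve_pe_images(blob), start=1):
        p = out_dir / f"Dhh{n:02d}.oju01"
        p.write_bytes(img)
        written.append(p)
    return written


# Constructed sample blob: a few shellcode-looking bytes containing a decoy "MZ"
# with no PE header behind it, then two PE images, the second carrying a C2 host.
SAMPLE_BLOB = (
    b"\x55\x8b\xecMZ\x90\x90" + b"\x00" * 20
    + build_fake_pe(b"stage-one loader")
    + build_fake_pe(b"stage-two https://api.pcloud.com/uploadfile")
)

if __name__ == "__main__":
    for i, img in enumerate(carve_pe_images(SAMPLE_BLOB), 1):
        print(i, len(img), hashes(img)["sha256"], cloud_hosts_in(img))
    print(carve_to_dir(SAMPLE_BLOB, Path("carved")))
```

On a real sample, feed the shellcode region extracted from the HWP into carve_pe_images and compare the hashes of each carved image with the MD5/SHA1/SHA256 values above; the decoy-MZ handling matters because raw shellcode routinely contains the two bytes "MZ" without a PE behind them.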