South Korea Incident - New Malware samples
To be clear, this blog post is only an overview of the various malware samples, not an analysis. All credit therefore goes to the people who provided me with the samples: Chae Jong Bin (MD5 hashes), Artem Baranov (samples), Xylitol (samples).
In the following paragraphs I give some basic information about each of the malware tools (C&C servers, .pdb strings, ...). To tell the tools apart, I named them after their .pdb debug strings, which gives five tools in total:
- Concealment Troy (Backdoor.Prioxer ?)
- Http Dr0pper
- Http Troy
- PDF Exploit
- TDrop
The samples can be found here (ZIP Password = "infected"):
Concealment Troy - https://www.dropbox.com/s/w1892v0hzjgtikw/Concealment%20Troy%20%28Backdoor.Prioxer%29.zip
Http Dr0pper - https://www.dropbox.com/s/fzk9bkn6fk5klab/Http%20Dr0pper.zip
Http Troy - https://www.dropbox.com/s/n6h6vgnoihy59a6/Http%20Troy.zip
PDF Exploit - https://www.dropbox.com/s/lvzj14261bbajkg/PDF%20Exploit.zip
TDrop - https://www.dropbox.com/s/wn5a1jruatpq3x5/TDrop.zip
Parts (of additional packages) - https://www.dropbox.com/s/mqp1bvhuacoakcq/Parts.zip
In my overview the samples of each tool are arranged chronologically by PE timestamp (which looks valid). For each tool I first give information about the initial dropper, followed by a picture showing the various …
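The chronological ordering above relies on the COFF TimeDateStamp in each PE header. The following is an added example, not code from the original post: it reads that field directly from the MZ/PE headers, sorts samples by it, and flags stamps that cannot be trusted for ordering (zero, 0xFFFFFFFF, or later than the date the sample was first seen, since the stamp is under the author's control). The sample headers, the `FIRST_SEEN` value and the file names are constructed for the example and are not real samples from the post.

```python
import struct
from datetime import datetime, timezone


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image (seconds since 1970-01-01 UTC).

    Layout: 'MZ' at offset 0, e_lfanew (offset of 'PE\\0\\0') at 0x3C, and the
    COFF file header directly after the 4-byte signature; TimeDateStamp is the
    DWORD 8 bytes past the signature (offset 4 of the COFF header).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return ts


def timestamp_looks_valid(ts: int, first_seen: int) -> bool:
    """Plausibility check: the stamp is attacker-controlled, so treat zero,
    0xFFFFFFFF (used by reproducible builds) and anything later than the
    date the sample was first seen as unreliable for ordering."""
    return 0 < ts < 0xFFFFFFFF and ts <= first_seen


def build_fake_pe(ts: int) -> bytes:
    """Constructed minimal header (MZ stub + PE signature + COFF header, no
    sections). It is not a real sample and cannot run; it only carries a
    timestamp so the parser has something to read."""
    mz = bytearray(0x40)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 0x40)  # e_lfanew: PE header right after the stub
    # Machine=i386, 0 sections, TimeDateStamp, no symbols, no optional header,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 0, ts, 0, 0, 0, 0x0102)
    return bytes(mz) + b"PE\0\0" + coff


def order_by_timestamp(samples: dict, first_seen: int) -> list:
    """samples: name -> file bytes. Returns (name, 'YYYY-MM-DD HH:MM:SS', plausible)
    tuples, oldest compile time first, the way the post orders each tool's samples."""
    rows = []
    for name, blob in samples.items():
        ts = pe_timestamp(blob)
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        rows.append((name, ts, when, timestamp_looks_valid(ts, first_seen)))
    rows.sort(key=lambda r: r[1])
    return [(name, when, ok) for name, _, when, ok in rows]


# Constructed inputs: an assumed "first seen" date (late March 2013) and three
# fake headers with chosen compile stamps.
FIRST_SEEN = 1363900000
SAMPLES = {
    "dropper_v2.exe": build_fake_pe(1363000000),    # 2013-03-11 11:06:40 UTC
    "dropper_v1.exe": build_fake_pe(1357000000),    # 2013-01-01 00:26:40 UTC
    "forged_stamp.exe": build_fake_pe(1400000000),  # later than first_seen: not trustworthy
}

if __name__ == "__main__":
    for name, when, ok in order_by_timestamp(SAMPLES, FIRST_SEEN):
        print(f"{when}  {name}  {'ok' if ok else 'SUSPECT'}")
```

The plausibility flag is only a sanity check: a stamp that passes it can still be forged, so use it to order samples within a family, not as proof of when a sample was built.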
IoC
028693C655BE9CED65A5FDD419F870C1
0629E207BB9669359C867000EC3A4D9E
0812115B49786BCE91D67556F2413003
0c6663ea04ea2940d6d43e650a877a23
1265957A6C44A23DA14622675C26CE7A
152B264288BCF5DC02222CEE49587B8E
158FD0A1D1AE027B1569ADBEBB2D3E66
1C91B0E3CF2E908F8BA10E7A4C741EB4
2BDD0194B499D694D75FFF5514D53C40
3456f42bba032cff5518a5e5256cc433
3504EEAAFBDBFB7867A24065BF5C8CD0
3B0068227DD0833125956AC62C44E713
417583CB8687C41F336F7D7013B89EC8
41CFFD9DA299AB3C6AD8C04303558303
4249502D550B88D5722DFDDED024756F
42B175E68D3C2D1D8AFE7A4719EC9804
43771061FF9BA8734B35E8E6C73BCCBA
4687A05ABBC463B092A136BAB2B0B8C1
50E03200C3A0BECBF33B3788DAC8CD46
539251E10A1366246514A4E9D96F5750
5FA4DC5D15DF823187FBF1AC8EB64776
61FDACF830D5B51AA22E3F5B40E86763
65D3483E47A196AF7E00BD1C7DF28367
67C341676A795013BE3D8237D1491C23
6A4895F0B647674CB19D31A38EBEC7F4
6f375123f7d8df0f7460845528d9e0a1
758589DF298CD282E904148520C88E98
7EF56A024343BACA47051E3C217BEDBF
7fdcae6d4b26be8ba730647dbaf60123
813D061ABE874C1EEDF907FED6022343
8192CC6512076C16DC35840C9E283C91
854C800489E0F6CFC1E26F4A3BDB1C9B
861DEF06A85F2439A8C80F760D599AAF
8EBA82BE94E87EEA3F456A8908EC287B
8FBC1F3048263AA0D4F56D119198ED04
8f75f32c667c62ebeffa6907efcba3f8
912C43B9671155F239F6652B879025E8
91373B901CA888EC00FD5E0EB44641A2
9674D77DAA86BF4736623F4F4191BFA7
97166E20B921219020CF9B590804AFEA
9B9A0EDD4E8403B14BADD659394AB491
9E26CEFEC658E519376FF8F25280B8B6
A68C7116CF1CC7A1810B1B9555889F5E
AAF3BF7F33CDF71661F367A931626DD6
AB456ACE1530658397DC9A60279D9450
ACE6354688262926F3694EBA0E856F93
B1947B493AAC4055F4CB3E793882A07E
B881C797AF30CAF2519136475F8E9995
B8B96FB1C0B1360FDB3BE2D3ECFF6DA7
C1FB527D87280B128CAC84E61AD107E7
C28F73737E5105ECDC98A73427088C7C
C95CFEC9D538250F94E696138ECD6AB2
D177A29C3D19A9E7DFA9E5FD66C0B8CB
D1782106B81464CE0866772D4F494A87
D6B59967C8E75CF8F85F9FFF9A71EE55
D7E8F73493534BF40CC6DB4D309951AC
DA6422053C1FF233C897E0E17FA80A16
DFABBE5D1F9514D0B7E3CBD1533B9698
E088A1B4F0384BEAA802280D2F11605A
E280ED273E3C8E56A82171E51422DA65
E5CA80611B44971242CE86A5E93E0BB1
EC2FB1C71E58CC1B5C6287C3D1A87463
F0306EF42E300D36C6A331203E67EDF3
F0C4892E5A7EBB7107E906CC3DEEE1D5
F172BB194BAC17A3991D63E130406661
F3A4EC6EB26FDF2104F11A23B32684D3
FA32CFA9A10F78DC0F790E577BEDFDD5
FBB1F08C540997C1C4D817A8269C900A
FBFB61F214B89A7FE01C7FC9321FE51A
a03ae3a480dd17134b04dbc5e62bf57b
c9b65b764985dfd7a11d3faf599c56b8
ebc7741e6e0115c2cf992860a7c7eae7
ec887c65ed4b57ebcd535a3d065ec9eb
http://babcom-h1.bluethunder.co/challenge/inc/challengemember.php
http://delmundo.kr/bbs/login_ok.php
http://dong-a.jp/upload/csv/login_ok.php
http://lawbookcenter.co.kr/shop/temp/goods_list.php
http://nowq.net/rgboard/addon/mb_join.php
http://qitaegyo.com/rgboard/data/mb_join.php
http://solarshade.co.kr/eml/goods_list_ok.php
http://sujewha.com/sms/login_ok.php
http://traveler.foxlink.com/challenge/inc/challengemember.php
http://www.gcglobal.com/challenge/inc/challengemember.php
http://www.hanja-edu.com/bbs/login_ok.php
http://www.pnpdent.com/bbs/send_message_cancel.php
http://www.theumin.net/bbs/login_ok.php
http://www.toneharbor.com/AllplanPG/login_ok.php
http://yaryar.ivyro.net/bbs/send_message_cancel.php
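Two practical points about using the list above: the MD5s are published in mixed case, so they must be normalised before comparison, and the C&C endpoints are PHP scripts under bulletin-board and shop paths on what appear to be third-party web sites, so a detection should match the exact script path rather than the whole host. The code below is an added example, not from the original post; it loads an excerpt of the page's hashes and URLs and runs them over constructed inputs. The proxy log format, the client addresses, the file contents and the extra hash (the MD5 of the literal bytes `abc`, included only so one constructed file can match) are all assumptions for the example.

```python
import hashlib
from urllib.parse import urlsplit

# Excerpt of the page's IoC list, copied as published: MD5s in mixed case,
# C&C URLs with the trailing "|" that the extraction left behind.
IOC_MD5_TEXT = """
028693C655BE9CED65A5FDD419F870C1
3456f42bba032cff5518a5e5256cc433
a03ae3a480dd17134b04dbc5e62bf57b
"""
IOC_URL_TEXT = """
http://delmundo.kr/bbs/login_ok.php|
http://www.pnpdent.com/bbs/send_message_cancel.php|
http://nowq.net/rgboard/addon/mb_join.php|
"""


def load_hashes(text: str) -> set:
    """Lower-case every 32-hex-digit MD5 so a mixed-case list compares correctly;
    anything else on a line is ignored."""
    out = set()
    for line in text.splitlines():
        h = line.strip().lower()
        if len(h) == 32 and all(c in "0123456789abcdef" for c in h):
            out.add(h)
    return out


def url_key(url: str) -> tuple:
    """(host, path) with the host lower-cased and query string dropped: the
    C&C endpoints are individual PHP scripts, so match on the script path,
    not on the domain, which otherwise serves a legitimate site."""
    u = urlsplit(url.strip().rstrip("|"))
    return ((u.hostname or "").lower(), u.path)


def load_urls(text: str) -> set:
    return {url_key(line) for line in text.splitlines() if line.strip()}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def match_files(files: dict, hashes: set) -> list:
    """files: name -> content bytes. Returns the names whose MD5 is on the list."""
    return sorted(name for name, blob in files.items() if md5_hex(blob) in hashes)


def match_proxy_log(lines, urls: set) -> list:
    """Constructed 'time client method url status' lines; returns (client, url)
    for every request to a listed C&C script, regardless of host case or query."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        if url_key(parts[3]) in urls:
            hits.append((parts[1], parts[3]))
    return hits


# Constructed inputs. The upper-case hash appended below is MD5("abc"); it is
# added only so one constructed file can match and is not a real sample hash.
HASHES = load_hashes(IOC_MD5_TEXT + "\n900150983CD24FB0D6963F7D28E17F72\n")
URLS = load_urls(IOC_URL_TEXT)
FILES = {"readme.txt": b"hello", "dropped.tmp": b"abc"}
PROXY_LOG = [
    "1363000001 10.0.0.5 POST http://delmundo.kr/bbs/login_ok.php 200",
    "1363000002 10.0.0.5 GET http://delmundo.kr/index.php 200",   # same host, not a C&C path
    "1363000003 10.0.0.9 POST http://WWW.PNPDENT.COM/bbs/send_message_cancel.php?id=7 200",
]

if __name__ == "__main__":
    print("matching files:", match_files(FILES, HASHES))
    for client, url in match_proxy_log(PROXY_LOG, URLS):
        print("C&C request:", client, url)
```

MD5 is adequate for matching a published hash list, but it says nothing about files that were rebuilt or repacked; the URL match catches those as long as the C&C script stays the same, which is why both checks are worth running.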