AR20-045G: MAR-10135536-8.v3 – North Korean Trojan: HOPLIGHT

Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners, DHS, FBI, and DoD identified Trojan malware variants used by the North Korean government. This malware variant has been identified as HOPLIGHT. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https[:]//www[.]us-cert.gov/hiddencobra.

DHS, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

This report provides analysis of twenty malicious executable files. Sixteen of these files are proxy applications that mask traffic between the malware and the remote operators. The proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors. One file contains a public SSL certificate and the payload of the file appears to be encoded with a password or key. The remaining file does not contain any of the public SSL certificates, but attempts outbound connections and drops four files. The dropped files primarily contain IP addresses and SSL certificates.

For a downloadable copy of IOCs, see MAR-10135536-8.v3.stix.

Submitted Files (20)

05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461 (23E27E5482E3F55BF828DAB8855690…)

0608e411348905145a267a9beaf5cd3527f11f95c4afde4c45998f066f418571 (34E56056E5741F33D823859E77235E…)

084b21bc32ee19af98f85aee8204a148032ce7eabef668481b919195dd62b319 (170A55F7C0448F1741E60B01DCEC9C…)

12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d (868036E102DF4CE414B0E6700825B3…)

1a01b8a4c505db70f9e199337ce7f497b3dd42f25ad06487e29385580bca3676 (07D2B057D2385A4CDF413E8D342305…)

2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525 (5C3898AC7670DA30CF0B22075F3E8E…)

32ec329301aa4547b4ef4800159940feb950785f1ab68d85a14d363e0ff2bc11 (38FC56965DCCD18F39F8A945F6EBC4…)

4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761 (42682D4A78FE5C2EDA988185A34463…)

4c372df691fc699552f81c3d3937729f1dde2a2393f36c92ccc2bd2a033a0818 (C5DC53A540ABE95E02008A04A0D56D…)

70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3 (61E3571B8D9B2E9CCFADC3DDE10FB6…)

73dcb7639c1f81d3f7c4931d32787bdf07bd98550888c4b29b1058b2d5a7ca33 (3EDCE4D49A2F31B8BA9BAD0B8EF549…)

83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a (3021B9EF74c&BDDF59656A035F94FD…)

8a1d57ee05d29a730864299376b830a7e127f089e500e148d96d0868b7c5b520 (5C0C1B4C3B1CFD455AC05ACE994AED…)

b05aae59b3c1d024b19c88448811debef1eada2f51761a5c41e70da3db7615a9 (2FF1688FE866EC2871169197F9D469…)

b9a26a569257fbe02c10d3735587f10ee58e4281dba43474dbdef4ace8ea7101 (2A791769AA73AC757F210F8546125B…)

c66ef8652e15b579b409170658c95d35cfd6231c7ce030b172692f911e7dcff8 (E4ED26D5E2A84CC5E48D285E4EA898…)

d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39 (F8D26F2B8DD2AC4889597E1F2FD1F2…)

ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d (BE588CD29B9DC6F8CFC4D0AA5E5C79…)

f8f7720785f7e75bd6407ac2acd63f90ab6c2907d3619162dc41a8ffa40a5d03 (D2DA675A8ADFEF9D0C146154084FFF…)

fe43bc385b30796f5e2d94dfa720903c70e66bc91dfdcfb2f3986a1fea3fe8c5 (F315BE41D9765D69AD60F0B4D29E43…)

Additional Files (7)

44a93ea6e6796530bb3cf99555dfb3b1092ed8fb4336bb198ca15b2a21d32980 (None)

49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359 (rdpproto.dll)

70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289 (udbcgiut.dat)

823d255d3dc8cbc402527072a9220e4c38655de1a3e55a465db28b55d3ac1bf8 (None)

96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7 (MSDFMAPI.INI)

ba80cb0a08908782f4b6e88aa15e2d306b19bc93e79bd8770bf8be904fd1bd09 (None)

cd5ff67ff773cc60c98c35f9e9d514b597cbd148789547ba152ba67bfc0fec8f (UDPTrcSvc.dll)

IPs (23)

112.175.92.57

113.114.117.122

117.239.241.2

119.18.230.253

128.200.115.228

137.139.135.151

14.140.116.172

181.39.135.126

186.169.2.237

195.158.234.60

197.211.212.59

21.252.107.198

210.137.6.37

217.117.4.110

218.255.24.226

221.138.17.152

26.165.218.44

47.206.4.145

70.224.36.194

81.94.192.10

81.94.192.147

84.49.242.125

97.90.44.200

Findings

05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461

Tags

trojan

Details
Name 23E27E5482E3F55BF828DAB885569033
Size 242688 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 23e27e5482e3f55bf828dab885569033
SHA1 139b25e1ae32a8768238935a8c878bfbe2f89ef4
SHA256 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461
SHA512 2c481ef42dfc9a7a30575293d09a6f81943e307836ec5b8a346354ab5832c15046dd4015a65201311e33f944763fc55dd44fbe390245be5be7a216026ecfb28b
ssdeep 6144:YnDlYMzUvLFOL9wqk6+pqC8iooIBgajvQlm/Z0cp1:alYiXiooIKajvQeZ3
Entropy 6.537337
Antivirus
Ahnlab Trojan/Win32.Generic
Antiy Trojan/Win32.Casdet
Avira TR/NukeSped.uxivj
BitDefender Trojan.GenericKD.41198265
ClamAV Win.Trojan.HiddenCobra-7402602-0
Cyren W32/Trojan.LXQN-3818
ESET a variant of Win32/NukeSped.AI trojan
Emsisoft Trojan.GenericKD.41198265 (B)
Ikarus Trojan.Win32.NukeSped
K7 Trojan ( 005329311 )
McAfee Trojan-Hoplight
Microsoft Security Essentials Trojan:Win32/Hoplight
Quick Heal Trojan.Hoplight.S5793599
Sophos Troj/Hoplight-C
Symantec Trojan.Hoplight
TrendMicro Trojan.55DEE3DA
TrendMicro House Call Trojan.55DEE3DA
VirusBlokAda Trojan.Casdet
YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  •  
  • rule lsfr_constants
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule polarSSL_servernames
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $polarSSL = “fjiejffndxklfsdkfjsaadiepwn”
       $sn1 = “www.google.com”
       $sn2 = “www.naver.com”
    condition:
            (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) — 0x4550) and ($polarSSL and 1 of ($sn*))
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2017-06-05 21:57:29-04:00
Import Hash ff390ec082b48263a3946814ea18ba46
PE Sections
MD5 Name Raw Size Entropy
c06924120c87e2cb79505e4ab0c2e192 header 1024 2.542817
3368eda2d5820605a055596c7c438f0f .text 197120 6.441545
ec1f06839fa9bc10ad8e183b6bf7c1b5 .rdata 27136 5.956914
1e62b7d9f7cc48162e0651f7de314c8a .data 8192 4.147893
980effd28a6c674865537f313318733a .rsrc 512 5.090362
696fd5cac6e744f336e8ab68a4708fcf .reloc 8704 5.247502
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Description

This artifact is a malicious 32-bit Windows executable. When executed the malware will collect system information about the victim machine including OS Version, Volume Information, and System Time, as well as enumerate the system drives and partitions.

The malware is capable of the following functions:

—Begin Malware Capability—

Read, Write, and Move Files
Enumerate System Drives
Create and Terminate Processes
Inject into Running Processes
Create, Start and Stop Services
Modify Registry Settings
Connect to a Remote Host
Upload and Download Files

—End Malware Capability—

The malware family has 2 versions. Both are nearly identical in functionality but use slightly different command codes. So if the opcode for Keepalive in version 1 is 0xB6C1, the opcode in version 2 will be 0xB6C2.

There may be some versions of the malware that have limited/additional functionality, but most will have these command codes:

—Begin Version 1 Command Codes—

0xB6A4 GetComputerlnfo
   -Gets OS Version
   -Opens and sends back multiple registry keys
       Keys are encrypted in actually binary using RC4 with 16 byte key (af 3d 78    23 4a 79 92 81 9d 7f 20 47 ad e3 f2 b3). Keys are decrypted prior to calling RegOpenKey/RegQueryValue.
   -Calls GetSystemlnfo, returns results of a SYSTEM_INFO struct
   -Calls GetSystemMetrics and returns results
0xB6AS GetDriveslnfo
   -Gets info about different drives/share drives on system as well as memory available/memory used on those drives
0xB6A6 Directorylist
   -Gives list of all files in a directory that is specified by the C2
0xB6A7 SendFile
   -Sends a file from the victim machine to the C2 that is specified by the C2
0xB6A8 ReceiveFile
   -Victim machine receives file from the C2
0xB6A9 CreateProcess
   -Calls CreateProcessW to run a process via the command line. C2 specifies the path of the file to be run via command line.
0xB6AA EnableLogging
   -Prior to victim and C2 closing out a connection the victim will spawn a new thread that will compile a comprehensive log of system/session information. Inside this thread it opens a file that is named randomly and places it in the temp directory. It puts all the log results into this file.
0xB6AB Deletefile
   -Deletes file specified by the C2.
0xB6AC RunCmdPipe
   -Runs CreateProcessW to run a process via the command line. The process will be cmd.exe and the arguments will be the windows cmd command that the C2 specifies. The results of this command will be sent to a temporary file and then read back to the C2 from that file. Afterwards that file is deleted.
0xB6AD Processlist
   -Gets a list of processes
0xB6AE KillProcess
   -Kills process based on the PID that the C2 supplies.
0xB6AF TestEncryption
   -Tests LFSR encryption, no real functionality
0xB6B0 Uninstall
   -Uninstalls the implant from the victim box
0xB6B2 GetConfig
   -Gets the current callback config file from memory, returns the list to C2. There are 10 IP options in this config.
0xB6B3 SetConfig
   -Gets the current callback config file from memory, allows C2 to change the configurations. This will change the beacon IP to whatever the C2 wants.
0xB6B4 SetCurrentDirectory
   -Changes current working directory to the path supplied by C2
0xB6B5 GetCurrentDirectory
   -Gets the current working directory and returns it to the C2
0xB6C1 KeepAlive
   -C2s sends this as a keep alive to the victim, victim responds with confirmation    that it received the keep alive and keeps session open

—End Version 1 Command Codes—

The malware is capable of opening and binding to a socket. The malware uses a public SSL certificate for secure communication. This certificate is from www.naver.com. Naver.com is the largest search engine in Korea and provides a variety of web services to clients around the world.

The malware uses the default certificates/private keys that come with PolarSSL. These are generally used for testing purposes only. Additionally the C2 IPs that act as the server for the TLS handshake require the malware to respond back with a client key. This key is also a default key found within the PolarSSL libraries.

—Begin SSL Certificate Header—

1 0     UNL10U
PolarSSL10UPolarSSL Test CA0
110212144407Z
2102121144407Z0<1 0 UNL10U
PolarSSL10UPolarSSL Client 200

—End SSL Certificate Header—

When executed, the malware will attempt a TLS Handshake with one of four hardcoded IP addresses embedded in the malware. These IP addresses are referenced in ‘udbcgiut.dat’ below. The malware also contains an embedded Zlib compression library that appears to further obfuscate the communications payload.

After the TLS authentication is completed this particular malware does NOT use the session key that is generated via TLS. It uses a custom Linear Feedback Shift Register (LFSR) encryption scheme to encrypt all communications after the completion of the handshake. A python script to decrypt traffic is given below:

—Begin LFSR Decryption Script—

class lfsr:
   def _init_(self):
       self.b = (0, 0, 0, 0)
       self.data = b”
       self.L= 0

   def lfsr_init(self, data):
       self.L = len(data)
       self.data = data
       self.b[0] = 0
       self.b[1] = 0xc2b45678
       self.b[2] = 0x90abcdef
       self.b[3] = 0xfe268455

   for i in range(int(self.L / 3)):
       self.b[1] ^= self.b[2]
       self.b[2] ^= self.b[3]
       self.b[3] ^= self.b[1]

   for i in range{self.L % 3):
       self.b[1] |= self.b[2]
       self.b[2] |= self.b[3]
       self.b[3] |= self.b[1]

    def lfsr_1(self):
       r = 0
       if (self.b[1] & 0x200) == 0x200:
           r += 1
       if (self.b[2] & 0x800) == 0x800:
           r += 1
       if (self.b[3] & 0x800) == 0x800:
           r += 1
       if r <= 1:
           self.b[0] = 1
       else:
           self.b[0] = 0

   def lfsr_2(self):
       v1 = self.b[1]
       r = (self.b[1] >> 9) & 1
       v3 = r == self.b[0]
       self.b[0] ^= r
       if not v3:
           r = (v1 ^ ((v1 ^ (( v1 ^ (v1 >> 1)) >> 1)) >> 3)) >> 13
           v4 = 2 * (v1 & 0x3ffff)
           self.b[1] = v4
           if (r & 1):
               self.b[1] = v4 ^ 1

   def lfsr_3(self):
       v1 = self.b[2]
       r = (self.b[2] >> 11) & 1
       v3 = r == self.b[0]
       self.b[0] ^= r
       if not v3:
           r = (v1 ^ ((v1 ^ ((v1 ^ (v1 >> 1)) >> 4)) >> 4)) >> 12
           v4 = 2 * (v1 & 0x1fffff)
           self.b[2] = v4
           if (r & 1):
               self.b[2] = v4 ^ 1

   def lfsr 4(self):
       v1 = self.b[3]
       r = (self.b[3] >> 11) & 1
       v3 = r == self.b[0]
       self.b[0] ^= r
       if not v3:
           r = (v1 ^ ((v1 ^ ((v1 ^ (v1 >> 1)) >> 3)) >> 1)) >> 17
           v4 = 2 * (v1 & 0x3fffff)
           self.b[3] = v4
           if (r & 1):
               self.b[3] = v4 ^ 1

   def lfsr_genKeyByte(self):
       self.lfsr_1()
       self.lfsr_2()
       self.lfsr_3()
       self.lfsr_4()
       v2 = self.b[1] ^ self.b[2] ^ self.b[3]
       r = (v2 >> 0x18) ^ (v2 >> 0x10) ^ (v2 >> 0x8) ^ v2
       r &= 0xff
       return r

   def crypt(self):
       r= b”
       for i in range(len(self.data)):
           k = self.lfsr_genKeyByte()
           r += bytes([self.data[i] ^ k])
       return r

—End LFSR Decryption Script—

The following notable strings have been linked to the use of the SSL certificates and can be used to identify the malware:

—Begin Notable Strings—

fjiejffndxklfsdkfjsaadiepwn
ofuierfsdkljffjoiejftyuir
reykfgkodfgkfdskgdfogpdokgsdfpg
ztretrtireotreotieroptkierert
etudjfirejer
yrty
uiyy
uiyiyj lildvucv
erfdfe poiiumwq

—End Notable Strings—

The next four artifacts contain identical characteristics as those described above. Therefore, only capability that is unique will be described for the following four artifacts.

2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525

Tags

trojan

Details
Name 5C3898AC7670DA30CF0B22075F3E8ED6
Size 221184 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 5c3898ac7670da30cf0b22075f3e8ed6
SHA1 91110c569a48b3ba92d771c5666a05781fdd6a57
SHA256 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525
SHA512 700ec4d923cf0090f4428ac3d4d205b551c3e48368cf90d37f9831d8a57e73c73eb507d1731662321c723362c9318c3f019716991073dc9a4cc829ce01540337
ssdeep 3072:nKBzqEHcJw0sqz7vLFOLBAqui1mqLK1VaU9BzNRyHmdMaF0QqWN0Qjpthmu:nKg0cJ19z7vLFOLSqp0q7syHeFhnhm
Entropy 6.346504
Antivirus
Ahnlab Trojan/Win32.Generic
Antiy Trojan/Win32.NukeSped
Avira TR/NukeSped.bqdkh
BitDefender Trojan.GenericKD.41198269
ClamAV Win.Trojan.HiddenCobra-7402602-0
Cyren W32/Trojan.MYIL-1461
ESET a variant of Win32/NukeSped.AI trojan
Emsisoft Trojan.GenericKD.41198269 (B)
Ikarus Trojan.Win32.NukeSped
K7 Trojan ( 005329311 )
McAfee Trojan-Hoplight
Microsoft Security Essentials Trojan:Win32/Hoplight
Quick Heal Trojan.Hoplight.S5774771
Sophos Troj/Hoplight-C
Symantec Trojan.Hoplight
TACHYON Trojan/W32.Hoplight.221184
TrendMicro Trojan.55DEE3DA
TrendMicro House Call Trojan.55DEE3DA
VirusBlokAda BScope.Trojan.Casdet
YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  •  
  • rule lsfr_constants
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule polarSSL_servernames
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $polarSSL = “fjiejffndxklfsdkfjsaadiepwn”
       $sn1 = “www.google.com”
       $sn2 = “www.naver.com”
    condition:
            (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) — 0x4550) and ($polarSSL and 1 of ($sn*))
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2017-05-16 02:35:55-04:00
Import Hash 6ffc5804961e26c43256df683fea6922
PE Sections
MD5 Name Raw Size Entropy
adb596d3ceae66510778e3bf5d4d9582 header 4096 0.695660
6453931a0b6192e0bbd6476e736ca63f .text 184320 6.343388
0ba1433cc62ba7903ada2f1e57603e83 .rdata 16384 6.246206
76a08265777f68f08e5e6ed2102cb31d .data 12288 4.050945
cb8939d6bc1cd076acd850c3850bdf78 .rsrc 4096 3.289605
Packers/Compilers/Cryptors
Microsoft Visual C++ v6.0
Relationships
2151c1977b… Connected_To 81.94.192.147
2151c1977b… Connected_To 112.175.92.57
2151c1977b… Related_To 181.39.135.126
2151c1977b… Related_To 197.211.212.59
2151c1977b… Related_To 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289
2151c1977b… Dropped 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7
Description

This artifact is a malicious PE32 executable with similar characteristics of those described in 23E27E5482E3F55BF828DAB885569033 above.

When this artifact is executed, it will write the file ‘udbcgiut.dat’ to C:\Users\<user>\AppData\Local\Temp.

The malware will then attempt outbound SSL connections to 81.94.192.147 and 112.175.92.57. Both connection attempts are over TCP Port 443.
The two IP addresses above, as well as the IP addresses 181.39.135.126 and 197.211.212.59 are hard-coded into the malware. However, only connections to the first two IP addresses were attempted during analysis.

197.211.212.59

Ports
Whois

inetnum:        197.211.208.0 – 197.211.215.255
netname:        ZOL-16e-MOBILE-CUSTOMERS
descr:         ZOL Customers on ZTE Mobile WiMAX Platform
country:        ZW
admin-c:        BS10-AFRINIC
admin-c:        GJ1-AFRINIC
admin-c:        JHM1-AFRINIC
tech-c:         BS10-AFRINIC
tech-c:         GJ1-AFRINIC
tech-c:         JHM1-AFRINIC
status:         ASSIGNED PA
mnt-by:         LIQUID-TOL-MNT
source:         AFRINIC # Filtered
parent:         197.211.192.0 – 197.211.255.255

person:         B Siwela
address:        3rd Floor Greenbridge South
address:        Eastgate Center
address:        R. Mugabe Road
address:        Harare
address:        Zimbabwe
phone:         +263774673452
fax-no:         +2634702375
nic-hdl:        BS10-AFRINIC
mnt-by:         GENERATED-DVCNVXWBH3VN3XZXTRPHOT0OJ77GUNN3-MNT
source:         AFRINIC # Filtered

person:         G Jaya
address:        3rd Floor Greenbridge South
address:        Eastgate Center
address:        R. Mugabe Road
address:        Harare
address:        Zimbabwe
phone:         +263773373135
fax-no:         +2634702375
nic-hdl:        GJ1-AFRINIC
mnt-by:         GENERATED-QPEEUIPPW1WPRZ5HLHRXAVHDOKWLC9UC-MNT
source:         AFRINIC # Filtered

person:         John H Mwangi
address:        Liquid Telecom Kenya
address:        P.O.Box 62499 – 00200
address:        Nairobi Kenya
address:        Nairobi, Kenya
address:        Kenya
phone:         + 254 20 556 755

Relationships
197.211.212.59 Related_To 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525
197.211.212.59 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d
197.211.212.59 Connected_From 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3
Description

This IP address is listed in the file ‘udbcgiut.dat’. Outbound SSL connection attempts are made to this IP by Malware2.exe, Malware3.exe, and Malware5.exe. The domain, zol-ad-bdc.zol.co.zw is associated with the IP address, however, no DNS query is made for the name.

181.39.135.126

Ports
Whois

inetnum:     181.39.135.120/29
status:     reallocated
owner:     Clientes Guayaquil
ownerid:     EC-CLGU1-LACNIC
responsible: Tomislav Topic
address:     Kennedy Norte Mz. 109 Solar 21, 5, Piso 2
address:     5934 – Guayaquil – GY
country:     EC
phone:     +593 4 2680555 [101]
owner-c:     SEL
tech-c:     SEL
abuse-c:     SEL
created:     20160720
changed:     20160720
inetnum-up: 181.39/16

nic-hdl:     SEL
person:     Carlos Montero
e-mail:     networking@TELCONET.EC
address:     Kennedy Norte MZ, 109, Solar 21
address:     59342 – Guayaquil –
country:     EC
phone:     +593 42680555 [4601]
created:     20021004
changed:     20170323

Relationships
181.39.135.126 Related_To 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525
181.39.135.126 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d
181.39.135.126 Connected_From 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3
Description

This IP address is listed in the file ‘udbcgiut.dat’. Outbound SSL connection attempts are made to this IP by Malware2.exe, Malware3.exe, and Malware5.exe. No domain is associated with the IP address.

112.175.92.57

Ports
Whois

inetnum:        112.160.0.0 – 112.191.255.255
netname:        KORNET
descr:         Korea Telecom
admin-c:        IM667-AP
tech-c:         IM667-AP
country:        KR
status:         ALLOCATED PORTABLE
mnt-by:         MNT-KRNIC-AP
mnt-irt:        IRT-KRNIC-KR
last-modified: 2017-02-03T02:21:58Z
source:         APNIC

irt:            IRT-KRNIC-KR
address:        Seocho-ro 398, Seocho-gu, Seoul, Korea
e-mail:         hostmaster@nic.or.kr
abuse-mailbox: hostmaster@nic.or.kr
admin-c:        IM574-AP
tech-c:         IM574-AP
auth:         # Filtered
mnt-by:         MNT-KRNIC-AP
last-modified: 2017-10-19T07:36:36Z
source:         APNIC

person:         IP Manager
address:        Gyeonggi-do Bundang-gu, Seongnam-si Buljeong-ro 90
country:        KR
phone:         +82-2-500-6630
e-mail:         kornet_ip@kt.com
nic-hdl:        IM667-AP
mnt-by:         MNT-KRNIC-AP
last-modified: 2017-03-28T06:37:04Z
source:         APNIC

Relationships
112.175.92.57 Connected_From 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525
112.175.92.57 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d
112.175.92.57 Connected_From 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3
112.175.92.57 Connected_From 83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a
Description

This IP address is listed in the file ‘udbcgiut.dat’. Outbound SSL connection attempts are made to this IP by Malware2.exe, Malware3.exe, and Malware5.exe. The domain, mail.everzone.co.kr is associated with the IP address, however, no DNS query is made for the name.

81.94.192.147

Ports
Whois

inetnum:        81.94.192.0 – 81.94.192.255
netname:        IOMARTHOSTING
descr:         iomart Hosting Limited
country:        GB
admin-c:        RA1415-RIPE
tech-c:         RA1415-RIPE
status:         ASSIGNED PA
remarks:        ABUSE REPORTS: abuse@redstation.com
mnt-by:         REDSTATION-MNT
mnt-domains:    REDSTATION-MNT
mnt-routes:     REDSTATION-MNT
created:        2016-02-14T11:44:25Z
last-modified: 2016-02-14T11:44:25Z
source:         RIPE

role:         Redstation Admin Role
address:        Redstation Limited
address:        2 Frater Gate Business Park
address:        Aerodrome Road
address:        Gosport
address:        Hampshire
address:        PO13 0GW
address:        UNITED KINGDOM
abuse-mailbox: abuse@redstation.com
e-mail:         abuse@redstation.com
nic-hdl:        RA1415-RIPE
mnt-by:         REDSTATION-MNT
created:        2005-04-22T17:34:33Z
last-modified: 2017-05-02T09:47:13Z
source:         RIPE

% Information related to ‘81.94.192.0/24AS20860’

route:         81.94.192.0/24
descr:         Wayne Dalton – Redstation Ltd
origin:         AS20860
mnt-by:         GB10488-RIPE-MNT
created:        2015-11-03T12:58:00Z
last-modified: 2015-11-03T12:58:00Z
source:         RIPE

Relationships
81.94.192.147 Connected_From 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525
81.94.192.147 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d
81.94.192.147 Connected_From 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3
Description

This IP address is listed in the file ‘udbcgiut.dat’. Outbound SSL connection attempts are made to this IP by Malware2.exe, Malware3.exe, and Malware5.exe. No domain is associated with the IP address.

70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289

Tags

droppertrojan

Details
Name udbcgiut.dat
Size 1171 bytes
Type data
MD5 ae829f55db0198a0a36b227addcdeeff
SHA1 04833210fa57ea70a209520f4f2a99d049e537f2
SHA256 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289
SHA512 1b4509102ac734ce310b6f8631b1bedd772a38582b4feda9fee09f1edd096006cf5ba528435c844effa97f95984b07bd2c111aa480bb22f4bcfbc751f069868d
ssdeep 3:ElclFUl8GlFcmzkXIil23X1ll:ElcUXmQkXQ3
Entropy 0.395693
Antivirus
Ahnlab BinImage/Hoplight
Antiy Trojan/Generic.Generic
ClamAV Win.Dropper.Hoplight-7402658-0
Ikarus Trojan.Win32.Hoplight
McAfee Trojan-Hoplight.b
Microsoft Security Essentials Trojan:Win32/Hoplight
TrendMicro Trojan.22D9D34C
TrendMicro House Call Trojan.22D9D34C
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
70902623c9… Dropped_By 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3
70902623c9… Related_To ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d
70902623c9… Related_To 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525
70902623c9… Related_To 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3
70902623c9… Related_To 12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d
Description

‘udbcgiut.dat’ is dropped by three of the four PE32 executables. This file contains a 32byte unicode string uniquely generated for the infected system, as well as four socket pairs in hexidecimal.

—Begin Decoded Socket Pairs—

197.211.212.59:443
181.39.135.126:443
112.175.92.57:7443
81.94.192.147:7443

—End Decoded Socket Pairs—

The unicode string generated during this analysis was ‘8a9b11762b96c4b6’. The socket pairs remain the same for all instances of the malware.
For the PE32 executables, ‘udbcgiut.dat’ was dropped in the victim’s profile at %AppData%\Local\Temp. For the 64bit executables, ‘udbcgiut.dat’ was dropped in C:\Windows.

4c372df691fc699552f81c3d3937729f1dde2a2393f36c92ccc2bd2a033a0818

Tags

trojan

Details
Name C5DC53A540ABE95E02008A04A0D56D6C
Size 241152 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 c5dc53a540abe95e02008a04a0d56d6c
SHA1 4cfe9e353b1a91a2add627873846a3ad912ea96b
SHA256 4c372df691fc699552f81c3d3937729f1dde2a2393f36c92ccc2bd2a033a0818
SHA512 fc33c99facfbc98d164e63167353bdcff7c1704810e4bb64f7e56812412d84099b224086c04aea66e321cd546d8cf6f14196f5b58d5e931c68064d659c33b6a2
ssdeep 6144:LA5cWD93YuzTvLFOLoqbWbnuX7ZEAV6efA/Pawzq:Xc93YbLZEAV6mX
Entropy 6.534884
Antivirus
Ahnlab Trojan/Win32.Hoplight
Antiy Trojan/Win32.Casdet
Avira TR/NukeSped.qdbcu
BitDefender Trojan.GenericKD.31879714
ClamAV Win.Trojan.HiddenCobra-7402602-0
Cyren W32/Trojan.OTMD-4999
ESET a variant of Win32/NukeSped.AS trojan
Emsisoft Trojan.GenericKD.31879714 (B)
Ikarus Trojan.Win32.NukeSped
K7 Trojan ( 0051d4f01 )
McAfee Trojan-Hoplight
Microsoft Security Essentials Trojan:Win32/Hoplight
Quick Heal Trojan.Hoplight.S5793599
Sophos Troj/Hoplight-C
Symantec Trojan.Hoplight
TrendMicro Trojan.55DEE3DA
TrendMicro House Call Trojan.55DEE3DA
VirusBlokAda Trojan.Casdet
YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  •  
  • rule lsfr_constants
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule polarSSL_servernames
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $polarSSL = “fjiejffndxklfsdkfjsaadiepwn”
       $sn1 = “www.google.com”
       $sn2 = “www.naver.com”
    condition:
            (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) — 0x4550) and ($polarSSL and 1 of ($sn*))
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2017-06-04 21:31:07-04:00
Import Hash c76f6bb3f2ce6f4ce3e83448836f3ddd
PE Sections
MD5 Name Raw Size Entropy
64cb3246aafa83129f7fd6b25d572a9f header 1024 2.625229
e8c15e136370c12020eb23545085b9f6 .text 196096 6.431942
cf0eb4ad22ac1ca687b87a0094999ac8 .rdata 26624 5.990247
b246681e20b3c8ff43e1fcf6c0335287 .data 8192 4.116777
6545248a1e3449e95314cbc874837096 .rsrc 512 5.112624
31a7ab6f707799d327b8425f6693c220 .reloc 8704 5.176231
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Description

This artifact is a malicious PE32 executable with similar characteristics of those described in 23E27E5482E3F55BF828DAB885569033 above.

This artifact appears to be named ‘lamp.exe’. The malware contains the following debug pathway:

—Begin Debug Pathway—

Z:\Develop\41.LampExe\Release\LampExe.pdb

—End Debug Pathway—

ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d

Tags

adwaretrojan

Details
Name BE588CD29B9DC6F8CFC4D0AA5E5C79AA
Name ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d
Size 267776 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 be588cd29b9dc6f8cfc4d0aa5e5c79aa
SHA1 06be4fe1f26bc3e4bef057ec83ae81bd3199c7fc
SHA256 ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d
SHA512 c074ec876350b3ee3f82208041152c0ecf25cc8600c8277eec389c253c12372e78da59182a6df8331b05e0eefb07c142172951115a582606f68b824e1d48f30d
ssdeep 6144:UEFpmt3md/iA3uiyzOvLFOLYqnHGZlDwf/OYy85eqmJKRPg:/PQ3mJxeigqi/OYy+/g
Entropy 6.554499
Antivirus
Ahnlab Trojan/Win32.Generic
Antiy Trojan/Win32.Casdet
Avira TR/NukeSped.yvkuj
BitDefender Trojan.GenericKD.31879713
ClamAV Win.Trojan.HiddenCobra-7402602-0
Cyren W32/Trojan.TBKF-4720
ESET a variant of Win32/NukeSped.AI trojan
Emsisoft Trojan.GenericKD.31879713 (B)
Filseclab Adware.Amonetize.heur.xjym.mg
Ikarus Trojan.Win32.NukeSped
K7 Trojan ( 005329311 )
McAfee Trojan-Hoplight
Microsoft Security Essentials Trojan:Win32/Nukesped.PA!MTB
Sophos Troj/Hoplight-C
Symantec Trojan.Hoplight
TACHYON Trojan/W32.Hoplight.267776
TrendMicro Trojan.55DEE3DA
TrendMicro House Call Trojan.55DEE3DA
VirusBlokAda BScope.Trojan.Casdet
YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  •  
  • rule lsfr_constants
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule polarSSL_servernames
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $polarSSL = “fjiejffndxklfsdkfjsaadiepwn”
       $sn1 = “www.google.com”
       $sn2 = “www.naver.com”
    condition:
            (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) — 0x4550) and ($polarSSL and 1 of ($sn*))
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2017-06-06 10:33:38-04:00
Import Hash 8184d5d35e3a4640bb5d21698a4b6021
PE Sections
MD5 Name Raw Size Entropy
59b5d567b9b7b9da0ca0936675fd95fe header 1024 2.658486
c0b6929e0f01a7b61bde3d7400a801e0 .text 218624 6.470188
ce1e5ab830fcfaa2d7bea92f56e9026e .rdata 27136 5.962575
006bad003b65738ed203a576205cc546 .data 8192 4.157373
992987e022da39fcdbeede8ddd48f226 .rsrc 3072 5.511870
4be460324f0f4dc1f6a0983752094cce .reloc 9728 5.303151
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Relationships
ddea408e17… Connected_To 81.94.192.147
ddea408e17… Connected_To 112.175.92.57
ddea408e17… Connected_To 181.39.135.126
ddea408e17… Connected_To 197.211.212.59
ddea408e17… Related_To 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289
ddea408e17… Connected_To 81.94.192.10
Description

This artifact is a malicious PE32 executable with similar characteristics of those described in 23E27E5482E3F55BF828DAB885569033 above.

This program attempts to initiate a TLS Handshake to the four IP/Port pairs listed in ‘udbcgiut.dat’. If the program is unable to establish a connection, the file ‘udbcgiut.dat’ is deleted.

After ‘udbcgiut.dat’ is deleted, an outbound SSL connection is made to 81.94.192.10. The IP address is hard coded in the malware and are not randomly generated.

This artifact also loads several APIs that are commonly associated with Pass-The-Hash (PTH) toolkits, indicating a capability to harvest user credentials and passwords.

—Begin Common PTH APIs—

SamiChangePasswordUser
SamFreeMemory
SamCloseHandle
SamOpenUser
SamLookupNamesInDomain
SamOpenDomain
SamConnect

—End Common PTH APIs—

81.94.192.10

Whois

Domain name:
       redstation.net.uk

   Registrant:
       Redstation Limited

   Registrant type:
       UK Limited Company, (Company number: 3590745)

   Registrant’s address:
       2 Frater Gate Business Park
       Aerodrome Road
       Gosport
       Hampshire
       PO13 0GW
       United Kingdom

   Data validation:
       Nominet was able to match the registrant’s name and address against a 3rd party data source on 21-Feb-2017

   Registrar:
       Easyspace Ltd [Tag = EASYSPACE]
       URL: https://www.easyspace.com/domain-names/extensions/uk

   Relevant dates:
       Registered on: 11-Apr-2005
       Expiry date: 11-Apr-2019
       Last updated: 12-Apr-2017

   Registration status:
       Registered until expiry date.

   Name servers:
       ns1.redstation.com
       ns2.redstation.com

Relationships
81.94.192.10 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d
Description

A high port to high port connection attempt is made to this IP address from ‘Malware5.dll’. No domain is associated with the IP address.

12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d

Tags

droppertrojan

Details
Name 868036E102DF4CE414B0E6700825B319
Size 453791 bytes
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 868036e102df4ce414b0e6700825b319
SHA1 7f1e68d78e455aa14de9020abd2293c3b8ec6cf8
SHA256 12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d
SHA512 724d83493dbe86cfcee7f655272d2c733baa5470d7da986e956c789aa1b8f518ad94b575e655b4fe5f6f7d426b9aa7d8304fc879b82a385142b8924e0d454363
ssdeep 12288:eb/3G8vg+Rg1cvAHtE0MLa07rt5POui6z:+/3G8vg+pvi9Sa07rt4ui6z
Entropy 7.713852
Antivirus
Ahnlab Trojan/Win64.Hoplight
Antiy Trojan/Generic.Generic
Avira TR/Dropper.ezydy
BitDefender Trojan.Autoruns.GenericKDS.32698229
ClamAV Win.Trojan.Hoplight-7402636-0
Cyren W64/Trojan.PLQG-3049
ESET a variant of Win64/NukeSped.BV trojan
Emsisoft Trojan.Autoruns.GenericKDS.32698229 (B)
Ikarus Trojan.Win64.Nukesped
K7 Riskware ( 0040eff71 )
McAfee Generic Trojan.ix
Microsoft Security Essentials Trojan:Win64/Hoplight
NANOAV Trojan.Win64.Crypted.excqpl
NetGate Trojan.Win32.Malware
Quick Heal Trojan.Win64
Sophos Troj/Hoplight-C
Symantec Trojan.Gen.MBT
TACHYON Trojan/W32.Hoplight.453791
TrendMicro Trojan.D58D9624
TrendMicro House Call Trojan.D58D9624
VirusBlokAda Trojan.Win64.Hoplight
YARA Rules

No matches found.

ssdeep Matches
90 890d3928be0f36b1f4dcfffb20ac3747a31451ce010caba768974bfccdc26e7c
PE Metadata
Compile Date 2017-06-06 10:54:03-04:00
Import Hash 947a389c3886c5fa7f3e972fd4d7740c
PE Sections
MD5 Name Raw Size Entropy
e772c7a04c7e3d53c58fdb8a88bb0c02 header 1024 2.486400
a6a2750e5b57470403299e0327553042 .text 34816 6.297430
cc5d69374e9b0266a4b1119e5274d392 .rdata 12288 4.715650
ac4ee21fcb2501656efc217d139ec804 .data 5120 1.876950
359af12d4a14ced423d39736dfec613a .pdata 2560 3.878158
097e0e4be076b795a7316f1746bace8a .rsrc 3072 5.514584
5849f380266933d6f3c5c4740334b041 .reloc 1024 2.517963
Packers/Compilers/Cryptors
Microsoft Visual C++ 8.0 (DLL)
Relationships
12480585e0… Related_To 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289
12480585e0… Dropped 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359
Description

This artifact is a malicious x64 executable with similar characteristics of those described in 23E27E5482E3F55BF828DAB885569033 above.

In addition to the capabilities described above, this variant will hook the Windows Local Security Authority (lsass.exe). ‘lsass.exe’ will check the registry for the data value ‘rdpproto’ under the key SYSTEM\CurrentControlSet\Control\Lsa Name: Security Packages. If not found, this value is added by ‘lsass.exe’.
Next, the malware will drop the embedded file, ‘rdpproto.dll’ into the %System32% directory.
The file, ‘udbcgiut.dat’ is then written to C:\Windows. Outbound connection attempts are made to the socket pairs found within this file as described above.

49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359

Tags

trojan

Details
Name rdpproto.dll
Size 391680 bytes
Type PE32+ executable (DLL) (console) x86-64, for MS Windows
MD5 dc268b166fe4c1d1c8595dccf857c476
SHA1 8264556c8a6e460760dc6bb72ecc6f0f966a16b8
SHA256 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359
SHA512 b47c4caa0b5c17c982fcd040c7171d36ec962fe32e9b8bec567ee14b187507fe90e026aa05eec17d36c49a924eeaed55e66c95a111cfa9dcae0e305ab9515cac
ssdeep 6144:jfsTC8amAXJeZP6BPjIDeLkigDxcvAHjVXjhtBGshMLa1Mj7rtlkiP60dwtudIye:jvg+Rg1cvAHtE0MLa07rt5POui6
Entropy 7.893665
Antivirus
Ahnlab Trojan/Win64.Hoplight
Antiy Trojan/Win32.Casdet
Avira TR/Crypt.XPACK.xuqld
BitDefender Trojan.Generic.22790108
ClamAV Win.Trojan.Hoplight-7402636-0
ESET a variant of Win64/NukeSped.BV trojan
Emsisoft Trojan.Generic.22790108 (B)
Ikarus Trojan.SuspectCRC
K7 Trojan ( 0054bb211 )
McAfee Hoplight-FDXG!DC268B166FE4
Microsoft Security Essentials Trojan:Win64/Hoplight
NANOAV Trojan.Win64.Crypted.excqpl
Quick Heal Trojan.Win64
Sophos Troj/Hoplight-C
Symantec Trojan.Hoplight
TACHYON Trojan/W32.Hoplight.391680
VirusBlokAda Trojan.Win64.Agent
YARA Rules

No matches found.

ssdeep Matches
99 890d3928be0f36b1f4dcfffb20ac3747a31451ce010caba768974bfccdc26e7c
PE Metadata
Compile Date 2017-06-06 11:34:06-04:00
Import Hash 360d26520c50825099ec61e97b01a43b
PE Sections
MD5 Name Raw Size Entropy
3bb2a7d6aab283c82ab853f536157ce2 header 1024 2.524087
b0bf8ec7b067fd3592c0053702e34504 .text 23552 6.180871
6cc98c5fef3ea1b782262e355b5c5862 .rdata 10752 4.635336
484d4698d46b3b5ad033c1a80ba83acf .data 4096 2.145716
a07c8f17c18c6789a3e757aec183aea6 .pdata 2048 3.729952
fae0d0885944745d98849422bd799457 .rsrc 348672 7.997488
0c1c23e1fb129b1b1966f70fc75cf20e .reloc 1536 1.737829
Relationships
49757cf856… Dropped_By 12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d
49757cf856… Connected_To 21.252.107.198
49757cf856… Connected_To 70.224.36.194
49757cf856… Connected_To 113.114.117.122
49757cf856… Connected_To 47.206.4.145
49757cf856… Connected_To 84.49.242.125
49757cf856… Connected_To 26.165.218.44
49757cf856… Connected_To 137.139.135.151
49757cf856… Connected_To 97.90.44.200
49757cf856… Connected_To 128.200.115.228
49757cf856… Connected_To 186.169.2.237
Description

“rdpproto.dll” is dropped into the %System32% directory by 868036E102DF4CE414B0E6700825B319. When the library is loaded,
“rdpproto.dll” will attempt to send SSL Client Hello packets to any of the following embedded IP addresses:

—Begin Embedded IP Addresses—

21.252.107.198
70.224.36.194
113.114.117.122
47.206.4.145
84.49.242.125
26.165.218.44
137.139.135.151
97.90.44.200
128.200.115.228
186.169.2.237

—End Embedded IP Addresses—

This artifact contains the following notable strings:

—Begin Notable Strings—

CompanyName
Adobe System Incorporated
FileDescription
MicrosoftWindows TransFilter/FilterType : 01 WindowsNT Service
FileVersion
6.1 Build 7601
InternalName
TCP/IP Packet Filter Service
LegalCopyright
Copyright 2015 – Adobe System Incorporated
LegalTrademarks
OriginalFileName
TCP/IP – PacketFilter

—End Notable Strings—

21.252.107.198

Ports
Whois

NetRange:     21.0.0.0 – 21.255.255.255
CIDR:         21.0.0.0/8
NetName:        DNIC-SNET-021
NetHandle:     NET-21-0-0-0-1
Parent:         ()
NetType:        Direct Allocation
OriginAS:    
Organization: DoD Network Information Center (DNIC)
RegDate:        1991-06-30
Updated:        2009-06-19
Ref:            https://whois.arin.net/rest/net/NET-21-0-0-0-1

OrgName:        DoD Network Information Center
OrgId:         DNIC
Address:        3990 E. Broad Street
City:         Columbus
StateProv:     OH
PostalCode:     43218
Country:        US
RegDate:        
Updated:        2011-08-17
Ref:            https://whois.arin.net/rest/org/DNIC

Relationships
21.252.107.198 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
21.252.107.198 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359
Description

A high port to high port connection attempt is made to this IP address from ‘Malware2.dll’. No domain is associated with the IP address.

70.224.36.194

Ports
Whois

Domain Name: AMERITECH.NET
Registry Domain ID: 81816_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.corporatedomains.com
Registrar URL: http://www.cscglobal.com/global/web/csc/digital-brand-services.html
Updated Date: 2017-06-09T05:27:34Z
Creation Date: 1996-06-14T04:00:00Z
Registry Expiry Date: 2018-06-13T04:00:00Z
Registrar: CSC Corporate Domains, Inc.
Registrar IANA ID: 299
Registrar Abuse Contact Email: domainabuse@cscglobal.com
Registrar Abuse Contact Phone: 8887802723
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.ATTDNS.COM
Name Server: NS2.ATTDNS.COM
Name Server: NS3.ATTDNS.COM
Name Server: NS4.ATTDNS.COM
DNSSEC: unsigned

Domain Name: ameritech.net
Registry Domain ID: 81816_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.corporatedomains.com
Registrar URL: www.cscprotectsbrands.com
Updated Date: 2017-06-09T05:27:34Z
Creation Date: 1996-06-14T04:00:00Z
Registrar Registration Expiration Date: 2018-06-13T04:00:00Z
Registrar: CSC CORPORATE DOMAINS, INC.
Registrar IANA ID: 299
Registrar Abuse Contact Email: domainabuse@cscglobal.com
Registrar Abuse Contact Phone: +1.8887802723
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Domain Administrator
Registrant Organization: AT&T SERVICES, INC.
Registrant Street: 801 Chestnut Street
Registrant City: Saint Louis
Registrant State/Province: MO
Registrant Postal Code: 63101
Registrant Country: US
Registrant Phone: +1.3142358168
Registrant Phone Ext:
Registrant Fax: +1.3142358168
Registrant Fax Ext:
Registrant Email: att-domains@att.com
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: AT&T SERVICES, INC.
Admin Street: 801 Chestnut Street
Admin City: Saint Louis
Admin State/Province: MO
Admin Postal Code: 63101
Admin Country: US
Admin Phone: +1.3142358168
Admin Phone Ext:
Admin Fax: +1.3142358168
Admin Fax Ext:
Admin Email: att-domains@att.com
Registry Tech ID:
Tech Name: Domain Administrator
Tech Organization: AT&T SERVICES, INC.
Tech Street: 801 Chestnut Street
Tech City: Saint Louis
Tech State/Province: MO
Tech Postal Code: 63101
Tech Country: US
Tech Phone: +1.3142358168
Tech Phone Ext:
Tech Fax: +1.3142358168
Tech Fax Ext:
Tech Email: att-domains@att.com
Name Server: ns3.attdns.com
Name Server: ns1.attdns.com
Name Server: ns2.attdns.com
Name Server: ns4.attdns.com
DNSSEC: unsigned

Relationships
70.224.36.194 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
70.224.36.194 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359
Description

A high port to high port connection attempt is made to this IP address from ‘Malware2.dll’. No domain is associated with the IP address.

113.114.117.122

Ports
Whois

inetnum:        113.112.0.0 – 113.119.255.255
netname:        CHINANET-GD
descr:         CHINANET Guangdong province network
descr:         Data Communication Division
descr:         China Telecom
country:        CN
admin-c:        CH93-AP
tech-c:         IC83-AP
remarks:        service provider
status:         ALLOCATED PORTABLE
mnt-by:         APNIC-HM
mnt-lower:     MAINT-CHINANET-GD
mnt-routes:     MAINT-CHINANET-GD
last-modified: 2016-05-04T00:15:17Z
source:         APNIC
mnt-irt:        IRT-CHINANET-CN

irt:            IRT-CHINANET-CN
address:        No.31 ,jingrong street,beijing
address:        100032
e-mail:         anti-spam@ns.chinanet.cn.net
abuse-mailbox: anti-spam@ns.chinanet.cn.net
admin-c:        CH93-AP
tech-c:         CH93-AP
auth:         # Filtered
mnt-by:         MAINT-CHINANET
last-modified: 2010-11-15T00:31:55Z
source:         APNIC

person:         Chinanet Hostmaster
nic-hdl:        CH93-AP
e-mail:         anti-spam@ns.chinanet.cn.net
address:        No.31 ,jingrong street,beijing
address:        100032
phone:         +86-10-58501724
fax-no:         +86-10-58501724
country:        CN
mnt-by:         MAINT-CHINANET
last-modified: 2014-02-27T03:37:38Z
source:         APNIC

person:         IPMASTER CHINANET-GD
nic-hdl:        IC83-AP
e-mail:         gdnoc_HLWI@189.cn
address:        NO.18,RO. ZHONGSHANER,YUEXIU DISTRIC,GUANGZHOU
phone:         +86-20-87189274
fax-no:         +86-20-87189274
country:        CN
mnt-by:         MAINT-CHINANET-GD
remarks:        IPMASTER is not for spam complaint,please send spam complaint to abuse_gdnoc@189.cn
abuse-mailbox: antispam_gdnoc@189.cn
last-modified: 2014-09-22T04:41:26Z
source:         APNIC

Relationships
113.114.117.122 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
113.114.117.122 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359
Description

A high port to high port connection attempt is made to this IP address from ‘Malware2.dll’. No domain is associated with the IP address.

47.206.4.145

Ports
Whois

Domain Name: FRONTIERNET.NET
Registry Domain ID: 4305589_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.register.com
Registrar URL: http://www.register.com
Updated Date: 2017-09-14T07:53:05Z
Creation Date: 1995-10-14T04:00:00Z
Registry Expiry Date: 2018-10-13T04:00:00Z
Registrar: Register.com, Inc.
Registrar IANA ID: 9
Registrar Abuse Contact Email: abuse@web.com
Registrar Abuse Contact Phone: +1.8003337680
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: AUTH.DLLS.PA.FRONTIERNET.NET
Name Server: AUTH.FRONTIERNET.NET
Name Server: AUTH.LKVL.MN.FRONTIERNET.NET
Name Server: AUTH.ROCH.NY.FRONTIERNET.NET
DNSSEC: unsigned

Domain Name: FRONTIERNET.NET
Registry Domain ID: 4305589_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.register.com
Registrar URL: www.register.com
Updated Date: 2017-09-14T00:53:05.00Z
Creation Date: 1995-10-14T04:00:00.00Z
Registrar Registration Expiration Date: 2018-10-13T04:00:00.00Z
Registrar: REGISTER.COM, INC.
Registrar IANA ID: 9
Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: FRONTIERNET HOSTMASTER
Registrant Organization:
Registrant Street: 95 N. FITZHUGH ST.
Registrant City: ROCHESTER
Registrant State/Province: NY
Registrant Postal Code: 14614-1212
Registrant Country: US
Registrant Phone: +1.8664747662
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: HOSTMASTER@FRONTIERNET.NET
Registry Admin ID:
Admin Name: FRONTIERNET HOSTMASTER
Admin Organization:
Admin Street: 95 N. FITZHUGH ST.
Admin City: ROCHESTER
Admin State/Province: NY
Admin Postal Code: 14614-1212
Admin Country: US
Admin Phone: +1.8664747662
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: HOSTMASTER@FRONTIERNET.NET
Registry Tech ID:
Tech Name: FRONTIERNET HOSTMASTER
Tech Organization:
Tech Street: 95 N. FITZHUGH ST.
Tech City: ROCHESTER
Tech State/Province: NY
Tech Postal Code: 14614-1212
Tech Country: US
Tech Phone: +1.8664747662
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: HOSTMASTER@FRONTIERNET.NET
Name Server: AUTH.DLLS.PA.FRONTIERNET.NET
Name Server: AUTH.FRONTIERNET.NET
Name Server: AUTH.LKVL.MN.FRONTIERNET.NET
Name Server: AUTH.ROCH.NY.FRONTIERNET.NET
DNSSEC: unSigned

Relationships
47.206.4.145 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
47.206.4.145 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359
Description

A high port to high port connection attempt is made to this IP address from ‘Malware2.dll’. No domain is associated with the IP address.

84.49.242.125

Ports
Whois

Domain Name: NEXTGENTEL.COM
Registry Domain ID: 13395561_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.domaininfo.com
Registrar URL: http://www.ports.domains
Updated Date: 2017-11-10T23:44:50Z
Creation Date: 1999-11-17T15:47:51Z
Registry Expiry Date: 2018-11-17T15:47:51Z
Registrar: Ports Group AB
Registrar IANA ID: 73
Registrar Abuse Contact Email: abuse@portsgroup.se
Registrar Abuse Contact Phone: +46.707260017
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: ANYADNS1.NEXTGENTEL.NET
Name Server: ANYADNS2.NEXTGENTEL.NET
DNSSEC: unsigned

Domain Name: nextgentel.com
Registry Domain ID: 13395561_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.domaininfo.com
Registrar URL: ports.domains
Updated Date: 2017-11-10T23:44:50Z
Creation Date: 1999-11-17T15:47:51Z
Registrar Registration Expiration Date: 2018-11-17T15:47:51Z
Registrar: PortsGroup AB
Registrar IANA ID: 73
Registrar Abuse Contact Email: abuse@portsgroup.se
Registrar Abuse Contact Phone: +46.317202000
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Hostmaster
Registrant Organization: NextGenTel AS
Registrant Street: Sandslimarka 31
Registrant City: SANDSLI
Registrant State/Province:
Registrant Postal Code: 5254
Registrant Country: NO
Registrant Phone: +47.55527900
Registrant Fax: +47.55527910
Registrant Email: hostmaster@nextgentel.com
Registry Admin ID:
Admin Name: Hostmaster
Admin Organization: NextGenTel AS
Admin Street: Sandslimarka 31
Admin City: Sandsli
Admin State/Province:
Admin Postal Code: 5254
Admin Country: NO
Admin Phone: +47.55527900
Admin Fax: +47.55527910
Admin Email: hostmaster@nextgentel.com
Registry Tech ID:
Tech Name: Hostmaster v/ Eivind Olsen
Tech Organization: NextGenTel AS
Tech Street: Postboks 3 Sandsli
Tech City: Bergen
Tech State/Province:
Tech Postal Code: 5861
Tech Country: NO
Tech Phone: +47.41649322
Tech Fax: +47.55527910
Tech Email: hostmaster@nextgentel.com
Name Server: ANYADNS1.NEXTGENTEL.NET
Name Server: ANYADNS2.NEXTGENTEL.NET
DNSSEC: unsigned

Relationships
84.49.242.125 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
84.49.242.125 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359
Description

A high port to high port connection attempt is made to this IP address from ‘Malware2.dll’. No domain is associated with the IP address.

26.165.218.44

Ports
Whois

NetRange:     26.0.0.0 – 26.255.255.255
CIDR:         26.0.0.0/8
NetName:        DISANET26
NetHandle:     NET-26-0-0-0-1
Parent:         ()
NetType:        Direct Allocation
OriginAS:    
Organization: DoD Network Information Center (DNIC)
RegDate:        1995-04-30
Updated:        2009-06-19
Ref:            https://whois.arin.net/rest/net/NET-26-0-0-0-1

OrgName:        DoD Network Information Center
OrgId:         DNIC
Address:        3990 E. Broad Street
City:         Columbus
StateProv:     OH
PostalCode:     43218
Country:        US
RegDate:        
Updated:        2011-08-17
Ref:            https://whois.arin.net/rest/org/DNIC

OrgTechHandle: MIL-HSTMST-ARIN
OrgTechName: Network DoD
OrgTechPhone: +1-844-347-2457
OrgTechEmail: disa.columbus.ns.mbx.hostmaster-dod-nic@mail.mil
OrgTechRef:    https://whois.arin.net/rest/poc/MIL-HSTMST-ARIN

OrgAbuseHandle: REGIS10-ARIN
OrgAbuseName: Registration
OrgAbusePhone: +1-844-347-2457
OrgAbuseEmail: disa.columbus.ns.mbx.arin-registrations@mail.mil
OrgAbuseRef:    https://whois.arin.net/rest/poc/REGIS10-ARIN

OrgTechHandle: REGIS10-ARIN
OrgTechName: Registration
OrgTechPhone: +1-844-347-2457
OrgTechEmail: disa.columbus.ns.mbx.arin-registrations@mail.mil
OrgTechRef:    https://whois.arin.net/rest/poc/REGIS10-ARIN

Relationships
26.165.218.44 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
26.165.218.44 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359
Description

A high port to high port connection attempt is made to this IP address from ‘Malware2.dll’. No domain is associated with the IP address.

137.139.135.151

Ports
Whois

NetRange:     137.139.0.0 – 137.139.255.255
CIDR:         137.139.0.0/16
NetName:        SUC-OLDWEST
NetHandle:     NET-137-139-0-0-1
Parent:         NET137 (NET-137-0-0-0-0)
NetType:        Direct Assignment
OriginAS:    
Organization: SUNY College at Old Westbury (SCAOW)
RegDate:        1989-11-29
Updated:        2014-02-18
Ref:            https://whois.arin.net/rest/net/NET-137-139-0-0-1

OrgName:        SUNY College at Old Westbury
OrgId:         SCAOW
Address:        223 Store Hill Road
City:         Old Westbury
StateProv:     NY
PostalCode:     11568
Country:        US
RegDate:        1989-11-29
Updated:        2011-09-24
Ref:            https://whois.arin.net/rest/org/SCAOW

OrgTechHandle: SUNYO-ARIN
OrgTechName: SUNYOWNOC
OrgTechPhone: +1-516-876-3379
OrgTechEmail: sunyownoc@oldwestbury.edu
OrgTechRef:    https://whois.arin.net/rest/poc/SUNYO-ARIN

OrgAbuseHandle: SUNYO-ARIN
OrgAbuseName: SUNYOWNOC
OrgAbusePhone: +1-516-876-3379
OrgAbuseEmail: sunyownoc@oldwestbury.edu
OrgAbuseRef:    https://whois.arin.net/rest/poc/SUNYO-ARIN

RAbuseHandle: SUNYO-ARIN
RAbuseName: SUNYOWNOC
RAbusePhone: +1-516-876-3379
RAbuseEmail: sunyownoc@oldwestbury.edu
RAbuseRef:    https://whois.arin.net/rest/poc/SUNYO-ARIN

RTechHandle: SUNYO-ARIN
RTechName: SUNYOWNOC
RTechPhone: +1-516-876-3379
RTechEmail: sunyownoc@oldwestbury.edu
RTechRef:    https://whois.arin.net/rest/poc/SUNYO-ARIN

RNOCHandle: SUNYO-ARIN
RNOCName: SUNYOWNOC
RNOCPhone: +1-516-876-3379
RNOCEmail: sunyownoc@oldwestbury.edu
RNOCRef:    https://whois.arin.net/rest/poc/SUNYO-ARIN

Relationships
137.139.135.151 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
137.139.135.151 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359
Description

A high port to high port connection attempt is made to this IP address from ‘Malware2.dll’. No domain is associated with the IP address.

97.90.44.200

Ports
Whois

Domain Name: CHARTER.COM
Registry Domain ID: 340223_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2017-07-03T04:22:18Z
Creation Date: 1994-07-30T04:00:00Z
Registry Expiry Date: 2019-07-29T04:00:00Z
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS1.CHARTER.COM
Name Server: NS2.CHARTER.COM
Name Server: NS3.CHARTER.COM
Name Server: NS4.CHARTER.COM
DNSSEC: unsigned

Domain Name: charter.com
Registry Domain ID: 340223_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2017-12-18T04:00:14-0800
Creation Date: 1994-07-29T21:00:00-0700
Registrar Registration Expiration Date: 2019-07-28T21:00:00-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Registry Registrant ID:
Registrant Name: Domain Admin
Registrant Organization: Charter Communications Operating, LLC
Registrant Street: 12405 Powerscourt Drive,
Registrant City: Saint Louis
Registrant State/Province: MO
Registrant Postal Code: 63131
Registrant Country: US
Registrant Phone: +1.3149650555
Registrant Phone Ext:
Registrant Fax: +1.9064010617
Registrant Fax Ext:
Registrant Email: hostmaster@charter.com
Registry Admin ID:
Admin Name: Domain Admin
Admin Organization: Charter Communications Operating, LLC
Admin Street: 12405 Powerscourt Drive,
Admin City: Saint Louis
Admin State/Province: MO
Admin Postal Code: 63131
Admin Country: US
Admin Phone: +1.3149650555
Admin Phone Ext:
Admin Fax: +1.9064010617
Admin Fax Ext:
Admin Email: hostmaster@charter.com
Registry Tech ID:
Tech Name: Charter Communications Internet Security and Abuse
Tech Organization: Charter Communications Operating, LLC
Tech Street: 12405 Powerscourt Drive,
Tech City: Saint Louis
Tech State/Province: MO
Tech Postal Code: 63131
Tech Country: US
Tech Phone: +1.3142883111
Tech Phone Ext:
Tech Fax: +1.3149090609
Tech Fax Ext:
Tech Email: abuse@charter.net
Name Server: ns4.charter.com
Name Server: ns3.charter.com
Name Server: ns1.charter.com
Name Server: ns2.charter.com
DNSSEC: unsigned

Relationships
97.90.44.200 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
97.90.44.200 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359
Description

A high port to high port connection attempt is made to this IP address from ‘Malware2.dll’. No domain is associated with the IP address.

128.200.115.228

Ports
Whois

Domain Name: UCI.EDU

Registrant:
University of California, Irvine
6366 Ayala Science Library
Irvine, CA 92697-1175
UNITED STATES

Administrative Contact:
Con Wieland
University of California, Irvine
Office of Information Technology
6366 Ayala Science Library
Irvine, CA 92697-1175
UNITED STATES
(949) 824-2222
oit-nsp@uci.edu

Technical Contact:
Con Wieland
University of California, Irvine
Office of Information Technology
6366 Ayala Science Library
Irvine, CA 92697-1175
UNITED STATES
(949) 824-2222
oit-nsp@uci.edu

Name Servers:
NS4.SERVICE.UCI.EDU     128.200.59.190
NS5.SERVICE.UCI.EDU     52.26.131.47

Domain record activated:    30-Sep-1985
Domain record last updated: 07-Jul-2016
Domain expires:             31-Jul-2018

Relationships
128.200.115.228 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
128.200.115.228 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359
Description

A high port to high port connection attempt is made to this IP address from ‘Malware2.dll’. No domain is associated with the IP address.

186.169.2.237

Ports
Whois

inetnum:     186.168/15
status:     allocated
aut-num:     N/A
owner:     COLOMBIA TELECOMUNICACIONES S.A. ESP
ownerid:     CO-CTSE-LACNIC
responsible: Administradores Internet
address:     Transversal 60, 114, A 55
address:     N – BOGOTA – Cu
country:     CO
phone:     +57 1 5339833 []
owner-c:     CTE7
tech-c:     CTE7
abuse-c:     CTE7
inetrev:     186.169/16
nserver:     DNS5.TELECOM.COM.CO
nsstat:     20171220 AA
nslastaa:    20171220
nserver:     DNS.TELECOM.COM.CO
nsstat:     20171220 AA
nslastaa:    20171220
created:     20110404
changed:     20141111

nic-hdl:     CTE7
person:     Grupo de Administradores Internet
e-mail:     admin.internet@TELECOM.COM.CO
address:     Transversal, 60, 114 A, 55
address:     571111 – BOGOTA DC – CU
country:     CO
phone:     +57 1 7050000 [71360]
created:     20140220
changed:     20140220

Relationships
186.169.2.237 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
186.169.2.237 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359
Description

A high port to high port connection attempt is made to this IP address from ‘Malware2.dll’. No domain is associated with the IP address.

4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761

Tags

trojan

Details
Name 42682D4A78FE5C2EDA988185A344637D
Name 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
Size 346624 bytes
Type PE32+ executable (DLL) (console) x86-64, for MS Windows
MD5 42682d4a78fe5c2eda988185a344637d
SHA1 4975de2be0a1f7202037f5a504d738fe512191b7
SHA256 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
SHA512 213e4a0afbfac0bd884ab262ac87aee7d9a175cff56ba11aa4c75a4feb6a96c5e4e2c26adbe765f637c783df7552a56e4781a3b17be5fda2cf7894e58eb873ec
ssdeep 6144:nCgsFAkxS1rrtZQXTip12P04nTnvze6lxjWV346vze6lpjWV34Evze6lSjWV34a7:nCgsukxS1vtZ+5nvze6lxjWV346vze6N
Entropy 6.102810
Antivirus
Ahnlab Trojan/Win32.Generic
Antiy Trojan/Win32.AGeneric
Avira TR/NukeSped.tbxxd
BitDefender Trojan.GenericKD.41198710
ClamAV Win.Trojan.HiddenCobra-7402602-0
Cyren W64/Trojan.NKDY-0871
ESET a variant of Win64/NukeSped.T trojan
Emsisoft Trojan.GenericKD.41198710 (B)
Ikarus Trojan.Win64.Nukesped
K7 Trojan ( 0054bc321 )
McAfee Generic Trojan.ix
Microsoft Security Essentials Trojan:Win64/Hoplight
Quick Heal Trojan.Hoplight.S5795935
Sophos Troj/Hoplight-C
Symantec Trojan.Hoplight
TACHYON Trojan/W32.Hoplight.346624
TrendMicro Trojan.A7CCF529
TrendMicro House Call Trojan.A7CCF529
VirusBlokAda Trojan.Win64.Hoplight
Zillya! Trojan.NukeSped.Win64.56
YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  •  
  • rule lsfr_constants
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule polarSSL_servernames
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $polarSSL = “fjiejffndxklfsdkfjsaadiepwn”
       $sn1 = “www.google.com”
       $sn2 = “www.naver.com”
    condition:
            (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) — 0x4550) and ($polarSSL and 1 of ($sn*))
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2017-06-06 11:24:44-04:00
Import Hash e395fbfa0104d0173b3c4fdd3debdceb
Company Name Kamsky Co,.Ltd
File Description Vote_Controller
Internal Name MDL_170329_x86_V06Lv3
Legal Copyright Copyright \u24d2 2017
Original Filename Vote_Controller
Product Name Kamsky ColdFear
Product Version 17, 0, 0, 0
PE Sections
MD5 Name Raw Size Entropy
40d66d1a2f846d7c3bf291c604c9fca3 header 1024 2.628651
d061ffec6721133c433386c96520bc55 .text 284160 5.999734
cbbc6550dcbdcaf012bdbf758a377779 .rdata 38912 5.789426
c83bcaab05056d5b84fc609f41eed210 .data 7680 3.105496
b9fc36206883aa1902566b5d01c27473 .pdata 8704 5.319307
1c1d46056b4cb4627a5f92112b7e09f7 .rsrc 4096 5.608168
3baedaa3d6b6d6dc9fb0ec4f5c3b007c .reloc 2048 2.331154
Relationships
4a74a9fd40… Connected_To 21.252.107.198
4a74a9fd40… Connected_To 70.224.36.194
4a74a9fd40… Connected_To 113.114.117.122
4a74a9fd40… Connected_To 47.206.4.145
4a74a9fd40… Connected_To 84.49.242.125
4a74a9fd40… Connected_To 26.165.218.44
4a74a9fd40… Connected_To 137.139.135.151
4a74a9fd40… Connected_To 97.90.44.200
4a74a9fd40… Connected_To 128.200.115.228
4a74a9fd40… Connected_To 186.169.2.237
Description

This artifact is a malicious 64bit Windows dynamic library called ‘Vote_Controller.dll’. The file shares similar functionality with ‘rdpproto.dll’ above, and attempts to connect to the same ten IP addresses.

42682D4A78FE5C2EDA988185A344637D also contains the same public SSL certificate as many of the artifacts above.

The file contains the following notable strings:

—Begin Notable Strings—

CompanyName
Kamsky Co, .Ltd
FileDescription
Vote_Controller
FileVersion
49, 0, 0, 0
InternalName
MDL_170329_x86_V06Lv3
LegalCopyright
Copyright
2017
LegalTrademarks
OriginalFileName
Vote_Controller
PrivateBuild
ProductName
Kamsky ColdFear
ProductVersion
17, 0, 0, 0

—End Notable Strings—

83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a

Tags

trojan

Details
Name 3021B9EF74c&BDDF59656A035F94FD08
Name 83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a
Size 245760 bytes
Type PE32+ executable (DLL) (console) x86-64, for MS Windows
MD5 3021b9ef74c7bddf59656a035f94fd08
SHA1 05ad5f346d0282e43360965373eb2a8d39735137
SHA256 83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a
SHA512 f8fcc5ed34b7bf144fc708d01d9685f0cb2e678c173d014987d6ecbf4a7c3ed539452819237173a2ab14609a913cf46c3bd618cffe7b5990c63cfe805a7144ff
ssdeep 6144:4+ZmN/ix9bd+Rvze6lxjWV346vze6lpjWV34Evze6lSjWV34avze6lkjWV34z5FT:4+ZmN/ix9b8Rvze6lxjWV346vze6lpjn
Entropy 5.933390
Antivirus
Ahnlab Trojan/Win64.Hoplight
Antiy Trojan/Win32.Hoplight
Avira TR/AD.APTLazerus.ltfzr
BitDefender Trojan.Agent.DVDE
ClamAV Win.Trojan.HiddenCobra-7402602-0
Cyren W64/Trojan.KDWH-2913
ESET a variant of Win64/NukeSped.BW trojan
Emsisoft Trojan.Agent.DVDE (B)
Ikarus Trojan.Agent
K7 Riskware ( 0040eff71 )
McAfee Generic Trojan.jp
Microsoft Security Essentials Trojan:Win64/Hoplight
Sophos Troj/Hoplight-C
Symantec Trojan.Hoplight
TrendMicro Trojan.A7CCF529
TrendMicro House Call Trojan.A7CCF529
VirusBlokAda Trojan.Win64.Hoplight
YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  •  
  • rule lsfr_constants
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule polarSSL_servernames
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $polarSSL = “fjiejffndxklfsdkfjsaadiepwn”
       $sn1 = “www.google.com”
       $sn2 = “www.naver.com”
    condition:
            (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) — 0x4550) and ($polarSSL and 1 of ($sn*))
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2017-05-16 02:44:21-04:00
Import Hash ca767ccbffbed559cbe77c923e3af1f8
Company Name Kamsky Co,.Ltd
File Description Vote_Controller
Internal Name MDL_170329_x86_V06Lv3
Legal Copyright Copyright \u24d2 2017
Original Filename Vote_Controller
Product Name Kamsky ColdFear
Product Version 17, 0, 0, 0
PE Sections
MD5 Name Raw Size Entropy
83ec15e3cf335f784144db4208b328c9 header 1024 2.790421
036c57e89ea3a6afa819c242c5816b70 .text 206848 5.688491
4812d2f39e9a8ae569370d423ba31344 .rdata 26112 6.000116
cb41e8f63b7c22c401a0634cb4fe1909 .data 2048 4.748331
3cc7651747904bfe94ed18f44354a706 .pdata 5120 4.962073
9e92c54604ea67e76210c3c914e9608c .rsrc 4096 5.606351
71dcfb1ec7257ee58dcc20cafb0be691 .reloc 512 0.673424
Relationships
83228075a6… Connected_To 112.175.92.57
Description

This artifact is 64bit Windows dynamic library file which shares many of the same characteristics and name (Vote_Controller.dll) as 42682D4A78FE5C2EDA988185A344637D above.

When this library is loaded it will look for the file ‘udbcgiut.dat’ in C:\WINDOWS. If ‘udbcgiut.dat’ is not found, the file will attempt connections to the same ten IP addresses described under ‘rdpproto.dll’ above.

One notable difference with this variant is that it uses the Windows Management Instrumentation (WMI) process to recompile the Managed Object Format (MOF) files in the WMI repository. At runtime, the malware will enumerate the drivers located in the registry at HKLM\Software\WBEM\WDM.
These files are then recompiled by invoking wmiprvse.exe through svchost.exe: “C:\Windows\system32\wbem\wmiprvse.exe -Embedding”.
MOF files are written in a SQL-like language and are run (compiled) by the operating system when a predetermined event takes place. Recent malware variants have been observed modifying the MOF files within the system registry to run specific commands and create persistency on the system.

Of note, the paravirtual SCSI driver for VMWare Tools is also located in HKLM\Software\WBEM\WDM within a virtual image. When this driver is recompiled by the malware, VMWare Tools no longer works. It cannot be determined if this is an intentional characteristic of the malware to hinder analysis, or simply a symptom of the method used to establish persistence.

70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3

Tags

trojan

Details
Name 61E3571B8D9B2E9CCFADC3DDE10FB6E1
Size 258052 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 61e3571b8d9b2e9ccfadc3dde10fb6e1
SHA1 55daa1fca210ebf66b1a1d2db1aa3373b06da680
SHA256 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3
SHA512 235f7b920f54c4d316386cbf6cc14db1929029e8053270e730be15acc8e9f333231d2d984681bea26013a1d1cf4670528ba0989337be13ad4ada3eeba33bdfe8
ssdeep 6144:d71TKN7LBHvS+bujAfrsxwkm1Ka5l7gTtJUGx:dxKHPuj8WR0K6VgTtZx
Entropy 7.829590
Antivirus
Ahnlab Trojan/Win32.Hoplight
Antiy Trojan/Win32.NukeSped
Avira TR/NukeSped.oppme
BitDefender Dropped:Trojan.Generic.22954895
Cyren W32/Trojan.GZYA-1356
ESET Win32/NukeSped.AI trojan
Emsisoft Dropped:Trojan.Generic.22954895 (B)
Ikarus Trojan.Win32.NukeSped
K7 Trojan ( 005329311 )
McAfee Trojan-Hoplight
Microsoft Security Essentials Trojan:Win32/Hoplight
NANOAV Trojan.Win32.NukeSped.fpblwf
NetGate Trojan.Win32.Malware
Sophos Troj/Hoplight-C
Symantec Trojan.Gen.MBT
TACHYON Trojan/W32.Hoplight.258052
TrendMicro Trojan.55DEE3DA
TrendMicro House Call Trojan.55DEE3DA
YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule lsfr_constants
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2016-08-23 00:19:59-04:00
Import Hash 8e253f83371d82907ff72f57257e3810
PE Sections
MD5 Name Raw Size Entropy
84f39a6860555231d60a55c72d07bc5e header 4096 0.586304
649c24790b60bda1cf2a85516bfc7fa0 .text 24576 5.983290
fbd6ca444ef8c0667aed75820cc99dce .rdata 4096 3.520964
0ecb4bcb0a1ef1bf8ea4157fabdd7357 .data 4096 3.988157
Packers/Compilers/Cryptors
Installer VISE Custom
Relationships
70034b33f5… Dropped cd5ff67ff773cc60c98c35f9e9d514b597cbd148789547ba152ba67bfc0fec8f
70034b33f5… Dropped 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289
70034b33f5… Dropped 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7
70034b33f5… Connected_To 81.94.192.147
70034b33f5… Connected_To 112.175.92.57
70034b33f5… Connected_To 181.39.135.126
70034b33f5… Connected_To 197.211.212.59
70034b33f5… Related_To 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289
Description

This artifact is a malicious PE32 executable. When executed, the artifact sets up the service, ‘Network UDP Trace Management Service’.
To set up the service, the program drops a dynamic library, ‘UDPTrcSvc.dll’ into the %System32% directory.
Next, the following registry keys are added:

—Begin Registry Keys—

HKLM\SYSTEM\CurrentControlSet\services\UDPTrcSvc Name: Type Value: 20
HKLM\SYSTEM\CurrentControlSet\services\UDPTrcSvc Name: Start Value: 02
HKLM\SYSTEM\CurrentControlSet\services\UDPTrcSvc Name: ImagePath Value: “%SystemRoot%\System32\svchost.exe -k mdnetuse”
HKLM\SYSTEM\CurrentControlSet\services\UDPTrcSvc Name: DisplayName Value: “Network UDP Trace Management Service”
HKLM\SYSTEM\CurrentControlSet\services\UDPTrcSvc Name: ObjectName Value: “LocalSystem”
HKLM\SYSTEM\CurrentControlSet\services\UDPTrcSvc\Parameters Name: ServiceDll Value: “%SystemRoot%\System32\svchost.exe -k mdnetuse”
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\mdnetuse

—End Registry Keys—

The service is started by invoking svchost.exe.

After writing ‘UDPTrcSvd.dll’ to disk, the program drops two additional files. Similar to 5C3898AC7670DA30CF0B22075F3E8ED6 above, the program writes the file ‘udbcgiut.dat’ to the victim’s profile at %AppData/Local/Temp%. A second file is written to the victim’s profile in the %AppData/Local/VirtualStore/Windows% directory and identified as ‘MSDFMAPI.INI’. ‘MSDFMAPI.INI’ is also written to C:\WINDOWS. More information on the content of these files is below.

61E3571B8D9B2E9CCFADC3DDE10FB6E1 attempts the same outbound connections as 5C3898AC7670DA30CF0B22075F3E8ED6, however the file does not contain any of the public SSL certificates referenced above.

cd5ff67ff773cc60c98c35f9e9d514b597cbd148789547ba152ba67bfc0fec8f

Tags

backdoortrojan

Details
Name UDPTrcSvc.dll
Size 221184 bytes
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 0893e206274cb98189d51a284c2a8c83
SHA1 d1f4cf4250e7ba186c1d0c6d8876f5a644f457a4
SHA256 cd5ff67ff773cc60c98c35f9e9d514b597cbd148789547ba152ba67bfc0fec8f
SHA512 8042356ff8dc69fa84f2de10a4c34685c3ffa798d5520382d4fbcdcb43ae17e403a208be9891cca6cf2bc297f767229a57f746ca834f6b79056a0ff1202941cf
ssdeep 3072:WsyjTzEvLFOL8AqCiueLt1VFu9+zcSywy0mcj90nSJ5NatCmtWwNQLK:W/zEvLFOLdq9uebdSwHN9n5wtkwNwK
Entropy 6.359677
Antivirus
Ahnlab Backdoor/Win32.Akdoor
Antiy Trojan/Win32.AGeneric
Avira TR/NukeSped.davct
BitDefender Trojan.Generic.22954895
ClamAV Win.Trojan.HiddenCobra-7402602-0
ESET Win32/NukeSped.AI trojan
Emsisoft Trojan.Generic.22954895 (B)
Ikarus Trojan.Win32.NukeSped
K7 Trojan ( 005329311 )
McAfee Trojan-Hoplight
Microsoft Security Essentials Trojan:Win32/Hoplight
NANOAV Trojan.Win32.NukeSped.fcodob
Sophos Troj/Hoplight-C
Symantec Trojan.Gen.MBT
Systweak malware.gen-ra
TACHYON Trojan/W32.Hoplight.221184.B
TrendMicro Trojan.CCD7B260
TrendMicro House Call Trojan.CCD7B260
VirusBlokAda Trojan.Tiggre
Zillya! Trojan.NukeSped.Win32.73
YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  •  
  • rule lsfr_constants
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule polarSSL_servernames
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $polarSSL = “fjiejffndxklfsdkfjsaadiepwn”
       $sn1 = “www.google.com”
       $sn2 = “www.naver.com”
    condition:
            (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) — 0x4550) and ($polarSSL and 1 of ($sn*))
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2016-08-23 00:23:04-04:00
Import Hash 30d3466536de2b423897a3c8992ef999
PE Sections
MD5 Name Raw Size Entropy
d37b95aa17fa132415b37ec777f439ff header 4096 0.709908
badbc93c35554aec904ab0c34f05fbe0 .text 180224 6.295472
64f7a9cafdad34003aba4547bba0e25b .rdata 16384 6.372911
c792eb0c57577f4f3649775cbf32b253 .data 12288 3.996008
8791f715ae89ffe2c7d832c1be821edc .reloc 8192 5.154376
Relationships
cd5ff67ff7… Dropped_By 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3
Description

This artifact is a malicious 32bit Windows dynamic library. ‘UDPTrcSvc.dll’ is identified as the ‘Network UDP Trace Management Service’. The following description is provided:

—Begin Service Description—

Network UDP Trace Management Service Hosts TourSvc Tracing. If this service is stopped, notifications of network trace will no longer function and there might not be access to service functions. If this service is disabled, notifications of and monitoring to network state will no longer function.

—End Service Description—

The service is invoked with the command, ‘C:\Windows\System32\svchost.exe -k mdnetuse’.
When the service is run a modification to the system firewall is attempted, ‘cmd.exe /c netsh firewall add portopening TCP 0 “adp”‘.

Unlike many of the files listed above that use a public certificate from naver.com, ‘UDPTrcSvc.dll’ uses a public SSL certificate from google.com.

96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7

Tags

trojan

Details
Name MSDFMAPI.INI
Size 2 bytes
Type data
MD5 c4103f122d27677c9db144cae1394a66
SHA1 1489f923c4dca729178b3e3233458550d8dddf29
SHA256 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7
SHA512 5ea71dc6d0b4f57bf39aadd07c208c35f06cd2bac5fde210397f70de11d439c62ec1cdf3183758865fd387fcea0bada2f6c37a4a17851dd1d78fefe6f204ee54
ssdeep 3::
Entropy 0.000000
Antivirus
NetGate Trojan.Win32.Malware
YARA Rules

No matches found.

ssdeep Matches
100 028f5531e8593ce6faf30dd5c5131abf1400fc4deb4d322f3f39578f14348be1
100 132fde08d7f788dece120e98bf6c794bafb655959764798ead053b872d097638
100 200608c94d52d33ff86b8f4db28451752eeae7c70062488f380f112e11b4350a
100 2d07a41ae992770085117e9815300bfd0730745883e60b24aaad5e69dfc087ae
100 3d1066ae1cd00d635b2131664a7d0d5483554901ed6aae9d627b697ecb02718e
100 5309e677c79cffae49a65728c61b436d3cdc2a2bab4c81bf0038415f74a56880
100 854871db188e45e5a948fb03d293459aef6def1c9a63acb8cfdaaf7155d5699e
100 ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7
100 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
Relationships
96a296d224… Dropped_By 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3
96a296d224… Dropped_By 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525
Description

‘MSDFMAPI.INI’ is written to C:\WINDOWS and to %UserProfile\AppData\Local\VirtualStore\Windows%. During analysis, two NULL characters were written to the file. The purpose of the file has not been determined.

d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39

Tags

droppertrojan

Details
Name F8D26F2B8DD2AC4889597E1F2FD1F248
Name d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39
Size 456241 bytes
Type data
MD5 f8d26f2b8dd2ac4889597e1f2fd1f248
SHA1 dd132f76a4aff9862923d6a10e54dca26f26b1b4
SHA256 d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39
SHA512 34f8d10ebcab6f10c5140e94cf858761e9fa2e075db971b8e49c7334e1d55237f844ed6cf8ce735e984203f58d6b5032813b55e29a59af4bfff3853b1d07bc44
ssdeep 12288:MG31DF/ubokxmgF8JsVusikiWxdj3tIQLYe:NlI0UV0ou1kiWvm4Ye
Entropy 7.999350
Antivirus
Ahnlab BinImage/Agent
Antiy Trojan/Win32.Casdet
Avira TR/Agent.anrq
BitDefender Trojan.Agent.DVDS
ClamAV Win.Dropper.Hoplight-7402659-0
Cyren Trojan.GTWY-8
Emsisoft Trojan.Agent.DVDS (B)
Ikarus Trojan.Agent
McAfee Trojan-Hoplight.b
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This artifact contains a similar public SSL certificate from naver.com, similar to many of the files above. The payload of the file appears to be encoded with a password or key. No context was provided with the file’s submission.

b9a26a569257fbe02c10d3735587f10ee58e4281dba43474dbdef4ace8ea7101

Tags

trojan

Details
Name 2A791769AA73AC757F210F8546125B57
Size 110592 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 2a791769aa73ac757f210f8546125b57
SHA1 269f1cc44f6b323118612bde998d17e5bfbf555e
SHA256 b9a26a569257fbe02c10d3735587f10ee58e4281dba43474dbdef4ace8ea7101
SHA512 1e88edf97f62282323928a304762864d69e0e5a1b98c7824cf7ee8af92a5a7d17586e30165c6b6ec4b64ea64dd97d6f2b3a3ef880debc8c6eaed1e63f9ce9a97
ssdeep 1536:BdQGY/Ni+mo06N1homALeoYbrAUD7Qum5T9Xlxgj5MX7jbthYWL3:DQGYFFzxAgoYbrAOQum5TsgjbHP
Entropy 6.406443
Antivirus
Ahnlab Trojan/Win32.Akdoor
Antiy Trojan/Win32.Autophyte
Avira TR/AD.APTLazerus.zobau
BitDefender Gen:Variant.Graftor.487501
ClamAV Win.Trojan.HiddenCobra-7402602-0
Cyren W32/Trojan.BCDT-8700
ESET a variant of Win32/NukeSped.AU trojan
Emsisoft Gen:Variant.Graftor.487501 (B)
Huorong Trojan/NukeSped.a
Ikarus Trojan.Win32.NukeSped
K7 Trojan ( 0052cf421 )
McAfee Trojan-HidCobra
Microsoft Security Essentials Trojan:Win32/Autophyte.E!dha
NANOAV Trojan.Win32.NukeSped.fyoobu
Quick Heal Trojan.Generic
Sophos Troj/NukeSpe-G
Symantec Trojan Horse
TrendMicro BKDR_HO.9D36C86C
TrendMicro House Call BKDR_HO.9D36C86C
VirusBlokAda BScope.Trojan.Autophyte
Zillya! Trojan.NukeSped.Win32.158
YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  •  
  • rule lsfr_constants
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2017-08-11 01:03:45-04:00
Import Hash e56949fef3294200cb30be8009694a42
PE Sections
MD5 Name Raw Size Entropy
3d755df7f28ddb5a661a68637cfdf23e header 4096 0.647583
8f28409d19efb02746f0cc7f186ac3e3 .text 86016 6.553916
03ec21be9a3702ad9b6a107a387c2be1 .rdata 16384 5.844150
cecd220a4af1182a425b07c4547fd1e6 .data 4096 2.638490
Packers/Compilers/Cryptors
Microsoft Visual C++ v6.0
Relationships
b9a26a5692… Connected_To 117.239.241.2
b9a26a5692… Connected_To 195.158.234.60
b9a26a5692… Connected_To 218.255.24.226
Description

This artifact is a malicious PE32 executable with similar characteristics of those described in 23E27E5482E3F55BF828DAB885569033 above.

When the malware runs it checks a config file to determine where it should beacon back to. If the config file has not been modified the malware will beacon back to the following hard coded IPs:

–Begin IP List–

117.239.241.2
218.255.24.226
195.158.234.60

–End IP List–

Client uses uk.yahoo.com for client hello server name instead of naver.com.
 

117.239.241.2

Relationships
117.239.241.2 Connected_From ba80cb0a08908782f4b6e88aa15e2d306b19bc93e79bd8770bf8be904fd1bd09
117.239.241.2 Connected_From b9a26a569257fbe02c10d3735587f10ee58e4281dba43474dbdef4ace8ea7101

218.255.24.226

Relationships
218.255.24.226 Connected_From b9a26a569257fbe02c10d3735587f10ee58e4281dba43474dbdef4ace8ea7101

195.158.234.60

Relationships
195.158.234.60 Connected_From b9a26a569257fbe02c10d3735587f10ee58e4281dba43474dbdef4ace8ea7101

1a01b8a4c505db70f9e199337ce7f497b3dd42f25ad06487e29385580bca3676

Tags

trojan

Details
Name 07D2B057D2385A4CDF413E8D342305DF
Size 2608223 bytes
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 07d2b057d2385a4cdf413e8d342305df
SHA1 1991e7797b2e97179b7604497f7f6c39eba2229b
SHA256 1a01b8a4c505db70f9e199337ce7f497b3dd42f25ad06487e29385580bca3676
SHA512 fa2535b08c43c0dae210c12c4a5445925723d50f8828e0d0b89ec70d08aaa2f1d222eea9fd4be40c46c9024b3ed9bfe33e16724496c1c4f90ea6fdc8891c5fee
ssdeep 49152:2sn+T/ymkSsvc1vb+oNEOaPmztSWNz25hqhbR5C7kcaFZweRrjxQTgZdy:2sck5ojp+Ef25al5CyjwSJQMzy
Entropy 7.981828
Antivirus
Ahnlab Trojan/Win32.Akdoor
Antiy Trojan/Win64.NukeSped
Avira TR/NukeSped.cgnux
BitDefender Trojan.GenericKD.41793016
Cyren W64/Trojan.DUQO-0431
ESET a variant of Win64/NukeSped.AH trojan
Emsisoft Trojan.GenericKD.41793016 (B)
Ikarus Trojan.Win64.Nukesped
K7 Trojan ( 00545d8d1 )
McAfee Trojan-HidCobra.a
Microsoft Security Essentials Trojan:Win32/Casdet!rfn
NANOAV Trojan.Win64.NukeSped.gayjsq
Sophos Troj/NukeSpe-H
Symantec Trojan.Hoplight
TACHYON Trojan/W64.Agent.2608223
TrendMicro TSPY_KI.58F058EF
TrendMicro House Call TSPY_KI.58F058EF
VirusBlokAda Trojan.Agent
Zillya! Trojan.Agent.Win32.1135323
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2018-02-12 15:06:28-05:00
Import Hash 347c977c6137a340c7cc0fcd5b224aef
PE Sections
MD5 Name Raw Size Entropy
28fc69ad12a0765af4cc06fbd261cb24 header 1024 2.672166
88425c71e7e293d43db9868e4693b365 .text 89088 6.415516
bb0048e4f3851ea07b365828ddf613f7 .rdata 26624 4.912250
50e3efe1a6ea325c87f8e86e2fbd40b4 .data 5632 2.093641
f56a65eb9562d6c6d607f867d1d0fd09 .pdata 4608 4.725531
6a9a84d523e53e1d43c31b2cc069930c .rsrc 1536 4.308150
dab5e290c15de9634d93d8f592a44633 .reloc 1536 2.912599
Packers/Compilers/Cryptors
Microsoft Visual C++ 8.0 (DLL)
Description

This artifact is a malicious 64bit Windows dynamic library. When run the malware drops a Themida packed DLL. This DLL runs and drops another DLL that acts as the Remote admin tool. This RAT is very similar to version 2 in op codes and functionality however it uses real TLS instead of the LFSR encryption. Additionally it encodes it’s data with XOR Ox47 SUB Ox28 prior to being TLS encrypted.

73dcb7639c1f81d3f7c4931d32787bdf07bd98550888c4b29b1058b2d5a7ca33

Tags

trojan

Details
Name 3EDCE4D49A2F31B8BA9BAD0B8EF54963
Size 147456 bytes
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 3edce4d49a2f31b8ba9bad0b8ef54963
SHA1 1209582451283c46f29a5185f451aa3c989723c9
SHA256 73dcb7639c1f81d3f7c4931d32787bdf07bd98550888c4b29b1058b2d5a7ca33
SHA512 0d3de1758b44597ccc4dad46a9b42626237da425a41b8833bf7549a3c809bd7432ce938cd8757b362e2268bead45a0b212c96cc881737cf0e6952097280d7277
ssdeep 3072:bQGYFFzsaXlvJdbx9NAzDZWaNoh05WKRYW7IWwh7:bSFhLlh9N8DZWaNoG5W8VIWC
Entropy 6.605430
Antivirus
Ahnlab Trojan/Win32.Akdoor
Antiy Trojan/Win32.Autophyte
Avira TR/AD.APTLazerus.jtxjg
BitDefender Gen:Variant.Zusy.290462
ClamAV Win.Trojan.HiddenCobra-7402602-0
Cyren W32/Trojan.DXJJ-0934
ESET a variant of Win32/NukeSped.AU trojan
Emsisoft Gen:Variant.Zusy.290462 (B)
Ikarus Trojan.Win32.NukeSped
K7 Trojan ( 0052cf421 )
McAfee Trojan-HidCobra
Microsoft Security Essentials Trojan:Win32/Autophyte.E!dha
NetGate Trojan.Win32.Malware
Sophos Troj/NukeSpe-I
Symantec Trojan.Hoplight
TrendMicro BKDR_HO.9D36C86C
TrendMicro House Call BKDR_HO.9D36C86C
VirusBlokAda Trojan.Autophyte
Zillya! Trojan.NukeSped.Win32.154
YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  •  
  • rule lsfr_constants
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2017-07-11 14:26:59-04:00
Import Hash cf3e2269004b18054d77ec54601edfd1
PE Sections
MD5 Name Raw Size Entropy
f31fc1b632aa011a29b506385890b3bb header 4096 0.703326
0b401c68fa1a8f024f25189b31fd8caf .text 118784 6.634510
78ad5231f5184af8093a2f31ef1f9952 .rdata 16384 6.126224
8c48fdefd1785500380702796882a0b6 .data 4096 3.860135
e6b0be8044e573ca9fc84de173a7ca3d .reloc 4096 5.404736
Packers/Compilers/Cryptors
Microsoft Visual C++ 6.0 DLL
Description

This artifact is a malicious PE32 executable with similar characteristics of those described in 23E27E5482E3F55BF828DAB885569033 above.

This file is dropped by a different binary into System32 and then run as a service. When the malware runs it checks a config file to determine where it should beacon back to. If the config file has not been modified the malware will beacon back to the following hard coded IPs:

–Begin IP List–

192.168.1.2

–End IP List–

Client uses uk.yahoo.com for client hello server name instead of naver.com.

084b21bc32ee19af98f85aee8204a148032ce7eabef668481b919195dd62b319

Tags

trojan

Details
Name 170A55F7C0448F1741E60B01DCEC9CFB
Size 197632 bytes
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 170a55f7c0448f1741e60b01dcec9cfb
SHA1 b6b84783816cca123adbc18e78d3b847f04f1d32
SHA256 084b21bc32ee19af98f85aee8204a148032ce7eabef668481b919195dd62b319
SHA512 a014cf5772ed993951dc62026e3acef174c424e47fd56583a1563c692ac3ed2ae5e1d51d34974ed04db11824dc9c76290297244e28e5d848cd8b3a05b509ab1e
ssdeep 6144:XT1NVhDJSUaZcdHItR3SG88+Tlm5T7BRWj:xx9tuVSe+Tlm5Tt
Entropy 6.262340
Antivirus
Ahnlab Trojan/Win32.Akdoor
Antiy Trojan/Win32.Agent
Avira TR/AD.APTLazerus.dsenk
BitDefender Trojan.GenericKD.32643407
ClamAV Win.Trojan.HiddenCobra-7402602-0
Cyren W64/Trojan3.AOLF
ESET a variant of Win32/NukeSped.AU trojan
Emsisoft Trojan.GenericKD.32643407 (B)
Ikarus Trojan.Win32.NukeSped
K7 Trojan ( 005233111 )
McAfee Trojan-HidCobra
Microsoft Security Essentials Trojan:Win32/Casdet!rfn
NANOAV Trojan.Win64.NukeSped.fzpbxb
Quick Heal Trojan.Multi
Sophos Troj/NukeSpe-G
Symantec Trojan.Hoplight
TrendMicro TROJ64_.655BEC93
TrendMicro House Call TROJ64_.655BEC93
VirusBlokAda Trojan.Agent
Zillya! Trojan.Agent.Win32.1134660
YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  •  
  • rule lsfr_constants
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2017-05-03 22:40:47-04:00
Import Hash 0675d7e21ce264449360c0b797c279e7
PE Sections
MD5 Name Raw Size Entropy
48a2d611f70a4718084857fa2f732b21 header 1024 2.780205
aaf67ea89d12bea95c148274c71ebac5 .text 44544 6.440744
91171a72af025ca7098ba6c94ecbb2a0 .rdata 25600 3.935800
fc2a61b6f1b29162f93fad1660c4b8af .data 120320 6.379891
114b795f9c567e0a81a04cec6ae1a0b4 .pdata 2560 4.287495
17c80d03f2f5729407ec55eca7e1f5b2 .rsrc 2048 2.948558
c9243c94e36bc012d7d5eb0a3f588dfb .reloc 1536 5.079827
Description

This artifact is a malicious 64bit Windows dynamic library. The DLL can be run using the DoStart export. This export calls write file to load the actual implant into a file “C:\windows\msncone.exe” and then calls Win Exec to execute the implant.

c66ef8652e15b579b409170658c95d35cfd6231c7ce030b172692f911e7dcff8

Tags

trojan

Details
Name E4ED26D5E2A84CC5E48D285E4EA898C0
Size 157696 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 e4ed26d5e2a84cc5e48d285e4ea898c0
SHA1 c3d28d8e49a24a0c7082053d22597be9b58302b1
SHA256 c66ef8652e15b579b409170658c95d35cfd6231c7ce030b172692f911e7dcff8
SHA512 0c0b8fa4e83036b9dbe88b193e93b412c47eee8c6f4b04f04082288d7dce0f0d687e7581e624145bd357e5ad70584b9ab4d9f5a950afe8389696523697940998
ssdeep 3072:MzviXzovLFOLUAqWilvLc1V2n9+zEty7+LEfq0Mg3ewPWTc:Mzv+zovLFOLFqhlvlQz7ZqueweT
Entropy 6.446363
Antivirus
Ahnlab Trojan/Win32.Crypt
Antiy Trojan/Win32.NukeSped
Avira TR/AD.APTLazerus.tmifd
BitDefender Trojan.GenericKD.32416111
ClamAV Win.Trojan.HiddenCobra-7402602-0
Cyren W32/Trojan.GVKT-3327
ESET a variant of Win32/NukeSped.AU trojan
Emsisoft Trojan.GenericKD.32416111 (B)
Ikarus Trojan.Win32.NukeSped
K7 Trojan ( 0052cf421 )
McAfee Trojan-HidCobra
Microsoft Security Essentials Trojan:Win32/Nukesped.PA!MTB
NANOAV Trojan.Win32.NukeSped.fzlqhl
NetGate Trojan.Win32.Malware
Quick Heal Trojan.Generic
Sophos Troj/NukeSpe-E
Symantec Trojan.Gen.MBT
TrendMicro TROJ_FR.D1E707E2
TrendMicro House Call TROJ_FR.D1E707E2
Vir.IT eXplorer Trojan.Win32.Genus.BRN
VirusBlokAda BScope.Trojan.Casdet
Zillya! Trojan.NukeSped.Win32.153
YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  •  
  • rule lsfr_constants
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule polarSSL_servernames
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $polarSSL = “fjiejffndxklfsdkfjsaadiepwn”
       $sn1 = “www.google.com”
       $sn2 = “www.naver.com”
    condition:
            (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) — 0x4550) and ($polarSSL and 1 of ($sn*))
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2017-10-23 16:44:37-04:00
Import Hash 861401f76d1251e0d08a8ade1a5ed38c
PE Sections
MD5 Name Raw Size Entropy
0aa18a6525a2203ee52f6df5f9622dcb header 1024 2.637312
33e3584e4c52c24e16fc108224a3f6a3 .text 132608 6.153434
8a43450710359fae49269f1217924cf5 .rdata 16896 6.299497
b0c95d35585e130bea58057c11e9d53b .data 3584 5.455587
3a4fdc31bb49b29d6f19b94641d14ee8 .rsrc 512 5.112624
f74e21bd34aa3a05131ae77f0b48c2b2 .reloc 3072 5.875833
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Description

This artifact is a malicious PE32 executable that is an add-on tool for other Hoplight implants.

When malware is run it opens a log file C:\WINDOWS\Temp\ndb.dat that is used for the remainder of the program to log all activity.

The malware runs with an IP as an argument. It sends out a beacon to this IP and connects to it using the same FakeTLS/PolarSSL protocol as the other samples. After a successful connection to a C2, it uses a named pipe called \\\\.\\pipe\\AnonymousPipe to connect to a running implant and sends tasking to the running implant. The implant returns the results of these taskings over the named pipe and the malware sends the results back to the C2.

fe43bc385b30796f5e2d94dfa720903c70e66bc91dfdcfb2f3986a1fea3fe8c5

Tags

trojan

Details
Name F315BE41D9765D69AD60F0B4D29E4300
Size 147456 bytes
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 f315be41d9765d69ad60f0b4d29e4300
SHA1 f60c2bd78436a14e35a7e85feccb319d3cc040eb
SHA256 fe43bc385b30796f5e2d94dfa720903c70e66bc91dfdcfb2f3986a1fea3fe8c5
SHA512 bc8f821b4989076e441fbe5668cee0a388adcc375fac4a553f4c27423cd61c4500739820033b32f4197820ddf34decf1a043c6d34619aa18e1a932feb4e4233b
ssdeep 3072:pQWbIWSG5bzxbT33FiDZWTNArLioB4Gwhes:pR3SGtJ33YDZWTNMLiGah
Entropy 6.477832
Antivirus
Ahnlab Trojan/Win32.Agent
Antiy Trojan/Win32.Autophyte
Avira TR/AD.APTLazerus.ifaaj
BitDefender Gen:Variant.Graftor.487501
ClamAV Win.Trojan.HiddenCobra-7402602-0
Cyren W32/Trojan.CTPG-1488
ESET a variant of Win32/NukeSped.AU trojan
Emsisoft Gen:Variant.Graftor.487501 (B)
Ikarus Trojan.Win32.NukeSped
K7 Trojan ( 0052cf421 )
McAfee Trojan-HidCobra
Microsoft Security Essentials Trojan:Win32/Autophyte.E!rfn
NetGate Trojan.Win32.Malware
Sophos Troj/NukeSpe-D
Symantec Trojan Horse
TrendMicro BKDR_HO.9D36C86C
TrendMicro House Call BKDR_HO.9D36C86C
VirusBlokAda BScope.Trojan.Autophyte
Zillya! Trojan.NukeSped.Win32.161
YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  •  
  • rule lsfr_constants
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2017-08-21 12:39:06-04:00
Import Hash 00c4520b07e61d244e7e7b942ebae39f
PE Sections
MD5 Name Raw Size Entropy
7991745d0f6ed295154f066bb53ccbc2 header 4096 0.767780
cd39ffb10726106d9b85172804784b97 .text 114688 6.620841
3ab93f20dc7859f5510efbf121790dd7 .rdata 16384 5.991690
9fdf9be0cd049c58cb3718927458e69c .data 4096 3.880827
330d3d9d2c3c1a342547cea468095f2a .rsrc 4096 1.138029
cefd737bf48bc8375f92c8f7d9755e3a .reloc 4096 5.221555
Packers/Compilers/Cryptors
Microsoft Visual C++ 6.0 DLL

f8f7720785f7e75bd6407ac2acd63f90ab6c2907d3619162dc41a8ffa40a5d03

Tags

trojan

Details
Name D2DA675A8ADFEF9D0C146154084FFF62
Size 139264 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 d2da675a8adfef9d0c146154084fff62
SHA1 c55d080ea24e542397bbbfa00edc6402ec1c902c
SHA256 f8f7720785f7e75bd6407ac2acd63f90ab6c2907d3619162dc41a8ffa40a5d03
SHA512 06f531e49154d59f684475da95693df1fccd50b505e6d3ca028c9d84fcfc79ef287704dd0b24b022bfac6ba9ee581d19f440773dd00cfcfecf068b644ecbecb5
ssdeep 3072:1QGYFFzYCGUXBk/hbpjYr9Lde0NPV1Y88PxbE:1SFhYaXBkjYJLde0Nd1Hqb
Entropy 6.605300
Antivirus
Ahnlab Trojan/Win32.Akdoor
Antiy Trojan/Win32.Autophyte
Avira TR/AD.APTLazerus.denpe
BitDefender Gen:Variant.Graftor.487501
ClamAV Win.Trojan.HiddenCobra-7402602-0
Cyren W32/Trojan.ATKI-5308
ESET a variant of Win32/NukeSped.AU trojan
Emsisoft Gen:Variant.Graftor.487501 (B)
Huorong Trojan/NukeSped.a
Ikarus Trojan.Win32.NukeSped
K7 Trojan ( 0052cf421 )
McAfee Trojan-FPIA!D2DA675A8ADF
Microsoft Security Essentials Trojan:Win32/Autophyte.E!dha
NANOAV Trojan.Win32.NukeSped.fyopnf
NetGate Trojan.Win32.Malware
Quick Heal Trojan.Generic
Sophos Troj/NukeSpe-F
Symantec Trojan Horse
TrendMicro BKDR_HO.9D36C86C
TrendMicro House Call BKDR_HO.9D36C86C
VirusBlokAda BScope.Trojan.Autophyte
Zillya! Trojan.NukeSped.Win32.146
YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  •  
  • rule lsfr_constants
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2017-07-14 18:40:25-04:00
Import Hash 86e90e40d8e53d1e5b06a22353734ed4
PE Sections
MD5 Name Raw Size Entropy
bf34ee8fcf71c0aa14531ae02d74f359 header 4096 0.647238
66e2b83909b4d47d3e3d20ad44df1acc .text 114688 6.660284
d20ad0b8b42883ae6eb4c89cfbbd893b .rdata 16384 6.057701
5e1b09084dfc15dda52bdac606eaed3d .data 4096 3.824972
Packers/Compilers/Cryptors
Microsoft Visual C++ v6.0
Description

This artifact is a malicious PE32 executable with similar characteristics of those described in 23E27E5482E3F55BF828DAB885569033 above.

When the malware runs it checks a config file to determine where it should beacon back to. If the config file has not been modified the malware will beacon back to the following hard coded IPs:

–Begin IP List–

10.10.30.130

–End IP List–

Client uses uk.yahoo.com for client hello server name instead of naver.com.

32ec329301aa4547b4ef4800159940feb950785f1ab68d85a14d363e0ff2bc11

Tags

trojan

Details
Name 38FC56965DCCD18F39F8A945F6EBC439
Size 122880 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 38fc56965dccd18f39f8a945f6ebc439
SHA1 50736517491396015afdf1239017b9abd16a3ce9
SHA256 32ec329301aa4547b4ef4800159940feb950785f1ab68d85a14d363e0ff2bc11
SHA512 70a1568df0e97e8ab020f108e52ec861a0cdae936ac3340f1657565a8ac8a253179b4c451a79cb7c362fe60ff70be2694705110c67369c645e9061d3800db99e
ssdeep 1536:kSQWbe9BzK0xGtGVyDBWikDsD3bG0aII2Tm5TPb+5MI7jcg9YL23O:fQWbIWSG61UD3bGUI2Tm5TP2Njcmn+
Entropy 6.236928
Antivirus
Ahnlab Trojan/Win32.Crypt
Antiy Trojan/Win32.AGeneric
Avira TR/AD.APTLazerus.sogzc
BitDefender Gen:Variant.Graftor.487501
ClamAV Win.Trojan.HiddenCobra-7402602-0
Cyren W32/Trojan.ACES-2943
ESET a variant of Win32/NukeSped.AU trojan
Emsisoft Gen:Variant.Graftor.487501 (B)
Huorong Trojan/NukeSped.a
Ikarus Trojan.Win32.NukeSped
K7 Trojan ( 0052cf421 )
McAfee Trojan-FPIA!38FC56965DCC
Microsoft Security Essentials Trojan:Win32/Nukesped.PA!MTB
NANOAV Trojan.Win32.HiddenCobra.fyqdsh
NetGate Trojan.Win32.Malware
Sophos Troj/NukeSpe-F
Symantec Trojan Horse
TrendMicro BKDR_HO.9D36C86C
TrendMicro House Call BKDR_HO.9D36C86C
VirusBlokAda BScope.Trojan.Autophyte
Zillya! Trojan.NukeSped.Win32.149
YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  •  
  • rule lsfr_constants
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2017-12-12 12:58:45-05:00
Import Hash 2054fd7bbbbcb62441ba2a21c156d403
PE Sections
MD5 Name Raw Size Entropy
39af78f4af9f093c2eb4765202eab41a header 4096 0.704943
48f0a09061c556cbde93f864f2adb2e3 .text 94208 6.479768
65fe1d182b2f7322719d142a81a901a8 .rdata 16384 5.812175
43cd1b0954c2785708b9e8da200242e9 .data 4096 2.465375
cab878079ca8c3f53ed3e0d0414e3a3a .rsrc 4096 1.194369
Packers/Compilers/Cryptors
Microsoft Visual C++ v6.0
Description

This artifact is a malicious PE32 executable with similar characteristics of those described in 23E27E5482E3F55BF828DAB885569033 above.

When the malware runs it checks a config file to determine where it should beacon back to. If the config file has not been modified the malware will beacon back to the following hard coded IPs:

–Begin IP List–

218.255.24.226

–End IP List–

Client uses www.bing.com. Microsoft.com, and facebook.com for client hello server name instead of naver.com.

8a1d57ee05d29a730864299376b830a7e127f089e500e148d96d0868b7c5b520

Tags

backdoortrojan

Details
Name 5C0C1B4C3B1CFD455AC05ACE994AED4B
Size 348160 bytes
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 5c0c1b4c3b1cfd455ac05ace994aed4b
SHA1 69cda1f1adeeed455b519f9cf188e7787b5efa07
SHA256 8a1d57ee05d29a730864299376b830a7e127f089e500e148d96d0868b7c5b520
SHA512 084d2223934848594e23dbedab5064f98cd3d07d0783d4a7de66800a2a823daf73b0b044aea0ff9516538e6c478c8d18018c006c713e7e63b2977f44df568718
ssdeep 6144:aR3SGkuDrOZm5Te5EXzO7h2ZMB6zJJ+KFvmjyFdzDs0dRb83hYnOQSzS7:aVSWrOZm5TeOjVMoJFFv+mdzDs+kYnOS
Entropy 7.540376
Antivirus
Ahnlab Backdoor/Win32.Akdoor
Antiy Trojan/Win32.Autophyte
Avira TR/AD.APTLazerus.itcpp
BitDefender Gen:Variant.Graftor.487501
ClamAV Win.Trojan.HiddenCobra-7402602-0
Cyren W32/Trojan.HLGX-3930
ESET a variant of Win32/NukeSped.AU trojan
Emsisoft Gen:Variant.Graftor.487501 (B)
Ikarus Trojan.Win32.NukeSped
K7 Trojan ( 0052cf421 )
McAfee Trojan-HidCobra
Microsoft Security Essentials Trojan:Win32/Autophyte.E!rfn
NetGate Trojan.Win32.Malware
Sophos Troj/NukeSpe-I
Symantec Trojan.Hoplight
TrendMicro BKDR_HO.9D36C86C
TrendMicro House Call BKDR_HO.9D36C86C
VirusBlokAda Trojan.Autophyte
Zillya! Trojan.NukeSped.Win32.163
YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  •  
  • rule lsfr_constants
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2017-08-12 05:20:38-04:00
Import Hash 3ca68e2a005e05e2c4831de87ae091c0
PE Sections
MD5 Name Raw Size Entropy
787ed8122e53d5ea17e3ece6d9fb7342 header 4096 0.782305
83b06d297acb20b05505da2d09905abd .text 102400 6.523509
b2e739b37837f1c2b941660711daf98f .rdata 16384 5.951907
cd8aa1387168caeb4604401aedb143eb .data 4096 2.718596
8840ce03428c311935a20ac968c10ce7 .rsrc 217088 7.888219
2f0ede5fcdada29ec11ad8cd25c53f77 .reloc 4096 4.923777
Packers/Compilers/Cryptors
Microsoft Visual C++ 6.0 DLL
Description

This artifact is a malicious PE32 executable with similar characteristics of those described in 23E27E5482E3F55BF828DAB885569033 above.

This file is dropped by a different binary into System32 and then run as a service. When the malware runs it checks a config file to determine where it should beacon back to. If the config file has not been modified the malware will beacon back to the following hard coded IPs:

–Begin IP List–

81.94.192.147
112.175.92.57
181.39.135.126
197.211.212.59

–End IP List–
 

0608e411348905145a267a9beaf5cd3527f11f95c4afde4c45998f066f418571

Tags

trojan

Details
Name 34E56056E5741F33D823859E77235ED9
Size 151552 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 34e56056e5741f33d823859e77235ed9
SHA1 fcc2dcbac7d3cbcf749f6aab2f37cc4b62d0bb64
SHA256 0608e411348905145a267a9beaf5cd3527f11f95c4afde4c45998f066f418571
SHA512 93ac57f0b9bf48e39870b88f918f9b6e33404c1667d5f98d0965736e9e001b18152530f1c3a843b91929d308f63739faf3de62077bbfb155039f6847d22d3dd0
ssdeep 3072:nQWbIWSGw0CkXbhM1Vsm5TJYwMrzPoXL8GnQj3y3:nR3SGQYM16m5TJDwPo7bUC3
Entropy 6.652398
Antivirus
Ahnlab Trojan/Win32.Agent
Antiy Trojan/Win32.Autophyte
Avira HEUR/AGEN.1023221
BitDefender Gen:Variant.Graftor.487501
ClamAV Win.Trojan.HiddenCobra-7402602-0
Cyren W32/Trojan.PGQL-0621
ESET a variant of Win32/NukeSped.AU trojan
Emsisoft Gen:Variant.Graftor.487501 (B)
Huorong Trojan/NukeSped.a
Ikarus Trojan.Win32.NukeSped
K7 Trojan ( 0052cf421 )
McAfee Trojan-FPIA!34E56056E574
Microsoft Security Essentials Trojan:Win32/Autophyte.E!rfn
NANOAV Trojan.Win32.NukeSped.fyqduv
Quick Heal Trojan.Generic
Sophos Troj/NukeSpe-F
Symantec Trojan Horse
TrendMicro TROJ_FR.D0256DD5
TrendMicro House Call TROJ_FR.D0256DD5
VirusBlokAda BScope.Trojan.Autophyte
Zillya! Trojan.NukeSped.Win32.166
YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  •  
  • rule lsfr_constants
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2017-08-12 03:44:57-04:00
Import Hash e93a06b89e75751a9ac2c094ca7da8b0
PE Sections
MD5 Name Raw Size Entropy
a45f9a7c2174752a1472fb634ba9d8c7 header 4096 0.715236
2b9f5ce0725453a209a416ab7a13f3df .text 98304 6.576807
03605ec3eefe3b70e118cea4b8655229 .rdata 16384 5.866137
5ac0ab0641ec076e15dd1468e11c57cd .data 4096 2.680020
58ede934084bbe73fa7f9e0d32c4fafb .rsrc 28672 7.045289
Packers/Compilers/Cryptors
Microsoft Visual C++ v6.0
Relationships
0608e41134… Connected_To 14.140.116.172
Description

This artifact is a malicious PE32 executable with similar characteristics of those described in 23E27E5482E3F55BF828DAB885569033 above.

When the malware runs it checks a config file to determine where it should beacon back to. If the config file has not been modified the malware will beacon back to the following hard coded IPs:

—Begin IP List—

14.140.116.172

—End IP List—

Client uses uk.yahoo.com for client hello server name instead of naver.com.

14.140.116.172

Relationships
14.140.116.172 Connected_From 0608e411348905145a267a9beaf5cd3527f11f95c4afde4c45998f066f418571
Description

The file 34E56056E5741F33D823859E77235ED9 beacons to this hard coded IP.

b05aae59b3c1d024b19c88448811debef1eada2f51761a5c41e70da3db7615a9

Tags

trojan

Details
Name 2FF1688FE866EC2871169197F9D46936
Size 229500 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 2ff1688fe866ec2871169197f9d46936
SHA1 6dc37ff32ea70cbd0078f1881a351a0a4748d10e
SHA256 b05aae59b3c1d024b19c88448811debef1eada2f51761a5c41e70da3db7615a9
SHA512 91c3a6e84ca728ecc26d63b91a09f3081288c9b9592430035b9ea50ba7cf2d4b4ddba4711933d17013d3d06fcb8d70789a37ddfa5c741445e058bc02d529cf06
ssdeep 6144:GANjUaXCXwz+vLFOLEq3VNwO9zyPqYNkHms:bNjxXgA9uPqR
Entropy 6.385793
Antivirus
Ahnlab Trojan/Win32.Agent
Antiy Trojan/Win32.NukeSped
Avira TR/AD.APTLazerus.oytdw
BitDefender Trojan.GenericKD.32416090
ClamAV Win.Trojan.HiddenCobra-7402602-0
Cyren W32/Trojan.GCCR-6631
ESET a variant of Win32/NukeSped.AI trojan
Emsisoft Trojan.GenericKD.32416090 (B)
Ikarus Trojan.Win32.NukeSped
K7 Trojan ( 005329311 )
McAfee Trojan-HidCobra
Microsoft Security Essentials Trojan:Win32/Nukesped.PA!MTB
NetGate Trojan.Win32.Malware
Quick Heal Trojan.Generic
Sophos Troj/Inject-DZV
Symantec Trojan.Gen.MBT
TrendMicro BKDR_HO.9D36C86C
TrendMicro House Call BKDR_HO.9D36C86C
Zillya! Trojan.NukeSped.Win32.160
YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  •  
  • rule lsfr_constants
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  • rule polarSSL_servernames
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $polarSSL = “fjiejffndxklfsdkfjsaadiepwn”
       $sn1 = “www.google.com”
       $sn2 = “www.naver.com”
    condition:
            (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) — 0x4550) and ($polarSSL and 1 of ($sn*))
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2017-06-13 11:12:43-04:00
Import Hash 8948765c0ef7c91beff2e97907c801d0
PE Sections
MD5 Name Raw Size Entropy
eb0f947605842ea84fea9d8d8382f056 header 4096 0.684814
f9aa8191af45813b80031064403835f1 .text 192512 6.400854
bbcbbf5f54deaee51d41d404973c30e4 .rdata 16384 6.228868
8ea12cda731d50b93944d8534c11402c .data 12288 3.927662
06d5d2729a367d565819e6867d8caea7 .rsrc 4096 3.317978
Packers/Compilers/Cryptors
Microsoft Visual C++ v6.0
Description

This artifact is a malicious PE32 executable with similar characteristics of those described in 23E27E5482E3F55BF828DAB885569033 above.

When the malware runs it checks a config file to determine where it should beacon back to. If the config file has not been modified the malware will beacon back to the following hard coded IPs:

—Begin IP List—

210.137.6.37
119.18.230.253
221.138.17.152

—End IP List—

Client uses naver.com for client hello server name.

119.18.230.253

Description

The file 2FF1688FE866EC2871169197F9D46936 beacons to this hard coded IP.

210.137.6.37

Description

The file 2FF1688FE866EC2871169197F9D46936 beacons to this hard coded IP.

221.138.17.152

Description

The file 2FF1688FE866EC2871169197F9D46936 beacons to this hard coded IP.

ba80cb0a08908782f4b6e88aa15e2d306b19bc93e79bd8770bf8be904fd1bd09

Tags

trojan

Details
Size 117591 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 3dbd47cc12c2b7406726154e2e95a403
SHA1 afaa88c46666e5684b89b94ef2c4bc82e4c00845
SHA256 ba80cb0a08908782f4b6e88aa15e2d306b19bc93e79bd8770bf8be904fd1bd09
SHA512 c13e79b4c7e7dd53736e87836930d4aafe5a9c6c467c31c976253ebc0b031424eb2d92a04bbdcb7b610afc5d93f2b752b14663b2e9c015e44650b0a814dd4997
ssdeep 1536:/sQWbe9BzK0xGtFOpVyDpWpQCnRx/bV3Q3Wgim5TjZU15MX7jbQnKVYJ3n:EQWbIWSGWjBjrbV3jgim5TjqPgjbQgA
Entropy 6.387236
Antivirus
Ahnlab Trojan/Win32.Generic
ClamAV Win.Trojan.HiddenCobra-7402602-0
ESET a variant of Win32/NukeSped.AU trojan
Huorong Trojan/NukeSped.a
McAfee Trojan-HidCobra!3DBD47CC12C2
Microsoft Security Essentials Trojan:Win32/Autophyte.E!dha
Symantec Trojan.Hoplight
VirusBlokAda BScope.Trojan.Autophyte
YARA Rules
  • rule crypt_constants_2
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
  •  
  • rule lsfr_constants
    {
    meta:
       Author=”NCCIC trusted 3rd party”
       Incident=”10135536″
       Date = “2018/04/19”    
       category = “hidden_cobra”
       family = “n/a”
       description = “n/a”
    strings:
       $ = {efcdab90}
       $ = {558426fe}
       $ = {7856b4c2}
    condition:
       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2017-09-03 11:02:30-04:00
Import Hash 7d69af70a4430663ca427aa423f7c5ea
PE Sections
MD5 Name Raw Size Entropy
8291bca724e71f42f0653dbd18357965 header 4096 0.642884
a883335516b2b5c2ff7377e5532611af .text 94208 6.462877
63fb256f6eaf5fbd897d36dd4777ef89 .rdata 16384 5.845991
8934903570874d7e20867e8c89be5c64 .data 2903 3.458180
Packers/Compilers/Cryptors
Microsoft Visual C++ v6.0
Relationships
ba80cb0a08… Connected_To 117.239.241.2
ba80cb0a08… Connected_To 217.117.4.110
Description

This artifact is a malicious PE32 executable with similar characteristics of those described in 23E27E5482E3F55BF828DAB885569033 above.

When the malware runs it checks a config file to determine where it should beacon back to. If the config file has not been modified the malware will beacon back to the following hardcoded IPs.

–Begin Hardcoded IP–

117.239.241.2
217.117.4.110

–End Hardcoded IP–

217.117.4.110

Relationships
217.117.4.110 Connected_From ba80cb0a08908782f4b6e88aa15e2d306b19bc93e79bd8770bf8be904fd1bd09
Description

The file ba80cb0a08908782f4b6e88aa15e2d306b19bc93e79bd8770bf8be904fd1bd09 beacons to this hardcoded IP.

44a93ea6e6796530bb3cf99555dfb3b1092ed8fb4336bb198ca15b2a21d32980

Tags

backdoordroppertrojan

Details
Size 557681 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 4e595db3b612e1e9da90a0ef7d740792
SHA1 1483720917e754d05818e64ae07b320ffbdf4d78
SHA256 44a93ea6e6796530bb3cf99555dfb3b1092ed8fb4336bb198ca15b2a21d32980
SHA512 fadd5aea13935cfc592da535c0b4b182d3b2c50cfc5122dd9bb4040a6298e5b0db788d9025b5043e216a242334fd4a08ae69597e0a130c1454e0e78aca1278a0
ssdeep 12288:j6k9os/EpYE+DMX6GHU3ZSrLwQ+ruZdwI4TntpdK9roGOeAQ:j6Qos/EpYEWGHFrL1+iZdwVTtp09rbOi
Entropy 7.850778
Antivirus
Ahnlab Backdoor/Win32.Agent
Avira TR/Dropper.Gen
ESET a variant of Win32/NukeSped.O trojan
Ikarus Trojan.Win32.NukeSped
Microsoft Security Essentials Trojan:Win32/Nukesped.PA!MTB
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2018-02-12 15:04:34-05:00
Import Hash 1e6c10653c6b505369db00e880dbfecb
PE Sections
MD5 Name Raw Size Entropy
aef5c3923e5820f46533bf0b26cd7c4e header 4096 0.626079
70a3e4024020c2792542fcb13130235f .text 73728 6.252791
f29b61b835618a1c4a0c2cf966badbe9 .rdata 12288 4.414075
0b968078c58131b96a48ffc77413a61b .data 4096 2.653332
Packers/Compilers/Cryptors
Microsoft Visual C++ v6.0
Description

This executable must be run with argument 15975345682 to execute and then drops C:\Windows\system32\dispark.dll (E5D1C42E5CA7A0AC3A3B31BD0F290E84), a custom packed loader.

E5D1C42E5CA7A0AC3A3B31BD0F290E84 drops 535C879CA109DBECD336E1DE0ECCB696 that runs as a service.

823d255d3dc8cbc402527072a9220e4c38655de1a3e55a465db28b55d3ac1bf8

Tags

trojan

Details
Size 692274 bytes
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 894b81b907c23f927a3f38cfd30f32da
SHA1 411a320c389e492bf41eb6c5708809721f28a81f
SHA256 823d255d3dc8cbc402527072a9220e4c38655de1a3e55a465db28b55d3ac1bf8
SHA512 ea550ce5ad8f58fdaf74476cda5255117b4dd3c64ef70ba0f5f08e3c2af62ba45fdafec56ee7d76de3e59894bddf39e26d6c787e287655268e754cee1c8f4cbc
ssdeep 12288:yeR6alRBGA44gibT2QPAdfyGwspLvgwEq8kkAwkeJbJPCYzH:yeR6alP44JbydfyGn84KAwbxJPCYD
Entropy 7.849516
Antivirus
Ahnlab Trojan/Win32.Akdoor
Antiy Trojan/Win64.NukeSped
ESET a variant of Win64/NukeSped.AH trojan
K7 Trojan ( 00545d8d1 )
Zillya! Trojan.Agent.Win32.1135323
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2018-02-12 15:06:28-05:00
Import Hash 347c977c6137a340c7cc0fcd5b224aef
PE Sections
MD5 Name Raw Size Entropy
28fc69ad12a0765af4cc06fbd261cb24 header 1024 2.672166
88425c71e7e293d43db9868e4693b365 .text 89088 6.415516
bb0048e4f3851ea07b365828ddf613f7 .rdata 26624 4.912250
50e3efe1a6ea325c87f8e86e2fbd40b4 .data 5632 2.093641
f56a65eb9562d6c6d607f867d1d0fd09 .pdata 4608 4.725531
6a9a84d523e53e1d43c31b2cc069930c .rsrc 1536 4.308150
dab5e290c15de9634d93d8f592a44633 .reloc 1536 2.912599
Packers/Compilers/Cryptors
Microsoft Visual C++ 8.0 (DLL)
Description

This executable must be run with argument 15975345682 to execute and then drops C:\Windows\system32\diskpart.dll (7AFF84FB44840E4FD53CC9561172E14B), a custom packed loader.

7AFF84FB44840E4FD53CC9561172E14B drops BD674814315892B937BC91A10783D140 that runs as a service.

Relationship Summary

2151c1977b… Connected_To 81.94.192.147
2151c1977b… Connected_To 112.175.92.57
2151c1977b… Related_To 181.39.135.126
2151c1977b… Related_To 197.211.212.59
2151c1977b… Related_To 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289
2151c1977b… Dropped 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7
197.211.212.59 Related_To 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525
197.211.212.59 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d
197.211.212.59 Connected_From 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3
181.39.135.126 Related_To 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525
181.39.135.126 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d
181.39.135.126 Connected_From 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3
112.175.92.57 Connected_From 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525
112.175.92.57 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d
112.175.92.57 Connected_From 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3
112.175.92.57 Connected_From 83228075a604e955d59edc760e4c4ed16eedabfc8f6ac291cf21b4fcbcd1f70a
81.94.192.147 Connected_From 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525
81.94.192.147 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d
81.94.192.147 Connected_From 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3
70902623c9… Dropped_By 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3
70902623c9… Related_To ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d
70902623c9… Related_To 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525
70902623c9… Related_To 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3
70902623c9… Related_To 12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d
ddea408e17… Connected_To 81.94.192.147
ddea408e17… Connected_To 112.175.92.57
ddea408e17… Connected_To 181.39.135.126
ddea408e17… Connected_To 197.211.212.59
ddea408e17… Related_To 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289
ddea408e17… Connected_To 81.94.192.10
81.94.192.10 Connected_From ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d
12480585e0… Related_To 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289
12480585e0… Dropped 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359
49757cf856… Dropped_By 12480585e08855109c5972e85d99cda7701fe992bc1754f1a0736f1eebcb004d
49757cf856… Connected_To 21.252.107.198
49757cf856… Connected_To 70.224.36.194
49757cf856… Connected_To 113.114.117.122
49757cf856… Connected_To 47.206.4.145
49757cf856… Connected_To 84.49.242.125
49757cf856… Connected_To 26.165.218.44
49757cf856… Connected_To 137.139.135.151
49757cf856… Connected_To 97.90.44.200
49757cf856… Connected_To 128.200.115.228
49757cf856… Connected_To 186.169.2.237
21.252.107.198 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
21.252.107.198 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359
70.224.36.194 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
70.224.36.194 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359
113.114.117.122 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
113.114.117.122 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359
47.206.4.145 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
47.206.4.145 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359
84.49.242.125 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
84.49.242.125 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359
26.165.218.44 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
26.165.218.44 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359
137.139.135.151 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
137.139.135.151 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359
97.90.44.200 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
97.90.44.200 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359
128.200.115.228 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
128.200.115.228 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359
186.169.2.237 Connected_From 4a74a9fd40b63218f7504f806fce71dffefc1b1d6ca4bbaadd720b6a89d47761
186.169.2.237 Connected_From 49757cf85657757704656c079785c072bbc233cab942418d99d1f63d43f28359
4a74a9fd40… Connected_To 21.252.107.198
4a74a9fd40… Connected_To 70.224.36.194
4a74a9fd40… Connected_To 113.114.117.122
4a74a9fd40… Connected_To 47.206.4.145
4a74a9fd40… Connected_To 84.49.242.125
4a74a9fd40… Connected_To 26.165.218.44
4a74a9fd40… Connected_To 137.139.135.151
4a74a9fd40… Connected_To 97.90.44.200
4a74a9fd40… Connected_To 128.200.115.228
4a74a9fd40… Connected_To 186.169.2.237
83228075a6… Connected_To 112.175.92.57
70034b33f5… Dropped cd5ff67ff773cc60c98c35f9e9d514b597cbd148789547ba152ba67bfc0fec8f
70034b33f5… Dropped 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289
70034b33f5… Dropped 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7
70034b33f5… Connected_To 81.94.192.147
70034b33f5… Connected_To 112.175.92.57
70034b33f5… Connected_To 181.39.135.126
70034b33f5… Connected_To 197.211.212.59
70034b33f5… Related_To 70902623c9cd0cccc8513850072b70732d02c266c7b7e96d2d5b2ed4f5edc289
cd5ff67ff7… Dropped_By 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3
96a296d224… Dropped_By 70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3
96a296d224… Dropped_By 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525
b9a26a5692… Connected_To 117.239.241.2
b9a26a5692… Connected_To 195.158.234.60
b9a26a5692… Connected_To 218.255.24.226
117.239.241.2 Connected_From ba80cb0a08908782f4b6e88aa15e2d306b19bc93e79bd8770bf8be904fd1bd09
117.239.241.2 Connected_From b9a26a569257fbe02c10d3735587f10ee58e4281dba43474dbdef4ace8ea7101
218.255.24.226 Connected_From b9a26a569257fbe02c10d3735587f10ee58e4281dba43474dbdef4ace8ea7101
195.158.234.60 Connected_From b9a26a569257fbe02c10d3735587f10ee58e4281dba43474dbdef4ace8ea7101
0608e41134… Connected_To 14.140.116.172
14.140.116.172 Connected_From 0608e411348905145a267a9beaf5cd3527f11f95c4afde4c45998f066f418571
ba80cb0a08… Connected_To 117.239.241.2
ba80cb0a08… Connected_To 217.117.4.110
217.117.4.110 Connected_From ba80cb0a08908782f4b6e88aa15e2d306b19bc93e79bd8770bf8be904fd1bd09

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or soc@us-cert.gov.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.us-cert.gov.

Source