## 10135536.11

# Malware Analysis 2018-03-09


## Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties
of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this
bulletin or otherwise.

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no
foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules,
TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.uscert.gov/tlp.


-----

## Summary


**Description**


This Malware Analysis Report (MAR) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal
Bureau of Investigation (FBI). Working with U.S. Government partners, DHS and FBI identified Trojan malware variants used by the North
Korean government. This malware variant is known as SHARPKNOT. The U.S. Government refers to malicious cyber activity by the North
Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https[:]//www[.]us-cert.gov/hiddencobra.

DHS and FBI are distributing this MAR to enable network defense and reduce exposure to malicious cyber activity by the North Korean
government.

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques.
Users or administrators should flag activity associated with the malware, report the activity to the DHS National Cybersecurity and
Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced
mitigation.

This malware report contains analysis of a malicious 32-bit Windows executable file. When executed from the command line, the malware
overwrites the Master Boot Record (MBR) and deletes files on the local system, any mapped network shares, and physically connected
storage devices.

The following Yara rule can be used to detect this malware:

--- BEGIN YARA RULE --
rule r4_wiper_1
{
meta:
source = "NCCIC Partner"
date = "2017-12-12"
strings:
$mbr_code = { 33 C0 8E D0 BC 00 7C FB 50 07 50 1F FC BE 5D 7C 33 C9 41 81 F9 00 ?? 74 24 B4 43 B0 00 CD 13 FE C2 80 FA 84
7C F3 B2 80 BF 65 7C 81 05 00 04 83 55 02 00 83 55 04 00 83 55 06 00 EB D5 BE 4D 7C B4 43 B0 00 CD 13 33 C9 BE 5D 7C EB C5 }
$controlServiceFoundlnBoth = { 83 EC 1C 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 ?? ?? ?? ?? 8B F8 85 FF 74 44 8B 44 24 24 53 56 6A
24 50 57 FF 15 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 8B F0 85 F6 74 1C 8D 4C 24 0C 51 6A 01 56 FF 15 ?? ?? ?? ?? 68 E8 03 00 00 FF 15 ??
?? ?? ?? 56 FF D3 57 FF D3 5E 5B 33 C0 5F 83 C4 1C C3 33 C0 5F 83 C4 1C C3 }
condition:
uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550 and any of them
}

rule r4_wiper_2
{
meta:
source = "NCCIC Partner"
date = "2017-12-12"
strings:
// BIOS Extended Write
$PhysicalDriveSTR = "\\\\.\\PhysicalDrive" wide
$ExtendedWrite = { B4 43 B0 00 CD 13 }
condition:
uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550 and all of them
}

--- END YARA RULE --

**Files (1)**


ca057fd197fc99cfb60b7379cb64475e6bd206fdd4b019f1f70c2214115f3b83 (350CBA65E28C723CBF0724C19BD7EE...)


-----

## Findings

### ca057fd197fc99cfb60b7379cb64475e6bd206fdd4b019f1f70c2214115f3b83


**Details**


**Name** 350CBA65E28C723CBF0724C19BD7EE69

**Size** 20480 bytes

**Type** PE32 executable (console) Intel 80386, for MS Windows

**MD5** 350cba65e28c723cbf0724c19bd7ee69

**SHA1** c8cb01bc1f62c6d6b95caa7bf2cae167d5736ffa

**SHA256** ca057fd197fc99cfb60b7379cb64475e6bd206fdd4b019f1f70c2214115f3b83

**ssdeep** 192:s/7pzppvWcUcHfHxSnx5LqSe/7m8EI2K3A+Y6Geny6VuwjZhfJP4oynQ6f:K7pvWc/HfHsFGqrI2K3AZwuwzV4+6f

**Entropy** 2.914359


**Antivirus**


**ClamAV** Win.Trojan.Agent-1388723


**Yara Rules**


No matches found.

**ssdeep Matches**

No matches found.


**Packers/Compilers/Cryptors**


Microsoft Visual C++ 5.0


**Description**


This file is a malicious 32-bit Windows executable. Analysis indicates the primary purpose of this application is to destroy a compromised
Windows system by overwriting and deleting the Master Boot Record (MBR) on the victim's system and deleting files on network mapped
shares as well as physically attached storage devices.

The malware must be executed from a command line using any alphanumeric character or string as an argument. Once executed, the
malware first attempts to disable the "System Event Notification" and "Alerter" services (Figure 1).

Note: The Alerter service is present in Windows XP and Windows 2003, which are no longer supported by Microsoft. Current operating
systems supported by Microsoft do not run the Alerter service.

Next, the malware overwrites the MBR, displaying a status in the command (CMD) window. If the malware is able to overwrite the MBR, an
"OK" status is displayed in the CMD window. If the malware is unable to overwrite the MBR, a "Fail" status is displayed.

After the MBR is overwritten, the malware attempts to gain access to physical and network drives attached to the victim's system and
recursively enumerate through the drive’s contents. When the malware identifies a file, it overwrites the file's contents with NULL bytes,
renames the file with a randomly generated file name (Figure 2), then deletes the file, making forensic recovery impossible.

If the malware is able to overwrite, rename and delete the file, the CMD window will display a “Break>" status. If the malware is only able to
delete the file, the CMD window will display a “Del>" status (Figure 3).

Once the malware has completed deleting files, the system is rebooted. If the malware has executed successfully, the system is rendered
inoperative.


-----

**ScreenshotsFigure 1. Example of code used to disable "System Event Notification" and "Alerter" services.**


**Figure 1 - Example of code used to disable "System Event Notification" and "Alerter" services.**


-----

**Figure 2 - The malware renaming a file to a randomly generated file name.**

Figure 3. The CMD window displaying deletion status of the victim's data.

**Figure 3 - The CMD window displaying deletion status of the victim's data.**


-----

## Recommendations

NCCIC would like to remind users and administrators of the following best practices to strengthen the security posture of their organization's
systems:
Maintain up-to-date antivirus signatures and engines.
Restrict users' ability (permissions) to install and run unwanted software applications.
Enforce a strong password policy and implement regular password changes.
Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
Keep operating system patches up-to-date.
Enable a personal firewall on agency workstations.
Disable unnecessary services on agency workstations and servers.
Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the
file header).
Monitor users' web browsing habits; restrict access to sites with unfavorable content.
Exercise caution when using removable media (e.g., USB thumbdrives, external drives, CDs, etc.).
Scan all software downloaded from the Internet prior to executing.
Maintain situational awareness of the latest threats; implement appropriate ACLs.

## Contact Information

1-888-282-0870
NCCICCustomerService@us-cert.gov (UNCLASS)
us-cert@dhs.sgov.gov (SIPRNET)
us-cert@dhs.ic.gov (JWICS)

NCCIC continuously strives to improve its products and services. You can help by answering a very short series of questions about this
product at the following URL: https://us-cert.gov/forms/feedback/

## Document FAQ

**What is a MAR? A Malware Analysis Report (MAR) includes results from both automated analysis and manual reverse engineering. In most**
instances this report will provide indicators for computer and network defense. To request additional analysis, please contact US-CERT and
provide information regarding the level of desired analysis.

**Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document**
should be directed to the US-CERT Security Operations Center at 1-888-282-0870 or soc@us-cert.gov.

**Can I submit malware to NCCIC? Malware samples can be submitted via three methods:**
Web: https://malware.us-cert.gov
E-Mail: submit@malware.us-cert.gov
FTP: ftp.malware.us-cert.gov (anonymous)

NCCIC encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities,
and phishing-related scams. Reporting forms can be found on US-CERT's homepage at www.us-cert.gov.


## TLP: WHITE


-----