{
	"id": "6ba30e0b-707a-453e-aba8-fcc7855173c4",
	"created_at": "2026-04-06T00:12:38.946089Z",
	"updated_at": "2026-04-10T03:38:06.326652Z",
	"deleted_at": null,
	"sha1_hash": "4e27d72191af3fec3eb763f4e618ccc88c0bde93",
	"title": "Return to ROKRAT!! (feat. FAAAA...Sad...)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 112295,
	"plain_text": "Return to ROKRAT!! (feat. FAAAA...Sad...)\r\nBy velocy\r\nPublished: 2018-11-16 · Archived: 2026-04-05 22:21:50 UTC\r\nSimple Analysis blog\r\nvelocy 2018. 11. 16. 15:42\r\nOn 2018-11-16, an HWP file named \"※ 기 록 부.hwp\" was caught by a VirusTotal hunting rule.\r\nThe HWP file is assessed to be malware of the type known as ROKRAT, used by the RedEyes / ScarCruft group.\r\n * RedEyes, ScarCruft: an attack group that carries out both data theft and destruction against well-known institutions and political organizations in Korea.\r\nOpening \"※ 기 록 부.hwp\" shows that the document is filled with meaningless values.\r\nhttp://v3lo.tistory.com/24\r\nPage 1 of 8\r\n\r\nThe HWP file above uses \"BIN0001.eps\" to inject the malicious code.\r\nIt creates the files \"Pemnn01.hje01\" and \"Pemnn02.hje01\" under %APPDATA% and combines the two into \"MemoryOrder85584031.com\".\r\nThe generated file attempts thread injection into cmd.exe; the injected binary is XOR-decrypted before use.\r\nXor key : 0x4A\r\nThe malware injected at this point is identical to the code analysed in the earlier post \"ROKRAT is BACK\".\r\nThe Token value used in this sample is \"tgaNZQXaLAwmirSFZfdPhI7ZCC8LqqvoBSkBdhfC5Fzw1SFeOr70\".\r\nAs with the previous malware, if it runs in a sandbox or virtual environment the machine is rebooted and the MBR is destroyed.\r\n[Addendum]\r\nalyac currently names this case Operation KoreanSword.\r\n[IOC]\r\n[HWP File]\r\nFileName : \r\nAuthor : (주)한글과컴퓨터\r\nLast Saved By : User1\r\nCreate Time/Date : 2004-11-26 06:23:46.535000 (UTC)\r\nLast saved Time/Date : 2018-11-16 02:54:41.390000 (UTC)\r\nMD5 : 804a8c076b4aaa2e21ab4f06453d1c4e\r\nSHA-1: 35eda3c7aedcfaa69e4b2ad0f613eb587a519960\r\nSHA-256: d0cac300272954919538888c2e8b2be81113a60fa0bbb1d4a5a0a0367037050e\r\n[Drop File]\r\nFilename : %APPDATA%\\\\MemoryOrder85584031.com\r\nTimeStamp : 2018-11-14 15:47:51 (UTC)\r\nMD5: 80a2a804e12ad9c039c3de1466fac46f\r\n[Injection File]\r\nTimeStamp : 2018-11-07 07:06:11 (UTC)\r\nMD5: fb80235fbf92da08bc8bcddd241c3d42\r\nToken: tgaNZQXaLAwmirSFZfdPhI7ZCC8LqqvoBSkBdhfC5Fzw1SFeOr70\r\n[Similar malware]\r\n[HWP File]\r\nFileName : 7주 신뢰와 배려의 커뮤니케이션.hwp\r\nAuthor : gichang\r\nLast Saved By : User1\r\nCreate Time/Date : 2014-02-26 13:45:17.799000 (UTC)\r\nLast saved Time/Date : 2018-08-29 00:22:26.729000 (UTC)\r\nMD5 : 3f92afe96b4cfd41f512166c691197b5\r\nSHA-1: eeae06fc31982f992993ef0ff12e2d94981d9bff\r\nSHA-256: 51e35a7a4e2c49670ecfba7b55045cfa893aa1459246fa5b23ff0bba91225b76\r\n[Decoded File (Themida)]\r\nFilename : %APPDATA%\\\\WinUpdate148399843\r\nTimeStamp : 2018-08-28 01:22:27 (UTC)\r\nMD5: 6ec89edfffdb221a1edbc9852a9a567a\r\nSHA-1: 52976314913289a61282ee1f172a30cce29147ac\r\nSHA-256: 98498b97b7cdce9dd6b1a83057e47bd74dc2be5bb12f42ce505981bff093de73\r\n[Injection File]\r\nTimeStamp : 2018-08-28 01:13:58 (UTC)\r\nMD5: 7a751874ea5f9c95e8f0550a0b93902d\r\nSHA-1: 41a3e61adf853edaddc999e547a246cc4c173480\r\nSHA-256: f885c37b3368faf2ae11d70e15aa75a641de9357dda038d875fe5513d9841582\r\nToken: VdZhAhd9YXAAAAAAAAAACQaGEx0mpQnzlWKtxGGNveuPx0XtDTzynRk4fnra1-9E\r\nThanks to kino, savNi\r\nCopyright 2018. (YEJUN KIM) all rights reserved.\r\nCopyright 2018. (YEJUN KIM) All pictures cannot be copied without permission.\r\nSource: http://v3lo.tistory.com/24",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://v3lo.tistory.com/24"
	],
	"report_names": [
		"24"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434358,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e27d72191af3fec3eb763f4e618ccc88c0bde93.pdf",
		"text": "https://archive.orkl.eu/4e27d72191af3fec3eb763f4e618ccc88c0bde93.txt",
		"img": "https://archive.orkl.eu/4e27d72191af3fec3eb763f4e618ccc88c0bde93.jpg"
	}
}