{
	"id": "f19d8683-3121-4150-a205-65ab95846da7",
	"created_at": "2026-04-06T00:14:11.043368Z",
	"updated_at": "2026-04-10T13:12:13.793716Z",
	"deleted_at": null,
	"sha1_hash": "6d83deba61a70b59ad085ba18539057a9bbfba62",
	"title": "Another country-sponsored #malware: Vietnam APT Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1678349,
	"plain_text": "Another country-sponsored #malware: Vietnam APT Campaign\r\nPublished: 2014-08-24 · Archived: 2026-04-05 17:45:40 UTC\r\nThis is a team-work analysis; at least 5 (five) members were involved in this investigation.\r\nThe case explained here is an APT case. Until now we were (actually) avoiding APT cases for publicity in Malware Must Die! posts. But due to recent developments in \"public privacy violation or power-abuse/bullying\" malware cases, we revised our policy: cases that fit \"a certain condition\", i.e. malware developed by \"powerful actors with budget\" aiming at weak victims, including the APT method, or intimidation for public privacy cases using crafted malware, are going to be disclosed and reported here \"ala MMD\", along with the public criminal threat too. So don't use malware if you don't want to look BAD :-)\r\nThis case is NOT a new threat. The background of this threat was written up in the Infosec Island blog by Eva Galperin and Morgan Marquis-Boire in the good article \"Vietnamese Malware Gets Very Personal\", posted several months ago, accessible here--\u003e[LINK]; the post was very well written as a heads-up for this threat. There is also a similar article on this threat that is worth reading beforehand:\r\nhttp://www.nytimes.com/aponline/2014/01/20/world/asia/ap-as-vietnam-online-wars.html\r\nYou can consider this post as an addition to the previous writings, disclosing in more depth what the public and the victims actually SHOULD know about the malicious activity performed by this malware, so as to be better prepared for similar attacks that may occur in the future.\r\nWe suspect a group with a good budget is behind this malware, targeting and bullying the privacy of specific individuals who are against one country's political method. 
At a glance, the malware, which is trying hard to look like a common threat, looks like a simple backdoor \u0026 connecting/sending some stuff to a CNC. But if you look closely at the way it works, you will be amazed by the technique used to fulfill its purpose, and SPYING is the right word for that purpose.\r\nThe sample we analyzed in this post was received from the victims' side. We picked the file called \"Thu moi.7z\", which contains the \"Thu moi.hta\" snipped below:\r\n..which was reported as the latest of this series.\r\nOn the surface, if the \"Thu moi.hta\" file is executed (double clicked), it will extract (drop) and open a Microsoft Word DOC file, to camouflage the attack and make the victim believe they are opening an archived document file, while what actually happened is that, in the background, a series of infection activities took place on the victim's PC.\r\nMalware installer scheme\r\nThe file is extracted from \"Thu moi.hta\" by a simple embedded VB Script; you can see it start at line 307 (of that .hta sample file), as shown below in any text editor you pick:\r\nhttp://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html\r\nPage 1 of 30\n\nAt the starting part of this script you can see three points used for camouflage: (1) the use of long white space to hide the evil script's start tag from eyesight, (2) the effort to minimize the \"window\" of the shell used to run this evil VB Script, and (3) the effort to NOT show the window in the taskbar while the script runs.\r\nI will try to peel the evil script apart, with the explanation I commented within the lines, as per below:\r\nSo, the script was designed to keep on running through any run-time error. You will meet the function forming the randomized string for an \"exe\" filename. 
You can see how this script generates the \"random seed\" used to randomize the string used for the filename, and how it merges the filename with the \".exe\" extension afterwards. Then the script obfuscates the WScript (the Windows OS interpreter engine for running a VB Script) commands that form a file system object, and the shell for executing Windows command/executable file(s).\r\nLines 48 \u0026 49 of the script declare the file object \u0026 shell mentioned above in the variables \"os\" and \"ws\", followed by defining the Windows temporary folder as the file's path, with the function's generated randomized name added as filename+extension. To make sure of what values these variables generate, I am using break points formed by a Wscript.Echo trick to burp the value in a pop-up.\r\nThe VB Script creates the EXE file as described above and declares it as object \"p1\". Then you can see a blob of binary code to be written as HEX to form a file, using a combination of commands in VB script. This method is commonly used as a technique to write a malware binary in VB Script, but this one is a well-thought-out one.\r\nThe next lines show the same method used for HEX file-writing. Yes, it writes another file, declaring it as object \"p\", but this one uses the static name \"Doc Loi.doc\" and the %Temp% path too (note: GetSpecialFolder(x) where x=2 means %Temp%).\r\nHere's the punchline: in the last part of the code (lines 116 and 117) you will see the script execute object \"p\" (the .doc file) and, without waiting, just run \"p1\" (the .exe malware).\r\nWe recheck the run result of every decoding method we did. 
In this case I just commented out lines 116 and 117 and..as expected, this script runs and minimizes the window w/o a taskbar title:\r\nAnd it creates those two files (before execution). I ran it many times for fun..NO! ..for \"analysis\" (Uhm!), so I could extract the randomized injected files to check whether it is polymorphic or not (and..of course..it is not, NOT with this plain Hex-writing crap).\r\nFurther, we also formed the binary by injecting it from the hex strings directly from the script, as snipped below, to study the possibility of a mis-write happening during the PE extraction; the test gave the same result. A snip of the scratch used (thanks to MMD DE team):\r\nWe also checked bit-by-bit to make sure which samples belong to which installers, since this malware looks to have hit some victims more than one time.\r\nSo what does this \".exe\" malware do?\r\nPolymorphic self-copy \u0026 new process spawner\r\nI picked the .exe file dropped by this .hta installer with the MD5 hash f38d0fb4f1ac3571f07006fb85130a0d; this malware was uploaded to VT about 7 months ago.\r\nThe malware is the one dropped by the installer; you can see the same last bits before the blobs of \"00\" hex were written into the malware binary, as snipped and red-marked in the VB script mentioned in the previous section:\r\nThis binary has interesting functionality. There's so much to write about it..but I will go to the important highlights, or this post is going to be a book. Among all the usual malicious evasion \u0026 \"reverse/debug checking\" tricks used, it was designed to detect the way it was called. 
When it is initially executed in the form of the .exe dropped from the .hta installer, it will delete the original file and rewrite itself to the %Temp% folder using a random Hex filename with the \".tmp\" extension; below is a partial snip of the writing code for it:\r\nThe self-copied files are polymorphic; below is some PoC, one AV-detection evasion by design:\r\nSize Exec Date Filename MD5\r\n-------------------------------------------------------------\r\n438272 Aug 23 01:28 10.tmp* 577237bfd9c40e7419d27b7b884f95d3\r\n438272 Aug 23 07:22 17.tmp* 9451a18db0c70960ace7d714ac0bc2d2\r\n438272 Aug 23 07:36 18.tmp* 53d57a45d1b05dce56dd139fc985c55e\r\n438272 Aug 23 07:39 19.tmp* 387321416ed21f31ab497a774663b400\r\n438272 Aug 23 07:43 1A.tmp* 0a65ecc21f16797594c53b1423749909\r\n438272 Aug 23 07:44 1B.tmp* 91a49ed76f52d5b6921f783748edab01\r\n438272 Aug 23 07:44 1C.tmp* f89571efe231f9a05f9288db84dcb006\r\n438272 Aug 23 07:45 1D.tmp* 7ca95b52ed43d71e2d6a3bc2543b4ee1\r\n438272 Aug 23 07:46 1E.tmp* faec9c62f091dc2163a38867c28c224d\r\n438272 Aug 23 07:47 1F.tmp* 4b02063c848181e3e846b59cbb6b3a46\r\n438272 Aug 23 08:14 20.tmp* 5c8f2f581f75beff1316eee0b5eb5f6d\r\n438272 Aug 23 01:19 F.tmp* b466cb01558101d934673f56067f63aa\r\n: :\r\nIt'll then create the process (with the command line API), which is executed in the function reversed below. I kept the default IDA comment information since it is important for all of us (not only reversers) to understand the flow used below; please bear with the length, or just scroll down to skip this assembly explanation (unless you are interested to know how it works):\r\n0x40BF20 sub_40BF20 proc near\r\n0x40BF20\r\n0x40BF20 StartupInfo= _STARTUPINFOW ptr -8508h\r\n0x40BF20 ProcessInformation= _PROCESS_INFORMATION ptr -84C4h\r\n0x40BF20 var_84B4= dword ptr -84B4h\r\n0x40BF20 CommandLine= word ptr -84B0h\r\n0x40BF20 FileName= word ptr -4B0h\r\n0x40BF20 ApplicationName= dword ptr -2A8h\r\n0x40BF20 var_A0= dword ptr -0A0h\r\n0x40BF20 var_1C= dword ptr -1Ch\r\n0x40BF20 var_18= dword ptr -18h\r\n0x40BF20 var_10= dword ptr -10h\r\n0x40BF20 var_8= dword ptr -8\r\n0x40BF20 var_4= dword ptr -4\r\n0x40BF20 arg_8= dword ptr   10h\r\n0x40BF20\r\n0x40BF20 push     ebp\r\n0x40BF21 mov      ebp , esp\r\n0x40BF23 push     0FFFFFFFEh\r\n0x40BF25 push     offset unk_4284D0\r\n0x40BF2A push     offset sub_416480\r\n0x40BF2F mov      eax , large fs :0\r\n0x40BF35 push     eax\r\n0x40BF36 sub      esp , 8\r\n0x40BF39 mov      eax , 84F0h\r\n0x40BF3E call     sub_4207F0\r\n0x40BF43 mov      eax , dword_42A520\r\n0x40BF48 xor      [ ebp +var_8], eax\r\n0x40BF4B xor      eax , ebp\r\n0x40BF4D mov      [ ebp +var_1C], eax\r\n0x40BF50 push     ebx\r\n0x40BF51 push     esi\r\n0x40BF52 push     edi\r\n0x40BF53 push     eax\r\n0x40BF54 lea      eax , [ ebp +var_10]\r\n0x40BF57 mov      large fs :0, eax\r\n0x40BF5D mov      [ ebp +var_18], esp\r\n0x40BF60 mov      esi , [ ebp +arg_8]\r\n0x40BF63 xor      ebx , ebx\r\n0x40BF65 push     ebx\r\n0x40BF66 call     ds :CoInitialize\r\n0x40BF6C mov      [ ebp +var_4], ebx\r\n0x40BF6F push     6\r\n0x40BF71 push     offset aHelp\r\n0x40BF76 push     esi\r\n0x40BF77 call     sub_41196F\r\n0x40BF7C add      
esp , 0Ch\r\n0x40BF7F test     eax , eax\r\n0x40BF81 jz       loc_40C13E\r\n:\r\n0x40BF87 call     sub_409740\r\n0x40BF8C xor      eax , eax\r\n0x40BF8E mov      [ ebp +FileName], ax\r\n0x40BF95 push     206h\r\n0x40BF9A push     ebx\r\n0x40BF9B lea      ecx , [ ebp -4AEh]\r\n0x40BFA1 push     ecx\r\n0x40BFA2 call     sub_412510\r\n0x40BFA7 add      esp , 0Ch\r\n0x40BFAA push     104h\r\n0x40BFAF lea      edx , [ ebp +FileName]\r\n0x40BFB5 push     edx\r\n0x40BFB6 push     ebx\r\n0x40BFB7 call     ds :GetModuleFileNameW\r\n0x40BFBD test     eax , eax\r\n0x40BFBF jz       loc_40C15D\r\n:\r\n0x40BFC5 xor      eax , eax\r\n0x40BFC7 mov      word ptr [ ebp +ApplicationName], ax\r\n0x40BFCE push     206h\r\n0x40BFD3 push     ebx\r\n0x40BFD4 lea      ecx , [ ebp +ApplicationName+2]\r\n0x40BFDA push     ecx\r\n0x40BFDB call     sub_412510\r\n0x40BFE0 add      esp , 0Ch\r\n0x40BFE3 lea      edx , [ ebp +ApplicationName]\r\n0x40BFE9 push     edx\r\n0x40BFEA push     104h\r\n0x40BFEF call     ds :GetTempPathW\r\n0x40BFF5 test     eax , eax\r\n0x40BFF7 jz       loc_40C15D\r\n:\r\n0x40BFFD lea      eax , [ ebp +ApplicationName]\r\n0x40C003 push     eax\r\n0x40C004 push     ebx\r\n0x40C005 push     ebx\r\n0x40C006 mov      ecx , eax\r\n0x40C008 push     ecx\r\n0x40C009 call     ds :GetTempFileNameW\r\n0x40C00F test     eax , eax\r\n0x40C011 jz       loc_40C15D\r\n:\r\n0x40C017 call     sub_4079C0\r\n0x40C01C test     eax , eax\r\n0x40C01E jz       loc_40C15D\r\n:\r\n0x40C024 mov      byte ptr [ ebp +var_A0], bl\r\n0x40C02A push     80h\r\n0x40C02F 
push     ebx\r\n0x40C030 lea      edx , [ ebp +var_A0+1]\r\n0x40C036 push     edx\r\n0x40C037 call     sub_412510\r\n0x40C03C add      esp , 0Ch\r\n0x40C03F mov      [ ebp +var_84B4], 81h\r\n0x40C049 lea      edx , [ ebp +var_84B4]\r\n0x40C04F lea      eax , [ ebp +var_A0]\r\n0x40C055 call     sub_40A300\r\n0x40C05A test     eax , eax\r\n0x40C05C jz       loc_40C15D\r\n:\r\n0x40C07B xor      eax , eax\r\n0x40C07D mov      [ ebp +CommandLine], ax\r\n0x40C084 push     7FFEh\r\n0x40C089 push     ebx\r\n0x40C08A lea      ecx , [ ebp -84AEh]\r\n0x40C090 push     ecx\r\n0x40C091 call     sub_412510\r\n0x40C096 lea      edx , [ ebp +var_A0]\r\n0x40C09C push     edx\r\n0x40C09D lea      eax , [ ebp +FileName]\r\n0x40C0A3 push     eax\r\n0x40C0A4 lea      ecx , [ ebp +ApplicationName]\r\n0x40C0AA push     ecx\r\n0x40C0AB push     offset aSHelpSS\r\n0x40C0B0 push     4000h\r\n0x40C0B5 lea      edx , [ ebp +CommandLine]\r\n0x40C0BB push     edx\r\n0x40C0BC call     sub_411448\r\n0x40C0C1 mov      [ ebp +StartupInfo.cb], ebx\r\n0x40C0C7 push     40h\r\n0x40C0C9 push     ebx\r\n0x40C0CA lea      eax , [ ebp +StartupInfo.lpReserved]\r\n0x40C0D0 push     eax\r\n0x40C0D1 call     sub_412510\r\n0x40C0D6 add      esp , 30h\r\n0x40C0D9 mov      [ ebp +StartupInfo.cb], 44h\r\n0x40C0E3 xor      ecx , ecx\r\n0x40C0E5 mov      [ ebp +StartupInfo.wShowWindow], cx\r\n0x40C0EC mov      [ ebp +StartupInfo.dwFlags], 1\r\n0x40C0F6 mov      [ ebp +ProcessInformation.hProcess], ebx\r\n0x40C0FC xor      eax , eax\r\n0x40C0FE mov      [ ebp +ProcessInformation.hThread], eax\r\n0x40C104 mov      [ ebp +ProcessInformation.dwProcessId], eax\r\n0x40C10A mov      [ ebp +ProcessInformation.dwThreadId], eax\r\n0x40C110 lea      edx , [ ebp +ProcessInformation]\r\n0x40C116 push     edx\r\n0x40C117 lea      eax , [ ebp +StartupInfo]\r\n0x40C11D push     eax\r\n0x40C11E push     ebx\r\n0x40C11F push     ebx\r\n0x40C120 push     8000000h\r\n0x40C125 push     ebx\r\n0x40C126 push     ebx\r\n0x40C127 push     ebx\r\n0x40C128 lea      ecx , [ ebp +CommandLine]\r\n0x40C12E push     ecx\r\n0x40C12F lea      edx , [ ebp +ApplicationName]\r\n0x40C135 push     edx\r\n0x40C136 call     ds :CreateProcessW\r\n0x40C13C jmp      short loc_40C15D\r\nIf the .hta-dropped malware is named \"sample.exe\", a new process will be started by launching a command line containing the parameters described below:\r\n\"CreateProcessW\" , \"C:\\DOCUME~1\\...\\LOCALS~1\\Temp\\RANDOM[0-9A-F]{1,2}.tmp\" , \"SUCCESS|FAIL\" ,\"PID: xxx,\r\nCommand line: \"\" C :\\DOCUME~1\\...\\LOCALS~1\\Temp\\RANDOM[0-9A-F]{1,2}.tmp \"\" \\n\r\n--helpC:\\DOCUME~1\\...\\LOCALS~1\\Temp\\sample.exe \\n\r\nBCE6D32D8CD4F1E6A1064F66D561FDA47E0CD5F8F330C4856A250BB104BC18320FF75E6E56A1741C6770AD238DCFD23DD8A82DDF332FDC8110972549\r\nThe decryption function used is as per below:\r\nAnd this malware will end its own process here, leaving the new process that has just been started running..\r\nMore drops \u0026 payload installation\r\nThe process RANDOM[0-9A-F]{1,2}.tmp starts by allocating 
memory, loading rpcss.dll, uxtheme.dll and MSCTF.dll before self-deleting the dropper .exe. The code snip for the deletion is as per below; this isn't an easy operation either, it checks whether the file is really there, and if not it makes sure it is there..\r\n0x40A648 push     edi\r\n0x40A649 call     ds :PathFileExistsW\r\n:\r\n0x40A657 push     0Ah\r\n0x40A659 push     65h\r\n0x40A65B push     ebx\r\n0x40A65C call     ds :FindResourceW\r\n0x40A662 mov      esi , eax\r\n0x40A664 cmp      esi , ebx\r\n0x40A666 jz       loc_0x40A7CB\r\n:\r\n0x40A7CB loc_0x40A7CB:\r\n0x40A7CB push     edi\r\n0x40A7CC call     ds :DeleteFileW\r\n0x40A7D2 mov      [ ebp +var_18], 1\r\n0x40A779 mov      ecx , [ ebp +lpFile]\r\n0x40A77C mov      edx , [ ebp +lpExistingFileName]\r\n0x40A77F push     ecx\r\n0x40A780 push     edx\r\n:\r\n0x40A78B mov      eax , [ ebp +lpFile]\r\n0x40A78E push     1\r\n0x40A790 push     ebx\r\n0x40A791 push     ebx\r\n0x40A792 push     eax\r\n0x40A793 push     ebx\r\n0x40A794 push     ebx\r\n0x40A795 call     ds :ShellExecuteW\r\n0x40A79B mov      [ ebp +var_18], 1\r\n:\r\n..up to this point I know that we're dealing with a tailor-made malware.\r\nBack to the highlights: RANDOM[0-9A-F]{1,2}.tmp, executed under the right condition, will drop the payloads of this threat; the first drop is the real-deal payload, followed by the second drop as its driver. 
The file creation of the first payload is handled in function 0x41FC90, with the related snip below:\r\n0x41FEAF mov      eax , [ ebp +arg_0]\r\n0x41FEB2 mov      edi , ds :CreateFileW\r\n0x41FEB8 push     0\r\n0x41FEBA push     [ ebp +dwFlagsAndAttributes]\r\n0x41FEBD mov      dword ptr [ eax ], 1\r\n0x41FEC3 push     [ ebp +dwCreationDisposition]\r\n0x41FEC6 lea      eax , [ ebp +SecurityAttributes]\r\n0x41FEC9 push     eax\r\n0x41FECA push     [ ebp +dwShareMode]\r\n0x41FECD push     [ ebp +dwDesiredAccess]\r\n0x41FED0 push     [ ebp +lpFileName]\r\n0x41FED3 call     edi\r\n0x41FED5 mov      [ ebp +hHandle], eax\r\nAnd the writing of this file is done in function 0x418EC2 after deobfuscating the data part, as snipped here:\r\n0x418FB9 mov      eax , [ eax +6Ch]\r\n0x418FBC xor      ecx , ecx\r\n0x418FBE cmp      [ eax +14h], ecx\r\n0x418FC1 lea      eax , [ ebp +CodePage]\r\n0x418FC7 setz     cl\r\n0x418FCA push     eax\r\n0x418FCB mov      eax , [ ebx ]\r\n0x418FCD push     dword ptr [ edi + eax ]\r\n0x418FD0 mov      esi , ecx\r\n0x418FD2 call     ds :GetConsoleMode\r\n: (etc etc)\r\n0x4194F0 push     ecx\r\n0x4194F1 lea      ecx , [ ebp +var_1AD8]\r\n0x4194F7 push     ecx\r\n0x4194F8 push     [ ebp +nNumberOfBytesToWrite]\r\n0x4194FB push     [ ebp +lpBuffer]\r\n0x419501 push     dword ptr [ eax + edi ]\r\n0x419504 call     ds :WriteFile\r\n0x41950A test     eax , eax\r\n0x41950C jz       short loc_0x419523\r\n:\r\n0x419523 call     ds 
:GetLastError\r\n0x419529 mov      dword ptr [ ebp +WideCharStr],\r\nWe recorded this drop operation the forensics way too, as evidence, as per below:\r\nAs you can see, the writing method is in redundancy per 4096 bytes.\r\nThis first drop, called defrag.exe, looks pretty much like the Windows hard disk defragmentation tool, down to its properties; a perfectly crafted evil file:\r\nOnly by using a good static binary analysis tool like PEStudio (maker: Marc Ochsenmeier) can we spot and focus the investigation on the badness indicators right away:\r\n@MalwareMustDie Thx for using PEStudio for your investigation. In that case, PEStudio indicating that the image is a fake Microsoft EXE! :-)\r\n— Marc Ochsenmeier (@ochsenmeier) August 25, 2014\r\nThe next drop is the next task of this binary. Note that none of these drops were fetched from the internet; instead the data is already included in the .hta or .[random].exe or [random.tmp].\r\nUsing exactly the same functions described above, 0x41FC90 for creation and 0x418EC2 for writing, the second drop operation was also performed. 
The file name is formed as per the strings below:\r\n\"%USERPROFILE%\\AppData\\Identities\\{RANDOM-ID}\\disk1.img\"\r\nlike:\r\n\"C:\\Documents and Settings\\MMD\\Application Data\\Identities\\{116380ff-9f6a-4a90-9319-89ee4f513542}\\disk1.img\"\r\nThe forensics PoC is:\r\nThis file is actually a DLL file; here's some peframe output:\r\nFile Name: disk1.img\r\nPE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit\r\nFile Size: 249344 byte\r\nCompile Time: 2010-08-14 17:16:08\r\n\"DLL: True\"\r\nEntry Point: 0x0001BBD1\r\nSections: 4\r\nMD5 hash: 62646ea0a4ce1e6d955cbaef8c4a510d\r\nSHA-1 hash: 10116a65e19a7ebc6702250cc1caabf755ce8e7f\r\nAnti Debug: Yes\r\nAnti VM: None\r\nAnd VirusTotal shows the good infection info:\r\nFirst submission 2013-03-11 10:38:19 UTC ( 1 year, 5 months ago )\r\nLast submission 2014-01-21 12:49:00 UTC ( 7 months ago )\r\nFile names disk1.dl, disk1.img\r\nThis file then performs registry query and write operations. I will skip some assembly for this; in short, these are the 8 keys added, below is data I snipped from the forensics result:\r\nWe can see the autostart, and the way it camouflages malicious data in the registry using legit scattered software and Windows components. 
Like: Auslogic (RecoveryDataStore), Photo Viewer, Disk Defragment Module, Microsoft Remote Assistance. All this is meant to hide the malware and prevent it being quickly noticed on the infected PC; it is a well-thought-out plan.\r\nTo be noted: one of the keys is used to run defrag.exe via ShellExecuteW by the [Random].tmp file, and you can also see the \"key\" used for this malware saved; one last thing to notice is the bot ID used.\r\nPS: There are also more drops made, which are the Windows task installers for this malware:\r\nC:\\Windows\\Tasks\\ScheduledDefrag.job\r\nC:\\Windows\\Tasks\\ScheduledDefrag_admin.job\r\nIt is the Windows scheduler (kinda crond) that executes the EXE payload (defrag.exe). Pic:\r\nWhat this payload does\r\nThe first thing that caught interest and attention is these obfuscated constant variables saved in the .rdata section:\r\n0x40F3AC\r\n0x40F3AC aTztxpx75Xtdsjq:\r\n0x40F3AC unicode 0, \u003c \"tztxpx75]xtdsjqu/fyf\" \u003e,0\r\n0x40F3D6 align 4\r\n0x40F3D8\r\n0x40F3D8 aTztufn43Xtdsjq:\r\n0x40F3D8 unicode 0, \u003c \"tztufn43]xtdsjqu/fyf\" \u003e,0\r\n0x40F402 align 4\r\n0x40F404\r\n0x40F404 a2e6g3ddEmm:\r\n0x40F404 unicode 0, \u003c \"2e6g3dd/emm\" \u003e,0\r\n0x40F430\r\n0x40F430 aQsphsbnGjmftY9:\r\n0x40F430 unicode 0, \u003c \"Qsphsbn!Gjmft!)y97*]Joufsofu!Fyqmpsfs]jfmpxvujm/fyf\" \u003e,0\r\n0x40F498\r\n0x40F498 aQsphsbnGjmftNf:\r\n0x40F498 unicode 0, \u003c \"Qsphsbn!Gjmft]Nfttfohfs]ntntht/fyf\" \u003e,0\r\n0x40F4DE align 10h\r\n0x40F4E0\r\n0x40F4E0 aQsphsbnGjmft_0:\r\n0x40F4E0 unicode 0, \u003c \"Qsphsbn!Gjmft!)y97*]Joufsofu!Fyqmpsfs]jfyqmpsf/fyf\" \u003e,0\r\n0x40F546 align 4\r\n0x40F548\r\n0x40F548 aQsphsbnGjmftJo:\r\n0x40F548 unicode 0, \u003c \"Qsphsbn!Gjmft]Joufsofu!Fyqmpsfs]jfyqmpsf/fyf\" \u003e,0\r\n0x40F5A2 align 4\r\nWe have a good decoder team in MMD. Soon these data were translated as per below:\r\nWhen these data are formed in the functions where they are called, we will have a better idea of WHY these strings were obfuscated. This time we will take a look at the dump analysis in disassembly, to seek the executed code parts only:\r\n0x0C22D37 call 0x0C28720h target: 0x0C28720\r\n0x0C22D3C add esp , 0Ch\r\n0x0C22D3F push 0x0C2F404h \u003c== UTF-16 \"2e6g3dd/emm\"\r\n0x0C22D44 lea edx , dword ptr [ ebp -00000084h]\r\n0x0C22D4A push edx\r\n0x0C22D4B call dword ptr [0x0C2D06Ch] lstrcpyW@KERNEL32.DLL\r\n0xC2207C lea ecx , dword ptr [ ebp -00000802h]\r\n0xC22082 push ecx\r\n0xC22083 mov word ptr [ ebp -00000804h], ax\r\n0xC2208A call 00C28720h target: 00C28720\r\n0xC2208F add esp , 0Ch\r\n0xC22092 push 00C2F278h \u003c== UTF-16 \"Tpguxbsf]Bvtmphjdt]|11111111.1111.1111.1111.111111111111~]SfdpwfszEbubTupsf\"\r\n0x0C22A4E call ebx   PathFileExistsW@SHLWAPI.DLL ( Import , 1 Params)\r\n0x0C22A50 test eax , eax\r\n0x0C22A52 jne 0x0C22AB8h target: 0x0C22AB8\r\n0x0C22A54 push 0x0C2F4E0h \u003c== UTF-16 \"Qsphsbn!Gjmft!)y97*]Joufsofu!Fyqmpsfs]jfyqmpsf/fyf\"\r\n0x0C22625 xor eax , eax\r\n0x0C22627 push 0000007Eh\r\n0x0C22629 push eax\r\n0x0C2262A lea ecx , dword ptr [ ebp -0x000086h]\r\n0x0C22630 push ecx\r\n0x0C22631 mov word ptr [ ebp -0x000088h], ax\r\n0x0C22638 call 0x0C28720h target: 0x0C28720\r\n0x0C2263D mov esi , dword ptr [0x0C2D06Ch] lstrcpyW@KERNEL32.DLL\r\n0x0C22643 add esp , 0Ch\r\n0x0C22646 push 0x0C2F360h \u003c== UTF-16 \"//]tlzqf/fyf\"\r\n0x0C2264B lea edx , dword ptr [ ebp -0x000088h]\r\n0x0C22651 push edx\r\n0x0C22652 call esi   lstrcpyW@KERNEL32.DLL\r\n0x0C229DB push edx\r\n0x0C229DC call ebx   PathFileExistsW@SHLWAPI.DLL\r\n0x0C229DE test eax , eax\r\n0x0C229E0 jne 0x0C22A46h target: 0x0C22A46\r\n0x0C229E2 push 0x0C2F498h \u003c== UTF-16 \"Qsphsbn!Gjmft]Nfttfohfs]ntntht/fyf\"\r\n0x0C229E7 lea eax , dword ptr [ esp +74h]\r\n0x0C229EB push eax\r\n0x0C229EC call esi   lstrcpyW@KERNEL32.DLL\r\n0x0C22876 call dword ptr [0x0C2D090h] GetVersion@KERNEL32.DLL ( Import , 0 Params)\r\n0x0C2287C mov esi , dword ptr [0x0C2D06Ch] lstrcpyW@KERNEL32.DLL ( Import , 2 Params)\r\n0x0C22882 push 0x0C2F3ACh \u003c== UTF-16 \"tztxpx75]xtdsjqu/fyf\" ; DECODED: \"syswow64\\wscript.exe\"\r\n0x0C22887 lea eax , dword ptr [ esp +74h]\r\n0x0C2288B push eax\r\n0x0C2288C call esi   lstrcpyW@KERNEL32.DLL ( Import , 2 Params)\r\nI found this function interesting: the username \"Administrator\" and SUID \"system\" are checked:\r\n0x0C21FAB xor bl , bl\r\n0x0C21FAD call dword ptr [0xC2D00Ch] GetUserNameW@ADVAPI32.DLL ( Import , 2 Params)\r\n0x0C21FB3 test eax , eax\r\n0x0C21FB5 je 0x0C21FCEh target: 0xC21FCE\r\n0x0C21FB7 push 0x0C2F22Ch \u003c== UTF-16 \"system\"\r\n0x0C21FBC lea ecx , dword ptr [ ebp -0x000204h]\r\n0x0C21FC2 push ecx\r\n0x0C21AC9 call dword ptr [0x0C2D014h] LookupAccountSidW@ADVAPI32.DLL\r\n0x0C21ACF test eax , eax\r\n0x0C21AD1 je 0x0C21AFDh target: 0x0C21AFD\r\n0x0C21AD3 lea ecx , 
dword ptr [ ebp -0x000204h]\r\n0x0C21AD9 push ecx\r\n0x0C21ADA push 0x0C2F1FCh \u003c== UTF-16 \"administrators\"\r\n0x0C21ADF call dword ptr [0x0C2D030h] lstrcmpiW@KERNEL32.DLL\r\n0x0C21AE5 test eax , eax\r\nSuspicious, isn't it?\r\nI went back to the binary to understand the related function, which is at 0x4027F0. I was wondering what the wscript.exe part (not again!??) mentioned by this binary is. So I trailed the path of the wscript.exe starting here, assuming that the Windows architecture is x64:\r\n0x40286E call     sub_408720\r\n0x402873 add      esp , 0Ch\r\n0x402876 call     ds :GetVersion\r\n0x40287C mov      esi , ds :lstrcpyW\r\n0x402882 push     offset aTztxpx75Xtdsjq \u003c== Push : \"tztxpx75]xtdsjqu/fyf\" to stack\r\n0x402887 lea      eax , [ esp +694h+pMore]\r\n0x40288B push     eax\r\n0x40288C call     esi\r\n0x40288E mov      dx , [ esp +690h+pMore]\r\n0x402893 xor      edi , edi\r\n0x402895 xor      ecx , ecx\r\n0x402897 movzx    eax , dx\r\n0x40289A cmp      di , dx\r\nThen I found that the binary wscript.exe is executed in this part:\r\n0x402B54 xor      eax , eax\r\n0x402B56 push     40h\r\n0x402B58 push     eax\r\n0x402B59 mov      [ esp +698h+ProcessInformation.hThread], eax\r\n0x402B5D mov      [ esp +698h+ProcessInformation.dwProcessId], eax\r\n0x402B61 mov      [ esp +698h+ProcessInformation.dwThreadId], eax\r\n0x402B65 lea      eax , [ esp +698h+StartupInfo.lpReserved]\r\n0x402B69 push     eax\r\n0x402B6A mov      [ esp +69Ch+ProcessInformation.hProcess], 0\r\n0x402B72 call     sub_408720\r\n0x402B77 add      esp , 0Ch\r\n0x402B7A xor      ecx , ecx
\r\n0x402B7C lea      edx , [ esp +690h+ProcessInformation]\r\n0x402B80 push     edx            \r\n0x402B80\r\n0x402B81 lea      eax , [ esp +694h+StartupInfo]\r\n0x402B81\r\n0x402B85 push     eax            \r\n0x402B86 push     offset Buffer\r\n0x402B8B push     ecx            \r\n0x402B8B\r\n0x402B8C push     ecx            \r\n0x402B8D push     ecx            \r\n0x402B8E push     ecx            \r\nhttp://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html\r\nPage 21 of 30\n\n25\r\n26\r\n27\r\n28\r\n29\r\n30\r\n31\r\n32\r\n33\r\n34\r\n0x402B8F push     ecx            \r\n0x402B90 mov      [ esp +6B0h+StartupInfo.wShowWindow], cx\r\n0x402B95 lea      ecx , [ esp +6B0h+CommandLine]\r\n0x402B9C push     ecx            \r\n0x402B9D lea      edx , [ esp +6B4h+ApplicationName]\r\n0x402BA4 push     edx            \r\n0x402BA5 mov      [ esp +6B8h+StartupInfo.cb], 44h\r\n0x402BAD mov      [ esp +6B8h+StartupInfo.dwFlags], 1\r\n0x402BB5 call     ds :CreateProcessW\r\n0x402BBB test     eax , eax       \r\nSo we have the wscript.exe process up and running.\r\nUp to this part our teammate poke me in DM, and he asked me what can he helped, so I asked our friend (Mr. Raashid Bhat)\r\nto take over the further analysis of this defrag.exe and disk1.img, while I went to other parts, and after a while he came up\r\nstraight forward with (1) decoder logic, which is match to our crack team did:\r\nAnd (2) the conclusion of what \"defrag.exe\" is actually doing, is a loader which patches the executed wsscript.exe's\r\nExitProcess to load the DLL \"disk1.img\"....Well, it's all starts to make more sense now.\r\nChecking the reported data. 
I confirmed to find the \"process was read\" from here:\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\n9\r\n10\r\n11\r\n0x4014BB mov      edx , [ ebp +nSize]\r\n0x4014C1 lea      ecx , [ ebp +NumberOfBytesRead]\r\n0x4014C7 push     ecx            \r\n0x4014C8 mov      ecx , [ ebp +lpAddress]\r\n0x4014CE push     edx            \r\n0x4014CF lea      eax , [ ebp +Buffer]\r\n0x4014D2 push     eax            \r\n0x4014D3 push     ecx            \r\n0x4014D4 push     esi            \r\n0x4014D5 mov      [ ebp +NumberOfBytesRead], ebx\r\n0x4014DB call     ds :ReadProcessMemory\r\nhttp://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html\r\nPage 22 of 30\n\n12\r\n13\r\n14\r\n0x4014E1 test     eax , eax       \r\nAs for the \"Exit Process patching\" itself, it is a quite sophisticate technique was used. It used a tiny shellcode that was\r\nobserved within Mem Loc 1 : 009C0000 to 009D0000 (by Raashid).\r\nThe shellcode then was saved in binary which I received and then I was reversing it deeper, it looks like as per following\r\nsnips:\r\nThis shellcode I tweaked a bit, is in a plain assembly, contains three addresses of Windows static API call to (I wrote these\r\nAPI in order of calls from top to bottom) LoadLibraryW@kernel32.dll, RtlGetLastWin32Error@ntdll.dll,\r\nSleep@kernel32.dll which can be shown in assembly code of the code as per snips below:\r\nSo now we know that defrag.exe is actually hacked wscript.exe, hooks ExitProcess Function of kernel32.dll and patches it\r\nwith a LoadLibraryW@kernel32.dll and loads a DLL string in local (for further execution), does some error-trapping and\r\ngives time for the DLL to be processed (loaded and executed).\r\nOK. So now we have the idea on how this binary sniffs for account, checks for processes and load and use the DLL\r\n(disk1.img). 
There are many more details for more operation in defrag.exe, like searching the process of Auslogic and that\r\nskype/messenger buff (also many registry values sniffed too) , but those will be added later after this main course..\r\nThe DLL Payload\r\nThis DLL is the goal of this infection. It has operations for networking functionalitiy, contains the CNC information and the\r\ndata to be sent to the CNC. If you do forensics, you may never see disk1.img or the deobfuscated DLL filename in the\r\nprocess, but you will see its operation by the patched wscript.exe (for it was hacked to load this DLL, the wscript.exe\r\nprocess should appear).\r\nBelow is the DLL part that in charge for the socket connections...\r\n1\r\n2\r\n3\r\n4\r\n5\r\n10010593 lea      edx , [ ebp +var_8]\r\n10010596 push     edx\r\n10010597 lea      edx , [ ebp +var_2C]\r\n1001059A push     edx\r\n1001059B push     ecx\r\nhttp://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html\r\nPage 23 of 30\n\n6\r\n7\r\n8\r\n9\r\n10\r\n11\r\n12\r\n13\r\n14\r\n15\r\n16\r\n17\r\n18\r\n19\r\n20\r\n21\r\n22\r\n23\r\n24\r\n25\r\n26\r\n27\r\n28\r\n29\r\n30\r\n31\r\n32\r\n33\r\n34\r\n35\r\n36\r\n37\r\n38\r\n39\r\n1001059C push     eax\r\n1001059D call     ds :getaddrinfo\r\n:\r\n100105C7 push     dword ptr [ esi +0Ch]\r\n100105CA push     dword ptr [ esi +8]\r\n100105CD push     dword ptr [ esi +4]\r\n100105D0 call     ds :socket\r\n100105D6 mov      edi , eax\r\n:\r\n100105DD push     dword ptr [ esi +10h]\r\n100105E0 push     dword ptr [ esi +18h]\r\n100105E3 push     edi            \r\n100105E4 call     ds :connect\r\n:\r\n10010600 push     [ ebp +var_8]\r\n10010603 call     ds :freeaddrinfo\r\n10010609 mov      esi , ds :setsockopt\r\n1001060F push     ebx            \r\n10010610 lea      eax , [ ebp -1]\r\n10010613 push     eax            \r\n10010614 push     ebx            \r\n10010615 push     6\r\n10010617 push     edi            \r\n10010618 mov      [ ebp +var_1], bl\r\n1001061B call 
    esi\r\n1001061D push     4\r\n1001061F lea      eax , [ ebp +optval]\r\n10010622 push     eax            \r\n10010623 push     1006h\r\n10010628 push     0FFFFh\r\n1001062D push     edi            \r\n1001062E call     esi\r\nhttp://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html\r\nPage 24 of 30\n\n..this will be resulted in some internal socket binding operation we spotted in the debug mode as:\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\n9\r\n10\r\n11\r\nBind IP Port Status (n) HookAddr API Calls\r\n--------------------------------------------------------\r\n0.0.0.0 51902 success 1 100105A3 getaddrinfo\r\n0.0.0.0 52652 success 1 100105A3 getaddrinfo\r\n0.0.0.0 57334 success 1 100105A3 getaddrinfo\r\n0.0.0.0 1209 success 1 100105EA connect\r\n0.0.0.0 54643 success 1 100105A3 getaddrinfo\r\n0.0.0.0 53539 success 1 100105A3 getaddrinfo\r\n0.0.0.0 54536 success 1 100105A3 getaddrinfo\r\n0.0.0.0 1210 success 1 100105EA connect\r\n0.0.0.0 51696 success 1 100105A3 getaddrinfo\r\nWhich one of them is successfully established connection to CNC:\r\n1\r\n2\r\n3\r\nBind IP Port Status (n) HookAddr API Calls\r\n--------------------------------------------------------\r\n\"91.229.77.179 8008 success\" or wait 2 100105EA connect\r\nFrom the further reversing section for this DLL (which was done by Raashid), the domains are encoded using single byte\r\nmove. and can be seen in the below IDA snapshot:\r\nWhich sending the below blobs of binary:\r\nWhen I received the result, since I had the report that the CNC was down at the time reversed, I used the local dummy DNS\r\nto seek whether the requests was made to those CNC hosts, and is proven:\r\nFurthermore, using the different method of networking (I won't explain this for the security purpose), I could find the alive\r\nconnection to the CNC's IP and PoC'ing the blob binary sent to initiate the connection. 
Noted, again the data matched, the\r\nreversing blob binary is actually the CNC sent data used to initiate the CNC communication, as per captured in the PCAP\r\nbelow, same bits:\r\nhttp://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html\r\nPage 25 of 30\n\nDoes it means the CNC still alive?\r\nI am not so sure. It was connected. The CNC \"allowed\" the bot to send the data to them, yet it was not responding back\r\nafterward and let the communication becoming in \"pending\" stage. So, there is many possibility can be happened, like: CNC\r\nis gone, or CNC specs has changed, etc. After all this APT sample is about 6-7months old.\r\nSo please allow me to take a rain check for analysis the blob binary used (still on it..among tons of tasks..). Let's investigate\r\nthis CNC related network.\r\nThe CNC investigation\r\nBased on the reverse engineering, forensics \u0026 behavior analysis we did, we found the CNC is actually 3 (three) hostnames\r\nmatched to the 6 (six) IP addresses as per listed below:\r\n1\r\n2\r\n3\r\nstatic.jg7.org\r\nimaps.qki6.com\r\nmenmin.strezf.com\r\nWhich historically are using the below IP addresses:\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n8.5.1.38\r\n64.74.223.38\r\n208.73.211.66\r\n91.229.77.179\r\n124.217.252.186\r\n212.7.198.211\r\nThe first three domains is having a very bad reputation in phishing \u0026 malware infection globally. PoC--\u003e[here]\r\nhttp://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html\r\nPage 26 of 30\n\nFor the location of these IP are shown in the below details:\r\nAnd the period time for each CNC's used subdomains VS IP addresses above can be viewed clearly below (Thank you\r\nFairSight team):\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\n9\r\n10\r\n11\r\n12\r\n13\r\n14\r\n15\r\n16\r\n17\r\n18\r\n19\r\n20\r\n21\r\nfirst seen 2013-11-01 21:17:45 -0000\r\nlast seen 2013-11-04 05:22:20 -0000\r\nstatic.jg7.org. 
A 8.5.1.41\r\nfirst seen 2013-10-07 13:10:00 -0000\r\nlast seen 2013-11-18 14:38:32 -0000\r\nstatic.jg7.org. A 64.74.223.41\r\nfirst seen 2013-08-26 10:01:39 -0000\r\nlast seen 2013-10-07 12:34:21 -0000\r\nstatic.jg7.org. A 91.229.77.179\r\nfirst seen 2012-12-17 04:20:19 -0000\r\nlast seen 2013-06-20 05:53:03 -0000\r\nstatic.jg7.org. A 124.217.252.186\r\nfirst seen 2013-06-20 08:00:28 -0000\r\nlast seen 2013-08-26 09:00:42 -0000\r\nstatic.jg7.org. A 212.7.198.211\r\nfirst seen 2013-11-01 21:22:55 -0000\r\nlast seen 2013-11-04 05:24:20 -0000\r\nimaps.qki6.com. A 8.5.1.38\r\nfirst seen 2013-10-07 13:10:18 -0000\r\nlast seen 2013-11-18 14:38:38 -0000\r\nimaps.qki6.com. A 64.74.223.38\r\nhttp://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html\r\nPage 27 of 30\n\n22\r\n23\r\n24\r\n25\r\n26\r\n27\r\n28\r\n29\r\n30\r\n31\r\n32\r\n33\r\n34\r\n35\r\n36\r\n37\r\n38\r\n39\r\n40\r\n41\r\n42\r\n43\r\n44\r\n45\r\n46\r\n47\r\n48\r\n49\r\n50\r\n51\r\n52\r\n53\r\n54\r\n55\r\nfirst seen 2013-08-26 10:02:05 -0000\r\nlast seen 2013-10-07 12:33:13 -0000\r\nimaps.qki6.com. A 91.229.77.179\r\nfirst seen 2012-12-17 04:19:46 -0000\r\nlast seen 2013-06-20 05:52:30 -0000\r\nimaps.qki6.com. A 124.217.252.186\r\nfirst seen 2014-01-06 01:21:07 -0000\r\nlast seen 2014-01-11 14:30:44 -0000\r\nimaps.qki6.com. A 208.73.211.66\r\nfirst seen 2013-06-20 07:07:43 -0000\r\nlast seen 2013-08-26 09:01:08 -0000\r\nimaps.qki6.com. A 212.7.198.211\r\nfirst seen 2013-08-26 10:02:31 -0000\r\nlast seen 2014-08-22 04:06:36 -0000\r\nmenmin.strezf.com. A 91.229.77.179\r\nfirst seen 2013-10-05 11:54:26 -0000\r\nlast seen 2013-10-07 13:45:55 -0000\r\nmenmin.strezf.com. A 208.91.197.101\r\nfirst seen 2013-06-20 06:26:33 -0000\r\nlast seen 2013-08-26 09:01:34 -0000\r\nmenmin.strezf.com. 
A 212.7.198.211\r\nhttp://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html\r\nPage 28 of 30\n\nAnd below is the DNS queries for these hostname (not IP) recorded in the recent terms, thank's to OpenDNS:\r\nCross checking various similar samples with the all recorded domains \u0026 IPs for the related CNC we found more possibility\r\nrelated hostnames to the similar series of the threat, suggesting the same actor(s), noted the usage of DDNS domains:\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\nfoursquare.dyndns.tv\r\nneuro.dyndns-at-home.com\r\ntripadvisor.dyndns.info\r\nwowwiki.dynalias.net\r\nyelp.webhop.org\r\n(there are some more but we are not 100% sure of them yet..is a TBA now..)\r\nThe bully actor(s) who spread this APT loves to hide their domain behind various of services like:\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\nnsX.dreamhost.com\r\nnsX.cloudns.net\r\nnsXX.ixwebhosting.com\r\nnsXX.domaincontrol.com\r\ndnsX.name-services.com\r\nnsXX.dsredirection.com\r\ndnsX.parkpage.foundationapi.com\r\nWith noted that these THREE CNC domains used by this sample, are made on this purpose only, and leaving many traceable\r\nevidence in the internet that we collected all of those successfully. Trailing every info leaves by this domains: jg7.org,\r\nqki6.com. strezf.com will help you to know who is actually behind this attack. Noted: see the time frame data we disclosed\r\nabove. If there any malware initiators and coders think they can bully others and hide their ass in internet is a BIG FAIL.\r\nThe data is too many to write it all here, by the same method of previous check we can find the relation between results. It is\r\nan interesting investigation.\r\nSamples\r\nWhat we analyzed is shared only in KernelMode, link--\u003e[here]\r\nWith thankfully to KM team (rocks!) 
I am reserving a topic there for the continuation disclosure for same nature of sample\r\nand threat.\r\nThe epilogue\r\nhttp://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html\r\nPage 29 of 30\n\nThis series of APT attack looks come and go, it was reported back then from 2009. This one campaign looks over, but for\r\nsome reason that we snipped in above writing, there is no way one can be sure whether these networks used are dead. The\r\nthreat is worth to investigate and monitor deeper. Some posts are suspecting political background supporting a government\r\nmission of a certain group is behind this activities, by surveillance to the targeting victims. Avoiding speculation, what we\r\nsaw is a spyware effort, with a good quality...a hand-made level, suggesting a custom made malware, and I bet is not a cheap\r\nwork too. We talked and compare results within involved members and having same thought about this.\r\nIf you received the sample, or, maybe got infected by these series, I suggest to please take a look at the way it was spread,\r\ndropped techniques used binaries, and the many camouflage tricks used. Further, for the researchers involved, we should add\r\nthat the way to hide the CNC within crook's network is the PoC for a very well-thought \u0026 clever tricks. We have enough\r\nidea for whom is capable to do this, and now is under investigation.\r\nWe are informing to all MMD friends, this investigation is OPEN, please help in gathering information that is related to this\r\nthreat for the future time frame too, as much as possible. 
We are opposing whoever group that is backing up this evil\r\noperation, and believe me, the dots are started to connect each other..\r\nWe are going to handle the similar threat from now on, so IF you have the abuse case by malware and need the deep\r\ninvestigation of what that malware does, do not hesitate to send us sample, archive the samples and text contains the\r\nexplanations of how you got the sample and how can we contact you, with the password \"infected\", and please upload it in\r\nthis link--\u003e[DropBin].\r\nDon't use malware, we never believe that any usage of malware can achieve any goodness. We will battle the malware\r\ninitiators and its coders for the sake to support a better humanity and better internet usage.\r\nSource: http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html\r\nhttp://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html\r\nPage 30 of 30\n\n102 0x40C037 103 0x40C03C call sub_412510 add esp , 0Ch \n104 0x40C03F mov [ ebp +var_84B4], 81h\n105 0x40C049 lea edx , [ ebp +var_84B4] \n   Page 9 of 30",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html"
	],
	"report_names": [
		"another-country-sponsored-malware.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434451,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6d83deba61a70b59ad085ba18539057a9bbfba62.pdf",
		"text": "https://archive.orkl.eu/6d83deba61a70b59ad085ba18539057a9bbfba62.txt",
		"img": "https://archive.orkl.eu/6d83deba61a70b59ad085ba18539057a9bbfba62.jpg"
	}
}