The infected user will run the localhost (127.0.0.1) proxy and hit the S. Korean bank URL.
A splendid scheme to provoke a war between JP & KR with this malware, so I feel I should make an analysis of it.
Code:
    // IP extracted from binary:
    126.96.36.199   standardchartered.co.kr       equals www.standardchartered.com (Standard Chartered Bank)
    188.8.131.52    www.standardchartered.co.kr   equals www.standardchartered.com (Standard Chartered Bank)
But there is enough data in the forensics and behaviour test to make the right verdict.
The attempt to download the crypto file (it failed).. sigh..
Since there is no reference to this malware yet, I dared to open a new post here.
I fetched this hosts data with Volatility & compared it with the sandbox: a perfect match..
I am sorry, I have no energy for writing (I am in hospital now), so I only made the Japanese analysis here: http://blog.0day.jp/2014/03/ocjp-126-kddidion.html
The sample is in VT here: https://www.virustotal.com/en/file/9b3e ... 395652253/
Samples and dropped data are attached. Please add your comments or thoughts; I don't have much reference on this now.
FYI: the malware server is still up and running for the next 24hrs, I suppose.
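As an added example (not the poster's code and not from the linked analysis), a small hosts-file checker of the kind a responder would run against a suspected machine: it parses hosts-file text and flags any watched bank domain that has been pinned to an address, marking whether the pin points at loopback (the local-proxy pattern described in the post). The two standardchartered entries in the sample are the ones listed in the post; the other sample lines and the WATCHED_SUFFIXES list are constructed for illustration.

```python
import ipaddress
import re

# Constructed hosts-file content. The two standardchartered lines are the
# entries listed in the post; the localhost, intranet and example-bank lines
# are made-up filler (one benign, one a constructed loopback pin).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
# comment line
10.0.0.5        intranet.example   # constructed, benign
126.96.36.199   standardchartered.co.kr
188.8.131.52    www.standardchartered.co.kr
127.0.0.1       www.example-bank.test
"""

# Domains whose resolution should never be overridden in a local hosts file.
# Hypothetical watch list; replace with the financial domains you care about.
WATCHED_SUFFIXES = (
    "standardchartered.co.kr",
    "standardchartered.com",
    "example-bank.test",
)


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, not a hosts entry
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def is_watched(hostname):
    """True if hostname equals or is a subdomain of a watched suffix."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacks(entries):
    """Flag every watched domain pinned in the hosts file, noting loopback pins."""
    findings = []
    for ip, name in entries:
        if not is_watched(name):
            continue
        addr = ipaddress.ip_address(ip)
        findings.append({
            "hostname": name,
            "ip": ip,
            # A 127.0.0.1 pin means traffic goes to a local proxy, as in the post.
            "loopback": addr.is_loopback,
            "reason": "watched domain pinned in hosts file",
        })
    return findings


def scan_hosts_text(text):
    """Convenience wrapper: parse then flag."""
    return find_hijacks(parse_hosts(text))


if __name__ == "__main__":
    for f in scan_hosts_text(SAMPLE_HOSTS):
        print(f"{f['hostname']:32} -> {f['ip']:16} loopback={f['loopback']}")
```

To use it on a real system, read the hosts file (for example from a Volatility file dump or the live machine) and pass its contents to scan_hosts_text; any hit for a financial domain is worth treating as a hijack until proven otherwise, and a loopback hit points directly at a local proxy component like the one described above.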