South Korea Incident - New Malware samples

Forum for analysis and discussion about malware.
R136a1
Forum Admin
Posts: 225
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

South Korea Incident - New Malware samples

Post by R136a1 » Wed Apr 24, 2013 4:21 pm

A few weeks ago, I started to reverse engineer a malicious x64 .dll (see Parts section below, No. 2) to begin to learn x64 (dis)assembly. From analysis it became apparent that the .dll was part of a bigger malware package. After a while of searching on the Internet, I found some Droppers which contained files similar to the one I was analyzing. Luckily, some of the files of these Droppers contained .pdb debug strings. At the same time there were the "South Korean Cyber Attacks" on banks and broadcasting organizations (see: http://www.symantec.com/connect/blogs/s ... ber-attack and http://www.symantec.com/connect/blogs/a ... ks-related). As it turned out, the Droppers I found are from the same attackers as described in the Symantec article.
...
Blogpost: http://thegoldenmessenger.blogspot.de/2 ... lware.html

The samples can be found here (ZIP Password = "infected"):
Concealment Troy - https://www.dropbox.com/s/w1892v0hzjgti ... xer%29.zip
Http Dr0pper - https://www.dropbox.com/s/fzk9bkn6fk5kl ... r0pper.zip
Http Troy - https://www.dropbox.com/s/n6h6vgnoihy59 ... 20Troy.zip
PDF Exploit - https://www.dropbox.com/s/lvzj14261bbaj ... xploit.zip
TDrop - https://www.dropbox.com/s/wn5a1jruatpq3x5/TDrop.zip
Parts (of additional packages) - https://www.dropbox.com/s/mqp1bvhuacoakcq/Parts.zip


Re: South Korea Incident - New Malware samples

Post by R136a1 » Wed Jun 19, 2013 6:42 pm

Analysis of a tiny Downloader: http://thegoldenmessenger.blogspot.de/2 ... -tiny.html

Malware attached.


Re: South Korea Incident - New Malware samples

Post by R136a1 » Sun Jun 30, 2013 6:04 pm


Marc Ochsenmeier
Posts: 27
Joined: Wed Oct 10, 2012 11:43 am

Re: South Korea Incident - New Malware samples

Post by Marc Ochsenmeier » Fri Jul 19, 2013 6:05 pm

Thank you very much for the info!

With PeStudio http://www.winitor.com, it takes one drag-and-drop to see that the image contains *several* EXE and DLL files inside... (which is almost always a big red flag)
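The "several EXE/DLL inside one image" red flag Marc mentions, and the .pdb debug strings R136a1 used in the first post to tie the droppers to one actor, can both be checked without a GUI tool. The script below is an added illustration written for this page; it is not PeStudio's code and not the forum author's tooling. It walks a blob for every `MZ` whose `e_lfanew` lands on a real `PE\0\0` header (so a stray "MZ" in a string is rejected) and scans for CodeView `RSDS` records to recover `.pdb` paths. The "dropper" it scans is a constructed in-memory stand-in with made-up paths and layout, so it runs offline and never touches the real samples.

```python
"""Added example: find PE images nested inside another PE and pull out the
CodeView (RSDS) .pdb paths they carry.  Hand-written illustration, not
PeStudio's code; the sample "dropper" below is constructed in memory."""
import struct
from typing import Dict, List, Optional

MZ = b"MZ"
PE_SIG = b"PE\0\0"
IMAGE_FILE_DLL = 0x2000
MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def find_embedded_pe(data: bytes) -> List[Dict]:
    """Return every offset where 'MZ' + e_lfanew lands on a plausible COFF header.

    A bare 'MZ' is not enough: the DOS header at that offset must point at
    'PE\\0\\0' with a sane section count, which rejects most accidental hits."""
    hits = []
    pos = data.find(MZ)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if (0x40 <= e_lfanew <= 0x1000
                    and data[pe_off:pe_off + 4] == PE_SIG
                    and pe_off + 24 <= len(data)):
                # COFF header: Machine(2) NumberOfSections(2) ... Characteristics at +18
                machine, nsections = struct.unpack_from("<HH", data, pe_off + 4)
                characteristics = struct.unpack_from("<H", data, pe_off + 22)[0]
                if 1 <= nsections <= 96:
                    hits.append({
                        "offset": pos,
                        "machine": MACHINES.get(machine, hex(machine)),
                        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
                    })
        pos = data.find(MZ, pos + 1)
    return hits


def find_pdb_paths(data: bytes) -> List[str]:
    """CodeView RSDS record: 'RSDS' + 16-byte GUID + 4-byte age + NUL-terminated path.

    Scanned by signature rather than via the debug directory so it also works
    on carved or partially corrupted images."""
    paths = []
    pos = data.find(b"RSDS")
    while pos != -1:
        start = pos + 4 + 16 + 4
        end = data.find(b"\0", start)
        if end != -1 and 0 < end - start < 260:
            try:
                path = data[start:end].decode("ascii")
            except UnicodeDecodeError:
                path = ""
            if path.lower().endswith(".pdb"):
                paths.append(path)
        pos = data.find(b"RSDS", pos + 1)
    return paths


def build_fake_pe(machine: int, is_dll: bool, pdb_path: Optional[str] = None) -> bytes:
    """Constructed stand-in for a PE: DOS header, PE signature, COFF header and an
    optional RSDS record.  Not loadable; just enough structure for the scanners."""
    dos = bytearray(0x40)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew -> right after DOS header
    characteristics = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE [| DLL]
    coff = struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, 0xF0, characteristics)
    image = bytes(dos) + PE_SIG + coff + b"\0" * 64
    if pdb_path:
        image += b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + pdb_path.encode() + b"\0"
    return image


# Constructed sample: a 32-bit "dropper" carrying a 64-bit DLL and a 32-bit EXE.
# The paths are invented for this example and do not belong to any real sample.
OUTER = build_fake_pe(0x14C, False, r"C:\example\outer\Release\dropper.pdb")
PAYLOAD_DLL = build_fake_pe(0x8664, True, r"C:\example\payload\x64\Release\payload.pdb")
PAYLOAD_EXE = build_fake_pe(0x14C, False)
FILLER = b"The bytes MZ alone are not an executable\0" + b"\xcc" * 0x200  # decoy 'MZ'
SAMPLE_DROPPER = OUTER + FILLER + PAYLOAD_DLL + FILLER + PAYLOAD_EXE

if __name__ == "__main__":
    for hit in find_embedded_pe(SAMPLE_DROPPER):
        kind = "DLL" if hit["is_dll"] else "EXE"
        print(f"PE at 0x{hit['offset']:06x}  {hit['machine']:6} {kind}")
    for path in find_pdb_paths(SAMPLE_DROPPER):
        print("PDB:", path)
```

On a real dropper you would read the file into `data` and run the same two functions; more than one hit from `find_embedded_pe` is the condition PeStudio highlights, and any `.pdb` path that is shared between otherwise unrelated droppers is the kind of pivot described in the first post. Packed or encrypted payloads will not show up until they are unpacked, so an empty result is not a clean bill of health.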
