MAR-10271944-1.v1 – North Korean Trojan: HOTCROISSANT | CISA
Tags
maec-delivery-vectors: | Watering Hole |
attack-pattern: | Malware - T1587.001 Malware - T1588.001 Phishing - T1660 Phishing - T1566 Software - T1592.002 Vulnerabilities - T1588.006 |
Common Information
Type | Value |
---|---|
UUID | d0f4e0a6-303d-45c7-b944-748b0b5429bc |
Fingerprint | 6119993cf729fcf |
Analysis status | DONE |
Considered CTI value | 0 |
Text language | |
Published | Feb. 14, 2020, midnight |
Added to db | Sept. 26, 2022, 9:30 a.m. |
Last updated | Dec. 21, 2024, 4:49 a.m. |
Headline | Malware Analysis Report (AR20-045D) |
Title | MAR-10271944-1.v1 – North Korean Trojan: HOTCROISSANT | CISA |
Detected Hints/Tags/Attributes | 44/2/20 |
Source URLs
Details | Redirection | Url |
---|---|---|
Details | Source | https://www.us-cert.gov/ncas/analysis-reports/ar20-045d |
URL Provider
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 154 | | www.us-cert.gov |
Details | Domain | 26 | | us-cert.gov |
Details | Domain | 18 | | dhs.sgov.gov |
Details | Domain | 18 | | dhs.ic.gov |
Details | Domain | 84 | | malware.us-cert.gov |
Details | Domain | 84 | | ftp.malware.us-cert.gov |
Details | | 17 | | ncciccustomerservice@us-cert.gov |
Details | | 18 | | us-cert@dhs.sgov.gov |
Details | | 18 | | us-cert@dhs.ic.gov |
Details | | 16 | | soc@us-cert.gov |
Details | | 84 | | submit@malware.us-cert.gov |
Details | File | 1199 | | svchost.exe |
Details | File | 811 | | kernel32.dll |
Details | sha256 | 2 | | 8ee7da59f68c691c9eca1ac70ff03155ed07808c7a66dee49886b51a59e00085 |
Details | IPv4 | 1 | | 94.177.123.138 |
Details | Url | 42 | | http://www.us-cert.gov/tlp. |
Details | Url | 21 | | https://www.us-cert.gov/hiddencobra. |
Details | Url | 17 | | https://us-cert.gov/forms/feedback |
Details | Url | 84 | | https://malware.us-cert.gov |
Details | Yara rule | 2 | | rule CryptographyFunction (full rule text below) |

The YARA rule recorded in the last row above, laid out as the rule would be written in a .yar file (same content as the single-line table value):

```yara
rule CryptographyFunction
{
    meta:
        author = "CISA trusted 3rd party"
        incident = "10271944.r1.v1"
        date = "2019-12-25"
        category = "Hidden_Cobra"
        family = "HOTCROISSANT"
    strings:
        $ALGO_crypto_1 = { 8A [1-5] 32 [1-4] 32 [1-4] 32 [1-4] 88 [1-5] 8A [1-4] 32 [1-4] 22 [1-4] 8B [1-5] 8D [3-7] 33 [1-4] 81 [3-7] C1 [1-5] C1 [1-5] 0B [1-4] 8D [1-5] 33 [1-4] 22 [1-4] C1 [1-5] 33 [1-4] 32 [1-4] 8B [1-4] 83 [1-5] C1 [1-5] 33 [1-4] C1 [1-5] C1 }
    condition:
        uint16(0) == 0x5A4D and any of them
}
```