MAR-10135536-12 – North Korean Trojan: TYPEFRAME | CISA
Common Information
Type | Value |
---|---|
UUID | e3749c00-68ca-43c0-9f47-aa129504825c |
Fingerprint | dfddc9ef5d6911c7 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | June 14, 2018, midnight |
Added to db | Sept. 26, 2022, 9:32 a.m. |
Last updated | Nov. 17, 2024, 5:55 p.m. |
Headline | Malware Analysis Report (AR18-165A) |
Title | MAR-10135536-12 – North Korean Trojan: TYPEFRAME | CISA |
Detected Hints/Tags/Attributes | 50/2/63 |
Source URLs
Details | Redirection | Url |
---|---|---|
Details | Source | https://www.us-cert.gov/ncas/analysis-reports/AR18-165A |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 145 | | www.us-cert.gov |
Details | Domain | 1 | | midimapper.rs |
Details | Domain | 1 | | tvdaijiworld.com |
Details | Domain | 25 | | us-cert.gov |
Details | Domain | 18 | | dhs.sgov.gov |
Details | Domain | 18 | | dhs.ic.gov |
Details | Domain | 84 | | malware.us-cert.gov |
Details | Domain | 84 | | ftp.malware.us-cert.gov |
Details | | 17 | | ncciccustomerservice@us-cert.gov |
Details | | 18 | | us-cert@dhs.sgov.gov |
Details | | 18 | | us-cert@dhs.ic.gov |
Details | | 16 | | soc@us-cert.gov |
Details | | 84 | | submit@malware.us-cert.gov |
Details | File | 87 | | java.exe |
Details | File | 1 | | laxhost.dll |
Details | File | 1 | | dwnhost.dll |
Details | File | 1 | | kdcolcwp.dll |
Details | File | 1 | | pdll.dll |
Details | File | 1 | | mdll.dll |
Details | File | 1 | | %temp%\leo.exe |
Details | File | 1 | | dll64.dll |
Details | File | 1 | | proxy_svc_dll.dll |
Details | sha256 | 1 | | 201c7cd10a2bd50dde0948d14c3c7a0732955c908a3392aee3d08b94470c9d33 |
Details | sha256 | 1 | | 20abb95114de946da7595438e9edf0bf39c85ba8512709db7d5532d37d73bd64 |
Details | sha256 | 1 | | 3c809a10106990ba93ec0ed3b63ec8558414c6680f6187066b1aacd4d8c58210 |
Details | sha256 | 1 | | 40ef57ca2a617f5d24ac624339ba2027b6cf301c28684bf8b2075fc7a2e95116 |
Details | sha256 | 1 | | 4bd7d801d7ce3fe9c2928dbc834b296e934473f5bbcc9a1fd18af5ebd43192cd |
Details | sha256 | 1 | | 546dbd370a40c8e46f9b599a414f25000eec5ae6b3e046a035fe6e6cd5d874e1 |
Details | sha256 | 1 | | 675a35e04b19aab314bcbc4b1f2610e3dea4a80c277cc5188f1d1391a00dfdb1 |
Details | sha256 | 1 | | 8c3e0204f52200325ed36db9b12aba1c5e46984d415514538a5bf10783cacdf8 |
Details | sha256 | 1 | | c9e3b83d77ce93cc1d70b22e967f049b13515c88572aa78e0a838103e5478777 |
Details | sha256 | 1 | | d1d490866d4a4d29306f0d9300bffc1450c41bb8fd62371d29672bf9f747bf92 |
Details | sha256 | 1 | | e69d6c2d3e9c4beebee7f3a4a3892e5fdc601beda7c3ec735f0dfba2b29418a7 |
Details | sha256 | 1 | | 089e49de61701004a5eff6de65476ed9c7632b6020c2c0f38bb5761bca897359 |
Details | sha256 | 1 | | a71017302e1745c8a3d6e425187eb23c7531551bb6f547e47198563a78e933b6 |
Details | sha256 | 1 | | e088c3a0b0f466df5329d9a66ff618de3d468d8a5981715303babb1452631eef |
Details | IPv4 | 2 | | 111.207.78.204 |
Details | IPv4 | 2 | | 181.119.19.56 |
Details | IPv4 | 2 | | 184.107.209.2 |
Details | IPv4 | 1 | | 59.90.93.97 |
Details | IPv4 | 2 | | 80.91.118.45 |
Details | IPv4 | 1 | | 81.0.213.173 |
Details | IPv4 | 1 | | 98.101.211.162 |
Details | IPv4 | 1 | | 98.100.0.0 |
Details | IPv4 | 1 | | 98.103.255.255 |
Details | IPv4 | 1 | | 81.0.213.168 |
Details | IPv4 | 1 | | 81.0.213.175 |
Details | IPv4 | 1 | | 111.192.0.0 |
Details | IPv4 | 1 | | 111.207.255.255 |
Details | IPv4 | 1 | | 80.91.118.0 |
Details | IPv4 | 1 | | 80.91.119.255 |
Details | IPv4 | 1 | | 181.0.0.0 |
Details | IPv4 | 1 | | 181.255.255.255 |
Details | IPv4 | 1 | | 59.90.64.0 |
Details | IPv4 | 1 | | 59.90.127.255 |
Details | Url | 42 | | http://www.us-cert.gov/tlp. |
Details | Url | 21 | | https://www.us-cert.gov/hiddencobra. |
Details | Url | 17 | | https://us-cert.gov/forms/feedback |
Details | Url | 84 | | https://malware.us-cert.gov |
Details | Yara rule | 1 | | enc_PK_header (rule body below) |
Details | Yara rule | 1 | | import_obfuscation_2 (rule body below) |
Details | Yara rule | 1 | | HC_RAT (rule body below) |
Details | Yara rule | 1 | | import_deob (rule body below) |

Yara rule enc_PK_header

```yara
rule enc_PK_header
{
    meta:
        author = "NCCIC trusted 3rd party"
        incident = "10135536"
        date = "2018-04-12"
        category = "hidden_cobra"
        family = "TYPEFRAME"
        hash0 = "3229a6cea658b1b3ca5ca9ad7b40d8d4"
    strings:
        $s0 = { 5F A8 80 C5 A0 87 C7 F0 9E E6 }
        $s1 = { 95 F1 6E 9C 3F C1 2C 88 A0 5A }
        $s2 = { AE 1D AF 74 C0 F5 E1 02 50 10 }
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them
}
```

Yara rule import_obfuscation_2

```yara
rule import_obfuscation_2
{
    meta:
        author = "NCCIC trusted 3rd party"
        incident = "10135536"
        date = "2018-04-12"
        category = "hidden_cobra"
        family = "TYPEFRAME"
        hash0 = "bfb41bc0c3856aa0a81a5256b7b8da51"
    strings:
        $s0 = { A6 D6 02 EB 4E B2 41 EB C3 EF 1F }
        $s1 = { B6 DF 01 FD 48 B5 }
        $s2 = { B6 D5 0E F3 4E B5 }
        $s3 = { B7 DF 0E EE }
        $s4 = { B6 DF 03 FC }
        $s5 = { A7 D3 03 FC }
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
}
```

Yara rule HC_RAT

```yara
rule HC_RAT
{
    meta:
        author = "NCCIC Code & Media Analysis"
        incident = "10135536"
        date = "2018-04-12"
        category = "hidden_cobra"
        family = "TYPEFRAME"
        hash0 = "1C53E7269FE9D84C6DF0A25BA59B822C"
    strings:
        $s0 = { 8B 4C 24 04 33 C0 81 E1 FF FF 00 00 81 C1 00 80 FF FF 83 F9 43 0F 87 70 01 00 00 }
        $s1 = { 88 04 30 40 3D 00 01 00 00 }
        $s2 = { 48 89 4C 24 08 57 48 83 EC 20 0F B7 C1 33 FF 05 00 80 FF FF 83 F8 43 0F 87 60 02 00 00 }
        $s3 = { 88 01 FF C0 48 FF C1 3D 00 01 00 00 }
    condition:
        ($s0 and $s1) or ($s2 and $s3)
}
```

Yara rule import_deob

```yara
rule import_deob
{
    meta:
        author = "NCCIC trusted 3rd party"
        incident = "10135536"
        date = "2018-04-12"
        category = "hidden_cobra"
        family = "TYPEFRAME"
        md5 = "ae769e62fef4a1709c12c9046301aa5d"
        md5 = "e48fe20eb1f5a5887f2ac631fed9ed63"
    strings:
        $ = { 8A 01 3C 62 7C 0A 3C 79 7F 06 B2 DB 2A D0 88 11 8A 41 01 41 84 C0 75 E8 }
        $ = { 8A 08 80 F9 62 7C 0B 80 F9 79 7F 06 82 DB 2A D1 88 10 8A 48 01 40 84 C9 75 E6 }
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them
}
```