KimJongRAT | Joachim De Zutter
February 2019
File size: 685568
MD5: 9cefeae7219d6d2a3188877ebc71a82d
SHA1: 162a72a53e79602e4d0e2cc81dc5b3253498cb92
SHA256: 52b898adaaf2da71c5ad6b3dfd3ecf64623bedf505eae51f9769918dbfb6b731
SSDeep: 12288:NBIstlQ4Dkqp78EKIF7Zbx+wbLJP2k2YhvJjG//aN4hu/RlMCFc79aHaoEEsN7Gu:NBIqlQ41IOgg2kPhxi//UauEtAHQNKLy
VirusTotal report
Compilation Timestamp: 4th of January 2019, 05:44:31.

Mentioned in New BabyShark Malware Targets U.S. National Security Think Tanks.

Contains strings encrypted with a symmetric substitution cipher:
LxkIorfMhhoxjj
GrmhGpqomouV
LxkFyooxzkIorfxjj
JxkIopropkuFgmjj
LxkArhygxDmzhgxV
Jgxxi
FriuCpgxV
VphxFdmoKrAygkpQukx
AygkpQukxKrVphxFdmo
LxkArhygxCpgxZmaxV
LxkCpgxJpnx
LxkVpzhrvjHpoxfkrouV
JxkCpgxMkkopqykxjV
OxmhCpgx
FgrjxDmzhgx
KxoapzmkxIorfxjj
FoxmkxKdoxmh
JxkKdoxmhIopropku
FoxmkxIorfxjjV
CoxxGpqomou
RixzIorfxjj
LxkXepkFrhxIorfxjj
FoxmkxAykxeV
RixzAykxeV
LxkFraiykxoZmaxM
HxgxkxCpgxV
LxkCyggImkdZmaxV
LxkFraamzhGpzxV
FoxmkxOxarkxKdoxmh
WpokymgMggrfXe
VopkxIorfxjjAxarou
WpokymgIorkxfkXe
VmpkCroJpzlgxRqsxfk
OxmhIorfxjjAxarou
OxjyaxKdoxmh
JxkKdoxmhFrzkxek
LxkKdoxmhFrzkxek
LxkArhygxCpgxZmaxM
LxkKxaiImkdV
CpzhOxjryofxV
GrmhOxjryofx
GrftOxjryofx
JpnxrcOxjryofx
CoxxOxjryofx
LxkWxojprzXeM
LxkJujkxaPzcr
LgrqmgGrft
LgrqmgYzgrft
FoxmkxKrrgdxgi32Jzmijdrk
Iorfxjj32CpojkV
Iorfxjj32Cpojk
Iorfxjj32ZxekV
Iorfxjj32Zxek
GrmhGpqomouM
mhwmip32?hgg
OxlFoxmkxTxuXeM
OxlByxouWmgyxXeM
OxlFoxmkxTxuM
OxlRixzTxuXeM
OxlJxkWmgyxXeM
OxlFgrjxTxu
FoxmkxJxowpfxM
RixzJxowpfxM
ByxouJxowpfxJkmkyj
FgrjxJxowpfxDmzhgx
JkmokJxowpfxFkogHpjimkfdxoM
JkmokJxowpfxM
RixzJFAmzmlxoM
JxkJxowpfxJkmkyj
OxlpjkxoJxowpfxFkogDmzhgxoM
LxkYjxoZmaxM
RixzIorfxjjKrtxz
LxkKrtxzPzcroamkprz
GrrtyiMffryzkJphM
vpzpzxk?hgg
PzkxozxkFrzzxfkM
PzkxozxkRixzM
DkkiRixzOxbyxjkM
DkkiJxzhOxbyxjkM
PzkxozxkOxmhCpgx
PzkxozxkFgrjxDmzhgx
PzkxozxkJxkRikprzM
PzkxozxkRixzYogM
DkkiByxouPzcrM
jdxgg32?hgg
JDLxkJixfpmgCrghxoImkdV
yjxo32?hgg
LxkJujkxaAxkopfj
LxkMjuzfTxuJkmkx
PjFgpiqrmohCroamkMwmpgmqgx
RixzFgpiqrmoh
LxkFgpiqrmohHmkm
FgrjxFgpiqrmoh
LxkCroxloryzhVpzhrv
LxkVpzhrvKdoxmhIorfxjjPh
XzyaFdpghVpzhrvj
LxkVpzhrv
txozxg32?hgg
f(\vpzhrvj\jujkxa32\
These can easily be decrypted with:
cat encrypted.txt | tr '(:?.!\-%+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' ':).?\-!+%mqfhxcldpstgazribojkywveunMQFHXCLDPSTGAZRIBOJKYWVEUN'
to:
GetProcAddress
LoadLibraryW
GetCurrentProcess
SetPriorityClass
GetModuleHandleW
Sleep
CopyFileW
WideCharToMultiByte
MultiByteToWideChar
GetModuleFileNameW
GetFileSize
GetWindowsDirectoryW
SetFileAttributesW
ReadFile
CloseHandle
TerminateProcess
CreateThread
SetThreadPriority
CreateProcessW
FreeLibrary
OpenProcess
GetExitCodeProcess
CreateMutexW
OpenMutexW
GetComputerNameA
DeleteFileW
GetFullPathNameW
GetCommandLineW
CreateRemoteThread
VirtualAllocEx
WriteProcessMemory
VirtualProtectEx
WaitForSingleObject
ReadProcessMemory
ResumeThread
SetThreadContext
GetThreadContext
GetModuleFileNameA
GetTempPathW
FindResourceW
LoadResource
LockResource
SizeofResource
FreeResource
GetVersionExA
GetSystemInfo
GlobalLock
GlobalUnlock
CreateToolhelp32Snapshot
Process32FirstW
Process32First
Process32NextW
Process32Next
LoadLibraryA
advapi32.dll
RegCreateKeyExA
RegQueryValueExA
RegCreateKeyA
RegOpenKeyExA
RegSetValueExA
RegCloseKey
CreateServiceA
OpenServiceA
QueryServiceStatus
CloseServiceHandle
StartServiceCtrlDispatcherA
StartServiceA
OpenSCManagerA
SetServiceStatus
RegisterServiceCtrlHandlerA
GetUserNameA
OpenProcessToken
GetTokenInformation
LookupAccountSidA
wininet.dll
InternetConnectA
InternetOpenA
HttpOpenRequestA
HttpSendRequestA
InternetReadFile
InternetCloseHandle
InternetSetOptionA
InternetOpenUrlA
HttpQueryInfoA
shell32.dll
SHGetSpecialFolderPathW
user32.dll
GetSystemMetrics
GetAsyncKeyState
IsClipboardFormatAvailable
OpenClipboard
GetClipboardData
CloseClipboard
GetForegroundWindow
GetWindowThreadProcessId
EnumChildWindows
GetWindow
kernel32.dll
c:\windows\system32\
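The same mapping as the tr command above, reimplemented in Python as an added example (not code from the original write-up or from the sample) so the decoder can be applied programmatically to other strings dumped from the binary. The alphabet is transcribed from the two tr operands; the sample input is a handful of the encrypted strings listed above.

```python
# Added example (not from the original write-up): the tr mapping above,
# reimplemented in Python so the decoder can be reused on strings dumped
# from the sample.
import string

# Encrypted alphabet and its plaintext counterpart, transcribed from the
# two tr operands (tr's "\-" is simply a literal hyphen here).
ENCRYPTED = "(:?.!-%+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
PLAINTEXT = ":).?-!+%mqfhxcldpstgazribojkywveunMQFHXCLDPSTGAZRIBOJKYWVEUN"
assert len(ENCRYPTED) == len(PLAINTEXT) == 60

DECODE_TABLE = str.maketrans(ENCRYPTED, PLAINTEXT)


def decode(s: str) -> str:
    """Decrypt one string. Characters outside the alphabet (digits,
    backslashes, spaces) are not in the table and pass through unchanged."""
    return s.translate(DECODE_TABLE)


def letters_self_inverse() -> bool:
    """True if decoding a decoded letter gives the original letter, i.e. the
    letter part of the table is a set of swaps (a<->m, b<->q, ...). That is
    the property that lets one tr invocation serve both directions."""
    return all(decode(decode(c)) == c for c in string.ascii_letters)


# A few of the encrypted strings listed on the page, used as sample input.
SAMPLE = [
    "LxkIorfMhhoxjj",
    "VphxFdmoKrAygkpQukx",
    "FoxmkxOxarkxKdoxmh",
    "mhwmip32?hgg",
    "f(\\vpzhrvj\\jujkxa32\\",
]


def decode_all(strings=None) -> list:
    """Decode a list of encrypted strings (defaults to SAMPLE)."""
    return [decode(s) for s in (SAMPLE if strings is None else strings)]


if __name__ == "__main__":
    for enc, dec in zip(SAMPLE, decode_all()):
        print(f"{enc:28} -> {dec}")
```

The letter half of the table is its own inverse, which is why the author can call the cipher symmetric and why the identifiers decode with a single tr pass. The punctuation entries are not all paired (`(` decodes to `:`, but `:` decodes to `)`), so `letters_self_inverse` deliberately checks letters only.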
It also contains encrypted strings that the sample with SHA256 63d49254ee2d07ce08bd981743c17f3d5a3242478cea883332e0cc1ae43c0fe6 does not contain; these decrypt to:
POP3
IMAP
HTTP
SMTP
NNTP
None
Outlook Express
IncrediMail
Eudora
Group Mail Free
Outlook
Outlook 2002-2003-2007-2010
Gmail
Yahoo! Mail
Netscape Mail
Thunderbird
Google Desktop
Windows Mail
Windows Live Mail
Outlook2013
Outlook2016
None
IE 4-6
IE 7-9
Firefox 1.x
Firefox 2.x
Firefox 3.0
Firefox 3.5-31
Chrome
Opera
Safari
IE 10
SeaMonkey
Firefox 32+
Yandex
Firefox
Has similarities with an older version of KimJongRAT:
File size: 437248
MD5: 3eee8d2ed3601756839e090d851b6250
SHA1: d85e5752052196115f2a8d0a4981059d28c822a8
SHA256: 6cec00f9d3b7a34c899b1b0cdb69eb5356fa33b80144a10499b7ec905b12e903
SSDeep: 6144:PpI8o0NEUa6TYMa7OzD+7oMuHY9V6BWWGMTRdNcRnEgpV2NJi/gOZi:Pp20TYMa7OzihN9S/3ehpk2
VirusTotal report
Compilation Timestamp: 3rd of November 2018, 07:06:59.

The file is UPX-compressed and decompresses to:
File size: 1019392
MD5: 903487ca013528221ad12adca2e5a5cd
SHA1: 641867296a6201e88d5bb15ac8b0ae17bd0a1df7
SHA256: 63d49254ee2d07ce08bd981743c17f3d5a3242478cea883332e0cc1ae43c0fe6
The decompressed file contains the same encrypted strings as the file above.

Unlike the other sample, it exports Landstart and Wakestart. Landstart contains code to download files. In Wakestart, SetWindowsHookEx is used to perform DLL injection via a global message hook.
After the DLL had been injected into explorer.exe, an HTTP GET request for http://koreaweek.us/include/send/test2/serverok.html was attempted from within that process.
The user-agent string was set using WININET.dll!InternetOpenA to "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36". A command like the following was executed:
cmd.exe /c dir a:\*.hwp a:\*.pdf a:\*.doc a:\*.docx a:\*.xls a:\*.xlsx a:\*.bin a:\*.ppt a:\*.zip a:\*.rar a:\*.alz a:\*.txt a:\*.json a:\*.dat a:\*.jpg a:\*.png a:\*.keystore /s >> "C:\Users\USER\Desktop\6cec00f9d3b7a34c899b1b0cdb69eb5356fa33b80144a10499b7ec905b12e903.lis"
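A detector for the collection pattern behind that command, added here as an example (not from the original write-up): cmd.exe running a recursive dir over many document wildcards with the listing redirected into a file. It is run over constructed process-creation log lines in a made-up `ParentImage|Image|CommandLine` layout; the first line reproduces the observed command with a placeholder output file name, the others are benign listings that should not fire.

```python
# Added example (not from the original write-up): detection logic for the
# recursive document-enumeration command observed above, run over
# constructed process-creation log lines.
import re

# Extensions named in the observed command; used to score a hit, not to
# require an exact match.
DOCUMENT_EXTENSIONS = {
    "hwp", "pdf", "doc", "docx", "xls", "xlsx", "bin", "ppt", "zip", "rar",
    "alz", "txt", "json", "dat", "jpg", "png", "keystore",
}
WILDCARD_RE = re.compile(r"\*\.([A-Za-z0-9]+)")
REDIRECT_RE = re.compile(r'>>?\s*("[^"]*"|\S+)')


def analyse_command_line(cmdline, min_patterns=5):
    """Return a finding dict if cmdline looks like bulk document enumeration,
    else None. Criteria: cmd.exe running dir with the recursive /s switch,
    at least min_patterns distinct '*.<ext>' wildcards, and the listing
    redirected into a file."""
    lowered = cmdline.lower()
    if "cmd.exe" not in lowered or not re.search(r"/c\s+dir\b", lowered):
        return None
    if not re.search(r"(^|\s)/s(\s|$)", lowered):
        return None
    exts = {e.lower() for e in WILDCARD_RE.findall(cmdline)}
    if len(exts) < min_patterns:
        return None
    redirect = REDIRECT_RE.search(cmdline)
    if redirect is None:
        return None
    return {
        "extensions": sorted(exts),
        "document_like": len(exts & DOCUMENT_EXTENSIONS),
        "output": redirect.group(1).strip('"'),
    }


def scan_log(lines):
    """Apply analyse_command_line to each 'Parent|Image|CommandLine' line and
    return (parent, finding) pairs for the lines that match."""
    hits = []
    for line in lines:
        parent, _image, cmdline = line.split("|", 2)
        finding = analyse_command_line(cmdline)
        if finding is not None:
            hits.append((parent, finding))
    return hits


# Constructed log lines (field layout and paths are made up for this example).
SAMPLE_LOG = [
    r'C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir a:\*.hwp a:\*.pdf a:\*.doc a:\*.docx a:\*.xls a:\*.xlsx a:\*.bin a:\*.ppt a:\*.zip a:\*.rar a:\*.alz a:\*.txt a:\*.json a:\*.dat a:\*.jpg a:\*.png a:\*.keystore /s >> "C:\Users\USER\Desktop\listing.lis"',
    r'C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir C:\Users\USER\Documents\*.docx',
    r'C:\Windows\System32\cmd.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir /s C:\src\*.c C:\src\*.h > C:\src\files.txt',
    r'C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -c Get-ChildItem -Recurse',
]

if __name__ == "__main__":
    for parent, finding in scan_log(SAMPLE_LOG):
        print(parent, finding)
```

The parent image is carried along because, as described above, the command was spawned from explorer.exe after the injection; explorer.exe launching cmd.exe for a recursive multi-extension listing is a stronger signal than the command line alone. The Chrome user-agent string, by contrast, is not a useful indicator on its own, since it is a stock browser string.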

Examining Code Reuse Reveals Undiscovered Links Among North Korea’s Malware Families