A forum for reverse engineering, OS internals and malware analysis 

#19382 by cjbi, Wed May 22, 2013 5:30 pm
Yet another Korean targeted malware from China. (Gongda/Gongdad exploit pack payload)
Binary and unpacked binary attached.

Strings:
Code:
...
yyyy
eeee
kernel32.dll
GetDiskFreeSpaceExA
kernel32.dll
CreateToolhelp32Snapshot
Heap32ListFirst
Heap32ListNext
Heap32First
Heap32Next
Toolhelp32ReadProcessMemory
Process32First
Process32Next
Process32FirstW
Process32NextW
Thread32First
Thread32Next
Module32First
Module32Next
Module32FirstW
Module32NextW
LAST ACKNOWLEDGMENT
MUpdate2.exe|mautoup.exe|restoreu.exe|mupdate2.exe|v3light.exe|v3lsvc.exe|aflogvw.exe|afquavw.exe|v3lexec.exe|wsctsk.exe|setup_v3rcv.exe|v3lrun.exe|v3ltray.exe|v3medic.exe|v3restore.exe|afquavw.exe|restore.exe|afquavw.exe|btscan.exe|ahnrpt.exe|restoreu.exe|AFLogVw.exe|AhnAzExE.exe|V3LExec.exe|V3Light.exe|V3LNetDn.exe|V3LRun.exe|WscTsk.exe|AKDVE.exe|V3Medic.exe|V3LAxAgn.exe|ahnrpt.exe|V3LTray.exe|AFQuaVw.exe|V3LSvc.exe|setup_v3rcv.exe|MAutoup.exe|MUpdate2.exe|mautoup.exe|restoreu.exe|mupdate2.exe|sgdnldr.exe|sgrun64.exe|sgui.exe|sgrun.exe|sgsvc.exe|v3restore.exe|afquavw.exe|restore.exe|restoreu.exe|ahnrpt.exe|Sgui.exe|SgRun64.exe|SgDnldr.exe|SgSvc.exe|SgRun.exe|ALUpdate.exe|ALUpExt.exe|ALUpProduct.exe|ALYac.aye|AYAgent.aye|AYCon.exe|AYHost.aye|AYLaunch.exe|AYPatch.aye|AYRTSrv.aye|AYRunSC.exe|AYShell.aye|AYTask.aye|AYUpdate.aye|AYUpdSrv.aye|ESTCM.exe|bootalyac.exe|NaverAgent.exe|Uninst_Agent.exe|NaverCommonUpdater_1_0_0_4.exe|NELO_CrashReporter.exe|RemoveUpdater.exe|NaverSafeGuard.exe|
rpcrt4.dll
UuidCreateSequential
getURLDown
loadMM
hxxp://blog.sina.com.cn/s/blog_b2afd7fe01019tkf.html
hxxp://110.34.232.12:1314/tj/Count.asp?mac=
POSTtj
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Download
cmd.exe /c ping localhost -n 10 && del
C:\\windows\\system32\\taskmgr.exe
D:\\windows\\system32\\taskmgr.exe
...
VirusTotal result(s):
down.exe.vir 19/47 https://www.virustotal.com/en/file/58d7 ... 369238382/
down.unpacked.exe.vir 15/47 https://www.virustotal.com/en/file/b4c7 ... 369243690/
Attachments
pw: infected
(55.8 KiB)
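As an added triage example, not part of cjbi's post or the sample: a short Python script that parses a strings dump of this shape and separates the clusters a defender cares about. It pulls the Toolhelp32 enumeration imports (process/thread/module walking), splits the pipe-delimited list of security-product process names (lower-cased and de-duplicated, since the list above repeats names in different case and Windows file names are case-insensitive), parses the defanged hxxp URLs into host, port and path, flags the CurrentVersion\Run autorun key, and reads the delay out of the `ping localhost -n N && del` self-delete command. It also flags the pairing of a rpcrt4 `UuidCreateSequential` import with a `mac=` URL parameter: a sequential UUID carries the primary network adapter's MAC address in its node field, which is a common way to derive a host identifier for a beacon. That pairing is a heuristic, not something the post states. The embedded dump is a constructed excerpt of the strings posted above (the real process list is much longer); the regexes and field names are the example's own.

```python
"""Triage a `strings` dump of a suspected downloader.

Added example: groups the strings posted above into indicator clusters
(Toolhelp32 enumeration, AV process list, defanged URLs, autorun key,
ping-delayed self-delete) so each can be turned into a detection or a note.
"""
import re

# Constructed excerpt of the posted strings dump; names are copied from the
# post, the selection and layout are ours.
SAMPLE_DUMP = r"""
kernel32.dll
CreateToolhelp32Snapshot
Heap32ListFirst
Heap32ListNext
Heap32First
Heap32Next
Toolhelp32ReadProcessMemory
Process32First
Process32Next
Process32FirstW
Process32NextW
Thread32First
Thread32Next
Module32First
Module32Next
Module32FirstW
Module32NextW
LAST ACKNOWLEDGMENT
MUpdate2.exe|mautoup.exe|v3light.exe|v3lsvc.exe|V3Light.exe|v3light.exe|ALYac.aye|AYAgent.aye|NaverAgent.exe|
rpcrt4.dll
UuidCreateSequential
hxxp://blog.sina.com.cn/s/blog_b2afd7fe01019tkf.html
hxxp://110.34.232.12:1314/tj/Count.asp?mac=
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Download
cmd.exe /c ping localhost -n 10 && del
"""

# Toolhelp32 snapshot/walk APIs: harmless alone, telling next to a kill list.
TOOLHELP_RE = re.compile(
    r"^(?:CreateToolhelp32Snapshot|Toolhelp32ReadProcessMemory"
    r"|(?:Process|Thread|Module|Heap)32(?:List)?(?:First|Next)W?)$")
# Three or more '|'-separated executable names on one line: a process list.
PROCLIST_RE = re.compile(r"^(?:[\w.\-]+\.(?:exe|aye)\|){3,}[\w.\-]*$", re.I)
# Defanged URL exactly as posted (hxxp); keep it defanged, just split it.
URL_RE = re.compile(r"^hxxps?://([^/:\s]+)(?::(\d+))?(/\S*)?$", re.I)
# Backslashes may appear doubled in a dump, so allow one or more.
AUTORUN_RE = re.compile(r"Microsoft\\+Windows\\+CurrentVersion\\+Run", re.I)
# Classic delayed self-delete: ping as a sleep, then del.
SELFDEL_RE = re.compile(
    r"ping\s+(?:localhost|127\.0\.0\.1)\s+-n\s+(\d+)\s*&&\s*del", re.I)


def triage(dump: str) -> dict:
    """Return the indicator clusters found in a strings dump."""
    lines = [ln.strip() for ln in dump.splitlines() if ln.strip()]
    result = {
        "toolhelp_apis": [],
        "target_processes": set(),
        "urls": [],
        "autorun_keys": [],
        "self_delete_delay": None,
        "mac_beacon": False,
    }
    for line in lines:
        if TOOLHELP_RE.match(line):
            result["toolhelp_apis"].append(line)
        elif PROCLIST_RE.match(line):
            # Lower-case and de-duplicate: the sample repeats names in
            # mixed case and NTFS matching is case-insensitive anyway.
            result["target_processes"].update(
                n.lower() for n in line.split("|") if n)
        elif (m := URL_RE.match(line)):
            host, port, path = m.groups()
            result["urls"].append({"raw": line, "host": host,
                                   "port": int(port) if port else None,
                                   "path": path or "/"})
        elif AUTORUN_RE.search(line):
            result["autorun_keys"].append(line)
        elif (m := SELFDEL_RE.search(line)):
            result["self_delete_delay"] = int(m.group(1))
    # Heuristic: a sequential UUID embeds the NIC MAC in its node field, so
    # UuidCreateSequential next to a "mac=" parameter suggests a MAC beacon.
    result["mac_beacon"] = ("UuidCreateSequential" in lines and
                            any("mac=" in u["path"] for u in result["urls"]))
    result["target_processes"] = sorted(result["target_processes"])
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

Run against a full dump, the `target_processes` list is what you would feed into an endpoint rule ("process X terminated by unsigned parent") and the `urls` entries into a network block or hunt; the Toolhelp32 count by itself is only noteworthy because it co-occurs with the kill list.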