Summary | ZeroBOX

제4기AMP 안내자료.pdf

Kimsuky Emotet Gen1 Javascript ShellCode Downloader Malicious Library Malicious Packer HTTP Escalate privileges KeyLogger Http API Internet API PDF ScreenShot JPEG Format PNG Format MSOffice File OS Processor Check AntiVM AntiDebug
Category  Machine           Started                   Completed
FILE      s1_win7_x6403_us  Aug. 9, 2021, 10:23 p.m.  Aug. 9, 2021, 10:25 p.m.
Size 203.2KB
Type PDF document, version 1.6
MD5 70294ac8b61bfb936334bcb6e6e8cc50
SHA256 512ad244c58064dfe102f27c9ec8814f3e3720593fe1e3ed48a8cb385d52ff84
CRC32 E33615E0
ssdeep 3072:xMLZB6xP2cQ8mUjIgBPsP5TUYdFTCrQlGvwJpKz9z7PDHUx2p:KLbGPQ8DZkPDFTCEl7s9z7PbB
Yara
  • PDF_Javascript_ShellCode - PDF Javascript ShellCode
  • APT_Kimsuky_PDF_Enc_Shellcode_Aug_2021_1 - Detect encoded Kimsuky shellcode used in fake PDF against South Korea
  • PDF_Format_Z - PDF Format

Suricata Alerts

Flow                                           SID        Signature                                                       Category
TCP 192.168.56.103:49180 -> 23.74.15.34:443    906200056  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)   undefined
TCP 192.168.56.103:49168 -> 23.212.12.57:443   906200056  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)   undefined
TCP 23.74.15.34:443 -> 192.168.56.103:49178    2029340    ET INFO TLS Handshake Failure                                   Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 23.74.15.34:443    906200056  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)   undefined
TCP 23.74.15.34:443 -> 192.168.56.103:49181    2029340    ET INFO TLS Handshake Failure                                   Potentially Bad Traffic
TCP 192.168.56.103:49177 -> 23.74.15.34:443    906200056  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)   undefined

Suricata TLS

Flow                                            Issuer                                                    Subject                                                         Fingerprint
TLSv1 192.168.56.103:49168 -> 23.212.12.57:443  C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA   C=US, ST=California, L=San Jose, O=Adobe Inc, CN=*.adobe.com   34:65:16:66:1c:13:4a:0f:09:e2:e7:a8:54:c8:fc:ad:48:e8:ce:89

request GET http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/278_20_6_20042.zip
request GET http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/281_20_6_20042.zip
request GET http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/280_20_6_20042.zip
request GET http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/277_20_6_20042.zip
request GET http://ardownload.adobe.com/pub/adobe/reader/win/AcrobatDC/2100520060/AcroRdrDCUpd2100520060_MUI.msp
request HEAD https://armmf.adobe.com/arm-manifests/win/ReaderDCManifest3.msi
request GET https://armmf.adobe.com/arm-manifests/win/ReaderDCManifest3.msi
request HEAD https://armmf.adobe.com/arm-manifests/win/ArmManifest3.msi
request GET https://armmf.adobe.com/arm-manifests/win/ArmManifest3.msi
request HEAD https://armmf.adobe.com/arm-updates/win/ARM/1.8.x/AdobeARM_1824420176.msi
request GET https://armmf.adobe.com/arm-updates/win/ARM/1.8.x/AdobeARM_1824420176.msi
url http://www.adobe.com/support/downloads/product.jsp?product=1
url http://www.adobe.com/support/downloads/product.jsp?product=10
description Escalate privileges rule Escalate_priviledges
description Run a KeyLogger rule KeyLogger
description Communications over HTTP rule Network_HTTP
description Match Windows Inet API call rule Str_Win32_Internet_API
description Take ScreenShot rule ScreenShot
description Match Windows Http API call rule Str_Win32_Http_API
description File Downloader rule Network_Downloader
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
cmdline "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
parent_process acrord32.exe martian_process "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:20.0 /MODE:3
parent_process acrord32.exe martian_process "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Process injection: Process 1880 resumed a thread in remote process 2980

Time & API       Arguments                   Status  Return  Repeated
NtResumeThread   thread_handle: 0x00000730   1       0       0
                 suspend_count: 1
                 process_identifier: 2980
Lionic Trojan.PDF.Agent.b!c
MicroWorld-eScan Trojan.GenericKD.46739119
ALYac Trojan.PDF.208091A
Arcabit Trojan.Generic.D2C92EAF
ESET-NOD32 PDF/Exploit.Pidief.AAY
TrendMicro-HouseCall TROJ_FRS.0NA103H621
Avast Other:Malware-gen [Trj]
Kaspersky HEUR:Trojan.Script.Agent.gen
BitDefender Trojan.GenericKD.46739119
ViRobot Trojan.Win32.S.FakePDF.208091
Ad-Aware Trojan.GenericKD.46739119
Emsisoft Trojan.GenericKD.46739119 (B)
Comodo Malware@#2f67s3zn21jr2
TrendMicro TROJ_FRS.0NA103H621
McAfee-GW-Edition RDN/Generic Exploit
FireEye Trojan.GenericKD.46739119
Sophos Troj/PDFEx-JN
Ikarus Exploit.Pidief
Avira EXP/Pidief.nynzr
Gridinsoft Trojan.U.Agent.oa
ZoneAlarm HEUR:Trojan.Script.Agent.gen
GData Trojan.GenericKD.46739119
Cynet Malicious (score: 99)
AhnLab-V3 Exploit/PDF.FakeDocu
McAfee RDN/Generic Exploit
Fortinet JS/Agent.FF84!tr
AVG Other:Malware-gen [Trj]