- New ROKRAT-like implant 2018-07-5
- Exploit: CVE-2017-8291
- Encapsulated PostScript method:
  - partial reverse string PostScript
  - single-byte XOR shellcode-loader shellcode
  - 4-byte XOR encoded payload
- IOCs
- (제출용)신청서.hwp|a636cd2f1ba46a9af23f9c0a24f8ee4e
- (제출용)신청서.hwp|9e6ff58202f6c1bd2381e8209231efd0ef6855db59db975fb5b75041706ed104
- BIN0001.eps|fced98d03bf14529be7ef8d2af8d9417
- BIN0001.eps|5abef9c21ae1ccbc895d101b9b5c20588fc0c4cfe79edd869f8a5406e9155f24
- extracted implant:
- 113637bc6f6f84d74ec2a4d0e988300b
- 4d37f80da97845129debf3244e1f731d2c93a02519f9fdaa059f5f124cf7c26f
- Payload extraction script:
- https://pastebin.com/VaK7eHXg
- VirusTotal
- HWP: https://www.virustotal.com/#/file/9e6ff58202f6c1bd2381e8209231efd0ef6855db59db975fb5b75041706ed104/detection
- Implant: https://www.virustotal.com/#/file/4d37f80da97845129debf3244e1f731d2c93a02519f9fdaa059f5f124cf7c26f/detection