Malware Analysis: Joanap

Intro:

In this blog post, I will be analysing a RAT (Remote Access Trojan) called ‘Joanap’, used by the North Korean APT group Lazarus to infect devices. I will be analysing it in IDA. Feedback on how to improve my analysis is appreciated.

Analysis:

If we go to address 0x401770 in IDA, we can see the start of the malware's routine for enabling and creating the services it uses to execute commands.

The function we are analysing, shown above, first retrieves the Windows directory and the system directory. It then calls a formatting function with %s\\%s as the format string.

%s\\%s is a format string: the first %s is replaced by the second argument and the second %s by the third argument, and the resulting path is written into the buffer passed as the first argument.

We can see the malware searching for scardprv.dll, wcssvc.dll and mssscardprv.ax. It opens the Service Control Manager, and if these services are not found it drops the malware from its resources and creates additional services to execute it and maintain persistence.

We can see that the malware queries service status below.

Analysing further, we can see the malware drop a resource named 101 as scardprv.dll in the System32 directory, opened with write permissions. If the file already exists it is deleted first; otherwise the resource contents are saved into it.

We also see the malware do the same with another resource, 104, creating wcssvc.dll.

The malware then creates a malicious service that masquerades as a legitimate one and is hosted inside an svchost.exe process.

Hosting in svchost.exe requires the malware to write its DLL information into the ServiceDLL path for both scardprv and wcssvc.

Conclusion:

This malware can be used to carry out multiple malicious activities. We can see how it creates services to disguise itself and maintain persistence on an infected machine.

Using Resource Hacker, we can find the two files scardprv.dll and wcssvc.dll that the malware drops. We can also obtain their MD5 hashes with PEStudio and check them against VirusTotal to confirm they are malicious. We can also see that they are PE executables, since they begin with the MZ header and contain the DOS stub string ‘This program cannot be run in DOS mode.’
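As an added example (not code from the original post), the following Python turns the two observations above into defender-side checks: it flags svchost-hosted services whose ServiceDll file name matches one of the DLL names the sample looks for and drops, and it applies the MZ-header / DOS-stub test and MD5 hashing to a dropped file. The service records and the resource bytes are constructed sample data, not output from a real system.

```python
import hashlib

# File names the analysis above shows the sample looking for and dropping.
JOANAP_DLL_NAMES = {"scardprv.dll", "wcssvc.dll", "mssscardprv.ax"}

# Constructed sample records (not real registry output) in the shape of each
# service's ImagePath and Parameters\ServiceDll values.
SAMPLE_SERVICES = {
    "wuauserv": {"ImagePath": r"%systemroot%\system32\svchost.exe -k netsvcs",
                 "ServiceDll": r"%systemroot%\system32\wuaueng.dll"},
    "scardprv": {"ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
                 "ServiceDll": r"C:\Windows\System32\scardprv.dll"},
    "wcssvc":   {"ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
                 "ServiceDll": r"C:\Windows\System32\wcssvc.dll"},
    "Spooler":  {"ImagePath": r"C:\Windows\System32\spoolsv.exe"},
}


def find_suspicious_service_dlls(services: dict) -> list:
    """Names of svchost-hosted services whose ServiceDll file name is a known Joanap DLL."""
    hits = []
    for name, values in services.items():
        dll = values.get("ServiceDll", "")
        hosted = "svchost.exe" in values.get("ImagePath", "").lower()
        if not dll or not hosted:
            continue
        # Compare only the file name, so the System32 path spelling does not matter.
        basename = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename in JOANAP_DLL_NAMES:
            hits.append(name)
    return sorted(hits)


DOS_STUB = b"This program cannot be run in DOS mode."


def looks_like_pe(blob: bytes) -> bool:
    """MZ signature plus the DOS stub string the post observes in the dropped files."""
    return blob[:2] == b"MZ" and DOS_STUB in blob[:512]


def md5_hex(blob: bytes) -> str:
    """MD5 of a dropped file, the hash the post looks up via PEStudio and VirusTotal."""
    return hashlib.md5(blob).hexdigest()


# Constructed stand-in for a dropped resource: MZ header, padding, DOS stub text.
SAMPLE_RESOURCE = b"MZ" + b"\x90" * 62 + DOS_STUB + b"\r\r\n$" + b"\x00" * 32
```

On a live host the same logic would be fed from the Services registry hive instead of the constructed dictionary; the file-name match alone is a hunting lead, and the hash lookup is what confirms it.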

I focus on Malware, RE, DFIR. This blog is used to improve my understanding of these concepts and show my progress.
Ben Lee