Malware Analysis: Jonap

Ben Lee
3 min readDec 22, 2021

--

MD5 hash: E7832020692E8914F53804FE1A0569DC
Virus Total Link: https://www.virustotal.com/gui/file/dc030c478d783044dfbf68de54ca6f36e154f60f65dc92f2c6d724078402e738/detection

Intro:

In this blog post, i will be analysing a RAT (Remote Acess Trojan) used by North Korean APT group Lazarus called ‘Jonap’ to infect devices. I will be analysing it via IDA. Feedback on how to improve my analysis is appreciated.

Analysis:

If we go to the address 0x401770 in IDA we can see the start of the malware trying to enable and create services to execute commands.

The function we are analysing, which as seen above, tries to get Windows Directory and SystemDirectory. It then tries to call to a function giving %s\\%s for input.

%s\\%s basically replaces 1st % with 2nd argument, 2nd % with 3rd argument and save the return in the 1st argument.

We can see the malware tries searching for scardprv.dll, wcssvc.dll, mssscardprv.ax. It opens the Service Control Manager and if it couldn’t find these services, drop the malware from its resources and create extra services to execute and maintain persistence.

We can see that the malware queries service status below.

Analysing further, we can see the malware drops an executable called 101 and creates scardprv.dll in sys32 directory with write permissions. If the file exists beforehand delete it first, otherwise save the resource file into it.

We also see the malware do the same for another executable 104 creating wcssvc.dll.

The malware then tries to create a fake malicious service masking itself as legitimate inside svchost.exe process.

The svchost.exe process requires the malware to save its information into ServiceDLL Path for both scardprv and wcssvc.

Conclusion:

This malware can be used to execute multiple malicious activities. We can see how it creates services to obfuscate itself and maintain persistence in an infected machine.

Using Resource Hacker, we can find the two files scardprv.dll and wcssvc.dll dropped by the malware. We can also find their MD5 hashes via PEStudio. You can check if they are malicious via VirusTotal. We can also see they are PE executable files as it displays ‘ MZ This program cannot be run in DOS mode.’

MD5 Hashes for the 2 resources extracted from the malware:
101: fd59af723b7a4044ab41f1b2a33350d6
104: 9a981085a87647b5e99517506ea83a9b

--

--

Ben Lee

I focus on Malware, RE, DFIR. This blog is used to improve my understanding of these concepts and show my progress.