Threat Analysis: ROKRAT Malware

2018-02-27 Carbonblack

https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/

Carbon Black examined ROKRAT, also known as DOGcall, a remote access trojan used by attackers originating from North Korea. The malware is commonly delivered by loaders or carrier files such as macro-enabled Office documents, injects shellcode into processes such as wscript.exe or cmd.exe, and then deletes the loader to reduce artifacts. Its payload profiles the victim system, performs anti-analysis checks, and provides RAT capabilities including additional tool deployment, data exfiltration, credential harvesting, and screenshot capture. Newer variants used cloud services such as pCloud, Dropbox, and Yandex for command and control, while earlier related variants used hard-coded URLs hosted largely by Korean telecoms and sometimes downloaded second-stage malware disguised as JPG files.

Indicators of Compromise

