Wrangle with Hangul - Analysis of a malicious hwp document

Published 2020-11-09
In this video we analyse a malicious Hangul Word Processor (.hwp) file, which is reportedly attributed to an APT threat actor group that used the malware to target a South Korean organisation. I show you the tools, tactics and methodologies I use to extract the key Indicators of Attack (IOAs), so that you feel more confident when handling this kind of malware analysis.

Thanks to a friendly-follower for highlighting this sample to me; you know who you are.

SHORTCUTS
==========
Intro to the sample - 00:00
What is Hangul? - 00:58
Structured Storage Viewer (SSView) - 02:57
OLE Object Example - 03:38
Dumping OLE Streams and ZLIB inflating - 04:40
Carving files from OLE10Native Streams - 07:10
Using pestudio - 08:18
Decoy PDF Carving - 10:10
Carving .lnk file - 10:55
LNK file basic analysis - 12:55
DLL Analysis in x64dbg - 14:28
Dumping .rdata section - 16:10
Base64 Decoding - 16:57
VBScript De-obfuscation using CyberChef - 17:55
VBScript basic analysis - 19:15
Duplicating DLL Exports - 20:58
Injecting the DLL into a process - 21:42
Summary & Close - 22:30
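As an added example (not code from the video or its author), here are the two steps named above, inflating an HWP stream and carving the embedded file out of its Ole10Native wrapper, using only the Python standard library. The stream bytes are constructed for the example rather than taken from the real sample, and the field layout follows the commonly documented Ole10Native structure.

```python
import hashlib
import struct
import zlib


def inflate_hwp_stream(data: bytes) -> bytes:
    """Inflate an HWP 5.x BinData/BodyText stream.

    HWP stores these streams as raw DEFLATE (no zlib header), so wbits=-15
    is tried first; a zlib-wrapped stream (wbits=15) is tried as a fallback.
    """
    for wbits in (-15, 15):
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    raise ValueError("stream is not DEFLATE/zlib compressed")


def _cstring(buf: bytes, off: int):
    """Read a NUL-terminated ANSI string starting at off; return (text, next_off)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def carve_ole10native(stream: bytes) -> dict:
    """Parse an Ole10Native stream and return the embedded file's metadata and bytes.

    Layout (little-endian): total size (u32), flags (u16), label (NUL-terminated),
    original path (NUL-terminated), 8 bytes of flags/unknown (skipped here),
    temp path (NUL-terminated), payload size (u32), payload bytes.
    """
    total = struct.unpack_from("<I", stream, 0)[0]
    off = 6  # skip u32 total size + u16 flags
    label, off = _cstring(stream, off)
    src_path, off = _cstring(stream, off)
    off += 8
    temp_path, off = _cstring(stream, off)
    size = struct.unpack_from("<I", stream, off)[0]
    off += 4
    payload = stream[off:off + size]
    if len(payload) != size:
        raise ValueError("Ole10Native payload truncated")
    return {"label": label, "src_path": src_path, "temp_path": temp_path,
            "declared_total": total, "payload": payload,
            "sha256": hashlib.sha256(payload).hexdigest()}  # hash for the IOC list


def build_sample_stream() -> bytes:
    """Constructed sample (not from the real file): an Ole10Native wrapper around a
    stand-in 'MZ' payload, raw-DEFLATEd the way an HWP BinData stream is stored."""
    payload = b"MZ" + b"\x90" * 16
    body = (struct.pack("<H", 2) + b"decoy.dll\x00" + b"C:\\tmp\\decoy.dll\x00"
            + struct.pack("<II", 0, 0) + b"C:\\tmp\\decoy.dll\x00"
            + struct.pack("<I", len(payload)) + payload)
    native = struct.pack("<I", len(body)) + body
    comp = zlib.compressobj(wbits=-15)
    return comp.compress(native) + comp.flush()
```

Pointing `inflate_hwp_stream` at a `BinData/BIN0001.OLE` stream dumped with SSView or olefile reproduces the carve shown in the video; the returned `sha256` is what you would pivot on in VirusTotal.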

LINKS
=====
www.virustotal.com/gui/file/07dfb10d2a849d7bb3f9cb…
en.wikipedia.org/wiki/Hangul_(word_processor)
twitter.com/RedDrip7/status/1318123634670538752

THANKS
=======
If you liked the video, please give it a THUMBS UP. If you loved it, please SUBSCRIBE.

FOLLOW
=======
Also, feel free to follow me on twitter.com/cybercdh

All Comments (17)
  • @bizbouk
    Whilst I know Colin personally, each time I watch his videos like this from Col' I'm just amazed how deep his technical knowledge is. Great work Col', you really know your stuff. D.
  • @TheCorei71
    Nice and swift as always. Thanks Colin.
  • @HackeXPlorer
    Well explained breakdown Colin, so many valuable tips and techniques shared. Spending my annual vacation on your channel :D. Really worth it! Thank you!!!!
  • @arquivosed
    never stop these videos! awesome as always! thanks!
  • @MauroScomparin
    Thank you very much, very interesting sample and analysis! As usual :)
  • @alimuc
    Excellent work, I really like the flow of your analysis. Keep it up.
  • @picious
    wow, that was cool !! thanks.
  • @TKomoski
    In the end Colin, what does it maliciously do, i.e. keylogger, camera voyeur, data thief or ransomware money? If I had that on my machine, what would it do? Cheers
  • That was incredible, thanks! Quick question though, how do you forward all the traffic through Burp? It's not like a webpage that has settings where you can set up a proxy. Thanks!
  • @suheilali7734
    Awesome video, can you make video for analyzing ThanOS ransomware?