Malware Analysis Report AR18-221A: HIDDEN COBRA Trojan – KEYMARBLE

The United States DHS and FBI have published Malware Analysis Report AR18-221A on a Trojan they refer to as KEYMARBLE. They attribute it to malicious cyber activity by the North Korean government, which they track under the name HIDDEN COBRA.

KEYMARBLE is a Windows executable that functions as a remote access tool. Its capabilities include collecting system configuration information, executing commands, modifying the registry, capturing screenshots, downloading additional files and exfiltrating data.

The IP addresses of its command and control (C2) servers are hard-coded in the binary.

Indicators of Compromise

Hashes

MD5

  • 704d491c155aad996f16377a35732cb4
  • 47f6fac41465e01dda5eac297ab250db
  • 30d34a8f4c29d7c2feb0f6e2b102b0a4
  • 77f4a11d375f0f35b64a0c43fab947b8
  • d4364f6d2f55a37f0036e9e0dc2c6a2b

SHA1

  • d1410d073a6df8979712dd1b6122983f66d5bef8

SHA256

  • e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09

SHA512

  • 0092900bf4ca71c17a3caa225a4d7dcc60c7b58f7ffd173f46731db7f696e34b2e752aefaf9cedc27fe76fe317962a394f1be2e59bd0cffaabd9f88cc4daedcc

SSDEEP

  • 3072:IDdXEYhXxS550wwiY0Pe6Q1vLo4lJnCtea:EXEEXxcQxZ

IP Addresses

  • 100.43.153.60
  • 104.194.160.59
  • 212.143.21.43
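The following Python script is an added example, not part of the DHS/FBI report or of the original page. It shows one way to put the indicators above to work: it hashes files once in chunks (MD5, SHA1, SHA256 and SHA512 in a single pass) and checks the digests against the hash set, and it scans log lines for the hard-coded C2 addresses. The log lines are constructed sample data, not real telemetry; the indicator values are copied from this page.

```python
"""Match files and log lines against the KEYMARBLE indicators (AR18-221A)."""
import hashlib
import io
import re
import sys
from pathlib import Path

# Hash indicators copied from the IoC section above (MD5, SHA1, SHA256, SHA512).
KEYMARBLE_HASHES = {
    "704d491c155aad996f16377a35732cb4",
    "47f6fac41465e01dda5eac297ab250db",
    "30d34a8f4c29d7c2feb0f6e2b102b0a4",
    "77f4a11d375f0f35b64a0c43fab947b8",
    "d4364f6d2f55a37f0036e9e0dc2c6a2b",
    "d1410d073a6df8979712dd1b6122983f66d5bef8",
    "e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09",
    "0092900bf4ca71c17a3caa225a4d7dcc60c7b58f7ffd173f46731db7f696e34b2e"
    "752aefaf9cedc27fe76fe317962a394f1be2e59bd0cffaabd9f88cc4daedcc",
}

# Hard-coded C2 addresses copied from the IoC section above.
KEYMARBLE_C2_IPS = {"100.43.153.60", "104.194.160.59", "212.143.21.43"}

HASH_ALGOS = ("md5", "sha1", "sha256", "sha512")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def hash_stream(fh, chunk_size=1 << 20):
    """Return {algo: hexdigest} for a binary stream, reading it once in chunks."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGOS}
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Hash an in-memory buffer with the same code path as hash_file."""
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as fh:
        return hash_stream(fh)


def match_hashes(digests):
    """Return the algorithm names whose digest is in the indicator set."""
    return sorted(name for name, hexd in digests.items()
                  if hexd.lower() in KEYMARBLE_HASHES)


def scan_tree(root):
    """Walk a directory; return {path: [matching algos]} for every hit."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            algos = match_hashes(hash_file(p))
            if algos:
                hits[str(p)] = algos
    return hits


def find_c2_connections(log_lines):
    """Return (line_number, ip) for each line that mentions a C2 address."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in KEYMARBLE_C2_IPS:
                hits.append((n, ip))
    return hits


# Constructed firewall log lines (sample data, not real telemetry).
SAMPLE_LOG = [
    "2018-08-09T10:12:01Z fw allow tcp 10.0.5.23:49211 -> 104.194.160.59:443",
    "2018-08-09T10:12:04Z fw allow tcp 10.0.5.23:49212 -> 93.184.216.34:443",
    "2018-08-09T10:13:40Z fw allow tcp 10.0.7.8:51002 -> 212.143.21.43:8080",
]

if __name__ == "__main__":
    for hit in find_c2_connections(SAMPLE_LOG):
        print("C2 contact on line %d: %s" % hit)
    for root in sys.argv[1:]:
        for path, algos in scan_tree(root).items():
            print("%s matches KEYMARBLE %s" % (path, ", ".join(algos)))
```

Run it with one or more directories as arguments to sweep a file system for the hashed sample; without arguments it only exercises the log scan on the constructed lines. Two caveats apply to any hunt built on this list: the hashes match only the exact artifacts analysed in the report, so a recompiled or repacked build will not hit (the SSDEEP value is the indicator to use for fuzzy matching, which this script does not attempt), and the C2 addresses were current at publication in 2018 and may since have been reassigned, so a hit should be checked against the connection's date before it is treated as confirmed KEYMARBLE activity.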

References

  • www.us-cert.gov/ncas/analysis-reports/AR18-221A
  • www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity
  • threatpost.com/hidden-cobra-strikes-again-with-custom-rat-smb-malware/132375/