Several media reported the news on January 7th, 2014, that a PC associated with “Monju” (the Fast Breeder Reactor of the Japan Atomic Energy Agency) was infected by malware and there was a suspicion of information leaks. Some pointed out that the infection had possibly been led by the abuse of the legitimate update of “GOM Player”, which made it big news.

GOM Player is a free media player with popular video/audio codecs built-in, favored by many Japanese people. It is different from similar free media players in some notable points: it supports major file formats such as AVI, DAT, DivX, MPEG, WMV to name just some and it officially deploys a Japanese version. Its users are said to be more than 6 million in Japan.

We received the sample file named “GoMPLAYER_JPSETUP.EXE”. The sample is an executable file compressed in RAR format. When it is executed, it unpacks itself and runs the executable file included in the archive. Fig1 shows the files included in the RAR archive:

Fig1: Files within “GoMPLAYER_JPSETUP.EXE”

“GOMPLAYERJPSETUP_JP.EXE” is a legitimate update file of the GOM Player. “GOMPLAYERBETASETUP_JP.EXE” is another executable file in RAR format. Fig2 shows the files included in “GOMPLAYERBETASETUP_JP.EXE”.

Fig2: Files within “GOMPLAYERBETASETUP_JP.EXE”

“GOMPLAYERBETASETUP_JP.EXE” has five files which include malicious code. Among them is “install.exe”, which runs from “GOMPLAYERBETASETUP_JP.EXE”. The “install.exe” checks which environment it is running in, 32bit or 64bit, using the IsWow64Process function (Fig3):

Fig3: Estimation process by the “install.exe”

Based on the result of the estimation process, it reads “dll.tmp/dll64.tmp” (based on the environment) and xor-decrypts it with “x14”, then generates “install.ocx” in “%windir%temp”. Then it copies “instructions.pdf/instructions64.pdf” (based on the environment) to the same folder as “install.ocx”. Fig4 shows the xor decryption process.

Fig4: xor decryption process of “dll.tmp/dll64.tmp” using “x14”
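The single-byte XOR step described above is easy to reverse once the key is known, and, because XOR with one byte preserves the structure of the plaintext, the key can be recovered from an encrypted payload even when it is not. The following Python helper is an added example for analysts, not code from the original article or from the sample: it decodes a blob with a given key (0x14 here, as the article states), and, for a blob whose key is unknown, tries all 256 single-byte keys looking for a DOS/PE header. The "encrypted" input it runs on is constructed in the script, not a real dll.tmp.

```python
"""Added example: single-byte XOR decoding and key recovery for a dropped
payload such as the dll.tmp/dll64.tmp described in the article.
The sample payload below is constructed for demonstration only."""

from typing import Optional

PE_MAGIC = b"MZ"            # DOS header magic of a PE file
XOR_KEY = 0x14              # key the article reports for dll.tmp/dll64.tmp


def xor_decrypt(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key. XOR is its own inverse,
    so the same function encrypts and decrypts."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Minimal PE sanity check: 'MZ' magic and a 'PE\\0\\0' signature
    at the offset stored in e_lfanew (DOS header offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != PE_MAGIC:
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Brute-force all 256 single-byte keys; return the first one that
    turns the blob into something with a valid PE header, else None."""
    for key in range(256):
        if looks_like_pe(xor_decrypt(blob, key)):
            return key
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE file: a DOS header whose e_lfanew
    points at a PE signature, followed by zero padding."""
    dos = bytearray(0x40)
    dos[0:2] = PE_MAGIC
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 60


# Constructed sample: what dll.tmp would look like on disk if it were
# this fake PE XOR-encrypted with 0x14.
ENCRYPTED_SAMPLE = xor_decrypt(build_fake_pe(), XOR_KEY)


if __name__ == "__main__":
    key = recover_xor_key(ENCRYPTED_SAMPLE)
    print(f"recovered key: {key:#04x}" if key is not None else "no key found")
    decoded = xor_decrypt(ENCRYPTED_SAMPLE, XOR_KEY)
    print("decoded blob starts with MZ:", decoded.startswith(PE_MAGIC))
```

Run it against a real encrypted drop by reading the file as bytes and passing it to `recover_xor_key`; a hit tells you both that the payload is a PE and which key to use with `xor_decrypt` before handing the result to a disassembler. The brute force only finds single-byte keys, which is all the article describes for this sample.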