My first write up for Joanap malware
Hello all, my name is Mahmoud NourEldin, a student of maltrak.com, presented by Eng. Amr Thabet, and I would like to post my first blog about this topic.
It is just an exercise from the maltrak course and I would like to share the analysis with you.
Let's start:
What is Joanap Malware?
Joanap is a remote access tool that is a type of malware used by the government of North Korea. It is two-stage malware, meaning it is "dropped" by another software (in this case the Brambul worm, which was part of the charges against Park Jin Hyok in 2018).[1] Joanap establishes peer-to-peer communications and is used to manage botnets that can enable other operations. On Windows devices that have been compromised it allows data exfiltration, to drop and run secondary payloads, initialization of proxy communications, file management, process management, creation/deletion of directories, and node management.[Wikipedia].
Summary:
It drops:
• C:\WINDOWS\system32\scardprv.dll (MD5: FD59AF723B7A4044AB41F1B2A33350D6),
• C:\WINDOWS\system32\mcssvc.dll (MD5: 9A981085A87647B5E99517506EA83A9B),
• C:\WINDOWS\system32\mssscrdprv.ax.
It then creates two services named "SCardPrv" and "wcssv" to execute those DLLs.
The malware also creates these registry values:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardPrv\Parameters\"ServiceDll" = "%System%\scardprv.dll".
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wcssv\Parameters\"ServiceDll" = "%System%\mcssvc.dll".
Details:
Let's analyze the most interesting function in the malware:
1) As I explained:
• The malware gets the system directory and concatenates it with "scardprv.dll", "wcssvc.dll" and "mssscardprv.ax" into variables using the function named "sub_402227".
• Function "sub_402227": after getting the output from the Olly debugger, I think it's like the sprintf function.
2) Then the malware opens the Service Control Manager and tries to find a service named "SCardPrv". If it can't find it, it tries to create a new one, as we will see later.
3) Then the malware loads the resource it contains into memory:
4) You can find this resource with the Resource Hacker tool. You can also save it by right click -> Save resource to a .bin file.
5) Then the malware creates the DLL files and writes the resource from memory into them:
As we can see, it first creates C:\windows\system32\scardprv.dll, then takes the resource it loaded into memory and saves it to that file, and repeats the same thing for C:\windows\system32\mcssvc.dll.
6) Then the malware opens the registry key "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" and adds the value "SCardPrv" so the service is loaded at startup.
7) Then the malware creates the service named "SCardPrv" [I explain everything you want in the file]
8) Then the malware creates a registry key named "Parameters"
9) Then it adds the DLL path to the registry:
"%SystemRoot%" -> "C:\windows"
10) It then repeats the same thing: setting the svchost value "WcsSvc", creating a service with that name, then setting the DLL path in the registry key "Parameters" ["%SystemRoot%\\system32\\wcssvc.dll"].
11) Finally:
The malware starts the services:
From the whole analysis of this function, you can see the malware drops two executable files (two DLLs), saves them in the System32 directory and creates two services to execute them. The malware makes sure to overwrite the previous installation or the legitimate service if either of them exists.
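As a defender-side companion to the steps above, here is an added example (my own code, not part of the original write-up) that hunts for this persistence pattern in Sysmon-style telemetry: a DLL written into System32 (event ID 11) followed by a Services\<name>\Parameters\ServiceDll value pointing at it (event ID 13), with the Svchost group registration tracked as well. The event records are constructed to mirror the write-up; field names follow Sysmon's Image, TargetFilename, TargetObject and Details.

```python
import re

# Value names the write-up shows the malware setting.
SERVICEDLL_RE = re.compile(r"\\Services\\([^\\]+)\\Parameters\\ServiceDll$", re.I)
SVCHOST_RE = re.compile(r"\\Windows NT\\CurrentVersion\\Svchost\\([^\\]+)$", re.I)
SYSROOT_RE = re.compile(r"%SystemRoot%", re.I)


def expand(path):
    """Resolve %SystemRoot% the way the write-up shows it ("%SystemRoot%" -> "C:\\windows")."""
    return SYSROOT_RE.sub(lambda _m: r"C:\Windows", path)


def hunt(events):
    """Return one finding per ServiceDll value that points at a DLL created earlier
    in the same event stream (EID 11 file create followed by EID 13 registry set)."""
    dropped = {}       # lower-cased DLL path -> image that wrote it
    groups = set()     # svchost group names registered under the Svchost key
    findings = []
    for ev in events:
        if ev["EventID"] == 11:
            dropped[ev["TargetFilename"].lower()] = ev["Image"]
            continue
        if ev["EventID"] != 13:
            continue
        g = SVCHOST_RE.search(ev["TargetObject"])
        if g:
            groups.add(g.group(1).lower())
        m = SERVICEDLL_RE.search(ev["TargetObject"])
        if not m:
            continue
        dll = expand(ev["Details"]).lower()
        if dll in dropped:   # ServiceDll points at a file some process in this stream dropped
            findings.append({"service": m.group(1), "dll": dll, "dropper": dropped[dll],
                             "registered_as_svchost_group": m.group(1).lower() in groups})
    return findings


# Constructed sample stream mirroring the write-up's steps (not real telemetry).
SRC = r"C:\Users\lab\Desktop\sample.exe"   # hypothetical dropper path
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": SRC, "TargetFilename": r"C:\Windows\System32\scardprv.dll"},
    {"EventID": 11, "Image": SRC, "TargetFilename": r"C:\Windows\System32\mcssvc.dll"},
    {"EventID": 13, "Image": SRC, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\SCardPrv", "Details": "SCardPrv"},
    {"EventID": 13, "Image": SRC, "TargetObject": r"HKLM\System\CurrentControlSet\Services\SCardPrv\Parameters\ServiceDll", "Details": r"%SystemRoot%\system32\scardprv.dll"},
    {"EventID": 13, "Image": SRC, "TargetObject": r"HKLM\System\CurrentControlSet\Services\wcssv\Parameters\ServiceDll", "Details": r"%SystemRoot%\system32\mcssvc.dll"},
    # Benign: the OS sets a ServiceDll for a DLL no process in this stream created, so it is not flagged.
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "TargetObject": r"HKLM\System\CurrentControlSet\Services\Dhcp\Parameters\ServiceDll", "Details": r"%SystemRoot%\system32\dhcpcore.dll"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The sample deliberately omits a Svchost entry for the second service, so its finding shows registered_as_svchost_group as False while the first shows True.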
Comments:
Awesome <3
Thank you for supporting me, bro🌹❤️
keep it up
Thank you for supporting me ❤️🌹
good luck in your career bro!
Thank you for supporting me ❤️🌹
Good luck ❤❤
Bravo, love :)
Reply on WhatsApp
Bravo, Tatem