Olympic Destroyer Analysis and Samples

Olympic Destroyer, as the name implies, is a destructive worm built to sabotage the then-ongoing Winter Olympic Games in Pyeongchang, South Korea.

In a nutshell, Olympic Destroyer steals credentials stored in browsers (Chrome, Firefox and Internet Explorer) as well as credentials held by the local system. It propagates by discovering the network the infected machine is connected to and using the harvested credentials to reach other hosts. Every time it propagates it creates a new mutated copy of itself that carries the credentials of every host it has infected so far, on top of the hard-coded credentials its authors put in it.

Then its destructive mechanism kicks in: it deletes the system backup catalog (and volume shadow copies), which makes recovery difficult, and uses bcdedit.exe to disable the Windows recovery console and make the boot loader ignore startup failures, so that Windows does not try to repair itself. It disables all services, clears the System and Security event logs to remove traces of its activity, and finally shuts the system down, after which it fails to start.
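The destructive chain above is the most detectable part of the worm, because every step is a separate child process of cmd.exe with a distinctive command line. The following is an added example (not code from the original page or from any vendor report) of detection logic that classifies process-creation events into those categories and flags a host when several of them occur within a short window. The event lines, the `timestamp|host|parent|command line` layout and the host names are constructed for this example; the command-line patterns are the wbadmin, vssadmin, bcdedit and wevtutil invocations described above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of process-creation events (e.g. Sysmon Event ID 1 flattened
# to "timestamp|host|parent image|command line"). Made up for this example:
# WS-01 runs the whole destructive chain, WS-02 clears one log (benign admin
# activity), WS-03 deletes only the backup catalog.
SAMPLE_EVENTS = """\
2018-02-09T19:00:01|WS-01|cmd.exe|vssadmin.exe delete shadows /all /quiet
2018-02-09T19:00:02|WS-01|cmd.exe|wbadmin.exe delete catalog -quiet
2018-02-09T19:00:03|WS-01|cmd.exe|bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
2018-02-09T19:00:04|WS-01|cmd.exe|wevtutil.exe cl System
2018-02-09T19:00:04|WS-01|cmd.exe|wevtutil.exe cl Security
2018-02-09T19:05:00|WS-02|explorer.exe|notepad.exe C:\\notes.txt
2018-02-09T19:06:00|WS-02|cmd.exe|wevtutil.exe cl Application
2018-02-09T20:30:00|WS-03|services.exe|wbadmin.exe delete catalog -quiet
"""

# One rule per destructive technique: (category, case-insensitive regex over
# the command line). The bcdedit line matches two categories at once.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("backup_catalog_deletion",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("boot_failure_ignored",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("eventlog_cleared",
     re.compile(r"wevtutil(\.exe)?\s+cl\s+\S+", re.I)),
]


def parse_events(text):
    """Parse the constructed pipe-separated format into dicts.

    maxsplit=3 keeps any '|' that appears inside the command line itself.
    """
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, cmdline = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "parent": parent, "cmdline": cmdline})
    return events


def classify(cmdline):
    """Return the set of destructive categories a single command line hits."""
    return {name for name, rx in RULES if rx.search(cmdline)}


def detect(events, window=timedelta(minutes=5), min_categories=3):
    """Flag hosts where >= min_categories distinct techniques occur within `window`.

    Returns {host: sorted list of categories seen in the first offending window}.
    A single cleared log or a lone backup-catalog deletion is common admin noise;
    the combination within minutes is the wiper pattern described on this page.
    """
    by_host = defaultdict(list)
    for ev in events:
        cats = classify(ev["cmdline"])
        if cats:
            by_host[ev["host"]].append((ev["ts"], cats))

    flagged = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):
            seen = set()
            for ts, cats in hits[i:]:
                if ts - start > window:
                    break
                seen |= cats
            if len(seen) >= min_categories:
                flagged[host] = sorted(seen)
                break
    return flagged


if __name__ == "__main__":
    for host, cats in detect(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: wiper chain detected -> {', '.join(cats)}")
```

The threshold of three categories in five minutes is a starting point, not a tuned value: in a real deployment the `recovery_disabled` and `boot_failure_ignored` rules on their own are rare enough outside imaging workflows to justify a lower-severity alert, while `eventlog_cleared` alone is routinely noisy.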

For more details see the VirusTotal analysis, which can be found here.

Olympic Destroyer Sandbox Run

Olympic Destroyer Attack Flow

Olympic Destroyer Sample Hash

MD5: cfdd16225e67471f5ef54cab9b3a5558
SHA1: 26DE43CC558A4E0E60EDDD4DC9321BCB5A0A181C
SHA256: EDB1FF2521FB4BF748111F92786D260D40407A2E8463DCD24BB09F908EE13EB9

Download Olympic Destroyer Sample

Download Olympic Destroyer Malware Sample
The password of the zip is: infected
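Before doing anything with the archive, confirm that what you downloaded is actually the sample whose hashes are listed above, and do it without writing the decrypted binary to disk (where endpoint protection will quarantine it, or someone will double-click it). The block below is an added example, not code shipped with the page: it reads each member of the password-protected zip in memory, hashes it, and compares against the published MD5/SHA1/SHA256. The `build_test_zip` helper only exists so the example can be exercised offline on a constructed, unencrypted archive; the real archive uses the password stated above.

```python
import hashlib
import io
import zipfile

# Hashes published on this page for the sample, lower-cased for comparison.
PUBLISHED = {
    "md5": "cfdd16225e67471f5ef54cab9b3a5558",
    "sha1": "26de43cc558a4e0e60eddd4dc9321bcb5a0a181c",
    "sha256": "edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9",
}


def digests(data):
    """Compute all three digests of a byte string in one pass each."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def check_sample(data, published=PUBLISHED):
    """Return {algo: bool} saying which published hashes the bytes match.

    A SHA256 match is authoritative; MD5 and SHA1 are kept only because many
    IOC feeds still list them, and a mismatch on those with a SHA256 match
    would indicate a typo in the feed rather than a different file.
    """
    actual = digests(data)
    return {algo: actual[algo] == expected.lower()
            for algo, expected in published.items()}


def check_zip_members(zip_bytes, password=b"infected"):
    """Hash every file in the archive in memory and report per-member matches.

    zipfile ignores `pwd` for members that are not encrypted, so the same
    function works for the real archive and for the constructed test archive.
    """
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info, pwd=password)
            results[info.filename] = check_sample(data)
    return results


def build_test_zip(members):
    """Build an unencrypted zip in memory from {name: bytes}. Test helper only;
    Python's zipfile cannot write encrypted archives, so this does not reproduce
    the password protection of the real download."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path is None:
        print("usage: verify.py <downloaded.zip>")
    else:
        with open(path, "rb") as fh:
            for member, matches in check_zip_members(fh.read()).items():
                print(member, matches)
```

Run it against the downloaded archive rather than an extracted file; if no member reports `sha256: True`, you do not have the sample this page describes, regardless of what the file is named.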

Download Olympic Destroyer PCAP

Download Saturn Malware PCAP