RokRAT Adobe Flash Malware Sample (CVE-2018-4878)

RokRAT exploits CVE-2018-4878, a Adobe Falsh 0-day vulnerability. Its is believed to be the work of supposedly North Korean Group 123 or APT37. RokRAT is disseminated via a excel file which has an ActiveX Object, that object is an embedded SWF file.

RokRAT Excel File The embedded SWF object exploits Flash's Zero-day Use After Free (UAF) vulnerability identified by CVE-2018-4878. When then contact its command and control (C&C) server for shell codes which then will be executed in the memory. VirusTotal report of RokRAT can be found here. RokRAT execution flow is depicted in following image.

RokRAT execution flow

RokRAT Malware Sample Hash

MD5: d2881e56e66aeaebef7efaa60a58ef9b
SHA1: c09c1be69e5a206bcfe3d726773f0b0ddecb3622
SHA256: e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd
SSDEEP: 12288:cbeQy0+6dUlyAcdqfAkMvGpns9gKYLd+NjhzZkZf7:AfuJGv2ns9XRkZf

Dowload RokRAT Malware Sample

Download RokRAT Malware Sample The password of the zip is: infected
© Tutorial Jinni