RTF Royal Road drops a new backdoor MFC and links with Goblin Panda

the decoy document 74aa6fff407dee851f224329489232a8e7f2d6046aaff3c9cebfff81b7d5db22 uses a version of royal road to drop a new bakdoor developped on MFC C++.


The dectection rate on virustotal is very low:

The backdoor is packed with a home made packer. The real entrypoint is call by a thread with the function AfxWinMain at FUN_00432cc8 and the entry of this thread is at 401740.

in 004285F0, the backdoor checks the windows version:

in 00428DC0, it checks the environnement user:

in 004291C0, it check the IP internal and mac address in the sub function: 004290A3

In 00429620, it find the IP external using the service icanhazip.com using InternetOpenUrlA

in 00429810, it check the kind of the processor in reading the key: ”HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0"

in 0042A190, it checks the privilege of the process.

in 00429BB0, it checks the Bios version of the MotherBoard

In 00429CF0, it checks the services installed on the computer.

in 0042A310, it checks the harddrives in the subfunction 0042A780.

The results are stored in the stack:

In 004014C0, it check the Internet Settings on the computer:

a mutex is created: “LOOTWODNIWcae16a2d”

the malware communicates with the domain: jkncj.com

Threat Intelligence

This domain resolves on This IP has resolved on kmbk8.hicp.net

This domain is used during operation by Goblin Panda:



RTF Royal Road: 74aa6fff407dee851f224329489232a8e7f2d6046aaff3c9cebfff81b7d5db22

backdoor MFC: C:\Users\admin\AppData\Local\Temp\OSEF0B7.tmp b19d64d6ef5329b388d688157ebb9f4fa8cae2ccd18ec1fe7bb75b0fcc2350f9


Article Link: https://medium.com/@Sebdraven/rtf-royal-road-drops-a-new-backdoor-mfc-and-links-with-goblin-panda-90db06f80611?source=rss-11d98531eebe------2