Abused Update of GOM Player Poses a Threat

Several media outlets reported on January 7th, 2014, that a PC associated with “Monju” (the Fast Breeder Reactor of the Japan Atomic Energy Agency) had been infected with malware, with a suspected leak of information. Some pointed out that the infection had possibly been delivered through an abused legitimate update of “GOM Player”, which made it big news. GOM Player is a free media player with popular video/audio codecs built in, favored by many Japanese users. It differs from similar free media players in some notable ways: it supports major file formats such as AVI, DAT, DivX, MPEG and WMV, to name just a few, and an official Japanese version is provided. It is said to have more than 6 million users in Japan.

We received the sample file named “GoMPLAYER_JPSETUP.EXE”:


The sample is a self-extracting executable containing a RAR archive. When it is executed, it unpacks itself and runs the executable file included in the archive. Fig1 shows the files included in the RAR archive:

Fig1: Files within “GoMPLAYER_JPSETUP.EXE”


Two files are included in the archive:


“GOMPLAYERJPSETUP_JP.EXE” is a legitimate update file of the GOM Player. “GOMPLAYERBETASETUP_JP.EXE” is another self-extracting executable in RAR format. Fig2 shows the files included in “GOMPLAYERBETASETUP_JP.EXE”.



“GOMPLAYERBETASETUP_JP.EXE” contains five files, which together make up the malicious code. Among them is “install.exe”, which is run by “GOMPLAYERBETASETUP_JP.EXE”.


“install.exe” first checks whether it is running in a 32-bit or 64-bit environment, using the IsWow64Process API (Fig3):

Fig3: Architecture check performed by “install.exe”


Based on the result of that check, it reads “dll.tmp” or “dll64.tmp” (depending on the environment), xor-decrypts it with the single-byte key “x14”, and writes the result as “install.ocx” in “%windir%\temp”. Fig4 shows the xor decryption process.

Fig4: xor decryption process of “dll.tmp/dll64.tmp” using the key “x14”


Then it copies “instructions.pdf” or “instructions64.pdf” (depending on the environment) to the same folder as “install.ocx”.


It creates two values, “Default”=“%windir%\install.ocx” and “ThreadingModel”=“Apartment”, under each of the following registry keys:

“HKEY_CLASSES_ROOT\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\InProcServer32”
“HKEY_CURRENT_USER\Software\Classes\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\InProcServer32”
“HKEY_USERS\S-1-5-21-1439904799-1247934098-3846997294-1000\Software\Classes\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\InProcServer32”
“HKEY_USERS\S-1-5-21-1439904799-1247934098-3846997294-1000_Classes\CLSID\{ECD4FC4D-521-11D0-B792-00A0C90312E1}\InProcServer32”

After registration, it restarts “explorer.exe”, so that the newly registered in-process COM server “install.ocx” is loaded into the “explorer.exe” process. “install.ocx” then reads “instructions.pdf/instructions64.pdf” into memory and xor-decrypts it with “x14”. Finally, it jumps to the decrypted entry point to execute the malware.
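Registering a per-user InProcServer32 value for an existing CLSID is what makes explorer.exe load the DLL on restart, so a defender's first check is to audit COM registrations for in-process servers that live outside system directories or that have been added under the per-user Classes hives. The script below is an added example, not code from the original post or from Kaspersky: it parses a .reg export (a constructed fragment is embedded inline; only the CLSID is the one named in the post, the other paths and the benign CLSID are placeholders) and flags InProcServer32 entries that point into a temp directory or that are registered per-user.

```python
import re

# Constructed .reg export fragment. The GUID {ECD4FC4D-521C-11D0-B792-00A0C90312E1}
# is the one named in the post; the all-zero CLSID and the file paths are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\InProcServer32]
@="C:\\Windows\\System32\\placeholder.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\InProcServer32]
@="C:\\Windows\\temp\\install.ocx"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\InProcServer32]
@="C:\\Windows\\temp\\install.ocx"
"ThreadingModel"="Apartment"
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
# Matches  @="value"  or  "Name"="value"  (string values only, which is all we need here).
VALUE_RE = re.compile(r'^(@|"([^"]*)")=(?:"(.*)"|(.*))$')
TEMP_DIR_RE = re.compile(r"(\\|/)temp(\\|/)", re.IGNORECASE)
# Per-user Classes hives shadow HKLM for that user, so a CLSID registered here wins
# over the machine-wide registration: the classic COM hijack location.
PER_USER_RE = re.compile(
    r"^(HKEY_CURRENT_USER\\Software\\Classes"
    r"|HKEY_USERS\\[^\\]+\\Software\\Classes"
    r"|HKEY_USERS\\[^\\]+_Classes)\\",
    re.IGNORECASE,
)


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: value}} for the string values in a .reg export."""
    keys: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        if current is None or not line:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name = "@" if m.group(1) == "@" else m.group(2)
        if m.group(3) is not None:
            # .reg files escape backslashes inside quoted strings as "\\".
            keys[current][name] = m.group(3).replace("\\\\", "\\")
        else:
            keys[current][name] = m.group(4)
    return keys


def find_inproc_hijacks(keys: dict) -> list:
    """Flag InProcServer32 registrations that look like COM hijacks."""
    findings = []
    for key, values in keys.items():
        if not key.lower().endswith("\\inprocserver32"):
            continue
        server = values.get("@", "")
        reasons = []
        if PER_USER_RE.match(key):
            reasons.append("per-user COM registration shadows the machine-wide one")
        if TEMP_DIR_RE.search(server):
            reasons.append("in-process server is loaded from a temp directory")
        if reasons:
            findings.append({"key": key, "server": server, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_inproc_hijacks(parse_reg(SAMPLE_REG)):
        print(f["key"])
        print("   ->", f["server"])
        for r in f["reasons"]:
            print("      *", r)
```

On a live system the same checks apply to the output of `reg export HKCU\Software\Classes\CLSID` and to each loaded user hive under HKEY_USERS; an InProcServer32 path that is writable by the interactive user is worth treating as a finding even when it is not under a temp directory.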


In the decrypted in-memory copy of “instructions.pdf/instructions64.pdf”, it reads the 0x400 bytes at the end of the file. It searches that data for marker strings such as “AAAAAAAA”, “PPPPPPPP” and “BBBBBBBB”, then extracts the data that follows each of them. Finally, it base64-decodes the extracted data and applies “add x7a” and “xor x19” to the result (Fig5).

Fig5: Decryption process
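To pull the C&C configuration out of a sample without running it, an analyst reproduces the two decoding stages described above: the single-byte xor with “x14” that yields the in-memory image, and the tail-parsing step that finds each marker, base64-decodes what follows it, adds 0x7a and xors with 0x19. The code below is an added example, not the post's or Kaspersky's own tooling. It assumes “x14”, “x7a” and “x19” denote the byte values 0x14, 0x7a and 0x19, that each encoded field runs from the end of its marker to the first non-base64 byte, and that the arithmetic is applied per byte; the sample it decodes is constructed inline with the inverse transform, with placeholder values rather than real indicators.

```python
import base64
import re

XOR_KEY = 0x14      # "x14": key for dll.tmp / instructions.pdf (assumed to mean byte 0x14)
ADD_CONST = 0x7a    # "add x7a"
XOR2_KEY = 0x19     # "xor x19"
MARKERS = (b"AAAAAAAA", b"PPPPPPPP", b"BBBBBBBB")
TAIL_LEN = 0x400    # the malware reads the last 0x400 bytes of the decrypted image

# Assumption: an encoded field is the run of base64 characters directly after its marker.
B64_RUN = re.compile(rb"[A-Za-z0-9+/=]+")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte xor, the first decryption stage."""
    return bytes(b ^ key for b in data)


def decode_field(b64: bytes) -> bytes:
    """base64 decode, then per byte: add 0x7a (mod 256), then xor 0x19."""
    raw = base64.b64decode(b64)
    return bytes(((b + ADD_CONST) & 0xFF) ^ XOR2_KEY for b in raw)


def encode_field(plain: bytes) -> bytes:
    """Exact inverse of decode_field; only used to build the constructed sample."""
    raw = bytes(((b ^ XOR2_KEY) - ADD_CONST) & 0xFF for b in plain)
    return base64.b64encode(raw)


def extract_config(decrypted: bytes) -> dict:
    """Scan the last 0x400 bytes for each marker and decode the field after it."""
    tail = decrypted[-TAIL_LEN:]
    config = {}
    for marker in MARKERS:
        idx = tail.find(marker)
        if idx < 0:
            continue
        m = B64_RUN.match(tail, idx + len(marker))
        if m is None:
            continue
        config[marker.decode()] = decode_field(m.group(0))
    return config


def build_sample() -> bytes:
    """Constructed stand-in for an encrypted instructions.pdf (not a real payload)."""
    body = b"MZ" + b"\x00" * 64          # minimal fake header so the MZ check below has something to see
    fields = {
        b"AAAAAAAA": b"c2.example.invalid",   # placeholder domain
        b"PPPPPPPP": b"8080",                 # placeholder port
        b"BBBBBBBB": b"campaign-placeholder",
    }
    tail = bytearray(TAIL_LEN)
    pos = 0
    for marker, value in fields.items():
        chunk = marker + encode_field(value) + b"\x00"   # NUL terminates the base64 run
        tail[pos:pos + len(chunk)] = chunk
        pos += len(chunk) + 8
    return xor_bytes(body + bytes(tail), XOR_KEY)


def analyze(encrypted: bytes) -> dict:
    """Full pipeline: xor-decrypt, sanity-check the image, then decode the C&C config."""
    image = xor_bytes(encrypted, XOR_KEY)
    if image[:2] != b"MZ":
        raise ValueError("decrypted image does not start with MZ; wrong key or wrong file")
    return {name: value.decode("ascii", "replace") for name, value in extract_config(image).items()}


if __name__ == "__main__":
    for name, value in analyze(build_sample()).items():
        print(f"{name}: {value}")
```

The MZ check after the first stage is the cheap way to confirm that 0x14 really is the key on a new sample before spending time on the tail; if a variant changes the key, the tail parse would otherwise fail silently with an empty configuration.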


The table below shows the name of the data before/after decryption:


These decoded strings are used as the domain name and the connection port of the C&C server.


Kaspersky products detect the malware as “Backdoor.Win32.Miancha.*” (Fig6).

Fig6: Kaspersky products detected “Backdoor.Win32.Miancha.b” in the sample


Why this free software was installed on a PC at Monju remains unclear. The details remain undisclosed while the investigation by law enforcement is ongoing. We will keep a close eye on the situation.
