North Korea Using IPs In Russia?

I noticed the other day that 188.43.136.115 and 188.43.136.116 had the same certificate information in November 2021 as 175.45.176.21 and 175.45.176.22 had until recently. Now this doesn’t prove anything, but it’s also interesting to note that both had ports 443 and 8888 exposed. Something to keep an eye on. Certificate is below. Could not find any other IPs using that certificate when searching the hash.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9961 (0x26e9)
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: CN=ISRA
        Validity
            Not Before: Sep 10 10:19:41 2021 GMT
            Not After : Sep 10 10:19:41 2022 GMT
        Subject: CN=is_server
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Client, S/MIME
            Netscape Comment: 
                OpenSSL Generated Client Certificate
            X509v3 Subject Key Identifier: 
                C2:A2:12:38:21:74:43:BF:F0:DE:5A:F8:EA:0E:B1:68:98:0E:3E:C3
            X509v3 Authority Key Identifier: 
                keyid:CB:36:50:B9:C4:39:6E:9B:F4:43:46:56:D5:2B:C2:99:6D:E6:F5:FA

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, E-mail Protection
    Signature Algorithm: ecdsa-with-SHA384
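As an added example (not code from the post), a small Python helper that pulls the pivot fields out of `openssl x509 -text` output, groups hosts by Subject Key Identifier the way the post correlates the two IP pairs, and flags the caveat visible in the cert above: it carries only a client-auth EKU (OpenSSL's "Generated Client Certificate" comment) yet is being offered by a listener on 443. The trimmed certificate text and the four IPs are taken from the post; pivoting on the AKI instead of the SKI would also surface any other leaf issued by the same private "ISRA" CA, which a search on the leaf hash alone cannot.

```python
import re
from collections import defaultdict

# Constructed sample: the `openssl x509 -text` output quoted above, cut down to
# the fields this parser pivots on (key and signature bytes omitted).
CERT_TEXT = """\
        Serial Number: 9961 (0x26e9)
        Issuer: CN=ISRA
            Not After : Sep 10 10:19:41 2022 GMT
        Subject: CN=is_server
            X509v3 Subject Key Identifier: 
                C2:A2:12:38:21:74:43:BF:F0:DE:5A:F8:EA:0E:B1:68:98:0E:3E:C3
            X509v3 Authority Key Identifier: 
                keyid:CB:36:50:B9:C4:39:6E:9B:F4:43:46:56:D5:2B:C2:99:6D:E6:F5:FA
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, E-mail Protection
"""
ONE_LINE = {"serial": r"Serial Number:\s*(\d+)", "issuer": r"Issuer:\s*(.+)",
            "subject": r"Subject:\s*(.+)", "not_after": r"Not After\s*:\s*(.+)"}
# openssl prints these extension values on the line after the header.
NEXT_LINE = {"ski": "X509v3 Subject Key Identifier:", "aki": "X509v3 Authority Key Identifier:",
             "eku": "X509v3 Extended Key Usage:"}

def parse_cert_text(text: str) -> dict:
    """Extract the pivot fields from `openssl x509 -text` output."""
    fields = {}
    for key, pattern in ONE_LINE.items():
        if m := re.search(pattern, text):
            fields[key] = m.group(1).strip()
    lines = [ln.strip() for ln in text.splitlines()]
    for i, ln in enumerate(lines[:-1]):
        for key, header in NEXT_LINE.items():
            if ln.startswith(header):
                fields[key] = lines[i + 1].removeprefix("keyid:")
    return fields

def client_cert_on_listener(fields: dict) -> bool:
    """True when the offered cert carries no serverAuth EKU, i.e. it was cut as a client cert."""
    return "TLS Web Server Authentication" not in fields.get("eku", "")

def correlate(observations: list, key: str = "ski") -> dict:
    """Group host:port observations by a pivot field: SKI finds the same key re-served
    elsewhere, AKI finds every leaf the same private CA issued."""
    groups = defaultdict(list)
    for host, port, text in observations:
        groups[parse_cert_text(text).get(key, "?")].append(f"{host}:{port}")
    return dict(groups)

# Constructed observations: the four hosts from the post, all presenting CERT_TEXT.
OBS = [(ip, 443, CERT_TEXT) for ip in ("188.43.136.115", "188.43.136.116", "175.45.176.21", "175.45.176.22")]
```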

Kim Il Sung University Website and Software

I’ve been trying to find a GitHub repository that had a commit from North Korea. For some reason I never saved it. But I found something much more interesting here: https://github.com/Alyzana/kwang-myong-addresses/blob/master/sites-en

I have no idea where the data is from, but the user has a list of domains on Naenara. Most of them don’t resolve, but the one interesting thing I did find when doing some quick research is that apparently rns.edu.kp did resolve last year. To make things much more interesting, the only URL that I could reliably find is rns.edu.kp/AntiVirus.

This led to a further search, and I found references to the BangPae-Client from KIM IL SUNG University MATH. I have no idea what this is, but I found a handful of file hashes for it.


If anyone has a copy and wants to share, I would appreciate it. I haven’t been able to find a copy at all. Additional details are below:

Directories found on disk:

  • C:\Program Files\BangPae-Client
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BangPae-Client

Generally, the following files are left on disk:

  • C:\Program Files\BangPae-Client\audio\2_13.pcm
  • C:\Program Files\BangPae-Client\audio\2_14.pcm
  • C:\Program Files\BangPae-Client\audio\2_17.pcm
  • C:\Program Files\BangPae-Client\audio\2_19.pcm
  • C:\Program Files\BangPae-Client\audio\2_24.pcm
  • C:\Program Files\BangPae-Client\audio\2_4.pcm
  • C:\Program Files\BangPae-Client\audio\2_9.pcm
  • C:\Program Files\BangPae-Client\BangPae-Client.exe
  • C:\Program Files\BangPae-Client\GPUCache\data_0
  • C:\Program Files\BangPae-Client\GPUCache\data_1
  • C:\Program Files\BangPae-Client\GPUCache\data_2
  • C:\Program Files\BangPae-Client\GPUCache\data_3
  • C:\Program Files\BangPae-Client\GPUCache\index
  • C:\Program Files\BangPae-Client\help.pdf
  • C:\Program Files\BangPae-Client\iconengines\qsvgicon.dll
  • C:\Program Files\BangPae-Client\imageformats\qgif.dll
  • C:\Program Files\BangPae-Client\imageformats\qico.dll
  • C:\Program Files\BangPae-Client\imageformats\qjpeg.dll
  • C:\Program Files\BangPae-Client\imageformats\qsvg.dll
  • C:\Program Files\BangPae-Client\kpcholim.ttc
  • C:\Program Files\BangPae-Client\kpchopom.ttc
  • C:\Program Files\BangPae-Client\libcrypto-1_1-x64.dll
  • C:\Program Files\BangPae-Client\libgcc_s_seh-1.dll
  • C:\Program Files\BangPae-Client\libssl-1_1-x64.dll
  • C:\Program Files\BangPae-Client\libstdc++-6.dll
  • C:\Program Files\BangPae-Client\libwinpthread-1.dll
  • C:\Program Files\BangPae-Client\lua5.1.dll
  • C:\Program Files\BangPae-Client\OpenAL32.dll
  • C:\Program Files\BangPae-Client\platforms\qdirect2d.dll
  • C:\Program Files\BangPae-Client\platforms\qminimal.dll
  • C:\Program Files\BangPae-Client\platforms\qoffscreen.dll
  • C:\Program Files\BangPae-Client\platforms\qwindows.dll
  • C:\Program Files\BangPae-Client\Poster\poster_big-1.dat
  • C:\Program Files\BangPae-Client\Poster\poster_big-2.dat
  • C:\Program Files\BangPae-Client\Poster\poster_big-3.dat
  • C:\Program Files\BangPae-Client\Poster\poster_big-4.dat
  • C:\Program Files\BangPae-Client\Poster\poster_big-5.dat
  • C:\Program Files\BangPae-Client\Poster\poster_big-6.dat
  • C:\Program Files\BangPae-Client\Poster\poster_small-1.dat
  • C:\Program Files\BangPae-Client\Poster\poster_small-2.dat
  • C:\Program Files\BangPae-Client\Poster\poster_small-3.dat
  • C:\Program Files\BangPae-Client\Poster\poster_small-4.dat
  • C:\Program Files\BangPae-Client\Poster\poster_small-5.dat
  • C:\Program Files\BangPae-Client\Poster\poster_small-6.dat
  • C:\Program Files\BangPae-Client\Qt5Core.dll
  • C:\Program Files\BangPae-Client\Qt5Gui.dll
  • C:\Program Files\BangPae-Client\Qt5Network.dll
  • C:\Program Files\BangPae-Client\Qt5Svg.dll
  • C:\Program Files\BangPae-Client\Qt5Widgets.dll
  • C:\Program Files\BangPae-Client\Qt5Xml.dll
  • C:\Program Files\BangPae-Client\RecordSample.sam
  • C:\Program Files\BangPae-Client\uninstall.exe
  • C:\Program Files\BangPae-Client\Uninstall\IRIMG1.JPG
  • C:\Program Files\BangPae-Client\Uninstall\IRIMG2.JPG
  • C:\Program Files\BangPae-Client\Uninstall\IRIMG3.JPG
  • C:\Program Files\BangPae-Client\Uninstall\uninstall.dat
  • C:\Program Files\BangPae-Client\Uninstall\uninstall.xml
  • C:\Program Files\BangPae-Client\Win10 Active Tool.exe
  • C:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\125\{6D809377-6AF0-444B-8957-A3773F02200E}_BangPae-Client_BangPae-Client_exe
  • C:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\125\{6D809377-6AF0-444B-8957-A3773F02200E}_BangPae-Client_help_pdf
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\BangPae-Client.suf.lnk
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\BangPae-Client-1.9.0-20201203.exe.7z.lnk
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\BangPae-Client-1.9.0-20201217.exe.7z.lnk
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\BangPae-Client-1.9.1-20201217.exe.7z.lnk
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BangPae-Client\BangPae-Client.lnk
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BangPae-Client\BangPae-Help.lnk
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BangPae-Client\Uninstall BangPae-Client.lnk

Registry keys to remove manually with regedit.exe:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\BangPae-Client.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\BangPae-Client1.9.1

Registry values that are left behind after uninstall:

  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\program files\bangpae-client\bangpae-client.exe.FriendlyAppName
  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\program files\bangpae-client\bangpae-client-test-202012282110.exe.FriendlyAppName
  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\BangPae-Client\KCTV.exe.FriendlyAppName
  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\D:\dev\meeting system\qTox\Distribution\1.9\Client\BangPae-Client-1.9.1.exe.FriendlyAppName
  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\D:\dev\meeting system\qTox\Distribution\1.9\Client\BangPae-Client-1.9.2.exe.FriendlyAppName
  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\D:\dev\meeting system\qTox\work\Setup\Client\BangPae-Client-x86_64-release\BangPae-Client.exe.FriendlyAppName
  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\D:\dev\meeting system\qTox\work\Setup\Client\BangPae-Client-x86_64-release\BangPae-Client-202013311336.exe.FriendlyAppName
  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\J:\Dev\JYJ\New Folder\TEST\BangPae-Client-1.7.7-del.exe.ApplicationCompany
  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\J:\Dev\JYJ\New Folder\TEST\BangPae-Client-1.7.7-del.exe.FriendlyAppName
  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\M:\BangPae-Client.exe.FriendlyAppName
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1243145971-3851564632-427313449-500\\Device\HarddiskVolume3\Program Files\BangPae-Client\BangPae-Client.exe
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1243145971-3851564632-427313449-500\\Device\HarddiskVolume3\Program Files\BangPae-Client\uninstall.exe
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\TCP Query User{553D376B-C335-4AEE-AD0A-06DA388B93B0}C:\program files\bangpae-client\bangpae-client.exe
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\TCP Query User{7B36511F-CCE6-433B-99D4-2A8B9AEF8892}C:\program files\bangpae-client\bangpae-client-test-202012282110.exe
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\UDP Query User{1A4B66A6-21CB-441E-83E7-80F6B9F75306}C:\program files\bangpae-client\bangpae-client-test-202012282110.exe
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\UDP Query User{5D3E7543-AF1A-4B21-8EBB-457C0434908C}C:\program files\bangpae-client\bangpae-client.exe

Domains From the Uriminzokkiri Breach

For the longest time I’ve been meaning to go through this data dump and see if there was anything interesting in there. For now, here’s a list of KP domains that don’t come up too often. https://www.databreaches.net/uriminzokkiri-breach-update-9001-accounts-leaked-and-message-released-for-opnorthkorea/


korstamp.com.kp Authors

Interesting to see that korstamp.com.kp has a set of authors listed on each page. Can’t seem to find much information about anyone.

There’s also a list of contact emails that are outside the traditional DPRK email domains:

Email: stamp@star-co.net.kp, stampdealerlink@163.com, kssb_exhi@foxmail.com, xuyong0824@qq.com, jugwangjang@gmail.com

Broken Search dprkportal.kp

Searching on dprkportal.kp appears to be broken. Example below:

Digging into the JavaScript, it looks like most of the validation is done in the browser based on a regex.

I haven’t tested further but the search can be accessed with the following example:

curl "http://dprkportal.kp/include/search_func.php?action=search_site&keyword=kcna.kp&page=1"

I assume the search doesn’t ever return results since the string for each URL has a period in it and the search bar automatically removes these when typed or copied in.

Found NetKey.exe

I finally found a copy of netkey.exe that I posted about a few months back. Haven’t had a chance to really try it out yet, and the IP is my own. I’m also relying on Google Translate, but it looks like it’s titled Network Certification Program; if anyone can help translate, that would be greatly appreciated.

A New Non-Routable TLD?

I can’t find anything online about this yet, but looking at the subject information for the cert at vok.rep.kp, there’s a pretty interesting email address listed. I haven’t seen any email or domain so far that’s publicly accessible for tech.krt.kp.