family: hippamsascom | confidence: high | created: 2026-05-31
SHA-256: 0c9e772d8730204dd850797827745a27bde599983d1ee070d0b61ea5faeaf535

hippamsascom / Bright.exe — Deep Static Analysis

Build / RE

Toolchain: MSVC 14.50 (Visual Studio 2022), C, x64 Release ^[rabin2-info.txt]. LinkerVersion=14.50, compiled Wed May 13 18:05:43 2026 ^[exiftool.json]. PE32+ GUI, 7 sections, ImageBase 0x140000000 ^[pefile.txt].

Import Table: none. IMAGE_DIRECTORY_ENTRY_IMPORT VA=0, Size=0 ^[pefile.txt:223], so there is no IAT at all; every API is resolved at runtime through a PEB-walking export-hash lookup ^[r2:fcn.14002ecb0].

Exports: 228 semantic-jargon names mapping to 19 unique RVAs (~12:1 collision ratio) ^[strings.txt:59-279], same pattern as sunwukong. Names are ML/networking/dev-ops themed (AgentConnectSignal, DispatcherModifyPassword, StreamConnect, MapperTransformerChunk) ^[pefile.txt].

Anti-Analysis / Evasion:

  • Export-obfuscation saturation (T1027) ^[r2:sym.App.exe_AddonMove — sym.App.exe_WrapperConnectMethod].
  • Parent-process/sandbox gate at entry0 (fcn.14002efe0): the entry routine checks the process environment against hardcoded 32-bit hash constants (0x419, 0x423, 0x12927f6d, 0x75d615be, 0x1c0f2787, 0xbc5c956) before allowing payload decryption ^[r2:fcn.14002efe0]. What input is hashed (parent image name, loaded modules or something else) is not established statically.
  • Payload lives in .data (entropy 7.74, 0x2F394 bytes) and is decrypted at runtime with a custom stream cipher into freshly allocated RWX memory ^[r2:fcn.14002f0e0], ^[r2:fcn.14002da90].
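Two of the traits above (the 228-names-to-19-RVAs export saturation from the Exports paragraph, and the high-entropy payload in .data) can be measured without a PE library. The helpers below are an added example written for this page, not the sample's code or the report's tooling; they operate on raw bytes and on a list of (name, RVA) pairs, and the .data buffer and export list in the demo are constructed stand-ins, not data from Bright.exe. The window size and the 7.0 threshold are assumptions.

```python
"""Static triage helpers: locate an encrypted blob inside a section by
sliding-window entropy, and measure export-name saturation.
Added example for this page (not Bright.exe code or the report's tooling).
All input below is CONSTRUCTED; window size and thresholds are assumptions."""
import hashlib
import math
from collections import Counter, defaultdict
from typing import Dict, List, Sequence, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) .. 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = 1024,
                         threshold: float = 7.0) -> List[Tuple[int, int]]:
    """Return merged (start, end) spans whose fixed-size windows score
    >= threshold. Used to bound a packed/encrypted payload (entropy ~7.7
    in the sample's .data) inside an otherwise low-entropy section."""
    regions: List[Tuple[int, int]] = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if len(chunk) < window // 2:      # ignore a short tail
            break
        if shannon_entropy(chunk) >= threshold:
            if regions and regions[-1][1] == off:
                regions[-1] = (regions[-1][0], off + len(chunk))
            else:
                regions.append((off, off + len(chunk)))
    return regions


def export_saturation(exports: Sequence[Tuple[str, int]]) -> Dict[str, float]:
    """Collapse exported names onto their RVAs. A names:RVA ratio far above
    1 (the sample: 228 names -> 19 RVAs, ~12:1) is the export-obfuscation
    pattern; legitimate DLLs sit near 1:1 apart from a few forwarders/aliases."""
    by_rva: Dict[int, List[str]] = defaultdict(list)
    for name, rva in exports:
        by_rva[rva].append(name)
    unique = len(by_rva)
    return {
        "names": len(exports),
        "unique_rvas": unique,
        "ratio": len(exports) / unique if unique else 0.0,
        "largest_group": max((len(v) for v in by_rva.values()), default=0),
    }


def constructed_blob(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for
    ciphertext; NOT the sample's payload."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def constructed_data_section() -> bytes:
    """Zero padding around an 8 KiB 'encrypted' blob, mimicking a .data
    section with an embedded payload (constructed, not from the sample)."""
    return b"\x00" * 4096 + constructed_blob(8192) + b"\x00" * 4096


def constructed_exports() -> List[Tuple[str, int]]:
    """228 jargon-style names folded onto 19 RVAs, like the sample (constructed)."""
    return [(f"AgentExport{i}", 0x2E000 + (i % 19) * 0x10) for i in range(228)]


if __name__ == "__main__":
    sect = constructed_data_section()
    print("section entropy:", round(shannon_entropy(sect), 2))
    print("high-entropy spans:", high_entropy_regions(sect))
    print("export saturation:", export_saturation(constructed_exports()))
```

Feed `high_entropy_regions` the raw bytes of a section (for example the .data slice read via the section table) to get candidate payload offsets to cross-check against the rip-relative address the loader reads from; feed `export_saturation` the (name, RVA) pairs from the export directory.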

Signing: Authenticode PKCS#7 with leaf CN Emard LLC, issuer Emard LLC Intermediate CA 3; the chain claims a cross-sign to DigiCert Trusted Root G4 ^[binwalk.txt], ^[strings.txt]. Because the intermediate is fabricated, the chain cannot validate to a trusted root; signtool verify /pa /v (or osslsigncode verify) should report it as untrusted, so the signature exists to pass casual "is it signed?" checks rather than validation. Version info masquerades as "JBOD monitor Ultimate Monitor" by Emard LLC, OriginalFilename: JBODmonitor_client.exe, CompanyName: Emard LLC ^[exiftool.json]. The certificate chain includes fabricated locality fields (Singapore, West Kadenbury, Bruen Koepp Partners) and SAN entries *.emardllc-golda.io, *.emardllc-dolores.tech, *.emardllc-bria.digital ^[strings.txt].

Embedded Resources: Two PNG icons (512×512, 256×256) in .rsrc ^[binwalk.txt:2-3]. No .rsrc icon table anomalies (normal RT_ICON/RT_GROUP_ICON structure).

Notable Functions:

  • fcn.14002f0e0: allocates an RWX buffer (0x27800 bytes), copies the encrypted payload from .data (rip+0x2fab = 0x140032100), calls the custom decryptor fcn.14002da90, then parses the decrypted MZ/PE header (0x5a4d check) and performs manual base relocation, import resolution and section mapping ^[r2:fcn.14002f1a0]. This is a self-loader: the binary decrypts and maps a second PE in memory, then presumably transfers execution to it. Note that the 0x27800 allocation is smaller than the 0x2F394-byte .data blob cited above; whether the allocation reflects the inner PE's SizeOfImage rather than the ciphertext length is not resolved here.
  • fcn.14002ecb0: PEB-walking hash resolver. Walks InMemoryOrderModuleList, hashes each module's export names (fcn.14002eb80 → fcn.14002ed60, DJB2-like) and compares against a 32-bit constant, returning the matching function pointer. Used to fetch VirtualAlloc, memcpy, VirtualProtect, etc. ^[r2:fcn.14002ecb0].
  • fcn.14002da90: custom stream-cipher decryptor. Initializes 1024-byte, 256-byte and 128-byte state buffers, then performs multi-round byte substitution using table lookups from .rdata combined with XOR/add operations. Highly branched, most likely obfuscated on purpose to slow reverse engineering ^[r2:fcn.14002da90].
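When a resolver compares hashes rather than names, the first practical question is which hash it uses, because only then can the constants in the gate and in the resolver call sites be turned back into names. The script below is an added example written for this page, not the sample's resolver: the routine in fcn.14002eb80/fcn.14002ed60 is described only as DJB2-like, so the three variants tried here (DJB2, DJB2a and Metasploit-style ROR13) are assumptions, and the candidate API and process-name lists are constructed. A constant that matches none of them means the real variant still has to be lifted from the disassembly; the entry-gate constants are included only as test input, not as claimed matches.

```python
"""Brute-match 32-bit hash constants against candidate API / process names.
Added example for this page; the sample's exact hash is unknown ("DJB2-like"),
so DJB2, DJB2a and ROR13 are ASSUMED variants and the name lists are constructed."""
from typing import Callable, Dict, Iterable, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def djb2(s: bytes) -> int:
    """Bernstein: h = h * 33 + c, seed 5381."""
    h = 5381
    for c in s:
        h = ((h << 5) + h + c) & MASK32
    return h


def djb2a(s: bytes) -> int:
    """Bernstein xor variant: h = (h * 33) ^ c."""
    h = 5381
    for c in s:
        h = (((h << 5) + h) ^ c) & MASK32
    return h


def ror13(s: bytes) -> int:
    """Metasploit block_api style: h = ror32(h, 13) + c over the name
    including its terminating NUL."""
    h = 0
    for c in s + b"\x00":
        h = ((((h >> 13) | (h << 19)) & MASK32) + c) & MASK32
    return h


HASHERS: Dict[str, Callable[[bytes], int]] = {
    "djb2": djb2, "djb2a": djb2a, "ror13": ror13,
}


def build_table(names: Iterable[str]) -> Dict[int, Tuple[str, str]]:
    """Map hash -> (algorithm, exact string hashed). Upper/lower-case forms
    are included because resolvers often normalise case before hashing."""
    table: Dict[int, Tuple[str, str]] = {}
    for name in names:
        forms: List[str] = []
        for f in (name, name.upper(), name.lower()):
            if f not in forms:
                forms.append(f)
        for form in forms:
            for algo, fn in HASHERS.items():
                table.setdefault(fn(form.encode("ascii")), (algo, form))
    return table


def match_constants(constants: Iterable[int], names: Iterable[str]
                    ) -> Dict[int, Optional[Tuple[str, str]]]:
    """For each constant, the (algorithm, string) that produces it, or None."""
    table = build_table(names)
    return {c: table.get(c & MASK32) for c in constants}


# Constructed candidate lists (assumption: what such a gate/resolver might look up).
API_NAMES: List[str] = [
    "VirtualAlloc", "VirtualProtect", "VirtualFree", "memcpy", "LoadLibraryA",
    "GetProcAddress", "ShellExecuteA", "ShellExecuteW", "SHGetSpecialFolderPathW",
    "CoInitializeEx", "CreateProcessW", "NtUnmapViewOfSection",
]
PROCESS_NAMES: List[str] = [
    "explorer.exe", "cmd.exe", "powershell.exe", "vmtoolsd.exe", "vboxservice.exe",
    "procmon.exe", "x64dbg.exe", "wireshark.exe",
]
# Constants quoted from the entry gate in the report; treated purely as test input.
GATE_CONSTANTS = [0x419, 0x423, 0x12927F6D, 0x75D615BE, 0x1C0F2787, 0x0BC5C956]

if __name__ == "__main__":
    hits = match_constants(GATE_CONSTANTS, API_NAMES + PROCESS_NAMES)
    for const, hit in hits.items():
        print(f"{const:#010x} -> {hit or 'no match under the assumed variants'}")
```

To extend the search, dump the export names of kernel32, ntdll, shell32 and ole32 from a clean Windows box into the candidate list; if still nothing matches, the variant (seed, multiplier, rotation count, or whether the NUL is included) must be read out of fcn.14002ed60 and added to HASHERS.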

Code Quality: No stack canary (canary: false) ^[rabin2-info.txt]. No SafeSEH (x64, so not applicable). No CFG. No PDB path (stripped). The debug directory contains only an IMAGE_DEBUG_TYPE_POGO entry (PGO profile data) and no CODEVIEW/PDB entry ^[pefile.txt:237-240]. This is a release build, not a debug build.
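The manual-mapping step attributed to fcn.14002f0e0 under Notable Functions (parse the decrypted PE, relocate, fix imports, map sections) is worth seeing concretely for the part that most often breaks hand-written loaders: base relocations. The function below is an added example for this page, not the sample's loader code; it walks IMAGE_BASE_RELOCATION blocks in an RVA-indexed image buffer and adds the load delta to each DIR64 slot, which any 64-bit PE mapped at an address other than its ImageBase (0x140000000 here) needs. The image and relocation block it runs on are constructed, and the function names are mine.

```python
"""Apply x64 base relocations to an in-memory PE image (added example;
not the sample's loader code). The image below is CONSTRUCTED: a 0x2000-byte
buffer with one absolute pointer and one relocation block."""
import struct
from typing import Tuple

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, skip
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute address, add delta
MASK64 = (1 << 64) - 1


def apply_base_relocations(image: bytearray, reloc_rva: int,
                           reloc_size: int, delta: int) -> int:
    """Walk the IMAGE_BASE_RELOCATION chain at reloc_rva (the
    IMAGE_DIRECTORY_ENTRY_BASERELOC data directory) and patch every DIR64
    slot by `delta` = actual_base - ImageBase. Returns slots patched."""
    fixed = 0
    off, end = reloc_rva, reloc_rva + reloc_size
    while off + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", image, off)
        if block_size < 8 or off + block_size > end:
            raise ValueError(f"malformed relocation block at RVA {off:#x}")
        for i in range((block_size - 8) // 2):
            entry, = struct.unpack_from("<H", image, off + 8 + 2 * i)
            rtype, roff = entry >> 12, entry & 0xFFF
            if rtype == IMAGE_REL_BASED_ABSOLUTE:
                continue                         # alignment padding
            if rtype != IMAGE_REL_BASED_DIR64:   # x64 images use DIR64 only
                raise ValueError(f"unsupported relocation type {rtype}")
            slot = page_rva + roff
            if slot + 8 > len(image):
                raise ValueError(f"relocation slot {slot:#x} outside image")
            value, = struct.unpack_from("<Q", image, slot)
            struct.pack_into("<Q", image, slot, (value + delta) & MASK64)
            fixed += 1
        off += block_size
    return fixed


def constructed_image() -> Tuple[bytearray, int, int, int]:
    """Return (image, reloc_rva, reloc_size, image_base): a buffer holding one
    absolute pointer at RVA 0x1010 and a single relocation block covering it."""
    image_base = 0x140000000
    image = bytearray(0x2000)
    struct.pack_into("<Q", image, 0x1010, image_base + 0x1234)   # points into itself
    block = struct.pack("<II", 0x1000, 12)                        # page RVA, block size
    block += struct.pack("<HH", (IMAGE_REL_BASED_DIR64 << 12) | 0x10,   # DIR64 @ +0x10
                         IMAGE_REL_BASED_ABSOLUTE << 12)               # pad to 4 bytes
    reloc_rva = 0x1800
    image[reloc_rva:reloc_rva + len(block)] = block
    return image, reloc_rva, len(block), image_base


def relocate_to(new_base: int) -> Tuple[int, int]:
    """Relocate the constructed image as if mapped at new_base; return
    (slots patched, pointer value afterwards)."""
    image, rva, size, base = constructed_image()
    fixed = apply_base_relocations(image, rva, size, new_base - base)
    value, = struct.unpack_from("<Q", image, 0x1010)
    return fixed, value


if __name__ == "__main__":
    n, v = relocate_to(0x7FF700000000)
    print(f"patched {n} slot(s); pointer now {v:#x}")
```

When recovering the inner PE from a memory dump, run this in reverse (delta = ImageBase - dump_base) to restore the on-disk pointer values before hashing or diffing it against other samples in the cluster.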

Deploy / ATT&CK

No CAPE detonation available (no Windows guest) ^[dynamic-analysis.md]. All behavioural claims are static inference.

Technique                        ID         Evidence
Masquerading                     T1036.005  Version info claims "JBOD monitor Ultimate Monitor" by Emard LLC, OriginalFilename JBODmonitor_client.exe ^[exiftool.json]
Obfuscated Files or Information  T1027      Semantic export obfuscation (228 names → 19 RVAs) ^[pefile.txt]
Software Packing                 T1027.002  Custom stream-cipher payload decryption into RWX memory ^[r2:fcn.14002f0e0], ^[r2:fcn.14002da90]
Dynamic API Resolution           T1027.007  PEB-walking export hash resolution for all Win32 APIs, no IAT (also T1106 Native API) ^[r2:fcn.14002ecb0]
Code Signing                     T1553.002  Authenticode with fabricated Emard LLC intermediate CA ^[binwalk.txt], ^[strings.txt]
Virtualization/Sandbox Evasion   T1497      Parent-process / sandbox hash gate at entry ^[r2:fcn.14002efe0]
Process Injection (inferred)     T1055      Self-loader maps the decrypted PE into memory and likely hollows or spawns a child process; ShellExecuteA/W name strings present ^[strings.txt]

C2 / Network: No hardcoded IPs, domains or URL paths in static strings; any C2 configuration is presumably inside the encrypted payload and only visible after decryption. The presence of ShellExecuteA/W, SHGetSpecialFolderPathW and COM/OLE32 resolution suggests the payload may be a downloader or dropper.

Persistence (inferred): Unknown. Typical siblings place payloads in %APPDATA% or Startup folders via ShellExecute/SHCreateDirectoryExW — but this is speculation without dynamic confirmation.

Attribution / Clustering:

  • Label hippamsas-com from OpenCTI/MalwareBazaar, co-tagged sunwukong ^[metadata.json], ^[triage.json].
  • Shares core build traits with sunwukong: MSVC x64, zero IAT, PEB-walking hash API resolution, semantic export obfuscation, Authenticode fraud with fabricated intermediate CA and DigiCert cross-sign, version-info masquerade, and self-loading encrypted payload.
  • Diverges in masquerade identity (sunwukong = "Erdman Group" / 1080p protocol; hippamsascom = "Emard LLC" / JBOD monitor) and certificate alt-name pattern.
  • Confidence: high that hippamsascom and sunwukong represent the same loader/dropper family under different campaign labels. Treat as a single cluster with rotating masquerade identities.