kimsuky's love is all around
[Hwp Malware] kimsuky's love is all around | 분석가E | 2020. 7. 3. 21:47
This malware is in the same style as the earlier "KINU Expert Advisory Request.hwp" sample (https://sfkino.tistory.com/75), which was released in October 2019. Let's analyze it by comparing the two piece by piece.
Stage 1. Exploit code & shellcode
The exploit code and shellcode stored in the /ar variable of the EPS file are almost identical to the previous case. The difference is the encoding: previously the data was XORed with 0x00 (i.e. stored in the clear), whereas in this case it is XORed with 0x91. After decoding with 0x91 and comparing the exploit code and shellcode with the previous sample, everything is identical except for the signature code.
shellcode structure
Previous case
signature : 0xBE 0x0C 0x79 0x0C
1byte xor key : 0xF5
Decrypt Size : 0x00018E3F
Current case
signature : 0x30 0xE7 0x8D 0x1B
1byte xor key …
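The following is an added triage helper, not code from the original post. It covers both points above: it pulls the hex string out of the EPS /ar variable, recovers the single-byte XOR key by trying every key and looking for one of the two signature values the post lists (0xBE 0x0C 0x79 0x0C for the previous sample, 0x30 0xE7 0x8D 0x1B for the current one), and then applies the 1-byte key and decrypt size from the shellcode structure to the embedded payload. It goes slightly beyond the post in that it brute-forces the key instead of assuming 0x91, which is useful when a new variant changes the key again. The `/ar <HEX> def` form, the header layout after the signature, the function names and the sample data are all assumptions made for illustration; the sample bytes are constructed here and are not the real exploit payload.

```python
# Added example (not from the original post): recover the XOR key of the EPS /ar
# payload by searching for a known signature, then decode the embedded stage.
import re

# Signature bytes as listed in the post for the two samples.
SIGNATURES = {
    "previous (KINU Expert Advisory Request.hwp)": bytes([0xBE, 0x0C, 0x79, 0x0C]),
    "current (love is all around)": bytes([0x30, 0xE7, 0x8D, 0x1B]),
}


def xor_decode(data: bytes, key: int) -> bytes:
    """Single-byte XOR; key 0x00 is the identity, which is why the previous
    sample's /ar data was effectively stored in the clear."""
    return bytes(b ^ key for b in data)


def extract_ar_hex(eps_text: str) -> bytes:
    """Extract the hex string assigned to /ar. The `/ar <HEX...> def` shape is an
    assumption for this example; real samples may wrap or split the string."""
    m = re.search(r"/ar\s*<([0-9A-Fa-f\s]+)>", eps_text)
    if not m:
        raise ValueError("no /ar hex string found")
    return bytes.fromhex("".join(m.group(1).split()))


def find_xor_key(encoded: bytes, signatures=SIGNATURES):
    """Try all 256 single-byte keys; return (key, label, offset) for the first key
    under which a known signature appears in the decoded buffer, else None."""
    for key in range(256):
        decoded = xor_decode(encoded, key)
        for label, sig in signatures.items():
            off = decoded.find(sig)
            if off != -1:
                return key, label, off
    return None


def decode_embedded(decoded: bytes, sig_off: int, stage_key: int, size: int) -> bytes:
    """Apply the shellcode's own 1-byte XOR key to the embedded payload.
    ASSUMED layout: payload begins right after the 4-byte signature, 1-byte key
    and 4-byte little-endian size fields; adjust to the real sample's offsets."""
    start = sig_off + 4 + 1 + 4
    return xor_decode(decoded[start:start + size], stage_key)


def triage(eps_text: str):
    """Full pass over an EPS text: extract /ar, recover the key, report what matched."""
    enc = extract_ar_hex(eps_text)
    hit = find_xor_key(enc)
    if hit is None:
        return None
    key, label, off = hit
    return {"xor_key": key, "matches": label, "signature_offset": off}


# Constructed sample: filler, the current-case signature, a stage key byte, a
# little-endian size field and a tiny "payload", all XORed with 0x91 and wrapped
# as a PostScript hex string. NOT real exploit data.
_STAGE_KEY = 0xF5
_PAYLOAD = b"hello"
_plain = (b"\x90\x90\x90\x90"
          + SIGNATURES["current (love is all around)"]
          + bytes([_STAGE_KEY])
          + len(_PAYLOAD).to_bytes(4, "little")
          + xor_decode(_PAYLOAD, _STAGE_KEY))
SAMPLE_EPS = "/ar <" + xor_decode(_plain, 0x91).hex().upper() + "> def"


def demo():
    """Run triage on the constructed sample and decode its embedded stage."""
    info = triage(SAMPLE_EPS)
    decoded = xor_decode(extract_ar_hex(SAMPLE_EPS), info["xor_key"])
    off = info["signature_offset"]
    stage_key = decoded[off + 4]
    size = int.from_bytes(decoded[off + 5:off + 9], "little")
    return info, decode_embedded(decoded, off, stage_key, size)


if __name__ == "__main__":
    print(demo())
```

Because the post's two signatures are short, a real triage run should also confirm the surrounding bytes look like the expected exploit code before trusting a key hit; four bytes can match by chance in a large buffer.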
IoC
04F9579865C6611AFD27FED6ACAF8581C662B52B817FBC9007455E046C73A05E
0C457E1800DC1E516D97BEF2C8F05C7D9CBB461B45F9257E958C5D88EA7C5EC8
0EF06518DFCE6641B2002C3C924A770D5E579891
1DB71AF7956F90AF9544C370A9DD3570CFBE04010C7608E5A160B997CF134F89
22BEA8086D87FAC45B85BEA9E81CA142
2FD6AD80E0FACBB2E9C46734035E190333F0EFE3
[email protected]
327865FA4009FC6A4D2EAD8AA523EEFF
3F64D8526190607541DB64981E38255ADBAD981C
55689D91DF8435A5040ABD591537BD6893166E402E6E5610E49BE76384EF9F1D
55AE82C3D83E95B93AAC9047B5AC35B72CC29BC2
70EC91D17B55980036351C70B2CBE3A0
77F67E93C8BDEA2CE9A66012B5EA2929
8F8AA835E65998DD472D2C641AA82DA5
A869624BCD3FBA754DEC27FD7B04046455F6929DB7BF117CCA215B78B0889C79
B889A52BE4E070FDEBED48392574029766FE603D
C6661195693D0F09D70C643F87194282593EF0D6A0E349720310D760D002E062
C73225F976100AB972934F31B61EABCC
F9B8645BCB399E48B046BDD96F33B4B0FED1598E
[email protected]
http://clouds.scienceontheweb.net/img/png/download.png?filename=button03
http://clouds.scienceontheweb.net/img/png/load.png
http://lovelovelove.atwebpages.com/home/jpg/download.php?filename=lover01
http://lovelovelove.atwebpages.com/home/jpg/post.php