After a long time, an HWP malware sample carrying an embedded EPS object was hunted.
Filename : 국가핵심인력등록관리제등검토요청(10.16)(김경환변호사).hwp
The document's subject is the "국가핵심기술 보유인력 등록관리제" (Registration and Management System for Personnel Holding National Core Technologies).
It contains an embedded EPS object and was last saved on October 21, 2018.
The EPS shellcode is XOR-encoded with a 16-byte key.
XOR Key : 059AE0B142AF7B91D0C05BF7CD7F3A46
The shellcode contains the URLs from which the next-stage payload is downloaded.
Download URLs
hxxps://flydashi[.]com/wp-content/plugins/akism1[.]pgi
hxxps://flydashi[.]com/wp-content/plugins/akism2[.]pgi
The downloaded file is encoded with the single byte 0xAA.
Once decoded, the malware is Manuscrypt.
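The two decoding layers described above, as an added example (not code from the original post): a repeating 16-byte XOR over the EPS shellcode using the key given here, then a single-byte XOR over the downloaded payload. The post only says the payload is "encoded with 0xAA"; reading that as single-byte XOR is an assumption, so the code also recovers the key from a known plaintext prefix ("MZ") rather than trusting the value. The shellcode bytes, the URL and the PE-shaped payload used as input are constructed here, not taken from the sample.

```python
import hashlib
import re
from itertools import cycle
from typing import Optional

# Values taken from the analysis above.
EPS_XOR_KEY = bytes.fromhex("059AE0B142AF7B91D0C05BF7CD7F3A46")
PAYLOAD_XOR_KEY = 0xAA  # assumption: "encoded with 0xAA" is read as single-byte XOR


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating multi-byte key. Symmetric: encode and decode are the same op."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte against one key byte."""
    return bytes(b ^ key for b in data)


URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def extract_urls(blob: bytes) -> list:
    """Pull printable http(s) URLs out of a decoded shellcode blob."""
    return [m.decode("ascii") for m in URL_RE.findall(blob)]


def recover_single_byte_key(encoded: bytes, known_prefix: bytes = b"MZ") -> Optional[int]:
    """Recover a single-byte XOR key from a known plaintext prefix (a PE file starts with 'MZ').
    Returns None when the prefix bytes imply different keys, i.e. the layer is not single-byte XOR."""
    keys = {c ^ p for c, p in zip(encoded, known_prefix)}
    return keys.pop() if len(keys) == 1 else None


def looks_like_pe(blob: bytes) -> bool:
    """Cheap PE sanity check: 'MZ' magic and a 'PE\\0\\0' signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sha256_hex(blob: bytes) -> str:
    """SHA-256 of a decoded payload, for matching against the IOC list."""
    return hashlib.sha256(blob).hexdigest()


# Constructed sample data (not bytes from the real sample): a shellcode-like blob that carries a
# download URL, and a minimal PE-shaped payload, each encoded the way the post describes.
SAMPLE_URL = b"https://example.invalid/wp-content/plugins/akism1.pgi"
SAMPLE_SHELLCODE = b"\x90" * 16 + b"\xe8\x00\x00\x00\x00" + SAMPLE_URL + b"\x00"
ENCODED_SHELLCODE = xor_repeating(SAMPLE_SHELLCODE, EPS_XOR_KEY)
SAMPLE_PE = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 60
ENCODED_PAYLOAD = xor_single(SAMPLE_PE, PAYLOAD_XOR_KEY)


def analyze(encoded_shellcode: bytes, encoded_payload: bytes) -> dict:
    """Run both decoding stages and return what an analyst would record."""
    shellcode = xor_repeating(encoded_shellcode, EPS_XOR_KEY)
    key = recover_single_byte_key(encoded_payload)
    payload = xor_single(encoded_payload, key) if key is not None else b""
    return {
        "urls": extract_urls(shellcode),
        "payload_key": key,
        "payload_is_pe": looks_like_pe(payload),
        "payload_sha256": sha256_hex(payload),
    }


if __name__ == "__main__":
    print(analyze(ENCODED_SHELLCODE, ENCODED_PAYLOAD))
```

recover_single_byte_key deliberately refuses to guess when the two known bytes disagree on the key: a payload protected by the 16-byte shellcode key, or by anything other than single-byte XOR, yields None instead of a wrong decode, which is the check to run before trusting a decoded blob's hashes.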
IOC
HWP
국가핵심인력등록관리제등검토요청(10.16)(김경환변호사).hwp
MD5 : 0316f6067bc02c23c1975d83c659da21
SHA-1 : 9a301f2a0259bdedb85e2ea4c071534776d471ab
SHA-256 : b2dd7f9bb24428b0e2ed30b9373fe033d981a29415576b4c654c0d999dd109e5
Download URLs
hxxps://flydashi[.]com/wp-content/plugins/akism1[.]pgi
hxxps://flydashi[.]com/wp-content/plugins/akism2[.]pgi
Downloaded Files
akism1.pgi
MD5 : e0410c8a915205d5117c6c5171a5f40f
SHA-1 : f0a87e8475c158f7144ba186b3795ed374f331dc
SHA-256 : 1ff597e8bd590896c17d856188d1f0950a5a4cf4e7d2c0b40a6c1eb95c9586b3
akism2.pgi
MD5 : ecc8c05dfabdc28e3a6c89e55bd08158
SHA-1 : cd5c8af95851ace218adb1aac09cf16042ee78ae
SHA-256 : 60b56eff7fbc2413d1b755e8b3f2f4e94d000448a3cd16965c9411d88a1ac935
C2
hxxps://theinspectionconsultant[.]com/wp-content/plugins/akismet/index1[.]php
hxxp://danagloverinteriors[.]com/wp-content/plugins/jetpack/common[.]php
hxxps://as-brant[.]ru/wp-content/themes/shapely/common[.]php