Korean malware using PostScript
2017-09-18 • Sands Lab
This Korean malware analysis excerpt describes a document-based infection that relies on embedded EPS/PostScript content and Ghostscript. The extracted artifact drops an executable named SMHost.exe into the user's Startup folder under the Windows roaming profile, which indicates persistence through the Startup folder. The available evidence also includes several file hashes for related samples or artifacts. The excerpt does not provide enough supported context to identify a specific actor, victim set, or campaign name, or to support DPRK attribution.
Indicators of Compromise