The site's home page looks like an ordinary corporate website, as shown below.
But if you access the following URL, malware is downloaded.
The evidence of the download (the log) is below...
--2013-04-22 18:28:48--  hxxp://dp26022227.lolipop.jp/6ycg8n.exe
Resolving dp26022227.lolipop.jp... 210.172.144(.)245
Caching dp26022227.lolipop.jp => 210.172.144(.)245
Connecting to dp26022227.lolipop.jp|210.172.144(.)245|:80... connected.
GET /6ycg8n.exe HTTP/1.1
Host: dp26022227.lolipop.jp
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Mon, 22 Apr 2013 09:28:29 GMT
Server: Apache
Last-Modified: Mon, 15 Apr 2013 22:41:00 GMT
ETag: "868074c-4b000-f2677700"
Accept-Ranges: bytes
Content-Length: 307200
Content-Type: application/octet-stream
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
200 OK
Length: 307200 (300K) [application/octet-stream]
Saving to: ‘6ycg8n.exe’
2013-04-22 18:28:50 (725 KB/s) - ‘6ycg8n.exe’ saved [307200/307200]
Evidence from a snapshot of the file (below).
The file itself is an encrypted PE file; the details are as follows...
Sections (name / virtual address / virtual size / raw size):
  .text   0x1000  0xe00    3584
  .rdata  0x2000  0x870    2560
  .data   0x3000  0x2000   512
  .rsrc   0x5000  0x4904f  299520
Entry Point at 0x59e
Virtual Address is 0x40119e
Compile time: 2013-01-23 18:06:23
ExifTool:
MIMEType : application/octet-stream
Subsystem : Windows GUI
MachineType : Intel 386 or later, and compatibles
TimeStamp : 2013:01:23 19:06:23+01:00
FileType : Win32 EXE
PEType : PE32
CodeSize : 3584
LinkerVersion : 2.25
FileAccessDate : 2013:04:21 03:40:23+01:00
Warning : Invalid Version Info block
EntryPoint : 0x119e
InitializedDataSize : 302592
SubsystemVersion : 5.1
ImageVersion : 0.0
OSVersion : 5.1
FileCreateDate : 2013:04:21 03:40:23+01:00
UninitializedDataSize : 0
0000  4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
0010  B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030  00 00 00 00 00 00 00 00 01 00 00 00 80 00 00 00  ................
0040  BB 11 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90  ........!..L.!..
0050  54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73  This program mus
0060  74 20 62 65 20 72 75 6E 20 75 6E 64 65 72 20 57  t be run under W
0070  69 6E 33 32 0A 0D 24 37 00 00 00 00 00 00 00 00  in32..$7........
0080  50 45 00 00 4C 01 04 00 9F 26 00 51 00 00 00 00  PE..L....&.Q....
[...]
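As an added illustration (not part of the original post), the Python script below parses the header bytes printed in the hex dump above and cross-checks the section table against the file size. The hex bytes, the section table, the file size (307200) and the entry point RVA (0x119e) are copied from the output above; the dump stops after the PE signature and the first twelve bytes of the COFF header, so only those fields are decoded. The "one section holds more than 90% of the file" threshold is my own heuristic, not something the page states.

```python
import struct
from datetime import datetime, timezone

# First 0x90 bytes of 6ycg8n.exe, transcribed from the hex dump on the page.
HEXDUMP = """
4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 01 00 00 00 80 00 00 00
BB 11 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90
54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73
74 20 62 65 20 72 75 6E 20 75 6E 64 65 72 20 57
69 6E 33 32 0A 0D 24 37 00 00 00 00 00 00 00 00
50 45 00 00 4C 01 04 00 9F 26 00 51 00 00 00 00
"""
HEADER_BYTES = bytes.fromhex("".join(HEXDUMP.split()))

# Section table as listed on the page: (name, virtual address, virtual size, raw size).
SECTIONS = [
    (".text", 0x1000, 0xE00, 3584),
    (".rdata", 0x2000, 0x870, 2560),
    (".data", 0x3000, 0x2000, 512),
    (".rsrc", 0x5000, 0x4904F, 299520),
]
FILE_SIZE = 307200   # Content-Length from the wget log
ENTRY_RVA = 0x119E   # ExifTool "EntryPoint"


def parse_headers(data: bytes) -> dict:
    """Decode the DOS header, PE signature and the start of the COFF file header."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    # e_lfanew (offset 0x3C) points at the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    # COFF header: Machine (u16), NumberOfSections (u16), TimeDateStamp (u32)...
    machine, nsections, ts = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,                  # 0x014C = Intel 386
        "number_of_sections": nsections,
        "timestamp": ts,
        # TimeDateStamp is seconds since the Unix epoch, in UTC.
        "compile_time_utc": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        # The DOS stub text is a quick hint about the linker that produced the file.
        "dos_stub_message": data[0x50:0x74].decode("ascii", "replace"),
    }


def section_report(sections, file_size: int, entry_rva: int) -> dict:
    """Locate the entry point and flag a file whose bulk sits in one section."""
    entry_section = None
    for name, va, vsize, raw in sections:
        if va <= entry_rva < va + max(vsize, raw):
            entry_section = name
    largest = max(sections, key=lambda s: s[3])
    raw_total = sum(s[3] for s in sections)
    return {
        "entry_section": entry_section,
        "largest_section": largest[0],
        "largest_fraction": largest[3] / file_size,
        "bytes_outside_sections": file_size - raw_total,  # headers plus any overlay
        # Heuristic (my own): almost the whole file living in .rsrc is typical of a
        # crypter that keeps the real payload as an encrypted resource.
        "packed_suspect": largest[0] == ".rsrc" and largest[3] / file_size > 0.9,
    }


if __name__ == "__main__":
    print(parse_headers(HEADER_BYTES))
    print(section_report(SECTIONS, FILE_SIZE, ENTRY_RVA))
```

The decoded TimeDateStamp comes out as 2013-01-23 18:06:23 UTC, which agrees with the "Compile time" line above and with ExifTool's 19:06:23+01:00. The section raw sizes sum to 306176, leaving 1024 (0x400) bytes of headers, and 0x400 + 0x19e is exactly the 0x59e file offset the page gives for the entry point. The .rsrc section is 97.5% of the file, which is the numeric form of "encrypted PE file" noted above.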
When this malware is executed, the following malware files appear and are saved...
%AppData%\Lilagi\veiby.exe  (random; directory name matches [A-Z]{1}[a-z]{5}, file name matches [a-z]{5}\.exe)
%Temp%\tmp7cf80627.bat  (random; matches tmp[a-z|0-9]{8}\.bat)
%AppData%\Microsoft\Address Book\(USER).wab
The following malware processes are started...
"C:\Documents and Settings\[PC-USER]\Application Data\Lilagi\veiby.exe"
"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\[PC-USER]\LOCALS~1\Temp\tmp7cf80627.bat"
Then the original malware file and the BAT file were deleted.
At the same time, the following changes were made to the Windows registry...
HKEY_CURRENT_USER\Software\Microsoft\Epnese\27h77jd0 / VALUE: TZK2ftIpZeQhBJelF7vDdg==
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Server ID / VALUE: 0
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Server ID / VALUE: 1
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Server ID / VALUE: 2
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Server ID / VALUE: 3
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Server ID / VALUE: 4
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\PreConfigVer / VALUE: 4
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\PreConfigVerNTDS / VALUE: 1
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\Account Name / VALUE: Active Directory
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Server / VALUE: NULL
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Search Return / VALUE: 100
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Timeout / VALUE: 60
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Authentication / VALUE: 2
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Simple Search / VALUE: 0
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Bind DN / VALUE: 0
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Port / VALUE: 196
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Resolve Flag / VALUE: 1
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Secure Connection / VALUE: 0
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP User Name / VALUE: NULL
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Search Base / VALUE: NULL
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\Account Name / VALUE: Bigfoot Internet Directory Service
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Server / VALUE: ldap.bigfoot.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP URL / VALUE: http://www.bigfoot.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Search Return / VALUE: 100
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Timeout / VALUE: 60
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Authentication / VALUE: 0
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Simple Search / VALUE: 1
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Logo / VALUE: %ProgramFiles%\Common Files\Services\bigfoot.bmp
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\Account Name / VALUE: VeriSign Internet Directory Service
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Server / VALUE: directory.verisign.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP URL / VALUE: http://www.verisign.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Search Return / VALUE: 100
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Timeout / VALUE: 60
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Authentication / VALUE: 0
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Search Base [...]
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name\(null) / VALUE: C:\Documents and Settings\\Application Data\Microsoft\Address Book\ .wab
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\OlkContactRefresh / VALUE: 0
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\OlkFolderRefresh / VALUE: 0
HKEY_CURRENT_USER\Identities\{B0BB3B42-3666-47AA-8D85-B94B99DB4C9B}\Identity Ordinal / VALUE: 1
HKEY_CURRENT_USER\Identities\Identity Ordinal / VALUE: 2
HKEY_CURRENT_USER\Software\Microsoft\Epnese\230fjh3e / VALUE: 1
Finally, network activity was detected and recorded as follows...
195.169.125.228:29902
78.139.187.6:14384
190.21.87.83:15196
186.134.148.36:12460
75.6.222.103:11577
79.186.121.2:29666
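As an added example (not from the original post), the Python checker below turns the host and network indicators recorded above (the dropped-file name patterns, the dropped EXE spawning cmd.exe /c on a Temp\tmp*.bat, the HKEY_CURRENT_USER\Software\Microsoft\Epnese key, the address-book file, and the list of remote IP:port endpoints) into simple detection rules and runs them over constructed sample events. The event format (dicts with a type field), the benign SMB event, and the expansion of %AppData% into both the "Application Data" and "AppData\Roaming" forms are my own assumptions; the page's character class tmp[a-z|0-9]{8} is written as [a-z0-9] here since the '|' inside a class is a literal.

```python
import re

# Dropped EXE: %AppData%\[A-Z][a-z]{5}\[a-z]{5}.exe (pattern from the write-up). Deliberately
# case-sensitive, because the pattern distinguishes the capital first letter of the directory.
# %AppData% expanded to the XP and Vista+ folder names (assumption).
DROPPED_EXE_RE = re.compile(
    r"\\(?:Application Data|AppData\\Roaming)\\([A-Z][a-z]{5})\\([a-z]{5})\.exe\b")
# Dropped batch file: %Temp%\tmp[a-z0-9]{8}.bat (also matches the short DOS path form).
TEMP_BAT_RE = re.compile(r"\\Temp\\tmp[a-z0-9]{8}\.bat\b", re.IGNORECASE)
# Registry key family written by the sample (from the registry list above).
ZEUS_REG_PREFIX = "hkey_current_user\\software\\microsoft\\epnese\\"
# Remote endpoints recorded in the network capture above.
C2_ENDPOINTS = {
    ("195.169.125.228", 29902), ("78.139.187.6", 14384), ("190.21.87.83", 15196),
    ("186.134.148.36", 12460), ("75.6.222.103", 11577), ("79.186.121.2", 29666),
}


def scan_events(events):
    """Return (rule_name, event_index) pairs for every event that matches an indicator."""
    findings = []
    for i, ev in enumerate(events):
        kind = ev.get("type")
        if kind == "file_create":
            path = ev["path"]
            low = path.lower()
            if DROPPED_EXE_RE.search(path):
                findings.append(("dropped_exe_random_dir", i))
            if TEMP_BAT_RE.search(path):
                findings.append(("temp_bat_dropper", i))
            if low.endswith(".wab") and "\\address book\\" in low:
                findings.append(("address_book_touched", i))
        elif kind == "process_create":
            cmd = ev.get("cmdline", "")
            if ev["image"].lower().endswith("\\cmd.exe") and "/c" in cmd.lower() \
                    and TEMP_BAT_RE.search(cmd):
                # cmd.exe /c on a Temp\tmp*.bat alone is a weak signal; the parent being the
                # dropped EXE is what ties it to the run-then-delete behaviour described above.
                if DROPPED_EXE_RE.search(ev.get("parent", "")):
                    findings.append(("dropped_exe_spawns_temp_bat", i))
                else:
                    findings.append(("cmd_runs_temp_bat", i))
        elif kind == "registry_set":
            if ev["key"].lower().startswith(ZEUS_REG_PREFIX):
                findings.append(("zeus_registry_key", i))
        elif kind == "net_connect":
            if (ev["dst"], ev["port"]) in C2_ENDPOINTS:
                findings.append(("known_c2_endpoint", i))
    return findings


# Constructed sample events modelled on the behaviour listed above ("alice" is a made-up user).
SAMPLE_EVENTS = [
    {"type": "file_create",
     "path": r"C:\Documents and Settings\alice\Application Data\Lilagi\veiby.exe"},
    {"type": "file_create",
     "path": r"C:\Documents and Settings\alice\Local Settings\Temp\tmp7cf80627.bat"},
    {"type": "process_create", "image": r"C:\WINDOWS\system32\cmd.exe",
     "cmdline": r'"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\alice\LOCALS~1\Temp\tmp7cf80627.bat"',
     "parent": r"C:\Documents and Settings\alice\Application Data\Lilagi\veiby.exe"},
    {"type": "registry_set", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Epnese\27h77jd0",
     "value": "TZK2ftIpZeQhBJelF7vDdg=="},
    {"type": "net_connect", "dst": "195.169.125.228", "port": 29902},
    {"type": "net_connect", "dst": "10.0.0.5", "port": 445},   # benign file-server traffic
    {"type": "file_create",
     "path": r"C:\Documents and Settings\alice\Application Data\Microsoft\Address Book\alice.wab"},
]

if __name__ == "__main__":
    for rule, idx in scan_events(SAMPLE_EVENTS):
        print(f"{rule:32s} event #{idx}: {SAMPLE_EVENTS[idx]}")
```

The exact IP:port list is the most brittle rule here (peer lists change); the dropped-EXE-spawns-cmd.exe-on-a-Temp-batch chain and the random-name directory under %AppData% are the parts worth keeping as behavioural detections.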
Checking with VirusTotal gives the following information...
URL: https://www.virustotal.com/en/file/ebb5522800279af67e2d209c26b6c97a4c15ea6e384c5f02a51e5c1a2b92a590/analysis/
SHA256: ebb5522800279af67e2d209c26b6c97a4c15ea6e384c5f02a51e5c1a2b92a590
SHA1: fdc202a332c52a55b4a9939bd8e8c2d0b7c1f40e
MD5: 1b55d07cb1ef519409d449ceb883999f
File size: 300.0 KB ( 307200 bytes )
File name: e68e83363dfcd5e48240116a502f0845f1f5a6c6
File type: Win32 EXE
Tags: peexe
Detection ratio: 34 / 46
Analysis date: 2013-04-21 02:31:37 UTC ( 1 day, 8 hours ago )
MicroWorld-eScan : Trojan.GenericKDZ.14448
nProtect : Trojan.GenericKDZ.14448
McAfee : PWS-FASY!1B55D07CB1EF
Malwarebytes : Malware.Packer.EGX7
K7AntiVirus : Trojan
K7GW : Trojan
Symantec : Packed.Generic.402
Norman : Hlux.WH
ESET-NOD32 : a variant of Win32/Kryptik.AYWT
TrendMicro-HouseCall : TROJ_SPNR.14DG13
Avast : Win32:Kryptik-LKV [Trj]
Kaspersky : Trojan-Spy.Win32.Zbot.kkce
BitDefender : Trojan.GenericKDZ.14448
Sophos : Mal/Zbot-KR
Comodo : TrojWare.Win32.Kryptik.AYFK
F-Secure : Trojan.GenericKDZ.14448
DrWeb : Trojan.Packed.2928
VIPRE : Trojan.Win32.Winwebsec.mdc (v)
AntiVir : TR/Spy.ZBot.EB.325
TrendMicro : TROJ_SPNR.14DG13
McAfee-GW-Edition : Heuristic.LooksLike.Win32.Suspicious.B
Emsisoft : Trojan-Spy.Win32.Zbot (A)
Kingsoft : Win32.Troj.Zbot.KK.(kcloud)
Microsoft : PWS:Win32/Zbot.gen!AM
SUPERAntiSpyware : Trojan.Agent/Gen-Fynloski
GData : Trojan.GenericKDZ.14448
Commtouch : W32/Trojan.SQKB-8856
AhnLab-V3 : Trojan/Win32.Foreign
VBA32 : OScope.Malware-Cryptor.Hlux.6413
PCTools : HeurEngine.MaliciousPacker
Ikarus : Trojan-PWS.Win32.Zbot
Fortinet : W32/Kryptik.X!tr
AVG : Crypt_s.AZD
Panda : Generic Malware
As expected, it is Zeus. I think it is best to take action (report it) as early as possible. Below are the site's contact details and the network information...
- Contact listed on the site: Chief marriage counselor 後藤理恵
- Domain:
[Domain Name] LOLIPOP.JP
[Registrant] paperboy&co.
[Name Server] sv.madame.jp
[Name Server] dns2.lolipop.jp
[Signing Key]
[Created on] 2001/09/21
[Expires on] 2013/09/30
[Status] Active
[Last Updated] 2012/10/01 01:05:01 (JST)
Contact Information:
[Name] paperboy&co.
[Email] jp@muumuu-domain.com
[Web Page]
[Postal code] 150-8512
[Postal Address] 26-1 Sakuragaokacho Shibuya-ku, Tokyo 1508512,JAPAN
[Phone] 03-5456-2622
[Phone] +81-3-5456-2622
[Fax] +81-3-5456-2633
- Network:
inetnum: 210.172.128.0 - 210.172.191.255
netname: interQ-CIDR-BLK-JP
descr: GMO Internet, Inc.
remarks: Email address for spam or abuse complaints : abuse@gmo.jp
country: JP
admin-c: JP00014973
tech-c: JP00014973