TT Malware Log

A personal investigation and research log on malware, cyber attacks, and analysis techniques

Winnti (Summary)

【Related groups】

  • Blackfly
  • Axiom
  • Suckfly


【Analysis reports】

◆Winnti (Kaspersky, 2013/04)
https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf

◆WINNTI ANALYSIS (NOVETTA)
http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf


【Public information】

◆Group: Winnti Group, Blackfly (Mitre)
https://attack.mitre.org/wiki/Group/G0044

◆Winnti Evolution - Going Open Source (PROTECTWISE, 2017/07/11)
https://www.protectwise.com/blog/winnti-evolution-going-open-source.html


【Indicator information】

■Hashes (MD5)

  • 05edd53508c55b9dd64129e944662c0d
  • 1cf5ce3e3ea310b0f7ce72a94659ff54
  • 352eede25c74775e6102a095fb49da8c
  • 3b595d3e63537da654de29dd01793059
  • 4709395fb143c212891138b98460e958
  • 50f4464d0fc20d1932a12484a1db4342
  • 96c317b0b1b14aadfb5a20a03771f85f
  • ba7b1392b799c8761349e7728c2656dd
  • de5057e579be9e3c53e50f97a9b1832b
  • e7d92039ffc2f07496fe7657d982c80f
  • e864f32151d6afd0a3491f432c2bb7a2

The above are quoted from "Suckfly: Revealing the secret life of your code signing certificates"
https://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates

■Hashes (SHA-256)

  • 0798740771dc8f40a5a45a2f58aeab479e2ead6682d67b24fafc46a7ab40c128
  • 0e21bf36ce80687d69caf537ea2a77cd8ef3210fb845256f56b5096efb0f7177
  • 0e258047b5883e8e8841f8649352478bf1ad4362c53b8be082cf701380694fc5
  • 0e3d6da65139e01a8f9be0ee63b4510123fc9f644100b00535f7f3b1611ab2ce
  • 1616adcdb750330cdad6223d26311244ce21080fce5ff03203261302d1031249
  • 18c42f98affc8f053d0a20e9bc85786f1cc8c33bd5f7c0080687b5aa8c97f1d7
  • 18df4e50d2db8e352755bab86e2aa04ce9dcf2a83bf3e03135abae00ab3d16c2
  • 1b0cd7bbd5188798f0bbcebb06afb54f6455a680b061bf32fa43d28e829837b0
  • 21cbd6ba2f1787ebdeac8e6098a94e0e3f8d760bf7277f0e30229d9362cd7689
  • 246feb48f0a8e11b1c0d6cfb1a6fcbcb3b1b6014dc825367e67976cc31d29c37
  • 2491fcac659f72cf9f0247e6444f1024e3f93b8684d9129fee61b7fe27ae4848
  • 288e9ac646b5c42666717326943fcfe90d206a2b29b6bcd46dd0b4a5db683689
  • 29c43ec1a4c4fc823028ee0e5b4ce9e6e5e1217766ee430f663538a60ccf13d4
  • 2c3032b2b19b19369a37c7d60cd850c4208ec042ef32c9870b701f333734ae56
  • 2e90ec6594eb5fda2cfb6d46b91e13e9ee3f8941de31b57f366dbe254ee9fc32
  • 2fa4b025c74dec27d2640d441db27601e6d1c7717db90b7e9915f6ef5db92fa3
  • 2fde6617eaca9e178bd4de52fd55d4bcf211632c004703f31efbd541b3d16319
  • 3087f00b5ef2941ebf3005e9ed46c134a601c629d8dd26e83b25b3e3a4106f77
  • 316f052a09f1f121cfe70491697048db32612c4a2c4f007748fda9a2b0e56c20
  • 33f8cfb672ab39e7ef1986848b293ade35e08480a8f7d2cbe96195357fb39cfb
  • 35541d4f586a97d5f4cd0c43436df0cee2944a1a650dd7b9d3f14a63e7f20c8a
  • 4466f22fd87e4d7fc875c7e073131cf81635fac48ba0fa7bbcf37f8a2dd0563e
  • 47053e77580ef64ca39058f72986c6ff46a81c092027e240916c8bdb42cdfcb6
  • 4a4e729b5a2212bdcba4314594cbdf8fcbec7146bb1f47b3c99ad6d183bceb38
  • 4a7e8d72dbaf30ebe2328771381912df9387deea6e240f3ad046ba1154250680
  • 52ce11b571aacf298c10d6dce47a60c199f6f58a76b901583bde65d86886cf1f
  • 5f41b896d76c04677ac400262aae06727771d408b598e870827c2c8f4aac061c
  • 62bd0c6eca0c4d562de0d83bbc7ce63fe9bfb3ac149e9a449dd44e2e3165c9dc
  • 6aa66eef38c6fcc2d9ab8034723acdaf2af0195749ff713dddaf414d2caea45f
  • 6c8347ec0c0a26a8942342e4031cf823332a8637d9a4e7f31bad725edc04a395
  • 7339fe6a7799ab8369d0dbafed9d7f3b6c81d164b00ec5d3a17d6c69ea52b141
  • 7a0fdc652e0ce4d84e9a6fd89343e6d71756c0a8f537276d3aed7388264ddb16
  • 7c09b14a34114e5b6861530ac19ab1aaadf9e8c9a7fbbde96542c21175b094e0
  • 7c754b0bec42a85f78393082b011e07fb0e964437c0c5c690ccf51d5508ab8b6
  • 7d8da529d439e31b917661ae7421ee99b132e995cc78156fdd6e1f7df43ac07c
  • 823e09d204e3c4d57abcbb23c1db50b0db3d8d4eecde72b0ffefa2f0b6abe904
  • 87e4096e3989ae5f047d1ede355e5e95b2eb4ce2fc8fb42a7d8a39f3224d41ab
  • 890137121b159b0de4b287627a8710605327f8aa0b2e657362b05b793881d87e
  • 8ac94fb63d023242e62d08ef7552beed720845266ea884c8d992d2533b81cf12
  • 8dcae5e7f13d190ff492687ddca33342450fdef868fbfa92d2ac7b32ffbf7365
  • 8f9e875825f498cee1ef74c57829cd367a8b3089fe4e8918449711fa3af0f984
  • 90745e366f46b1065c56a1a3e262e9e1f0f26baf05b6d29e4758dabdc2570d76
  • 92f960ddcfa6ed39289e28f03bb36cd2b6b513f3c3c21ef31ee5f9a8238a8a01
  • 959630cb90c5e3810a8a02c771f37b46388204d2d99a436463cd87411f961ba0
  • 970415694f5b1952a45b7c3c776292877738e32b42b23d97e1b5361e0eaf97de
  • 9df413b0da7355bbb203c294ed64c06ec68ab4a00221c8e9a0e635a40a08576d
  • a679d46a8ce8da6135b0dec9b2632ae41d01629a17f3183f9bcb76debfcecba5
  • a8f50d0f0c41e83dc3697b6668013e8cff990e5b98b99170c24c57281ff43e09
  • aa17bce6d8c469ce22ba29f79d2754db5d44096862d7a13be9324121c04a5343
  • ad1e7e12607ccdda70197a9cc0fc3df7fb74db540d1a1764da9da7347cbd73e3
  • b21a5ac48502ff75057f9773bf31abd970ef6c75a2c0ea1c871dd4e81ec5a994
  • b63407714c73d022b748411df888ccabcca082cf87bc32d53c6a9cfd55f46bda
  • b9140df8a58f02469f9f5789e1a39e476381855820730c997580f3a49fff1148
  • bdb451dd67a1101f8437a2f4231abac37d8bcc4b7c7b85bc74ace83e31aaa156
  • bf1ac8ab322891defe755552c198891ff28fb2fa57fd36a8b1b5a6b649fbc027
  • c46bfed74f17b114664adb658c7a10389eceb3c35edbaa472197d32b66bea7ad
  • c6791c74cf345c38ff10f04d36c11ad2953eb39bbc95df837dd4bf77176d6322
  • ca0acc09b6b17271bcda7f67eaf9b9a8d8227408e7fd6b0def0f99e501bc179a
  • ca6540211b309620c38db716b29d282492c4842d5d6e167ecc3b0707431c491f
  • cf15e587ef51527660947510b53f2a7b28da4b5ea02e39ff24c04e7156210612
  • d11884d05b679e494d8d997784e2d11648946b66d2f04daf3813e57fd1a156fc
  • d173811a545ba495934cb293460bc86b0c6681c2cd98de52b6b10c63e4d3abb3
  • d1e1a66afb0e33d865776758abb5869fae5b3deab58e6a9f996253bdaf02a91f
  • d6011662c2d1a18c50b02dc6ec5d9650c34bd67083038a9d56d9e0c98b100730
  • d72b78c634d9e1c24c90da7badb54a1243573c49dffe43ddb6a14db586b2aaf8
  • d929406819df0faaf297e2b2e4253724a9f6fafaafa239c4b90db5ab6e58bd83
  • da198b32b61d0a5765d2961b1f4a20592a90bd919835bd5cf1f64329ef388a61
  • ddccba1aa87ec9d12a896bed96d2d16465b4b63baefd4580828372971881be00
  • dec864735d2017b52accdd5285d24131ee556f9266156c62a83cde0ae8dbd095
  • df6e40fb0bea1d00c86e0bca493d05a9318ba8e27b015bcadb2fc1d82fa8af04
  • e13c06fa97a3f502edc3aee62b0f6aee174d5ced7a5d0a4dffc7323a9c993347
  • e82f0bfa09fa9d855a73ae82ca56566c5b59074fa2ad4aad1f6870d5331eede8
  • e9bfcfe6d1bbfabca1d8c0896b1bcf452000bed161c1eba95bbae2256993f3ab
  • eb8d20f3241a702409ef153b9f71c3af4e4f4557371265b86f4edd075c36cb91
  • ec198eb746eb1d87315e4ce2cb0d960246da4824f4925d340201288947537bfa
  • f1c61fd84e925eb42d681755395f20b1adedd4ee43c58e974a32604e953cbbfd
  • f255321e7331ec856bcbf816f4a38371c2311b00d531fdff541fb18496cc0edd
  • f37762bb2199c20d0c5ea0a21774f60bef1fabd7966ee9dc9c67514d5e7ed239
  • f3ccc986dc4922514432440612331e74b1677995258291dd1fb068314e413a75
  • f4bf952b5b922a431ad15e4b9a9bc7011a999241187ca93811cec3cdd0a87351
  • f571b27da6fc097bfc7a989fb9b752320f45ded7505125c558851ddd68f01688
  • f8d6b5995ae855e9cd89194faf0c2f683f8e2d83376bcd4f2da55904d411368c
  • f97ba6bdd7893af406d500634d5982184d278b46d392a0f7ad7d7bade0c47fc0
  • fcc252231ec72ef03fb1309f415fb3f39db5f625925d7b01b8f851f33f506342
  • fef59f6fc920a7a0ce7f67ec88d7d081a23d5c00aa93a646caa06e0a23bb7639

The above are quoted from "WINNTI ANALYSIS"
http://www.novetta.com/wp-content/uploads/2015/04/vt-winnti.txt


■Network indicators

Indicator                      Description
-----------------------------  ----------------------------------------------
job.yoyakuweb.technology       Phishing email link destination.
resume.immigrantlol.com        Phishing email link destination.
macos.exoticlol.com            Likely phishing email link destination.
css.google-statics[.]com       BeEF Landing and C2.
minami.cc                      Potential BeEF - Low confidence (Linode)
vps2java.securitytactics.com   Malware C2
106.184.5.252                  Phishing email link destination.
61.78.62.21                    Used in BeEF C2, reused Winnti Infra.
139.162.106.19                 Linode - Used in BeEF C2.
172.104.101.131                Linode - Malware C2.
139.162.17.161                 Linode - Used in BeEF C2.
133.242.145.137                Linode - Used in BeEF C2.
106.185.31.128                 Linode - hosting BeEF landings.

The above is quoted from "Winnti Evolution - Going Open Source"
https://www.protectwise.com/blog/winnti-evolution-going-open-source.html


■Network indicators (C&C servers)

IP address       Port
---------------  -------------
160.16.243.129   443 (HTTPS)
160.16.243.129   53 (DNS)
160.16.243.129   80 (HTTP)
174.139.203.18   443 (HTTPS)
174.139.203.18   53 (DNS)
174.139.203.20   53 (DNS)
174.139.203.22   443 (HTTPS)
174.139.203.22   53 (DNS)
174.139.203.27   53 (DNS)
174.139.203.34   53 (DNS)
174.139.62.58    80 (HTTP)
174.139.62.60    443 (HTTPS)
174.139.62.60    53 (DNS)
174.139.62.60    80 (HTTP)
174.139.62.61    443 (HTTPS)
61.195.98.245    443 (HTTPS)
61.195.98.245    53 (DNS)
61.195.98.245    80 (HTTP)
67.198.161.250   443 (HTTPS)
67.198.161.250   53 (DNS)
67.198.161.251   443 (HTTPS)
67.198.161.252   443 (HTTPS)

The above is quoted from "'WINNTI' Abuses GitHub for C&C Communication"
http://malware-log.hatenablog.com/entry/2017/03/30/000000


Copyright (C) 谷川哲司 (Tetsuji Tanigawa) 1997 - 2017