TT Malware Log

A personal log of investigation and research on malware, cyber attacks, and analysis techniques

Orangeworm (Summary)

【News】

◆Orangeworm Hackers Infect X-Ray and MRI Machines In Their Quest for Patient Data (BleepingComputer, 2018/04/23)
https://www.bleepingcomputer.com/news/security/orangeworm-hackers-infect-x-ray-and-mri-machines-in-their-quest-for-patient-data/


【Blog】

◆New attack group "Orangeworm" confirmed targeting the healthcare industry in the U.S., Europe, and Asia (Symantec, 2018/04/23)

Symantec has confirmed that a new attack group called Orangeworm is distributing the Kwampirs backdoor in targeted attacks against the healthcare industry and related sectors.

https://www.symantec.com/connect/ja/blogs/orangeworm

◆New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia (Symantec, 2018/04/23)
https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia


【Related Information】

(Figure: command list)
Source: https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia

【Indicator Information】

■Hashes (MD5, Dropper)

0240ed7e45567f606793dafaff024acf wmipsrvce.exe
047f70dbac6cd9a4d07abef606d89fb7 wmiapsrvce.exe
0240ed7e45567f606793dafaff024acf WMIAPSRVUX.EXE
2ae53de1a1f65a6d57e96dab26c73cda wmiapsrve.exe
47345640c135bd00d9f2969fabb4c9fa WMIPSVRCE.EXE
cb9954509dc82e6bbed2aee202d88415 wmipsrvce.exe
cb9954509dc82e6bbed2aee202d88415 WMIPSVRE.EXE
b680b119643876286030c4f6134dc4e3 wmiapsrve.exe
fac94bc2dcfbef7c3b248927cb5abf6d wmipvsre.exe
856683aee9687f6fdf00cfd4dc4c2aef wmiapsvrce.exe
847459c8379250d8be2b2d365be877f5 wmiapsrve.exe
fac94bc2dcfbef7c3b248927cb5abf6d WMIAPSRVE.EXE
fac94bc2dcfbef7c3b248927cb5abf6d WMIPRVSE.EXE
cb9954509dc82e6bbed2aee202d88415 WMIPVSRE.EXE
6277e675d335fd69a3ff13a465f6b0a8 wmipsrvce.exe
847459c8379250d8be2b2d365be877f5 wmiapsvre.exe
3bedc1c4c1023c141c2f977e846c476e wmipsvrce.exe
ce3894ee6f3c2c2c828148f7f779aafe WMIAPVSRE.EXE
3b3a1062689ffa191e58d5507d39939d wmiaprvse.exe
47345640c135bd00d9f2969fabb4c9fa WMIAPSVRE.EXE
3bedc1c4c1023c141c2f977e846c476e wmiapvsre.exe
6277e675d335fd69a3ff13a465f6b0a8 wmiapsrve.exe
856683aee9687f6fdf00cfd4dc4c2aef wmipsvrce.exe
cb9954509dc82e6bbed2aee202d88415 wmipsvrce.exe
fac94bc2dcfbef7c3b248927cb5abf6d wmipsrvce.exe
847459c8379250d8be2b2d365be877f5 WMIPRVSE.EXE
cb9954509dc82e6bbed2aee202d88415 wmiapsrvcx.exe
856683aee9687f6fdf00cfd4dc4c2aef wmiapsrvce.exe
cb9954509dc82e6bbed2aee202d88415 wmiprvse.exe
7e5f76c7b5bf606b0fdc17f4ba75de03 wmiapsvrce.exe
177bece20ba6cc644134709a391c4a98 wmiapsrvex.exe
fac94bc2dcfbef7c3b248927cb5abf6d wmiaprvse.exe
fac94bc2dcfbef7c3b248927cb5abf6d wmipsvre.exe
3b3a1062689ffa191e58d5507d39939d wmiapsrvex.exe
b59e4942f7c68c584a35d59e32adce3a wmiapsrve.exe
81e61e5f44a6a476983e7a90bdac6a55 WMIAPSRVCX.EXE

https://content.connect.symantec.com/sites/default/files/2018-04/Orangeworm%20IOCs.pdf

■Hashes (MD5, DLL)

ec968325394f3e6821bf90fda321e09b WMIAMGMT.DLL
01cf05a07af57a7aafd0ad225a6fd300 WMIASSN.DLL
d57df638c7befd7897c9013e90b678f0 wmiamgmt.dll
5c3499acfe0ad7563b367fbf7fb2928c wmipadp.dll
4b91ec8f5d4a008dd1da723748a633b6 wmipadp.dll
134846465b8c3f136ace0f2a6f15e534 wmiassn.dll
9d2cb9d8e73fd879660d9390ba7de263 WMIPDPA.DLL
939e76888bdeb628405e1b8be963273c wmiadrv.dll
de9b01a725d4f19da1c1470cf7a948ee wmipdpa.dll
bb939a868021db963916cc0118aab8ee wmipadp.dll
3289c9a1b534a19925a14a8f7c39187c wmiadrv.dll
9d3839b39d699336993df1dd4501892b wmipdpa.dll
fece72bd41cb0e06e05a847838fbde56 wmiassn.dll
bbd9e4204514c66c1babda178c01c213 wmiadrv.dll
ee4206cf4227661d3e7ec846f0d69a43 wmipadp.dll
290d8e8524e57783e8cc1b9a3445dfe9 wmiamgmt.dll

https://content.connect.symantec.com/sites/default/files/2018-04/Orangeworm%20IOCs.pdf


■IP Addresses

  • 65.116.107.24
  • 13.44.61.126
  • 56.28.111.63
  • 118.71.138.69
  • 117.32.65.101
  • 18.25.62.70
  • 92.137.43.17
  • 33.25.72.21
  • 16.48.37.37
  • 91.29.51.11

■URLs

  • hxxp://65.116.107.24/login/login.php?q=kt[REDACTED_BASE64_STRING]==
  • hxxp://13.44.61.126/main/indexmain.php?q=KT[REDACTED_BASE64_STRING]==
  • hxxp://56.28.111.63/group/group/defaultmain.php?q=KT[REDACTED_BASE64_STRING]==
  • hxxp://118.71.138.69/new/main/default.php?q=KT[REDACTED_BASE64_STRING]==
  • hxxp://117.32.65.101/users/login.php?q=kt[REDACTED_BASE64_STRING]==
  • hxxp://18.25.62.70/groupgroup/default.php?q=kt[REDACTED_BASE64_STRING]==
  • hxxp://92.137.43.17/group/group/home/login/home.php?q=KT[REDACTED_BASE64_STRING]==
  • hxxp://33.25.72.21/group/main.asp?q=KT[REDACTED_BASE64_STRING]==
  • hxxp://16.48.37.37/groupusers/default.php?q=kt[REDACTED_BASE64_STRING]==
  • hxxp://91.29.51.11/default/main.php?q=KT[REDACTED_BASE64_STRING]==

Copyright (C) 谷川哲司 (Tetsuji Tanigawa) 1997 - 2019