TT Malware Log

A personal log of investigation, research and references on malware, cyber attacks and analysis techniques

Tick Group Weaponized Secure USB Drives to Target Air-Gapped Critical Systems

【Blog】

◆Tick Group Weaponized Secure USB Drives to Target Air-Gapped Critical Systems (paloalto, 2018/06/22)
https://unit42.paloaltonetworks.com/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/


【Related summary articles】

Overall summary
 ◆Attack groups / Actor (summary)
  ◆Targeted attack groups / APT (summary)

◆Tick / Bronze Butler (summary)
http://malware-log.hatenablog.com/entry/Tick


【Indicator information】


■Hashes (SHA256) - Malformed legitimate software (SymonLoader) -

8549dcbdfc6885e0e7a1521da61352ef4f084d969dd30719166b47fdb204828a
31aea8630d5d2fcbb37a8e72fe4e096d0f2d8f05e03234645c69d7e8b59bb0e8

(The above is Palo Alto Networks' information; source: https://unit42.paloaltonetworks.com/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/ )


■File paths - SymonLoader -

%ProgramFiles%\Windows NT\Accessories\Microsoft\msxml.exe
%UserProfile%\Applications\Microsoft\msxml.exe


■Registry - SymonLoader -

HKLM\Software\Microsof\Windows\CurrentVersion\run\"xml" = %ProgramFiles%\Windows NT\Accessories\Microsoft\msxml.exe
HKCU\Software\Microsof\Windows\CurrentVersion\run\"xml" = %UserProfile%\Applications\Microsoft\msxml.exe


■Mutex - SymonLoader -

SysMonitor_3A2DCB47


■Hashes (SHA256) - Trojanized legitimate software (HomamDownloader) -

b1bb1d5f178b064eb1d7c9cc7cadcf8b3959a940c14cee457ce3aba5795660aa
3227d1e39fc3bc842245ccdb16eeaadad3bcd298e811573b2e68ef2a7077f6f6
92e0d0346774127024c672cc7239dd269824a79e85b84c532128fd9663a0ce78
33665d93ab2a0262551c61ec9a3adca2c2b8dfea34e6f3f723274d88890f6ceb

(The above is Palo Alto Networks' information; source: https://unit42.paloaltonetworks.com/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/ )


■Hashes (SHA256) - HomamDownloader -

019874898284935719dc74a6699fb822e20cdb8e3a96a7dc8ec4f625e3f1116e
ee8d025c6fea5d9177e161dbcedb98e871baceae33b7a4a12e9f73ab62bb0e38
f817c9826089b49d251b8a09a0e9bf9b4b468c6e2586af60e50afe48602f0bec

(The above is Palo Alto Networks' information; source: https://unit42.paloaltonetworks.com/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/ )


■URL

pre.englandprevail.com



Copyright (C) 谷川哲司 (Tetsuji Tanigawa) 1997 - 2020