【Figures】
Exploit variants.
The initial exploitation attempt sample.
Infection Chain.
0I8h4xuvxe PowerShell script.
StealthLoader copies itself to the Temp folder.
The malware uses the sleep function to suspend its own execution.
Obfuscation techniques to avoid static analysis.
Source: https://blog.checkpoint.com/2021/12/14/a-deep-dive-into-a-real-life-log4j-exploitation/
【Blog】
◆A deep dive into a real-life Log4j exploitation (Check Point, 2021/12/14)
[An in-depth look at a real-world Log4j exploitation]
https://blog.checkpoint.com/2021/12/14/a-deep-dive-into-a-real-life-log4j-exploitation/
【Indicator information】
■Hash information (SHA-256)
457b254439cdbbc167b45abc09d9531b59ac7b104e847e453e5abd016991a6e2
8c4b72544f1791dd27e87f13a1c9d3070bb70f979e5e2ec98160f9f31945f33b
(The above is Check Point's information; source: https://blog.checkpoint.com/2021/12/14/a-deep-dive-into-a-real-life-log4j-exploitation/ )
■IP address information
188[.]126.89.151
52[.]114.77.236
176[.]12.177.110
87[.]71.62.56
95[.]101.133.173
2[.]21.7.180
2[.]56.59.123
(The above is Check Point's information; source: https://blog.checkpoint.com/2021/12/14/a-deep-dive-into-a-real-life-log4j-exploitation/ )
■Monero wallet
4AeriA3wiocD9gUjiw7qptRDfECriZJac8CgGbfUUPUmMSYtLE43dr2XXDN6t5vd1GWMeGjNFSDh5NUPKBKU3bBz8uatDoC
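The indicator list above is defanged (`[.]` in the addresses) and mixes three indicator types, so it cannot be fed to a log search as-is. The following Python is an added example, not code from this page or from the Check Point report: it parses an embedded copy of the list, refangs and validates each entry, and runs the result over a few constructed log lines. The log lines, the file path in the EDR line, and the helper names (`parse_iocs`, `scan_log`, `refang`, `defang`) are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed copy of the indicator section above (Check Point's IOCs, defanged as on this page).
IOC_TEXT = """\
■Hash information (SHA-256)
457b254439cdbbc167b45abc09d9531b59ac7b104e847e453e5abd016991a6e2
8c4b72544f1791dd27e87f13a1c9d3070bb70f979e5e2ec98160f9f31945f33b
■IP address information
188[.]126.89.151
52[.]114.77.236
176[.]12.177.110
87[.]71.62.56
95[.]101.133.173
2[.]21.7.180
2[.]56.59.123
■Monero wallet
4AeriA3wiocD9gUjiw7qptRDfECriZJac8CgGbfUUPUmMSYtLE43dr2XXDN6t5vd1GWMeGjNFSDh5NUPKBKU3bBz8uatDoC
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEX64_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def refang(value: str) -> str:
    """Undo the common defanging conventions ("[.]", "(.)", "hxxp") used in shared IOC lists."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def defang(ip: str) -> str:
    """Re-defang an IPv4 address in the style this page uses (first dot only)."""
    return ip.replace(".", "[.]", 1)


def parse_iocs(text: str) -> dict:
    """Parse the page's '■'-headed indicator blocks into validated, refanged sets."""
    iocs = {"sha256": set(), "ip": set(), "wallet": set()}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):        # blank or attribution line
            continue
        if line.startswith("■"):                     # section header
            header = line.lstrip("■").strip().lower()
            if header.startswith("hash"):
                section = "sha256"
            elif header.startswith("ip"):
                section = "ip"
            elif "wallet" in header:
                section = "wallet"
            else:
                section = None
            continue
        if section == "sha256":
            if SHA256_RE.match(line.lower()):        # reject truncated or mis-copied hashes
                iocs["sha256"].add(line.lower())
        elif section == "ip":
            try:
                iocs["ip"].add(str(ipaddress.ip_address(refang(line))))
            except ValueError:
                pass                                  # not a valid address after refanging
        elif section == "wallet":
            iocs["wallet"].add(line)
    return iocs


def scan_log(lines, iocs: dict) -> list:
    """Return (line_no, kind, value) for every IOC occurrence in the given log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in iocs["ip"]:
                hits.append((n, "ip", ip))
        for h in HEX64_RE.findall(line):
            if h.lower() in iocs["sha256"]:
                hits.append((n, "sha256", h.lower()))
        for w in iocs["wallet"]:
            if w in line:
                hits.append((n, "wallet", w))
    return hits


# Constructed sample log lines (not from the Check Point report): a web access log, an
# EDR file-write event, and a firewall egress record. Line 3 carries a superstring of
# 2.21.7.180 to show that the word-boundary regex does not produce a false hit.
SAMPLE_LOG = [
    '188.126.89.151 - - [14/Dec/2021:10:02:11 +0000] "GET /login HTTP/1.1" 200 512',
    '10.0.0.5 - - [14/Dec/2021:10:02:12 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '12.21.7.180 - - [14/Dec/2021:10:02:13 +0000] "GET / HTTP/1.1" 200 64',
    'edr: powershell.exe wrote C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe '
    'sha256=457B254439CDBBC167B45ABC09D9531B59AC7B104E847E453E5ABD016991A6E2',
    'fw: outbound dst=2.56.59.123:443 proto=tcp bytes=1337',
]

IOCS = parse_iocs(IOC_TEXT)

if __name__ == "__main__":
    for n, kind, value in scan_log(SAMPLE_LOG, IOCS):
        shown = defang(value) if kind == "ip" else value
        print(f"line {n}: {kind} {shown}")
```

Hash matching is case-insensitive because EDR products differ in how they print digests; IP matching uses `\b` boundaries so that `12.21.7.180` does not register as `2.21.7.180`. Matches are printed re-defanged, which is the form in which they should be pasted into tickets or shared reports.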
【Search】
google: "457b254439cdbbc167b45abc09d9531b59ac7b104e847e453e5abd016991a6e2"
google: "8c4b72544f1791dd27e87f13a1c9d3070bb70f979e5e2ec98160f9f31945f33b"
google: "188.126.89.151"
google: "52.114.77.236"
google: "176.12.177.110"
google: "87.71.62.56"
google: "95.101.133.173"
google: "2.21.7.180"
google: "2.56.59.123"
【VirusTotal search】
https://www.virustotal.com/gui/file/457b254439cdbbc167b45abc09d9531b59ac7b104e847e453e5abd016991a6e2
https://www.virustotal.com/gui/file/8c4b72544f1791dd27e87f13a1c9d3070bb70f979e5e2ec98160f9f31945f33b
https://www.virustotal.com/gui/ip-address/188.126.89.151
https://www.virustotal.com/gui/ip-address/52.114.77.236
https://www.virustotal.com/gui/ip-address/176.12.177.110
https://www.virustotal.com/gui/ip-address/87.71.62.56
https://www.virustotal.com/gui/ip-address/95.101.133.173
https://www.virustotal.com/gui/ip-address/2.21.7.180
https://www.virustotal.com/gui/ip-address/2.56.59.123