TT Malware Log

A "personal" research and reference log on malware / cyber attacks / analysis techniques

So RapperBot, What Ya Bruting For?

[Figures]


RapperBot execution flow
Source: https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery


[Blog]

◆So RapperBot, What Ya Bruting For? (Fortinet, 2022/08/03)
https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery


[Related Information]

◆Malware "RapperBot" that brute-forces SSH is growing rapidly; Linux devices should take care (Mynavi News, 2022/08/08 10:16)
https://news.mynavi.jp/techplus/article/20220808-2419092/
https://malware-log.hatenablog.com/entry/2022/08/08/000000_3


[Related Summary Articles]

Overall summary
 ◆Malware (Summary)
  ◆Linux Malware (Summary)

◆RapperBot (Summary)
https://malware-log.hatenablog.com/entry/RapperBot

 ◆Attack Methods (Summary)

◆Brute Force Attacks (Summary)
https://malware-log.hatenablog.com/entry/Attack_Method


[Indicator Information]

■Hash information (SHA-256) - -
(The above is information from : cited from https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery )


■URL information - Download URLs -


(The above is information from : cited from https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery )


■URL information - C2 -

31[.]44[.]185[.]235
2[.]58[.]149[.]116
194[.]31[.]98[.]244
185[.]225[.]73[.]196

(The above is information from : cited from https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery )


■Public key information - SSH public key -

AAAAB3NzaC1yc2EAAAADAQABAAACAQC/yU0iqklqw6etPlUon4mZzxslFWq8G8sRyluQMD3i8tpQWT2cX/mwGgSRCz7HMLyxt87olYIPemTIRBiyqk8SLD3ijQpfZwQ9vsHc47hdTBfj89FeHJ GGm1KpWg8lrXeMW+5jIXTFmEFhbJ18wc25Dcds4QCM0DvZGr/Pg4+kqJ0gLyqYmB2fdNzBcU05QhhWW6tSuYcXcyAz8Cp73JmN6TcPuVqHeFYDg05KweYqTqThFFHbdxdqqrWy6fNt8q/cgI30 NBa5W2LyZ4b1v6324IEJuxImARIxTc96Igaf30LUza8kbZyc3bewY6IsFUN1PjQJcJi0ubVLyWyyJ554Tv8BBfPdY4jqCr4PzaJ2Rc1JFJYUSVVT4yX2p7L6iRpW212eZmqLMSoR5a2a/tO2s1 giIlb+0EHtFWc2QH7yz/ZBjnun7opIoslLVvYJ9cxMoLeLr5Ig+zny+IEA3x090xtcL62X0jea6btVnYo7UN2BARziisZze6oVuOTCBijuyvOM6ROZ6s/wl4CQAOSLDeFIP5L1paP9V1XLaYLD BAodNaUPFfTxggH3tZrnnU8Dge5/1JNa08F3WNUPM1S1x8L2HMatwc82x35jXyBSp3AMbdxMPhvyYI8v2J1PqJH8OqGTVjdWe40mD2osRgLo1EOfP/SFBTD5VEo95K2ZLQ==

(The above is information from : cited from https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery )


■Credential information - Threat Actor root user -

/etc/passwd suhelper:x:0:0::/:
/etc/shadow suhelper:$1$1OJBlhUV$E9DMK0xdoZb8W8wVOibPQ/:19185:0:99999:7:::

(The above is information from : cited from https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery )


[Search]



[VirusTotal Search]


https://www.virustotal.com/gui/ip-address/31.44.185.235
https://www.virustotal.com/gui/ip-address/2.58.149.116
https://www.virustotal.com/gui/ip-address/194.31.98.244
https://www.virustotal.com/gui/ip-address/185.225.73.196


Copyright (C) 谷川哲司 (Tetsuji Tanigawa) 1997 - 2023