【概要】
- EternalRocksが発生
- NSAのツールを悪用
【ニュース】
◆新型ワーム「EternalRocks」が発生--NSAの流出ツール7つを利用 (ZDNet, 2017/05/23 12:26)
https://japan.zdnet.com/article/35101568/
◆WannaCryは序章? NSAツールを悪用したマルウェアが相次ぎ出現 (ITmedia, 2017/05/23 10:00)
ネットワークワームの「EternalRocks」は、NSAのツールを長期的に悪用し、感染マシンを攻撃の発射台として利用する意図をもつ
http://www.itmedia.co.jp/enterprise/articles/1705/23/news059.html
【公開情報】
◆EternalRocks (a.k.a. MicroBotMassiveNet)
https://github.com/stamparm/EternalRocks
【インディケータ情報】
■Sha256
- cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30
- 3b4497c7f8c89bf22c984854ac7603573a53b95ed147e80c0f19e549e2b65693
- a77c61e86bc69fdc909560bb7a0fa1dd61ee6c86afceb9ea17462a97e7114ab0
- 70ec0e2b6f9ff88b54618a5f7fbd55b383cf62f8e7c3795c25e2f613bfddf45d
- e049d8f69ddee0c2d360c27b98fa9e61b7202bb0d3884dd3ca63f8aa288422dc
- 1ee894c0b91f3b2f836288c22ebeab44798f222f17c255f557af2260b8c6a32d
- 64442cceb7d618e70c62d461cfaafdb8e653b8d98ac4765a6b3d8fd1ea3bce15
- 94189147ba9749fd0f184fe94b345b7385348361480360a59f12adf477f61c97
- 9bd32162e0a50f8661fd19e3b26ff65868ab5ea636916bd54c244b0148bd9c1b
- a7c387b4929f51e38706d8b0f8641e032253b07bc2869a450dfa3df5663d7392
- ad8965e531424cb34120bf0c1b4b98d4ab769bed534d9a36583364e9572332fa
- b2ca4093b2e0271cb7a3230118843fccc094e0160a0968994ed9f10c8702d867
- c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491
- d43c10a2c983049d4a32487ab1e8fe7727646052228554e0112f6651f4833d2c
- d86af736644e20e62807f03c49f4d0ad7de9cbd0723049f34ec79f8c7308fdd5
- fc75410aa8f76154f5ae8fe035b9a13c76f6e132077346101a0d673ed9f3a0dd
(以上は Kstamparm/EternalRocksの情報: https://github.com/stamparm/EternalRocks)
【マルウェア情報】
(1)
| Sha256 | cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30 |
| MD5 | c52f20a854efb013a0a1248fd84aaa95 |
| SHA1 | 8a2cfe220eebde096c17266f1ba597a1065211ab |
| ssdeep | 98304:oix7H2smW+eW/4oEAxd1jzOYGYSXmNjT2opEqH+IHK:XGW2dpOXoFWqrH |
| authentihash | a1ad24faa00fcc7a65319294f78b6fcb49ebad8d3262037c0d4453f45c4a1652 |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 |
| File size | 5275648 bytes |
| File type | Win32 EXE |
| ファイル名 | EternalRocks.exe |
| 参考情報 | https://www.virustotal.com/ja/file/cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30/analysis/ |
| 参考情報 | https://www.hybrid-analysis.com/sample/cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30?environmentId=100 |
| 検体 | https://www.hybrid-analysis.com/sample/cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30?environmentId=100 |
(2)
| Sha256 | 3b4497c7f8c89bf22c984854ac7603573a53b95ed147e80c0f19e549e2b65693 |
| MD5 | 53f23e72664dc9efd4251ba1b120d932 |
| SHA1 | 5e033b70775429fb6a5c2f40435984526f3a4ca1 |
| ssdeep | 98304:SX/pvSmTsOmMpu5l/sB0seyAp/QszFjXEKZFbr0vKPMKznq:EBvpsOmX5ly0sbAtVXEKZF+sVq |
| authentihash | 66ae3fc472f511b525187101d461b74da392e6d9963950646b35c07852d2b85f |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 |
| File size | 5275648 bytes |
| File type | Win32 EXE |
| ファイル名 | EternalRocks.exe |
| 参考情報 | https://www.virustotal.com/ja/file/3b4497c7f8c89bf22c984854ac7603573a53b95ed147e80c0f19e549e2b65693/analysis/ |
| 参考情報 | https://www.hybrid-analysis.com/sample/3b4497c7f8c89bf22c984854ac7603573a53b95ed147e80c0f19e549e2b65693?environmentId=100 |
(3)
| Sha256 | a77c61e86bc69fdc909560bb7a0fa1dd61ee6c86afceb9ea17462a97e7114ab0 |
| MD5 | 198f27f5ab972bfd99e89802e40d6ba7 |
| SHA1 | e8b40f35af4d5bb24d73faa5a4babb86191b5310 |
| ssdeep | 98304:aE8msmmmnWH92McSBfvSG/hux95f1nsK0HYHHHAzoqu:aJd2M5BfJqf1n70toP |
| authentihash | dc825bffc7541711597c1f2e8a0d05e299a863e44f27c2e66660bc72dbbab26c |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 |
| File size | 5277184 bytes |
| File type | Win32 EXE |
| ファイル名 | EternalRocks.exe, taskhost.exe |
| 参考情報 | https://www.virustotal.com/ja/file/a77c61e86bc69fdc909560bb7a0fa1dd61ee6c86afceb9ea17462a97e7114ab0/analysis/ |
| 検体 | https://www.reverse.it/sample/a77c61e86bc69fdc909560bb7a0fa1dd61ee6c86afceb9ea17462a97e7114ab0?environmentId=100 |
(4)
| Sha256 | 70ec0e2b6f9ff88b54618a5f7fbd55b383cf62f8e7c3795c25e2f613bfddf45d |
| MD5 | 6fdbee99dc99a63ac6a5809450d55ad5 |
| SHA1 | d553d55d3a9d99453550c9493468db663e0af4ec |
| ssdeep | 98304:Y0NAYR+lMkf9ucI0BZJcvtPVJox5icT8CRbzq7VEPgX3mB43UsRxURhWgyR:Euc9DBZJcvJly8ofslOHWhR |
| authentihash | |
| imphash | |
| File size | 4359964 bytes |
| File type | ZIP |
| ファイル名 | |
| 参考情報 | https://www.virustotal.com/ja/file/70ec0e2b6f9ff88b54618a5f7fbd55b383cf62f8e7c3795c25e2f613bfddf45d/analysis/ |
| 検体 | https://www.reverse.it/sample/15292172a83f2e7f07114693ab92753ed32311dfba7d54fe36cc7229136874d9?environmentId=100 |
(5)
| Sha256 | e049d8f69ddee0c2d360c27b98fa9e61b7202bb0d3884dd3ca63f8aa288422dc |
| MD5 | 994bd0b23cce98b86e58218b9032ffab |
| SHA1 | b05f2d07d0af1184066f766bc78d1b680236c1b3 |
| ssdeep | 6144:I5ogkSVhfAJC+1CAbw8n2DU5fiJmokZFDldqJ1gh7s0XbfjxyPtfmepikB1+G2we:I5rk2hKt1Hbw/DuvldqJ1ghw0XbfjxyY |
| authentihash | 9f51c926d172563d17d797ebeb035ad01fb3f9e7b8f7cb9f28eff2ade338288e |
| imphash | 8ef751c540fdc6962ddc6799f35a907c |
| File size | 339968 bytes |
| File type | Win32 EXE |
| ファイル名 | |
| 参考情報 | https://www.virustotal.com/ja/file/e049d8f69ddee0c2d360c27b98fa9e61b7202bb0d3884dd3ca63f8aa288422dc/analysis/ |
| 参考情報 | https://www.hybrid-analysis.com/sample/e049d8f69ddee0c2d360c27b98fa9e61b7202bb0d3884dd3ca63f8aa288422dc?environmentId=100 |
| 検体 | https://www.hybrid-analysis.com/sample/e049d8f69ddee0c2d360c27b98fa9e61b7202bb0d3884dd3ca63f8aa288422dc?environmentId=100 |
(6)
| Sha256 | 1ee894c0b91f3b2f836288c22ebeab44798f222f17c255f557af2260b8c6a32d |
| MD5 | 76e94e525a2d1a350ff989d532239976 |
| SHA1 | 70181383eedd8e93e3ecf1c05238c928e267163d |
| ssdeep | 1536:3TNDdNSkM83X6/o4iXYW3qtssxGFVFZvoxO3My:3TNDdNSkt30JiXYW3qts0GFVvouMy |
| authentihash | ad507ae5b2f8a0b9ade01ee7199ddddf4e4f540f5ac4a09ba01ed276dbbc733d |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 |
| File size | 109056 bytes |
| File type | Win32 EXE |
| ファイル名 | svchost.exe |
| 参考情報 | https://www.virustotal.com/ja/file/1ee894c0b91f3b2f836288c22ebeab44798f222f17c255f557af2260b8c6a32d/analysis/ |
| 参考情報 | https://www.hybrid-analysis.com/sample/1ee894c0b91f3b2f836288c22ebeab44798f222f17c255f557af2260b8c6a32d?environmentId=100 |
