TT Malware Log

A personal log of investigation and research on malware / cyberattacks / analysis techniques

Tick / Bronze Butler (Summary)

[Aliases]

Alias                  | Source
Tick                   | Symantec
Bronze Butler          | Dell Secureworks
NCPH                   | iDefense
RedBaldKnight          | Trendmicro
The Bald Knight Rises  | Kaspersky
Nian                   |


[Malware used]

Malware  | Aliases                                           | Note
XXMM     | KVNDM / Minzen / Murim / ShadowWali / Wali / Wrim | RAT
Daserf   | Muirim / Nioupale / Postbot                       | RAT
Datper   |                                                   | RAT
Hdoor    |                                                   | RAT
Netboy   | Domino / Invader                                  | RAT
Ninezero | 9002                                              | RAT
Wali     |                                                   | Downloader
Bisodown | Cpycat / HomamDownloader                          | Downloader, 2014/04
Gofarer  |                                                   | Downloader, 2015-2019


[Dictionary]

◆BRONZE BUTLER (MITRE)
https://attack.mitre.org/groups/G0060/

[News]

◆The latest on Chinese and Russian hackers (ITPro, 2008/01/07)
http://itpro.nikkeibp.co.jp/article/COLUMN/20071225/290187/?rt=nocnt
http://malware-log.hatenablog.com/entry/2008/01/07/000000

◆Detecting Daserf variants using Security Analytics (RSA, 2015/09/28)
https://community.rsa.com/community/products/netwitness/blog/2015/09/28/detecting-daserf-variants-using-security-analytics
http://malware-log.hatenablog.com/entry/2015/09/28/000000

◆Tick Cyber-Espionage Group Targets Japanese Companies with Daserf Backdoors (Softpedia, 2016/04/29)
http://news.softpedia.com/news/tick-cyber-espionage-group-targets-japanese-companies-with-daserf-backdoors-503555.shtml
http://malware-log.hatenablog.com/entry/2016/04/29/000000_1

◆TICK CYBERESPIONAGE GROUP ZEROS IN ON JAPAN (Information Security Newspaper, 2016/04/30)
http://www.securitynewspaper.com/2016/04/30/tick-cyberespionage-group-zeros-japan/
http://malware-log.hatenablog.com/entry/2016/04/30/000000

◆Cyber-espionage group "Tick", active covertly for 10 years, concentrates its attacks on specific Japanese technology, marine-engineering and media companies (Internet Watch, 2016/05/06 19:47)
http://internet.watch.impress.co.jp/docs/news/756214.html
http://malware-log.hatenablog.com/entry/2016/05/06/000000_1

◆LAC publishes "Attackers targeting Japan's critical infrastructure operators", a report on the realities of the "Daserf" malware (EnterpriseZine, 2016/08/02 15:00)
https://enterprisezine.jp/article/detail/8333
http://malware-log.hatenablog.com/entry/2016/08/02/000000

◆"Daserf", malware aimed at critical infrastructure, may lurk in targeted organizations for long periods (LAC) (NetSecurity, 2016/08/03)
http://scan.netsecurity.ne.jp/article/2016/08/03/38799.html
http://malware-log.hatenablog.com/entry/2016/08/03/000000_2

◆Detailed report published on "BRONZE BUTLER", a targeted-attack group with deep knowledge of Japan (SecureWorks) (NetSecurity, 2017/06/23)
https://scan.netsecurity.ne.jp/article/2017/06/26/39888.html
http://malware-log.hatenablog.com/entry/2017/06/23/000000

◆Tick threat group linked to multiple malware families (SCmedia, 2017/07/25)
https://www.scmagazine.com/tick-threat-group-linked-to-multiple-malware-families/article/677249/
http://malware-log.hatenablog.com/entry/2017/07/25/000000_7

◆Chinese cyber-espionage group targeting Japanese companies; intellectual property and product information compromised (ITmedia, 2017/10/16 08:45)
http://www.itmedia.co.jp/enterprise/articles/1710/16/news050.html
http://malware-log.hatenablog.com/entry/2017/10/16/000000_10

◆Beware of "BRONZE BUTLER", a cyber group targeting Japanese manufacturing and heavy industry (Mynavi News, 2017/10/17)
http://news.mynavi.jp/news/2017/10/17/127/
http://malware-log.hatenablog.com/entry/2017/10/17/000000_11

◆Mobile Wi-Fi routers had become a malware infection vector! The distinctive infection route of an "XXMM" variant aimed at Japan (Internet Watch, 2017/12/27)

Kaspersky explains the sophisticated attack techniques of the still-active "The Bald Knight Rises"

https://internet.watch.impress.co.jp/docs/news/1099223.html
http://malware-log.hatenablog.com/entry/2017/12/27/000000

◆Malware attack using secure USB drives targets Windows XP and 2003 (ZDNet, 2018/06/25 15:50)
https://japan.zdnet.com/article/35121409/
http://malware-log.hatenablog.com/entry/2018/06/25/000000

◆Attack group "Tick" continues exploiting vulnerabilities in asset-management software; targeted attacks as well (Security NEXT, 2019/02/22)
http://www.security-next.com/102741
http://malware-log.hatenablog.com/entry/2019/02/22/000000_1


[Blogs]

◆Tick cyberespionage group zeros in on Japan (Symantec, 2016/04/28)
https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan
http://malware-log.hatenablog.com/entry/2016/04/28/000000_4

◆Cyber-espionage group "Tick" has begun targeting Japan (Symantec, 2016/05/02)

Compromised websites and spear-phishing emails are used to infect targets with the Daserf Trojan

http://www.symantec.com/connect/ja/blogs/tick
http://malware-log.hatenablog.com/entry/2016/05/02/000000_1

◆APT Daserf (Jul Ismail, 2016/11/29)
APT Campaign Targets Japanese Critical Infrastructure
http://julismail.staff.telkomuniversity.ac.id/apt-daserf/
http://malware-log.hatenablog.com/entry/2016/11/29/000000

◆SHADOWWALI: NEW VARIANT OF THE XXMM FAMILY OF BACKDOORS (CyberReason, 2017/04/25)
https://www.cybereason.com/blog/labs-shadowwali-new-variant-of-the-xxmm-family-of-backdoors
http://malware-log.hatenablog.com/entry/2018/08/01/212111

◆Malware that evades detection with old tricks in the big-data era (Kaspersky, 2017/05/31)
https://blog.kaspersky.co.jp/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/15323/
http://malware-log.hatenablog.com/entry/2017/05/31/000000_5

◆BRONZE BUTLER Targets Japanese Enterprises (SecureWorks, 2017/10/12)
https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
http://malware-log.hatenablog.com/entry/2017/10/12/000000_6

◆REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography (Trendmicro, 2017/11/07 04:34)
http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/
http://malware-log.hatenablog.com/entry/2017/11/07/000000_3

◆"DASERF", the backdoor used by targeted-attack group "BRONZE BUTLER", now uses steganography (Trendmicro, 2017/11/14)
http://blog.trendmicro.co.jp/archives/16375
http://malware-log.hatenablog.com/entry/2017/11/14/000000_5

◆Tracking Tick Through Recent Campaigns Targeting East Asia (TALOS, 2018/10/18)
https://blog.talosintelligence.com/2018/10/tracking-tick-through-recent-campaigns.html
http://malware-log.hatenablog.com/entry/2018/10/18/000000_3

◆The realities of targeted attacks unfolding in both Japan and Korea (Ahnlab, 2018/04/04)
https://jp.ahnlab.com/site/securitycenter/securitycenterboard/securityInsightView.do
http://malware-log.hatenablog.com/entry/2019/04/04/000000_4


[Public information]

◆Network Crack Program Hacker Group(NCPH) (Wikipedia)
https://en.wikipedia.org/wiki/Network_Crack_Program_Hacker_Group
http://malware-log.hatenablog.com/entry/NCPH

◆The full picture of advanced cyberattacks targeting Japanese companies – BRONZE BUTLER (SecureWorks)
https://www.secureworks.jp/resources/rp-bronze-butler
http://malware-log.hatenablog.com/entry/2017/06/23/000000

◆“Tick” Group Continues Attacks (UNIT42(paloalto), 2017/07/24 18:00)
https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/
http://malware-log.hatenablog.com/entry/2017/07/24/000000_2

◆Continued sophisticated attacks by the "Tick" group on Japan and Korea: a social-engineering technique that, following Japanese business custom, asks the recipient to change the file extension (UNIT42 (Palo Alto), 2017/07/24 18:00)
https://www.paloaltonetworks.jp/company/in-the-news/2017/tick-continues-cyber-espionage-attacks
http://malware-log.hatenablog.com/entry/2017/07/24/000000_2

◆Detecting the Datper malware from proxy logs (2017-08-17) (JPCERT/CC, 2017/08/17)
https://www.jpcert.or.jp/magazine/acreport-datper.html
http://malware-log.hatenablog.com/entry/2017/08/17/000000_5

◆Attack activity by the Tick attack group targeting Japanese organizations (JPCERT/CC, 2019/02/19)
https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html
http://malware-log.hatenablog.com/entry/2019/02/19/000000_2


[Documents]

◆CYBER GRID VIEW Vol.2, PDF edition (LAC, 2016/08/02)
http://www.lac.co.jp/security/report/pdf/20160802_cgview_vol2_a001t.pdf
http://malware-log.hatenablog.com/entry/2016/08/02/000000

◆ISTR 22 (Symantec, 2017/04)
https://www.symantec.com/content/dam/symantec/docs/reports/istr-22-2017-en.pdf
http://malware-log.hatenablog.com/entry/2017/04/30/000000_1

◆The full picture of advanced cyberattacks targeting Japanese companies – BRONZE BUTLER (SecureWorks)
https://www.secureworks.jp/resources/rp-bronze-butler

◆REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography (Trendmicro, 2017/11/07)
https://documents.trendmicro.com/assets/appendix-redbaldknight-bronze-butler-daserf-backdoor-steganography.pdf
http://malware-log.hatenablog.com/entry/2017/11/07/000000_3

◆The realities of targeted attacks as seen by JPCERT/CC (久保啓司, 2017/11/28)
https://www.nic.ad.jp/ja/materials/iw/2017/proceedings/d1/d1-1-kubo.pdf
http://malware-log.hatenablog.com/entry/2017/11/28/000000_7

◆Analysis of the latest attack cases by the Tick group (Ahnlab, 2019/04/22)
https://jp.ahnlab.com/global/upload/download/asecreport/PressAhn_Vol64.pdf
https://malware-log.hatenablog.com/entry/2019/04/22/000000_5


[Figures]

(figure) (figure) (figure)
Source: https://internet.watch.impress.co.jp/docs/news/1099223.html

(figure) Evolution of the malware used by BRONZE BUTLER (source: Secureworks)
Source: http://www.itmedia.co.jp/enterprise/articles/1710/16/news050.html

(figure) Strings in the "[wali]" section
(figure) The file name "wali.exe"
Source: https://blog.kaspersky.co.jp/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/15323/

(figure)
Source: http://scan.netsecurity.ne.jp/article/img/2016/08/03/38799/20656.html

(figure)
Source: https://internet.watch.impress.co.jp/docs/news/756214.html

(figure) Infection chain found in recent attacks on Japan
(figure) Daserf infections by region
Source: https://www.symantec.com/connect/nl/blogs/tick?page=1

(figure)
Source: https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan

(figure)
Source: https://jp.ahnlab.com/site/securitycenter/securitycenterboard/securityInsightView.do


[Related summary articles]

Daserf (Summary)
http://malware-log.hatenablog.com/entry/Daserf

Datper (Summary)
http://malware-log.hatenablog.com/entry/Datper


[Indicators]

■Hashes (SHA256) - app.js -

f36db81d384e3c821b496c8faf35a61446635f38a57d04bde0b3dfd19b674587
f71a3a772f4316ab3c940f94aab3d52eabe7ee9da311b112a12eacfcadddb85e


■Hashes (SHA256) - node.exe -

ea9399e1f9eafaf6be6608f1401ebb84cf7444ffadabf0b80ba2c186cf7028fa


■Hashes (SHA256) - getProxy.exe -

c6cf0ad6d1e687b185407ee450a5b8e9a8ab60461f5c051251badb245df6245f


■Hashes (SHA256) - uninstaller.exe -

d1617e7ec278484920c05476eabf783d399d6c03e8d8ab69e2f1fcb6a76417b4


■Hashes (SHA256) - Datper -

■FQDN

www.rakutenline.com
menu.rakutenline.com
www.sa-guard.com
menu.sa-guard.com
www.han-game.com
menu.han-game.com
www.aromatictree.co.kr
rp.thumbbay.com
www.amamihanahana.com
www.kdcnet.co.kr


■IP addresses

211.233.81.242
110.45.203.133
61.106.60.47

■Hashes (SHA256)

795327de450e7f1e371a019a3d43673b60df4b7bf91138afa9ddc3913384f913 MSGet downloader
c043c28ea0d767055a8f8d4e94a9acdf62a81927b0ae63b8a9f16288f92cd093 MSGet downloader
4d7ce20a8d5bc05b7d4b1e147174f486033805260db1edbbc2516fced7558bcc MSGet downloader
1ca3b1b259681bca70956139d25a559ccd0b0c04d4f45f08fb954e569aabf9ae MSGet downloader
08e49c1d476aefb4c590cf135229d6da7981c7425e547d4f2877d79c1a1ab601 VBE downloader
6a63cb7089480fa76b784ca7043e147332768bccc39b84249af11f05b0dde66f VBE downloader
026f5c37f0d633ab27b83082dd0e818edbd80c27f86ba12b5cf32b425edb92d0 VBE downloader
21111136d523970e27833dd2db15d7c50803d8f6f4f377d4d9602ba9fbd355cd Daserf (Visual C)
15abe7b1355cd35375de6dde57608f6d3481755fdc9e71d2bfc7c7288db4cd92 Daserf (Visual C)
2bdb88fa24cffba240b60416835189c76a9920b6c3f6e09c3c4b171c2f57031c Daserf (Visual C)
85544d2bcaf8e6ca32bbc0a9e9583c9db1dce837043f555a7ff66363d5858439 Daserf (Visual C)
f8f31f73157bf049b318429c1d60ad7ff2851e62535d95cf8d121216b95c8602 Daserf (Visual C)
b1690facbce9bcc66ebf18f138dbbc10c3662a2034c211e0c414e47c7e208b4a Daserf (Visual C)
e620c9d19d7d1f609e0bb08465e4c58db97fd0158fb286d938542fc1f03a2302 Daserf (Visual C)
2dc24622c1e91642a21a64c0dd31cbe953e8f77bd3d6abcf2c4676c3b11bb162 Daserf (Visual C)
a4afd9df1b4cc014c3a89d7b4a560fa3e368b02286c42841762714b23e68cc05 Daserf (Visual C)
dab557bae0eb93475c2c2639f186fd717dd57d8d6354232838f44ba6b6a07172 Daserf (Visual C)
db6a6a4f675cba87405c9c7b016713d3e65b052ffc6c8963764a3d3788f432fa Daserf (Visual C)
4b8ca82e6f407792cfb51de881f06b86bd4b59f85746b29c3287aee0015b1683 Daserf (Visual C)
db8b494de8d897976288c8ccee707ff7b7967fb48caef99d75687584191c2411 Daserf (Visual C)
e2fd17445d81df89f7a9c1ff1c69c9b382215f597db5e4730f5c76557a6fd1f9 Daserf (Visual C)
0a031665d05e82038d620facf9d4a86a89e78544f2f770f579c980dae2e252bf Daserf (Visual C)
fa9a3341649e798bbc340ce9b2fe69791fe733aa9e46da666ce13b8cf7ca8f4d Daserf (Visual C)
f06b440052bd2c2eb127c33c35a80c4eca34a06360d3ee1bb37348d6029dc955 Daserf (Visual C)
2a39372dea901665ab9429d2f15b3f4fb10706423e177226539047ee1ac3e4a3 Daserf (Visual)
4e15392553ca8e7d06f9f592eb04cf6dbfed18c98c56afc0ccd132465b270e12 Daserf (Delphi)
89a80ca92600af64eb9c32cab4e936c7d675cf815424d72438973e2d6788ef64 Daserf (Delphi)
b1bd03cd12638f44d9ace271f65645e7f9b707f86e9bcf790e0e5a96b755556b Daserf (Delphi)
22e1965154bdb91dd281f0e86c8be96bf1f9a1e5fe93c60a1d30b79c0c0f0d43 Daserf (Delphi)
b1fdc6dc330e78a66757b77cc67a0e9931b777cd7af9f839911eecb74c04420a Daserf (Delphi)
67e32df3a460f005e7aec83b903f6d47d5533ff3843a97d186ad02316dff9fa9 Daserf (Delphi)
2c449b562dfce53cf98acaddf37286cfb2d1e9da1536511a08bbd24ed93624a6 Daserf (Delphi)
236848e301d71cab6e17a0503fb268f25412838eccb5fb17e78580d2d0a3a31d Daserf (Delphi)
b0966e89eae36a309d89a0c15c8a07677f58130fdc76bc98c16968376ec80626 Daserf (Delphi)
68e5013a8147e77e892dcd06687e5e815c3837fb83fbff16bac442c65b2f3e73 Daserf (Delphi)
e2f174f8368b46054e6ec2feec00b878b63e331ba3628374d584b238a95fd770 Daserf (Delphi)
7afb8082822bf3e55c6639ed2e272846c6be0e5c1fd40402b8b0f69e37402461 Daserf (Delphi)
630aa710bb7080143498d7fafbb152bbfe581bf690d9bfad041e4e285f152de2 Daserf (Delphi)
efa68fcbd455a72276062fb513b71547ea11fedf4db10a476cc6c9a2fa4f67f7 Datper
90ac1fb148ded4f46949a5fea4cd8c65d4ea9585046d66459328a5866f8198b2 Datper
331ac0965b50958db49b7794cc819b2945d7b5e5e919c185d83e997e205f107b Datper
12d9b4ec7f8ae42c67a6fd030efb027137dbe29e63f6f669eb932d0299fbe82f Datper
303b75a7c350d26116fe341d77105a33c8cb1da3dc82424c3eac401820e868dd Datper
340906b6b3a4149875dea37221843cb8b67c51eb4520b39956cb6761ef0a3c5d Datper
b3cc83978bbc4f5603e93ec8c687a7007a3f7dbfbae01bff0a30332b06ea44d9 Datper
18e896a7547aacb33aa3941ab1b61659ed099c0f6fbb924068f81b4289b05f12 xxmm
4d208c86c8331b7f1f6dd53f83af9ee4ec700a74792b419f663a3ce105d15d1c xxmm
28894a78bc00d6774d1242925787d35c5c2ae2563f5f7f1ff38dc0b441a15812 xxmm
747041d73b3eb29dde5c9e31efdd5e675f16f182c23999ed5613be0e9be12351 xxmm
15b4c1d29b41531b255e41d39d194a52bdc98a3b65a13771d8caf92372b324ce xxmm
ac501bb7e9e1bc57dd027d152f4a7c473f108e37023aae4bad64117241963b5c xxmm
7197de18bc5a4c854334ff979f3e4dafa16f43d7bf91edfe46f03e6cc88f7b73 xxmm
fe06b99a0287e2b2d9f7faffbda3a4b328ecc05eab56a3e730cfc99de803b192 xxmm
e94a7e835c657dd8a82dab5705db0ec279d1de97a3524f0e25e1e3d78f0561b8 xxmm
09df0591a885b8d16767820c9eac51a5dd8099a4b17a46bffe38b315a6e29d0b xxmm
7333f4601379d5877ec1416e4d82654d312210d5bcf4d628b98207a737bdb654 xxmm
425616f2958ba176662eb9bd66259fb38ca513b5831f0a07956b22839d915306 xxmm
46eae3931334468246c728a7e0ab3bbfafe40c9f73f80bf0544b8aa649227d60 xxmm
de18ebedc5b29d66244773dda80b22ecf2c453cdbeaa85149c4ff0e96bdc4478 xxmm downloader
70ef2e2fa3ac2c44a34963aca5dfe79e2b4f51795181374cca63bbf789f8a7f0 xxmm downloader
b11941e0510e02283e7732a72f853027ea9271a2d4dc87d736ae33275eab2806 xxmm downloader
bd81521445639aaa5e3bcb5ece94f73feda3a91880a34a01f92639f8640251d6 DGet
0fc1b4fdf0dc5373f98de8817da9380479606f775f5aa0b9b0e1a78d4b49e5f4 RarStar

Source for the above: https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses


■URL

hxxp://airsteel.co.jp/cgi-bin/search/02/06_cgi.php Datper C2 server
hxxp://gigasolar.jp/images/blog/20131011news-3.php Datper C2 server
hxxp://www.atnet-photo.com/japan/themes/default/themes.php Datper C2 server
hxxp://www.primeob.com/include/mpage/store.php Datper C2 server
hxxp://baby.ests.jp/Templates/themes.php Datper C2 server
hxxp://www.kamomeza.net/coppermine/images/thumb_dom.php xxmm C2 server
hxxp://noukankyo.org/images/about/soshikizu.php xxmm C2 server
hxxp://jmta.co.jp/module/Template/Plugin/Math.php xxmm C2 server
hxxp://i-frontierasia.com/shiryoku/link.php xxmm C2 server
hxxp://leadoffnet.com/img/top/top_12.php xxmm C2 server
hxxp://www.concierge.com.cn/public_html/wp-content/themes/comment.php xxmm C2 server
hxxp://www.wco-kyousai.com/ex-engine/themes/xe_default/conf/info.php xxmm C2 server
hxxp://angelbaby.jpn.cm/html/images/deleteComments.php xxmm C2 server
hxxp://www.infomiracle.info/TwitterQuest/image/ser.dat Used by BRONZE BUTLER to host tools
hxxp://160.16.243.147/images/CUI.jpg Used by BRONZE BUTLER to host tools
hxxp://160.16.243.147/images/ns.jpg Used by BRONZE BUTLER to host tools
hxxp://oan.jp/photo/logo_new.jpg Used by BRONZE BUTLER to host tools
hxxp://oan.jp/photo/logo_old.jpg Used by BRONZE BUTLER to host tools
hxxp://s-city.net/sport/pic1612.jpg Used by BRONZE BUTLER to host tools
hxxp://sha-sigma.com/led/aa.dat Used by BRONZE BUTLER to host tools
hxxp://www.s-city.net/images/beach6.jpg Used by BRONZE BUTLER to host tools
hxxp://www.stylmartin.co.jp/bdflashinfo/ns12.jpg Used by BRONZE BUTLER to host tools
hxxp://www.stylmartin.co.jp/bdflashinfo/pageicons/6.jpg Used by BRONZE BUTLER to host tools
hxxp://www.slvcx.com/t.rar Used by BRONZE BUTLER to host tools
hxxp://www.sinwa-jp.com/works/logo-unix.php BRONZE BUTLER exfiltration point
hxxp://www.baiya.jp/2014dressnumber/images/logo-unix.php BRONZE BUTLER exfiltration point

Source for the above: https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses


■IP addresses

115.144.166.240 Daserf (Delphi) C2 server
203.111.252.40 Daserf (Delphi) C2 server
27.255.69.209 Daserf (Delphi) C2 server
27.255.91.238 Daserf (Delphi) C2 server
106.184.5.30 Daserf (Delphi) C2 server

Source for the above: https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses


■Hashes (SHA256) -- Datper (LZNT1) --

  • efa68fcbd455a72276062fb513b71547ea11fedf4db10a476cc6c9a2fa4f67f7
  • 12d9b4ec7f8ae42c67a6fd030efb027137dbe29e63f6f669eb932d0299fbe82f
  • 331ac0965b50958db49b7794cc819b2945d7b5e5e919c185d83e997e205f107b
  • 90ac1fb148ded4f46949a5fea4cd8c65d4ea9585046d66459328a5866f8198b2
  • 2384e8ad8eee6db1e69b3ee7b6b3d01ae09f99a86901a0a87fb2788c1115090c
  • 7d70d659c421b50604ce3e0a1bf423ab7e54b9df361360933bac3bb852a31849


■Hashes (SHA256) -- Datper (LZRW1/KH) --

  • 7bc042b9a599e1024a668b9921e2a42a02545429cf446d5b3d21f20185afa6ce
  • 1e511c32cdf8abe23d8ba7c39da5ce7fc6c87fdb551c9fc3265ee22ac4076e27
  • 2f6745ccebf8e1d9e3e5284a895206bbb4347cf7daa2371652423aa9b94dfd3d


■Hashes (SHA256)


□Daserf

  • 04080fbab754dbf0c7529f8bbe661afef9c2cba74e3797428538ed5c243d705a
  • f8458a0711653071bf59a3153293771a6fb5d1de9af7ea814de58f473cba9d06
  • e8edde4519763bb6669ba99e33b4803a7655805b8c3475b49af0a49913577e51
  • 21111136d523970e27833dd2db15d7c50803d8f6f4f377d4d9602ba9fbd355cd
  • 9c7a34390e92d4551c26a3feb5b181757b3309995acd1f92e0f63f888aa89423


□Invader

  • 0df20ccd074b722d5fe1358b329c7bdebcd7e3902a1ca4ca8d5a98cc5ce4c287
  • e9574627349aeb7dd7f5b9f9c5ede7faa06511d7fdf98804526ca1b2e7ce127e
  • 57e1d3122e6dc88d9eb2989f081de88a0e6864e767281d509ff58834928895fb

□9002

  • 933d66b43b3ce9a572ee3127b255b4baf69d6fdd7cb24da609b52ee277baa76e
  • 2bec20540d200758a223a7e8f7b2f98cd4949e106c1907d3f194216208c5b2fe
  • 055fe8002de293401852310ae76cb730c570f2037c3c832a52a79b70e2cb7831

□Minzen

  • 797d9c00022eaa2f86ddc9374f60d7ad92128ca07204b3e2fe791c08da9ce2b1
  • 9374040a9e2f47f7037edaac19f21ff1ef6a999ff98c306504f89a37196074a2
  • 26727d139b593486237b975e7bdf93a8148c52d5fb48d5fe540a634a16a6ba82


□NamelessHdoor

  • dfc8a6da93481e9dab767c8b42e2ffbcd08fb813123c91b723a6e6d70196636f


□Gh0stRAt Downloader

  • ce47e7827da145823a6f2b755975d1d2f5eda045b4c542c9b9d05544f3a9b974
  • e34f4a9c598ad3bb243cb39969fb9509427ff9c08e63e8811ad26b72af046f0c


□Custom Gh0st

  • 8e5a0a5f733f62712b840e7f5051a2bd68508ea207e582a190c8947a06e26f40


□Datper

  • 7d70d659c421b50604ce3e0a1bf423ab7e54b9df361360933bac3bb852a31849


□HomamDownloader

  • a624d2cd6dee3b6150df3ca61ee0f992e2d6b08b3107f5b00f8bf8bcfe07ebe7


■Hashes (SHA256)

9b5874a19bf112832d8e7fd1a57a2dda180ed50aa4f61126aa1b7b692e6a6665 wali dropper
da05667cd1d55fa166ae7bd95335bd080fba7b53c62b0fff248ce25c59ede54a wali dropper
10fca84ae22351356ead529944f85ef5d68de38024d4c5f6058468eb399cbc30 wali dropper
1f73d3a566ab7274b3248659144f1d092c8a5fc281f69aa71b7e459b72eb6db2 wali loader + overlay
24835916af9b1f77ad52ab62220314feea91d976fdacad6c942468e20c0d9ca1 wali loader + overlay
303c9fabf6cff78414cebee9873040aeb9dcf6d69962bd9e0bbe1a656376ed16 wali loader + overlay
3ffd5d3579bddbfd7136a6969c03673284b1c862129cfafe7a40beea1f56e790 wali loader + overlay
803a5a920684a5ab1013cb73bf8581045820f9fc8130407b8f81475d91ff7704 wali loader + overlay
d2126d012de7c958b1969b875876ac84871271e8466136ffd14245e0442b6fac wali loader + overlay
d7b661754cae77aa3e77c270974a3fd6bda7548d97609ac174a9ca38ee802596 wali loader + overlay
dc5e8c6488f7d6f4dcfac64f8f0755eb8582df506730a1ced03b7308587cdc41 wali loader + overlay
f4a07e6dcb49cb1d819c63f17a8250f6260a944e6e9a59e822e6118fb1213031 wali loader + overlay
ffd45bde777b112206b698947d9d9635e626d0245eb4cfc1a9365edc36614cbe wali loader + overlay
a24759369d794f1e2414749c5c11ca9099a094637b6d0b7dbde557b2357c9fcd wali loader
b55b40c537ca859590433cbe62ade84276f3f90a037d408d5ec54e8a63c4ab31 wali loader
c48a2077e7d0b447abddebe5e9f7ae9f715d190603f6c35683fff31972cf04a8 wali loader
725dedcd1653f0d11f502fe8fdf93d712682f77b2a0abe1962928c5333e58cae wali loader
cfcbe396dc19cb9477d840e8ad4de511ddadda267e039648693e7173b20286b1 wali loader


■URL

  • hxxp://******essel.com/mt/php/tmpl/missing.php
  • hxxp://******essel.com/mt/mt-static/images/comment/s.php
  • hxxp://******hi.com/da******/hinshu/ki******/ki******.php
  • hxxp://******an.jp/_module/menu/menug/index.php
  • hxxp://******etop.co.jp/includes/firebug/index.php
  • hxxp://******etop.co.jp/phpmyadmin/themes/pmahomme/sprites.html
  • hxxp://******usai.com/ex-engine/modules/comment/queries/deleteComment.php
  • hxxp://******1cs.net/zy/images/patterns/preview/deleteComments.php
  • hxxp://******1cs.net/zy/images/colorpicker/s.php


■File names

  • srvhost.exe
  • propsyse.exe
  • perfcore.exe
  • oldb32.exe
  • oledb32.exe
  • javaup.exe

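The indicator lists above are raw data. What follows is an added example, written for this log and not code from the blog or from SecureWorks, JPCERT/CC or Kaspersky, showing how a subset of those indicators can be turned into a matcher of the kind JPCERT/CC's "Detecting Datper from proxy logs" note describes. It refangs the hxxp:// C2 URLs, indexes them by host and path so that scheme, port and query string do not matter, and runs them together with a few of the FQDN, IP and SHA256 indicators over proxy-log lines and a file-hash inventory. The Squid-style log layout, client addresses, timestamps, workstation names and file paths are all constructed for the example; only the indicators themselves come from the lists above.

```python
"""
IOC matcher for the Tick / BRONZE BUTLER indicators listed on this page.
Added example, not code from the blog or the cited vendors.
The proxy-log lines and the file-hash inventory at the bottom are constructed.
"""
import re
from urllib.parse import urlsplit

# Subset of the indicators from the page (SecureWorks / JPCERT/CC lists above).
RAW_URL_IOCS = {
    "hxxp://airsteel.co.jp/cgi-bin/search/02/06_cgi.php": "Datper C2",
    "hxxp://gigasolar.jp/images/blog/20131011news-3.php": "Datper C2",
    "hxxp://www.kamomeza.net/coppermine/images/thumb_dom.php": "xxmm C2",
    "hxxp://www.sinwa-jp.com/works/logo-unix.php": "BRONZE BUTLER exfiltration",
}
FQDN_IOCS = {"www.rakutenline.com", "menu.rakutenline.com", "rp.thumbbay.com"}
IP_IOCS = {"115.144.166.240", "27.255.69.209", "211.233.81.242"}
SHA256_IOCS = {
    "efa68fcbd455a72276062fb513b71547ea11fedf4db10a476cc6c9a2fa4f67f7": "Datper",
    "18e896a7547aacb33aa3941ab1b61659ed099c0f6fbb924068f81b4289b05f12": "xxmm",
    "ea9399e1f9eafaf6be6608f1401ebb84cf7444ffadabf0b80ba2c186cf7028fa": "node.exe (Tick)",
}


def refang(ioc: str) -> str:
    """Undo the usual defanging (hxxp, [.]) so the indicator parses as a URL."""
    return ioc.replace("hxxp", "http", 1).replace("[.]", ".")


def build_url_index(raw: dict) -> dict:
    """Key C2 URLs by (host, path). Scheme, port and query string are dropped,
    so a POST with extra parameters still matches the listed C2 path."""
    index = {}
    for ioc, label in raw.items():
        parts = urlsplit(refang(ioc))
        index[(parts.hostname.lower(), parts.path)] = label
    return index


URL_INDEX = build_url_index(RAW_URL_IOCS)

# Squid-style access.log (layout assumed for the example):
#   ts elapsed client code/status bytes method url user hierarchy type
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def scan_proxy_log(lines):
    """Return (client, kind, label) for each log line that hits an indicator.
    A full URL match takes precedence over a bare host or IP match."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        # CONNECT lines carry "host:port" with no scheme; give urlsplit one.
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = (parts.hostname or "").lower()
        key = (host, parts.path)
        if key in URL_INDEX:
            hits.append((m.group("client"), "url", URL_INDEX[key]))
        elif host in FQDN_IOCS:
            hits.append((m.group("client"), "fqdn", host))
        elif host in IP_IOCS:
            hits.append((m.group("client"), "ip", host))
    return hits


def scan_hash_inventory(entries):
    """entries: (hostname, path, sha256) tuples from an EDR or file inventory.
    Comparison is case-insensitive, since tools disagree on hash casing."""
    return [(h, p, SHA256_IOCS[s.lower()]) for h, p, s in entries if s.lower() in SHA256_IOCS]


# Constructed sample data: clients, timestamps, hosts and paths are made up.
SAMPLE_LOG = [
    "1550000001.123 245 10.1.2.3 TCP_MISS/200 1532 POST http://airsteel.co.jp/cgi-bin/search/02/06_cgi.php - HIER_DIRECT/203.0.113.10 text/html",
    "1550000002.456 12 10.1.2.4 TCP_MISS/200 812 GET http://www.example.com/index.html - HIER_DIRECT/203.0.113.11 text/html",
    "1550000003.789 98 10.1.2.5 TCP_MISS/200 3021 GET http://menu.rakutenline.com/ - HIER_DIRECT/203.0.113.12 text/html",
    "1550000004.000 55 10.1.2.6 TCP_MISS/200 402 GET http://www.sinwa-jp.com/works/logo-unix.php?x=1 - HIER_DIRECT/203.0.113.13 text/html",
    "1550000005.000 55 10.1.2.7 TCP_TUNNEL/200 402 CONNECT 27.255.69.209:443 - HIER_DIRECT/27.255.69.209 -",
]
SAMPLE_INVENTORY = [
    ("ws-017", r"C:\Users\Public\srvhost.exe",
     "EFA68FCBD455A72276062FB513B71547EA11FEDF4DB10A476CC6C9A2FA4F67F7"),
    ("ws-018", r"C:\Windows\System32\notepad.exe", "0" * 64),
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("proxy hit:", hit)
    for hit in scan_hash_inventory(SAMPLE_INVENTORY):
        print("hash hit:", hit)
```

Matching on (host, path) rather than on the full string is deliberate: the listed C2 URLs are all PHP paths on compromised legitimate sites, so traffic to the same site's other pages is not an indicator, while the same path reached with a query string or over a non-standard port still is. The FQDN and IP lists are only consulted when no URL indicator matched, which keeps the more specific label on the hit.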
Copyright (C) 谷川哲司 (Tetsuji Tanigawa) 1997 - 2019