Shikishima-kai faction, The Party to Protect the People from NHK

Shikishima-kai YouTube channel https://www.youtube.com/channel/UCeirWwT-PJRTvhUtI1UlwMQ

I went to an emergency life-saving course 20171125

Hosted by the Toshima Ward Emergency Services Liaison Council

"Let's try it, to protect precious lives"

CPR, AED use, triangular bandage use, and so on

Please support us in the blog rankings

Please subscribe to our YouTube channel

If the airway is blocked by food

The choking sign

Ask "Are you choking?" rather than "What's wrong?"

Press midway between the navel and the breastbone to push it out with the air in the lungs

* Not for someone who has fainted


Ventricular fibrillation: check whether the person is conscious

Shaking them sideways can injure the cervical spine, so tap the shoulder instead

Not breathing: start chest compressions


Practising chest compressions on a mannequin

A pace of about 120 per second

"30 compressions, then 2 rescue breaths" is no longer done

Infection risk, and if done badly it cannot be expected to work


Demonstration by paramedics

The mannequin was extremely creepy

Various differences from dogs

Sudden fracture, so immobilise with a triangular bandage

In most cases there is no triangular bandage; apparently pantyhose are used as a substitute, and various "pantyhose techniques" seem to have been developed
 

Request for support for Shikishima-kai

If you are willing, please support the association's operating costs, such as election bulletins and street speech rallies.

* For tax purposes, please treat it as a "political donation to a political organization".

Japan Post Bank 10130-84940451 (branch number 018, account number 84940451)
Account name: シキシマカイ (Shikishima-kai)
* If you are using an iPhone or other smartphone for the transfer, ignore the final 1 and try 10130-8494045 or 018-8494045.

Please subscribe to the Shikishima-kai YouTube channel

We have begun selling music under the artist name "Sarugeri"

We also sell original T-shirts

Kutsuzawa @ Shikishima-kai on Twitter; please follow if you like

Notice: We have begun selling music under the artist name "Sarugeri".

Amazon http://ur0.biz/D7z5

iTunes http://ur0.biz/D7zf

Listen here

http://sarugeri.blog.jp/archives/1065327382.html

Please support us in the blog rankings.


Nursery teachers can apparently spot a mother's affair 20171126

Testimony of a certain nursery teacher

A type of mother there are 3 to 4 of every year

Like clockwork:

・Frequently asks for extended childcare

・10 to 20 minutes late for pickup

・Makes a show of loving her child

Like clockwork:

・Pink lipstick

・Pink eyeshadow over a silver base

If these are present, it's guilty, confirmed

"Contact me on my mobile, don't call the house"

she insists firmly

Who are these mothers?

Answer: "pakorīnu" (slang for a woman who sleeps around)

They also make a show of being busy with work, but the nursery teacher says she can tell which mothers are genuinely busy

According to the nursery teacher, when someone is busy with work or caregiving:

・Their complexion gets worse

・They can't do full makeup

・Their clothes aren't perfect either

Testimony of a certain mother

"If a woman hasn't done it for about half a year, it shows on her face"

Of course, I have no clue about any of this

 



The trash media's habit of writing "kōtaishi" (imperial crown prince) for the heir of an imperial prince, a royal prince or a ducal prince alike is wrong 20171126

Sankei Shimbun got the word wrong

Wrote "kōtaishi" for the Saudi crown prince ("ōtaishi") four times

There is only one kōtaishi in the world

Imperial House Law, Article 8

"The imperial heir who is a son of the Emperor shall be called Kōtaishi"

Wikipedia

"In current reporting by the Japanese media, the terms 'ōtaishi' and 'taikō seishi' are not used even when the subject is the next king or next grand duke; 'kōtaishi' is used instead"

The entire trash media misuses it

Isn't this the trash media's disrespect toward the Imperial House, concealing that His Majesty the Emperor is the world's only emperor?


2,559 bridges nationwide under traffic restrictions

Because aging structures cannot be repaired due to fiscal difficulties

・Fix the bridges before doing ODA

・Rural bridges can just be scrapped

・What happened to the vehicle tax and gasoline tax?

・If there's no money, cut civil servants' pay

My view

I suspect low-traffic bridges other than those on important roads are being left alone

I oppose cutting civil servants' pay, because they would turn corrupt like the police in Russia or Thailand

The door to the civil service is open to anyone who works hard, and Japanese civil servants are paid less than the norm in other developed countries

In Japan, civil-servant bashing is the enemy's scheme

The same phenomenon has already occurred in the US

It is fated to occur 50 to 70 years after a period of high economic growth

With the population shrinking and home delivery available, giving up low-necessity bridges is one option

Theory of civilization: civilization is the history of the division of labour

Concentrate people in cities and put large-scale farms and factories in the regions


The South Korean government

granted amnesty to left-wing activists who obstructed the Jeju naval base construction,

the Miryang transmission tower installation,

the THAAD deployment, and so on

It's like pardoning the Kurusarindu unit

Just what you'd expect with a North Korean agent as the current president

From Moon's point of view they are fellow spies

In Japanese terms, it's as if the Social Democratic Party were the ruling party and Mizuho Fukushima became prime minister

Picking a fight with America

Will not join the missile defense system

Will not add more THAAD

Will not cooperate militarily with Japan

The "three noes" declaration is tantamount to scrapping the US-ROK alliance, but won't America punish them?


Watching Korea harp on comfort women at Japan, the Vietnamese have had a change of heart and want to bring the Lai Dai Han issue and civilian massacres to light

If that becomes known worldwide, it's bad for the US too

It bears responsibility as the user

It is also well aware that the self-proclaimed comfort women were actually prostitutes serving the US military

The Obama administration and the Korean government of the time pushed for the Japan-Korea agreement before things got out of hand

Koreans completely failed to notice Obama's and Park's intent

North Korean agent Moon became president and put Chinese and North Korean interests first

A Comfort Women Day and a law to prevent a repeat of the comfort-women agreement were enacted one after another


The United States is a multi-ethnic nation

Even the citizens of arch-enemy nations must unite as Americans

Arch-enemies such as Britain and France, Britain and Germany, France and Germany, the Netherlands and Indonesia must likewise serve the country as Americans

Ethnic groups baring their grudges and hating one another = the collapse of the US

The San Francisco comfort women statue, which discriminates against Japanese Americans and Japanese living in the US

That it got built is proof that the attribute of a multi-ethnic nation of multicultural coexistence, human rights and equality has collapsed

From now on the US will rapidly lose power and cease to be the hegemon it is today

We will no longer be able to rely on America




More than 90 IP addresses used for North Korean malware attacks identified; server administrators are advised to block them "Text version 2" 20171126

Some 90-odd IP addresses used in malware attacks from North Korea have been published.

Server administrators, please use this as a reference.

Blocking access from these addresses is recommended.

Image version / Text version 1


Packers (Name, Version, Entry Point)

NA

This artifact is a service DLL and contains the same authentication key string embedded in the file 5dd1ccc8fb2a5615bf5656721339efed. These files have similar code functionality. 

During runtime, the malware de-obfuscates its strings and APIs. It will attempt to load and decode the encoded configuration data stored in the following registry key, if that key is installed:

--Begin key--
hKey = HKEY_LOCAL_MACHINE
Subkey = "SYSTEM\CurrentControlSet\Control\WMI\Security"
ValueName = "2d54931A-47A9-b749-8e23-311921741dcd"
ValueName = "c72a93f5-47e6-4a2a-b13e-6AFE0479cb01"
--End key--

The configuration data and the file that stores the data in the registry key were not included in the submission. If the configuration data is installed, analysis indicates that the malware will connect to its C2s and listen for commands or access requests from a remote server. Displayed below are sample strings used to perform these functions:

--Begin strings of interest--
svchost.exe
services.exe
SYSTEM\CurrentControlSet\Control\WMI\Security
2d54931A-47A9-b749-8e23-311921741dcd
c72a93f5-47e6-4a2a-b13e-6AFE0479cb01
config_reg
HARDWARE\DESCRIPTION\System\CentralProcessor\0
ProcessorNameString
\\.\VBoxMiniRdrDN
SYSTEM
Avira
Kaspersk
ESET
360
AVG
COMODO
F-Secure
Trend Micro
Norton
Symantec Endpoint
McAfee
AVAST
AhnLab
ALYac
nProtect
NaverVaccine
SOFTWARE\VanDyke\SecureCRT
SOFTWARE\Config Path
SOFTWARE\Microsoft\Terminal Server Client\Servers
SOFTWARE\RealVNC
SOFTWARE\TightVNC
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ultravnc2_is1
SOFTWARE\Radmin
SOFTWARE\mRemote
SOFTWARE\mRemoteNG
SOFTWARE\TeamViewer
SOFTWARE\FileZilla Client
SOFTWARE\Classes\Remote Desktop Connection Groups
SOFTWARE\Symantec\pcAnywhere
Wireshark
TCPView
Network Monitor
Process Monitor
Registry Monitor
File system monitor
Disk Monitor
API Monitor
OllyDbg
Interactive Disassembler
Windows GUI symbolic debugger
PEiD
Autostart program viewer
Process Explorer
Winalysis
IceSword
PE Tools
Regshot
sysAnalyzer
WinSys
Process Hacker
Sigcheck
System Explorer
ProcDump
NTFS directory enumertion
Listdlls
cmd.exe /c netsh firewall add portopening TCP VboxHook.dll
cmd.exe /c netsh firewall add portopening TCP "adp"
cmd.exe /c
2>&1
--End strings of interest--

US-CERT MAR-10135536-D

12 of 18

TLP:WHITE


Mitigation Recommendations 

US-CERT recommends monitoring activity to the following domain(s) and/or IP(s) as a potential indicator of infection:

103.16.223.35 113.28.244.194 116.48.145.179 186.116.9.20 186.149.198.172 195.28.91.232 195.97.97.148 199.15.234.120 200.42.69.133 203.131.222.99 210.187.87.181 83.231.204.157 84.232.224.218 89.190.188.42

US-CERT would like to remind users and administrators of the following best practices to strengthen the security posture of their organization's systems: 

Maintain up-to-date antivirus signatures and engines.
Restrict users' ability (permissions) to install and run unwanted software applications.
Enforce a strong password policy and implement regular password changes.
Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
Keep operating system patches up-to-date.
Enable a personal firewall on agency workstations.
Disable unnecessary services on agency workstations and servers.
Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
Monitor users' web browsing habits; restrict access to sites with unfavorable content.
Exercise caution when using removable media (e.g., USB thumbdrives, external drives, CDs, etc.).
Scan all software downloaded from the Internet prior to executing.
Maintain situational awareness of the latest threats; implement appropriate ACLs. 

Contact Information 

Phone: 1-888-282-0870
E-mail: soc@us-cert.gov (UNCLASS), us-cert@dhs.sgov.gov (SIPRNET), us-cert@dhs.ic.gov (JWICS)

US-CERT continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://forms.us-cert.gov/ncsd-feedback/ 

Document FAQ 


What is a MAR? A Malware Analysis Report (MAR) is intended to provide detailed code analysis and insight into specific tactics, techniques, and procedures (TTPs) observed in the malware. 

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the US-CERT Security Operations Center at 1-888-282-0870 or soc@us-cert.gov. 

Can I submit malware to US-CERT? Malware samples can be submitted via three methods. Contact us with any questions.
Web: https://malware.us-cert.gov
E-Mail: submit@malware.us-cert.gov
FTP: ftp.malware.us-cert.gov/malware (anonymous)

US-CERT encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on US-CERT's homepage at www.us-cert.gov. 






More than 90 IP addresses used for North Korean malware attacks identified; server administrators are advised to block them "Text version 1" 20171126

Some 90-odd IP addresses used in malware attacks from North Korea have been published.

Server administrators, please use this as a reference.

Blocking access from these addresses is recommended.

Image version / Text version 2

Malware Analysis Report (MAR) - 10135536-D 2017-11-01 

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise. 

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp/.

Summary 

Description 

This submission included five unique files. These files include a malware dropper, two Remote Access Tools (RAT), and a Botnet controller. The RATs are capable of providing command and control capabilities over a victim system, including the ability to exfiltrate user files and execute secondary payloads. The Botnet controller listens for connections from bots. The RATs and Botnet utilize identical ciphers to encode/decode network traffic.

Notification

Files Processed: 6

143cb4f16dcfc16a02812718acd32c8f 1ecd83ee7e4cfc8fed7ceb998e75b996 35f9cfe5110471a82e330d904c97466a 5dd1ccc8fb2a5615bf5656721339efed 81180bf9c7b282c6b8411f8f315bc422 e3d03829cbec1a8cca56c6ae730ba9a8

IPs Identified: 14

103.16.223.35 113.28.244.194 116.48.145.179 186.116.9.20 186.149.198.172 195.28.91.232 195.97.97.148 199.15.234.120 200.42.69.133 203.131.222.99 210.187.87.181 83.231.204.157 84.232.224.218 89.190.188.42

Files

1ecd83ee7e4cfc8fed7ceb998e75b996

Details

Name: 1ecd83ee7e4cfc8fed7ceb998e75b996
Size: 131072
Type: PE32 executable (console) Intel 80386, for MS Windows
MD5: 1ecd83ee7e4cfc8fed7ceb998e75b996
SHA1: eddb7228e2f8b7a99c4c32a743504ed3c16b5ef3
ssdeep: 3072:Kn13mR+uvEuCBlMclG4te7DFQstzN29ZfyXZM5QVj+XZ4dC:KneZvrRclG4mF5qZfyO2AJWC
Entropy: 7.00782518905

Antivirus

McAfee: GenericR-GMA!1ECD83EE7E4C
K7: Riskware ( 0040eff71 )
Symantec: Trojan.Volgmer.B
VirusBlokAda: TrojanDropper.Agent
Zillya!: Dropper.Agent.Win32.182535
Microsoft Security Essentials: Backdoor:Win32/Joanap.I!dha
Avira: TR/Agent.131088
Ahnlab: Trojan/Win32.Ghost
NANOAV: Trojan.Win32.Agent.dpmfwf
Filseclab: TrojanDrop.Agent.pjjh.dvly
Vir.IT eXplorer: Trojan.Win32.Siggen6.BULS
Quick Heal: Backdoor.Joanap
Ikarus: Trojan-Dropper.Win32.Agent

PE Information

Compiled: 2014-06-11T11:38:06Z

PE Sections (Name, MD5, Raw Size, Entropy)

(header) b6214e428fa300398d713f342dd73720 4096 0.677312761147
.text ccee43451bf78c75c2a487a75245aed2 53248 6.41939123297
.rdata 921b3440b4b8a40600f0d733db4fdca8 12288 3.69760287752
.data 2211eee046bd996c987599e0cbe6e1cc 8192 5.00827779889
.rsrc e12b92a1aeeb53d25ac14b4be573e860 53248 7.99100438632

Packers (Name, Version, Entry Point)

Microsoft Visual C++ v6.0 NA NA

Relationships

(F) 1ecd83ee7e4cfc8fed7ceb998e75b996 (1ecd8) Contains (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)
(F) 1ecd83ee7e4cfc8fed7ceb998e75b996 (1ecd8) Contains (F) 5dd1ccc8fb2a5615bf5656721339efed (5dd1c)

Description

This artifact is a malicious PE32 executable designed to install a DLL (Ins.dll) and a configuration file (Config.cpl) onto the victim's system. When executed, the malware de-obfuscates its strings and APIs. 

This dropper malware contains the service DLL and configuration file in a password-protected ZIP archive embedded in its resource "MYRES." 

--Begin ZIP File--
Ins.dll ==> Service DLL
Config.cpl ==> Configuration File
--End ZIP File--

To decompress these files, the malware uses a hard-coded password "!1234567890 dghtdhtrhgfjnui$%^^&fdt." 

When the files are decompressed, Ins.dll is installed into "%system32%\appnettimgr.dll" as a service named "appnettimgr." appnettimgr is designed to modify its file created timestamp to match that of notepad.exe. The DLL file name is generated from the following hard-coded letters or words:

--Begin hard-coded words--
enum
mgr
mgmt
svc
ud
dc
win
vol
up
ti
sec
rm
q
o
p
net
m
l
k
i
h
g
f
ex
d
c
bg
app
--End hard-coded words--

The display name for the installed service is generated from the following hard-coded words: 

--Begin hard-coded words--
Application
Background
Control Desktop
Extension Function Group
Host Intelligent Key
Layer Multimedia Network Operation Portable Quality Remote Security TCP/IP
User Profile Volume Windows Device Update Service Management
Manager
Enumerator
Is an essential service for management of Windows System.
If the service is stopped or disabled, Windows will be able to damaged seriously.
--End hard-coded words--

During runtime, the DLL service is hosted and loaded by the host process SvcHost.exe. Displayed below are the properties of the created DLL service: 

--Begin service properties--
ServiceName = "appnettimgr"
DisplayName = "Application Network TCP/IP Manager"
StartType = SERVICE_AUTO_START
BinaryPathName = "%SystemRoot%\System32\svchost.exe -k LocalSystems"
--End service properties--

The malware checks if the following registry key is installed: 

--Begin registry key--
hKey = HKEY_LOCAL_MACHINE
Subkey = "SYSTEM\CurrentControlSet\Control\WMI\Security"
ValueName = "125463f3-2a9c-bdf0-d890-5a98b08d8898"
--End registry key--

If the registry key is not installed, the malware decompresses the configuration file (Config.cpl). The malware will XOR-encode the content of the configuration file and the generated file name of the service DLL. The encoded data is installed into the following registry key: 

--Begin registry key--
hKey = HKEY_LOCAL_MACHINE
Subkey = "SYSTEM\CurrentControlSet\Control\WMI\Security"
ValueName = "f0012345-2a9c-bdf8-345d-345d67b542a1"
ValueName = "125463f3-2a9c-bdf0-d890-5a98b08d8898"
--End registry key--

Analysis indicates that the encoded configuration file stored in the registry key is used by the malware component. After infecting the victim system, the malware creates and executes the batch file "%Temp%\pdm.bat" to delete itself. This file was not available for analysis.
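As an added example (not code from the US-CERT report), a triage heuristic for services installed the way this dropper installs them: the service/DLL base name must be a concatenation of the report's hard-coded fragments, the display name must use only its hard-coded words, and the host command must match the svchost line in the service properties. The service inventory is constructed; the scoring thresholds are this example's assumption.

```python
"""Triage heuristic for Volgmer-style service names (added example, not from the report).

The fragment list and display-word list are the ones the report prints; the
svchost line is the one from the report's service properties. The inventory
below is constructed: the report's service next to two ordinary ones.
"""
from typing import Dict, List, Optional, Tuple

NAME_FRAGMENTS = [
    "enum", "mgr", "mgmt", "svc", "ud", "dc", "win", "vol", "up", "ti", "sec",
    "rm", "q", "o", "p", "net", "m", "l", "k", "i", "h", "g", "f", "ex", "d",
    "c", "bg", "app",
]
DISPLAY_WORDS = {
    "Application", "Background", "Control", "Desktop", "Extension", "Function",
    "Group", "Host", "Intelligent", "Key", "Layer", "Multimedia", "Network",
    "Operation", "Portable", "Quality", "Remote", "Security", "TCP/IP", "User",
    "Profile", "Volume", "Windows", "Device", "Update", "Service", "Management",
    "Manager", "Enumerator",
}
# Exact host command line from the report's service properties.
OBSERVED_BINARY_PATH = "%SystemRoot%\\System32\\svchost.exe -k LocalSystems"

# Constructed inventory: (service name, display name, binary path).
SAMPLE_SERVICES: List[Tuple[str, str, str]] = [
    ("appnettimgr", "Application Network TCP/IP Manager", OBSERVED_BINARY_PATH),
    ("Spooler", "Print Spooler", "%SystemRoot%\\System32\\spoolsv.exe"),
    ("wuauserv", "Windows Update", "%SystemRoot%\\system32\\svchost.exe -k netsvcs"),
]


def segment_name(name: str) -> Optional[List[str]]:
    """Split name into the fewest fragments from NAME_FRAGMENTS, or None if impossible."""
    best: Dict[int, List[str]] = {0: []}  # prefix length -> shortest fragment list
    for end in range(1, len(name) + 1):
        for frag in NAME_FRAGMENTS:
            start = end - len(frag)
            if start in best and name[start:end] == frag:
                cand = best[start] + [frag]
                if end not in best or len(cand) < len(best[end]):
                    best[end] = cand
    return best.get(len(name))


def score_service(name: str, display: str, binary_path: str) -> List[str]:
    """Return the heuristics a service matches; each one alone is weak."""
    reasons: List[str] = []
    frags = segment_name(name.lower())
    if frags is not None:
        reasons.append("name builds from the fragment list: " + "+".join(frags))
    words = display.split()
    if words and all(w in DISPLAY_WORDS for w in words):
        reasons.append("display name uses only the hard-coded words")
    if binary_path.strip().lower() == OBSERVED_BINARY_PATH.lower():
        reasons.append("host command matches the observed svchost line")
    return reasons


def triage(services: List[Tuple[str, str, str]]) -> List[str]:
    """Names matching all three heuristics (assumed threshold for this example)."""
    return [n for n, d, b in services if len(score_service(n, d, b)) == 3]


if __name__ == "__main__":
    for n, d, b in SAMPLE_SERVICES:
        print(n, score_service(n, d, b))
    print("triage:", triage(SAMPLE_SERVICES))
```

"Windows Update" passes the display-name check on its own, which is why the example only reports a service when all three signals agree.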

81180bf9c7b282c6b8411f8f315bc422

Details

Name: 81180bf9c7b282c6b8411f8f315bc422
Size: 546
Type: data
MD5: 81180bf9c7b282c6b8411f8f315bc422
SHA1: c9b703cbc692977dfa0fe7b82768974f17dbf309
ssdeep: 3:3l/l/0P5BQCfqgFwylTDRv9tWpdYYg11MBMs5vY6Pw/l/lN:3tlMP5BQCigFwyFDlWzYn1FF6PQ/
Entropy: 1.69870551288

Antivirus

No matches found.

Relationships

(F) 81180bf9c7b282c6b8411f8f315bc422 (81180) Contained_Within (F) 1ecd83ee7e4cfc8fed7ceb998e75b996 (1ecd8)
(F) 81180bf9c7b282c6b8411f8f315bc422 (81180) Connected_To (I) 103.16.223.35, 113.28.244.194, 116.48.145.179, 186.116.9.20, 186.149.198.172, 195.28.91.232, 195.97.97.148, 199.15.234.120, 200.42.69.133, 203.131.222.99, 210.187.87.181, 83.231.204.157, 84.232.224.218, 89.190.188.42

Description

This artifact is the configuration file embedded in the dropper malware's (1ECD83EE) resource named "MYRES." The configuration data contains command and control (C2) IP addresses and port numbers. Displayed below is the content of the configuration data:

--Begin configuration data--
cgi_config
00 00 00 00 00 00 00 00
67 10 DF 23 90 1F 00 00 => IP 6710DF23 => 103.16.223.35, port 1F90 = 8080
71 1C F4 C2 90 1F 00 00 => IP 711CF4C2 => 113.28.244.194, port 1F90 = 8080
74 30 91 B3 90 1F 00 00 => IP 743091B3 => 116.48.145.179, port 1F90 = 8080
BA 74 09 14 40 1F 00 00 => IP BA740914 => 186.116.9.20, port 1F40 = 8000
BA 95 C6 AC 90 1F 00 00 => IP BA95C6AC => 186.149.198.172, port 1F90 = 8080
BA 43 47 61 90 1F 00 00 => IP BA434761 => 186.67.71.97, port 1F90 = 8080
C3 1C 5B E8 98 1F 00 00 => IP C31C5BE8 => 195.28.91.232, port 1F98 = 8088
C3 61 61 94 90 1F 00 00 => IP C3616194 => 195.97.97.148, port 1F90 = 8080
C7 0F EA 78 90 1F 00 00 => IP C70FEA78 => 199.15.234.120, port 1F90 = 8080
C8 2A 45 85 90 1F 00 00 => IP C82A4585 => 200.42.69.133, port 1F90 = 8080
CB 83 DE 63 90 1F 00 00 => IP CB83DE63 => 203.131.222.99, port 1F90 = 8080
D2 BB 57 B5 90 1F 00 00 => IP D2BB57B5 => 210.187.87.181, port 1F90 = 8080
53 E7 CC 9D 98 1F 00 00 => IP 53E7CC9D => 83.231.204.157, port 1F98 = 8088
54 E8 E0 DA 98 1F 00 00 => IP 54E8E0DA => 84.232.224.218, port 1F98 = 8088
59 BE BC 2A 90 1F 00 00 => IP 59BEBC2A => 89.190.188.42, port 1F90 = 8080
00 00 00 00 00 00
--End configuration data--
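As an added example (not code from the US-CERT report), a parser for the cgi_config table above. The record layout is read off the dump: a "cgi_config" tag, eight zero bytes, then 8-byte records of a 4-byte IPv4 address in network order, a 2-byte little-endian port and 2 zero bytes, ending at an all-zero record. The sample blob is constructed from four of the records above; the egress-rule formatter is this example's assumption about how a defender would consume the result.

```python
"""Parse the Volgmer 'cgi_config' C2 table (added example, not from the report).

Record layout assumed from the hex dump on the page:
  "cgi_config" tag, 8 zero bytes, then repeated
  [4-byte IPv4, network order][2-byte port, little-endian][2 zero bytes]
  terminated by an all-zero 8-byte record.
"""
import ipaddress
import struct
from typing import List, Tuple

# Constructed from four records of the dump above, plus the terminator.
SAMPLE_CONFIG = bytes.fromhex(
    "6367695f636f6e666967"  # "cgi_config"
    "0000000000000000"      # 8-byte zero header
    "6710df23901f0000"      # 103.16.223.35, port 0x1f90 = 8080
    "711cf4c2901f0000"      # 113.28.244.194, port 8080
    "ba740914401f0000"      # 186.116.9.20, port 0x1f40 = 8000
    "c31c5be8981f0000"      # 195.28.91.232, port 0x1f98 = 8088
    "0000000000000000"      # all-zero terminator
)

RECORD_SIZE = 8
TAG = b"cgi_config"


def parse_cgi_config(blob: bytes) -> List[Tuple[str, int]]:
    """Return the (ip, port) pairs stored in a cgi_config blob.

    Stops at the first all-zero record or at the end of the data, and skips
    records whose IP or port is zero so that a truncated or padded blob does
    not yield bogus indicators.
    """
    pos = blob.find(TAG)
    pos = pos + len(TAG) if pos >= 0 else 0
    if blob[pos:pos + 8] == bytes(8):
        pos += 8
    entries: List[Tuple[str, int]] = []
    while pos + RECORD_SIZE <= len(blob):
        rec = blob[pos:pos + RECORD_SIZE]
        pos += RECORD_SIZE
        if rec == bytes(RECORD_SIZE):
            break
        # '<4sH': 4 raw address bytes, then a little-endian 16-bit port.
        ip_raw, port = struct.unpack("<4sH", rec[:6])
        if ip_raw == bytes(4) or port == 0:
            continue
        entries.append((str(ipaddress.IPv4Address(ip_raw)), port))
    return entries


def egress_block_rules(entries: List[Tuple[str, int]]) -> List[str]:
    """Format parsed C2 entries as host-firewall drop rules (iptables syntax)."""
    return [
        f"iptables -A OUTPUT -p tcp -d {ip} --dport {port} -j DROP"
        for ip, port in entries
    ]


if __name__ == "__main__":
    for ip, port in parse_cgi_config(SAMPLE_CONFIG):
        print(f"{ip}:{port}")
    print("\n".join(egress_block_rules(parse_cgi_config(SAMPLE_CONFIG))))
```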

5dd1ccc8fb2a5615bf5656721339efed

Details

Name: 5dd1ccc8fb2a5615bf5656721339efed
Size: 110592
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 5dd1ccc8fb2a5615bf5656721339efed
SHA1: 1b247442e28d9d72cb0c1a6e7dfbcd092829ee6d
ssdeep: 1536:VWzaaYA98ReypyDfOyzrj5b6T9LN52GoDCKRRpyJutZTgMJ:gaS98ppkj5b0DBSCscJuthg
Entropy: 6.09092146887

Antivirus

nProtect: Backdoor/W32.Volgmer.110592
McAfee: RDN/Generic BackDoor
K7: Riskware ( 0040eff71 )
Symantec: Trojan.Volgmer
VirusBlokAda: Backdoor.Volgmer
Zillya!: Backdoor.Volgmer.Win32.1
Kaspersky: Backdoor.Win32.Volgmer.d
BitDefender: Trojan.GenericKD.2167403
Microsoft Security Essentials: Backdoor:Win32/Joanap.I!dha
TrendMicro House Call: BKDR_VOLGMER.W
TrendMicro: BKDR_VOLGMER.W
Emsisoft: Trojan.GenericKD.2167403 (B)
Avira: BDS/Volgmer.110592
Ahnlab: Trojan/Win32.Dl bot
NANOAV: Trojan.Win32.Volgmer.ehpxxz
Filseclab: Backdoor.Volgmer.d.sncb.dll
Ikarus: Backdoor.Win32.Volgmer
AVG: BackDoor.Generic19.ANUB

PE Information

Compiled: 2014-06-11T11:38:05Z

PE Sections (Name, MD5, Raw Size, Entropy)

(header) 8f4d22d26031119928449f856466da0a 4096 0.768313545404
.text 74a2bd172adaf6d5964d238371ba9f4e 73728 6.66081346755
.rdata 9f849d9f0bb48924b8f04e47a36b59c4 8192 3.69298868173
.data 07768f7af89f774cbeaa36bf80d68dd9 12288 5.07028751143
.rsrc 68fe7330ba22a7f4f9a4b7c2582a803a 4096 0.966835527753
.reloc 74c867b7fa902e50761d82dfe59ee255 8192 4.36591156691

Packers (Name, Version, Entry Point)

Microsoft Visual C++ 6.0 NA NA
Microsoft Visual C++ 6.0 DLL (Debug) NA NA

Relationships

(F) 5dd1ccc8fb2a5615bf5656721339efed (5dd1c) Contained_Within (F) 1ecd83ee7e4cfc8fed7ceb998e75b996 (1ecd8)
(F) 5dd1ccc8fb2a5615bf5656721339efed (5dd1c) Characterized_By (S) Screenshot_1.png
(F) 5dd1ccc8fb2a5615bf5656721339efed (5dd1c) Characterized_By (S) Screenshot_2.png

Description

This artifact is the service DLL embedded in the dropper malware's (1ECD83EE) resource named "MYRES" and during runtime it is decompressed and executed. This application has been identified as a fully functioning Remote Access Tool (RAT) designed to provide stealthy and persistent access to a compromised system. 

To execute this DLL, it must be called by its ServiceMain export. When called, the DLL will immediately attempt to unpack 1298 bytes of string data that is used during runtime. The algorithm displayed in Screenshot_1 will be utilized to decode these strings. This algorithm, a simple XOR cipher, will also be utilized to encode and decode traffic sent and received by this implant. The following hard-coded 16-byte key is utilized to decode the 1298 bytes of string data: 74615104773254458995125212023273 (hex encoded). Displayed below are the implant's decoded strings:

--Begin decoded strings--
svchost.exe
services.exe
SYSTEM\CurrentControlSet\Control\WMI\Security
125463f3-2a9c-bdf0-d890-5a98b08d8898
f0012345-2a9c-bdf8-345d-345d67b542a1
cgi_config
pdm.bat
HARDWARE\DESCRIPTION\System\CentralProcessor\0
ProcessorNameString
\\.\VBoxMiniRdrDN
SYSTEM
Avira
Kaspersky
ESET
360
AVG
COMODO
F-Secure
Trend Micro
Norton
Symantec Endpoint
McAfee
AVAST
AhnLab
ALYac
nProtect
NaverVaccine
SOFTWARE\VanDyke\SecureCRT
SOFTWARE\Config Path
SOFTWARE\Microsoft\Terminal Server Client\Servers
SOFTWARE\RealVNC
SOFTWARE\TightVNC
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ultravnc2_is1
SOFTWARE\Radmin
SOFTWARE\mRemote
SOFTWARE\mRemoteNG
SOFTWARE\TeamViewer
SOFTWARE\FileZilla Client
SOFTWARE\Classes\Remote Desktop Connection Groups
SOFTWARE\Symantec\pcAnywhere
Kernel32.dll
IsDebuggerPresent
CheckRemoteDebuggerPresent
ntdll.dll
NtQueryInformationProcess
GetNativeSystemInfo
GetProductInfo
Wireshark
TCPView
Network Monitor
Process Monitor
Registry Monitor
File system monitor
Disk Monitor
API Monitor
OllyDbg
Interactive Disassembler
Windows GUI symbolic debugger
PEiD
Autostart program viewer
Process Explorer
Winalysis
IceSword
PE Tools
Regshot
sysAnalyzer
WinSys
Process Hacker
Sigcheck
System Explorer
ProcDump
NTFS directory enumertion
Listdlls
cmd.exe /c netsh firewall add portopening TCP
--End decoded strings--
The malware attempts to read data from the following registry key: 

--Begin registry key--
SYSTEM\CurrentControlSet\Control\WMI\Security
125463f3-2a9c-bdf0-d890-5a98b08d8898
--End registry key--

If this registry key is found, the malware will attempt to decode its contents using the same algorithm used to decode the string data; the same 16-byte key is also used to decode the registry value's contents. Static analysis indicates this registry key is expected to contain IP addresses that the malware will use as C2 servers. The malware will not function without this registry key being present and containing properly encoded C2 servers. This analysis indicates a loader is required to configure the registry key with the proper configuration data.

If an IP address is found, the malware pieces together an HTTP-style header in a pseudo-random fashion from hard-coded "header pieces." The URL in the header is randomly generated; even though the header carries a randomly generated URL, the malware connects directly to one of its configured IP addresses. The hard-coded "header pieces" used to build the header sent to the C2 server include the following:

--Begin "Header Strings" used to form the malware header--
User-Agent: Mozillar/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/6.0)
User-Agent: Mozillar/5.0 (compatible; MSIE 8.0; Windows NT 6.2; Win64; x64; Trident/6.0)
User-Agent: Mozillar/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)
User-Agent: Mozillar/5.0 (compatible; MSIE 9.0; Windows NT 5.1; Win64; x32; Trident/5.0)
User-Agent: Mozillar/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Win64; x32; Trident/5.0)
User-Agent: Mozillar/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Win64; x32; Trident/5.0)
User-Agent: Mozillar/5.0 (compatible; MSIE 9.0; Windows NT 5.2; Win64; x32; Trident/5.0)
User-Agent: Mozillar/5.0 (compatible; MSIE 8.0; Windows NT 5.3; Win64; x32; Trident/5.0)
Accept-Encoding: gzip, compress
Accept-Encoding: gzip, compress, deflate
Accept-Encoding: deflate
Accept-Encoding: compress, deflate
Accept-Encoding: gzip, deflate
AMD32
AMD64
TP/1.0
TP/1.1
HEAD
POST
GET
--End "Header Strings" used to form the malware header--

Within our lab environment the malware generated the following header when attempting to communicate with one of its C2 servers:

--Begin Sample Request--
POST smygr.ico HTTP/1.1
Accept: */*
AMD64

Accept-Encoding: gzip, deflate
User-Agent: Mozillar/5.0 (compatible; MSIE 8.0; Windows NT 5.3; Win64; x32; Trident/5.0)
Host: www[.]uxcest.com
DNT: 1
Connection: Keep-Alive
--End Sample Request--

NOTE: "DNT: 1" appears in every request. The "Mozillar" string (for "Mozilla"), the non-existent "Windows NT 5.3", the contradictory "Win64; x32", the bare "AMD64" line and the request target without a leading slash are anomalies in the malware's header and are usable as detection features.
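The anomalies called out in the note above (the "Mozillar" token, the bare "AMD64" line, "Windows NT 5.3", "Win64; x32", the relative request target) make a simple request-header check worth having. The following Python is an added example written for this page, not tooling from the report: it parses one raw HTTP request and returns the anomaly tags it finds. Both request strings are constructed inline (the first reproduces the captured request with the "[.]" defanging removed and without the blank line after AMD64; the second is a benign request for comparison); the tag names and the set of real Windows NT version numbers are the example's own.

```python
"""Flag the Volgmer-style request-header anomalies described in the report.

Added example; not code from the report. Tag names and REAL_NT_VERSIONS are
this example's own choices."""
import re

# Constructed: the request captured in the lab, as one raw string.
VOLGMER_REQUEST = (
    "POST smygr.ico HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "AMD64\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozillar/5.0 (compatible; MSIE 8.0; Windows NT 5.3; Win64; x32; Trident/5.0)\r\n"
    "Host: www.uxcest.com\r\n"
    "DNT: 1\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)

# Constructed: a well-formed request from a real browser, for comparison.
BENIGN_REQUEST = (
    "GET /favicon.ico HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\r\n"
    "Accept: */*\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)

# Windows NT kernel versions that real user agents can legitimately carry.
REAL_NT_VERSIONS = {"5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"}


def parse_request(raw):
    """Split a raw request into (method, target, version, header_lines)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    return parts[0], parts[1], parts[2], lines[1:]


def volgmer_header_anomalies(raw):
    """Return the list of anomaly tags found in one raw HTTP request."""
    method, target, version, headers = parse_request(raw)
    tags = []
    # A request target that is not origin-form ("/path") is unusual for a browser.
    if not target.startswith("/"):
        tags.append("relative-request-target")
    ua = ""
    for line in headers:
        name, sep, value = line.partition(":")
        if not sep:
            # A header line with no colon at all, such as the bare "AMD64" piece.
            tags.append("bare-header-line:" + line.strip())
            continue
        if name.strip().lower() == "user-agent":
            ua = value.strip()
    if ua.startswith("Mozillar/"):
        tags.append("ua-mozillar")
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m and m.group(1) not in REAL_NT_VERSIONS:
        tags.append("ua-unknown-nt-version:" + m.group(1))
    if "Win64" in ua and "x32" in ua:
        tags.append("ua-win64-x32-contradiction")
    return tags


if __name__ == "__main__":
    for label, req in (("volgmer", VOLGMER_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, volgmer_header_anomalies(req))
```

Each tag on its own is a weak signal except the "Mozillar" token and the bare header line, which do not occur in real browsers; the other three rarely do, and a match on two or more of them against traffic to a bare IP address is the combination to alert on.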

If the malware is able to locate and decode this registry key, it sleeps for a randomly generated period of time; the algorithm displayed in Screenshot_2 determines the sleep interval.

After the sleep interval, the malware randomly chooses one of the IP addresses configured in the registry key and attempts to connect to it. The implant contains a hashing method that is used in the authentication process. Static analysis indicates this hashing algorithm combines SHA1 and RIPEMD to produce a 20-byte result from its input data. The method appears to be custom and unique to this malware.

US-CERT MAR-10135536-D 

7 of 18 


If the malware connects to one of its C2 servers, it generates a 16-byte random value and appends the four-byte value 0x26200000, giving 20 bytes. It hashes these 20 bytes to produce a 20-byte digest, and sends the original 16 bytes together with the 20-byte digest. The C2 server is expected to hash the 20-byte digest and send the result back to the implant; the implant computes the same second hash over its own digest and compares the two values. If they do not match, the malware terminates the C2 session. Because the hashing algorithm is custom, each side can confirm it is talking to a matching implementation. No secret key is involved, so this check holds only for as long as the algorithm itself is not reproduced.

The primary purpose of this malware is to provide Command and Control capabilities to an operator. The malware provides the following capabilities:
-Allow an operator to upload a secondary payload to the victim system (TEMP folder) and execute it using the cmd.exe process.
-Allow an operator to read, encode and transmit a file to the C2 server. The same algorithm used to decode the malware's string data, described above, is used to encode the file before it is exfiltrated.
-Allow an operator to update the configuration registry key used by the malware, so the C2 servers used by this implant can be changed dynamically.
-Allow an operator to upload additional payloads to the victim system and execute them using the Windows API CreateProcessW.
-Allow an operator to obtain information about the victim host using the APIs GetComputerNameW, GetSystemInfo and GetLocaleInfoW.

Screenshots: Screenshot_1.png, Screenshot_2.png (images not included)


Details

Name:    35f9cfe5110471a82e330d904c97466a
Size:    122880
Type:    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5:     35f9cfe5110471a82e330d904c97466a
SHA1:    1207d3bad08688a694b6152c57aacfe705914170
ssdeep:  1536:oCzyWbtrzz/9kIqTyDfOyzC0kETbzZuHjdWucoN+Txh9+9dhkHJBtPd8G:okXz5qTT0k4ZuH5i6I38dhWJBtPd8
Entropy: 5.88485432033

Antivirus

nProtect                      Trojan/W32.Agent.122880.CBW
McAfee                        RDN/Generic BackDoor
K7                            Riskware ( 0040eff71 )
Symantec                      Trojan.Volgmer
Zillya!                       Trojan.GenericKD.Win32.7276
Kaspersky                     Backdoor.Win32.Volgmer.b
BitDefender                   Trojan.GenericKD.3069267
Microsoft Security Essentials Backdoor:Win32/Joanap.I!dha
TrendMicro House Call         TROJ_VOLGMER.A
TrendMicro                    TROJ_VOLGMER.A
Emsisoft                      Trojan.GenericKD.3069267 (B)
Ahnlab                        Trojan/Win32.Agent
NANOAV                        Trojan.Win32.Volgmer.dnrknz
Ikarus                        Backdoor.Win32.Volgmer
AVG                           BackDoor.Generic19.VXF

PE Information

Compiled 2014-04-07T07:55:25Z

PE Sections

Name      MD5                               Raw Size  Entropy
(header)  e1d6628e550c3c99207d85828a6cd932  4096      0.767932225624
.text     eb005743ac215eb0f146227f3480e6e9  77824     6.69900771717
.rdata    a92c0e7aeced10cc835d04f072c44c5d  8192      3.83186894214
.data     c83f6ab61a65902e9b94f8fa0c93fa07  20480     3.35932719076
.rsrc     6e50576388df1a686f37bd49ea0542e4  4096      0.966835527753
.reloc    686c6badf362b2716ea522a2357991fd  8192      4.54454887721

Packers

Name                                  Version  Entry Point
Microsoft Visual C++ 6.0              NA       NA
Microsoft Visual C++ 6.0 DLL (Debug)  NA       NA

Description

Similar in design, functionality, and structure to the file 5dd1ccc8fb2a5615bf5656721339efed.

143cb4f16dcfc16a02812718acd32c8f

Details

Name:    143cb4f16dcfc16a02812718acd32c8f
Size:    107008
Type:    PE32 executable (DLL) (console) Intel 80386, for MS Windows
MD5:     143cb4f16dcfc16a02812718acd32c8f
SHA1:    f8397d940a204a2261dba2babd6e0718dd87574c
ssdeep:  1536:GvSjInlBLrYOyzlgZdQ0OTigNDFxu/7zS5o3tRShIYQtl5ye:GvSjIPrmgZdQ00NHoKUShctl5ye
Entropy: 5.74626869405

Antivirus

nProtect     Trojan/W32.Agent.107008.UB
Symantec     Trojan.Volgmer
Zillya!      Trojan.Agent.Win32.662648
Kaspersky    Trojan.Win32.Agent.iiet
BitDefender  Backdoor.Agent.ABTZ
Sophos       Troj/Agent-APLG
Emsisoft     Backdoor.Agent.ABTZ (B)
Avira        BDS/Agent.107008.26
Ahnlab       Trojan/Win32.Backdoor
NANOAV       Trojan.Win32.Agent.dzibpq
Ikarus       Trojan.Backdoor.Agent
AVG          BackDoor.Agent.BBGZ

PE Information

Compiled 2014-03-15T06:10:17Z

PE Sections

Name      MD5                               Raw Size  Entropy
(header)  e1b62318f465d0a1e7b5e98574456f62  4096      0.705581697936
.text     12c4003f6526b045c92e9fa4cf3da2f9  69632     6.61682172061
.rdata    6a0443b1df33fdb22fe2068751f9f007  8192      3.86224622312
.data     819f69a104b87fb32f61b9853df8a9be  16384     2.2520247571
.reloc    9a6eb9c39222d2a6358f6c2adeabcf87  8192      3.58204703661

Packers

Name                                  Version  Entry Point
Microsoft Visual C++ 6.0              NA       NA
Microsoft Visual C++ 6.0 DLL (Debug)  NA       NA

Description

This artifact is a malicious Windows 32-bit DLL that uses multiple configuration or data files that were not included in the submission.

Static analysis indicates its primary purpose is to function as a botnet controller: it listens for and accepts connections from bots. The listening port is defined in its configuration file.

During runtime the malware listens on the configured port for incoming connections. When a connection is initiated, it first accepts up to 500 bytes of data, which are discarded. It then accepts a block of up to 40 bytes; if the block received is not exactly 40 bytes, the controller terminates the connection with the incoming bot.

Next, the controller rehashes the hash value contained in the 40-byte block received from the bot and sends the result back to the bot.

Upon execution, the malware 143CB4F16DCFC16A02812718ACD32C8F attempts to read its configuration file, "swinrm.ini". It expects this encoded configuration file to be 880 bytes in size. The file was not included in the submission.
Static analysis indicates the malware decodes this configuration file using what appears to be the same cipher used by 5DD1CCC8FB2A5615BF5656721339EFED to decode its own configuration file and network traffic. The controller also uses this cipher to decode and encode the network traffic it receives from and sends to connected bots.
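The handshake described on the implant side above (16-byte nonce, the 0x26200000 tag, hash, and the controller's hash-of-the-hash reply) and on this controller side (discarded preamble, then a block that must be exactly 40 bytes) fit together as one exchange. The following Python models both sides as an added example; it is not code from the report or from the malware. Its assumptions: the proprietary SHA1/RIPEMD hash is replaced by plain SHA-1 as a stand-in with the same 20-byte output; the tag is appended in little-endian byte order; the 40-byte block the controller reads is taken to be nonce + tag + hash, which reconciles the "16 bytes and the 20-byte hash" wording with the 40-byte length; the decoy HTTP header is treated as the discarded preamble; and each send is delivered as one segment (TCP gives no such guarantee). The decoy header is constructed from the request captured in the lab.

```python
"""Model of the implant/controller authentication handshake.

Added example, not code from the report. SHA-1 stands in for the proprietary
hash; TAG byte order, the 40-byte block layout and one-send-one-segment
delivery are assumptions rather than facts from the report."""
import hashlib
import os
import struct

TAG = struct.pack("<I", 0x26200000)  # assumption: little-endian layout of the 32-bit value
PREAMBLE_MAX = 500                   # bytes the controller reads first and discards
BLOCK_LEN = 40                       # length the controller requires for the auth block
DIGEST_LEN = 20

# Constructed decoy header, modelled on the request captured in the report.
DECOY_HEADER = (
    b"POST smygr.ico HTTP/1.1\r\nAccept: */*\r\nAMD64\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"User-Agent: Mozillar/5.0 (compatible; MSIE 8.0; Windows NT 5.3; Win64; x32; Trident/5.0)\r\n"
    b"Host: www.uxcest.com\r\nDNT: 1\r\nConnection: Keep-Alive\r\n\r\n"
)


def custom_hash(data):
    """Stand-in for the implant's 20-byte proprietary hash (SHA1/RIPEMD mix, not reproduced)."""
    return hashlib.sha1(data).digest()


class Implant:
    """Bot side: builds the auth block and checks the controller's reply."""

    def __init__(self, nonce=None):
        self.nonce = os.urandom(16) if nonce is None else nonce
        if len(self.nonce) != 16:
            raise ValueError("nonce must be 16 bytes")
        # H1 = hash(nonce || TAG): 20 bytes in, 20 bytes out.
        self.h1 = custom_hash(self.nonce + TAG)

    def auth_block(self):
        # nonce(16) + TAG(4) + H1(20) = 40 bytes (assumed layout).
        return self.nonce + TAG + self.h1

    def verify_reply(self, reply):
        # The controller must have produced hash(H1); anything else ends the session.
        return reply == custom_hash(self.h1)


class Controller:
    """Controller side, fed the bot's sends as a list of byte segments."""

    def handle(self, segments):
        """Return the 20-byte reply, or None when the connection is dropped."""
        it = iter(segments)
        _preamble = next(it, b"")[:PREAMBLE_MAX]  # read and thrown away
        block = next(it, b"")
        if len(block) != BLOCK_LEN:
            return None
        received_h1 = block[-DIGEST_LEN:]
        return custom_hash(received_h1)


class RogueController(Controller):
    """A controller that does not know the hash function: answers with random bytes."""

    def handle(self, segments):
        reply = super().handle(segments)
        return None if reply is None else os.urandom(DIGEST_LEN)


def run_session(implant, controller, decoy=DECOY_HEADER):
    """Drive one handshake; True only when the implant accepts the controller's reply."""
    reply = controller.handle([decoy, implant.auth_block()])
    return reply is not None and implant.verify_reply(reply)


if __name__ == "__main__":
    bot = Implant()
    print("genuine controller:", run_session(bot, Controller()))       # True
    print("rogue controller:  ", run_session(bot, RogueController()))  # False
```

The rogue controller fails only because it lacks the hash function; there is no key in the exchange, so any party that recovers the algorithm from the binary can impersonate either side, which is also what makes emulating the controller for sinkholing straightforward once the hash has been reimplemented.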

e3d03829cbec1a8cca56c6ae730ba9a8

Details

Name:    e3d03829cbec1a8cca56c6ae730ba9a8
Size:    139264
Type:    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5:     e3d03829cbec1a8cca56c6ae730ba9a8
SHA1:    ae65ffcd83dab3fdafea3ff6915fce34e1307bce
ssdeep:  3072:+4V0+H9kt2K5aiV6CDDP+LQWOfsJEta8Ql:+35p6wP+X8Q
Entropy: 6.27885773112

Antivirus

nProtect                      Trojan/W32.Agent.139264.CBA
McAfee                        RDN/Generic BackDoor
K7                            Riskware ( 0040eff71 )
Symantec                      Trojan Horse
VirusBlokAda                  Backdoor.Agent
Zillya!                       Backdoor.Agent.Win32.58903
Kaspersky                     Backdoor.Win32.Agent.dojc
BitDefender                   Trojan.GenericKD.2604845
Microsoft Security Essentials Backdoor:Win32/Joanap.I!dha
TrendMicro House Call         BKDR_CMDSHELL.C
TrendMicro                    BKDR_CMDSHELL.C
Emsisoft                      Trojan.GenericKD.2604845 (B)
Avira                         BDS/Agent.KM
Ahnlab                        Trojan/Win32.Agent
ESET                          Win32/Agent.XYC trojan
NANOAV                        Trojan.Win32.Agent.dusvat
Quick Heal                    Backdoor.Joanap
Ikarus                        Backdoor.Win32.Agent
AVG                           Generic36.BTKP

PE Information

Compiled 2015-05-04T05:24:04Z

PE Sections

Name      MD5                               Raw Size  Entropy
(header)  0c73039cd8388fd8c45b8367398f2ce6  4096      0.703554962694
.text     a8b3c39fdf381c29d7e2a9f1a46ddfdd  94208     6.70321589416
.rdata    a7cf4e7d72c146b5abc2bfb31ad7ccfc  8192      3.70575875762
.data     762fc1698ef3b6b4577f8dc8872dcac5  24576     4.40193462948
.reloc    4911328ef1c6ec0210fa3b92fe556efe  8192      5.62835626046

Packers

Name                                  Version  Entry Point
Microsoft Visual C++ 6.0              NA       NA
Microsoft Visual C++ 6.0 DLL (Debug)  NA       NA
