Some 90 IP addresses used in malware attacks from North Korea have been published.

Server administrators may find this useful as a reference.

Blocking access from these addresses is recommended.



US-CERT MAR-10135536-D (TLP:WHITE)

Packers
Name    Version    Entry Point
NA      NA

This artifact is a service DLL and contains the same authentication key string that is embedded in the file 5dd1ccc8fb2a5615bf5656721339efed. The two files have similar code functionality.

During runtime, the malware de-obfuscates its strings and APIs. It then attempts to load and decode the encoded configuration data stored in the following registry key, if that key has been installed:

--Begin key--
hKey = HKEY_LOCAL_MACHINE
Subkey = "SYSTEM\CurrentControlSet\Control\WMI\Security"
ValueName = "2d54931A-47A9-b749-8e23-311921741dcd"
ValueName = "c72a93f5-47e6-4a2a-b13e-6AFE0479cb01"
--End key--

The configuration data, and the file that stores it in the registry key, were not included in the submission. If the configuration data is installed, analysis indicates that the malware will connect to its C2s and listen for commands or access requests from a remote server. Sample strings used to perform these functions are displayed below:

--Begin strings of interest--
svchost.exe
services.exe
SYSTEM\CurrentControlSet\Control\WMI\Security
2d54931A-47A9-b749-8e23-311921741dcd
c72a93f5-47e6-4a2a-b13e-6AFE0479cb01
config_reg
HARDWARE\DESCRIPTION\System\CentralProcessor\0
ProcessorNameString
\\.\VBoxMiniRdrDN
SYSTEM
Avira
Kaspersk
ESET
360
AVG
COMODO
F-Secure
Trend Micro
Norton
Symantec Endpoint
McAfee
AVAST
AhnLab
ALYac
nProtect
NaverVaccine
SOFTWARE\VanDyke\SecureCRT
SOFTWARE\Config Path
SOFTWARE\Microsoft\Terminal Server Client\Servers
SOFTWARE\RealVNC
SOFTWARE\TightVNC
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ultravnc2_is1
SOFTWARE\Radmin
SOFTWARE\mRemote
SOFTWARE\mRemoteNG
SOFTWARE\TeamViewer
SOFTWARE\FileZilla Client
SOFTWARE\Classes\Remote Desktop Connection Groups
SOFTWARE\Symantec\pcAnywhere
Wireshark
TCPView
Network Monitor
Process Monitor
Registry Monitor
File system monitor
Disk Monitor
API Monitor
OllyDbg
Interactive Disassembler
Windows GUI symbolic debugger
PEiD
Autostart program viewer
Process Explorer
Winalysis
IceSword
PE Tools
Regshot
sysAnalyzer
WinSys
Process Hacker
Sigcheck
System Explorer
ProcDump
NTFS directory enumertion
Listdlls
cmd.exe /c netsh firewall add portopening TCP VboxHook.dll
cmd.exe /c netsh firewall add portopening TCP "adp"
cmd.exe /c
2>&1
--End strings of interest--

IPs

103.16.223.35
Ports
8080
Relationships
(I) 103.16.223.35 Related_To (P) 8080
(I) 103.16.223.35 Connected_From (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)

113.28.244.194
Ports
8080
Relationships
(I) 113.28.244.194 Related_To (P) 8080
(I) 113.28.244.194 Connected_From (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)

116.48.145.179
Ports
8080
Relationships
(I) 116.48.145.179 Related_To (P) 8080
(I) 116.48.145.179 Connected_From (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)

186.116.9.20
Ports
8000
Relationships
(I) 186.116.9.20 Related_To (P) 8000
(I) 186.116.9.20 Connected_From (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)

186.149.198.172
Ports
8080
Relationships
(I) 186.149.198.172 Related_To (P) 8080
(I) 186.149.198.172 Connected_From (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)

195.28.91.232
Ports
8088
Relationships
(I) 195.28.91.232 Related_To (P) 8088
(I) 195.28.91.232 Connected_From (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)

195.97.97.148
Ports
8080
Relationships
(I) 195.97.97.148 Related_To (P) 8080
(I) 195.97.97.148 Connected_From (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)

199.15.234.120
Ports
8080
Relationships
(I) 199.15.234.120 Related_To (P) 8080
(I) 199.15.234.120 Connected_From (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)

200.42.69.133
Ports
8080
Relationships
(I) 200.42.69.133 Related_To (P) 8080
(I) 200.42.69.133 Connected_From (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)

203.131.222.99
Ports
8080
Relationships
(I) 203.131.222.99 Related_To (P) 8080
(I) 203.131.222.99 Connected_From (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)

210.187.87.181
Ports
8080
Relationships
(I) 210.187.87.181 Related_To (P) 8080
(I) 210.187.87.181 Connected_From (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)

83.231.204.157
Ports
8088
Relationships
(I) 83.231.204.157 Related_To (P) 8088
(I) 83.231.204.157 Connected_From (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)

84.232.224.218
Ports
8088
Relationships
(I) 84.232.224.218 Related_To (P) 8088
(I) 84.232.224.218 Connected_From (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)

89.190.188.42
Ports
8080
Relationships
(I) 89.190.188.42 Related_To (P) 8080
(I) 89.190.188.42 Connected_From (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)

        

Relationship Summary

(F) 1ecd83ee7e4cfc8fed7ceb998e75b996 (1ecd8) Contains (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)
(F) 1ecd83ee7e4cfc8fed7ceb998e75b996 (1ecd8) Contains (F) 5dd1ccc8fb2a5615bf5656721339efed (5dd1c)
(F) 81180bf9c7b282c6b8411f8f315bc422 (81180) Contained_Within (F) 1ecd83ee7e4cfc8fed7ceb998e75b996 (1ecd8)
(F) 81180bf9c7b282c6b8411f8f315bc422 (81180) Connected_To (I) 103.16.223.35
(F) 81180bf9c7b282c6b8411f8f315bc422 (81180) Connected_To (I) 113.28.244.194
(F) 81180bf9c7b282c6b8411f8f315bc422 (81180) Connected_To (I) 116.48.145.179
(F) 81180bf9c7b282c6b8411f8f315bc422 (81180) Connected_To (I) 186.116.9.20
(F) 81180bf9c7b282c6b8411f8f315bc422 (81180) Connected_To (I) 186.149.198.172
(F) 81180bf9c7b282c6b8411f8f315bc422 (81180) Connected_To (I) 195.28.91.232
(F) 81180bf9c7b282c6b8411f8f315bc422 (81180) Connected_To (I) 195.97.97.148
(F) 81180bf9c7b282c6b8411f8f315bc422 (81180) Connected_To (I) 199.15.234.120
(F) 81180bf9c7b282c6b8411f8f315bc422 (81180) Connected_To (I) 200.42.69.133
(F) 81180bf9c7b282c6b8411f8f315bc422 (81180) Connected_To (I) 203.131.222.99
(F) 81180bf9c7b282c6b8411f8f315bc422 (81180) Connected_To (I) 210.187.87.181
(F) 81180bf9c7b282c6b8411f8f315bc422 (81180) Connected_To (I) 83.231.204.157
(F) 81180bf9c7b282c6b8411f8f315bc422 (81180) Connected_To (I) 84.232.224.218
(F) 81180bf9c7b282c6b8411f8f315bc422 (81180) Connected_To (I) 89.190.188.42
(I) 103.16.223.35 Related_To (P) 8080
(I) 103.16.223.35 Connected_From (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)
(I) 113.28.244.194 Related_To (P) 8080
(I) 113.28.244.194 Connected_From (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)
(I) 116.48.145.179 Related_To (P) 8080
(I) 116.48.145.179 Connected_From (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)
(I) 186.116.9.20 Related_To (P) 8000
(I) 186.116.9.20 Connected_From (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)
(I) 186.149.198.172 Related_To (P) 8080
(I) 186.149.198.172 Connected_From (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)
(I) 195.28.91.232 Related_To (P) 8088
(I) 195.28.91.232 Connected_From (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)
(I) 195.97.97.148 Related_To (P) 8080
(I) 195.97.97.148 Connected_From (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)
(I) 199.15.234.120 Related_To (P) 8080
(I) 199.15.234.120 Connected_From (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)
(I) 200.42.69.133 Related_To (P) 8080
(I) 200.42.69.133 Connected_From (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)
(I) 203.131.222.99 Related_To (P) 8080
(I) 203.131.222.99 Connected_From (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)
(I) 210.187.87.181 Related_To (P) 8080
(I) 210.187.87.181 Connected_From (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)
(I) 83.231.204.157 Related_To (P) 8088
(I) 83.231.204.157 Connected_From (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)
(I) 84.232.224.218 Related_To (P) 8088
(I) 84.232.224.218 Connected_From (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)
(I) 89.190.188.42 Related_To (P) 8080
(I) 89.190.188.42 Connected_From (F) 81180bf9c7b282c6b8411f8f315bc422 (81180)
(F) 5dd1ccc8fb2a5615bf5656721339efed (5dd1c) Contained_Within (F) 1ecd83ee7e4cfc8fed7ceb998e75b996 (1ecd8)
(F) 5dd1ccc8fb2a5615bf5656721339efed (5dd1c) Characterized_By (S) Screenshot_1.png
(F) 5dd1ccc8fb2a5615bf5656721339efed (5dd1c) Characterized_By (S) Screenshot_2.png
(S) Screenshot_1.png Characterizes (F) 5dd1ccc8fb2a5615bf5656721339efed (5dd1c)
(S) Screenshot_2.png Characterizes (F) 5dd1ccc8fb2a5615bf5656721339efed (5dd1c)
(P) 8080 Related_To (I) 103.16.223.35
(P) 8080 Related_To (I) 113.28.244.194
(P) 8080 Related_To (I) 116.48.145.179
(P) 8080 Related_To (I) 186.149.198.172
(P) 8080 Related_To (I) 195.97.97.148
(P) 8080 Related_To (I) 199.15.234.120
(P) 8080 Related_To (I) 200.42.69.133
(P) 8080 Related_To (I) 203.131.222.99
(P) 8080 Related_To (I) 210.187.87.181
(P) 8080 Related_To (I) 89.190.188.42
(P) 8000 Related_To (I) 186.116.9.20
(P) 8088 Related_To (I) 195.28.91.232
(P) 8088 Related_To (I) 83.231.204.157 

(P) 8088 Related_To (I) 84.232.224.218 

Mitigation Recommendations

US-CERT recommends monitoring activity to the following domain(s) and/or IP(s) as a potential indicator of infection: 103.16.223.35, 113.28.244.194, 116.48.145.179, 186.116.9.20, 186.149.198.172, 195.28.91.232, 195.97.97.148, 199.15.234.120, 200.42.69.133, 203.131.222.99, 210.187.87.181, 83.231.204.157, 84.232.224.218, 89.190.188.42
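One way to act on the monitoring recommendation above is to sweep connection logs for the report's indicator IPs and the C2 port the report associates with each. This is an added example, not code from the US-CERT report or the blog post; the log line format, the 10.0.0.0/8 monitored hosts and the sample lines are all constructed.

```python
"""Sweep connection logs for the C2 indicators listed in MAR-10135536-D."""
import re
from dataclasses import dataclass

# Indicator IP -> C2 port, taken from the report's per-IP sections.
C2_INDICATORS = {
    "103.16.223.35": 8080, "113.28.244.194": 8080, "116.48.145.179": 8080,
    "186.116.9.20": 8000, "186.149.198.172": 8080, "195.28.91.232": 8088,
    "195.97.97.148": 8080, "199.15.234.120": 8080, "200.42.69.133": 8080,
    "203.131.222.99": 8080, "210.187.87.181": 8080, "83.231.204.157": 8088,
    "84.232.224.218": 8088, "89.190.188.42": 8080,
}

# Constructed log format: "<timestamp> <src>:<sport> -> <dst>:<dport>"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    rf"^(?P<ts>\S+) (?P<src>{IPV4}):(?P<sport>\d+) -> (?P<dst>{IPV4}):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Hit:
    timestamp: str
    direction: str    # "outbound": dst is an indicator; "inbound": src is
    indicator: str
    remote_port: int  # port on the indicator side of the connection
    exact_port: bool  # remote_port equals the C2 port listed in the report


def scan(lines):
    """Return a Hit for every parseable line that touches an indicator IP.

    IP-only matches (exact_port False) are still reported: the listening port
    is a detail the operator can change, the address in the report is not.
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than abort the sweep
        if m["dst"] in C2_INDICATORS:
            ip, port, direction = m["dst"], int(m["dport"]), "outbound"
        elif m["src"] in C2_INDICATORS:
            ip, port, direction = m["src"], int(m["sport"]), "inbound"
        else:
            continue
        hits.append(Hit(m["ts"], direction, ip, port, C2_INDICATORS[ip] == port))
    return hits


SAMPLE_LOG = [  # constructed sample lines
    "2017-11-14T09:12:01Z 10.0.4.21:51022 -> 186.116.9.20:8000",   # exact C2 match
    "2017-11-14T09:12:07Z 10.0.4.21:51023 -> 198.51.100.7:443",    # benign
    "2017-11-14T09:13:40Z 195.28.91.232:40211 -> 10.0.4.21:8080",  # inbound from C2
    "2017-11-14T09:15:02Z 10.0.4.22:51100 -> 103.16.223.35:443",   # indicator, other port
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```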

US-CERT would like to remind users and administrators of the following best practices to strengthen the security posture of their organization's systems: 

Maintain up-to-date antivirus signatures and engines.
Restrict users' ability (permissions) to install and run unwanted software applications.
Enforce a strong password policy and implement regular password changes.
Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
Keep operating system patches up-to-date.
Enable a personal firewall on agency workstations.
Disable unnecessary services on agency workstations and servers.
Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
Monitor users' web browsing habits; restrict access to sites with unfavorable content.
Exercise caution when using removable media (e.g., USB thumbdrives, external drives, CDs, etc.).
Scan all software downloaded from the Internet prior to executing.
Maintain situational awareness of the latest threats; implement appropriate ACLs. 

Contact Information 

1-888-282-0870
soc@us-cert.gov (UNCLASS)
us-cert@dhs.sgov.gov (SIPRNET)
us-cert@dhs.ic.gov (JWICS)

US-CERT continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://forms.us-cert.gov/ncsd-feedback/ 

Document FAQ 


What is a MAR? A Malware Analysis Report (MAR) is intended to provide detailed code analysis and insight into specific tactics, techniques, and procedures (TTPs) observed in the malware. 

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the US-CERT Security Operations Center at 1-888-282-0870 or soc@us-cert.gov. 

Can I submit malware to US-CERT? Malware samples can be submitted via three methods. Contact us with any questions.
Web: https://malware.us-cert.gov
E-Mail: submit@malware.us-cert.gov
FTP: ftp.malware.us-cert.gov/malware (anonymous)

US-CERT encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on US-CERT's homepage at www.us-cert.gov. 

