- THE CASE OF #OCJP-021 IS REOPENED / ← the case in question
- COMMENT ADDED: http://unixfreaxjp.blogspot.jp/2012/02/ocjp-021.html?showComment=1332761381445#c1890660745097712696
- MALWARE HAS REAPPEARED AT THE PREVIOUS URLs:
- hxxp://211.121.253.172/vct/set.rar 642ef29e0194075c830d0f2a418d8fce
- hxxp://211.121.253.172/vct/stL1.rar a200699ce01d73c61a1b9ccb9009d9c6
- hxxp://211.121.253.172/vct/vel19.rar 472c2c1ff132392bf8656a2b427e8f22
- hxxp://211.121.253.172/int/vel20.rar 09b3818d4480a486db78ef2bd34c7e38
- SOFTBANK TELECOM Corp.
- [Allocation] 211.121.0.0/16
- a. [Network Number] 211.121.192.0/18
- b. [Network Name] ODN
- g. [Organization] Open Data Network(JAPAN TELECOM CO.,LTD.)
- m. [Administrative Contact] JP00035900
- n. [Technical Contact] JP00035900
- p. [Nameserver] ns2.odn.ne.jp
- p. [Nameserver] ns4.odn.ne.jp
- WEB SERVER OF THE MALWARE (SIGNATURES MATCHED)
- Last-Modified: Mon, 26 Mar 2012 11:15:15 GMT
- Accept-Ranges: bytes
- Etag: W/"f653fbb741bcd1:2a8"
- Server: Microsoft-IIS/6.0
- Date: Mon, 26 Mar 2012 11:15:16 GMT
- PROOF:
- --19:51:08-- hxxp://211.121.253.172/int/vel20.rar
- => `vel20.rar'
- Connecting to 211.121.253.172:80... connected.
- hxxp request sent, awaiting response... 200 OK
- Length: 73,728 (72K) [application/octet-stream]
- 100%[====================================>] 73,728 337.48K/s
- 19:51:09 (336.93 KB/s) - `vel20.rar' saved [73728/73728]
- --19:51:32-- hxxp://211.121.253.172/vct/stL1.rar
- => `stL1.rar'
- Connecting to 211.121.253.172:80... connected.
- hxxp request sent, awaiting response... 200 OK
- Length: 249,856 (244K) [application/octet-stream]
- 100%[===================================> ] 249,856 740.11K/s
- 19:51:33 (738.00 KB/s) - `stL1.rar' saved [249856/249856]
- --19:51:42-- hxxp://211.121.253.172/vct/vel19.rar
- => `vel19.rar'
- Connecting to 211.121.253.172:80... connected.
- hxxp request sent, awaiting response... 200 OK
- Length: 73,728 (72K) [application/octet-stream]
- 100%[====================================>] 73,728 --.--K/s
- 19:51:42 (529.53 KB/s) - `vel19.rar' saved [73728/73728]
- --19:51:56-- hxxp://211.121.253.172/vct/set.rar
- => `set.rar'
- Connecting to 211.121.253.172:80... connected.
- hxxp request sent, awaiting response... 200 OK
- Length: 28,672 (28K) [application/octet-stream]
- 100%[====================================>] 28,672 --.--K/s
- 19:51:57 (299.76 KB/s) - `set.rar' saved [28672/28672]
- VIRUS TOTAL REPORT:
- https://www.virustotal.com/file/50cc09617912edf3a5077fb09fe540803e6c467a7bff6417bc41d02d60c39d76/analysis/1332759518/
- https://www.virustotal.com/file/5a8c16df19d7198b5c0ea2a36c90f34bc835202e6108afa8a49221cb598f9c4f/analysis/1332759446/
- https://www.virustotal.com/file/f8faf5656a27f6df63ad5b49cf4747ad3cb474fc1e94caf939b8b17133ec6595/analysis/1332759462/
- https://www.virustotal.com/file/f72556dadc6bc5ae4e4dd3911f94e1d012a3987e555aa4b55170c20f41184d95/analysis/1332759402/
- SOME QUICK ANALYSIS (investigation evidence ↓)
- payload: aho.exe
- MD5: 2aa259224e8ffa280d11ce2e19d9adb3
- SHA-1: 3007a22e0d049e8685db1303f36ee3b708e48ff4
- File Size: 20,480 Bytes
- Command Line: $shell= "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aho.exe"
- registry:
- Iprip
- SERVICE_AUTO_START
- %SystemRoot%\System32\svchost.exe -k netsvcs
- (SAME AS PREVIOUS REPORT..)
- Note: MD5 changes noted. Same size; traces of crypter tools.
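Added defender's check, not part of the original report: a PowerShell snippet that inspects a host for the persistence artefact listed above, a service named Iprip set to SERVICE_AUTO_START and hosted by "svchost.exe -k netsvcs". It assumes the standard registry locations for service configuration and the svchost group list, and PowerShell 4 or later for Get-FileHash.

```powershell
# Added triage check (not from the OCJP-021 report): look for the persistence
# artefact the report lists, a service named Iprip with Start=2
# (SERVICE_AUTO_START) whose ImagePath is "svchost.exe -k netsvcs".
# Run in an elevated PowerShell on the host under investigation.
# Assumptions: service name "Iprip" as reported; standard registry paths.
$svcName = 'Iprip'
$svcKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
$groups  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

if (-not (Test-Path $svcKey)) {
    Write-Output "No service named $svcName is registered."
    return
}

$svc = Get-ItemProperty -Path $svcKey
# Start = 2 is SERVICE_AUTO_START, the value shown in the report.
$autoStart = ($svc.Start -eq 2)
$hosted    = ($svc.ImagePath -match '(?i)svchost\.exe\s+-k\s+netsvcs')

# A service hosted by svchost loads its code from Parameters\ServiceDll,
# so that path (and its hash) is what identifies the implant, not the name.
$dll = $null
if (Test-Path "$svcKey\Parameters") {
    $dll = (Get-ItemProperty -Path "$svcKey\Parameters").ServiceDll
}

# Is the service listed in the netsvcs group that svchost will load?
$inGroup = ((Get-ItemProperty -Path $groups).netsvcs -contains $svcName)

Write-Output ("Start={0} (auto-start: {1})" -f $svc.Start, $autoStart)
Write-Output ("ImagePath={0} (svchost/netsvcs: {1})" -f $svc.ImagePath, $hosted)
Write-Output ("ServiceDll={0}" -f $dll)
Write-Output ("Listed in netsvcs group: {0}" -f $inGroup)

if ($autoStart -and $hosted) {
    Write-Output "MATCH: $svcName shows the persistence pattern from the report; review ServiceDll."
    if ($dll) {
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        # MD5 for comparison with the hashes in this and the previous report.
        Get-FileHash -Algorithm MD5 -LiteralPath $path
    }
}
```

On Windows XP / Server 2003 a legitimate RIP Listener service also uses the name Iprip (System32\iprip.dll), so the ServiceDll path and its hash, not the service name alone, decide whether the host is affected.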
- ----
- ZeroDay Japan http://0day.jp
- OPERATION CLEANUP JAPAN | #OCJP
- PIC: Hendrik ADRIAN, Malware Researcher / Twitter/ Google: @unixfreaxjp
- Malware Analysis Blog: http://unixfreaxjp.blogspot.jp/
- sponsored by: 株式会社ケイエルジェイテック http://www.kljtech.com