The Return of the CHINESE TROJANS SET in ODN Softbank N/W

1. THE CASE OF #OCJP-021 IS REOPEN / ←本件のケース
2. COMMENT ADDED: http://unixfreaxjp.blogspot.jp/2012/02/ocjp-021.html?showComment=1332761381445#c1890660745097712696
3.  
4. MALWARE IS REAPPREARED IN THE PREVIOUS URL:
5. hxxp://211.121.253.172/vct/set.rar 642ef29e0194075c830d0f2a418d8fce
6. hxxp://211.121.253.172/vct/stL1.rar a200699ce01d73c61a1b9ccb9009d9c6
7. hxxp://211.121.253.172/vct/vel19.rar 472c2c1ff132392bf8656a2b427e8f22
8. hxxp://211.121.253.172/int/vel20.rar 09b3818d4480a486db78ef2bd34c7e38
9.  
10. SOFTBANK TELECOM Corp.
11. [Allocation] 211.121.0.0/16
12. a. [Network Number] 211.121.192.0/18
13. b. [Network Name] ODN
14. g. [Organization] Open Data Network(JAPAN TELECOM CO.,LTD.)
15. m. [Administrative Contact] JP00035900
16. n. [Technical Contact] JP00035900
17. p. [Nameserver] ns2.odn.ne.jp
18. p. [Nameserver] ns4.odn.ne.jp
19.  
20. WEB SERVER OF THE MALWARES (SIGNATURES MATCHED)
21. Last-Modified: Mon, 26 Mar 2012 11:15:15 GMT
22. Accept-Ranges: bytes
23. Etag: W/"f653fbb741bcd1:2a8"
24. Server: Microsoft-IIS/6.0
25. Date: Mon, 26 Mar 2012 11:15:16 GMT
26.  
27. PROOF:
28. --19:51:08-- hxxp://211.121.253.172/int/vel20.rar
29. => `vel20.rar'
30. Connecting to 211.121.253.172:80... connected.
31. hxxp request sent, awaiting response... 200 OK
32. Length: 73,728 (72K) [application/octet-stream]
33. 100%[====================================>] 73,728 337.48K/s
34. 19:51:09 (336.93 KB/s) - `vel20.rar' saved [73728/73728]
35.  
36. --19:51:32-- hxxp://211.121.253.172/vct/stL1.rar
37. => `stL1.rar'
38. Connecting to 211.121.253.172:80... connected.
39. hxxp request sent, awaiting response... 200 OK
40. Length: 249,856 (244K) [application/octet-stream]
41. 100%[===================================> ] 249,856 740.11K/s
42. 19:51:33 (738.00 KB/s) - `stL1.rar' saved [249856/249856]
43.  
44. --19:51:42-- hxxp://211.121.253.172/vct/vel19.rar
45. => `vel19.rar'
46. Connecting to 211.121.253.172:80... connected.
47. hxxp request sent, awaiting response... 200 OK
48. Length: 73,728 (72K) [application/octet-stream]
49. 100%[====================================>] 73,728 --.--K/s
50. 19:51:42 (529.53 KB/s) - `vel19.rar' saved [73728/73728]
51.  
52. --19:51:56-- hxxp://211.121.253.172/vct/set.rar
53. => `set.rar'
54. Connecting to 211.121.253.172:80... connected.
55. hxxp request sent, awaiting response... 200 OK
56. Length: 28,672 (28K) [application/octet-stream]
57. 100%[====================================>] 28,672 --.--K/s
58. 19:51:57 (299.76 KB/s) - `set.rar' saved [28672/28672]
59.  
60. VIRUS TOTAL REPORT:
61. https://www.virustotal.com/file/50cc09617912edf3a5077fb09fe540803e6c467a7bff6417bc41d02d60c39d76/analysis/1332759518/
62. https://www.virustotal.com/file/5a8c16df19d7198b5c0ea2a36c90f34bc835202e6108afa8a49221cb598f9c4f/analysis/1332759446/
63. https://www.virustotal.com/file/f8faf5656a27f6df63ad5b49cf4747ad3cb474fc1e94caf939b8b17133ec6595/analysis/1332759462/
64. https://www.virustotal.com/file/f72556dadc6bc5ae4e4dd3911f94e1d012a3987e555aa4b55170c20f41184d95/analysis/1332759402/
65.  
66. SOME QUICK ANALYSIS 調査証拠↓
67. payload: aho.exe
68. MD5: 2aa259224e8ffa280d11ce2e19d9adb3
69. SHA-1: 3007a22e0d049e8685db1303f36ee3b708e48ff4
70. File Size: 20,480 Bytes
71. Command Line: $shell= "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aho.exe"
72. registry:
73. Iprip
74. SERVICE_AUTO_START
75. %SystemRoot%\System32\svchost.exe -k netsvcs
76. (SAME AS PREVIOUS REPORT..)
77. Note: Changes in MD5 noted. Same sized, trace of the crypter tools.
78. ----
79. ZeroDay Japan http://0day.jp
80. OPERATION CLEAUP JAPAN | #OCJP
81. PIC: Hendrik ADRIAN, Malware Researcher / Twitter/ Google: @unixfreaxjp
82. Malware Analysis Blog: http://unixfreaxjp.blogspot.jp/
83. sponsored by: 株式会社ケイエルジェイテック http://www.kljtech.com