ランサムウェア

知られざるマルウェアファミリ、Vatet、PyXie、Defray777 の詳細

Clock Icon 10 min read
Related Products
Managed Threat Hunting iconManaged Threat HuntingUnit 42 Incident Response iconUnit 42 Incident Response

This post is also available in: English (英語)

IoC (侵害指標)

Cobalt Strike の C2

  • 192.169.7[.]160
  • 51.79.42[.]156
  • 5.135.230[.]132
  • 162.216.240[.]7
  • 172.245.21[.]224
  • 192.169.6[.]180
  • cloud[.]falconoasisdubai[.]com
  • syvansoft[.]com
  • gue[.]life
  • m33[.]bar
  • j3qq4[.]club

PyXie の C2

  • sarymar[.]com
  • benreat[.]com
  • planlamaison[.]com
  • teamchuan[.]com
  • tedxns[.]com
  • mustome[.]com
  • hekutn[.]com
  • safealyzer[.]com
  • bookrah[.]com
  • c1oudflare[.]com

Defray777 の SHA256 ハッシュ値

  • 4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458

Defray777 の Linux SHA256 ハッシュ値

  • 78147d3be7dc8cf7f631de59ab7797679aba167f82655bcae2c1b70f1fafc13d
  • cb408d45762a628872fa782109e8fcfc3a5bf456074b007de21e9331bb3c5849

PyXie Lite の SHA256 ハッシュ値

  • 5d26300ad2fc008fe278f17f98f173236c8bd7eeb6382062d677d1d6fd37c5b5
  • 82a2149aa09b2b59ee7c97e05d7200d4ccbcd8444182aca2f8c4913f1f59a42c
  • 0ad10472f7aedfd241ecb65a53d5cafdeb94672d92883d161cb37f769e60f013
  • 61b9b7e1329eb540dd751d1db6c00cc45d91b6f58db75ab0212976d4ec4c848e
  • 84428ece8efcb6298435b15d3c4ea281592accf0990cc840ef3a7a0644191061
  • 4d0176e2d6e30e31352f420a4dec79d26cb00f1e6c789b31e84cd05eb4d50956
  • 5e90a331bafd98e41bcf36419c44bd7ff8296ac18cce652e944ae22db15a5366
  • fe564fb38a99dbb94cc8a66d8955b0b7f8e67bf0a5eb820c4a5d0c3efb96c1e5
  • b2b3a199291c3651b1d7413c7dba92566a893010a50e770e1802f173f1c2c7a4
  • 5736e167e234e06b33e8d8d6bb80e13b1bacca8d7cd3271695220cdec2e4a79e
  • a7affc0d93e27165ce44c55ae28189e8b55967443f9e464232f230ab4ba175ca
  • b3c6f365819864340a8a8fe3076fb326c1debfdbbc826384cb2978aea82edc48
  • c7ddbc24a57d1353d73533c47a65e5e3a74e3b666c1fed685fc90de1f089c72b
  • 510cf6e1c55a190490e93d222ea606ed888d222ecedda18bfb2f32bb73f33cab
  • f80bcc60e79b387f63edfe0f1fc66492af4ff201ad5eb8080b1249ca43f6f30f
  • 6485bec374f255831b7ddbfed9925e988dcd7e893f610842809dd7cd1988cffc
  • c58f5b3f7300a13fd9a0a61757e20399fc5e86544befdafae15e8809a02c2db0
  • 9847cea40cec394c947de06010ad1f3033316903b5c822ba16f9574acb30f0cd

PyXie Lite のコマンドライン引数

-q -s {{}} -p

Pyxie Lite Exfil のステージングパス

  • %temp%\tmp\wifi_info.txt
  • %temp%\tmp\software.txt
  • %temp%\tmp\screen.jpg
  • %temp%\tmp\pwds.txt
  • %temp%\tmp\general.txt
  • %temp%\tmp\disks_info.txt
  • %temp%\tmp\desk_files.txt
  • %temp%\tmp\cpu_ram.txt
  • %temp%\tmp\arp_a.txt
  • %temp%\tmp\cmdkey_list.txt
  • %temp%\tmp\cpu_ram.txt
  • %temp%\tmp\disks_info.txt
  • %temp%\tmp\files.txt
  • %temp%\tmp\general.txt
  • %temp%\tmp\gpresult_z.txt
  • %temp%\tmp\ipconfig_all.txt
  • %temp%\tmp\ipconfig_displaydns.txt
  • %temp%\tmp\mimi.txt
  • %temp%\tmp\net_config_workstation.txt
  • %temp%\tmp\net_group_domain_admins_domain.txt
  • %temp%\tmp\net_group_domain_admins.txt
  • %temp%\tmp\net_group_enterprise_admins.txt
  • %temp%\tmp\net_localgroup_administrators.txt
  • %temp%\tmp\net_localgroup.txt
  • %temp%\tmp\net_share.txt
  • %temp%\tmp\net_use.txt
  • %temp%\tmp\net_user.txt
  • %temp%\tmp\net_view_all_domain.txt
  • %temp%\tmp\net_view_all.txt
  • %temp%\tmp\netstat_an.txt
  • %temp%\tmp\nslookup_typeany_userdnsdomain.txt
  • %temp%\tmp\portscan.txt
  • %temp%\tmp\pwds.txt
  • %temp%\tmp\route_print.txt
  • %temp%\tmp\soft.txt
  • %temp%\tmp\software.txt
  • %temp%\tmp\systeminfo.txt
  • %temp%\tmp\tasklist_v.txt
  • %temp%\tmp\wmic_process.txt

PyXie の SHA256 ハッシュ値

  • 70dfa6b21f5eea28ccb77ddac876cf6eac58b2ac55ab7b9ee52d79b1b5f3734d
  • 8d2b3b0cbb32618b86ec362acd142177f5890917ae384cb58bd64f61255e9c7f
  • 260be87cd75f304272094d3bef02eff6ef6b605f01ffe2983361e6e2f6116769
  • 09bb81e5a6c716f14c625ff36beb3b184d0089ed29252af10635b604b69f22ef
  • 70dfa6b21f5eea28ccb77ddac876cf6eac58b2ac55ab7b9ee52d79b1b5f3734d
  • 744d0c4b89e1b2ddd70d614b4dc009afa8f3a528c821c371cf72e60cc3367f19
  • 37268f0ade3050fa2008b546920c4f2052732c092de04a6e108257f5de22ff48
  • 80bd15267756343f028cbe77afe810068b0e6a36ce32f52be63f620ef5b5ed89
  • e2d4aa8662b3db2f3857dbacada1ff0da0ceaf75bbba579bc5ef1a555c065206
  • aed5b487e13e920835b0ba5ca964e25a815f8a10011d8e1eb29278ae254771d9
  • f9da4d61344457c3d68ef0525139c2cf6ee28d3f09220168ba2be601b5c54d6f
  • e03680e0af40a6fa1a12bed2f701c6137335d28b3d222579552658e951cbd13c
  • e2faf6586f8ac70cd98e4ec648f79435bfabaf84d440044aedce0c5c59b662e8
  • 814357417aa8a57e43d50cb3347c9d287b99955b0b8aee4e53e12b463f7441a0
  • de44656b4a3dde6e0acdc6f59f73114ce6bb6342bec0dcd45da8676d78b0042e
  • 78471db16d7bd484932c8eb72f7001db510f4643b3449d71d637567911ca363b
  • e0f22863c84ee634b2650b322e6def6e5bb74460952f72556715272c6c18fe8e
  • 563dd5a95f439bc2b4170a74c8be565a1af076e6cbebd1d018b2809a1e8bc908
  • 411eb20988f57317c177ea64c8bb4c059cc39da6e91eb1e7b9b8da96775d93d5
  • ed675db1e7c93526141d40ba969bdc5bbdfd013932aaf1e644c66db66ff008e0
  • f9290cd938d134a480b41d99ac2c5513a964de001602ed34c6383dfeb577b8f7
  • d271569d5557087aecc340bb570179b73265b29bed2e774d9a2403546c7dd5ff
  • 3a47e59c37dce42304b345a16ba6a3d78fc44b21c4d0e3a0332eee21f1d13845
  • 92a8b74cafa5eda3851cc494f26db70e5ef0259bc7926133902013e5d73fd285
  • ea27862bd01ee8882817067f19df1e61edca7364ce649ae4d09e1a1cae14f7cc
  • c3b3f46a5c850971e1269d09870db755391dcbe575dc7976f90ccb1f3812d5ea
  • edd1480fe3d83dc4dc59992fc8436bc1f33bc065504dccf4b14670e9e2c57a89
  • 3aa746bb94acee94c86a34cb0b355317de8404c91de3f00b40e8257b80c64741
  • 1d970f2e7af9962ae6786c35fcd6bc48bb860e2c8ca74d3b81899c0d3a978b2b
  • 56e96ce15ebd90c197a1638a91e8634dbc5b0b4d8ef28891dcf470ca28d08078
  • 5937746fc1a511d9a8404294b0caa2aedae2f86b5b5be8159385b6c7a4d6fb40
  • 0da9e149ba324f20a390140e9d7913b13ababa07f5b65e4d25e3555c1119e768
  • a765df03fffa343aa7a420a0a57d4b5c64366392ab6162c3561ff9f7b0ad5623
  • 7330fa1ca4e40cdfea9492134636ef06cd999efb71f510074d185840ac16675d
  • c9400b2fff71c401fe752aba967fa8e7009b64114c9c431e9e91ac39e8f79497

PyXie のコマンドライン引数

  • %SYSTEMROOT%\system32\worker.exe

Vatet の SHA256 ハッシュ値

  • bacc02fd23c4f95da0fbc5c490b1278d327fea0878734ea9a55f108ef9f4312e
  • 5e0062def3e1d2ac206aa43854a60e23b0d1158fa982e99e0ba8190e77290dbf
  • 4421720e0321ac8b3820f8178eb8a5ff684388438b62c85f93df9743a1d9fdb9
  • 915e660ec51abea9ffd5716fb2c9b8593643adc5e9ea0834a88d8ea4016899f0
  • 0b42bf15b77cfe9f9e693f2776691647e78a91be27f5bdb8d1a366be510a773f
  • 57eea67e3eebde707c3fb3473a858e7f895ae12aad37cc664f9c0512c0382e6a
  • 2f149a79f721bb78eb956f70183b531fb6a1b233ceb4a3d6385759a0b0c16fd3
  • 6ac07424e5c9b87d76645aa041772ac8af12e30dc670be8adf1cf9f48e32944b
  • 382d9bf5da142d44de5fda544de4fffe2915a3ffc67964b993f3c051aa8c2989
  • ef7e21d874a387f07a9f74f01f2779a280ff06dff3dae0d41906d21e02f9c975
  • e5ce1c1b69bd12640c604971be311f9544adb3797df15199bd754d3aefe0a955
  • 37e8d3ae4c34441b30098d7711df8ef0bcc12c395f265106b825221744b956bc
  • 10c4067908181cebb72202d92ff7a054b19ef3aada939bf76178e35be9506525
  • b159fadb829a206c9a59ec547aa9e2a3ee83e8a3cc1441de04f58fd02a43c760
  • 6c1b17c8d8eca38b9926b40637cb793d0997a6183156d9e6353b53d7b3955f20
  • 375afe90771e63dbec77de439625267d723dc6bbb37cc5e94cf4d281d16c2ca8
  • 4d39782ccdb902e8e5348b8b3ce92f0834c713c565cca82be67a0a8eb6468df6
  • 6497d14f6dd14c39c037cb7da24b51d90b7040af64c245aaab6c6cc80cde7f3b
  • 95e5e83b10df32f06080bd6f8428592d81febbf55e72ec5f843dd6188bef25da
  • 01a2404fcf56027be610c65bbfb0f2dda9cfaf67385cb7f93f0b586e3aa6803a
  • b7fbbbdf7e8795022a41f4e6a94be1de432ae1911e49625f73555e01a5fdc719
  • d7bcb52f027f66c988e595dc29a343e27af7599e3659901f85a92c26440a5e1f
  • d353eeb623e96b32c086a9b64991dfedbc8d31254aec2c3cda51042ceb07ee82
  • 66c2038c6d86333cbc51726bc54d3b8a00162493b2c92ca7f839b50435eaa314
  • 47d6cc0a05218d0c1078dabf8d0ca7b7b424cdd73eaf3bf6261fa1b42f92fe0b
  • 5dc7f70a0d20f97c30c25bd927235deec713cde5d1c41916e23dd0c3431ffacd
  • 7ad92c9d63bd9ed305acbe217c40f9945deb98ed5ecced8b92b93332dc27d3c6
  • d46f72b8598ff80de5661205f6cac0b47831778f70b5edd7525e23418706cc1a
  • ccc162d3a3d6136a9c472d7d2d07acbae47f88a9a7d9b2c9b97b331e7ab7605d
  • 3cd581621d9a16ebe724e9ba7445aa82162307ff6b2a31be572e87dbce2aa8ad
  • e1653fe62e8d90153557324ffe4470d9c9262fe3bddad2bf555680b6078cf66a
  • 75728bc96c934c1521ae08e03ec916e20628e000b056c55b6ee04ccc18c602f6
  • a50a25a312adb9103e52e94018013ebdb6dbfe792a34122cacd53cfa3bbb26ac
  • 87210d6f1773473d28b51de21ed55ecfb6a9bd34f56d2d37f483ed05a1d7efd8
  • d7d28af8af5be22ecca267bdc7e142667f584550cf8a3bbebdb1368725bb6469
  • d7641089fd5d0474b835a633d6d852028b3481c18b3574023b021bfa1e3c1cc1
  • 5aec2fa9e954473d9c6b5233512f833e63541965e2d2e4af2419a457676c440d
  • fcdd72fd2e03badfac13eed5e2d17054bbdcea7c1743179095ce109bf40a7f0f
  • 350926c6bb7419330e55e687c9f00520a560c41f6013528cbb9ea42faeeb3201
  • 8eef012c2eecb7f8a776464f52e12f62c466cfc85adf4eef0d2bc270e7a19212
  • 3928bd8f2fd2db4891b320fa85b37c2598706d27283818ad33a0eeac16d59192
  • 8373be56ddab97188a8606eb5f529187bfb819f5cb5a50c56f6a7878c94c7f86
  • a098b5455fd1e9d0dea067405cd891b94cc42a0067cbd21d385f9c1254c21fdd
  • 2b13dae3c35eb3958253dbf945f6609e59978c2aedbd163608f03920d7d3623b
  • 01011bb45dec3b520ea09e5d9d3c9fb4acce74de72261f68ff1011f9ea6ccebb
  • 80c9d6cf4e8119dc2d0e263f3f4d5c3bf4221715117505d9d6a02e3671337bf8
  • bec5a3cfd7332241e3a7463d951b8f9a9e771d4f436d7776a426074a82d19a7d
  • c7f96f8b15c324bd6bf1aa16f6697d6d407f91ad2d7628a14d70f146334d34be
  • c5ca45581da0bbb3e4d0c6e51d602512fa52833cd16eebed351397a9a0326518
  • 6f1e8f91773609087a417cb34887f292a0be5c246dab667195854f979a45349a
  • e07dd37c92d24ac20b94a183e1f0a22a4eec0f950f441761c065faf0afd2abdd
  • 0d14a1b5574dc12f6286d37d0a624232fb63079416b98c2e1cb5c61f8c2b66ff
  • e5fede5eb43732c7f098acf7b68b1350c6524962215b476de571819b6e5a71fc
  • ecf3f4ba8dd16551908488cfbf2afd18a55584dbf81c28623026a29b9fa4a62d
  • edecfdd2a26b4579ecacf453b9dff073233fb66d53c498632464bca8b3084dc5
  • 1309b052618c6301901ec75cf552e7b49f93d66fb47d4de59b82d37d6ac39039
  • 2ceb5de547ad250140c7eb3c3d73e4331c94cf5a472e2806f93bf0d9df09d886
  • 3259dd0efed1d28a149d4e8c4f980a19199d9bead951ee1231e3a26521185f2f
  • 3a3b7b198769de3e5d81a92aa166f783b611a39a7fcea1b5ec762b54295dbc8d
  • 56934547dcf0d7ecf61868ae2f620f60e94c094dbd5c3b5aaf3d3a904d20a693
  • 608f34a79e5566593b284ef0d24f48ea89bc007e5654ae0969e6d9f92ec87d32
  • 625c22b21277c8a7e1b701da9c1c21b64bfa02baef5d7a530a38f6d70a7a16d0
  • 73609f8ebd14c6970d9162ec8d7786f5264e910573dff73881f85b03163bd40e
  • 840985b782648d57de302936257ba3d537d21616cb81f9dce000eaf1f76a56c8
  • 88565b4c707230eac34d4528205056264cd70d797b6b4eb7d891821b00187a69
  • 91c62841844bde653e0357193a881a42c0bc9fcc798a69f451511c6e4c46fd18
  • a50b58e24eb261157c4f85d02412d80911abe8501b011493c7b393c1905fc234
  • b1f54b88c9b7680877981f6bebde6aea9effbc38a0a8b27a565fb35331094680
  • bd7da341a28a19618b53e649a27740dfeac13444ce0e0d505704b56335cc55bd
  • cb2619b7aab52d612012386d88a0d983c270d9346169b75d2a55010564efc55c
  • ce0936366976f07ea24e86733888e97e421393829ecfd0fde66bd943d4b992ab
  • d50f28cf5012e1ffde1cd28655e07519dadcf94218b15c701c526ab0f6acb915
  • d612144c1f6d4a063530ba5bfae7ef4e4ae134bc55dcf067439471934b841b00
  • ddf83c02effea8ae9ec2c833bf40187bed23ec33c6b828af49632ef98004ea82
  • e48e88542ec4cd6f1aa794abc846f336822b1104557c0dfe67cff63e5231c367

Vatet のペイロードの SHA256 ハッシュ値

  • a512e5ffd33da906fdf896c536bf64adc59599ec2227f60dace4a4ef23d3d21a
  • 56f6084d84bd6371918c3ae7b555099474cdb6665bed0d969f6b5762b8cf5cc9
  • 2f1e047e840620460bdf7371e62e966919f25f763a53248357f890a4ff11791f
  • 6812190b1dec8c2a4c5d2b327d1bdbe72974fc017d86d2337ea06e9d3337959e
  • 77f2df32060e5125c6d4a3ab2a2a0c862eb44bc44614d494d23f4690a45d08a3
  • 309af51a8d86e031e25c2c928101b9afc9bcd1dcadbf4ef27ed3c0e8d7da0c98
  • c2861e5626c5ba40d28ec6c7d4ac32edc972a969d2454e74dc50829d02b5de2a
  • 8a7dc1c39321d972a21bf4fdd24f6f2ef3a03e4ea95c49f383ba03902010210c
  • 0e7824dfb7668af175a2b887e592773517f17213555c3b9af4f98d54278621d5
  • d389e2fc1515b8a2d8d365d072c201a308f776c873fdb185f826a35fde6fbf2b
  • bde87df68407fafc3ebd95665838eb5476cb854b338fb97252d153a2250f28b8
  • ab432a84b05de381c2f96a000c318ec78c98e39abfa7eea3210840c85b0cbee7

Vatet のペイロードのパス

  • \\\\settings.dat
  • \\\\upgrade.dat
  • \\\\vodafone.dat
  • \\\\winint2.sto
  • c:\windows\INF\Rainmeter.dat
  • c:\windows\INF\notepad.dat
  • c:\windows\INF\options.dat
  • c:\windows\debug\Rainmeter.dat
  • c:\windows\debug\config.dat
  • c:\windows\debug\notepad.dat
  • c:\windows\debug\options.dat
  • c:\windows\help\Rainmeter.dat
  • c:\windows\help\notepad.dat
  • c:\windows\help\options.dat
  • c:\windows\media\notepad.dat
  • c:\windows\notepad.dat
  • c:\windows\options.dat
  • c:\windows\system\options.dat
  • c:\windows\temp\options.dat

PDB のパス

  • C:\Users\1\Downloads\notepad-plus-plus-master\PowerEditor\bin\npp.pdb
  • C:\Users\1\Downloads\rainmeter-master\x32-Release\Obj\Library\Rainmeter.pdb
  • C:\Users\1\Downloads\rainmeter-master\x32-Release\Obj\Application\Rainmeter.pdb
  • C:\Users\1\Downloads\notepad-master\Debug\notepad.pdb
  • C:\Users\1\Downloads\tetris-game-master\Release\TetrisGame_zjy.pdb
  • Z:\coding\pyproject\compiled\cobalt_mode\cobalt_mode.pdb
  • Z:\coding\pyproject\compiled\ransom\ransom.pdb

PyXie Lite の設定

{
“logs”: {
“gates”: [
“:8443/data”
],
“aes_key”: “THIS_KEY_IS_FOR_INTERNAL_USE_ONLY”,
“send_attempts”: 10,
“send_attempts_timeout”: 5
},
“dirs_keys”: [“actifio”,
“aldelo”,
“altaro”,
“avamar”,
“avs”,
“back-up”,
“backup”,
“bank”,
“bitmessage”,
“client”,
“cobaltstrike”,
“coin”,
“diebold”,
“filemaker”,
“htape”,
“magtek”,
“ncr”,
“passw”,
“payment”,
“rapid7”,
“replication”,
“screenconnect”,
“swift”,
“tivoli”,
“unitrends”,
“vault”,
“veeam”,
“vranger”,
“wallet”,
“wincor”],
“shell_cmds”: [“arp -a”,
“cmdkey /list”,
“dclist”,
“gpresult /z”,
“ipconfig /all”,
“ipconfig /displaydns”,
“klist”,
“manage-bde -status”,
“net config workstation”,
“net group \”domain admins\” /domain”,
“net group \”Domain Admins\””,
“net group \”Enterprise Admins\””,
“net localgroup \”administrators\””,
“net localgroup”,
“net share”,
“net use”,
“net user”,
“net view /all /domain”,
“net view /all”,
“netstat -an”,
“nltest /domain_trusts /all_trusts”,
“nltest /domain_trusts”,
“nslookup -type=any %userdnsdomain%”,
“qwinsta”,
“route print”,
“systeminfo”,
“tasklist /V”,
“vssadmin List Shadows”,
“wmic process”,
“wmic qfe list”],
“dirs”: [“%ALLDRIVESROOTS%\\Alliance”,
“%APPDATA%\\Agama”,
“%APPDATA%\\Armory”,
“%APPDATA%\\B3-CoinV2”,
“%APPDATA%\\BeerMoney”,
“%APPDATA%\\Bitcloud”,
“%APPDATA%\\Bitcoin”,
“%APPDATA%\\BitcoinZ”,
“%APPDATA%\\bitconnect”,
“%APPDATA%\\Bither”,
“%APPDATA%\\bitmonero”,
“%APPDATA%\\BlocknetDX”,
“%APPDATA%\\Cybroscoin”,
“%APPDATA%\\Daedalus”,
“%APPDATA%\\DashCore”,
“%APPDATA%\\DeepOnion”,
“%APPDATA%\\DigiByte”,
“%APPDATA%\\Dogecoin”,
“%APPDATA%\\ElectronCash”,
“%APPDATA%\\Electrum”,
“%APPDATA%\\Electrum-LTC”,
“%APPDATA%\\Ember”,
“%APPDATA%\\EmeraldWallet”,
“%APPDATA%\\Ethereum Wallet”,
“%APPDATA%\\Exodus”,
“%APPDATA%\\FairCoin”,
“%APPDATA%\\faircoin2”,
“%APPDATA%\\Florincoin”,
“%APPDATA%\\FORT”,
“%APPDATA%\\GambitCoin”,
“%APPDATA%\\GeyserCoin”,
“%APPDATA%\\GreenCoinV2”,
“%APPDATA%\\GridcoinResearch”,
“%APPDATA%\\Gulden”,
“%APPDATA%\\Hush”,
“%APPDATA%\\IOTA Wallet”,
“%APPDATA%\\Komodo”,
“%APPDATA%\\Learncoin”,
“%APPDATA%\\lisk-nano”,
“%APPDATA%\\Litecoin”,
“%APPDATA%\\Minexcoin”,
“%APPDATA%\\mSIGNA_Bitcoin”,
“%APPDATA%\\MultiBitHD”,
“%APPDATA%\\MultiDoge”,
“%APPDATA%\\Neon”,
“%APPDATA%\\NXT”,
“%APPDATA%\\Parity”,
“%APPDATA%\\Particl”,
“%APPDATA%\\Peercoin”,
“%APPDATA%\\pink2”,
“%APPDATA%\\PPCoin”,
“%APPDATA%\\Qtum”,
“%APPDATA%\\RainbowGoldCoin”,
“%APPDATA%\\RoboForm”,
“%APPDATA%\\StartCOIN-v2”,
“%APPDATA%\\straks”,
“%APPDATA%\\Stratis”,
“%APPDATA%\\StratisNode”,
“%APPDATA%\\TREZOR Bridge”,
“%APPDATA%\\TrumpCoinV2”,
“%APPDATA%\\VeriCoin”,
“%APPDATA%\\Verium”,
“%APPDATA%\\Viacoin”,
“%APPDATA%\\VivoCore”,
“%APPDATA%\\Xeth”,
“%APPDATA%\\Zcash”,
“%APPDATA%\\ZcashParams”,
“%APPDATA%\\Zetacoin”,
“%LOCALAPPDATA%\\bisq”,
“%LOCALAPPDATA%\\copay”,
“%LOCALAPPDATA%\\programs\\zap-desktop”,
“%LOCALAPPDATA%\\RippleAdminConsole”,
“%LOCALAPPDATA%\\StellarWallet”,
“%PROGRAMDATA%\\bitmonero”,
“%PROGRAMDATA%\\electroneum”,
“%PROGRAMDATA%\\Tiger Technology”,
“%PROGRAMDATA%\\tivoli”],
“file_find”: {
“enabled”: 1,
“patterns”: [“10-q”,
“10-sb”,
“access”,
“avamar”,
“admin”,
“attack”,
“aws”,
“amazon”,
“backup”,
“balance”,
“bitcoin”,
“bitlocker”,
“bribery”,
“cardholder”,
“censored”,
“checking”,
“clandestine”,
“compromate”,
“concealed”,
“confidential”,
“contraband”,
“convict”,
“credent”,
“cyber”,
“disclosure”,
“engineering”,
“esxi”,
“ethereum”,
“explosive”,
“finance”,
“fraud”,
“hidden”,
“illegal”,
“infrastruct”,
“instruction”,
“investigation”,
“logins”,
“marketwired”,
“military”,
“n-csr”,
“nasdaq”,
“nda”,
“newswire”,
“operation”,
“passport”,
“passw”,
“personal”,
“privacy”,
“private”,
“restricted”,
“routing”,
“saving”,
“secret”,
“security”,
“spy”,
“statement”,
“storage”,
“submarine”,
“suspect”,
“tactical”,
“treason”,
“username”,
“vault”,
“victim”,
“vsphere”,
“wallet”,
“wasabi”,
“wire”
],
“extentions”: [“.doc”,
“.docx”,
“.xls”,
“.xlsx”,
“.pdf”,
“.txt”,
“.rtf”],
“gold_masks”: [“*.rdp”,
“*.kdbx”,
“*.vnc”,
“*.cpp”,
“*.c”,
“*.sln”,
“*.vcproj”,
“*.h”,
“*.asm”,
“*cobaltstrike*”,
“*.ovpn”,
“*.pcf”,
“*.conf”],
“black_files”: [“Default.rdp”,
“Microsoft June”,
“Release_Note”,
“Release Note”,
“desktop.ini”,
“Microsoft Silverlight”,
“localhost_access_log”,
“dd_clwireg.txt”],
“black_dirs”: [“\\microsoft\\windows”,
“\\gfi\\languard”,
“\\microsoft\\windows\\cookies”,
“\\vmware\\vcenterserver”,
“\\autoupdate\\cache”,
“\\microsoft office\\root”],
“max_size”: 5242880
},
“software”: [” OPOS”,
“Aldelo”,
“Actifio”,
“Alliance WebStation”,
“Alliance Workstation”,
“Altaro”,
“Back-up”,
“Rapid7”,
“Backup”,
“Bank”,
“Blockchain”,
“Boot Camp”,
“Box Sync”,
“BridgeHead”,
“CAM Commerce Solutions”,
“Card Processing”,
“Cash”,
“Cisco”,
“Citrix”,
“Cloud”,
“Coin”,
“Dashlane”,
“Diskeeper”,
“Double-Take”,
“Dropbox”,
“Elcomsoft”,
“FileZilla Server”,
“FortiClient”,
“Fund”,
“iDrive”,
“Ledger”,
“LexisNexis”,
“LogMeIn”,
“M262x”,
“Microsoft Dynamics RMS Store Operations”,
“Microsoft POS”,
“vRanger”,
“Money”,
“mRemoteNG”,
“MSR”,
“Password”,
“Payment”,
“Private”,
“Protect”,
“PuTTY”,
“QuickBooks”,
“Replication”,
“ScreenConnect”,
“Shadow”,
“SII RP-D10”,
“Storage”,
“SWIFT”,
“TeamViewer”,
“Token”,
“Trade”,
“Treasury”,
“Trezor”,
“Vault”,
“Unitrends”,
“VIP Access”,
“VMware”,
“Vnc”,
“VPN”,
“Wallet”,
“Withdraw”],
“registry”: [“SOFTWARE\\Ammyy”,
“SOFTWARE\\Cppcheck”,
“SOFTWARE\\DASH”,
“SOFTWARE\\Dash”,
“SOFTWARE\\DeterministicNetworks”,
“SOFTWARE\\GitForWindows”,
“SOFTWARE\\GlavSoft LLC.”,
“SOFTWARE\\GnuPG”,
“SOFTWARE\\Hex-Rays”,
“SOFTWARE\\Hex-Rays SA”,
“SOFTWARE\\HexaD”,
“SOFTWARE\\ITarian”,
“SOFTWARE\\LogMeIn Ignition”,
“SOFTWARE\\LogMeIn”,
“SOFTWARE\\MetaQuotes Software”,
“SOFTWARE\\Microsoft\\ResKit\\Robocopy”,
“SOFTWARE\\Nmap”,
“SOFTWARE\\Pulse Secure”,
“SOFTWARE\\PyBitmessage”,
“SOFTWARE\\PyBitmessage”,
“SOFTWARE\\S.W.I.F.T.”,
“SOFTWARE\\ShrewSoft”,
“SOFTWARE\\SimonTatham”,
“SOFTWARE\\SonicWall”,
“SOFTWARE\\TortoiseSVN”,
“SOFTWARE\\Veeam”,
“SOFTWARE\\VisualSVN”,
“SOFTWARE\\Whole Tomato”,
“SOFTWARE\\WinLicense”],
“portscan”: {“Bitcoin”: [8332,8333],
“DNS”: [53],
“Elasticsearch”: [9200,9300],
“FTP”: [21],
“Horizon Agent”: [22443,4172,9427,32111],
“HTTP”: [80,5000,9043],
“HTTPS”: [443,8443,1311,5001,8200],
“JAVA-RMI”: [34571,1099,1090,1098,1099,4444,11099,47001,47002,10999],
“MongoDB”: [27017],
“MSSQL”: [1433],
“MySQL”: [3306],
“neo4j”: [7687],
“NetBackup”: [5637],
“NETBIOS”: [139],
“Oracle”: [1521],
“POP3”: [110],
“POP3s”: [995],
“PostgreSQL”: [5432],
“PPTP”: [1723],
“RADMIN”: [4899],
“RDP”: [3389],
“SMTP”: [25],
“SonicWall-VPN”: [4433],
“SSH”: [22],
“Telnet”: [23],
“Tivoli”: [1500,1581],
“TOR”: [9050],
“AcronixBackup”: [9877],
“vCenter”: [22024,902,903,10080,10443],
“Veeam”: [9392,9393,9394,9397,9398,9399],
“VNC”: [5900, 5800],
“WinRM”: [5985,5986],
“Zabbix”: [10050,10051],
“JDWP”: [45000,45001],
“JMX”: [8686,9012,50500],
“jBoss”: [11111,4444,4445],
“Cisco Smart Install”: [4786],
“HP Data Protector”: [5555,5556],
“GlassFish”: [4848]
}
}

PyXie Lite のリマップされたオペコード

def_op(‘PRINT_ITEM’, 78)
def_op(‘PRINT_NEWLINE’, 63)
def_op(‘POP_TOP’, 85)
def_op(‘RETURN_VALUE’, 88)
def_op(‘ROT_TWO’, 29)
def_op(‘ROT_THREE’, 9)
def_op(‘STORE_MAP’, 55)
def_op(‘INPLACE_ADD’, 28)
def_op(‘ROT_FOUR’, 72)
def_op(‘UNARY_POSITIVE’, 12)
def_op(‘UNARY_NEGATIVE’, 64)
def_op(‘UNARY_NOT’, 66)
def_op(‘UNARY_CONVERT’, 20)
def_op(‘UNARY_INVERT’, 65)
def_op(‘GET_ITER’, 83)
def_op(‘BINARY_MULTIPLY’, 80)
def_op(‘BINARY_POWER’, 79)
def_op(‘BINARY_DIVIDE’, 15)
def_op(‘BINARY_MODULO’, 76)
def_op(‘BINARY_ADD’, 84)
def_op(‘BINARY_SUBTRACT’, 89)
def_op(‘BINARY_SUBSCR’, 57)
def_op(‘BINARY_FLOOR_DIVIDE’, 68)
def_op(‘INPLACE_FLOOR_DIVIDE’, 24)
def_op(‘INPLACE_DIVIDE’, 82)
def_op(‘INPLACE_SUBTRACT’, 22)
def_op(‘INPLACE_MULTIPLY’, 13)
def_op(‘INPLACE_MODULO’, 70)
def_op(‘STORE_SUBSCR’, 54)
def_op(‘DELETE_SUBSCR’, 77)
def_op(‘BINARY_LSHIFT’, 60)
def_op(‘BINARY_RSHIFT’, 21)
def_op(‘BINARY_AND’, 3)
def_op(‘BINARY_XOR’, 73)
def_op(‘BINARY_OR’, 56)
def_op(‘INPLACE_POWER’, 23)
def_op(‘POP_BLOCK’, 2)
def_op(‘DUP_TOP’, 75)
def_op(‘PRINT_ITEM_TO’, 5)
def_op(‘PRINT_NEWLINE_TO’, 11)
def_op(‘INPLACE_LSHIFT’, 59)
def_op(‘INPLACE_RSHIFT’, 74)
def_op(‘INPLACE_AND’, 61)
def_op(‘INPLACE_XOR’, 27)
def_op(‘INPLACE_OR’, 71)
def_op(‘BREAK_LOOP’, 58)
def_op(‘WITH_CLEANUP’, 19)
def_op(‘END_FINALLY’, 4)
def_op(‘BUILD_CLASS’, 87)
def_op(‘EXEC_STMT’, 10)
def_op(‘LOAD_LOCALS’, 67)
def_op(‘IMPORT_STAR’, 26)
def_op(‘YIELD_VALUE’, 25)

Tags

目次

関連記事

関連項目 リソース

category icon脅威リサーチ

ランサムウェア振り返り: 2024 年上半期
今すぐ読む Right arrow
Constellation image representing the constellation schema used by Palo Alto Networks Unit 42 to track nation-state and
category icon脅威アクター グループ

パロアルトネットワークス Unit 42 が追跡している脅威アクター グループの一覧
今すぐ読む Right arrow
Pictorial representation of APT Fighting Ursa. The silhouette of a bear and the Ursa constellation inside an orange abstract planet. Abstract, stylized cosmic setting with vibrant blue and purple claw marks, representing space and distant planetary bodies.
category icon脅威アクター グループ

「車売ります」広告で標的を釣る Fighting Ursa
今すぐ読む Right arrow
Pictorial representation of phishing or cybersquatting using GenAI keywords. Glowing cube with the letters 'AI' illuminated in blue, centered on a complex network of interconnected circuits and digital nodes, suggesting advanced technology and artificial intelligence themes.
category icon脅威リサーチ

生成 AI (GenAI) 人気に便乗する詐欺攻撃の傾向
今すぐ読む Right arrow
Representation of accelerating malware analysis. Two professionals working in a high-tech monitoring room filled with large screen displays showing data and graphs. One person is seated looking at a monitor, while the other, wearing glasses, is deep in thought.
category icon脅威リサーチ

緊急時に役立つマルウェア分析時短術
今すぐ読む Right arrow
A pictorial representation of RA World ransomware group. A digital graphic of a U.S. dollar bill disintegrating into pixels, symbolizing digital transformation or the concept of cryptocurrency against a backdrop of a dark, tech-inspired visual theme.
category icon脅威リサーチ

RA Group から RA World へ: ランサムウェア グループの進化
今すぐ読む Right arrow
A digital concept of BadPack malware showing a large malware alert symbol on a screen, set against a background filled with lines of computer code and network diagrams in shades of blue and pink. The word "MALWARE" prominently displayed within the alert symbol.
category icon脅威リサーチ

BadPack にご用心: Android アプリの奇妙な分析回避トリック
今すぐ読む Right arrow
Person in a blurred motion is working on a computer with screen showing lines of code, emphasizing a dynamic and intense focus on software development or programming in a dimly lit room.
category icon脅威リサーチ

DarkGate: Excel ルアーから公開 Samba へつづく感染チェーンと回避戦術の分析
今すぐ読む Right arrow
A laptop on a desk displaying a vibrant graphical interface with a circular red pattern, possibly representing cybersecurity or data analysis. The laptop is illuminated by the screen’s glow in a dimly lit room, which also shows a blurred background suggesting a secondary monitor and small desk objects.
category icon脅威リサーチ

Visual Studio Code Node.js デバッグによる GootLoader 分析
今すぐ読む Right arrow
The image depicts a close-up view of a circuit board featuring microchips and electronic components with bright red digital data streams emanating from the surface, symbolizing high-speed data processing and technology innovation.
category icon脅威リサーチ

公開された Cobalt Strike Malleable C2 プロファイルの悪用・回避手口の調査
今すぐ読む Right arrow
Enlarged Image

Default Heading

Read the article Right Arrow