知られざるマルウェアファミリ、Vatet、PyXie、Defray777 の詳細

By and

Category: Unit 42

Tags: , , , ,

The image illustrates the concept of ransomware, such as used by the threat group behind the Vatet loader, the PyXie remote access tool and the Defray777 ransomware

This post is also available in: English (英語)

IoC (侵害指標)

Cobalt Strike の C2

  • 192.169.7[.]160
  • 51.79.42[.]156
  • 5.135.230[.]132
  • 162.216.240[.]7
  • 172.245.21[.]224
  • 192.169.6[.]180
  • cloud[.]falconoasisdubai[.]com
  • syvansoft[.]com
  • gue[.]life
  • m33[.]bar
  • j3qq4[.]club

PyXie の C2

  • sarymar[.]com
  • benreat[.]com
  • planlamaison[.]com
  • teamchuan[.]com
  • tedxns[.]com
  • mustome[.]com
  • hekutn[.]com
  • safealyzer[.]com
  • bookrah[.]com
  • c1oudflare[.]com

Defray777 の SHA256 ハッシュ値

  • 4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458

Defray777 の Linux SHA256 ハッシュ値

  • 78147d3be7dc8cf7f631de59ab7797679aba167f82655bcae2c1b70f1fafc13d
  • cb408d45762a628872fa782109e8fcfc3a5bf456074b007de21e9331bb3c5849

PyXie Lite の SHA256 ハッシュ値

  • 5d26300ad2fc008fe278f17f98f173236c8bd7eeb6382062d677d1d6fd37c5b5
  • 82a2149aa09b2b59ee7c97e05d7200d4ccbcd8444182aca2f8c4913f1f59a42c
  • 0ad10472f7aedfd241ecb65a53d5cafdeb94672d92883d161cb37f769e60f013
  • 61b9b7e1329eb540dd751d1db6c00cc45d91b6f58db75ab0212976d4ec4c848e
  • 84428ece8efcb6298435b15d3c4ea281592accf0990cc840ef3a7a0644191061
  • 4d0176e2d6e30e31352f420a4dec79d26cb00f1e6c789b31e84cd05eb4d50956
  • 5e90a331bafd98e41bcf36419c44bd7ff8296ac18cce652e944ae22db15a5366
  • fe564fb38a99dbb94cc8a66d8955b0b7f8e67bf0a5eb820c4a5d0c3efb96c1e5
  • b2b3a199291c3651b1d7413c7dba92566a893010a50e770e1802f173f1c2c7a4
  • 5736e167e234e06b33e8d8d6bb80e13b1bacca8d7cd3271695220cdec2e4a79e
  • a7affc0d93e27165ce44c55ae28189e8b55967443f9e464232f230ab4ba175ca
  • b3c6f365819864340a8a8fe3076fb326c1debfdbbc826384cb2978aea82edc48
  • c7ddbc24a57d1353d73533c47a65e5e3a74e3b666c1fed685fc90de1f089c72b
  • 510cf6e1c55a190490e93d222ea606ed888d222ecedda18bfb2f32bb73f33cab
  • f80bcc60e79b387f63edfe0f1fc66492af4ff201ad5eb8080b1249ca43f6f30f
  • 6485bec374f255831b7ddbfed9925e988dcd7e893f610842809dd7cd1988cffc
  • c58f5b3f7300a13fd9a0a61757e20399fc5e86544befdafae15e8809a02c2db0
  • 9847cea40cec394c947de06010ad1f3033316903b5c822ba16f9574acb30f0cd

PyXie Lite のコマンドライン引数

-q -s {{}} -p

Pyxie Lite Exfil のステージングパス

  • %temp%\tmp\wifi_info.txt
  • %temp%\tmp\software.txt
  • %temp%\tmp\screen.jpg
  • %temp%\tmp\pwds.txt
  • %temp%\tmp\general.txt
  • %temp%\tmp\disks_info.txt
  • %temp%\tmp\desk_files.txt
  • %temp%\tmp\cpu_ram.txt
  • %temp%\tmp\arp_a.txt
  • %temp%\tmp\cmdkey_list.txt
  • %temp%\tmp\cpu_ram.txt
  • %temp%\tmp\disks_info.txt
  • %temp%\tmp\files.txt
  • %temp%\tmp\general.txt
  • %temp%\tmp\gpresult_z.txt
  • %temp%\tmp\ipconfig_all.txt
  • %temp%\tmp\ipconfig_displaydns.txt
  • %temp%\tmp\mimi.txt
  • %temp%\tmp\net_config_workstation.txt
  • %temp%\tmp\net_group_domain_admins_domain.txt
  • %temp%\tmp\net_group_domain_admins.txt
  • %temp%\tmp\net_group_enterprise_admins.txt
  • %temp%\tmp\net_localgroup_administrators.txt
  • %temp%\tmp\net_localgroup.txt
  • %temp%\tmp\net_share.txt
  • %temp%\tmp\net_use.txt
  • %temp%\tmp\net_user.txt
  • %temp%\tmp\net_view_all_domain.txt
  • %temp%\tmp\net_view_all.txt
  • %temp%\tmp\netstat_an.txt
  • %temp%\tmp\nslookup_typeany_userdnsdomain.txt
  • %temp%\tmp\portscan.txt
  • %temp%\tmp\pwds.txt
  • %temp%\tmp\route_print.txt
  • %temp%\tmp\soft.txt
  • %temp%\tmp\software.txt
  • %temp%\tmp\systeminfo.txt
  • %temp%\tmp\tasklist_v.txt
  • %temp%\tmp\wmic_process.txt

PyXie の SHA256 ハッシュ値

  • 70dfa6b21f5eea28ccb77ddac876cf6eac58b2ac55ab7b9ee52d79b1b5f3734d
  • 8d2b3b0cbb32618b86ec362acd142177f5890917ae384cb58bd64f61255e9c7f
  • 260be87cd75f304272094d3bef02eff6ef6b605f01ffe2983361e6e2f6116769
  • 09bb81e5a6c716f14c625ff36beb3b184d0089ed29252af10635b604b69f22ef
  • 70dfa6b21f5eea28ccb77ddac876cf6eac58b2ac55ab7b9ee52d79b1b5f3734d
  • 744d0c4b89e1b2ddd70d614b4dc009afa8f3a528c821c371cf72e60cc3367f19
  • 37268f0ade3050fa2008b546920c4f2052732c092de04a6e108257f5de22ff48
  • 80bd15267756343f028cbe77afe810068b0e6a36ce32f52be63f620ef5b5ed89
  • e2d4aa8662b3db2f3857dbacada1ff0da0ceaf75bbba579bc5ef1a555c065206
  • aed5b487e13e920835b0ba5ca964e25a815f8a10011d8e1eb29278ae254771d9
  • f9da4d61344457c3d68ef0525139c2cf6ee28d3f09220168ba2be601b5c54d6f
  • e03680e0af40a6fa1a12bed2f701c6137335d28b3d222579552658e951cbd13c
  • e2faf6586f8ac70cd98e4ec648f79435bfabaf84d440044aedce0c5c59b662e8
  • 814357417aa8a57e43d50cb3347c9d287b99955b0b8aee4e53e12b463f7441a0
  • de44656b4a3dde6e0acdc6f59f73114ce6bb6342bec0dcd45da8676d78b0042e
  • 78471db16d7bd484932c8eb72f7001db510f4643b3449d71d637567911ca363b
  • e0f22863c84ee634b2650b322e6def6e5bb74460952f72556715272c6c18fe8e
  • 563dd5a95f439bc2b4170a74c8be565a1af076e6cbebd1d018b2809a1e8bc908
  • 411eb20988f57317c177ea64c8bb4c059cc39da6e91eb1e7b9b8da96775d93d5
  • ed675db1e7c93526141d40ba969bdc5bbdfd013932aaf1e644c66db66ff008e0
  • f9290cd938d134a480b41d99ac2c5513a964de001602ed34c6383dfeb577b8f7
  • d271569d5557087aecc340bb570179b73265b29bed2e774d9a2403546c7dd5ff
  • 3a47e59c37dce42304b345a16ba6a3d78fc44b21c4d0e3a0332eee21f1d13845
  • 92a8b74cafa5eda3851cc494f26db70e5ef0259bc7926133902013e5d73fd285
  • ea27862bd01ee8882817067f19df1e61edca7364ce649ae4d09e1a1cae14f7cc
  • c3b3f46a5c850971e1269d09870db755391dcbe575dc7976f90ccb1f3812d5ea
  • edd1480fe3d83dc4dc59992fc8436bc1f33bc065504dccf4b14670e9e2c57a89
  • 3aa746bb94acee94c86a34cb0b355317de8404c91de3f00b40e8257b80c64741
  • 1d970f2e7af9962ae6786c35fcd6bc48bb860e2c8ca74d3b81899c0d3a978b2b
  • 56e96ce15ebd90c197a1638a91e8634dbc5b0b4d8ef28891dcf470ca28d08078
  • 5937746fc1a511d9a8404294b0caa2aedae2f86b5b5be8159385b6c7a4d6fb40
  • 0da9e149ba324f20a390140e9d7913b13ababa07f5b65e4d25e3555c1119e768
  • a765df03fffa343aa7a420a0a57d4b5c64366392ab6162c3561ff9f7b0ad5623
  • 7330fa1ca4e40cdfea9492134636ef06cd999efb71f510074d185840ac16675d
  • c9400b2fff71c401fe752aba967fa8e7009b64114c9c431e9e91ac39e8f79497

PyXie のコマンドライン引数

  • %SYSTEMROOT%\system32\worker.exe

Vatet の SHA256 ハッシュ値

  • bacc02fd23c4f95da0fbc5c490b1278d327fea0878734ea9a55f108ef9f4312e
  • 5e0062def3e1d2ac206aa43854a60e23b0d1158fa982e99e0ba8190e77290dbf
  • 4421720e0321ac8b3820f8178eb8a5ff684388438b62c85f93df9743a1d9fdb9
  • 915e660ec51abea9ffd5716fb2c9b8593643adc5e9ea0834a88d8ea4016899f0
  • 0b42bf15b77cfe9f9e693f2776691647e78a91be27f5bdb8d1a366be510a773f
  • 57eea67e3eebde707c3fb3473a858e7f895ae12aad37cc664f9c0512c0382e6a
  • 2f149a79f721bb78eb956f70183b531fb6a1b233ceb4a3d6385759a0b0c16fd3
  • 6ac07424e5c9b87d76645aa041772ac8af12e30dc670be8adf1cf9f48e32944b
  • 382d9bf5da142d44de5fda544de4fffe2915a3ffc67964b993f3c051aa8c2989
  • ef7e21d874a387f07a9f74f01f2779a280ff06dff3dae0d41906d21e02f9c975
  • e5ce1c1b69bd12640c604971be311f9544adb3797df15199bd754d3aefe0a955
  • 37e8d3ae4c34441b30098d7711df8ef0bcc12c395f265106b825221744b956bc
  • 10c4067908181cebb72202d92ff7a054b19ef3aada939bf76178e35be9506525
  • b159fadb829a206c9a59ec547aa9e2a3ee83e8a3cc1441de04f58fd02a43c760
  • 6c1b17c8d8eca38b9926b40637cb793d0997a6183156d9e6353b53d7b3955f20
  • 375afe90771e63dbec77de439625267d723dc6bbb37cc5e94cf4d281d16c2ca8
  • 4d39782ccdb902e8e5348b8b3ce92f0834c713c565cca82be67a0a8eb6468df6
  • 6497d14f6dd14c39c037cb7da24b51d90b7040af64c245aaab6c6cc80cde7f3b
  • 95e5e83b10df32f06080bd6f8428592d81febbf55e72ec5f843dd6188bef25da
  • 01a2404fcf56027be610c65bbfb0f2dda9cfaf67385cb7f93f0b586e3aa6803a
  • b7fbbbdf7e8795022a41f4e6a94be1de432ae1911e49625f73555e01a5fdc719
  • d7bcb52f027f66c988e595dc29a343e27af7599e3659901f85a92c26440a5e1f
  • d353eeb623e96b32c086a9b64991dfedbc8d31254aec2c3cda51042ceb07ee82
  • 66c2038c6d86333cbc51726bc54d3b8a00162493b2c92ca7f839b50435eaa314
  • 47d6cc0a05218d0c1078dabf8d0ca7b7b424cdd73eaf3bf6261fa1b42f92fe0b
  • 5dc7f70a0d20f97c30c25bd927235deec713cde5d1c41916e23dd0c3431ffacd
  • 7ad92c9d63bd9ed305acbe217c40f9945deb98ed5ecced8b92b93332dc27d3c6
  • d46f72b8598ff80de5661205f6cac0b47831778f70b5edd7525e23418706cc1a
  • ccc162d3a3d6136a9c472d7d2d07acbae47f88a9a7d9b2c9b97b331e7ab7605d
  • 3cd581621d9a16ebe724e9ba7445aa82162307ff6b2a31be572e87dbce2aa8ad
  • e1653fe62e8d90153557324ffe4470d9c9262fe3bddad2bf555680b6078cf66a
  • 75728bc96c934c1521ae08e03ec916e20628e000b056c55b6ee04ccc18c602f6
  • a50a25a312adb9103e52e94018013ebdb6dbfe792a34122cacd53cfa3bbb26ac
  • 87210d6f1773473d28b51de21ed55ecfb6a9bd34f56d2d37f483ed05a1d7efd8
  • d7d28af8af5be22ecca267bdc7e142667f584550cf8a3bbebdb1368725bb6469
  • d7641089fd5d0474b835a633d6d852028b3481c18b3574023b021bfa1e3c1cc1
  • 5aec2fa9e954473d9c6b5233512f833e63541965e2d2e4af2419a457676c440d
  • fcdd72fd2e03badfac13eed5e2d17054bbdcea7c1743179095ce109bf40a7f0f
  • 350926c6bb7419330e55e687c9f00520a560c41f6013528cbb9ea42faeeb3201
  • 8eef012c2eecb7f8a776464f52e12f62c466cfc85adf4eef0d2bc270e7a19212
  • 3928bd8f2fd2db4891b320fa85b37c2598706d27283818ad33a0eeac16d59192
  • 8373be56ddab97188a8606eb5f529187bfb819f5cb5a50c56f6a7878c94c7f86
  • a098b5455fd1e9d0dea067405cd891b94cc42a0067cbd21d385f9c1254c21fdd
  • 2b13dae3c35eb3958253dbf945f6609e59978c2aedbd163608f03920d7d3623b
  • 01011bb45dec3b520ea09e5d9d3c9fb4acce74de72261f68ff1011f9ea6ccebb
  • 80c9d6cf4e8119dc2d0e263f3f4d5c3bf4221715117505d9d6a02e3671337bf8
  • bec5a3cfd7332241e3a7463d951b8f9a9e771d4f436d7776a426074a82d19a7d
  • c7f96f8b15c324bd6bf1aa16f6697d6d407f91ad2d7628a14d70f146334d34be
  • c5ca45581da0bbb3e4d0c6e51d602512fa52833cd16eebed351397a9a0326518
  • 6f1e8f91773609087a417cb34887f292a0be5c246dab667195854f979a45349a
  • e07dd37c92d24ac20b94a183e1f0a22a4eec0f950f441761c065faf0afd2abdd
  • 0d14a1b5574dc12f6286d37d0a624232fb63079416b98c2e1cb5c61f8c2b66ff
  • e5fede5eb43732c7f098acf7b68b1350c6524962215b476de571819b6e5a71fc
  • ecf3f4ba8dd16551908488cfbf2afd18a55584dbf81c28623026a29b9fa4a62d
  • edecfdd2a26b4579ecacf453b9dff073233fb66d53c498632464bca8b3084dc5
  • 1309b052618c6301901ec75cf552e7b49f93d66fb47d4de59b82d37d6ac39039
  • 2ceb5de547ad250140c7eb3c3d73e4331c94cf5a472e2806f93bf0d9df09d886
  • 3259dd0efed1d28a149d4e8c4f980a19199d9bead951ee1231e3a26521185f2f
  • 3a3b7b198769de3e5d81a92aa166f783b611a39a7fcea1b5ec762b54295dbc8d
  • 56934547dcf0d7ecf61868ae2f620f60e94c094dbd5c3b5aaf3d3a904d20a693
  • 608f34a79e5566593b284ef0d24f48ea89bc007e5654ae0969e6d9f92ec87d32
  • 625c22b21277c8a7e1b701da9c1c21b64bfa02baef5d7a530a38f6d70a7a16d0
  • 73609f8ebd14c6970d9162ec8d7786f5264e910573dff73881f85b03163bd40e
  • 840985b782648d57de302936257ba3d537d21616cb81f9dce000eaf1f76a56c8
  • 88565b4c707230eac34d4528205056264cd70d797b6b4eb7d891821b00187a69
  • 91c62841844bde653e0357193a881a42c0bc9fcc798a69f451511c6e4c46fd18
  • a50b58e24eb261157c4f85d02412d80911abe8501b011493c7b393c1905fc234
  • b1f54b88c9b7680877981f6bebde6aea9effbc38a0a8b27a565fb35331094680
  • bd7da341a28a19618b53e649a27740dfeac13444ce0e0d505704b56335cc55bd
  • cb2619b7aab52d612012386d88a0d983c270d9346169b75d2a55010564efc55c
  • ce0936366976f07ea24e86733888e97e421393829ecfd0fde66bd943d4b992ab
  • d50f28cf5012e1ffde1cd28655e07519dadcf94218b15c701c526ab0f6acb915
  • d612144c1f6d4a063530ba5bfae7ef4e4ae134bc55dcf067439471934b841b00
  • ddf83c02effea8ae9ec2c833bf40187bed23ec33c6b828af49632ef98004ea82
  • e48e88542ec4cd6f1aa794abc846f336822b1104557c0dfe67cff63e5231c367

Vatet のペイロードの SHA256 ハッシュ値

  • a512e5ffd33da906fdf896c536bf64adc59599ec2227f60dace4a4ef23d3d21a
  • 56f6084d84bd6371918c3ae7b555099474cdb6665bed0d969f6b5762b8cf5cc9
  • 2f1e047e840620460bdf7371e62e966919f25f763a53248357f890a4ff11791f
  • 6812190b1dec8c2a4c5d2b327d1bdbe72974fc017d86d2337ea06e9d3337959e
  • 77f2df32060e5125c6d4a3ab2a2a0c862eb44bc44614d494d23f4690a45d08a3
  • 309af51a8d86e031e25c2c928101b9afc9bcd1dcadbf4ef27ed3c0e8d7da0c98
  • c2861e5626c5ba40d28ec6c7d4ac32edc972a969d2454e74dc50829d02b5de2a
  • 8a7dc1c39321d972a21bf4fdd24f6f2ef3a03e4ea95c49f383ba03902010210c
  • 0e7824dfb7668af175a2b887e592773517f17213555c3b9af4f98d54278621d5
  • d389e2fc1515b8a2d8d365d072c201a308f776c873fdb185f826a35fde6fbf2b
  • bde87df68407fafc3ebd95665838eb5476cb854b338fb97252d153a2250f28b8
  • ab432a84b05de381c2f96a000c318ec78c98e39abfa7eea3210840c85b0cbee7

Vatet のペイロードのパス

  • \\\\settings.dat
  • \\\\upgrade.dat
  • \\\\vodafone.dat
  • \\\\winint2.sto
  • c:\windows\INF\Rainmeter.dat
  • c:\windows\INF\notepad.dat
  • c:\windows\INF\options.dat
  • c:\windows\debug\Rainmeter.dat
  • c:\windows\debug\config.dat
  • c:\windows\debug\notepad.dat
  • c:\windows\debug\options.dat
  • c:\windows\help\Rainmeter.dat
  • c:\windows\help\notepad.dat
  • c:\windows\help\options.dat
  • c:\windows\media\notepad.dat
  • c:\windows\notepad.dat
  • c:\windows\options.dat
  • c:\windows\system\options.dat
  • c:\windows\temp\options.dat

PDB のパス

  • C:\Users\1\Downloads\notepad-plus-plus-master\PowerEditor\bin\npp.pdb
  • C:\Users\1\Downloads\rainmeter-master\x32-Release\Obj\Library\Rainmeter.pdb
  • C:\Users\1\Downloads\rainmeter-master\x32-Release\Obj\Application\Rainmeter.pdb
  • C:\Users\1\Downloads\notepad-master\Debug\notepad.pdb
  • C:\Users\1\Downloads\tetris-game-master\Release\TetrisGame_zjy.pdb
  • Z:\coding\pyproject\compiled\cobalt_mode\cobalt_mode.pdb
  • Z:\coding\pyproject\compiled\ransom\ransom.pdb

PyXie Lite の設定

{
“logs”: {
“gates”: [
“:8443/data”
],
“aes_key”: “THIS_KEY_IS_FOR_INTERNAL_USE_ONLY”,
“send_attempts”: 10,
“send_attempts_timeout”: 5
},
“dirs_keys”: [“actifio”,
“aldelo”,
“altaro”,
“avamar”,
“avs”,
“back-up”,
“backup”,
“bank”,
“bitmessage”,
“client”,
“cobaltstrike”,
“coin”,
“diebold”,
“filemaker”,
“htape”,
“magtek”,
“ncr”,
“passw”,
“payment”,
“rapid7”,
“replication”,
“screenconnect”,
“swift”,
“tivoli”,
“unitrends”,
“vault”,
“veeam”,
“vranger”,
“wallet”,
“wincor”],
“shell_cmds”: [“arp -a”,
“cmdkey /list”,
“dclist”,
“gpresult /z”,
“ipconfig /all”,
“ipconfig /displaydns”,
“klist”,
“manage-bde -status”,
“net config workstation”,
“net group \”domain admins\” /domain”,
“net group \”Domain Admins\””,
“net group \”Enterprise Admins\””,
“net localgroup \”administrators\””,
“net localgroup”,
“net share”,
“net use”,
“net user”,
“net view /all /domain”,
“net view /all”,
“netstat -an”,
“nltest /domain_trusts /all_trusts”,
“nltest /domain_trusts”,
“nslookup -type=any %userdnsdomain%”,
“qwinsta”,
“route print”,
“systeminfo”,
“tasklist /V”,
“vssadmin List Shadows”,
“wmic process”,
“wmic qfe list”],
“dirs”: [“%ALLDRIVESROOTS%\\Alliance”,
“%APPDATA%\\Agama”,
“%APPDATA%\\Armory”,
“%APPDATA%\\B3-CoinV2”,
“%APPDATA%\\BeerMoney”,
“%APPDATA%\\Bitcloud”,
“%APPDATA%\\Bitcoin”,
“%APPDATA%\\BitcoinZ”,
“%APPDATA%\\bitconnect”,
“%APPDATA%\\Bither”,
“%APPDATA%\\bitmonero”,
“%APPDATA%\\BlocknetDX”,
“%APPDATA%\\Cybroscoin”,
“%APPDATA%\\Daedalus”,
“%APPDATA%\\DashCore”,
“%APPDATA%\\DeepOnion”,
“%APPDATA%\\DigiByte”,
“%APPDATA%\\Dogecoin”,
“%APPDATA%\\ElectronCash”,
“%APPDATA%\\Electrum”,
“%APPDATA%\\Electrum-LTC”,
“%APPDATA%\\Ember”,
“%APPDATA%\\EmeraldWallet”,
“%APPDATA%\\Ethereum Wallet”,
“%APPDATA%\\Exodus”,
“%APPDATA%\\FairCoin”,
“%APPDATA%\\faircoin2”,
“%APPDATA%\\Florincoin”,
“%APPDATA%\\FORT”,
“%APPDATA%\\GambitCoin”,
“%APPDATA%\\GeyserCoin”,
“%APPDATA%\\GreenCoinV2”,
“%APPDATA%\\GridcoinResearch”,
“%APPDATA%\\Gulden”,
“%APPDATA%\\Hush”,
“%APPDATA%\\IOTA Wallet”,
“%APPDATA%\\Komodo”,
“%APPDATA%\\Learncoin”,
“%APPDATA%\\lisk-nano”,
“%APPDATA%\\Litecoin”,
“%APPDATA%\\Minexcoin”,
“%APPDATA%\\mSIGNA_Bitcoin”,
“%APPDATA%\\MultiBitHD”,
“%APPDATA%\\MultiDoge”,
“%APPDATA%\\Neon”,
“%APPDATA%\\NXT”,
“%APPDATA%\\Parity”,
“%APPDATA%\\Particl”,
“%APPDATA%\\Peercoin”,
“%APPDATA%\\pink2”,
“%APPDATA%\\PPCoin”,
“%APPDATA%\\Qtum”,
“%APPDATA%\\RainbowGoldCoin”,
“%APPDATA%\\RoboForm”,
“%APPDATA%\\StartCOIN-v2”,
“%APPDATA%\\straks”,
“%APPDATA%\\Stratis”,
“%APPDATA%\\StratisNode”,
“%APPDATA%\\TREZOR Bridge”,
“%APPDATA%\\TrumpCoinV2”,
“%APPDATA%\\VeriCoin”,
“%APPDATA%\\Verium”,
“%APPDATA%\\Viacoin”,
“%APPDATA%\\VivoCore”,
“%APPDATA%\\Xeth”,
“%APPDATA%\\Zcash”,
“%APPDATA%\\ZcashParams”,
“%APPDATA%\\Zetacoin”,
“%LOCALAPPDATA%\\bisq”,
“%LOCALAPPDATA%\\copay”,
“%LOCALAPPDATA%\\programs\\zap-desktop”,
“%LOCALAPPDATA%\\RippleAdminConsole”,
“%LOCALAPPDATA%\\StellarWallet”,
“%PROGRAMDATA%\\bitmonero”,
“%PROGRAMDATA%\\electroneum”,
“%PROGRAMDATA%\\Tiger Technology”,
“%PROGRAMDATA%\\tivoli”],
“file_find”: {
“enabled”: 1,
“patterns”: [“10-q”,
“10-sb”,
“access”,
“avamar”,
“admin”,
“attack”,
“aws”,
“amazon”,
“backup”,
“balance”,
“bitcoin”,
“bitlocker”,
“bribery”,
“cardholder”,
“censored”,
“checking”,
“clandestine”,
“compromate”,
“concealed”,
“confidential”,
“contraband”,
“convict”,
“credent”,
“cyber”,
“disclosure”,
“engineering”,
“esxi”,
“ethereum”,
“explosive”,
“finance”,
“fraud”,
“hidden”,
“illegal”,
“infrastruct”,
“instruction”,
“investigation”,
“logins”,
“marketwired”,
“military”,
“n-csr”,
“nasdaq”,
“nda”,
“newswire”,
“operation”,
“passport”,
“passw”,
“personal”,
“privacy”,
“private”,
“restricted”,
“routing”,
“saving”,
“secret”,
“security”,
“spy”,
“statement”,
“storage”,
“submarine”,
“suspect”,
“tactical”,
“treason”,
“username”,
“vault”,
“victim”,
“vsphere”,
“wallet”,
“wasabi”,
“wire”
],
“extentions”: [“.doc”,
“.docx”,
“.xls”,
“.xlsx”,
“.pdf”,
“.txt”,
“.rtf”],
“gold_masks”: [“*.rdp”,
“*.kdbx”,
“*.vnc”,
“*.cpp”,
“*.c”,
“*.sln”,
“*.vcproj”,
“*.h”,
“*.asm”,
“*cobaltstrike*”,
“*.ovpn”,
“*.pcf”,
“*.conf”],
“black_files”: [“Default.rdp”,
“Microsoft June”,
“Release_Note”,
“Release Note”,
“desktop.ini”,
“Microsoft Silverlight”,
“localhost_access_log”,
“dd_clwireg.txt”],
“black_dirs”: [“\\microsoft\\windows”,
“\\gfi\\languard”,
“\\microsoft\\windows\\cookies”,
“\\vmware\\vcenterserver”,
“\\autoupdate\\cache”,
“\\microsoft office\\root”],
“max_size”: 5242880
},
“software”: [” OPOS”,
“Aldelo”,
“Actifio”,
“Alliance WebStation”,
“Alliance Workstation”,
“Altaro”,
“Back-up”,
“Rapid7”,
“Backup”,
“Bank”,
“Blockchain”,
“Boot Camp”,
“Box Sync”,
“BridgeHead”,
“CAM Commerce Solutions”,
“Card Processing”,
“Cash”,
“Cisco”,
“Citrix”,
“Cloud”,
“Coin”,
“Dashlane”,
“Diskeeper”,
“Double-Take”,
“Dropbox”,
“Elcomsoft”,
“FileZilla Server”,
“FortiClient”,
“Fund”,
“iDrive”,
“Ledger”,
“LexisNexis”,
“LogMeIn”,
“M262x”,
“Microsoft Dynamics RMS Store Operations”,
“Microsoft POS”,
“vRanger”,
“Money”,
“mRemoteNG”,
“MSR”,
“Password”,
“Payment”,
“Private”,
“Protect”,
“PuTTY”,
“QuickBooks”,
“Replication”,
“ScreenConnect”,
“Shadow”,
“SII RP-D10”,
“Storage”,
“SWIFT”,
“TeamViewer”,
“Token”,
“Trade”,
“Treasury”,
“Trezor”,
“Vault”,
“Unitrends”,
“VIP Access”,
“VMware”,
“Vnc”,
“VPN”,
“Wallet”,
“Withdraw”],
“registry”: [“SOFTWARE\\Ammyy”,
“SOFTWARE\\Cppcheck”,
“SOFTWARE\\DASH”,
“SOFTWARE\\Dash”,
“SOFTWARE\\DeterministicNetworks”,
“SOFTWARE\\GitForWindows”,
“SOFTWARE\\GlavSoft LLC.”,
“SOFTWARE\\GnuPG”,
“SOFTWARE\\Hex-Rays”,
“SOFTWARE\\Hex-Rays SA”,
“SOFTWARE\\HexaD”,
“SOFTWARE\\ITarian”,
“SOFTWARE\\LogMeIn Ignition”,
“SOFTWARE\\LogMeIn”,
“SOFTWARE\\MetaQuotes Software”,
“SOFTWARE\\Microsoft\\ResKit\\Robocopy”,
“SOFTWARE\\Nmap”,
“SOFTWARE\\Pulse Secure”,
“SOFTWARE\\PyBitmessage”,
“SOFTWARE\\PyBitmessage”,
“SOFTWARE\\S.W.I.F.T.”,
“SOFTWARE\\ShrewSoft”,
“SOFTWARE\\SimonTatham”,
“SOFTWARE\\SonicWall”,
“SOFTWARE\\TortoiseSVN”,
“SOFTWARE\\Veeam”,
“SOFTWARE\\VisualSVN”,
“SOFTWARE\\Whole Tomato”,
“SOFTWARE\\WinLicense”],
“portscan”: {“Bitcoin”: [8332,8333],
“DNS”: [53],
“Elasticsearch”: [9200,9300],
“FTP”: [21],
“Horizon Agent”: [22443,4172,9427,32111],
“HTTP”: [80,5000,9043],
“HTTPS”: [443,8443,1311,5001,8200],
“JAVA-RMI”: [34571,1099,1090,1098,1099,4444,11099,47001,47002,10999],
“MongoDB”: [27017],
“MSSQL”: [1433],
“MySQL”: [3306],
“neo4j”: [7687],
“NetBackup”: [5637],
“NETBIOS”: [139],
“Oracle”: [1521],
“POP3”: [110],
“POP3s”: [995],
“PostgreSQL”: [5432],
“PPTP”: [1723],
“RADMIN”: [4899],
“RDP”: [3389],
“SMTP”: [25],
“SonicWall-VPN”: [4433],
“SSH”: [22],
“Telnet”: [23],
“Tivoli”: [1500,1581],
“TOR”: [9050],
“AcronixBackup”: [9877],
“vCenter”: [22024,902,903,10080,10443],
“Veeam”: [9392,9393,9394,9397,9398,9399],
“VNC”: [5900, 5800],
“WinRM”: [5985,5986],
“Zabbix”: [10050,10051],
“JDWP”: [45000,45001],
“JMX”: [8686,9012,50500],
“jBoss”: [11111,4444,4445],
“Cisco Smart Install”: [4786],
“HP Data Protector”: [5555,5556],
“GlassFish”: [4848]
}
}

PyXie Lite のリマップされたオペコード

def_op(‘PRINT_ITEM’, 78)
def_op(‘PRINT_NEWLINE’, 63)
def_op(‘POP_TOP’, 85)
def_op(‘RETURN_VALUE’, 88)
def_op(‘ROT_TWO’, 29)
def_op(‘ROT_THREE’, 9)
def_op(‘STORE_MAP’, 55)
def_op(‘INPLACE_ADD’, 28)
def_op(‘ROT_FOUR’, 72)
def_op(‘UNARY_POSITIVE’, 12)
def_op(‘UNARY_NEGATIVE’, 64)
def_op(‘UNARY_NOT’, 66)
def_op(‘UNARY_CONVERT’, 20)
def_op(‘UNARY_INVERT’, 65)
def_op(‘GET_ITER’, 83)
def_op(‘BINARY_MULTIPLY’, 80)
def_op(‘BINARY_POWER’, 79)
def_op(‘BINARY_DIVIDE’, 15)
def_op(‘BINARY_MODULO’, 76)
def_op(‘BINARY_ADD’, 84)
def_op(‘BINARY_SUBTRACT’, 89)
def_op(‘BINARY_SUBSCR’, 57)
def_op(‘BINARY_FLOOR_DIVIDE’, 68)
def_op(‘INPLACE_FLOOR_DIVIDE’, 24)
def_op(‘INPLACE_DIVIDE’, 82)
def_op(‘INPLACE_SUBTRACT’, 22)
def_op(‘INPLACE_MULTIPLY’, 13)
def_op(‘INPLACE_MODULO’, 70)
def_op(‘STORE_SUBSCR’, 54)
def_op(‘DELETE_SUBSCR’, 77)
def_op(‘BINARY_LSHIFT’, 60)
def_op(‘BINARY_RSHIFT’, 21)
def_op(‘BINARY_AND’, 3)
def_op(‘BINARY_XOR’, 73)
def_op(‘BINARY_OR’, 56)
def_op(‘INPLACE_POWER’, 23)
def_op(‘POP_BLOCK’, 2)
def_op(‘DUP_TOP’, 75)
def_op(‘PRINT_ITEM_TO’, 5)
def_op(‘PRINT_NEWLINE_TO’, 11)
def_op(‘INPLACE_LSHIFT’, 59)
def_op(‘INPLACE_RSHIFT’, 74)
def_op(‘INPLACE_AND’, 61)
def_op(‘INPLACE_XOR’, 27)
def_op(‘INPLACE_OR’, 71)
def_op(‘BREAK_LOOP’, 58)
def_op(‘WITH_CLEANUP’, 19)
def_op(‘END_FINALLY’, 4)
def_op(‘BUILD_CLASS’, 87)
def_op(‘EXEC_STMT’, 10)
def_op(‘LOAD_LOCALS’, 67)
def_op(‘IMPORT_STAR’, 26)
def_op(‘YIELD_VALUE’, 25)