Wins blog

Global Security Partner! Global Security No.1: Wins is growing from Korea's leading information security company into a global hidden champion.

Security Information

Malware Info: Win32/Trojan.VPNfilter
Posted 2018-06-05 | Views 785

ㅁ Malware IoC

  Pattern     Win32/Trojan.VPNfilter
  Filename    qsync.php
  Type        elf
  Size        291,256 bytes
  MD5         5f358afee76f2a74b1a3443c6012b27b

ㅁ Malware Traffic

GET /?format=json HTTP/1.1
User-Agent: Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)
Host: api.ipify.org
Accept: */*
Content-Type: application/x-www-form-urlencoded

HTTP/1.1 200 OK
Server: Cowboy
Connection: keep-alive
Content-Type: application/json
Vary: Origin
Date: Tue, 29 May 2018 01:09:20 GMT
Content-Length: 22
Via: 1.1 vegur

{"ip":"[Removed]"}

GET /user/nikkireed11/library HTTP/1.1
User-Agent: Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)
Host: photobucket.com
Accept: */*

GET /manage/content/update.php HTTP/1.1
User-Agent: Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)
Host: toknowall.com
Accept: */*

* C2 communication is carried out with a User-Agent header that differs from the ones a normal browser sends.
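As an added example (not code from Wins or from the Talos report linked below), the following Python script applies the network indicators in this post to proxy-log lines. It flags the exact C2 User-Agent shown in the traffic above, flags any User-Agent whose Mozilla or Windows NT version token is one real browsers never emit (the Mozilla/6.1 and Windows NT 5.3 tokens in this sample are both invalid), and matches the C2 hosts, IPs and photobucket gallery paths from the C2 list. The log-line format and the sample lines are constructed for the example; the sets of valid version tokens are an assumption based on shipped browser and Windows releases.

```python
"""Flag proxy-log requests that match the VPNFilter network indicators in this post."""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Indicators taken from the post: the C2 User-Agent and the C2 endpoints.
VPNFILTER_USER_AGENT = "Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)"
C2_HOSTS = {"toknowall.com", "zuh3vcyskd4gipkm.onion"}
C2_PHOTOBUCKET_USERS = {
    "nikkireed11", "kmila302", "lisabraun87", "eva_green1", "monicabelci4",
    "katyperry45", "saragray1", "millerfred", "jeniferaniston1",
    "amandaseyfried1", "suwe8", "bob7301",
}
C2_IPS = {
    "91.121.109.209", "217.12.202.40", "94.242.222.68", "82.118.242.124",
    "46.151.209.33", "217.79.179.14", "91.214.203.144", "95.211.198.231",
    "195.154.180.60", "5.149.250.54", "91.200.13.76", "94.185.80.82",
    "62.210.180.229",
}

# Assumption: version tokens real browsers emit; anything else in these slots is suspicious.
REAL_MOZILLA_TOKENS = {"4.0", "5.0"}
REAL_WINDOWS_NT_VERSIONS = {"5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"}

# Hypothetical proxy-log format used for this example: time src_ip method url "user-agent"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields; return None for lines that do not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = parts.hostname or ""  # hostname is lowercased by urlsplit
    rec["path"] = parts.path
    return rec


def user_agent_anomalies(ua: str) -> List[str]:
    """Reasons a User-Agent looks wrong: exact C2 string, or impossible version tokens."""
    reasons = []
    if ua == VPNFILTER_USER_AGENT:
        reasons.append("ua-exact-vpnfilter")
    moz = re.match(r"Mozilla/(\d+\.\d+)", ua)
    if moz and moz.group(1) not in REAL_MOZILLA_TOKENS:
        reasons.append(f"ua-bogus-mozilla-token:{moz.group(1)}")
    nt = re.search(r"Windows NT (\d+\.\d+)", ua)
    if nt and nt.group(1) not in REAL_WINDOWS_NT_VERSIONS:
        reasons.append(f"ua-bogus-windows-nt:{nt.group(1)}")
    return reasons


def c2_matches(rec: Dict[str, str]) -> List[str]:
    """Reasons the destination matches a listed C2 endpoint."""
    reasons = []
    host = rec["host"]
    if host in C2_HOSTS or host in C2_IPS:
        reasons.append(f"c2-host:{host}")
    # photobucket.com is a legitimate site; only the listed user galleries are indicators.
    m = re.match(r"^/user/([^/]+)/library/?$", rec["path"])
    if host == "photobucket.com" and m and m.group(1) in C2_PHOTOBUCKET_USERS:
        reasons.append(f"c2-photobucket-gallery:{m.group(1)}")
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return one alert per log line that matches any indicator."""
    alerts = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        reasons = user_agent_anomalies(rec["ua"]) + c2_matches(rec)
        if reasons:
            alerts.append({"src": rec["src"], "url": rec["url"], "reasons": reasons})
    return alerts


# Constructed sample log: three infected-host requests mirroring the capture above, one benign request.
SAMPLE_LOG = [
    '2018-05-29T01:09:20Z 10.0.0.5 GET http://api.ipify.org/?format=json "Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)"',
    '2018-05-29T01:09:21Z 10.0.0.5 GET http://photobucket.com/user/nikkireed11/library "Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)"',
    '2018-05-29T01:09:22Z 10.0.0.5 GET http://toknowall.com/manage/content/update.php "Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)"',
    '2018-05-29T01:10:00Z 10.0.0.7 GET https://example.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    "malformed line that does not parse",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["src"], alert["url"], ", ".join(alert["reasons"]))
```

The version-token check is what keeps the rule useful once the exact User-Agent string is changed: a request that claims Mozilla/6.1 or Windows NT 5.3 is still flagged even if it never touches a listed host. The photobucket match is deliberately on host plus gallery path, since the domain itself is legitimate traffic in most environments.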

ㅁ Malware String

 - ASCII: User-Agent: Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)
 - ASCII: qnapx86
 - ASCII: npxXoudifFeEgGaACScs
 - ASCII: hlLjztqZ

ㅁ Malware C2

 - photobucket[.]com/user/nikkireed11/library
 - photobucket[.]com/user/kmila302/library
 - photobucket[.]com/user/lisabraun87/library
 - photobucket[.]com/user/eva_green1/library
 - photobucket[.]com/user/monicabelci4/library
 - photobucket[.]com/user/katyperry45/library
 - photobucket[.]com/user/saragray1/library
 - photobucket[.]com/user/millerfred/library
 - photobucket[.]com/user/jeniferaniston1/library
 - photobucket[.]com/user/amandaseyfried1/library
 - photobucket[.]com/user/suwe8/library
 - photobucket[.]com/user/bob7301/library
 - toknowall[.]com
 - 91.121.109[.]209
 - 217.12.202[.]40
 - 94.242.222[.]68
 - 82.118.242[.]124
 - 46.151.209[.]33
 - 217.79.179[.]14
 - 91.214.203[.]144
 - 95.211.198[.]231
 - 195.154.180[.]60
 - 5.149.250[.]54
 - 91.200.13[.]76
 - 94.185.80[.]82
 - 62.210.180[.]229
 - zuh3vcyskd4gipkm[.]onion/bin32/update.php

ㅁ Malware Hashes

 - 50ac4fcd3fbc8abcaa766449841b3a0a684b3e217fc40935f1ac22c34c58a9ec
 - 0e0094d9bd396a6594da8e21911a3982cd737b445f591581560d766755097d92
 - 9683b04123d7e9fe4c8c26c69b09c2233f7e1440f828837422ce330040782d17
 - d6097e942dd0fdc1fb28ec1814780e6ecc169ec6d24f9954e71954eedbc4c70e
 - 4b03288e9e44d214426a02327223b5e516b1ea29ce72fa25a2fcef9aa65c4b0b
 - 9eb6c779dbad1b717caa462d8e040852759436ed79cc2172692339bc62432387
 - 37e29b0ea7a9b97597385a12f525e13c3a7d02ba4161a6946f2a7d978cc045b4
 - 776cb9a7a9f5afbaffdd4dbd052c6420030b2c7c3058c1455e0a79df0e6f7a1d
 - 8a20dc9538d639623878a3d3d18d88da8b635ea52e5e2d0c2cce4a8c5a703db1
 - 0649fda8888d701eb2f91e6e0a05a2e2be714f564497c44a3813082ef8ff250b
 - f8286e29faa67ec765ae0244862f6b7914fcdde10423f96595cb84ad5cc6b344
 - afd281639e26a717aead65b1886f98d6d6c258736016023b4e59de30b7348719

ㅁ Wins Sniper Pattern

 - [4328] Linux/Trojan.VPNfilter.291256
 - [4329] Linux/Trojan.VPNfilter.Connection

Source

https://blog.talosintelligence.com/2018/05/VPNFilter.html

Attachments: none.
Tags: Trojan, VPNfilter, Malware Info