【ハニーポット簡易分析】Honeypot簡易分析(397-403日目:9/21-26)
ハニーポット簡易分析の簡易分析となります。
◾️Honeytrap
※80ポートは除く
<国別検知数および検知数>
<ポート検知数>
| ポート番号 | サービス | 件数 |
| 445 | smb | 24901 |
| 22 | ssh | 17892 |
| 23 | telnet | 7937 |
| 20053 | Unknown | 3085 |
| 5900 | vnc | 2340 |
| 3389 | rdp | 2299 |
| 1433 | ms-sql-s | 1627 |
| 6379 | Unknown | 1091 |
| 2323 | telnet | 1036 |
| 3306 | mysql | 1022 |
<マルウェアダウンロード>
| Malware URL | VT Link | Status Code | Hash | Virus Name |
| hxxp://116[.]203[.]209[.]50/Jaws[.]sh | https://www.virustotal.com/url/750c5f3dc91d280b396c19aa34ea5e6d4d7f5bec3b6b4bd78ac07a9293f413cc/analysis/1569380903/ | Unknown | ||
| hxxp://switchnets[.]net/unstable | https://www.virustotal.com/url/aacd30e68a31b91742fbe5a9078ae0823f13255018ab65efe39a0e4a6c48f89b/analysis/1568526555/ | Unknown | ||
| hxxp://31[.]13[.]195[.]49/x | https://www.virustotal.com/url/65071584ab70a5353da1eeec090311e3fb8c2c1de103387b2c94cb29d32ac4b3/analysis/1568512414/ | Unknown | ||
| hxxp://pm[.]cpuminerpool[.]com/pm[.]sh | https://www.virustotal.com/file/81de9fc33ab05928f9abca627435b3fa40a3470e01dc435dddae0e7bec640274/analysis/1568621852/ | 200 | cd3af8bc58dc26936a02e1598992dffe586b3475 | |
| hxxp://142[.]11[.]199[.]235/mips | https://www.virustotal.com/file/af18cd19287cdf764418b4212cbcd64e5bba8e8632a3990026f6f5c0b54f3fce/analysis/1567916002/ | 200 | 8bc0fcd0b5f456938cf6db535316146359ea02a8 | ESET-NOD32:a variant of Linux/Mirai.AEL, TrendMicro-HouseCall:Backdoor.Linux.MIRAI.SMMR1, Avast:ELF:Hajime-R [Trj], ClamAV:Unix.Trojan.Gafgyt-6748839-0, Kaspersky:HEUR:Backdoor.Linux.Mirai.ad, Rising:Backdoor.Mirai/Linux!1.BAF6 (CLASSIC), DrWeb:Linux.Mirai.1443, TrendMicro:Backdoor.Linux.MIRAI.SMMR1, McAfee-GW-Edition:Linux/Mirai-FDXO!249E607F736C, Sophos:Mal/Generic-S, Fortinet:ELF/Mirai.AE!tr, Microsoft:DDoS:Linux/Gafgyt.YA!MTB, ZoneAlarm:HEUR:Backdoor.Linux.Mirai.ad, Avast-Mobile:ELF:Mirai-UM [Trj], AhnLab-V3:Linux/Exploit.Gen2, McAfee:Linux/Mirai-FDXO!249E607F736C, Tencent:Backdoor.Linux.Mirai.wao, GData:Linux.Trojan.Mirai.E, AVG:ELF:Hajime-R [Trj] |
| hxxp://174[.]128[.]226[.]101/mps | https://www.virustotal.com/file/65d5a289f33ab2bbb3e9c37b30d89ac175e5a6fede4f4ce51703f9d5034ebfff/analysis/1569535088/ | 200 | 4fe19ac96f6e65716db789692a8d462285edb6eb | MicroWorld-eScan:Gen:Variant.Backdoor.Linux.Tsunami.1, FireEye:Gen:Variant.Backdoor.Linux.Tsunami.1, ALYac:Gen:Variant.Backdoor.Linux.Tsunami.1, Symantec:Linux.Backdoor.Kaiten, ESET-NOD32:a variant of Linux/Tsunami.NDJ, TrendMicro-HouseCall:Backdoor.Linux.BASHLITE.SMJC10, Avast:ELF:DDoS-Y [Trj], Kaspersky:HEUR:Backdoor.Linux.Tsunami.cb, BitDefender:Gen:Variant.Backdoor.Linux.Tsunami.1, Tencent:Backdoor.Linux.Tsunami.x, Ad-Aware:Gen:Variant.Backdoor.Linux.Tsunami.1, Sophos:Linux/Tsunami-A, DrWeb:Linux.BackDoor.Tsunami.239, TrendMicro:Backdoor.Linux.BASHLITE.SMJC10, Emsisoft:Gen:Variant.Backdoor.Linux.Tsunami.1 (B), Fortinet:ELF/Tsunami.NDJ!tr, Arcabit:Trojan.Backdoor.Linux.Tsunami.1, ZoneAlarm:HEUR:Backdoor.Linux.Tsunami.cb, Avast-Mobile:ELF:Tsunami-EQ [Trj], AhnLab-V3:Linux/Tsunami.Gen3, MAX:malware (ai score=84), Rising:Backdoor.Tsunami!1.A1B2 (CLASSIC), Ikarus:Trojan.Linux.Gafgyt, GData:Gen:Variant.Backdoor.Linux.Tsunami.1, AVG:ELF:DDoS-Y [Trj], Qihoo-360:virus.elf.tsunami.gen |
| hxxp://174[.]128[.]226[.]101/mips | https://www.virustotal.com/file/c51c776b3aff1533eaf680473d5292cee0fc6d7a8c2821971fc56a781ead56e6/analysis/1568738331/ | 200 | 81542728b7d0ed176f7e9e965880c661ebe72bb0 | MicroWorld-eScan:Gen:Variant.Backdoor.Linux.Tsunami.1, FireEye:Gen:Variant.Backdoor.Linux.Tsunami.1, Symantec:Linux.Backdoor.Kaiten, ESET-NOD32:a variant of Linux/Tsunami.NDJ, TrendMicro-HouseCall:Backdoor.Linux.BASHLITE.SMJC10, Avast:ELF:DDoS-Y [Trj], Kaspersky:HEUR:Backdoor.Linux.Tsunami.cb, BitDefender:Gen:Variant.Backdoor.Linux.Tsunami.1, Tencent:Backdoor.Linux.Tsunami.x, Ad-Aware:Gen:Variant.Backdoor.Linux.Tsunami.1, Emsisoft:Gen:Variant.Backdoor.Linux.Tsunami.1 (B), DrWeb:Linux.BackDoor.Tsunami.239, TrendMicro:Backdoor.Linux.BASHLITE.SMJC10, Sophos:Linux/Tsunami-A, Ikarus:Trojan.Linux.Gafgyt, Fortinet:ELF/Tsunami.NDJ!tr, Arcabit:Trojan.Backdoor.Linux.Tsunami.1, AhnLab-V3:Linux/Tsunami.Gen3, ZoneAlarm:HEUR:Backdoor.Linux.Tsunami.cb, Avast-Mobile:ELF:Tsunami-EQ [Trj], ALYac:Gen:Variant.Backdoor.Linux.Tsunami.1, MAX:malware (ai score=94), Rising:Backdoor.Tsunami!1.A1B2 (CLASSIC), GData:Gen:Variant.Backdoor.Linux.Tsunami.1, AVG:ELF:DDoS-Y [Trj], Qihoo-360:virus.elf.tsunami.gen |
| hxxp://anunna[.]club/x | https://www.virustotal.com/url/909fc6bee20704cbabf60e87015c40449ad952472d2bff376a1abffc9a699ec3/analysis/1568526488/ | Unknown | ||
| hxxp://188[.]241[.]73[.]110 | https://www.virustotal.com/url/1722db233eac9086f70b07d4211d1601c1351da6d56505db9958e3a517fd184a/analysis/1569000735/ | Unknown | ||
| hxxp://192[.]236[.]194[.]242/Omri/mips | https://www.virustotal.com/url/cf7ad3c0525b0cc6fbcb15c65e04b042f48634cdd31e11f00eabd806de1351dc/analysis/1569526018/ | Unknown | ||
| hxxp://54[.]37[.]74[.]232/icy[.]sh | https://www.virustotal.com/url/cef539c393a597a19df98fa6935d20e735fb4c58bf00b0c770787301e282ef0d/analysis/1569535355/ | 404 | ||
| hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl | https://www.virustotal.com/url/a6f5ede156b47f49d538b282d79e957cc35bb49a0d7de895b0d1df83a68c2819/analysis/1568282400/ | Unknown | ||
| hxxp://cb[.]fuckingmy[.]life/download[.]exe | https://www.virustotal.com/url/e9f5753e8b9309ed204a1eda6000a92650aeccad615b8fadb622348f1053c7b9/analysis/1569533740/ | Unknown | ||
| hxxp://185[.]181[.]10[.]234/E5DB0E07C3D7BE80V520/init[.]sh | https://www.virustotal.com/file/c523bb5d3985c966fe761f89315f5fa240b328e51700ec91b60f1f0a1bef3594/analysis/1568201583/ | 200 | 773ab67d9863878552a504d4144ebaf6dfc49f56 | McAfee:Linux/CoinMiner.x, Symantec:Trojan.Gen.NPE, TrendMicro-HouseCall:Possible_MINERDLOD.SMLBOB, Avast:BV:Miner-BR [Drp], ClamAV:Txt.Coinminer.Downloader-6811173-0, GData:Script.Trojan.Agent.7JIURA, Kaspersky:HEUR:Trojan-Downloader.Shell.Miner.gen, AegisLab:Trojan.Shell.Miner.4!c, Tencent:Heur:Trojan.Linux.Downloader.i, DrWeb:Linux.BtcMine.222, TrendMicro:Trojan.Linux.PUAMSON.USNELEO19, McAfee-GW-Edition:Linux/CoinMiner.x, Cyren:Trojan.DGIS-4, Jiangmin:Trojan.GenericKD.bju, Antiy-AVL:Trojan[Downloader]/Shell.Miner, ZoneAlarm:HEUR:Trojan-Downloader.Shell.Miner.gen, Microsoft:Trojan:Win32/Mamson.A!ml, AhnLab-V3:Shell/Agent, Ikarus:Trojan.Script.Agent, MaxSecure:Trojan.Malware.74320078.susgen, AVG:BV:Miner-BR [Drp], Qihoo-360:Win32/Trojan.Downloader.7dd |
| hxxp://1[.]2[.]3[.]4 | https://www.virustotal.com/url/0e3af06fb425eb01f41bfbf30eeec767dbadee170094404068408fd43dbd876e/analysis/1569330624/ | Unknown | ||
| hxxp://142[.]11[.]199[.]235 | https://www.virustotal.com/url/f318797d0234d873ff5598096d4017e8ebe5ffe303a1405c2c60135bbdec7b65/analysis/1569422760/ | 403 | ||
| hxxp://185[.]86[.]78[.]254 | https://www.virustotal.com/file/883ef85e3d2ce48c3581398a432e6e902d85ee2276dc28a57026ed33c2e97957/analysis/1569572965/ | 200 | 8c176deaf59f112125b796afe5510e55fac22636 | |
| hxxp://142[.]11[.]210[.]231/bins/packets[.]mips | https://www.virustotal.com/url/97f7e7571a93526ca3c447c3c41a8989371a9f59d493e547c5c2d67ea904f5f5/analysis/1569093338/ | Unknown | ||
| hxxp://46[.]183[.]221[.]143/engine[.]mips | https://www.virustotal.com/url/6765475ea0356a713aa451551beb3c0cc9f2f6be26216770c17f67991e222ba0/analysis/1569573199/ | 404 | ||
| hxxp://185[.]244[.]150[.]111/x | https://www.virustotal.com/url/f0133023bcaca352821d5de13c1da82d5066dccf84af52599f8b0696929755a9/analysis/1565612255/ | Unknown | ||
| hxxp://185[.]35[.]138[.]156/c | https://www.virustotal.com/url/43c2691ddea4cc59176e8bdadf79c46967439412806c4ba3bb143188ba3bd47e/analysis/1568565075/ | Unknown | ||
| hxxp://31[.]13[.]195[.]109/jaws[.]sh | https://www.virustotal.com/url/bdd12fe0171ecb51d25443c0c09f183b134a8271022b7e9651866e9742eca0c6/analysis/1568526339/ | 404 | ||
| hxxp://45[.]80[.]37[.]166/htp/ab[.]arm4 | https://www.virustotal.com/url/830f7e1e87830b156a2ae9f895cc1cf26e6f67d99342c3f7bfc9c5cc8a19941d/analysis/1567476254/ | Unknown |
◾️WoWHoneypot
<国別検知数および検知数>
| target | count |
| Tomcat | 418 |
| - | 204 |
| phpMyAdmin | 117 |
| FreePBX | 46 |
| WordPress | 33 |
| ThinkPHP | 15 |
| Unauthorized Relay | 10 |
| SQLiteManager | 6 |
| Apache Struts2 | 4 |
| SQL | 4 |
| MySQL | 3 |
| Webshell | 3 |
| D-Link DIR-850L | 2 |
| SQLite | 2 |
| DGN1000 Netgea Router | 1 |
| Login Page | 1 |
| SQLite Manager | 1 |
| Unknown | 1 |
<マルウェアダウンロード>
| malware_wowhoneypot_report | wow_path |
| hxxp://103[.]55[.]13[.]68:5678/lsyy | /index.action |
| hxxp://206[.]72[.]206[.]82/sh | /login.cgi |
| hxxp://aaa[.]linuxa[.]club:57843/linux | /index.action |
| hxxp://hfs[.]mhacker[.]cc:9278/Linux[.]server | /index.action |
以上となります。
