【Indicator Information】
■Hash information (MD5)
■IP address
108.61.189.174
■Mutex
Local\TEMPDAHCE01
Local\zaapr
Local\reezaaprLog
Local\{Temp-00-aa-123-mr-bbb}
■Scheduled task
CacheTask_
■Directory with malicious modules
Main malware directory: %APPDATA%\Microsoft\Event Cache
Commands from C2 in subdirectory: Cache001\cde00.acf
■Events.exe persistence records in Windows system registry keys
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Activity Manager
■Victims’ fingerprints stored in
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\PidRegData or
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\PidRegData
■RC4 encrypted C2 commands stored in
HKCU\SOFTWARE\Microsoft\Fax
■HTTP requests template
http://
/asp.asp?ui= nrg- -
Also a bitsadmin.exe task that fetches from external network resources addressed directly by IP address
【Blog】
◆Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities (Securelist (Kaspersky), 2019/01/30)
https://securelist.com/chafer-used-remexi-malware/89538/