Snatch (2020/06/21) - IoC (TT Malware Log)

【インディケータ情報】

■ハッシュ情報(Sha256) - Snatch -

3160b4308dd9434ebb99e5747ec90d63722a640d329384b1ed536b59352dace6
b9e4299239880961a88875e1265db0ec62a8c4ad6baf7a5de6f02ff4c31fcdb1
c305b75a4333c7fca9d1d71b660530cc98197b171856bf433e4e8f3af0424b11
116ebe27202905affb94f5c1597d511abcb5b381411431956a03e47b388582bf
2155a029a024a2ffa4eff9108ac15c7db527ca1c8f89ccfd94cc3a70b77cfc57
3295f5029f9c9549a584fa13bc6c25520b4ff9a4b2feb1d9e935cc9e4e0f0924
251427c578eaa814f07037fbe6e388b3bc86ed3800d7887c9d24e7b94176e30d
3160b4308dd9434ebb99e5747ec90d63722a640d329384b1ed536b59352dace6
6c9d8c577dddf9cc480f330617e263a6ee4461651b4dec1f7215bda77df911e7
a80c7fe1f88cf24ad4c55910a9f2189f1eedad25d7d0fd53dbfe6bdd68912a84

(以上は The DFIR Report の情報: 引用元は https://thedfirreport.com/2020/06/21/snatch-ransomware/ )

■ハッシュ情報(Sha1) - Snatch -

b93d633d379052f0a15b0f9c7094829461a86dbb
d5a0c796032eda2fe20d1f39bae3fbc4e6407e8c
90035ab418033b39d584c7bc609cab1664460069
14b2948a28d16c05fa7237dd8823592a735ef43f
c24aee8fa0a81a82fe73bf60e0282b1038d6ea80
0882f2e72f1ca4410fe8ae0fa1138800c3d1561d
89be35c19a65b9e6f7a277e1a9f66ab76d024378
b93d633d379052f0a15b0f9c7094829461a86dbb
18f963dbee830e64828991d26a06d058326c1ddb
5b86cf095fe515b590d18b2e976d9e544c43f6ca

(以上は The DFIR Report の情報: 引用元は https://thedfirreport.com/2020/06/21/snatch-ransomware/ )

■ハッシュ情報(MD5) - Snatch -

2bbff2111232d73a93cd435300d0a07e
1422dae0330c713935d50773680fcb39
c9a728aa3f5b6f48b68df4bb66b41a5c
1f7b17cacb0263b84cf3e9d4a5429ef9
6d9d31414ee2c175255b092440377a88
3d33a19bb489dd5857b515882b43de12
3e36d3dc132e3a076539acc9fcd5535c
2bbff2111232d73a93cd435300d0a07e
54fe4d49d7b4471104c897f187e07f91
891708936393b69c212b97604a982fed

(以上は The DFIR Report の情報: 引用元は https://thedfirreport.com/2020/06/21/snatch-ransomware/ )

■IPアドレス情報 - Snatch -

91.229.77.161
193.70.12.240
178.162.209.135

(以上は The DFIR Report の情報: 引用元は https://thedfirreport.com/2020/06/21/snatch-ransomware/ )

【検索】

google: 3160b4308dd9434ebb99e5747ec90d63722a640d329384b1ed536b59352dace6
google: b9e4299239880961a88875e1265db0ec62a8c4ad6baf7a5de6f02ff4c31fcdb1
google: c305b75a4333c7fca9d1d71b660530cc98197b171856bf433e4e8f3af0424b11
google: 116ebe27202905affb94f5c1597d511abcb5b381411431956a03e47b388582bf
google: 2155a029a024a2ffa4eff9108ac15c7db527ca1c8f89ccfd94cc3a70b77cfc57
google: 3295f5029f9c9549a584fa13bc6c25520b4ff9a4b2feb1d9e935cc9e4e0f0924
google: 251427c578eaa814f07037fbe6e388b3bc86ed3800d7887c9d24e7b94176e30d
google: 3160b4308dd9434ebb99e5747ec90d63722a640d329384b1ed536b59352dace6
google: 6c9d8c577dddf9cc480f330617e263a6ee4461651b4dec1f7215bda77df911e7
google: a80c7fe1f88cf24ad4c55910a9f2189f1eedad25d7d0fd53dbfe6bdd68912a84

google: b93d633d379052f0a15b0f9c7094829461a86dbb
google: d5a0c796032eda2fe20d1f39bae3fbc4e6407e8c
google: 90035ab418033b39d584c7bc609cab1664460069
google: 14b2948a28d16c05fa7237dd8823592a735ef43f
google: c24aee8fa0a81a82fe73bf60e0282b1038d6ea80
google: 0882f2e72f1ca4410fe8ae0fa1138800c3d1561d
google: 89be35c19a65b9e6f7a277e1a9f66ab76d024378
google: b93d633d379052f0a15b0f9c7094829461a86dbb
google: 18f963dbee830e64828991d26a06d058326c1ddb
google: 5b86cf095fe515b590d18b2e976d9e544c43f6ca

google: 2bbff2111232d73a93cd435300d0a07e
google: 1422dae0330c713935d50773680fcb39
google: c9a728aa3f5b6f48b68df4bb66b41a5c
google: 1f7b17cacb0263b84cf3e9d4a5429ef9
google: 6d9d31414ee2c175255b092440377a88
google: 3d33a19bb489dd5857b515882b43de12
google: 3e36d3dc132e3a076539acc9fcd5535c
google: 2bbff2111232d73a93cd435300d0a07e
google: 54fe4d49d7b4471104c897f187e07f91
google: 891708936393b69c212b97604a982fed

google: "91.229.77.161"
google: "193.70.12.240"
google: "178.162.209.135"

【VT検索】

https://www.virustotal.com/gui/ip-address/91.229.77.161
https://www.virustotal.com/gui/ip-address/193.70.12.240
https://www.virustotal.com/gui/ip-address/178.162.209.135

【yaraルール】

/*
   YARA Rule Set
   Author: The DFIR Report
   Date: 2020-06-17
   Identifier: snatch-ransomware
   Reference: https://thedfirreport.com/
*/

/* Rule Set ----------------------------------------------------------------- */

import "pe"

rule snatch_ransomware_x3_loader {
   meta:
      description = "snatch-ransomware - file x3.exe"
      author = "DFIR Report"
      reference = "https://thedfirreport.com/"
      date = "2020-06-17"
      hash1 = "b9e4299239880961a88875e1265db0ec62a8c4ad6baf7a5de6f02ff4c31fcdb1"
   strings:
      $s1 = "jd4ob7162ns.dll" fullword wide
      $s2 = "kb05987631s.dll" fullword wide
      $s3 = "fw0a53482aa.dll" fullword wide
      $s4 = "C:\\Builds\\TP\\rtl\\common\\TypInfo.pas" fullword wide
      $s5 = "C:\\Builds\\TP\\rtl\\sys\\SysUtils.pas" fullword wide
      $s6 = "C:\\Builds\\TP\\rtl\\common\\Classes.pas" fullword wide
      $s7 = "/K schtasks /Create /RU SYSTEM /SC DAILY /ST 00:00 /TN \"Regular Idle Maintenance\" /TR \"" fullword wide
      $s8 = "/K schtasks /Create /RU SYSTEM /SC ONSTART /TN \"Regular Idle Maintenances\" /TR \"" fullword wide
      $s9 = "RootP0C" fullword ascii
      $s10 = "Component already destroyed: " fullword wide
      $s11 = "Stream write error The specified file was not found2Length of Strings and Objects arrays must be equal#''%s'' is not a valid int" wide
      $s12 = "PPackageTypeInfo$\"@" fullword ascii
      $s13 = "PositionP0C" fullword ascii
      $s14 = "DesignInfoP0C" fullword ascii
      $s15 = "OwnerP0C" fullword ascii
      $s16 = "3\"4\\4~4" fullword ascii /* hex encoded string '4D' */
      $s17 = "TComponentClassP0C" fullword ascii
      $s18 = ":$:2:6:L:\\:l:t:x:|:" fullword ascii
      $s19 = ":P:T:X:\\:t:" fullword ascii
      $s20 = ":,:<:@:L:T:X:\\:`:d:h:l:p:t:x:|:" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 900KB and
      ( pe.imphash() == "d6136298ea7484a715d40720221233be" or 8 of them )
}

rule snatch_ransomware_safe_go_ransomware {
   meta:
      description = "snatch-ransomware - file safe.exe"
      author = "DFIR Report"
      reference = "https://thedfirreport.com/"
      date = "2020-06-17"
      hash1 = "3160b4308dd9434ebb99e5747ec90d63722a640d329384b1ed536b59352dace6"
   strings:
      $s1 = "dumpcb" fullword ascii
      $s2 = "dfmaftpgc" fullword ascii
      $s3 = "ngtrunw" fullword ascii
      $s4 = "_dumpV" fullword ascii
      $s5 = ".dll3u^" fullword ascii
      $s6 = "D0s[Host#\"0" fullword ascii
      $s7 = "CPUIRC32D,OPg" fullword ascii
      $s8 = "WSAGetOv" fullword ascii
      $s9 = "Head9iuA" fullword ascii
      $s10 = "SpyL]ZIo" fullword ascii
      $s11 = "cmpbody" fullword ascii
      $s12 = "necwnamep" fullword ascii
      $s13 = "ZonK+ pW" fullword ascii
      $s14 = "printabl" fullword ascii
      $s15 = "atomicn" fullword ascii
      $s16 = "powrprof" fullword ascii
      $s17 = "recdvoc" fullword ascii
      $s18 = "nopqrsx" fullword ascii
      $s19 = "ghijklm" fullword ascii
      $s20 = "spdelta" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 8000KB and
      ( pe.imphash() == "6ed4f5f04d62b18d96b26d6db7c18840" or 8 of them )
}

rule snatch_ransomware_cplXen {
   meta:
      description = "snatch-ransomware - file cplXen.exe"
      author = "DFIR Report"
      reference = "https://thedfirreport.com/"
      date = "2020-06-17"
      hash1 = "c305b75a4333c7fca9d1d71b660530cc98197b171856bf433e4e8f3af0424b11"
   strings:
      $x1 = "C:\\Users\\Administrator\\source\\repos\\tmt\\Release\\TMT.pdb" fullword ascii
      $s2 = "curity><requestedPrivileges><requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel></requeste" ascii
      $s3 = "AppPolicyGetProcessTerminationMethod" fullword ascii
      $s4 = "hemas.microsoft.com/SMI/2005/WindowsSettings\">true</dpiAware></windowsSettings></application></assembly>" fullword ascii
      $s5 = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" fullword wide
      $s6 = "operator<=>" fullword ascii
      $s7 = "operator co_await" fullword ascii
      $s8 = "api-ms-win-appmodel-runtime-l1-1-2" fullword wide
      $s9 = "91.229.77.71" fullword wide
      $s10 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3" ascii
      $s11 = "vileges></security></trustInfo><application xmlns=\"urn:schemas-microsoft-com:asm.v3\"><windowsSettings><dpiAware xmlns=\"http:/" ascii
      $s12 = "Aapi-ms-win-core-datetime-l1-1-1" fullword wide
      $s13 = "Aapi-ms-win-core-fibers-l1-1-1" fullword wide
      $s14 = "api-ms-win-core-file-l1-2-2" fullword wide /* Goodware String - occured 1 times */
      $s15 = "__swift_2" fullword ascii
      $s16 = "__swift_1" fullword ascii
      $s17 = ">6?V?f?" fullword ascii /* Goodware String - occured 1 times */
      $s18 = "7K7P7T7X7\\7" fullword ascii /* Goodware String - occured 1 times */
      $s19 = "Wininet.dll" fullword ascii /* Goodware String - occured 1 times */
      $s20 = "QQSVj8j@" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 300KB and
      ( pe.imphash() == "ec348684b8d3fbd21669529c6e5cef8b" or ( 1 of ($x*) or 4 of them ) )
}


rule WmiPrvSystemES_TOR_exe {
   meta:
      description = "snatch-ransomware - file WmiPrvSystemES.exe"
      author = "DFIR Report"
      reference = "https://thedfirreport.com/"
      date = "2020-06-17"
      hash1 = "0cd166b12f8d0f4b620a5819995bbcc2d15385117799fafbc76efd8c1e906662"
   strings:
      $x1 = "Unsupported command (--list-fingerprint, --hash-password, --keygen, --dump-config, --verify-config, or --key-expiration) in NT s" ascii
      $x2 = "Unsupported command (--list-fingerprint, --hash-password, --keygen, --dump-config, --verify-config, or --key-expiration) in NT s" ascii
      $x3 = "Tor is currently configured as a relay and a hidden service. That's not very secure: you should probably run your hidden service" ascii
      $x4 = "Failed to open handle to monitored process %d, and error code %lu (%s) is not 'invalid parameter' -- assuming the process is sti" ascii
      $x5 = "Failed to open handle to monitored process %d, and error code %lu (%s) is not 'invalid parameter' -- assuming the process is sti" ascii
      $x6 = "Unable to parse descriptor of type %s with hash %s and length %lu. Descriptor not dumped because it exceeds maximum log size all" ascii
      $x7 = "Unable to parse descriptor of type %s with hash %s and length %lu. Descriptor not dumped because it exceeds maximum log size all" ascii
      $s8 = "Doesn't look like we'll be able to create descriptor dump directory %s; dumps will be disabled." fullword ascii
      $s9 = "dumping a microdescriptor" fullword ascii
      $s10 = "in a separate Tor process, at least -- see https://trac.torproject.org/8742" fullword ascii
      $s11 = "SR: Commit from authority %s decoded length doesn't match the expected length (%d vs %u)." fullword ascii
      $s12 = "Unable to parse descriptor of type %s with hash %s and length %lu. Descriptor not dumped because the sandbox is configured" fullword ascii
      $s13 = "You are running a new relay. Thanks for helping the Tor network! If you wish to know what will happen in the upcoming weeks rega" ascii
      $s14 = "Unable to get contents of unparseable descriptor dump directory %s" fullword ascii
      $s15 = "Uploading hidden service descriptor: http status 400 (%s) response from dirserver '%s:%d'. Malformed hidden service descriptor?" fullword ascii
      $s16 = "Uploading hidden service descriptor: http status %d (%s) response unexpected (server '%s:%d')." fullword ascii
      $s17 = "Your server (%s:%d) has not managed to confirm that its DirPort is reachable. Relays do not publish descriptors until their ORPo" ascii
      $s18 = "Your server (%s:%d) has not managed to confirm that its ORPort is reachable. Relays do not publish descriptors until their ORPor" ascii
      $s19 = "Dumping statistics about %d channel listeners:" fullword ascii
      $s20 = "\\\\.\\Pipe\\Tor-Process-Pipe-%lu-%lu" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 12000KB and
      ( pe.imphash() == "3fce013d4eb45a62bfe5b4ed33268491" or ( 1 of ($x*) or 4 of them ) )
}

rule WmiPrvSystem_utorrent_exe {
   meta:
      description = "snatch-ransomware - file WmiPrvSystem.exe"
      author = "DFIR Report"
      reference = "https://thedfirreport.com/"
      date = "2020-06-17"
      hash1 = "97bc0e2add9be985aeb5c0b4ca654a6a9e6fca6a6bf712dc26fc454b773212b7"
   strings:
      $x1 = "VirtualQuery for stack base failedadding nil Certificate to CertPoolcrypto/aes: invalid buffer overlapcrypto/des: invalid buffer" ascii
      $x2 = "> (den<<shift)/2unexpected end of JSON inputunexpected protocol version  cannot be converted to type %s(%s) - handshake failed: " ascii
      $x3 = "sync: WaitGroup misuse: Add called concurrently with Waittls: Ed25519 public keys are not supported before TLS 1.2tls: peer does" ascii
      $x4 = "slice bounds out of range [:%x] with length %ystopTheWorld: not stopped (status != _Pgcstop)tls: ECDSA signing requires a ECDSA " ascii
      $x5 = "Pakistan Standard TimeParaguay Standard TimePrint version and exitSakhalin Standard TimeTOR_PT_SERVER_BINDADDRTasmania Standard " ascii
      $x6 = "0123456789ABCDEFGHIJKLMNOPQRSTUV28421709430404007434844970703125: day-of-year does not match dayABCDEFGHIJKLMNOPQRSTUVWXYZ234567" ascii
      $x7 = "unknown network workbuf is emptywww-authenticate initialHeapLive= spinningthreads=%%!%c(big.Int=%s)0123456789ABCDEFX0123456789ab" ascii
      $x8 = "unixpacketunknown pcuser-agentws2_32.dll  of size   (targetpc= ErrCode=%v [scrubbed] a.npages=  b.npages=  gcwaiting= gp.status=" ascii
      $x9 = "attempt to execute system stack code on user stackcrypto/cipher: incorrect nonce length given to GCMcryptobyte: attempted write " ascii
      $x10 = "streamSafe was not resetstructure needs cleaningtext/html; charset=utf-8unexpected buffer len=%vunexpected exponent baseunexpect" ascii
      $x11 = "100-continue152587890625762939453125:key_extractBidi_ControlCIDR addressCONTINUATIONContent TypeContent-TypeECDSA-SHA256ECDSA-SH" ascii
      $x12 = "IP addressKeep-AliveKharoshthiLockFileExManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOther_MathPOSTALCODEParseFlo" ascii
      $x13 = "tls: ECDSA signature contained zero or negative valuestls: client indicated early data in second ClientHellotls: failed to creat" ascii
      $x14 = "to unallocated span%%!%c(*big.Float=%s)37252902984619140625Arabic Standard TimeAzores Standard TimeBUG: Failed HKDF: %sCertOpenS" ascii
      $x15 = "CertEnumCertificatesInStoreDATA frame with stream ID 0Easter Island Standard TimeG waiting list is corruptedTOR_PT_EXTENDED_SERV" ascii
      $x16 = ".lib section in a.out corrupted11368683772161602973937988281255684341886080801486968994140625CLIENT_HANDSHAKE_TRAFFIC_SECRETCent" ascii
      $x17 = "Saint Pierre Standard TimeSouth Africa Standard TimeTOR_PT_EXIT_ON_STDIN_CLOSEW. Australia Standard TimeWest Pacific Standard Ti" ascii
      $x18 = "Temporary RedirectUNKNOWN_SETTING_%dVariation_Selectorajax.aspnetcdn.combad Content-Lengthbad manualFreeListbufio: buffer fullco" ascii
      $x19 = "request rejected because the client program and identd report different user-idstls: either ServerName or InsecureSkipVerify mus" ascii
      $x20 = "invalid network interface nameinvalid pointer found on stacklooking for beginning of valuemeek_lite: protocol negotiatedmime: du" ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 26000KB and
      ( pe.imphash() == "f0070935b15a909b9dc00be7997e6112" or 1 of ($x*) )
}

【ブログ】

◆Snatch Ransomware (The DFIR Report, 2020/06/21)
https://thedfirreport.com/2020/06/21/snatch-ransomware/
⇒ https://malware-log.hatenablog.com/entry/2020/06/21/000000_2

【図表】

出典: https://thedfirreport.com/2020/06/21/snatch-ransomware/