{"id":123079,"date":"2022-05-17T06:00:17","date_gmt":"2022-05-17T13:00:17","guid":{"rendered":"https:\/\/unit42.paloaltonetworks.com\/?p=123079"},"modified":"2022-05-17T02:02:05","modified_gmt":"2022-05-17T09:02:05","slug":"emotet-malware-summary-epoch-4-5","status":"publish","type":"post","link":"https:\/\/unit42.paloaltonetworks.com\/ja\/emotet-malware-summary-epoch-4-5\/","title":{"rendered":"Emotet\u306e\u6982\u8981: 2021\u5e7411\u6708\uff5e2022\u5e741\u6708"},"content":{"rendered":"<h2><a id=\"post-122995-_4lt92rr5muov\"><\/a>\u6982\u8981<\/h2>\n<p>Emotet\u306f\u73fe\u5728\u306e\u8105\u5a01\u6982\u6cc1\u3067\u3082\u3063\u3068\u3082\u30e1\u30fc\u30eb\u914d\u4fe1\u6570\u306e\u591a\u3044\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u30d5\u30a1\u30df\u30ea\u306e1\u3064\u3067\u3059\u3002\u6cd5\u57f7\u884c\u6a5f\u95a2\u306e\u9023\u643a\u306b\u3088\u308a2021\u5e741\u6708\u306b\u30c6\u30a4\u30af\u30c0\u30a6\u30f3\u3055\u308c\u305f\u3082\u306e\u306e\u30012021\u5e7411\u6708\u306b\u306f\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u3092\u518d\u958b\u3057\u3001\u305d\u308c\u4ee5\u6765\u7a81\u51fa\u3057\u305f\u8105\u5a01\u306b\u8fd4\u308a\u54b2\u3044\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u672c\u7a3f\u3067\u306f\u3001Emotet\u306e\u80cc\u666f\u30682021\u5e7411\u6708\u306e\u5fa9\u6d3b\u4ee5\u964d\u306e\u6d3b\u52d5\u3092\u632f\u308a\u8fd4\u308a\u3001\u5fa9\u6d3b\u304b\u30892022\u5e741\u6708\u672b\u307e\u3067\u306eEmotet\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u3067\u89b3\u6e2c\u3055\u308c\u305f\u5909\u5316\u306b\u95a2\u3059\u308b\u60c5\u5831\u3092\u63d0\u4f9b\u3057\u307e\u3059\u3002\u672c\u7a3f\u3067\u53d6\u308a\u4e0a\u3052\u305f\u30b5\u30f3\u30d7\u30eb\u3067\u5168\u4f53\u50cf\u3092\u3064\u304b\u307f\u3064\u3064\u3001Emotet\u304c\u3044\u307e\u4e16\u754c\u4e2d\u3067\u3069\u306e\u3088\u3046\u306a\u8105\u5a01\u3068\u306a\u3063\u3066\u3044\u308b\u306e\u304b\u306e\u7406\u89e3\u306b\u3064\u306a\u304c\u308c\u3070\u3068\u601d\u3044\u307e\u3059\u3002<\/p>\n<p>\u30d1\u30ed\u30a2\u30eb\u30c8\u30c
d\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u306e\u304a\u5ba2\u69d8\u306f\u3001<a href=\"https:\/\/www.paloaltonetworks.jp\/products\/secure-the-network\/wildfire\">WildFire<\/a>\u3068<a href=\"https:\/\/www.paloaltonetworks.jp\/network-security\/threat-prevention\">\u8105\u5a01\u9632\u5fa1<\/a>\u306e\u30b5\u30d6\u30b9\u30af\u30ea\u30d7\u30b7\u30e7\u30f3\u3092\u6709\u52b9\u5316\u3057\u305f<a href=\"https:\/\/www.paloaltonetworks.jp\/network-security\/next-generation-firewall\">\u6b21\u4e16\u4ee3\u30d5\u30a1\u30a4\u30a2\u30a6\u30a9\u30fc\u30eb<\/a> \u3068<a href=\"https:\/\/www.paloaltonetworks.jp\/cortex\/cortex-xdr\"> Cortex XDR<\/a>\u306b\u3088\u3063\u3066Emotet\u304b\u3089\u4fdd\u8b77\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<table style=\"width: 100.596%;\">\n<tbody>\n<tr>\n<td style=\"width: 49.8765%;\"><span style=\"font-weight: 400;\">\u672c\u7a3f\u3067\u89e3\u8aac\u3059\u308b\u4e3b\u306a\u30de\u30eb\u30a6\u30a7\u30a2<\/span><\/td>\n<td style=\"width: 295.062%;\"><a href=\"https:\/\/unit42.paloaltonetworks.jp\/tag\/Emotet-ja\/\"><span style=\"font-weight: 400;\">Emotet<\/span><\/a><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 49.8765%;\"><span style=\"font-weight: 400;\">\u5f71\u97ff\u3092\u53d7\u3051\u308b\u30aa\u30da\u30ec\u30fc\u30c6\u30a3\u30f3\u30b0\u30b7\u30b9\u30c6\u30e0<\/span><\/td>\n<td style=\"width: 295.062%;\"><span style=\"font-weight: 400;\">Windows<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 49.8765%;\"><span style=\"font-weight: 400;\">Unit 42\u306e\u95a2\u9023\u30c8\u30d4\u30c3\u30af<\/span><\/td>\n<td style=\"width: 295.062%;\"><a href=\"https:\/\/unit42.paloaltonetworks.jp\/category\/malware-2-ja\/\"><span style=\"font-weight: 400;\">Malware<\/span><\/a><span style=\"font-weight: 400;\">, <\/span><a href=\"https:\/\/unit42.paloaltonetworks.jp\/tag\/macros-ja\/\"><span style=\"font-weight: 400;\">macros<\/span><\/a><span style=\"font-weight: 400;\">, <\/span><a href=\"https:\/\/unit42.paloaltonetworks.jp\/tag\/phishing-ja\/\"><span 
style=\"font-weight: 400;\">phishing<\/span><\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2><a id=\"post-122995-_kwlpnqom1xtg\"><\/a>\u76ee\u6b21<\/h2>\n<p><a href=\"#Background-on-Emotet\">Emotet\u306e\u80cc\u666f<\/a><br \/>\n<a href=\"#Visual-Timeline\">\u30d3\u30b8\u30e5\u30a2\u30eb\u30bf\u30a4\u30e0\u30e9\u30a4\u30f3<\/a><br \/>\n<a href=\"#Emotet-in-November-2021\">2021\u5e7411\u6708\u306eEmotet<\/a><br \/>\n<a href=\"#Emotet-Abuses-Microsoft-App-Installer\">Emotet\u304cMicrosoft\u306e\u30a2\u30d7\u30ea \u30a4\u30f3\u30b9\u30c8\u30fc\u30e9\u30fc\u3092\u60aa\u7528<\/a><br \/>\n<a href=\"#Emotet-in-December-2021\">2021\u5e7412\u6708\u306eEmotet<\/a><br \/>\n<a href=\"#Emotet-in-January-2022\">2022\u5e741\u6708\u306eEmotet<\/a><br \/>\n<a href=\"#Conclusion\">\u7d50\u8ad6<\/a><br \/>\n<a href=\"#Indicators-of-Compromise\">IoC<\/a><br \/>\n<a href=\"#Appendix-A-Emotet-epoch-4-activity\">\u4ed8\u9332A: 2021\u5e7411\u670818\u65e5\u306eEmotet\u30a8\u30dd\u30c3\u30af4\u306e\u6d3b\u52d5<\/a><br \/>\n<a href=\"#Appendix-B-Emotet-epoch-4-abusing-App-Installer\">\u4ed8\u9332B: 2021\u5e7411\u670830\u65e5\u306e\u30a2\u30d7\u30ea \u30a4\u30f3\u30b9\u30c8\u30fc\u30e9\u30fc\u3092\u60aa\u7528\u3059\u308bEmotet\u30a8\u30dd\u30c3\u30af4<\/a><br \/>\n<a href=\"#Appendix-C-Emotet-epoch-4-infection\">\u4ed8\u9332C: 2021\u5e7412\u670821\u65e5\u306eEmotet\u30a8\u30dd\u30c3\u30af4\u611f\u67d3<\/a><br \/>\n<a href=\"#Appendix-D-Emotet-epoch-5-infection\">\u4ed8\u9332D: 2022\u5e741\u670811\u65e5\u306eEmotet\u30a8\u30dd\u30c3\u30af5\u611f\u67d3<\/a><br \/>\n<a href=\"#Additional-Resources\">\u8ffd\u52a0\u30ea\u30bd\u30fc\u30b9<\/a><\/p>\n<h2><a 
id=\"Background-on-Emotet\"><\/a>Emotet\u306e\u80cc\u666f<\/h2>\n<p>Emotet\u306f2014\u5e74\u306b\u6700\u521d\u306b\u767b\u5834\u3057\u305fWindows\u30d9\u30fc\u30b9\u306e\u30d0\u30f3\u30ad\u30f3\u30b0\u578b\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u30de\u30eb\u30a6\u30a7\u30a2\u3067\u3001Geodo\u3084Feodo\u3068\u547c\u3070\u308c\u308b\u3053\u3068\u3082\u3042\u308a\u307e\u3059\u3002\u767b\u5834\u4ee5\u964d\u3001\u3055\u307e\u3056\u307e\u306a\u6a5f\u80fd\u3092\u5b9f\u884c\u3059\u308b\u30e2\u30b8\u30e5\u30e9\u30fc\u578b\u30de\u30eb\u30a6\u30a7\u30a2\u3078\u3068\u9032\u5316\u3057\u3001\u60c5\u5831\u7a83\u53d6\u3084\u30b9\u30d1\u30e0\u30dc\u30c3\u30c8\u6d3b\u52d5\u3001\u4ed6\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u30ed\u30fc\u30c9\u306a\u3069\u3082\u884c\u3046\u3088\u3046\u306b\u306a\u3063\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>Emotet\u306e\u80cc\u5f8c\u306b\u3044\u308b\u30a2\u30af\u30bf\u30fc\u306f<a href=\"https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/evolution-emotet-trojan-distributor\">Mealybug<\/a>\u3001<a href=\"https:\/\/www.crowdstrike.com\/blog\/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider\/\">MUMMY SPIDER<\/a>\u3001<a 
href=\"https:\/\/www.proofpoint.com\/us\/threat-insight\/post\/threat-actor-profile-ta542-banker-malware-distribution-service\">TA542<\/a>\u306a\u3069\u3055\u307e\u3056\u307e\u306a\u547c\u3073\u540d\u3067\u77e5\u3089\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u4e3b\u306a\u62e1\u6563\u624b\u6bb5\u306f\u96fb\u5b50\u30e1\u30fc\u30eb\u3067\u3059\u3002<\/p>\n<p>Emotet\u306f\u3070\u3089\u307e\u304d\u578b\u306e\u30b9\u30d1\u30e0\u9001\u4fe1\u3092\u884c\u3044\u307e\u3059\u3002Emotet\u306b\u611f\u67d3\u3057\u305f\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u306f\u30b9\u30d1\u30e0\u30dc\u30c3\u30c8\u3068\u3057\u3066\u52d5\u4f5c\u3059\u308b\u3053\u3068\u3082\u591a\u304f\u3001\u305d\u308c\u3089\u306fEmotet\u3092\u30d7\u30c3\u30b7\u30e5\u3059\u308b\u30e1\u30fc\u30eb\u3092\u6bce\u520610\u6570\u901a\u3070\u3089\u307e\u304d\u307e\u3059\u3002\u3064\u307e\u308a1\u53f0\u306e\u30db\u30b9\u30c8\u304b\u3089\u6bce\u65e5\u4f55\u5343\u901a\u3082\u306eEmotet\u30e1\u30fc\u30eb\u3092\u9001\u4fe1\u53ef\u80fd\u3067\u3059\u3002Emotet\u611f\u67d3\u30db\u30b9\u30c8\u304c\u5e38\u6642\u6570\u767e\u53f0\u6d3b\u52d5\u3057\u3066\u3044\u308b\u3068\u3059\u308c\u3070\u3001Emotet\u306e\u6d3b\u52d5\u4e2d\u30011\u65e5\u6570\u5341\u4e07\u901a\u306eEmotet\u30e1\u30fc\u30eb\u304c\u751f\u6210\u3055\u308c\u308b\u3053\u3068\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n<p>Emotet\u306f\u691c\u51fa\u3092\u56de\u907f\u3057\u307e\u3059\u3002\u30cf\u30c3\u30b7\u30e5\u30d0\u30b9\u30c8\u3068\u547c\u3070\u308c\u308b\u6280\u8853\u3092\u4f7f\u3044\u3001\u30dc\u30c3\u30c8\u30cd\u30c3\u30c8\u3067\u3070\u3089\u307e\u304f\u30de\u30eb\u30a6\u30a7\u30a2\u306b\u7570\u306a\u308b\u30d5\u30a1\u30a4\u30eb\u30cf\u30c3\u30b7\u30e5\u3092\u751f\u6210\u3057\u307e\u3059\u3002\u3053\u308c\u306b\u3088\u308a\u3001\u30de\u30eb\u30a6\u30a7\u30a2\u30b5\u30f3\u30d7\u30eb\u306eSHA256\u30cf\u30c3\u30b7\u30e5\u306f<a 
href=\"https:\/\/twitter.com\/malwaretechblog\/status\/1251606958592757760\">\u611f\u67d3\u30b7\u30b9\u30c6\u30e0\u3054\u3068\u306b\u7570\u306a\u308b<\/a>\u3053\u3068\u306b\u306a\u308a\u307e\u3059\u3002\u307e\u305fEmotet\u306f\u6700\u521d\u306e\u611f\u67d3\u30d7\u30ed\u30bb\u30b9\u3067\u4f7f\u7528\u3055\u308c\u308b\u30b9\u30af\u30ea\u30d7\u30c8\u306b\u96e3\u8aad\u5316\u3057\u305f\u30b3\u30fc\u30c9\u3092\u4f7f\u3044\u307e\u3059\u3002<\/p>\n<p>Emotet\u306f\u654f\u6377\u3067\u3059\u3002\u30dc\u30c3\u30c8\u30cd\u30c3\u30c8\u306f\u30b3\u30de\u30f3\u30c9\uff06\u30b3\u30f3\u30c8\u30ed\u30fc\u30eb(C2)\u901a\u4fe1\u306b\u4f7f\u3046IP\u30a2\u30c9\u30ec\u30b9\u3084TCP\u30dd\u30fc\u30c8\u3092\u983b\u7e41\u306b\u66f4\u65b0\u3057\u307e\u3059\u3002\u3055\u3089\u306b\u30de\u30eb\u30a6\u30a7\u30a2\u3092\u30db\u30b9\u30c8\u3059\u308bURL\u3082\u983b\u7e41\u306b\u5909\u66f4\u3057\u3001\u6642\u306b\u306f1\u65e5\u306b\u6570\u5341\u306e\u7570\u306a\u308bURL\u3092\u4f7f\u3046\u3053\u3068\u3082\u3042\u308a\u307e\u3059\u3002<\/p>\n<p>Emotet\u3092\u914d\u5e03\u3059\u308b\u96fb\u5b50\u30e1\u30fc\u30eb\u306b\u306f\u3001\u60aa\u610f\u306e\u3042\u308b\u6dfb\u4ed8\u30d5\u30a1\u30a4\u30eb\u304c\u542b\u307e\u308c\u3066\u3044\u305f\u308a\u3001\u60aa\u610f\u306e\u3042\u308b\u30d5\u30a1\u30a4\u30eb\u3078\u306e\u30ea\u30f3\u30af\u304c\u542b\u307e\u308c\u3066\u3044\u305f\u308a\u3057\u307e\u3059\u3002\u3053\u308c\u3089\u306e\u30e1\u30c3\u30bb\u30fc\u30b8\u306b\u306f\u3088\u304fWord\u6587\u66f8\u3084Excel\u30b9\u30d7\u30ec\u30c3\u30c9\u30b7\u30fc\u30c8\u306e\u3088\u3046\u306aMicrosoft 
Office\u30d5\u30a1\u30a4\u30eb\u304c\u542b\u307e\u308c\u3066\u3044\u3066\u3001\u305d\u308c\u3089\u306b\u306f\u60aa\u610f\u306e\u3042\u308b\u30de\u30af\u30ed\u30b3\u30fc\u30c9\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\u30de\u30af\u30ed\u30b3\u30fc\u30c9\u306f\u88ab\u5bb3\u8005\u304c\u30de\u30af\u30ed\u3092\u6709\u52b9\u306b\u3057\u305f\u5f8c\u3001\u8106\u5f31\u306aWindows\u30db\u30b9\u30c8\u306b\u611f\u67d3\u3059\u308b\u3088\u3046\u306b\u3057\u304f\u307e\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>Emotet\u306f\u305d\u306e\u9686\u76db\u3068\u3068\u3082\u306b\u3001<a href=\"https:\/\/isc.sans.edu\/forums\/diary\/Emotet+infections+and+followup+malware\/24532\/\">Gootkit<\/a>\u3001<a href=\"https:\/\/www.malware-traffic-analysis.net\/2019\/01\/18\/index.html\">IcedID<\/a>\u3001<a href=\"https:\/\/www.malware-traffic-analysis.net\/2020\/08\/10\/index.html\">Qakbot<\/a>\u3001<a href=\"https:\/\/unit42.paloaltonetworks.jp\/unit42-malware-team-malspam-pushing-emotet-trickbot\/\">Trickbot\u3068\u3044\u3063\u305f<\/a>\u4ed6\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u3092\u914d\u5e03\u3059\u308b\u3088\u3046\u306b\u306a\u308a\u307e\u3057\u305f\u3002<\/p>\n<p>2019\u5e749\u6708\u307e\u3067\u306b\u3001Emotet\u306e\u30a4\u30f3\u30d5\u30e9\u306f<a href=\"https:\/\/twitter.com\/Cryptolaemus1\/status\/1174195815876894720\">3\u3064\u306e\u5225\u3005\u306e\u30dc\u30c3\u30c8\u30cd\u30c3\u30c8\u3067\u7a3c\u50cd<\/a>\u3059\u308b\u3088\u3046\u306b\u306a\u308a\u307e\u3057\u305f\u3002\u3053\u308c\u3089\u306e\u30dc\u30c3\u30c8\u30cd\u30c3\u30c8\u306f\u3001\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u8abf\u67fb\u30c1\u30fc\u30e0<a 
href=\"https:\/\/paste.cryptolaemus.com\/about\/\">Cryptolaemus<\/a>\u306b\u3088\u308a\u30a8\u30dd\u30c3\u30af1\u3001\u30a8\u30dd\u30c3\u30af2\u3001\u30a8\u30dd\u30c3\u30af3\u3068\u547d\u540d\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u3053\u308c\u3089\u306e\u30a8\u30dd\u30c3\u30af\u306f\u3088\u304fE1\u3001E2\u3001E3\u3068\u7565\u3055\u308c\u307e\u3059\u3002<\/p>\n<p>2020\u5e74\u307e\u3067\u306b\u306f\u3001<a href=\"https:\/\/unit42.paloaltonetworks.jp\/emotet-thread-hijacking\/\">Emotet\u3092\u30d7\u30c3\u30b7\u30e5\u3059\u308b\u60aa\u8cea\u306a\u30b9\u30d1\u30e0<\/a>\u306e\u5927\u534a\u304c<a href=\"https:\/\/unit42.paloaltonetworks.jp\/emotet-thread-hijacking\/\">\u30b9\u30ec\u30c3\u30c9\u30cf\u30a4\u30b8\u30e3\u30c3\u30af\u3092\u4f7f\u7528\u3059\u308b\u3088\u3046\u306b\u306a\u308a<\/a>\u307e\u3057\u305f\u3002\u30b9\u30ec\u30c3\u30c9\u30cf\u30a4\u30b8\u30e3\u30c3\u30af\u3068\u3044\u3046\u306e\u306f\u611f\u67d3\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u306e\u30e1\u30fc\u30eb\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u304b\u3089\u76d7\u3093\u3060\u6b63\u898f\u30e1\u30c3\u30bb\u30fc\u30b8\u3092\u5229\u7528\u3059\u308b\u624b\u6cd5\u3067\u3001Emotet\u306e\u30e1\u30fc\u30eb\u306f\u6b63\u898f\u30e6\u30fc\u30b6\u30fc\u3092\u507d\u88c5\u3057\u3001\u76d7\u3093\u3060\u30e1\u30fc\u30eb\u3078\u306e\u8fd4\u4fe1\u306e\u3075\u308a\u3092\u3057\u307e\u3059\u3002<\/p>\n<p>Emotet\u306f\u3068\u304d\u304a\u308a\u60aa\u8cea\u30e1\u30fc\u30eb\u914d\u4fe1\u3092\u4f11\u6b62\u3059\u308b\u3053\u3068\u304c\u3042\u308a\u307e\u3059\u3002\u8105\u5a01\u6982\u6cc1\u304b\u3089<a 
href=\"https:\/\/www.proofpoint.com\/jp\/blog\/threat-insight\/comprehensive-look-emotets-summer-2020-return\">Emotet\u304c\u6700\u3082\u9577\u304f\u59ff\u3092\u6d88\u3057\u305f<\/a>\u306e\u306f2020\u5e742\u6708\u521d\u65ec\u3067\u3053\u306e\u4f11\u6b62\u306f5\u30ab\u6708\u4ee5\u4e0a\u7d9a\u304d\u307e\u3057\u305f\u3002Emotet\u306f2020\u5e747\u6708\u4e2d\u65ec\u306b\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u3092\u518d\u958b\u3057\u3001\u60aa\u8cea\u30b9\u30d1\u30e0\u306e\u91cf\u3067\u307e\u305f\u305f\u304f\u9593\u306b<a href=\"https:\/\/www.proofpoint.com\/jp\/blog\/threat-insight\/comprehensive-look-emotets-summer-2020-return\">\u4ed6\u306e\u8105\u5a01\u3092\u51cc\u99d5<\/a>\u3057\u307e\u3057\u305f\u3002<\/p>\n<p>2021\u5e741\u6708\u3001\u6cd5\u57f7\u884c\u6a5f\u95a2\u306a\u3069\u306e\u5354\u529b\u306b\u3088\u308a\u3001<a href=\"https:\/\/www.europol.europa.eu\/media-press\/newsroom\/news\/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action\">Emotet\u306e\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u304c\u30c6\u30a4\u30af\u30c0\u30a6\u30f3<\/a>\u3055\u308c\u307e\u3057\u305f\u3002\u3053\u308c\u306b\u3088\u308a\u3053\u306e\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u306f\u4e8b\u5b9f\u4e0a\u505c\u6b62\u3055\u308c\u3001Emotet\u306f\u8105\u5a01\u6982\u6cc1\u304b\u3089\u59ff\u3092\u6d88\u3057\u307e\u3057\u305f\u3002<\/p>\n<p>\u305d\u308c\u304b\u3089\u7d0410\u30ab\u6708\u5f8c\u30012021\u5e7411\u6708\u4e2d\u65ec\u306bEmotet\u306f\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u3092\u518d\u958b\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<h2><a 
id=\"Visual-Timeline\"><\/a>\u30d3\u30b8\u30e5\u30a2\u30eb\u30bf\u30a4\u30e0\u30e9\u30a4\u30f3<\/h2>\n<p>\u56f31\u306f2021\u5e7411\u6708\u4e2d\u65ec\u306e\u5fa9\u6d3b\u304b\u30892022\u5e741\u6708\u307e\u3067\u306eEmotet\u306e\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u3092\u6642\u7cfb\u5217\u3067\u793a\u3057\u305f\u3082\u306e\u3067\u3001\u672c\u7a3f\u3067\u53d6\u308a\u4e0a\u3052\u305f3\u30f6\u6708\u9593\u306eEmotet\u306e\u6ce8\u76ee\u3059\u3079\u304d\u6d3b\u52d5\u3092\u6642\u7cfb\u5217\u3067\u793a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_122999\" aria-describedby=\"caption-attachment-122999\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-123000 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/05\/figure01-ja-1.png\" alt=\"2021\u5e7411\u6708\u304b\u30892022\u5e741\u6708\u306b\u304b\u3051\u3066\u306eEmotet\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u306e\u30bf\u30a4\u30e0\u30e9\u30a4\u30f3: 11\u670814\u65e5 Trickbot\u611f\u67d3\u304b\u3089\u65b0\u3057\u3044Emotet\u30d0\u30a4\u30ca\u30ea\u3092\u78ba\u8a8d\u300111\u670815\u65e5 Emotet\u304c\u30b9\u30d1\u30e0\u3092\u518d\u958b(\u30e1\u30fc\u30eb\u306b\u6dfb\u4ed8\u30d5\u30a1\u30a4\u30eb\u3042\u308a)\u300111\u670823\u65e5 Emotet\u611f\u67d3\u30d7\u30ed\u30bb\u30b9\u306b\u30d0\u30c3\u30c1\u30d5\u30a1\u30a4\u30eb\u3092\u78ba\u8a8d\u300111\u670830\u65e5 Emotet\u304c\u30a2\u30d7\u30ea\u30a4\u30f3\u30b9\u30c8\u30fc\u30e9\u30fc\u30d7\u30ed\u30c8\u30b3\u30eb\u306e\u60aa\u7528\u958b\u59cb\u300112\u67087\u65e5 Emotet\u611f\u67d3\u304b\u3089\u306eCobaltStrike\u304c\u78ba\u8a8d\u3055\u308c\u306f\u3058\u3081\u308b\u300112\u670821\u65e5 Emotet\u30e1\u30fc\u30eb\u306b\u4e3b\u306b\u521d\u671fOffice\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3059\u308b\u30ea\u30f3\u30af\u304c\u4f7f\u7528\u3055\u308c\u308b\u300112\u67087\u65e5 
Emotet\u611f\u67d3\u304b\u3089\u306eCobaltStrike\u304c\u78ba\u8a8d\u3055\u308c\u306f\u3058\u3081\u308b\u300112\u670821\u65e5 Emotet\u30e1\u30fc\u30eb\u306b\u4e3b\u306b\u521d\u671fOffice\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3059\u308b\u30ea\u30f3\u30af\u304c\u4f7f\u7528\u3055\u308c\u308b\u3001.hta\u30d5\u30a1\u30a4\u30eb\u304a\u3088\u3073PowerShell\u30b9\u30af\u30ea\u30d7\u30c8\u306b\u3088\u308b\u65b0\u305f\u306a\u611f\u67d3\u624b\u6cd5\u304c\u78ba\u8a8d\u3055\u308c\u306f\u3058\u3081\u308b\u300112\u670825\u65e5 Emotet\u30b9\u30d1\u30e0\u304c\u505c\u6b62\u30011\u670811\u65e5 Emotet\u30b9\u30d1\u30e0\u304c\u518d\u958b\u30011\u670821\u65e5 Emotet\u96fb\u5b50\u30e1\u30fc\u30eb\u304c\u30ea\u30f3\u30af\u3067\u306f\u306a\u304f\u518d\u3073\u6dfb\u4ed8\u3092\u4f7f\u7528\u3057\u306f\u3058\u3081\u308b\u3002\" width=\"900\" height=\"412\" \/><figcaption id=\"caption-attachment-122999\" class=\"wp-caption-text\">\u56f31. Emotet\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u306e\u30bf\u30a4\u30e0\u30e9\u30a4\u30f3(2021\u5e7411\u6708\u301c2022\u5e741\u6708)<\/figcaption><\/figure>\n<h2><a id=\"Emotet-in-November-2021\"><\/a>2021\u5e7411\u6708\u306eEmotet<\/h2>\n<p>2021\u5e7411\u670814\u65e5(\u65e5)\u3001\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30ea\u30b5\u30fc\u30c1\u30e3\u30fc\u306e<a href=\"https:\/\/cyber.wtf\/author\/lucaebach1\/\">Luca Ebach<\/a>\u304c\u3001<a href=\"https:\/\/cyber.wtf\/2021\/11\/15\/guess-whos-back\/\">Trickbot\u611f\u67d3\u3092\u901a\u3058\u3066\u914d\u4fe1<\/a>\u3055\u308c\u308b\u65b0\u305f\u306aEmotet\u30d0\u30a4\u30ca\u30ea\u3092\u767a\u898b\u3057\u307e\u3057\u305f\u300211\u670815\u65e5(\u6708)\u307e\u3067\u306b\u3001<a 
href=\"https:\/\/isc.sans.edu\/diary\/Emotet+Returns\/28044\">Emotet\u306e\u30a4\u30f3\u30d5\u30e9\u306f\u901a\u5e38\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u3092\u518d\u958b<\/a>\u3057\u3001\u60aa\u8cea\u306a\u30b9\u30d1\u30e0\u3092\u5927\u91cf\u306b\u751f\u6210\u3057\u306f\u3058\u3081\u307e\u3057\u305f\u3002<\/p>\n<p>\u65b0\u3057\u3044Emotet\u306e\u30a4\u30f3\u30d5\u30e9\u306f\u3001\u30a8\u30dd\u30c3\u30af4\u3001\u30a8\u30dd\u30c3\u30af5\u3068\u540d\u4ed8\u3051\u3089\u308c\u305f2\u3064\u306e\u7570\u306a\u308b\u30dc\u30c3\u30c8\u30cd\u30c3\u30c8\u3067\u7a3c\u50cd\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u308c\u3089\u306f\u3088\u304fE4\u3001E5\u3068\u7565\u3055\u308c\u307e\u3059\u3002<\/p>\n<p>11\u670815\u65e5\u6642\u70b9\u3067Emotet\u306e\u60aa\u8cea\u30b9\u30d1\u30e0\u306b\u306f\u3001\u30d1\u30b9\u30ef\u30fc\u30c9\u4fdd\u8b77\u3055\u308c\u305fZIP\u30a2\u30fc\u30ab\u30a4\u30d6\u3001Word\u6587\u66f8\u3001Excel\u30b9\u30d7\u30ec\u30c3\u30c9\u30b7\u30fc\u30c8\u306e3\u7a2e\u985e\u306e\u3044\u305a\u308c\u304b\u306e\u6dfb\u4ed8\u30d5\u30a1\u30a4\u30eb\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3057\u305f\u3002\u3053\u308c\u306f\u4ee5\u524d\u306eEmotet\u611f\u67d3\u3067\u3088\u304f\u89b3\u6e2c\u3055\u308c\u305f\u624b\u6cd5\u3092\u8e0f\u8972\u3057\u3066\u3044\u307e\u3059\u3002\u305d\u306e\u30b5\u30f3\u30d7\u30eb\u3068\u8a73\u7d30\u306f\u3001\u7b46\u8005\u306e\u6295\u7a3f\u300c<a href=\"https:\/\/isc.sans.edu\/diary\/Emotet+Returns\/28044\">Emotet Returns (Emotet\u306e\u5e30\u9084)<\/a>\u300d\u306b\u8a18\u8f09\u3057\u3066\u3044\u307e\u3059\u3002\u30a4\u30d9\u30f3\u30c8\u30c1\u30a7\u30fc\u30f3\u3092\u6587\u66f8\u5316\u3057\u305f\u30d5\u30ed\u30fc\u30c1\u30e3\u30fc\u30c8\u306f\u4ee5\u4e0b\u56f32\u3092\u53c2\u7167\u3057\u3066\u304f\u3060\u3055\u3044\u3002<\/p>\n<figure id=\"attachment_123001\" aria-describedby=\"caption-attachment-123001\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-123002 lozad\"  
data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/05\/word-image-1-ja.png\" alt=\"2021\u5e7411\u670815\u65e5(\u6708)\u306b\u89b3\u6e2c\u3055\u308c\u305fEmotet\u611f\u67d3\u30c1\u30a7\u30fc\u30f3\u3092\u6587\u66f8\u5316\u3057\u305f\u30d5\u30ed\u30fc\u30c1\u30e3\u30fc\u30c8\u3002\u30b9\u30ec\u30c3\u30c9\u4e57\u3063\u53d6\u308a\u30e1\u30fc\u30eb\u3001\u30d1\u30b9\u30ef\u30fc\u30c9\u4fdd\u8b77\u3055\u308c\u305fZIP\u307e\u305f\u306fOffice\u6587\u66f8\u3001\u30de\u30af\u30ed\u306e\u6709\u52b9\u5316\u3001Emotet DLL\u306eWeb\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3001Emotet DLL\u3001Emotet C2\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\" width=\"900\" height=\"477\" \/><figcaption id=\"caption-attachment-123001\" class=\"wp-caption-text\">\u56f32. 2021\u5e7411\u670815\u65e5(\u6708)\u306b\u89b3\u6e2c\u3055\u308c\u305fEmotet\u306e\u611f\u67d3\u30a4\u30d9\u30f3\u30c8\u30c1\u30a7\u30fc\u30f3<\/figcaption><\/figure>\n<p><a href=\"#Appendix-A-Emotet-epoch-4-activity\">\u4ed8\u9332A<\/a>\u306b11\u670818\u65e5(\u6c34)\u306b\u767a\u751f\u3057\u305f\u611f\u67d3\u304b\u3089\u306eIoC(\u4fb5\u5bb3\u6307\u6a19)\u3092\u8a18\u8f09\u3057\u307e\u3059\u3002<\/p>\n<p>11\u670823\u65e5(\u6708)\u307e\u3067\u306b\u306f\u4ee5\u4e0b\u56f33\u306e\u3088\u3046\u306b\u611f\u67d3\u30d7\u30ed\u30bb\u30b9\u306b\u30d0\u30c3\u30c1\u30d5\u30a1\u30a4\u30eb\u304c\u8ffd\u52a0\u3055\u308c\u307e\u3057\u305f\u3002<\/p>\n<figure id=\"attachment_123003\" aria-describedby=\"caption-attachment-123003\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-123004 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/05\/word-image-2-ja.png\" 
alt=\"2021\u5e7411\u670823\u65e5(\u6708)\u306b\u89b3\u6e2c\u3055\u308c\u305fEmotet\u611f\u67d3\u30c1\u30a7\u30fc\u30f3\u3002\u8105\u5a01\u306b\u3088\u308b\u30e1\u30fc\u30eb\u30b9\u30ec\u30c3\u30c9\u306e\u30cf\u30a4\u30b8\u30e3\u30c3\u30af\u3001\u30d1\u30b9\u30ef\u30fc\u30c9\u4fdd\u8b77\u3064\u304dZIP\u307e\u305f\u306fOffice\u6587\u66f8\u3001\u30de\u30af\u30ed\u306e\u6709\u52b9\u5316\u3001\u30d0\u30c3\u30c1\u30d5\u30a1\u30a4\u30eb\u3092C:\\ProgramData\\directory\u306b\u30c9\u30ed\u30c3\u30d7\u3001Emotet DLL\u7528\u306eWeb\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3001Emotet DLL\u3001Emotet C2\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\" width=\"900\" height=\"486\" \/><figcaption id=\"caption-attachment-123003\" class=\"wp-caption-text\">\u56f33. 2021\u5e7411\u670823\u65e5(\u6708)\u306b\u89b3\u6e2c\u3055\u308c\u305fEmotet\u306e\u611f\u67d3\u30a4\u30d9\u30f3\u30c8\u30c1\u30a7\u30fc\u30f3<\/figcaption><\/figure>\n<p>Emotet\u306f\u4e16\u754c\u306e\u3055\u307e\u3056\u307e\u306a\u5730\u57df\u3092\u6a19\u7684\u306b\u3057\u3066\u3044\u307e\u3059\u3002\u305f\u3060\u3057\u88ab\u5bb3\u8005\u304c\u82f1\u8a9e\u8a71\u8005\u3067\u306a\u304f\u3066\u3082\u3001Office\u6587\u66f8\u306e\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u306f\u82f1\u8a9e\u306e\u307e\u307e\u3067\u3059\u3002\u4ee5\u4e0b\u306e\u56f34\u3068\u56f35\u306f\u30a4\u30bf\u30ea\u30a2\u3092\u30bf\u30fc\u30b2\u30c3\u30c8\u306b\u3057\u305f\u30e1\u30fc\u30eb\u306e\u4f8b\u3067\u3059\u3002<\/p>\n<figure id=\"attachment_123005\" aria-describedby=\"caption-attachment-123005\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-123006 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/05\/word-image-3.jpeg\" 
alt=\"Emotet\u306f\u4e16\u754c\u306e\u3055\u307e\u3056\u307e\u306a\u5730\u57df\u3092\u6a19\u7684\u306b\u3057\u3066\u3044\u307e\u3059\u3002\u305f\u3060\u3057\u88ab\u5bb3\u8005\u304c\u82f1\u8a9e\u8a71\u8005\u3067\u306a\u304f\u3066\u3082\u3001Office\u6587\u66f8\u306e\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u306f\u82f1\u8a9e\u306e\u307e\u307e\u3067\u3059\u3002\u3053\u306e\u56f3\u306f\u30a4\u30bf\u30ea\u30a2\u3092\u30bf\u30fc\u30b2\u30c3\u30c8\u306b\u3057\u305f\u30e1\u30fc\u30eb\u306e\u4f8b\u3067\u3059\u3002\" width=\"900\" height=\"745\" \/><figcaption id=\"caption-attachment-123005\" class=\"wp-caption-text\">\u56f34. 2021\u5e7411\u670823\u65e5\u306e\u30a4\u30bf\u30ea\u30a2\u3092\u6a19\u7684\u3068\u3059\u308bEmotet\u30e1\u30fc\u30eb\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8<\/figcaption><\/figure>\n<figure id=\"attachment_123007\" aria-describedby=\"caption-attachment-123007\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-123008 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/05\/word-image-4.jpeg\" alt=\"Emotet\u306f\u4e16\u754c\u306e\u3055\u307e\u3056\u307e\u306a\u5730\u57df\u3092\u6a19\u7684\u306b\u3057\u3066\u3044\u307e\u3059\u3002\u305f\u3060\u3057\u88ab\u5bb3\u8005\u304c\u82f1\u8a9e\u8a71\u8005\u3067\u306a\u304f\u3066\u3082\u3001Office\u6587\u66f8\u306e\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u306f\u82f1\u8a9e\u306e\u307e\u307e\u3067\u3059\u3002\u3053\u306e\u56f3\u306f\u30a4\u30bf\u30ea\u30a2\u3092\u30bf\u30fc\u30b2\u30c3\u30c8\u306b\u3057\u305f\u30e1\u30fc\u30eb\u306e\u4f8b\u3067\u3001Excel\u30b9\u30d7\u30ec\u30c3\u30c9\u30b7\u30fc\u30c8\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\" width=\"900\" height=\"665\" \/><figcaption id=\"caption-attachment-123007\" class=\"wp-caption-text\">\u56f35 
\u30a4\u30bf\u30ea\u30a2\u8a9e\u306e\u30e1\u30fc\u30eb\u306b\u306fEmotet\u7528\u306eExcel\u30b9\u30d7\u30ec\u30c3\u30c9\u30b7\u30fc\u30c8\u304c\u6dfb\u4ed8\u3055\u308c\u3066\u3044\u308b\u304c\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u306f\u82f1\u8a9e<\/figcaption><\/figure>\n<p>\u3053\u306e\u6642\u70b9\u3067\u306f\u30de\u30af\u30ed\u3092\u6709\u52b9\u5316\u3057\u3066\u3082Emotet\u306eDLL\u3092\u76f4\u63a5\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u30fb\u5b9f\u884c\u3067\u304d\u307e\u305b\u3093\u3067\u3057\u305f\u3002\u305d\u306e\u304b\u308f\u308a\u3053\u306e\u30de\u30af\u30ed\u30b3\u30fc\u30c9\u306f\u56f36\u3067\u793a\u3059\u30d0\u30c3\u30c1\u30d5\u30a1\u30a4\u30eb\u3092\u30c9\u30ed\u30c3\u30d7\u3057\u3001\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3067\u5b9f\u884c\u3057\u307e\u3057\u305f\u3002<\/p>\n<p><span style=\"font-family: 'courier new', courier, monospace;\">C:\\WINDOWS\\system32\\cmd.exe \/c c:\\programdata\\sdfhiuwu.bat<\/span><\/p>\n<figure id=\"attachment_123009\" aria-describedby=\"caption-attachment-123009\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-123010 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/05\/word-image-5.jpeg\" alt=\"\u3053\u306e\u6642\u70b9\u3067\u306f\u30de\u30af\u30ed\u3092\u6709\u52b9\u5316\u3057\u3066\u3082Emotet\u306eDLL\u3092\u76f4\u63a5\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u30fb\u5b9f\u884c\u3067\u304d\u307e\u305b\u3093\u3067\u3057\u305f\u3002\u305d\u306e\u304b\u308f\u308a\u3053\u306e\u30de\u30af\u30ed\u30b3\u30fc\u30c9\u306f\u3053\u306e\u56f3\u3067\u793a\u3059\u30d0\u30c3\u30c1\u30d5\u30a1\u30a4\u30eb\u3092\u30c9\u30ed\u30c3\u30d7\u3057\u3001C:\\WINDOWS\\system32\\cmd.exe \/c c:\\programdata\\sdfhiuwu.bat \u3067\u5b9f\u884c\u3057\u307e\u3057\u305f\u3002\" width=\"900\" height=\"565\" \/><figcaption id=\"caption-attachment-123009\" class=\"wp-caption-text\">\u56f36. 
2021\u5e7411\u670823\u65e5\u306eEmotet\u611f\u67d3\u3067\u306f\u30de\u30af\u30ed\u6709\u52b9\u5316\u5f8c\u306b\u30d0\u30c3\u30c1\u30d5\u30a1\u30a4\u30eb\u304c\u30c9\u30ed\u30c3\u30d7\u3055\u308c\u305f<\/figcaption><\/figure>\n<p>\u30d0\u30c3\u30c1\u30d5\u30a1\u30a4\u30eb\u5185\u306e\u30b9\u30af\u30ea\u30d7\u30c8\u306f\u691c\u51fa\u56de\u907f\u306e\u305f\u3081\u306b\u96e3\u8aad\u5316\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u3053\u308c\u304cEmotet DLL\u3092\u53d6\u5f97\u3057\u3001\u88ab\u5bb3\u8005\u306e\u30db\u30b9\u30c8\u4e0a\u3067\u5b9f\u884c\u3059\u308bPowerShell\u30b3\u30de\u30f3\u30c9\u3092\u751f\u6210\u3057\u307e\u3059\u3002\u3053\u306ePowerShell\u30b3\u30de\u30f3\u30c9\u306fbase64\u30a8\u30f3\u30b3\u30fc\u30c9\u3057\u305f\u6587\u5b57\u5217\u3092\u4f7f\u3063\u3066\u3044\u307e\u3059(\u56f37\u53c2\u7167)\u3002<\/p>\n<figure id=\"attachment_123011\" aria-describedby=\"caption-attachment-123011\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-123012 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/05\/word-image-6.jpeg\" alt=\"\u30d0\u30c3\u30c1\u30d5\u30a1\u30a4\u30eb\u5185\u306e\u30b9\u30af\u30ea\u30d7\u30c8\u306f\u691c\u51fa\u56de\u907f\u306e\u305f\u3081\u306b\u96e3\u8aad\u5316\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u3053\u308c\u304cEmotet DLL\u3092\u53d6\u5f97\u3057\u3001\u88ab\u5bb3\u8005\u306e\u30db\u30b9\u30c8\u4e0a\u3067\u5b9f\u884c\u3059\u308bPowerShell\u30b3\u30de\u30f3\u30c9\u3092\u751f\u6210\u3057\u307e\u3059\u3002\u3053\u306ePowerShell\u30b3\u30de\u30f3\u30c9\u306f\u3053\u306e\u56f3\u304c\u793a\u3059\u3088\u3046\u306bBase64\u30a8\u30f3\u30b3\u30fc\u30c9\u3057\u305f\u6587\u5b57\u5217\u3092\u4f7f\u3063\u3066\u3044\u307e\u3059\u3002\" width=\"900\" height=\"713\" \/><figcaption id=\"caption-attachment-123011\" class=\"wp-caption-text\">\u56f37 
PowerShell\u30b3\u30de\u30f3\u30c9\u306fBase64\u30a8\u30f3\u30b3\u30fc\u30c9\u3057\u305f\u6587\u5b57\u5217\u3092\u4f7f\u3063\u3066\u3044\u308b<\/figcaption><\/figure>\n<p>\u3053\u306ebase64\u6587\u5b57\u5217\u3092ASCII\u30c6\u30ad\u30b9\u30c8\u306b\u5909\u63db\u3059\u308b\u3068\u3001\u4ee5\u4e0b\u56f38\u306e\u3088\u3046\u306a\u30b9\u30af\u30ea\u30d7\u30c8\u304c\u73fe\u308c\u307e\u3059\u3002\u3053\u306e\u30b9\u30af\u30ea\u30d7\u30c8\u306e\u76ee\u7684\u306f7\u3064\u3042\u308bURL\u306e\u3044\u305a\u308c\u304b1\u3064\u304b\u3089Emotet DLL\u3092\u53d6\u5f97\u3057\u3066<span style=\"font-family: 'courier new', courier, monospace;\">C:\\ProgramData\\<\/span>\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b\u4fdd\u5b58\u3059\u308b\u3053\u3068\u3067\u3059\u3002\u3053\u306eEmotet DLL\u306f\u30e9\u30f3\u30c0\u30e0\u306a\u6587\u5b57\u5217\u3092\u30a8\u30f3\u30c8\u30ea\u30dd\u30a4\u30f3\u30c8\u3068\u3057\u3066<span style=\"font-family: 'courier new', courier, monospace;\">rundll32.exe<\/span>\u306b\u3088\u3063\u3066\u5b9f\u884c\u3055\u308c\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_123013\" aria-describedby=\"caption-attachment-123013\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-123014 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/05\/word-image-7.jpeg\" alt=\"\u3053\u306e\u30b9\u30af\u30ea\u30d7\u30c8\u306e\u76ee\u7684\u306f7\u3064\u3042\u308bURL\u306e\u3044\u305a\u308c\u304b1\u3064\u304b\u3089Emotet DLL\u3092\u53d6\u5f97\u3057\u3066C:\\ProgramData\\\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b\u4fdd\u5b58\u3059\u308b\u3053\u3068\u3067\u3059\u3002\u3053\u306eEmotet DLL\u306f\u30e9\u30f3\u30c0\u30e0\u306a\u6587\u5b57\u5217\u3092\u30a8\u30f3\u30c8\u30ea\u30dd\u30a4\u30f3\u30c8\u3068\u3057\u3066rundll32.exe\u306b\u3088\u3063\u3066\u5b9f\u884c\u3055\u308c\u307e\u3059\u3002\" width=\"900\" height=\"311\" \/><figcaption id=\"caption-attachment-123013\" class=\"wp-caption-text\">\u56f38 
\u56f34\u306ebase64\u6587\u5b57\u5217\u306b\u3088\u308b\u96e3\u8aad\u5316\u3092\u89e3\u9664\u3057\u305f\u30b9\u30af\u30ea\u30d7\u30c8<\/figcaption><\/figure>\n<p>\u65b0\u305f\u306aEmotet DLL\u306f2021\u5e741\u6708\u306e\u30c6\u30a4\u30af\u30c0\u30a6\u30f3\u524d\u306eEmotet DLL\u306b\u4f3c\u3066\u3044\u307e\u3059\u3002Emotet\u306f\u611f\u67d3\u30e6\u30fc\u30b6\u30fc\u306e<span style=\"font-family: 'courier new', courier, monospace;\">AppData\\Local\\Temp<\/span>\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u4e0b\u306e\u30e9\u30f3\u30c0\u30e0\u306a\u540d\u524d\u306e\u30d5\u30a9\u30eb\u30c0\u4e0b\u3067\u6c38\u7d9a\u5316\u3055\u308c\u307e\u3059\u3002\u6c38\u7d9a\u5316\u3055\u308c\u308bDLL\u306e\u66f4\u65b0\u65e5\u306f\u611f\u67d3\u65e5\u6642\u306e\u304b\u3063\u304d\u308a1\u9031\u9593\u524d\u306b\u5dfb\u304d\u623b\u3055\u308c\u307e\u3059\u3002Emotet\u306fWindows\u30ec\u30b8\u30b9\u30c8\u30ea\u3092\u66f8\u304d\u63db\u3048\u308b\u3053\u3068\u3067\u6c38\u7d9a\u5316\u3055\u308c\u307e\u3059\u3002\u56f39\u306f11\u670823\u65e5\u306b\u89b3\u6e2c\u3055\u308c\u305f\u30b5\u30f3\u30d7\u30eb\u3067\u3059\u3002<\/p>\n<figure id=\"attachment_123015\" aria-describedby=\"caption-attachment-123015\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-123016 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/05\/word-image-8.jpeg\" alt=\"Emotet\u306f\u3053\u306e\u56f3\u306e\u3088\u3046\u306bWindows\u30ec\u30b8\u30b9\u30c8\u30ea\u3092\u66f8\u304d\u63db\u3048\u308b\u3053\u3068\u3067\u6c38\u7d9a\u5316\u3055\u308c\u307e\u3059\u3002 \" width=\"900\" height=\"393\" \/><figcaption id=\"caption-attachment-123015\" class=\"wp-caption-text\">\u56f39 
\u518d\u8d77\u52d5\u5f8c\u3082Emotet\u3092\u6c38\u7d9a\u5316\u3059\u308b\u305f\u3081\u306b\u30ec\u30b8\u30b9\u30c8\u30ea\u3092\u66f8\u304d\u63db\u3048\u308b<\/figcaption><\/figure>\n<p>2021\u5e7411\u6708\u306e\u518d\u767b\u5834\u4ee5\u964d\u3001Emotet\u306e\u611f\u67d3\u5f8c\u306eC2\u6d3b\u52d5\u306b\u306f\u6697\u53f7\u5316\u3055\u308c\u305fHTTPS\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u304c\u4f7f\u308f\u308c\u307e\u3059\u3002Emotet\u306eC2\u306eHTTPS\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306e\u8a3c\u660e\u66f8\u767a\u884c\u8005\u30c7\u30fc\u30bf\u306f\u3001\u4ed6\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u30d5\u30a1\u30df\u30ea\u3067\u3082\u3088\u304f\u898b\u3089\u308c\u308b\u5024\u304c\u4f7f\u7528\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u56f310\u306fWireshark\u3067\u30d5\u30a3\u30eb\u30bf\u30ea\u30f3\u30b0\u3092\u884c\u3044\u3001Emotet\u306eC2\u6d3b\u52d5\u306e\u8a3c\u660e\u66f8\u767a\u884c\u8005\u30c7\u30fc\u30bf\u3092\u8868\u793a\u3057\u305f\u4f8b\u3067\u3059\u3002<\/p>\n<figure id=\"attachment_123017\" aria-describedby=\"caption-attachment-123017\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-123018 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/05\/word-image-9.jpeg\" alt=\"Wireshark\u3067\u30d5\u30a3\u30eb\u30bf\u30ea\u30f3\u30b0\u3092\u884c\u3044\u3001Emotet\u306eC2\u6d3b\u52d5\u306e\u8a3c\u660e\u66f8\u767a\u884c\u8005\u30c7\u30fc\u30bf\u3092\u8868\u793a\u3057\u305f\u4f8b\u3002\u91cd\u8981\u306a\u7b87\u6240\u3092\u8d64\u3044\u77e2\u5370\u306e\u3064\u3044\u305f\u8d64\u67a0\u3067\u56f2\u3093\u3067\u3042\u308a\u307e\u3059\u3002 \" width=\"900\" height=\"568\" \/><figcaption id=\"caption-attachment-123017\" class=\"wp-caption-text\">\u56f310 Emotet\u306eHTTPS 
C2\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306e\u8a3c\u660e\u66f8\u767a\u884c\u8005\u30c7\u30fc\u30bf\u3092Wireshark\u3067\u78ba\u8a8d\u3057\u305f\u3068\u3053\u308d<\/figcaption><\/figure>\n<p>\u4e0a\u8a18\u306e\u56f310\u3067\u793a\u3059\u3088\u3046\u306bEmotet C2\u306eHTTPS \u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306e\u8a3c\u660e\u66f8\u767a\u884c\u8005\u30c7\u30fc\u30bf\u306f\u6b21\u306e\u5f62\u5f0f\u306b\u306a\u3063\u3066\u3044\u307e\u3059\u3002<\/p>\n<p><span style=\"font-family: 'courier new', courier, monospace;\">id-at-countryName=<strong>GB<br \/>\n<\/strong><\/span><span style=\"font-family: 'courier new', courier, monospace;\">id-at-statOrProvinceName=<strong>London<br \/>\n<\/strong><\/span><span style=\"font-family: 'courier new', courier, monospace;\">id-at-localityName=<strong>London<br \/>\n<\/strong><\/span><span style=\"font-family: 'courier new', courier, monospace;\">id-at-organizationName=<strong>Global Security<br \/>\n<\/strong><\/span><span style=\"font-family: 'courier new', courier, monospace;\">id-at-organizationalUnitName=<strong>IT Department<br \/>\n<\/strong><\/span><span style=\"font-family: 'courier new', courier, monospace;\">id-at-commonName=<strong>example.com<\/strong><\/span><\/p>\n<p>\u306a\u304a\u4ed6\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u7fa4\u3082\u540c\u69d8\u306e\u8a3c\u660e\u66f8\u767a\u884c\u8005\u30c7\u30fc\u30bf\u3092\u4f7f\u7528\u3059\u308b\u3053\u3068\u304c\u3042\u308a\u3001\u3053\u306e\u60c5\u5831\u306fEmotet\u72ec\u81ea\u306e\u3082\u306e\u3068\u306f\u9650\u308a\u307e\u305b\u3093\u3002<\/p>\n<p>11\u670830\u65e5\u3001Emotet\u306f\u518d\u3073\u624b\u53e3\u3092\u5909\u3048\u3001<a href=\"https:\/\/www.malware-traffic-analysis.net\/2021\/11\/30\/index.html\">Microsoft\u306e\u30a2\u30d7\u30ea \u30a4\u30f3\u30b9\u30c8\u30fc\u30e9\u30fc\u3092<\/a>\u611f\u67d3\u30c1\u30a7\u30fc\u30f3\u5185\u3067\u60aa\u7528\u3057\u306f\u3058\u3081\u307e\u3057\u305f\u3002<\/p>\n<h2><a 
id=\"Emotet-Abuses-Microsoft-App-Installer\"><\/a>Emotet\u304cMicrosoft\u306e\u30a2\u30d7\u30ea \u30a4\u30f3\u30b9\u30c8\u30fc\u30e9\u30fc\u3092\u60aa\u7528<\/h2>\n<p>\u73fe\u5728\u306fMicrosoft\u306b\u7121\u52b9\u5316\u3055\u308c\u3066\u3044\u307e\u3059\u304c\u3001\u30a2\u30d7\u30ea \u30a4\u30f3\u30b9\u30c8\u30fc\u30e9\u30fc\u306f\u3001Web\u30b5\u30fc\u30d0\u30fc\u304b\u3089\u76f4\u63a5\u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3059\u308b\u305f\u3081\u306e<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/msix\/app-installer\/installing-windows10-apps-we\">Windows 10\u306e\u30d7\u30ed\u30c8\u30b3\u30eb<\/a>\u3067\u3057\u305f\u3002\u3053\u306e\u30a2\u30d7\u30ea \u30a4\u30f3\u30b9\u30c8\u30fc\u30e9\u30fc\u306b\u306f\u62e1\u5f35\u5b50\u304c<span style=\"font-family: 'courier new', courier, monospace;\">.appinstaller<\/span>\u306eXML\u30d9\u30fc\u30b9\u306e\u30a2\u30d7\u30ea \u30a4\u30f3\u30b9\u30c8\u30fc\u30e9\u30fc\u30d5\u30a1\u30a4\u30eb\u304c\u4f7f\u308f\u308c\u3066\u3044\u307e\u3057\u305f\u3002\u3053\u306e\u30d7\u30ed\u30c8\u30b3\u30eb\u306f2021\u5e7411\u6708\u306b<a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/windows-10-app-installer-abused-in-bazarloader-malware-attacks\/\">BazarLoader\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u653b\u6483\u3067\u60aa\u7528<\/a>\u3055\u308c\u305f\u3053\u3068\u304c\u3042\u308a\u307e\u3059\u3002\u56f311\u306b\u3053\u306e\u30bf\u30a4\u30d7\u306eEmotet\u611f\u67d3\u30d5\u30ed\u30fc\u30c1\u30e3\u30fc\u30c8\u3092\u793a\u3057\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_123019\" aria-describedby=\"caption-attachment-123019\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-123020 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/05\/word-image-10-ja.png\" alt=\"Microsoft\u30a2\u30d7\u30ea 
\u30a4\u30f3\u30b9\u30c8\u30fc\u30e9\u30fc\u3092\u60aa\u7528\u3059\u308bEmotet\u611f\u67d3\u306e\u30d5\u30ed\u30fc\u30c1\u30e3\u30fc\u30c8\" width=\"900\" height=\"432\" \/><figcaption id=\"caption-attachment-123019\" class=\"wp-caption-text\">\u56f311 Microsoft\u30a2\u30d7\u30ea \u30a4\u30f3\u30b9\u30c8\u30fc\u30e9\u30fc\u30d7\u30ed\u30c8\u30b3\u30eb\u3092\u60aa\u7528\u3059\u308bEmotet\u611f\u67d3\u306e\u30d5\u30ed\u30fc\u30c1\u30e3\u30fc\u30c8<\/figcaption><\/figure>\n<p>\u3053\u306e\u653b\u6483\u306e\u624b\u53e3\u3067\u306f\u3001\u307e\u305a\u82e6\u60c5\u306e\u5831\u544a\u3092\u30c6\u30fc\u30de\u3068\u3059\u308b\u30e1\u30fc\u30eb\u306b\u60aa\u610f\u306e\u3042\u308b\u30da\u30fc\u30b8\u3078\u306e\u30ea\u30f3\u30af\u304c\u8cbc\u3089\u308c\u3066\u304d\u307e\u3059\u3002\u3053\u308c\u3089\u306e\u60aa\u610f\u306e\u3042\u308b\u30da\u30fc\u30b8\u306f\u4fb5\u5bb3\u3055\u308c\u305fWeb\u30b5\u30a4\u30c8\u3067\u30db\u30b9\u30c8\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u30d6\u30e9\u30a6\u30b6\u306e\u30bf\u30d6\u306b\u8868\u793a\u3055\u308c\u308bGoogle Drive\u30a2\u30a4\u30b3\u30f3\u306a\u3069\u306eGoogle Drive\u306e\u30da\u30fc\u30b8\u30b9\u30bf\u30a4\u30eb\u3092\u307e\u306d\u3066\u3001Google Drive\u306b\u306a\u308a\u3059\u307e\u3057\u307e\u3059\u3002\u3053\u306e\u30da\u30fc\u30b8\u306b\u306fPDF\u30d9\u30fc\u30b9\u306e\u82e6\u60c5\u5831\u544a\u3092\u30d7\u30ec\u30d3\u30e5\u30fc\u3067\u304d\u308b\u304b\u306e\u3088\u3046\u306a\u30ea\u30f3\u30af\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u304c\u3001\u5b9f\u969b\u306b\u306f\u8106\u5f31\u306aWindows 10\u30db\u30b9\u30c8\u3092Emotet\u306b\u611f\u67d3\u3055\u305b\u3088\u3046\u3068\u3059\u308b\u60aa\u610f\u306e\u3042\u308b<span style=\"font-family: 'courier new', courier, 
monospace;\">.appinstaller<\/span>\u30d5\u30a1\u30a4\u30eb\u306b\u30ea\u30f3\u30af\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u56f312\u306f11\u670830\u65e5\u306b\u89b3\u6e2c\u3057\u305f\u60aa\u610f\u306e\u3042\u308b\u30ea\u30f3\u30af\u3092\u542b\u3080\u30b9\u30ec\u30c3\u30c9\u30cf\u30a4\u30b8\u30e3\u30c3\u30af\u3055\u308c\u305f\u30e1\u30fc\u30eb\u3067\u3001\u56f313\u306f\u305d\u308c\u306b\u95a2\u9023\u3059\u308b\u60aa\u610f\u306e\u3042\u308b<span style=\"font-family: 'courier new', courier, monospace;\">.appinstaller<\/span>\u30d5\u30a1\u30a4\u30eb\u3078\u306e\u30ea\u30f3\u30af\u3092\u542b\u3080\u82e6\u60c5\u5831\u544a\u30da\u30fc\u30b8\u3067\u3059\u3002<\/p>\n<figure id=\"attachment_123021\" aria-describedby=\"caption-attachment-123021\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-123022 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/05\/word-image-11.jpeg\" alt=\"11\u670830\u65e5\u306b\u89b3\u6e2c\u3057\u305f\u30b9\u30ec\u30c3\u30c9\u30cf\u30a4\u30b8\u30e3\u30c3\u30af\u30e1\u30fc\u30eb\u3002\u60aa\u610f\u306e\u3042\u308b\u30ea\u30f3\u30af\u306f\u4e0a\u90e8\u306b\u8868\u793a\u3055\u308c\u3066\u3044\u3066\u3001\u4e00\u898bPDF\u306e\u3088\u3046\u306b\u898b\u3048\u308b\u3002\u5b9f\u969b\u306e\u60aa\u610f\u306e\u3042\u308b\u30ea\u30f3\u30af\u5148\u3092\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u4e0a\u306b\u8d64\u5b57\u3067\u91cd\u306d\u3066\u8868\u793a\u3002 \" width=\"900\" height=\"732\" \/><figcaption id=\"caption-attachment-123021\" class=\"wp-caption-text\">\u56f312. 
11\u670830\u65e5\u306b\u89b3\u6e2c\u3057\u305f\u30b9\u30ec\u30c3\u30c9\u30cf\u30a4\u30b8\u30e3\u30c3\u30af\u30e1\u30fc\u30eb\u3002\u60aa\u8cea\u306a\u30a2\u30d7\u30ea \u30a4\u30f3\u30b9\u30c8\u30fc\u30e9\u30fc\u30da\u30fc\u30b8\u3078\u306e\u30ea\u30f3\u30af\u304c\u8cbc\u3089\u308c\u3066\u3044\u308b<\/figcaption><\/figure>\n<figure id=\"attachment_123023\" aria-describedby=\"caption-attachment-123023\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-123024 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/05\/word-image-12.jpeg\" alt=\"\u507d\u82e6\u60c5\u5831\u544a\u30da\u30fc\u30b8\u306bEmotet\u306e.appinstaller\u30d5\u30a1\u30a4\u30eb\u3078\u306e\u30ea\u30f3\u30af\u304c\u78ba\u8a8d\u3067\u304d\u308b\u3002\u8d64\u3044\u77e2\u5370\u306f\u30e6\u30fc\u30b6\u30fc\u304c\u30af\u30ea\u30c3\u30af\u3057\u305f\u5834\u5408\u306e\u52d5\u4f5c\u3092\u793a\u3059\u3002 \" width=\"900\" height=\"506\" \/><figcaption id=\"caption-attachment-123023\" class=\"wp-caption-text\">\u56f313. 
Emotet\u306e.appinstaller\u30d5\u30a1\u30a4\u30eb\u3078\u306e\u30ea\u30f3\u30af\u3092\u542b\u3080\u507d\u306e\u82e6\u60c5\u5831\u544a\u30da\u30fc\u30b8<\/figcaption><\/figure>\n<p>\u56f313\u306b\u793a\u3059\u3088\u3046\u306b\u3001\u3053\u306e<span style=\"font-family: 'courier new', courier, monospace;\">.appinstaller<\/span>\u30d5\u30a1\u30a4\u30eb\u306fAdobe PDF\u30d5\u30a1\u30a4\u30eb\u306e\u3088\u3046\u306b\u898b\u305b\u304b\u3051\u3066\u3044\u307e\u3059\u304c\u3001\u5b9f\u969b\u306b\u306fMicrosoft Azure\u3092\u60aa\u7528\u3057\u3066\u60aa\u8cea\u306a\u30d5\u30a1\u30a4\u30eb\u304c\u30db\u30b9\u30c8\u3055\u308c\u3066\u3044\u307e\u3057\u305f\u3002\u4e0b\u306e\u56f314\u306f\u60aa\u610f\u306e\u3042\u308b<span style=\"font-family: 'courier new', courier, monospace;\">.appinstaller<\/span>\u30d5\u30a1\u30a4\u30eb\u3092\u30c6\u30ad\u30b9\u30c8\u30a8\u30c7\u30a3\u30bf\u3067\u958b\u3044\u305f\u3082\u306e\u3067\u3059\u3002<\/p>\n<figure id=\"attachment_123025\" aria-describedby=\"caption-attachment-123025\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-123026 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/05\/word-image-13.jpeg\" alt=\"\u30c6\u30ad\u30b9\u30c8\u30a8\u30c7\u30a3\u30bf\u3067\u958b\u3044\u305f\u60aa\u610f\u306e\u3042\u308b.appinstaller\u30d5\u30a1\u30a4\u30eb\u3002\u3053\u306e\u30d5\u30a1\u30a4\u30eb\u306f\u3001\u540c\u3058\u30b5\u30fc\u30d0\u30fc\u304b\u3089.appxbundle\u3068\u3044\u3046\u30d5\u30a1\u30a4\u30eb\u62e1\u5f35\u5b50\u304c\u4ed8\u52a0\u3055\u308c\u305f\u60aa\u610f\u306e\u3042\u308bZIP\u30a2\u30fc\u30ab\u30a4\u30d6\u3092\u53d6\u5f97\u3059\u308b\u3002 \" width=\"900\" height=\"311\" \/><figcaption id=\"caption-attachment-123025\" class=\"wp-caption-text\">\u56f314 Emotet\u306b\u4f7f\u7528\u3055\u308c\u305f\u60aa\u8cea\u306a.appinstaller\u30d5\u30a1\u30a4\u30eb\u300211\u670830\u65e5\u306b\u89b3\u6e2c<\/figcaption><\/figure>\n<p>\u56f314\u306e\u60aa\u610f\u306e\u3042\u308b<span 
style=\"font-family: 'courier new', courier, monospace;\">.appinstaller<\/span>\u30d5\u30a1\u30a4\u30eb\u306f\u3001\u540c\u3058\u30b5\u30fc\u30d0\u30fc\u304b\u3089<span style=\"font-family: 'courier new', courier, monospace;\">.appxbundle<\/span>\u30d5\u30a1\u30a4\u30eb\u62e1\u5f35\u5b50\u3092\u6301\u3064\u60aa\u610f\u306e\u3042\u308bZIP\u30a2\u30fc\u30ab\u30a4\u30d6\u3092\u53d6\u5f97\u3057\u307e\u3059\u3002\u4ee5\u4e0b\u3001\u56f315\u306b\u305d\u306e\u60aa\u610f\u306e\u3042\u308b<span style=\"font-family: 'courier new', courier, monospace;\">.appxbundle<\/span>\u306e\u5185\u5bb9\u3092\u793a\u3057\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_123027\" aria-describedby=\"caption-attachment-123027\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-123028 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/05\/word-image-14.jpeg\" alt=\"\u60aa\u610f\u306e\u3042\u308b.appxbundle\u306e\u5185\u5bb9\u3002\u62e1\u5f35\u5b50\u304c.appx\u306eZIP\u30a2\u30fc\u30ab\u30a4\u30d6\u3092\u542b\u3080\u3055\u307e\u3056\u307e\u306a\u30d5\u30a1\u30a4\u30eb\u304c\u542b\u307e\u308c\u3066\u3044\u308b\u3002.appxbundle\u5168\u4f53\u306f\u3001Emotet DLL\u3092\u53d6\u5f97\u3057\u3001\u8106\u5f31\u306aWindows\u30db\u30b9\u30c8\u4e0a\u3067\u5b9f\u884c\u3059\u308b\u3088\u3046\u306b\u3057\u304f\u307e\u308c\u3066\u3044\u308b\u3002 \" width=\"900\" height=\"436\" \/><figcaption id=\"caption-attachment-123027\" class=\"wp-caption-text\">\u56f315. 
Emotet\u611f\u67d3\u306b\u4f7f\u7528\u3055\u308c\u305f\u60aa\u8cea\u306a.appxbundle\u300211\u670830\u65e5\u306b\u89b3\u6e2c<\/figcaption><\/figure>\n<p>Adobe\u306e\u30d7\u30ed\u30b0\u30e9\u30e0\u3092\u88c5\u3063\u305f\u60aa\u8cea\u306a<span style=\"font-family: 'courier new', courier, monospace;\">.appxbundle<\/span>\u306b\u306f\u62e1\u5f35\u5b50<span style=\"font-family: 'courier new', courier, monospace;\">.appx<\/span>\u306eZIP\u30a2\u30fc\u30ab\u30a4\u30d6\u3092\u542b\u3080\u3055\u307e\u3056\u307e\u306a\u30d5\u30a1\u30a4\u30eb\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002<span style=\"font-family: 'courier new', courier, monospace;\">.appxbundle<\/span>\u5168\u4f53\u306f\u3001Emotet\u306eDLL\u3092\u53d6\u5f97\u3057\u3001\u8106\u5f31\u306aWindows\u30db\u30b9\u30c8\u4e0a\u3067\u5b9f\u884c\u3059\u308b\u3088\u3046\u306b\u3057\u304f\u307e\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>11\u670830\u65e5\u306e\u6d3b\u52d5\u304b\u3089\u5f97\u3089\u308c\u305f\u6307\u6a19\u3068\u305d\u306e\u8a73\u7d30\u306f\u3001<a href=\"https:\/\/www.malware-traffic-analysis.net\/2021\/11\/30\/index.html\">Malware Traffic Analysis<\/a>\u304b\u3089\u78ba\u8a8d\u3057\u3066\u304f\u3060\u3055\u3044\u3002\u30a2\u30d7\u30ea \u30a4\u30f3\u30b9\u30c8\u30fc\u30e9\u30fc\u30d5\u30a1\u30a4\u30eb\u306e\u6027\u8cea\u4e0a\u3001\u3053\u306e\u611f\u67d3\u624b\u6cd5\u306f\u5f53\u521d\u691c\u51fa\u56f0\u96e3\u3067\u3057\u305f\u3002\u3055\u3044\u308f\u3044Microsoft\u306f\u3053\u306e\u30a2\u30d7\u30ea \u30a4\u30f3\u30b9\u30c8\u30fc\u30e9\u30fc\u30d5\u30a1\u30a4\u30eb\u3092\u30db\u30b9\u30c8\u3057\u3066\u3044\u305fAzure\u30d5\u30a1\u30a4\u30eb\u30b5\u30fc\u30d0\u30fc\u3092\u3059\u3050\u306b\u505c\u6b62\u3057\u307e\u3057\u305f\u3002<a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-disables-msix-protocol-handler-abused-in-emotet-attacks\/\">Microsoft\u306f\u3001\u30a2\u30d7\u30ea 
\u30a4\u30f3\u30b9\u30c8\u30fc\u30e9\u30fc\u30d7\u30ed\u30c8\u30b3\u30eb\u3082\u7121\u52b9\u306b\u3057\u305f<\/a>\u306e\u3067\u3001Emotet\u305d\u306e\u307b\u304b\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306b\u3088\u308b\u653b\u6483\u7d4c\u8def\u3068\u3057\u3066\u3082\u306f\u3084\u6b8b\u3063\u3066\u3044\u307e\u305b\u3093\u3002<\/p>\n<p><a href=\"#Appendix-B-Emotet-epoch-4-abusing-App-Installer\">\u4ed8\u9332B<\/a>\u306b\u300111\u670830\u65e5\u306b\u89b3\u6e2c\u3055\u308c\u305fMicrosoft\u306e\u30a2\u30d7\u30ea \u30a4\u30f3\u30b9\u30c8\u30fc\u30e9\u30fc\u3092\u60aa\u7528\u3059\u308bEmotet\u611f\u67d3\u306eIoC(\u4fb5\u5bb3\u6307\u6a19)\u3092\u8a18\u8f09\u3057\u307e\u3059\u3002<\/p>\n<h2><a id=\"Emotet-in-December-2021\"><\/a>2021\u5e7412\u6708\u306eEmotet<\/h2>\n<p>2021\u5e7411\u6708\u3092\u901a\u3058\u3001\u6570\u3005\u306eEmotet\u611f\u67d3\u30b5\u30f3\u30d7\u30eb\u304b\u3089\u30c7\u30fc\u30bf\u6f0f\u51fa\u3084\u30b9\u30d1\u30e0\u30dc\u30c3\u30c8\u6d3b\u52d5\u304c\u660e\u3089\u304b\u306b\u306a\u308a\u307e\u3057\u305f\u30022021\u5e7412\u6708\u306b\u306a\u308b\u307e\u3067\u3001\u30d5\u30a9\u30ed\u30fc\u30a2\u30c3\u30d7\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u6307\u6a19\u306f\u516c\u8868\u3055\u308c\u307e\u305b\u3093\u3067\u3057\u305f\u300212\u67087\u65e5\u306b\u306f\u3001Cryptolaemus\u306e\u8abf\u67fb\u30c1\u30fc\u30e0\u304cEmotet\u611f\u67d3Windows\u30db\u30b9\u30c8\u306b<a href=\"https:\/\/twitter.com\/Cryptolaemus1\/status\/1468266929014157316\">Cobalt Strike\u304c\u5c55\u958b\u3055\u308c\u305f\u3053\u3068\u3092\u78ba\u8a8d<\/a>\u3057\u307e\u3057\u305f\u3002<\/p>\n<p>2021\u5e7412\u6708\u306b\u306f\u3001Microsoft\u306e\u30a2\u30d7\u30ea 
\u30a4\u30f3\u30b9\u30c8\u30fc\u30e9\u30fc\u30d7\u30ed\u30c8\u30b3\u30eb\u3092\u60aa\u7528\u3057\u3088\u3046\u3068\u3059\u308bEmotet\u30e1\u30fc\u30eb\u306e\u653b\u6483\u6ce2\u304c\u5c11\u306a\u304f\u3068\u3082\u3082\u30461\u56de\u767a\u751f\u3057\u307e\u3057\u305f\u3002\u3057\u304b\u3057\u3001Emotet\u306f\u3059\u3050\u307b\u304b\u306e\u611f\u67d3\u30d1\u30bf\u30fc\u30f3\u306b\u79fb\u884c\u3057\u3001Office\u6587\u66f8\u3001\u4e3b\u306bExcel\u30b9\u30d7\u30ec\u30c3\u30c9\u30b7\u30fc\u30c8\u306e\u3055\u307e\u3056\u307e\u306a\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u3092\u4f7f\u3044\u307e\u3057\u305f\u3002<\/p>\n<p>\u30af\u30ea\u30b9\u30de\u30b9\u307e\u3067\u306e1\u9031\u9593\u3001Emotet\u306e\u30e1\u30fc\u30eb\u306b\u306f\u3001\u4fb5\u5bb3\u3055\u308c\u305f\u3055\u307e\u3056\u307e\u306aWeb\u30b5\u30a4\u30c8\u306eWeb\u30da\u30fc\u30b8\u3078\u306e\u30ea\u30f3\u30af\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3057\u305f\u3002\u307e\u305f\u3053\u308c\u3089\u306e\u30da\u30fc\u30b8\u306b\u306f\u3001Google\u30c9\u30e9\u30a4\u30d6\u3092\u3088\u305d\u304a\u3063\u3066\u60aa\u610f\u306e\u3042\u308bExcel\u30d5\u30a1\u30a4\u30eb\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3055\u305b\u308b\u30ea\u30f3\u30af\u304c\u8cbc\u3089\u308c\u3066\u3044\u307e\u3057\u305f\u3002\u4eca\u56deEmotet\u306f\u56f316\u306b\u793a\u3059\u65b0\u305f\u306a\u611f\u67d3\u30d1\u30bf\u30fc\u30f3\u3092\u4f7f\u3044\u306f\u3058\u3081\u307e\u3057\u305f\u3002<\/p>\n<figure id=\"attachment_123029\" aria-describedby=\"caption-attachment-123029\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-123030 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/05\/word-image-15-ja.png\" alt=\"12\u670821\u65e5\uff5e12\u670824\u65e5\u306b\u89b3\u6e2c\u3055\u308c\u305fEmotet\u306e\u611f\u67d3\u30d1\u30bf\u30fc\u30f3: 
\u30e1\u30fc\u30eb\u3001\u30e1\u30fc\u30eb\u304b\u3089\u306e\u30ea\u30f3\u30af\u3001\u507d\u306e\u82e6\u60c5\u5831\u544a\u30da\u30fc\u30b8\u3001\u82e6\u60c5\u5831\u544a\u30da\u30fc\u30b8\u304b\u3089\u306e\u30ea\u30f3\u30af\u3001Excel\u30d5\u30a1\u30a4\u30eb\u3001\u30de\u30af\u30ed\u306e\u6709\u52b9\u5316\u3001cmd.exe\u304cWeb URL\u3067\u30db\u30b9\u30c8\u3055\u308c\u3066\u3044\u308bHTML\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3(.hta\u30d5\u30a1\u30a4\u30eb)\u3067mshta.exe\u3092\u5b9f\u884c\u3001.hta\u30d5\u30a1\u30a4\u30eb\u3078\u306eWeb\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3001powershell.exe\u304c\u5225\u306eWeb URL\u3067\u30db\u30b9\u30c8\u3055\u308c\u3066\u3044\u308b\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u5b9f\u884c\u3001PowerShell\u30b9\u30af\u30ea\u30d7\u30c8\u3078\u306eWeb\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3001Emotet DLL\u3001Emotet DLL\u3001Emotet C2\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306eWeb\u30c8\u30e9\u30d5\u30a3\u30c3\u30af \" width=\"900\" height=\"662\" \/><figcaption id=\"caption-attachment-123029\" class=\"wp-caption-text\">\u56f316. 
12\u670821\u65e5\uff5e12\u670824\u65e5\u306b\u89b3\u6e2c\u3055\u308c\u305fEmotet\u306e\u611f\u67d3\u30d1\u30bf\u30fc\u30f3<\/figcaption><\/figure>\n<p>\u56f316\u306f\u3001\u5c11\u306a\u304f\u3068\u30822022\u5e742\u6708\u4e2d\u306b\u306f\u4f7f\u7528\u304c\u898b\u3089\u308c\u305fEmotet\u306e\u611f\u67d3\u30d7\u30ed\u30bb\u30b9\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002<a href=\"https:\/\/unit42.paloaltonetworks.jp\/new-emotet-infection-method\/\">\u4ee5\u524d1\u6708\u306b\u3082\u3053\u306e\u3088\u3046\u306a\u30d0\u30ea\u30a8\u30fc\u30b7\u30e7\u30f3\u306e\u8a73\u7d30\u3092\u304a\u4f1d\u3048<\/a>\u3057\u305f\u3053\u3068\u304c\u3042\u308a\u307e\u3059\u3002<a href=\"#Appendix-C-Emotet-epoch-4-infection\">\u4ed8\u9332C<\/a>\u306b12\u670821\u65e5\u306b\u89b3\u6e2c\u3057\u305f\u3001\u3053\u306e\u65b9\u6cd5\u3092\u4f7f\u3046Emotet\u611f\u67d3\u306eIoC\u3092\u8a18\u8f09\u3057\u307e\u3059\u3002<\/p>\n<p>\u4ee5\u4e0b\u306e\u56f317\u306f12\u670823\u65e5\u306b\u89b3\u6e2c\u3055\u308c\u305fEmotet\u3092\u30d7\u30c3\u30b7\u30e5\u3059\u308b\u30e1\u30fc\u30eb\u3092\u3001\u56f318\u306f\u30e1\u30fc\u30eb\u306b\u30ea\u30f3\u30af\u304c\u8a18\u8f09\u3055\u308c\u3066\u3044\u305fWeb\u30b5\u30a4\u30c8\u3092\u3001\u56f319\u306f\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u305fExcel\u30b9\u30d7\u30ec\u30c3\u30c9\u30b7\u30fc\u30c8\u3092\u305d\u308c\u305e\u308c\u793a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_123031\" aria-describedby=\"caption-attachment-123031\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-123032 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/05\/word-image-16.jpeg\" alt=\"12\u670823\u65e5\u306b\u89b3\u6e2c\u3057\u305fEmotet\u3092\u30d7\u30c3\u30b7\u30e5\u3059\u308b\u30e1\u30fc\u30eb\u3002\u8d64\u3044\u77e2\u5370\u3067\u60aa\u610f\u306e\u3042\u308b\u30ea\u30f3\u30af\u306b\u6ce8\u610f\u3092\u559a\u8d77\u3057\u3066\u3044\u308b\u3002\" width=\"900\" height=\"713\" \/><figcaption 
id=\"caption-attachment-123031\" class=\"wp-caption-text\">\u56f317. 12\u670823\u65e5\u306b\u89b3\u6e2c\u3057\u305fEmotet\u3092\u30d7\u30c3\u30b7\u30e5\u3059\u308b\u30e1\u30fc\u30eb<\/figcaption><\/figure>\n<figure id=\"attachment_123033\" aria-describedby=\"caption-attachment-123033\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-123034 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/05\/word-image-17.jpeg\" alt=\"\u60aa\u8cea\u306aExcel\u30b9\u30d7\u30ec\u30c3\u30c9\u30b7\u30fc\u30c8\u3092\u914d\u4fe1\u3059\u308bWeb\u30da\u30fc\u30b8\u3002\u3053\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u306f\u3001\u60aa\u610f\u306e\u3042\u308b\u30b9\u30d7\u30ec\u30c3\u30c9\u30b7\u30fc\u30c8\u3092\u958b\u304f\u304b\u4fdd\u5b58\u3059\u308b\u304b\u306e\u30aa\u30d7\u30b7\u30e7\u30f3\u304c\u8868\u793a\u3055\u308c\u3066\u3044\u308b\u3002 \" width=\"900\" height=\"501\" \/><figcaption id=\"caption-attachment-123033\" class=\"wp-caption-text\">\u56f318. 
12\u670823\u65e5\u306b\u89b3\u6e2c\u3057\u305fEmotet\u306b\u3064\u306a\u304c\u308b\u60aa\u8cea\u306aExcel\u30b9\u30d7\u30ec\u30c3\u30c9\u30b7\u30fc\u30c8\u3092\u914d\u4fe1\u3059\u308bWeb\u30da\u30fc\u30b8<\/figcaption><\/figure>\n<figure id=\"attachment_123035\" aria-describedby=\"caption-attachment-123035\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-123036 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/05\/word-image-18.jpeg\" alt=\"\u60aa\u8cea\u306aExcel\u30b9\u30d7\u30ec\u30c3\u30c9\u30b7\u30fc\u30c88278500.xls\u3002\u3053\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u306f\u3001\u30de\u30af\u30ed\u3092\u6709\u52b9\u5316\u3057\u3066\u30b9\u30d7\u30ec\u30c3\u30c9\u30b7\u30fc\u30c8\u3092\u958b\u304f\u3088\u3046\u6c42\u3081\u3066\u3044\u308b\u3002 \" width=\"900\" height=\"549\" \/><figcaption id=\"caption-attachment-123035\" class=\"wp-caption-text\">\u56f319. \u56f317\u306b\u793a\u3057\u305f\u30da\u30fc\u30b8\u304b\u3089\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3055\u308c\u305f\u60aa\u610f\u306e\u3042\u308bExcel\u30b9\u30d7\u30ec\u30c3\u30c9\u30b7\u30fc\u30c8<\/figcaption><\/figure>\n<p>12\u670824\u65e5(\u6728)\u3001\u30af\u30ea\u30b9\u30de\u30b9\u3092\u30c6\u30fc\u30de\u306b\u3057\u305f\u4ef6\u540d\u3092\u4f7f\u3044\u3001\u30e1\u30c3\u30bb\u30fc\u30b8\u672c\u6587\u306b\u30af\u30ea\u30b9\u30de\u30b9\u306e\u304a\u795d\u3044\u306e\u8a00\u8449\u3092\u66f8\u3044\u3066\u3042\u308b\u4f3c\u305f\u3088\u3046\u306a\u30e1\u30fc\u30eb\u304c\u8907\u6570\u89b3\u6e2c\u3055\u308c\u307e\u3057\u305f\u3002\u3053\u306e\u30e1\u30fc\u30eb\u653b\u6483\u6ce2\u306f\u4e0a\u8a18\u56f319\u306b\u793a\u3057\u305f\u3082\u306e\u3068\u540c\u3058\u30b9\u30bf\u30a4\u30eb\u306eExcel\u30b9\u30d7\u30ec\u30c3\u30c9\u30b7\u30fc\u30c8\u3092\u914d\u4fe1\u3057\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n<p>\u56f320\u306f\u30af\u30ea\u30b9\u30de\u30b9\u3092\u30c6\u30fc\u30de\u306b\u3059\u308b\u30e1\u30fc\u30eb\u306e\u4
e00\u4f8b\u3092\u3001\u56f321\u306f\u305d\u308c\u3089\u306b\u95a2\u9023\u3057\u3066Excel\u30b9\u30d7\u30ec\u30c3\u30c9\u30b7\u30fc\u30c8\u3092\u914d\u4fe1\u3059\u308bWeb\u30da\u30fc\u30b8\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_123037\" aria-describedby=\"caption-attachment-123037\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-123038 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/05\/word-image-19.jpeg\" alt=\"12\u670824\u65e5\u306b\u89b3\u6e2c\u3055\u308c\u305fEmotet\u3092\u30d7\u30c3\u30b7\u30e5\u3059\u308b\u30e1\u30fc\u30eb\u3002\u30af\u30ea\u30b9\u30de\u30b9\u3092\u30c6\u30fc\u30de\u306b\u3057\u3066\u3044\u305f\u3002\u8d64\u3044\u77e2\u5370\u306f\u60aa\u610f\u306e\u3042\u308b\u30ea\u30f3\u30af\u3092\u793a\u3057\u3001\u5b9f\u969b\u306e\u30ea\u30f3\u30af\u5148\u3092\u8d64\u3067\u8868\u793a\u3057\u3066\u3044\u308b\u3002 \" width=\"900\" height=\"389\" \/><figcaption id=\"caption-attachment-123037\" class=\"wp-caption-text\">\u56f320. 12\u670824\u65e5\u306b\u89b3\u6e2c\u3055\u308c\u305fEmotet\u3092\u30d7\u30c3\u30b7\u30e5\u3059\u308b\u30e1\u30fc\u30eb\u3002\u30af\u30ea\u30b9\u30de\u30b9\u3092\u30c6\u30fc\u30de\u306b\u3057\u3066\u3044\u305f<\/figcaption><\/figure>\n<figure id=\"attachment_123039\" aria-describedby=\"caption-attachment-123039\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-123040 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/05\/word-image-20.jpeg\" alt=\"Emotet\u306b\u3064\u306a\u304c\u308b\u60aa\u8cea\u306aExcel\u30b9\u30d7\u30ec\u30c3\u30c9\u30b7\u30fc\u30c8\u3092\u914d\u4fe1\u3059\u308b\u30b5\u30a4\u30c8\u3002\u30da\u30fc\u30b8\u306b\u306f File 'Christmas Greetings' is ready for open \u3068\u3044\u3046\u30e1\u30c3\u30bb\u30fc\u30b8 \" width=\"900\" height=\"416\" \/><figcaption id=\"caption-attachment-123039\" class=\"wp-caption-text\">\u56f321. 
12\u670824\u65e5\u306b\u89b3\u6e2c\u3057\u305fEmotet\u306b\u3064\u306a\u304c\u308b\u60aa\u8cea\u306aExcel\u30b9\u30d7\u30ec\u30c3\u30c9\u30b7\u30fc\u30c8\u3092\u914d\u4fe1\u3059\u308bWeb\u30da\u30fc\u30b8<\/figcaption><\/figure>\n<p>12\u670824\u65e5\u4ee5\u964d\u3001Emotet\u306f\u5e74\u660e\u3051\u307e\u3067\u30b9\u30d1\u30e0\u30e1\u30fc\u30eb\u3092\u505c\u6b62\u3057\u307e\u3057\u305f\u3002<\/p>\n<h2><a id=\"Emotet-in-January-2022\"><\/a>2022\u5e741\u6708\u306eEmotet<\/h2>\n<p>2022\u5e741\u670811\u65e5(\u706b)\u3001Emotet\u306f<a href=\"https:\/\/twitter.com\/Cryptolaemus1\/status\/1480893070870818820\">\u4f11\u6687\u660e\u3051\u306b\u30b9\u30d1\u30e0\u30e1\u30fc\u30eb\u3092<\/a>\u518d\u958b\u3057\u307e\u3057\u305f\u3002\u305d\u306e\u30e1\u30fc\u30eb\u3067\u3082\u507d\u306e\u82e6\u60c5\u30da\u30fc\u30b8\u3092\u30c6\u30fc\u30de\u3068\u3057\u305f\u30ea\u30f3\u30af\u3092\u4f7f\u3063\u3066\u304a\u308a\u3001\u30da\u30fc\u30b8\u5185\u306b\u306f\u53d7\u4fe1\u8005\u540d\u3092\u542b\u3081\u308b\u3088\u3046\u306a\u30ab\u30b9\u30bf\u30de\u30a4\u30ba\u304c\u3055\u308c\u3066\u3044\u308b\u5834\u5408\u3082\u3042\u308a\u307e\u3057\u305f\u3002\u3053\u306e\u624b\u53e3\u306f1\u670820\u65e5\u307e\u3067\u5e83\u304f\u898b\u3089\u308c\u307e\u3057\u305f\u3002<\/p>\n<p>\u56f322\uff5e\u56f324\u306f\u305d\u306e1\u4f8b\u3067\u3001\u3053\u308c\u3089\u306f1\u670820\u65e5\u306b\u89b3\u6e2c\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u3053\u306e\u4f8b\u3067\u306f\u3001AOL\u306e\u30e1\u30fc\u30eb\u30a2\u30c9\u30ec\u30b9\u3092\u3082\u3064\u53d7\u4fe1\u8005\u540d\u304c\u300cSolomon Grundy\u300d\u3068\u3044\u3046\u540d\u524d\u3092\u8868\u793a\u3059\u308b\u3088\u3046\u306b\u51e6\u7406\u3055\u308c\u3066\u304a\u308a\u3001\u306a\u308a\u3059\u307e\u3057\u306e\u9001\u4fe1\u8005\u306f\u300calan.scott@thegreenlantern[.]net\u300d\u3068\u8868\u793a\u3055\u308c\u308b\u3088\u3046\u306b\u51e6\u7406\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_123041\" 
aria-describedby=\"caption-attachment-123041\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-123042 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/05\/word-image-21.jpeg\" alt=\"1\u670820\u65e5\u306b\u89b3\u6e2c\u3057\u305fEmotet\u30e1\u30fc\u30eb\u60aa\u610f\u306e\u3042\u308b\u30ea\u30f3\u30af\u306e\u5834\u6240\u3092\u8d64\u3044\u77e2\u5370\u3067\u793a\u3057\u3001\u305d\u306e\u5b9f\u969b\u306e\u30ea\u30f3\u30af\u5148\u3092\u8d64\u5b57\u3067\u8868\u793a\u3057\u3066\u3044\u308b\u3002 \" width=\"900\" height=\"709\" \/><figcaption id=\"caption-attachment-123041\" class=\"wp-caption-text\">\u56f322. 1\u670820\u65e5\u306b\u89b3\u6e2c\u3057\u305fEmotet\u30e1\u30fc\u30eb<\/figcaption><\/figure>\n<figure id=\"attachment_123043\" aria-describedby=\"caption-attachment-123043\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-123044 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/05\/word-image-22.jpeg\" alt=\"\u507d\u306e\u82e6\u60c5\u5831\u544a\u30da\u30fc\u30b8\u306f\u56f3\u306e\u3088\u3046\u306a\u60aa\u610f\u306e\u3042\u308bExcel\u30b9\u30d7\u30ec\u30c3\u30c9\u30b7\u30fc\u30c8\u3092\u914d\u4fe1\u3057\u3088\u3046\u3068\u3059\u308b\u3002\u3053\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u306b\u306fFile 'Preview Compmlaint Report in XLS' is ready for open\u3068\u3044\u3046\u30e1\u30c3\u30bb\u30fc\u30b8\u304c\u8868\u793a\u3055\u308c\u3066\u3044\u308b\u3002 \" width=\"900\" height=\"515\" \/><figcaption id=\"caption-attachment-123043\" class=\"wp-caption-text\">\u56f323. 
\u507d\u306e\u82e6\u60c5\u5831\u544a\u30da\u30fc\u30b8\u3002\u53d7\u4fe1\u8005\u540d\u3064\u304d\u3067Emotet\u7528\u306eExcel\u30b9\u30d7\u30ec\u30c3\u30c9\u30b7\u30fc\u30c8\u3092\u9001\u4fe1\u3057\u3066\u304f\u308b<\/figcaption><\/figure>\n<figure id=\"attachment_123045\" aria-describedby=\"caption-attachment-123045\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-123046 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/05\/word-image-23.jpeg\" alt=\"\u507d\u306e\u82e6\u60c5\u5831\u544aWeb\u30da\u30fc\u30b8\u304b\u3089\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3055\u308c\u305fEmotet\u7528Excel\u30b9\u30d7\u30ec\u30c3\u30c9\u30b7\u30fc\u30c8\u3053\u306e\u30b9\u30d7\u30ec\u30c3\u30c9\u30b7\u30fc\u30c8\u306f\u30e6\u30fc\u30b6\u30fc\u3092\u3060\u307e\u3057\u3066\u30de\u30af\u30ed\u3092\u6709\u52b9\u306b\u3055\u305b\u3088\u3046\u3068\u3057\u3066\u3044\u308b\u3053\u3068\u306b\u6ce8\u610f \" width=\"900\" height=\"488\" \/><figcaption id=\"caption-attachment-123045\" class=\"wp-caption-text\">\u56f324. 
\u507d\u306e\u82e6\u60c5\u5831\u544aWeb\u30da\u30fc\u30b8\u304b\u3089\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3055\u308c\u305fEmotet\u7528Excel\u30b9\u30d7\u30ec\u30c3\u30c9\u30b7\u30fc\u30c8<\/figcaption><\/figure>\n<p><a href=\"#Appendix-D-Emotet-epoch-5-infection\">\u4ed8\u9332D<\/a>\u306b\u30011\u670811\u65e5\u306b\u89b3\u6e2c\u3055\u308c\u305f\u3001\u3053\u306e\u65b9\u6cd5\u3092\u4f7f\u3046Emotet\u611f\u67d3\u306eIoC\u3092\u8a18\u8f09\u3057\u307e\u3059\u3002<\/p>\n<p>1\u670821\u65e5(\u91d1)\u307e\u3067\u306b\u3001Emotet\u30e1\u30fc\u30eb\u306e\u624b\u53e3\u306f\u3001Excel\u30b9\u30d7\u30ec\u30c3\u30c9\u30b7\u30fc\u30c8\u306e\u6dfb\u4ed8\u3084Excel\u30b9\u30d7\u30ec\u30c3\u30c9\u30b7\u30fc\u30c8\u3092\u542b\u3080\u30d1\u30b9\u30ef\u30fc\u30c9\u4fdd\u8b77\u3064\u304dZIP\u30a2\u30fc\u30ab\u30a4\u30d6\u306b\u623b\u308a\u307e\u3057\u305f\u3002\u3053\u306e\u6708\u306e\u6b8b\u308a\u306e\u671f\u9593\u3044\u3063\u3071\u3044\u306f\u3001Emotet\u7528\u306eExcel\u30b9\u30d7\u30ec\u30c3\u30c9\u30b7\u30fc\u30c8\u3067\u306f\u3001\u4e0a\u306e\u56f324\u306b\u793a\u3059\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u3068\u4e0b\u306e\u56f325\u306b\u793a\u3059\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u3068\u304c\u4ea4\u4e92\u306b\u4f7f\u308f\u308c\u307e\u3057\u305f\u3002<\/p>\n<figure id=\"attachment_123047\" aria-describedby=\"caption-attachment-123047\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-123048 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/05\/word-image-24.jpeg\" alt=\"2022\u5e741\u6708\u306e\u6700\u5f8c\u306e\u9031\u306b\u78ba\u8a8d\u3055\u308c\u305fEmotet\u7528Excel\u30b9\u30d7\u30ec\u30c3\u30c9\u30b7\u30fc\u30c8\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u3002\u300cThis document is protected\u300d\u3068\u3044\u3046\u30a6\u30a3\u30f3\u30c9\u30a6\u304c\u30b9\u30d7\u30ec\u30c3\u30c9\u30b7\u30fc\u30c8\u306b\u8868\u793a\u3055\u308c\u3066\u3044\u308b\u3002 \" width=\"900\" height=\"510\" \/><figcaption 
id=\"caption-attachment-123047\" class=\"wp-caption-text\">\u56f325. 2022\u5e741\u6708\u306e\u6700\u5f8c\u306e\u9031\u3044\u3063\u3071\u3044\u78ba\u8a8d\u3055\u308c\u305fEmotet\u7528Excel\u30b9\u30d7\u30ec\u30c3\u30c9\u30b7\u30fc\u30c8\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8<\/figcaption><\/figure>\n<p>1\u6708\u306b\u306fEmotet\u304cCobalt Strike\u3092\u30d7\u30c3\u30b7\u30e5\u3057\u3066\u3044\u308b\u3068\u3044\u3046\u5831\u544a\u304c\u7d9a\u3051\u3066\u78ba\u8a8d\u3055\u308c\u307e\u3057\u305f\u3002\u30e9\u30dc\u30c6\u30b9\u30c8\u3067\u306fEmotet\u611f\u67d3\u30db\u30b9\u30c8\u304c\u521d\u671f\u611f\u67d3\u304b\u308935\uff5e45\u5206\u5f8c\u306b\u30b9\u30d1\u30e0\u30dc\u30c3\u30c8\u6d3b\u52d5\u3092\u958b\u59cb\u3059\u308b\u3053\u3068\u304c\u65e5\u5e38\u7684\u306b\u78ba\u8a8d\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<h2><a id=\"Conclusion\"><\/a>\u7d50\u8ad6<\/h2>\n<p>2021\u5e7411\u6708\u306e\u5fa9\u6d3b\u4ee5\u6765\u3001Emotet\u306f\u73fe\u5728\u306e\u8105\u5a01\u6982\u6cc1\u3067\u3082\u3063\u3068\u3082\u914d\u4fe1\u6570\u306e\u591a\u3044\u30de\u30eb\u30a6\u30a7\u30a2\u30d5\u30a1\u30df\u30ea\u306e1\u3064\u306b\u8fd4\u308a\u54b2\u3044\u3066\u3044\u307e\u3059\u3002Emotet\u304c\u7a4d\u6975\u7684\u306b\u30b9\u30d1\u30e0\u884c\u70ba\u3092\u884c\u3063\u3066\u3044\u308b\u671f\u9593\u306f\u3001\u65e5\u306b\u4f55\u5341\u4e07\u901a\u3082\u306e\u96fb\u5b50\u30e1\u30fc\u30eb\u304c\u751f\u6210\u3055\u308c\u308b\u3053\u3068\u304c\u3042\u308a\u307e\u3059\u3002\u30cf\u30c3\u30b7\u30e5\u30d0\u30b9\u30c8\u3084\u30b3\u30fc\u30c9\u96e3\u8aad\u5316\u306a\u3069\u306e\u56de\u907f\u6280\u8853\u306b\u3088\u308aEmotet\u306f\u6df1\u523b\u306a\u8105\u5a01\u3068\u306a\u3063\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>Windows\u30e6\u30fc\u30b6\u30fc\u306f\u3001\u30b9\u30d1\u30e0\u30d5\u30a3\u30eb\u30bf\u30ea\u30f3\u30b0\u3001\u9069\u5207\u306a\u30b7\u30b9\u30c6\u30e0\u7ba1\u7406\u3001\u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\u306e\u78ba\u5b9f\u306a\u6700\u65b0\u30d1\u30c3\u30c1\u9069\u7528\u306b\u3088\u
308a\u3001Emotet\u306e\u3082\u305f\u3089\u3059\u30ea\u30b9\u30af\u3092\u4f4e\u6e1b\u3067\u304d\u307e\u3059\u3002\u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u306e\u304a\u5ba2\u69d8\u306f\u3001<a href=\"https:\/\/www.paloaltonetworks.jp\/cortex\/cortex-xdr\">Cortex XDR<\/a>\u3001<a href=\"https:\/\/www.paloaltonetworks.jp\/network-security\/next-generation-firewall\">\u6b21\u4e16\u4ee3\u30d5\u30a1\u30a4\u30a2\u30a6\u30a9\u30fc\u30eb<\/a>(<a href=\"https:\/\/www.paloaltonetworks.jp\/products\/secure-the-network\/wildfire\">WildFire<\/a>\u304a\u3088\u3073<a href=\"https:\/\/www.paloaltonetworks.jp\/network-security\/threat-prevention\">Threat Prevention<\/a>\u30b5\u30d6\u30b9\u30af\u30ea\u30d7\u30b7\u30e7\u30f3)\u306b\u3088\u308a\u3001Emotet\u304b\u3089\u3055\u3089\u306b\u4fdd\u8b77\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u306f\u30d5\u30a1\u30a4\u30eb\u30b5\u30f3\u30d7\u30eb\u3084\u4fb5\u5bb3\u306e\u5146\u5019\u306a\u3069\u3092\u3075\u304f\u3080\u3053\u308c\u3089\u306e\u8abf\u67fb\u7d50\u679c\u3092Cyber Threat Alliance (CTA \u30b5\u30a4\u30d0\u30fc\u8105\u5a01\u30a2\u30e9\u30a4\u30a2\u30f3\u30b9) \u306e\u30e1\u30f3\u30d0\u30fc\u3068\u5171\u6709\u3057\u307e\u3057\u305f\u3002CTA \u306e\u30e1\u30f3\u30d0\u30fc\u306f\u3053\u306e\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9\u3092\u4f7f\u7528\u3057\u3066\u3001\u304a\u5ba2\u69d8\u306b\u4fdd\u8b77\u3092\u8fc5\u901f\u306b\u63d0\u4f9b\u3057\u3001\u60aa\u610f\u306e\u3042\u308b\u30b5\u30a4\u30d0\u30fc\u653b\u6483\u8005\u3092\u4f53\u7cfb\u7684\u306b\u963b\u5bb3\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002\u8a73\u7d30\u306b\u3064\u3044\u3066\u306f <a href=\"https:\/\/www.cyberthreatalliance.org\">Cyber Threat Alliance <\/a>\u304b\u3089\u3054\u89a7\u304f\u3060\u3055\u3044\uff61<\/p>\n<h2><a 
id=\"Indicators-of-Compromise\"><\/a>IoC<\/h2>\n<p>\u30cf\u30c3\u30b7\u30e5\u30d0\u30b9\u30c8\u3001\u65e5\u6b21\u306e\u30de\u30eb\u30a6\u30a7\u30a2URL\u5909\u66f4\u3001\u9ad8\u983b\u5ea6\u306e\u611f\u67d3\u30d1\u30bf\u30fc\u30f3\u5909\u66f4\u306a\u3069\u306b\u3088\u308a\u3001Emotet\u306b\u306f\u65e5\u3005\u4f55\u767e\u3082\u306e\u65b0\u305f\u306a\u6307\u6a19\u304c\u78ba\u8a8d\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u3053\u308c\u3089\u306e\u6307\u6a19\u306f\u3042\u307e\u308a\u306b\u6570\u304c\u591a\u304f\u5909\u5316\u3082\u6fc0\u3057\u3044\u3053\u3068\u304b\u3089\u30ea\u30b9\u30c8\u30921\u3064\u63d0\u793a\u3057\u305f\u3060\u3051\u3067\u306f\u5f79\u306b\u7acb\u3061\u307e\u305b\u3093\u3002<a href=\"https:\/\/abuse.ch\/\">abuse.ch<\/a>\u306f<a href=\"https:\/\/feodotracker.abuse.ch\/browse\/emotet\/\">Emotet\u30dc\u30c3\u30c8\u30cd\u30c3\u30c8\u306e\u30b3\u30de\u30f3\u30c9\uff06\u30b3\u30f3\u30c8\u30ed\u30fc\u30eb\u30b5\u30fc\u30d0\u30fc<\/a>\u3001<a href=\"https:\/\/threatfox.abuse.ch\/browse\/tag\/Emotet\/\">Emotet\u30de\u30eb\u30a6\u30a7\u30a2\u3092\u30db\u30b9\u30c8\u3059\u308bURL<\/a>\u3001<a href=\"https:\/\/bazaar.abuse.ch\/browse\/tag\/Emotet\/\">Emotet\u30de\u30eb\u30a6\u30a7\u30a2\u30b5\u30f3\u30d7\u30eb<\/a>\u306a\u3069\u306e\u30c8\u30e9\u30c3\u30ab\u30fc\u3092\u7121\u511f\u3067\u63d0\u4f9b\u3059\u308b\u7814\u7a76\u30d7\u30ed\u30b8\u30a7\u30af\u30c8\u3067\u3059\u3002<\/p>\n<p>\u4ed8\u9332<a href=\"#Appendix-A-Emotet-epoch-4-activity\">A<\/a>\u3001<a href=\"#Appendix-B-Emotet-epoch-4-abusing-App-Installer\">B<\/a>\u3001<a href=\"#Appendix-C-Emotet-epoch-4-infection\">C<\/a>\u3001<a href=\"#Appendix-D-Emotet-epoch-5-infection\">D<\/a>\u306f\u672c\u7a3f\u3067\u53c2\u7167\u3057\u305f\u6307\u6a19\u306e\u3054\u304f\u4e00\u90e8\u3067\u3059\u3002<\/p>\n<h2><a id=\"Appendix-A-Emotet-epoch-4-activity\"><\/a>\u4ed8\u9332A: 
2021\u5e7411\u670818\u65e5\u306eEmotet\u30a8\u30dd\u30c3\u30af4\u306e\u6d3b\u52d5<\/h2>\n<h5><strong>\u30d1\u30b9\u30ef\u30fc\u30c9\u4fdd\u8b77\u3064\u304dZIP\u30a2\u30fc\u30ab\u30a4\u30d6\u306e7\u3064\u306e\u30b5\u30f3\u30d7\u30eb\u306eSHA256\u30cf\u30c3\u30b7\u30e5:<\/strong><\/h5>\n<p><span style=\"font-family: 'courier new', courier, monospace;\">a1ab66a0fbb84a29e5c7733c42337bc733d8b3c11e2d9f9e4357f47fb337c4d5 3.zip<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">176cfa7f0742d5a79b9cfbf266c437b965fc763cf775415ca251c6bb2dd5e9e5 9.zip<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">6c34e373479e1a7485025dc3ffa5d23db999aea83e4f3759bd8381fb88e2bbbf 435.zip<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">8dc28ac1c66f3d17794bb0059445f4deb9db029eb6d4ea1adca734d035bdaecf 1811.zip<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">4668e7d6bdb00fb80807ed91eef5ac9f6ba0dfd50d260d3e0240847b0ec16f69 18112021.zip<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">bfdad57171267921a678ba9d86fd096c00197524698cc03a84d2cfeefdca5587 433492807279.zip<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">66c34636aaf73f74df8da9981ca6054eb4143d1761dbde8e0e83899805590db2 763325738862.zip<\/span><\/p>\n<h5><strong>\u4e0a\u8a18ZIP\u30a2\u30fc\u30ab\u30a4\u30d6\u306e\u30d1\u30b9\u30ef\u30fc\u30c9:<\/strong><\/h5>\n<p><span style=\"font-family: 'courier new', courier, monospace;\">3.zip<\/span> password:<span style=\"font-family: 'courier new', courier, monospace;\"> 008<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">9.zip<\/span> password: <span style=\"font-family: 'courier new', courier, monospace;\">3854<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">435.zip<\/span> password: <span style=\"font-family: 'courier new', courier, monospace;\">636<br 
\/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">1811.zip<\/span> password: <span style=\"font-family: 'courier new', courier, monospace;\">9483<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">18112021.zip<\/span> password: <span style=\"font-family: 'courier new', courier, monospace;\">2927<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">433492807279.zip<\/span> password: <span style=\"font-family: 'courier new', courier, monospace;\">209<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">763325738862.zip<\/span> password: <span style=\"font-family: 'courier new', courier, monospace;\">339<\/span><\/p>\n<h5><strong>\u62bd\u51fa\u3055\u308c\u305f7\u3064\u306eWord\u6587\u66f8\u306eSHA256\u30cf\u30c3\u30b7\u30e5:<\/strong><\/h5>\n<p><span style=\"font-family: 'courier new', courier, monospace;\">304fba4a048904744d6d1c4d8bfd5d7b4019c2c45aba0499d797ee0d6807dfa8 3.doc<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">e5f3a7e75c03d45462992b0a973e7e25b533e293724590c9eb34f5ee729039b0 9.doc<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">0cacc247469125b5e0977b9de9814db0eb642c109ca5d13ee9c336aef2ec4c19 435.doc<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">801ec1ec71051838efe75fd89344b676fa741d9e7718e534f119c57a899f4792 1811.doc<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">cbddc8fea92cdf40f8efac2fe8fa534d52d90cccecbb914f3827002f680da98a 18112021.doc<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">fccaf2af38484493d763b0ea37e68a40eb6def3030cfa975fa8d389e96b49378 433492807279.doc<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">d655ab6b9350ec4f64c735cd23be62ca87d49165b244cefe75ad0dbb061de3d4 
763325738862.doc<\/span><\/p>\n<h5><strong>\u4e0a\u8a18Word\u6587\u66f8\u306b\u3088\u308a\u751f\u6210\u3055\u308c\u308bURL:<\/strong><\/h5>\n<p><span style=\"font-family: 'courier new', courier, monospace;\">hxxp:\/\/jamaateislami[.]com\/wp-admin\/FKyNiHeRz1\/<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">hxxp:\/\/voltaicplasma[.]com\/wp-includes\/wkCYpDihyc8biTPn444B\/<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">hxxp:\/\/linebot.gugame[.]net\/images\/RX6MVSCgGr\/<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">hxxp:\/\/lpj917[.]com\/wp-content\/Cc4KG1MDR4xAWp91SjA\/<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">hxxp:\/\/html.gugame[.]net\/img\/5xUBiRIQ4s3EtKEv67Ebn\/<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">hxxp:\/\/xanthelasmaremoval[.]com\/wp-includes\/VVVcpYsRtGgjQqfgjxbS\/<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">hxxp:\/\/giadinhviet[.]com\/pdf\/log_in\/8kQBFUyohsDRGCJx\/<\/span><\/p>\n<h5><strong>Emotet DLL\u306e\u30d5\u30a1\u30a4\u30eb\u30b5\u30f3\u30d7\u30eb:<\/strong><\/h5>\n<p><strong>SHA256\u30cf\u30c3\u30b7\u30e5:<\/strong><br \/>\n<span style=\"font-family: 'courier new', courier, monospace;\">555dff455242a5f82f79eecb66539bfd1daa842481168f1f1df911ac05a1cfba<\/span><br \/>\n<strong>\u30d5\u30a1\u30a4\u30eb\u30b5\u30a4\u30ba: <\/strong>485,376\u30d0\u30a4\u30c8<br \/>\n<strong>\u30d5\u30a1\u30a4\u30eb\u306e\u5834\u6240:<\/strong> <span style=\"font-family: 'courier new', courier, monospace;\">hxxp:\/\/jamaateislami[.]com\/wp-admin\/FKyNiHeRz1\/<br \/>\n<\/span><strong>\u30d5\u30a1\u30a4\u30eb\u306e\u5834\u6240:<\/strong> <span style=\"font-family: 'courier new', courier, monospace;\">C:\\ProgramData\\1245045870.dll<br \/>\n<\/span><strong>\u30d5\u30a1\u30a4\u30eb\u306e\u5834\u6240:<\/strong> <span style=\"font-family: 'courier new', courier, 
monospace;\">C:\\Users\\[username]\\AppData\\Local\\Tzbklmcf\\ljkklzcncxkf.pgk<br \/>\n<\/span><strong>Windows\u30ec\u30b8\u30b9\u30c8\u30ea\u66f4\u65b0\u306e\u5b9f\u884c\u65b9\u6cd5:<\/strong> rundll32.exe <em>[filename]<\/em>,truHNmRuL<br \/>\n<strong>\u6ce81: <\/strong> 1811.doc\u3092\u4f7f\u7528\u3057\u3066\u751f\u6210\u3055\u308c\u305f\u3082\u306e<br \/>\n<strong>\u6ce82: <\/strong>rundll32.exe\u3067\u4f7f\u7528\u3059\u308b\u30a8\u30f3\u30c8\u30ea\u30dd\u30a4\u30f3\u30c8\u306b\u306f\u4efb\u610f\u306e\u82f1\u6570\u5b57\u3092\u4f7f\u7528\u53ef\u80fd<\/p>\n<h5>\u611f\u67d3Windows\u30db\u30b9\u30c8\u304b\u3089\u306eHTTPS Emotet C2\u30c8\u30e9\u30d5\u30a3\u30c3\u30af:<\/h5>\n<p><span style=\"font-family: 'courier new', courier, monospace;\">51.178.61[.]60<\/span> <span style=\"font-family: 'courier new', courier, monospace;\"><span style=\"font-family: georgia, palatino, serif;\">port<\/span> 443<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">103.161.172[.]108<\/span> port <span style=\"font-family: 'courier new', courier, monospace;\">443<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">122.129.203[.]163 <span style=\"font-family: georgia, palatino, serif;\">port<\/span> 443<\/span><\/p>\n<h2><a id=\"Appendix-B-Emotet-epoch-4-abusing-App-Installer\"><\/a>\u4ed8\u9332B: 2021\u5e7411\u670830\u65e5\u306e\u30a2\u30d7\u30ea \u30a4\u30f3\u30b9\u30c8\u30fc\u30e9\u30fc\u3092\u60aa\u7528\u3059\u308bEmotet\u30a8\u30dd\u30c3\u30af4<\/h2>\n<h5>\u30e1\u30fc\u30eb\u5185\u306e\u30ea\u30f3\u30af:<\/h5>\n<p><span style=\"font-family: 'courier new', courier, monospace;\">hxxp:\/\/hispanicaidgroup[.]org\/ufay0vq\/keWIgzwT\/<\/span><\/p>\n<h5>\u60aa\u8cea\u306a\u30a2\u30d7\u30ea \u30a4\u30f3\u30b9\u30c8\u30fc\u30e9\u30fc<\/h5>\n<p><strong>SHA256\u30cf\u30c3\u30b7\u30e5:<\/strong><br \/>\n<span style=\"font-family: 'courier new', courier, monospace;\">450cba4a0f2b8c14dee55c33c9c0f522a4dddd1b463e39e8e736ed37dc2fac74<br 
\/>\n<\/span><strong>\u30d5\u30a1\u30a4\u30eb\u30b5\u30a4\u30ba: <\/strong>472\u30d0\u30a4\u30c8<br \/>\n<strong>\u30d5\u30a1\u30a4\u30eb\u306e\u5834\u6240:<\/strong> <span style=\"font-family: 'courier new', courier, monospace;\">hxxps:\/\/locstorageinfo.z13.web.core.windows[.]net\/ioocceneen.appinstaller<\/span><\/p>\n<h5><strong>\u60aa\u8cea\u306aAppxbundle:<\/strong><\/h5>\n<p><strong>SHA256\u30cf\u30c3\u30b7\u30e5:<\/strong><br \/>\n<span style=\"font-family: 'courier new', courier, monospace;\">7c55c3656184b145b3b3f6449c05d93fa389650ad235512d2f99ee412085cf3a<br \/>\n<\/span><strong>\u30d5\u30a1\u30a4\u30eb\u30b5\u30a4\u30ba: <\/strong>1,261,364\u30d0\u30a4\u30c8<br \/>\n<strong>\u30d5\u30a1\u30a4\u30eb\u306e\u5834\u6240:<\/strong> <span style=\"font-family: 'courier new', courier, monospace;\">hxxps:\/\/locstorageinfo.z13.web.core.windows[.]net\/ioocceneen.appxbundle<\/span><\/p>\n<h5>Appxbundle\u306b\u542b\u307e\u308c\u308b\u60aa\u610f\u306e\u3042\u308b\u5b9f\u884c\u30d5\u30a1\u30a4\u30eb:<\/h5>\n<p><strong>SHA256\u30cf\u30c3\u30b7\u30e5:<\/strong><br \/>\n<span style=\"font-family: 'courier new', courier, monospace;\">36a81cd64e7649d9f91925194e89e8463c980682596eef19c4f5df6e1ac77b2a<br \/>\n<\/span><strong>\u30d5\u30a1\u30a4\u30eb\u30b5\u30a4\u30ba: <\/strong>192,800\u30d0\u30a4\u30c8<br \/>\n<strong>Appixbundle\u5185\u306e\u5834\u6240: <\/strong><br \/>\n<span style=\"font-family: 'courier new', courier, monospace;\">ioocceneen.appxbundle\/Adobe_1.2.0.0_x86\/CustomParts\/wsprotocol.exe<\/span><\/p>\n<h5>Emotet DLL\u306e\u30b5\u30f3\u30d7\u30eb:<\/h5>\n<p><strong>SHA256\u30cf\u30c3\u30b7\u30e5:<\/strong><br \/>\n<span style=\"font-family: 'courier new', courier, monospace;\">a04714dcfad52b9dbf2f649810a6c489c5eb2a15118043f0173571310597b8cb<br \/>\n<\/span><strong>\u30d5\u30a1\u30a4\u30eb\u30b5\u30a4\u30ba: <\/strong>643,147\u30d0\u30a4\u30c8<br \/>\n<strong>\u30d5\u30a1\u30a4\u30eb\u306e\u5834\u6240:<\/strong> <span style=\"font-family: 'courier new', 
courier, monospace;\">hxxp:\/\/www.thebanditproject[.]com\/wp-content\/BvZK54PFsCqKio6\/<br \/>\n<\/span><strong>\u30d5\u30a1\u30a4\u30eb\u306e\u5834\u6240:<\/strong> <span style=\"font-family: 'courier new', courier, monospace;\">C:\\Users\\<em>[username]<\/em>\\AppData\\Local\\Pvglfpllzel\\bhryuac.wmn<br \/>\n<\/span><strong>\u5b9f\u884c\u65b9\u6cd5:<\/strong> <span style=\"font-family: 'courier new', courier, monospace;\">rundll32.exe<\/span> <em>[filename]<\/em>,<em>[any alpha-numeric value]<\/em><\/p>\n<h5>\u611f\u67d3Windows\u30db\u30b9\u30c8\u304b\u3089\u306eHTTPS Emotet C2\u30c8\u30e9\u30d5\u30a3\u30c3\u30af:<\/h5>\n<p><span style=\"font-family: 'courier new', courier, monospace;\">46.55.222[.]11 <span style=\"font-family: georgia, palatino, serif;\">port<\/span> 443<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">163.172.50[.]82 <span style=\"font-family: georgia, palatino, serif;\">port<\/span> 443<\/span><\/p>\n<h2><a id=\"Appendix-C-Emotet-epoch-4-infection\"><\/a>\u4ed8\u9332C: 2021\u5e7412\u670821\u65e5\u306eEmotet\u30a8\u30dd\u30c3\u30af4\u611f\u67d3<\/h2>\n<h5>\u30e1\u30fc\u30eb\u306b\u6dfb\u4ed8\u3055\u308c\u305fExcel\u30d5\u30a1\u30a4\u30eb:<\/h5>\n<p><strong>SHA256\u30cf\u30c3\u30b7\u30e5:<\/strong><br \/>\n<span style=\"font-family: 'courier new', courier, monospace;\">fcf5500a8b46bf8c7234fb0cc4568e2bd65b12ef8b700dc11ff8ee507ba129da<br \/>\n<\/span><strong>\u30d5\u30a1\u30a4\u30eb\u30b5\u30a4\u30ba: <\/strong>194,273\u30d0\u30a4\u30c8<br \/>\n<strong>\u30d5\u30a1\u30a4\u30eb\u540d:<\/strong> <span style=\"font-family: 'courier new', courier, monospace;\">REP_1671971987654103376.xls<\/span><\/p>\n<h5>HTA\u30d5\u30a1\u30a4\u30eb:<\/h5>\n<p><strong>SHA256\u30cf\u30c3\u30b7\u30e5:<\/strong><br \/>\n<span style=\"font-family: 'courier new', courier, monospace;\">97ebdff655fa111863fbd084f99187c9b6b369fe88fdb1333f8b89aac09fc48d<br \/>\n<\/span><strong>\u30d5\u30a1\u30a4\u30eb\u30b5\u30a4\u30ba: 
<\/strong>10,980\u30d0\u30a4\u30c8<br \/>\n<strong>\u30d5\u30a1\u30a4\u30eb\u306e\u5834\u6240:<\/strong> <span style=\"font-family: 'courier new', courier, monospace;\">hxxp:\/\/87.251.86[.]178\/pp\/_.html<\/span><\/p>\n<h5>Powershell\u30b9\u30af\u30ea\u30d7\u30c8:<\/h5>\n<p><strong>SHA256\u30cf\u30c3\u30b7\u30e5:<\/strong><br \/>\n<span style=\"font-family: 'courier new', courier, monospace;\">a08271fe6d67cc6cf678683f58e22412e6872a985a03b8444584bea57aa3cbb7<br \/>\n<\/span><strong>\u30d5\u30a1\u30a4\u30eb\u30b5\u30a4\u30ba: <\/strong>721\u30d0\u30a4\u30c8<br \/>\n<strong>\u30d5\u30a1\u30a4\u30eb\u306e\u5834\u6240:<\/strong> <span style=\"font-family: 'courier new', courier, monospace;\">hxxp:\/\/87.251.86[.]178\/pp\/PP.PNG<\/span><\/p>\n<h5>\u4e0a\u8a18Powershell\u30b9\u30af\u30ea\u30d7\u30c8\u3067\u751f\u6210\u3055\u308c\u305fURL:<\/h5>\n<p><span style=\"font-family: 'courier new', courier, monospace;\">hxxp:\/\/mustache.webstory[.]sa\/wp-includes\/cRwe2Pkxasj\/<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">hxxps:\/\/vdevigueta[.]com\/wp-admin\/qYOwD7kPD6JX\/<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">hxxp:\/\/bujogradba[.]com\/5tvjjl\/qiP8H0W5GmR5P9fGIw\/<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">hxxps:\/\/daxinghuo[.]com\/get\/oU8lM4P\/<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">hxxp:\/\/masl[.]cn\/1\/4Ilcpoj6PjTsj3eAR\/<\/span><\/p>\n<h5>Emotet DLL\u306e\u30b5\u30f3\u30d7\u30eb:<\/h5>\n<p><strong>SHA256\u30cf\u30c3\u30b7\u30e5:<\/strong><br \/>\n<span style=\"font-family: 'courier new', courier, monospace;\">7c35902055f69af2cbb6c941821ceba3d79b2768dd2235c282b195eb48cc6c83<br \/>\n<\/span><strong>\u30d5\u30a1\u30a4\u30eb\u30b5\u30a4\u30ba: <\/strong>1,257,472\u30d0\u30a4\u30c8<br \/>\n<strong>\u30d5\u30a1\u30a4\u30eb\u306e\u5834\u6240:<\/strong> <span style=\"font-family: 'courier new', courier, 
monospace;\">hxxp:\/\/mustache.webstory[.]sa\/wp-includes\/cRwe2Pkxasj\/<br \/>\n<\/span><strong>\u30d5\u30a1\u30a4\u30eb\u306e\u5834\u6240:<\/strong> <span style=\"font-family: 'courier new', courier, monospace;\">C:\\Users\\Public\\Documents\\ssd.dll<br \/>\n<\/span><strong>\u30d5\u30a1\u30a4\u30eb\u306e\u5834\u6240:<\/strong> <span style=\"font-family: 'courier new', courier, monospace;\">C:\\Users\\<em>[username]<\/em>\\AppData\\Local\\Piqvlxzjzu\\vrjlv.srn<br \/>\n<\/span><strong>\u5b9f\u884c\u65b9\u6cd5:<\/strong> <span style=\"font-family: 'courier new', courier, monospace;\">rundll32.exe<\/span> <em>[filename]<\/em>,<em>[any alpha-numeric value]<\/em><\/p>\n<h5>\u611f\u67d3Windows\u30db\u30b9\u30c8\u304b\u3089\u306eHTTPS Emotet C2\u30c8\u30e9\u30d5\u30a3\u30c3\u30af:<\/h5>\n<p><span style=\"font-family: 'courier new', courier, monospace;\">54.37.212[.]235 <span style=\"font-family: georgia, palatino, serif;\">port<\/span> 80<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">144.202.34[.]169 <span style=\"font-family: georgia, palatino, serif;\">port<\/span> 443<\/span><\/p>\n<h2><a id=\"Appendix-D-Emotet-epoch-5-infection\"><\/a>\u4ed8\u9332D: 2022\u5e741\u670811\u65e5\u306eEmotet\u30a8\u30dd\u30c3\u30af5\u611f\u67d3<\/h2>\n<h5>\u30e1\u30fc\u30eb\u306b\u8a18\u8f09\u3055\u308c\u305f\u507d\u82e6\u60c5\u30da\u30fc\u30b8\u306e\u30ea\u30f3\u30af\u4f8b:<\/h5>\n<p><span style=\"font-family: 'courier new', courier, monospace;\">hxxp:\/\/goodmarketinggroup[.]com\/newish\/562_9559085\/<\/span><\/p>\n<h5>Excel\u30b9\u30d7\u30ec\u30c3\u30c9\u30b7\u30fc\u30c8\u306e\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9URL:<\/h5>\n<p><span style=\"font-family: 'courier new', courier, monospace;\">hxxp:\/\/goodmarketinggroup[.]com\/newish\/562_9559085\/?i=1<\/span><\/p>\n<h5>\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u305fEmotet\u306eExcel\u30d5\u30a1\u30a4\u30eb\u4f8b:<\/h5>\n<p><strong>SHA256\u30cf\u30c3\u30b7\u30e5:<\/strong><br \/>\n<span 
style=\"font-family: 'courier new', courier, monospace;\">292826fa66737d718d0d23f5842dc88e05c8ba5ade7e51212dded85137631b31<\/span><br \/>\n<strong>\u30d5\u30a1\u30a4\u30eb\u30b5\u30a4\u30ba: <\/strong>85,352\u30d0\u30a4\u30c8<br \/>\n<strong>\u30d5\u30a1\u30a4\u30eb\u540d:<\/strong> <span style=\"font-family: 'courier new', courier, monospace;\">06028_2603.xlsm<\/span><\/p>\n<h5>\u30de\u30af\u30ed\u6709\u52b9\u5316\u5f8cEmotet DLL\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3059\u308bURL3\u3064:<\/h5>\n<p><span style=\"font-family: 'courier new', courier, monospace;\">hxxp:\/\/mammy-chiro[.]com\/case\/ZTkBzbz\/<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">hxxp:\/\/bluetoothheadsetreview[.]xyz\/wp-includes\/xmdHAGgfki\/<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">hxxp:\/\/topline36[.]xyz\/wp-includes\/css\/BB9Ajvjs89U9O\/<\/span><\/p>\n<h5>Emotet DLL\u306e\u30b5\u30f3\u30d7\u30eb:<\/h5>\n<p><strong>SHA256\u30cf\u30c3\u30b7\u30e5:<\/strong><br \/>\n<span style=\"font-family: 'courier new', courier, monospace;\">4978285fc20fb2ac2990a735071277302c9175d16820ac64f326679f162354ff<\/span><br \/>\n<strong>\u30d5\u30a1\u30a4\u30eb\u30b5\u30a4\u30ba: <\/strong>481,792\u30d0\u30a4\u30c8<br \/>\n<strong>\u30d5\u30a1\u30a4\u30eb\u306e\u5834\u6240:<\/strong> <span style=\"font-family: 'courier new', courier, monospace;\">hxxp:\/\/mammy-chiro[.]com\/case\/ZTkBzbz\/<br \/>\n<\/span><strong>\u30d5\u30a1\u30a4\u30eb\u306e\u5834\u6240:<\/strong> <span style=\"font-family: 'courier new', courier, monospace;\">C:\\Users\\<em>[username]<\/em>\\dwa.ocx<br \/>\n<\/span><strong>\u30d5\u30a1\u30a4\u30eb\u306e\u5834\u6240:<\/strong> <span style=\"font-family: 'courier new', courier, monospace;\">C:\\Users\\<em>[username]<\/em>\\AppData\\Local\\Fhcnkauwkz\\gavlgclbak.wwa<br \/>\n<\/span><strong>\u5b9f\u884c\u65b9\u6cd5:<\/strong> <span style=\"font-family: 'courier new', courier, monospace;\">rundll32.exe<\/span> 
<em>[filename]<\/em>,<em>[any alpha-numeric value]<\/em><\/p>\n<h5>\u611f\u67d3Windows\u30db\u30b9\u30c8\u304b\u3089\u306eHTTPS Emotet C2\u30c8\u30e9\u30d5\u30a3\u30c3\u30af:<\/h5>\n<p><span style=\"font-family: 'courier new', courier, monospace;\">41.226.30[.]6 port 8080<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">45.138.98[.]34 port 80<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">62.141.45[.]103 port 443<br \/>\n<\/span><span style=\"font-family: 'courier new', courier, monospace;\">161.97.77[.]73 port 443<\/span><\/p>\n<h2><a id=\"post-122995-_570cbe1pdhwx\"><\/a>\u8ffd\u52a0\u30ea\u30bd\u30fc\u30b9<\/h2>\n<ul>\n<li><a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa20-280a\">Emotet \u30de\u30eb\u30a6\u30a7\u30a2<\/a>- \u7c73\u56fd\u56fd\u571f\u5b89\u5168\u4fdd\u969c\u7701\u3001\u30b5\u30a4\u30d0\u30fc\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30fb\u30a4\u30f3\u30d5\u30e9\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u5e81(CISA)<\/li>\n<li><a href=\"https:\/\/unit42.paloaltonetworks.jp\/emotet-thread-hijacking\/\">Emotet\u306e\u30e1\u30fc\u30eb\u653b\u6483\u624b\u6cd5\u300c\u30b9\u30ec\u30c3\u30c9\u30cf\u30a4\u30b8\u30e3\u30c3\u30af\u300d\u306e\u30b1\u30fc\u30b9\u30b9\u30bf\u30c7\u30a3<\/a> - \u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9 Unit 42<\/li>\n<li><a href=\"https:\/\/www.europol.europa.eu\/media-press\/newsroom\/news\/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action\">\u4e16\u754c\u3067\u6700\u3082\u5371\u967a\u306a\u30de\u30eb\u30a6\u30a7\u30a2EMOTET\u3001\u4e16\u754c\u898f\u6a21\u306e\u9023\u643a\u306b\u3088\u308a\u5d29\u58ca<\/a> - \u6b27\u5dde\u5211\u4e8b\u8b66\u5bdf\u6a5f\u69cb(Europol)<\/li>\n<li><a href=\"https:\/\/isc.sans.edu\/forums\/diary\/Emotet+Returns\/28044\/\">Emotet\u306e\u5e30\u9084<\/a>- Internet Storm Center<\/li>\n<li><a 
href=\"https:\/\/twitter.com\/malwaretechblog\/status\/1251606958592757760\">Emotet\u306e\u30cf\u30c3\u30b7\u30e5\u30d0\u30b9\u30c8<\/a>- @MalwareTechBlog \u3055\u3093\u306e\u30c4\u30a4\u30fc\u30c8<\/li>\n<li><a href=\"https:\/\/www.malware-traffic-analysis.net\/2021\/11\/30\/index.html\">Emotet\u3001\u611f\u67d3\u306bappinstaller\u3092\u4f7f\u7528<\/a>- malware-traffic-analysis.net<\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/emotet-now-spreads-via-fake-adobe-windows-app-installer-packages\/\">Emotet\u3001\u507d\u306eAdobe Windows \u30a2\u30d7\u30ea \u30a4\u30f3\u30b9\u30c8\u30fc\u30e9\u30fc\u30d1\u30c3\u30b1\u30fc\u30b8\u3067\u62e1\u6563\u4e2d<\/a>- BleepingComputer<\/li>\n<li><a href=\"https:\/\/twitter.com\/Cryptolaemus1\/status\/1468266929014157316\">Emotet\u304cCobalt Strike\u3092\u30c9\u30ed\u30c3\u30d7<\/a>- @Cryptolaemus1\u3055\u3093\u306e\u30c4\u30a4\u30fc\u30c8<\/li>\n<li><a href=\"https:\/\/unit42.paloaltonetworks.jp\/new-emotet-infection-method\/\">Emotet\u306b\u65b0\u305f\u306a\u611f\u67d3\u624b\u6cd5<\/a>- \u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9 Unit 42<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>\u6982\u8981 
Emotet\u306f\u73fe\u5728\u306e\u8105\u5a01\u6982\u6cc1\u3067\u3082\u3063\u3068\u3082\u30e1\u30fc\u30eb\u914d\u4fe1\u6570\u306e\u591a\u3044\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u30d5\u30a1\u30df\u30ea\u306e1\u3064\u3067\u3059\u3002\u6cd5\u57f7\u884c\u6a5f\u95a2\u306e\u9023\u643a\u306b\u3088\u308a2021\u5e741\u6708\u306b\u30c6\u30a4\u30af\u30c0\u30a6\u30f3\u3055\u308c\u305f\u3082\u306e\u306e\u30012021\u5e7411\u6708\u306b\u306f\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u3092\u518d\u958b\u3057\u3001\u305d\u308c\u4ee5\u6765\u7a81\u51fa\u3057\u305f\u8105<\/p>\n","protected":false},"author":35,"featured_media":134330,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[4321,1974,4428],"tags":[5397,5691,5695,5697,4519,5698],"product_categories":[4346,4442,4444,4448,4456],"coauthors":[485],"class_list":["post-123079","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-threat-research","category-malware-ja","category-threat-research-ja","tag-emotet-ja","tag-macros-ja","tag-mealybug-ja","tag-mummy-spider-ja","tag-phishing-ja","tag-ta542","product_categories-advanced-threat-prevention","product_categories-advanced-threat-prevention-ja","product_categories-advanced-wildfire-ja","product_categories-cortex-xdr-ja","product_categories-next-generation-firewall-ja"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.0) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Emotet\u306e\u6982\u8981: 2021\u5e7411\u6708\uff5e2022\u5e741\u6708<\/title>\n<meta name=\"description\" content=\"\u6982\u8981\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/emotet-malware-summary-epoch-4-5\/\" \/>\n<meta property=\"og:locale\" 
content=\"ja_JP\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Emotet\u306e\u6982\u8981: 2021\u5e7411\u6708\uff5e2022\u5e741\u6708\" \/>\n<meta property=\"og:description\" content=\"\u6982\u8981\" \/>\n<meta property=\"og:url\" content=\"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/emotet-malware-summary-epoch-4-5\/\" \/>\n<meta property=\"og:site_name\" content=\"Unit 42\" \/>\n<meta property=\"article:published_time\" content=\"2022-05-17T13:00:17+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2024\/06\/05_Malware_Category_1920x900.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" content=\"900\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Brad Duncan\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Emotet\u306e\u6982\u8981: 2021\u5e7411\u6708\uff5e2022\u5e741\u6708","description":"\u6982\u8981","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/emotet-malware-summary-epoch-4-5\/","og_locale":"ja_JP","og_type":"article","og_title":"Emotet\u306e\u6982\u8981: 2021\u5e7411\u6708\uff5e2022\u5e741\u6708","og_description":"\u6982\u8981","og_url":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/emotet-malware-summary-epoch-4-5\/","og_site_name":"Unit 42","article_published_time":"2022-05-17T13:00:17+00:00","og_image":[{"width":1920,"height":900,"url":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2024\/06\/05_Malware_Category_1920x900.jpg","type":"image\/jpeg"}],"author":"Brad Duncan","twitter_card":"summary_large_image","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/emotet-malware-summary-epoch-4-5\/#article","isPartOf":{"@id":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/emotet-malware-summary-epoch-4-5\/"},"author":{"name":"Brad Duncan","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/66a2d5ad3475220e098802b8b82a6b5b"},"headline":"Emotet\u306e\u6982\u8981: 2021\u5e7411\u6708\uff5e2022\u5e741\u6708","datePublished":"2022-05-17T13:00:17+00:00","mainEntityOfPage":{"@id":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/emotet-malware-summary-epoch-4-5\/"},"wordCount":1278,"commentCount":0,"image":{"@id":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/emotet-malware-summary-epoch-4-5\/#primaryimage"},"thumbnailUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2024\/06\/05_Malware_Category_1920x900.jpg","keywords":["Emotet","Macros","MealyBug","Mummy Spider","phishing","TA542"],"articleSection":["Threat 
Research","\u30de\u30eb\u30a6\u30a7\u30a2","\u8105\u5a01\u30ea\u30b5\u30fc\u30c1"],"inLanguage":"ja","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/origin-unit42.paloaltonetworks.com\/ja\/emotet-malware-summary-epoch-4-5\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/emotet-malware-summary-epoch-4-5\/","url":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/emotet-malware-summary-epoch-4-5\/","name":"Emotet\u306e\u6982\u8981: 2021\u5e7411\u6708\uff5e2022\u5e741\u6708","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/emotet-malware-summary-epoch-4-5\/#primaryimage"},"image":{"@id":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/emotet-malware-summary-epoch-4-5\/#primaryimage"},"thumbnailUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2024\/06\/05_Malware_Category_1920x900.jpg","datePublished":"2022-05-17T13:00:17+00:00","author":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/66a2d5ad3475220e098802b8b82a6b5b"},"description":"\u6982\u8981","breadcrumb":{"@id":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/emotet-malware-summary-epoch-4-5\/#breadcrumb"},"inLanguage":"ja","potentialAction":[{"@type":"ReadAction","target":["https:\/\/origin-unit42.paloaltonetworks.com\/ja\/emotet-malware-summary-epoch-4-5\/"]}]},{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/emotet-malware-summary-epoch-4-5\/#primaryimage","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2024\/06\/05_Malware_Category_1920x900.jpg","contentUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2024\/06\/05_Malware_Category_1920x900.jpg","width":1920,"height":900,"caption":"A close-up view of a computer screen displaying lines of code in red and pink shades, highlighting a central circular warning icon with a 
biohazard symbol. The word 'DETECTED' is prominently displayed in the lower right corner, indicating a cybersecurity alert."},{"@type":"BreadcrumbList","@id":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/emotet-malware-summary-epoch-4-5\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/unit42.paloaltonetworks.com\/ja\/"},{"@type":"ListItem","position":2,"name":"Emotet\u306e\u6982\u8981: 2021\u5e7411\u6708\uff5e2022\u5e741\u6708"}]},{"@type":"WebSite","@id":"https:\/\/unit42.paloaltonetworks.com\/#website","url":"https:\/\/unit42.paloaltonetworks.com\/","name":"Unit 42","description":"Palo Alto Networks","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/unit42.paloaltonetworks.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"ja"},{"@type":"Person","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/66a2d5ad3475220e098802b8b82a6b5b","name":"Brad Duncan","image":{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/image\/4408571da084e452077209da810f700c","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/09\/Duncan-bio-picture-1-copy-150x150.jpg","contentUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2017\/09\/Duncan-bio-picture-1-copy-150x150.jpg","caption":"Brad 
Duncan"},"url":"https:\/\/unit42.paloaltonetworks.com\/ja\/author\/bduncan\/"}]}},"_links":{"self":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/123079","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/users\/35"}],"replies":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/comments?post=123079"}],"version-history":[{"count":7,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/123079\/revisions"}],"predecessor-version":[{"id":123086,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/123079\/revisions\/123086"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/media\/134330"}],"wp:attachment":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/media?parent=123079"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/categories?post=123079"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/tags?post=123079"},{"taxonomy":"product_categories","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/product_categories?post=123079"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/coauthors?post=123079"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
