A Blog of One-Sided Ramblings

Set sail, then regret it immediately

A look at the network destinations of #Emotet samples uploaded to any.run

Good evening. This is Hashidai.

As practice for maldoc analysis, I looked into the network destinations contacted by Emotet samples uploaded to any.run, so I am writing up what I found here.

I examined the .doc samples that had been uploaded on the morning of 11/29 (JST).

https[://]app[.]any[.]run/tasks/74719cfc-67b6-455c-89aa-34bdb3a41dc3/

md5: c404bf981ea5909a508b3ff9269e0986

https[://]app[.]any[.]run/tasks/56d3cc78-3a38-4f8c-9b1a-533e7d4492bb/

md5: 172a64f1ca46e3a8a779821c0561ef50

https[://]app[.]any[.]run/tasks/83add37f-0198-46d5-823a-45d1e9f9ac01/

md5: 7ee69ba54f45faf416687c01a95f0192

https[://]app[.]any[.]run/tasks/83add37f-0198-46d5-823a-45d1e9f9ac01/

md5: 404b834f271885bb15d23658ba1b2179

I plan to write another post once I have done more investigation. That's all for now.