{"id":105532,"date":"2015-03-19T12:00:37","date_gmt":"2015-03-19T19:00:37","guid":{"rendered":"https:\/\/unit42.paloaltonetworks.com\/?p=105532"},"modified":"2022-03-24T21:48:02","modified_gmt":"2022-03-25T04:48:02","slug":"findpos-new-pos-malware-family-discovered","status":"publish","type":"post","link":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/findpos-new-pos-malware-family-discovered\/","title":{"rendered":"FindPOS: New POS Malware Family Discovered"},"content":{"rendered":"<h2><a id=\"post-105532-\u30ea\u30b5\u30fc\u30c1\u30bb\u30f3\u30bf\u30fc\u30d6\u30ed\u30b0-findpos-\u65b0\u305f\u306apos\u30de\u30eb\u30a6\u30a7\u30a2\u3092\u691c\u51fa\"><\/a>Summary<\/h2>\n
<p>Unit 42 has discovered a new family of point-of-sale (POS) malware. It comprises several variants, the oldest of which was compiled in November 2014. Based on a string found in every variant, we have named the malware \"FindPOS\" and have spent the past several weeks analyzing it.<\/p>\n
<p>The malware is not especially sophisticated, but the number of variants shows it spreading in much the same way as <a href=\"https:\/\/www.trustwave.com\/Resources\/SpiderLabs-Blog\/Alina--Following-The-Shadow-Part-1\/\">Alina<\/a> and <a href=\"https:\/\/www.trustwave.com\/Resources\/SpiderLabs-Blog\/Backoff---Technical-Analysis\/\">Backoff<\/a>. FindPOS should clearly be considered a serious threat to Microsoft Windows POS vendors, and steps should be taken to ensure adequate protection against it.<\/p>\n
<h3>Workflow<\/h3>\n
<p>The malware collects <a href=\"https:\/\/en.wikipedia.org\/wiki\/Magnetic_stripe_card\">track data<\/a> by scraping memory and can exfiltrate whatever it finds via HTTP POST requests. Some variants also log keystrokes. Although the malware reuses many techniques seen in earlier POS-targeting malware, its spread and continued development make it a threat to anyone operating Windows-based POS terminals.<\/p>\n
<p>The general workflow of the FindPOS malware is as follows.<\/p>\n
<p><img width=\"1604\" height=\"880\"  class=\"wp-image-105533 aligncenter lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/03\/word-image-68.png\" \/><\/p>\n
<h3>Evolution<\/h3>\n
<p>Over the course of the investigation we identified nine FindPOS variants in total. Based on their compile timestamps, the variants form the following timeline.<\/p>\n
<p><img width=\"717\" height=\"582\"  class=\"wp-image-105535 aligncenter lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/03\/word-image-69.png\" \/><\/p>\n
<p>The specific functional changes between versions break down as follows.<\/p>\n
<h4><strong>Version 2.1<\/strong><\/h4>\n<ul>\n<li>Hashing algorithm changed to use the following information:\n<ul>\n<li>Volume serial number<\/li>\n<li>Networking adapter (IPv4 only)<\/li>\n<\/ul>\n<\/li>\n<li>Added the \"uinfo\" POST parameter<\/li>\n<\/ul>\n
<h4><strong>Version 5.57<\/strong><\/h4>\n<ul>\n<li>Added the ability to terminate a previously installed FindPOS instance during installation<\/li>\n<li>Installation code cleaned up<\/li>\n<li>Main thread set to lowest priority<\/li>\n<li>Added memory scraping checks:\n<ul>\n<li>Expiration year must be in the range 2014 to 2030<\/li>\n<li>Expiration month must be in the range 1 to 12<\/li>\n<li>Service code must be either \"101\" or \"201\"<\/li>\n<\/ul>\n<\/li>\n<li>Added file download\/execute capability<\/li>\n<li>Removed the \"Cookie: income=1\" HTTP header<\/li>\n<li>Added a User-Agent HTTP header<\/li>\n<\/ul>\n
<h4><strong>Version 5.80<\/strong><\/h4>\n<ul>\n<li>Modified memory scraping checks:\n<ul>\n<li>Expiration year must not exceed 2030 (no lower-bound check)<\/li>\n<li>Expiration month must not exceed 12 (no lower-bound check)<\/li>\n<\/ul>\n<\/li>\n<li>Hardened the domain\/URI construction code<\/li>\n<\/ul>\n
<h4><strong>Version 5.90<\/strong><\/h4>\n<ul>\n<li>Added keylogging capability<\/li>\n<\/ul>\n
<h4><strong>Version 6.0<\/strong><\/h4>\n<ul>\n<li>No significant changes<\/li>\n<\/ul>\n
<h4><strong>Version 6.02<\/strong><\/h4>\n<ul>\n<li>Minor changes to the exfiltration routine<\/li>\n<\/ul>\n
<h4><strong>Version 6.03<\/strong><\/h4>\n<ul>\n<li>No significant changes<\/li>\n<\/ul>\n
<h4><strong>Version 6.04<\/strong><\/h4>\n<ul>\n<li>Minor change to the exfiltration sleep timer<\/li>\n<\/ul>\n
<p>The timeline shows very active development early on, followed by only minimal changes. Those later changes were most likely made for performance reasons or to fix bugs.<\/p>\n
<h3>Installation<\/h3>\n
<p>When FindPOS starts executing, it generates an executable file name of eight lowercase letters (for example, abodeign.exe). The name is derived from the following system information:<\/p>\n
<ul>\n<li>Volume serial number of C:\\<\/li>\n<li>SystemBiosDate<\/li>\n<li>VideoBiosDate<\/li>\n<li>CPU identifier<\/li>\n<li>Microsoft Windows product ID<\/li>\n<\/ul>\n
<p>Deriving the name from these values keeps it consistent across executions on the same machine, which is what lets the malware recognize its own installed copy. Note that the hashing algorithm was changed in version 2.1; see the \"Evolution\" section above for details.<\/p>\n
<p>The generated name is then compared with the file name of the executable currently running. If the names do not match, the malware proceeds to run its installation routine.<\/p>\n
<p>FindPOS begins by copying itself, under the generated name, to each of the following locations:<\/p>\n
<ul>\n<li>%SystemRoot%\\System32\\[name].exe<\/li>\n<li>%USERPROFILE%\\[name].exe<\/li>\n<\/ul>\n
<p>Once the file copies succeed, the malware writes the following registry keys:<\/p>\n
<ul>\n<li>HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run [name] : %SystemRoot%\\System32\\[name].exe<\/li>\n<li>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run [name] : %USERPROFILE%\\[name].exe<\/li>\n<\/ul>\n
<p>The malware then starts a new instance of %SystemRoot%\\System32\\[name].exe via a call to <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms682425(v=vs.85).aspx\">CreateProcessA<\/a>. If this succeeds, it runs the following command before exiting, which deletes the original executable:<\/p>\n
<p style=\"padding-left: 40px;\"><em>cmd.exe \/c del [path to original executable] &gt;&gt; NUL<\/em><\/p>\n
<p>If the CreateProcessA call for %SystemRoot%\\System32\\[name].exe fails, FindPOS tries to start a new instance of %USERPROFILE%\\[name].exe instead. Should that succeed, it attempts to delete the original executable using the same technique.<\/p>\n
<p>When installation completes, FindPOS creates a global mutex to ensure that only one instance of FindPOS is running. The mutex is named:<\/p>\n
<ul>\n<li>WIN_[hex]<\/li>\n<\/ul>\n
<p>[hex] is a 16-character uppercase hexadecimal string, generated with the same technique used to produce the executable file name during installation.<\/p>\n
<p>Once the mutex has been created, FindPOS begins scraping memory and, in variants that support it, logging keystrokes.<\/p>\n
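<p>The installation routine above leaves a predictable footprint: two copies of an eight-lowercase-letter executable, a Run value in each of HKLM and HKCU named after that file and pointing at it, and a WIN_ mutex with 16 uppercase hex digits. The Python script below is an added example for hunting that footprint in registry and mutex data already collected from a host; it is not code from this write-up or from the malware. The Run entries and mutex names it runs over are constructed, and accepting expanded C:\\Windows and C:\\Users\\&lt;user&gt; paths alongside the unexpanded environment variables is an assumption about a default layout.<\/p>\n

```python
r"""Hunt for FindPOS-style persistence artifacts in Run-key and mutex data.

Added example (not code from the Unit 42 write-up or from the malware).
It encodes the installation behaviour described in the analysis: an
executable name of eight lowercase letters, copied to
%SystemRoot%\System32\<name>.exe and %USERPROFILE%\<name>.exe, a Run value
under both HKLM and HKCU whose name equals the file's base name, and a
global mutex named WIN_ followed by sixteen upper-case hex digits. The
Run entries and mutex names below are constructed for illustration;
collecting them from a live host (winreg, a triage tool's export) is left
to the caller.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

NAME_RE = re.compile(r"^[a-z]{8}$")
MUTEX_RE = re.compile(r"^WIN_[0-9A-F]{16}$")
# Install locations named in the write-up, accepted with the environment
# variable unexpanded or expanded to a default C:\Windows / C:\Users\<user>
# layout (the expanded forms are an assumption).
SYSTEM32_RE = re.compile(
    r"^(?:%SystemRoot%|[A-Za-z]:\\Windows)\\System32\\([a-z]{8})\.exe$", re.IGNORECASE)
PROFILE_RE = re.compile(
    r"^(?:%USERPROFILE%|[A-Za-z]:\\Users\\[^\\]+)\\([a-z]{8})\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class RunEntry:
    hive: str  # "HKLM" or "HKCU"
    name: str  # value name under ...\CurrentVersion\Run
    data: str  # value data (the command line that is started)


def classify_run_entry(entry: RunEntry) -> Optional[str]:
    """Return a finding if the Run value follows FindPOS's install pattern.

    FindPOS writes the HKLM value pointing into System32 and the HKCU value
    pointing into the user profile, and names the value after the file.
    """
    if not NAME_RE.match(entry.name):
        return None
    path_re = SYSTEM32_RE if entry.hive == "HKLM" else PROFILE_RE
    m = path_re.match(entry.data.strip().strip('"'))
    if m is None or m.group(1) != entry.name:
        return None
    return f"{entry.hive} Run value {entry.name!r} starts {entry.data}"


def hunt(entries: List[RunEntry], mutexes: List[str]) -> List[str]:
    """Run the checks over collected Run entries and mutex names."""
    findings: List[str] = []
    hives_by_name: Dict[str, Set[str]] = {}
    for entry in entries:
        reason = classify_run_entry(entry)
        if reason:
            findings.append(reason)
            hives_by_name.setdefault(entry.name, set()).add(entry.hive)
    # The installer writes both keys, so a name present in both hives is the
    # strongest registry signal; a single hit may still be a legitimate program.
    for name, hives in hives_by_name.items():
        if {"HKLM", "HKCU"} <= hives:
            findings.append(f"{name!r} is registered in both HKLM and HKCU Run keys")
    for mutex in mutexes:
        if MUTEX_RE.match(mutex):
            findings.append(f"mutex {mutex} matches the WIN_<16 hex> pattern")
    return findings


# Constructed sample data (not taken from a real host).
SAMPLE_RUN_ENTRIES = [
    RunEntry("HKLM", "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    RunEntry("HKLM", "abodeign", r"C:\Windows\System32\abodeign.exe"),
    RunEntry("HKCU", "abodeign", r"C:\Users\josh\abodeign.exe"),
    RunEntry("HKCU", "OneDrive", r"C:\Users\josh\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    RunEntry("HKCU", "updater1", r"C:\Users\josh\updater1.exe"),  # contains a digit: not a FindPOS name
    RunEntry("HKCU", "kwzlqpra", r"C:\Users\josh\AppData\Roaming\kwzlqpra.exe"),  # right name, wrong directory
]
SAMPLE_MUTEXES = ["WIN_3F0A9C1D7B2E4F60", r"Local\MSCTF.Asm.MutexDefault1", "WIN_notahexstring"]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_RUN_ENTRIES, SAMPLE_MUTEXES):
        print(finding)
```

<p>On the constructed data the script reports the two abodeign Run values, the fact that the same name appears in both hives, and the WIN_ mutex, while ignoring the eight-letter name that lives outside the two install directories. Eight lowercase letters alone is a weak indicator, so the name-equals-file check and the both-hives check are what keep the false-positive rate down; the mutex pattern is best confirmed with a handle listing from the running system.<\/p>\n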
<h3>Memory Scraping<\/h3>\n
<p>Memory scraping is a technique found in the large majority of POS malware discovered to date. The concept is simple: read the memory of processes running on the POS terminal and search it for track data. On a POS terminal, card payment data may sit unencrypted in memory for a brief moment before it is encrypted and transmitted, and the attacker exploits that narrow window to look for track data.<\/p>\n
<p>One common way to improve a memory scraper's performance is to blacklist frequently seen process names such as explorer.exe, lsass.exe and csrss.exe. Other malware takes a whitelist approach and targets specific process names. FindPOS, however, takes an entirely new approach. Via calls to <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms682629(v=vs.85).aspx\">EnumProcesses<\/a>, <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms684320(v=vs.85).aspx\">OpenProcess<\/a>, <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa446671(v=vs.85).aspx\">GetTokenInformation<\/a> and <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa379166(v=vs.85).aspx\">LookupAccountSid<\/a>, the malware determines the owner of each process on the system and compares the owner against the string \"NT AUTHORITY\". This lets it skip every process running as the system or as a service, so that only processes running under a user account are scraped. In the following example, all processes are skipped except \"dwm.exe\" and several instances of \"conhost.exe\".<\/p>\n
<p><img width=\"1065\" height=\"783\"  class=\"wp-image-105537 aligncenter lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/03\/word-image-70.png\" \/><\/p>\n
<p style=\"text-align: center;\"><em><span style=\"font-size: 10pt;\">Figure 1: Example of running processes<\/span><\/em><\/p>\n
<p>For any process that is not skipped, memory is scraped via calls to <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa366907(v=vs.85).aspx\">VirtualQueryEx<\/a> and <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms680553(v=vs.85).aspx\">ReadProcessMemory<\/a>. This is the very common approach found in nearly every memory scraper.<\/p>\n
<p><img width=\"1149\" height=\"993\"  class=\"wp-image-105539 aligncenter lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/03\/word-image-11.jpeg\" \/><\/p>\n
<p>Once the data has been read, FindPOS begins searching it for track data. Starting with version 5.57, it also performs checks on fields found within the track data. For example, from version 5.57 onward it ignores any track data whose expiration date falls outside the range July 2014 to December 2030, so that expired card data is not collected.<\/p>\n
<p>It also pays particular attention to the service code that appears in the captured track data. The service code is a three-digit number describing the type of card that was swiped through the reader. In the samples examined here, only cards with the following options set are collected:<\/p>\n
<p><strong>Digit 1<\/strong> \u2013 \"International interchange OK\" or \"International interchange, use IC (chip) where feasible\"<\/p>\n
<p><strong>Digit 2<\/strong> \u2013 \"Normal\"<\/p>\n
<p><strong>Digit 3<\/strong> \u2013 \"No restrictions\"<\/p>\n
<p>Adding these restrictions lets the malware ignore cards that are of no value to the attacker, such as gift cards, debit cards and test cards.<\/p>\n
<p>Captured track data is held in memory and later exfiltrated in the \"data\" POST parameter.<\/p>\n
<h3>Keylogging<\/h3>\n
<p>Starting with version 5.90, the FindPOS family gained keylogging capability. Many magnetic card readers emulate a keyboard device, which is why a number of POS malware families include a keylogger. Beyond collecting track data, keylogging also lets the attacker harvest sensitive information such as usernames and passwords typed on the compromised machine.<\/p>\n
<p>To do this, FindPOS creates a new thread that performs the keylogging. It uses the common technique of creating a new blank window, registering itself as a <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms645600(v=vs.85).aspx\">raw input device<\/a>, and calling the <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms645596(v=vs.85).aspx\">GetRawInputData<\/a> API.<\/p>\n
<p><img width=\"1386\" height=\"1360\"  class=\"wp-image-105541 aligncenter lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/03\/word-image-71.png\" \/><\/p>\n
<p>Keystrokes are held in memory and later exfiltrated in the \"logs\" POST parameter.<\/p>\n
<h3>Exfiltration<\/h3>\n
<p>FindPOS exfiltrates data via HTTP POST requests. Each sample is configured with several hard-coded domains, which in most cases differ between FindPOS variants. An HTTP POST request is made every 120 seconds (2 minutes); if any data such as track data or keystrokes has been collected, it is included in the request. An example request from version 5.80 is shown below.<\/p>\n
<p><img width=\"875\" height=\"391\"  class=\"wp-image-105543 aligncenter lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/03\/word-image-72.png\" \/><\/p>\n
<p>As the example shows, each request carries several POST variables.<\/p>\n
<p><img width=\"891\" height=\"210\"  class=\"wp-image-105545 aligncenter lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/03\/word-image-73.png\" \/><\/p>\n
<p>The \"uinfo\" parameter is plain Base64; for this sample it decodes to a computer name and user account:<\/p>\n
<p style=\"padding-left: 40px;\"><span style=\"font-family: 'courier new', courier, monospace;\"><em>&gt;&gt;&gt; import base64<br \/>&gt;&gt;&gt; base64.b64decode('Sk9TSC1QQyBAIGpvc2gtUENcam9zaA==').decode()<br \/>'JOSH-PC @ josh-PC\\\\josh'<\/em><\/span><\/p>\n
<p>Keystroke data and track data are obfuscated with a combination of Base64 encoding and single-byte XOR (key 0x2a). They can be decoded as follows (Python 3):<\/p>\n
<p style=\"padding-left: 40px;\"><span style=\"font-family: 'courier new', courier, monospace;\"><em>&gt;&gt;&gt; import base64<br \/>&gt;&gt;&gt; raw = ''<br \/>&gt;&gt;&gt; for b in base64.b64decode('HxkaGxgfGhodGhoaGhsTGxcbHxoSGxobGhMbGBkeHxwdEhMaGxU='):<br \/>...&nbsp;&nbsp;&nbsp;&nbsp; raw += chr(b ^ 0x2a)<br \/>...<br \/>&gt;&gt;&gt; print(raw)<br \/>5301250070000191=15081010912345678901?<\/em><\/span><\/p>\n
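<p>The two decoders above, together with the track-data checks from the \"Memory Scraping\" section, are enough to triage a captured FindPOS POST body end to end. The Python below is an added example, not code from this write-up or from the malware: it decodes the \"uinfo\", \"data\" and \"logs\" parameters, splits the clear-text track data into Track 2 records, and applies the version 5.57 and 5.80 filters as the version list states them (year 2014 to 2030 and month 1 to 12 for 5.57, upper bounds only for 5.80, service code 101 or 201 for both). The Track 2 layout it parses (PAN, '=', YYMM expiration, three-digit service code, discretionary data, '?') is the standard magnetic-stripe format rather than something the analysis states, and the POST body it runs on is constructed: the \"uinfo\" and \"data\" values are the samples decoded above, the \"logs\" value is made up.<\/p>\n

```python
r"""Decode a FindPOS exfiltration body and apply its track-data filters.

Added example, not code from the Unit 42 write-up or from the malware.
Per the analysis: 'uinfo' is plain Base64; 'data' (track data) and 'logs'
(keystrokes) are Base64 over a single-byte XOR with key 0x2a; from version
5.57 the scraper keeps only track data with expiration year 2014-2030,
month 1-12 and service code 101 or 201, and version 5.80 dropped the two
lower bounds. The Track 2 layout parsed here is the standard magnetic
stripe format (an assumption, not stated on the page).
"""
import base64
import re
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode

XOR_KEY = 0x2A

# Track 2: optional ';' start sentinel, 12-19 digit PAN, '=', YYMM expiry,
# 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(
    r";?(?P<pan>\d{12,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})(?P<disc>\d*)\?")


def decode_xor_b64(value: str, key: int = XOR_KEY) -> str:
    """Base64-decode, then XOR every byte with the one-byte key."""
    return bytes(b ^ key for b in base64.b64decode(value)).decode("latin-1")


def encode_xor_b64(text: str, key: int = XOR_KEY) -> str:
    """Inverse of decode_xor_b64; used here only to build constructed sample data."""
    return base64.b64encode(bytes(ord(c) ^ key for c in text)).decode("ascii")


def decode_post_body(body: str) -> Dict[str, str]:
    """Decode the FindPOS POST parameters into clear text."""
    decoded: Dict[str, str] = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name == "uinfo":
            decoded[name] = base64.b64decode(values[0]).decode("latin-1")
        elif name in ("data", "logs"):
            decoded[name] = decode_xor_b64(values[0])
        else:
            decoded[name] = values[0]
    return decoded


def parse_track2(record: str) -> Optional[dict]:
    """Split one Track 2 record into its fields; None if it is not Track 2."""
    m = TRACK2_RE.fullmatch(record.strip())
    if m is None:
        return None
    return {"pan": m["pan"], "year": 2000 + int(m["yy"]), "month": int(m["mm"]),
            "service_code": m["svc"], "discretionary": m["disc"]}


def passes_filter(track: dict, version: str = "5.57") -> bool:
    """Mirror FindPOS's post-scrape filter for the two documented versions."""
    if track["service_code"] not in ("101", "201"):
        return False
    if version == "5.57":
        return 2014 <= track["year"] <= 2030 and 1 <= track["month"] <= 12
    # 5.80 and later: upper bounds only, so expired cards are no longer dropped
    return track["year"] <= 2030 and track["month"] <= 12


def triage(body: str, version: str = "5.57") -> dict:
    """Decode a POST body and report which track records the scraper would keep."""
    decoded = decode_post_body(body)
    tracks = [parse_track2(m.group(0)) for m in TRACK2_RE.finditer(decoded.get("data", ""))]
    return {
        "victim": decoded.get("uinfo"),
        "keystrokes": decoded.get("logs"),
        "tracks": tracks,
        "kept_by_scraper": [t for t in tracks if passes_filter(t, version)],
    }


# Constructed POST body: 'uinfo' and 'data' are the write-up's samples, 'logs' is made up.
SAMPLE_BODY = urlencode({
    "uinfo": "Sk9TSC1QQyBAIGpvc2gtUENcam9zaA==",
    "data": "HxkaGxgfGhodGhoaGhsTGxcbHxoSGxobGhMbGBkeHxwdEhMaGxU=",
    "logs": encode_xor_b64("josh\rPassword1\r"),
})

if __name__ == "__main__":
    result = triage(SAMPLE_BODY)
    print("victim:    ", result["victim"])
    print("keystrokes:", repr(result["keystrokes"]))
    for t in result["tracks"]:
        print("track:     ", t, "kept" if t in result["kept_by_scraper"] else "dropped")
```

<p>For the sample body the single track record (expiration 08\/2015, service code 101) passes the 5.57 filter. Feeding parse_track2 a record with an expiration such as 0113 shows the version difference: 5.57 drops it as expired, 5.80 keeps it. A record whose service code is anything other than 101 or 201 is dropped by both, which is why the gift, debit and test cards mentioned above never reach the exfiltration queue.<\/p>\n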
<p>In addition to exfiltration, FindPOS can download and execute further malware. After the exfiltration request is sent, if the server responds with a byte of 0x1 or 0x4 followed by a URL, the file at that URL is downloaded and then executed.<\/p>\n
<p>The file is downloaded to the temporary folder with the prefix \"BN\" added to its name, and is executed via a call to <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms682425(v=vs.85).aspx\">CreateProcessA<\/a>. If the download or the execution fails, the file is deleted from disk.<\/p>\n
<h3>Domain\/IP Address Information<\/h3>\n
<p>A total of 37 domains were identified during the FindPOS investigation, resolving to 13 unique IP addresses. Their geographic distribution is shown below; see the appendix for the complete list of domains.<\/p>\n
<p><img width=\"1275\" height=\"835\"  class=\"wp-image-105547 aligncenter lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/03\/word-image-74.png\" \/><\/p>\n
<p>The majority of the domains were registered with the following WHOIS information:<\/p>\n
<p style=\"padding-left: 40px;\"><em>Registrant Name: Julio Quinlan<br \/>Registrant Organization: NA<br \/>Registrant Street: 4516 Glory Road<br \/>Registrant City: Nashville<br \/>Registrant State\/Province: TN<br \/>Registrant Postal Code: 37204<br \/>Registrant Country: us<br \/>Registrant Phone: +01.9318135965<br \/>Registrant Phone Ext:<br \/>Registrant Fax: +01.9318135965<br \/>Registrant Fax Ext:<br \/>Registrant Email: <a href=\"mailto:barkmanueta@rambler.ru\">barkmanueta@rambler.ru<\/a><\/em><\/p>\n
<p>The registrant email varied slightly depending on which domain was queried. While the information above looks legitimate at first glance, it has been determined to be false.<\/p>\n
<h3>Related Samples \u2013 Keylogging\/LogMeIn Recon<\/h3>\n
<p>During the investigation we also found several similar samples. One of them is described below.<\/p>\n
<h4><strong>Version 8.3 \u2013 LogMeIn Recon \/ Keylogger<\/strong><\/h4>\n
<p><img width=\"740\" height=\"323\"  class=\"wp-image-105549 aligncenter lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/03\/word-image-75.png\" \/><\/p>\n
<p>This sample collects LogMeIn account information, logs keystrokes and mouse clicks, and periodically exfiltrates that data to a remote server. It shares a number of characteristics with the FindPOS samples described earlier, including the installation process, the URI scheme, the HTTP POST request format and the PDB string.<\/p>\n
<p>On execution the malware installs itself in the same way as FindPOS and creates a mutex using the technique described above. It then tries to determine whether LogMeIn Ignition is installed on the compromised machine by checking the following registry value:<\/p>\n
<p style=\"padding-left: 40px;\"><span style=\"font-family: 'courier new', courier, monospace;\"><em>HKCU\\Software\\LogMeIn Ignition\\[variable hash]\\Account : Email<\/em><\/span><\/p>\n
<p>Any email address it finds is exfiltrated using the same HTTP POST request seen in FindPOS, except that this sample sends it in the \"logs\" POST parameter rather than \"data\":<\/p>\n
<p><img width=\"876\" height=\"478\"  class=\"wp-image-105551 aligncenter lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/03\/word-image-76.png\" \/><\/p>\n
<p>The malware then begins logging keystrokes and mouse clicks, exfiltrating the collected data every 2 minutes.<\/p>\n
<p><img width=\"880\" height=\"548\"  class=\"wp-image-105553 aligncenter lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/03\/word-image-77.png\" \/><\/p>\n
<p>From POS terminals whose card readers emulate a keyboard device, this sample would capture track 
\u30c7\u30fc\u30bf\u3092\u30b9\u30af\u30ec\u30a4\u30d4\u30f3\u30b0\u3059\u308b\u305f\u3081\u306b\u4f7f\u7528\u3055\u308c\u305f\u53ef\u80fd\u6027\u3082\u3042\u308a\u307e\u3059\u304c\u3001\u3080\u3057\u308d\u3001\u3088\u308a\u591a\u304f\u306ePOS\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u306b\u30a2\u30af\u30bb\u30b9\u3059\u308b\u76ee\u7684\u3067\u4f7f\u308f\u308c\u305f\u53ef\u80fd\u6027\u306e\u307b\u3046\u304c\u9ad8\u3044\u306e\u3067\u306f\u306a\u3044\u304b\u3068\u79c1\u306f\u898b\u3066\u3044\u307e\u3059\u3002\u304a\u305d\u3089\u304f\u3053\u306e\u30b5\u30f3\u30d7\u30eb\u306f\u3001\u8907\u6570\u306ePO\uff33\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u3092\u7ba1\u7406\u3059\u308b\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u306b\u30c9\u30ed\u30c3\u30d7\u3055\u308c\u3001\u3053\u306e\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u304b\u3089\u53d6\u5f97\u3057\u305f\u60c5\u5831\u3092\u4f7f\u3063\u3066\u3001\u3053\u306e\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u306e\u7ba1\u7406\u5bfe\u8c61\u3068\u306a\u3063\u3066\u3044\u308bPOS\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u8a66\u307f\u305f\u306e\u3067\u306f\u306a\u3044\u3067\u3057\u3087\u3046\u304b\u3002<\/p>\n<p>\u307e\u305f\u3001\u3082\u30461\u3064\u8208\u5473\u6df1\u3044\u306e\u306f\u3001\u3053\u306e\u30b5\u30f3\u30d7\u30eb\u306e\u30b3\u30f3\u30d1\u30a4\u30eb 
\u30bf\u30a4\u30e0\u30b9\u30bf\u30f3\u30d7\u304c\u30ad\u30fc\u30ed\u30ae\u30f3\u30b0\u6a5f\u80fd\u306e\u5c0e\u5165(\u30d0\u30fc\u30b8\u30e7\u30f35.90)\u306e\u304a\u3088\u305d2\u9031\u9593\u5f8c\u3067\u3042\u308b\u3053\u3068\u3067\u3059\u3002\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u958b\u767a\u8005\u304c\u65b0\u3057\u3044\u624b\u53e3\u3092\u30ec\u30d1\u30fc\u30c8\u30ea\u30fc\u306b\u52a0\u3048\u305f\u6642\u671f\u3068\u3061\u3087\u3046\u3069\u4e00\u81f4\u3059\u308b\u306e\u3067\u3059\u3002<\/p>\n<h2>\u7d50\u8ad6<\/h2>\n<p>\u5168\u4f53\u7684\u306b\u898b\u3066\u3001FindPOS\u306f\u305d\u308c\u307b\u3069\u5de7\u5999\u306a\u3082\u306e\u3067\u306f\u3042\u308a\u307e\u305b\u3093\u3002\u5de7\u5999\u306a\u30b3\u30de\u30f3\u30c9 \u30a2\u30f3\u30c9 \u30b3\u30f3\u30c8\u30ed\u30fc\u30eb\u69cb\u9020\u3001\u5f37\u529b\u306a\u6697\u53f7\u5316\u3001\u691c\u51fa\u3057\u305f\u3042\u3089\u3086\u308b\u30c7\u30fc\u30bf\u306b\u5bfe\u3059\u308b<a href=\"https:\/\/en.wikipedia.org\/wiki\/Luhn_algorithm\">luhn<\/a>\u30c1\u30a7\u30c3\u30af\u306e\u5b9f\u884c\u306a\u3069\u3001\u3053\u308c\u307e\u3067\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306b\u898b\u3089\u308c\u305f\u3044\u304f\u3064\u304b\u306e\u6a5f\u80fd\u306f\u4f7f\u7528\u3055\u308c\u3066\u3044\u307e\u305b\u3093\u3002\u307e\u305f\u3001\u3053\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u9032\u5316\u306e\u72b6\u6cc1\u304b\u3089\u3001\u3053\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u304c\u4e00\u304b\u3089\u958b\u767a\u3055\u308c\u305f\u3089\u3057\u3044\u3053\u3068\u304c\u7aba\u3048\u307e\u3059\u3002\u3053\u308c\u307e\u3067\u306b\u691c\u51fa\u3055\u308c\u305f\u30de\u30eb\u30a6\u30a7\u30a2\u3068\u308f\u305a\u304b\u306a\u985e\u4f3c\u70b9\u306f\u3042\u308b\u3082\u306e\u306e\u3001FindPOS\u306f\u307e\u3063\u305f\u304f\u65b0\u3057\u3044\u30de\u30eb\u30a6\u30a7\u30a2\u3067\u3042\u308b\u3068\u79c1\u305f\u3061\u306f\u78ba\u4fe1\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u3053\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306f\u683c\u6bb5\u306b\u5de7\u5999\u306a\u3082\u306e\u3
067\u306f\u3042\u308a\u307e\u305b\u3093\u304c\u3001\u591a\u6570\u306e\u5909\u7a2e\u304c<a href=\"https:\/\/www.trustwave.com\/Resources\/SpiderLabs-Blog\/Alina--Following-The-Shadow-Part-1\/\">Alina<\/a>\u3084<a href=\"https:\/\/www.trustwave.com\/Resources\/SpiderLabs-Blog\/Backoff---Technical-Analysis\/\">Backoff<\/a>\u306a\u3069\u306e\u30d5\u30a1\u30df\u30ea\u30fc\u3068\u540c\u69d8\u306b\u307e\u3093\u5ef6\u3057\u3066\u3044\u307e\u3059\u3002FindPOS\u306f\u660e\u3089\u304b\u306bMicrosoft Windows POS\u30d9\u30f3\u30c0\u30fc\u306b\u5bfe\u3059\u308b\u5f37\u529b\u306a\u8105\u5a01\u3068\u898b\u306a\u3059\u3079\u304d\u3067\u3042\u308a\u3001\u78ba\u5b9f\u306a\u9632\u5fa1\u306e\u305f\u3081\u306e\u5bfe\u7b56\u3092\u3068\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n<p>\u5bfe\u7b56\u3068\u3057\u3066\u3001\u3042\u3089\u3086\u308b\u30ea\u30e2\u30fc\u30c8 \u30a2\u30af\u30bb\u30b9 \u30b5\u30fc\u30d3\u30b9(LogMeIn\u3001VNC\u3001RDP\u306a\u3069)\u306b\u5bfe\u3059\u308b2\u8981\u7d20\u8a8d\u8a3c\u306e\u69cb\u6210\u3001\u30a2\u30f3\u30c1\u30a6\u30a4\u30eb\u30b9\u306e\u78ba\u5b9f\u306a\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3068\u66f4\u65b0\u3001POS\u30c7\u30d0\u30a4\u30b9\u3067\u306eWeb\u53c2\u7167\u3084\u96fb\u5b50\u30e1\u30fc\u30eb 
\u30c1\u30a7\u30c3\u30af\u306a\u3069\u306e\u627f\u8a8d\u3055\u308c\u3066\u3044\u306a\u3044\u6a5f\u80fd\u306e\u4f7f\u7528\u7981\u6b62\u306a\u3069\u304c\u3042\u3052\u3089\u308c\u307e\u3059\u3002<\/p>\n<p>\u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u306e\u304a\u5ba2\u69d8\u306fWildFire\u306b\u3088\u3063\u3066\u4fdd\u8b77\u3055\u308c\u307e\u3059\u3002WildFire\u306fFindPOS\u306e\u30b5\u30f3\u30d7\u30eb\u3092\u81ea\u52d5\u7684\u306b\u30de\u30eb\u30a6\u30a7\u30a2\u3068\u3057\u3066\u5206\u985e\u3057\u307e\u3059\u3002\u307e\u305f\u3001\u79c1\u305f\u3061\u304c\u691c\u51fa\u3057\u305f\u3001\u3053\u308c\u3089\u653b\u6483\u306b\u95a2\u9023\u3059\u308b\u30a4\u30f3\u30b8\u30b1\u30fc\u30bf\u304cPANDB\u304a\u3088\u3073\u30a2\u30f3\u30c1\u30de\u30eb\u30a6\u30a7\u30a2\u9632\u5fa1\u30b7\u30b9\u30c6\u30e0\u306b\u8ffd\u52a0\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<h2>\u4ed8\u9332<\/h2>\n<h3>\u30b5\u30f3\u30d7\u30eb\u60c5\u5831<\/h3>\n<h4><strong>\u30d0\u30fc\u30b8\u30e7\u30f32.0<\/strong><\/h4>\n<p><img width=\"954\" height=\"262\"  class=\"wp-image-105555 aligncenter lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/03\/word-image-78.png\" \/><\/p>\n<h4><strong>\u30d0\u30fc\u30b8\u30e7\u30f32.1<\/strong><\/h4>\n<p><img width=\"956\" height=\"281\"  class=\"wp-image-105557 aligncenter lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/03\/word-image-79.png\" \/><\/p>\n<h4><strong>\u30d0\u30fc\u30b8\u30e7\u30f35.57<\/strong><\/h4>\n<p><img width=\"956\" height=\"283\"  class=\"wp-image-105559 aligncenter lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/03\/word-image-80.png\" \/><\/p>\n<h4><strong>\u30d0\u30fc\u30b8\u30e7\u30f35.80<\/strong><\/h4>\n<p><img width=\"957\" height=\"325\"  class=\"wp-image-105561 aligncenter lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/03\/word-image-81.png\" 
\/><\/p>\n<h4><strong>Version 5.90<\/strong><\/h4>\n<p><img width=\"953\" height=\"419\"  class=\"wp-image-105563 aligncenter lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/03\/word-image-82.png\" \/> <img width=\"955\" height=\"418\"  class=\"wp-image-105565 aligncenter lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/03\/word-image-83.png\" \/><\/p>\n<h4><strong>Version 6.0<\/strong><\/h4>\n<p><img width=\"954\" height=\"371\"  class=\"wp-image-105567 aligncenter lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/03\/word-image-84.png\" \/> <img width=\"954\" height=\"370\"  class=\"wp-image-105569 aligncenter lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/03\/word-image-85.png\" \/><\/p>\n<h4><strong>Version 6.02<\/strong><\/h4>\n<p><img width=\"953\" height=\"324\"  class=\"wp-image-105571 aligncenter lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/03\/word-image-86.png\" \/><\/p>\n<h4><strong>Version 6.03<\/strong><\/h4>\n<p><img width=\"957\" height=\"371\"  class=\"wp-image-105573 aligncenter lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/03\/word-image-87.png\" \/><\/p>\n<h4><strong>Version 6.04<\/strong><\/h4>\n<p><img width=\"955\" height=\"322\"  class=\"wp-image-105575 aligncenter lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/03\/word-image-88.png\" \/> <img width=\"953\" height=\"346\"  class=\"wp-image-105577 aligncenter lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/03\/word-image-89.png\" \/><\/p>\n<h4>YARA Rule<\/h4>\n<pre class=\"lang:default decode:true \">import \"cuckoo\"\r\n\r\nrule findpos\r\n{\r\n\tmeta:\r\n\t\tdescription = \"FindPOS is a newly discovered POS family.\"\r\n\t\tcategory = \"Point of Sale\"\r\n\t\tauthor = \"Josh Grunzweig\"\r\n\r\n\tstrings:\r\n\t\t$s1 = \"oprat=2&amp;uid=%I64u&amp;uinfo=%s&amp;win=%d.%d&amp;vers=%s\" nocase wide ascii\r\n\r\n\t\t$pdb1 = \"H:\\\\Work\\\\Current\\\\FindStr\\\\Release\\\\FindStr.pdb\" nocase wide ascii\r\n\t\t$pdb2 = \"H:\\\\Work\\\\FindStrX\\\\Release\\\\FindStr.pdb\" nocase wide ascii\r\n\t\t$pdb3 = \"H:\\\\Work\\\\Current\\\\KeyLogger\\\\Release\\\\KeyLogger.pdb\" nocase wide ascii\r\n\r\n\tcondition:\r\n\t\tany of ($s*) or\r\n\t\tany of ($pdb*) or\r\n\t\t(\r\n\t\t\tcuckoo.sync.mutex(\/WIN_[a-fA-F0-9]{16}\/) and\r\n\t\t\tcuckoo.registry.key_access(\/\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\/) and\r\n\t\t\t(\r\n\t\t\t\tcuckoo.filesystem.file_access(\/C\\:\\\\WINDOWS\\\\System32\\\\\\w{8}\\.exe\/) or\r\n\t\t\t\tcuckoo.filesystem.file_access(\/C\\:\\\\Documents\\ and\\ Settings\\\\[^\\\\]+\\\\\\w{8}\\.exe\/)\r\n\t\t\t)\r\n\t\t)\r\n}\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Overview Unit 42 has identified a new POS (point-of-sale) malware family. It includes multiple variants, the oldest of which was created in November 2014. Based on a string found uniformly across the variants, we named this malware \u201cF<\/p>\n","protected":false},"author":21,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[4321,1974,4428],"tags":[8070,5547,7905,4637],"product_categories":[4340,4444],"coauthors":[933],"class_list":["post-105532","post","type-post","status-publish","format-standard","hentry","category-threat-research","category-malware-ja","category-threat-research-ja","tag-findpos","tag-microsoft-ja","tag-point-of-sale-ja","tag-windows-ja","product_categories-advanced-wildfire","product_categories-advanced-wildfire-ja"],"yoast_head_json":{"title":"FindPOS \u65b0\u305f\u306aPOS\u30de\u30eb\u30a6\u30a7\u30a2\u3092\u691c\u51fa","description":"\u6982\u8981 Unit","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/unit42.paloaltonetworks.com\/ja\/findpos-new-pos-malware-family-discovered\/","og_locale":"ja_JP","og_type":"article","og_title":"FindPOS \u65b0\u305f\u306aPOS\u30de\u30eb\u30a6\u30a7\u30a2\u3092\u691c\u51fa","og_description":"\u6982\u8981 Unit","og_url":"https:\/\/unit42.paloaltonetworks.com\/ja\/findpos-new-pos-malware-family-discovered\/","og_site_name":"Unit 42","article_published_time":"2015-03-19T19:00:37+00:00","article_modified_time":"2022-03-25T04:48:02+00:00","og_image":[{"url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/03\/word-image-68.png","type":"","width":"","height":""}],"author":"Josh 
Grunzweig","twitter_card":"summary_large_image","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/findpos-new-pos-malware-family-discovered\/#article","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/findpos-new-pos-malware-family-discovered\/"},"author":{"name":"Josh Grunzweig","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/946b9392c26b4a1a91f6e4eeb2889600"},"headline":"FindPOS \u65b0\u305f\u306aPOS\u30de\u30eb\u30a6\u30a7\u30a2\u3092\u691c\u51fa","datePublished":"2015-03-19T19:00:37+00:00","dateModified":"2022-03-25T04:48:02+00:00","mainEntityOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/findpos-new-pos-malware-family-discovered\/"},"wordCount":251,"commentCount":0,"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/findpos-new-pos-malware-family-discovered\/#primaryimage"},"thumbnailUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/03\/word-image-68.png","keywords":["FindPOS","Microsoft","Point of Sale","Windows"],"articleSection":["Threat Research","\u30de\u30eb\u30a6\u30a7\u30a2","\u8105\u5a01\u30ea\u30b5\u30fc\u30c1"],"inLanguage":"ja","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/unit42.paloaltonetworks.com\/ja\/findpos-new-pos-malware-family-discovered\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/findpos-new-pos-malware-family-discovered\/","url":"https:\/\/unit42.paloaltonetworks.com\/ja\/findpos-new-pos-malware-family-discovered\/","name":"FindPOS 
\u65b0\u305f\u306aPOS\u30de\u30eb\u30a6\u30a7\u30a2\u3092\u691c\u51fa","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/findpos-new-pos-malware-family-discovered\/#primaryimage"},"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/findpos-new-pos-malware-family-discovered\/#primaryimage"},"thumbnailUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/03\/word-image-68.png","datePublished":"2015-03-19T19:00:37+00:00","dateModified":"2022-03-25T04:48:02+00:00","author":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/946b9392c26b4a1a91f6e4eeb2889600"},"description":"\u6982\u8981 Unit","breadcrumb":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/findpos-new-pos-malware-family-discovered\/#breadcrumb"},"inLanguage":"ja","potentialAction":[{"@type":"ReadAction","target":["https:\/\/unit42.paloaltonetworks.com\/ja\/findpos-new-pos-malware-family-discovered\/"]}]},{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/findpos-new-pos-malware-family-discovered\/#primaryimage","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/03\/word-image-68.png","contentUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/03\/word-image-68.png"},{"@type":"BreadcrumbList","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/findpos-new-pos-malware-family-discovered\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/unit42.paloaltonetworks.com\/ja\/"},{"@type":"ListItem","position":2,"name":"FindPOS \u65b0\u305f\u306aPOS\u30de\u30eb\u30a6\u30a7\u30a2\u3092\u691c\u51fa"}]},{"@type":"WebSite","@id":"https:\/\/unit42.paloaltonetworks.com\/#website","url":"https:\/\/unit42.paloaltonetworks.com\/","name":"Unit 42","description":"Palo Alto 
Networks","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/unit42.paloaltonetworks.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"ja"},{"@type":"Person","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/946b9392c26b4a1a91f6e4eeb2889600","name":"Josh Grunzweig","image":{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/image\/9213e49ea48b7676660bac40d05c9e3e","url":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","contentUrl":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","caption":"Josh Grunzweig"},"url":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/author\/joshgruznweig\/"}]}}}