Emotet<\/a>\u306f\u60c5\u5831\u7a83\u53d6\u578b\u306e\u30de\u30eb\u30a6\u30a7\u30a2 (\u30a4\u30f3\u30d5\u30a9\u30b9\u30c6\u30a3\u30fc\u30e9) \u3067\u3001\u30d0\u30f3\u30ad\u30f3\u30b0\u30de\u30eb\u30a6\u30a7\u30a2\u3068\u3057\u30662014\u5e74\u306b\u6700\u521d\u306b\u5831\u544a\u3055\u308c\u307e\u3057\u305f<\/a>\u3002\u305d\u308c\u4ee5\u6765\u3001\u30c9\u30ed\u30c3\u30d1\u306a\u3069\u306e\u6a5f\u80fd\u3092\u8ffd\u52a0\u3057\u3066\u9032\u5316\u3092\u304b\u3055\u306d\u3001Gootkit<\/a>\u3001IcedID<\/a>\u3001Qakbot<\/a>\u3001Trickbot<\/a>\u306a\u3069\u3001\u307b\u304b\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u30d5\u30a1\u30df\u30ea\u3092\u914d\u5e03\u3059\u308b\u3088\u3046\u306b\u306a\u3063\u3066\u304d\u3066\u3044\u307e\u3059\u3002<\/p>\n \u4eca\u56de\u306e\u30d1\u30b1\u30c3\u30c8\u89e3\u6790\u8b1b\u5ea7\u3067\u306f\u3001Emotet\u306e\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3092\u78ba\u8a8d\u3057\u3001\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u5206\u6790\u304b\u3089\u672c\u30de\u30eb\u30a6\u30a7\u30a2\u3092\u7279\u5b9a\u3059\u308b\u306e\u306b\u5f79\u7acb\u3064\u30d2\u30f3\u30c8\u3092\u63d0\u4f9b\u3057\u3066\u3044\u304d\u307e\u3059\u3002<\/p>\n \u6ce8\u610f:<\/strong> \u672c\u30c1\u30e5\u30fc\u30c8\u30ea\u30a2\u30eb\u306f\u3001\u4ee5\u524d\u306e\u300eWireshark \u306b\u3088\u308b\u30d1\u30b1\u30c3\u30c8\u89e3\u6790\u8b1b\u5ea71: Wireshark\u306e\u8868\u793a\u5217\u3092\u30ab\u30b9\u30bf\u30de\u30a4\u30ba\u3059\u308b<\/a>\u300f\u3067\u8a2d\u5b9a\u3057\u305f\u30ab\u30b9\u30bf\u30de\u30a4\u30ba\u6e08\u307f\u306e\u5217\u8868\u793a\u3092\u4f7f\u3044\u307e\u3059\u3002\u307e\u305f\u3001\u672c\u30c1\u30e5\u30fc\u30c8\u30ea\u30a2\u30eb\u3067\u4f7f\u3046pcap\u30d5\u30a1\u30a4\u30eb\u306e\u5165\u3063\u305fZIP\u30a2\u30fc\u30ab\u30a4\u30d6<\/a>\u3092\u683c\u7d0d\u3057\u3066\u3044\u308bGithub\u30ea\u30dd\u30b8\u30c8\u30ea\u304b\u3089\u30b5\u30f3\u30d7\u30eb\u30d5\u30a1\u30a4\u30eb\u3092\u3042\u3089\u304b\u3058\u3081\u53d6\u5f97\u3057\u3066\u304a\u3044\u3066\u304f\u3060\u3055\u3044\u3002\u89e3\u51cd\u7528\u30d1\u30b9\u30ef\u30fc\u30c9\u306f\u300cinfected\u300d\u3067\u3059\u3002<\/p>\n \u6ce8\u610f: <\/strong>\u672c\u7a3f\u306e\u30c1\u30e5\u30fc\u30c8\u30ea\u30a2\u30eb\u306b\u5229\u7528\u3059\u308bpcap\u30d5\u30a1\u30a4\u30eb\u306fWindows\u3067\u52d5\u4f5c\u3059\u308b\u30de\u30eb\u30a6\u30a7\u30a2\u3092\u542b\u3093\u3067\u3044\u307e\u3059\u3002\u3057\u305f\u304c\u3063\u3066\u3001Windows\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u3092\u4f7f\u3063\u3066\u3044\u308b\u5834\u5408\u611f\u67d3\u30ea\u30b9\u30af\u304c\u3042\u308a\u307e\u3059\u3002\u3067\u304d\u308b\u304b\u304e\u308a BSD\u7cfb\u3001Linux\u7cfb\u3001macOS\u306a\u3069\u3001Windows\u74b0\u5883\u4ee5\u5916\u306e\u74b0\u5883\u3067pcap\u30d5\u30a1\u30a4\u30eb\u3092\u78ba\u8a8d\u3059\u308b\u3053\u3068\u3092\u304a\u52e7\u3081\u3057\u307e\u3059\u3002<\/p>\n Emotet\u306e\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3092\u7406\u89e3\u3059\u308b\u306b\u306f\u3001\u611f\u67d3\u306b\u3064\u306a\u304c\u308b\u4e00\u9023\u306e\u30a4\u30d9\u30f3\u30c8\u3092\u7406\u89e3\u3057\u3066\u304a\u304f\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002Emotet\u306f\u305f\u3044\u3066\u3044\u60aa\u610f\u306e\u3042\u308b\u30b9\u30d1\u30e0\uff08\u30de\u30eb\u30b9\u30d1\u30e0\uff09\u3092\u4ecb\u3057\u3066\u914d\u5e03\u3055\u308c\u3066\u304a\u308a\u3001\u8106\u5f31\u306aWindows\u30db\u30b9\u30c8\u306b\u611f\u67d3\u3059\u308b\u3088\u3046\u306b\u8a2d\u8a08\u3055\u308c\u305f\u30de\u30af\u30ed\u3092\u542b\u3080Microsoft Word\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8\u304c\u305d\u306e\u611f\u67d3\u30c1\u30a7\u30fc\u30f3\u306e\u91cd\u8981\u30b9\u30c6\u30c3\u30d7\u3068\u306a\u3063\u3066\u3044\u307e\u3059\u3002<\/p>\n Emotet\u3092\u62e1\u6563\u3055\u305b\u308b\u30de\u30eb\u30b9\u30d1\u30e0\u306f\u3055\u307e\u3056\u307e\u306a\u624b\u6cd5\u3067\u3053\u308c\u3089Word\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8\u3092\u914d\u5e03\u3057\u307e\u3059\u3002<\/p>\n \u30de\u30eb\u30b9\u30d1\u30e0\u306b\u306f\u3001\u6dfb\u4ed8\u30d5\u30a1\u30a4\u30eb\u3068\u3057\u3066Microsoft Word\u6587\u66f8\u304c\u542b\u307e\u308c\u3066\u3044\u308b\u5834\u5408\u3082\u3042\u308c\u3070\u3001Word\u6587\u66f8\u3092\u542b\u3080\u6dfb\u4ed8ZIP\u30a2\u30fc\u30ab\u30a4\u30d6\u304c\u542b\u307e\u308c\u3066\u3044\u308b\u5834\u5408\u3082\u3042\u308a\u307e\u3059\u3002\u3053\u3053\u6570\u30f6\u6708\u3067\u306f\u3001\u3053\u308c\u3089ZIP\u30a2\u30fc\u30ab\u30a4\u30d6\u304c\u30d1\u30b9\u30ef\u30fc\u30c9\u3067\u4fdd\u8b77\u3055\u308c\u3066\u3044\u308b\u4f8b\u304c\u8907\u6570\u89b3\u6e2c\u3055\u308c\u3066\u3044\u307e\u3059\u3002Emotet\u3092\u914d\u5e03\u3059\u308b\u96fb\u5b50\u30e1\u30fc\u30eb\u306e\u306a\u304b\u306b\u306f\u3001\u6dfb\u4ed8\u30d5\u30a1\u30a4\u30eb\u304c\u306a\u3044\u3082\u306e\u3082\u3042\u308a\u3001\u305d\u306e\u5834\u5408\u304b\u308f\u308a\u306bWord\u6587\u66f8\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3059\u308b\u30ea\u30f3\u30af\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n \u904e\u53bb\u6570\u5e74\u9593\u3001Emotet\u3092\u30d7\u30c3\u30b7\u30e5\u3059\u308b\u30de\u30eb\u30b9\u30d1\u30e0\u306f\u3001\u3053\u308c\u3089\u306eEmotet Word\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8\u3092\u914d\u4fe1\u3059\u308b\u76ee\u7684\u3067\u3001\u30ea\u30f3\u30af\u3092\u57cb\u3081\u8fbc\u3093\u3060PDF\u6dfb\u4ed8\u30d5\u30a1\u30a4\u30eb\u3082\u4f7f\u7528\u3057\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n \u56f32\u306b\u3053\u308c\u30894\u3064\u306e\u914d\u5e03\u624b\u6cd5\u3092\u793a\u3057\u307e\u3059\u3002<\/p>\n Word\u6587\u66f8\u306e\u914d\u4fe1\u5f8c\u3001\u88ab\u5bb3\u8005\u304c\u6587\u66f8\u3092\u958b\u304d\u3001\u8106\u5f31\u306aWindows\u30db\u30b9\u30c8\u4e0a\u3067\u30de\u30af\u30ed\u3092\u6709\u52b9\u306b\u3057\u305f\u5834\u5408\u3001\u305d\u306e\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u306fEmotet\u306b\u611f\u67d3\u3057\u307e\u3059\u3002<\/p>\n \u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306e\u89b3\u70b9\u3067\u307f\u308b\u3068\u3001Emotet\u7528Word\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8\u304b\u3089Emotet\u611f\u67d3\u3078\u3044\u305f\u308b\u30b9\u30c6\u30c3\u30d7\u306f\u6b21\u306e\u3088\u3046\u306a\u3082\u306e\u3067\u3042\u308b\u3053\u3068\u304c\u78ba\u8a8d\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n \u56f33\u306fEmotet\u3078\u306e\u611f\u67d3\u3067\u691c\u51fa\u3055\u308c\u308b\u3053\u3068\u306e\u3042\u308b\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3092\u30d5\u30ed\u30fc\u30c1\u30e3\u30fc\u30c8\u306b\u3057\u305f\u3082\u306e\u3067\u3059\u3002<\/p>\n 2020\u5e7412\u670821\u65e5\u4ee5\u964d\u3001Emotet\u306e\u521d\u671f\u30d0\u30a4\u30ca\u30ea\u306fWindowsDLL\u30d5\u30a1\u30a4\u30eb\u3067\u3057\u305f\u3002\u305d\u308c\u4ee5\u524d\u306e\u30d0\u30a4\u30ca\u30ea\u306fWindows \u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb (EXE) \u3067\u3057\u305f\u3002<\/p>\n Emotet\u306eC2\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306f\u3001HTTP\u3092\u4ecb\u3057\u3066\u9001\u4fe1\u3055\u308c\u308b\u30a8\u30f3\u30b3\u30fc\u30c9\u306a\u3044\u3057\u6697\u53f7\u5316\u3055\u308c\u305f\u30c7\u30fc\u30bf\u3067\u69cb\u6210\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u3053\u306eC2\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u306fHTTP\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306b\u95a2\u9023\u4ed8\u3051\u3089\u308c\u305f\u6a19\u6e96\u30fb\u975e\u6a19\u6e96\u306eTCP\u30dd\u30fc\u30c8\u3092\u4f7f\u3046\u3053\u3068\u304c\u3042\u308a\u307e\u3059\u3002\u3053\u306eC2\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u306f\u3053\u306e\u307b\u304b\u3001\u30c7\u30fc\u30bf\u6f0f\u51fa\u3084\u3001\u521d\u671fEmotet\u30d0\u30a4\u30ca\u30ea\u66f4\u65b0\u306e\u305f\u3081\u306e\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3067\u69cb\u6210\u3055\u308c\u3066\u3044\u308b\u3053\u3068\u3082\u3042\u308a\u307e\u3059\u3002<\/p>\n Emotet\u306f\u30de\u30eb\u30a6\u30a7\u30a2\u30c9\u30ed\u30c3\u30d1\u3067\u3082\u3042\u308b\u306e\u3067\u3001\u88ab\u5bb3\u8005\u306f\u4ed6\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306b\u3082\u611f\u67d3\u3059\u308b\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002\u30a2\u30ca\u30ea\u30b9\u30c8\u306f\u3001Emotet\u611f\u67d3\u30db\u30b9\u30c8\u304b\u3089\u306e\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3092\u8abf\u67fb\u3059\u308b\u306b\u3042\u305f\u308a\u3001\u4ed6\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u304b\u3089\u306e\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306b\u3064\u3044\u3066\u3082\u691c\u7d22\u3059\u3079\u304d\u3067\u3059\u3002<\/p>\n \u6700\u5f8c\u306b\u3001Emotet\u611f\u67d3\u30db\u30b9\u30c8\u306f\u300125\/tcp\u3001465\/tcp\u3001587\/tcp\u306a\u3069\u306eSMTP\u306b\u95a2\u9023\u4ed8\u3051\u3089\u308c\u305fTCP\u30dd\u30fc\u30c8\u3092\u4ecb\u3057\u3001\u5927\u91cf\u306e\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3092\u751f\u6210\u3059\u308b\u30b9\u30d1\u30e0\u30dc\u30c3\u30c8\u306b\u306a\u308b\u53ef\u80fd\u6027\u3082\u3042\u308a\u307e\u3059\u3002<\/p>\n \u6700\u8fd1\u306eEmotet\u611f\u67d3\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306epcap\u3092\u542b\u30805\u3064\u306e\u30d1\u30b9\u30ef\u30fc\u30c9\u4ed8\u304dZIP\u30a2\u30fc\u30ab\u30a4\u30d6\uff08\u30d1\u30b9\u30ef\u30fc\u30c9\u306f\u300cinfected\u300d\uff09\u3092\u3053\u3061\u3089\u306eGitHub\u30ea\u30dd\u30b8\u30c8\u30ea<\/a>\u304b\u3089\u53d6\u5f97\u3057\u3066\u304f\u3060\u3055\u3044\u3002Github\u30da\u30fc\u30b8\u306b\u79fb\u52d5\u3057\u3066\u3001ZIP\u30a2\u30fc\u30ab\u30a4\u30d6\u306e\u30a8\u30f3\u30c8\u30ea\u3092\u30af\u30ea\u30c3\u30af\u3057\u3001\u56f34\u3068\u56f35\u306b\u793a\u3059\u624b\u9806\u3067\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u307e\u3059\u3002<\/p>\n \u672cZIP\u30a2\u30fc\u30ab\u30a4\u30d6\u30d5\u30a1\u30a4\u30eb\u3092\u89e3\u51cd\u3059\u308b\u30d1\u30b9\u30ef\u30fc\u30c9\u306f\u300cinfected<\/em><\/strong>\u300d\u3067\u3059\u3002\u5c55\u958b\u3059\u308b\u3068\u6b21\u306e5\u3064\u306epcap\u30d5\u30a1\u30a4\u30eb\u304c\u4f5c\u6210\u3055\u308c\u307e\u3059\u3002<\/p>\n Example-1-2021-01-06-Emotet-infection.pcap<\/em><\/strong>\u3092\u958b\u3044\u305f\u3089\u3001\u300eWireshark \u306b\u3088\u308b\u30d1\u30b1\u30c3\u30c8\u89e3\u6790\u8b1b\u5ea7 2: \u8105\u5a01\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9\u8abf\u67fb\u306b\u5f79\u7acb\u3064\u30d5\u30a3\u30eb\u30bf\u30ea\u30f3\u30b0\u8a2d\u5b9a<\/a>\u300f\u306e\u30c1\u30e5\u30fc\u30c8\u30ea\u30a2\u30eb\u3067\u89e3\u8aac\u3057\u305f\u300cbasic\u300d\u306e web \u7528\u30d5\u30a3\u30eb\u30bf\u3092\u9069\u7528\u3057\u307e\u3059\u3002Wireshark 3.x\u3067\u306ebasic\u30d5\u30a3\u30eb\u30bf\u306f\u6b21\u306e\u3068\u304a\u308a\u3067\u3059\u3002<\/p>\n (http.request or tls.handshake.type eq 1) and !(ssdp)<\/span><\/p>\n \u30b7\u30ea\u30fc\u30ba\u521d\u56de\u306e\u300eWireshark \u306b\u3088\u308b\u30d1\u30b1\u30c3\u30c8\u89e3\u6790\u8b1b\u5ea7 1: Wireshark\u306e\u8868\u793a\u5217\u3092\u30ab\u30b9\u30bf\u30de\u30a4\u30ba\u3059\u308b<\/a>\u300f\u306b\u5f93\u3063\u3066Wireshark\u3092\u8a2d\u5b9a\u3059\u308b\u3068\u3001\u56f36\u306e\u3088\u3046\u306a\u8868\u793a\u3068\u306a\u308a\u307e\u3059\u3002<\/p>\n \u56f36\u306b\u793a\u3059\u3088\u3046\u306b\u3001\u6700\u521d\u306e5\u3064\u306eHTTP GET\u30ea\u30af\u30a8\u30b9\u30c8\u306f\u3001\u521d\u671fEmotet DLL\u306e\u53d6\u5f97\u306b\u4f7f\u308f\u308c\u308b4\u3064\u306eURL\u3092\u8868\u3057\u3066\u3044\u307e\u3059\u3002\u305d\u308c\u3089\u306e\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306f\u6b21\u306e\u3068\u304a\u308a\u3067\u3059\u3002<\/p>\n \u6700\u521d\u306e2\u3064\u306eURL\u304b\u3089\u306f\u3001hangarlastik[.]com<\/span>\u306b\u4ee5\u524d\u30db\u30b9\u30c6\u30a3\u30f3\u30b0\u3055\u308c\u3066\u3044\u305fEmotet DLL\u30d5\u30a1\u30a4\u30eb\u304c\u3059\u3067\u306b\u5b58\u5728\u3057\u306a\u3044\u3053\u3068\u304c\u308f\u304b\u308a\u307e\u3059\u3002\u305d\u306e\u78ba\u8a8d\u306b\u306f\u3001\u3053\u308c\u3089\u306e\u5404\u30ea\u30af\u30a8\u30b9\u30c8\u306b\u3064\u3044\u3066TCP\u30b9\u30c8\u30ea\u30fc\u30e0\u3092\u8ffd\u8de1\u3057\u3001\u5404HTTP GET\u30ea\u30af\u30a8\u30b9\u30c8\u3078\u306e\u30ec\u30b9\u30dd\u30f3\u30b9\u3092\u78ba\u8a8d\u3057\u3066\u307f\u3066\u304f\u3060\u3055\u3044\u3002<\/p>\n HTTP \u30ec\u30b9\u30dd\u30f3\u30b9\u3092\u78ba\u8a8d\u3059\u308b\u7c21\u5358\u306a\u65b9\u6cd5\u306f\u3001\u5148\u7a0b\u9069\u7528\u3057\u305fWireshark\u306e\u300cbasic\u300dWeb\u30d5\u30a3\u30eb\u30bf\u306b\u3001HTTP\u30ec\u30b9\u30dd\u30f3\u30b9\u306e\u30d5\u30a3\u30eb\u30bf\u3092\u8ffd\u52a0\u3057\u3066\u3084\u308b\u3053\u3068\u3067\u3059 (\u4e0b\u8a18\u306e\u5f37\u8abf<\/strong>\u90e8\u5206)\u3002<\/p>\n (http.request or http.response<\/strong> or tls.handshake.type eq 1) and !(ssdp)<\/span><\/p>\n \u3053\u308c\u306b\u3088\u308a\u3001HTTP \u30ec\u30b9\u30dd\u30f3\u30b9\u304c[Info<\/em><\/strong>]\u5217\u306b\u8868\u793a\u3055\u308c\u307e\u3059 (\u56f37\u53c2\u7167)\u3002<\/p>\n \u3053\u308c\u3067\u3001Word\u30de\u30af\u30ed\u304cEmotet DLL\u3092\u53d6\u5f97\u3057\u3088\u3046\u3068\u3057\u305f\u3068\u304d\u306b\u4f55\u304c\u8d77\u3053\u3063\u305f\u306e\u304b\u304c\u3088\u308a\u660e\u78ba\u306b\u306a\u308a\u307e\u3057\u305f\u3002<\/p>\n \u552f\u4e00\u3001\u300c200 OK<\/span>\u300d\u3068\u306a\u3063\u305f\u30ec\u30b9\u30dd\u30f3\u30b9\u306f\u3001hangarlastik[.]com<\/span>\u304b\u3089\u306e\u3001\u30b5\u30b9\u30da\u30f3\u30c9\u3055\u308c\u305f\u30da\u30fc\u30b8\u306b\u95a2\u3059\u308b\u901a\u77e5\u3078\u306e\u30ea\u30d7\u30e9\u30a4\u3067\u3059\u3002<\/p>\n seo.udaipurkart[.]com<\/span>\u3078\u306eHTTP GET\u30ea\u30af\u30a8\u30b9\u30c8\u306b\u306f\u30ec\u30b9\u30dd\u30f3\u30b9\u304c\u8868\u793a\u3055\u308c\u3066\u3044\u306a\u3044\u306e\u3067\u3001\u3053\u306e\u30ea\u30af\u30a8\u30b9\u30c8\u3078\u306eTCP\u30b9\u30c8\u30ea\u30fc\u30e0\u3092\u8ffd\u8de1\u3057\u3066\u307f\u307e\u3057\u3087\u3046\uff08\u56f38\u53c2\u7167\uff09\u3002<\/p>\n \u30a8\u30af\u30b9\u30dd\u30fc\u30c8\u3055\u308c\u305fDLL\u306eSHA256\u30cf\u30c3\u30b7\u30e5\u5024\u306f\u6b21\u306e\u3068\u304a\u308a\u3067\u3059\u3002<\/p>\n 8e37a82ff94c03a5be3f9dd76b9dfc335a0f70efc0d8fd3dca9ca34dd287de1b<\/span><\/p>\n Emotet\u306eC2\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306f\u3001HTTP POST\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u4f7f\u7528\u3057\u3066\u9001\u4fe1\u3055\u308c\u308b\u30a8\u30f3\u30b3\u30fc\u30c9\u3055\u308c\u305f\u30c7\u30fc\u30bf\u3067\u3059\u3002\u3053\u308c\u3089\u306e\u30ea\u30af\u30a8\u30b9\u30c8\u306f\u3001\u6b21\u306e\u30d5\u30a3\u30eb\u30bf\u3092\u4f7f\u7528\u3059\u308b\u3068Wireshark\u3067\u7c21\u5358\u306b\u898b\u3064\u3051\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002<\/p>\n http.request.method eq POST<\/span><\/p>\n \u3053\u306e\u30d5\u30a3\u30eb\u30bf\u306e\u9069\u7528\u7d50\u679c\u3092\u56f311\u306b\u793a\u3057\u307e\u3059\u3002<\/p>\n 1\u3064\u76ee\u306epcap\u3067\u306f\u3001Emotet\u306eC2\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306f\u6b21\u306eHTTP POST\u30ea\u30af\u30a8\u30b9\u30c8\u3067\u69cb\u6210\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n Emotet\u306fC2\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306b2\u7a2e\u985e\u306eHTTP POST\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u751f\u6210\u3057\u307e\u3059\u30021\u7a2e\u985e\u76ee\u306ePOST\u30ea\u30af\u30a8\u30b9\u30c8\u306fHTTP \/1.1<\/span>\u3067\u7d42\u308f\u308b\u3082\u306e\u3067\u30012\u7a2e\u985e\u76ee\u306ePOST\u30ea\u30af\u30a8\u30b9\u30c8\u306fHTTP\/1.1 (application\/x-www-form-urlencoded)<\/span>\u3067\u7d42\u308f\u308b\u3082\u306e\u3067\u3059\u3002<\/p>\n 16:42:34 UTC\u306e1\u3064\u76ee\u306e5.2.136[.]90<\/span>\u3078\u306eHTTP\u30ea\u30af\u30a8\u30b9\u30c8\u306eTCP\u30b9\u30c8\u30ea\u30fc\u30e0\u3092\u8ffd\u8de1\u3057\u3066\u30011\u7a2e\u985e\u76ee\u306eC2 POST\u30ea\u30af\u30a8\u30b9\u30c8\u306e\u4f8b\u3092\u78ba\u8a8d\u3057\u307e\u3057\u3087\u3046 (\u56f312\u53c2\u7167)\u3002<\/p>\n \u56f312\u306f\u3053\u306ePOST\u30ea\u30af\u30a8\u30b9\u30c8\u304c\u3001\u30a8\u30f3\u30b3\u30fc\u30c9\u306a\u3044\u3057\u6697\u53f7\u5316\u3055\u308c\u305f\u30d0\u30a4\u30ca\u30ea\u306e\u3088\u3046\u306b\u898b\u3048\u308b\u7d046KB\u306e\u30d5\u30a9\u30fc\u30e0\u30c7\u30fc\u30bf\u3092\u9001\u4fe1\u3059\u308b\u69d8\u5b50\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002HTTP\u30ec\u30b9\u30dd\u30f3\u30b9\u307e\u3067\u4e0b\u306b\u30b9\u30af\u30ed\u30fc\u30eb\u3057\u3001\u30b5\u30fc\u30d0\u30fc\u304b\u3089\u8fd4\u3055\u308c\u305f\u30a8\u30f3\u30b3\u30fc\u30c9\u3055\u308c\u305f\u30c7\u30fc\u30bf\u3092\u78ba\u8a8d\u3057\u307e\u3057\u3087\u3046\u3002\u56f313\u306f\u3001\u3053\u306e\u30a8\u30f3\u30b3\u30fc\u30c9\u3055\u308c\u305f\u30c7\u30fc\u30bf\u306e\u306f\u3058\u307e\u308a\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n \u3053\u306e\u7a2e\u306e\u30a8\u30f3\u30b3\u30fc\u30c9\u306a\u3044\u3057\u6697\u53f7\u5316\u3055\u308c\u305f\u30c7\u30fc\u30bf\u304c\u3001Emotet\u30dc\u30c3\u30c8\u30cd\u30c3\u30c8\u30b5\u30fc\u30d0\u30fc\u3068\u611f\u67d3Windows\u30db\u30b9\u30c8\u3068\u3067\u30c7\u30fc\u30bf\u3092\u4ea4\u63db\u3059\u308b\u65b9\u6cd5\u3067\u3059\u3002\u3053\u308c\u306f\u307e\u305f\u3001Emotet\u304cEmotet DLL\u3092\u66f4\u65b0\u3057\u3066\u30d5\u30a9\u30ed\u30fc\u30a2\u30c3\u30d7\u30de\u30eb\u30a6\u30a7\u30a2\u3092\u30c9\u30ed\u30c3\u30d7\u3059\u308b\u305f\u3081\u306b\u4f7f\u7528\u3059\u308b\u30c1\u30e3\u30cd\u30eb\u3067\u3082\u3042\u308a\u307e\u3059\u3002<\/p>\n Emotet C2\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306e2\u7a2e\u985e\u76ee\u306eHTTP POST\u30ea\u30af\u30a8\u30b9\u30c8\u306f\u30011\u7a2e\u985e\u76ee\u3068\u306f\u304b\u306a\u308a\u7570\u306a\u3063\u3066\u898b\u3048\u307e\u3059\u3002Wireshark\u3067\u6b21\u306e\u30d5\u30a3\u30eb\u30bf\u3092\u4f7f\u7528\u3059\u308b\u3068\u3001\u3053\u306e2\u7a2e\u985e\u76ee\u306eHTTP POST\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u5bb9\u6613\u306b\u898b\u3064\u3051\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002<\/p>\n urlencoded-form<\/span><\/p>\n \u3053\u306e\u30d5\u30a3\u30eb\u30bf\u306b\u3088\u308a\u30018080\/tcp<\/span>\u7d4c\u7531\u306e167.71.4[.]0<\/span>\u3078\u306e2\u3064\u306eHTTP POST\u30ea\u30af\u30a8\u30b9\u30c8\u304c\u8868\u793a\u3055\u308c\u307e\u3059 (\u56f314\u53c2\u7167)\u3002<\/p>\n 16:58:43 UTC \u306b\u767a\u751f\u3057\u305f\u3053\u308c\u30892\u3064\u306eHTTP POST\u30ea\u30af\u30a8\u30b9\u30c8\u306e\u3046\u3061\u30011\u3064\u76ee\u306eTCP\u30b9\u30c8\u30ea\u30fc\u30e0\u3092\u8ffd\u8de1\u3057\u3066\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3092\u78ba\u8a8d\u3057\u307e\u3059\u3002\u305d\u306e\u7d50\u679c\u3092\u56f315\u306b\u793a\u3057\u307e\u3059\u3002<\/p>\n \u56f315\u306b\u793a\u3057\u305f\u3088\u3046\u306b\u3001POST\u30ea\u30af\u30a8\u30b9\u30c8\u3067\u9001\u4fe1\u3055\u308c\u308b\u30c7\u30fc\u30bf\u306e\u4e00\u90e8\u306f\u3001URL\u30a8\u30f3\u30b3\u30fc\u30c9\u306b\u3088\u308abase64\u6587\u5b57\u5217\u3068\u3057\u3066\u30a8\u30f3\u30b3\u30fc\u30c9\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u4f8b\u3048\u3070\u3001%2B<\/span>\u304c\u300c+\u300d\u8a18\u53f7\u3092\u3001%2F<\/span>\u304c\u300c\/\u300d\u3092\u3001%3D<\/span>\u304c\u300c=<\/span>\u300d\u3092\u8868\u3059\u306e\u306b\u4f7f\u7528\u3055\u308c\u308b\u3001\u3068\u3044\u3063\u305f\u3050\u3042\u3044\u3067\u3059\u3002<\/p>\n \u30b5\u30fc\u30d0\u30fc\u304b\u3089\u306e\u30ec\u30b9\u30dd\u30f3\u30b9\u3068\u3057\u3066\u9001\u4fe1\u3055\u308c\u308b\u30c7\u30fc\u30bf\u306f\u3001\u30a8\u30f3\u30b3\u30fc\u30c9\u307e\u305f\u306f\u6697\u53f7\u5316\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n 1\u3064\u76ee\u306epcap\u306b\u306f\u3001\u30d5\u30a9\u30ed\u30fc\u30a2\u30c3\u30d7\u30de\u30eb\u30a6\u30a7\u30a2\u306a\u3069\u306e\u91cd\u8981\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u306f\u542b\u307e\u308c\u3066\u3044\u307e\u305b\u3093\u3002<\/p>\n \u307b\u304b\u306e\u552f\u4e00\u306e\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u306f\u3001443\/tcp<\/span>\u7d4c\u7531\u306746.101.230[.]194<\/span>\u3078\u306e\u63a5\u7d9a\u8a66\u884c\u3092\u7e70\u308a\u8fd4\u3057\u3066\u3044\u308b\u3053\u3068\u3067\u3059\u3002\u3053\u306e\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u306f\u3001Retransmission (\u518d\u9001\u4fe1) \u306eTCP SYN\u30bb\u30b0\u30e1\u30f3\u30c8\u3092\u30d5\u30a3\u30eb\u30bf\u30ea\u30f3\u30b0\u3059\u308b\u3053\u3068\u3067\u7c21\u5358\u306b\u898b\u3064\u304b\u308a\u307e\u3059\u3002\u305d\u306e\u305f\u3081\u306b\u306f\u3001\u6b21\u306eWireshark\u30d5\u30a3\u30eb\u30bf\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002<\/p>\n tcp.analysis.retransmission and tcp.flags eq 0x0002<\/span><\/p>\n \u7d50\u679c\u3092\u56f316\u306b\u793a\u3057\u307e\u3059\u3002<\/p>\n \u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u306746.101.230[.]194<\/span>\u3092\u691c\u7d22\u3059\u308c\u3070\u3001\u3053\u306eIP\u30a2\u30c9\u30ec\u30b9\u304cEmotet\u306eC2\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u306b\u4f7f\u7528\u3055\u308c\u3066\u304d\u305f\u3082\u306e\u3067\u3042\u308b\u3053\u3068\u304c\u660e\u3089\u304b\u306b\u306a\u308b\u3067\u3057\u3087\u3046\u3002<\/p>\n \u3053\u306epcap\u5185\u306e\u6b8b\u308a\u306e\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306fMicrosoft Windows10\u30db\u30b9\u30c8\u304c\u751f\u6210\u3057\u305f\u30b7\u30b9\u30c6\u30e0 \u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3067\u3059\u3002<\/p>\n \u6b21\u306e2\u3064\u76ee\u306epcap\u3067\u306f\u30b9\u30d1\u30e0\u30dc\u30c3\u30c8 \u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3092\u884c\u3046Emotet\u611f\u67d3\u306b\u3064\u3044\u3066\u8abf\u3079\u3066\u3044\u304d\u307e\u3059\u3002<\/p>\n Example-2-2021-01-05-Emotet-with-spambot-traffic-part-1.pcap<\/em><\/strong>\u3092Wireshark\u3067\u958b\u3044\u3066\u3001\u300cbasic\u300dWeb\u30d5\u30a3\u30eb\u30bf\u3092\u9069\u7528\u3057\u307e\u3059\uff08\u56f317\u53c2\u7167\uff09\u3002<\/p>\n 1\u3064\u76ee\u306e\u30b5\u30f3\u30d7\u30eb\u540c\u69d8\u3001Emotet C2\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u767a\u751f\u524d\u306b\u8907\u6570\u306eHTTP GET\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u53d7\u4fe1\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u308c\u3089\u306eGET\u30ea\u30af\u30a8\u30b9\u30c8\u306f\u3001Web\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u7d4c\u7531\u3067\u6700\u521d\u306eEmotet DLL\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u3088\u3046\u3068\u3057\u3066\u3044\u307e\u3059\u3002\u5217\u8868\u793a\u3057\u305f\u6700\u521d\u306e\u30d5\u30ec\u30fc\u30e0\u306b\u306f\u3001obob[.]tv<\/span>\u3078\u306eHTTPS\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u304c\u8868\u793a\u3055\u308c\u3066\u3044\u307e\u3059\u304c\u3001\u3053\u308c\u304c\u304a\u305d\u3089\u304f\u6700\u521d\u306eEmotet DLL\u3078\u306eWeb\u30ea\u30af\u30a8\u30b9\u30c8\u3060\u3068\u8003\u3048\u3089\u308c\u307e\u3059\u3002\u3068\u3044\u3046\u306e\u3082\u3001\u3053\u306e\u30c9\u30e1\u30a4\u30f3\u306f\u30012021\u5e741\u67085\u65e5\u306bEmotet\u30d0\u30a4\u30ca\u30ea\u3092\u30db\u30b9\u30c6\u30a3\u30f3\u30b0\u3057\u3066\u3044\u305f\u3053\u3068\u304c\u5831\u544a<\/a>\u3055\u308c\u3066\u304a\u308a\u3001\u305d\u306e\u65e5\u4ed8\u306f\u3053\u306epcap\u306e\u65e5\u4ed8\u3068\u540c\u4e00\u3060\u304b\u3089\u3067\u3059\u3002<\/p>\n miprimercamino[.]com<\/span>\u3078\u306eHTTP GET\u30ea\u30af\u30a8\u30b9\u30c8\u306eTCP\u30b9\u30c8\u30ea\u30fc\u30e0\u3092\u8ffd\u8de1\u3057\u3001\u3053\u308c\u304cEmotet DLL\u3092\u8fd4\u3057\u305f\u3053\u3068\u3092\u78ba\u8a8d\u3057\u3066\u304f\u3060\u3055\u3044\u30021\u3064\u76ee\u306epcap\u306e\u56f39\u3067\u793a\u3057\u305f\u3082\u306e\u3068\u4f3c\u305f\u30a4\u30f3\u30b8\u30b1\u30fc\u30bf\u304c\u8868\u793a\u3055\u308c\u308b\u306f\u305a\u3067\u3059\u3002miprimercamino[.]com<\/span>\u304b\u3089\u8fd4\u3055\u308c\u305fEmotet DLL\u306f\u3001\u56f318\u306b\u793a\u3057\u305f\u624b\u9806\u3067\u30a8\u30af\u30b9\u30dd\u30fc\u30c8\u3067\u304d\u307e\u3059\u3002<\/p>\n 2\u3064\u76ee\u306epcap\u304b\u3089\u30a8\u30af\u30b9\u30dd\u30fc\u30c8\u3057\u305fDLL\u306eSHA256\u30cf\u30c3\u30b7\u30e5\u5024\u306f\u6b21\u306e\u3068\u304a\u308a\u3067\u3059\u3002<\/p>\n 963b00584d8d63ea84585f7457e6ddcac9eda54428a432f388a1ffee21137316<\/span><\/p>\n \u3053\u3053\u3067\u3082Emotet\u306fC2\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306b2\u7a2e\u985e\u306eHTTP POST\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u751f\u6210\u3057\u307e\u3059\u3002Emotet C2\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306e\u305d\u308c\u305e\u308c\u306e\u7a2e\u985e\u306eHTTP POST\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u30d5\u30a3\u30eb\u30bf\u30ea\u30f3\u30b0\u3059\u308b\u306b\u306f\u3001\u6b21\u306eWireshark\u30d5\u30a3\u30eb\u30bf\u3092\u4f7f\u3044\u307e\u3059\u3002<\/p>\n \u3053\u308c\u3089\u306e\u30d5\u30a3\u30eb\u30bf\u3067\u8fd4\u3055\u308c\u308bHTTP POST\u30ea\u30af\u30a8\u30b9\u30c8\u306eTCP\u30b9\u30c8\u30ea\u30fc\u30e0\u3092\u8ffd\u8de1\u3057\u30012\u3064\u76ee\u306epcap\u3067\u30821\u3064\u76ee\u306epcap\u3067\u898b\u305f\u306e\u3068\u540c\u3058\u30c8\u30e9\u30d5\u30a3\u30c3\u30af \u30d1\u30bf\u30fc\u30f3\u304c\u898b\u3089\u308c\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3057\u3066\u304f\u3060\u3055\u3044\u3002<\/p>\n pcap\u5185\u3067Emotet\u306eC2\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u4f8b\u3092\u3044\u304f\u3064\u304b\u78ba\u8a8d\u3057\u305f\u3089\u3001\u6b21\u306f\u30b9\u30d1\u30e0\u30dc\u30c3\u30c8\u306e\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u306e\u78ba\u8a8d\u306b\u79fb\u308a\u307e\u3057\u3087\u3046\u3002<\/p>\n \u3053\u306e\u4f8b\u3067\u306f\u3001\u611f\u67d3\u30db\u30b9\u30c8\u304c\u30b9\u30d1\u30e0\u30dc\u30c3\u30c8\u306b\u5909\u3048\u3089\u308c\u305f\u305f\u3081\u3001SMTP\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\u30b9\u30d1\u30e0\u30dc\u30c3\u30c8\u306eSMTP\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306f\u6697\u53f7\u5316\u3055\u308c\u3066\u3044\u307e\u3059\u304c\u3001\u300cbasic\u300d\u306eWeb\u30d5\u30a3\u30eb\u30bf\u3092\u4f7f\u3063\u3066\u5217\u8868\u793a\u3092\u4e0b\u306b\u30b9\u30af\u30ed\u30fc\u30eb\u3059\u308b\u3053\u3068\u3067\u7c21\u5358\u306b\u898b\u3064\u3051\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002<\/p>\n \u3053\u306epcap\u3067\u306f\u300120:06:20 UTC \u304b\u3089\u300125\/tcp\u3001465\/tcp\u3001587\/tcp\u306a\u3069\u306eSMTP\u96fb\u5b50\u30e1\u30fc\u30eb\u30d7\u30ed\u30c8\u30b3\u30eb\u306b\u95a2\u9023\u4ed8\u3051\u3089\u308c\u305fTCP\u30dd\u30fc\u30c8\u3078\u306eSSL\/TLS\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u304c\u8868\u793a\u3055\u308c\u59cb\u3081\u307e\u3059 (\u56f319\u53c2\u7167)\u3002<\/p>\n SMTP\u3067\u30d5\u30a3\u30eb\u30bf\u30ea\u30f3\u30b0\u3059\u308c\u3070\u3001\u6697\u53f7\u5316\u3055\u308c\u305fSMTP\u30c8\u30f3\u30cd\u30eb\u306e\u78ba\u7acb\u524d\u306bSMTP<\/span>\u30b3\u30de\u30f3\u30c9\u304c\u3044\u304f\u3064\u304b\u3042\u308b\u3053\u3068\u304c\u308f\u304b\u308a\u307e\u3059\u3002\u56f320\u306b\u7d50\u679c\u3092\u793a\u3057\u307e\u3059\u3002<\/p>\n Emotet\u306b\u611f\u67d3\u3057\u305fWindows\u30db\u30b9\u30c8\u306e\u751f\u6210\u3059\u308b\u30b9\u30d1\u30e0\u30dc\u30c3\u30c8\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306e\u306a\u304b\u306b\u306f\u3001\u6697\u53f7\u5316\u3055\u308c\u3066\u3044\u306a\u3044SMTP\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3082\u898b\u3064\u304b\u308b\u3053\u3068\u304c\u3042\u308a\u307e\u3059\u3002\u5e73\u6587\u306eSMTP\u304b\u3089\u306f\u30e1\u30c3\u30bb\u30fc\u30b8\u306e\u5185\u5bb9\u304c\u78ba\u8a8d\u3067\u304d\u307e\u3059\u304c\u3001\u30b9\u30d1\u30e0\u30dc\u30c3\u30c8 \u30db\u30b9\u30c8\u304b\u3089\u9001\u4fe1\u3055\u308c\u308b\u6697\u53f7\u5316SMTP\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306e\u30dc\u30ea\u30e5\u30fc\u30e0\u306f\u5e73\u6587\u306e\u305d\u308c\u3068\u304f\u3089\u3079\u3066\u304d\u308f\u3060\u3063\u3066\u5927\u304d\u3044\u3053\u3068\u304b\u3089\u3001Emotet\u611f\u67d3\u30db\u30b9\u30c8\u306e\u30b9\u30d1\u30e0\u30dc\u30c3\u30c8\u30e1\u30c3\u30bb\u30fc\u30b8\u306f\u305d\u306e\u307b\u3068\u3093\u3069\u304c\u6697\u53f7\u5316\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306b\u6f5c\u3093\u3067\u3044\u308b\u3068\u3044\u3046\u3053\u3068\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n \u3053\u306e\u4f8b\u3067\u306f\u6697\u53f7\u5316\u3055\u308c\u305fSMTP\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306e\u307f\u3092\u78ba\u8a8d\u3067\u304d\u307e\u3059\u3002<\/p>\n \u306a\u304a\u3001\u6b21\u306b\u3042\u3052\u308b\u4f8b\u306f\u3053\u308c\u3068\u540c\u3058\u611f\u67d3\u306e\u5f8c\u534a\u306e\u3082\u306e\u3067\u3001\u3053\u3053\u3067\u3088\u3046\u3084\u304f\u6697\u53f7\u5316\u3055\u308c\u3066\u3044\u306a\u3044SMTP\u304c\u898b\u3064\u304b\u308a\u307e\u3059\u3002<\/p>\n Example-3-2021-01-05-Emotet-with-spambot-traffic-part-2.pcap<\/em><\/strong>\u3092Wireshark\u3067\u958b\u3044\u3066\u3001\u300cbasic\u300dWeb\u30d5\u30a3\u30eb\u30bf\u3092\u9069\u7528\u3057\u307e\u3059\uff08\u56f321\u53c2\u7167\uff09\u3002<\/p>\n \u3053\u306epcap\u3067\u3082\u3001Emotet C2\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306b\u5bfe\u3059\u308bHTTP POST\u30ea\u30af\u30a8\u30b9\u30c8\u304c\u5c11\u306a\u304f\u3068\u30821\u5206\u306b2\u56de\u8868\u793a\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u4ee5\u524d\u306epcap\u3068\u540c\u69d8\u306e\u6697\u53f7\u5316\u3055\u308c\u305f\u30b9\u30d1\u30e0\u30dc\u30c3\u30c8 \u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3082\u898b\u3064\u304b\u308a\u307e\u3059\u3002<\/p>\n \u30b9\u30d1\u30e0\u30dc\u30c3\u30c8 \u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3067\u306f\u983b\u7e41\u306b\u5927\u91cf\u306e\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u304c\u751f\u3058\u307e\u3059\u3002\u3053\u306epcap\u306b\u306f\u3001\u611f\u67d3Windows\u30db\u30b9\u30c8\u4e0a\u3067\u306e4\u520642\u79d2\u306b\u308f\u305f\u308b\u30b9\u30d1\u30e0\u30dc\u30c3\u30c8 \u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u304c\u8a18\u9332\u3055\u308c\u3066\u3044\u307e\u3059\u304c\u3001\u3053\u306e\u4e2d\u306b\u306f 21MB \u8d85\u306e\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n \u6697\u53f7\u5316\u3055\u308c\u3066\u3044\u306a\u3044SMTP\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3092\u3059\u3070\u3084\u304f\u8b58\u5225\u3059\u308b\u306b\u306f\u6b21\u306eWireshark\u30d5\u30a3\u30eb\u30bf\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002<\/p>\n smtp.data.fragment<\/span><\/p>\n \u56f322\u306f\u30013\u3064\u76ee\u306epcap\u306b\u5bfe\u3059\u308b\u3053\u306e\u30d5\u30a3\u30eb\u30bf\u306e\u7d50\u679c\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u306e\u30d5\u30a3\u30eb\u30bf\u306b\u3088\u308a\u3001\u611f\u67d3Windows\u30db\u30b9\u30c8\u304c\u751f\u6210\u3057\u305f5\u3064\u306eEmotet\u30de\u30eb\u30b9\u30d1\u30e0\u306e\u30b5\u30f3\u30d7\u30eb\u304c\u660e\u3089\u304b\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n 20:19:54 UTC\u306efrom: \u201cGladisbel Miranda<\/span>\u3068\u3044\u3046\u6700\u5f8c\u306e\u96fb\u5b50\u30e1\u30fc\u30eb\u306eTCP\u30b9\u30c8\u30ea\u30fc\u30e0\u3092\u8ffd\u8de1\u3057\u307e\u3059\u3002\u3053\u308c\u3089\u306e\u30e1\u30c3\u30bb\u30fc\u30b8\u304c\u3069\u306e\u3088\u3046\u306a\u5f62\u5f0f\u304b\u3092\u78ba\u8a8d\u3057\u307e\u3057\u3087\u3046 (\u56f323\u53c2\u7167)\u3002<\/p>\n Emotet\u30de\u30eb\u30b9\u30d1\u30e0\u306e\u3053\u308c\u30895\u3064\u306e\u30aa\u30d6\u30b8\u30a7\u30af\u30c8\u306f\u3001Wireshark\u306e\u30e1\u30cb\u30e5\u30fc\u304b\u3089\u30a8\u30af\u30b9\u30dd\u30fc\u30c8\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002\u56f324\u306b\u3057\u305f\u304c\u3063\u3066\u3001[File (\u30d5\u30a1\u30a4\u30eb)]\u3001[Export Objects (\u30aa\u30d6\u30b8\u30a7\u30af\u30c8\u306e\u30a8\u30af\u30b9\u30dd\u30fc\u30c8)]\u3001[IMF]<\/em><\/strong>\u306e\u9806\u306b\u30af\u30ea\u30c3\u30af\u3057\u307e\u3059\u3002<\/p>\n \u3053\u308c\u3089\u306e\u96fb\u5b50\u30e1\u30fc\u30eb\u3092\u30a8\u30af\u30b9\u30dd\u30fc\u30c8\u3057\u3066\u8abf\u3079\u307e\u3057\u3087\u3046\u3002\u3053\u308c\u3082\u3001\u3067\u304d\u308c\u3070Windows\u74b0\u5883\u4ee5\u5916\u3067\u3084\u308b\u306e\u3092\u304a\u52e7\u3081\u3057\u307e\u3059\u3002\u6f5c\u5728\u7684\u306a\u88ab\u5bb3\u8005\u304b\u3089\u3053\u3046\u3057\u305f\u96fb\u5b50\u30e1\u30fc\u30eb\u304c\u3069\u306e\u3088\u3046\u306b\u898b\u3048\u308b\u304b\u3092\u78ba\u8a8d\u3059\u308b\u3055\u3044\u306f\u3001Thunderbird<\/a>\u306a\u3069\u306e\u7121\u6599\u96fb\u5b50\u30e1\u30fc\u30eb\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u3092\u4f7f\u3046\u3068\u3088\u3044\u3067\u3057\u3087\u3046\u3002<\/p>\n \u3055\u3066\u3001\u5148\u306b\u8ff0\u3079\u305f\u3068\u304a\u308a\u3001Emotet\u306f\u30de\u30eb\u30a6\u30a7\u30a2\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u3067\u3082\u3042\u308a\u307e\u3059\u3002Emotet\u7d4c\u7531\u3067\u914d\u5e03\u3055\u308c\u308b\u6700\u3082\u4e00\u822c\u7684\u306a\u30de\u30eb\u30a6\u30a7\u30a2\u306f\u304a\u305d\u3089\u304fTrickbot\u3067\u3057\u3087\u3046\u3002<\/p>\n Example-4-2021-01-05-Emotet-infection-with-Trickbot.pcap<\/em><\/strong>\u3092Wireshark\u3067\u958b\u3044\u3066\u3001\u300cbasic\u300dWeb\u30d5\u30a3\u30eb\u30bf\u3092\u9069\u7528\u3057\u307e\u3059\uff08\u56f325\u53c2\u7167\uff09\u3002<\/p>\n \u3053\u306epcap\u306b\u306f\u3001\u521d\u671fEmotet DLL\u306b\u5bfe\u3059\u308bHTTP GET\u30ea\u30af\u30a8\u30b9\u30c8\u306f\u542b\u307e\u308c\u3066\u3044\u307e\u305b\u3093\u3002\u305f\u3060\u3057basic\u30d5\u30a3\u30eb\u30bf\u3092\u9069\u7528\u3057\u3066\u8868\u793a\u3055\u305b\u305f\u6700\u521d\u306e\u30d5\u30ec\u30fc\u30e0\u306b\u306f\u3001fathekarim[.]com<\/span>\u3078\u306eHTTPS\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u304c\u8868\u793a\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u3053\u308c\u304c\u304a\u305d\u3089\u304fEmotet DLL\u3078\u306eWeb\u30ea\u30af\u30a8\u30b9\u30c8\u3060\u3068\u8003\u3048\u3089\u308c\u307e\u3059\u3002\u3068\u3044\u3046\u306e\u3082\u3001\u3053\u306e\u30c9\u30e1\u30a4\u30f3\u306f\u30012021\u5e741\u67085\u65e5\u306bEmotet\u30d0\u30a4\u30ca\u30ea\u3092\u30db\u30b9\u30c6\u30a3\u30f3\u30b0\u3057\u3066\u3044\u305f\u3053\u3068\u304c\u5831\u544a<\/a>\u3055\u308c\u3066\u304a\u308a\u3001\u305d\u306e\u65e5\u4ed8\u306f\u3053\u306epcap\u306e\u65e5\u4ed8\u3068\u540c\u4e00\u3060\u304b\u3089\u3067\u3059\u3002<\/p>\n \u3053\u306e pcap \u3067\u3082\u3001\u5148\u306e2\u3064\u306epcap\u3067\u8aac\u660e\u3057\u305f\u3088\u3046\u306b\u3001Emotet C2\u306b\u95a2\u9023\u4ed8\u3051\u3089\u3066\u3044\u308b\u3082\u306e\u3068\u540c\u30582\u7a2e\u985e\u306eHTTP POST\u30ea\u30af\u30a8\u30b9\u30c8\u304c\u898b\u3064\u304b\u308a\u307e\u3059\u3002<\/p>\n \u3053\u306epcap\u306b\u306f\u3001Trickbot\u611f\u67d3\u306e\u30a4\u30f3\u30b8\u30b1\u30fc\u30bf\u3082\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\u3053\u3053\u3067\u3082\u300cbasic\u300dWeb\u30d5\u30a3\u30eb\u30bf\u3092\u9069\u7528\u3057\u3001\u4e0b\u306b\u30b9\u30af\u30ed\u30fc\u30eb\u3057\u3066\u3044\u3063\u3066Trickbot\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3092\u78ba\u8a8d\u3057\u3066\u304f\u3060\u3055\u3044 (\u56f326\u53c2\u7167)\u3002<\/p>\n \u3059\u3067\u306bTrickbot\u611f\u67d3\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306b\u3064\u3044\u3066\u306f\u300eWireshark\u306b\u3088\u308b\u30d1\u30b1\u30c3\u30c8\u89e3\u6790\u8b1b\u5ea7 5: Trickbot\u611f\u67d3\u306e\u8abf\u67fb<\/a>\u300f\u3067\u30ec\u30d3\u30e5\u30fc\u6e08\u307f\u3067\u3059\u304c\u3001\u3053\u3053\u3067\u7c21\u5358\u306b\u304a\u3055\u3089\u3044\u3057\u3066\u304a\u304d\u307e\u3057\u3087\u3046\u3002Trickbot\u306e\u4e00\u822c\u7684\u306a\u30a4\u30f3\u30b8\u30b1\u30fc\u30bf\u306b\u306f\u6b21\u306e\u3082\u306e\u304c\u3042\u3052\u3089\u308c\u307e\u3059\u3002<\/p>\n \u3053\u308c\u3089\u306e\u30a4\u30f3\u30b8\u30b1\u30fc\u30bf\u306f\u6b21\u306eWireshark\u30d5\u30a3\u30eb\u30bf\u3092\u9069\u7528\u3059\u308b\u3068\u7c21\u5358\u306b\u898b\u3064\u304b\u308a\u307e\u3059\u3002<\/p>\n \u56f327\u304b\u3089\u56f329\u306f\u3001\u4e0a\u8a18\u306e\u5404\u30d5\u30a3\u30eb\u30bf\u3092\u9069\u7528\u3057\u305f\u7d50\u679c\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n \u56f328\u306b\u793a\u3057\u305f\u5404HTTP POST\u30ea\u30af\u30a8\u30b9\u30c8\u306eTCP\u30b9\u30c8\u30ea\u30fc\u30e0\u3092\u8ffd\u8de1\u3057\u3001\u30d1\u30b9\u30ef\u30fc\u30c9\u30c7\u30fc\u30bf\u304c\u7a83\u53d6\u3055\u308c\u3066\u3044\u308b\u304b\u3069\u3046\u304b\u3092\u78ba\u8a8d\u3057\u307e\u3057\u3087\u3046\u3002\/90<\/span>\u3067\u7d42\u308f\u308b\u6700\u5f8c\u306eHTTP POST\u30ea\u30af\u30a8\u30b9\u30c8\u306b\u306f\u3001\u611f\u67d3Windows\u30db\u30b9\u30c8\u3068\u305d\u306e\u74b0\u5883\u306b\u95a2\u3059\u308b\u30c7\u30fc\u30bf\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n \u56f329\u306b\u793a\u3057\u305f\u5404HTTP POST\u30ea\u30af\u30a8\u30b9\u30c8\u306eTCP\u30b9\u30c8\u30ea\u30fc\u30e0\u3092\u8ffd\u8de1\u3057\u3001Windows\u30d0\u30a4\u30ca\u30ea\u304c\u8fd4\u3055\u308c\u3066\u3044\u306a\u3044\u304b\u3069\u3046\u304b\u3092\u78ba\u8a8d\u3057\u307e\u3057\u3087\u3046\u3002\u305d\u3046\u3059\u308c\u3070\u3001Windows\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\u304c2\u3064\u8fd4\u3055\u308c\u3066\u3044\u308b\u3053\u3068\u304c\u308f\u304b\u308b\u306f\u305a\u3067\u3059\u3002\u78ba\u8a8d\u5f8c\u306f\u3001\u3053\u308c\u3089\u306e\u30d0\u30a4\u30ca\u30ea\u3092pcap\u304b\u3089\u30a8\u30af\u30b9\u30dd\u30fc\u30c8\u3057\u307e\u3057\u3087\u3046\u3002\u305d\u306e\u305f\u3081\u306b\u306f\u3053\u308c\u307e\u3067\u306e\u30b5\u30f3\u30d7\u30eb\u3068\u540c\u69d8\u306b[File (\u30d5\u30a1\u30a4\u30eb)]\u30e1\u30cb\u30e5\u30fc\u3067<\/em><\/strong>[Export Objects (\u30aa\u30d6\u30b8\u30a7\u30af\u30c8\u306e\u30a8\u30af\u30b9\u30dd\u30fc\u30c8)]\u3001[HTTP]<\/em><\/strong>\u306e\u9806\u306b\u30af\u30ea\u30c3\u30af\u3057\u307e\u3059\u3002<\/p>\n \u3053\u308c\u30892\u3064\u306eWindows\u30d0\u30a4\u30ca\u30ea\uff08\u3044\u305a\u308c\u3082\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\uff09\u306eSHA256\u30cf\u30c3\u30b7\u30e5\u5024\u306f\u6b21\u306e\u3068\u304a\u308a\u3067\u3059\u3002<\/p>\n Trickbot\u306fEmotet\u306e\u914d\u5e03\u3059\u308b\u6700\u3082\u4e00\u822c\u7684\u306a\u30de\u30eb\u30a6\u30a7\u30a2\u3067\u3059\u304c\u3001\u3053\u308c\u4ee5\u5916\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u304c\u914d\u5e03\u3055\u308c\u308b\u3053\u3068\u3082\u3042\u308a\u307e\u3059\u3002Qakbot\u304c\u305d\u3046\u3057\u305f\u30de\u30eb\u30a6\u30a7\u30a2\u306e1\u3064\u3067\u3001\u3053\u308c\u3082Emotet\u306b\u611f\u67d3\u3057\u305fWindows\u30db\u30b9\u30c8\u306b\u3088\u3063\u3066\u3088\u304f\u30c9\u30ed\u30c3\u30d7\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n Example-5-2020-08-18-Emotet-infection-with-Qakbot.pcap<\/em><\/strong>\u3092Wireshark\u3067\u958b\u3044\u3066\u3001\u300cbasic\u300dWeb\u30d5\u30a3\u30eb\u30bf\u3092\u9069\u7528\u3057\u307e\u3059\uff08\u56f330\u53c2\u7167\uff09\u3002<\/p>\n 5\u3064\u76ee\u306epcap\u3067\u306f\u3001Emotet Word\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8\u304c21:23:50 UTC\u306bsawtpranamam.mysquare[.]in<\/span>\u304b\u3089\u53d6\u5f97\u3055\u308c\u3066\u3044\u307e\u3059\u304c\u3001\u3053\u308c\u306f\u540c\u3058\u65e5\u306bEmotet Word\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8\u3092\u30db\u30b9\u30c6\u30a3\u30f3\u30b0\u3057\u3066\u3044\u305f\u3053\u3068\u304c\u5831\u544a\u3055\u308c\u3066\u3044\u308bURL<\/a>\u3068\u5408\u81f4\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u306eWord\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8\u3092pcap\u304b\u3089\u30a8\u30af\u30b9\u30dd\u30fc\u30c8\u3057\u307e\u3057\u3087\u3046\u3002\u305d\u306e\u305f\u3081\u306b\u306f\u3001\u3053\u308c\u307e\u3067\u306e\u30b5\u30f3\u30d7\u30eb\u3068\u540c\u69d8\u306bEmotet\u306b\u3088\u308b\u611f\u67d3\u30a4\u30d9\u30f3\u30c8 \u30c1\u30a7\u30fc\u30f3<\/h2>\n
![\"\u3053\u3053\u306b\u793a\u3057\u305fWord\u6587\u66f8\u306f\u30012021\u5e741\u6708\u306bEmotet\u611f\u67d3\u3092\u5f15\u304d\u8d77\u3053\u3059\u306e\u306b\u4f7f\u7528\u3055\u308c\u305f\u3082\u306e\u3067\u3059\u3002\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u306e\u30e1\u30c3\u30bb\u30fc\u30b8\u306b\u6ce8\u610f\u3057\u3066\u304f\u3060\u3055\u3044\u300cThis](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-30.jpeg\")
![\"Emotet](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-31.jpeg\")
\n
![\"Emotet\u611f\u67d3\u30d5\u30ed\u30fc\u30c1\u30e3\u30fc\u30c8:](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-32.jpeg\")
Emotet\u306e\u611f\u67d3\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3092\u542b\u3080Pcap\u30d5\u30a1\u30a4\u30eb<\/h2>\n
![\"The](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-33.jpeg\")
![\"The](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-34.jpeg\")
\n
\u4f8b1: Emotet\u611f\u67d3\u30c8\u30e9\u30d5\u30a3\u30c3\u30af<\/h2>\n
![\"\u56f36](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-35.jpeg\")
\n
![\"\u56f37](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-36.jpeg\")
\n
![\"\u56f38](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-37.jpeg\")
![\"\u56f39](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-38.jpeg\")
![\"\u56f310](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-39.jpeg\")
![\"\u56f311](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-40.jpeg\")
\n
![\"\u56f312](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-41.jpeg\")
![\"\u56f313](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-42.jpeg\")
![\"\u56f314](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-43.jpeg\")
![\"\u56f315](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-44.jpeg\")
![\"\u56f316](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-45.jpeg\")
\u4f8b2: \u30b9\u30d1\u30e0\u30dc\u30c3\u30c8\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3092\u542b\u3080 Emotet \u30d1\u30fc\u30c81<\/h2>\n
![\"\u56f317](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-46.jpeg\")
![\"\u56f318](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-47.jpeg\")
\n
![\"\u56f319](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-48.jpeg\")
![\"\u56f320](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-49.jpeg\")
\u4f8b2: \u30b9\u30d1\u30e0\u30dc\u30c3\u30c8\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3092\u542b\u3080 Emotet \u30d1\u30fc\u30c82<\/h2>\n
![\"\u56f321](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-50.jpeg\")
![\"\u56f322](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-51.jpeg\")
![\"\u56f323](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-52.jpeg\")
![\"\u56f324](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-53.jpeg\")
\u4f8b4: Trickbot\u3092\u914d\u5e03\u3059\u308bEmotet\u611f\u67d3<\/h2>\n
![\"\u56f325](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-54.jpeg\")
![\"\u56f326](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-55.jpeg\")
\n
\n
![\"\u56f327:](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-56.jpeg\")
![\"\u56f328](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-57.jpeg\")
![\"\u56f329](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-58.jpeg\")
\n
\u4f8b5: Qakbot\u3092\u914d\u5e03\u3059\u308bEmotet\u611f\u67d3<\/h2>\n
![\"\u56f330](\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2021\/01\/word-image-59.jpeg\")