<!DOCTYPE html> <html lang="ja" data-admin-domain="//blog.hatena.ne.jp" data-admin-origin="https://blog.hatena.ne.jp" data-author="disconinja" data-avail-langs="ja en" data-blog="disconinja.hatenablog.com" data-blog-host="disconinja.hatenablog.com" data-blog-is-public="1" data-blog-name="Weekend Researcher Tsurezure Diary" data-blog-owner="disconinja" data-blog-show-ads="1" data-blog-show-sleeping-ads="" data-blog-uri="https://disconinja.hatenablog.com/" data-blog-uuid="820878482948809331" data-blogs-uri-base="https://disconinja.hatenablog.com" data-brand="hatenablog" data-data-layer="{&quot;hatenablog&quot;:{&quot;admin&quot;:{},&quot;analytics&quot;:{&quot;brand_property_id&quot;:&quot;&quot;,&quot;measurement_id&quot;:&quot;&quot;,&quot;non_sampling_property_id&quot;:&quot;&quot;,&quot;property_id&quot;:&quot;&quot;,&quot;separated_property_id&quot;:&quot;UA-29716941-19&quot;},&quot;blog&quot;:{&quot;blog_id&quot;:&quot;820878482948809331&quot;,&quot;content_seems_japanese&quot;:&quot;true&quot;,&quot;disable_ads&quot;:&quot;&quot;,&quot;enable_ads&quot;:&quot;true&quot;,&quot;enable_keyword_link&quot;:&quot;true&quot;,&quot;entry_show_footer_related_entries&quot;:&quot;true&quot;,&quot;force_pc_view&quot;:&quot;false&quot;,&quot;is_public&quot;:&quot;true&quot;,&quot;is_responsive_view&quot;:&quot;false&quot;,&quot;is_sleeping&quot;:&quot;false&quot;,&quot;lang&quot;:&quot;ja&quot;,&quot;name&quot;:&quot;Weekend Researcher Tsurezure Diary&quot;,&quot;owner_name&quot;:&quot;disconinja&quot;,&quot;uri&quot;:&quot;https://disconinja.hatenablog.com/&quot;},&quot;brand&quot;:&quot;hatenablog&quot;,&quot;page_id&quot;:&quot;index&quot;,&quot;permalink_entry&quot;:null,&quot;pro&quot;:&quot;free&quot;,&quot;router_type&quot;:&quot;blogs&quot;}}" data-device="pc" data-dont-recommend-pro="false" data-global-domain="https://hatena.blog" data-globalheader-color="b" data-globalheader-type="pc" data-has-touch-view="1" data-help-url="https://help.hatenablog.com" 
data-page="index" data-parts-domain="https://hatenablog-parts.com" data-plus-available="" data-pro="false" data-router-type="blogs" data-sentry-dsn="https://03a33e4781a24cf2885099fed222b56d@sentry.io/1195218" data-sentry-environment="production" data-sentry-sample-rate="0.1" data-static-domain="https://cdn.blog.st-hatena.com" data-version="5fa31e35d1ab9280564e15ff7dbf6f" data-initial-state="{}" > <head prefix="og: http://ogp.me/ns# fb: http://ogp.me/ns/fb#"> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta name="robots" content="max-image-preview:large" /> <meta charset="utf-8"/> <meta http-equiv="X-UA-Compatible" content="IE=7; IE=9; IE=10; IE=11" /> <title>Weekend Researcher Tsurezure Diary</title> <link rel="canonical" href="https://disconinja.hatenablog.com/"/> <meta itemprop="name" content="Weekend Researcher Tsurezure Diary"/> <meta itemprop="image" content="https://cdn.blog.st-hatena.com/images/theme/og-image-1500.png"/> <meta property="og:title" content="Weekend Researcher Tsurezure Diary"/> <meta property="og:type" content="blog"/> <meta property="og:url" content="https://disconinja.hatenablog.com/"/> <meta property="og:image" content="https://cdn.blog.st-hatena.com/images/theme/og-image-1500.png"/> <meta property="og:image:alt" content="Weekend Researcher Tsurezure Diary"/> <meta property="og:description" content="Weekend Researcher Tsurezure Diary" /> <meta property="og:site_name" content="Weekend Researcher Tsurezure Diary"/> <meta name="twitter:card" content="summary_large_image" /> <meta name="twitter:image" content="https://cdn.blog.st-hatena.com/images/theme/og-image-1500.png" /> <meta name="twitter:title" content="Weekend Researcher Tsurezure Diary" /> <meta name="twitter:description" content="Weekend Researcher Tsurezure Diary" /> <meta name="twitter:app:name:iphone" content="はてなブログアプリ" /> <meta name="twitter:app:id:iphone" content="583299321" /> <meta name="twitter:app:url:iphone" 
content="hatenablog:///open?uri=https%3A%2F%2Fdisconinja.hatenablog.com%2F" />
<!-- Seeds window.dataLayer for Google Tag Manager from two server-rendered JSON
     attributes: data-data-layer on the <html> element and
     data-data-layer-page-specific on this <script> element. Both attributes are
     written by the server at render time; nothing here reads user input. -->
<script id="embed-gtm-data-layer-loader" data-data-layer-page-specific="">
  (function () {
    // Parse one JSON-bearing attribute. A missing element, a missing attribute
    // or an empty string all yield an empty object; any other value is parsed
    // as JSON (a malformed value throws, exactly as before).
    function readLayer(node, attribute) {
      var raw = node ? node.getAttribute(attribute) : null;
      return raw ? JSON.parse(raw) : {};
    }

    // Global (blog-wide) variables first, then the page-specific ones.
    var layers = [
      readLayer(document.documentElement, 'data-data-layer'),
      readLayer(document.getElementById('embed-gtm-data-layer-loader'), 'data-data-layer-page-specific')
    ];

    // Create the queue before gtm.js loads so these objects are picked up on start.
    window.dataLayer = window.dataLayer || [];
    var idx = 0;
    while (idx < layers.length) {
      window.dataLayer.push(layers[idx]);
      idx += 1;
    }
  })();
</script>
<!-- Google Tag Manager -->
<!-- NOTE(review): gtm.js is injected at runtime by this snippet, so Subresource
     Integrity cannot cover it; any script-src CSP applied to this page needs to
     allow https://www.googletagmanager.com. -->
<script>
  (function (w, d, s, l, i) {
    w[l] = w[l] || [];
    w[l].push({ 'gtm.start': new Date().getTime(), event: 'gtm.js' });
    var f = d.getElementsByTagName(s)[0],
        j = d.createElement(s),
        dl = l != 'dataLayer' ? '&l=' + l : '';
    j.async = true;
    j.src = 'https://www.googletagmanager.com/gtm.js?id=' + i + dl;
    f.parentNode.insertBefore(j, f);
  })(window, document, 'script', 'dataLayer', 'GTM-P4CXTW');
</script>
<!-- End Google Tag Manager -->
<link rel="shortcut icon" href="https://disconinja.hatenablog.com/icon/favicon">
<link rel="apple-touch-icon" href="https://disconinja.hatenablog.com/icon/touch">
<link rel="icon" sizes="192x192" href="https://disconinja.hatenablog.com/icon/link">
<link rel="alternate" type="application/atom+xml" title="Atom" href="https://disconinja.hatenablog.com/feed"/>
<link rel="alternate" type="application/rss+xml" title="RSS2.0" href="https://disconinja.hatenablog.com/rss"/>
<!-- NOTE(review): the author link below is plain http while every other
     resource on this page is fetched over https. -->
<link rel="author" href="http://www.hatena.ne.jp/disconinja/">
<link rel="stylesheet" type="text/css" href="https://cdn.blog.st-hatena.com/css/blog.css?version=5fa31e35d1ab9280564e15ff7dbf6f"/>
<link rel="stylesheet" type="text/css" href="https://usercss.blog.st-hatena.com/blog_style/820878482948809331/73be541c25257e964a1a9e68972470285b1096c7"/>
<script>
</script> <style> div#google_afc_user, div.google-afc-user-container, div.google_afc_image, div.google_afc_blocklink { display: block !important; } </style> <script src="https://cdn.pool.st-hatena.com/valve/valve.js" async></script> <script id="test-valve-definition"> var valve = window.valve || []; valve.push(function(v) { v.config({ service: 'blog', content: { result: 'adtrust', documentIds: ["blog:entry:6802418398336797316","blog:entry:6802418398335411948","blog:entry:6802418398335411312","blog:entry:6802418398333452759","blog:entry:6802418398331435855","blog:entry:6802418398329612503","blog:entry:6802418398327585665"] } }); v.defineDFPSlot({"lazy":1,"sizes":{"mappings":[[[320,568],[[336,280],[300,250],"fluid"]],[[0,0],[[300,250]]]]},"slotId":"ad-in-entry","unit":"/4374287/blog_pc_entry_sleep_in-article"}); v.defineDFPSlot({"lazy":"","sizes":[[300,250],[336,280],[468,60],"fluid"],"slotId":"google_afc_user_container_0","unit":"/4374287/blog_user"}); v.defineDFPSlot({"lazy":"","sizes":[[300,250],[336,280],[468,60],"fluid"],"slotId":"google_afc_user_container_1","unit":"/4374287/blog_user_2nd"}); v.defineDFPSlot({"lazy":"","sizes":[[300,250],[336,280],[468,60],"fluid"],"slotId":"google_afc_user_container_2","unit":"/4374287/blog_user_2nd"}); v.defineDFPSlot({"lazy":"1","sizes":[[300,250],[336,280],[468,60],"fluid"],"slotId":"google_afc_user_container_3","unit":"/4374287/blog_user_2nd"}); v.defineDFPSlot({"lazy":"1","sizes":[[300,250],[336,280],[468,60],"fluid"],"slotId":"google_afc_user_container_4","unit":"/4374287/blog_user_2nd"}); v.defineDFPSlot({"lazy":"1","sizes":[[300,250],[336,280],[468,60],"fluid"],"slotId":"google_afc_user_container_5","unit":"/4374287/blog_user_2nd"}); v.defineDFPSlot({"lazy":"1","sizes":[[300,250],[336,280],[468,60],"fluid"],"slotId":"google_afc_user_container_6","unit":"/4374287/blog_user_2nd"}); v.sealDFPSlots(); }); </script> <script type="application/ld+json">{"@context":"https://schema.org","@type":"WebSite","name":"Weekend 
Researcher Tsurezure Diary","url":"https://disconinja.hatenablog.com/"}</script> </head> <body class="page-index globalheader-ng-enabled"> <div id="globalheader-container" data-brand="hatenablog" > <iframe id="globalheader" height="37" frameborder="0" allowTransparency="true"></iframe> </div> <nav class=" blog-controlls "> <div class="blog-controlls-blog-icon"> <a href="https://disconinja.hatenablog.com/"> <img src="https://cdn.image.st-hatena.com/image/square/c949dbb8f54b121ec1d69262177cd75c08ddd306/backend=imagemagick;height=128;version=1;width=128/https%3A%2F%2Fcdn.user.blog.st-hatena.com%2Fblog_custom_icon%2F159169622%2F1690811193910326" alt="Weekend Researcher Tsurezure Diary"/> </a> </div> <div class="blog-controlls-title"> <a href="https://disconinja.hatenablog.com/">Weekend Researcher Tsurezure Diary</a> </div> <a href="https://blog.hatena.ne.jp/disconinja/disconinja.hatenablog.com/subscribe?utm_medium=button&amp;utm_source=blogs_topright_button&amp;utm_campaign=subscribe_blog" class="blog-controlls-subscribe-btn test-blog-header-controlls-subscribe"> 読者になる </a> </nav> <div id="container"> <div id="container-inner"> <header id="blog-title" data-brand="hatenablog"> <div id="blog-title-inner" > <div id="blog-title-content"> <h1 id="title"><a href="https://disconinja.hatenablog.com/">Weekend Researcher Tsurezure Diary</a></h1> </div> </div> </header> <div id="content" class="hfeed" > <div id="content-inner"> <div id="wrapper"> <div id="main"> <div id="main-inner"> <!-- google_ad_section_start --> <!-- rakuten_ad_target_begin --> <article class="entry hentry test-hentry js-entry-article date-first autopagerize_page_element chars-4800 words-600 mode-markdown entry-odd" id="entry-6802418398336797316" data-keyword-campaign="" data-uuid="6802418398336797316" data-publication-type="entry"> <div class="entry-inner"> <header class="entry-header"> <div class="date entry-date first"> <a href="https://disconinja.hatenablog.com/archive/2025/03/16" rel="nofollow"> <time 
datetime="2025-03-16T08:23:54Z" title="2025-03-16T08:23:54Z"> <span class="date-year">2025</span><span class="hyphen">-</span><span class="date-month">03</span><span class="hyphen">-</span><span class="date-day">16</span> </time> </a> </div> <h1 class="entry-title"> <a href="https://disconinja.hatenablog.com/entry/2025/03/16/172354" class="entry-title-link bookmark">Spotted a Fake CAPTCHA – Let’s Analyze It!</a> </h1> </header> <div class="entry-content hatenablog-entry"> <h2 id="概要">概要</h2> <p>CensysでC2サーバを調査している際に、偽の<a class="keyword" href="https://d.hatena.ne.jp/keyword/CAPTCHA">CAPTCHA</a>を公開しているホストを発見したため、詳細な調査を行いました。今回の調査では、Censysを用いて4つのホストを特定し、そのうち2つのホストから<a class="keyword" href="https://d.hatena.ne.jp/keyword/%A5%DE%A5%EB%A5%A6%A5%A7%A5%A2">マルウェア</a>のサンプルを取得することができました。<br/> 取得した各サンプルの感染フローは異なっており、最終的に感染させる<a class="keyword" href="https://d.hatena.ne.jp/keyword/%A5%DE%A5%EB%A5%A6%A5%A7%A5%A2">マルウェア</a>の種類もそれぞれ異なっていました。本稿では、発見したホストに関するCensysのクエリ情報や、取得したサンプルの解析結果について紹介します。</p> <p>While investigating C2 servers with Censys, we discovered a host that was publishing fake CAPTCHAs, so we conducted a detailed investigation. In this investigation, we used Censys to identify four hosts, and we were able to obtain <a class="keyword" href="https://d.hatena.ne.jp/keyword/malware">malware</a> samples from two of them. <br/> The infection flow for each sample we obtained was different, and the types of <a class="keyword" href="https://d.hatena.ne.jp/keyword/malware">malware</a> that ultimately infected them were also different. 
In this paper, we will introduce the Censys query information for the discovered hosts and the analysis results for the samples we obtained.</p> <h2 id="Search-Query">Search Query</h2> <p>偽の<a class="keyword" href="https://d.hatena.ne.jp/keyword/CAPTCHA">CAPTCHA</a>は、HTMLのタイトル情報を検索クエリとして利用することで特定できます。具体的には、各サービスが提供する<code>title</code>フィールドを用いた検索クエリを活用します。今回は、Censys、Shodan、Urlscanを用いた検索クエリの例を紹介します。</p> <p>Fake CAPTCHAs can be identified by using the HTML title information as a search query. Specifically, we will use the search queries provided by each service using the <code>title</code> field. In this article, we will introduce examples of search queries using Censys, Shodan, and Urlscan.</p> <p>Censys</p> <pre class="code" data-lang="" data-unlink>services.http.response.html_title=&#34;reCAPTCHA Verification&#34;</pre> <p>shodan</p> <pre class="code" data-lang="" data-unlink>title:&#34;reCAPTCHA Verification&#34;</pre> <p>Urlscan</p> <pre class="code" data-lang="" data-unlink>page.title:&#34;reCAPTCHA Verification&#34;</pre> <h2 id="インフラストラクチャー"><a class="keyword" href="https://d.hatena.ne.jp/keyword/%A5%A4%A5%F3%A5%D5%A5%E9%A5%B9%A5%C8%A5%E9%A5%AF%A5%C1%A5%E3%A1%BC">インフラストラクチャー</a></h2> <p>Censysのスキャン結果により、4つのホストを特定しました。 さらに、そのうち2つのホストから<a class="keyword" href="https://d.hatena.ne.jp/keyword/%A5%DE%A5%EB%A5%A6%A5%A7%A5%A2">マルウェア</a>のサンプルを取得できました。<br/> Censys scan results identified four hosts.<br/> In addition, we were able to obtain <a class="keyword" href="https://d.hatena.ne.jp/keyword/malware">malware</a> samples from two of those hosts.</p> <table> <thead> <tr> <th> No </th> <th> IP </th> <th> Find Date </th> <th> Autonomous System Number </th> <th> Autonomous System Label </th> <th> Historical <a class="keyword" href="https://d.hatena.ne.jp/keyword/SSL">SSL</a> Certificates </th> <th> Sample </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> 196[.]251[.]113[.]41 </td> <td> 2025/3/15 </td> <td> 401116 </td> <td> NYBULA </td> <td> Signature Algorithm: 
<br>Issuer: CN=<a class="keyword" href="https://d.hatena.ne.jp/keyword/localhost">localhost</a> <br>Validity <br>Not Before: 2009-11-10 23:48:47 <br>Not After: 2019-11-08 23:48:47 <br>Subject: CN=<a class="keyword" href="https://d.hatena.ne.jp/keyword/localhost">localhost</a> </td> <td> 〇 </td> </tr> <tr> <td> 2 </td> <td> 101[.]32[.]40[.]22 </td> <td> 2025/3/15 </td> <td> 132203 </td> <td> Tencent Building, Kejizhongyi Avenue </td> <td> </td> <td> × </td> </tr> <tr> <td> 3 </td> <td> 46[.]247[.]108[.]86 </td> <td> 2025/3/15 </td> <td> 58087 </td> <td> Florian Kolb </td> <td> Signature Algorithm: <br>Issuer: CN=test.getmyssafile.ru <br>Validity <br>Not Before: 2025-02-06 15:44:23 <br>Not After: 2026-02-06 15:44:23 <br>Subject: CN=test.getmyssafile.ru </td> <td> × </td> </tr> <tr> <td> 4 </td> <td> 34[.]212[.]15[.]42 </td> <td> 2025/3/15 </td> <td> 16509 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/AMAZON">AMAZON</a>-02 </td> <td> Signature Algorithm: <br>Issuer: C=US O=Let's Encrypt CN=R11 <br>Validity <br>Not Before: 2025-03-12 16:04:49 <br>Not After: 2025-06-10 16:04:48 <br>Subject: CN=34.212.15.42.nip.io </td> <td> 〇 </td> </tr> </tbody> </table> <p>〇:サンプル取得成功/Sample acquisition successful<br/> ×:サンプル取得不可/ Sample cannot be acquired</p> <h2 id="19625111341">196[.]251[.]113[.]41</h2> <h3 id="スクリーンショット"><a class="keyword" href="https://d.hatena.ne.jp/keyword/%A5%B9%A5%AF%A5%EA%A1%BC%A5%F3%A5%B7%A5%E7%A5%C3%A5%C8">スクリーンショット</a></h3> <p><span itemscope itemtype="http://schema.org/Photograph"><img src="https://cdn-ak.f.st-hatena.com/images/fotolife/d/disconinja/20250316/20250316000113.png" width="1200" height="681" loading="lazy" title="" class="hatena-fotolife" itemprop="image"></span></p> <h3 id="感染フロー">感染フロー</h3> <p>Fake <a class="keyword" href="https://d.hatena.ne.jp/keyword/CAPTCHA">CAPTCHA</a> → <a class="keyword" href="https://d.hatena.ne.jp/keyword/PowerShell">PowerShell</a> → バッチファイル(.bat) → <a class="keyword" 
href="https://d.hatena.ne.jp/keyword/PowerShell">PowerShell</a> → npad.exe</p> <p><strong><a class="keyword" href="https://d.hatena.ne.jp/keyword/Powershell">Powershell</a> Command</strong><br/> Fake <a class="keyword" href="https://d.hatena.ne.jp/keyword/CAPTCHA">CAPTCHA</a>の指示により実行される<a class="keyword" href="https://d.hatena.ne.jp/keyword/PowerShell">PowerShell</a>コマンドは以下の通りです。<br/> このコマンドは<code>drp.bat</code>をダウンロードし、実行するようになっています。</p> <p>The <a class="keyword" href="https://d.hatena.ne.jp/keyword/PowerShell">PowerShell</a> command that is executed according to the instructions of the Fake <a class="keyword" href="https://d.hatena.ne.jp/keyword/CAPTCHA">CAPTCHA</a> is as follows. <br/> This command downloads and executes <code>drp.bat</code>.</p> <p><span itemscope itemtype="http://schema.org/Photograph"><img src="https://cdn-ak.f.st-hatena.com/images/fotolife/d/disconinja/20250316/20250316171241.png" width="1000" height="145" loading="lazy" title="" class="hatena-fotolife" itemprop="image"></span></p> <p><strong>bat file</strong><br/> <code>drp.bat</code>の内容は、さらに<a class="keyword" href="https://d.hatena.ne.jp/keyword/PowerShell">PowerShell</a>を実行するもので、その<a class="keyword" href="https://d.hatena.ne.jp/keyword/PowerShell">PowerShell</a><a class="keyword" href="https://d.hatena.ne.jp/keyword/%A5%B9%A5%AF%A5%EA%A5%D7%A5%C8">スクリプト</a>は<a class="keyword" href="https://d.hatena.ne.jp/keyword/Base64">Base64</a>で<a class="keyword" href="https://d.hatena.ne.jp/keyword/%A5%A8%A5%F3%A5%B3%A1%BC%A5%C9">エンコード</a>されています。 The contents of <code>drp.bat</code> are to execute <a class="keyword" href="https://d.hatena.ne.jp/keyword/PowerShell">PowerShell</a>, and the <a class="keyword" href="https://d.hatena.ne.jp/keyword/PowerShell">PowerShell</a> script is encoded in <a class="keyword" href="https://d.hatena.ne.jp/keyword/Base64">Base64</a>.</p> <p><span itemscope itemtype="http://schema.org/Photograph"><img 
src="https://cdn-ak.f.st-hatena.com/images/fotolife/d/disconinja/20250316/20250316171344.png" width="650" height="1200" loading="lazy" title="" class="hatena-fotolife" itemprop="image"></span></p> <p><strong><a class="keyword" href="https://d.hatena.ne.jp/keyword/Powershell">Powershell</a> Command</strong><br/> CyberChefを使用してデコードすると、以下の内容が確認できます。<br/> When decoded using CyberChef, the following information can be confirmed.</p> <p><span itemscope itemtype="http://schema.org/Photograph"><img src="https://cdn-ak.f.st-hatena.com/images/fotolife/d/disconinja/20250315/20250315235854.png" width="1200" height="643" loading="lazy" title="" class="hatena-fotolife" itemprop="image"></span></p> <p>この<a class="keyword" href="https://d.hatena.ne.jp/keyword/PowerShell">PowerShell</a><a class="keyword" href="https://d.hatena.ne.jp/keyword/%A5%B9%A5%AF%A5%EA%A5%D7%A5%C8">スクリプト</a>は、<a class="keyword" href="https://d.hatena.ne.jp/keyword/Windows">Windows</a> Defenderの設定確認と変更、さらにEXEファイルのダウンロードと実行を行うように記述されています。<br/> This <a class="keyword" href="https://d.hatena.ne.jp/keyword/PowerShell">PowerShell</a> script is written to check and change <a class="keyword" href="https://d.hatena.ne.jp/keyword/Windows">Windows</a> Defender settings, as well as download and execute EXE files.</p> <p><span itemscope itemtype="http://schema.org/Photograph"><img src="https://cdn-ak.f.st-hatena.com/images/fotolife/d/disconinja/20250316/20250316171429.png" width="890" height="1200" loading="lazy" title="" class="hatena-fotolife" itemprop="image"></span></p> <p><strong>npad.exeの解析結果</strong> CAPE Sandboxで解析した結果、<code>npad.exe</code>は<strong>Xworm</strong>と判定されました。<br/> As a result of analysis using CAPE Sandbox, <code>npad.exe</code> was determined to be <strong>Xworm</strong>.</p> <p><span itemscope itemtype="http://schema.org/Photograph"><img src="https://cdn-ak.f.st-hatena.com/images/fotolife/d/disconinja/20250315/20250315235916.png" width="1200" height="633" loading="lazy" title="" 
class="hatena-fotolife" itemprop="image"></span></p> <p><a class="keyword" href="https://d.hatena.ne.jp/keyword/MD5">MD5</a> a84de313553b0bc982eacb3aae4a6cc6</p> <h2 id="342121542">34[.]212[.]15[.]42</h2> <p><strong><a class="keyword" href="https://d.hatena.ne.jp/keyword/%A5%B9%A5%AF%A5%EA%A1%BC%A5%F3%A5%B7%A5%E7%A5%C3%A5%C8">スクリーンショット</a></strong> <span itemscope itemtype="http://schema.org/Photograph"><img src="https://cdn-ak.f.st-hatena.com/images/fotolife/d/disconinja/20250316/20250316000030.png" width="834" height="730" loading="lazy" title="" class="hatena-fotolife" itemprop="image"></span></p> <p><strong>感染フロー</strong></p> <p>Fake <a class="keyword" href="https://d.hatena.ne.jp/keyword/CAPTCHA">CAPTCHA</a> → <a class="keyword" href="https://d.hatena.ne.jp/keyword/PowerShell">PowerShell</a> → onboarding → <a class="keyword" href="https://d.hatena.ne.jp/keyword/JavaScript">JavaScript</a>(.js) → シェルコード実行 → Sliver</p> <p><strong><a class="keyword" href="https://d.hatena.ne.jp/keyword/Powershell">Powershell</a> Command</strong><br/> Fake <a class="keyword" href="https://d.hatena.ne.jp/keyword/CAPTCHA">CAPTCHA</a>の指示により実行される<a class="keyword" href="https://d.hatena.ne.jp/keyword/PowerShell">PowerShell</a>コマンドは以下の通りです。<br/> このコマンドは<code>onboarding</code>というファイルをダウンロードするものです。</p> <p>The <a class="keyword" href="https://d.hatena.ne.jp/keyword/PowerShell">PowerShell</a> command that is executed according to the Fake <a class="keyword" href="https://d.hatena.ne.jp/keyword/CAPTCHA">CAPTCHA</a> instructions is as follows. 
<br/> This command downloads a file called <code>onboarding</code>.</p> <p><span itemscope itemtype="http://schema.org/Photograph"><img src="https://cdn-ak.f.st-hatena.com/images/fotolife/d/disconinja/20250316/20250316171533.png" width="1050" height="156" loading="lazy" title="" class="hatena-fotolife" itemprop="image"></span></p> <p><strong>onboarding</strong><br/> このファイルは、PDFファイルと<a class="keyword" href="https://d.hatena.ne.jp/keyword/JavaScript">JavaScript</a>(.js)をダウンロードする仕組みになっています。ダウンロードされた<a class="keyword" href="https://d.hatena.ne.jp/keyword/JavaScript">JavaScript</a>ファイルにはシェルコードが含まれており、実行されるようになっています。<br/> また、<a class="keyword" href="https://d.hatena.ne.jp/keyword/%A5%B9%A5%AF%A5%EA%A5%D7%A5%C8">スクリプト</a>内のコメントには「CS(CrowdStrike)はブロックする」という内容が記載されていました。</p> <p>This file is designed to download a PDF file and <a class="keyword" href="https://d.hatena.ne.jp/keyword/JavaScript">JavaScript</a> (.js). The downloaded <a class="keyword" href="https://d.hatena.ne.jp/keyword/JavaScript">JavaScript</a> file contains shellcode, which it then executes.
<br/> In addition, the comment in the script contained the text “CS (CrowdStrike) is blocked”.</p> <p><span itemscope itemtype="http://schema.org/Photograph"><img src="https://cdn-ak.f.st-hatena.com/images/fotolife/d/disconinja/20250316/20250316171601.png" width="1024" height="790" loading="lazy" title="" class="hatena-fotolife" itemprop="image"></span></p> <p><strong>53222.en.js </strong></p> <p>CAPE Sandboxで解析した結果、この<a class="keyword" href="https://d.hatena.ne.jp/keyword/JavaScript">JavaScript</a>ファイルは<strong>Sliver</strong>と判定されました。<br/> The results of the analysis by CAPE Sandbox show that this <a class="keyword" href="https://d.hatena.ne.jp/keyword/JavaScript">JavaScript</a> file is classified as <strong>Sliver</strong>.</p> <p><span itemscope itemtype="http://schema.org/Photograph"><img src="https://cdn-ak.f.st-hatena.com/images/fotolife/d/disconinja/20250316/20250316000143.png" width="1200" height="632" loading="lazy" title="" class="hatena-fotolife" itemprop="image"></span></p> <p>md5sum ee30e06e88db574e331e80aea3df82de</p> <p>フィードバックなどがあれば、XのDMでご連絡ください。<br/> If you have any feedback, please contact us via X's DM.</p> </div> <footer class="entry-footer"> <div class="entry-tags-wrapper"> <div class="entry-tags"> <span class="entry-tag"> <a href="https://d.hatena.ne.jp/keyword/CTI" class="entry-tag-link"> <span class="entry-tag-icon">#</span><span class="entry-tag-label">CTI</span> </a> </span> <span class="entry-tag"> <a href="https://d.hatena.ne.jp/keyword/Malware" class="entry-tag-link"> <span class="entry-tag-icon">#</span><span class="entry-tag-label">Malware</span> </a> </span> <span class="entry-tag"> <a href="https://d.hatena.ne.jp/keyword/DFIR" class="entry-tag-link"> <span class="entry-tag-icon">#</span><span class="entry-tag-label">DFIR</span> </a> </span> </div> </div> <p class="entry-footer-section track-inview-by-gtm" data-gtm-track-json="{&quot;area&quot;: &quot;finish_reading&quot;}"> <span class="author vcard"><span class="fn" 
data-load-nickname="1" data-user-name="disconinja" >disconinja</span></span> <span class="entry-footer-time"><a href="https://disconinja.hatenablog.com/entry/2025/03/16/172354"><time data-relative datetime="2025-03-16T08:23:54Z" title="2025-03-16T08:23:54Z" class="updated">2025-03-16 17:23</time></a></span> <span class=" entry-footer-subscribe " data-test-blog-controlls-subscribe> <a href="https://blog.hatena.ne.jp/disconinja/disconinja.hatenablog.com/subscribe?utm_campaign=subscribe_blog&amp;utm_medium=button&amp;utm_source=blogs_entry_footer"> 読者になる </a> </span> </p> <div class="hatena-star-container" data-hatena-star-container data-hatena-star-url="https://disconinja.hatenablog.com/entry/2025/03/16/172354" data-hatena-star-title="Spotted a Fake CAPTCHA – Let’s Analyze It!" data-hatena-star-variant="profile-icon" data-hatena-star-profile-url-template="https://blog.hatena.ne.jp/{username}/" ></div> <div class="social-buttons"> <div class="social-button-item"> <a href="https://b.hatena.ne.jp/entry/s/disconinja.hatenablog.com/entry/2025/03/16/172354" class="hatena-bookmark-button" data-hatena-bookmark-url="https://disconinja.hatenablog.com/entry/2025/03/16/172354" data-hatena-bookmark-layout="vertical-balloon" data-hatena-bookmark-lang="ja" title="この記事をはてなブックマークに追加"><img src="https://b.st-hatena.com/images/entry-button/button-only.gif" alt="この記事をはてなブックマークに追加" width="20" height="20" style="border: none;" /></a> </div> <div class="social-button-item"> <div class="fb-share-button" data-layout="box_count" data-href="https://disconinja.hatenablog.com/entry/2025/03/16/172354"></div> </div> <div class="social-button-item"> <a class="entry-share-button entry-share-button-twitter test-share-button-twitter" href="https://x.com/intent/tweet?hashtags=CTI&amp;hashtags=Malware&amp;hashtags=DFIR&amp;text=Spotted+a+Fake+CAPTCHA+%E2%80%93+Let%E2%80%99s+Analyze+It!+-+Weekend+Researcher+Tsurezure+Diary&amp;url=https%3A%2F%2Fdisconinja.hatenablog.com%2Fentry%2F2025%2F03%2F16%2F172354" 
title="X(Twitter)で投稿する" ></a> </div> </div> <div class="google-afc-image test-google-rectangle-ads"> <div id="google_afc_user_container_0" class="google-afc-user-container google_afc_blocklink2_5 google_afc_boder" data-test-unit="/4374287/blog_user"></div> <a href="http://blog.hatena.ne.jp/guide/pro" class="open-pro-modal" data-guide-pro-modal-ad-url="https://hatena.blog/guide/pro/modal/ad">広告を非表示にする</a> </div> <div class="customized-footer"> </div> <div class="comment-box js-comment-box"> <ul class="comment js-comment"> <li class="read-more-comments" style="display: none;"><a>もっと読む</a></li> </ul> <a class="leave-comment-title js-leave-comment-title">コメントを書く</a> </div> </footer> </div> </article> <article class="entry hentry test-hentry js-entry-article date-first autopagerize_page_element chars-4800 words-600 mode-markdown entry-even" id="entry-6802418398335411948" data-keyword-campaign="" data-uuid="6802418398335411948" data-publication-type="entry"> <div class="entry-inner"> <header class="entry-header"> <div class="date entry-date first"> <a href="https://disconinja.hatenablog.com/archive/2025/03/11" rel="nofollow"> <time datetime="2025-03-11T03:31:38Z" title="2025-03-11T03:31:38Z"> <span class="date-year">2025</span><span class="hyphen">-</span><span class="date-month">03</span><span class="hyphen">-</span><span class="date-day">11</span> </time> </a> </div> <h1 class="entry-title"> <a href="https://disconinja.hatenablog.com/entry/2025/03/11/123138" class="entry-title-link bookmark">MetaStealer, which I found by chance Part1</a> </h1> </header> <div class="entry-content hatenablog-entry"> <p>今年の2月、<a class="keyword" href="https://d.hatena.ne.jp/keyword/WebDAV">WebDAV</a>上でMetaStealerを含むOpendirを発見しました。 私がこれをMetaStealerと推測した理由は、2024年1月22日にCyble社が公開したブログ "Threat Actors Target US Asylum Seekers with MetaStealer <a class="keyword" href="https://d.hatena.ne.jp/keyword/Malware">Malware</a>" に記載されている<a class="keyword" 
href="https://d.hatena.ne.jp/keyword/%A5%DE%A5%EB%A5%A6%A5%A7%A5%A2">マルウェア</a>と類似点が見られたためです。</p> <p>This February, I discovered OpenDir, which includes MetaStealer, on <a class="keyword" href="https://d.hatena.ne.jp/keyword/WebDAV">WebDAV</a>.<br/> The reason I suspected it was MetaStealer is because it showed similarities to the <a class="keyword" href="https://d.hatena.ne.jp/keyword/malware">malware</a> described in the blog “Threat Actors Target US Asylum Seekers with MetaStealer <a class="keyword" href="https://d.hatena.ne.jp/keyword/Malware">Malware</a>” published by Cyble on January 22, 2024.</p> <p><iframe src="https://hatenablog-parts.com/embed?url=https%3A%2F%2Fcyble.com%2Fblog%2Fthreat-actors-target-us-asylum-seekers-with-metastealer-malware%2F" title="MetaStealer Malware Targets US Asylum Seekers" class="embed-card embed-webcard" scrolling="no" frameborder="0" style="display: block; width: 100%; height: 155px; max-width: 500px; margin: 10px 0px;" loading="lazy"></iframe><cite class="hatena-citation"><a href="https://cyble.com/blog/threat-actors-target-us-asylum-seekers-with-metastealer-malware/">cyble.com</a></cite></p> <h2 id="フロー">フロー</h2> <p><span itemscope itemtype="http://schema.org/Photograph"><img src="https://cdn-ak.f.st-hatena.com/images/fotolife/d/disconinja/20250311/20250311120758.jpg" width="1200" height="675" loading="lazy" title="" class="hatena-fotolife" itemprop="image"></span></p> <p>ただし、Cyble社のブログに記載されたものとはいくつかの違いがありました。</p> <p>1つ目は LNKファイル です。今回発見したLNKファイルは、PDFファイルと<a class="keyword" href="https://d.hatena.ne.jp/keyword/MSI">MSI</a>ファイルをダウンロードするものでした。 2つ目は <a class="keyword" href="https://d.hatena.ne.jp/keyword/MSI">MSI</a>ファイル です。この<a class="keyword" href="https://d.hatena.ne.jp/keyword/MSI">MSI</a><a class="keyword" href="https://d.hatena.ne.jp/keyword/%A5%A4%A5%F3%A5%B9%A5%C8%A1%BC%A5%E9">インストーラ</a>ーを実行すると、%temp% <a class="keyword" 
href="https://d.hatena.ne.jp/keyword/%A5%C7%A5%A3%A5%EC%A5%AF%A5%C8">ディレクト</a>リにCABファイルをドロップします。その後、"files" というフォルダが展開され、その中にEXEファイルが含まれていました。 このEXEファイルをCAPE Sandboxで解析したところ、MetaStealerと類似する挙動が確認されました。</p> <p>However, there were some differences from what was written on the Cyble blog.<br/> The first is the LNK file. The LNK file we discovered this time downloads a PDF file and an <a class="keyword" href="https://d.hatena.ne.jp/keyword/MSI">MSI</a> file.<br/> The second is the <a class="keyword" href="https://d.hatena.ne.jp/keyword/MSI">MSI</a> file. When this <a class="keyword" href="https://d.hatena.ne.jp/keyword/MSI">MSI</a> installer is run, a CAB file is dropped in the %temp% directory. After that, a folder called “files” is extracted, and an EXE file is included in it.<br/> When this EXE file was analyzed using CAPE Sandbox, behavior similar to that of MetaStealer was confirmed.</p> <ol> <li>プロセスの挙動/Process behavior <span itemscope itemtype="http://schema.org/Photograph"><img src="https://cdn-ak.f.st-hatena.com/images/fotolife/d/disconinja/20250311/20250311120925.png" width="1200" height="464" loading="lazy" title="" class="hatena-fotolife" itemprop="image"></span></li> </ol> <p>・EXEは <a class="keyword" href="https://d.hatena.ne.jp/keyword/powershell">powershell</a> と systeminfo を実行します。<br/> ・<a class="keyword" href="https://d.hatena.ne.jp/keyword/powershell">powershell</a> は<a class="keyword" href="https://d.hatena.ne.jp/keyword/Windows">Windows</a> Defenderの設定を変更し、検知を回避しようとします。<br/> ・systeminfo はシステム情報を収集します。</p> <p>・EXE executes <a class="keyword" href="https://d.hatena.ne.jp/keyword/powershell">powershell</a> and systeminfo. <br/> ・<a class="keyword" href="https://d.hatena.ne.jp/keyword/powershell">powershell</a> tries to change the settings of <a class="keyword" href="https://d.hatena.ne.jp/keyword/Windows">Windows</a> Defender and avoid detection. 
<br/> ・systeminfo collects system information.</p> <pre class="code" data-lang="" data-unlink>powershell Add-MpPreference -ExclusionExtension “hyper-v.exe”</pre> <pre class="code" data-lang="" data-unlink>systeminfo.exe</pre> <ol> <li>C2通信のパターン/C2 Communication Pattern <span itemscope itemtype="http://schema.org/Photograph"><img src="https://cdn-ak.f.st-hatena.com/images/fotolife/d/disconinja/20250311/20250311120949.png" width="1200" height="575" loading="lazy" title="" class="hatena-fotolife" itemprop="image"></span></li> </ol> <p>・<a class="keyword" href="https://d.hatena.ne.jp/keyword/api">api</a>/client_hello や get_worker など、MetaStealerと共通する通信が確認されました。<br/> ・Communication common to MetaStealer, such as <a class="keyword" href="https://d.hatena.ne.jp/keyword/api">api</a>/client_hello and get_worker, was confirmed.</p> <p>これらの類似点から、今回発見した<a class="keyword" href="https://d.hatena.ne.jp/keyword/%A5%DE%A5%EB%A5%A6%A5%A7%A5%A2">マルウェア</a>はMetaStealerであると判断しました。<br/> Based on these similarities, we have determined that the <a class="keyword" href="https://d.hatena.ne.jp/keyword/malware">malware</a> we have discovered is MetaStealer.</p> <h1 id="インフラストラクチャー"><a class="keyword" href="https://d.hatena.ne.jp/keyword/%A5%A4%A5%F3%A5%D5%A5%E9%A5%B9%A5%C8%A5%E9%A5%AF%A5%C1%A5%E3%A1%BC">インフラストラクチャー</a></h1> <p>今回の調査では、Global Connectivity Solutions LLP によって<a class="keyword" href="https://d.hatena.ne.jp/keyword/WebDAV">WebDAV</a>が運用されているケースが多く見られました。<br/> 発見したホストはすべてポート8080で公開されていました。<br/> 下記の表は、今回発見したOpendirの<a class="keyword" href="https://d.hatena.ne.jp/keyword/IP%A5%A2%A5%C9%A5%EC%A5%B9">IPアドレス</a>などをまとめたものです。</p> <p>In this survey, we found that <a class="keyword" href="https://d.hatena.ne.jp/keyword/WebDAV">WebDAV</a> was being used in many cases by Global Connectivity Solutions LLP. All of the hosts we found were published on port 8080. 
The table below summarizes the IP addresses of the OpenDirs we found.</p> <table> <thead> <tr> <th> No </th> <th> IP </th> <th> Date found </th> <th> Autonomous System Number </th> <th> Autonomous System Label </th> <th> Historical <a class="keyword" href="https://d.hatena.ne.jp/keyword/SSL">SSL</a> Certificates </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> 147[.]45[.]221[.]233 </td> <td> 2025/2/11 </td> <td> 215540 </td> <td> Global Connectivity Solutions Llp </td> <td> Issuer: C=US O=CloudFlare, Inc. OU=CloudFlare Origin <a class="keyword" href="https://d.hatena.ne.jp/keyword/SSL">SSL</a> Certificate Authority L=San Francisco ST=California <br>Subject: O=CloudFlare, Inc. OU=CloudFlare Origin CA CN=CloudFlare Origin Certificate </td> </tr> <tr> <td> 2 </td> <td> 147[.]45[.]221[.]229 </td> <td> 2025/2/14 </td> <td> 215540 </td> <td> Global Connectivity Solutions Llp </td> <td> Issuer: C=US O=Let's Encrypt CN=E6 <br>Subject: CN=rent-365.shop </td> </tr> <tr> <td> 3 </td> <td> 37[.]1[.]215[.]147 </td> <td> 2025/3/1 </td> <td> 29802 </td> <td> HVC-AS </td> <td> Issuer: C=US O=Let's Encrypt CN=E5 <br>Subject: CN=*.na3.to </td> </tr> <tr> <td> 4 </td> <td> 89[.]185[.]80[.]111 </td> <td> 2025/3/3 </td> <td> 215540 </td> <td> Global Connectivity Solutions Llp </td> <td> Issuer: C=US O=Let's Encrypt CN=E5 <br>Subject: CN=securev1fileeditor.digital </td> </tr> <tr> <td> 5 </td> <td> 5[.]181[.]3[.]35 </td> <td> 2025/3/6 </td> <td> 215540 </td> <td> Global Connectivity Solutions Llp </td> <td> Issuer: C=US O=Let's Encrypt CN=E5 <br>Subject: CN=burnfatandfest.com </td> </tr> <tr> <td> 6 </td> <td> 212[.]18[.]104[.]113 </td> <td> 2025/3/8 </td> <td> 215540 </td> <td> Global Connectivity Solutions Llp </td> <td> Issuer: C=US O=Let's Encrypt CN=E5 <br>Subject: CN=*.na8.me </td> </tr> <tr> <td> 7 </td> <td> 35[.]188[.]13[.]52 </td> <td> 2025/3/8 </td> <td> 396982 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/GOOGLE">GOOGLE</a>-CLOUD-PLATFORM </td> <td> 
Issuer: C=US O=Let's Encrypt CN=E5 <br>Subject: CN=*.na3.to </td> </tr> <tr> <td> 8 </td> <td> 34[.]85[.]195[.]5 </td> <td> 2025/3/9 </td> <td> 396982 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/GOOGLE">GOOGLE</a>-CLOUD-PLATFORM </td> <td> Subject: CN=autoparts-online.uk <br>Issuer: C=US O=Let's Encrypt CN=E6 </td> </tr> </tbody> </table> <p>公開されているオープン<a class="keyword" href="https://d.hatena.ne.jp/keyword/%A5%C7%A5%A3%A5%EC%A5%AF%A5%C8">ディレクト</a>リの構成として最も多かったのは、下記のような html、part、parts の3つの<a class="keyword" href="https://d.hatena.ne.jp/keyword/%A5%C7%A5%A3%A5%EC%A5%AF%A5%C8">ディレクト</a>リで構成されたパターンでした。   The <a class="keyword" href="https://d.hatena.ne.jp/keyword/most">most</a> common structure of the open directories that were made public was the pattern made up of the three directories html, part, and parts, as shown below.</p> <p><span itemscope itemtype="http://schema.org/Photograph"><img src="https://cdn-ak.f.st-hatena.com/images/fotolife/d/disconinja/20250310/20250310221351.png" width="834" height="511" loading="lazy" title="" class="hatena-fotolife" itemprop="image"></span></p> <p>また、それ以外の構成も確認されており、下記のような 4つの<a class="keyword" href="https://d.hatena.ne.jp/keyword/%A5%C7%A5%A3%A5%EC%A5%AF%A5%C8">ディレクト</a>リ からなるケースもありました。   In addition, other configurations have also been confirmed, and there have been cases where it consisted of the following four directories.</p> <p><span itemscope itemtype="http://schema.org/Photograph"><img src="https://cdn-ak.f.st-hatena.com/images/fotolife/d/disconinja/20250310/20250310221332.png" width="1003" height="587" loading="lazy" title="" class="hatena-fotolife" itemprop="image"></span></p> <p>Censys Query</p> <pre class="code" data-lang="" data-unlink>services.http.response.html_title=&#34;WsgiDAV - Index of / &#34; and services.port=&#34;8080&#34;</pre> <p>参考までにCensysの検索クエリを記載しましたが、このクエリは比較的粗いため、ヒットした各ホストについては追加調査が必要です。<br/> 次回は、より詳細なサンプル分析を実施する予定です。</p> <p>For reference, we have included the Censys search 
query, but this query is relatively coarse — the page title and port alone will also match legitimate WsgiDAV instances — so each matching host requires additional investigation before it is treated as malicious.<br/> We plan to conduct a more detailed sample analysis next time.</p> <p>フィードバックなどがあれば、XのDMでご連絡ください。<br/> If you have any feedback, please contact us via DM on X.</p> </div> <footer class="entry-footer"> <div class="entry-tags-wrapper"> <div class="entry-tags"> <span class="entry-tag"> <a href="https://d.hatena.ne.jp/keyword/DFIR" class="entry-tag-link"> <span class="entry-tag-icon">#</span><span class="entry-tag-label">DFIR</span> </a> </span> <span class="entry-tag"> <a href="https://d.hatena.ne.jp/keyword/CTI" class="entry-tag-link"> <span class="entry-tag-icon">#</span><span class="entry-tag-label">CTI</span> </a> </span> <span class="entry-tag"> <a href="https://d.hatena.ne.jp/keyword/malware" class="entry-tag-link"> <span class="entry-tag-icon">#</span><span class="entry-tag-label">malware</span> </a> </span> <span class="entry-tag"> <a href="https://d.hatena.ne.jp/keyword/%E3%82%BB%E3%82%AD%E3%83%A5%E3%83%AA%E3%83%86%E3%82%A3" class="entry-tag-link"> <span class="entry-tag-icon">#</span><span class="entry-tag-label">セキュリティ</span> </a> </span> </div> </div> <p class="entry-footer-section track-inview-by-gtm" data-gtm-track-json="{&quot;area&quot;: &quot;finish_reading&quot;}"> <span class="author vcard"><span class="fn" data-load-nickname="1" data-user-name="disconinja" >disconinja</span></span> <span class="entry-footer-time"><a href="https://disconinja.hatenablog.com/entry/2025/03/11/123138"><time data-relative datetime="2025-03-11T03:31:38Z" title="2025-03-11T03:31:38Z" class="updated">2025-03-11 12:31</time></a></span> </p>
</footer> </div> </article> <article class="entry hentry test-hentry js-entry-article date-first autopagerize_page_element chars-1200 words-200 mode-markdown entry-odd" id="entry-6802418398335411312" data-keyword-campaign="" data-uuid="6802418398335411312" data-publication-type="entry"> <div class="entry-inner"> <header class="entry-header"> <div class="date entry-date first"> <a href="https://disconinja.hatenablog.com/archive/2025/03/10" rel="nofollow"> <time datetime="2025-03-10T12:22:48Z" title="2025-03-10T12:22:48Z"> <span class="date-year">2025</span><span class="hyphen">-</span><span class="date-month">03</span><span class="hyphen">-</span><span class="date-day">10</span> </time> </a> </div> <h1 class="entry-title"> <a href="https://disconinja.hatenablog.com/entry/2025/03/10/212248" class="entry-title-link bookmark">日本におけるC2サーバ調査(Week 10 2025)</a> </h1> </header> <div class="entry-content hatenablog-entry"> <h1 id="Hunting-for-enemy-infrastructure-in-Japan">Hunting for enemy infrastructure in Japan</h1> <p>Censysを使い、C2とラベルされた日本の<a class="keyword" href="https://d.hatena.ne.jp/keyword/%A5%A4%A5%F3%A5%D5%A5%E9%A5%B9%A5%C8%A5%E9%A5%AF%A5%C1%A5%E3%A1%BC">インフラストラクチャー</a>を集計しました。<br/> 期間は3月3日から3月9日です。<br/> I used Censys to tabulate the infrastructure labeled C2 and located in Japan. The period is from 3/3 to 3/9.</p> <h2 id="Total-period">Total period</h2> <p>3/3~3/9</p> <h2 id="Total-number-of-c2-servers-found">Total number of c2 servers found</h2> <p>9IP</p> <h2 id="Type-of-C2-servers-found">Type of C2 servers found</h2> <table> <thead> <tr> <th> C2 </th> <th> Numbers </th> </tr> </thead> <tbody> <tr> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Cobalt">Cobalt</a> Strike </td> <td> 6 </td> </tr> <tr> <td> Brute Ratel C4 </td> <td> 2 </td> </tr> <tr> <td> NetSupportManager RAT .
</td> <td> 1 </td> </tr> </tbody> </table> <p><span itemscope itemtype="http://schema.org/Photograph"><img src="https://cdn-ak.f.st-hatena.com/images/fotolife/d/disconinja/20250310/20250310212148.png" width="833" height="514" loading="lazy" title="" class="hatena-fotolife" itemprop="image"></span></p> <h2 id="Aggregate-Data">Aggregate Data</h2> <table> <thead> <tr> <th> No </th> <th> Date </th> <th> IP </th> <th> Autonomous System Number </th> <th> Autonomous System Label </th> <th> Censys label </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> 3月3日 </td> <td> 64[.]176[.]38[.]139 </td> <td> 20473 </td> <td> AS-VULTR </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Cobalt">Cobalt</a> Strike </td> </tr> <tr> <td> 2 </td> <td> 3月3日 </td> <td> 57[.]180[.]221[.]59 </td> <td> 16509 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/AMAZON">AMAZON</a>-02 </td> <td> Brute Ratel C4 </td> </tr> <tr> <td> 3 </td> <td> 3月3日 </td> <td> 52[.]198[.]46[.]216 </td> <td> 16509 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/AMAZON">AMAZON</a>-02 </td> <td> Brute Ratel C4 </td> </tr> <tr> <td> 4 </td> <td> 3月4日 </td> <td> 198[.]13[.]33[.]74 </td> <td> 20473 </td> <td> AS-VULTR </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Cobalt">Cobalt</a> Strike </td> </tr> <tr> <td> 5 </td> <td> 3月6日 </td> <td> 45[.]77[.]15[.]155 </td> <td> 20473 </td> <td> AS-VULTR </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Cobalt">Cobalt</a> Strike </td> </tr> <tr> <td> 6 </td> <td> 3月7日 </td> <td> 38[.]54[.]50[.]228 </td> <td> 138915 </td> <td> Kaopu Cloud HK Limited </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Cobalt">Cobalt</a> Strike </td> </tr> <tr> <td> 7 </td> <td> 3月8日 </td> <td> 54[.]168[.]200[.]156 </td> <td> 16509 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/AMAZON">AMAZON</a>-02 </td> <td> NetSupportManager RAT . 
</td> </tr> <tr> <td> 8 </td> <td> 3月8日 </td> <td> 144[.]48[.]4[.]219 </td> <td> 61414 </td> <td> Edgenap Ltd </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Cobalt">Cobalt</a> Strike </td> </tr> <tr> <td> 9 </td> <td> 3月9日 </td> <td> 47[.]79[.]41[.]42 </td> <td> 45102 </td> <td> Alibaba US Technology Co., Ltd. </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Cobalt">Cobalt</a> Strike </td> </tr> </tbody> </table> <h2 id="Special-Thanks">Special Thanks</h2> <p>この調査はCensys社のResearch <a class="keyword" href="https://d.hatena.ne.jp/keyword/Access">Access</a>で行っております。<br/> Research <a class="keyword" href="https://d.hatena.ne.jp/keyword/Access">Access</a>を提供していただきありがとうございます。</p> <p><a href="https://support.censys.io/hc/en-us/articles/360038761891-Research-Access-to-Censys-Data">Research Access to Censys Data &ndash; Censys</a></p> </div> <footer class="entry-footer"> <div class="entry-tags-wrapper"> <div class="entry-tags"> <span class="entry-tag"> <a href="https://d.hatena.ne.jp/keyword/DFIR" class="entry-tag-link"> <span class="entry-tag-icon">#</span><span class="entry-tag-label">DFIR</span> </a> </span> <span class="entry-tag"> <a href="https://d.hatena.ne.jp/keyword/CTI" class="entry-tag-link"> <span class="entry-tag-icon">#</span><span class="entry-tag-label">CTI</span> </a> </span> <span class="entry-tag"> <a href="https://d.hatena.ne.jp/keyword/Security" class="entry-tag-link"> <span class="entry-tag-icon">#</span><span class="entry-tag-label">Security</span> </a> </span> <span class="entry-tag"> <a href="https://d.hatena.ne.jp/keyword/Censys" class="entry-tag-link"> <span class="entry-tag-icon">#</span><span class="entry-tag-label">Censys</span> </a> </span> </div> </div> <p class="entry-footer-section track-inview-by-gtm" data-gtm-track-json="{&quot;area&quot;: &quot;finish_reading&quot;}"> <span class="author vcard"><span class="fn" data-load-nickname="1" data-user-name="disconinja" >disconinja</span></span> <span 
class="entry-footer-time"><a href="https://disconinja.hatenablog.com/entry/2025/03/10/212248"><time data-relative datetime="2025-03-10T12:22:48Z" title="2025-03-10T12:22:48Z" class="updated">2025-03-10 21:22</time></a></span> </p>
</footer> </div> </article> <article class="entry hentry test-hentry js-entry-article date-first autopagerize_page_element chars-1600 words-200 mode-markdown entry-even" id="entry-6802418398333452759" data-keyword-campaign="" data-uuid="6802418398333452759" data-publication-type="entry"> <div class="entry-inner"> <header class="entry-header"> <div class="date entry-date first"> <a href="https://disconinja.hatenablog.com/archive/2025/03/03" rel="nofollow"> <time datetime="2025-03-03T10:10:41Z" title="2025-03-03T10:10:41Z"> <span class="date-year">2025</span><span class="hyphen">-</span><span class="date-month">03</span><span class="hyphen">-</span><span class="date-day">03</span> </time> </a> </div> <h1 class="entry-title"> <a href="https://disconinja.hatenablog.com/entry/2025/03/03/191041" class="entry-title-link bookmark">日本におけるC2サーバ調査(Week 9 2025)</a> </h1> </header> <div class="entry-content hatenablog-entry"> <h1 id="Hunting-for-enemy-infrastructure-in-Japan">Hunting for enemy infrastructure in Japan</h1> <p>Censysを使い、C2とラベルされた日本の<a class="keyword" href="https://d.hatena.ne.jp/keyword/%A5%A4%A5%F3%A5%D5%A5%E9%A5%B9%A5%C8%A5%E9%A5%AF%A5%C1%A5%E3%A1%BC">インフラストラクチャー</a>を集計しました。<br/> 期間は2月24日から3月2日です。<br/> I used Censys to tabulate the infrastructure labeled C2 and located in Japan.<br/> The
period is from 2/24 to 3/2.</p> <h2 id="Total-period">Total period</h2> <p>2/24~3/2</p> <h2 id="Total-number-of-c2-servers-found">Total number of c2 servers found</h2> <p>12IP</p> <h2 id="Type-of-C2-servers-found">Type of C2 servers found</h2> <table> <thead> <tr> <th> C2 </th> <th> Numbers </th> </tr> </thead> <tbody> <tr> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Cobalt">Cobalt</a> Strike </td> <td> 3 </td> </tr> <tr> <td> Mythic </td> <td> 2 </td> </tr> <tr> <td> byob </td> <td> 1 </td> </tr> <tr> <td> DcRat </td> <td> 1 </td> </tr> <tr> <td> NetSupportManager RAT . </td> <td> 1 </td> </tr> <tr> <td> NetSupportManager RAT 5 </td> <td> 1 </td> </tr> <tr> <td> NetSupportManager RAT 6 </td> <td> 1 </td> </tr> <tr> <td> NetSupportManager RAT 7 </td> <td> 1 </td> </tr> <tr> <td> Pupy RAT </td> <td> 1 </td> </tr> </tbody> </table> <p><span itemscope itemtype="http://schema.org/Photograph"><img src="https://cdn-ak.f.st-hatena.com/images/fotolife/d/disconinja/20250303/20250303190844.png" width="833" height="514" loading="lazy" title="" class="hatena-fotolife" itemprop="image"></span></p> <h2 id="Aggregate-Data">Aggregate Data</h2> <table> <thead> <tr> <th> No </th> <th> Date </th> <th> IP </th> <th> Autonomous System Number </th> <th> Autonomous System Label </th> <th> Censys label </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> 2月25日 </td> <td> 54[.]95[.]202[.]23 </td> <td> 16509 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/AMAZON">AMAZON</a>-02 </td> <td> NetSupportManager RAT 5 </td> </tr> <tr> <td> 2 </td> <td> 2月25日 </td> <td> 74[.]176[.]106[.]50 </td> <td> 8075 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/MICROSOFT">MICROSOFT</a>-CORP-MSN-AS-BLOCK </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Cobalt">Cobalt</a> Strike </td> </tr> <tr> <td> 3 </td> <td> 2月26日 </td> <td> 149[.]28[.]23[.]91 </td> <td> 20473 </td> <td> AS-VULTR </td> <td> <a class="keyword" 
href="https://d.hatena.ne.jp/keyword/Cobalt">Cobalt</a> Strike </td> </tr> <tr> <td> 4 </td> <td> 2月26日 </td> <td> 13[.]208[.]127[.]239 </td> <td> 16509 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/AMAZON">AMAZON</a>-02 </td> <td> NetSupportManager RAT 7 </td> </tr> <tr> <td> 5 </td> <td> 2月26日 </td> <td> 13[.]208[.]243[.]209 </td> <td> 16509 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/AMAZON">AMAZON</a>-02 </td> <td> NetSupportManager RAT 6 </td> </tr> <tr> <td> 6 </td> <td> 2月27日 </td> <td> 139[.]162[.]104[.]144 </td> <td> 63949 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Akamai">Akamai</a> Connected Cloud </td> <td> byob </td> </tr> <tr> <td> 7 </td> <td> 2月28日 </td> <td> 35[.]78[.]206[.]139 </td> <td> 16509 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/AMAZON">AMAZON</a>-02 </td> <td> NetSupportManager RAT . </td> </tr> <tr> <td> 8 </td> <td> 3月1日 </td> <td> 38[.]54[.]89[.]17 </td> <td> 138915 </td> <td> Kaopu Cloud HK Limited </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Cobalt">Cobalt</a> Strike </td> </tr> <tr> <td> 9 </td> <td> 3月1日 </td> <td> 45[.]8[.]114[.]228 </td> <td> 3258 </td> <td> xTom Japan Co., Ltd. </td> <td> Mythic </td> </tr> <tr> <td> 10 </td> <td> 3月2日 </td> <td> 23[.]106[.]133[.]239 </td> <td> 25820 </td> <td> IT7NET </td> <td> Pupy RAT </td> </tr> <tr> <td> 11 </td> <td> 3月2日 </td> <td> 8[.]209[.]249[.]160 </td> <td> 45102 </td> <td> Alibaba US Technology Co., Ltd. 
</td> <td> Mythic </td> </tr> <tr> <td> 12 </td> <td> 3月2日 </td> <td> 202[.]61[.]136[.]134 </td> <td> 152194 </td> <td> CTG Server Limited </td> <td> DcRat </td> </tr> </tbody> </table> <h2 id="Appendix">Appendix</h2> <h2 id="Censys-query">Censys query</h2> <h3 id="DcRat">DcRat</h3> <pre class="code" data-lang="" data-unlink>services.tls.certificates.leaf_data.subject_dn=&#34;CN=DcRat&#34;</pre> <pre class="code" data-lang="" data-unlink>services.tls.certificates.leaf_data.issuer.common_name=&#34;DcRat Server&#34;</pre> <h2 id="Special-Thanks">Special Thanks</h2> <p>この調査はCensys社のResearch <a class="keyword" href="https://d.hatena.ne.jp/keyword/Access">Access</a>で行っております。<br/> Research <a class="keyword" href="https://d.hatena.ne.jp/keyword/Access">Access</a>を提供していただきありがとうございます。</p> <p><iframe src="https://hatenablog-parts.com/embed?url=https%3A%2F%2Fsupport.censys.io%2Fhc%2Fen-us%2Farticles%2F360038761891-Research-Access-to-Censys-Data" title="Research Access to Censys Data" class="embed-card embed-webcard" scrolling="no" frameborder="0" style="display: block; width: 100%; height: 155px; max-width: 500px; margin: 10px 0px;" loading="lazy"></iframe><cite class="hatena-citation"><a href="https://support.censys.io/hc/en-us/articles/360038761891-Research-Access-to-Censys-Data">support.censys.io</a></cite></p> </div> <footer class="entry-footer"> <div class="entry-tags-wrapper"> <div class="entry-tags"> <span class="entry-tag"> <a href="https://d.hatena.ne.jp/keyword/DFIR" class="entry-tag-link"> <span class="entry-tag-icon">#</span><span class="entry-tag-label">DFIR</span> </a> </span> <span class="entry-tag"> <a href="https://d.hatena.ne.jp/keyword/CTI" class="entry-tag-link"> <span class="entry-tag-icon">#</span><span class="entry-tag-label">CTI</span> </a> </span> <span class="entry-tag"> <a href="https://d.hatena.ne.jp/keyword/Security" class="entry-tag-link"> <span class="entry-tag-icon">#</span><span class="entry-tag-label">Security</span> </a> </span> <span 
class="entry-tag"> <a href="https://d.hatena.ne.jp/keyword/Censys" class="entry-tag-link"> <span class="entry-tag-icon">#</span><span class="entry-tag-label">Censys</span> </a> </span> </div> </div> <p class="entry-footer-section track-inview-by-gtm" data-gtm-track-json="{&quot;area&quot;: &quot;finish_reading&quot;}"> <span class="author vcard"><span class="fn" data-load-nickname="1" data-user-name="disconinja" >disconinja</span></span> <span class="entry-footer-time"><a href="https://disconinja.hatenablog.com/entry/2025/03/03/191041"><time data-relative datetime="2025-03-03T10:10:41Z" title="2025-03-03T10:10:41Z" class="updated">2025-03-03 19:10</time></a></span> </p>
</footer> </div> </article> <article class="entry hentry test-hentry js-entry-article date-first autopagerize_page_element chars-3200 words-400 mode-markdown entry-odd" id="entry-6802418398331435855" data-keyword-campaign="" data-uuid="6802418398331435855" data-publication-type="entry"> <div class="entry-inner"> <header class="entry-header"> <div class="date entry-date first"> <a href="https://disconinja.hatenablog.com/archive/2025/02/24" rel="nofollow"> <time datetime="2025-02-24T03:00:55Z" title="2025-02-24T03:00:55Z"> <span class="date-year">2025</span><span class="hyphen">-</span><span class="date-month">02</span><span class="hyphen">-</span><span class="date-day">24</span> </time> </a> </div> <h1 class="entry-title"> <a
href="https://disconinja.hatenablog.com/entry/2025/02/24/120055" class="entry-title-link bookmark">日本におけるC2サーバ調査(Week 8 2025)</a> </h1> </header> <div class="entry-content hatenablog-entry"> <h1 id="Hunting-for-enemy-infrastructure-in-Japan">Hunting for enemy infrastructure in Japan</h1> <p>Censysを使い、C2とラベルされた日本の<a class="keyword" href="https://d.hatena.ne.jp/keyword/%A5%A4%A5%F3%A5%D5%A5%E9%A5%B9%A5%C8%A5%E9%A5%AF%A5%C1%A5%E3%A1%BC">インフラストラクチャー</a>を集計しました。 期間は2月17日から2月23日です。<br/> I used Censys to tabulate the infrastructure labeled C2 and located in Japan.<br/> The period is from 2/17 to 2/23 .</p> <h2 id="Total-period">Total period</h2> <p>2/17~2/23</p> <h2 id="Total-number-of-c2-servers-found">Total number of c2 servers found</h2> <p>28IP</p> <h2 id="Type-of-C2-servers-found">Type of C2 servers found</h2> <table> <thead> <tr> <th> C2 </th> <th> Numbers </th> </tr> </thead> <tbody> <tr> <td> byob </td> <td> 16 </td> </tr> <tr> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Cobalt">Cobalt</a> Strike </td> <td> 4 </td> </tr> <tr> <td> Brute Ratel C4 </td> <td> 2 </td> </tr> <tr> <td> BianLian </td> <td> 1 </td> </tr> <tr> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Empire">Empire</a> </td> <td> 1 </td> </tr> <tr> <td> NetSupportManager RAT 1 </td> <td> 1 </td> </tr> <tr> <td> NetSupportManager RAT 7 </td> <td> 1 </td> </tr> <tr> <td> VIPER </td> <td> 1 </td> </tr> </tbody> </table> <p><span itemscope itemtype="http://schema.org/Photograph"><img src="https://cdn-ak.f.st-hatena.com/images/fotolife/d/disconinja/20250224/20250224120034.png" width="833" height="514" loading="lazy" title="" class="hatena-fotolife" itemprop="image"></span></p> <h2 id="Aggregate-Data">Aggregate Data</h2> <table> <thead> <tr> <th> No </th> <th> Date </th> <th> IP </th> <th> Autonomous System Number </th> <th> Autonomous System Label </th> <th> Censys label </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> 2月17日 </td> <td> 139[.]162[.]82[.]239 </td> <td> 
63949 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Akamai">Akamai</a> Connected Cloud </td> <td> byob </td> </tr> <tr> <td> 2 </td> <td> 2月17日 </td> <td> 172[.]233[.]76[.]115 </td> <td> 63949 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Akamai">Akamai</a> Connected Cloud </td> <td> byob </td> </tr> <tr> <td> 3 </td> <td> 2月17日 </td> <td> 139[.]162[.]82[.]222 </td> <td> 63949 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Akamai">Akamai</a> Connected Cloud </td> <td> byob </td> </tr> <tr> <td> 4 </td> <td> 2月17日 </td> <td> 172[.]233[.]76[.]76 </td> <td> 63949 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Akamai">Akamai</a> Connected Cloud </td> <td> byob </td> </tr> <tr> <td> 5 </td> <td> 2月17日 </td> <td> 172[.]233[.]91[.]45 </td> <td> 63949 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Akamai">Akamai</a> Connected Cloud </td> <td> byob </td> </tr> <tr> <td> 6 </td> <td> 2月17日 </td> <td> 20[.]40[.]99[.]133 </td> <td> 8075 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/MICROSOFT">MICROSOFT</a>-CORP-MSN-AS-BLOCK </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Cobalt">Cobalt</a> Strike </td> </tr> <tr> <td> 7 </td> <td> 2月17日 </td> <td> 139[.]162[.]82[.]232 </td> <td> 63949 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Akamai">Akamai</a> Connected Cloud </td> <td> byob </td> </tr> <tr> <td> 8 </td> <td> 2月17日 </td> <td> 172[.]234[.]85[.]135 </td> <td> 63949 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Akamai">Akamai</a> Connected Cloud </td> <td> byob </td> </tr> <tr> <td> 9 </td> <td> 2月18日 </td> <td> 5[.]253[.]41[.]69 </td> <td> 44477 </td> <td> Stark Industries Solutions Ltd </td> <td> VIPER </td> </tr> <tr> <td> 10 </td> <td> 2月18日 </td> <td> 139[.]162[.]112[.]46 </td> <td> 63949 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Akamai">Akamai</a> Connected Cloud 
</td> <td> byob </td> </tr> <tr> <td> 11 </td> <td> 2月18日 </td> <td> 139[.]162[.]112[.]41 </td> <td> 63949 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Akamai">Akamai</a> Connected Cloud </td> <td> byob </td> </tr> <tr> <td> 12 </td> <td> 2月18日 </td> <td> 149[.]28[.]17[.]188 </td> <td> 20473 </td> <td> AS-VULTR </td> <td> BianLian </td> </tr> <tr> <td> 13 </td> <td> 2月18日 </td> <td> 54[.]64[.]181[.]201 </td> <td> 16509 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/AMAZON">AMAZON</a>-02 </td> <td> Brute Ratel C4 </td> </tr> <tr> <td> 14 </td> <td> 2月18日 </td> <td> 172[.]105[.]203[.]215 </td> <td> 63949 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Akamai">Akamai</a> Connected Cloud </td> <td> byob </td> </tr> <tr> <td> 15 </td> <td> 2月18日 </td> <td> 130[.]33[.]35[.]118 </td> <td> 8075 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/MICROSOFT">MICROSOFT</a>-CORP-MSN-AS-BLOCK </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Empire">Empire</a> </td> </tr> <tr> <td> 16 </td> <td> 2月18日 </td> <td> 139[.]162[.]112[.]20 </td> <td> 63949 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Akamai">Akamai</a> Connected Cloud </td> <td> byob </td> </tr> <tr> <td> 17 </td> <td> 2月18日 </td> <td> 139[.]162[.]112[.]61 </td> <td> 63949 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Akamai">Akamai</a> Connected Cloud </td> <td> byob </td> </tr> <tr> <td> 18 </td> <td> 2月18日 </td> <td> 139[.]180[.]193[.]31 </td> <td> 20473 </td> <td> AS-VULTR </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Cobalt">Cobalt</a> Strike </td> </tr> <tr> <td> 19 </td> <td> 2月18日 </td> <td> 57[.]181[.]102[.]240 </td> <td> 16509 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/AMAZON">AMAZON</a>-02 </td> <td> Brute Ratel C4 </td> </tr> <tr> <td> 20 </td> <td> 2月19日 </td> <td> 43[.]165[.]133[.]147 </td> <td> 132203 </td> <td> Tencent 
Building, Kejizhongyi Avenue </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Cobalt">Cobalt</a> Strike </td> </tr> <tr> <td> 21 </td> <td> 2月19日 </td> <td> 15[.]168[.]189[.]7 </td> <td> 16509 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/AMAZON">AMAZON</a>-02 </td> <td> NetSupportManager RAT 1 </td> </tr> <tr> <td> 22 </td> <td> 2月<a class="keyword" href="https://d.hatena.ne.jp/keyword/20%C6%FC">20日</a> </td> <td> 172[.]104[.]101[.]55 </td> <td> 63949 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Akamai">Akamai</a> Connected Cloud </td> <td> byob </td> </tr> <tr> <td> 23 </td> <td> 2月<a class="keyword" href="https://d.hatena.ne.jp/keyword/20%C6%FC">20日</a> </td> <td> 45[.]143[.]233[.]205 </td> <td> 3258 </td> <td> xTom Japan Co., Ltd. </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Cobalt">Cobalt</a> Strike </td> </tr> <tr> <td> 24 </td> <td> 2月<a class="keyword" href="https://d.hatena.ne.jp/keyword/20%C6%FC">20日</a> </td> <td> 172[.]104[.]101[.]21 </td> <td> 63949 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Akamai">Akamai</a> Connected Cloud </td> <td> byob </td> </tr> <tr> <td> 25 </td> <td> 2月<a class="keyword" href="https://d.hatena.ne.jp/keyword/20%C6%FC">20日</a> </td> <td> 43[.]165[.]191[.]146 </td> <td> 132203 </td> <td> Tencent Building, Kejizhongyi Avenue </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Cobalt">Cobalt</a> Strike </td> </tr> <tr> <td> 26 </td> <td> 2月<a class="keyword" href="https://d.hatena.ne.jp/keyword/20%C6%FC">20日</a> </td> <td> 172[.]104[.]101[.]84 </td> <td> 63949 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Akamai">Akamai</a> Connected Cloud </td> <td> byob </td> </tr> <tr> <td> 27 </td> <td> 2月<a class="keyword" href="https://d.hatena.ne.jp/keyword/20%C6%FC">20日</a> </td> <td> 139[.]162[.]82[.]160 </td> <td> 63949 </td> <td> <a class="keyword" 
href="https://d.hatena.ne.jp/keyword/Akamai">Akamai</a> Connected Cloud </td> <td> byob </td> </tr> <tr> <td> 28 </td> <td> 2月21日 </td> <td> 56[.]155[.]36[.]56 </td> <td> 16509 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/AMAZON">AMAZON</a>-02 </td> <td> NetSupportManager RAT 7 </td> </tr> </tbody> </table> <h2 id="Appendix">Appendix</h2> <h2 id="Censys-query">Censys query</h2> <h3 id="Brute-Ratel-C4">Brute Ratel C4</h3> <pre class="code" data-lang="" data-unlink>services.banner_hashes=&#34;sha256:9b2f1d047496a5986f3df4bfff572cc13406014a50003c02d4e55ad4f87243a5&#34; and services.http.response.body_hashes=&#34;sha256:96d0095b3dba19672e50a7c9d75b9b76fe8cbcbd27b58d58d64669a097c56660&#34;</pre> <h3 id="VIPER">VIPER</h3> <pre class="code" data-lang="" data-unlink>services.http.response.favicons.md5_hash=&#34;a7469955bff5e489d2270d9b389064e1&#34; and services.banner_hashes=&#34;sha256:14090fe157022af0fe99a62bdbbfb204d2ebb1b7a19727be25233d2c8957d66b&#34; and services.http.response.body_hashes=&#34;sha256:748ebb050a2869bc29d48510eca68fba43670a10e49daab10c5fdab389e13bf6&#34;</pre> <h2 id="Special-Thanks">Special Thanks</h2> <p>この調査はCensys社のResearch <a class="keyword" href="https://d.hatena.ne.jp/keyword/Access">Access</a>で行っております。<br/> Research <a class="keyword" href="https://d.hatena.ne.jp/keyword/Access">Access</a>を提供していただきありがとうございます。</p> <p><iframe src="https://hatenablog-parts.com/embed?url=https%3A%2F%2Fsupport.censys.io%2Fhc%2Fen-us%2Farticles%2F360038761891-Research-Access-to-Censys-Data" title="Research Access to Censys Data" class="embed-card embed-webcard" scrolling="no" frameborder="0" style="display: block; width: 100%; height: 155px; max-width: 500px; margin: 10px 0px;" loading="lazy"></iframe><cite class="hatena-citation"><a href="https://support.censys.io/hc/en-us/articles/360038761891-Research-Access-to-Censys-Data">support.censys.io</a></cite></p> </div> <footer class="entry-footer"> <div class="entry-tags-wrapper"> <div 
class="entry-tags"> <span class="entry-tag"> <a href="https://d.hatena.ne.jp/keyword/DFIR" class="entry-tag-link"> <span class="entry-tag-icon">#</span><span class="entry-tag-label">DFIR</span> </a> </span> <span class="entry-tag"> <a href="https://d.hatena.ne.jp/keyword/CTI" class="entry-tag-link"> <span class="entry-tag-icon">#</span><span class="entry-tag-label">CTI</span> </a> </span> <span class="entry-tag"> <a href="https://d.hatena.ne.jp/keyword/Security" class="entry-tag-link"> <span class="entry-tag-icon">#</span><span class="entry-tag-label">Security</span> </a> </span> <span class="entry-tag"> <a href="https://d.hatena.ne.jp/keyword/%E3%82%BB%E3%82%AD%E3%83%A5%E3%83%AA%E3%83%86%E3%82%A3" class="entry-tag-link"> <span class="entry-tag-icon">#</span><span class="entry-tag-label">セキュリティ</span> </a> </span> <span class="entry-tag"> <a href="https://d.hatena.ne.jp/keyword/Censys" class="entry-tag-link"> <span class="entry-tag-icon">#</span><span class="entry-tag-label">Censys</span> </a> </span> </div> </div> <p class="entry-footer-section track-inview-by-gtm" data-gtm-track-json="{&quot;area&quot;: &quot;finish_reading&quot;}"> <span class="author vcard"><span class="fn" data-load-nickname="1" data-user-name="disconinja" >disconinja</span></span> <span class="entry-footer-time"><a href="https://disconinja.hatenablog.com/entry/2025/02/24/120055"><time data-relative datetime="2025-02-24T03:00:55Z" title="2025-02-24T03:00:55Z" class="updated">2025-02-24 12:00</time></a></span> <span class=" entry-footer-subscribe " data-test-blog-controlls-subscribe> <a href="https://blog.hatena.ne.jp/disconinja/disconinja.hatenablog.com/subscribe?utm_campaign=subscribe_blog&amp;utm_source=blogs_entry_footer&amp;utm_medium=button"> 読者になる </a> </span> </p> <div class="hatena-star-container" data-hatena-star-container data-hatena-star-url="https://disconinja.hatenablog.com/entry/2025/02/24/120055" data-hatena-star-title="日本におけるC2サーバ調査(Week 8 2025)" 
data-hatena-star-variant="profile-icon" data-hatena-star-profile-url-template="https://blog.hatena.ne.jp/{username}/" ></div> <div class="social-buttons"> <div class="social-button-item"> <a href="https://b.hatena.ne.jp/entry/s/disconinja.hatenablog.com/entry/2025/02/24/120055" class="hatena-bookmark-button" data-hatena-bookmark-url="https://disconinja.hatenablog.com/entry/2025/02/24/120055" data-hatena-bookmark-layout="vertical-balloon" data-hatena-bookmark-lang="ja" title="この記事をはてなブックマークに追加"><img src="https://b.st-hatena.com/images/entry-button/button-only.gif" alt="この記事をはてなブックマークに追加" width="20" height="20" style="border: none;" /></a> </div> <div class="social-button-item"> <div class="fb-share-button" data-layout="box_count" data-href="https://disconinja.hatenablog.com/entry/2025/02/24/120055"></div> </div> <div class="social-button-item"> <a class="entry-share-button entry-share-button-twitter test-share-button-twitter" href="https://x.com/intent/tweet?hashtags=DFIR&amp;hashtags=CTI&amp;hashtags=Security&amp;hashtags=%E3%82%BB%E3%82%AD%E3%83%A5%E3%83%AA%E3%83%86%E3%82%A3&amp;hashtags=Censys&amp;text=%E6%97%A5%E6%9C%AC%E3%81%AB%E3%81%8A%E3%81%91%E3%82%8BC2%E3%82%B5%E3%83%BC%E3%83%90%E8%AA%BF%E6%9F%BB(Week+8+2025)+-+Weekend+Researcher+Tsurezure+Diary&amp;url=https%3A%2F%2Fdisconinja.hatenablog.com%2Fentry%2F2025%2F02%2F24%2F120055" title="X(Twitter)で投稿する" ></a> </div> </div> <div class="google-afc-image test-google-rectangle-ads"> <script> (valve = window.valve || []).push(function(v) { v.displayDFPSlot('google_afc_user_container_4'); }); </script> <div id="google_afc_user_container_4" class="google-afc-user-container google_afc_blocklink2_5 google_afc_boder" data-test-unit="/4374287/blog_user_2nd"></div> <a href="http://blog.hatena.ne.jp/guide/pro" class="open-pro-modal" data-guide-pro-modal-ad-url="https://hatena.blog/guide/pro/modal/ad">広告を非表示にする</a> </div> <div class="customized-footer"> </div> <div class="comment-box js-comment-box"> <ul class="comment 
js-comment"> <li class="read-more-comments" style="display: none;"><a>もっと読む</a></li> </ul> <a class="leave-comment-title js-leave-comment-title">コメントを書く</a> </div> </footer> </div> </article> <article class="entry hentry test-hentry js-entry-article date-first autopagerize_page_element chars-2400 words-400 mode-markdown entry-even" id="entry-6802418398329612503" data-keyword-campaign="" data-uuid="6802418398329612503" data-publication-type="entry"> <div class="entry-inner"> <header class="entry-header"> <div class="date entry-date first"> <a href="https://disconinja.hatenablog.com/archive/2025/02/17" rel="nofollow"> <time datetime="2025-02-17T09:56:57Z" title="2025-02-17T09:56:57Z"> <span class="date-year">2025</span><span class="hyphen">-</span><span class="date-month">02</span><span class="hyphen">-</span><span class="date-day">17</span> </time> </a> </div> <h1 class="entry-title"> <a href="https://disconinja.hatenablog.com/entry/2025/02/17/185657" class="entry-title-link bookmark">日本におけるC2サーバ調査(Week 7 2025)</a> </h1> </header> <div class="entry-content hatenablog-entry"> <h1 id="Hunting-for-enemy-infrastructure-in-Japan">Hunting for enemy infrastructure in Japan</h1> <p>Censysを使い、C2とラベルされた日本の<a class="keyword" href="https://d.hatena.ne.jp/keyword/%A5%A4%A5%F3%A5%D5%A5%E9%A5%B9%A5%C8%A5%E9%A5%AF%A5%C1%A5%E3%A1%BC">インフラストラクチャー</a>を集計しました。<br/> 期間は2月10日から2月16日です。<br/> I used Censys to tabulate the infrastructure labeled C2 and located in Japan.<br/> The period is from 2/10 to 2/16 .</p> <h2 id="Total-period">Total period</h2> <p>2/10~2/16</p> <h2 id="Total-number-of-c2-servers-found">Total number of c2 servers found</h2> <p>16IP</p> <h2 id="Type-of-C2-servers-found">Type of C2 servers found</h2> <table> <thead> <tr> <th> C2 </th> <th> Numbers </th> </tr> </thead> <tbody> <tr> <td> Sliver </td> <td> 3 </td> </tr> <tr> <td> Brute Ratel C4 </td> <td> 2 </td> </tr> <tr> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Cobalt">Cobalt</a> Strike </td> <td> 2 
</td> </tr> <tr> <td> Metasploit </td> <td> 1 </td> </tr> <tr> <td> MITRE CALDERA </td> <td> 1 </td> </tr> <tr> <td> Mythic </td> <td> 1 </td> </tr> <tr> <td> NetSupportManager RAT 1 </td> <td> 1 </td> </tr> <tr> <td> NetSupportManager RAT 2 </td> <td> 1 </td> </tr> <tr> <td> NetSupportManager RAT 8 </td> <td> 1 </td> </tr> <tr> <td> NetSupportManager RAT 9 </td> <td> 1 </td> </tr> <tr> <td> ShadowPad </td> <td> 1 </td> </tr> <tr> <td> VIPER </td> <td> 1 </td> </tr> </tbody> </table> <p><span itemscope itemtype="http://schema.org/Photograph"><img src="https://cdn-ak.f.st-hatena.com/images/fotolife/d/disconinja/20250217/20250217183647.png" width="833" height="514" loading="lazy" title="" class="hatena-fotolife" itemprop="image"></span></p> <h2 id="Aggregate-Data">Aggregate Data</h2> <table> <thead> <tr> <th> No </th> <th> Date </th> <th> IP </th> <th> Autonomous System Number </th> <th> Autonomous System Label </th> <th> Censys label </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> 2月10日 </td> <td> 172[.]233[.]83[.]149 </td> <td> 63949 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Akamai">Akamai</a> Connected Cloud </td> <td> Metasploit </td> </tr> <tr> <td> 2 </td> <td> 2月10日 </td> <td> 54[.]238[.]247[.]179 </td> <td> 16509 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/AMAZON">AMAZON</a>-02 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Cobalt">Cobalt</a> Strike </td> </tr> <tr> <td> 3 </td> <td> 2月10日 </td> <td> 13[.]230[.]72[.]86 </td> <td> 16509 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/AMAZON">AMAZON</a>-02 </td> <td> Sliver </td> </tr> <tr> <td> 4 </td> <td> 2月11日 </td> <td> 43[.]206[.]123[.]192 </td> <td> 16509 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/AMAZON">AMAZON</a>-02 </td> <td> NetSupportManager RAT 9 </td> </tr> <tr> <td> 5 </td> <td> 2月11日 </td> <td> 35[.]189[.]154[.]103 </td> <td> 396982 </td> <td> <a class="keyword" 
href="https://d.hatena.ne.jp/keyword/GOOGLE">GOOGLE</a>-CLOUD-PLATFORM </td> <td> MITRE CALDERA </td> </tr> <tr> <td> 6 </td> <td> 2月11日 </td> <td> 57[.]180[.]194[.]188 </td> <td> 16509 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/AMAZON">AMAZON</a>-02 </td> <td> Brute Ratel C4 </td> </tr> <tr> <td> 7 </td> <td> 2月11日 </td> <td> 54[.]178[.]158[.]125 </td> <td> 16509 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/AMAZON">AMAZON</a>-02 </td> <td> Brute Ratel C4 </td> </tr> <tr> <td> 8 </td> <td> 2月11日 </td> <td> 64[.]176[.]35[.]214 </td> <td> 20473 </td> <td> AS-VULTR </td> <td> ShadowPad </td> </tr> <tr> <td> 9 </td> <td> 2月12日 </td> <td> 165[.]192[.]82[.]179 </td> <td> 36351 </td> <td> SOFTLAYER </td> <td> Sliver </td> </tr> <tr> <td> 10 </td> <td> 2月12日 </td> <td> 18[.]183[.]132[.]204 </td> <td> 16509 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/AMAZON">AMAZON</a>-02 </td> <td> Mythic </td> </tr> <tr> <td> 11 </td> <td> 2月14日 </td> <td> 166[.]88[.]98[.]221 </td> <td> 149440 </td> <td> Evoxt Enterprise </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Cobalt">Cobalt</a> Strike </td> </tr> <tr> <td> 12 </td> <td> 2月16日 </td> <td> 35[.]78[.]180[.]139 </td> <td> 16509 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/AMAZON">AMAZON</a>-02 </td> <td> NetSupportManager RAT 2 </td> </tr> <tr> <td> 13 </td> <td> 2月16日 </td> <td> 13[.]208[.]181[.]173 </td> <td> 16509 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/AMAZON">AMAZON</a>-02 </td> <td> NetSupportManager RAT 8 </td> </tr> <tr> <td> 14 </td> <td> 2月16日 </td> <td> 23[.]27[.]169[.]4 </td> <td> 149440 </td> <td> Evoxt Enterprise </td> <td> VIPER </td> </tr> <tr> <td> 15 </td> <td> 2月16日 </td> <td> 103[.]27[.]186[.]143 </td> <td> 134835 </td> <td> Starry Network Limited </td> <td> Sliver </td> </tr> <tr> <td> 16 </td> <td> 2月16日 </td> <td> 13[.]208[.]165[.]189 </td> <td> 16509 </td> <td> <a 
class="keyword" href="https://d.hatena.ne.jp/keyword/AMAZON">AMAZON</a>-02 </td> <td> NetSupportManager RAT 1 </td> </tr> </tbody> </table> <h2 id="Appendix">Appendix</h2> <h2 id="Censys-query">Censys query</h2> <h3 id="Brute-Ratel-C4">Brute Ratel C4</h3> <pre class="code" data-lang="" data-unlink>services.http.response.body_hashes=&#34;sha256:96d0095b3dba19672e50a7c9d75b9b76fe8cbcbd27b58d58d64669a097c56660&#34;</pre> <h3 id="ShadowPad">ShadowPad</h3> <pre class="code" data-lang="" data-unlink>services.tls.certificates.leaf_fp_sha_256=&#34;a5ea2cb4a80032c27b56ba49b0c42fd6e44c0f65e246910395cd89307e078457&#34;</pre> <pre class="code" data-lang="" data-unlink>services.tls.certificates.leaf_data.subject_dn=&#34;C=US, ST=Texas, L=Round Rock, O=Dell Technologies Inc., OU=Dell Data Vault, CN=Dell Technologies Inc.&#34;</pre> <h3 id="VIPER">VIPER</h3> <pre class="code" data-lang="" data-unlink>services.http.response.favicons.md5_hash=&#34;a7469955bff5e489d2270d9b389064e1&#34;</pre> <h2 id="Special-Thanks">Special Thanks</h2> <p>この調査はCensys社のResearch <a class="keyword" href="https://d.hatena.ne.jp/keyword/Access">Access</a>で行っております。<br/> Research <a class="keyword" href="https://d.hatena.ne.jp/keyword/Access">Access</a>を提供していただきありがとうございます。</p> <p><a href="https://support.censys.io/hc/en-us/articles/360038761891-Research-Access-to-Censys-Data">Research Access to Censys Data &ndash; Censys</a></p> </div> <footer class="entry-footer"> <div class="entry-tags-wrapper"> <div class="entry-tags"> <span class="entry-tag"> <a href="https://d.hatena.ne.jp/keyword/DFIR" class="entry-tag-link"> <span class="entry-tag-icon">#</span><span class="entry-tag-label">DFIR</span> </a> </span> <span class="entry-tag"> <a href="https://d.hatena.ne.jp/keyword/CTI" class="entry-tag-link"> <span class="entry-tag-icon">#</span><span class="entry-tag-label">CTI</span> </a> </span> <span class="entry-tag"> <a href="https://d.hatena.ne.jp/keyword/Security" class="entry-tag-link"> <span 
class="entry-tag-icon">#</span><span class="entry-tag-label">Security</span> </a> </span> <span class="entry-tag"> <a href="https://d.hatena.ne.jp/keyword/Censys" class="entry-tag-link"> <span class="entry-tag-icon">#</span><span class="entry-tag-label">Censys</span> </a> </span> </div> </div> <p class="entry-footer-section track-inview-by-gtm" data-gtm-track-json="{&quot;area&quot;: &quot;finish_reading&quot;}"> <span class="author vcard"><span class="fn" data-load-nickname="1" data-user-name="disconinja" >disconinja</span></span> <span class="entry-footer-time"><a href="https://disconinja.hatenablog.com/entry/2025/02/17/185657"><time data-relative datetime="2025-02-17T09:56:57Z" title="2025-02-17T09:56:57Z" class="updated">2025-02-17 18:56</time></a></span> <span class=" entry-footer-subscribe " data-test-blog-controlls-subscribe> <a href="https://blog.hatena.ne.jp/disconinja/disconinja.hatenablog.com/subscribe?utm_source=blogs_entry_footer&amp;utm_medium=button&amp;utm_campaign=subscribe_blog"> 読者になる </a> </span> </p> <div class="hatena-star-container" data-hatena-star-container data-hatena-star-url="https://disconinja.hatenablog.com/entry/2025/02/17/185657" data-hatena-star-title="日本におけるC2サーバ調査(Week 7 2025)" data-hatena-star-variant="profile-icon" data-hatena-star-profile-url-template="https://blog.hatena.ne.jp/{username}/" ></div> <div class="social-buttons"> <div class="social-button-item"> <a href="https://b.hatena.ne.jp/entry/s/disconinja.hatenablog.com/entry/2025/02/17/185657" class="hatena-bookmark-button" data-hatena-bookmark-url="https://disconinja.hatenablog.com/entry/2025/02/17/185657" data-hatena-bookmark-layout="vertical-balloon" data-hatena-bookmark-lang="ja" title="この記事をはてなブックマークに追加"><img src="https://b.st-hatena.com/images/entry-button/button-only.gif" alt="この記事をはてなブックマークに追加" width="20" height="20" style="border: none;" /></a> </div> <div class="social-button-item"> <div class="fb-share-button" data-layout="box_count" 
data-href="https://disconinja.hatenablog.com/entry/2025/02/17/185657"></div> </div> <div class="social-button-item"> <a class="entry-share-button entry-share-button-twitter test-share-button-twitter" href="https://x.com/intent/tweet?hashtags=DFIR&amp;hashtags=CTI&amp;hashtags=Security&amp;hashtags=Censys&amp;text=%E6%97%A5%E6%9C%AC%E3%81%AB%E3%81%8A%E3%81%91%E3%82%8BC2%E3%82%B5%E3%83%BC%E3%83%90%E8%AA%BF%E6%9F%BB(Week+7+2025)+-+Weekend+Researcher+Tsurezure+Diary&amp;url=https%3A%2F%2Fdisconinja.hatenablog.com%2Fentry%2F2025%2F02%2F17%2F185657" title="X(Twitter)で投稿する" ></a> </div> </div> <div class="google-afc-image test-google-rectangle-ads"> <script> (valve = window.valve || []).push(function(v) { v.displayDFPSlot('google_afc_user_container_5'); }); </script> <div id="google_afc_user_container_5" class="google-afc-user-container google_afc_blocklink2_5 google_afc_boder" data-test-unit="/4374287/blog_user_2nd"></div> <a href="http://blog.hatena.ne.jp/guide/pro" class="open-pro-modal" data-guide-pro-modal-ad-url="https://hatena.blog/guide/pro/modal/ad">広告を非表示にする</a> </div> <div class="customized-footer"> </div> <div class="comment-box js-comment-box"> <ul class="comment js-comment"> <li class="read-more-comments" style="display: none;"><a>もっと読む</a></li> </ul> <a class="leave-comment-title js-leave-comment-title">コメントを書く</a> </div> </footer> </div> </article> <article class="entry hentry test-hentry js-entry-article date-first autopagerize_page_element chars-1600 words-200 mode-markdown entry-odd" id="entry-6802418398327585665" data-keyword-campaign="" data-uuid="6802418398327585665" data-publication-type="entry"> <div class="entry-inner"> <header class="entry-header"> <div class="date entry-date first"> <a href="https://disconinja.hatenablog.com/archive/2025/02/10" rel="nofollow"> <time datetime="2025-02-10T09:42:04Z" title="2025-02-10T09:42:04Z"> <span class="date-year">2025</span><span class="hyphen">-</span><span class="date-month">02</span><span 
class="hyphen">-</span><span class="date-day">10</span> </time> </a> </div> <h1 class="entry-title"> <a href="https://disconinja.hatenablog.com/entry/2025/02/10/184204" class="entry-title-link bookmark">日本におけるC2サーバ調査(Week 6 2025)</a> </h1> </header> <div class="entry-content hatenablog-entry"> <h1 id="Hunting-for-enemy-infrastructure-in-Japan">Hunting for enemy infrastructure in Japan</h1> <p>Censysを使い、C2とラベルされた日本の<a class="keyword" href="https://d.hatena.ne.jp/keyword/%A5%A4%A5%F3%A5%D5%A5%E9%A5%B9%A5%C8%A5%E9%A5%AF%A5%C1%A5%E3%A1%BC">インフラストラクチャー</a>を集計しました。<br/> 期間は2月3日から2月9日です。<br/> I used Censys to tabulate the infrastructure labeled C2 and located in Japan.<br/> The period is from 2/3 to 2/9 .</p> <h2 id="Total-period">Total period</h2> <p>2/3~2/9</p> <h2 id="Total-number-of-c2-servers-found">Total number of c2 servers found</h2> <p>7IP</p> <h2 id="Type-of-C2-servers-found">Type of C2 servers found</h2> <table> <thead> <tr> <th> C2 </th> <th> Numbers </th> </tr> </thead> <tbody> <tr> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Cobalt">Cobalt</a> Strike </td> <td> 2 </td> </tr> <tr> <td> Brute Ratel C4 </td> <td> 1 </td> </tr> <tr> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Empire">Empire</a> </td> <td> 1 </td> </tr> <tr> <td> NetSupportManager RAT 2 </td> <td> 1 </td> </tr> <tr> <td> NHAS Reverse <a class="keyword" href="https://d.hatena.ne.jp/keyword/SSH">SSH</a> </td> <td> 1 </td> </tr> <tr> <td> Octopus </td> <td> 1 </td> </tr> </tbody> </table> <p><span itemscope itemtype="http://schema.org/Photograph"><img src="https://cdn-ak.f.st-hatena.com/images/fotolife/d/disconinja/20250210/20250210184103.png" width="833" height="514" loading="lazy" title="" class="hatena-fotolife" itemprop="image"></span></p> <h2 id="Aggregate-Data">Aggregate Data</h2> <table> <thead> <tr> <th> No </th> <th> Date </th> <th> IP </th> <th> Autonomous System Number </th> <th> Autonomous System Label </th> <th> Censys label </th> </tr> </thead> <tbody> 
<tr> <td> 1 </td> <td> 2月5日 </td> <td> 13[.]208[.]245[.]242 </td> <td> 16509 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/AMAZON">AMAZON</a>-02 </td> <td> NetSupportManager RAT 2 </td> </tr> <tr> <td> 2 </td> <td> 2月5日 </td> <td> 18[.]178[.]51[.]37 </td> <td> 16509 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/AMAZON">AMAZON</a>-02 </td> <td> Brute Ratel C4 </td> </tr> <tr> <td> 3 </td> <td> 2月5日 </td> <td> 74[.]<a class="keyword" href="https://d.hatena.ne.jp/keyword/226">226</a>[.]247[.]135 </td> <td> 8075 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/MICROSOFT">MICROSOFT</a>-CORP-MSN-AS-BLOCK </td> <td> Octopus </td> </tr> <tr> <td> 4 </td> <td> 2月6日 </td> <td> 45[.]66[.]<a class="keyword" href="https://d.hatena.ne.jp/keyword/218">218</a>[.]244 </td> <td> 3258 </td> <td> xTom Japan Co., Ltd. </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Cobalt">Cobalt</a> Strike </td> </tr> <tr> <td> 5 </td> <td> 2月7日 </td> <td> 92[.]38[.]178[.]197 </td> <td> 202422 </td> <td> G-Core Labs S.A. 
</td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Cobalt">Cobalt</a> Strike </td> </tr> <tr> <td> 6 </td> <td> 2月7日 </td> <td> 48[.]<a class="keyword" href="https://d.hatena.ne.jp/keyword/218">218</a>[.]60[.]118 </td> <td> 8075 </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/MICROSOFT">MICROSOFT</a>-CORP-MSN-AS-BLOCK </td> <td> <a class="keyword" href="https://d.hatena.ne.jp/keyword/Empire">Empire</a> </td> </tr> <tr> <td> 7 </td> <td> 2月8日 </td> <td> 107[.]148[.]0[.]86 </td> <td> 398993 </td> <td> PEG-TY </td> <td> NHAS Reverse <a class="keyword" href="https://d.hatena.ne.jp/keyword/SSH">SSH</a> </td> </tr> </tbody> </table> <h2 id="Appendix">Appendix</h2> <h2 id="Censys-query">Censys query</h2> <h3 id="Empire"><a class="keyword" href="https://d.hatena.ne.jp/keyword/Empire">Empire</a></h3> <pre class="code" data-lang="" data-unlink>services.http.response.body_hashes=&#34;sha1:dcb32e6256459d3660fdc90e4c79e95a921841cc&#34;</pre> <h3 id="NHAS-Reverse-SSH">NHAS Reverse <a class="keyword" href="https://d.hatena.ne.jp/keyword/SSH">SSH</a></h3> <pre class="code" data-lang="" data-unlink>services.tls.certificates.leaf_data.issuer_dn=&#34;C=US, O=Cloudflare\\, Inc, CN=:3232&#34;</pre> <h3 id="Octopus">Octopus</h3> <pre class="code" data-lang="" data-unlink>services.http.response.body_hashes=&#34;sha256:26f76fcfac4b29f4508615d74244793cef02d7f3027e410fe192d96c05c52d1d&#34;</pre> <h2 id="Special-Thanks">Special Thanks</h2> <p>この調査はCensys社のResearch <a class="keyword" href="https://d.hatena.ne.jp/keyword/Access">Access</a>で行っております。<br/> Research <a class="keyword" href="https://d.hatena.ne.jp/keyword/Access">Access</a>を提供していただきありがとうございます。</p> <p><a href="https://support.censys.io/hc/en-us/articles/360038761891-Research-Access-to-Censys-Data">Research Access to Censys Data &ndash; Censys</a></p> </div> <footer class="entry-footer"> <div class="entry-tags-wrapper"> <div class="entry-tags"> <span class="entry-tag"> <a 
href="https://d.hatena.ne.jp/keyword/DFIR" class="entry-tag-link"> <span class="entry-tag-icon">#</span><span class="entry-tag-label">DFIR</span> </a> </span> <span class="entry-tag"> <a href="https://d.hatena.ne.jp/keyword/CTI" class="entry-tag-link"> <span class="entry-tag-icon">#</span><span class="entry-tag-label">CTI</span> </a> </span> <span class="entry-tag"> <a href="https://d.hatena.ne.jp/keyword/Security" class="entry-tag-link"> <span class="entry-tag-icon">#</span><span class="entry-tag-label">Security</span> </a> </span> <span class="entry-tag"> <a href="https://d.hatena.ne.jp/keyword/%E3%82%BB%E3%82%AD%E3%83%A5%E3%83%AA%E3%83%86%E3%82%A3" class="entry-tag-link"> <span class="entry-tag-icon">#</span><span class="entry-tag-label">セキュリティ</span> </a> </span> <span class="entry-tag"> <a href="https://d.hatena.ne.jp/keyword/Censys" class="entry-tag-link"> <span class="entry-tag-icon">#</span><span class="entry-tag-label">Censys</span> </a> </span> </div> </div> <p class="entry-footer-section track-inview-by-gtm" data-gtm-track-json="{&quot;area&quot;: &quot;finish_reading&quot;}"> <span class="author vcard"><span class="fn" data-load-nickname="1" data-user-name="disconinja" >disconinja</span></span> <span class="entry-footer-time"><a href="https://disconinja.hatenablog.com/entry/2025/02/10/184204"><time data-relative datetime="2025-02-10T09:42:04Z" title="2025-02-10T09:42:04Z" class="updated">2025-02-10 18:42</time></a></span> <span class=" entry-footer-subscribe " data-test-blog-controlls-subscribe> <a href="https://blog.hatena.ne.jp/disconinja/disconinja.hatenablog.com/subscribe?utm_campaign=subscribe_blog&amp;utm_source=blogs_entry_footer&amp;utm_medium=button"> 読者になる </a> </span> </p> <div class="hatena-star-container" data-hatena-star-container data-hatena-star-url="https://disconinja.hatenablog.com/entry/2025/02/10/184204" data-hatena-star-title="日本におけるC2サーバ調査(Week 6 2025)" data-hatena-star-variant="profile-icon" 
data-hatena-star-profile-url-template="https://blog.hatena.ne.jp/{username}/" ></div> <div class="social-buttons"> <div class="social-button-item"> <a href="https://b.hatena.ne.jp/entry/s/disconinja.hatenablog.com/entry/2025/02/10/184204" class="hatena-bookmark-button" data-hatena-bookmark-url="https://disconinja.hatenablog.com/entry/2025/02/10/184204" data-hatena-bookmark-layout="vertical-balloon" data-hatena-bookmark-lang="ja" title="この記事をはてなブックマークに追加"><img src="https://b.st-hatena.com/images/entry-button/button-only.gif" alt="この記事をはてなブックマークに追加" width="20" height="20" style="border: none;" /></a> </div> <div class="social-button-item"> <div class="fb-share-button" data-layout="box_count" data-href="https://disconinja.hatenablog.com/entry/2025/02/10/184204"></div> </div> <div class="social-button-item"> <a class="entry-share-button entry-share-button-twitter test-share-button-twitter" href="https://x.com/intent/tweet?hashtags=DFIR&amp;hashtags=CTI&amp;hashtags=Security&amp;hashtags=%E3%82%BB%E3%82%AD%E3%83%A5%E3%83%AA%E3%83%86%E3%82%A3&amp;hashtags=Censys&amp;text=%E6%97%A5%E6%9C%AC%E3%81%AB%E3%81%8A%E3%81%91%E3%82%8BC2%E3%82%B5%E3%83%BC%E3%83%90%E8%AA%BF%E6%9F%BB(Week+6+2025)+-+Weekend+Researcher+Tsurezure+Diary&amp;url=https%3A%2F%2Fdisconinja.hatenablog.com%2Fentry%2F2025%2F02%2F10%2F184204" title="X(Twitter)で投稿する" ></a> </div> </div> <div class="google-afc-image test-google-rectangle-ads"> <script> (valve = window.valve || []).push(function(v) { v.displayDFPSlot('google_afc_user_container_6'); }); </script> <div id="google_afc_user_container_6" class="google-afc-user-container google_afc_blocklink2_5 google_afc_boder" data-test-unit="/4374287/blog_user_2nd"></div> <a href="http://blog.hatena.ne.jp/guide/pro" class="open-pro-modal" data-guide-pro-modal-ad-url="https://hatena.blog/guide/pro/modal/ad">広告を非表示にする</a> </div> <div class="customized-footer"> </div> <div class="comment-box js-comment-box"> <ul class="comment js-comment"> <li class="read-more-comments" 
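style="display: none;"><a>もっと読む</a></li>
</ul>
<!-- href-less <a>: inert placeholder until script attaches a handler via the js-* hook; not keyboard-focusable as written. -->
<a class="leave-comment-title js-leave-comment-title">コメントを書く</a>
</div>
</footer>
</div>
</article>
<!-- rakuten_ad_target_end -->
<!-- google_ad_section_end -->
<div class="pager autopagerize_insert_before">
  <span class="pager-next">
    <a href="https://disconinja.hatenablog.com/?page=1739180524" rel="next">次のページ</a>
  </span>
</div>
</div>
</div>
<aside id="box1">
  <div id="box1-inner"></div>
</aside>
</div><!-- #wrapper -->
<aside id="box2">
  <div id="box2-inner">
    <!-- Profile module: avatar, id link and the follow toggle. -->
    <div class="hatena-module hatena-module-profile">
      <div class="hatena-module-title">プロフィール</div>
      <div class="hatena-module-body">
        <a class="profile-icon-link" href="https://disconinja.hatenablog.com/about">
          <img class="profile-icon" src="https://cdn.profile-image.st-hatena.com/users/disconinja/profile.png" alt="id:disconinja">
        </a>
        <span class="id">
          <a class="hatena-id-link" href="https://disconinja.hatenablog.com/about"><span data-load-nickname="1" data-user-name="disconinja">id:disconinja</span></a>
        </span>
        <!-- Follow toggle is script-driven; with href="#" a click without script only jumps to the top of the page. -->
        <div class="hatena-follow-button-box btn-subscribe js-hatena-follow-button-box">
          <a class="hatena-follow-button js-hatena-follow-button" href="#">
            <span class="subscribing">
              <span class="foreground">読者です</span>
              <span class="background">読者をやめる</span>
            </span>
            <span class="unsubscribing" data-track-name="profile-widget-subscribe-button" data-track-once>
              <span class="foreground">読者になる</span>
              <span class="background">読者になる</span>
            </span>
          </a>
          <div class="subscription-count-box js-subscription-count-box">
            <i></i>
            <u></u>
            <span class="subscription-count js-subscription-count"> </span>
          </div>
        </div>
        <div class="profile-about">
          <a href="https://disconinja.hatenablog.com/about">このブログについて</a>
        </div>
      </div>
    </div>
    <!-- Search module: GET form to the blog's own /search endpoint. -->
    <div class="hatena-module hatena-module-search-box">
      <div class="hatena-module-title">検索</div>
      <div class="hatena-module-body">
        <form class="search-form" role="search" action="https://disconinja.hatenablog.com/search" method="get">
          <!-- placeholder alone is not an accessible name; aria-label gives the field one. -->
          <input class="search-module-input" name="q" type="text" value="" placeholder="記事を検索" aria-label="記事を検索" required>
          <input class="search-module-button" type="submit" value="検索">
        </form>
      </div>
    </div>
    <!-- Links module. -->
    <div class="hatena-module hatena-module-links">
      <div class="hatena-module-title">リンク</div>
      <div class="hatena-module-body">
        <ul class="hatena-urllist">
          <li><a href="https://hatena.blog/">はてなブログ</a></li>
          <li><a href="https://hatena.blog/guide?via=200109">ブログをはじめる</a></li>
          <!-- was a plain http: link; every other outbound link in this module is https. -->
          <li><a href="https://blog.hatenablog.com">週刊はてなブログ</a></li>
          <li><a href="https://hatena.blog/guide/pro">はてなブログPro</a></li>
        </ul>
      </div>
    </div>
    <!-- Recent entries module. -->
    <div class="hatena-module hatena-module-recent-entries">
      <div class="hatena-module-title">
        <a href="https://disconinja.hatenablog.com/archive">最新記事</a>
      </div>
      <div class="hatena-module-body">
        <ul class="recent-entries hatena-urllist">
          <li class="urllist-item recent-entries-item">
            <div class="urllist-item-inner recent-entries-item-inner">
              <a class="urllist-title-link recent-entries-title-link urllist-title recent-entries-title" href="https://disconinja.hatenablog.com/entry/2025/03/16/172354">Spotted a Fake CAPTCHA – Let’s Analyze It!</a>
            </div>
          </li>
          <li class="urllist-item recent-entries-item">
            <div class="urllist-item-inner recent-entries-item-inner">
              <a class="urllist-title-link recent-entries-title-link urllist-title recent-entries-title" href="https://disconinja.hatenablog.com/entry/2025/03/11/123138">MetaStealer, which I found by chance Part1</a>
            </div>
          </li>
          <li class="urllist-item recent-entries-item">
            <div class="urllist-item-inner recent-entries-item-inner">
              <a class="urllist-title-link recent-entries-title-link urllist-title recent-entries-title" href="https://disconinja.hatenablog.com/entry/2025/03/10/212248">日本におけるC2サーバ調査(Week 10 2025)</a>
            </div>
          </li>
          <li class="urllist-item recent-entries-item">
            <div class="urllist-item-inner recent-entries-item-inner">
              <a class="urllist-title-link recent-entries-title-link urllist-title recent-entries-title" href="https://disconinja.hatenablog.com/entry/2025/03/03/191041">日本におけるC2サーバ調査(Week 9 2025)</a>
            </div>
          </li>
          <li class="urllist-item recent-entries-item">
            <div class="urllist-item-inner recent-entries-item-inner">
              <a class="urllist-title-link recent-entries-title-link urllist-title recent-entries-title" href="https://disconinja.hatenablog.com/entry/2025/02/24/120055">日本におけるC2サーバ調査(Week 8 2025)</a>
            </div>
          </li>
        </ul>
      </div>
    </div>
    <!-- Monthly archive module. -->
    <div class="hatena-module hatena-module-archive" data-archive-type="default" data-archive-url="https://disconinja.hatenablog.com/archive">
      <div class="hatena-module-title">
        <a href="https://disconinja.hatenablog.com/archive">月別アーカイブ</a>
      </div>
      <div class="hatena-module-body">
        <ul class="hatena-urllist">
          <li class="archive-module-year archive-module-year-hidden" data-year="2025">
            <!-- Expand/collapse toggles are non-focusable spans; keyboard users cannot reach them unless the script adds focus handling. -->
            <div class="archive-module-button">
              <span class="archive-module-hide-button">▼</span>
              <span class="archive-module-show-button">▶</span>
            </div>
            <a class="archive-module-year-title archive-module-year-2025" href="https://disconinja.hatenablog.com/archive/2025">2025</a>
            <ul class="archive-module-months">
              <li class="archive-module-month">
                <a class="archive-module-month-title archive-module-month-2025-3" href="https://disconinja.hatenablog.com/archive/2025/03">2025 / 3</a>
              </li>
              <li class="archive-module-month">
                <a class="archive-module-month-title archive-module-month-2025-2" href="https://disconinja.hatenablog.com/archive/2025/02">2025 / 2</a>
              </li>
              <li class="archive-module-month">
                <a class="archive-module-month-title archive-module-month-2025-1" href="https://disconinja.hatenablog.com/archive/2025/01">2025 / 1</a>
              </li>
            </ul>
          </li>
          <li class="archive-module-year archive-module-year-hidden" data-year="2024">
            <div class="archive-module-button">
              <span class="archive-module-hide-button">▼</span>
              <span class="archive-module-show-button">▶</span>
            </div>
            <a class="archive-module-year-title archive-module-year-2024" href="https://disconinja.hatenablog.com/archive/2024">2024</a>
            <ul class="archive-module-months">
              <li class="archive-module-month">
                <a class="archive-module-month-title archive-module-month-2024-12" href="https://disconinja.hatenablog.com/archive/2024/12">2024 / 12</a>
              </li>
              <li class="archive-module-month">
                <a class="archive-module-month-title archive-module-month-2024-11" href="https://disconinja.hatenablog.com/archive/2024/11">2024 / 11</a>
              </li>
              <li class="archive-module-month">
                <a class="archive-module-month-title archive-module-month-2024-10" href="https://disconinja.hatenablog.com/archive/2024/10">2024 / 10</a>
              </li>
              <li class="archive-module-month">
                <a class="archive-module-month-title archive-module-month-2024-9" href="https://disconinja.hatenablog.com/archive/2024/09">2024 / 9</a>
              </li>
              <li class="archive-module-month">
                <a class="archive-module-month-title archive-module-month-2024-8" href="https://disconinja.hatenablog.com/archive/2024/08">2024 / 8</a>
              </li>
              <li class="archive-module-month">
                <a class="archive-module-month-title archive-module-month-2024-6" href="https://disconinja.hatenablog.com/archive/2024/06">2024 / 6</a>
              </li>
              <li class="archive-module-month">
                <a class="archive-module-month-title archive-module-month-2024-3" href="https://disconinja.hatenablog.com/archive/2024/03">2024 / 3</a>
              </li>
            </ul>
          </li>
          <li class="archive-module-year archive-module-year-hidden" data-year="2023">
            <div class="archive-module-button">
              <span class="archive-module-hide-button">▼</span>
              <span class="archive-module-show-button">▶</span>
            </div>
            <a class="archive-module-year-title archive-module-year-2023" href="https://disconinja.hatenablog.com/archive/2023">2023</a>
            <ul class="archive-module-months">
              <li class="archive-module-month">
                <a class="archive-module-month-title archive-module-month-2023-10" href="https://disconinja.hatenablog.com/archive/2023/10">2023 / 10</a>
              </li>
            </ul>
          </li>
        </ul>
      </div>
    </div>
  </div>
</aside>
</div>
</div>
</div>
</div>
<footer id="footer" data-brand="hatenablog">
<div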
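id="footer-inner">
  <address class="footer-address">
    <a href="https://disconinja.hatenablog.com/">
      <img src="https://cdn.image.st-hatena.com/image/square/c949dbb8f54b121ec1d69262177cd75c08ddd306/backend=imagemagick;height=128;version=1;width=128/https%3A%2F%2Fcdn.user.blog.st-hatena.com%2Fblog_custom_icon%2F159169622%2F1690811193910326" width="16" height="16" alt="Weekend Researcher Tsurezure Diary">
      <span class="footer-address-name">Weekend Researcher Tsurezure Diary</span>
    </a>
  </address>
  <!-- Explicit rel="noopener noreferrer" on the target="_blank" link: older browsers otherwise expose window.opener to the new tab. -->
  <p class="services">
    Powered by <a href="https://hatena.blog/">Hatena Blog</a> |
    <a class="report-abuse-link test-report-abuse-link" href="https://blog.hatena.ne.jp/-/abuse_report?target_url=https%3A%2F%2Fdisconinja.hatenablog.com%2F" target="_blank" rel="noopener noreferrer">ブログを報告する</a>
  </p>
</div>
</footer>
<script async src="https://s.hatena.ne.jp/js/widget/star.js"></script>
<!-- NOTE(review): the inline scripts on this page need a nonce or hash before a strict CSP (no 'unsafe-inline') can be applied. -->
<script>
  // Ensure the Hatena.Star namespace exists before star.js (loaded async above) runs.
  if (typeof window.Hatena === 'undefined') {
    window.Hatena = {};
  }
  if (!Hatena.hasOwnProperty('Star')) {
    Hatena.Star = { VERSION: 2 };
  }
</script>
<div id="fb-root"></div>
<script>
  // Facebook SDK loader. The scheme is explicit (the original used a protocol-relative
  // URL) so the SDK is never fetched over plain http if the page is ever served that way.
  (function (d, s, id) {
    var js, fjs = d.getElementsByTagName(s)[0];
    if (d.getElementById(id)) return;
    js = d.createElement(s);
    js.id = id;
    js.src = "https://connect.facebook.net/ja_JP/sdk.js#xfbml=1&appId=719729204785177&version=v17.0";
    fjs.parentNode.insertBefore(js, fjs);
  }(document, 'script', 'facebook-jssdk'));
</script>
<!-- Quote (引用) tooltip: stock or post the selected text. -->
<div class="quote-box">
  <div class="tooltip-quote tooltip-quote-stock">
    <i class="blogicon-quote" role="img" aria-label="引用をストック" title="引用をストック"></i>
  </div>
  <div class="tooltip-quote tooltip-quote-tweet js-tooltip-quote-tweet">
    <a class="js-tweet-quote" target="_blank" rel="noopener noreferrer" data-track-name="quote-tweet" data-track-once>
      <img src="https://cdn.blog.st-hatena.com/images/admin/quote/quote-x-icon.svg?version=5fa31e35d1ab9280564e15ff7dbf6f" alt="引用して投稿する" title="引用して投稿する">
    </a>
  </div>
</div>
<!-- Quote status boxes. Visibility is presumably toggled through inline style by script — confirm before replacing these with the hidden attribute. -->
<div class="quote-stock-panel" id="quote-stock-message-box" style="position: absolute; z-index: 3000">
  <div class="message-box" id="quote-stock-succeeded-message" style="display: none">
    <p>引用をストックしました</p>
    <button class="btn btn-primary" id="quote-stock-show-editor-button" data-track-name="curation-quote-edit-button" type="button">ストック一覧を見る</button>
    <button class="btn quote-stock-close-message-button" type="button">閉じる</button>
  </div>
  <div class="message-box" id="quote-login-required-message" style="display: none">
    <p>引用するにはまずログインしてください</p>
    <button class="btn btn-primary" id="quote-login-button" type="button">ログイン</button>
    <button class="btn quote-stock-close-message-button" type="button">閉じる</button>
  </div>
  <div class="error-box" id="quote-stock-failed-message" style="display: none">
    <p>引用をストックできませんでした。再度お試しください</p>
    <button class="btn quote-stock-close-message-button" type="button">閉じる</button>
  </div>
  <div class="error-box" id="unstockable-quote-message-box" style="display: none; position: absolute; z-index: 3000;">
    <p>限定公開記事のため引用できません。</p>
  </div>
</div>
<script type="x-underscore-template" id="js-requote-button-template">
  <div class="requote-button js-requote-button">
    <button class="requote-button-btn tipsy-top" title="引用する"><i class="blogicon-quote"></i></button>
  </div>
</script>
<!-- Hidden copy of the follow toggle, cloned by script where needed. -->
<div id="hidden-subscribe-button" style="display: none;">
  <div class="hatena-follow-button-box btn-subscribe js-hatena-follow-button-box">
    <a class="hatena-follow-button js-hatena-follow-button" href="#">
      <span class="subscribing">
        <span class="foreground">読者です</span>
        <span class="background">読者をやめる</span>
      </span>
      <span class="unsubscribing" data-track-name="profile-widget-subscribe-button" data-track-once>
        <span class="foreground">読者になる</span>
        <span class="background">読者になる</span>
      </span>
    </a>
    <div class="subscription-count-box js-subscription-count-box">
      <i></i>
      <u></u>
      <span class="subscription-count js-subscription-count"> </span>
    </div>
  </div>
</div>
<!-- NOTE(review): none of the external scripts below carries an integrity attribute, so a
     compromised CDN or third party could serve arbitrary code into this origin. vendors.js and
     hatenablog.js already send crossorigin="anonymous"; add integrity="sha384-<HASH_OF_DEPLOYED_BUNDLE>"
     once the build pins the bundle hash. -->
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
<script async src="https://b.st-hatena.com/js/bookmark_button.js" charset="utf-8"></script>
<!-- jQuery 1.12.4 is an unmaintained 1.x release; confirm the hosted copy carries the
     XSS / prototype-pollution fixes that later jQuery releases shipped. -->
<script src="https://cdn.blog.st-hatena.com/js/external/jquery.min.js?v=1.12.4&amp;version=5fa31e35d1ab9280564e15ff7dbf6f"></script>
<script src="https://cdn.blog.st-hatena.com/js/texts-ja.js?version=5fa31e35d1ab9280564e15ff7dbf6f"></script>
<script id="vendors-js" data-env="production" src="https://cdn.blog.st-hatena.com/js/vendors.js?version=5fa31e35d1ab9280564e15ff7dbf6f" crossorigin="anonymous"></script>
<script id="hatenablog-js" data-env="production" data-page-id="index" src="https://cdn.blog.st-hatena.com/js/hatenablog.js?version=5fa31e35d1ab9280564e15ff7dbf6f" crossorigin="anonymous"></script>
<script>Hatena.Diary.GlobalHeader.init()</script>
<script id="valve-dmp" data-service="blog" data-test-id="dmpjs" src="https://cdn.pool.st-hatena.com/valve/dmp.js" async></script>
</body>
</html>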
