佐川急便のフィッシングサイトを調べてみた / Analysis of sagawa fishing site

ࠤ઒ٸศϑΟογϯά αΠτΛௐ΂ͯΈͨ 2018/08/14 ηΩϡϦςΟΩϟϯϓ શࠃେձ 2018 Tomoyuki KOYAMA

ࣗݾ঺հ • ͜΍· ͱ΋Ώ͖ • ౦ژ޻Պେ 2೥ • શࠃେձ 2017मྃ
• NOCνϡʔλʔ • PyCon JP ελοϑ Twitter: @tmyk_kym Blog: blog.koyama.me

͖͔͚ͬ TBHBXBNNDPN

sagawa-mm.com

औಘ/ൺֱ $ curl -s http://www.sagawa-exp.co.jp/  > white # ਖ਼نαΠτ  $
curl -s http://sagawa-mm.com/   > black # ِαΠτ $ vim -d white black # ൺֱ

$ vim -d black white

ൺֱ:ِαΠτʹͷΈଘࡏ <body onclick="  document.getElementById('downloadapk').click();">  <a href="sagawa.apk" id="downloadapk" css="display:none;" download="sagawa.apk"></a> ʙলུʙ
<dd class=“input"><center> <a href="sagawa.apk">  <div class="toiawaseNo jq-placeholder">  <font><b>Πϯετʔϧ</b> </div> </a> <p class="note"></p> </dd>

υϝΠϯͷௐࠪ

υϝΠϯॴ༗ऀΛௐࠪ(ൈਮ) $ whois sagawa-mm.com ߋ৽೔࣌: 2018-07-18T11:24:40.0Z ొ࿥೔: 2018-07-18T11:24:40.0Z ొ࿥ۀऀ: Chengdu
west dimension digital technology Co., LTD ొ࿥ऀ໊: mengmeng li // தࠃͷঁ༏: Meng Li ొ࿥૊৫: li meng meng ొ࿥ॅॴ1: Tan Cheng Zhen Deng Qiao She Q ొ࿥ॅॴ2: Meng Cheng Xian ొ࿥༣ศ൪߸: 010000 ొ࿥ࠃ: cn ొ࿥ి࿩൪߸: +86.13614466925 // தࠃ ٢ྛল ന৓ࢢ ొ࿥Fax: +86.13614466925 ొ࿥ϝʔϧ: mantianxing0111@yahoo.co.jp

ॴ༗ऀΛௐࠪ • RISKIQ, DomainBigData, DomainWatchͰௐࠪ

102 Domains whois৘ใʹ mantianxing0111@yahoo.co.jp   ؚ͕·ΕΔsagawaܥυϝΠϯ

υϝΠϯͷҰ෦ • sagawa-anu\.com // sagawa-??? • sagawa-expr\.com // expressͷදه •
saggawa-exp\.com // ΞϧϑΝϕοτॏͶ • sagawa-co-jp\.com // .Λ-Ͱදݱ • sagawajp\.com // ҧ࿨ײ͕ͳ͍

APKϑΝΠϧͷௐࠪ ಈతղੳ

ݕূ؀ڥ/ݕମ • Nexus 7 2013 Wi-Fi • Android 6.0.1 •
sagawa.apk • sagawa-mm\.comΑΓऔಘ • SHA-256: 580a027109ac70b32e4423623dfff5b4c6d52220a 905125332c0af0e231e0387 ˞஫҆શͳ؀ڥͰ  ݕূ͍ͯͩ͘͠͞ɻ ݕূ࣌ʹ͸ωοτϫʔΫ ͷִ཭ͳͲे෼ʹ஫ҙ͠ ͍ͯͩ͘͞ɻ

APKϑΝΠϧ - ಈతղੳ(1)

APKϑΝΠϧ - ಈతղੳ(2) όοΫάϥ΢ϯυ  Ͱ઀ଓΛzҡ࣋z Ṗͷന͍ΞϓϦ͕ ৗற ࠤ઒ٸศ͕ফ͑ͨ

APKϑΝΠϧ - ಈతղੳ(3) Կ΋දࣔ͞Εͣ αʔϏεEH.BJO4FSWJDFΛ  ΋ͭྨࣅ"1,ϑΝΠϧΛൃݟ 4)" BDGBEG CDCEGDEBEEGF GCECGF

APKϑΝΠϧ - ಈతղੳ(4) • tPacketCaptureͰύέοτΩϟϓνϟ ΍ΓऔΓ͕ແ͍

APKϑΝΠϧͷௐࠪ ੩తղੳ

APKΛղੳ(1) 1. apktoolΛΠϯετʔϧ 2. apk͔ΒresσΟϨΫτϦΛऔΓग़͢  $ apktool d sagawa.apk

APKΛղੳ(2) 1. ϑΝΠϧ classes.dex ΛऔΓग़͢  $ unzip sagawa.apk 2. dex2jar
ΛΠϯετʔϧ 3. dexϑΝΠϧ͔ΒjarϑΝΠϧΛੜ੒  $ bash d2j-dex2jar.sh ../unziped/classes.dex

APKΛղੳ(3) 1. jarϑΝΠϧΛల։  $ unzip classes-dex2jar.jar 2. JavaDecompiler ΛΠϯετʔϧ 3.
JavaDecompiler Ͱ1ͷιʔεΛ։͘

σίϯύΠϥͰιʔεΛಡΉ

ϑΝΠϧҰཡ • gfer/DhsActivity$1.java • gfer/DhsActivity.java // ΤϯτϦϙΠϯτ • tog/essMyApplication$1.java •
tog/essMyApplication$a.java • tog/vtdMyWebActivity.java • tog/essMyApplication.java • gig/dgMainService.java • a.java • goda/eeftMyReceiver.java

ଞͷυϝΠϯ • ϝʔϧΞυϨε: 21449497@qq.com

佐川急便のフィッシングサイトを調べてみた / Analysis of sagawa fishi...

佐川急便のフィッシングサイトを調べてみた / Analysis of sagawa fishing site

Tomoyuki KOYAMA

More Decks by Tomoyuki KOYAMA

Other Decks in Technology

Featured

Transcript

ࠤ઒ٸศϑΟογϯά αΠτΛௐ΂ͯΈͨ 2018/08/14 ηΩϡϦςΟΩϟϯϓ શࠃେձ 2018 Tomoyuki KOYAMA

ࣗݾ঺հ • ͜΍· ͱ΋Ώ͖ • ౦ژ޻Պେ 2೥ • શࠃେձ 2017मྃ

͖͔͚ͬ TBHBXBNNDPN

sagawa-mm.com

औಘ/ൺֱ $ curl -s http://www.sagawa-exp.co.jp/  > white # ਖ਼نαΠτ  $

$ vim -d black white

ൺֱ:ِαΠτʹͷΈଘࡏ <body onclick="  document.getElementById('downloadapk').click();">  <a href="sagawa.apk" id="downloadapk" css="display:none;" download="sagawa.apk"></a> ʙলུʙ

υϝΠϯͷௐࠪ

υϝΠϯॴ༗ऀΛௐࠪ(ൈਮ) $ whois sagawa-mm.com ߋ৽೔࣌: 2018-07-18T11:24:40.0Z ొ࿥೔: 2018-07-18T11:24:40.0Z ొ࿥ۀऀ: Chengdu

ॴ༗ऀΛௐࠪ • RISKIQ, DomainBigData, DomainWatchͰௐࠪ

102 Domains whois৘ใʹ mantianxing0111@yahoo.co.jp   ؚ͕·ΕΔsagawaܥυϝΠϯ

υϝΠϯͷҰ෦ • sagawa-anu\.com // sagawa-??? • sagawa-expr\.com // expressͷදه •

APKϑΝΠϧͷௐࠪ ಈతղੳ

ݕূ؀ڥ/ݕମ • Nexus 7 2013 Wi-Fi • Android 6.0.1 •