This one hit a weblogic honeypot.
Wallet ID: 43ZSpXdMerQGerimDrUviDN6qP3vkwnkZY1vvzTV22AbLW1oCCBDstNjXqrT3anyZ22j7DEE74GkbVcQFyH2nNiC3fchGfc
Uses minexmr.com and supportxmr.com
#Update
$WmiName = 'root\cimv2:PowerShell_Command'
Nicholas Albright nma-io
nma-io
/ gist:4fd73f5031a5012bf0063ca962f6d3f0
Created
May 23, 2018 15:58
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### Keybase proof | |
| I hereby claim: | |
| * I am nma-io on github. | |
| * I am nma_io (https://keybase.io/nma_io) on keybase. | |
| * I have a public key ASB5e6gJqexrjBxhz6XjWxjilUicAEpypPaWsY_RFu7ZhQo | |
| To claim this, I am signing this object: |
nma-io
/ CryptoMiner Found in wild
Last active
November 2, 2018 22:44
This was observed through our SOC via an unsuccessful JexBoss attack. We're calling it NineBooms
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $counters = (Get-Counter '\Process(*)\% Processor Time').CounterSamples | |
| $malwares = "Kilence","alm","vag_pag","office","pws_lotinfo_trans","aspnet_state","tasksvr","ekrn","iems","secscan","mysql","trustedinstaller","safedogsiteiis","write","360cleanhelper","sw_magik_gss","wd160session","smsservice","360rps","win1nit","npinst","xmrig","mrservicehost","360rp","hrate","xmr","laozi","csrs","postgres","csrv","safedogguardcenter","sl_gps_msg","javaservice","lsass","taskngr","dc","aipcopywlh64","xqjxke","sl_gps_rule","svhosts","qqexternal","streamserver","qv","sapstartsrv","avgcsrva","360se","alarmservice","nscpucnminer64","thunderplatform","xmrig32","ntrtscan","arp","a8service","msiexev","rsturboball","sl_join_bb808","ramdial","sl_upload809_1","beasvcx64","ptzproxyservice","connect","runtimebroker","system64","win1ogin","sql31","vmware","systemiissec","werfault","w3wp","snmpd","conhosts","taskhots","icrawlers_fbs_cjd","systmss","calcserviced","wmiprvser","bcompare","helppanc","memcached","qqpctray","see64","sl_join |
nma-io
/ Security_Docker_101.md
Last active
August 26, 2020 00:48
A quick guide to deploying some Security Docker Containers.
Grab a copy of Docker for your platform here: https://www.docker.com/community-edition#/download Follow the installation guide and tune the docker system to run with as much memory and CPU as you're willing to feed to it.
Local Debian instance: debian:latest
Metasploit: remnux/metasploit