SANS Internet Storm Center

Bitcoin Miner File Upload via FTP
I wrote a diary six months ago about using INetSim as a honeypot. Over the past few weeks I have captured only one package type uploaded through the FTP service to my honeypot, Bitcoin Miner. As for the web service, I have been getting several times the same command (captured as a file) as an ASCII encoded command (cmd=): cmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20%65%63%68%6F%20%2D%6E%65%20%5C%5C%78%33%36%31%30%63%6B%65%72%20%3E%20%36%31%30%63%6B%65%72%2E%74%78%74%20%26%26%20%63%61%74%20%36%31%30%63%6B%65%72%2E%74%78%74 The command translate into a UNIX command as follow: cd /var/tmp && echo -ne \\x3610cker > 610cker.txt && cat 610cker.txt Some of the web GET/POST traffic captured over HTTP/SSL: url=http://192.168.152.84/robots.txt url=http://192.168.152.84/sitemap.xml url=http://testp3.pospr.waw.pl/testproxy.php url=http://192.168.152.84:8080/manager/html url=http://www.7777757.com/ url=http://192.168.152.84/xmlrpc.php url=http://192.168.152.84:8080/ url=http://www.aszw8.com/ url=http://www.7777757.com/ url=http://testp4.pospr.waw.pl/testproxy.php url=http://testp4.pospr.waw.pl/testproxy.php url=http://192.168.152.84:8080/manager/html url=https://192.168.152.84:443/ url=http://www.aszw8.com/ url=http://192.168.152.84:8080/script url=https://192.168.152.84/ url=http://192.168.152.84:8080/manager/html url=http://192.168.152.84:8080/manager/html url=http://testp4.pospr.waw.pl/testproxy.php The first 5 files are all the same file; the file was uploaded via FTP multiple times and is a well known Bitcoin Miner package. The last file was also uploaded a few days ago and is also a new type of Bitcoin Miner package (zip): [1] 1578496 Oct 25 00:49 2288866c1ed93431bc46df5c83977dda64272144 [2] 1578496 Oct 29 05:39 63a61c7878e5a6265c7b13c1d59bd5661f4e282e [3] 1578496 Oct 30 11:42 8bf6f9ce6816efe45b2088ca0bb8ed3dfce9b66d [4] 1578496 Oct 31 05:10 30e4c2bb076f87b3e6f2dd996eb8d204f006e642 [5] 1578496 Oct 31 16:35 89bc907d3dcb89eefa36d718fc796f2e709223c0 [6] 3528005 Nov 8 10:21 412b618589ce9eed3d893b81be20a3f2c51d5ce4 (zip file contains IMG001.scr and information.vbe) Virustotal Results [1][2][3][4][5] https://www.virustotal.com/en/file/807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d/analysis/ [6] https://www.virustotal.com/en/file/7126b9932dc0cdfe751340edfa7c4a14b69262eb1afd0530e6d1fdb2e25986dd/analysis/ [7] https://isc.sans.edu/forums/diary/INetSim+as+a+Basic+Honeypot/21055 [8] http://www.rapidtables.com/convert/number/hex-to-ascii.htm ----------- Guy Bruneau IPSS Inc. Twitter: GuyBruneau gbruneau at isc dot sans dot edu	Guy 515 Posts ISC Handler Nov 13th 2016
Thread locked Subscribe	Nov 13th 2016 5 years ago
Again I know my lack of knowledge on this subject will stand out, but what is x3610cker?	jACKtheRipper 67 Posts
Quote	Nov 14th 2016 5 years ago
According to https://www.protectwise.com/blog/observing-large-scale-router-exploit-attempts.html this is an attempt to ID vulnerable home routers	jACKtheRipper 1 Posts
Quote	Nov 14th 2016 5 years ago
This command cd /var/tmp && echo -ne \\x3610cker > 610cker.txt && cat 610cker.txt attempts to create a file in /var/tmp x3610cker and then try to read it.	Guy 515 Posts ISC Handler
Quote	Nov 15th 2016 5 years ago
ahhh im pretty on point with bash scripting, but sometimes stuff just flys right by me. I think it might be that in the dairy it is read to me as (this is due to font im sure) cd /var/tmp && echo -ne \|\|x3610cker > 610cker.txt && cat 610cker.txt idk, thats what threw me off. edit: ahhhhh its cause it was all italicized and \\ italicized is \|\|	jACKtheRipper 67 Posts
Quote	Nov 15th 2016 5 years ago