
NINE BOOMS MONERO MINER

On the afternoon of Friday, February 23rd, 2018 the Emagined Security Research team reviewed an alert passed through our Security Operations team involving a JMXInvokerServlet hit.

Based upon traffic patterns and the user agent strings, the team believes the actor is using JexBoss to automate this exploit.


Within the attack code was an obvious PowerShell Downloader pointing to 200[.]7[.]97[.]205, using port 8086. The IP address is reportedly in the Netherlands.


The team immediately captured the text file, which itself was a PowerShell file that downloaded a second stage binary.


The files noted, 32Kilences and 64Kilences.exe, are two builds of the same executable, one for 32-bit Windows and another for 64-bit Windows. In Hungarian, Kilences means "Nine."


The team also found that a "lin.txt" is present on the same host, which provides two files for Linux:


BoomBoom is a 64-bit statically compiled ELF binary, while BoomBoom2 is the 32-bit version.


The team set out to decompile the binary, which the attackers made very easy:


32Kilences.exe: PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
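As an added triage example (not code from the original post), the script below reproduces the check that `file` performed above: it confirms a PE image, reads its machine type, looks for an embedded RAR archive signature (the self-extractor pattern seen here), and records the MD5 so the hash can be compared against the indicators in the write-up. The sample bytes are constructed here for illustration; the magic values are the documented PE and RAR format constants.

```python
import hashlib

# Format constants from the PE and RAR specifications (not page-specific values)
MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"
RAR4_SIGNATURE = b"Rar!\x1a\x07\x00"
RAR5_SIGNATURE = b"Rar!\x1a\x07\x01\x00"
MACHINE_NAMES = {0x14C: "i386", 0x8664: "x86-64"}


def classify_pe(data: bytes) -> dict:
    """Triage record for a blob: PE or not, machine type, embedded RAR offset, MD5."""
    record = {"is_pe": False, "machine": None, "rar_offset": None,
              "md5": hashlib.md5(data).hexdigest()}
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return record
    # e_lfanew at offset 0x3C points to the PE signature
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return record
    record["is_pe"] = True
    machine = int.from_bytes(data[e_lfanew + 4:e_lfanew + 6], "little")
    record["machine"] = MACHINE_NAMES.get(machine, hex(machine))
    # A RAR signature anywhere past the header is the SFX stub + archive layout;
    # this is a triage heuristic, so treat a hit as a candidate for unpacking.
    for sig in (RAR4_SIGNATURE, RAR5_SIGNATURE):
        offset = data.find(sig)
        if offset != -1:
            record["rar_offset"] = offset
            break
    return record


def is_sfx_candidate(data: bytes) -> bool:
    """True when the blob is a PE image carrying an embedded RAR archive."""
    record = classify_pe(data)
    return record["is_pe"] and record["rar_offset"] is not None


def build_sample(machine: int = 0x14C, with_rar: bool = True) -> bytes:
    """Constructed minimal PE-like blob for testing; not a real executable."""
    header = bytearray(MZ_MAGIC + b"\x00" * 0x3A)          # DOS stub up to 0x3C
    header += (0x40).to_bytes(4, "little")                  # e_lfanew -> 0x40
    header += PE_SIGNATURE + machine.to_bytes(2, "little") + b"\x00" * 18
    payload = b"\x00" * 64
    if with_rar:
        payload += RAR4_SIGNATURE + b"constructed archive body"
    return bytes(header) + payload


if __name__ == "__main__":
    print(classify_pe(build_sample()))
```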


After decompressing the RAR self-extracting executable we're provided two new files:

  • MD5 (run.bat) = ac229848385ba895cffd5523602b7162

  • MD5 (systemgo.exe) = 646cb81ec7e8aaa93a7580491edeb56e

SystemGo.exe is a popular Monero miner, and Run.bat gives us all of the important details: