@unixfreaxjp
Last active May 13, 2019 09:51
SystemTen "kerberods"/"khugepageds" ELF trojan installer, miner, RCE bot-client and rootkit (ex-Rocke) - The IOC data
Category Type Comment Value to_ids date object_relation attribute_tag object_uuid object_name object_meta_category
External analysis link Vulnerability information https://isc.sans.edu/diary/rss/24916 0 1557084322
External analysis link Vulnerability information https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html 0 1557084322
External analysis link Vulnerability information https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc 0 1557084322
External analysis link Security Advisory https://jenkins.io/security/advisory/2019-01-08/ 0 1557084322
External analysis link Security Advisory https://confluence.atlassian.com/doc/confluence-security-advisory-2019-04-17-968660855.html 0 1557084322
External analysis link MMD analysis incidents Mar-Apr 2019 https://imgur.com/a/H7YuWuj 0 1557082910
External analysis link MMD analysis incidents Mar-Apr 2019 https://old.reddit.com/r/LinuxMalware/comments/bfaea2/fun_in_dissecting_lsd_packer_elf_golang_miner/ 0 1557082910
External analysis link MMD analysis incidents Mar-Apr 2019 https://community.atlassian.com/t5/Confluence-questions/How-come-my-confluence-installation-was-hacked-by-Kerberods/qaq-p/1054605#M141274 0 1557084322
Payload delivery vulnerability Service vulnerability aimed CVE-2018-1000861 0 1557084003
Payload delivery vulnerability Service vulnerability aimed CVE-2019-3395 0 1557084003
Payload delivery vulnerability Service vulnerability aimed CVE-2019-3396 0 1557084003
Payload delivery vulnerability Service vulnerability aimed CVE-2019-1003033 0 1557084003
Payload delivery vulnerability Service vulnerability aimed CVE-2019-1003030 0 1557084003
Payload delivery vulnerability Service vulnerability aimed CVE-2019-1003029 0 1557084003
Artifacts dropped md5 Malicious payload hash aaccd774ad12d683554866dcf144ad73 0 1557083319
Artifacts dropped md5 Malicious payload hash 8ecf8e7653e6a67d61ff03e0c61f3825 0 1557083319
Artifacts dropped md5 Malicious payload hash d8dfa3690186ca8ab80cb1028b01a770 0 1557083281
Artifacts dropped md5 Malicious payload hash b39d9cbe6c63d7a621469bf13f3ea466 0 1557083273
Artifacts dropped md5 Malicious payload hash a1e0e218b3b7c063bbf3f21003763548 0 1557083329
Artifacts dropped md5 Malicious payload hash bedc270205ee06817ab6b3d58f260794 0 1557083348
Artifacts dropped md5 Malicious payload hash 5301972a7ef320e894274a38f0bb2b2c 0 1557083358
Artifacts dropped md5 Malicious payload hash 17e9e888b8d0f374b5c623ae6b6d6cc6 0 1557083339
Payload delivery filename elf trojan installer /tmp/kerberods 0 1557083018
Payload delivery filename elf monero miner xmrig /tmp/khugepageds 0 1557083018
Payload delivery filename elf trojan bot /tmp/kthrotlds 0 1557083018
Payload delivery filename elf trojan bot /tmp/kintegrityds 0 1557083018
Payload delivery filename elf trojan installer /tmp/kpsmouseds 0 1557083019
Payload delivery filename elf trojan bot /tmp/kerb 0 1557083019
Payload delivery filename persistence /etc/cron.d/tomcat 0 1557083019
Payload delivery filename persistence /etc/cron.d/root 0 1557083019
Payload delivery filename persistence /var/spool/cron/root 0 1557083019
Payload delivery filename persistence /var/spool/cron/crontabs/root 0 1557083019
Payload delivery filename elf trojan bot /usr/sbin/kthrotlds 0 1557083019
Payload delivery filename elf trojan bot /usr/sbin/kintegrityds 0 1557083019
Payload delivery filename elf trojan installer /usr/sbin/kerberods 0 1557083019
Payload delivery filename elf trojan installer /usr/sbin/kpsmouseds 0 1557083019
Payload delivery filename persistence /etc/rc.d/init.d/kthrotlds 0 1557083019
Payload delivery filename persistence /etc/rc.d/init.d/kerberods 0 1557083019
Payload delivery filename persistence /etc/rc.d/init.d/kpsmouseds 0 1557083019
Payload delivery filename persistence /etc/rc.d/init.d/kintegrityds 0 1557083019
Payload delivery filename rootkit module/preload /etc/ld.so.preload 0 1557083019
Payload delivery filename rootkit module/preload /tmp/ld.so.preload 0 1557083019
Payload delivery filename rootkit module/preload /usr/local/lib/libpamcd.so 0 1557083019
Payload delivery filename rootkit module/preload /usr/local/lib/libcset.so 0 1557083019
Payload delivery filename rootkit module/preload /usr/local/lib/libdb-0.1.so 0 1557083019
Payload delivery filename rootkit module/preload /usr/local/lib/libdaemond.so 0 1557083019
Network activity hostname Malware C2 hostnames gwjyhs.com 1 1557083198
Network activity hostname Malware C2 hostnames img.sobot.com 1 1557083198
Network activity hostname Malware C2 hostnames d.heheda.tk 1 1557083198
Network activity hostname Malware C2 hostnames c.heheda.tk 1 1557083198
Network activity hostname Malware C2 hostnames dd.heheda.tk 1 1557083198
Network activity hostname Malware C2 hostnames systemten.org 1 1557083198
Network activity hostname Malware C2 hostnames w.3ei.xyz 1 1557083198
Network activity hostname Malware C2 hostnames w.21-3n.xyz 1 1557083198
Network activity hostname Malware C2 hostnames t.w2wz.cn 1 1557083198
Network activity hostname Malware C2 hostnames 1.z9ls.com 1 1557083198
Network activity hostname Malware C2 hostnames yxarsh.shop 1 1557083198
Network activity hostname Malware C2 hostnames i.ooxx.ooo 1 1557083198
Network activity hostname Malware C2 hostnames baocangwh.cn 1 1557083198
Network activity hostname Malware C2 hostnames sowcar.com 1 1557083198
Network activity ip-dst Original C2 IP 42.56.76.104 1 1557083487
Network activity ip-dst Original C2 IP 47.90.213.21 1 1557083487
Network activity ip-dst Original C2 IP 47.90.213.22 1 1557083487
Network activity ip-dst Original C2 IP 116.62.232.226 1 1557083487
Network activity ip-dst Original C2 IP 211.91.160.238 1 1557083487
Network activity ip-dst Original C2 IP 221.204.60.69 1 1557083487
Network activity ip-dst Original C2 IP 103.52.216.35 1 1557083487
Network activity ip-dst Original C2 IP 45.63.0.102 1 1557083487
Network activity ip-dst Original C2 IP 104.238.151.101 1 1557083487
Network activity ip-dst Original C2 IP 104.248.53.213 1 1557083487
Network activity ip-dst Original C2 IP 134.209.104.20 1 1557083487
Network activity ip-dst Original C2 IP 198.204.231.250 1 1557083487
Network activity bgp attacker network 211.91.160.238,AS4837,211.91.160.0/20,CHINA169,CN 1 1557083487
Network activity bgp attacker network 221.204.60.69,AS4837,221.204.0.0/15,CHINA169,CN 1 1557083487
Network activity bgp attacker network 42.56.76.104,AS4837,42.56.0.0/14,CHINA169,CN 1 1557083487
Network activity bgp attacker network 47.90.213.21,AS45102,47.90.192.0/18,CNNIC-ALIBABA-US-NET,CN 1 1557083487
Network activity bgp attacker network 47.95.85.22,AS37963,47.94.0.0/15,CNNIC-ALIBABA-CN-NET,CN 1 1557083487
Network activity bgp attacker network 116.62.232.226,AS37963,116.62.128.0/17,CNNIC-ALIBABA-CN-NET,CN 1 1557083487
Network activity bgp attacker network 103.52.216.35,AS132203,103.52.216.0/23,TENCENT-NET-AP,CN 1 1557083487
Network activity bgp attacker network 45.63.0.102,AS20473,45.63.0.0/20,AS-CHOOPA,US 1 1557083487
Network activity bgp attacker network 104.238.151.101,AS20473,104.238.148.0/22,AS-CHOOPA,US 1 1557083487
Network activity bgp attacker network 104.248.53.213,AS14061,104.248.48.0/20,DIGITALOCEAN-ASN,US 1 1557083487
Network activity bgp attacker network 134.209.104.20,AS14061,134.209.96.0/20,DIGITALOCEAN-ASN,US 1 1557083487
Network activity bgp attacker network 198.204.231.250,AS33387,198.204.224.0/19,DataShack,US 1 1557083487
Network activity ip-dst|port Malware used DNS lookup 1.1.1.1|53 0 1557085456
Network activity ip-dst|port Malware used DNS lookup 8.8.8.8|53 0 1557085456
Network activity ip-dst|port Malware used DNS lookup 208.67.222.222|5353 0 1557085456
Network activity ip-dst|port Malware used DNS lookup 208.67.222.222|443 0 1557085456
Social network github-repository Attacker's account helegedada 0 1557083619
Social network pastebin-repository Attacker's account https://pastebin.com/u/SYSTEMTEN 0 1557083694
Social network whois-registrant-email payload domains gwjyhs.com,baocangwh.cn 4592248@qq.com 0 1557083619
Social network whois-registrant-email payload domains w2wz.cn 4592248@gmail.com 0 1557083619
Internal reference text Process to be grep'ed/killed by malware hwlh3wlh44lh Circle_MI xmr xig ddgs qW3xT wnTKYg t00ls.ru sustes thisxxs hashfish kworkerds tmp/devtool systemctI plfsbce luyybce 6Tx3Wq dblaunchs vmlinuz get.bi-chi.com hashvault.pro nanopool.org 119.9.106.27 104.130.210.206 0 1557084127
Payload delivery Certificate ELF Malware Client Certificate -----BEGIN CERTIFICATE----- MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G A1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny 50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj gZUwgZIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtFrkpbPe0lL2udWmlQ/rPrzH /f8wYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNV BAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVz dCBDQYIBADANBgkqhkiG9w0BAQUFAAOCAQEAuP1U2ABUkIslsCfdlc2i94QHHYeJ SsR4EdgHtdciUI5I62J6Mom+Y0dT/7a+8S6MVMCZP6C5NyNyXw1GWY/YR82XTJ8H DBJiCTok5DbZ6SzaONBzdWHXwWwmi5vg1dxn7YxrM9d0IjxM27WNKs4sDQhZBQkF pjmfs2cb4oPl4Y9T9meTx/lvdkRYEug61Jfn6cA+qHpyPYdTH+UshITnmp5/Ztkf m/UTSLBNFNHesiTZeH31NcxYGdHSme9Nc/gfidRa0FLOCfWxRlFqAI47zG9jAQCZ 7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA== -----END CERTIFICATE----- 0 1557084480
Network activity SSL Malware SSL Server Certificate Handshake Protocol: Certificate Certificate Length: 1374 Certificate (id-at-commonName=d.heheda.tk) version: v3 (2) serialNumber : 0x0391959ec679153960186df2c0768f78425e signature (sha256WithRSAEncryption) Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption) rdnSequence: 3 items (id-at-commonName=Let's Encrypt Authority X3, id-at-organizationName=Let's Encrypt, id-at-countryName=US ) Validity not before: utcTime: 19-04-22 01:13:26 (UTC) Validity not after: utcTime: 19-07-21 01:13:26 (UTC) issuer: rdnSequence (0) rdnSequence: 2 items (id-at-commonName=DST Root CA X3, id-at-organizationName=Digital Signature Trust Co.) 0 1557084590