ET SHELLCODE Rothenburg Shellcode flood in log...
-
@jagdtigger said in ET SHELLCODE Rothenburg Shellcode flood in log...:
@bmeeks
Found one of the offending packets:0000 0f 84 90 01 02 00 00 68 d6 04 00 00 66 c7 44 24 .......h....f.D$ 0010 08 02 00 90 00 81 39 52 61 72 21 75 06 b8 01 00 ......9Rar!u.... 0020 00 00 c3 8a 01 3c 37 75 0c 80 79 01 7a 75 06 b8 .....<7u..y.zu.. 0030 02 00 00 00 c3 3c 42 75 0c ff d6 8b 44 24 90 01 .....<Bu....D$.. 0040 01 33 d2 b9 4e 15 00 00 f7 f1 8b c2 3d 13 09 00 .3..N.......=... 0050 00 7d 0e 47 81 ff e8 03 00 00 7c da b8 13 09 00 .}.G......|..... 0060 00 90 00 2e 30 2d 39 2d 5d 7b 31 2c 7d 2e 28 3f ....0-9-]{1,}.(? 0070 3a 69 6e 66 6f 7c 72 75 7c 6e 65 74 7c 62 69 7a :info|ru|net|biz 0080 7c 63 6f 6d 7c 73 75 7c 6f 72 67 29 29 39 34 2e |com|su|org))94. 0090 37 35 2e 90 10 03 00 2e 90 10 03 00 00 90 00 3f 75.............? 00a0 62 61 73 65 3d 00 00 69 6e 64 65 78 2e 70 68 70 base=..index.php 00b0 00 00 00 47 45 54 20 2f 00 45 6d 61 69 6c 47 72 ...GET /.EmailGr 00c0 61 62 62 65 72 2e 65 78 65 00 46 54 50 5f 47 52 abber.exe.FTP_GR 00d0 41 42 42 45 52 31 00 70 63 72 65 5f 63 61 6c 6c ABBER1.pcre_call 00e0 6f 75 74 00 70 63 72 65 5f 63 6f 6d 70 69 6c 65 out.pcre_compile 00f0 00 70 63 72 65 5f 63 6f 6d 70 69 6c 65 32 00 70 .pcre_compile2.p 0100 63 72 65 5f 65 78 65 63 00 70 63 72 65 5f 66 72 cre_exec.pcre_fr 0110 65 65 00 70 63 72 65 5f 6d 61 6c 6c 6f 63 00 70 ee.pcre_malloc.p 0120 63 72 65 5f 73 74 61 63 6b 5f 66 72 65 65 00 70 cre_stack_free.p 0130 63 72 65 5f 73 74 61 63 6b 5f 6d 61 6c 6c 6f 63 cre_stack_malloc 0140 00 a4 21 41 6c 6f 6d 69 6d 2e 41 00 02 00 00 00 ..!Alomim.A..... 0150 ea 1d 02 80 c6 9c 22 6c 78 e2 00 00 df f3 01 d9 ......"lx....... 0160 99 23 31 06 5e d3 24 1a ac 5a 78 2d 8a dd 75 97 .#1.^.$..Zx-..u. 0170 31 c9 83 e9 da d9 ee **d9 74 24 f4 5b 81 73 13** 89 1.......t$.[.s.. 0180 fa fc a2 83 eb fc e2 f4 75 12 b8 a2 89 fa 77 e7 ........u.....w. 0190 b5 71 80 a7 f1 fb 13 29 c6 e2 77 fd a9 fb 17 eb .q.....)..w..... 01a0 02 ce 77 a3 67 cb 3c 3b 25 7e 3c d6 8e 3b 36 af ..w.g.<;%~<..;6. 01b0 88 38 17 56 b2 ae d8 a6 fc 1f 77 fd ad fb 17 c4 .8.V......w..... 
01c0 02 f6 b7 29 d6 e6 fd 49 02 e6 77 a3 62 73 a0 86 ...)...I..w.bs.. 01d0 8d 39 cd 62 ed 71 bc 92 0c 3a 84 ae 02 ba f0 29 .9.b.q...:.....) 01e0 f9 e6 51 29 e1 f2 17 ab 02 7a 4c a2 89 fa 77 ca ..Q).....zL...w. 01f0 b5 a5 cd 54 e9 ac 75 5a 0a 3a 87 f2 e1 0a 76 a6 ...T..uZ.:....v. 0200 d6 92 64 5c 03 f4 ab 5d 6e 89 88 c3 fb 8e dc e1 ..d\...]n....... 0210 b3 a6 8f c7 fb 8c 8f c7 e7 9e d2 c7 f1 9f fc a2 ................ 0220 61 69 6d 3a 67 6f 69 6d 3f 73 63 72 65 65 6e 6e aim:goim?screenn 0230 61 6d 65 3d 90 02 10 26 6d 65 73 73 61 67 65 90 ame=...&message. 0240 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4d 41 ..aRootkitdrv.MA 0250 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4d 42 ..aRootkitdrv.MB 0260 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4d 43 ..aRootkitdrv.MC 0270 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4d 44 ..aRootkitdrv.MD 0280 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4d 45 ..aRootkitdrv.ME 0290 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4d 46 ..aRootkitdrv.MF 02a0 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4d 47 ..aRootkitdrv.MG 02b0 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4d 48 ..aRootkitdrv.MH 02c0 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4d 49 ..aRootkitdrv.MI 02d0 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4d 4a ..aRootkitdrv.MJ 02e0 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4d 4b ..aRootkitdrv.MK 02f0 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4d 4c ..aRootkitdrv.ML 0300 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4d 4d ..aRootkitdrv.MM 0310 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4d 4e ..aRootkitdrv.MN 0320 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4d 4f ..aRootkitdrv.MO 0330 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4d 50 ..aRootkitdrv.MP 0340 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4d 51 ..aRootkitdrv.MQ 0350 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4d 52 ..aRootkitdrv.MR 0360 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4d 53 ..aRootkitdrv.MS 0370 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4d 55 ..aRootkitdrv.MU 0380 00 cc 61 52 6f 6f 74 6b 69 74 64 
72 76 2e 4d 56 ..aRootkitdrv.MV 0390 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4d 58 ..aRootkitdrv.MX 03a0 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4d 59 ..aRootkitdrv.MY 03b0 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4e 41 ..aRootkitdrv.NA 03c0 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4e 42 ..aRootkitdrv.NB 03d0 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4e 43 ..aRootkitdrv.NC 03e0 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4e 44 ..aRootkitdrv.ND 03f0 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4e 45 ..aRootkitdrv.NE 0400 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4e 46 ..aRootkitdrv.NF 0410 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4e 47 ..aRootkitdrv.NG 0420 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4e 48 ..aRootkitdrv.NH 0430 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4e 49 ..aRootkitdrv.NI 0440 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4e 4a ..aRootkitdrv.NJ 0450 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4e 4b ..aRootkitdrv.NK 0460 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4e 4c ..aRootkitdrv.NL 0470 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4e 4d ..aRootkitdrv.NM 0480 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4e 4f ..aRootkitdrv.NO 0490 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4e 50 ..aRootkitdrv.NP 04a0 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e 4e 51 ..aRootkitdrv.NQ
Well, that packet capture causes me to retract my previous statement ... . I would want to thoroughly check out that mini-PC!
-
@jagdtigger Based on the log, I would pull that offline while you examine it....
Looks like some sort of bot running on it....
-
Ok, started a Win Defender offline scan. IDK if it's any good.
Bit more info in the meantime:
Seems like it came from the NAS......
Looks like it's Windows related so I assume it's only the VM itself.
/EDIT
Scan finished, nothing; I'll try the KAV rescue disk. Let's see if Defender is still junk or not.
/EDIT2
Nope, KAV found nothing. Running AV on the Synology NAS (<- iSCSI for VM disks and NFS ISO store) but I doubt it will find anything. The Suricata alert only pops up when the Windows VM is running.
-
sigh
0000 94 c6 91 a1 08 cb 90 e2 ba 0b 1b a2 08 00 45 00 ..............E. 0010 05 dc 00 00 40 00 3f 06 8e b9 0a 7d d2 17 c0 a8 ....@.?....}.... 0020 0a 26 0c bc b8 a6 37 33 83 2b b5 01 b0 da 80 10 .&....73.+...... 0030 60 00 fc be 00 00 01 01 08 0a 1a 51 d6 bd d8 51 `..........Q...Q 0040 3c 59 79 00 73 00 74 00 65 00 6d 00 33 00 32 00 <Yy.s.t.e.m.3.2. 0050 5c 00 77 00 69 00 6e 00 6d 00 65 00 6d 00 73 00 \.w.i.n.m.e.m.s. 0060 2e 00 65 00 78 00 65 00 68 00 74 00 74 00 70 00 ..e.x.e.h.t.t.p. 0070 3a 00 2f 00 2f 00 77 00 77 00 77 00 2e 00 7a 00 :././.w.w.w...z. 0080 76 00 30 00 35 00 2e 00 63 00 6f 00 6d 00 2f 00 v.0.5...c.o.m./. 0090 73 00 79 00 73 00 32 00 21 23 41 4c 46 3a 54 72 s.y.s.2.!#ALF:Tr 00a0 6f 6a 61 6e 3a 55 45 46 49 2f 4d 6f 73 61 69 63 ojan:UEFI/Mosaic 00b0 52 65 67 72 65 73 73 6f 72 2e 43 00 02 00 00 00 Regressor.C..... 00c0 0f b4 00 10 dc ad 5c 4c 61 bf 00 00 51 09 ee f9 ......\La...Q... 00d0 d0 fe 60 ab 98 97 bb 25 47 e6 52 7f f0 1d dc a3 ..`....%G.R..... 00e0 73 00 65 00 74 00 75 00 70 00 69 00 6e 00 66 00 s.e.t.u.p.i.n.f. 00f0 2e 00 6c 00 6f 00 67 00 69 00 6e 00 74 00 65 00 ..l.o.g.i.n.t.e. 0100 6c 00 75 00 70 00 64 00 61 00 74 00 65 00 2e 00 l.u.p.d.a.t.e... 0110 65 00 78 00 65 00 2e 00 5c 00 75 00 73 00 65 00 e.x.e...\.u.s.e. 0120 72 00 73 00 5c 00 70 00 72 00 6f 00 67 00 72 00 r.s.\.p.r.o.g.r. 0130 61 00 6d 00 64 00 61 00 74 00 61 00 5c 00 6d 00 a.m.d.a.t.a.\.m. 0140 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 i.c.r.o.s.o.f.t. 0150 5c 00 77 00 69 00 6e 00 64 00 6f 00 77 00 73 00 \.w.i.n.d.o.w.s. 0160 5c 00 73 00 74 00 61 00 72 00 74 00 20 00 6d 00 \.s.t.a.r.t. .m. 0170 65 00 6e 00 75 00 5c 00 70 00 72 00 6f 00 67 00 e.n.u.\.p.r.o.g. 0180 72 00 61 00 6d 00 73 00 21 23 48 53 54 52 3a 54 r.a.m.s.!#HSTR:T 0190 72 6f 6a 61 6e 3a 57 69 6e 33 32 2f 55 72 73 6e rojan:Win32/Ursn 01a0 69 66 2e 53 53 32 21 4d 54 42 00 02 00 00 00 10 if.SS2!MTB...... 
01b0 b4 00 10 eb 88 be ab 61 c0 00 00 0b 57 42 fc 72 .......a....WB.r 01c0 92 3b 6e 8f c7 61 75 99 18 69 dc d1 40 14 70 21 .;n..au..i..@.p! 01d0 74 68 69 73 20 2d 37 61 66 72 61 6d 20 63 61 6e this -7afram can 01e0 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 64 6f not be run in do 01f0 73 20 6d 6f 64 65 40 2e 66 65 69 67 6a 3a 5c 77 s mode@.feigj:\w 0200 69 74 74 69 66 69 65 64 5c 68 61 74 74 65 6d 69 ittified\hattemi 0210 73 74 5c 75 6e 64 65 72 64 65 61 63 6f 6e 5c 70 st\underdeacon\p 0220 65 6c 65 61 6e 5c 67 61 72 65 77 61 69 74 65 2e elean\garewaite. 0230 70 64 62 68 3a 5c 68 79 70 65 72 64 65 6c 69 63 pdbh:\hyperdelic 0240 61 63 79 5c 63 79 73 74 6f 73 65 5c 64 69 73 67 acy\cystose\disg 0250 75 69 73 65 6d 65 6e 74 5c 74 61 74 74 65 72 64 uisement\tatterd 0260 65 6d 61 6c 69 6f 6e 72 79 5c 70 65 6e 69 6e 76 emalionry\peninv 0270 61 72 69 61 6e 74 2e 70 64 62 21 23 41 4c 46 3a ariant.pdb!#ALF: 0280 48 53 54 52 3a 4c 75 74 69 6d 61 6e 69 53 44 4b HSTR:LutimaniSDK 0290 2e 41 00 02 00 00 00 11 b4 00 10 2e ab 62 5f 61 .A...........b_a 02a0 ca 00 00 8d 5c 8e ad 98 04 7d 4a 74 43 96 49 bc ....\....}JtC.I. 02b0 b1 5f 7f 64 4b 99 35 5c 6c 75 6d 69 6e 61 74 69 ._.dK.5\luminati 02c0 70 00 65 00 72 00 72 00 2e 00 6c 00 75 00 6d 00 p.e.r.r...l.u.m. 02d0 2d 00 73 00 64 00 6b 00 2e 00 69 00 6f 00 6c 00 -.s.d.k...i.o.l. 02e0 75 00 6d 00 5f 00 73 00 64 00 6b 00 36 00 34 00 u.m._.s.d.k.6.4. 02f0 5f 00 63 00 6c 00 72 00 2e 00 64 00 6c 00 6c 00 _.c.l.r...d.l.l. 
0300 6c 75 6d 5f 73 64 6b 5f 61 70 69 5f 69 6e 69 74 lum_sdk_api_init 0310 5f 61 75 74 6f 72 75 6e 5f 63 6c 75 6d 5f 73 64 _autorun_clum_sd 0320 6b 5f 61 70 69 5f 69 6e 69 74 5f 6d 6f 6e 69 74 k_api_init_monit 0330 6f 72 5f 63 62 75 69 6c 64 2e 61 70 70 5f 77 69 or_cbuild.app_wi 0340 6e 36 34 72 5f 6c 75 6d 5c 70 6b 67 5c 77 69 6e n64r_lum\pkg\win 0350 5c 73 64 6b 5c 6c 75 6d 5f 73 64 6b 36 34 2e 64 \sdk\lum_sdk64.d 0360 6c 6c 2e 70 64 62 21 23 41 6c 6c 6f 77 4c 69 73 ll.pdb!#AllowLis 0370 74 3a 54 65 73 6c 61 43 72 79 70 74 44 65 63 6f t:TeslaCryptDeco 0380 64 65 72 00 02 00 00 00 12 b4 00 10 99 14 75 ba der...........u. 0390 61 c5 00 00 1d 04 2e 02 9e 10 cc f4 89 d6 c1 e2 a............... 03a0 6a 24 40 be 26 a9 60 e4 33 00 36 00 30 00 6e 00 j$@.&.`.3.6.0.n. 03b0 65 00 74 00 62 00 61 00 73 00 65 00 2e 00 64 00 e.t.b.a.s.e...d. 03c0 6c 00 6c 00 33 00 36 00 30 00 64 00 65 00 63 00 l.l.3.6.0.d.e.c. 03d0 72 00 79 00 70 00 74 00 6f 00 72 00 5f 00 70 00 r.y.p.t.o.r._.p. 03e0 72 00 69 00 76 00 61 00 74 00 65 00 6b 00 65 00 r.i.v.a.t.e.k.e. 03f0 79 00 2e 00 69 00 6e 00 69 00 33 00 36 00 30 00 y...i.n.i.3.6.0. 0400 2e 00 63 00 6e 00 20 00 69 00 6e 00 63 00 74 00 ..c.n. .i.n.c.t. 0410 65 00 73 00 6c 00 61 00 63 00 72 00 79 00 70 00 e.s.l.a.c.r.y.p. 0420 74 00 64 00 65 00 63 00 6f 00 64 00 65 00 72 00 t.d.e.c.o.d.e.r. 0430 2e 00 64 00 6c 00 6c 00 72 65 6c 65 61 73 65 5c ..d.l.l.release\ 0440 74 65 73 6c 61 63 72 79 70 74 64 65 63 6f 64 65 teslacryptdecode 0450 72 2e 70 64 62 21 23 48 53 54 52 3a 62 6f 74 5f r.pdb!#HSTR:bot_ 0460 65 78 70 6c 6f 69 74 5f 77 69 6e 73 00 02 00 00 exploit_wins.... 
0470 00 13 b4 00 10 0e 26 ab 84 61 cb 00 00 c3 04 5c ......&..a.....\ 0480 3f eb 60 2d ac b9 e2 5a 90 a0 44 c0 1e d3 fa 54 ?.`-...Z..D....T 0490 9a 25 73 20 25 73 3a 20 66 61 69 6c 65 64 20 74 .%s %s: failed t 04a0 6f 20 63 72 65 61 74 65 20 73 6f 63 6b 65 74 25 o create socket% 04b0 73 20 25 73 3a 20 73 65 6c 65 63 74 20 65 72 72 s %s: select err 04c0 6f 72 25 73 20 25 73 3a 20 63 6f 6e 6e 65 63 74 or%s %s: connect 04d0 69 6f 6e 20 66 61 69 6c 65 64 25 73 20 25 73 3a ion failed%s %s: 04e0 20 63 6f 6e 6e 65 63 74 65 64 3a 20 25 73 25 73 connected: %s%s 04f0 20 25 73 3a 20 73 65 6e 64 20 65 72 72 6f 72 20 %s: send error 0500 31 33 c9 83 e9 af d9 ee d9 74 24 f4 5b 81 73 13 13.......t$.[.s. 0510 bb 1e d3 6a 83 eb fc e2 f4 67 74 38 25 73 e7 2c ...j.....gt8%s., 0520 95 64 7e 78 06 9f 3a 78 2f 87 95 af 6f c3 1f 3c .d~x..:x/...o..< 0530 e1 f4 06 78 35 9b 1f 38 89 8b 77 78 5e 30 1f 3d ...x5..8..wx^0.= 0540 5b 21 23 48 53 54 52 3a 57 69 6e 33 32 2f 53 61 [!#HSTR:Win32/Sa 0550 6e 64 62 6f 78 50 72 6f 64 75 63 74 49 64 00 02 ndboxProductId.. 0560 00 00 00 14 b4 00 10 84 28 4f f0 61 c6 00 00 96 ........(O.a.... 0570 79 bb 0a 5e 22 ba ef 31 cf 8e 41 19 c7 e1 20 a5 y..^"..1..A... . 0580 9e fb 39 37 36 34 38 37 2d 36 34 34 2d 33 31 37 ..976487-644-317 0590 37 30 33 37 2d 32 33 35 31 30 00 37 36 34 38 37 7037-23510.76487 05a0 2d 33 33 37 2d 38 34 32 39 39 35 35 2d 32 32 36 -337-8429955-226 05b0 31 34 00 37 36 34 38 37 2d 36 34 30 2d 31 34 35 14.76487-640-145 05c0 37 32 33 36 2d 32 33 38 33 37 00 37 36 34 38 37 7236-23837.76487 05d0 2d 36 34 30 2d 31 34 36 34 35 31 37 2d 32 33 32 -640-1464517-232 05e0 35 39 00 37 36 34 39 37 2d 36 59.76497-6
#ALF:Trojan:UEFI/MosaicRegressor.C
Time to ditch the VM....
/EDIT
While installing the new VM, a new alert popped up:
ET NETBIOS DCERPC DCOM ExecuteShellCommand Call - Likely Lateral Movement
From Proxmox to the NAS, dst port 3260 (iSCSI).... :S I'm going to bed, I'll have the NAS download a fresh ISO from MS (Synology AV didn't find anything during the system scan).
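Before treating a content match like the one above as a live infection, it is worth decoding the dump and looking at what the flagged bytes sit next to. The script below is an added example, not code from the thread or from Suricata: it rebuilds bytes from the offset/hex/ASCII rows posted above, locates the byte sequence the poster bolded in the first dump (assumed here to be what SID 2009247 matches on), and lists the readable ASCII and UTF-16LE strings around each hit. The sample rows are two non-contiguous excerpts copied from the second dump above; the "!#ALF:" and "!#HSTR:" strings they contain read like detection names stored in a signature file rather than anything executing, which is the kind of evidence that supports the "Defender reading its database" hypothesis raised later in the thread.

```python
import re
from typing import List, Optional, Tuple

# The byte sequence the poster bolded in the first dump; assumed here to be what
# SID 2009247 looks for (it recurs in every flagged packet in the thread).
ROTHENBURG = bytes.fromhex("d9 74 24 f4 5b 81 73 13")

# Constructed sample: two non-contiguous excerpts copied from the dump above
# (offset, up to 16 hex bytes, ASCII column). Raw string so the backslashes in
# the ASCII column survive.
SAMPLE_DUMP = r"""
00e0 73 00 65 00 74 00 75 00 70 00 69 00 6e 00 66 00 s.e.t.u.p.i.n.f.
00f0 2e 00 6c 00 6f 00 67 00 69 00 6e 00 74 00 65 00 ..l.o.g.i.n.t.e.
0100 6c 00 75 00 70 00 64 00 61 00 74 00 65 00 2e 00 l.u.p.d.a.t.e...
0110 65 00 78 00 65 00 2e 00 5c 00 75 00 73 00 65 00 e.x.e...\.u.s.e.
0120 72 00 73 00 5c 00 70 00 72 00 6f 00 67 00 72 00 r.s.\.p.r.o.g.r.
0130 61 00 6d 00 64 00 61 00 74 00 61 00 5c 00 6d 00 a.m.d.a.t.a.\.m.
0140 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 i.c.r.o.s.o.f.t.
0150 5c 00 77 00 69 00 6e 00 64 00 6f 00 77 00 73 00 \.w.i.n.d.o.w.s.
0160 5c 00 73 00 74 00 61 00 72 00 74 00 20 00 6d 00 \.s.t.a.r.t. .m.
0170 65 00 6e 00 75 00 5c 00 70 00 72 00 6f 00 67 00 e.n.u.\.p.r.o.g.
0180 72 00 61 00 6d 00 73 00 21 23 48 53 54 52 3a 54 r.a.m.s.!#HSTR:T
0190 72 6f 6a 61 6e 3a 57 69 6e 33 32 2f 55 72 73 6e rojan:Win32/Ursn
01a0 69 66 2e 53 53 32 21 4d 54 42 00 02 00 00 00 10 if.SS2!MTB......
0500 31 33 c9 83 e9 af d9 ee d9 74 24 f4 5b 81 73 13 13.......t$.[.s.
0510 bb 1e d3 6a 83 eb fc e2 f4 67 74 38 25 73 e7 2c ...j.....gt8%s.,
0520 95 64 7e 78 06 9f 3a 78 2f 87 95 af 6f c3 1f 3c .d~x..:x/...o..<
0530 e1 f4 06 78 35 9b 1f 38 89 8b 77 78 5e 30 1f 3d ...x5..8..wx^0.=
0540 5b 21 23 48 53 54 52 3a 57 69 6e 33 32 2f 53 61 [!#HSTR:Win32/Sa
0550 6e 64 62 6f 78 50 72 6f 64 75 63 74 49 64 00 02 ndboxProductId..
"""

# Offset, then 1..16 hex byte pairs; whatever follows (the ASCII column) is ignored.
# A short last row whose ASCII column happens to look like a hex pair would confuse
# this; none of the rows in the thread do.
HEX_LINE = re.compile(r"^\s*([0-9a-fA-F]{4})((?:\s+[0-9a-fA-F]{2}){1,16})")

Segment = Tuple[int, bytes]


def parse_hexdump(text: str) -> List[Segment]:
    """Rebuild (offset, bytes) segments; rows with contiguous offsets are merged."""
    segments: List[Tuple[int, bytearray]] = []
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        off = int(m.group(1), 16)
        data = bytes.fromhex(m.group(2))  # fromhex ignores the separating whitespace
        if segments and segments[-1][0] + len(segments[-1][1]) == off:
            segments[-1][1].extend(data)
        else:
            segments.append((off, bytearray(data)))
    return [(off, bytes(buf)) for off, buf in segments]


def find_pattern(segments: List[Segment], pattern: bytes) -> List[int]:
    """Absolute offsets of every occurrence of pattern (overlapping hits included)."""
    hits = []
    for off, data in segments:
        i = data.find(pattern)
        while i != -1:
            hits.append(off + i)
            i = data.find(pattern, i + 1)
    return hits


def extract_strings(segments: List[Segment], min_len: int = 6) -> List[Tuple[int, str, str]]:
    """Printable ASCII and UTF-16LE runs as (offset, encoding, text), sorted by offset.
    The UTF-16LE pass recovers the 'x.y.z.' text that the ASCII column shows as dots."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for off, data in segments:
        for m in ascii_run.finditer(data):
            found.append((off + m.start(), "ascii", m.group().decode("ascii")))
        for m in utf16_run.finditer(data):
            found.append((off + m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def signature_markers(strings: List[Tuple[int, str, str]]) -> List[str]:
    """Text after the '!#' marker that precedes each detection-name-looking string."""
    return [text[text.index("!#") + 2:] for _, _, text in strings if "!#" in text]


def hit_context(segments, pattern, min_len=6) -> List[Tuple[int, Optional[int], Optional[str]]]:
    """For each pattern hit, the first readable string at or after it: what the
    flagged bytes are sitting next to."""
    strings = extract_strings(segments, min_len)
    out = []
    for hit in find_pattern(segments, pattern):
        after = [s for s in strings if s[0] >= hit]
        out.append((hit, after[0][0], after[0][2]) if after else (hit, None, None))
    return out


if __name__ == "__main__":
    segs = parse_hexdump(SAMPLE_DUMP)
    for hit, soff, text in hit_context(segs, ROTHENBURG):
        where = f"next string at 0x{soff:04x}: {text!r}" if soff is not None else "no string after it"
        print(f"pattern at 0x{hit:04x}; {where}")
    for off, enc, text in extract_strings(segs):
        print(f"0x{off:04x} {enc:8s} {text!r}")
    print("markers:", signature_markers(extract_strings(segs)))
```

Feed it the full dump text (one row per line) instead of the excerpt and it will report every hit and the strings around it; a hit that is followed within a few dozen bytes by a "!#HSTR:" style name, inside a stream on a storage port, is a very different finding from the same bytes arriving in an HTTP response.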
-
0000 94 c6 91 a1 08 cb 90 e2 ba 0b 1b a2 08 00 45 00 ..............E. 0010 04 e4 00 00 40 00 3f 06 8f b1 0a 7d d2 17 c0 a8 ....@.?....}.... 0020 0a 26 0c bc b8 a6 d3 cf 86 5b 1f 22 6c 4a 80 18 .&.......[."lJ.. 0030 60 00 c8 fa 00 00 01 01 08 0a 1a 9f 78 db db 59 `...........x..Y 0040 af 87 5d dc 8f 4d 59 bd 57 ac cd 66 4e d2 8a 14 ..]..MY.W..fN... 0050 01 80 f2 9a 88 10 40 4e 75 f4 8a 14 08 80 f2 9a ......@Nu....... 0060 88 11 41 4e 75 f4 8b 68 fc 8b 30 2b ce 83 e9 05 ..ANu..h..0+.... 0070 89 68 f8 8b 68 fc 2b 08 83 e9 05 89 68 f8 74 04 .h..h.+.....h.t. 0080 2c 05 eb 02 2c 0a 88 84 0d 66 6f 6e 74 73 5c 67 ,...,....fonts\g 0090 90 03 02 02 74 68 62 6d 90 00 26 7a 6f 6e 65 3d ....thbm..&zone= 00a0 25 73 26 73 65 72 76 65 72 3d 25 73 26 6e 61 6d %s&server=%s&nam 00b0 65 3d 25 73 26 70 61 73 73 88 21 53 77 69 7a 7a e=%s&pass.!Swizz 00c0 6f 72 2e 55 00 cc 21 56 42 49 6e 6a 65 63 74 2e or.U..!VBInject. 00d0 67 65 6e 21 41 44 00 a4 21 48 61 62 64 2e 41 00 gen!AD..!Habd.A. 00e0 88 21 42 61 6e 63 6f 73 2e 58 00 8c 21 44 65 6c .!Bancos.X..!Del 00f0 72 61 70 63 61 2e 41 00 da 81 57 6f 66 74 65 65 rapca.A...Woftee 0100 6d 2e 41 00 da 81 57 6f 66 74 65 65 6d 2e 42 00 m.A...Wofteem.B. 0110 da 81 57 6f 66 74 65 65 6d 2e 43 00 a6 81 41 75 ..Wofteem.C...Au 0120 74 6f 72 75 6e 2e 4c 00 a6 81 41 75 74 6f 72 75 torun.L...Autoru 0130 6e 2e 4d 00 8a 81 48 61 6c 6f 66 69 2e 41 00 8a n.M...Halofi.A.. 0140 81 48 61 6c 6f 66 69 2e 42 00 8a 81 48 61 6c 6f .Halofi.B...Halo 0150 66 69 2e 43 00 8a 81 48 61 6c 6f 66 69 2e 44 00 fi.C...Halofi.D. 0160 90 21 45 6d 65 67 72 61 62 2e 41 00 02 00 00 00 .!Emegrab.A..... 0170 e9 1d 02 80 d5 8b ea 08 78 80 01 00 55 4a d2 6f ........x...UJ.o 0180 3f f1 82 1c 79 50 1e ce 81 c4 55 4f 5a 57 db 7f ?...yP....UOZW.. 0190 6a 06 6a 01 6a 02 ff 15 90 01 02 01 05 8b e8 83 j.j.j........... 01a0 fd ff 0f 84 90 01 02 00 00 68 d6 04 00 00 66 c7 .........h....f. 01b0 44 24 08 02 00 90 00 81 39 52 61 72 21 75 06 b8 D$......9Rar!u.. 
01c0 01 00 00 00 c3 8a 01 3c 37 75 0c 80 79 01 7a 75 .......<7u..y.zu 01d0 06 b8 02 00 00 00 c3 3c 42 75 0c ff d6 8b 44 24 .......<Bu....D$ 01e0 90 01 01 33 d2 b9 4e 15 00 00 f7 f1 8b c2 3d 13 ...3..N.......=. 01f0 09 00 00 7d 0e 47 81 ff e8 03 00 00 7c da b8 13 ...}.G......|... 0200 09 00 00 90 00 2e 30 2d 39 2d 5d 7b 31 2c 7d 2e ......0-9-]{1,}. 0210 28 3f 3a 69 6e 66 6f 7c 72 75 7c 6e 65 74 7c 62 (?:info|ru|net|b 0220 69 7a 7c 63 6f 6d 7c 73 75 7c 6f 72 67 29 29 39 iz|com|su|org))9 0230 34 2e 37 35 2e 90 10 03 00 2e 90 10 03 00 00 90 4.75............ 0240 00 3f 62 61 73 65 3d 00 00 69 6e 64 65 78 2e 70 .?base=..index.p 0250 68 70 00 00 00 47 45 54 20 2f 00 45 6d 61 69 6c hp...GET /.Email 0260 47 72 61 62 62 65 72 2e 65 78 65 00 46 54 50 5f Grabber.exe.FTP_ 0270 47 52 41 42 42 45 52 31 00 70 63 72 65 5f 63 61 GRABBER1.pcre_ca 0280 6c 6c 6f 75 74 00 70 63 72 65 5f 63 6f 6d 70 69 llout.pcre_compi 0290 6c 65 00 70 63 72 65 5f 63 6f 6d 70 69 6c 65 32 le.pcre_compile2 02a0 00 70 63 72 65 5f 65 78 65 63 00 70 63 72 65 5f .pcre_exec.pcre_ 02b0 66 72 65 65 00 70 63 72 65 5f 6d 61 6c 6c 6f 63 free.pcre_malloc 02c0 00 70 63 72 65 5f 73 74 61 63 6b 5f 66 72 65 65 .pcre_stack_free 02d0 00 70 63 72 65 5f 73 74 61 63 6b 5f 6d 61 6c 6c .pcre_stack_mall 02e0 6f 63 00 a4 21 41 6c 6f 6d 69 6d 2e 41 00 02 00 oc..!Alomim.A... 02f0 00 00 ea 1d 02 80 c6 9c 22 6c 78 e2 00 00 df f3 ........"lx..... 0300 01 d9 99 23 31 06 5e d3 24 1a ac 5a 78 2d 8a dd ...#1.^.$..Zx-.. 0310 75 97 31 c9 83 e9 da d9 ee d9 74 24 f4 5b 81 73 u.1.......t$.[.s 0320 13 89 fa fc a2 83 eb fc e2 f4 75 12 b8 a2 89 fa ..........u..... 0330 77 e7 b5 71 80 a7 f1 fb 13 29 c6 e2 77 fd a9 fb w..q.....)..w... 0340 17 eb 02 ce 77 a3 67 cb 3c 3b 25 7e 3c d6 8e 3b ....w.g.<;%~<..; 0350 36 af 88 38 17 56 b2 ae d8 a6 fc 1f 77 fd ad fb 6..8.V......w... 0360 17 c4 02 f6 b7 29 d6 e6 fd 49 02 e6 77 a3 62 73 .....)...I..w.bs 0370 a0 86 8d 39 cd 62 ed 71 bc 92 0c 3a 84 ae 02 ba ...9.b.q...:.... 
0380 f0 29 f9 e6 51 29 e1 f2 17 ab 02 7a 4c a2 89 fa .)..Q).....zL... 0390 77 ca b5 a5 cd 54 e9 ac 75 5a 0a 3a 87 f2 e1 0a w....T..uZ.:.... 03a0 76 a6 d6 92 64 5c 03 f4 ab 5d 6e 89 88 c3 fb 8e v...d\...]n..... 03b0 dc e1 b3 a6 8f c7 fb 8c 8f c7 e7 9e d2 c7 f1 9f ................ 03c0 fc a2 61 69 6d 3a 67 6f 69 6d 3f 73 63 72 65 65 ..aim:goim?scree 03d0 6e 6e 61 6d 65 3d 90 02 10 26 6d 65 73 73 61 67 nname=...&messag 03e0 65 90 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e e...aRootkitdrv. 03f0 4d 41 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e MA..aRootkitdrv. 0400 4d 42 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e MB..aRootkitdrv. 0410 4d 43 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e MC..aRootkitdrv. 0420 4d 44 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e MD..aRootkitdrv. 0430 4d 45 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e ME..aRootkitdrv. 0440 4d 46 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e MF..aRootkitdrv. 0450 4d 47 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e MG..aRootkitdrv. 0460 4d 48 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e MH..aRootkitdrv. 0470 4d 49 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e MI..aRootkitdrv. 0480 4d 4a 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e MJ..aRootkitdrv. 0490 4d 4b 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e MK..aRootkitdrv. 04a0 4d 4c 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e ML..aRootkitdrv. 04b0 4d 4d 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e MM..aRootkitdrv. 04c0 4d 4e 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e MN..aRootkitdrv. 04d0 4d 4f 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e MO..aRootkitdrv. 04e0 4d 50 00 cc 61 52 6f 6f 74 6b 69 74 64 72 76 2e MP..aRootkitdrv. 04f0 4d 51 MQ
What the actual F?! All I did after clearing out the usual bloatware was download Firefox straight from Mozilla's site....
-
You appear to have a real mystery on your hands here. Perhaps the malware was not totally eradicated, or else you have other infected hosts that are quickly re-establishing the infection.
-
I deleted the VM so in theory that purged every bit of it. No other Windows machine is running ATM so IDK how it gets infected. Also no other alarm from Suricata that could imply I have a compromised host.....
/EDIT
Suricata alert log:
08/23/2021-17:13:32.799962 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:13:32.963161 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:14:28.261221 [**] [1:2018373:5] ET EXPLOIT Malformed HeartBeat Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:23:41.258658 [**] [1:2018373:5] ET EXPLOIT Malformed HeartBeat Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:26:28.712807 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:38:58.081742 [**] [1:2014819:3] ET INFO Packed Executable Download [**] [Classification: Misc activity] [Priority: 3] {TCP} 31.46.5.80:80 -> 192.168.10.105:50603
08/23/2021-17:39:01.034485 [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.105:50615 -> 31.46.5.80:80
08/23/2021-17:39:01.734259 [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 31.46.5.18:80 -> 192.168.10.105:50614
08/23/2021-17:39:38.226988 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:39:49.058505 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:39:49.067656 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:39:49.086628 [**] [1:2017318:5] ET HUNTING SUSPICIOUS IRC - PRIVMSG *.(exe|tar|tgz|zip) download command [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:40:00.414606 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:40:06.774212 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 192.168.10.38:47270 -> 10.125.210.23:3260
08/23/2021-17:40:56.119765 [**] [1:2018373:5] ET EXPLOIT Malformed HeartBeat Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:43:01.073513 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:43:01.096700 [**] [1:2017318:5] ET HUNTING SUSPICIOUS IRC - PRIVMSG *.(exe|tar|tgz|zip) download command [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:43:03.541890 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:43:32.355036 [**] [1:2018959:4] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 205.185.216.10:80 -> 192.168.10.105:50673
08/23/2021-17:44:58.130630 [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 205.185.216.42:80 -> 192.168.10.105:50704
08/23/2021-17:44:58.270305 [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 205.185.216.10:80 -> 192.168.10.105:50705
08/23/2021-17:44:59.587323 [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 205.185.216.42:80 -> 192.168.10.105:50707
Dumped packet hex for matches:
https://www.dropbox.com/s/4u03qz1lsy39f2z/hex.txt?dl=0 (Nothing is on that PC so I don't mind.)
/EDIT3
Directly exposed services (to the internet, I mean):
haproxy (running on pfSense)
Minecraft server
Apache webserver (exposed through haproxy, extremely limited setup, only capable of serving files)
-
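Reading the alert log above per flow rather than per alert makes its shape visible: nearly every Rothenburg hit is on one long-lived TCP session between the NAS's iSCSI port (3260) and a single ephemeral port on the Proxmox host, firing in both directions, which is what block-storage traffic looks like in a content-matching IDS, while the HTTP alerts belong to a different host entirely. The script below is an added example, not code from the thread or from Suricata; it parses the standard fast.log line format shown above, groups alerts by direction-independent flow, and tags flows riding a known storage port. The sample lines are copied from the log excerpt above, and the storage-port map is an assumption (standard port assignments).

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample: seven lines copied from the fast.log excerpt posted above,
# one alert per line (the forum rendering had run them together).
SAMPLE_FAST_LOG = """\
08/23/2021-17:13:32.799962  [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:14:28.261221  [**] [1:2018373:5] ET EXPLOIT Malformed HeartBeat Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:38:58.081742  [**] [1:2014819:3] ET INFO Packed Executable Download [**] [Classification: Misc activity] [Priority: 3] {TCP} 31.46.5.80:80 -> 192.168.10.105:50603
08/23/2021-17:39:49.086628  [**] [1:2017318:5] ET HUNTING SUSPICIOUS IRC - PRIVMSG *.(exe|tar|tgz|zip) download command [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:40:06.774212  [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 192.168.10.38:47270 -> 10.125.210.23:3260
08/23/2021-17:43:32.355036  [**] [1:2018959:4] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 205.185.216.10:80 -> 192.168.10.105:50673
08/23/2021-17:44:58.130630  [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 205.185.216.42:80 -> 192.168.10.105:50704
"""

# One fast.log alert line: timestamp, [gid:sid:rev], message, classification,
# priority, protocol, src:port -> dst:port (IPv4 only; IPv6 needs a different split).
FAST_LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[^\s:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^\s:]+):(?P<dport>\d+)\s*$"
)

# Assumed map of well-known storage ports (standard assignments, not from the thread).
STORAGE_PORTS = {3260: "iscsi", 2049: "nfs", 445: "smb"}

Endpoint = Tuple[str, int]
FlowKey = Tuple[Endpoint, Endpoint]


def parse_fast_log(text: str) -> List[dict]:
    """Parse fast.log text into one dict per alert; non-matching lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_LINE.match(line)
        if not m:
            continue
        a = m.groupdict()
        for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
            a[k] = int(a[k])
        alerts.append(a)
    return alerts


def flow_key(a: dict) -> FlowKey:
    """Direction-independent key, so both halves of one TCP session group together."""
    ends = sorted([(a["src"], a["sport"]), (a["dst"], a["dport"])])
    return (ends[0], ends[1])


def storage_service(key: FlowKey) -> Optional[str]:
    """Name of the storage protocol if either endpoint is on a known storage port."""
    for _, port in key:
        if port in STORAGE_PORTS:
            return STORAGE_PORTS[port]
    return None


def count_by_signature(alerts: List[dict]) -> Dict[str, int]:
    return dict(Counter(a["msg"] for a in alerts))


def triage(alerts: List[dict]) -> Dict[FlowKey, dict]:
    """Per-flow summary: alert count, distinct signatures, whether both directions
    fired, the storage protocol (if any) and first/last timestamps (input is chronological)."""
    report: Dict[FlowKey, dict] = {}
    for a in alerts:
        k = flow_key(a)
        r = report.setdefault(k, {
            "count": 0, "signatures": set(), "senders": set(),
            "service": storage_service(k), "first": a["ts"], "last": a["ts"],
        })
        r["count"] += 1
        r["signatures"].add(a["msg"])
        r["senders"].add((a["src"], a["sport"]))
        r["last"] = a["ts"]
    for r in report.values():
        r["both_directions"] = len(r["senders"]) == 2
    return report


def storage_flows(report: Dict[FlowKey, dict]) -> List[FlowKey]:
    """Flows riding a storage protocol: content matches there are usually disk data in
    transit (AV signature files, swap, ISOs) and deserve a look at the payload before
    anyone pulls a host offline."""
    return [k for k, r in report.items() if r["service"] is not None]


if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    for msg, n in count_by_signature(alerts).items():
        print(f"{n:3d}  {msg}")
    report = triage(alerts)
    for key, r in report.items():
        (ip1, p1), (ip2, p2) = key
        tag = f" [{r['service']}]" if r["service"] else ""
        both = "both directions" if r["both_directions"] else "one direction"
        print(f"{ip1}:{p1} <-> {ip2}:{p2}{tag}: {r['count']} alerts, "
              f"{len(r['signatures'])} signatures, {both}, {r['first']} .. {r['last']}")
```

Run against a whole fast.log, a flow that keeps the same ephemeral port for half an hour and trips several unrelated content signatures is the first thing to inspect with a packet dump; a one-off hit on a web flow from a different host is a separate question and should be triaged separately.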
@jagdtigger Stop the minecraft server and log again....
-
@cool_corona
Will do, I'll get back to this tomorrow. I think I have a PC Engines APU board somewhere, so I can basically use Suricata to do the logging, then use my switch to do the capture via port mirroring.
-
I'll have to postpone until tomorrow; the darned APU board is a real slowpoke when it comes to updating, installing stuff, and applying settings.....
-
Okay, APU board in transparent bridge mode and Suricata running on the bridge, straight between the Proxmox mini-PC and the switch. I set up another mini-PC to dump the mirrored traffic to an HDD. Left the Minecraft jail up just to see if it is really what is causing the issues. (I'm not worried about leaving it up; the network it is on is specifically used for stuff that is exposed to the net, and it is restricted from talking to anything besides 2 NAS, but those have proper FW rules in place to not expose the mgmt interface to this network.) I'll reinstall Windows (in a new VM) and let it sit overnight while capturing traffic. (During install the VM won't have internet, to get around the pesky MS account enforcement.)
-
Okay, stopped the capture and downloaded the Suricata alert log. The capture ended up 68 GB in size. I can already see the same alerts, but I noticed something strange. They started showing up during install, when I had the virtual NIC disconnected. The ISO is downloaded directly from MS so I don't think it could be infected...
-
Still crawling through the capture, concentrating on traffic from the VM; so far it's only chatter between W10 and MS, plus the traffic resulting from installing FF and Steam. No suspicious domain names or IP addresses so far.
-
@jagdtigger Left over from the SolarWinds attack??
-
@cool_corona
Which is lingering to this day in their ISO downloads? (I'm just a simple home user who likes to tinker with things, so I never used their products.) So far the only thing that is out of place is in the traffic between Proxmox and the NAS hosting the iSCSI share.... Could it be Defender reading its database?
-
Finished crawling through the capture, only looked at the VM's traffic. Nothing out of the ordinary. A lot of chatter between MS and Windows, some from AVG (<- I installed it after I saw the alerts in Suricata) and the rest of the installed SW. Did not spot any suspicious IP or DNS name.... I still have the APU board inspecting the traffic, but since I shut off the VM the only warning it generates is triggered by Proxmox looking for updates.
-
I see you're dealing with the Rothenburg shellcode flood in your logs. That sounds frustrating! Have you tried analyzing the logs to see if you can identify patterns or signatures specific to this shellcode? It might help you create filters or rules to block or mitigate the flood. Also, ensuring your system is up-to-date with patches and using strong passwords can help prevent future attacks. You can find more detailed guides and discussions about shellcode and security on https://guidedhacking.com/threads/how-to-find-shellcode-in-malware-memory.20588/ . They have a supportive community that can offer insights and advice based on their experiences.