Netgate Discussion Forum

ET SHELLCODE Rothenburg Shellcode flood in log...

IDS/IPS
20 Posts 4 Posters 5.6k Views
  • J
    jagdtigger @jagdtigger
    last edited by jagdtigger Aug 23, 2021, 3:41 AM Aug 23, 2021, 3:10 AM

    sigh


    #ALF:Trojan:UEFI/MosaicRegressor.C

    Time to ditch the VM....

    /EDIT
    While installing a new VM, a new alert popped up:
    ET NETBIOS DCERPC DCOM ExecuteShellCommand Call - Likely Lateral Movement

    From Proxmox to the NAS, dst port 3260 (iSCSI).... :S I'm going to bed, I'll have the NAS download a fresh ISO from MS (Synology AV didn't find anything during the system scan).

    J 1 Reply Last reply Aug 23, 2021, 3:08 PM Reply Quote 0
    • J
      jagdtigger @jagdtigger
      last edited by Aug 23, 2021, 3:08 PM


      What the actual F?! All I did after clearing out the usual bloatware was download Firefox straight from Mozilla's site.... 😠

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by Aug 23, 2021, 3:18 PM

        You appear to have a real mystery on your hands here. Perhaps the malware was not totally eradicated, or else you have other infected hosts that are quickly re-establishing the infection.

        J 1 Reply Last reply Aug 23, 2021, 3:21 PM Reply Quote 0
        • J
          jagdtigger @bmeeks
          last edited by jagdtigger Aug 23, 2021, 3:53 PM Aug 23, 2021, 3:21 PM

          I deleted the VM so in theory that purged every bit of it. No other Windows machine is running ATM so IDK how it gets infected. Also no other alarm from Suricata that could imply I have a compromised host.....

          /EDIT
          Suricata alert log:

          08/23/2021-17:13:32.799962  [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
          08/23/2021-17:13:32.963161  [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
          08/23/2021-17:14:28.261221  [**] [1:2018373:5] ET EXPLOIT Malformed HeartBeat Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
          08/23/2021-17:23:41.258658  [**] [1:2018373:5] ET EXPLOIT Malformed HeartBeat Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
          08/23/2021-17:26:28.712807  [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
          08/23/2021-17:38:58.081742  [**] [1:2014819:3] ET INFO Packed Executable Download [**] [Classification: Misc activity] [Priority: 3] {TCP} 31.46.5.80:80 -> 192.168.10.105:50603
          08/23/2021-17:39:01.034485  [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.105:50615 -> 31.46.5.80:80
          08/23/2021-17:39:01.734259  [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 31.46.5.18:80 -> 192.168.10.105:50614
          08/23/2021-17:39:38.226988  [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
          08/23/2021-17:39:49.058505  [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
          08/23/2021-17:39:49.067656  [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
          08/23/2021-17:39:49.086628  [**] [1:2017318:5] ET HUNTING SUSPICIOUS IRC - PRIVMSG *.(exe|tar|tgz|zip)  download command [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
          08/23/2021-17:40:00.414606  [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
          08/23/2021-17:40:06.774212  [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 192.168.10.38:47270 -> 10.125.210.23:3260
          08/23/2021-17:40:56.119765  [**] [1:2018373:5] ET EXPLOIT Malformed HeartBeat Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
          08/23/2021-17:43:01.073513  [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
          08/23/2021-17:43:01.096700  [**] [1:2017318:5] ET HUNTING SUSPICIOUS IRC - PRIVMSG *.(exe|tar|tgz|zip)  download command [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
          08/23/2021-17:43:03.541890  [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
          08/23/2021-17:43:32.355036  [**] [1:2018959:4] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 205.185.216.10:80 -> 192.168.10.105:50673
          08/23/2021-17:44:58.130630  [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 205.185.216.42:80 -> 192.168.10.105:50704
          08/23/2021-17:44:58.270305  [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 205.185.216.10:80 -> 192.168.10.105:50705
          08/23/2021-17:44:59.587323  [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 205.185.216.42:80 -> 192.168.10.105:50707
          

          Dumped packet hex for matches:
          https://www.dropbox.com/s/4u03qz1lsy39f2z/hex.txt?dl=0

          (Nothing is on that PC so I don't mind.)

          /EDIT3
          Directly exposed services (to the internet, I mean):
          haproxy (running on pfsense)
          minecraft server
          apache webserver (exposed through haproxy, extremely limited setup, only capable of serving files)

          Cool_CoronaC 1 Reply Last reply Aug 23, 2021, 5:06 PM Reply Quote 0
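An added triage example (my code, not from the thread or from the pfSense/Suricata packages): it parses lines in the fast.log format quoted above, folds both directions of a connection into one flow so a flood on one connection shows up as one finding, and labels flows where an endpoint is an internal storage-service port such as the iSCSI port 3260 seen here, because byte-pattern rules can match raw disk-block payload by chance. The STORAGE_PORTS table is an assumption of the example; the six sample lines are copied from the alert log in the post above.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# One regex for the single-line fast.log format quoted in the thread.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>.*?)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)

# Assumption: ports whose payload is raw disk blocks or file contents, which
# byte-pattern rules can match by chance. iSCSI (3260) is the port in the thread.
STORAGE_PORTS = {3260: "iscsi", 445: "smb", 2049: "nfs"}

# Sample input: six alert lines copied from the post above.
SAMPLE = """\
08/23/2021-17:13:32.799962  [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:14:28.261221  [**] [1:2018373:5] ET EXPLOIT Malformed HeartBeat Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:38:58.081742  [**] [1:2014819:3] ET INFO Packed Executable Download [**] [Classification: Misc activity] [Priority: 3] {TCP} 31.46.5.80:80 -> 192.168.10.105:50603
08/23/2021-17:39:49.086628  [**] [1:2017318:5] ET HUNTING SUSPICIOUS IRC - PRIVMSG *.(exe|tar|tgz|zip)  download command [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:40:06.774212  [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 192.168.10.38:47270 -> 10.125.210.23:3260
08/23/2021-17:43:32.355036  [**] [1:2018959:4] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 205.185.216.10:80 -> 192.168.10.105:50673
"""

def parse_fast_log(text):
    """Return one dict per alert line; raise on a line the regex cannot read."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FAST_LOG_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable fast.log line: {line[:60]!r}")
        d = m.groupdict()
        for k in ("sid", "prio", "sport", "dport"):
            d[k] = int(d[k])
        alerts.append(d)
    return alerts

def flow_key(a):
    """Direction-independent key: A->B and B->A alerts land on the same flow."""
    ends = sorted([(a["src"], a["sport"]), (a["dst"], a["dport"])])
    return (a["proto"], ends[0], ends[1])

def classify_flow(key):
    """Label a flow as internal-storage:<svc>, internal, or internet."""
    _, (ip_a, port_a), (ip_b, port_b) = key
    internal = all(ipaddress.ip_address(ip).is_private for ip in (ip_a, ip_b))
    for port in (port_a, port_b):
        if internal and port in STORAGE_PORTS:
            return f"internal-storage:{STORAGE_PORTS[port]}"
    return "internal" if internal else "internet"

def triage(text):
    """Group alerts per flow and return findings, busiest flow first."""
    flows = defaultdict(lambda: {"count": 0, "sids": Counter()})
    for a in parse_fast_log(text):
        f = flows[flow_key(a)]
        f["count"] += 1
        f["sids"][(a["sid"], a["msg"])] += 1
    notes = {
        "internet": "investigate: alert on an internet-facing flow",
        "internal": "internal flow: correlate with host telemetry",
    }
    findings = []
    for key, f in flows.items():
        label = classify_flow(key)
        note = notes.get(label, "candidate false positive: byte-pattern rule "
                         "matched storage payload; confirm by inspecting the session")
        findings.append({"flow": key, "label": label, "count": f["count"],
                         "top_sid": f["sids"].most_common(1)[0][0], "note": note})
    findings.sort(key=lambda x: -x["count"])
    return findings

if __name__ == "__main__":
    for fnd in triage(SAMPLE):
        print(fnd["count"], fnd["label"], fnd["flow"][1:], fnd["note"])
```

On the six sample lines the iSCSI flow collapses to a single finding with four alerts, while the two HTTP downloads from public addresses stay separate findings to investigate.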
          • Cool_CoronaC
            Cool_Corona @jagdtigger
            last edited by Aug 23, 2021, 5:06 PM

            @jagdtigger Stop the minecraft server and log again....

            J 1 Reply Last reply Aug 23, 2021, 5:47 PM Reply Quote 0
            • J
              jagdtigger @Cool_Corona
              last edited by Aug 23, 2021, 5:47 PM

              @cool_corona
              Will do, I'll get back to this tomorrow. I think I have a PC Engines APU board somewhere so I can basically use Suricata to do the logging, then use my switch to do the capture via port mirroring.

              J 1 Reply Last reply Aug 24, 2021, 6:29 PM Reply Quote 1
              • J
                jagdtigger @jagdtigger
                last edited by Aug 24, 2021, 6:29 PM

                I'll have to postpone to tomorrow; the darned APU board is a real slowpoke when it comes to updating, installing stuff, and applying settings.....

                J 1 Reply Last reply Aug 25, 2021, 4:34 PM Reply Quote 0
                • J
                  jagdtigger @jagdtigger
                  last edited by jagdtigger Aug 25, 2021, 4:37 PM Aug 25, 2021, 4:34 PM

                  Okay, APU board in transparent bridge mode and Suricata running on the bridge, straight between the Proxmox mini PC and the switch. I set up another mini PC to dump the mirrored traffic to an HDD. Left the Minecraft jail up just to see if it is really what is causing the issues. (I'm not worried about leaving it up; the network it is on is specifically used for stuff that is exposed to the net, and it is restricted from talking to anything besides 2 NAS, but those have proper FW rules in place to not expose the mgmt interface to this network.) I'll reinstall Windows (in a new VM) and let it sit overnight while capturing traffic. (During install the VM won't have internet, to get around the pesky MS account enforcement.)

                  J 1 Reply Last reply Aug 26, 2021, 6:11 PM Reply Quote 0
                  • J
                    jagdtigger @jagdtigger
                    last edited by Aug 26, 2021, 6:11 PM

                    Okay, stopped the capture and downloaded the Suricata alert log. The capture ended up 68 GB in size. I can already see the same alerts, but I noticed something strange. They started showing up during install, when I had the virtual NIC disconnected. The ISO is downloaded directly from MS so I don't think it could be infected...

                    J Cool_CoronaC 2 Replies Last reply Aug 28, 2021, 6:49 PM Reply Quote 0
                    • J
                      jagdtigger @jagdtigger
                      last edited by Aug 28, 2021, 6:49 PM

                      Still crawling through the capture, concentrating on traffic from the VM; so far it's only chatter between W10 and MS, plus the traffic resulting from installing FF and Steam. No suspicious domain names or IP addresses so far.

                      1 Reply Last reply Reply Quote 0
                      • Cool_CoronaC
                        Cool_Corona @jagdtigger
                        last edited by Aug 28, 2021, 8:50 PM

                        @jagdtigger Left over from the SolarWinds attack??

                        J 1 Reply Last reply Aug 28, 2021, 9:14 PM Reply Quote 0
                        • J
                          jagdtigger @Cool_Corona
                          last edited by Aug 28, 2021, 9:14 PM

                          @cool_corona
                          Which is lingering to this day in their ISO downloads? (I'm just a simple home user who likes to tinker with things, so I never used their products.) So far the only thing that is out of place is in the traffic between Proxmox and the NAS hosting the iSCSI share.... Could it be Defender reading its database?

                          J 1 Reply Last reply Sep 6, 2021, 1:38 PM Reply Quote 0
                          • J
                            jagdtigger @jagdtigger
                            last edited by jagdtigger Sep 6, 2021, 1:56 PM Sep 6, 2021, 1:38 PM

                            Finished crawling through the capture, only looked at the VM's traffic. Nothing out of the ordinary. A lot of chatter between MS and Windows, some from AVG (I installed it after I saw the alerts in Suricata) and the rest of the installed SW. Did not spot any suspicious IP or DNS name.... I still have the APU board inspecting the traffic but since I shut off the VM the only warning it generates is triggered by Proxmox looking for updates.

                            1 Reply Last reply Reply Quote 0
                            • T
                              tomhumar
                              last edited by tomhumar Jun 2, 2024, 6:50 PM Jun 2, 2024, 6:49 PM

                              I see you're dealing with the Rothenburg shellcode flood in your logs. That sounds frustrating! Have you tried analyzing the logs to see if you can identify patterns or signatures specific to this shellcode? It might help you create filters or rules to block or mitigate the flood. Also, ensuring your system is up-to-date with patches and using strong passwords can help prevent future attacks. You can find more detailed guides and discussions about shellcode and security on https://guidedhacking.com/threads/how-to-find-shellcode-in-malware-memory.20588/ . They have a supportive community that can offer insights and advice based on their experiences.

                              1 Reply Last reply Reply Quote 0
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.