Oracle Server Exploited to Deliver Monero Miners
Common Information
Type Value
UUID c8cfc165-584d-4a63-b3c7-493c28c57a68
Fingerprint b6a0b939b63f868f
Analysis status DONE
Considered CTI value 2
Text language
Published Feb. 26, 2018, midnight
Added to db Jan. 18, 2023, 9:05 p.m.
Last updated Nov. 18, 2024, 1:38 a.m.
Headline Oracle Server Exploited to Deliver Monero Miners
Title Oracle Server Exploited to Deliver Monero Miners
Detected Hints/Tags/Attributes 50/1/49
Attributes
Type     #Events  Value                                                             CTI Value
CVE      81       cve-2017-10271
Domain   339      system.net
Domain   11       eu.minerpool.pw
Domain   1        zxcvb.pw
File     1        javaupd.exe
File     50       3.exe
File     1209     powershell.exe
File     1        check.ps1
File     1        msta.exe
File     456      mshta.exe
File     2127     cmd.exe
File     1        c:\programdata\javaupd.exe
File     18       logonui.exe
File     119      sqlservr.exe
File     1        spoosvc.exe
File     9        2.ps1
File     7        z.exe
File     1        botloaderx32.exe
File     1        botloaderx64.exe
File     1        mainmodulex32.dll
File     1        mainmodulex64.dll
File     59       2.exe
File     1        getsettings.php
sha256   1        28e9f5d3768cdccbd886b37964f17754c8b1875c588ced775849a0874e8c2375
sha256   1        4b2f0e3165090121e4029908d552a8c559e1b3ee0bb3e679830b5bf91f0ab796
sha256   1        55221771041707c190ddfe322301876a432eb4a5d23888bf150864bcd1c7e709
sha256   1        7ecee91336977c324d5b74e3900de36a356702acc526f3b684d599f931bde47b
sha256   1        8a01dc99ac4e197c9c238ad33c3259c1ee124e5f8b5514766af45f29cf299653
sha256   1        9d08c4c50c8fc0efab2ca749b86292077f51f4a157e6ac02ecacf282c5da28eb
sha256   1        bab77860c4d7ccbdfc4f546ea348f68ae05c6e18c5a8f88460d09712138f5b88
sha256   1        d3f0b7b903d7879d0ef1c39c423d2a04dfd61f407dc1844446d7395e033c75ab
sha256   1        d7cf45c50a201199d5e1c3fca8338ad369ef1e8db9efcb8004210d4f06217e25
sha256   1        dc71b4e84d39407892e700bda587abf1c921563aaa3fddd074225f5a1068f8bc
sha256   1        e390c72b226c7a6d7443074a9ccd54cf4ccf8acd68eea20da8f8a1dfd57a652d
sha256   1        f05721fc5a4686fef1ea1a82a9065f530ce96aaa693bd00088b67d89606de9c4
IPv4     1        107.181.174.248
Url      1        http://107.181.174.248/web/p.hta
Url      1        http://107.181.174.248/web/check.ps1
Url      1        http://107.181.174.248/web/2.ps1
Url      1        http://107.181.174.248/web/javaupd.exe
Url      1        http://107.181.174.248/web/startup.cmd
Url      1        http://107.181.174.248/z.exe
Url      1        http://107.181.174.248/panelnew/botloaderx32.exe
Url      1        http://107.181.174.248/panelnew/botloaderx64.exe
Url      1        http://107.181.174.248/panelnew/mainmodulex32.dll
Url      1        http://107.181.174.248/panelnew/mainmodulex64.dll
Url      1        http://107.181.174.248/123/2.exe
Url      1        http://107.181.174.248/web/kil.hta
Url      1        http://zxcvb.pw/api/bot/getsettings.php