Botnet Encyclopedia

A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network

Campaign Information

Name: k8h3d (active)

Variants

First seen in Guardicore Centra: 2019-02-23

Last seen in Guardicore Centra: 2020-08-02

The k8h3d attack campaign combines a Monero cryptominer with a worm module that exploits EternalBlue for lateral movement. The attacker first breaches victim machines through MS-SQL, then creates a new user named “k8h3d” with the password “k8d3j9SjfS7” and changes the MS-SQL system administrator password to a random string. The backdoor user is then used to connect to the machine over SMB and drop multiple malicious scripts and binaries, including a dropper, a Trojan horse, the Monero cryptominer and the EternalBlue worm. The payloads persist through scheduled tasks and services (names seen include “Autocheck”, “Autoscan”, “Bluetooths”, “DnsScan”, “WebServers” and “Ddriver”). System information is also sent to the attacker’s command-and-control servers, from which additional payloads can be downloaded and executed.
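The host-side checks a defender would run for the indicators in this paragraph, as an added example that is not Guardicore's code: it looks for the backdoor account and its Administrators membership, the scheduled-task and service names listed above, and the SHA-256 hashes from the Associated Files table in the drop locations that table names. It assumes Windows PowerShell 5.1 or later and an elevated prompt; the function name Invoke-K8h3dHunt and the scan-root list are choices made here, not something the page specifies.

```powershell
# Added hunting example (not Guardicore's code). Checks a Windows host for the
# k8h3d indicators described on this page: the backdoor account, the named
# persistence entries, and the published file hashes in the known drop paths.
# Assumptions: Windows PowerShell 5.1 or later, run from an elevated prompt.

$BackdoorUser     = 'k8h3d'
$PersistenceNames = @('Autocheck', 'Autoscan', 'Bluetooths', 'DnsScan', 'WebServers', 'Ddriver')

# SHA-256 values copied from the Associated Files table on this page.
$KnownHashes = @(
    '3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71',
    'e3eed66221a6552d4b9ae7350b3dc30de238a6029efae060514d2780c02fedb4',
    '7d317cb1ee2c6afabe13387f240f330773dc2f107ce93b32214596bafc694cbb',
    'fa0978b3d14458524bb235d6095358a27af9f2e9281be7cd0eb1a4d2123a8330',
    '45176261a7362c49abe4c3e668235e206e8bad44f66d428caf9d9e5118d83210',
    'bdbfa96d17c2f06f68b3bcc84568cf445915e194f130b0dc2411805cf889b6cc',
    '8e7fe1a1f3550c479ffd86a77bc9d10686d47f8727025bb891d8f4f0259354c8',
    '2ee4104c24d9c4c5a00e9d705e14d5a29ef94f56673e2779025e5539fa7c8f20',
    '11c739d28227773d70c3941d2e979b9d4cee12f1d53cc94daf77b62a4d3a0327',
    'c50186852c138cdedaff387e0982cd3c63bfe930ea6872903b8b5ec488c08d70',
    '245855cd9c89326b531c7ce02aa313320a2a61b26771c389b6e0f997cf248e58',
    'b771267551961ce840a1fbcd65e8f5ecd0a21350387f35bbcd4c24125ec04530',
    '385e7a3cf5dd7b65590b064e7bc09f901db7ddc8542396af6bb60048a30993f0',
    '69ff04aa3967dd2747e33cd97e7517026d49eaf13340774b6a0d5d7fd95ac35f',
    '4c5b8e529854cedfa8f46cd6906952400cdbbf25efc4cf37dda2c42d8e96ddcb'
)

# Drop locations taken from the Associated Files table (a choice made for this
# example). Temp and the systemprofile Roaming folder are searched recursively
# because the files sit in randomly named subfolders (_MEI<pid>, <guid>$dpx$.tmp).
$ScanRoots = @(
    @{ Path = 'C:\';                                                          Recurse = $false },
    @{ Path = $env:SystemRoot;                                                Recurse = $false },
    @{ Path = "$env:SystemRoot\Temp";                                         Recurse = $true  },
    @{ Path = "$env:SystemRoot\System32\drivers";                             Recurse = $false },
    @{ Path = "$env:SystemRoot\SysWOW64\drivers";                             Recurse = $false },
    @{ Path = "$env:SystemRoot\System32\config\systemprofile\AppData\Roaming"; Recurse = $true  }
)

function Invoke-K8h3dHunt {
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Backdoor account created by the campaign, and whether it is an Administrator
    $user = Get-LocalUser -Name $BackdoorUser -ErrorAction SilentlyContinue
    if ($user) {
        $admins  = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
        $isAdmin = [bool]($admins | Where-Object { $_.Name -like "*\$BackdoorUser" })
        $findings.Add([pscustomobject]@{
            Type = 'LocalUser'; Name = $BackdoorUser
            Detail = "Enabled=$($user.Enabled); Administrator=$isAdmin" })
    }

    # 2. Persistence: scheduled tasks and services using the campaign's names
    foreach ($name in $PersistenceNames) {
        $task = Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
        if ($task) {
            $findings.Add([pscustomobject]@{
                Type = 'ScheduledTask'; Name = $name
                Detail = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' })
        }
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        if ($svc) {
            $findings.Add([pscustomobject]@{ Type = 'Service'; Name = $name; Detail = $svc.PathName })
        }
    }

    # 3. Published file hashes in the known drop locations. Hashes are used rather
    #    than file names because the dropped binaries carry random names.
    foreach ($root in $ScanRoots) {
        if (-not (Test-Path -LiteralPath $root.Path)) { continue }
        Get-ChildItem -LiteralPath $root.Path -File -Recurse:($root.Recurse) -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.exe', '.dll', '.pyd', '.tmp' } |
            ForEach-Object {
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                if ($hash -and ($KnownHashes -contains $hash)) {
                    $findings.Add([pscustomobject]@{ Type = 'File'; Name = $_.FullName; Detail = $hash })
                }
            }
    }
    return $findings
}

$results = Invoke-K8h3dHunt
if (@($results).Count -eq 0) { Write-Output 'No k8h3d indicators found on this host.' }
else { $results | Format-Table -AutoSize }
```

The script covers only the endpoint side of the chain. The MS-SQL side (the sa password change and the sp_configure / xp_cmdshell activity that the IDS events on this page record) is observed on the database server and in its audit log, not by this host scan, and randomly named services such as the DyqE example in the Incident Summary will only be caught through the hash check of their binaries, not by name.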


Indicators of Compromise

Associated Files

Path | Hash | Size

C:\adRhGFvP.exe, C:\AFtSjdJC.exe, C:\AGTgJjbO.exe… | 3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71 | 55.00 KB

C:\WINDOWS\Temp\_MEI13522\python27.dll, C:\Windows\Temp\_MEI13642\python27.dll, C:\WINDOWS\Temp\_MEI13922\python27.dll… | e3eed66221a6552d4b9ae7350b3dc30de238a6029efae060514d2780c02fedb4 | 2.52 MB

c:\windows\guiwcg.exe, c:\windows\hkxzwz.exe, c:\windows\mipr.exe… | 7d317cb1ee2c6afabe13387f240f330773dc2f107ce93b32214596bafc694cbb | 12.08 MB

C:\Windows\Temp\bnjsriz.exe, C:\Windows\Temp\mnsv.exe, C:\Windows\temp\svchost.exe | fa0978b3d14458524bb235d6095358a27af9f2e9281be7cd0eb1a4d2123a8330 | 6.64 MB

C:\Windows\bcZf.exe, C:\Windows\NcLZVVk.exe, C:\Windows\temp\svchost.exe… | 45176261a7362c49abe4c3e668235e206e8bad44f66d428caf9d9e5118d83210 | 5.98 MB

C:\installed2.exe, c:\windows\system32\drivers\svchost.exe, c:\windows\syswow64\drivers\svchost.exe… | bdbfa96d17c2f06f68b3bcc84568cf445915e194f130b0dc2411805cf889b6cc | 197.05 KB

C:\WINDOWS\Temp\_MEI13522\msvcr90.dll, C:\WINDOWS\Temp\_MEI13922\msvcr90.dll, C:\WINDOWS\Temp\_MEI24442\msvcr90.dll… | 8e7fe1a1f3550c479ffd86a77bc9d10686d47f8727025bb891d8f4f0259354c8 | 637.83 KB

C:\Windows\System32\config\systemprofile\AppData\Roaming\7981e734ce2a4433b20fd12aafcf2e0c$dpx$.tmp\86ad355955734945be2e6ccb5f76f902.tmp, C:\Windows\System32\config\systemprofile\AppData\Roaming\f371f6b7fb5241cd8551c53d2fb32c7d$dpx$.tmp\975cd435570c8144a2e21787be589462.tmp, c:\windows\system32\config\systemprofile\appdata\roaming\opencl.dll… | 2ee4104c24d9c4c5a00e9d705e14d5a29ef94f56673e2779025e5539fa7c8f20 | 111.00 KB

C:\Windows\Temp\_MEI4962\_ctypes.pyd, C:\Windows\Temp\_MEI5322\_ctypes.pyd, C:\Windows\Temp\_MEI6162\_ctypes.pyd… | 11c739d28227773d70c3941d2e979b9d4cee12f1d53cc94daf77b62a4d3a0327 | 71.50 KB

C:\windows\temp\msInstall.exe, C:\windows\temp\svchost.exe, C:\Windows\temp\svchost.exe | c50186852c138cdedaff387e0982cd3c63bfe930ea6872903b8b5ec488c08d70 | 63.48 KB

C:\windows\temp\msInstall.exe, C:\windows\temp\svchost.exe, C:\Windows\temp\svchost.exe | 245855cd9c89326b531c7ce02aa313320a2a61b26771c389b6e0f997cf248e58 | 126.95 KB

c:\windows\system32\wmiex.exe, c:\windows\syswow64\wmiex.exe, c:\windows\temp\ttt.exe… | b771267551961ce840a1fbcd65e8f5ecd0a21350387f35bbcd4c24125ec04530 | 72.05 KB

C:\Windows\Temp\_MEI5322\select.pyd, C:\Windows\Temp\_MEI5802\select.pyd, C:\Windows\Temp\_MEI6162\select.pyd… | 385e7a3cf5dd7b65590b064e7bc09f901db7ddc8542396af6bb60048a30993f0 | 11.50 KB

C:\Windows\IsZN.exe, C:\Windows\rOkU.exe, C:\Windows\temp\svchost.exe | 69ff04aa3967dd2747e33cd97e7517026d49eaf13340774b6a0d5d7fd95ac35f | 6.64 MB

C:\Windows\System32\config\systemprofile\AppData\Roaming\f371f6b7fb5241cd8551c53d2fb32c7d$dpx$.tmp\03faf8f33cd4d24f918c73305775f1b5.tmp, c:\windows\system32\config\systemprofile\appdata\roaming\ucrtbase.dll, C:\Windows\Temp\2e5cd024627846a09a294b47f9cab077$dpx$.tmp\7919324c906ecf4299403c00b3860470.tmp… | 4c5b8e529854cedfa8f46cd6906952400cdbbf25efc4cf37dda2c42d8e96ddcb | 973.69 KB

Attack Flow

Breached Services

MSSQL

SMB

Tags

SMB Share Connect

User Added to Group

Execute MsSql Shell Command

MSSQL

Service Creation

Download File

Successful MSSQL Login

Service Start

IDS – Attempted User Privilege Gain

Download and Execute

User Created

File Operation By CMD

Successful SMB Login

SMB

CMD

Incident Summary

IDS detected Attempted User Privilege Gain : SQL sp_configure – configuration change

IDS – Attempted User Privilege Gain

IDS detected Attempted User Privilege Gain : sp_password – password change

IDS – Attempted User Privilege Gain

IDS detected Attempted User Privilege Gain : xp_cmdshell – program execution

IDS – Attempted User Privilege Gain

A user logged in using MSSQL with the following credentials: sa / ****** – Authentication policy: White List

Successful MSSQL Login

A user logged in using MSSQL with the following credentials: sa / ****** – Authentication policy: Previously Approved User

Successful MSSQL Login

MSSQL executed 1 shell commands

Execute MsSql Shell Command

User k8h3d was created with the password *********** added to groups: Administrators and logged in using SMB

Successful SMB Login

User Added to Group

User Created

A user logged in using SMB with the following username: k8h3d – Authentication policy: Correct Password

Successful SMB Login

The file C:\Windows\LtXTflwR.exe was downloaded and executed

Download and Execute

c:\windows\system32\services.exe installed and started %systemroot%\ltxtflwr.exe as a service named DyqE under service group None

Service Start

Service Creation

C:\Windows\temp\svchost.exe was downloaded

Download File

Connection was closed due to user inactivity