Botnet Encyclopedia

A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network

Campaign Information

Name: Smominru (active)

Variants:

First seen in Guardicore Centra: 2018-12-26

Last seen in Guardicore Centra: 2020-07-12

The Smominru botnet and its variants, Hexmen and Mykings, have been active since 2017. The attack compromises Windows machines using the EternalBlue exploit and brute-force attacks on various services, including MS-SQL, RDP and Telnet. In its post-infection phase, it steals victim credentials, installs a Trojan module and a cryptominer, and propagates inside the network.


Indicators of Compromise

Associated Files


Attack Flow

Breached Services: Hadoop YARN, MSSQL, SMB

Tags: MSSQL Null Session Login, Access Suspicious Domain, File Operation By CMD, Create MsSql Procedure, CMD, Execute MsSql Shell Command, Successful MSSQL Login, Drop MsSql Table, MSSQL, IDS – Attempted User Privilege Gain, Persistency – Logon, DNS Query, MSSQL Brute Force

Incident Summary

A user logged in using MSSQL with the following credentials: sa / ****** – Authentication policy: White List (Part of a Brute Force Attempt) [Successful MSSQL Login; MSSQL Brute Force]

MSSQL procedures were created: sp_addextendedproc, sp_addlogin, sp_addsrvrolemember, sp_droplogin and sp_password [Create MsSql Procedure]

IDS detected Attempted User Privilege Gain: sp_password – password change [IDS – Attempted User Privilege Gain]

IDS detected Attempted User Privilege Gain: xp_reg* – registry access [IDS – Attempted User Privilege Gain]

IDS detected Attempted User Privilege Gain: xp_cmdshell – program execution [IDS – Attempted User Privilege Gain]

IDS detected Attempted User Privilege Gain: SQL sp_configure – configuration change [IDS – Attempted User Privilege Gain]

MSSQL tables were dropped: #A0F48136, #A2DCC9A8 and #A4C5121A [Drop MsSql Table]

IDS detected Attempted User Privilege Gain: sp_start_job – program execution [IDS – Attempted User Privilege Gain]

Process c:\windows\system32\ftp.exe attempted to access suspicious domains: down.1226bye.pw [DNS Query; Access Suspicious Domain]

Process c:\windows\system32\regsvr32.exe attempted to access suspicious domains: js.1226bye.pw [DNS Query; Access Suspicious Domain]

c:\program files\microsoft sql server\mssql11.sqlexpress\mssql\binn\sqlservr.exe set the command line "cmd /c start /min c:\windows\system32\wbem\123.bat" to run using Persistency – Logon [Persistency – Logon]

MSSQL executed 2 shell commands [Execute MsSql Shell Command]

IDS detected Attempted User Privilege Gain: MS-SQL SQL Injection closing string plus line comment [IDS – Attempted User Privilege Gain]

Connection was closed due to timeout