{
	"id": "2975a95f-0552-4bed-87fe-8d7a4dcc0178",
	"created_at": "2026-04-06T00:19:43.771442Z",
	"updated_at": "2026-04-10T13:11:57.470505Z",
	"deleted_at": null,
	"sha1_hash": "195ee842c6b350f61df0a123ee96c3d2c4b67618",
	"title": "Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2397816,
	"plain_text": "Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High\r\nand Critical Vulnerabilities to Infect Windows Devices\r\nBy Ken Hsu, Durgesh Sangvikar, Zhibin Zhang, Chris Navarrete\r\nPublished: 2020-06-24 · Archived: 2026-04-02 12:25:46 UTC\r\nExecutive Summary\r\nOn May 29, 2020, Unit 42 researchers discovered a new variant of a hybrid cryptojacking malware from numerous incidents\r\nof CVE-2019-9081 exploitation in the wild. A closer look revealed the malware, which we’ve dubbed “Lucifer”, is capable\r\nof conducting DDoS attacks and well-equipped with all kinds of exploits against vulnerable Windows hosts. The first wave\r\nof the campaign stopped on June 10, 2020. The attacker then resumed their campaign on June 11, 2020, spreading an\r\nupgraded version of the malware and wreaking havoc. The sample was compiled on Thursday, June 11, 2020 10:39:47 PM\r\nUTC and caught by Palo Alto Networks Next-Generation Firewall. At the time of writing, the campaign’s still ongoing.\r\nLucifer is quite powerful in its capabilities. Not only is it capable of dropping XMRig for cryptojacking Monero, it’s also\r\ncapable of command and control (C2) operation and self-propagation through the exploitation of multiple vulnerabilities and\r\ncredential brute-forcing. Additionally, it drops and runs EternalBlue, EternalRomance, and DoublePulsar backdoor against\r\nvulnerable targets for intranet infections.\r\nThe exhaustive list of weaponized exploits includes CVE-2014-6287, CVE-2018-1000861, CVE-2017-10271, ThinkPHP\r\nRCE vulnerabilities (CVE-2018-20062), CVE-2018-7600, CVE-2017-9791, CVE-2019-9081, PHPStudy Backdoor RCE,\r\nCVE-2017-0144, CVE-2017-0145, and CVE-2017-8464. These vulnerabilities have either “high” or “critical” ratings due to\r\ntheir trivial-to-exploit nature and their tremendous impact inflicted on the victim. Once exploited, the attacker can execute\r\narbitrary commands on the vulnerable device. 
In this case, the targets are Windows hosts on both the internet and intranet,\r\ngiven that the attacker is leveraging the certutil utility in the payload for malware propagation. Fortunately, the patches for these\r\nvulnerabilities are readily available.\r\nWhile the vulnerabilities abused and attack tactics leveraged by this malware are nothing original, they once again deliver a\r\nmessage to all organizations, reminding them why it’s critically important to keep systems up-to-date whenever possible,\r\neliminate weak credentials, and have a layer of defenses for assurance.\r\nAt the time of writing this blog, the XMR wallet has paid 0.493527 XMR, which converts to approximately $32 USD.\r\nPalo Alto Networks Next-Generation Firewalls can detect and block all the exploit attempts from this kind of malware\r\nfamily.\r\nThis blog includes a detailed analysis of Lucifer and the comparison of version 1 and version 2.\r\nLucifer: Cryptojacking and DDoS Campaign\r\nA quick note on the name: While the malware author named their malware Satan DDoS, there’s another malware, Satan\r\nRansomware, bearing that devious name already. An alternative alias was given to this malware to avoid confusion. As a\r\nresult of staying faithful to the unique strings in the binary, we are calling this Lucifer.\r\nWe identified two versions of Lucifer in our research: we focus first on version 1 and then highlight the changes made to\r\nversion 2 in the following section.\r\nhttps://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/\r\nPage 1 of 30\n\nLucifer contains three resource sections, each of which contains a binary for a specific purpose. The X86 resource section\r\ncontains a UPX-packed x86 version of XMRig 5.5.0. The X64 resource section contains a UPX-packed x64 version of\r\nXMRig 5.5.0. 
The SMB section contains a binary that bundles several Equation Group exploits, such as EternalBlue and\r\nEternalRomance, along with the infamous DoublePulsar backdoor implant.\r\nX86: 8edbcd63def33827bfd63bffce4a15ba83e88908f9ac9962f10431f571ba07a8\r\nX64: Ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301\r\nSMB: 5214f356f2e8640230e93a95633cd73945c38027b23e76bb5e617c71949f8994\r\nUpon execution, the malware first decrypts its C2 IP address using a xor-incremental encryption and then creates a mutant,\r\nusing its C2 IP address as the mutant’s name.\r\nThe decrypted C2 IP address is 122[.]112[.]179[.]189.\r\nThe name of the mutant object is \\Sessions\\1\\BaseNamedObjects\\122[.]112[.]179[.]189\r\nThe pseudo-code for the decryption algorithm is shown in the figure below.\r\nFigure 1. Decryption routine\r\nThe malware then proceeds to persist itself by setting the following registry key values.\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\QQMusic - %malware binary path%\r\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\QQMusic - %malware binary path%\r\nThe binary also uses schtasks to register itself as a task that runs periodically, providing an additional layer of persistence. The\r\ncommand executed is shown in Figure 2.\r\nFigure 2. Execution of schtasks\r\nOnce the malware has persisted itself, it then checks whether there’s any existing stratum mining information stored in the\r\nfollowing registry key value:\r\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\spreadCpuXmr - %stratum info%\r\nThe mining information stored in this registry key value takes precedence if the data is present and valid. 
Otherwise, the\r\nmalware falls back to its default data embedded in the binary.\r\nThe malware grants itself the debug privilege and starts several threads to carry out its operations concurrently.\r\nThe following table summarizes the function of each thread, listed by the address of the thread function.\r\nFunction Address - Description\r\n0x0041C970 - Clear event logs, remove a log file, terminate the miner process, and repeat this cleaning routine every\r\n18000 seconds.\r\n0x00414B60 - Collect interface info and send miner status to its C2 server.\r\n0x00419BC0 - Check the remote address and remote port of all TCP connections. If there’s a match and the\r\nconnection-owning process is not the malware itself and the process’s module path is not\r\nC:\\ProgramData\\spreadXfghij.exe, the malware kills that process and deletes that file. The allow lists\r\nof ports and IP addresses are in the Appendix.\r\n0x0041A780 - Get or initialize its miner parameters, kill the miner and Taskmgr processes if necessary, drop the miner\r\nbinary, and execute the miner binary with argument values chosen according to the host’s memory\r\nusage. Whichever of the x86 and x64 versions of the miner is dropped is saved as C:\\\\ProgramData\\\\spreadXfghij.exe\r\n0x00418DC0 - Propagate through credential brute-forcing and exploitation. Also drop the Equation Group’s exploits\r\nand launch them to propagate by exploiting years-old SMB vulnerabilities.\r\n0x0041C840 - Copy and save the malware as C:\\\\ProgramData\\\\spread.txt\r\nTable 1. Worker Thread Description\r\nThe malware employs different propagation strategies.\r\nThe malware scans for open TCP ports 135 (RPC) and 1433 (MSSQL) on the target, be it internal or external, and\r\nprobes for weak credentials in an attempt to gain unauthorized access.\r\nIf the target has the RPC port open, the malware brute-forces the login using the default username administrator and its\r\nembedded password list. 
It then copies and runs the malware binary on the remote host upon successful authentication.\r\nWhen the malware detects that the target has TCP port 1433 open, it tries to brute-force its way in using its embedded list of\r\nusernames and passwords. Upon successful login, the malware then issues shell commands to download and execute a\r\nreplica of itself on the victim. The aforementioned list of usernames and passwords can be found in the appendix section.\r\nIn addition to brute-forcing credentials, the malware leverages exploitation for self-propagation. For intranet infection, it\r\ndrops and runs EternalBlue, EternalRomance, and the DoublePulsar backdoor against the target when the target has TCP port\r\n445 (SMB) open. Upon successful exploitation, certutil is used to propagate the malware.\r\nThe following figures show the parameters passed to launch the exploits and the backdoor implant.\r\nFigure 3. EternalBlue and DoublePulsar combo (for non-XP targets)\r\nFigure 4. EternalBlue and DoublePulsar combo (for XP targets)\r\nFigure 5. EternalRomance and DoublePulsar combo (all targets)\r\nIn order to infect external hosts, the malware first generates a non-private IP address, and then probes this randomly-selected\r\nvictim with HTTP requests over a number of ports. The list of ports is available in the Appendix. When the malware receives\r\na valid HTTP response from the victim, it then tries to exploit the target based on the conditions shown in the following\r\ntable.\r\nCondition - Exploit\r\nHFS found in the HTTP response - CVE-2014-6287\r\nJetty found in the HTTP response - CVE-2018-1000861\r\nServlet found in the HTTP response - CVE-2017-10271\r\nNo keywords found in the HTTP response - ThinkPHP remote code execution (RCE) vulnerabilities, CVE-2018-7600,\r\nCVE-2017-9791, CVE-2019-9081, PHPStudy Backdoor remote code execution (RCE)\r\nTable 2. 
Exploit conditions and CVEs\r\nSince the same vulnerability (e.g. ThinkPHP RCE) may be triggered at different endpoints (i.e. via different URLs), the\r\nmalware tries all hardcoded URLs against the victim for each vulnerability before it proceeds to the next target or next\r\nexploit attempt.\r\nAll the exploits carry a payload that downloads a replica of the malware onto the victim via certutil. The following\r\nfigures show examples of the attack traffic.\r\nFigure 6. CVE-2019-9081 traffic\r\nFigure 7. ThinkPHP RCE traffic\r\nAfter the malware has launched all its worker threads, it enters an infinite loop to handle its C2 operation, with a\r\nsleep interval of five seconds.\r\nAn example of the initial request to its C2 server is shown in Figure 8.\r\nFigure 8. Initial request to C2 server\r\nOnce the malware has established a TCP connection with its C2 server on port 15888, the malware keeps that same socket\r\nfor subsequent C2 control as well as for the miner’s status reports.\r\nThe initial C2 request contains a magic header \\x04\\x02\\x02 and encrypted system information such as the host IP address, the\r\nsystem type, system architecture, username, number of processors, and processor frequency. The malware applies a\r\ndecremental-xor encryption to this information before it sends the encrypted data over the wire. The encrypted data\r\ncan be decrypted using the decryption routine described in Figure 1. For example, the decrypted host IP address in Figure 8\r\nis 192.168.56[.]52. The decrypted Windows system is Windows 7 64Bit, and the decrypted username is Lebron James.\r\nUnlike the very first C2 request message, the subsequent miner status report messages are sent in clear text. An example\r\npacket of the miner’s status report is shown in Figure 9 below.\r\nFigure 9. 
Miner’s status report sent to C2 Server\r\nTable 3 summarizes the control codes received from the C2 server and their corresponding functionality.\r\nC2 Command - Description\r\n4 - Perform TCP/UDP/HTTP DoS attack.\r\n5 - Re-enable DoS attack.\r\n6 - Download and execute a file from its C2 server. The file is saved as %TEMP%\\\u003c4 random lower case\r\ncharacters\u003e.exe\r\n7 - Execute the command received from its C2 server.\r\n8 - Disable the miner’s status report functionality.\r\n9 - Enable the miner’s status report functionality.\r\n10 - Set the data of the registry key value\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\spreadCpuXmr, and terminate the miner\r\nprocess.\r\n11 - Enable both flags related to is_miner_killed and start_fresh.\r\n12 - Reset flags and terminate the miner process.\r\nTable 3. C2 description\r\nThe communication between the cryptojacking bot and its mining server uses the Stratum protocol on port\r\n10001 and is controlled by the execution of the spreadXfghij.exe program. This program accepts different parameters that\r\ncontrol configuration settings of the running miner such as username, password, CPU usage, priority, threads, and algorithm\r\nnames.\r\nFigure 10. XMRig Command-Line parameters\r\nThe Stratum protocol is mainly used by miner software to connect to a centralized server, which coordinates the workload\r\nbetween the clients. This protocol satisfies the requirements of the JSON RPC 2.0 specification. The JSON-RPC requests\r\nand responses can be seen in Figure 11.\r\nFigure 11. 
Lucifer bot exchanging the mining information.\r\nLucifer: Version 2\r\nVersion 2 of Lucifer is similar to its predecessor in terms of its overall capabilities and behaviors: it drops XMRig for\r\ncryptojacking, handles C2 operation, and propagates itself through exploitation and credential brute-forcing.\r\nWhile version 2 and version 1 share a lot of behavioral similarities, version 2 does have exclusive differences that are worth\r\nhighlighting.\r\nThe malware possesses anti-sandbox capability by checking the username and the computer name of the infected host. If it\r\nfinds a match in its predefined list of names, shown in Table 4, the malware stops and proceeds no further.\r\nNMSDBOX\r\nWILBERT-SC\r\nXPAMASTC\r\nKappa\r\nXXXX-OS\r\ncwsx-\r\nqemu\r\nvirtual\r\nxpamast-sc\r\ncuckoosandbox\r\nAvira\r\nCOMPUTERNAME\r\nCWSX\r\nVBOX\r\ncuckoo\r\nnmsdbox\r\nsandbox\r\nwilbert-sc\r\nxxxx - ox\r\nTable 4. List of Names\r\nLucifer also checks for the presence of the following device drivers, DLLs, and virtual devices. If any of these objects are\r\ndetected, the malware enters an infinite loop, stopping its execution from going further.\r\nSbieDrv.sys\r\nSbieDll.dll\r\n\\\\.\\VBoxMiniRdrDN\r\n\\\\.\\pipe\\cuckoo\r\nSandboxie.sys\r\nVBoxHook.dll\r\nDir_watch.dll\r\nTable 5. List of Driver Names\r\nIn addition to its anti-sandbox techniques, version 2 possesses an anti-debugger technique that can thwart analysis by\r\npassing a format string to OutputDebugStringA() and crashing the debugger.\r\nOnce Lucifer has passed all the checks, it decrypts its C2 URL and creates a mutex based on its C2 URL. The new C2 URL\r\nis qf2020[.]top, and the decryption algorithm is shown in Figure 1.\r\nThere’s an additional LNK resource section, which contains a CVE-2017-8464 exploit used for infection. The binaries in\r\nthe resource section are encrypted using the aforementioned xor-incremental encryption. 
The decrypted X86, X64, and SMB\r\nbinaries are the same as those embedded in version 1 of Lucifer.\r\nLNK (encrypted): 84b0f2e4d222b0a2e34224e60b66340071e0d03c5f1a2af53b6005a3d739915f\r\nLNK (decrypted): 4c729b343ed3186dffdf80a8e3adfea7c2d56a7a06081333030fb4635e09d540\r\nSMB (encrypted): F2d9d7703a5983ae3b7767c33ae79de1db093ea30f97d6b16bb5b62f03e99638\r\nSMB (decrypted): 5214f356f2e8640230e93a95633cd73945c38027b23e76bb5e617c71949f8994\r\nX64 (encrypted): 4365c2ba5505afeab2c479a9c546ed3cbc07ace184fe5019947823018feb4265\r\nX64 (decrypted): ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301\r\nX86 (encrypted): b6d4b4ef2880238dc8e322c7438f57b69cec6d44c0599875466a1edb8d093e15\r\nX86 (decrypted): 8edbcd63def33827bfd63bffce4a15ba83e88908f9ac9962f10431f571ba07a8\r\nIn contrast to version 1, version 2 of Lucifer has added CVE-2017-8464 to its arsenal and taken out CVE-2018-1000861,\r\nCVE-2017-10271, and CVE-2017-9791.\r\nThe malware infects its targets through IPC, WMI, SMB, and FTP by brute-forcing credentials, in addition to MSSQL,\r\nRPC, and network shares.\r\nThe dropped miner’s name is also different; it’s C:\\\\ProgramData\\\\Svchocpu.exe instead of\r\nC:\\\\ProgramData\\\\spreadXfghij.exe.\r\nRight before proceeding to its C2 operation, Lucifer checks if the host's default language is 0x804 (zh-CN). If it is, the\r\nmalware sets Internet Explorer's Start Page to www[.]yzzswt[.]com, and starts a thread that repeatedly kills Internet Explorer\r\nand reopens that URL in it. The trigger depends on the system's idle time.\r\nWhile Lucifer version 2 has a new C2 at qf2020[.]top:19370, its C2 operation is still the same.\r\nConclusion\r\nLucifer is a new hybrid cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform\r\nmalicious activities on Windows platforms. 
Applying the updates and patches to the affected software is strongly advised.\r\nThe vulnerable software includes Rejetto HTTP File Server, Jenkins, Oracle Weblogic, Drupal, Apache Struts, Laravel\r\nframework, and Microsoft Windows. Strong passwords are also encouraged to prevent dictionary attacks.\r\nPalo Alto Networks customers are protected from the attacks by the following products and services:\r\nNext-Generation Firewalls with Threat Prevention licenses can block the exploits and C2 traffic with best\r\npractice configuration.\r\nWildFire can stop the malware with static signature detections.\r\nAutoFocus customers can track this activity with the Lucifer tag.\r\nIoCs (Lucifer Version 1)\r\nNBI\r\nMalware Hosting Site:\r\n180[.]126[.]161[.]27\r\n210[.]112[.]41[.]71\r\nMining Protocol\r\n1. stratum+tcp://pool.supportxmr.com:3333\r\n2. stratum+tcp://gulf.moneroocean.stream:10001\r\nC2\r\n122[.]112[.]179[.]189:15888 (version 1)\r\nHBI\r\nSHA256 - Malware\r\n94f0e2aa41e1703e37341cba0601441b2d9fa2e11615cad81ba5c93042c8f58c spread.txt (version 1)\r\nSHA256 - Embedded Binaries in the Resource Section\r\n8edbcd63def33827bfd63bffce4a15ba83e88908f9ac9962f10431f571ba07a8 X86\r\nAc530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301 X64\r\n5214f356f2e8640230e93a95633cd73945c38027b23e76bb5e617c71949f8994 SMB\r\nSHA256 - Binaries Extracted from SMB.exe\r\nff8c9d8c6f16a466d8e598c25829ec0c2fb4503b74d17f307e13c28fd2e99b93 Shellcode.ini\r\n7417daf85e6215dedfd85ca8bfafcfd643c8afe0debcf983ad4bacdb4d1a6dbc X64.dll\r\nde23da87e7fbecb2eaccbb85eeff465250dbca7c0aba01a2766761e0538f90b6 X86.dll\r\nf06d02359666b763e189402b7fbf9dfa83ba6f4da2e7d037b3f9aebefd2d5a45 adfw-2.dll\r\nc51bce247bee4a6f4cd2d7d45483b5b1d9b53f8cc0e04fb4f4221283e356959d adfw.dll\r\nd3db1e56360b25e7f36abb822e03c18d23a19a9b5f198e16c16e06785fc8c5fa 
cnli-0.dll\r\ndb0831e19a4e3a736ea7498dadc2d6702342f75fd8f7fbae1894ee2e9738c2b4 cnli-1.dll\r\n0439628816cabe113315751e7113a9e9f720d7e499ffdd78acbac1ed8ba35887 coli-0.dll\r\nb556b5c077e38dcb65d21a707c19618d02e0a65ff3f9887323728ec078660cc3 crli-0.dll\r\n9b8ec5d0c10ccdd3933b7712ba40065d1b0dd3ffa7968fb28ad426cd5eee5001 dmgd-1.dll\r\n50f329e034db96ba254328cd1e0f588af6126c341ed92ddf4aeb96bc76835937 dmgd-4.dll\r\n19690e5b862042d9011dbdd92504f5012c08d51efca36828a5e9bdfe27d88842 esco-0.dll\r\n3fcffe9eae90ec365efb361674613ac95de50b2ccfd634c24491923f85c309a5 etch-0.dll\r\nfe4640fefa4bef02041a771a206f9184adb38de051f0d8726c4579736fe13bb6 etchCore-0.x64.dll\r\n3596e8fa5e19e860a2029fa4ab7a4f95fadf073feb88e4f82b19a093e1e2737c etchCore-0.x86.dll\r\n7ddbade1f4fcb48f254e7defa1ab5ec568e8ff0403693860b76870e11816aee6 eteb-2.dll\r\n8a5cce25f1bf60e716709c724b96630b95e55cc0e488d74d60ea50ffba7d6946 etebCore-2.x64.dll\r\n609ed51631da2defa34d58f60dc2a0f38e1574d8cf07647b844fc8b95de4bd8c etebCore-2.x86.dll\r\n15292172a83f2e7f07114693ab92753ed32311dfba7d54fe36cc7229136874d9 exma-1.dll\r\nc977ac10aa3d2250a1af39630f532184a5185f505bcd5f03ea7083a3a701a969 exma.dll\r\nhttps://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/\r\nPage 9 of 30\n\nb1d48e8185d9d366dce8c723ba765d6c593b7873cb43d77335084b58bbc7cb4d iconv.dll\r\nd3c6985d965cad5bff6075677ed8c2cafee4c3a048fb5af81b442665c76dff7b libcurl.dll\r\n5f30aa2fe338191b972705412b8043b0a134cdb287d754771fc225f2309e82ee libeay32.dll\r\n36b0fa6c0da7434707e7e330f40316458c0c1edc39b80e2fe58745cd77955eb3 libiconv-2.dll\r\naceb27720115a63b9d47e737fd878a61c52435ea4ec86ba8e58ee744bc85c4f3 libxml2.dll\r\ndf9200ba0d967487b9eb9627078d7faa88072c493b6d9e2b68211c14b06e9f4e pcla-0.dll\r\n17d6dde8a6715b9311734cb557b76160a22e340785b3950eae23aae67b0af6a8 pcre-0.dll\r\n93f0a1fe486ad222b742e451f25f4c9219b1e0f5b4273a15ce08dd714827745a pcrecpp-0.dll\r\n1c8100aca288483d5c29dcf33df887e72513f9b1cb6d0c96045401981351307c 
pcreposix-0.dll\r\ncde45f7ff05f52b7215e4b0ea1f2f42ad9b42031e16a3be9772aa09e014bacdb posh-0.dll\r\n47e16f7db53d9adf24d193ff4d523b1bc7ae59ff8520cfa012365bdb947c96f9 posh.dll\r\nf8ee4c00a3a53206d8d37abe5ed9f4bfc210a188cd5b819d3e1f77b34504061e riar-2.dll\r\n55039ab48c0916a38f1ceee08ba9f9cf5f292064cf3ee6631f22becde5e74b2d riar.dll\r\n15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13 serverlong.exe\r\na46481cdb4a9fc1dbdcccc49c3deadbf18c7b9f274a0eb5fdf73766a03f19a7f serverlong.fb\r\ncf33a92a05ba3c807447a5f6b7e45577ed53174699241da360876d4f4a2eb2de serverlong.xml\r\nbe8eb97d8171b8c91c6bc420346f7a6d2d2f76809a667ade03c990feffadaad5 ssleay32.dll\r\n85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5 svchostlong.exe\r\nad3c0b153d5b5ba4627daa89cd2adbb18ee5831cb67feeb7394c51ebc1660f41 svchostlong.fb\r\n756f44f1d667132b043bfd3da16b91c9f6681e5d778c5f07bb031d62ff00d380 svchostlong.xml\r\nb99c3cc1acbb085c9a895a8c3510f6daaf31f0d2d9ccb8477c7fb7119376f57b svchostromance.exe\r\n6c55b736646135c0acbad702fde64574a0a55a77be3f39287774c7e518de3da9 svchostromance.xml\r\n52e88433f2106cc9a3a961cd8c3d0a8939d8de28f2ef3ee8ea648534a8b036a4 tibe-1.dll\r\nca63dbb99d9da431bf23aca80dc787df67bb01104fb9358a7813ed2fce479362 tibe-2.dll\r\na418edc5f1fb14fbf9398051225f649810fa75514ca473610be44264bf3c663c tibe.dll\r\n6775d627d99733f3f02494db7e13935b505132f43c56e7f8850c54e6627691de trch-0.dll\r\n0259d41720f7084716a3b2bbe34ac6d3021224420f81a4e839b0b3401e5ef29f trch-1.dll\r\n06c031f0d905cdeb0d9c172c27ae0c2d25bbf0d08db27a4aa98ec540a15306e7 trch.dll\r\na4c460b27d03daf7828f6b6db87e0ff3ee851fdb1b8654b0a778b4c34953a3dc trfo-0.dll\r\nb2a3172a1d676f00a62df376d8da805714553bb3221a8426f9823a8a5887daaa trfo-2.dll\r\nhttps://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/\r\nPage 10 of 30\n\n96edea8d08ab10eee86776cfb9e32b4701096d21c39dbffeb49bd638f09d726a trfo.dll\r\ncf25bdc6711a72713d80a4a860df724a79042be210930dcbfc522da72b39bb12 
tucl-1.dll\r\n36107f74be98f15a45ff716e37dad70f1ff9515bc72a0a1ec583b803c220aa92 tucl.dll\r\nf0df80978b3a563077def7ba919e2f49e5883d24176e6b3371a8eef1efe2b06a ucl.dll\r\nb7d8fcc3fb533e5e0069e00bc5a68551479e54a990bb1b658e1bd092c0507d68 xdvl-0.dll\r\n70dbb0b5562cd034c6b70a4a86a346b0f0039acf1b09f5814c42895963e12ea0 zibe.dll\r\naa8adf96fc5a7e249a6a487faaf0ed3e00c40259fdae11d4caf47a24a9d3aaed zlib1.dll\r\nMutex\r\n\\Sessions\\1\\BaseNamedObjects\\122.112.179.189\r\n4AfAd5hsdMWbuNyGbFJVZjcMLeKHvrXnT155DWh8qGkYRPbVGKBT9q1Z5gcFXqmwUuh2Kh6t2sTnHXPysYrGf2m9KqBw\r\nAdded/Modified Registry Key Value\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\QQMusic - %malware binary path%\r\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\QQMusic - %malware binary path%\r\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\spreadCpuXmr - %stratum info%\r\nDeleted Registry Key\r\nHKCU\\Software\\RealVNC\\vncviewer\\KnownHosts\r\nHKCU\\Software\\RealVNC\\vncviewer\\MRU\r\nCreated Files\r\nC:\\\\ProgramData\\\\spread.txt\r\nC:\\\\ProgramData\\\\index.html\r\nC:\\\\ProgramData\\\\spreadXfghij.exe\r\nC:\\\\ProgramData\\\\SMB.exe\r\nC:\\\\ProgramData\\\\svchostlong.exe\r\nC:\\\\ProgramData\\\\X86.dll\r\nC:\\\\ProgramData\\\\X64.dll\r\n%TEMP%\\\\\u003c4-random-lower-case-characters\u003e.exe\r\nDeleted Files\r\nC:\\\\Windows\\\\SysWOW64\\\\rserver30\\\\Radm_log.htm\r\nC:\\\\ProgramData\\\\X86.dll\r\nC:\\\\ProgramData\\\\X64.dll\r\nhttps://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/\r\nPage 11 of 30\n\nIoCs (Lucifer Version2)\r\nNBI\r\nMalware Hosting Site\r\n121[.]206[.]143[.]140\r\nMining Protocol\r\n1. stratum+tcp://pool.supportxmr.com:8080\r\n2. 
stratum+tcp://gulf.moneroocean.stream:10001\r\nC2\r\nqf2020[.]top:19370\r\nHBI\r\nSHA256 - Malware\r\n66d619ca5e848ce0e4bcb1252ff8a4f0a060197a94810de85873c76fa3826c1e spread.txt\r\nSHA256 - Embedded Binaries in the Resource Section\r\n84b0f2e4d222b0a2e34224e60b66340071e0d03c5f1a2af53b6005a3d739915f LNK encrypted\r\n4c729b343ed3186dffdf80a8e3adfea7c2d56a7a06081333030fb4635e09d540 LNK decrypted\r\nf2d9d7703a5983ae3b7767c33ae79de1db093ea30f97d6b16bb5b62f03e99638 SMB encrypted\r\n5214f356f2e8640230e93a95633cd73945c38027b23e76bb5e617c71949f8994 SMB decrypted\r\n4365c2ba5505afeab2c479a9c546ed3cbc07ace184fe5019947823018feb4265 X64 encrypted\r\nac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301 X64 decrypted\r\nb6d4b4ef2880238dc8e322c7438f57b69cec6d44c0599875466a1edb8d093e15 X86 encrypted\r\n8edbcd63def33827bfd63bffce4a15ba83e88908f9ac9962f10431f571ba07a8 X86 decrypted\r\nSHA256 - Binaries Extracted from SMB.exe\r\n\u003cSame as version 1\u003e\r\nSHA256 - Files Extracted from decrypted LNK\r\n45d943c1a4e3615a52f7561791c331cd7d996dd6ddc5421fab78c2d734fed6b6 AIGrEPvEOTXqjEaw_O.lnk\r\n478021e127232f6c6bad31b342486c88d58ab299e6c1336bbf3da00f3c38f1c8 CJqsRymyTEMnBoEC_T.lnk\r\n42e1a05ab55d4a209d6198454718e6aaf0ac63b1778ccfc648b7791d06eddc44 DNfOzAatoSkUAZpM_E.lnk\r\n5d181f72ca116b2925151416d5cc6d8f7ab29242be9030ec927e7175c764f56f FNqWxGJfjXHWtsOf_S.lnk\r\n00f49b9f5e2d0156017dd5421c9301cf62b0a023d45f36455cf1d287c7f061cb FavqRrpXeqruoJwm_M.lnk\r\nhttps://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/\r\nPage 12 of 30\n\n5c75ac1a0f824cb3b14a84b5b2dba0a52ed150e2e410850eafa08338dd596198 LdhMQIbWZpcSeVNj_Z.lnk\r\nfe9f693a81ceed943854896543406edd1a6e4c2ee6a84abf196659fc8617f22e LqFWHUlZTWlULatC_G.lnk\r\n8b4b3f131d70922502e61e7ef294f69916d289f72fe3dcccca7e2ebb904de018 MkGTeIIFLYOjZclX_I.lnk\r\nd690b048e3984f9f8305ba0d3fb4eeea490a1461796b6927a31d0beffdafbc8b 
NfMIupIogETQsWra_V.lnk\r\nd05609b368bc35d4795cc220ef42ea06d9ac8284e49b218c64789876ccdacb2e OuWZjtdbLqFVMSLF.dll\r\n52da4c4c3ac7237ee803a5aa3250d9ca1b571876d46d725135079a866b4a554d QZwHXICgEbiMtEwe_S.lnk\r\n3a3344f89ce8c459c11b7d480db274e8ea438cacedfe60332b1b2b65e82dfab1 QjcZPYwkZKEVQvgs_W.lnk\r\n64af944e3ca7dec9a5673df3043d24064351de33a6ecc61ad2d288956a570bff SAmbRRbbdmzXwBQm_J.lnk\r\n0be5db462b912cc4207e47c7fe0a80153e1f15a327a486fb2ba3e0c1efa2978a SDtTgoPxAguJyxBw_T.lnk\r\n686eb63c8b5c07040f22e6fee0cc76baabe283fcffc0926df1bf3b802aeb8cfe TFjoAQJOJqTTlynz_W.lnk\r\n39e8a25b0875e2ba1906b83b2d0c2cfd0762a5f1a670e6d736cc3873125b807c TeNENqdfbnkTNers_O.lnk\r\n2dfd7a838abcf46e420e418af04413ba53cc5592ec18b8a6fe35cab161baeb48 TpzgiaCNXaSnzlKx_K.lnk\r\nab0c0471fd57e3ed03bbb5c5e4564c3843d62d0b7b88a15a18cd2d057a22a9f6 TywZFloXXLcMoUVP_P.lnk\r\nab8511ed01a0601e974809c8f3f92094ebf6669679228ce6daea6027ab59e554 VhfYGmTcCCcrfTaY_Y.lnk\r\n32d18553602309c19b5f88a1761bc1598f346124915c2c38e1129b7c5cf94a42 WmOXSshkpQfaLVED.dll\r\n0a4d0fb773e9251bd420e3998605500881bca21119d7af44f06b002de2cdc8fe YSfBenPxsQHppZuM_E.lnk\r\nab9e4c3c4827896a309a16b289e97ae848113590c8db2a62b931833ab83d9099 ZMLUEPWbhtajeFvU_F.lnk\r\n5ae7d87b81db21da2b6212ff1229264093b5954f2d6ffb273420f898141c611d aQRlCerEgjVIRYLQ_N.lnk\r\nd29841ebebeb48fc3da7e23ce4a0a4d3e48c1602485e9fbe913cb2ff8eb9d0dd bzimVhTxVSVAvqWW_H.lnk\r\nb64712d39bd2ce26bb24f6cd5877554bee39240bd5994a1a6143bba660c34e2b cRTvZQMkUULYLGmW_F.lnk\r\n02981319f54847a5587fc9cb4e32c54a76bdcfe583bc3059ee79a40c4a4409d7 emeDxGEdARUmzHYN_X.lnk\r\nb585e210997e38741c4842979472b38e704c187a11565e32d549d0aab181ad3a fXtYTHUBPuuoBWrl_P.lnk\r\n5def9f81ea8187a2716c77fe21a709b9c760762973fc3bbe62203e2b5897f1cc gBsceXqQIqhXHySi_N.lnk\r\n74254df16012b0ffee18f02c96820e507b961cc6a7bcb5cc2a5f43064291d0a4 gXRyeJymkCbmiXIR_H.lnk\r\nb8a24d8aa9b936413be925091ff551a9e872c634e9aef28df0f19363645e1224 gyhbcKquCWLSOUSd_U.lnk\r\n04d17a702b485ae343287239b0b6201ebcaea3dd24188579800d21a16f9b35c6 
gzTXwmTukBDryAPx_L.lnk\r\nfc0997022f3b02556362ff87c59ba6db6751070aa7e73a42ac634af0eaab6ca5 hRAVeKFdQFfUWWqf_D.lnk\r\n7a08530d46fd2bd0e61cb5ebeae8a32b6020cda5555290d5e7d8b2838127d0f6 iWYfETBuIkffMlgp_Z.lnk\r\nb13cb42cb21efe404a88501e9ecca74f695b527a42934e62625ddf11fefcea9a joJczkptYQtfkMNm_J.lnk\r\n57d1f4287e36c4b109afb797d50d693329d92e6d9ee69822242e55cac3c422f7 juHLixrdaEoaGDcL_I.lnk\r\n5e8bfc88a5643c40d6efd4462cd918573e9be6fd934222a0bccc64d3e789fdfc lHGRXkTVRihDzkjl_R.lnk\r\n21167b8443213332b519140e364cf25043b2b9171ac8ab3ce4b591e62c3b5f89 lPfkoJiWxgsoSrsD_V.lnk\r\n7857ecefa14ab3d86a699700b313c85d6d3b106fe5375f5a5e938784271fb1dd laTnMsKakEOKsJHf_R.lnk\r\n6791024c02a9045b237f9bf09e2ca7a7e3503d81a59f4691e5442670be21b0c1 lvdfRmNKdkMexTNn_G.lnk\r\n8995c73fe107b3c4dad829db8e7a6b9b2bee29811d73909a9bf67ad5bd5acacb nChCLwgSBXaEiwIR_Q.lnk\r\n4a928ff8904640733cff08bd5f70e23ee2466cb8f925a1764e9ad61bbf006efd qIeuxAOnUEVJWOEe_K.lnk\r\n18267b8425c9dbcf4de44b22c80712ac58ddff7e3fa54839252bd5337778859f rxTDIbsrdXcyLvYA_Y.lnk\r\n24437f92578b3632452e1e9a97341c781d36dae544d4d6827e5831c71e0f34db sHEofvMNSNPGPxnI_X.lnk\r\n782d840f3dc7f648f8404de3e4039882e05fcf8cd2cba1509136835f6cb547d0 uZfBVEFQdlRgsvpT_D.lnk\r\n437064714d5b080673fbdeae792a5376fbd8be361a6783a8bda78d944975f055 vnvlkoVTAEtCfPYX_Q.lnk\r\nc735098987b555b3aa3adb58e0691d9280c2b593307072d7d731e02cd338d7ac wDxKJhyBflVPXlwA_L.lnk\r\n33c14ef70be64290bcd9bd5abc72f2e39f50bfa567c5f521ee5d3406deb80a93 xWiOFoWnpbAxeKSr_U.lnk\r\n3c9b80de476f842c4325580ab628ddebae4a7261ffaee52c3df0514a368d3c11 xXIRjCUwUvcECnmO_M.lnk\r\nMutex\r\nqf2020.top\r\nAdded/Modified Registry Key Value\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\QQMusic - %malware binary path%\r\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\QQMusic - %malware binary path%\r\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\spreadCpuXmr - %stratum info%\r\nHKCU\\Software\\Microsoft\\Internet Explorer\\MAIN\\Start Page - http://www[.]yzzswt[.]com\r\nHKLM\\Software\\Microsoft\\Internet Explorer\\MAIN\\Start Page - http://www[.]yzzswt[.]com\r\nDeleted Registry Key\r\n\u003cSame as version 1\u003e\r\nCreated Files\r\nC:\\\\ProgramData\\\\spread.txt\r\nC:\\\\ProgramData\\\\index.html\r\nC:\\\\ProgramData\\\\spreadXfghij.exe\r\nC:\\\\ProgramData\\\\SMB.exe\r\nC:\\\\ProgramData\\\\svchostlong.exe\r\nC:\\\\ProgramData\\\\X86.dll\r\nC:\\\\ProgramData\\\\X64.dll\r\n%TEMP%\\\\\u003c4-random-lower-case-characters\u003e.exe\r\nK:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\spread.exe\r\nK:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\spread.exe\r\n%ROOT PATH%\\\\OuWZjtdbLqFVMSLF.dll\r\nC:\\\\ProgramData\\\\CVE147159.exe\r\nC:\\\\CVE\\\\\r\nDeleted Files\r\nC:\\\\Windows\\\\SysWOW64\\\\rserver30\\\\Radm_log.htm\r\nC:\\\\ProgramData\\\\X86.dll\r\nC:\\\\ProgramData\\\\X64.dll\r\nK:\\\\spread.txt\r\nC:\\\\ProgramData\\\\CVE147159.exe\r\nC:\\\\CVE\\\\\r\nAppendix\r\nAllow list of Remote IP Addresses\r\n94.23.23.52\r\n91.121.140.167\r\n149.202.83.171\r\n139.99.124.170\r\n37.187.95.110\r\n94.23.247.226\r\n139.99.125.38\r\n18.180.72.219\r\n3.0.193.200\r\n139.180.131.153\r\n45.32.24.80\r\n116.203.73.240\r\n44.202.105.45\r\n95.179.220.100\r\n139.99.100.250\r\n149.28.17.136\r\n45.76.206.51\r\n142.44.240.132\r\n94.23.23.52\r\n139.99.123.196\r\n94.130.12.27\r\n178.63.100.197\r\n107.178.104.10\r\n92.110.160.114\r\n94.130.12.30\r\n37.59.52.83\r\n104.140.201.102\r\n95.216.46.125\r\n3.253.40.188\r\n3.253.40.189\r\n45.125.194.18\r\n45.125.194.34\r\n78.47.158.234\r\n47.101.30.124\r\n203.107.32.162\r\n47.102.39.92\r\n47.102.251.102\r\n47.110.199.70\r\n139.224.168.24\r\n47.110.190.245\r\n139.224.219.119\r\n139.224.20.173\r\n203.107.40.49\r\n116.211.169.162\r\n218.11.2.44\r\n107.191.99.221\r\n107.191.99.95\r\n3.112.214.88\r\n47.241.2.137\r\n206.189.33.65\r\n161.117.192.8\r\n47.244.176.59\r\n210.1.226.51\r\n116.203.61.78\r\n35.163.175.186\r\n178.128.107.204\r\n45.77.31.97\r\n172.104.91.217\r\n103.101.30.10\r\n139.99.72.56\r\n176.9.4.26\r\n149.202.214.40\r\n37.59.43.136\r\n37.59.44.193\r\n37.59.43.131\r\n88.99.242.92\r\n88.99.193.240\r\n94.130.165.85\r\n94.130.165.87\r\n91.121.2.76\r\n37.59.54.205\r\n37.59.55.60\r\n37.59.44.93\r\n37.187.154.79\r\n37.59.45.174\r\n176.9.53.68\r\n78.46.91.134\r\n94.23.41.130\r\n176.9.2.144\r\n178.63.48.196\r\n78.46.89.102\r\n37.59.56.102\r\n94.23.212.204\r\n188.165.254.85\r\n46.105.103.169\r\n76.9.50.126\r\n37.59.51.212\r\n91.121.87.10\r\n94.130.206.79\r\n188.165.199.78\r\n176.31.117.82\r\n188.165.214.95\r\n94.23.206.130\r\n176.9.63.166\r\n94.130.164.60\r\n78.46.91.171\r\n188.165.214.76\r\n37.59.44.68\r\n94.23.8.105\r\n37.59.49.7\r\n183.201.229.131\r\n117.139.17.68\r\n223.167.166.51\r\n111.7.68.222\r\nAllow list of Remote Ports\r\n3333\r\n5555\r\n7777\r\n45700\r\n45560\r\n13531\r\n2222\r\nList of Usernames - Credential Brute-Forcing\r\nsa\r\nSA\r\nsu\r\nkisadmin\r\nSQLDebugger\r\nmssql\r\nChred1433\r\nList of Passwords - Credential Brute-Forcing\r\n“\\x20”\r\nadministrator\r\nsa\r\nSA\r\n123456\r\n1\r\n123\r\n123123\r\n112233\r\n1234\r\n12345\r\n1234567\r\n12345678\r\n123456789\r\n1234567890\r\n0123456789\r\na123456\r\nadmin\r\nqaz123\r\n1sanjose\r\n123.com\r\n525464\r\n123.qwe\r\nprocess\r\ntemp\r\n1234qwer\r\n123asd\r\nChred1433\r\nadmin888\r\n1qaz3edc\r\n1qaz4rfv\r\n3edc4rfv\r\n4rfv5tgb\r\n5tgb6yhn\r\n6yhn7ujm\r\n7ujm8ik,\r\naaa123!@#\r\ntest1234\r\n1qaz@wsx#edc\r\nadmin123456789\r\nqazwsx123\r\nqaz123wsx\r\nadmin123\r\npassword\r\nqwe123\r\nqweqwe\r\naaa123\r\npass@word1\r\nPassword1234\r\nasd@123\r\nSa@123\r\n!QAZxsw2\r\nmasterkey\r\nsa123!@#\r\nabc@123\r\n!QAZ1qaz\r\n123@abcd\r\n111\r\n111111\r\n11111111\r\n11111111111\r\n1111\r\n888\r\n888888\r\n8888\r\n88888888\r\n666\r\n6666\r\n666666\r\n66666666\r\nabc123\r\n123abc\r\n1ab2c3\r\nzxcvbn\r\nzxcvbnm\r\nasdasd\r\nasdfghjkl\r\nasd123\r\nqweasd\r\nqweasdzxc\r\nQAZWSX\r\n123qwe@#\r\nadmin@123\r\n123abc!@#\r\n1qaz2ws\r\nzaq12wsx\r\nP@SSW0rd\r\na123\r\na111111\r\na123456789\r\na1234\r\np@ssw0rd\r\nP@ssW0rd\r\nP@ssw0rd\r\naa123456\r\n1234abcd\r\nqwer1234!@#$\r\n159357\r\n336699\r\n1qaz2wsx\r\npaSSword\r\npassword1\r\n654321\r\nqwerty\r\n123456a\r\npa$$word\r\npassw0rd\r\nPasswOrd\r\nqwe.123\r\nzxc123!@#\r\nroot\r\na1b2c3\r\nadmin123456\r\npass\r\npass123\r\nzxc123\r\nuser\r\n11223344\r\nasd123456\r\npassword123\r\n121212\r\nmonkey\r\nprincess\r\nguest\r\n123123123\r\nqazwsx\r\ncomputer\r\n12345a\r\n1111222\r\n111222\r\n123456789a\r\n000000\r\n1qazXSW@\r\n1qaz@WSX\r\n123!@#qwe\r\n1q2w3e4r5t\r\nqwertyuiop\r\nq1w2e3\r\n123321\r\n123qwe\r\n1q2w3e4r\r\n7777777\r\n987654321\r\nqwerty1\r\n222222\r\n1g2w3e4r\r\nzag12wsx\r\nsystem\r\n555555\r\n1q2w3e\r\nadmin123!@#\r\nP@$$w0rd\r\n123698745\r\nasdfjkl\r\n21212121\r\n456852\r\na12345678\r\nmoney123\r\n1qazxsw2\r\n1234rewq\r\n12qwaszx\r\n22222222\r\nzxcvbnm123\r\npassword11\r\nzxcv\r\na1b2c3d4\r\nqqqqqq\r\naaa111\r\n111aaa\r\n369369369\r\n369369\r\n123454321\r\nqw123321\r\nasdasdasd\r\n111222333\r\nasdfghj\r\nypbwkfyjhyhgzj\r\nly1234\r\nvice_1433 vice\r\nsa@123\r\nAdmin123\r\n123qweASD\r\nAbc123\r\nSa123456\r\nsa123456\r\nsa123\r\ntarget123\r\nroot123\r\nmssql\r\nsqlserver\r\nserver\r\nclient\r\nlogin\r\ntest\r\nqq123456\r\na123123\r\n18n28n24a5\r\ntest1\r\nQAZ123\r\nAa123456.\r\ntest123\r\nsuper\r\ntext\r\nvice\r\nifuckyounow\r\nzXJl@mwZ\r\n!qaz1QAZ\r\n!qaz2WSX\r\n!qaz3wsx\r\n!qaz@WSX\r\nqqaazz\r\nz123456\r\nzaqwsx\r\n1qwerty\r\nmusica\r\n!QAZ2wsx\r\nabcd1234\r\n123456aa\r\n1234321\r\n123zxc\r\n123321a\r\n123qaz\r\nqwer123\r\nqwerty123\r\nzxcvbnm,./\r\nq1w2Q!W@\r\n1qazxcvbnm,./\r\nbw99588399\r\nhuweishen.com\r\nhuweishen\r\nzkeys\r\npiress\r\nletmein\r\nMaster\r\nmaster\r\nmodel\r\ntempdb\r\nzjsxidc123\r\n0okmnji9\r\nmsdb\r\nsuperman\r\nsql123456\r\nbaseball\r\nwelcome\r\nsa@qaz\r\nsa@qazwsx\r\n123qweasd\r\nwelcometo\r\nmypassword\r\ncaonima\r\n147258\r\nqwe!@#123\r\n123qwe!@#\r\nqaz#@!321\r\nqwe123123\r\na123.321\r\na321.123\r\na123.123\r\na321.321\r\nzaq1xsw2\r\nqwert12345\r\nPassWord\r\nzxcasd\r\nqaswed\r\n1qaz@2wsx\r\nqaz1wsx2\r\nqwaszx!@#\r\nqazwsx!@#\r\nqwe123456\r\n1314520\r\n147258369\r\nidc123456\r\n123.654\r\n123.456\r\n123.456.789\r\n123.456.789a\r\n123.456a\r\nPASSWORD\r\n1qw23er4\r\naaaaaa\r\nzaq!@wsx\r\naabbcc\r\na12345\r\nzxcmnb\r\nzxcv1234\r\n2wsxdr5\r\n2wsx3edc\r\n2w3e4r\r\n234fd\r\nenkj.1qazxdr5\r\n123!@#\r\nidc123!@#\r\n3dgidc@))*\r\nywinidc56#@!\r\naini\r\ngjp\r\naini1314520\r\ncaonimagebi\r\nfootball\r\nfootball123\r\nadministrator\r\nList of Ports for Vulnerability Scanning and Exploitation\r\n80\r\n81\r\n88\r\n89\r\n8080\r\n8081\r\n8088\r\n8090\r\n8888\r\n8899\r\n8989\r\n9999\r\n7001\r\nSource: https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/"
	],
	"report_names": [
		"lucifer-new-cryptojacking-and-ddos-hybrid-malware"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434783,
	"ts_updated_at": 1775826717,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/195ee842c6b350f61df0a123ee96c3d2c4b67618.pdf",
		"text": "https://archive.orkl.eu/195ee842c6b350f61df0a123ee96c3d2c4b67618.txt",
		"img": "https://archive.orkl.eu/195ee842c6b350f61df0a123ee96c3d2c4b67618.jpg"
	}
}