xmrig挖矿样本分析 miner

xmrig挖矿样本分析 miner

首先推荐这个站点:https://tria.ge/220617-wchkbscghp

搜索:f924ddf42e5f1b8102e774b68fff7e40c217acee2f0fe1c44453766af97f419b 该样本比较鲜活,是2022-06-17才上传的。

然后注册账号,下载该挖矿样本。

然后本机上,可以运行,我看到的是:

wininit.exe和notepad.exe进程二者合起来占用我cpu 100%,单看的话,占用率50%。如果kill掉二者的话,notepad会再度重启,占用你几乎100%的CPU。(我vm是2核,这玩意从下图看还是很蛋疼啊!)

 

 

 

joesandbox里跑的结果:

https://www.joesandbox.com/analysis/647899/0/html

 

进程树:

  • System is w10x64
  • 2rVBokoc2C.exe (PID: 7056 cmdline: "C:\Users\user\Desktop\2rVBokoc2C.exe" MD5: C37FFEA9B9BA78C03A9296B73D3D55BD)
     
    • wscript.exe (PID: 6332 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\install.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
       
      • cmd.exe (PID: 6404 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\del.bat" " MD5: F3BDBE3BB6F734E357235F4D5898582D)
         
        • conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
           
        • taskkill.exe (PID: 4944 cmdline: TASKKILL /IM wscript.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
           
        • taskkill.exe (PID: 3064 cmdline: TASKKILL /IM wscript.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
           
        • taskkill.exe (PID: 6220 cmdline: TASKKILL /IM wscript.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
           
          • notepad.exe (PID: 6760 cmdline: C:\Windows\notepad.exe" -c "C:\ProgramData\eWTBqYYAek\cfg MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)
             
        • taskkill.exe (PID: 5056 cmdline: TASKKILL /IM wscript.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
           
        • timeout.exe (PID: 6500 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
           
        • wscript.exe (PID: 6616 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\delreg.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
           
        • timeout.exe (PID: 6628 cmdline: timeout /t 2 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
           
        • wscript.exe (PID: 6308 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\killroaming.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
           
        • wscript.exe (PID: 6388 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\killstatrup.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
           
        • wscript.exe (PID: 5100 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\deltemp.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
           
        • wscript.exe (PID: 7104 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\start.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
           
          • cmd.exe (PID: 6564 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\start.bat" " MD5: F3BDBE3BB6F734E357235F4D5898582D)
             
            • conhost.exe (PID: 6316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
               
            • wininit.exe (PID: 6084 cmdline: wininit.exe MD5: 606CE310D75EE688CBFFAEAE33AB4FEE)
               
        • services.exe (PID: 6588 cmdline: services.exe MD5: 0C8E76FF6BA1CC33C2A37928A1E9642B)
           
          • cvtres.exe (PID: 6584 cmdline: \Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe MD5: EC0A2E5708E3FC63D01C6ABFE522C1D9)
             
        • AudioClip.exe (PID: 6192 cmdline: AudioClip.exe MD5: 1F22C6DBDF4806A6ADB969CB6E548400)
           
        • timeout.exe (PID: 5980 cmdline: timeout /t 2 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
           
        • wscript.exe (PID: 6844 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\Replace32640.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
           
        • wscript.exe (PID: 6300 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\mavis9080.vbe" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
           
  • services.exe (PID: 6556 cmdline: "C:\Users\user\AppData\Roaming\01Atodo\services.exe" MD5: 0C8E76FF6BA1CC33C2A37928A1E9642B)
     
    • cvtres.exe (PID: 6220 cmdline: \Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe MD5: EC0A2E5708E3FC63D01C6ABFE522C1D9)
       
  • wscript.exe (PID: 5944 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\start.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
     
    • cmd.exe (PID: 7160 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\start.bat" " MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
       
      • conhost.exe (PID: 3944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
         
      • wininit.exe (PID: 7088 cmdline: wininit.exe MD5: 606CE310D75EE688CBFFAEAE33AB4FEE)
         
  • svchost.exe (PID: 6928 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
     
  • svchost.exe (PID: 588 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
     
  • AudioClip.exe (PID: 4772 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe" MD5: 1F22C6DBDF4806A6ADB969CB6E548400)
     
  • cleanup

 

Mitre Att&ck Matrix (标数字表示命中)

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid Accounts 1
Windows Management Instrumentation		 1
DLL Side-Loading		 1
DLL Side-Loading		 11
Disable or Modify Tools		 OS Credential Dumping 1
System Time Discovery		 Remote Services 11
Archive Collected Data		 Exfiltration Over Other Network Medium 1
Ingress Tool Transfer		 Eavesdrop on Insecure Network Communication Remotely Track Device Without Authorization Modify System Partition
Default Accounts 12
Scripting		 1
Windows Service		 1
Windows Service		 11
Deobfuscate/Decode Files or Information		 LSASS Memory 3
File and Directory Discovery		 Remote Desktop Protocol 1
Clipboard Data		 Exfiltration Over Bluetooth 1
Encrypted Channel		 Exploit SS7 to Redirect Phone Calls/SMS Remotely Wipe Data Without Authorization Device Lockout
Domain Accounts 1
Shared Modules		 12
Registry Run Keys / Startup Folder		 612
Process Injection		 12
Scripting		 Security Account Manager 46
System Information Discovery		 SMB/Windows Admin Shares Data from Network Shared Drive Automated Exfiltration 1
Non-Standard Port		 Exploit SS7 to Track Device Location Obtain Device Cloud Backups Delete Device Data
Local Accounts 2
Command and Scripting Interpreter		 Logon Script (Mac) 12
Registry Run Keys / Startup Folder		 31
Obfuscated Files or Information		 NTDS 1
Query Registry		 Distributed Component Object Model Input Capture Scheduled Transfer 2
Non-Application Layer Protocol		 SIM Card Swap   Carrier Billing Fraud
Cloud Accounts Cron Network Logon Script Network Logon Script 24
Software Packing		 LSA Secrets 241
Security Software Discovery		 SSH Keylogging Data Transfer Size Limits 2
Application Layer Protocol		 Manipulate Device Communication   Manipulate App Store Rankings or Ratings
Replication Through Removable Media Launchd Rc.common Rc.common 1
DLL Side-Loading		 Cached Domain Credentials 2
Process Discovery		 VNC GUI Input Capture Exfiltration Over C2 Channel Multiband Communication Jamming or Denial of Service   Abuse Accessibility Features
External Remote Services Scheduled Task Startup Items Startup Items 1
File Deletion		 DCSync 131
Virtualization/Sandbox Evasion		 Windows Remote Management Web Portal Capture Exfiltration Over Alternative Protocol Commonly Used Port Rogue Wi-Fi Access Points   Data Encrypted for Impact
Drive-by Compromise Command and Scripting Interpreter Scheduled Task/Job Scheduled Task/Job 121
Masquerading		 Proc Filesystem 1
Remote System Discovery		 Shared Webroot Credential API Hooking Exfiltration Over Symmetric Encrypted Non-C2 Protocol Application Layer Protocol Downgrade to Insecure Protocols   Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application PowerShell At (Linux) At (Linux) 131
Virtualization/Sandbox Evasion		 /etc/passwd and /etc/shadow System Network Connections Discovery Software Deployment Tools Data Staged Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Web Protocols Rogue Cellular Base Station   Data Destruction
Supply Chain Compromise AppleScript At (Windows) At (Windows) 612
Process Injection		 Network Sniffing Process Discovery Taint Shared Content Local Data Staging Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol File Transfer Protocols     Data Encrypted for Impact
posted @ 2022-06-25 11:23  bonelee  阅读(1246)  评论(3编辑  收藏  举报