xmrig mining sample analysis (miner)

First, I recommend this site: https://tria.ge/220617-wchkbscghp

Search for: f924ddf42e5f1b8102e774b68fff7e40c217acee2f0fe1c44453766af97f419b. This sample is quite fresh; it was only uploaded on 2022-06-17.

Then register an account and download the mining sample.

Then run it on the local machine; what I saw was:

The wininit.exe and notepad.exe processes together used 100% of my CPU, 50% each when looked at individually. If you kill both, notepad restarts and again takes almost 100% of your CPU. (My VM has 2 cores; judging from the figure below, this thing is still a real pain!)


Results from running it in Joe Sandbox:

    https://www.joesandbox.com/analysis/647899/0/html

Process tree:

• System is w10x64
• 2rVBokoc2C.exe (PID: 7056 cmdline: "C:\Users\user\Desktop\2rVBokoc2C.exe" MD5: C37FFEA9B9BA78C03A9296B73D3D55BD)
  • wscript.exe (PID: 6332 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\install.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
    • cmd.exe (PID: 6404 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\del.bat" " MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • taskkill.exe (PID: 4944 cmdline: TASKKILL /IM wscript.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • taskkill.exe (PID: 3064 cmdline: TASKKILL /IM wscript.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • taskkill.exe (PID: 6220 cmdline: TASKKILL /IM wscript.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
        • notepad.exe (PID: 6760 cmdline: C:\Windows\notepad.exe" -c "C:\ProgramData\eWTBqYYAek\cfg MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)
      • taskkill.exe (PID: 5056 cmdline: TASKKILL /IM wscript.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • timeout.exe (PID: 6500 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • wscript.exe (PID: 6616 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\delreg.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • timeout.exe (PID: 6628 cmdline: timeout /t 2 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • wscript.exe (PID: 6308 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\killroaming.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • wscript.exe (PID: 6388 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\killstatrup.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • wscript.exe (PID: 5100 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\deltemp.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • wscript.exe (PID: 7104 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\start.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
        • cmd.exe (PID: 6564 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\start.bat" " MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • wininit.exe (PID: 6084 cmdline: wininit.exe MD5: 606CE310D75EE688CBFFAEAE33AB4FEE)
      • services.exe (PID: 6588 cmdline: services.exe MD5: 0C8E76FF6BA1CC33C2A37928A1E9642B)
        • cvtres.exe (PID: 6584 cmdline: \Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe MD5: EC0A2E5708E3FC63D01C6ABFE522C1D9)
      • AudioClip.exe (PID: 6192 cmdline: AudioClip.exe MD5: 1F22C6DBDF4806A6ADB969CB6E548400)
      • timeout.exe (PID: 5980 cmdline: timeout /t 2 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • wscript.exe (PID: 6844 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\Replace32640.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • wscript.exe (PID: 6300 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\mavis9080.vbe" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
• services.exe (PID: 6556 cmdline: "C:\Users\user\AppData\Roaming\01Atodo\services.exe" MD5: 0C8E76FF6BA1CC33C2A37928A1E9642B)
  • cvtres.exe (PID: 6220 cmdline: \Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe MD5: EC0A2E5708E3FC63D01C6ABFE522C1D9)
• wscript.exe (PID: 5944 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\start.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • cmd.exe (PID: 7160 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\start.bat" " MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 3944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wininit.exe (PID: 7088 cmdline: wininit.exe MD5: 606CE310D75EE688CBFFAEAE33AB4FEE)
• svchost.exe (PID: 6928 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
• svchost.exe (PID: 588 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
• AudioClip.exe (PID: 4772 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe" MD5: 1F22C6DBDF4806A6ADB969CB6E548400)
• cleanup
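The process tree above contains the indicators a defender would hunt for on an endpoint: a bare "wininit.exe" and "services.exe" started by cmd.exe from a batch file under AppData rather than from System32, notepad.exe given an xmrig-style "-c <config>" argument, WScript executing .vbs/.vbe files out of AppData\Roaming\01Atodo, and AudioClip.exe planted in the Startup folder. The following is an added example (not code from the original post or from Joe Sandbox) that parses entries in the Joe Sandbox process-tree format and applies those four checks; the sample input is a subset of the entries quoted above, and the lists of System32-only binaries and script hosts are this example's own assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample input: a subset of the Joe Sandbox process-tree entries quoted above.
SAMPLE_TREE = r"""
2rVBokoc2C.exe (PID: 7056 cmdline: "C:\Users\user\Desktop\2rVBokoc2C.exe" MD5: C37FFEA9B9BA78C03A9296B73D3D55BD)
wscript.exe (PID: 6332 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\install.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
cmd.exe (PID: 6404 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\del.bat" " MD5: F3BDBE3BB6F734E357235F4D5898582D)
conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
taskkill.exe (PID: 4944 cmdline: TASKKILL /IM wscript.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
notepad.exe (PID: 6760 cmdline: C:\Windows\notepad.exe" -c "C:\ProgramData\eWTBqYYAek\cfg MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)
wininit.exe (PID: 6084 cmdline: wininit.exe MD5: 606CE310D75EE688CBFFAEAE33AB4FEE)
services.exe (PID: 6588 cmdline: services.exe MD5: 0C8E76FF6BA1CC33C2A37928A1E9642B)
services.exe (PID: 6556 cmdline: "C:\Users\user\AppData\Roaming\01Atodo\services.exe" MD5: 0C8E76FF6BA1CC33C2A37928A1E9642B)
svchost.exe (PID: 6928 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
AudioClip.exe (PID: 4772 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe" MD5: 1F22C6DBDF4806A6ADB969CB6E548400)
"""

# One Joe Sandbox process-tree entry:  name (PID: n cmdline: ... MD5: hash)
ENTRY_RE = re.compile(
    r'^(?P<name>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*) MD5: (?P<md5>[0-9A-Fa-f]{32})\)$'
)

# Assumption for this example: core OS binaries that only ever run from %SystemRoot%\System32.
SYSTEM32_ONLY = {"wininit.exe", "services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
# Assumption for this example: script hosts whose argument is the script they execute.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


@dataclass
class Finding:
    pid: int
    name: str
    reason: str


def first_token(cmd: str) -> str:
    """Return the image path at the start of a command line.

    Handles quoted ("C:\\dir with spaces\\x.exe" args) and unquoted forms, and
    strips the stray quote seen in the notepad.exe entry (C:\\Windows\\notepad.exe" -c ...).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0].rstrip('"')


def analyze(tree_text: str) -> list[Finding]:
    """Apply four defender checks to every parsable entry and return the findings."""
    findings: list[Finding] = []
    for raw in tree_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # blank line or a node without a command line (e.g. "cleanup")
        name, pid, cmd = m["name"].lower(), int(m["pid"]), m["cmd"]
        exe = first_token(cmd)
        exe_lower = exe.lower()

        # 1. A core OS binary name whose image path is not %SystemRoot%\System32
        #    (a bare "wininit.exe" resolves relative to the parent's working directory).
        if name in SYSTEM32_ONLY and "\\windows\\system32\\" not in exe_lower:
            findings.append(Finding(pid, name, f"system process name launched from non-System32 path: {exe!r}"))

        # 2. A script host executing a script that lives in a user-writable profile directory.
        if name in SCRIPT_HOSTS:
            script = re.search(r'[^"\s]+\.(?:vbs|vbe|js|jse|wsf)\b', cmd, re.I)
            if script and ("\\appdata\\" in script.group(0).lower() or "\\temp\\" in script.group(0).lower()):
                findings.append(Finding(pid, name, f"script host running {script.group(0)} from user profile"))

        # 3. notepad.exe does not take a "-c <file>" option; xmrig does. A renamed miner
        #    keeps its original argument syntax even when it borrows a benign image name.
        if name == "notepad.exe" and re.search(r'\s-c\s+"?[^\s"]+', cmd):
            findings.append(Finding(pid, name, "miner-style -c <config> argument on a text editor"))

        # 4. Image located in a Startup folder (autostart persistence).
        if "\\start menu\\programs\\startup\\" in exe_lower:
            findings.append(Finding(pid, name, "executable run from Startup folder"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_TREE):
        print(f"PID {f.pid:>5}  {f.name:<14} {f.reason}")
```

Run against the sample, the checks flag PIDs 6332, 6760, 6084, 6588, 6556 and 4772 and leave the genuine svchost.exe, conhost.exe, cmd.exe and taskkill.exe entries alone. The same four predicates translate directly to Sysmon Event ID 1 or Windows 4688 process-creation events by substituting the Image and CommandLine fields for the parsed name and cmdline.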

Mitre Att&ck Matrix (a number in front of a technique marks a hit), grouped by tactic column:

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 1 Windows Management Instrumentation; 12 Scripting; 1 Shared Modules; 2 Command and Scripting Interpreter; Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: 1 DLL Side-Loading; 1 Windows Service; 12 Registry Run Keys / Startup Folder; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Privilege Escalation: 1 DLL Side-Loading; 1 Windows Service; 612 Process Injection; 12 Registry Run Keys / Startup Folder; Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Defense Evasion: 11 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 12 Scripting; 31 Obfuscated Files or Information; 24 Software Packing; 1 DLL Side-Loading; 1 File Deletion; 121 Masquerading; 131 Virtualization/Sandbox Evasion; 612 Process Injection
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 1 System Time Discovery; 3 File and Directory Discovery; 46 System Information Discovery; 1 Query Registry; 241 Security Software Discovery; 2 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Remote System Discovery; System Network Connections Discovery; Process Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: 11 Archive Collected Data; 1 Clipboard Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 2 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact

Original post: https://www.cnblogs.com/bonelee/p/16410998.html