XMRig mining sample analysis (miner)

Posted by 十念 (gold member) | 2022-8-11 03:00:48
First, I recommend this site: https://tria.ge/220617-wchkbscghp
Search for f924ddf42e5f1b8102e774b68fff7e40c217acee2f0fe1c44453766af97f419b. The sample is quite fresh; it was only uploaded on 2022-06-17.
Then register an account and download the mining sample.
Then run it locally (it is a live miner, so do this only in an isolated, snapshotted VM). What I saw was:
The wininit.exe and notepad.exe processes together used 100% of my CPU, about 50% each. If you kill both, notepad restarts and again takes nearly 100% of your CPU. (My VM only has 2 cores, and judging from the Task Manager screenshot this thing really hurts!)
Result of running it in JoeSandbox:
https://www.joesandbox.com/analysis/647899/0/html

Process tree (system is w10x64):

• 2rVBokoc2C.exe (PID: 7056 cmdline: "C:\Users\user\Desktop\2rVBokoc2C.exe" MD5: C37FFEA9B9BA78C03A9296B73D3D55BD)
  • wscript.exe (PID: 6332 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\install.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
    • cmd.exe (PID: 6404 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\del.bat" " MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • taskkill.exe (PID: 4944 cmdline: TASKKILL /IM wscript.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • taskkill.exe (PID: 3064 cmdline: TASKKILL /IM wscript.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • taskkill.exe (PID: 6220 cmdline: TASKKILL /IM wscript.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
        • notepad.exe (PID: 6760 cmdline: C:\Windows\notepad.exe" -c "C:\ProgramData\eWTBqYYAek\cfg MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)
      • taskkill.exe (PID: 5056 cmdline: TASKKILL /IM wscript.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • timeout.exe (PID: 6500 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • wscript.exe (PID: 6616 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\delreg.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • timeout.exe (PID: 6628 cmdline: timeout /t 2 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • wscript.exe (PID: 6308 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\killroaming.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • wscript.exe (PID: 6388 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\killstatrup.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • wscript.exe (PID: 5100 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\deltemp.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • wscript.exe (PID: 7104 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\start.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
        • cmd.exe (PID: 6564 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\start.bat" " MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • wininit.exe (PID: 6084 cmdline: wininit.exe MD5: 606CE310D75EE688CBFFAEAE33AB4FEE)
      • services.exe (PID: 6588 cmdline: services.exe MD5: 0C8E76FF6BA1CC33C2A37928A1E9642B)
        • cvtres.exe (PID: 6584 cmdline: \Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe MD5: EC0A2E5708E3FC63D01C6ABFE522C1D9)
      • AudioClip.exe (PID: 6192 cmdline: AudioClip.exe MD5: 1F22C6DBDF4806A6ADB969CB6E548400)
      • timeout.exe (PID: 5980 cmdline: timeout /t 2 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • wscript.exe (PID: 6844 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\Replace32640.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • wscript.exe (PID: 6300 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\mavis9080.vbe" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
• services.exe (PID: 6556 cmdline: "C:\Users\user\AppData\Roaming\01Atodo\services.exe" MD5: 0C8E76FF6BA1CC33C2A37928A1E9642B)
  • cvtres.exe (PID: 6220 cmdline: \Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe MD5: EC0A2E5708E3FC63D01C6ABFE522C1D9)
• wscript.exe (PID: 5944 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\start.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • cmd.exe (PID: 7160 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\start.bat" " MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 3944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wininit.exe (PID: 7088 cmdline: wininit.exe MD5: 606CE310D75EE688CBFFAEAE33AB4FEE)
• svchost.exe (PID: 6928 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
• svchost.exe (PID: 588 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
• AudioClip.exe (PID: 4772 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe" MD5: 1F22C6DBDF4806A6ADB969CB6E548400)

What stands out in the tree:

• install.vbs drops a set of helper scripts into %APPDATA%\Roaming\01Atodo (del.bat, delreg.vbs, killroaming.vbs, killstatrup.vbs, deltemp.vbs, start.vbs/start.bat, Replace32640.vbs, mavis9080.vbe) and chains them through cmd.exe, taskkill.exe and timeout.exe, so every stage runs under a signed Microsoft binary.
• The miner itself runs as notepad.exe with "-c C:\ProgramData\eWTBqYYAek\cfg"; -c is XMRig's config-file switch and not a notepad option, which is the quickest tell on a live host.
• wininit.exe and services.exe are started by bare name from start.bat and from the 01Atodo directory, not from System32. The real ones are created at boot by the kernel/smss chain and never have a cmd.exe or wscript.exe parent, so this is plain name masquerading, and the fake services.exe then spawns the .NET 2.0 cvtres.exe, a binary that has no reason to run outside a compiler build and is a common injection host.
• AudioClip.exe is copied into the user's Startup folder, which is the reboot persistence; the immediate respawn of notepad.exe after a kill points to a watchdog among the running components, though the tree does not show which one.
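As an added example (not part of the original post or of the sandbox output), the following Python script parses process-tree lines in the format shown above and flags the patterns this sample exhibits: a core Windows process name running from outside System32, notepad.exe launched with XMRig's -c switch, script hosts and cmd.exe running scripts out of AppData, an executable in the Startup folder, cvtres.exe with a non-compiler parent, and image MD5s matching the files the sample dropped. The input is a constructed subset of the tree, and the name lists, regexes and the IOC hash set are assumptions made for this post.

```python
"""Triage a JoeSandbox-style process tree for the masquerading and
living-off-the-land patterns visible in the XMRig sample above."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: a subset of the post's process tree, one process per line,
# two spaces of indentation per level of depth (same format as the tree above).
TREE = r"""
• 2rVBokoc2C.exe (PID: 7056 cmdline: "C:\Users\user\Desktop\2rVBokoc2C.exe" MD5: C37FFEA9B9BA78C03A9296B73D3D55BD)
  • wscript.exe (PID: 6332 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\install.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
    • cmd.exe (PID: 6404 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\del.bat" " MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • taskkill.exe (PID: 6220 cmdline: TASKKILL /IM wscript.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
        • notepad.exe (PID: 6760 cmdline: C:\Windows\notepad.exe" -c "C:\ProgramData\eWTBqYYAek\cfg MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)
      • wscript.exe (PID: 7104 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\start.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
        • cmd.exe (PID: 6564 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\start.bat" " MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • wininit.exe (PID: 6084 cmdline: wininit.exe MD5: 606CE310D75EE688CBFFAEAE33AB4FEE)
      • services.exe (PID: 6588 cmdline: services.exe MD5: 0C8E76FF6BA1CC33C2A37928A1E9642B)
        • cvtres.exe (PID: 6584 cmdline: \Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe MD5: EC0A2E5708E3FC63D01C6ABFE522C1D9)
• services.exe (PID: 6556 cmdline: "C:\Users\user\AppData\Roaming\01Atodo\services.exe" MD5: 0C8E76FF6BA1CC33C2A37928A1E9642B)
• svchost.exe (PID: 6928 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
• AudioClip.exe (PID: 4772 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe" MD5: 1F22C6DBDF4806A6ADB969CB6E548400)
"""

LINE = re.compile(r'^( *)• (\S+) \(PID: (\d+) cmdline: (.*) MD5: ([0-9A-Fa-f]{32})\)$')

# Assumed rule data. Core Windows process names only ever run from System32.
SYSTEM_NAMES = {"wininit.exe", "services.exe", "svchost.exe", "lsass.exe",
                "csrss.exe", "winlogon.exe", "smss.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
COMPILERS = {"csc.exe", "vbc.exe", "msbuild.exe", "link.exe", "cl.exe"}
USER_WRITABLE = re.compile(r'\\(AppData|ProgramData|Temp|Users\\Public)\\', re.I)
SCRIPT_EXT = re.compile(r'\.(vbs|vbe|js|jse|wsf|bat|cmd|ps1|hta)\b', re.I)
STARTUP_DIR = re.compile(r'\\Start Menu\\Programs\\Startup\\', re.I)
XMRIG_CONFIG = re.compile(r'(^|\s)-c(\s|$)')   # xmrig's -c / --config switch
# Assumed IOC list: MD5s of the files this sample dropped, taken from the tree.
DROPPED_MD5 = {"C37FFEA9B9BA78C03A9296B73D3D55BD", "606CE310D75EE688CBFFAEAE33AB4FEE",
               "0C8E76FF6BA1CC33C2A37928A1E9642B", "1F22C6DBDF4806A6ADB969CB6E548400"}


@dataclass
class Proc:
    pid: int
    name: str
    cmdline: str
    md5: str
    parent: Optional["Proc"]


def parse_tree(text: str) -> List[Proc]:
    """Parse indented tree lines; the indentation gives each process its parent."""
    procs, stack = [], []          # stack of (depth, Proc) along the current branch
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        depth = len(m.group(1)) // 2
        while stack and stack[-1][0] >= depth:
            stack.pop()
        proc = Proc(int(m.group(3)), m.group(2), m.group(4), m.group(5).upper(),
                    stack[-1][1] if stack else None)
        procs.append(proc)
        stack.append((depth, proc))
    return procs


def image_path(cmdline: str) -> str:
    """First token of the command line with surrounding quotes removed."""
    s = cmdline.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    return s.split(" ", 1)[0].strip('"')


def triage(procs: List[Proc]) -> List[Tuple[int, str, str]]:
    """Return (pid, name, reason) for every process that matches a rule."""
    hits = []
    for p in procs:
        name, path = p.name.lower(), image_path(p.cmdline)
        parent = p.parent.name.lower() if p.parent else None
        if name in SYSTEM_NAMES and not path.lower().startswith("c:\\windows\\system32\\"):
            hits.append((p.pid, p.name, f"core Windows process name launched from {path!r}, not System32 (masquerading)"))
        if name == "notepad.exe" and XMRIG_CONFIG.search(p.cmdline):
            hits.append((p.pid, p.name, "notepad.exe given '-c <config>', xmrig's config switch, not a notepad option"))
        if name in SCRIPT_HOSTS and SCRIPT_EXT.search(p.cmdline) and USER_WRITABLE.search(p.cmdline):
            hits.append((p.pid, p.name, "script host running a script from a user-writable directory"))
        if STARTUP_DIR.search(path):
            hits.append((p.pid, p.name, "executable running from the Startup folder (persistence)"))
        if name == "cvtres.exe" and parent not in COMPILERS:
            hits.append((p.pid, p.name, f"cvtres.exe spawned by {parent} rather than a compiler (typical injection host)"))
        if p.md5 in DROPPED_MD5:
            hits.append((p.pid, p.name, "image MD5 matches a file dropped by this sample"))
    return hits


def flagged_pids(text: str) -> set:
    """PIDs of every process in the tree text that triggers at least one rule."""
    return {pid for pid, _, _ in triage(parse_tree(text))}


if __name__ == "__main__":
    for pid, name, why in triage(parse_tree(TREE)):
        print(f"{pid:>5} {name:<16} {why}")
```

On the sample tree the script leaves the legitimate svchost.exe and taskkill.exe alone and flags the dropper, both fake services.exe, the fake wininit.exe, the cvtres.exe child, the renamed miner and the Startup-folder copy. The same rules carry over directly to Sysmon event ID 1 or EDR process-creation telemetry, where the parent is a field rather than an indentation level.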
 
MITRE ATT&CK matrix (numbers mark hits)

JoeSandbox's matrix for the run, rearranged by tactic. The bracketed numbers are the hit-count badges as they came through in the copy; their alignment to individual cells is only approximate, so treat them as a pointer to the sandbox report rather than as exact counts.

• Initial Access: Valid Accounts [1], Default Accounts [12], Domain Accounts [1], Local Accounts [2], Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
• Execution: Windows Management Instrumentation [1], Scripting [1], Shared Modules [12], Command and Scripting Interpreter, Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell, AppleScript
• Persistence: DLL Side-Loading [1], Windows Service [1], Registry Run Keys / Startup Folder [612], Logon Script (Mac) [12], Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows)
• Privilege Escalation: DLL Side-Loading [11], Windows Service [11], Process Injection [12], Registry Run Keys / Startup Folder [31], Network Logon Script [24], Rc.common [1], Startup Items [1], Scheduled Task/Job [121], At (Linux) [131], At (Windows) [612]
• Defense Evasion: Disable or Modify Tools, Deobfuscate/Decode Files or Information, Scripting, Obfuscated Files or Information, Software Packing, DLL Side-Loading, File Deletion, Masquerading, Virtualization/Sandbox Evasion, Process Injection
• Credential Access: OS Credential Dumping [1], LSASS Memory [3], Security Account Manager [46], NTDS [1], LSA Secrets [241], Cached Domain Credentials [2], DCSync [131], Proc Filesystem [1], /etc/passwd and /etc/shadow, Network Sniffing
• Discovery: System Time Discovery, File and Directory Discovery, System Information Discovery, Query Registry, Security Software Discovery, Process Discovery, Virtualization/Sandbox Evasion, Remote System Discovery, System Network Connections Discovery, Process Discovery
• Lateral Movement: Remote Services [11], Remote Desktop Protocol [1], SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools, Taint Shared Content
• Collection: Archive Collected Data, Clipboard Data, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
• Exfiltration: Exfiltration Over Other Network Medium [1], Exfiltration Over Bluetooth [1], Automated Exfiltration [1], Scheduled Transfer [2], Data Transfer Size Limits [2], Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
• Command and Control: Ingress Tool Transfer, Encrypted Channel, Non-Standard Port, Non-Application Layer Protocol, Application Layer Protocol, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
• Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
• Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
• Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact

Of these, the ones the process tree actually substantiates are Scripting / Command and Scripting Interpreter (the .vbs/.bat chain), Masquerading (wininit.exe, services.exe, notepad.exe), Registry Run Keys / Startup Folder (AudioClip.exe in the Startup folder), File Deletion (del.bat, deltemp.vbs) and Process Injection (the cvtres.exe children).

