
Case Analysis of WMAMiner Mining Worm

2025-01-18 Update From: SLTechnology News&Howtos (shulou)


Shulou(Shulou.com)06/02 Report--

This article presents a case analysis of the WMAMiner mining worm. The content is fairly detailed; interested readers can refer to it, and we hope it is helpful.

Overview

Lanyun Technology Galaxy Lab has detected many similar unknown threat events with its "Blue Eye next-generation threat perception system" at several monitoring sites, and the antivirus detection rate of the samples is very low. Analysis shows that the sample is a bot update program for a mining botnet. To evade antivirus detection and removal, the main control program is specially encrypted and stored in the resource section. The samples spread through the MS17-010 (EternalBlue) vulnerability and connect to the C2 server at regular intervals to receive commands and update modules. The main purpose is to mine Monero. Based on the typical behaviour of mining Trojans, the botnet built by this worm is named the WMAMiner botnet.

Detection screenshot of the Lanyun next-generation threat perception system

VirusTotal detection screenshot

0x1 Releasing the main sample

Analysis shows that the botnet has malicious components for both the x86 and x64 platforms. Taking the x86 platform as the example, the sample first obtains the system directory and concatenates it with the following strings, giving these paths:

C:\WINDOWS\system32\EnrollCertXaml.dll

C:\WINDOWS\system32\wmassrv.dll

C:\WINDOWS\system32\WMASTrace.ini

It first deletes the above three files.

It then loads the resource, creates the file C:\WINDOWS\system32\EnrollCertXaml.dll and writes the resource into it.

This file is not an executable.

The sample then reads the file contents, decrypts them and writes the decrypted content to C:\WINDOWS\system32\wmassrv.dll.

The decrypted file is an executable.

Next, it reads the file times of C:\WINDOWS\system32\svchost.exe and applies them to wmassrv.dll and EnrollCertXaml.dll.

As a result, the modification time of these files is roughly the same as that of other files in the system, which makes a host inspection somewhat harder.

wmassrv.dll is then registered as a service program to establish persistence.

Finally, the dropper deletes itself.

0x2 main control module

Flow chart of main control module

As the main module of the service, it first creates C:\WINDOWS\system32\WMASTrace.ini and writes a plus sign into it.

Some services are then stopped, some of which are services left behind by botnets.

After initialisation, several threads are started, each corresponding to one module.

0x2.1 update module

It connects to the addresses sand.lcones.com and plam.lcones.com every 5 hours.

If the connection succeeds, the sample first requests sand.lcones.com/resource.

If that returns content, plam.lcones.com/modules.dat is downloaded.

If the return value is 200, the downloaded data is written to the EnrollCertXaml.dll file.

0x2.2 communication module

This sample has two C2 addresses: one communicates over HTTP and the other over TCP.

0x2.2.1 HTTP communication

The HTTP C2 address is tecate.traduires.com, and the connection is likewise made every 5 hours.

System information is collected,

concatenated as shown in the following figure, and sent.

The returned data is parsed into three commands:

Command 0 starts a process.

Command 1 downloads a file and executes it via regsvr32.exe.

Command 2 downloads a file to the temporary folder and executes it.

0x2.2.2 TCP communication

The TCP communication module also connects every 5 hours.

The domain it connects to is split.despcartes.tk. Interestingly, some indirect calls are used here to hide key functions.

It connects on port 8080.

After a successful connection it receives data,

and sends the collected system information.

0x2.3 mining module

It drops TasksHostServices.exe, which analysis shows is the open-source Monero mining tool XMRig (https://github.com/xmrig/xmrig/releases).

It is started with the following parameters:

0x2.4 propagation module

It drops C:\WINDOWS\SpeechsTracing\spoolsv.exe and executes it. This module first drops Crypt, which is actually a ZIP package.

After decompression, it turns out to be the exploit package leaked from the NSA.

It spreads by scanning port 445 on the intranet.

Configuration file

After a successful exploit, x86.dll or 64.dll is used as the payload; we continue with the functions of x86.dll.

First, it listens on port 52137.

At this point spoolsv.exe reads EnrollCertXaml.dll, connects and sends it.

x86.dll receives EnrollCertXaml.dll, decrypts it into wmassrv.dll and registers that as a service, starting the next round of propagation.

0x2.5 anti-termination module

The sample also checks in real time whether Task Manager is open and, if so, closes it.

0x2.6 web server module

The open-source web server mongoose (WebHost\mongoose) is installed as a server listening on port 63257.

When a connection is made, EnrollCertXaml.dll is sent.
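The dropper and module behaviour described above (dropped files in system32, file times copied from svchost.exe, the wmassrv.dll service, the 52137 and 63257 listeners, the C2 domains and the XMRig process) can be turned into a host triage check. The following is an added example, not code from the original analysis; the inventory dict layout and the sample host data are assumptions constructed for the example.

```python
"""Host triage against the WMAMiner indicators listed in this analysis.
Added example, not code from the original write-up: it checks a constructed
host inventory (dict layout and sample data are assumptions) for the
artifacts the article describes."""

# Indicators taken from the analysis above.
SYS32 = r"C:\WINDOWS\system32"
DROPPED_FILES = {SYS32 + r"\EnrollCertXaml.dll", SYS32 + r"\wmassrv.dll",
                 SYS32 + r"\WMASTrace.ini", r"C:\WINDOWS\SpeechsTracing\spoolsv.exe"}
C2_DOMAINS = {"sand.lcones.com", "plam.lcones.com",
              "tecate.traduires.com", "split.despcartes.tk"}
LISTEN_PORTS = {52137, 63257}  # x86.dll listener and the mongoose server
SVCHOST = SYS32 + r"\svchost.exe"


def triage(host):
    """Return sorted (indicator, evidence) pairs found in one host inventory."""
    findings = []
    files = host["files"]  # path -> last-modified timestamp string
    for path in DROPPED_FILES & set(files):
        findings.append(("dropped_file", path))
        # The dropper copies svchost.exe's file time onto its DLLs, so an
        # exact match with svchost.exe on a dropped file is a second signal.
        if SVCHOST in files and files[path] == files[SVCHOST]:
            findings.append(("timestomped_to_svchost", path))
    for svc in host["services"]:
        if svc["binary"].lower().endswith("wmassrv.dll"):
            findings.append(("persistence_service", svc["name"]))
    for port in LISTEN_PORTS & set(host["listening"]):
        findings.append(("listener", str(port)))
    for name in C2_DOMAINS & set(host["dns"]):
        findings.append(("c2_dns", name))
    if "taskshostservices.exe" in {p.lower() for p in host["processes"]}:
        findings.append(("miner_process", "TasksHostServices.exe"))
    return sorted(findings)


# Constructed inventory of an infected host (not real telemetry).
SAMPLE_HOST = {
    "files": {SVCHOST: "2009-07-14 01:14",
              SYS32 + r"\wmassrv.dll": "2009-07-14 01:14",    # stomped
              SYS32 + r"\WMASTrace.ini": "2024-05-02 09:31",  # not stomped
              SYS32 + r"\kernel32.dll": "2009-07-14 01:14"},  # benign
    "services": [{"name": "wmassrv", "binary": SYS32 + r"\wmassrv.dll"}],
    "listening": [445, 8080, 63257],
    "dns": ["plam.lcones.com", "www.example.com"],
    "processes": ["svchost.exe", "TasksHostServices.exe"],
}
```

Calling `triage(SAMPLE_HOST)` yields seven findings; a benign file that merely shares svchost.exe's timestamp (kernel32.dll here) is not flagged, because the timestamp match is only counted on files the worm is known to drop.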

In recent years, with the rise of blockchain technology and the popularity of cryptocurrencies, attackers have paid more and more attention to the economic returns of mining, and the corresponding mining threat has become more and more serious. This kind of Trojan is highly concealed and spreads actively within the intranet. Customers are advised to deploy appropriate security equipment, apply patches in time, close ports such as 445, and guard against mining threats in advance.

That concludes the case analysis of the WMAMiner mining worm. We hope the above content is helpful and that you can learn something from it. If you think the article is good, please share it so more people can see it.
