2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
In this issue, the editor brings you an analysis of a new mining virus that targets both Linux and Windows. The article is rich in content and examines the subject from a professional point of view; I hope you get something out of it.
This mining virus has been very active recently. It runs on both Linux and Windows, its main programs are written in Go, and it spreads through a number of vulnerabilities. Many servers in China are estimated to have been infected. The author recently found that it has been updated and captured its latest script. Analysis of the script yielded the following download server URLs:
The mining pool addresses and wallet addresses in the corresponding configuration file are as follows:
The script's main job is to kill competing mining programs and then download the three main programs, sysupdate, networkservice and sysguard, from the server. Below, the 64-bit Linux builds of these three programs are analyzed in detail.
Sysupdate detailed analysis
sysupdate is the Monero mining program, as follows:
Its version number is 2.15.1-beta, as shown below:
It loads the config.json configuration file, which specifies the mining pool, wallet address, and so on, as follows:
It then starts mining, as follows:
The config.json configuration contains the following:
Pool address: xmr.f2pool.com:13531
Wallet address:
84wSxADJuSCEPGu7FyRPa2UAgs2YkTad1izUTLWJNmyvNFLU9PpTnwYUCn66cSK5v6cfRAvDdxMzpPdirw6njjt5AcRwReU.xmrxmr2019
A screenshot of the program running is as follows:
The captured network traffic is as follows:
Networkservice detailed analysis
networkservice is the vulnerability scanning and propagation component, shown below:
1. Initialize the IP address ranges to scan, as follows:
The IP range data is downloaded from the remote server at https://23.175.0.142/api/download/I9RRye. The downloaded file, named ips_cn.txt, stores each range as a pair of integers, as shown below:
The integers are converted to IP addresses, as follows:
16909568 16909823-> 1.2.5.0 1.2.5.255
737878016 737879039-> 43.251.32.0 43.251.35.255
1733261312 1733262335-> 103.79.120.0 103.79.123.255
2525131776 2525132799-> 150.130.116.0 150.130.119.255
3670879488 3670879999-> 218.205.45.0 218.205.46.255
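To triage a captured ips_cn.txt, the following added helper (not code from the article or from the malware) decodes each integer pair into the dotted range shown above and, going one step further than the table, into the CIDR blocks that cover it. The sample data is constructed from the five ranges listed above.

```python
"""Decode an integer-pair IP range list (the ips_cn.txt layout) into dotted
ranges and CIDR blocks.  Added analyst helper, not code from the article."""
import ipaddress
from typing import List, Tuple

# Constructed sample in the same two-integers-per-line layout as the captured file.
SAMPLE_IPS_CN = """\
16909568 16909823
737878016 737879039
1733261312 1733262335
2525131776 2525132799
3670879488 3670879999
"""

def int_to_ip(n: int) -> str:
    """Big-endian 32-bit integer to dotted quad: 16909568 == 0x01020500 == 1.2.5.0.
    IPv4Address raises a ValueError subclass for values outside 0..2**32-1."""
    return str(ipaddress.IPv4Address(n))

def decode_range(start: int, end: int) -> Tuple[str, str]:
    """One integer pair to a dotted start/end pair; inverted pairs are rejected."""
    if start > end:
        raise ValueError(f"range start {start} is after end {end}")
    return int_to_ip(start), int_to_ip(end)

def range_to_cidrs(start: int, end: int) -> List[str]:
    """Minimal CIDR blocks covering the range.  A range that does not begin on a
    power-of-two boundary needs several: 218.205.45.0-218.205.46.255 is two /24s."""
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]

def parse_ips_file(text: str) -> List[Tuple[str, str, List[str]]]:
    """Parse the whole file, skipping blank or malformed lines so that one bad
    line does not hide the rest of the target list."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            start, end = int(parts[0]), int(parts[1])
            first, last = decode_range(start, end)
        except ValueError:
            continue
        out.append((first, last, range_to_cidrs(start, end)))
    return out

if __name__ == "__main__":
    print(*parse_ips_file(SAMPLE_IPS_CN), sep="\n")
```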
2. Decrypt the corresponding PowerShell script in memory, as follows:
The address decrypted from the PowerShell script is http://43.245.222.57:8667/6HqJB0SPQqbFbHJD/init.ps1, as follows:
This lets the propagation and mining programs run on Windows as well, as follows:
3. Create a scheduled task and perform the update, as follows:
4. Update and run the mining program, as follows:
5. Run the scanning and propagation program, as follows:
6. It can also download a self-cleanup script to remove itself, as follows:
7. Perform the various host scanning operations, as follows:
8. Redis unauthorized access vulnerability scan, as follows:
9. Drupal framework CVE-2018-7600 vulnerability scan, as follows:
10. Hadoop unauthorized access vulnerability scan, as follows:
11. Spring framework CVE-2018-1273 vulnerability scan, as follows:
12. ThinkPHP (TP5) framework high-risk vulnerability scan, as follows:
13. WebLogic framework CVE-2017-10271 vulnerability scan, as follows:
14. SQL Server xp_cmdshell and SP_OACreate injection vulnerability scan, as shown below:
15. Elasticsearch framework CVE-2015-1427 and CVE-2014-3120 remote code execution vulnerability scan, as follows:
Sysguard detailed analysis
sysguard downloads and executes different payloads depending on the operating system version, as follows:
1. Decrypt the PowerShell script in memory, as shown below:
Then assemble the PowerShell script, as follows:
2. Base64-encode the above PowerShell script, as follows:
Check whether the platform is Windows; if so, the above PowerShell script is executed, as follows:
The call that runs the PowerShell script is as follows:
3. On Linux, obtain root privileges on the host:
4. Then, depending on the operating system version, communicate with the remote C&C server to download payloads, scan, persist on the host, update, and so on, as follows:
5. Detect the operating system and run the corresponding scanner, as follows:
On Windows, start the networkservice scanner, as follows:
The payload command is written to a BAT script with a random file name in the %temp% directory, as follows:
Start the scanner, as follows:
The captured traffic is as follows:
6. Each operating system gets its own persistence mechanism, as follows:
On Windows, create the corresponding scheduled task, as follows:
The scheduled task created is as follows:
On Linux, create the corresponding crontab entry for autostart, as follows:
7. Check each file and update it, as follows:
Execute the update payload, calling the PowerShell script from the scheduled task to perform the update, as shown below:
8. Communicate with the remote server, as follows:
The C&C server URL obtained is as follows:
http:///6HqJB0SPQqbFbHJD/pi?module=account&action=txlist&address=0xb017eFb3339FfE0EB3dBF799Db6cb065376fFEda&startblock=0&endblock=99999999&sort=asc&apikey=ADQAMwAuADIANAA1AC4AMgAyADIALgA1ADcAOgA4ADYANgA3AC8ANgBIAHEASgBCADAAUwBQAFEAcQBiAEYAYgBIAEoARAAvAGkAbgBpAHQALgBwAHMAMQAnACkA
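The apikey parameter in the URL above is a Base64 blob of UTF-16LE text, the encoding PowerShell uses for -EncodedCommand (step 2 of the sysguard analysis). The following added analyst helper, not code from the article, decodes such blobs and also handles a fragment cut at an odd byte offset; it uses the blob quoted above as its input, which decodes to the tail of the init.ps1 URL seen in the networkservice analysis.

```python
"""Recover text from a Base64 blob of UTF-16LE PowerShell, including a blob cut
at an odd byte offset.  Added analyst helper, not code from the article."""
import base64
import binascii
import re
from typing import Optional

# The apikey value exactly as it appears in the C&C URL quoted in the article.
APIKEY_BLOB = ("ADQAMwAuADIANAA1AC4AMgAyADIALgA1ADcAOgA4ADYANgA3AC8ANgBIAHEASgBCADAAUwBQAFEA"
               "cQBiAEYAYgBIAEoARAAvAGkAbgBpAHQALgBwAHMAMQAnACkA")

# Heuristic: decoded PowerShell source is expected to be printable ASCII.
PRINTABLE = re.compile(r"^[\x20-\x7e\r\n\t]+$")


def decode_utf16_blob(b64: str) -> Optional[str]:
    """Base64-decode, then try UTF-16LE at byte offset 0 and at offset 1.

    -EncodedCommand is UTF-16LE, so each ASCII character becomes the character
    byte followed by a zero byte.  A fragment that starts on the zero byte of
    the previous character decodes to CJK-looking garbage at offset 0 but to
    clean text once the first byte is dropped, so both alignments are tried.
    Returns None if the input is not valid Base64 or neither alignment yields
    printable text."""
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    for offset in (0, 1):
        chunk = raw[offset:]
        chunk = chunk[: len(chunk) - len(chunk) % 2]  # drop a dangling odd byte
        try:
            text = chunk.decode("utf-16-le")
        except UnicodeDecodeError:
            continue
        if text and PRINTABLE.match(text):
            return text
    return None


if __name__ == "__main__":
    print(decode_utf16_blob(APIKEY_BLOB))
```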
Execute the PowerShell script that downloads the payload and writes it to the %temp% directory; the corresponding PowerShell script is shown below:
After the payload has run, the result is as follows:
This concludes the analysis of the new mining virus for Linux and Windows. If you have run into similar doubts, refer to the analysis above. To learn more, you are welcome to follow the industry information channel.
© 2024 shulou.com SLNews company. All rights reserved.