首页 > 其他分享> 文章详细

xmrig挖矿样本分析 miner

2022-06-25 11:34:11 阅读：490 来源： 互联网

标签：exe Users Windows miner PID cmdline xmrig 挖矿 MD5

xmrig挖矿样本分析 miner

首先推荐这个站点：https://tria.ge/220617-wchkbscghp

搜索：f924ddf42e5f1b8102e774b68fff7e40c217acee2f0fe1c44453766af97f419b 该样本比较鲜活，是2022-06-17才上传的。

然后注册账号，下载该挖矿样本。

然后本机上，可以运行，我看到的是：

wininit.exe和notepad.exe进程二者合起来占用我cpu 100%，单看的话，占用率50%。如果kill掉二者的话，notepad会再度重启，占用你几乎100%的CPU。

joesandbox里跑的结果：

https://www.joesandbox.com/analysis/647899/0/html

进程树：

System is w10x64

2rVBokoc2C.exe (PID: 7056 cmdline: "C:\Users\user\Desktop\2rVBokoc2C.exe" MD5: C37FFEA9B9BA78C03A9296B73D3D55BD)

wscript.exe (PID: 6332 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\install.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cmd.exe (PID: 6404 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\del.bat" " MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

taskkill.exe (PID: 4944 cmdline: TASKKILL /IM wscript.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

taskkill.exe (PID: 3064 cmdline: TASKKILL /IM wscript.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

taskkill.exe (PID: 6220 cmdline: TASKKILL /IM wscript.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

notepad.exe (PID: 6760 cmdline: C:\Windows\notepad.exe" -c "C:\ProgramData\eWTBqYYAek\cfg MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)

taskkill.exe (PID: 5056 cmdline: TASKKILL /IM wscript.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

timeout.exe (PID: 6500 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

wscript.exe (PID: 6616 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\delreg.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)

timeout.exe (PID: 6628 cmdline: timeout /t 2 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

wscript.exe (PID: 6308 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\killroaming.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)

wscript.exe (PID: 6388 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\killstatrup.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)

wscript.exe (PID: 5100 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\deltemp.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)

wscript.exe (PID: 7104 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\start.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cmd.exe (PID: 6564 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\start.bat" " MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

wininit.exe (PID: 6084 cmdline: wininit.exe MD5: 606CE310D75EE688CBFFAEAE33AB4FEE)

services.exe (PID: 6588 cmdline: services.exe MD5: 0C8E76FF6BA1CC33C2A37928A1E9642B)

cvtres.exe (PID: 6584 cmdline: \Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe MD5: EC0A2E5708E3FC63D01C6ABFE522C1D9)

AudioClip.exe (PID: 6192 cmdline: AudioClip.exe MD5: 1F22C6DBDF4806A6ADB969CB6E548400)

timeout.exe (PID: 5980 cmdline: timeout /t 2 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

wscript.exe (PID: 6844 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\Replace32640.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)

wscript.exe (PID: 6300 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\mavis9080.vbe" MD5: 7075DD7B9BE8807FCA93ACD86F724884)

services.exe (PID: 6556 cmdline: "C:\Users\user\AppData\Roaming\01Atodo\services.exe" MD5: 0C8E76FF6BA1CC33C2A37928A1E9642B)

cvtres.exe (PID: 6220 cmdline: \Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe MD5: EC0A2E5708E3FC63D01C6ABFE522C1D9)

wscript.exe (PID: 5944 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\start.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

cmd.exe (PID: 7160 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\start.bat" " MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 3944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

wininit.exe (PID: 7088 cmdline: wininit.exe MD5: 606CE310D75EE688CBFFAEAE33AB4FEE)

svchost.exe (PID: 6928 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 588 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

AudioClip.exe (PID: 4772 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe" MD5: 1F22C6DBDF4806A6ADB969CB6E548400)

cleanup

标签：exe,Users,Windows,miner,PID,cmdline,xmrig,挖矿,MD5
来源： https://www.cnblogs.com/bonelee/p/16410998.html

本站声明： 1. iCode9 技术分享网（下文简称本站）提供的所有内容，仅供技术学习、探讨和分享；
2. 关于本站的所有留言、评论、转载及引用，纯属内容发起人的个人观点，与本站观点和立场无关；
3. 关于本站的所有言论和文字，纯属内容发起人的个人观点，与本站观点和立场无关；
4. 本站文章均是网友提供，不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属；如您发现该文章侵犯了您的权益，可联系我们第一时间进行删除；
5. 本站为非盈利性的个人网站，所有内容不会用来进行牟利，也不会利用任何形式的广告来间接获益，纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。

ICode9

xmrig挖矿样本分析 miner