One Article Review

Home - The article:
Source AlienVault Blog
Identifier 869226
Publication date 2018-10-29 17:00:00 (viewed: 2018-10-29 19:00:38)
Title MadoMiner Part 2 - Mask
Text This is a guest post by independent security researcher James Quinn.

If you have not yet read the first part of the MadoMiner analysis, please do so now. This analysis picks up where Part 1 left off and also includes a brief correction. The x64 version of the Install module was listed as identical to the x86 Install module. However, this is not correct. The x64 Install module is identical in run-through to the 360Safe.exe module, which will be discussed later in this analysis. In addition, take care with this portion of the malware. The batch script for Mask.exe, DemC.bat, appears to run if it detects any copies of itself during runtime, or if you run the x64 version of Install on a 32-bit machine.

Where Install.exe was in charge of infecting new victims with MadoMiner, it seems Mask.exe is where the real payoff lies. Mask.exe utilizes XMRig miners in order to mine XMR, which it then sells for profit. While MadoMiner was earning $6,000 a month as of the last analysis, around 10/14 MineXMR closed the old address due to botnet reports. A new address has been identified at 47QrUBQ4ejMW5wrWXiKUyRcQCZszauGWg9c3SLkzFoBJi45M5yN6gVPjVxSUfjMq4u8vepEejdnxyRQcv4RuFGy25x67433, mining through minexmr.com again. Currently, the hashrate is at 109 Kh/s and steadily rising. Also, around the time that the address changed, MadoMiner itself became drastically different.

Malware Analysis

Where Install.exe only downloaded one file from a remote host, Mask.exe downloads two files. In addition, the servers used to download the files are different from those used by Install.exe, increasing the proposed size of the botnet.

Domains

In addition to the two domains identified in Part 1, a new domain has been identified for a distribution server: http://d.honker[dot]info. However, the domain is currently dead.
In addition, the mining server currently used is pool.minexmr[dot]com. A C2 server (newly updated version): http://qq.honker[dot]info. Previously identified distribution domains: http://da[dot]alibuf.com:3/ and http://bmw[dot]hobuff.info:3/. Previously identified IP: 61.130.31.174. Previously identified mining servers: http://gle[dot]freebuf.info, http://etc[dot]freebuf.info, http://xmr[dot]freebuf.info, http://xt[dot]freebuf.info, http://boy[dot]freebuf.info, http://liang[dot]alibuf.com, http://dns[dot]alibuf.com and http://x[dot]alibuf.com. In addition, http://da[dot]alibuf.com:3, the main distribution server, seems to have been registered by bodfeo[at]hotmail.com in early October 2017. According to an analysis by Steve Butt of DomainTools, this email was linked to APT19/c0d0s0; however, this was most likely due to domain reselling.

Exploits

During the execution
Sent Yes
Tags
Stories APT 19
Notes

The article does not appear to have been picked up after its publication.

The article does not appear to have been picked up from a previous one.