恶意挖矿样本分析与矿池地址捕获技术详解<\/h1>

样本基础信息<\/h2>

样本指纹<\/strong>：<\/p>

SHA256: 938c187c0c566d3ecd0ca594d027cff745688b409d6ab18e7d836d9ef1bd30de<\/code><\/li>
MD5: 8bb9f094a5c3e8358d931200092e3412<\/code><\/li>
SHA1: fced1103ababf08ea6435f43f597240ac6c357e8<\/code><\/li> <\/ul> 静态分析<\/h2> 导入表分析<\/h3> 使用IDA查看导入表发现以下关键API：<\/p> 敏感API：CreateMutex<\/code>, GetLastError<\/code>, Sleep<\/code>, fopen<\/code>, fseek<\/code>, malloc<\/code>, ftell<\/code>, fwrite<\/code>, fputs<\/code>, CreateProcess<\/code><\/li> 网络连接相关API：ws2_32.dll<\/code>中的网络功能函数<\/li> <\/ul> 执行流程分析<\/h3> 主函数关键逻辑<\/strong>：<\/p> 互斥体检查<\/strong>：<\/p> CreateMutex(NULL, FALSE, "MutexName"<\/span>); <\/span><\/span>if<\/span> (GetLastError() ==<\/span> ERROR_ALREADY_EXISTS) { <\/span><\/span> Sleep(1000<\/span>); <\/span><\/span> return<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre> 通过创建互斥体防止程序重复执行<\/li> 如果互斥体已存在则休眠后退出<\/li> <\/ul> <\/li> 文件操作<\/strong>：<\/p> FILE*<\/span> file =<\/span> fopen("自身路径"<\/span>, "rb"<\/span>); <\/span><\/span>fseek(file, 0<\/span>, SEEK_END); <\/span><\/span>long<\/span> fileSize =<\/span> ftell(file); <\/span><\/span>void<\/span>*<\/span> buffer =<\/span> malloc(fileSize); <\/span><\/span>fseek(file, 0<\/span>, SEEK_SET); <\/span><\/span>fread(buffer, 1<\/span>, fileSize, file); <\/span><\/span>fclose(file); <\/span><\/span><\/code><\/pre> 读取样本自身文件内容到内存<\/li> 推测可能包含第二阶段恶意代码<\/li> <\/ul> <\/li> 文件内容解析<\/strong>：<\/p> 从文件末尾倒数第8字节读取DWORD值<\/li> 从文件末尾倒数第4字节读取DWORD值<\/li> 使用R13<\/code>(文件大小)和R14<\/code>(内存起始地址)进行操作<\/li> <\/ul> <\/li> 文件写入<\/strong>：<\/p> fwrite(buffer, 1<\/span>, fileSize -<\/span> 256<\/span> -<\/span> 8<\/span>, newFile); <\/span><\/span><\/code><\/pre> 写入大小为文件总大小减去256再减去8字节的数据<\/li> <\/ul> <\/li> 自我复制<\/strong>：<\/p> char<\/span> randomName[MAX_PATH]; <\/span><\/span>GenerateRandomName(randomName); <\/span><\/span>fputs(randomName, file); <\/span><\/span>CreateProcess(randomName, ...); <\/span><\/span><\/code><\/pre> 生成随机文件名<\/li> 将自身复制到新文件并执行<\/li> 循环复制到C:\Windows\System\<\/code>目录<\/li> <\/ul> <\/li> <\/ol> 动态分析技巧<\/h2> 绕过循环复制<\/h3> 调试方法<\/strong>：<\/p> 在复制代码区域外设置断点<\/li> 运行到断点位置跳过循环<\/li> <\/ul> <\/li> 寄存器修改<\/strong>：<\/p> 循环通过js<\/code>指令判断次数<\/li> 结果存储在SF<\/code>寄存器<\/li> 双击SF<\/code>寄存器设置为1可跳过循环<\/li> <\/ul> <\/li> <\/ol> 矿池程序识别<\/h3> 发现xmrig<\/code>相关代码：知名开源矿工程序<\/li> 微软Defender识别为挖矿木马<\/li> 实际功能为隐蔽挖矿而非CS木马<\/li> <\/ul> 矿池地址捕获技术<\/h2> 方法一：字符串分析<\/h3> 在IDA中搜索字符串<\/p> <\/li> 发现关键配置信息：<\/p> { <\/span><\/span> "algo"<\/span>: "cn\/r"<\/span>, <\/span><\/span> "url"<\/span>: "3.120.209.58:8080"<\/span>, <\/span><\/span> "pools"<\/span>: [...<\/span>] <\/span><\/span>} <\/span><\/span><\/code><\/pre> cn\/r<\/code>：CryptoNightR算法，常用于门罗币挖矿<\/li> url<\/code>字段即为矿池地址<\/li> <\/ul> <\/li> 威胁情报验证：<\/p> 微步显示安全<\/li> VirusTotal有标记为"Miner"<\/li> <\/ul> <\/li> <\/ol> 方法二：动态调试捕获<\/h3> 断点设置<\/strong>：<\/p> 在ws2_32.dll<\/code>中的网络API设置断点<\/li> 重点关注GetAddrInfoW<\/code>等函数<\/li> <\/ul> <\/li> API分析<\/strong>：<\/p> int<\/span> GetAddrInfoW<\/span>( <\/span><\/span> PCWSTR pNodeName, \/\/ 主机名\/IP地址 <\/span><\/span><\/span><\/span> PCWSTR pServiceName, \/\/ 端口\/服务名 <\/span><\/span><\/span><\/span> const<\/span> ADDRINFOW*<\/span> pHints, <\/span><\/span> PADDRINFOW*<\/span> ppResult <\/span><\/span>); <\/span><\/span><\/code><\/pre> x64调用约定：第一个参数在RCX<\/code>寄存器<\/li> 动态调试时查看RCX<\/code>值即为矿池地址<\/li> <\/ul> <\/li> 调试过程<\/strong>：<\/p> 断在GetAddrInfoW<\/code>时查看寄存器<\/li> 确认3.120.209.58:8080<\/code>为矿池地址<\/li> <\/ul> <\/li> <\/ol> 总结与防护建议<\/h2> 技术要点总结<\/h3> 样本使用自我复制和互斥体确保持久化<\/li> 采用多阶段加载方式隐藏真实功能<\/li> 使用开源xmrig进行加密货币挖矿<\/li> 矿池地址可通过静态字符串和动态调试捕获<\/li> <\/ol> 防护建议<\/h3> 检测<\/strong>：<\/p> 监控CreateMutex<\/code>和自复制行为<\/li> 检测ws2_32.dll<\/code>的异常网络连接<\/li> 关注C:\Windows\System\<\/code>目录的可疑文件<\/li> <\/ul> <\/li> 防御<\/strong>：<\/p> 更新防病毒软件规则<\/li> 限制不明程序的网络访问<\/li> 监控系统资源异常消耗<\/li> <\/ul> <\/li> 分析<\/strong>：<\/p> 结合静态和动态分析方法<\/li> 重点关注文件操作和网络行为<\/li> 利用威胁情报验证可疑地址<\/li> <\/ul> <\/li> <\/ol> 通过以上详细分析流程，安全研究人员可以有效地识别和分析此类挖矿恶意软件，并采取相应的防护措施。<\/p>