Kankan Video malicious behavior analysis


Recently, some users reported that their computers showed high GPU usage, rising temperatures and louder fans, that free space on the C: drive dropped, and that an Ethash folder containing many junk files of roughly 1 GB each had appeared. When the computer was idle, the fan speed and temperature rose and GPU usage reached 100%; when the computer was in use, everything returned to normal. Remote debugging showed that Kankan Video was secretly using the user's computer resources in the background to mine Ether (Ethereum, a digital currency similar to Bitcoin).

[Kankan Video version and company information]

After Kankan Video is installed, its Explorer add-on registers the component %APP_DATA%\VideoLegend\RBC\Program\RBCShellExternal.dll in the registry so that it is loaded at boot. Under the control of Lua scripts, this component then downloads a mining module that uses the local GPU. The whole process is shown in the figure below:

[Overall flow of Kankan Video's mining behavior]

RBCShellExternal.dll analysis

This component is a business-function module; RBC stands for RemoteBusinessControl. As the name implies, the module can control the user's computer through remote configuration, running different modules for tasks such as upgrading, repair, installation and promotional advertising popups, mining included.

RBCShellExternal.dll uses rundll32.exe to load the RbcEntry.dll module, and the command-line parameters it passes are also used to detect debugging tools.

[RbcEntry.dll command-line load]

The complete command line is as follows:

Rundll32.exe "%APP_DATA%\VideoLegend\RBC\Program\RbcEntry.dll" Control_RunDLL /thread /src ….\Xar\Rbc.xar /killex /priority0 /checktime /delay1 /idle%d /busy%d /debug /bkwndlist "MicrosoftVisual; HTTPAnalyzer; WinDBG; OllyDebug; Fiddler; SmartSniff; Spy++; Spy; ATL/MFC; task manager; DebugView; ProcessExplorer; FileMonitor; RegistryMonitor; Wireshark; OllyICE; OllyDBG; Sysinternals" /bkprocesslist "fiddler.exe; windbg.exe; devenv.exe; taskmgr.exe; wireshark.exe; httpanalyzer.exe; smsniff.exe; filemon.exe; regmon.exe; procmon.exe; ollydbg.exe; softice.exe; cis.exe; tasklist.exe; procexp.exe; ollyice.exe; processspy.exe; spyxx.exe; winspy.exe; cv.exe"

The /src parameter specifies the Lua script module to load (packaged in Xar format); the tasks are controlled through that Lua script. The /bkwndlist parameter lists window titles to search for, and the /bkprocesslist parameter lists process names to look for; as soon as one of these windows or processes is enumerated, the process exits immediately, so that users do not discover it.
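As an added example (not code from the article or from Kankan), the following parses the rundll32 command line above into its switches and the two anti-analysis blocklists, and then scans a few constructed process-creation records for that launch pattern. The field names (flags, src, bkwndlist, bkprocesslist), the two-indicator threshold in is_rbc_launch, the sample log layout and the filled-in /idle and /busy values are this example's own assumptions; the blocklist contents are the ones quoted in the article.

```python
"""Added example (not code from the article or from Kankan): parse the rundll32
command line that RBCShellExternal.dll uses to launch RbcEntry.dll, and scan
constructed process-creation log lines for it. Field names, the threshold in
is_rbc_launch and the sample records are this example's own assumptions."""
import re

# Constructed sample: the article's command line with backslashes restored,
# the relative /src path shortened, and the %d placeholders filled in.
RBC_CMDLINE = (
    'Rundll32.exe "%APP_DATA%\\VideoLegend\\RBC\\Program\\RbcEntry.dll" Control_RunDLL '
    '/thread /src Xar\\Rbc.xar /killex /priority0 /checktime /delay1 /idle30 /busy5 /debug '
    '/bkwndlist "MicrosoftVisual; HTTPAnalyzer; WinDBG; OllyDebug; Fiddler; SmartSniff; '
    'Spy++; Spy; ATL/MFC; task manager; DebugView; ProcessExplorer; FileMonitor; '
    'RegistryMonitor; Wireshark; OllyICE; OllyDBG; Sysinternals" '
    '/bkprocesslist "fiddler.exe; windbg.exe; devenv.exe; taskmgr.exe; wireshark.exe; '
    'httpanalyzer.exe; smsniff.exe; filemon.exe; regmon.exe; procmon.exe; ollydbg.exe; '
    'softice.exe; cis.exe; tasklist.exe; procexp.exe; ollyice.exe; processspy.exe; '
    'spyxx.exe; winspy.exe; cv.exe"'
)

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted strings whole."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_rbc_cmdline(cmdline):
    """Return dll, entry point, switches and the two blocklists, or None when
    this is not a 'rundll32.exe <dll> <entry> ...' invocation."""
    toks = tokenize(cmdline)
    if len(toks) < 3 or not toks[0].lower().endswith("rundll32.exe"):
        return None
    info = {"dll": toks[1], "entry": toks[2], "src": None, "flags": set(),
            "bkwndlist": [], "bkprocesslist": [], "extra": []}
    i = 3
    while i < len(toks):
        tok = toks[i]
        name = tok[1:].lower() if tok.startswith("/") else None
        if name in ("bkwndlist", "bkprocesslist") and i + 1 < len(toks):
            # semicolon-separated list carried in the following quoted token
            info[name] = [s.strip() for s in toks[i + 1].split(";") if s.strip()]
            i += 2
        elif name == "src" and i + 1 < len(toks):
            info["src"] = toks[i + 1]
            i += 2
        elif name:
            info["flags"].add(name)
            i += 1
        else:
            info["extra"].append(tok)
            i += 1
    return info


# Switches that, with a Control_RunDLL entry point, mark the RBC loader.
RBC_INDICATORS = {"bkwndlist", "bkprocesslist", "killex", "checktime"}


def is_rbc_launch(cmdline):
    """True when a rundll32 command line uses the Control_RunDLL entry point
    and carries at least two of the RBC loader's characteristic switches."""
    info = parse_rbc_cmdline(cmdline)
    if info is None or info["entry"].lower() != "control_rundll":
        return False
    present = set(info["flags"])
    present |= {k for k in ("bkwndlist", "bkprocesslist") if info[k]}
    return len(RBC_INDICATORS & present) >= 2


def would_trigger_exit(info, window_titles, process_names):
    """Blocklist entries matching the analyst's open windows (case-insensitive
    substring) or running processes (case-insensitive exact name)."""
    titles = [t.lower() for t in window_titles]
    procs = {p.lower() for p in process_names}
    hits = [w for w in info["bkwndlist"] if any(w.lower() in t for t in titles)]
    hits += [p for p in info["bkprocesslist"] if p.lower() in procs]
    return hits


# Constructed process-creation records: "EventID|Image|CommandLine".
SAMPLE_LOG = [
    "4688|C:\\Windows\\explorer.exe|C:\\Windows\\explorer.exe",
    "4688|C:\\Windows\\System32\\rundll32.exe|" + RBC_CMDLINE,
    "4688|C:\\Windows\\System32\\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
]


def scan_log(lines):
    """Indices of records whose command line looks like the RBC loader."""
    return [i for i, line in enumerate(lines)
            if is_rbc_launch(line.split("|", 2)[-1])]


if __name__ == "__main__":
    info = parse_rbc_cmdline(RBC_CMDLINE)
    print("flags:", sorted(info["flags"]))
    print("flagged records:", scan_log(SAMPLE_LOG))
    print("would exit on:", would_trigger_exit(info, ["Wireshark 2.2 - eth0"], ["explorer.exe"]))
```

Note that the window check is a substring match, so a title merely containing "Spy" or "Wireshark" is enough to make the loader exit; when reproducing the behavior in a lab, rename or hide such windows and processes before the component starts.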

Lua script analysis

RbcEntry.dll embeds a Lua engine. It first loads Rbc.xar and then calls onload.lua to start the script. Rbc.xar is the task-scheduling module; its core function is to download the task control script from the cloud and load and run it.

The directory tree of the unpacked Rbc.xar is as follows:

Rbc.xar
├── Layout
│   └── onload.lua
└── luacode
    ├── kkp.curl.lua
    ├── rbc.base.lua
    ├── rbc.eventsource.lua
    ├── rbc.filter.lua
    ├── rbc.helper.lua
    ├── rbc.lua
    ├── rbc.scheduler.lua
    ├── rbc.setting.lua
    ├── rbc.task.lua
    └── rbc.version.lua

The main function of onload.lua is to load each of these scripts; its code is as follows:

[onload.lua loading the scripts]

Finally it loads rbc.scheduler.lua, which contains the URL of the remote task-configuration script: http://***.kankan.com/rbc/taskschedule_v1.2.dat

[rbc.scheduler.lua scheduling script]

As the function names show, the script's main job is task scheduling. The script taskschedule_v1.2.dat is the real task script.

taskschedule_v1.2.dat contains the configuration parameters of the various tasks, including the following mining-task configuration block:

[Mining task configuration block]

Here link is the download address of the task module, usually a Xar package; frequency is the execution frequency; googleid and cnzzid are analytics identifiers (Google Analytics and CNZZ) used to count active installs; configurl is a remote configuration script used by the DLL module, which mainly provides the download address and MD5 of the mining DLL. Details follow below.

The task modules are downloaded into the %APP_DATA%\VideoLegend\RBC\Task directory:

[Generated %APP_DATA%\VideoLegend\RBC\Task directory]

The complete list of task URLs is as follows:

http://***.kankan.com/rbc/fixrbclaunch_v1.2.cab
http://***.kankan.com/rbc/startip_v3.2.cab
http://***.kankan.com/rbc/upkkp_v1.20.cab
http://***.kankan.com/rbc/uprbc_v1.11.cab
http://***.kankan.com/rbc/uprbcxar_v1.1.cab
http://***.kankan.com/rbc/checkintegrity_v1.9.xar
http://***.kankan.com/rbc/arkkp_v5.2.cab
http://***.kankan.com/rbc/aikkp_v6.1.xar
http://***.kankan.com/rbc/arfix_v1.0.xar
http://***.kankan.com/rbc/dc_fixplugin_v4.2.lua
http://***.kankan.com/rbc/fixplugin_v12.0.cab
http://***.kankan.com/rbc/fixplugin_v11.5.cab
http://***.kankan.com/rbc/launchkkp_v10.1.xar
http://***.kankan.com/rbc/launchkkp_v20.1.cab
http://***.kankan.com/rbc/rbctip_v5.10.cab
http://***.kankan.com/rbc/newstip_v2.21.cab
http://***.kankan.com/rbc/rbcbiz_v3.3.cab
http://***.kankan.com/rbc/rbcbizlite_v1.3.cab
http://***.kankan.com/rbc/biztask_v2.1.cab
http://***.kankan.com/rbc/fixpusher_v1.3.cab
http://***.kankan.com/rbc/dc_task_v5.3.xar
http://***.kankan.com/rbc/partnerlink_v2.2.cab
http://***.kankan.com/rbc/partnerdll_v2.11.xar
http://***.kankan.com/rbc/arbrowserlink_v2.9.xar
http://***.kankan.com/rbc/dc_arbrowserlink_v2.3.xar
http://***.kankan.com/rbc/arbrowserlinkq_v1.6.xar
http://***.kankan.com/rbc/dc_arbrowserlinkq_v1.2.xar

Among these, http://***.kankan.com/rbc/partnerdll_v2.11.xar is the mining task control script (MD5 8EF1948C5EA9B8113706CBFF1EBB8CF5). Unpacked, it contains only an onload.lua script, whose main function is to download deploy64.dll into the %TEMP% directory according to the configurl parameter and then load and run it. Deploy64.dll is the main mining module.

The configurl configuration used by the script is as follows:

[Mining task script configuration: DLL download addresses]

The configuration for deploy.dll contains three download addresses: caburl, caburl_without and caburl_withoutwithdll. caburl is the build compiled with OpenCL, caburl_without is the build compiled without OpenCL, and caburl_withoutwithdll is the build without OpenCL but packaged together with OpenCL.dll. In practice the script always downloads caburl and calls rundll32.exe to load and run Deploy64.dll:

[Script calling rundll32.exe to load Deploy64.dll]

The complete command line is as follows:

C:\windows\system32\rundll32.exe "%TEMP%\Deploy64.dll" Control_RunDLL index_class_d=%d

The index_class_d parameter is specified in the task configuration block of taskschedule_v1.2.dat.

Once loaded, Deploy64.dll runs the real mining code. It is the culprit behind the increased GPU usage, the overheating and the shrinking free space on the C: drive.

Deploy64.dll analysis

After loading, Deploy64.dll creates two threads: CSafeRT::MonitorThread and EthThread. CSafeRT::MonitorThread is the monitor thread and EthThread is the mining thread.

CSafeRT::MonitorThread

This thread creates a window with class name __deploy_CSafeRTImpl and window name __deploy_CSafeRTImpl_i_1_5. In the window procedure it checks for an attached debugger and enumerates windows looking for debugging tools; if a debugger or analysis tool is detected, the process exits.

[Exit on debugger detection]

[Exit on detection of the window titles listed above]

EthThread

EthThread is the main mining thread. It first downloads the configuration file http://***.kankan.com/deploy/dtask%d_.ini, where %d is the index_class_d parameter passed in (currently the values 0 to 7 are valid). The configuration file looks as follows:

[Configuration file]

Decrypting the configuration fields with the AES-128 algorithm yields:

p="http://eth-asia1.nanopool.org:8888"
us="0x7016df7C2d2AcF0DAc218A410e61002A66837151;
0xEaABAF0384EE73bca43c2A698e240d64de09081b;
0x0af856fbEd6e93A01b3c4557D64edc99C5a5d46B;
0x669F588F103764f98b94ceBFB6fB93bbd5dF2CFc;
0xedC148759dFdFfA3EEfF01Ea64B2aBf20642799f;
0xfE7c793eD4F16B6d05eC763D98389590b0c812E1;
0xc556d14247A59d1E0886bB21b4fAe1481C744191;
0xb1d42965F539eAF688938A16be47558053D57A52;
0x6563b8A0a6238edc8c3bBD7E23AB6174DED92165;
0x9C3dc3Bc89a0f16B1CBc2bA8b35427d286F783ec;
0xFfB6faEF01A41330425ae1795601f6D3F7c1d762"

[Decrypted mining parameters]

These are then spliced into the pool URL http://eth-asia1.nanopool.org:8888/0xFfB6faEF01A41330425ae1795601f6D3F7c1d762.

[Mining start parameters]

The parameters are passed to the process itself and mining begins. The -G parameter selects GPU mining and -F specifies the mining pool URL. After mining starts, an Ethash directory is created under the user's profile directory; the mining data files have the format shown below, and a single file exceeds 1.5 GB. At the same time the GPU usage on the user's machine soars and the computer heats up.
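As an added example (not code from the article or from Kankan), the following takes the decrypted dtask fields listed above (p = pool URL, us = wallet list), validates the wallet addresses, builds the "-G -F <pool>/<wallet>" argument list the article describes, and does the reverse for an observed miner command line, extracting pool host, port and wallet as indicators; it also flags oversized files in an Ethash directory from a constructed listing. The AES-128 decryption step is assumed to have happened already (the article gives neither key nor mode), the wallet-selection rule and all function names are this example's own, and the profile layout and file listing are constructed.

```python
"""Added example (not code from the article or from Kankan): parse the decrypted
dtask profile (p = pool URL, us = ';'-separated wallets), build the miner
arguments the article describes (-G, -F <pool>/<wallet>), extract pool IOCs
from a command line, and flag Ethash data files by size. AES decryption is
assumed done already; function names and selection rule are this example's."""
import re
from urllib.parse import urlparse

# Decrypted profile as printed in the article (constructed layout: one
# key="value" pair per field, wallets separated by ';').
SAMPLE_PROFILE = '''
p="http://eth-asia1.nanopool.org:8888"
us="0x7016df7C2d2AcF0DAc218A410e61002A66837151;
0xEaABAF0384EE73bca43c2A698e240d64de09081b;
0x0af856fbEd6e93A01b3c4557D64edc99C5a5d46B;
0x669F588F103764f98b94ceBFB6fB93bbd5dF2CFc;
0xedC148759dFdFfA3EEfF01Ea64B2aBf20642799f;
0xfE7c793eD4F16B6d05eC763D98389590b0c812E1;
0xc556d14247A59d1E0886bB21b4fAe1481C744191;
0xb1d42965F539eAF688938A16be47558053D57A52;
0x6563b8A0a6238edc8c3bBD7E23AB6174DED92165;
0x9C3dc3Bc89a0f16B1CBc2bA8b35427d286F783ec;
0xFfB6faEF01A41330425ae1795601f6D3F7c1d762"
'''

_FIELD = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
_ETH_ADDR = re.compile(r"0x[0-9a-fA-F]{40}")


def is_eth_address(s):
    """Syntactic check only: 0x plus 40 hex digits (no EIP-55 checksum)."""
    return _ETH_ADDR.fullmatch(s) is not None


def parse_profile(text):
    """Return {'pool': url, 'wallets': [addr, ...]} from the decrypted fields;
    raise ValueError if any wallet entry is not an Ethereum address."""
    fields = dict(_FIELD.findall(text))
    wallets = [w.strip() for w in fields.get("us", "").split(";") if w.strip()]
    bad = [w for w in wallets if not is_eth_address(w)]
    if bad:
        raise ValueError("malformed wallet address(es): %r" % bad)
    return {"pool": fields.get("p", "").strip(), "wallets": wallets}


def build_miner_args(cfg, index=-1):
    """Arguments the article describes: -G (GPU) and -F <pool>/<wallet>.
    index picks the wallet; the default -1 reproduces the last-address case
    shown in the article (the real selection rule is not known)."""
    wallet = cfg["wallets"][index]
    return ["-G", "-F", cfg["pool"].rstrip("/") + "/" + wallet]


def extract_pool_iocs(cmdline):
    """Pool host, port and wallet from a '-F <url>' miner command line, or
    None when no such argument is present."""
    m = re.search(r"(?:^|\s)-F\s+(\S+)", cmdline)
    if not m:
        return None
    u = urlparse(m.group(1))
    wallet = u.path.strip("/")
    return {"host": u.hostname, "port": u.port,
            "wallet": wallet if is_eth_address(wallet) else None}


# Artefact check from the article: mining data files well over 1 GB inside
# an 'Ethash' directory. Threshold is this example's choice (1 GiB).
DAG_MIN_BYTES = 1 << 30

# Constructed directory listing: (path, size in bytes).
SAMPLE_LISTING = [
    ("C:\\Users\\demo\\Ethash\\data1", 1_600_000_000),
    ("C:\\Users\\demo\\Ethash\\small", 4096),
    ("C:\\Users\\demo\\Videos\\movie.mp4", 2_000_000_000),
]


def flag_dag_files(listing):
    """Paths that sit in an Ethash directory and are at least DAG_MIN_BYTES."""
    return [p for p, size in listing
            if "\\ethash\\" in p.lower().replace("/", "\\") and size >= DAG_MIN_BYTES]


if __name__ == "__main__":
    cfg = parse_profile(SAMPLE_PROFILE)
    args = build_miner_args(cfg)
    print("miner args:", args)
    print("IOCs:", extract_pool_iocs("miner.exe " + " ".join(args)))
    print("DAG files:", flag_dag_files(SAMPLE_LISTING))
```

The pool host, port 8888 and the eleven wallet addresses are the useful network and blockchain indicators here; the Ethash file size check is the simplest host-side confirmation, since a legitimate video player has no reason to write multi-gigabyte files under that name.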

[Mining data files generated by Deploy64.dll]

The above analysis covers the whole process by which Kankan Video uses users' computing resources for mining. Because Kankan Video itself is legitimate software, security products usually trust it outright, which makes this kind of malicious behavior hard to discover. Duba (Kingsoft Antivirus) now detects and removes this malicious behavior.

[Duba intercepting and removing the mining code]

[Duba cleaning up the mining data files]

Source: http://www.freebuf.com/articles/system/114522.html
