Detonating a miner #743
gustavo-iniguez-goya started this conversation in Show and tell
A workmate handed me recently a malware that was dropped and detonated on a server so I could study it. Nowadays, almost all malware tries to phone home, so let's see what opensnitch is able to intercept:
miner2.webm
Firstly, it tries to connect to 45.10.88.102 (18 times). After a few seconds it launches a second binary, `kdevtmpfsi` (embedded inside the dropper), that is the real miner, which tries to connect to several other IPs, including the host pool.minexmr.com. The host pool.minexmr.com is included in several blocklists like osid and 1hosts.
Some of the IPs (91.215.169.111) used by the miner/dropper are classified as gambling-porn-fakenews by the stevenblack blocklist.
Learn how to use blocklists to block domains and IPs 👉 https://github.com/evilsocket/opensnitch/wiki/block-lists
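As an added illustration (not part of the original post and not opensnitch's own code), the script below shows the kind of check a defender can run over connection events like the ones captured above: it parses blocklists in the two shapes the wiki mentions (hosts-format `0.0.0.0 domain` files such as stevenblack's, and plain one-entry-per-line domain/IP lists), then reviews a constructed list of outbound connection events and flags any whose destination IP or hostname (or a parent domain of it) is on a list, while counting repeated attempts per process and destination. The event records, process paths, the `203.0.113.x`/`198.51.100.x` addresses and the `example.invalid` names are constructed samples; the blocklist contents are also constructed, seeded with the indicators named in the post.

```python
"""Match observed outbound connections against hosts-format and plain blocklists."""
import ipaddress
from collections import Counter

# Constructed sample of a stevenblack-style hosts file ("<sink> <hostname>").
HOSTS_FORMAT_LIST = """\
# hosts-format blocklist (constructed sample)
0.0.0.0 0.0.0.0
0.0.0.0 pool.minexmr.com
0.0.0.0 tracker.example.invalid   # inline comment
"""

# Constructed sample of a plain list: one domain or IP per line.
PLAIN_LIST = """\
# plain blocklist (constructed sample)
pool.minexmr.com
45.10.88.102
91.215.169.111
"""

# Hostnames that appear in every hosts file and must not be treated as blocked.
HOSTS_NOISE = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# Constructed connection events in the shape opensnitch reports (process, dst_ip, dst_host).
EVENTS = [
    {"process": "/tmp/dropper", "dst_ip": "45.10.88.102", "dst_host": ""},
    {"process": "/tmp/dropper", "dst_ip": "45.10.88.102", "dst_host": ""},
    {"process": "/tmp/kdevtmpfsi", "dst_ip": "203.0.113.10", "dst_host": "pool.minexmr.com"},
    {"process": "/tmp/kdevtmpfsi", "dst_ip": "91.215.169.111", "dst_host": ""},
    {"process": "/usr/bin/curl", "dst_ip": "198.51.100.7", "dst_host": "updates.example.invalid"},
]


def parse_blocklist(text):
    """Return (domains, ips) from hosts-format or plain blocklist text."""
    domains, ips = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2:  # hosts format: sink address followed by hostname
            sink, entry = fields[0], fields[1]
            if entry == sink:  # e.g. "0.0.0.0 0.0.0.0" header line
                continue
        else:                 # plain format: a single domain or IP
            entry = fields[0]
        entry = entry.lower().rstrip(".")
        try:
            ips.add(str(ipaddress.ip_address(entry)))
        except ValueError:
            if entry not in HOSTS_NOISE:
                domains.add(entry)
    return domains, ips


def load_blocklists(*texts):
    """Merge several blocklists into one (domains, ips) pair."""
    domains, ips = set(), set()
    for text in texts:
        d, i = parse_blocklist(text)
        domains |= d
        ips |= i
    return domains, ips


def domain_blocked(host, domains):
    """Return the blocklist entry covering host (exact or parent domain), else None."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full name up to the registrable parent; never match a bare TLD.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def review_events(events, domains, ips):
    """Flag events hitting a blocklist and count attempts per (process, destination)."""
    findings = []
    attempts = Counter()
    for ev in events:
        dest = ev["dst_host"] or ev["dst_ip"]
        attempts[(ev["process"], dest)] += 1
        reason = None
        if ev["dst_ip"] in ips:
            reason = f"ip {ev['dst_ip']} is blocklisted"
        elif ev["dst_host"]:
            hit = domain_blocked(ev["dst_host"], domains)
            if hit:
                reason = f"host {ev['dst_host']} matches blocklist entry {hit}"
        if reason:
            findings.append((ev["process"], dest, reason))
    return findings, attempts


if __name__ == "__main__":
    blocked_domains, blocked_ips = load_blocklists(HOSTS_FORMAT_LIST, PLAIN_LIST)
    hits, counts = review_events(EVENTS, blocked_domains, blocked_ips)
    for proc, dest, why in hits:
        print(f"{proc} -> {dest}: {why}")
    for (proc, dest), n in counts.items():
        print(f"{proc} -> {dest}: {n} attempt(s)")
```

Matching on the parent domain is deliberate: a list entry for pool.minexmr.com should also cover any subdomain of it, which is how hosts-style lists are usually interpreted, while a bare TLD is never treated as a match. The repeated-attempt counter is what surfaces behaviour like the 18 connection attempts to a single address seen in the capture.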