├── CopyKittens
├── UnobfuscatedStrings.txt
└── decryptRoutine.py
├── Emotet
└── Domains.txt
├── MinerKiller
├── MinerKiller.ps1
├── MinerKiller.sh
└── README.md
├── ObfuscatedAutoItDecrypter
└── AutoIt_dec.py
├── PuffStealer
├── AutoIt_dec.py
└── README.md
└── README.md
/CopyKittens/UnobfuscatedStrings.txt:
--------------------------------------------------------------------------------
1 | 11ZTMckLyMjUFNdd : USER32.DLL
2 | 1wETE5CdF5USOlVd : WININET.DLL
3 | MxEcuIzMJBdQWcUQ : ADVAPI32.DLL
4 | MxEcuIzMMdkTSdVS : KERNEL32.DLL
5 | 11ZIsxGAuIzMpBXYzc3d : Wtsapi32.dll
6 | 1wGbk5SawF20sh2e : shlwapi.dll
7 | sxGAuIzMlx2b : ole32.dll
8 | sxGAuIzMpc2A : gdi32.dll
9 | 1eFRvJUAnF2ezdWT : MessageBoxW
10 | XAG0ulmewN30 : wsprintfW
11 | 11Z0jdmbu92QVBXblcH0BcXAuJXAV5WS : InternetAttemptConnect
12 | 1kXALd2evx2QndmU : RegCloseKey
13 | 11wdlxWaGcHRl5EAulmc : FindNextFileW
14 | 11wdl=WYOJXAVdHet92QVd2c : GetComputerNameW
15 | 1ZXAlx2U : Sleep
16 | 11ZAJN3elN2byBF0udmeyd3QVd2c : GetCurrentProcessId
17 | 11Z0jdmai9UAs0mbpNlevAE0pF2d : WaitForSingleObject
18 | 1QnblAXcVd2U : SetEvent
19 | y9meydE0zFGTVd2c : GetLastError
20 | 11Z0udm0FcXAzdmU : ResetEvent
21 | XcnblAXclcXYlJ3Q : CreateEventW
22 | 11wdV5WA2dkblB3T : OpenEventW
23 | 1UGbk5WYId2evx2Q : CloseHandle
24 | 11weVNWAqJ2TlxGepcHb==kevAE0pF2d : WaitForMultipleObjects
25 | 11wdlxGAuFGSlxW0k9WTVd2c : GetModuleHandleW
26 | lN3bsNEAulmc : FindClose
27 | V9GazBXYuNlMzZHblhGbv9GdlcXYlJ3Q : CreateToolhelp32Snapshot
28 | XhXAVdXTlcXYlJ3Q : CreateMutexW
29 | 1eF0zJXaGJzMlxW0k9WT : Module32FirstW
30 | 1QnblNXAyBlel02A=JWAENXS : IsDebuggerPresent
31 | 11ZbjFGcy9G0wlmejNXAElH0pJX0jd2UVd2U : SetSecurityDescripto
32 | 11wdVhXAOJzMlxW0k9WT : Module32NextW
33 | 11gevcHepJ3YzdGc5cXayd3YlNdA6lGbhlG0p5WS : InitializeSecuri
34 | X9mAulEe=cnehc3UVd2c : GetStartupInfoW
35 | 4dG0==UAzFWAsdmU : ReleaseMutex
36 | kFWAyhGdlcXYlJ3Q : CreateThread
37 | 1edAslmcVNnepAEAulmc : FindFirstFileW
38 | 11wdzd2ezd2YvJHUlcXYydWb=5WcTc=d : WTSEnumerateProcessesW
39 | 11QRy9Wbl=UAlJncTc=d : WTSFreeMemory
40 | 11wd4dG0==kblB3T : OpenMutexW
41 | BdmbpxEAuFWbt92QVd2c : GetCommandLineA
42 | 11Z0ud2elJHUlJX0VFWAGJ3bzNXAj9meQNXS : IsProcessorFeaturePr
43 | 1UWAyAEehdGS : HeapFree
44 | j9GbsFEehdGS : HeapAlloc
45 | klEAhdmeocF0udmeyd3QVd2c : GetCurrentThreadId
46 | 1M3elN2byBF0udmeyd3QVd2c : GetCurrentProcess
47 | XdW0sFmdl0WAslm0pJHUwd3av9GT : LookupPrivilegeValueW
48 | X0mbpJH0T0W0idGcVdHeVd3T : OutputDebugStringW
49 | 11gblt2bUN3elN2byBlblB3T : OpenProcessToken
50 | zd2AlxWa2lmeQ5WAr9GdVNX0qcWQ : AdjustTokenPrivileges
51 | XNXAVdnYpJH0VFUAslmcVd2U : SetFileAttributesW
52 | 1e=ezd2YvJHUlcXYlJ3Q : CreateProcessW
53 | kFWAyhGdlc3btdmUlcXYlJ3Q : CreateRemoteThread
54 | XdWbh5UAslmclxW0k9WTVd2c : GetModuleFileNameW
55 | 1eFRFNXAVdnYpJH0VFUAslmcVd2c : GetFileAttributesExW
56 | 1edAtFmTlxWaGcmbpAEaVFGU : PathFindFileNameW
57 | 11wdl0WYzNXANh2YVFGezlGc : DispatchMessageW
58 | 1gXclc2bjlmbd9Gd : ToUnicodeEx
59 | klVezd2YvJHUkFWAyhGd39GAul2dVd2c : GetWindowThreadProcessId
60 | 11ZRFt2bvhVe39GAul2dr92bo5Wd : UnhookWindowsHookEx
61 | 1eFRFt2bvhVe39GAul2dVd2U : SetWindowsHookExW
62 | XcHRlcdAtFmT5d2SVd2c : GetKeyNameTextW
63 | 11QYVFGckJXYvJGepx2QVd2c : GetClipboardData
64 | 11ZAyF2biBXasNkblB3T : OpenClipboard
65 | 1QX0vlXYMcmeh9mY5d2SVd2c : GetKeyboardLayout
66 | 11w0vcmbp0FAud3by0WAy9mcVd2c : GetForegroundWindow
67 | 11QAVFG0Tcmeh9mY5d2SVd2c : GetKeyboardState
68 | 1gXcr92bIcHRl5EbsF2Q : CallNextHookEx
69 | 1UG0hc3U5d2SVd2c : GetKeyState
70 | ydWbpcFbsl2S : KillTimer
71 | 1edAnF2ezdWTVd2c : GetMessageW
72 | 1IXAtlGdVd2U : SetTimer
73 | 1edRltEbhdH0ylmdwFWT : MapVirtualKeyW
74 | 1Qmeh9mYwlGbDd2evx2Q : CloseClipboard
75 | 1eFaV0mblxE04dGd39GAul2dVd2c : GetWindowTextLengthW
76 | 11w0vcmbp0Fevc3azdGcVd2c : GetDesktopWindow
77 | 1MEcVd2c : GetDC
78 | lpXasFWaVlmbJ92Q : CoInitialize
79 | 1UmRpxWYpcXaulmbd92Q : CoUninitialize
80 | 11QAj5WYVNnbJdG0hdmeD92Q : CoCreateInstance
81 | 1gXclpXasFWaVlmbJ92Q : CoInitializeEx
82 | 1eF04dGd39GAul2dVd2c : GetWindowTextW
83 | 11QAnF2ezdWTlcXYsNnbhJHd : TranslateMessage
84 | 1e3bk5WaXxGblh2UVd2c : GetShellWindow
85 | 11wejlmeVdWTtdG0zl3UVd2c : GetSystemMetrics
86 | 1edA=xWYWlneldXUndmU : RegQueryValueW
87 | XdWbh5kelNXdVd2c : GetUserNameW
88 | 1eFRFdW0sFmdVd2UndmU : RegSetValueExW
89 | 11wd4dURltkblB3TndmU : RegOpenKeyExW
90 | 11wd4dUA=xWYWlneldXUndmU : RegQueryValueExW
91 | 11wd5d2SlcXYlJ3QndmU : RegCreateKeyW
92 | 1MEclcXAsdGc : DeleteDC
93 | 11gbvlG0jd2UClEclcXYlJ3Q : CreateDIBSection
94 | 11wewF2QlNWa2dGcVd2c : GetDeviceCaps
95 | VNWAqJ2TlcXAsdGc : DeleteObject
96 | VNWAqJ2TVNWAsd2U : SelectObject
97 | DcUAsJWaVFGet92QlcXYlJ3Q : CreateCompatibleDC
98 | DcUA2F2U : SaveDC
99 | DcUAy9G0zdmU : RestoreDC
100 | VxmQVlmQ : BitBlt
101 | 5J3btdWTzNXAj9meQdG0pJ3d : WriteProcessMemory
102 | 1ZXYlhVezd2YvJHUVd2c : GetProcessHeap
103 | 1M3elN2byBlblB3T : OpenProcess
104 | XdGbpAURw92Q : CopyFileW
105 | j9GbsFEbhdH0ylmd : VirtualAlloc
106 | 1gXcj9GbsFEbhdH0ylmd : VirtualAllocEx
107 | 1edAslmclcXAsdGc : DeleteFileW
108 | 1IXAV5WavBdAslmcVd2U : SetFilePointer
109 | lxWaGdG0pJ3d : WriteFile
110 | 1UGbpAEAhdmU : ReadFile
111 | 1edAslmclcXYlJ3Q : CreateFileW
112 | 1edRy9G0jdmepcE0udmeyd3QVd2c : GetCurrentDirectoryW
113 | 1e=0vcmbp0FAulmc : FindWindowW
114 | z9GUy92eyd3QVd2c : GetCursorPos
115 | 1UWAyAEbhdH0ylmd : VirtualFree
116 | s9meV52bD9WSlNWa2dGc : DeviceIoControl
117 | V5W0vNVajlGdVd2c : GetTickCount
118 | 11wd4dUAjFGeTdWAyAVazlGcVd2c : GetDiskFreeSpaceExW
119 | XNXAVdnYpJH0VFUAslmcVd2c : GetFileAttributesW
120 | 1UWbpcdAslmcVd2U : SetFileTime
121 | 1UWbpcdAslmcvcdAtlGdtdG0zl3U : SystemTimeToFileTime
122 | 1UWbpcdAslmcvcdAtlGdlxWaGxWYj9GT : LocalFileTimeToFileTime
123 | 11wd5J3bVNWAylGclcXYlJ3Q : CreateDirectoryW
124 | 11gehh2QlcWaX9GdlcXRClG0sdXT : MultiByteToWideChar
125 | 11QAVlnQpcHb==VbUJXYoNUAkl2d : WideCharToMultiByte
126 | 1UmRpNFehdGS : HeapSize
127 | 1M2bsxWQlJFehdGS : HeapReAlloc
128 | y9meydE0zFGTVd2U : SetLastError
129 | 1Qnbl=WAyNmbJcWArN2bsJXAV5WS : InterlockedIncrement
130 | 1Qnbl=WAyNWAEcWArN2bsJXAV5WS : InterlockedDecrement
131 | 142bpcHelNGRFd2epFmU : RaiseException
132 | 11wdz0mbpJH0Tcnbl=mbvJXa25WcVd2c : GetEnvironmentStringsW
133 | 1e=en5Wayc3UV5WAt52bylm0udUAlJn : FreeEnvironmentStringsW
--------------------------------------------------------------------------------
/CopyKittens/decryptRoutine.py:
--------------------------------------------------------------------------------
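"""Decode the obfuscated strings used by the CopyKittens sample.

Each line of the input file holds one obfuscated string.  The scheme is:
reverse the text, apply the single-character substitution in
``_SUBSTITUTION``, then base64-decode the result.  One line is printed per
input string in the form ``<obfuscated> : <plaintext>``.

Usage: python decryptRoutine.py [obfuscatedStrings.txt]
"""
import base64
import binascii
import sys

# Character substitution applied after reversing.  It is not symmetric:
# Z<->A and 1<->= swap, while c->R->e->c and d->V->0->d are three-cycles,
# so this table decodes only and cannot be reused to re-encode.
_SUBSTITUTION = str.maketrans({
    "Z": "A", "A": "Z",
    "1": "=", "=": "1",
    "c": "R", "R": "e", "e": "c",
    "d": "V", "V": "0", "0": "d",
})


def decode_string(obfuscated: str) -> str:
    """Return the plaintext for one obfuscated string.

    Args:
        obfuscated: the obfuscated text; surrounding whitespace (such as the
            newline read from the input file) is ignored.

    Returns:
        The decoded text.  Bytes that are not valid UTF-8 are replaced with
        U+FFFD rather than raising.

    Raises:
        binascii.Error: if the substituted text is not valid base64.
    """
    reversed_text = obfuscated.strip()[::-1]
    b64 = reversed_text.translate(_SUBSTITUTION)
    return base64.b64decode(b64).decode("utf-8", errors="replace")


def main(argv=None):
    """Decode every line of the input file and print the results.

    Args:
        argv: command-line arguments without the program name; the first
            one is the input path (default ``obfuscatedStrings.txt``).
            ``None`` means use ``sys.argv``.

    Returns:
        Process exit code: 0 on success, 1 if the input file cannot be read.
    """
    args = sys.argv[1:] if argv is None else argv
    path = args[0] if args else "obfuscatedStrings.txt"
    try:
        with open(path, "r", encoding="utf-8") as handle:
            lines = handle.readlines()
    except OSError as exc:
        print("cannot read %s: %s" % (path, exc), file=sys.stderr)
        return 1
    for raw in lines:
        # rstrip only the line ending: the original sliced off the last
        # character unconditionally, which truncated a final line that had
        # no trailing newline.
        obfuscated = raw.rstrip("\r\n")
        if not obfuscated.strip():
            continue  # blank line: nothing to decode
        try:
            decoded = decode_string(obfuscated)
        except binascii.Error as exc:
            # Report and keep going; one malformed entry should not stop
            # the whole listing.
            print("%s : <undecodable: %s>" % (obfuscated, exc), file=sys.stderr)
            continue
        print(obfuscated + " : " + decoded)
    return 0


if __name__ == "__main__":
    sys.exit(main())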
--------------------------------------------------------------------------------
/Emotet/Domains.txt:
--------------------------------------------------------------------------------
1 | aussiescanners[.]com
2 | ashtralmedia[.]com
3 | earthwind[.]com
4 | episode[.]co[.]jp
5 | henkbruurs[.]nl
6 | justinhophotography[.]com
7 | kazol[.]de
8 | amysinfo[.]com
9 | russnixon[.]com
10 | mplusm[.]de
11 | bonaveri[.]it
12 | livita[.]lt
13 | tourseoulkorea[.]com
14 | peedi[.]ch
15 | freemac[.]net
16 | nicogamma[.]com
17 | legalservicenow[.]com
18 | suttoncreativestudios[.]com
19 | kwcabling[.]com
20 | accures[.]be
21 | codewordmediadesign[.]com
22 | shaniss[.]com
23 | inceptioneng[.]com
24 | pzwebbdesign[.]se
25 | creativefortress[.]com
26 | asi-instruments[.]com
27 | ramerman[.]nl
28 | inspection-source[.]com
29 | thedynamicduo[.]se
30 | arledia[.]be
31 | acarvajal[.]com
32 | itsmurder[.]co[.]uk
33 | jcdrivingschool[.]com
34 | inetsolutions[.]com[.]ar
35 | johnuesmedia[.]com
36 | knightward[.]com
37 | kilateshn[.]com
38 | ilcode[.]com
39 | appiehd[.]nl
40 | louiswalker[.]net
41 | datai[.]biz
42 | lydian[.]co[.]jp
43 | donperrin[.]com
44 | fitzw[.]com
45 | coverspi[.]com
46 | akrene[.]no
47 | 2geeks[.]ws
48 | localsrock[.]com
49 | ananyah[.]com
50 | michellerather[.]com
51 | ronchapple[.]com
52 | frampton[.]me[.]uk
53 | jimmyphan[.]net
54 | djadinolfi[.]com
55 | getaklu[.]net
56 | mecaningroup[.]com
57 | 2data[.]net
58 | jretechnology[.]com
59 | goteama[.]com
60 | rvadventure-usa[.]com
61 | imagecraft[.]co[.]nz
62 | itrium[.]lv
63 | fexlabs[.]com
64 | johnhouse[.]co[.]uk
65 | brandely[.]com
66 | lrcnet[.]com
67 | fwstation[.]com
68 | chicardo[.]com
69 | killergraffix[.]com
70 | irrationaldad[.]com
71 | eastcoastcarz[.]com
72 | radionik[.]info
73 | diow[.]com[.]br
74 | mokgolobetsi[.]co[.]za
75 | madideasdesigns[.]com
76 | makarsky[.]com
77 | makibishi[.]co[.]jp
78 | meditur[.]com
79 | meiditravel[.]com[.]my
80 | millsmotorsports[.]com
81 | usinanet[.]com
82 | videocelebrities[.]eu
83 | marinalimo[.]com
84 | vodaless[.]net
85 | mbhomes[.]com
86 | rostravernatherm[.]com
87 | designulife[.]nl
88 | afmaldives[.]org
89 | rackinfotech[.]com
90 | bummy[.]biz
91 | designstate[.]org
92 | ddtechrepairs[.]co[.]uk
93 | victor[.]lt
94 | swiatlowody[.]com[.]pl
95 | rogerschroeder[.]com
96 | alfalogistics[.]net
97 | mrsgiggles[.]com
98 | mobilenotary[.]com
99 | demonzmedia[.]com
100 | sxit[.]com
101 | rl141[.]org
102 | reachcuracao[.]com
103 | dingesgang[.]com
104 | maxxscholten[.]com
105 | marioboy[.]ro
106 | romadesignz[.]com
107 | mediaattitude[.]com[.]au
108 | capecourtesy[.]com
109 | browncowbrewery[.]co[.]uk
110 | mcsf[.]com[.]br
111 | bsn70[.]com
112 | atpeacearts[.]com
113 | melissaworthington[.]com
114 | capetek[.]com
115 | bomberjacket[.]net
116 | rogermiranda[.]pe
117 | syntios[.]com
118 | broganfamily[.]org
119 | autoblissmemphis[.]com
120 | avocet[.]co[.]nz
121 | matthewjmink[.]com
122 | haarlem-hosting[.]nl
123 | mindgroup[.]pl
124 | audre[.]com
125 | desiel[.]com
126 | tamcoproductions[.]com
127 | acosoft[.]de
128 | anosales[.]net
129 | bostonseafarms[.]com
130 | logotalks[.]com
131 | jcstudio[.]com[.]my
132 | denks[.]net
133 | sandstonesoftware[.]com[.]au
134 | chavezhomestead[.]com
135 | sagtalent[.]com
136 | jrgm[.]com
137 | rturnranch[.]com
138 | detektor[.]com[.]pl
139 | bragheto[.]com
140 | lunzer[.]de
141 | aurgelmir[.]de
142 | puikprodukties[.]nl
143 | brocke-loehr[.]de
144 | bjh[.]de
145 | schroedercreek[.]com
146 | rws-bremen[.]de
147 | timmerbeul[.]de
148 | silkfactory[.]com
149 | rockvilla[.]fi
150 | sazon[.]de
151 | indiaendurance[.]com
152 | kimko[.]co[.]za
153 | basicpr[.]net
154 | craigherbertson[.]com
155 | guysfromandromeda[.]com
156 | success-media[.]de
157 | musicmixcentral[.]com
158 | herbalpalace[.]com
159 | dieterprovoost[.]be
160 | finnfinancialgroup[.]com
161 | medecinfrancophone[.]ca
162 | benjamin-follert[.]de
163 | webagg[.]com
164 | fayvictor[.]com
165 | dubtastic[.]com
166 | huasonmid[.]com
167 | hwh-online[.]net
168 | vip-team-gmbh[.]de
169 | wladi[.]net
170 | rath-web[.]de
171 | harmonyhearing[.]com
172 | buendnis-music-records[.]com
173 | carstenmenge[.]de
174 | natzlive[.]de
175 | malermeister-pander[.]de
176 | flame-guild[.]de
177 | b1[.]ee
178 | lightimage[.]de
179 | bog-art[.]de
180 | kdbbartelt[.]de
181 | shop-wittlich[.]de
182 | schreijer-net[.]de
183 | frikko[.]de
184 | perfactory[.]de
185 | liquid-spaces[.]de
186 | zierock[.]de
187 | braun77[.]de
188 | tubadesign[.]com
189 | golini[.]de
190 | wws-warenwirtschaft[.]de
191 | lightningone[.]co[.]uk
192 | philosopherswheel[.]com
193 | adare[.]ca
194 | reese-heuer[.]de
195 | kandaloop[.]de
196 | akuil[.]nl
197 | revone[.]co[.]uk
198 | nb9m[.]com
199 | stasik[.]de
200 | dontspamme[.]net
201 | manatwork[.]ru
202 | uplinksys[.]com
203 | benjac[.]qc[.]ca
204 | skytrekkingalaska[.]com
205 | heatherfoss[.]net
206 | impulse-events[.]net
207 | nico-braun[.]de
208 | valdez-tsd[.]de
209 | hawaiinewsdaily[.]com
210 | business-solutions[.]uk[.]com
211 | enfoquesolar[.]com
212 | bkalisch[.]de
213 | lesclimats[.]com
214 | anderts[.]de
215 | mono-gusa[.]de
216 | belau[.]at
217 | rushmediacommunications[.]com
218 | fourchamberforge[.]com
219 | alloggi[.]se
220 | wavedrop[.]de
221 | myweddingfinancing[.]com
222 | little-engines[.]co[.]nz
223 | je1sgh[.]mydns[.]jp
224 | lctn[.]org
225 | materialstestingequip[.]com
226 | promacksfarm[.]com
227 | r717[.]net
228 | kailweit[.]de
229 | sirguey[.]net
230 | smoothsailingpdx[.]com
231 | nicoetc[.]co[.]za
232 | rwev[.]de
233 | bakmaz[.]de
234 | aurelijasapkiene[.]co[.]uk
235 | iparik[.]com
236 | weblog[.]vr-x[.]com
237 | m-projekt[.]net[.]pl
238 | bundesla[.]de
239 | brain-musik[.]de
240 | taggers[.]com[.]au
241 | whitecrossdispensary[.]com
242 | jaimesplace[.]com
243 | kmsigma[.]com
244 | lussos[.]com
245 | fltstatus[.]com
246 | martinwebdesign[.]co[.]uk
247 | ethanngophotography[.]com
248 | johnvale[.]com
249 | movinonupnj[.]com
250 | guarnaccia[.]com
251 | rivertowncakes[.]com
252 | lefrancophoney[.]com
253 | plugz[.]co[.]uk
254 | dscgroup[.]co[.]za
255 | nettechwi[.]com
256 | ilorcisoft[.]com
257 | stellaredgepr[.]com
258 | computerooter[.]com
259 | btcagentes[.]cl
260 | julianthompson[.]com
261 | fivecollegemovers[.]com
262 | gelbin[.]org
263 | jackmagicentertainment[.]com
264 | lab-instrument[.]com
265 | taltus[.]co[.]uk
266 | justiceseekers[.]com
267 | djzmo[.]com
268 | plutonix[.]com
269 | virtualmillers[.]com
270 | lourieconsulting[.]com
271 | chmara[.]net
272 | fiverockets[.]com
273 | genedelibero[.]com
274 | law4it[.]com
275 | vicinia[.]org
276 | maven[.]co[.]jp
277 | ct-corp[.]cn
278 | strifejester[.]com
279 | glidefx[.]com
280 | jdcarrollmusic[.]com
281 | ivanrivera[.]com
282 | macleayaircraft[.]com[.]au
283 | teddybearphoto[.]co[.]za
284 | isolat[.]org
285 | meerk[.]co[.]uk
286 | longbridge[.]biz
287 | escritoenelagua[.]com
288 | halalsecurities[.]com
289 | ladina[.]lt
290 | performancetest[.]org
291 | icglobalcorp[.]com
292 | haho[.]info
293 | fade-in[.]jp
294 | condukia[.]com
295 | juliekaplanphoto[.]com
296 | jumbosystem[.]it
297 | barcak[.]com
298 | fireguardservices[.]com
299 | fakeworks[.]com
300 | heron[.]com[.]br
301 | e-lanresources[.]com
302 | hapmag[.]com
303 | lichota[.]com[.]pl
304 | genxdesign[.]net
305 | masiiproductions[.]com
306 | kevinlombardo[.]com
307 | ellogos[.]net
308 | satutitik[.]com
309 | hotelesanticrisis[.]com
310 | harv[.]org
311 | beak[.]net
312 | broadwayartscenter[.]com
313 | internetsuccesszone[.]com
314 | hsquareddesignstudio[.]com
315 | jamesddunn[.]com
316 | merik[.]net
317 | sman5yk[.]sch[.]id
318 | flywheelstudios[.]com
319 | nemesismedia[.]co[.]uk
320 | servacom[.]net
321 | playstudio[.]pl
322 | dacres[.]org
323 | volkwein[.]de
324 | hbware[.]de
325 | grosskinsky[.]de
326 | willebrandt[.]de
327 | lettenbichler-transporte[.]de
328 | thegrosser[.]de
329 | bernd-reimann-consulting[.]de
330 | berndjung[.]de
331 | kerlkerl[.]de
332 | rallyeteam[.]de
333 | salmnet[.]com
334 | moeckesch[.]de
335 | streiger[.]com
336 | bluetonguecampers[.]com[.]au
337 | artua[.]co[.]uk
338 | the-bug[.]de
339 | tradenet-cg[.]de
340 | emilykunz[.]com
341 | dorner-leutkirch[.]de
342 | meseke[.]de
343 | boddenwerbung[.]de
344 | chrislippert[.]de
345 | bennybox[.]dk
346 | tojmanden[.]dk
347 | estevo[.]de
348 | berg-ingelheim[.]de
349 | rassmusen[.]cz
350 | locolocass[.]net
351 | poeschko[.]de
352 | risingriotrecords[.]com
353 | seviercountyhomeschoolers[.]com
354 | luebbke[.]info
355 | leentjelinders[.]nl
356 | blevy[.]co[.]uk
357 | denkewitz[.]de
358 | trostel[.]eu
359 | kurisu[.]de
360 | stlhiphop[.]com
361 | bramengaarde126[.]nl
362 | mysys[.]net
363 | gofo[.]ro
364 | tattooroyale[.]com
365 | dfc-consult[.]de
366 | kuehefuss[.]com
367 | bonell[.]de
368 | ulco[.]tv
369 | luxartscreendesign[.]de
370 | vier-stolls[.]de
371 | laurelhillinn[.]com
372 | bayernpizza[.]de
373 | lrbw-fm[.]eu
374 | sutphinfamily[.]com
375 | evergreenpictures[.]com
376 | the-eis-reich[.]de
377 | evolutio[.]org[.]ro
378 | visionhaus[.]de
379 | optimatop[.]ru
380 | wilberforce[.]net
381 | chaotics[.]net
382 | chrispaterson[.]co[.]uk
383 | nabrotzky[.]org
384 | donnellan[.]co[.]uk
385 | maasf[.]org
386 | a-bielz[.]de
387 | synchronus[.]de
388 | sissman[.]com
389 | fotostudiomico[.]nl
390 | carlimoliveira[.]com[.]br
391 | vudalfor[.]com[.]br
392 | kaufmann-org[.]de
393 | sightinc[.]com
394 | detterbeck-net[.]de
395 | gesconrisc[.]com
396 | itpsm[.]dk
397 | al-die[.]de
398 | think-pink[.]cc
399 | wisponline[.]ca
400 | bz-satellite[.]com
401 | german-aircult[.]de
402 | italtrade[.]vi[.]it
403 | welistration[.]com
404 | finuver[.]de
405 | broerart[.]de
406 | gheinemann[.]de
407 | oz-link[.]com
408 | u2285213[.]ct[.]sendgrid[.]net
409 | windsorwyeth[.]com
410 | upr-kunststoffe[.]de
411 | 24lps[.]net
412 | aleas[.]es
413 | absatec[.]com
414 | grimberger[.]de
415 | cmcuaresma[.]es
416 | feba[.]net
417 | nostrared[.]com
418 | ballpolo[.]sk
419 | fitgebit[.]nl
420 | iberperfil[.]com
421 | elprofedemicurso[.]es
422 | obdo[.]de
423 | 54jets[.]com
424 | j-gourmet[.]com
425 | bertikurz[.]de
426 | karsai[.]info
427 | aragon[.]ws
428 | dougsinning[.]com
429 | envialiabadajoz[.]com
430 | tytj[.]com[.]tw
431 | pirisport[.]com
432 | gsmanagement[.]de
433 | lasperlasdeltango[.]com[.]ar
434 | dfg[.]it
435 | justrockin[.]de
436 | 00walz[.]de
437 | kallypso[.]de
438 | ccowan[.]com
439 | tchootchoo[.]fr
440 | folkersma[.]org
441 | cvrtc[.]org
442 | fhasbargen[.]de
443 | rost[.]as
444 | boch-bau[.]de
445 | georg-valerius[.]de
446 | urbanartconstructions[.]com[.]au
447 | decox[.]de
448 | germantools[.]es
449 | plink[.]com[.]au
450 | vitsiou[.]com
451 | naturedogstore[.]nl
452 | fools-x-ing[.]de
453 | balmer-it[.]com
454 | live-etutor[.]com
455 | franklemke[.]de
456 | budden[.]de
457 | thepaperplant[.]com
458 | horseoz[.]com
459 | streetextreme[.]com[.]br
460 | turnertkg[.]com
461 | reiddust[.]com
462 | itqan[.]jo
463 | spearllc[.]com
464 | deasop[.]com
465 | syedengg[.]ac[.]in
466 | unesourisverte-france[.]fr
467 | xeqtnet[.]com
468 | cliotec[.]com
469 | andrecrom[.]de
470 | medien-markt[.]com
471 | signa5[.]com
472 | wiggee[.]com
473 | rietenau[.]de
474 | anwalt-mediator[.]com
475 | sobrosagames[.]com[.]br
476 | wildpete[.]com
477 | hejmann[.]de
478 | amt-med[.]sk
479 | e-controller[.]eu
480 | im-pro[.]dk
481 | neoneu[.]de
482 | kernick-consulting[.]com
483 | terbeck[.]de
484 | brophytech[.]com
485 | jenkrollphotography[.]com
486 | helemaalkim[.]com
487 | imdavidlee[.]com
488 | steubing[.]me
489 | vivacita[.]com[.]tw
490 | dosfuerzas[.]com
491 | kdoze[.]com[.]br
492 | bathouseforum[.]org
493 | kvdcom[.]com
494 | dubis[.]eu
495 | multimediarts[.]net
496 | ciclano[.]com[.]br
497 | lovelightlens[.]com
498 | herere[.]com
499 | faithhotelghana[.]com
500 | tekno[.]fst[.]unair[.]ac[.]id
501 | abkopanski[.]com
502 | ifpp[.]ma
503 | fundacaofadex[.]org
504 | artefaktdesign[.]com
505 | waterblasting[.]com
506 | chem[.]fst[.]unair[.]ac[.]id
507 | 15002092809[.]cn
508 | museeduvieuxlacaune[.]fr
509 | bafnasurgicals[.]com
510 | bestattungshilfedirect[.]de
511 | xn--p5baq6lxc[.]com
512 | zangall[.]com
513 | fisika[.]fst[.]unair[.]ac[.]id
514 | kafalis[.]com
515 | itravelphoto[.]net
516 | mikes-motorworks[.]com
517 | ideateinnovation[.]com
518 | engesilo[.]com[.]br
519 | betteropenhouses[.]com
520 | educationinusa[.]in
521 | sciretech[.]com
522 | zaalvoetbalommen[.]nl
523 | qadvanceservices[.]com
524 | dynamick[.]it
525 | nineplacebangkok[.]com
526 | reflektayapi[.]com
527 | summer-villas[.]com
528 | jalkranti[.]in
529 | mkimia[.]fst[.]unair[.]ac[.]id
530 | 9paranormalindonesia[.]com
531 | directkhabar[.]com
532 | tractorsetgo[.]com
533 | hasburo[.]com
534 | ladieslounge[.]org
535 | sauquoitknollsgolf[.]com
536 | 7stepstohealth[.]net
537 | dwjayy[.]cn
538 | muk-taksimo[.]ru
539 | hyundaimemphistn[.]gossetthyundaisouth[.]com
540 | permana[.]net[.]id
541 | matematika[.]fst[.]unair[.]ac[.]id
542 | shusil[.]com
543 | hardyassociate[.]com
544 | biquyettredep[.]net
545 | honeydulcet[.]com
546 | motr[.]cn
547 | meradog[.]rs
548 | sq2mkt[.]com
549 | aexco[.]es
550 | angeloeliapizza[.]com
551 | report[.]fst[.]unair[.]ac[.]id
552 | russiainvest[.]ru
553 | 15-minute-manifestation[.]com
554 | soshare[.]co
555 | pakebiznet[.]com
556 | abbruch-oetjen[.]de
557 | hondatangerangselatan[.]com
558 | termo-plaza[.]space
559 | bnaconsultancy[.]com
560 | owensconsulting[.]biz
561 | rohitgoelblog[.]com
562 | belmundo[.]eu
563 | 919dog[.]com
564 | identiviajes[.]com
565 | tourchristmaslive[.]org
566 | culturlaedele[.]de
567 | ee42[.]info
568 | masdegaly[.]info
569 | kizlardunyasi[.]com
570 | bondhuproducts[.]com
571 | matrixconsultingcc[.]com
572 | kuemo[.]ru
573 | gas-global[.]com
574 | tshirtless[.]com
575 | velokurier[.]net
576 | syntrovix[.]com
577 | stinkydogblog[.]com
578 | keep[.]com[.]pl
579 | profishtrading[.]com
580 | glt-cargo[.]com
581 | arciandmil[.]com
582 | allindiasaltmaker[.]com
583 | tourismgh[.]com
584 | elras-city[.]de
585 | arctos[.]in
586 | bookourfunction[.]com
587 | 5281ecs[.]com
588 | ltcolusgill[.]in
589 | bmkonsulting[.]com
590 | bauservice-schneider[.]de
591 | biodiscus[.]net
592 | hyperfocusedcoaching[.]com
593 | ktt2016[.]com
594 | akmeon[.]com
595 | santofilme[.]com[.]br
596 | bytesoftware[.]com[.]br
597 | bonzandcompany[.]com
598 | greymatterzmedia[.]com
599 | dennisslade[.]com
600 | abbie[.]cn
601 | suenaga[.]jp
602 | brownhathaway[.]com
603 | sanwa-id[.]com
604 | elasticmedia[.]com
605 | hellcatshockey[.]org
606 | fellr[.]net
607 | tnznursery[.]com
608 | govalle[.]com
609 | ccltalk[.]com
610 | juemanhing[.]com
611 | crossfitrhody[.]com
612 | goldfieldsgiants[.]com
613 | caphector[.]com
614 | gemuesehof[.]ch
615 | ctrl[.]net
616 | ciarapoint[.]com
617 | deadhorsemarch[.]com
618 | gmaker[.]com[.]my
619 | comquestsoftware[.]com
620 | progressiagc[.]com
621 | abbeykurtz[.]com
622 | anteor[.]com
623 | acnt[.]nl
624 | visia[.]ca
625 | dicknite[.]com
626 | danhon[.]com
627 | ortopedicaplaza[.]cr
628 | blackbox-es[.]com
629 | dadsminions[.]com
630 | dragas[.]it
631 | cettrucking[.]com
632 | canibrahim[.]com
633 | bannersakusei[.]com
634 | armenianbridal[.]com
635 | rippl[.]ch
636 | dunworth[.]com
637 | wernerbernheim[.]com[.]uy
638 | vereb[.]com
639 | hocompro[.]com
640 | okiembociana[.]pl
641 | absoluteart[.]biz
642 | dusk[.]be
643 | polishbikers[.]com
644 | glacierhills[.]org
645 | showreggaeton[.]com
646 | benekengineering[.]com
647 | singaki-meat[.]jp
648 | rumey[.]net
649 | genopsis[.]com
650 | elabora[.]org
651 | theglobetrotters[.]org
652 | kursy-bhp-sieradz[.]pl
653 | natech[.]com[.]br
654 | era[.]lt
655 | omnisrecordings[.]com
656 | net5[.]com[.]au
657 | laguapafilms[.]com
658 | emmplus[.]sk
659 | tech4bargain[.]com
660 | landsic[.]com
661 | espicusa[.]com
662 | twobrax[.]com
663 | davteks[.]com
664 | grafik[.]com[.]au
665 | pocketmex[.]com
666 | awas[.]ws
667 | telecomafrica[.]org
668 | advancedalternatives[.]co[.]th
669 | velcrotec[.]com
670 | fullaction[.]nl
671 | totalvictorymma[.]com
672 | baslerdesign[.]com
673 | earthfactory[.]com
674 | d3signs[.]com
675 | bryntel[.]com
676 | marianamengote[.]com
677 | tmjhope[.]org
678 | missbonniejane[.]com
679 | k-future[.]com
680 | czhw[.]com[.]tw
681 | mandmlandscapes[.]com
682 | devtec[.]com
683 | clickonchris[.]com
684 | braindoodle[.]com
685 | lerinc[.]ca
686 | correncephineas[.]com
687 | boycephotography[.]com
688 | motto[.]com[.]tr
689 | thony[.]us
690 | nathaninteractive[.]com
691 | badevan[.]com
692 | dmforest[.]com
693 | aksonart[.]pl
694 | southislandchoppers[.]ca
695 | techbulo[.]com
696 | shermanpool[.]com
697 | jitkla[.]com
698 | reviewspedia[.]net
699 | armadores[.]cl
700 | ccsweb[.]com[.]br
701 | funfrance[.]fr
702 | cstech[.]co[.]za
703 | ginaliberto[.]com
704 | bendiknaune[.]com
705 | ohiogolfguide[.]com
706 | danieloliveira[.]eti[.]br
707 | flashhospedagem[.]com[.]br
708 | doodlemycopy[.]com
709 | ckop[.]info
710 | chankai[.]hk
711 |
--------------------------------------------------------------------------------
/MinerKiller/MinerKiller.ps1:
--------------------------------------------------------------------------------
1 | # The function "Killer" was adapted from a miner eliminating its competitors
2 | # Can be used to fight back against this malware, alongside others
3 | # Provided with zero liability (!)
4 | #
5 | # Full details are available in our blog post:
6 | # https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless
7 |
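Function Killer {
    # Terminates and removes known coin miners.  Five heuristics are applied
    # in order: service names, scheduled-task names, process command lines,
    # netstat connections on ports associated with miners, and process names.
    # Every match is stopped with -Force.  The process running this script
    # ($PId) is never stopped: the original malware exempted its own host at
    # the three kill sites below, and for a cleanup tool that exemption is
    # what keeps the netstat heuristic (which also matches ports 80/443) from
    # terminating the operator's own PowerShell session.
    # No parameters, no return value; prints "[i] Miner PId: N" per stop.

    # Remove known miners by services names.  The original left the
    # Set-Service/Stop-Service equivalents commented out and used sc.exe for
    # all three steps; that is kept as-is.
    $SrvName = "xWinWpdSrv", "SVSHost", "Microsoft Telemetry", "lsass", "Microsoft", "system", "Oracleupdate", "CLR", "sysmgt", "\gm", "WmdnPnSN",
        "Sougoudl", "Nationaaal", "Natimmonal", "Nationaloll", "Nationalmll", "Samserver", "RpcEptManger", "NetMsmqActiv Media NVIDIA", "Sncryption Media Playeq"
    foreach ($Srv in $SrvName) {
        $Null = SC.exe Config $Srv Start= Disabled
        $Null = SC.exe Stop $Srv
        $Null = SC.exe Delete $Srv
    }

    # Remove known miners by scheduled tasks names
    $TaskName = "Mysa", "Mysa1", "Mysa2", "Mysa3", "ok", "Oracle Java", "Oracle Java Update", "Microsoft Telemetry", "Spooler SubSystem Service",
        "Oracle Products Reporter", "Update service for products", "gm", "ngm"
    foreach ($Task in $TaskName) {
        SchTasks.exe /Delete /TN $Task /F 2> $Null
    }

    # Terminates and removes miners by indicative command line arguments.
    # -like is case-insensitive, so the duplicates of the original list
    # (mineXMR/minexmr, monero, mixpools.org) appear once here.
    # NOTE: '*monero*' and '*-p x*' are broad and can match legitimate tools.
    $MinerArgs = 'pool.monero.hashvault.pro', 'blazepool', 'blockmasters', 'blockmasterscoins', 'bohemianpool',
        'cryptmonero', 'cryptonight', 'crypto-pool', '--donate-level', 'dwarfpool', 'hashrefinery', 'hashvault.pro',
        'iwanttoearn.money', '--max-cpu-usage', 'mine.bz', 'minercircle.com', 'minergate', 'miners.pro', 'minexmr',
        'miningpoolhubcoins', 'mixpools.org', 'monero', 'monero.lindon-pool.win', 'moriaxmr.com', 'mypool.online',
        'nanopool.org', 'nicehash', '-p x', 'pool.electroneum.hashvault.pro', 'pool.xmr', 'poolto.be', 'prohash',
        'prohash.net', 'ratchetmining.com', 'slushpool', 'stratum+', 'suprnova.cc', 'teracycle.net', 'usxmrpool',
        'viaxmr.com', 'xmrpool', 'yiimp', 'zergpool', 'zergpoolcoins', 'zpool'
    $CmdLine = @()
    foreach ($proc in (Get-WmiObject -Class Win32_Process)) {
        $cl = $proc.CommandLine
        if (-not $cl) { continue }
        foreach ($needle in $MinerArgs) {
            if ($cl -like "*$needle*") { $CmdLine += $proc; break }
        }
    }

    if ($CmdLine.Count -gt 0) {
        $PathArray = @()
        foreach ($m in $CmdLine) {
            $evid = $($m.ProcessId)
            # Never stop the process running this script.
            if ($evid -eq $PId) { continue }
            Write-Host "[i] Miner PId: $evid"
            Get-Process -Id $evid -ErrorAction SilentlyContinue | Stop-Process -Force -ErrorAction SilentlyContinue

            # Create an array of competing miners' paths to remove.  A null
            # path (access denied) is skipped, as are the system binaries a
            # miner may have been launched through.
            $Path = $($m.Path)
            if (-not $Path) { continue }
            if ($Path -eq "$Env:WinDir\System32\cmd.exe" -Or $Path -eq "$Env:WinDir\SysWOW64\cmd.exe" -Or $Path -eq "$Env:WinDir\Explorer.exe" -Or $Path -eq "$Env:WinDir\Notepad.exe") { continue }
            if ($PathArray -NotContains $Path) { $PathArray += $Path }
        }

        # Remove miners from the disk.  A just-stopped process may still hold
        # its image open, so deletion is retried up to 30 times, 100 ms apart.
        foreach ($Path in $PathArray) {
            for ($i = 0; $i -lt 30; $i++) {
                Remove-Item $Path -Force -ErrorAction SilentlyContinue
                if (Test-Path $Path) {
                    Start-Sleep -Milliseconds 100
                }
                else {
                    # Once the file is gone its path is occupied by a hidden,
                    # read-only directory with backdated timestamps —
                    # presumably to keep the file from being dropped again;
                    # the original does not say.
                    $Null = New-Item $Path -Type Directory -ErrorAction SilentlyContinue
                    if ($?) {
                        $file = Get-Item $Path -Force
                        $file.CreationTime = '10/10/2000 10:10:10'
                        $file.LastWriteTime = '10/10/2000 10:10:10'
                        $file.LastAccessTime = '10/10/2000 10:10:10'
                        $file.Attributes = "ReadOnly", "System", "Hidden"
                    }
                    break
                }
            }
        }
    }

    # Uses netstat to list all "ESTABLISHED" connections.
    # First pass: only the PowerShell process with the highest CPU usage is
    # considered, and it is stopped if its netstat line contains one of these
    # ports.  NOTE: ":80 " and ":443 " are in the list, so a busy but
    # legitimate PowerShell session with an open HTTP(S) connection matches;
    # the $PId exemption protects only this script's own host.
    $MinerPorts = ":80 ", ":443 ", ":1111", ":2222", ":3333", ":4444", ":5555", ":6666", ":7777", ":8888", ":9999", ":14433", ":14444", ":45560", ":65333"
    [array]$psids = Get-Process -Name PowerShell -ErrorAction SilentlyContinue | Sort-Object CPU -Descending | ForEach-Object { $_.Id }
    $tcpconn = NetStat -anop TCP
    if ($psids -ne $null) {
        foreach ($t in $tcpconn) {
            $line = $t.split(' ') | Where-Object { $_ }
            if ($line -eq $null) { continue }
            $onMinerPort = $MinerPorts | Where-Object { $t.contains($_) }
            if (($psids[0] -eq $line[-1]) -and $t.contains("ESTABLISHED") -and $onMinerPort) {
                $evid = $line[-1]
                if ($evid -eq $PId) { continue }
                Write-Host "[i] Miner PId: $evid"
                Get-Process -Id $evid -ErrorAction SilentlyContinue | Stop-Process -Force -ErrorAction SilentlyContinue
            }
        }
    }

    # Second pass: any process whose remote endpoint ($line[-3], the
    # "Foreign Address" column of netstat -anop TCP) is on one of these
    # ports is stopped.
    $RemoteMinerPorts = ":1111", ":2222", ":3333", ":4444", ":5555", ":6666", ":6633", ":7777", ":8888", ":9980", ":9999", ":13333", ":14433", ":14444", ":16633", ":16666", ":45560", ":65333", ":55335"
    foreach ($t in $tcpconn) {
        $line = $t.split(' ') | Where-Object { $_ }
        if (!($line -is [array])) { continue }
        $remote = $line[-3]
        if ($remote -eq $null) { continue }
        $toMinerPort = $RemoteMinerPorts | Where-Object { $remote.contains($_) }
        if ($t.contains("ESTABLISHED") -and $toMinerPort) {
            $evid = $line[-1]
            if ($evid -eq $PId) { continue }
            Write-Host "[i] Miner PId: $evid"
            Get-Process -Id $evid -ErrorAction SilentlyContinue | Stop-Process -Force -ErrorAction SilentlyContinue
        }
    }

    # Remove known miners by known process names
    $Miner = "msinfo", "xmrig*", "minerd", "MinerGate", "Carbon", "yamm1", "upgeade", "auto-upgeade", "svshost",
        "SystemIIS", "SystemIISSec", 'WindowsUpdater*', "WindowsDefender*", "update",
        "carss", "service", "csrsc", "cara", "javaupd", "gxdrv", "lsmosee", "secuams", "SQLEXPRESS_X64_86", "Calligrap", "Sqlceqp", "Setting", "Uninsta", "conhoste"
    foreach ($m in $Miner) {
        Get-Process -Name $m -ErrorAction SilentlyContinue | Stop-Process -Force -ErrorAction SilentlyContinue
    }
}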
121 |
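Function Vaccinate() {
    # "Vaccination": hold the mutex 20180419 that the miner checks before running,
    # ref: https://pastebin.com/e6XvHjYr
    # The mutex is owned only while this script is alive; it is released when the
    # process exits, so the protection lasts as long as the script runs.
    $bCreated = $false
    $MutexName = "Global\20180419"
    $hMutex = New-Object System.Threading.Mutex($true, $MutexName, [Ref]$bCreated)
    if (-not $bCreated) {
        # The Mutex constructor sets createdNew to $false when the name already
        # existed - another process (possibly the miner itself) currently owns it.
        Write-Host "[i] Mutex $MutexName already exists"
    }

    # Creating hidden Taskmgr to deter miners (kept from the original script).
    Start-Process -WindowStyle hidden -FilePath Taskmgr.exe
}
# The original defined this function under the misspelled name "Vacciante" while
# calling "Vaccinate" below, so the call never resolved. Keep the old spelling
# reachable for anyone who relied on it.
Set-Alias -Name Vacciante -Value Vaccinate

Killer
Vaccinate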
134 |
--------------------------------------------------------------------------------
/MinerKiller/MinerKiller.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 |
3 | ##########################################################################################\
4 | ### A script for killing cryptocurrency miners in a Linux environment
5 | ### Provided with zero liability (!)
6 | ###
7 | ### Some of the malware used as sources for this tool:
8 | ### https://pastebin.com/pxc1sXYZ
9 | ### https://pastebin.com/jRerGP1u
10 | ### SHA256: 2e3e8f980fde5757248e1c72ab8857eb2aea9ef4a37517261a1b013e3dc9e3c4
11 | ##########################################################################################\
12 |
# Killing processes by name, path, arguments and CPU utilization
processes(){
    # Two helpers carried over from the original malware (see header). Both
    # background their kill pipeline and do not wait for it to finish.
    # killme: SIGKILL the fixed name "chron-34e2fg", then every `ps wx` row whose
    # text contains 34e, r/v3 or moy5, or "defunct" (zombies, on which SIGKILL
    # has no effect). The trailing "& > /dev/null &" backgrounds xargs and then
    # runs an empty redirect-only command; kept as in the original.
    killme() {
        killall -9 chron-34e2fg;ps wx|awk '/34e|r\/v3|moy5|defunct/' | awk '{print $1}' | xargs kill -9 & > /dev/null &
    }

    # killa PATTERN: SIGKILL every process whose `ps auxw` row matches PATTERN
    # (an unanchored awk regex, i.e. a substring match on the whole row), except
    # rows containing "awk" (the pipeline itself).
    # NOTE(review): "&>/dev/null" is bash syntax; under #!/bin/sh it parses as "&"
    # followed by a redirect-only command, which is harmless here.
    killa() {
        what=$1;ps auxw|awk "/$what/" |awk '!/awk/' | awk '{print $2}'|xargs kill -9&>/dev/null&
    }

    killa 34e2fg
    killme

    # Killing big CPU
    # VAR holds one "PID:%CPU" token per process; the header row is dropped.
    VAR=$(ps uwx|awk '{print $2":"$3}'| grep -v CPU)
    for word in $VAR
    do
        # Integer part of the %CPU column.
        CPUUSAGE=$(echo $word|awk -F":" '{print $2}'|awk -F"." '{ print $1}')
        # NOTE(review): `kill $PID` is outside the `if [ $COUNT -eq 0 ]` test, so
        # every process above 60% CPU is killed; the whitelist grep only decides
        # whether "KILLING" is echoed, and "$line" there is never set (the variable
        # is $LINE). `grep $PID` is unanchored and can match other rows that merely
        # contain those digits. Review before running on a busy host.
        if [ $CPUUSAGE -gt 60 ]; then echo BIG $word; PID=$(echo $word | awk -F":" '{print $1'});LINE=$(ps uwx | grep $PID);COUNT=$(echo $LINE| grep -P "er/v5|34e2|Xtmp|wf32N4|moy5Me|ssh"|wc -l);if [ $COUNT -eq 0 ]; then echo KILLING $line; fi;kill $PID;fi;
    done

    # Kill by exact process name. The backslash only escapes the leading dot for
    # the shell; killall receives ".Historys", ".sshd", ".xmrig".
    killall \.Historys
    killall \.sshd
    killall neptune
    killall xm64
    killall xm32
    killall xmrig
    killall \.xmrig
    killall suppoieup

    pkill -f sourplum
    # Chained with &&: the /tmp cleanup only runs if both pkills matched something.
    # NOTE(review): "ddg*" is an unquoted glob and is expanded against the current
    # directory if a matching file exists there.
    pkill wnTKYg && pkill ddg* && rm -rf /tmp/ddg* && rm -rf /tmp/wnTKYg

    # Kill by mining-pool hostnames, ports and known paths in the command line.
    # `grep -v grep` excludes the pipeline's own grep; the dots in the hostnames
    # are unescaped regex wildcards.
    ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:3333"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "monerohash.com"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "/tmp/a7b104c270"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:6666"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:7777"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:443"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "stratum.f2pool.com:8888"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmrpool.eu" | awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmrig" | awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmrigDaemon" | awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmrigMiner" | awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "/var/tmp/java" | awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "ddgs" | awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "qW3xT" | awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "t00ls.ru" | awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "/var/tmp/sustes" | awk '{print $2}'|xargs kill -9

    # Same idea without the `grep -v grep` filter.
    # NOTE(review): these are substring matches; "named" is also the name of the
    # BIND DNS server, so a legitimate name server on this host would be killed.
    ps auxf|grep xiaoyao| awk '{print $2}'|xargs kill -9
    ps auxf|grep named| awk '{print $2}'|xargs kill -9
    ps auxf|grep kernelcfg| awk '{print $2}'|xargs kill -9
    ps auxf|grep xiaoxue| awk '{print $2}'|xargs kill -9
    ps auxf|grep kernelupgrade| awk '{print $2}'|xargs kill -9
    ps auxf|grep kernelorg| awk '{print $2}'|xargs kill -9
    ps auxf|grep kernelupdates| awk '{print $2}'|xargs kill -9

    # `ps ax` rows mentioning var, lib and jenkins with a "-c" argument.
    # NOTE(review): no awk here, so whole rows (not just PIDs) are handed to kill,
    # which receives the remaining fields as extra, non-numeric arguments.
    ps ax|grep var|grep lib|grep jenkins|grep -v httpPort|grep -v headless|grep "\-c"|xargs kill -9
    # Command lines of the form "./<digits> -c" (grep -o is a GNU extension).
    ps ax|grep -o './[0-9]* -c'| xargs pkill -f

    # Kill by full command-line match (pkill -f); patterns are unanchored regexes.
    # NOTE(review): several entries are also the names of legitimate services
    # (acpid, polkitd, irqbalance) or generic substrings (i586, stratum, deamon);
    # the miners masquerade under them, but the real daemons are killed as well.
    pkill -f /usr/bin/.sshd
    pkill -f acpid
    pkill -f AnXqV.yam
    pkill -f apaceha
    pkill -f askdljlqw
    pkill -f bashe
    pkill -f bashf
    pkill -f bashg
    pkill -f bashh
    pkill -f bashx
    pkill -f BI5zj
    pkill -f biosetjenkins
    pkill -f bonn.sh
    pkill -f bonns
    pkill -f conn.sh
    pkill -f conns
    pkill -f cryptonight
    pkill -f crypto-pool
    pkill -f ddg.2011
    pkill -f deamon
    pkill -f disk_genius
    pkill -f donns
    pkill -f Duck.sh
    pkill -f gddr
    pkill -f Guard.sh
    pkill -f i586
    pkill -f icb5o
    pkill -f ir29xc1
    pkill -f irqba2anc1
    pkill -f irqba5xnc1
    pkill -f irqbalanc1
    pkill -f irqbalance
    pkill -f irqbnc1
    pkill -f JnKihGjn
    pkill -f jweri
    pkill -f kw.sh
    pkill -f kworker34
    pkill -f kxjd
    pkill -f libapache
    pkill -f Loopback
    pkill -f lx26
    pkill -f mgwsl
    pkill -f minerd
    pkill -f minergate
    pkill -f minexmr
    pkill -f mixnerdx
    pkill -f mstxmr
    pkill -f nanoWatch
    pkill -f nopxi
    pkill -f NXLAi
    pkill -f performedl
    pkill -f polkitd
    pkill -f pro.sh
    pkill -f pythno
    pkill -f qW3xT.2
    pkill -f sourplum
    pkill -f stratum
    pkill -f sustes
    pkill -f wnTKYg
    pkill -f XbashY
    pkill -f XJnRj
    pkill -f xmrig
    pkill -f xmrigDaemon
    pkill -f xmrigMiner
    pkill -f ysaydh
    pkill -f zigw

    # crond
    # Any process whose row contains "crond" and that uses >= 60% CPU is killed
    # (presumably a miner masquerading as crond) and /var/tmp/v3 is removed.
    # The %cpu value comes from ps, the header is dropped and sed strips the
    # decimal part so the integer comparison works.
    # NOTE(review): /tmp/crondpid (and /tmp/ssdpid, /tmp/syslogspid below) are
    # fixed, predictable paths written by a privileged script; prefer mktemp in
    # your own version.
    ps ax | grep crond | grep -v grep | awk '{print $1}' > /tmp/crondpid
    while read crondpid
    do
        if [ $(echo $(ps -p $crondpid -o %cpu | grep -v \%CPU) | sed -e 's/\.[0-9]*//g') -ge 60 ]
        then
            kill $crondpid
            rm -rf /var/tmp/v3
        fi
    done < /tmp/crondpid
    rm /tmp/crondpid -f

    # sshd
    # Same CPU threshold for sshd look-alikes. The temp file is spelled "ssdpid"
    # on both the write and the read side, so the name is consistent.
    ps ax | grep sshd | grep -v grep | awk '{print $1}' > /tmp/ssdpid
    while read sshdpid
    do
        if [ $(echo $(ps -p $sshdpid -o %cpu | grep -v \%CPU) | sed -e 's/\.[0-9]*//g') -ge 60 ]
        then
            kill $sshdpid
        fi
    done < /tmp/ssdpid
    rm -f /tmp/ssdpid

    # syslog
    # The pattern is "syslogs" (with a trailing s), so rows are matched only if
    # they contain that substring; a plain "syslogd" row does not.
    ps ax | grep syslogs | grep -v grep | awk '{print $1}' > /tmp/syslogspid
    while read syslogpid
    do
        if [ $(echo $(ps -p $syslogpid -o %cpu | grep -v \%CPU) | sed -e 's/\.[0-9]*//g') -ge 60 ]
        then
            kill $syslogpid
        fi
    done < /tmp/syslogspid
    rm /tmp/syslogspid -f
}
177 |
178 |
179 |
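# Removing miners by known path IOC.
# Every removal is forced (-f): the script runs unattended, a missing IOC is the
# normal case, and rm without -f would print an error for absent paths and may
# prompt for write-protected files when stdin is a terminal. Options are placed
# before operands (POSIX order - the script is #!/bin/sh, where GNU-style
# trailing options are not guaranteed) and globs stay unquoted so the shell
# expands them. Exit statuses are deliberately ignored.
files(){
    rm -f /tmp/.cron
    rm -f /tmp/.main
    rm -rf /tmp/.yam*
    rm -f /tmp/irq
    rm -f /tmp/irq.sh
    rm -f /tmp/irqbalanc1
    rm -rf /boot/grub/deamon /boot/grub/disk_genius
    rm -rf /tmp/*httpd.conf
    rm -rf /tmp/*httpd.conf*
    rm -rf /tmp/*index_bak*
    rm -rf /tmp/.systemd-private-*
    rm -rf /tmp/.xm*
    rm -rf /tmp/a7b104c270
    rm -rf /tmp/conn
    rm -rf /tmp/conns
    rm -rf /tmp/httpd.conf
    rm -rf /tmp/java*
    rm -rf /tmp/kworkerds /bin/kworkerds /bin/config.json /var/tmp/kworkerds /var/tmp/config.json /usr/local/lib/libjdk.so
    rm -rf /tmp/qW3xT.2 /tmp/ddgs.3013 /tmp/ddgs.3012 /tmp/wnTKYg /tmp/2t3ik
    rm -rf /tmp/root.sh /tmp/pools.txt /tmp/libapache /tmp/config.json /tmp/bashf /tmp/bashg
    rm -rf /tmp/xm*
    rm -rf /var/tmp/java*
}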
205 |
# Vaccination for Redis. It makes Redis unreachable from the network, so the
# call to this function is left commented out; uncomment it if you wish to use it.
block_redis_port() {
    # Both rules use -I (insert at the top of INPUT), so the localhost ACCEPT
    # inserted second ends up above the REJECT: local clients keep working while
    # every other source is rejected on 6379/tcp.
    iptables -I INPUT -p TCP --dport 6379 -j REJECT
    iptables -I INPUT -s 127.0.0.1 -p tcp --dport 6379 -j ACCEPT
    # iptables-save only prints the current ruleset to stdout; it does not
    # persist the rules across a reboot.
    iptables-save
    # Marker file recording that the vaccination ran.
    touch /tmp/.tables
}
213 |
# Killing and blocking miners by network related IOC
network(){
    # Kill by known ports/IPs. Each pipeline takes the "PID/Program name" column
    # of `netstat -anp` ($7 on TCP rows), cuts it at the slash and SIGKILLs the PID.
    # NOTE(review): the grep patterns are unanchored regexes - the dots in the IPs
    # match any character, and ":3333" also matches ":33331" or a local service
    # listening on that port (-a includes LISTEN sockets). Without root netstat
    # prints "-" instead of a PID for other users' sockets and the kill fails.
    netstat -anp | grep 69.28.55.86:443 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep 185.71.65.238 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep 140.82.52.87 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep :3333 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep :4444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep :5555 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep :6666 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep :7777 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep :3347 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep :14444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep :14433 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep :13531 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9

    # Block known miner ports
    # NOTE(review): -F and -X first flush every rule and delete every user-defined
    # chain in the filter table, i.e. the host's existing firewall policy is
    # discarded before the four DROP rules below are added. Review this before
    # running on a production host.
    iptables -F
    iptables -X

    # Outbound TCP to the listed pool ports is dropped for every process, not
    # only for miners.
    iptables -A OUTPUT -p tcp --dport 3333 -j DROP
    iptables -A OUTPUT -p tcp --dport 5555 -j DROP
    iptables -A OUTPUT -p tcp --dport 7777 -j DROP
    iptables -A OUTPUT -p tcp --dport 9999 -j DROP
    # NOTE(review): where an iptables service exists, "reload" re-reads the saved
    # ruleset; nothing above saved the rules just added, so they may not survive
    # this step - confirm on the target distribution.
    service iptables reload

    # Uncomment the line below to also vaccinate against the Redis exploit (see
    # block_redis_port). It makes Redis unreachable from the network.
    # block_redis_port
}
243 |
# Entry point: remove on-disk artefacts first, then running processes, then
# network connections and ports. No `set -e` or `&&` is used, so each step runs
# regardless of the previous one's exit status.
files
processes
network
echo "DONE"
248 |
--------------------------------------------------------------------------------
/MinerKiller/README.md:
--------------------------------------------------------------------------------
1 | # MinerKiller
2 | These scripts were extracted from cryptomining malware.
You can use them as a resource for IOC or as a base for your own PowerShell and bash scripts to remove miners during incident response.
We added some comments to clarify the original code where we believed it was needed.
3 |
4 | **Note that the scripts are provided with no liability and should not be used without understanding their bits and bytes!**
5 |
6 | The first script was released in this blog post:
7 | https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless
8 |
9 | The second script and an update to the first one were released in this blog post:
10 | https://blog.minerva-labs.com/ancient-chinese-wisdom-vs-cryptojacking
11 |
--------------------------------------------------------------------------------
/ObfuscatedAutoItDecrypter/AutoIt_dec.py:
--------------------------------------------------------------------------------
1 | import re
2 |
# Set these variables to point to the desired files.
input_file = "encrypted_script.au3"  # obfuscated AutoIt script to read
output_file = "decrypted_script.au3"  # where the deobfuscated script is written

# Constant subtracted from every decoded number in dec_func to recover a
# character code; taken from the analysed sample.
key = 118831864
8 |
9 |
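def dec_func(raw_str_in, dec_key=None):
    """Decrypt one obfuscated AutoIt string call and return it as a quoted literal.

    The obfuscated script wraps every string as
    ``j4fi5um0su4n("<hex>", $k3bh7fu4xx2k)``. ``<hex>`` decodes to a run of
    decimal numbers separated by non-digit characters; each number minus the
    key is the code point of one plaintext character.

    :param raw_str_in: a ``re.Match`` for the call (``re.sub`` passes one per
        hit); group 1 must hold the quoted hex argument
    :param dec_key: key to subtract from each number; defaults to the
        module-level ``key`` so the ``re.sub`` callback signature still works.
        Use ``functools.partial(dec_func, dec_key=...)`` for another sample.
    :return: the decrypted string wrapped in double quotes, or the literal
        ``undecryptable string`` when the payload is not valid hex or a number
        does not map to a code point
    """
    if dec_key is None:
        dec_key = key
    try:
        # Group 1 is the first argument of the call, quotes included. Stripping
        # whitespace here tolerates any spacing after the comma instead of
        # assuming exactly one space like the original suffix replace did.
        str_in = raw_str_in.group(1).strip().strip('"')

        # Hex-decode two nibbles at a time into the intermediate digit string
        # (an odd trailing nibble is decoded alone, as in the original routine).
        decoded = "".join(
            chr(int(str_in[i:i + 2], 16)) for i in range(0, len(str_in), 2)
        )

        # Each maximal run of digits is one number; non-digit characters are
        # only separators, so repeated separators are skipped rather than
        # tripping int("").
        out_chars = []
        digits = ""
        for letter in decoded:
            if letter.isdigit():
                digits += letter
            elif digits:
                out_chars.append(chr(int(digits) - dec_key))
                digits = ""
        if digits:
            # A trailing number with no separator after it is still part of the text.
            out_chars.append(chr(int(digits) - dec_key))

        return '"{0}"'.format("".join(out_chars))
    except (ValueError, OverflowError):
        # Not a hex payload, or a number outside the code-point range: leave a
        # marker in the output instead of aborting the whole re.sub pass.
        return "undecryptable string"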
44 |
45 |
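if __name__ == '__main__':
    # Read the obfuscated script. No encoding is given, so the platform default
    # is used exactly as in the original tool; pass encoding= here when a
    # sample's encoding is known.
    with open(input_file, 'r') as f:
        content = f.read()

    # Every j4fi5um0su4n("<hex>", $k3bh7fu4xx2k) call is handed to dec_func and
    # replaced in place by its return value.
    dec_func_re = re.compile(r"j4fi5um0su4n\(([^,]*),\s+\$k3bh7fu4xx2k\)")
    content_new = dec_func_re.sub(dec_func, content)

    # Adjacent decrypted literals were joined with ' & ' in the obfuscated
    # source; merging them yields one readable string per statement.
    content_new = content_new.replace("\" & \"", "")

    # 'w' creates/truncates the output; the read access of the original 'w+' was unused.
    with open(output_file, 'w') as f:
        f.write(content_new)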
61 |
--------------------------------------------------------------------------------
/PuffStealer/AutoIt_dec.py:
--------------------------------------------------------------------------------
1 | import re
2 |
# Set these variables to point to the desired files.
input_file = "encrypted_script.au3"  # obfuscated AutoIt script to read
output_file = "decrypted_script.au3"  # where the deobfuscated script is written

# Constant subtracted from every decoded number in dec_func to recover a
# character code; taken from the analysed sample.
key = 118831864
8 |
9 |
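def dec_func(raw_str_in, dec_key=None):
    """Decrypt one obfuscated AutoIt string call and return it as a quoted literal.

    The obfuscated script wraps every string as
    ``j4fi5um0su4n("<hex>", $k3bh7fu4xx2k)``. ``<hex>`` decodes to a run of
    decimal numbers separated by non-digit characters; each number minus the
    key is the code point of one plaintext character.

    :param raw_str_in: a ``re.Match`` for the call (``re.sub`` passes one per
        hit); group 1 must hold the quoted hex argument
    :param dec_key: key to subtract from each number; defaults to the
        module-level ``key`` so the ``re.sub`` callback signature still works.
        Use ``functools.partial(dec_func, dec_key=...)`` for another sample.
    :return: the decrypted string wrapped in double quotes, or the literal
        ``undecryptable string`` when the payload is not valid hex or a number
        does not map to a code point
    """
    if dec_key is None:
        dec_key = key
    try:
        # Group 1 is the first argument of the call, quotes included. Stripping
        # whitespace here tolerates any spacing after the comma instead of
        # assuming exactly one space like the original suffix replace did.
        str_in = raw_str_in.group(1).strip().strip('"')

        # Hex-decode two nibbles at a time into the intermediate digit string
        # (an odd trailing nibble is decoded alone, as in the original routine).
        decoded = "".join(
            chr(int(str_in[i:i + 2], 16)) for i in range(0, len(str_in), 2)
        )

        # Each maximal run of digits is one number; non-digit characters are
        # only separators, so repeated separators are skipped rather than
        # tripping int("").
        out_chars = []
        digits = ""
        for letter in decoded:
            if letter.isdigit():
                digits += letter
            elif digits:
                out_chars.append(chr(int(digits) - dec_key))
                digits = ""
        if digits:
            # A trailing number with no separator after it is still part of the text.
            out_chars.append(chr(int(digits) - dec_key))

        return '"{0}"'.format("".join(out_chars))
    except (ValueError, OverflowError):
        # Not a hex payload, or a number outside the code-point range: leave a
        # marker in the output instead of aborting the whole re.sub pass.
        return "undecryptable string"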
44 |
45 |
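if __name__ == '__main__':
    # Read the obfuscated script. No encoding is given, so the platform default
    # is used exactly as in the original tool; pass encoding= here when a
    # sample's encoding is known.
    with open(input_file, 'r') as f:
        content = f.read()

    # Every j4fi5um0su4n("<hex>", $k3bh7fu4xx2k) call is handed to dec_func and
    # replaced in place by its return value.
    dec_func_re = re.compile(r"j4fi5um0su4n\(([^,]*),\s+\$k3bh7fu4xx2k\)")
    content_new = dec_func_re.sub(dec_func, content)

    # Adjacent decrypted literals were joined with ' & ' in the obfuscated
    # source; merging them yields one readable string per statement.
    content_new = content_new.replace("\" & \"", "")

    # 'w' creates/truncates the output; the read access of the original 'w+' was unused.
    with open(output_file, 'w') as f:
        f.write(content_new)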
61 |
--------------------------------------------------------------------------------
/PuffStealer/README.md:
--------------------------------------------------------------------------------
1 | ## PuffStealer String Deobfuscator
2 | This script will deobfuscate the AutoIt script discussed in Minerva Labs' blog post:
3 | https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers
4 |
5 | It uses regular expressions to find the obfuscated strings, decrypt them and replace them in place.
6 | Note that this appears to be a packer used by other malware as well; with slight modifications the script can handle those samples too.
7 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # BlogPosts
2 | Code examples from recent blog posts by Minerva Research Team.
3 | www.minerva-labs.com
4 |
5 |
--------------------------------------------------------------------------------