① 網路流量威脅-xmrig協議PCAP分析
1、xmrig木馬
挖礦木馬成為黑產團伙的主要獲利方式之一,也成為了企業內部安全的主要威脅之一。門羅幣很多僵屍網路也把挖礦作為主要的獲利手段。本文分析挖礦連接的行為。
2、具體樣本
樣本具有連接xmrig礦池通信行為,xmrig協議通信;
3、PCAP分析
相關實驗的 xmrig通信PCAP
DNS Standard query A xmr.pool.minergate.com
xmrig協議格式【1】
request:
{"id":x,"jsonrpc":"2.0","method":"login","params":{"login":"xxxxxx","pass":"x","agent":"xxxxx","algo":["xxx","xxx","xxx"]}}
{"id":x,"jsonrpc":"2.0","method":"submit","params":{"id":"xxxx","job_id":"xx","nonce":"xxxx","result":"xxxxxxx"}}
response:
{"params":{"blob":"xxxxxx","taget":"xxxx","job_id":"xxxxx"},"method":"xxx"}
本次抓包具體例子:
{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"xxx","pass":"x","agent":"Static XMRig/2.13.1 (Linux x86_64) libuv/1.24.1 gcc/6.4.0","algo":["cn","cn/r","cn/wow","cn/2","cn/1","cn/0","cn/half","cn/xtl","cn/msr","cn/xao","cn/rto","cn/gpu"]}}