Avast WEBforum
Other => Viruses and worms => Topic started by: polonus on December 26, 2018, 12:45:58 AM
-
Mining detected?
Flagged: https://urlquery.net/report/208888a4-da0a-4b35-8ce9-09c4264bb3c1
See: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3Ll58bl1uZlt9ey5eXW1gXmZue3dgYG1dI3Vse3MucGhwYFtuI3t4LnBocA%3D%3D~enc
while website has outdated PHP: https://sitecheck.sucuri.net/results/www.canonfire.com/cf/index.php
On IP: https://tracker.fumik0.com/search=188.120.224.18
Many detect: https://www.virustotal.com/#/url/1f565a49a43577c255fb12fa7df842dbb0c46023d1d6587d1fac742ad36b5069/detection
and avast detects as: Win32:Malware-gen
polonus
-
Real interesting background read on Haruko's detection:
-https://tracker.fumik0.com/learning
Disclaimer: Examples of commands used by Attackers
For DFIR / CERT / SOC Analysts, this is a good start for signatures and learning some stuff
Disclaimer: These are real cases of commands (good or malicious).
I am not responsible for your acts
(for educational purposes only by ethical security researchers).
As there are other tools, like: -https://manalyzer.org/report/fdc1a95188cf00160a05ea4a1d50e84c
(security researchers can revive the link ;) from: -https://tracker.fumik0.com/links
polonus
-
What malware resides here?
Coinminer
https://www.virustotal.com/#/file/f6a335b317073b793529f994c85e5db770228d3a4131ea9e29e0deae3cfc40d5/detection
-
Is this obfuscated miner detected and being blocked?
-https://authedmine.com/lib/authedmine.min.js
Given as a low-security risk for this optional miner: https://sitecheck.sucuri.net/results/https/authedmine.com/lib/authedmine.min.js
See: https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=fHV0aHsjbVtuey5eXW1gbFtiYHx1dGh7I21bbnsubVtuLmpz~enc
polonus
-
Is this obfuscated miner detected and being blocked?
URL blacklist check > authedmine.com/lib/authedmine.min.js
https://www.virustotal.com/#/url/36e027fbb6d7d5b685c06155fd09bb566144a5fee8f1639127509ca43f635135/detection
File scan > authedmine.com/lib/authedmine.min.js
https://www.virustotal.com/#/file/041c727ed0160536c361715b1e9ee7eafc7fe5838f0a4722e6ed01941f7d6ede/detection
Domain blacklist check > authedmine.com/
https://www.virustotal.com/#/url/b6b6242a9507fcfaa11c49790e2bcb4334c03b086c87876dfd045cf02094148c/detection
File scan > output.114021424.txt
https://www.virustotal.com/#/file/b2a81b90c589408775a0622d3f5458a3f9d25011fc12e883699178ec2cb37b77/detection
-
Thank you, Pondus, that is overtly clear then.
Miners, optional or not, are all frowned upon, and all are being alerted to.
Let there be no doubt about it that AV does not like mining code.
polonus