dhpcd Campaign IoCs
This repository contains indicators of compromise (IoCs) for detecting the dhpcd cryptominer. You can read about the campaign in this blog post.
Content List
- File names related to the dhpcd cryptomining campaign
- File hashes
- The list of mining pool domains the cryptominer used against the Akamai threat sensor network
- A bash script to detect dhpcd activity on Linux machines
Detection Script - dhpcd_detection.sh
Running the script
To run the script, open a Linux terminal and run:
./dhpcd_detection.sh
Script Results
The script tests four parameters:
- Is the malware process running?
  - By looking for the process name in the list of running processes.
- Does the binary path exist?
  - By looking for a dhpcd file under the /bin directory.
- Persistence
  - By looking for dhpcd traces in the rc.local script file.
- Backdoor
  - By looking for its SSH key in the ~/.ssh/authorized_keys file.
The script prints which of these parameters were found on the machine and then prints the overall result: whether or not the machine is infected.
user@user-Virtual-Machine:~/dhpcd$ ./dhpcd_detection.sh
Dhpcd Cryptominer Detection Script by Akamai Threat Labs
[*] Dhpcd process detected
[*] Dhpcd binary path detected
[*] Dhpcd persistence method detected
[*] Dhpcd backdoor method detected
[*] Dhpcd detected on this machine
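The four checks described above, written as shell functions (an added example, not the repository's own dhpcd_detection.sh). The process name, the /bin/dhpcd path, rc.local and ~/.ssh/authorized_keys come from the readme; the SSH key pattern is a placeholder to be replaced with the key from the campaign IoCs, and the optional arguments that let each check run against constructed inputs are an addition here.

```shell
#!/usr/bin/env bash
# Added example, not the repository's dhpcd_detection.sh: the readme's four
# indicator checks as functions. Each defaults to the live system but takes
# an optional argument so it can be exercised against constructed inputs.
PROC_NAME="dhpcd"
BIN_PATH="/bin/dhpcd"
RC_LOCAL="/etc/rc.local"
AUTH_KEYS="$HOME/.ssh/authorized_keys"
KEY_PATTERN="PLACEHOLDER_DHPCD_SSH_KEY"  # placeholder: substitute the key from the IoCs

# Each check returns 0 when the indicator is present, 1 otherwise.
check_process() {
    # Exact-line match on the command name so the legitimate DHCP client
    # "dhcpcd" does not trigger the check. $1 may supply a process list.
    local procs="${1:-$(ps -eo comm= 2>/dev/null)}"
    printf '%s\n' "$procs" | grep -qx "$PROC_NAME"
}
check_binary() { [ -f "${1:-$BIN_PATH}" ]; }
check_rc_local() {
    local f="${1:-$RC_LOCAL}"
    [ -r "$f" ] && grep -qF "$PROC_NAME" "$f"
}
check_backdoor() {
    local f="${1:-$AUTH_KEYS}"
    [ -r "$f" ] && grep -qF "$KEY_PATTERN" "$f"
}

# Runs all four checks, prints one line per hit plus a verdict, and echoes
# the hit count as the final line. Args: process list, binary path,
# rc.local path, authorized_keys path; an empty arg selects the live default.
scan() {
    local hits=0
    check_process  "$1" && { echo "[*] Dhpcd process detected";            hits=$((hits + 1)); }
    check_binary   "$2" && { echo "[*] Dhpcd binary path detected";        hits=$((hits + 1)); }
    check_rc_local "$3" && { echo "[*] Dhpcd persistence method detected"; hits=$((hits + 1)); }
    check_backdoor "$4" && { echo "[*] Dhpcd backdoor method detected";    hits=$((hits + 1)); }
    if [ "$hits" -gt 0 ]; then
        echo "[*] Dhpcd detected on this machine"
    else
        echo "[-] No dhpcd indicators found on this machine"
    fi
    echo "$hits"
}

# Stand-alone run against the live system.
scan "" "" "" ""
```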