[Mal Series #3] Monero Coinminer
Infection activity in brief
Drop and execute a .vbs and a .js file -> PowerShell (the 1st stager) connects to a pastebin site hosting the 2nd payload (a dotnet file) -> the 2nd payload creates a process that executes the 3rd payload -> the 3rd payload creates a process (notepad.exe), injects the miner's code into it and executes it.
1st stager — powershell
2nd stager — dotnet exe
3rd stager — c++ Windows exe
Below are the commands that trigger the malicious activity:
C:\Windows\System32\WScript.exe C:\Users\Slayer\AppData\Local\Temp\dllm.vbs — downloads the 1st PowerShell stager
C:\Windows\System32\WScript.exe C:\Users\Slayer\AppData\Local\Temp\setup.js — creates a scheduled task to keep it persistent
C:\Users\Slayer\AppData\Local\Temp\setup.exe — runs the original (legitimate) installer
PowerShell is used as the 1st stager to download the 2nd stager.
2nd payload stager
file_2020-03-02_074138.jpg — not an image at all, but PowerShell code with another .exe file embedded in it. Convert the embedded bytes in a hex editor and you get the next payload, the dotnet stager.
Extract payload from dotnet file
These are the bytes of the 3rd payload; as you can see, the payload is stored as a decimal array. Convert the first few decimals to hex: 77, 90 becomes 4D 5A, which is the "MZ" magic header. This means the dotnet file carries and executes yet another PE file that needs to be investigated further. Another stager again 😑. Before that, we need to extract the payload from it. Open the dump in a hex editor, search for the same MZ magic header bytes in the hex dump, then crop out 1565696 bytes starting from the M and paste them into a new file. Save it afterwards. ✌ 3rd stager obtained ✌
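The carving step above, as an added example that is not part of the original post: a small Python helper that parses the decimal byte array dumped from the dotnet stager, locates every "MZ" whose e_lfanew field really points at a "PE\0\0" signature (so stray 4D 5A byte pairs elsewhere in the dump are skipped) and carves the embedded PE out. The sample dump is constructed here (three junk bytes, a minimal one-section PE, trailing junk); on the real sample you would pass the 1565696-byte length the post found, and the fallback that sizes the image from its section table assumes the executable has no overlay appended.

```python
import re
import struct


def decimals_to_bytes(source: str) -> bytes:
    """Turn a decimal byte array as dumped from the .NET stager (for example the
    body of 'new byte[] { 77, 90, 144, 0, ... }') into raw bytes. Only the text
    inside the outermost braces is parsed, so other numbers in the decompiled
    source (array sizes, line numbers) are ignored."""
    if "{" in source and "}" in source:
        source = source[source.index("{") + 1 : source.rindex("}")]
    values = [int(v) for v in re.findall(r"\d+", source)]
    bad = [v for v in values if v > 255]
    if bad:
        raise ValueError(f"not a byte array: found value {bad[0]} > 255")
    return bytes(values)


def find_pe_offsets(blob: bytes):
    """Yield the offset of every plausible PE in blob: an 'MZ' whose e_lfanew
    (DOS header offset 0x3C) points at a 'PE\\0\\0' signature."""
    off = blob.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
            sig = off + e_lfanew
            if sig + 4 <= len(blob) and blob[sig : sig + 4] == b"PE\x00\x00":
                yield off
        off = blob.find(b"MZ", off + 1)


def carve_pe(blob: bytes, offset: int, length=None) -> bytes:
    """Copy a PE out of blob. With an explicit length (the post cropped 1565696
    bytes) exactly that many bytes are taken. Otherwise the size is computed from
    the section table as the end of the last raw section, which assumes the image
    carries no overlay."""
    if length is None:
        e_lfanew = struct.unpack_from("<I", blob, offset + 0x3C)[0]
        pe = offset + e_lfanew
        num_sections = struct.unpack_from("<H", blob, pe + 6)[0]
        size_opt = struct.unpack_from("<H", blob, pe + 20)[0]
        table = pe + 24 + size_opt                      # first IMAGE_SECTION_HEADER
        length = 0
        for i in range(num_sections):
            # SizeOfRawData and PointerToRawData sit at +16 and +20 of each 40-byte header
            raw_size, raw_ptr = struct.unpack_from("<II", blob, table + 40 * i + 16)
            length = max(length, raw_ptr + raw_size)
    return blob[offset : offset + length]


def build_sample_dump() -> str:
    """Constructed stand-in for the decimal dump: three junk bytes, then a
    minimal PE (DOS header, COFF header with one section and no optional
    header, 8 bytes of section data at 0x80), then four junk bytes."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew -> 0x40
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)
    section = b".text\x00\x00\x00" + struct.pack("<IIII", 8, 0x1000, 8, 0x80) + bytes(16)
    body = b"\xcc" * 8
    pe = bytes(dos) + coff + section + body                  # 0x88 = 136 bytes
    blob = b"\x01\x02\x03" + pe + b"\xff\xff\xff\xff"
    return "new byte[] { " + ", ".join(str(b) for b in blob) + " }"


if __name__ == "__main__":
    blob = decimals_to_bytes(build_sample_dump())
    for off in find_pe_offsets(blob):
        carved = carve_pe(blob, off)
        print(f"PE at offset {off:#x}, {len(carved)} bytes, starts {carved[:2]!r}")
```

On a real dump, feed the decompiled array text to decimals_to_bytes, pick the offset find_pe_offsets reports, and call carve_pe with the known length; write the result to disk and check that the PE signature and section table parse before loading it in a debugger.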
Next, it’s time for debugging!!!
Get Machine GUID
It reads the Machine GUID from the registry key
HKLM\SOFTWARE\Microsoft\Cryptography and uses it as the username (worker identity) for the miner.
Windows API involved: ZwQueryValueKey (the registry read)
Create Config File
It creates a config file by assembling multiple parameters in JSON format and then encoding the result with base64.
Windows API involved:
Evasion check: get the current process list -> loop through the processes -> look for
taskmgr.exe -> if found, the process sleeps; if not, it creates the process.
Create new process (inject the payload into it)
After the evasion check passes, a new process is spawned in a suspended state with a -c argument on its command line. What does -c mean? 🤔
Looks like there is a trampoline that inserts the payload into notepad.exe and executes it. Carve the payload out of memory and fix the PE header for further analysis.
Below are the parameters of the miner extracted from
Based on the parameters, the miner is believed to be XMRig (an open source miner), and usage of the -c parameter was found! In XMRig, -c / --config loads a JSON-format configuration file, which is what the base64-encoded JSON config built earlier is for.
From the Installer
%TEMP%\setup.exe (the real setup)
From the last payload
<First 10 chars of Mutex>_3.0.0
Create Scheduled Task (Persistence Technique)
C:\Windows\System32\schtasks.exe /create /sc minute /mo 30 /tn anydesk /tr "C:\Users\Slayer\AppData\Local\Temp\setup.js"
(a task named "anydesk" to look legitimate, re-running setup.js every 30 minutes)
Create startup item in registry (Persistence Technique)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Value C:\Users\Slayer\AppData\Local\Temp\dllm.vbs
pool[.]minexmr[.]com:4444 (from nicehash pool)
Pastebin site w/ config settings
Pastebin site w/ 2nd payload
Config file used by the notepad.exe
XMR wallet address
References
Mining Pool Definition: "A mining pool is a joint group of cryptocurrency miners who combine their computational resources over a network…"
ZwQueryValueKey function (wdm.h), Windows drivers: "The ZwQueryValueKey routine returns a value entry for a registry key. NTSYSAPI NTSTATUS ZwQueryValueKey( HANDLE…"
XMRig: "High performance, open source, cross platform RandomX, CryptoNight, AstroBWT and Argon2 CPU/GPU miner, with…"