[Mal Series #3] Monero Coinminer

The malicious sample in this story is a TeamViewer installer with JavaScript and VBS files embedded in it. The sample uses multiple stagers to unpack its real payload. Let’s begin the analysis!

Infection activity in brief

Drop and execute the .vbs and .js files -> PowerShell, the 1st stager, connects to a pastebin site that hosts the 2nd payload (a dotnet file) -> the 2nd payload creates a process that executes the 3rd payload -> the 3rd payload creates a process (notepad.exe), injects the miner’s code into it and executes it.

Execute command

It uses PowerShell as the 1st stager to download the 2nd stager.

Powershell as 1st payload

2nd payload stager

file_2020–03–02_074138.jpg: PowerShell code with another .exe file embedded inside it. Load these bytes in a hex editor and you will get the 3rd payload.

First few lines of code
Last line of code

Extract payload from dotnet file

Extract the payload from the hex bytes of the dotnet file
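Carving the embedded stage out of a stager like the one above, as an added example (not the author’s tooling): each MZ header is validated through e_lfanew against a real PE signature, and long hex-text byte arrays (as a dotnet or PowerShell stager often stores them) are decoded first. The stager fed to it below is constructed, not the real sample.

```python
import re
import struct

def carve_pe(blob: bytes):
    """Return (offset, image) pairs for every MZ header in blob whose e_lfanew
    (DWORD at 0x3c) points at a valid 'PE\\0\\0' signature. Each image runs to
    the next validated header or to the end of the blob (good enough for triage)."""
    starts = []
    for m in re.finditer(b"MZ", blob):
        off = m.start()
        if off + 0x40 > len(blob):
            continue
        e_lfanew = struct.unpack_from("<I", blob, off + 0x3c)[0]
        pe = off + e_lfanew
        if e_lfanew >= 0x40 and pe + 4 <= len(blob) and blob[pe:pe + 4] == b"PE\x00\x00":
            starts.append(off)
    ends = starts[1:] + [len(blob)]
    return [(s, blob[s:e]) for s, e in zip(starts, ends)]

# A stager often stores the next stage as hex text ("4D5A..." or "0x4D,0x5A,...").
HEX_RUN = re.compile(rb"(?:(?:0x)?[0-9A-Fa-f]{2}[,\s]*){64,}")

def carve_from_stager(data: bytes):
    """Carve PE images from the raw bytes first, then from any long hex-text run."""
    found = carve_pe(data)
    for m in HEX_RUN.finditer(data):
        cleaned = re.sub(rb"[^0-9A-Fa-f]", b"", m.group(0).replace(b"0x", b""))
        decoded = bytes.fromhex(cleaned[: len(cleaned) & ~1].decode())
        found += [(m.start(), img) for _, img in carve_pe(decoded)]
    return found

def _fake_pe(tag: bytes) -> bytes:
    """Constructed stand-in for an embedded .exe: minimal DOS header + PE signature."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3e)
    struct.pack_into("<I", hdr, 0x3c, 0x40)   # e_lfanew -> right after the DOS header
    return bytes(hdr) + b"PE\x00\x00" + tag

def demo():
    """Constructed PowerShell-style stager: a decoy 'MZ' string plus a hex byte array."""
    payload = _fake_pe(b"STAGE3")
    hex_array = b",".join(b"0x%02X" % b for b in payload)
    stager = b"$decoy='MZ_not_a_pe'\n$bytes=@(" + hex_array + b")\n"
    return [(off, img[-6:]) for off, img in carve_from_stager(stager)]
```

The decoy string shows why the e_lfanew check matters: a bare "MZ" search would report it as a second executable.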

Debugging

Get Machine Guid

Reads the Machine GUID from the registry key SOFTWARE\MICROSOFT\CRYPTOGRAPHY and uses it as the username

Create Config File

It creates a config file by appending multiple parameters in JSON format and then encodes the result with base64.

Evasive Technique

Get the current process list -> loop through the processes -> look for taskmgr.exe -> if found, the process sleeps / if not, it creates the process notepad.exe

Common Evasive Technique by Coinminer Malware

Create new process (inject the payload into it)

After the evasion check passes, a new process is spawned in a suspended state. What does the -c mean? 🤔

notepad.exe -c <full file path of config>
The true miner is finally found!

IOC lists

Dropped Files
From the Installer

%TEMP%\setup.exe (the real setup)
%TEMP%\dllm.vbs
%TEMP%\setup.js
From the last payload
cfg
cfgi
<first 10 chars of mutex>_3.0.0

Seems like config settings for the server

Config file used by the notepad.exe

Miner’s config

SHA256

95fee5658b71f8d1a5304dd07d5a036ddc69bd06a19834f4a6c04918a939dd5d

References:

Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec