[Mal Series #3]Monero Coinminer

The malicious sample in this story is a TeamViewer installer file with JavaScript and VBS embedded in it. The sample goes through multiple stagers before it unloads its real payload. Let's begin the analysis!

Infection activity in brief

Drop & execute the .vbs and .js files -> PowerShell (the 1st stager) connects to a Pastebin site that hosts the 2nd payload (a .NET file) -> the 2nd payload creates a process that executes the 3rd payload -> the 3rd payload creates a process (notepad.exe), injects the miner's code into it and executes it.

1st stager — PowerShell
2nd stager — .NET exe
3rd stager — C++ Windows exe

Below are the commands that trigger the malicious activities:

C:\Windows\System32\WScript.exe C:\Users\Slayer\AppData\Local\Temp\dllm.vbs — downloads the 1st PowerShell stager

C:\Windows\System32\WScript.exe C:\Users\Slayer\AppData\Local\Temp\setup.js — creates a scheduled task to keep it persistent

C:\Users\Slayer\AppData\Local\Temp\setup.exe — runs the original installer

Execute command

It uses PowerShell as the 1st stager to download the 2nd stager.

Powershell as 1st payload

2nd payload stager

file_2020-03-02_074138.jpg — PowerShell code with another .exe file inside it. Convert the embedded bytes in a hex editor and you will get the 3rd payload.

First few line of code
Last line of code

Extract payload from dotnet file

These are the bytes of the 3rd payload; as you can see, the payload is printed as decimal values. Let's convert the first few decimals to hex and see what we get. After the conversion, the "MZ" magic header is found. This indicates that the .NET file will execute another PE file that needs to be investigated further. Another stager again 😑. Before that, we need to extract the payload from it. In this case, use a hex editor and search for the matching MZ magic header bytes in the hex dump. Then crop out 1565696 bytes, starting from the "M", and insert them into a new file. Save it afterwards. ✌3rd stager obtained ✌

Extract the payload in the dotnet hex byte

Next, it’s time for debugging!!!

Debugging

Get Machine Guid

Get the Machine GUID via the registry key /SOFTWARE/MICROSOFT/CRYPTOGRAPHY and use it as the username

Windows APIs involved:
NtOpenKey
ZwQueryValueKey
ZwClose

Create Config File

It creates a config file by appending multiple parameters in JSON format and then encodes the result with Base64.

Windows APIs involved:
ZwCreateFile
ZwWriteFile
ZwClose
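The post says the 3rd stager writes a JSON config, Base64-encodes it, and later hands it to the miner (identified further down as XMRig) via "-c <config>". The decoder below is an added example, not the post's own tooling: it parses such a file and pulls out the pool endpoints and wallet addresses a responder wants first. The key names ("pools", "url", "user") follow XMRig's config layout; the sample config itself is constructed, using the pool and wallet address listed in the IOCs at the end of the post.

```python
import base64
import json

# Added example, not the post's own tooling. Decodes a Base64-wrapped JSON miner
# config (as the stager writes it) and extracts pool/wallet indicators. Key names
# follow XMRig's "pools" layout; SAMPLE_CONFIG is constructed from the post's IOCs.

XMR_WALLET = ("434PuVPN5tQ6xQA7pdB7NsNTJHWvUD5tL7rmsX7uzJgNdCAx7wo4yESiy51aqCcr"
              "13ZoYb3TFq3zw11BFQJiF1tnHibZ6EA")
SAMPLE_CONFIG = {
    "autosave": False,
    "pools": [{"url": "pool.minexmr.com:4444", "user": XMR_WALLET, "pass": "x"}],
}
# The Base64 blob as the stager would write it to its "cfg" file (constructed).
SAMPLE_CFG_FILE = base64.b64encode(json.dumps(SAMPLE_CONFIG).encode()).decode()

BASE58 = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")


def decode_config(blob):
    """Parse a miner config given as raw JSON or as Base64-wrapped JSON.
    Missing Base64 padding is tolerated; anything else raises ValueError."""
    text = blob.strip()
    try:
        obj = json.loads(text)                      # maybe it is plain JSON already
    except ValueError:
        obj = None
    if not isinstance(obj, dict):
        padded = text + "=" * (-len(text) % 4)      # repair stripped padding
        try:
            obj = json.loads(base64.b64decode(padded, validate=True))
        except ValueError as exc:                   # binascii.Error is a ValueError
            raise ValueError("not JSON and not Base64-wrapped JSON") from exc
    if not isinstance(obj, dict):
        raise ValueError("config is not a JSON object")
    return obj


def looks_like_xmr_address(value):
    """Standard Monero address: 95 Base58 characters starting with '4'."""
    return len(value) == 95 and value[0] == "4" and set(value) <= BASE58


def extract_indicators(cfg):
    """Pool endpoints and wallets from the 'pools' list of an XMRig-style config."""
    pools = [p for p in cfg.get("pools", []) if isinstance(p, dict)]
    wallets = sorted({p["user"] for p in pools if isinstance(p.get("user"), str)})
    return {
        "pools": [p["url"] for p in pools if isinstance(p.get("url"), str)],
        "wallets": wallets,
        "xmr_wallets": [w for w in wallets if looks_like_xmr_address(w)],
    }


if __name__ == "__main__":
    print(extract_indicators(decode_config(SAMPLE_CFG_FILE)))
```

Point `decode_config` at the contents of the dropped "cfg" file and the pool and wallet fall out directly; the address check is only a shape test (length and alphabet), not a checksum validation, so treat it as a filter rather than proof.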

Evasive Technique

Get the current process list -> loop through the processes -> look for taskmgr.exe -> if found, the process sleeps / if not, it creates the notepad.exe process

Common Evasive Technique by Coinminer Malware

Create new process (inject the payload into it)

After it passes the evasive check, a new process is spawned in a suspended state. What does the -c mean? 🤔

notepad.exe -c <full filepath of config>

Looks like there is a trampoline there that inserts the payload into notepad.exe and executes it. Carve the payload out of memory and fix the PE header for further analysis.
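Two of the manual steps above lend themselves to a small script: pulling the PE out of the decimal byte array in the .NET stager ("Extract payload from dotnet file", where the post cropped 1565696 bytes from the "M" by hand) and fixing the header of the PE dumped out of notepad.exe so static tools can read it again. The code below is an added example, not the post's own tooling; the two-section PE it builds for itself is a constructed stand-in, not the real payload, and the on-disk size it computes is taken from the section table (furthest end of any section's raw data), which ignores any overlay appended after the last section.

```python
import re
import struct

# Added example, not the post's own tooling. Two analyst helpers for steps the
# post describes: carving a PE out of the decimal byte array inside the .NET
# stager, and fixing the section table of a PE dumped from memory (the miner
# carved out of notepad.exe) so static tools parse it again. All sample data
# is constructed; none of it is the real payload.

def decimal_array_to_bytes(text):
    """Turn C#-style 'new byte[] { 77, 90, 144, ... }' text into raw bytes."""
    values = [int(v) for v in re.findall(r"\d+", text)]
    if any(v > 255 for v in values):
        raise ValueError("value above 255: not a plain decimal byte array")
    return bytes(values)

def parse_pe(buf, off=0):
    """Validate MZ/PE at buf[off]; return (optional_header_off, [section_hdr_offs]) or None."""
    if buf[off:off + 2] != b"MZ" or len(buf) < off + 0x40:
        return None
    pe = off + struct.unpack_from("<I", buf, off + 0x3C)[0]    # e_lfanew
    if buf[pe:pe + 4] != b"PE\0\0":
        return None
    nsec, = struct.unpack_from("<H", buf, pe + 6)               # NumberOfSections
    opt_size, = struct.unpack_from("<H", buf, pe + 20)          # SizeOfOptionalHeader
    opt = pe + 24
    first = opt + opt_size
    if first + 40 * nsec > len(buf):
        return None
    return opt, [first + 40 * i for i in range(nsec)]

def on_disk_size(buf, off=0):
    """File size implied by the section table (furthest raw-data end): the byte
    count the post measured by hand (1565696) when cropping from the 'M'."""
    parsed = parse_pe(buf, off)
    if parsed is None:
        return None
    opt, sections = parsed
    end = struct.unpack_from("<I", buf, opt + 60)[0]            # SizeOfHeaders
    for s in sections:
        raw_size, raw_ptr = struct.unpack_from("<II", buf, s + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def carve_pe(text):
    """Carve the first complete PE from a decimal byte array; None if there is none."""
    buf = decimal_array_to_bytes(text)
    pos = buf.find(b"MZ")
    while pos != -1:                    # skip 'MZ' hits that fail header validation
        size = on_disk_size(buf, pos)
        if size and pos + size <= len(buf):
            return buf[pos:pos + size]
        pos = buf.find(b"MZ", pos + 1)
    return None

def fix_dumped_pe(image, base_address):
    """Rewrite a memory-layout dump so each section's raw offset/size equal its
    VirtualAddress/VirtualSize and ImageBase matches where it was dumped from."""
    parsed = parse_pe(image)
    if parsed is None:
        raise ValueError("dump does not start with a valid MZ/PE header")
    opt, sections = parsed
    fixed = bytearray(image)
    if struct.unpack_from("<H", fixed, opt)[0] == 0x10B:        # PE32 magic
        struct.pack_into("<I", fixed, opt + 28, base_address)
    else:                                                       # PE32+
        struct.pack_into("<Q", fixed, opt + 24, base_address)
    for s in sections:
        vsize, vaddr = struct.unpack_from("<II", fixed, s + 8)
        struct.pack_into("<II", fixed, s + 16, vsize, vaddr)    # SizeOfRawData, PointerToRawData
    return bytes(fixed)

def build_sample(memory_layout):
    """Constructed two-section PE32: on disk the sections follow 0x200 bytes of
    headers; in memory each sits at its 0x1000-aligned VirtualAddress."""
    secs = [(b".text", 0x1000, 0x400, 0x200, 0x400),   # name, VA, VSize, RawPtr, RawSize
            (b".data", 0x2000, 0x100, 0x600, 0x200)]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                   # ImageBase
    struct.pack_into("<I", opt, 60, 0x200)                      # SizeOfHeaders
    hdrs = bytes(dos) + coff + bytes(opt)
    for name, va, vs, rp, rs in secs:
        hdrs += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
    out = bytearray(hdrs.ljust(0x200, b"\0"))
    for name, va, vs, rp, rs in secs:
        start, size = (va, vs) if memory_layout else (rp, rs)
        out.extend(b"\0" * (start - len(out)))
        out[start:start + size] = (name * size)[:size]
    return bytes(out)

SAMPLE_DISK = build_sample(memory_layout=False)
# Constructed stand-in for the stager's byte array: junk, the PE, more junk.
SAMPLE_DECIMAL_TEXT = "new byte[] { " + ", ".join(
    str(b) for b in b"\x01\x02\x03" + SAMPLE_DISK + b"\xff\xff") + " }"
SAMPLE_DUMP = build_sample(memory_layout=True)

if __name__ == "__main__":
    carved = carve_pe(SAMPLE_DECIMAL_TEXT)
    print("carved", len(carved), "bytes, identical to file:", carved == SAMPLE_DISK)
    print("dump size before/after fix:", on_disk_size(SAMPLE_DUMP),
          on_disk_size(fix_dumped_pe(SAMPLE_DUMP, 0xA00000)))
```

For a real dump, pass the address the region was read from as `base_address` so relocated pointers line up with the rewritten ImageBase; `carve_pe` deliberately keeps searching past an "MZ" whose PE header does not validate, which is what the manual hex-editor search for the "similar MZ magic header bytes" amounts to.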

The true miner is finally found!

Below are the parameters of the miner extracted from notepad.exe:

Based on the parameters, it is believed that the miner is XMRig (an open source miner), and the usage of the -c parameter was found!

IOC lists

Dropped Files
From the Installer

%TEMP%setup.exe (The real setup)
%TEMP%dllm.vbs
%TEMP%setup.js
From last payload
cfg
cfgi
<First 10 char of Mutex>_3.0.0

Create Scheduled Task (Persistence Technique)
C:\Windows\System32\schtasks.exe /create /sc minute /mo 30 /tn anydesk /tr "C:\Users\Slayer\AppData\Local\Temp\setup.js"

Create startup item in registry (Persistence Technique)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Value C:\Users\Slayer\AppData\Local\Temp\dllm.vbs
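The command lines recorded in this post are good material for process-creation telemetry rules. The script below is an added example, not the post's own tooling: a small rule set run over the post's commands (plus two constructed lines, one for the "notepad.exe -c <config>" launch and one benign notepad launch) that flags a script host running from the Temp folder, a scheduled task whose action is a script, a Run key written through PowerShell, and notepad.exe being given a config argument. The rules are my own assumptions about what is worth alerting on, not anything the post prescribes.

```python
import re

# Added example: detection logic over process command lines, not the post's own
# tooling. SAMPLE_CMDLINES are the commands the post records (straight quotes),
# plus two constructed lines; the rule set is my own.

RULES = [
    # wscript/cscript launching a script dropped under the user's Temp folder
    ("script_host_from_temp",
     re.compile(r'\\[wc]script\.exe\b.*\\Temp\\[^\s"]+\.(vbs|js|jse|wsf)', re.I)),
    # schtasks /create whose action (/tr) is a script file
    ("schtasks_runs_script",
     re.compile(r'\\schtasks\.exe\b.*/create\b.*/tr\s+"?[^"]*\.(vbs|js|jse|wsf|ps1)', re.I)),
    # PowerShell writing a Run key value (autostart persistence)
    ("run_key_set_via_powershell",
     re.compile(r'powershell\.exe\b.*Set-Item(Property)?\b.*\\CurrentVersion\\Run\b', re.I)),
    # notepad.exe handed a "-c <config>" argument, which notepad itself never takes
    ("notepad_with_config_arg",
     re.compile(r'\\notepad\.exe\b\s+-c\s+\S+', re.I)),
]

SAMPLE_CMDLINES = [
    r"C:\Windows\System32\WScript.exe C:\Users\Slayer\AppData\Local\Temp\dllm.vbs",
    r"C:\Windows\System32\WScript.exe C:\Users\Slayer\AppData\Local\Temp\setup.js",
    r"C:\Users\Slayer\AppData\Local\Temp\setup.exe",
    r'C:\Windows\System32\schtasks.exe /create /sc minute /mo 30 /tn anydesk /tr "C:\Users\Slayer\AppData\Local\Temp\setup.js"',
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Value C:\Users\Slayer\AppData\Local\Temp\dllm.vbs",
    r"C:\Windows\System32\notepad.exe -c C:\Users\Slayer\AppData\Local\Temp\cfg",   # constructed from "notepad.exe -c <config>"
    r"C:\Windows\System32\notepad.exe C:\Users\Slayer\Documents\notes.txt",         # constructed benign line
]


def classify(cmdline):
    """Names of the rules that match one command line (empty list = nothing fired)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def triage(cmdlines):
    """Keep only the lines that fire at least one rule, paired with the rule names."""
    hits = []
    for line in cmdlines:
        names = classify(line)
        if names:
            hits.append((line, names))
    return hits


def task_interval_minutes(cmdline):
    """For a schtasks /create line scheduled with /sc minute, the repeat interval
    (the post's task re-runs setup.js every 30 minutes); None otherwise."""
    m = re.search(r"/sc\s+minute\b.*?/mo\s+(\d+)", cmdline, re.I)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    for line, names in triage(SAMPLE_CMDLINES):
        print(", ".join(names), "<-", line)
```

Feed `triage` the command-line field from Sysmon event 1 or Windows Security event 4688 records and the five malicious launches from this post fire while the installer itself and the benign notepad launch stay quiet; the `/mo` interval is worth surfacing separately because a 30-minute re-launch of a script in Temp is a stronger signal than the task name ("anydesk") suggests.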

Mutex
083626eddd15ac3f8a72

URL
185[.]81[.]157[.]188:8080
pool[.]minexmr[.]com:4444 (from nicehash pool)
http://www[.]4up4[.]com/uploads/reemfa/file_2020-03-02_074138.jpg

Pastebin site w/ config settings
https://pastbin[.]com/raw/Yv5TP6HF

Seems to be config settings for the server

PasteBin site w/ 2nd payload
https://pastbin[.]com/raw/gC5dfjh9

Config file used by the notepad.exe

Miner’s config

XMR wallet address
434PuVPN5tQ6xQA7pdB7NsNTJHWvUD5tL7rmsX7uzJgNdCAx7wo4yESiy51aqCcr13ZoYb3TFq3zw11BFQJiF1tnHibZ6EA

Sha256

95fee5658b71f8d1a5304dd07d5a036ddc69bd06a19834f4a6c04918a939dd5d


Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec

GhouLSec