
Adventures of poking at a cpu miner

Mostly ramblings of me poking at a CPU miner with a stick. Making a thread because someone might like it. It will sound a bit rambly because it is. Sorry.


So my Windows install has been running fairly hot and loud lately, but whenever I end up opening Task Manager it reveals that the CPU usage is at what would be normal for idle.

The dip is me opening task manager
[screenshot: cpu-miner-windows-sad]

Copying taskmgr to the desktop and renaming it tricks whatever is running into thinking it's now open. This means I can see the true culprit.

So time to rename a random binary. Let's go with Rufus.


And that works. So I now know what it's looking for when it comes to deciding when it should and shouldn't mine.

Let's poke at it with Task Manager some.
[screenshot: cpu-miner-notepad-priority]
Well. It's at least nice enough to set itself to below-normal priority.

Hmmm. Something fishy is going on with notepad for sure.


Was last modified in 2015 but was created on 5/30/2018. And no, notepad is not signed by Microsoft.

A few notes so far.

  • Killed the process and removed notepad with a bit of good timing (process respawns). Notepad no longer runs outside of the Windows folder. Putting something else called notepad there does not cause it to be run. Placing the OG notepad file back into the folder causes it to be immediately run. So some kind of fingerprinting must be going on here.
  • Dumping the strings of the file doesn't reveal anything of interest. Mostly random garbage it thinks is strings and some product info from Microsoft.
  • The notepad.exe process just simply disappears whenever something is run with the filename “taskmgr.exe”.

That's about the extent of my knowledge/willingness to poke at it. I've uploaded both the binary and a process dump in case anyone else wants to take a look at it. Maybe @catsay would be interested =P

https://drive.google.com/open?id=1nrF6fCpdg7j8eDhmjtZf_s9Pl3NJGYoP

I'm nuking my install from orbit so I won't be able to provide much info to you (OK, a backup from a fresh install, but close enough).

5 Likes

This might be relevant…

Not really. This is a CPU miner embedded into notepad, not about notepad itself.

1 Like

I’m willing to bet this is not the notepad exe that’s had a payload injected, rather it’s just the malicious exe disguising itself as notepad.

Confirmed. It’s the legit notepad exe - signature and hash even match.
The real miner is hiding elsewhere or is a memory resident loaded from an entirely different file.

3 Likes

Ye. It would only open notepad if it was in C:\Windows, which is strange. It could at least try and pretend to be a regular notepad executable XD

Figures. There's a reason why I included the dump along with it. I know this kind of shit exists. Strange that Task Manager said it was running from notepad.exe.

My Windows 10 notepad.exe

e9f2fbe8e1bc49d107df36ef09f6d0aeb8901516980d3fe08ee73ab7b4a2325f

Your notepad.exe (Windows 7 SP1)

933e1778b2760b3a9194c2799d7b76052895959c3caedefb4e9d764cbb6ad3b5

Windows 7 SP1 legit checksum from my W7 test system

933e1778b2760b3a9194c2799d7b76052895959c3caedefb4e9d764cbb6ad3b5

So yeah, legit notepad file; the real process is just disguising itself. It’s very easy to fake a process name in Windows/inject yourself into legit notepad.exe memory.

https://www.virustotal.com/#/file/933e1778b2760b3a9194c2799d7b76052895959c3caedefb4e9d764cbb6ad3b5/details

Might poke the dump file just now.

2 Likes

Enjoy. Feel free to report on anything you find, as I'm curious what it was.

1 Like

I’m about 99.99995% sure that the Debian operating system does not have this same notepad.exe bug. You should make the switch. Your security depends on it! :stuck_out_tongue:

Somehow I think she’d prefer Fedora :stuck_out_tongue:

[screenshot from 2018-07-14 10:49:17]

3 Likes

Somehow I think she’d prefer Fedora :stuck_out_tongue:

Based on the flair alone, I too would surmise she prefers Fedora.

But here we are… in a thread about #WindowsProblems. :joy:

Dumped the memory.

Working with minidump files is a bit more annoying than full dumps.
But I found an IP address + port it’s connecting to pretty fast:

185.144.29.36:5450 

Hmm, interesting; this should look familiar to any crypto miners:

[2018-07-13 21:31:55] new job from 185.144.29.36:5450 diff 120001 algo cn/1

LOL

XMRig 2.6.2
 built on May  6 2018 with GCC
 %d.%d.%d
 features: 64-bit AES

How convenient - now I know the xmrig commands without looking them up!

Usage: xmrig [OPTIONS]
Options:
  -a, --algo=ALGO          specify the algorithm to use
                             cryptonight
                             cryptonight-lite
                             cryptonight-heavy
  -o, --url=URL            URL of mining server
  -O, --userpass=U:P       username:password pair for mining server
  -u, --user=USERNAME      username for mining server
  -p, --pass=PASSWORD      password for mining server
      --rig-id=ID          rig identifier for pool-side statistics (needs pool support)
  -t, --threads=N          number of miner threads
  -v, --av=N               algorithm variation, 0 auto select
  -k, --keepalive          send keepalived for prevent timeout (need pool support)
  -r, --retries=N          number of times to retry before switch to backup server (default: 5)
  -R, --retry-pause=N      time to pause between retries (default: 5)
      --cpu-affinity       set process affinity to CPU core(s), mask 0x3 for cores 0 and 1
      --cpu-priority       set process priority (0 idle, 2 normal to 5 highest)
      --no-huge-pages      disable huge pages support
      --no-color           disable colored output
      --variant            algorithm PoW variant
      --donate-level=N     donate level, default 5%% (5 minutes in 100 minutes)
      --user-agent         set custom user-agent string for pool
  -B, --background         run the miner in the background
  -c, --config=FILE        load a JSON-format configuration file
  -l, --log-file=FILE      log all output to a file
      --max-cpu-usage=N    maximum CPU usage for automatic threads mode (default 75)
      --safe               safe adjust threads and av settings for current CPU
      --nicehash           enable nicehash/xmrig-proxy support
      --print-time=N       print hashrate report every N seconds
      --api-port=N         port for the miner API
      --api-access-token=T access token for API
      --api-worker-id=ID   custom worker-id for API
      --api-ipv6           enable IPv6 support for API
      --api-no-restricted  enable full remote access (only if API token set)
  -h, --help               display this help and exit
  -V, --version            output version information and exit

OK, what’s this? Some JSON messages:

{"jsonrpc
:"2.0
,"method
:"job
,"params
:{"blob
:"0707ebcda6da05d4e7f7099dd9a07523ea3d1947567940c8f7b57636f313b58d64432a2c8e00c300000097d66d6dae552c3287e9c235cab543ea97e8e3fed1e98c890a23e56759febbcf6309
,"job_id
:"14209970
,"target
:"cf8b0000
,"algo
:"cn/1
,"variant
:1}}
201970
,"target
:"cf8b0000
,"algo
:"cn/1
,"variant
:1},"extensions
:["algo
,"nicehash
]},"status
:"OK
185.144.29.36

So it’s mining CN/1 (CryptoNight?) and using that IP as a job server.

There are a bunch of other funky addresses as well:

m09zr.fde.zarid.com:6666
m09zr.fde.zarid.com:80
emergency.z0e.aqkig.com:5555

Most of these are unreachable.

EYYYY! Now we’ve got the miner password etc., very secure…

{
    "algo": "cryptonight",
    "background": false,
    "colors": true,
    "retries": 5,
    "retry-pause": 5,
    "syslog": false,
    "print-time": 60,
    "av": 0,
    "safe": false,
    "cpu-priority": null,
    "cpu-affinity": null,
    "threads": 8,
    "pools": [
        {
            "url": "185.144.29.36:5450",
            "user": "4f6b8090-05d4-4e5d-9137-f502d5de0749",
            "pass": "x",
            "keepalive": false,
            "nicehash": false,
            "variant": 1
        }
    ],
    "api": {
        "port": 0,
        "access-token": null,
        "worker-id": null
    }
}

In fact, I can actually see hashes in memory also.

So congrats, you got hit with xmrig miner malware somehow.
Given that it’s only a minidump, I’m limited to just this one process’s memory and can’t tell you how it got onto the system etc., just what it’s currently doing.

But yeah kinda neat :smiley:

6 Likes
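As an added example (not code from the thread, and not part of xmrig), here is a small Python triage script for the kind of strings output shown in the posts above: it pulls the XMRig version banner, the "new job from" log lines, the brace-less config scalars and any bare host:port strings into one indicator list. The sample input is constructed from the fragments quoted above.

```python
import re

# Constructed sample in the shape of the strings output quoted in the thread.
SAMPLE_STRINGS = """\
XMRig 2.6.2
 built on May  6 2018 with GCC
[2018-07-13 21:31:55] new job from 185.144.29.36:5450 diff 120001 algo cn/1
        "algo": "cryptonight",
        "threads": 8,
        "pools": [
                        "url": "185.144.29.36:5450",
                        "user": "4f6b8090-05d4-4e5d-9137-f502d5de0749",
                        "pass": "x",
m09zr.fde.zarid.com:6666
emergency.z0e.aqkig.com:5555
"""

BANNER_RE = re.compile(r"^XMRig\s+(\d+\.\d+\.\d+)", re.M)
NEWJOB_RE = re.compile(r"new job from (\S+:\d+) diff (\d+) algo (\S+)")
# Config lines survive strings(1) as `"key": value,`; lone braces/brackets
# are too short to be printed, so only scalar values are accepted here.
KV_RE = re.compile(r'^\s*"([\w-]+)":\s*("[^"]*"|-?\d+|true|false|null)\s*,?\s*$', re.M)
# Bare host:port strings such as the fallback pool addresses in the dump.
HOSTPORT_RE = re.compile(
    r"^((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}|\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$", re.M)


def _coerce(raw):
    """Turn a JSON scalar token from the dump into a Python value."""
    if raw.startswith('"'):
        return raw.strip('"')
    if raw in ("true", "false", "null"):
        return {"true": True, "false": False, "null": None}[raw]
    return int(raw)


def triage(text):
    """Recover miner version, job log lines, config scalars and endpoints."""
    result = {"version": None, "jobs": [], "config": {}, "endpoints": []}
    banner = BANNER_RE.search(text)
    if banner:
        result["version"] = banner.group(1)
    for pool, diff, algo in NEWJOB_RE.findall(text):
        result["jobs"].append({"pool": pool, "diff": int(diff), "algo": algo})
    for key, raw in KV_RE.findall(text):
        result["config"][key] = _coerce(raw)
    # Endpoints show up in three places; merge them, deduplicated, in order.
    candidates = [j["pool"] for j in result["jobs"]]
    candidates.append(result["config"].get("url"))
    candidates += [f"{h}:{p}" for h, p in HOSTPORT_RE.findall(text)]
    result["endpoints"] = list(dict.fromkeys(c for c in candidates if c))
    return result
```

Feed it `strings -n 4 dump.dmp` output and the `endpoints` list is what goes into a firewall or DNS blocklist, while `config["user"]` identifies the operator's pool account.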

So where is that IP, you may ask?

Chelyabinsk in the Russian Federation of course!

;; ANSWER SECTION:
36.29.144.185.in-addr.arpa. 3600 IN     PTR     vps.joko.xyz.

;; AUTHORITY SECTION:
29.144.185.in-addr.arpa. 172799 IN      NS      ns2.profitserver.ru.
29.144.185.in-addr.arpa. 172799 IN      NS      ns1.profitserver.ru.

They’ve even got their own nameservers so it’s really easy to get the specific DNS name for that machine :stuck_out_tongue:

That server in turn has open RDP, SMB, everything:

PORT      STATE SERVICE       REASON  VERSION
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  syn-ack Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ms-wbt-server syn-ack Microsoft Terminal Service
49154/tcp open  msrpc         syn-ack Microsoft Windows RPC
49155/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

So I speculate that even that machine is a compromised machine belonging to someone else.

4 Likes

That is a deep rabbit hole.

3 Likes

I’ve reported it to [email protected] - it seems to be a Russian VPS host.
Hopefully they are a legit company and not part of the cryptomining operation.

Additionally I’ve added the IP and some signatures of the memory to a few blacklists & AV lists which should soon make their way to AV vendors.

5 Likes

I’m not a Windows person, so correct me if I’m wrong…

In this thread, we’ve confirmed malware masquerading as Microsoft Notepad, initiating remote connections to zarid.com and aqkig.com, utilizing the CN/1 (cryptonite) algorithm to quietly mine Monero on the hardware of victims infected with ‘xmrig’ malware.

Do I follow?

Pretty much yes, and @Dje4321 hasn’t even come back to notice yet :slight_smile:

The main IP used is: 185.144.29.36
And xmrig is technically a legit XMR mining application; just here it's merely a modified payload of another piece of malware, masquerading as notepad.exe.

2 Likes

I also found someone else that found the exact same cryptominer 2 days ago.

It drops its files in C:\ProgramData\fWyfnSWdrs\cfgi
Something I’ve also seen with yours.

Very basic overall though. Almost no attempt at obfuscation.

2 Likes

Yeah, could’ve put its stuff in C:\Program Files\NotAVirus\bin

2 Likes

I would 100% not notice if it set the affinity to a couple of threads and capped execution at 5-10% XD

1 Like