Return to Level1Techs.com

Adventures of poking at a cpu miner

windows
cryptocurrency

#2

This might be relevant…


#3

Not really. This is a cpu miner embedded into notepad not about notepad itself


#4

I’m willing to bet this is not the notepad exe that’s had a payload injected, rather it’s just the malicious exe disguising itself as notepad.

Confirmed. It’s the legit notepad exe - signature and hash even matches.
The real miner is hiding elsewhere or is a memory resident loaded from an entirely different file.


#5

Ye. Would only open notepad if it was in C:\Windows which is strange. It could atleast try and pretend to be a regular notepad executable XD


#6

Figures. Is a reason why i included the dump along with it. Know this kinda of shit exsists. Strange that task manager said it was running from notepad.exe


#7

My Windows 10 notepad.exe

e9f2fbe8e1bc49d107df36ef09f6d0aeb8901516980d3fe08ee73ab7b4a2325f

Your notepad.exe (Windows 7 SP1)

933e1778b2760b3a9194c2799d7b76052895959c3caedefb4e9d764cbb6ad3b5

Windows 7 SP1 legit checksum from my W7 test system

933e1778b2760b3a9194c2799d7b76052895959c3caedefb4e9d764cbb6ad3b5

So yeah, legit notepad file, the real process is just disguising itself. It’s very easy to fake a process name in windows/inject yourself into legit notepad.exe memory.

https://www.virustotal.com/#/file/933e1778b2760b3a9194c2799d7b76052895959c3caedefb4e9d764cbb6ad3b5/details

Might poke the dump file just now


#8

Enjoy. Feel free to report on anything you find as im curious what it was


#9

I’m about 99.99995% sure that the Debian operating system does not have this same notepad.exe bug. You should make the switch. Your security depends on it! :stuck_out_tongue:


#10

Somehow I think she’d prefer Fedora :stuck_out_tongue:

Screenshot%20from%202018-07-14_10%3A49%3A17


#11

Somehow I think she’d prefer Fedora :stuck_out_tongue:

Based on the flair alone, I too would surmise she prefers Fedora.

But here we are… in a thread about #WindowsProblems. :joy:


#12

Dumped the memory

Working with minidump files is a bit more annoying than full dumps
But found an IP address+Port it’s connecting to pretty fast:

185.144.29.36:5450 

Hmm interesting, this should look familiar to any crypto miners

[2018-07-13 21:31:55] new job from 185.144.29.36:5450 diff 120001 algo cn/1

LOL

XMRig 2.6.2
 built on May  6 2018 with GCC
 %d.%d.%d
 features: 64-bit AES

How convenient - know I know how the xmrig commands without looking it up!

Usage: xmrig [OPTIONS]
Options:
  -a, --algo=ALGO          specify the algorithm to use
                             cryptonight
                             cryptonight-lite
                             cryptonight-heavy
  -o, --url=URL            URL of mining server
  -O, --userpass=U:P       username:password pair for mining server
  -u, --user=USERNAME      username for mining server
  -p, --pass=PASSWORD      password for mining server
      --rig-id=ID          rig identifier for pool-side statistics (needs pool support)
  -t, --threads=N          number of miner threads
  -v, --av=N               algorithm variation, 0 auto select
  -k, --keepalive          send keepalived for prevent timeout (need pool support)
  -r, --retries=N          number of times to retry before switch to backup server (default: 5)
  -R, --retry-pause=N      time to pause between retries (default: 5)
      --cpu-affinity       set process affinity to CPU core(s), mask 0x3 for cores 0 and 1
      --cpu-priority       set process priority (0 idle, 2 normal to 5 highest)
      --no-huge-pages      disable huge pages support
      --no-color           disable colored output
      --variant            algorithm PoW variant
      --donate-level=N     donate level, default 5%% (5 minutes in 100 minutes)
      --user-agent         set custom user-agent string for pool
  -B, --background         run the miner in the background
  -c, --config=FILE        load a JSON-format configuration file
  -l, --log-file=FILE      log all output to a file
      --max-cpu-usage=N    maximum CPU usage for automatic threads mode (default 75)
      --safe               safe adjust threads and av settings for current CPU
      --nicehash           enable nicehash/xmrig-proxy support
      --print-time=N       print hashrate report every N seconds
      --api-port=N         port for the miner API
      --api-access-token=T access token for API
      --api-worker-id=ID   custom worker-id for API
      --api-ipv6           enable IPv6 support for API
      --api-no-restricted  enable full remote access (only if API token set)
  -h, --help               display this help and exit
  -V, --version            output version information and exit

Ok what’s this? Some json messages

{"jsonrpc
:"2.0
,"method
:"job
,"params
:{"blob
:"0707ebcda6da05d4e7f7099dd9a07523ea3d1947567940c8f7b57636f313b58d64432a2c8e00c300000097d66d6dae552c3287e9c235cab543ea97e8e3fed1e98c890a23e56759febbcf6309
,"job_id
:"14209970
,"target
:"cf8b0000
,"algo
:"cn/1
,"variant
:1}}
201970
,"target
:"cf8b0000
,"algo
:"cn/1
,"variant
:1},"extensions
:["algo
,"nicehash
]},"status
:"OK
185.144.29.36

So It’s mining CN/1 (CryptoNight?) and using that IP as a job server

There’s a bunch of other funky addresses as well

m09zr.fde.zarid.com:6666
m09zr.fde.zarid.com:80
emergency.z0e.aqkig.com:5555

Most of these are unreachable

EYYYY! Now we’ve got the miner password etc, very secure…

>x;6 
        "algo": "cryptonight",
        "background": false,
        "colors": true,
        "retries": 5,
        "retry-pause": 5,
        "syslog": false,
        "print-time": 60,
        "av": 0,
        "safe": false,
        "cpu-priority": null,
        "cpu-affinity": null,
        "threads": 8,
        "pools": [
                        "url": "185.144.29.36:5450",
                        "user": "4f6b8090-05d4-4e5d-9137-f502d5de0749",
                        "pass": "x",
                        "keepalive": false,
                        "nicehash": false,
                        "variant": 1
        "api": {
                "port": 0,
                "access-token": null,
                "worker-id": null

In fact I can actually see hashes in memory also

So congrats you got hit with xmrig miner malware somehow.
Given that it’s only a minidump I’m limited to just this one process’s memory and can’t tell you how it got onto the system etc, just what it’s currently doing.

But yeah kinda neat :smiley:


#13

So where is that IP you may ask?

Chelyabinsk in the Russian Federation of course!

;; ANSWER SECTION:
36.29.144.185.in-addr.arpa. 3600 IN     PTR     vps.joko.xyz.

;; AUTHORITY SECTION:
29.144.185.in-addr.arpa. 172799 IN      NS      ns2.profitserver.ru.
29.144.185.in-addr.arpa. 172799 IN      NS      ns1.profitserver.ru.

They’ve even got their own nameservers so it’s really easy to get the specific DNS name for that machine :stuck_out_tongue:

That server in turn has an open RDP, SMB everything

PORT      STATE SERVICE       REASON  VERSION
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  syn-ack Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ms-wbt-server syn-ack Microsoft Terminal Service
49154/tcp open  msrpc         syn-ack Microsoft Windows RPC
49155/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

So I speculate that even that machine is a compromised machine belonging to someone else.


#14

that is a deep rabbit hole


#15

I’ve reported it to [email protected] - it seems to be a russian VPS host.
Hopefully they are a legit company and not part of the cryptomining operation.

Additionally I’ve added the IP and some signatures of the memory to a few blacklists & AV lists which should soon make their way to AV vendors.


#16

I’m not a Windows person, so correct me if I’m wrong…

In this thread, we’ve confirmed malware masquerading as Microsoft Notepad, initiating remote connections to zarid.com and aqkig.com, utlizing the CN/1 (cryptonite) algorhythm to quietly mine Monero on the hardware of victims infected with ‘xmrig’ malware.

Do I follow?


#17

Pretty much yes and @Dje4321 hasn’t even come back to notice yet :slight_smile:

The Main IP used is: 185.144.29.36
And xmrig is technically a legit xmr mining application, just here its merely only a modified payload of another piece of malware and masquerading as notepad.exe


#18

I also found someone else that found the exact some cryptominer 2 days ago

It drops it’s files in C:\ProgramData\fWyfnSWdrs\cfgi
Something I’ve also seen with yours.

Very basic over all though. Almost no attempt at obfuscation.


#19

Yeah, could’ve put its stuff in C:\Program Files\NotAVirus\bin


#20

i would 100% not notice if it set the affinity to a couple of threads and capped execution at 5-10% XD


#21

something like 40% of xmr is mined with malware after the asic delay fork.

this seems like a pretty lazy attempt at it of the one’s i’ve seen though