This might be relevant…
Not really. This is a CPU miner embedded into notepad, not about notepad itself.
I’m willing to bet this is not the notepad exe that’s had a payload injected, rather it’s just the malicious exe disguising itself as notepad.
Confirmed. It’s the legit notepad exe - signature and hash even matches.
The real miner is hiding elsewhere or is a memory resident loaded from an entirely different file.
Ye. Would only open notepad if it was in C:\Windows, which is strange. It could at least try and pretend to be a regular notepad executable XD
Figures. There's a reason why I included the dump along with it. I know this kind of shit exists. Strange that Task Manager said it was running from notepad.exe.
My Windows 10 notepad.exe
e9f2fbe8e1bc49d107df36ef09f6d0aeb8901516980d3fe08ee73ab7b4a2325f
Your notepad.exe (Windows 7 SP1)
933e1778b2760b3a9194c2799d7b76052895959c3caedefb4e9d764cbb6ad3b5
Windows 7 SP1 legit checksum from my W7 test system
933e1778b2760b3a9194c2799d7b76052895959c3caedefb4e9d764cbb6ad3b5
So yeah, legit notepad file, the real process is just disguising itself. It's very easy to fake a process name in Windows / inject yourself into legit notepad.exe memory.
Might poke the dump file just now
Enjoy. Feel free to report on anything you find, as I'm curious what it was.
I’m about 99.99995% sure that the Debian operating system does not have this same notepad.exe bug. You should make the switch. Your security depends on it!
Somehow I think she’d prefer Fedora
Based on the flair alone, I too would surmise she prefers Fedora.
But here we are… in a thread about #WindowsProblems.
Dumped the memory
Working with minidump files is a bit more annoying than full dumps
But found an IP address + port it's connecting to pretty fast:
185.144.29.36:5450
Hmm interesting, this should look familiar to any crypto miners
[2018-07-13 21:31:55] new job from 185.144.29.36:5450 diff 120001 algo cn/1
LOL
XMRig 2.6.2
built on May 6 2018 with GCC
%d.%d.%d
features: 64-bit AES
How convenient, now I know the xmrig commands without looking them up!
Usage: xmrig [OPTIONS]
Options:
-a, --algo=ALGO specify the algorithm to use
cryptonight
cryptonight-lite
cryptonight-heavy
-o, --url=URL URL of mining server
-O, --userpass=U:P username:password pair for mining server
-u, --user=USERNAME username for mining server
-p, --pass=PASSWORD password for mining server
--rig-id=ID rig identifier for pool-side statistics (needs pool support)
-t, --threads=N number of miner threads
-v, --av=N algorithm variation, 0 auto select
-k, --keepalive send keepalived for prevent timeout (need pool support)
-r, --retries=N number of times to retry before switch to backup server (default: 5)
-R, --retry-pause=N time to pause between retries (default: 5)
--cpu-affinity set process affinity to CPU core(s), mask 0x3 for cores 0 and 1
--cpu-priority set process priority (0 idle, 2 normal to 5 highest)
--no-huge-pages disable huge pages support
--no-color disable colored output
--variant algorithm PoW variant
--donate-level=N donate level, default 5%% (5 minutes in 100 minutes)
--user-agent set custom user-agent string for pool
-B, --background run the miner in the background
-c, --config=FILE load a JSON-format configuration file
-l, --log-file=FILE log all output to a file
--max-cpu-usage=N maximum CPU usage for automatic threads mode (default 75)
--safe safe adjust threads and av settings for current CPU
--nicehash enable nicehash/xmrig-proxy support
--print-time=N print hashrate report every N seconds
--api-port=N port for the miner API
--api-access-token=T access token for API
--api-worker-id=ID custom worker-id for API
--api-ipv6 enable IPv6 support for API
--api-no-restricted enable full remote access (only if API token set)
-h, --help display this help and exit
-V, --version output version information and exit
Ok what's this? Some JSON messages
{"jsonrpc":"2.0","method":"job","params":{"blob":"0707ebcda6da05d4e7f7099dd9a07523ea3d1947567940c8f7b57636f313b58d64432a2c8e00c300000097d66d6dae552c3287e9c235cab543ea97e8e3fed1e98c890a23e56759febbcf6309","job_id":"14209970","target":"cf8b0000","algo":"cn/1","variant":1}}
…201970","target":"cf8b0000","algo":"cn/1","variant":1},"extensions":["algo","nicehash"]},"status":"OK"
185.144.29.36
So it's mining CN/1 (CryptoNight?) and using that IP as a job server.
There’s a bunch of other funky addresses as well
m09zr.fde.zarid.com:6666
m09zr.fde.zarid.com:80
emergency.z0e.aqkig.com:5555
Most of these are unreachable
EYYYY! Now we’ve got the miner password etc, very secure…
{
    "algo": "cryptonight",
    "background": false,
    "colors": true,
    "retries": 5,
    "retry-pause": 5,
    "syslog": false,
    "print-time": 60,
    "av": 0,
    "safe": false,
    "cpu-priority": null,
    "cpu-affinity": null,
    "threads": 8,
    "pools": [
        {
            "url": "185.144.29.36:5450",
            "user": "4f6b8090-05d4-4e5d-9137-f502d5de0749",
            "pass": "x",
            "keepalive": false,
            "nicehash": false,
            "variant": 1
        }
    ],
    "api": {
        "port": 0,
        "access-token": null,
        "worker-id": null
    }
}
In fact I can actually see hashes in memory also
So congrats you got hit with xmrig miner malware somehow.
Given that it’s only a minidump I’m limited to just this one process’s memory and can’t tell you how it got onto the system etc, just what it’s currently doing.
But yeah kinda neat
So where is that IP you may ask?
Chelyabinsk in the Russian Federation of course!
;; ANSWER SECTION:
36.29.144.185.in-addr.arpa. 3600 IN PTR vps.joko.xyz.
;; AUTHORITY SECTION:
29.144.185.in-addr.arpa. 172799 IN NS ns2.profitserver.ru.
29.144.185.in-addr.arpa. 172799 IN NS ns1.profitserver.ru.
They’ve even got their own nameservers so it’s really easy to get the specific DNS name for that machine
That server in turn has open RDP, SMB, everything:
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Service
49154/tcp open msrpc syn-ack Microsoft Windows RPC
49155/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
So I speculate that even that machine is a compromised machine belonging to someone else.
That is a deep rabbit hole.
I've reported it to [email protected] - it seems to be a Russian VPS host.
Hopefully they are a legit company and not part of the cryptomining operation.
Additionally I’ve added the IP and some signatures of the memory to a few blacklists & AV lists which should soon make their way to AV vendors.
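As an added example (not code from the thread), a small Python string-carver that pulls the same artefacts out of a process dump: stratum job messages, the xmrig pool config, host:port endpoints, and the pool difficulty from a job's target (the "cf8b0000" target above is what the log reports as "diff 120001"). The sample bytes are constructed from values quoted in the thread; the surrounding bytes are made up.

```python
import json
import re

# Constructed sample standing in for strings carved from the notepad.exe minidump.
SAMPLE_DUMP = (
    b"\x00XMRig 2.6.2\x00built on May 6 2018 with GCC\x00"
    b'{"jsonrpc":"2.0","method":"job","params":{"blob":"0707eb","job_id":"14209970",'
    b'"target":"cf8b0000","algo":"cn/1","variant":1}}\x00\xff'
    b'"pools": [{"url": "185.144.29.36:5450", "user": "4f6b8090-05d4-4e5d-9137-f502d5de0749",'
    b' "pass": "x", "keepalive": false, "nicehash": false, "variant": 1}]\x00'
    b"m09zr.fde.zarid.com:6666\x00emergency.z0e.aqkig.com:5555\x00\xfe"
)

JOB_RE = re.compile(rb'\{"jsonrpc":"2\.0","method":"job",.*?\}\}', re.DOTALL)
POOLS_RE = re.compile(rb'"pools"\s*:\s*\[(.*?)\]', re.DOTALL)
HOSTPORT_RE = re.compile(rb"\b(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+):\d{2,5}\b")

def target_to_difficulty(target_hex: str) -> int:
    """CryptoNight stratum 32-bit target is little-endian; difficulty = 0xFFFFFFFF // target."""
    target = int.from_bytes(bytes.fromhex(target_hex), "little")
    return 0xFFFFFFFF // target

def find_jobs(data: bytes) -> list:
    """Return the params of every complete stratum 'job' message; torn messages are skipped."""
    jobs = []
    for m in JOB_RE.finditer(data):
        try:
            jobs.append(json.loads(m.group(0))["params"])
        except (ValueError, KeyError):
            continue
    return jobs

def find_pools(data: bytes) -> list:
    """Return pool entries (url/user/pass/...) from an embedded xmrig JSON config."""
    pools = []
    for m in POOLS_RE.finditer(data):
        try:
            pools.extend(json.loads(b"[" + m.group(1) + b"]"))
        except ValueError:
            continue
    return pools

def find_endpoints(data: bytes) -> list:
    """Unique host:port / ip:port strings, sorted, for blocklisting and pivoting."""
    return sorted({m.group(0).decode() for m in HOSTPORT_RE.finditer(data)})

def is_miner_present(data: bytes) -> bool:
    return b"XMRig" in data or bool(find_jobs(data)) or bool(find_pools(data))

def summarize(data: bytes) -> dict:
    jobs = find_jobs(data)
    return {"miner": is_miner_present(data), "endpoints": find_endpoints(data),
            "pools": [(p.get("url"), p.get("user")) for p in find_pools(data)],
            "difficulty": [target_to_difficulty(j["target"]) for j in jobs if "target" in j]}
```

Run it over the raw bytes of a dump (`summarize(open(path, "rb").read())`); a notepad.exe that yields anything but an empty summary is worth a closer look.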
I’m not a Windows person, so correct me if I’m wrong…
In this thread, we've confirmed malware masquerading as Microsoft Notepad, initiating remote connections to zarid.com and aqkig.com, utilizing the CN/1 (CryptoNight) algorithm to quietly mine Monero on the hardware of victims infected with 'xmrig' malware.
Do I follow?
Pretty much yes and @Dje4321 hasn’t even come back to notice yet
The Main IP used is: 185.144.29.36
And xmrig is technically a legit XMR mining application, just here it's merely a modified payload of another piece of malware masquerading as notepad.exe.
I also found someone else that found the exact same cryptominer 2 days ago.
It drops its files in C:\ProgramData\fWyfnSWdrs\cfgi
Something I’ve also seen with yours.
Very basic overall though. Almost no attempt at obfuscation.
Yeah, could’ve put its stuff in C:\Program Files\NotAVirus\bin
I would 100% not notice if it set the affinity to a couple of threads and capped execution at 5-10% XD
Something like 40% of XMR is mined with malware after the ASIC delay fork.
This seems like a pretty lazy attempt at it of the ones I've seen though.