Dumped the memory
Working with minidump files is a bit more annoying than full dumps
But found an IP address+Port it’s connecting to pretty fast:
185.144.29.36:5450
Hmm interesting, this should look familiar to any crypto miners
[2018-07-13 21:31:55] new job from 185.144.29.36:5450 diff 120001 algo cn/1
LOL
XMRig 2.6.2
built on May 6 2018 with GCC
%d.%d.%d
features: 64-bit AES
How convenient - now I know the xmrig commands without looking it up!
Usage: xmrig [OPTIONS]
Options:
-a, --algo=ALGO specify the algorithm to use
cryptonight
cryptonight-lite
cryptonight-heavy
-o, --url=URL URL of mining server
-O, --userpass=U:P username:password pair for mining server
-u, --user=USERNAME username for mining server
-p, --pass=PASSWORD password for mining server
--rig-id=ID rig identifier for pool-side statistics (needs pool support)
-t, --threads=N number of miner threads
-v, --av=N algorithm variation, 0 auto select
-k, --keepalive send keepalived for prevent timeout (need pool support)
-r, --retries=N number of times to retry before switch to backup server (default: 5)
-R, --retry-pause=N time to pause between retries (default: 5)
--cpu-affinity set process affinity to CPU core(s), mask 0x3 for cores 0 and 1
--cpu-priority set process priority (0 idle, 2 normal to 5 highest)
--no-huge-pages disable huge pages support
--no-color disable colored output
--variant algorithm PoW variant
--donate-level=N donate level, default 5%% (5 minutes in 100 minutes)
--user-agent set custom user-agent string for pool
-B, --background run the miner in the background
-c, --config=FILE load a JSON-format configuration file
-l, --log-file=FILE log all output to a file
--max-cpu-usage=N maximum CPU usage for automatic threads mode (default 75)
--safe safe adjust threads and av settings for current CPU
--nicehash enable nicehash/xmrig-proxy support
--print-time=N print hashrate report every N seconds
--api-port=N port for the miner API
--api-access-token=T access token for API
--api-worker-id=ID custom worker-id for API
--api-ipv6 enable IPv6 support for API
--api-no-restricted enable full remote access (only if API token set)
-h, --help display this help and exit
-V, --version output version information and exit
Ok what’s this? Some json messages
{"jsonrpc":"2.0","method":"job","params":{"blob":"0707ebcda6da05d4e7f7099dd9a07523ea3d1947567940c8f7b57636f313b58d64432a2c8e00c300000097d66d6dae552c3287e9c235cab543ea97e8e3fed1e98c890a23e56759febbcf6309","job_id":"14209970","target":"cf8b0000","algo":"cn/1","variant":1}}
201970","target":"cf8b0000","algo":"cn/1","variant":1},"extensions":["algo","nicehash"]},"status":"OK"
185.144.29.36
So it's mining CN/1 (CryptoNight?) and using that IP as a job server
There’s a bunch of other funky addresses as well
m09zr.fde.zarid.com:6666
m09zr.fde.zarid.com:80
emergency.z0e.aqkig.com:5555
Most of these are unreachable
EYYYY! Now we’ve got the miner password etc, very secure…
>x;6
{
    "algo": "cryptonight",
    "background": false,
    "colors": true,
    "retries": 5,
    "retry-pause": 5,
    "syslog": false,
    "print-time": 60,
    "av": 0,
    "safe": false,
    "cpu-priority": null,
    "cpu-affinity": null,
    "threads": 8,
    "pools": [
        {
            "url": "185.144.29.36:5450",
            "user": "4f6b8090-05d4-4e5d-9137-f502d5de0749",
            "pass": "x",
            "keepalive": false,
            "nicehash": false,
            "variant": 1
        }
    ],
    "api": {
        "port": 0,
        "access-token": null,
        "worker-id": null
    }
}
In fact I can actually see hashes in memory also
So congrats you got hit with xmrig miner malware somehow.
Given that it’s only a minidump I’m limited to just this one process’s memory and can’t tell you how it got onto the system etc, just what it’s currently doing.
But yeah kinda neat