Adventures of poking at a cpu miner

This might be relevant…

Not really. This is a CPU miner embedded into notepad, not about notepad itself.


I’m willing to bet this is not the notepad exe that’s had a payload injected, rather it’s just the malicious exe disguising itself as notepad.

Confirmed. It’s the legit notepad exe - signature and hash even matches.
The real miner is hiding elsewhere or is a memory resident loaded from an entirely different file.


Yeah. Would only open notepad if it was in C:\Windows, which is strange. It could at least try and pretend to be a regular notepad executable XD

Figures. That’s a reason why I included the dump along with it. I know this kind of shit exists. Strange that Task Manager said it was running from notepad.exe.

My Windows 10 notepad.exe


Your notepad.exe (Windows 7 SP1)


Windows 7 SP1 legit checksum from my W7 test system


So yeah, legit notepad file, the real process is just disguising itself. It’s very easy to fake a process name in Windows or inject yourself into legit notepad.exe memory.

Might poke the dump file just now


Enjoy. Feel free to report on anything you find, as I’m curious what it was.


I’m about 99.99995% sure that the Debian operating system does not have this same notepad.exe bug. You should make the switch. Your security depends on it! :stuck_out_tongue:

Somehow I think she’d prefer Fedora :stuck_out_tongue:



Somehow I think she’d prefer Fedora :stuck_out_tongue:

Based on the flair alone, I too would surmise she prefers Fedora.

But here we are… in a thread about #WindowsProblems. :joy:

Dumped the memory

Working with minidump files is a bit more annoying than full dumps
But found an IP address+Port it’s connecting to pretty fast: 

Hmm interesting, this should look familiar to any crypto miners

[2018-07-13 21:31:55] new job from diff 120001 algo cn/1


XMRig 2.6.2
 built on May  6 2018 with GCC
 features: 64-bit AES

How convenient - now I know the xmrig commands without looking them up!

Usage: xmrig [OPTIONS]
  -a, --algo=ALGO          specify the algorithm to use
  -o, --url=URL            URL of mining server
  -O, --userpass=U:P       username:password pair for mining server
  -u, --user=USERNAME      username for mining server
  -p, --pass=PASSWORD      password for mining server
      --rig-id=ID          rig identifier for pool-side statistics (needs pool support)
  -t, --threads=N          number of miner threads
  -v, --av=N               algorithm variation, 0 auto select
  -k, --keepalive          send keepalived for prevent timeout (need pool support)
  -r, --retries=N          number of times to retry before switch to backup server (default: 5)
  -R, --retry-pause=N      time to pause between retries (default: 5)
      --cpu-affinity       set process affinity to CPU core(s), mask 0x3 for cores 0 and 1
      --cpu-priority       set process priority (0 idle, 2 normal to 5 highest)
      --no-huge-pages      disable huge pages support
      --no-color           disable colored output
      --variant            algorithm PoW variant
      --donate-level=N     donate level, default 5%% (5 minutes in 100 minutes)
      --user-agent         set custom user-agent string for pool
  -B, --background         run the miner in the background
  -c, --config=FILE        load a JSON-format configuration file
  -l, --log-file=FILE      log all output to a file
      --max-cpu-usage=N    maximum CPU usage for automatic threads mode (default 75)
      --safe               safe adjust threads and av settings for current CPU
      --nicehash           enable nicehash/xmrig-proxy support
      --print-time=N       print hashrate report every N seconds
      --api-port=N         port for the miner API
      --api-access-token=T access token for API
      --api-worker-id=ID   custom worker-id for API
      --api-ipv6           enable IPv6 support for API
      --api-no-restricted  enable full remote access (only if API token set)
  -h, --help               display this help and exit
  -V, --version            output version information and exit

Ok what’s this? Some json messages


So it’s mining CN/1 (CryptoNight?) and using that IP as a job server.

There’s a bunch of other funky addresses as well

Most of these are unreachable

EYYYY! Now we’ve got the miner password etc, very secure…

{
    "algo": "cryptonight",
    "background": false,
    "colors": true,
    "retries": 5,
    "retry-pause": 5,
    "syslog": false,
    "print-time": 60,
    "av": 0,
    "safe": false,
    "cpu-priority": null,
    "cpu-affinity": null,
    "threads": 8,
    "pools": [
        {
            "url": "",
            "user": "4f6b8090-05d4-4e5d-9137-f502d5de0749",
            "pass": "x",
            "keepalive": false,
            "nicehash": false,
            "variant": 1
        }
    ],
    "api": {
        "port": 0,
        "access-token": null,
        "worker-id": null
    }
}

In fact I can actually see hashes in memory also

So congrats, you got hit with xmrig miner malware somehow.
Given that it’s only a minidump I’m limited to just this one process’s memory and can’t tell you how it got onto the system etc, just what it’s currently doing.

But yeah kinda neat :smiley:
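The artefacts this post pulled out of the minidump by hand (the XMRig version banner, the "new job from …" log line, the JSON config with pool user/password, and the IP:port the miner talks to) are exactly the strings a triage script can carve out of any raw process dump. The following is an added example, not code from the thread or from XMRig itself: it works on the dump as raw bytes, walks brace-balanced blobs so binary noise containing a stray `{` does not break JSON parsing, and reports the indicators in one dict. The DUMP bytes are constructed for demonstration; the pool address 192.0.2.10:3333 is a documentation placeholder, not the address from the thread, while the pool user ID is the one from the recovered config above.

```python
"""Carve XMRig indicators out of a raw process memory dump.
Added example for this thread, not XMRig's or the poster's code.
The DUMP bytes at the bottom are constructed test data."""

import json
import re

BANNER_RE = re.compile(rb"XMRig (\d+\.\d+\.\d+)")
# "[ts] new job from <pool> diff <n> algo <algo>" as XMRig logs it
STRATUM_JOB_RE = re.compile(rb"new job from (\S+) diff (\d+) algo (\S+)")
IPPORT_RE = re.compile(rb"\b((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})\b")


def find_banner(data: bytes):
    """Return the XMRig version string embedded in the dump, or None."""
    m = BANNER_RE.search(data)
    return m.group(1).decode() if m else None


def iter_json_objects(data: bytes, max_len: int = 1 << 16):
    """Yield every brace-balanced blob in data that parses as JSON.

    Starts at each '{' and walks to the matching '}', honouring string
    literals and escapes; a control byte outside a string means the blob
    is binary noise rather than JSON, so that start is abandoned."""
    i = 0
    while True:
        start = data.find(b"{", i)
        if start == -1:
            return
        depth, in_str, esc, end = 0, False, False, -1
        for j in range(start, min(len(data), start + max_len)):
            c = data[j]
            if in_str:
                if esc:
                    esc = False
                elif c == 0x5C:          # backslash
                    esc = True
                elif c == 0x22:          # closing quote
                    in_str = False
            elif c == 0x22:
                in_str = True
            elif c == 0x7B:
                depth += 1
            elif c == 0x7D:
                depth -= 1
                if depth == 0:
                    end = j
                    break
            elif c < 0x20 and c not in (0x09, 0x0A, 0x0D):
                break                    # binary noise, not JSON
        if end != -1:
            try:
                yield json.loads(data[start:end + 1].decode("utf-8"))
            except (UnicodeDecodeError, ValueError):
                pass
        i = start + 1


def extract_pool_configs(data: bytes):
    """Return (url, user, pass) for each pool in any XMRig-style config."""
    found = []
    for obj in iter_json_objects(data):
        if isinstance(obj, dict) and isinstance(obj.get("pools"), list):
            for pool in obj["pools"]:
                if isinstance(pool, dict):
                    found.append((pool.get("url"), pool.get("user"), pool.get("pass")))
    return found


def extract_stratum_jobs(data: bytes):
    """Return (pool, difficulty, algo) from XMRig 'new job' log lines."""
    return [(p.decode(), int(d), a.decode())
            for p, d, a in STRATUM_JOB_RE.findall(data)]


def extract_ip_ports(data: bytes):
    """Return unique, syntactically valid IPv4:port strings in the dump."""
    out = []
    for ip, port in IPPORT_RE.findall(data):
        if all(int(o) < 256 for o in ip.split(b".")) and 0 < int(port) < 65536:
            s = f"{ip.decode()}:{port.decode()}"
            if s not in out:
                out.append(s)
    return out


def triage(data: bytes) -> dict:
    """One-shot summary of the miner indicators found in a dump."""
    return {"version": find_banner(data),
            "pools": extract_pool_configs(data),
            "jobs": extract_stratum_jobs(data),
            "endpoints": extract_ip_ports(data)}


# Constructed stand-in for a minidump: PE-ish noise with a stray brace,
# then the banner, a job log line, the JSON config and the usage text.
DUMP = (
    b"\x00\x01MZ\x90\x00junk{\x00\x00"
    + b"XMRig 2.6.2\n built on May  6 2018 with GCC\n"
    + b"\x00\x00[2018-07-13 21:31:55] new job from 192.0.2.10:3333 diff 120001 algo cn/1\n"
    + b"\x00" * 8
    + b'{"algo":"cryptonight","threads":8,"pools":[{"url":"192.0.2.10:3333",'
    + b'"user":"4f6b8090-05d4-4e5d-9137-f502d5de0749","pass":"x","variant":1}],'
    + b'"api":{"port":0,"access-token":null}}\x00\x00'
    + b"Usage: xmrig [OPTIONS]\x00"
)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else DUMP
    print(json.dumps(triage(blob), indent=2))
```

Run it against a real `.dmp` as `python triage.py notepad.dmp`; with no argument it runs on the constructed bytes. The balanced-brace walk is what makes this usable on a dump rather than on a clean file: a plain `strings | grep pools` finds the config, but hands you nothing you can load as JSON.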


So where is that IP you may ask?

Chelyabinsk in the Russian Federation of course!


;; AUTHORITY SECTION: 172799 IN      NS 172799 IN      NS

They’ve even got their own nameservers so it’s really easy to get the specific DNS name for that machine :stuck_out_tongue:

That server in turn has open RDP, SMB, everything.

135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  syn-ack Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ms-wbt-server syn-ack Microsoft Terminal Service
49154/tcp open  msrpc         syn-ack Microsoft Windows RPC
49155/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

So I speculate that even that machine is a compromised machine belonging to someone else.


That is a deep rabbit hole.


I’ve reported it to [email protected] - it seems to be a russian VPS host.
Hopefully they are a legit company and not part of the cryptomining operation.

Additionally I’ve added the IP and some signatures of the memory to a few blacklists & AV lists which should soon make their way to AV vendors.


I’m not a Windows person, so correct me if I’m wrong…

In this thread, we’ve confirmed malware masquerading as Microsoft Notepad, initiating remote connections to and, utilizing the CN/1 (CryptoNight) algorithm to quietly mine Monero on the hardware of victims infected with ‘xmrig’ malware.

Do I follow?

Pretty much yes and @Dje4321 hasn’t even come back to notice yet :slight_smile:

The Main IP used is:
And xmrig is technically a legit XMR mining application; here it’s merely a modified payload of another piece of malware, masquerading as notepad.exe.


I also found someone else that found the exact same cryptominer 2 days ago.

It drops its files in C:\ProgramData\fWyfnSWdrs\cfgi
Something I’ve also seen with yours.

Very basic over all though. Almost no attempt at obfuscation.


Yeah, could’ve put its stuff in C:\Program Files\NotAVirus\bin


I would 100% not notice if it set the affinity to a couple of threads and capped execution at 5-10% XD


Something like 40% of XMR is mined with malware after the ASIC delay fork.

This seems like a pretty lazy attempt at it of the ones I’ve seen, though.