Coinminer - Malware Analysis

Coinminer’s presentation 🪙

Cryptocurrency miners generate popular digital currencies like Bitcoin, Monero, and Ethereum. When used willingly, they can be a valuable income source. However, malware creators have designed threats that exploit accessible mining software to harness another user’s computing resources without consent — a practice known as cryptojacking.

Download: https://bazaar.abuse.ch/download/b56608aa06ded2deaf07/

$hashMD5 = Get-FileHash .\coinminer.exe -Algorithm MD5
$hashSHA256 = Get-FileHash .\coinminer.exe -Algorithm SHA256
$hashMD5, $hashSHA256 | Format-Table Algorithm, Hash

Algorithm Hash
--------- ----
MD5       61CC7E8A49ED8D3B193E9394907B7081
SHA256    3AEAB6E4D9FB1E51C0D94069517FD681EBC9CB4AB5A945650C17E50A19C958A2

File identification :

 file coinminer.exe
coinminer.exe: PE32+ executable (GUI) x86-64, for MS Windows

Score vt 33/49 for this PE32+ exe

Static Analysis :

PS C:\Users\Julien\Desktop\bads\CoinMiner > & $exiftoolPath $targetFile
ExifTool Version Number         : 13.00
File Name                       : coinminer.exe
Directory                       : C:/Users/Julien/Desktop/bads/CoinMiner
File Size                       : 5.8 MB
File Modification Date/Time     : 2024:11:01 18:43:14+01:00
File Access Date/Time           : 2024:11:02 14:22:58+01:00
File Creation Date/Time         : 2024:11:02 13:26:14+01:00
File Permissions                : -rw-rw-rw-
File Type                       : Win64 EXE
File Type Extension             : exe
MIME Type                       : application/octet-stream
Machine Type                    : AMD AMD64
Time Stamp                      : 2024:02:01 17:53:31+01:00
Image File Characteristics      : Executable, Large address aware
PE Type                         : PE32+
Linker Version                  : 14.0
Code Size                       : 41984
Initialized Data Size           : 5228032
Uninitialized Data Size         : 0
Entry Point                     : 0x1140
OS Version                      : 6.0
Image Version                   : 0.0
Subsystem Version               : 6.0
Subsystem                       : Windows GUI
File Version Number             : 70.0.3538.110
Product Version Number          : 70.0.3538.110
File Flags Mask                 : 0x0000
File Flags                      : (none)
File OS                         : Unknown (0)
Object File Type                : Unknown
File Subtype                    : 0
Language Code                   : English (U.S.)
Character Set                   : Windows, Latin1
Company Name                    : Google Inc.
File Title                      : chrome.exe
File Description                : Google Chrome
File Version                    : 70,0,3538,110
Legal Copyright                 : Copyright 2017 Google Inc. All rights reserved.
Legal Trademark                 :
Product Name                    : Google Chrome
Product Version                 : 70,0,3538,110
-- press ENTER --

A quick use of Floss to retrieve the important strings:

floss .\coinminer.exe > abcd.txt
INFO: floss: extracting static strings
finding decoding function features: 100%|█████████████████████| 79/79 [00:00<00:00, 2591.26 functions/s, skipped 0 library functions]
INFO: floss.stackstrings: extracting stackstrings from 53 functions
extracting stackstrings: 100%|███████████████████████████████████████████████████████████████| 53/53 [00:05<00:00, 10.57 functions/s]
INFO: floss.tightstrings: extracting tightstrings from 5 functions...
extracting tightstrings from function 0x14000aff0: 100%|███████████████████████████████████████| 5/5 [00:00<00:00, 16.01 functions/s]
INFO: floss.string_decoder: decoding strings
emulating function 0x140002660 (call 3/3): 100%|█████████████████████████████████████████████| 22/22 [00:16<00:00,  1.37 functions/s]
INFO: floss: finished execution after 43.11 seconds
INFO: floss: rendering results

Results:

FLARE FLOSS RESULTS (version v3.1.0-0-gdb9af41)

+------------------------+----------------------------------------------------+
| file path              | coinminer.exe                                      |
| identified language    | unknown                                            |
| extracted strings      |                                                    |
|  static strings        | 268739 (1486301 characters)                        |
|   language strings     |      0 (      0 characters)                        |
|  stack strings         | 0                                                  |
|  tight strings         | 0                                                  |
|  decoded strings       | 0                                                  |
+------------------------+----------------------------------------------------+

We managed to extract many strings, but nothing particularly interesting (http, cmd, ip, etc.).

Pestudio provided information on several techniques related to CoinMiner and at least one embedded file:

techniques (2)

file embedded

To gain more insights on these points, we decided to submit CoinMiner to a dynamic analysis.

Dynamic Analysis :

let’s run it

After analysis, 150+ processes, 2 files extracted, and a more comprehensive overview of the TTPs used:

 Main processes:

 CoinMiner.exe (PID: 752)  13/23
 powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force (PID: 736)
 cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart (PID: 8352)
 wusa.exe wusa /uninstall /kb:890830 /quiet /norestart (PID: 340) 
 sc.exe stop UsoSvc (PID: 416)
 sc.exe stop WaaSMedicSvc (PID: 3900)
 sc.exe stop wuauserv (PID: 2444)
 sc.exe stop bits (PID: 2304)
 sc.exe stop dosvc (PID: 3388)
 powercfg.exe /x -hibernate-timeout-dc 0 (PID: 5268) 
 powercfg.exe /x -hibernate-timeout-ac 0 (PID: 6992) 
 powercfg.exe /x -standby-timeout-ac 0 (PID: 5316) 
 sc.exe delete "JVNIRHNX" (PID: 6492)
 powercfg.exe /x -standby-timeout-dc 0 (PID: 6688) 
 sc.exe create "JVNIRHNX" binpath= "%ALLUSERSPROFILE%\xhzmmmxzrrwn\fqwofdtexigy.exe" start= "auto" (PID: 7068)
 sc.exe stop eventlog (PID: 9020)
 sc.exe start "JVNIRHNX" (PID: 4888)
 cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\CoinMiner.exe" (PID: 8464)
 choice.exe choice /C Y /N /D Y /T 3 (PID: 4868) 
 cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart (PID: 1748)
 sc.exe stop UsoSvc (PID: 7336)
 sc.exe stop WaaSMedicSvc (PID: 4400)
 sc.exe stop wuauserv (PID: 1256)
 sc.exe stop bits (PID: 3148)
 sc.exe stop dosvc (PID: 8872)

Behavior graph

The analysis of the processes reveals a well-orchestrated strategy to maintain presence on the system while avoiding detection. This involves modifying system settings and stopping several Windows services. The execution of CoinMiner.exe clearly indicates the use of mining software. Additionally, the commands utilizing wusa.exe and powershell.exe seem aimed at excluding certain paths from Windows Defender’s monitoring and uninstalling specific updates, likely to evade detection. Lastly, the creation and management of the “JVNIRHNX” service highlight an effort to ensure persistence through a hidden executable, reinforcing the malicious nature of the observed activities.

Files identified:

File 1 : fqwofdtexigy.exe
  
MD5: 444e574f23ea438cb1649f24e3315ebd
SHA1: 3772b0565ade82696b4382d783a96ee4691438ce
SHA256: 9abd58c7fbd548a574a9d99c9048e9269428a7c2fa1324d63e177e2460f88eae
 
(PID) Process: (5948) fqwofdtexigy.exe 
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
Operation: write Name: DontOfferThroughWUAU
Value: 1


File 2 : StartupProfileData-NonInteractive
   
MD5: 446dd1cf97eaba21cf14d03aebc79f27
SHA1: 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256: a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

In this context, file 1 (fqwofdtexigy.exe) has also been observed in the wild during the same period, linked to a sample of another Coinminer: w2EhpArSUP.exe (SHA256: a2d7b3a0425ac23b1fda3c12674ead2d7cd06ac36ce98b5fe04e1469d618ce3a). This indicates that the same threat actor is widely distributing multiple Coinminers:

w2EhpArSUP.exe > fqwofdtexigy.exe

The reported YARA detection rules indicate the presence of the “XMRIG” cryptominer based on macOS.

Yara rules matched

Threat intel :

An analysis published in 2023 indicates that XMRig is a command-line cryptomining tool (for Monero) commonly used for legitimate purposes. However, due to its flexibility and open-source code, it is also highly favored by malicious actors. It is also noted that a trojan may execute in this manner under the guise of Final Cut Pro, the video editing software developed by Apple.

This deceptive marketing technique is known as “bundling.” Often, “bundling” is used to introduce multiple potentially unwanted programs (PUAs) into a system simultaneously. Therefore, it is highly likely that the XMRIG virus arrived alongside various adware-type applications that display intrusive ads and collect sensitive information.

TTPs :

### TTPs of coinminer.exe

| ATT&CK ID  | Tactic             | Technique                              | Details                                                                                                    |
|------------|--------------------|----------------------------------------|------------------------------------------------------------------------------------------------------------|
| T1553.002  | Defense Evasion    | Invalid Certificate                    | The input sample is signed with an invalid certificate. Error: The operation completed successfully. (0x0) |
| T1036      | Defense Evasion    | Drops Executable Files                 | File type "PE32+ executable (GUI) x86-64 for MS Windows" dropped at "%ALLUSERSPROFILE%\xhzmmmxzrrwn\fqwofdtexigy.exe" |
| T1036      | Defense Evasion    | Masquerading                           | Additional evasion technique used to obscure true identity of the executable.                              |
| T1569.002  | Execution          | Starts Security-Related Services       | Process "sc.exe" with commandline "start 'JVNIRHNX'"                                                       |
| T1543.003  | Privilege Escalation | Windows Service                      | Elevated privileges gained through service manipulation.                                                   |
| T1105      | Command and Control| Installation/Persistence               | Drops "fqwofdtexigy.exe" (PE32+ executable) at "%ALLUSERSPROFILE%\xhzmmmxzrrwn\fqwofdtexigy.exe"           |
| T1018      | Discovery          | Identifies Remote Systems              | Found string "ping 0, GenuineInte%"                                                                        |
| T1057      | Discovery          | Process Discovery                      | Enumerates running processes on the system.                                                                |
| T1497      | Discovery          | Virtualization/Sandbox Evasion         | Detects virtualized environments to avoid analysis in sandboxes.                                           |
| T1070.004  | Defense Evasion    | Marks Files for Deletion               | "CoinMiner.exe" marked "C:\Windows\System32\MRT.exe" for deletion                                          |
| T1055.005  | Defense Evasion    | Opens File with Deletion Access Rights | "CoinMiner.exe" has TLS callbacks with entrypoints at 0x40001760, 0x1, 0x400017e0                          |
| T1129      | Defense Evasion    | Looks up Procedures from Modules       | Procedures from ntdll.dll                                                                                   |
| T1027      | Defense Evasion    | Compiler/Packer Signature              | "CoinMiner.exe" detected as "Microsoft Linker"                                                             |
| T1560      | Collection         | Archive Collected Data                 | Archives gathered information for exfiltration or later use.                                               |
| T1543.003  | Persistence        | Windows Service                        | Maintains persistence by creating or manipulating a Windows service.                                       |
| T1574.002  | Persistence        | DLL Side-Loading                       | Persists by loading malicious DLLs into trusted applications.                                              |

IOCs :

MD5: 61cc7e8a49ed8d3b193e9394907b7081
SHA: f8bda1038a396707475a9a8db0003e524030fd4f
SHA256: 3aeab6e4d9fb1e51c0d94069517fd681ebc9cb4ab5a945650c17e50a19c958a2
SHA256: 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA256: 20B3BE3AA8F0130B85379E7862946C6FB6C179A58137AC7DBBCB21A0F4D321CF
 
File namme: VPS64.exe 
File name: fqwofdtexigy.exe
File name: WinRing0.sys
File name: f8bda1038a396707475a9a8db0003e524030fd4f.exe

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT

Detection & Hunting :

Yara:

rule CoinMiner {
   meta:
      description = "CoinMiner.exe - 3aeab6e4d9fb1e51c0d94069517fd681ebc9cb4ab5a945650c17e50a19c958a2"
      date = "2024-11-03"
      hash1 = "3aeab6e4d9fb1e51c0d94069517fd681ebc9cb4ab5a945650c17e50a19c958a2"
   strings:
      $s1 = "; 2\"+,2*" fullword ascii /* score: '9.00'*/ /* hex encoded string '"' */
      $s2 = "\"/\"$#2!1?" fullword ascii /* score: '9.00'*/ /* hex encoded string '!' */
      $s3 = ":?6==,D >" fullword ascii /* score: '9.00'*/ /* hex encoded string 'm' */
      $s4 = "%,!63#*,#%" fullword ascii /* score: '9.00'*/ /* hex encoded string 'c' */
      $s5 = "3^:.^)>B#,?!$6=8,:" fullword ascii /* score: '9.00'*/ /* hex encoded string ';h' */
      $s6 = ";*-3/%+>0" fullword ascii /* score: '9.00'*/ /* hex encoded string '0' */
      $s7 = "2/<*D<'52" fullword ascii /* score: '9.00'*/ /* hex encoded string '-R' */
      $s8 = "^&>\"745.6" fullword ascii /* score: '9.00'*/ /* hex encoded string 'tV' */
      $s9 = "\"?:=2.&7+" fullword ascii /* score: '9.00'*/ /* hex encoded string ''' */
      $s10 = "_7('7/\"?" fullword ascii /* score: '9.00'*/ /* hex encoded string 'w' */
   condition:
      uint16(0) == 0x5a4d and filesize < 6252KB and filesize > 5116KB and
      all of ($s*)
}

Dropped files:

PID 3964 > nslookup.exe > C:\Windows\System32\nslookup.exe
PID 5220 > powershell.exe > C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
PID 5948 > fqwofdtexigy.exe > C:\Windows\Temp\lvvrmxqkwnox.sys
PID 6976 > powershell.exe > C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
PID 7028 > f8bda1038a396707475a9a8db0003e524030fd4f.exe > C:\ProgramData\xhzmmmxzrrwn\fqwofdtexigy.exe

The presence of files generated by CoinMiner, such as fqwofdtexigy.exe, and their execution via PowerShell from unusual startup paths indicates a clever strategy to maintain a foothold on the system while avoiding detection by blending in with legitimate processes.

Key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT

Mitigation Measures:

• To protect against threats associated with XMRig, which is a legitimate Monero mining tool, it is crucial to block all known threat indicators related to its misuse within your security controls.

• Conduct searches for Indicators of Compromise (IOCs) linked to unauthorized XMRig infections within your environment, using your available security tools. Ensure that all platforms and software are promptly patched and updated, focusing on vulnerabilities that may be exploited by malicious actors distributing counterfeit versions of XMRig. This should be a core component of your security policy.

• In addition to hardening networks and systems, implement code hardening measures for web applications and software to safeguard your organization against potential threats from malicious XMRig distributions. Use vulnerability testing tools to detect weaknesses in deployed code that could be exploited by these counterfeit versions.

• Strengthen your cyber hygiene by keeping antivirus software up to date and following a structured patch management lifecycle. To further mitigate risk, consider using ad blockers and disabling JavaScript in web browsers to reduce exposure to malicious downloads often associated with unauthorized XMRig distributions.

• Finally, remain vigilant regarding counterfeit software and suspicious download links, particularly those found on torrent sites. These sources may offer fake versions of XMRig or other mining tools, which can lead to malware infections. Always use software from trusted and verified sources to ensure security.

Thank you for reading! :) Julien