Cryptocurrency miners generate popular digital currencies like Bitcoin, Monero, and Ethereum. When used willingly, they can be a valuable income source. However, malware creators have designed threats that exploit accessible mining software to harness another user’s computing resources without consent — a practice known as cryptojacking.
```
file coinminer.exe
coinminer.exe: PE32+ executable (GUI) x86-64, for MS Windows
```
VirusTotal score: 33/49 detections for this PE32+ executable.
Static analysis:
```
PS C:\Users\Julien\Desktop\bads\CoinMiner > & $exiftoolPath $targetFile
ExifTool Version Number : 13.00
File Name : coinminer.exe
Directory : C:/Users/Julien/Desktop/bads/CoinMiner
File Size : 5.8 MB
File Modification Date/Time : 2024:11:01 18:43:14+01:00
File Access Date/Time : 2024:11:02 14:22:58+01:00
File Creation Date/Time : 2024:11:02 13:26:14+01:00
File Permissions : -rw-rw-rw-
File Type : Win64 EXE
File Type Extension : exe
MIME Type : application/octet-stream
Machine Type : AMD AMD64
Time Stamp : 2024:02:01 17:53:31+01:00
Image File Characteristics : Executable, Large address aware
PE Type : PE32+
Linker Version : 14.0
Code Size : 41984
Initialized Data Size : 5228032
Uninitialized Data Size : 0
Entry Point : 0x1140
OS Version : 6.0
Image Version : 0.0
Subsystem Version : 6.0
Subsystem : Windows GUI
File Version Number : 70.0.3538.110
Product Version Number : 70.0.3538.110
File Flags Mask : 0x0000
File Flags : (none)
File OS : Unknown (0)
Object File Type : Unknown
File Subtype : 0
Language Code : English (U.S.)
Character Set : Windows, Latin1
Company Name : Google Inc.
File Title : chrome.exe
File Description : Google Chrome
File Version : 70,0,3538,110
Legal Copyright : Copyright 2017 Google Inc. All rights reserved.
Legal Trademark :
Product Name : Google Chrome
Product Version : 70,0,3538,110
```
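The version resource above claims to be chrome.exe from Google Inc. while the file on disk is coinminer.exe; that mismatch is the masquerading signal worth automating in triage. The following Python script is an added example, not part of the original write-up: it parses exiftool's key/value output (the sample fields are copied from the listing above) and reports three checks. exiftool output alone does not say whether the file carries a valid Authenticode signature, so `signature_valid` is supplied by the caller; the vendor list, the five-year copyright-gap threshold and the function names are this example's own choices.

```python
import re

# Constructed sample: version-info fields as exiftool reported them for coinminer.exe
EXIFTOOL_OUTPUT = """\
File Name : coinminer.exe
File Type : Win64 EXE
Time Stamp : 2024:02:01 17:53:31+01:00
File Version Number : 70.0.3538.110
Company Name : Google Inc.
File Title : chrome.exe
File Description : Google Chrome
Product Name : Google Chrome
Legal Copyright : Copyright 2017 Google Inc. All rights reserved.
"""

# Illustrative list (an assumption of this example): vendors whose name in a
# version resource should always be backed by a valid Authenticode signature.
TRUSTED_VENDORS = ("google", "microsoft", "apple", "adobe", "mozilla")


def parse_exiftool(text):
    """Turn exiftool's 'Key : Value' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def masquerade_findings(fields, signature_valid):
    """Return (code, message) tuples for masquerading signals in the version info.

    signature_valid comes from a separate signature check done by the caller;
    exiftool output does not carry that information.
    """
    findings = []
    on_disk = fields.get("File Name", "").lower()
    claimed = fields.get("File Title", "").lower()
    company = fields.get("Company Name", "").lower()

    # 1. Name in the version resource differs from the on-disk file name
    if claimed and on_disk and claimed != on_disk:
        findings.append(("NAME_MISMATCH",
                         f"version resource says {claimed!r} but file is {on_disk!r}"))

    # 2. Claims a major vendor but no valid signature backs the claim
    if any(v in company for v in TRUSTED_VENDORS) and not signature_valid:
        findings.append(("UNVERIFIED_VENDOR",
                         f"claims {fields['Company Name']!r} without a valid signature"))

    # 3. Weak signal: PE timestamp years later than the copyright year in the resource
    m_ts = re.match(r"(\d{4}):", fields.get("Time Stamp", ""))
    m_cr = re.search(r"\b(19|20)\d{2}\b", fields.get("Legal Copyright", ""))
    if m_ts and m_cr:
        gap = int(m_ts.group(1)) - int(m_cr.group(0))
        if gap > 5:  # threshold chosen for this example
            findings.append(("STALE_COPYRIGHT",
                             f"compiled {gap} years after the copyright year in the resource"))
    return findings


if __name__ == "__main__":
    sample = parse_exiftool(EXIFTOOL_OUTPUT)
    for code, msg in masquerade_findings(sample, signature_valid=False):
        print(f"[{code}] {msg}")
```

On the sample above all three checks fire; a correctly named, signed binary whose copyright year matches its build year produces no findings, which is what a triage queue wants from a low-noise first pass.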
A quick use of Floss to retrieve the important strings:
The analysis of the processes reveals a well-orchestrated strategy to maintain presence on the system while avoiding detection. This involves modifying system settings and stopping several Windows services. The execution of CoinMiner.exe clearly indicates the use of mining software. Additionally, the commands utilizing wusa.exe and powershell.exe seem aimed at excluding certain paths from Windows Defender’s monitoring and uninstalling specific updates, likely to evade detection. Lastly, the creation and management of the “JVNIRHNX” service highlight an effort to ensure persistence through a hidden executable, reinforcing the malicious nature of the observed activities.
In this context, file 1 (fqwofdtexigy.exe) has also been observed in the wild during the same period, linked to a sample of another Coinminer: w2EhpArSUP.exe (SHA256: a2d7b3a0425ac23b1fda3c12674ead2d7cd06ac36ce98b5fe04e1469d618ce3a). This indicates that the same threat actor is widely distributing multiple Coinminers:
The reported YARA detection rules indicate the presence of the “XMRIG” cryptominer; the matching rules are the ones written for its macOS variant.
Threat intel:
An analysis published in 2023 indicates that XMRig is a command-line cryptomining tool (for Monero) commonly used for legitimate purposes. However, due to its flexibility and open-source code, it is also highly favored by malicious actors. It is also noted that a trojan may execute in this manner under the guise of Final Cut Pro, the video editing software developed by Apple.
This deceptive marketing technique is known as “bundling.” Often, “bundling” is used to introduce multiple potentially unwanted applications (PUAs) into a system simultaneously. Therefore, it is highly likely that the XMRIG virus arrived alongside various adware-type applications that display intrusive ads and collect sensitive information.
### TTPs of coinminer.exe
| ATT&CK ID | Tactic | Technique | Details |
|------------|--------------------|----------------------------------------|------------------------------------------------------------------------------------------------------------|
| T1553.002 | Defense Evasion | Invalid Certificate | The input sample is signed with an invalid certificate. Error: The operation completed successfully. (0x0) |
| T1036 | Defense Evasion | Drops Executable Files | File type "PE32+ executable (GUI) x86-64 for MS Windows" dropped at "%ALLUSERSPROFILE%\xhzmmmxzrrwn\fqwofdtexigy.exe" |
| T1036 | Defense Evasion | Masquerading | Additional evasion technique used to obscure true identity of the executable. |
| T1569.002 | Execution | Starts Security-Related Services | Process "sc.exe" with commandline "start 'JVNIRHNX'" |
| T1543.003 | Privilege Escalation | Windows Service | Elevated privileges gained through service manipulation. |
| T1105 | Command and Control| Installation/Persistence | Drops "fqwofdtexigy.exe" (PE32+ executable) at "%ALLUSERSPROFILE%\xhzmmmxzrrwn\fqwofdtexigy.exe" |
| T1018 | Discovery | Identifies Remote Systems | Found string "ping 0, GenuineInte%" |
| T1057 | Discovery | Process Discovery | Enumerates running processes on the system. |
| T1497 | Discovery | Virtualization/Sandbox Evasion | Detects virtualized environments to avoid analysis in sandboxes. |
| T1070.004 | Defense Evasion | Marks Files for Deletion | "CoinMiner.exe" marked "C:\Windows\System32\MRT.exe" for deletion |
| T1055.005 | Defense Evasion | Opens File with Deletion Access Rights | "CoinMiner.exe" has TLS callbacks with entrypoints at 0x40001760, 0x1, 0x400017e0 |
| T1129 | Defense Evasion | Looks up Procedures from Modules | Procedures from ntdll.dll |
| T1027 | Defense Evasion | Compiler/Packer Signature | "CoinMiner.exe" detected as "Microsoft Linker" |
| T1560 | Collection | Archive Collected Data | Archives gathered information for exfiltration or later use. |
| T1543.003 | Persistence | Windows Service | Maintains persistence by creating or manipulating a Windows service. |
| T1574.002 | Persistence | DLL Side-Loading | Persists by loading malicious DLLs into trusted applications. |
The presence of files generated by CoinMiner, such as fqwofdtexigy.exe, and their execution via PowerShell from unusual startup paths indicates a clever strategy to maintain a foothold on the system while avoiding detection by blending in with legitimate processes.
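The behaviour described above and in the TTP table (service “JVNIRHNX” installed from a random-looking ProgramData folder, `sc.exe start`, a PowerShell Defender exclusion, `wusa.exe` removing updates) maps directly onto a few detection rules. The Python below is an added example, not part of the original analysis: it runs those rules over constructed, simplified Sysmon-style events. The event dicts, the `Add-MpPreference -ExclusionPath` command line, the resolved `C:\ProgramData` path and the `/kb:0000000` placeholder are illustrations of what the write-up describes, not captured data; the vowel-ratio heuristic for random names is deliberately crude and tuned only to the names on this page.

```python
import re

# Constructed events (not real telemetry) modelled on the behaviour described above.
# "service_install" mirrors a System 7045 record, "process" a Sysmon event ID 1 record.
EVENTS = [
    {"type": "service_install", "name": "JVNIRHNX",
     "image": r"C:\ProgramData\xhzmmmxzrrwn\fqwofdtexigy.exe"},
    {"type": "process", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc start 'JVNIRHNX'",
     "parent": r"C:\Users\victim\Downloads\coinminer.exe"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -Command Add-MpPreference -ExclusionPath 'C:\\ProgramData\\xhzmmmxzrrwn'",
     "parent": r"C:\Users\victim\Downloads\coinminer.exe"},
    {"type": "process", "image": r"C:\Windows\System32\wusa.exe",
     "cmdline": "wusa.exe /uninstall /kb:0000000 /quiet",  # KB number is a placeholder
     "parent": r"C:\Users\victim\Downloads\coinminer.exe"},
    # Benign noise: a normal service host start, must not alert
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "parent": r"C:\Windows\System32\services.exe"},
]

VOWELS = set("aeiou")
# Directories a standard user can write to; a service binary living here is unusual
USER_WRITABLE = (r"c:\programdata", r"c:\users", r"c:\windows\temp")


def looks_random(name):
    """Crude heuristic: purely alphabetic, 8+ chars, fewer than 25% vowels."""
    n = name.lower()
    return n.isalpha() and len(n) >= 8 and sum(c in VOWELS for c in n) / len(n) < 0.25


def in_user_writable_dir(path):
    return path.lower().startswith(USER_WRITABLE)


def detect(events):
    """Return (rule, subject, evidence) tuples; correlates sc start with installs."""
    alerts = []
    suspicious_services = set()
    for ev in events:
        if ev["type"] == "service_install":
            folder = ev["image"].split("\\")[-2]
            if in_user_writable_dir(ev["image"]) and (looks_random(ev["name"]) or looks_random(folder)):
                suspicious_services.add(ev["name"].lower())
                alerts.append(("SUSPICIOUS_SERVICE_INSTALL", ev["name"], ev["image"]))
        elif ev["type"] == "process":
            cmd = ev["cmdline"].lower()
            img = ev["image"].lower()
            # sc start of a service we already flagged at install time
            m = re.search(r"\bstart\s+(\S+)", cmd)
            if img.endswith("\\sc.exe") and m and m.group(1).strip("'\"") in suspicious_services:
                alerts.append(("SUSPICIOUS_SERVICE_START", m.group(1).strip("'\""), ev["cmdline"]))
            # Defender exclusion added from the command line
            if img.endswith("\\powershell.exe") and "add-mppreference" in cmd and "-exclusionpath" in cmd:
                alerts.append(("DEFENDER_EXCLUSION", ev["parent"], ev["cmdline"]))
            # Windows update removal via wusa.exe
            if img.endswith("\\wusa.exe") and "/uninstall" in cmd:
                alerts.append(("UPDATE_UNINSTALL", ev["parent"], ev["cmdline"]))
    return alerts


if __name__ == "__main__":
    for rule, subject, evidence in detect(EVENTS):
        print(f"{rule:<26} {subject}  <-  {evidence}")
```

The `parent` field is kept in each alert on purpose: all three command-line alerts share the same parent, which is what ties the Defender exclusion and update removal back to the miner dropper during response.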
To protect against threats associated with XMRig, which is a legitimate Monero mining tool, it is crucial to block all known threat indicators related to its misuse within your security controls.
Conduct searches for Indicators of Compromise (IOCs) linked to unauthorized XMRig infections within your environment, using your available security tools. Ensure that all platforms and software are promptly patched and updated, focusing on vulnerabilities that may be exploited by malicious actors distributing counterfeit versions of XMRig. This should be a core component of your security policy.
In addition to hardening networks and systems, implement code hardening measures for web applications and software to safeguard your organization against potential threats from malicious XMRig distributions. Use vulnerability testing tools to detect weaknesses in deployed code that could be exploited by these counterfeit versions.
Strengthen your cyber hygiene by keeping antivirus software up to date and following a structured patch management lifecycle. To further mitigate risk, consider using ad blockers and disabling JavaScript in web browsers to reduce exposure to malicious downloads often associated with unauthorized XMRig distributions.
Finally, remain vigilant regarding counterfeit software and suspicious download links, particularly those found on torrent sites. These sources may offer fake versions of XMRig or other mining tools, which can lead to malware infections. Always use software from trusted and verified sources to ensure security.