Trojan.XMRig Analysis

Example.exe

    MD5 – 60d7e7d1522a81917dde26bb9b5f4260

    SHA256 – 9017dc9b43b1e8442dd4d423bec02820fde2a0efef05dc81926762e0ff8f263c

I took a quick look at Malshare today and saw this interesting file named example.exe, so I decided to analyze it. Let’s start with some static analysis.

On Malshare, it was reported with a UPX packer YARA hit. I took a look at it in Exeinfo PE, which also reports UPX but doesn’t state the version.

I decided to also analyze it using Detect It Easy 2.03 to see if it had anything different to show. According to DIE, it’s packed using UPX version 3.91.

So I managed to unpack it using UPX v3.95.

Now that the executable is unpacked, let’s take a look at the strings. There were a large number of them. Something to note were the numerous mentions of AutoIt. AutoIt is a scripting language typically used to automate GUI actions, but it can also be used to write basic scripts.

I then tried opening this executable in PE Studio but it kept crashing while analyzing so I used CFF Explorer instead.

We can see that this executable was compiled with Microsoft Visual C++ 8 and that it’s a 32-bit executable.

Now that we have some basic information about this executable, let’s run it and see what happens. The tools I’m using are as follows:

    FakeNet – answers any outbound calls that the malware might make

    ProcMon – captures each action the executable makes

    Regshot – captures any registry changes and files added

    ProcDot – takes the captured actions from ProcMon and graphs them

Upon running the executable, I immediately got this AutoIt error.

—————————————-

RegShot

From the packets as well as what I see in the task list, it looks like it tries to ping outbound and connect somewhere. It looks like it then spawns a couple of rundll32.exe processes which then spawn a number of shell32.exe processes. Let’s try running it with some network connectivity.

I utilized the Any.Run sandbox environment to take a look at the networking information. There seems to be a couple of things occurring here.

First, the program pings outbound to make sure it’s able to connect outbound. It then seemingly acquires some certs from 188.121.36.237 and 205.185.216.42.

It looks like the malware also acquires two more executables. Example2.exe was grabbed from 69.175.7.162 and example3.exe was grabbed from 91.196.149.73. I grabbed these executables for further analysis. It seems like the original example.exe was simply a downloader.

—————————————-

Example2.exe

    MD5 – 7b0dfa51dc847dab847b141334cea536

    SHA256 – 7c0ed0a86835e8b7d260c27104dd4436a3495f2b2aca5d8053cc8badb73a34c8

This was a strange executable. As we can see below, there’s a mention of base_library.zip as well as some file extensions. From the strings, I wasn’t quite sure what this executable did.

After a bit of research, I believe this could be a modified version of the Trojan.Seaduke virus or something very similar.

Below are the files that are created by the Trojan. Most of these are the same as, or very similar to, the files created by this example2.exe.

—————————————-

Below are the RegShot results of files added on my Sandbox machine.

—————————————-

I performed a Wireshark trace while running the malware from my sandbox. An IP address that stuck out to me was 151.139.128.14. I then took a look at this using PassiveTotal.

In PassiveTotal I noticed a large number of hashes submitted to Hybrid Analysis very recently, including today.

—————————————-

I followed the full TCP stream and noticed the very strange GET requests and the Microsoft Crypto API User-Agent, which could indicate a proxy server.

I also found another interesting IP Address at 104.25.218.21 and it seems to be a bit busier according to PassiveTotal.

Note that the URLs there that look like wireshark.org are actually spelled with a lowercase L in place of the i, as in wlreshark.org.

Here’s a bit of the TCP Stream from that IP.

So it looks like this piece of malware creates a backdoor to a C&C server or perhaps multiple C&C servers and grabs some certs.
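The lookalike-domain trick noted above (wlreshark.org for wireshark.org) can be turned into a simple detection over proxy logs. This is an added example, not code or data from the original post: the log lines, the list of protected domains and the confusable-character table are all constructed here, and the `Microsoft-CryptoAPI/…` User-Agent is assumed to be the form in which Windows sends it.

```python
from urllib.parse import urlsplit

# Constructed sample proxy log lines: "<client> <method> <url> <user-agent>"
SAMPLE_LOG = """\
10.0.0.5 GET http://wlreshark.org/update.bin Microsoft-CryptoAPI/6.1
10.0.0.5 GET http://www.wireshark.org/download.html Mozilla/5.0
10.0.0.7 GET http://mlcrosoft.com/cert.crt Microsoft-CryptoAPI/10.0
10.0.0.9 GET http://example.org/index.html curl/7.64.0
"""

# Legitimate domains we want to protect against lookalikes (constructed list).
KNOWN_DOMAINS = {"wireshark.org", "microsoft.com", "example.org"}

# Each confusable sequence is folded to one representative, so that the
# "i" -> "l" swap seen on this page (and similar 1/l, 0/o, rn/m, vv/w swaps)
# makes the lookalike and the genuine domain compare equal.
CONFUSABLES = {"i": "l", "1": "l", "0": "o", "rn": "m", "vv": "w"}

def normalize_host(host: str) -> str:
    host = host.lower()
    for seq, rep in CONFUSABLES.items():
        host = host.replace(seq, rep)
    return host

# canonical form -> the legitimate domain it stands for
CANONICAL = {normalize_host(d): d for d in KNOWN_DOMAINS}

def lookalike_of(host: str):
    """Return the legitimate domain `host` imitates, or None when the host
    is that domain itself (any subdomain) or unrelated to the known set."""
    parts = host.lower().strip(".").split(".")
    registrable = ".".join(parts[-2:])      # compare only the registrable part
    if registrable in KNOWN_DOMAINS:
        return None
    return CANONICAL.get(normalize_host(registrable))

def scan_proxy_log(text: str):
    """Flag requests to lookalike hosts and record whether they were made
    by the Microsoft CryptoAPI agent, as in the TCP stream discussed above."""
    findings = []
    for line in text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) < 4:
            continue                         # skip malformed lines
        client, _method, url, agent = fields
        host = urlsplit(url).hostname or ""
        target = lookalike_of(host)
        if target:
            findings.append({"client": client, "host": host, "imitates": target,
                             "cryptoapi": agent.startswith("Microsoft-CryptoAPI")})
    return findings
```

Run against a real proxy export, the `cryptoapi` flag separates certificate or CRL fetches to a lookalike host from ordinary browsing typos, which is what made this stream stand out in the first place.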

—————————————-

This leads us to the executable example3.exe.

Example3.exe

    MD5 – 031371044f0270ef380cd1e8e7251280

    SHA256 – f7e7bbd0ef20a1e55dc764191b16e818a7b56e7c3d7bb6402bdadbc7f03c757b

This was rather easy to understand as soon as it was opened in PE Studio. It’s an XMRig CPU miner, which is a very popular attack at the moment, at least judging by the number of XMRig attacks I see on ThreatCloud’s Live Map.

I was unable to find any configuration file for this executable. I tried running it standalone, but it needs configuration such as a username and password for the mining pool, and possibly a wallet address.

My guess would be that the attackers set that information manually through their C&C servers so as to spread their funds between multiple wallets and avoid detection. I might revisit this malware next weekend to see if I can find any sort of config file.

For now, at least we understand the behavior of this malware. Below is the flow for a quick tl;dr.

  1. Malware is executed
  2. Creates multiple processes to connect outbound
  3. Downloads multiple executables and certificates
  4. Executable 2 establishes a backdoor and connects to one or more C&C servers
  5. Executable 2 downloads certificates
  6. Executable 3 uses a config file created by attackers to mine XMR crypto
