COINMINER_SILVERSPACEETN.A-WIN32

This Coinminer arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Coinminer arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Coinminer drops the following copies of itself into the affected system:

• %AppDataLocal%\qnCiCEuVhg\myhost.exe

(Note: %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• b7b336ff7c12351cc4ac

Autostart Technique

This Coinminer adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
HGFTHNgRMG = "%AppDataLocal%\qnCiCEuVhg\myhost.exe"

It drops the following file(s) in the Windows Startup folder to enable its automatic execution at every system startup:

• %User Startup%\Windows Defender.vbs

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Documents and Settings\{user}\Start Menu\Programs\Startup on Windows 2000 and XP, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows Vista, 7, and 8.)

Other Details

This Coinminer does the following:

• Terminates itself when found to be running to any of the following Virtual Environment related strings:
  • Microsoft Hv → Microsoft's HyperVisor
  • VMwareVMware → VMware
  • XenVMMXenVMM → Xen's HyperVisor
  • prl hyperv → Perl HyperVisor
  • KVMKVMKVM → Kernel-based Virtual Machine
  • GenuineIntel
• Checks for the following AV related process:
  • avastsvc.exe
  • avastui.exe
  • avgsvc.exe
  • avgui.exe
• Terminates itself if malware path contains the following strings:
  • self
  • sample
  • sandbox
  • virus
  • malware
• Terminates itself if it finds the following process(es):
  • procexp64.exe
  • procmon64.exe
  • procmon.exe
  • ollydbg.exe
  • procexp.exe
  • windbg.exe
• Check for the following flags in its PEB structure:
  • IsDebugging
• It execute and injects its coin mining component in the following file:
  • %System%\wuapp.exe
• Terminates its coin mining component if the following process is found:
  • taskmgr.exe
• Connects to the following URL to get the configuration file for its coin mining component:
  • http://{BLOCKED}ine.ru/config.txt
• It executes two instances of itself with the following intention:
  • The first process executes its auto-start and coin mining function.
  • The second process executes its anti-analysis and anti-debugging function.
• It perform its coin mining component using the following command:
  • "%System%\wuapp.exe" -o {URL of mining server} -u {username for mining server} -p {password for mining server} -v {algorithm variation, 0 auto select} -t {number of miner threads}
    Where:
    • username for mining server = etn{BLOCKED}NJmGZXrXm3b5GMne5WA2diFffDrUKk14UB49i2tLx9mWeJ5o1Z9dM1EATx6a82e3Y
    • password for mining server = x
    • URL of mining server = pool.etn.{BLOCKED}ools.org:1111