HKTL_COINMINE.GN

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It does not have any backdoor routine.

Arrival Details

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Hacking Tool creates the following folders:

• /var/tmp

Other System Modifications

This Hacking Tool deletes the following files:

• /dev/shm/jboss
• /var/tmp/ysjswirmrm.conf
• /var/tmp/sshd

Propagation

This Hacking Tool does not have any propagation routine.

Backdoor Routine

This Hacking Tool does not have any backdoor routine.

Rootkit Capabilities

This Hacking Tool does not have rootkit capabilities.

Process Termination

This Hacking Tool terminates processes or services that contain any of the following strings if found running in the affected system's memory:

• "./sshd"
• "/tmp/" without "grep" or "ovpvwbvtat"
• "/tmp/httpd.conf"
• "/tmp/m"
• "\./" with "httpd.conf"
• "\-p x" without "grep"
• "108.61.186.224"
• "128.199.86.57"
• "142.4.124.164"
• "192.99.56.117"
• "accounts-daemon"
• "acpid"
• "AnXqV.yam"
• "askdljlqw"
• "atd"
• "bb"
• "BI5zj"
• "bonn.sh"
• "bonns"
• "carbon"
• "conn.sh"
• "conns"
• "cryptonight" without "grep"
• "crypto-pool"
• "ddg"
• "donns"
• "Duck.sh"
• "Guard.sh"
• "ir29xc1"
• "irqba2anc1"
• "irqba5xnc1"
• "irqbalance"
• "irqbnc1"
• "JnKihGjn"
• "jva"
• "kw.sh"
• "kworker34"
• "kxjd"
• "minerd"
• "minergate"
• "minergate-cli"
• "mixnerdx"
• "mule"
• "mutex"
• "myatd"
• "mysql_dump" without "grep"
• "NXLAi"
• "performedl"
• "polkitd"
• "pro.sh"
• "pubg"
• "sleep"
• "snapd" without "grep"
• "stratum" without "grep"
• "tratum"
• "watch-smart"
• "XJnRj"
• "yam"
• "ysaydh"
• "ysjswirmrm" without "grep"

Download Routine

This Hacking Tool connects to the following URL(s) to download its configuration file:

• http://{BLOCKED}.{BLOCKED}.215.212:8220/config_1.json
• http://{BLOCKED}.{BLOCKED}.215.212:8220/c1.json
• http://{BLOCKED}.{BLOCKED}.215.212:8220/kworker.json

It connects to the following URL(s) to download its component file(s):

• http://{BLOCKED}.{BLOCKED}.215.212:8220/gcc
• http://{BLOCKED}.{BLOCKED}.215.212:8220/minerd
• http://{BLOCKED}.{BLOCKED}.215.212:8220/atd2
• http://{BLOCKED}.{BLOCKED}.215.212:8220/atd3
• http://{BLOCKED}.{BLOCKED}.215.212:8220/yam

It saves the files it downloads using the following names:

• /var/tmp/config.json - configuration file
• /var/tmp/jvs - coinminer component

Other Details

This Hacking Tool does the following:

• The downloaded configuration file contains credentials for the mining server. This configuration file is required by the downloaded component to generate bitcoins.
• This hacking tool creates a scheduled task that downloads and execute a script from http://{BLOCKED}.{BLOCKED}.215.212:8220/logo{number}.jpg . The scheduled task executes the hacking tool every minute. As of this writing, the downloaded script is similar to this hacking tool.
• It executes the downloaded component file using one of the following commands:
  • nohup ./jvs -c config.json -t `echo $cores` >/dev/null
  • nohup ./jvs -c x -M stratum
  • +tcp://{BLOCKED}cVux9NNeTfWe8TLK2UWxCXJvNyCQtNb69YEexdNs711jEaDRXWbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm3zKTUYo:x@pool.{BLOCKED}r.com:4444/xmr >/dev/null
• This hacking tool suspends processes contain any of the following strings:
  • kube-apis
  • nginx78

It does not exploit any vulnerability.