
How to Investigate a Bitcoin Mining Malware Infection

July 18, 2014 / Ryan Nolette

In my previous blog, I explained Bitcoin mining and provided an overview of a new type of malware used by malicious Bitcoin miners. In today’s post, I take a closer look at a specific sample of this new breed of malware.

Sample Used:

http://ow.ly/ziXlt

SHA-256:

94FE198E4614BEC6233585D518ADDE34A01DC0A35C7115C79532564B9E0E4080

MD5:

8BDF872A5D2253F0D1DFFD4E5C4FB2A1

What does a Bitcoin mining malware look like on a system?

For this analysis I executed the sample above on a Windows 7 host. The Windows system was fully up to date on patches (as of 05/30/2014). I am intentionally not running any specialized tools such as Ethereal, EnCase, Procmon (or even Bit9) to demonstrate that useful analysis can be done with nothing more than the standard utilities that ship with the Windows operating system.

[Screenshot: dir listing of the test directory showing the sample with its .bin extension]

In the dir output above, the sample has a .bin file extension but is a Win32 EXE by file type. The extension is cosmetic: the loader cares about the PE header, not the name, so the file runs normally once it is launched (the shell picks its handler by extension, so if double-clicking a .bin does nothing on your box, rename it to .exe or start it from a command prompt). To start my detonation and monitoring I just double-click the sample. Immediately after the execution of this file I can see the creation of some new files on my test system.

How to search for newly created files on the test system using common command line tools

1: Find any files created recently

I used the utility "forfiles" for this stage. The command I used was:

forfiles /S /D +05/30/2014 /c "cmd /c echo @fdate @ftime @path" > forfilesSearch_05-30-14_1300.txt

This walks the current directory recursively (/S; add /P C:\ to start from the root of the drive) and selects every file whose last-modified date is on or after the date given to /D. Note that forfiles filters on modification time, not creation time, and expects the date in the local format, here MM/DD/YYYY. The cmd portion specifies the output I wanted: the date, time and full (quoted) path for every file that meets the criteria, written out to a text file for easy parsing. You can also pipe the output to "find" and filter the results in the command prompt, but if the list is too long you will be unable to scroll back far enough to view it. Below is a sample of the content in the output file "forfilesSearch_05-30-14_1300.txt".

[Screenshot: contents of forfilesSearch_05-30-14_1300.txt, one date, time and path per line]

2: In the output above you can see some files in the directory "C:\Users\win7\AppData\Roaming\WindowsPID" that all seem to have been created in the same second, which is what an archive being unpacked or a dropper writing its payload looks like on disk. To get more information on these files I used the utility "xcopy" (its /D:date switch selects files changed on or after a date, and /L lists them without copying anything) to find any files changed in AppData and confirm the findings from the "forfiles" output.

[Screenshot: xcopy listing of the files changed under AppData]

3. Once the findings were confirmed in the output above from "xcopy", I used the utility "dir" to list everything else I had missed in this newly created directory. The command I used was "dir /a /od /t:c", which shows all files including hidden and system ones (/a), sorted by date (/od), using each file's creation time rather than its modification time (/t:c).

[Screenshot: dir /a /od /t:c output for C:\Users\win7\AppData\Roaming\WindowsPID]

From the output of the "dir" command we are able to see newly created executables. To see if they are running I used Task Manager. In the screenshot below, we can see these newly created files already running and trying to mine Bitcoins. You can also use the command line tasklist | find "shell.exe" to look for a running executable, but you would have to repeat this for every executable you found. Because of this limitation, I chose to use Task Manager. Two tasklist switches take some of the pain out of the repetition: tasklist /m miner.dll lists every process that has loaded a given DLL, which is the only way a library such as miner.dll will show up at all, and tasklist /fo csv produces output you can save and match against the file list afterwards.

[Screenshot: Task Manager showing the newly dropped executables running]
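As an added example (not code from the original post), the triage logic of the three steps above in Python: it parses the text that the forfiles command and "tasklist /fo csv" produce, groups the new files by directory and second so that a drop like WindowsPID stands out, and cross-references the new file names against the process list and against the Prefetch folder, which records that an executable ran even if it has since exited. The sample lines are constructed to match the shapes shown in the screenshots, not copied from them; on a real host, redirect the forfiles and tasklist output into the two variables.

```python
"""Triage helpers for the "find new files, see if they run" stage.

Added example: parses constructed samples of forfiles and tasklist output.
On an en-US Windows 7 box forfiles prints the last-modified date and time
followed by the path, which @path wraps in double quotes.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample of 'forfiles ... echo @fdate @ftime @path' output.
FORFILES_SAMPLE = r'''
5/30/2014 1:02:11 PM "C:\Users\win7\Desktop\sample.bin"
5/30/2014 1:05:42 PM "C:\Users\win7\AppData\Roaming\WindowsPID\shell.exe"
5/30/2014 1:05:42 PM "C:\Users\win7\AppData\Roaming\WindowsPID\miner.dll"
5/30/2014 1:05:42 PM "C:\Users\win7\AppData\Roaming\WindowsPID\put.vbs"
5/30/2014 1:05:42 PM "C:\Users\win7\AppData\Roaming\WindowsPID\usft_ext.exe.vbs"
5/30/2014 1:05:43 PM "C:\Users\win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Skype.lnk"
5/30/2014 1:07:09 PM "C:\Windows\Prefetch\SHELL.EXE-1A2B3C4D.pf"
'''

# Constructed sample of 'tasklist /fo csv' output (PIDs are made up).
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"explorer.exe","1412","Console","1","38,112 K"
"shell.exe","2344","Console","1","12,448 K"
"wscript.exe","2360","Console","1","6,920 K"
'''


def parse_forfiles(text):
    """Turn 'date time AM/PM "path"' lines into (datetime, path) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        stamp, _, quoted = line.partition(' "')   # path may contain spaces
        when = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p")
        records.append((when, quoted.rstrip('"')))
    return records


def find_bursts(records, min_files=3):
    """Return (directory, timestamp, names) for directories that gained
    min_files or more files in the same second: the signature of an archive
    unpacking or a dropper writing its payload."""
    groups = defaultdict(list)
    for when, path in records:
        directory, _, name = path.rpartition("\\")
        groups[(directory, when)].append(name)
    bursts = [(d, t, sorted(names)) for (d, t), names in groups.items()
              if len(names) >= min_files]
    return sorted(bursts, key=lambda burst: burst[1])


def running_new_executables(records, tasklist_csv):
    """Map each new file name that appears as a process image name to its PIDs.
    DLLs never show up here; use 'tasklist /m <dll>' for those."""
    new_names = {path.rpartition("\\")[2].lower() for _, path in records}
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        image = row["Image Name"].lower()
        if image in new_names:
            hits[image].append(int(row["PID"]))
    return dict(hits)


def prefetch_evidence(records):
    """Names of new executables that also gained a Prefetch entry.
    Windows names these EXENAME-HASH.pf, so a miner that has already exited
    or been renamed still leaves this trace of having run."""
    names = {path.rpartition("\\")[2].lower() for _, path in records}
    ran = set()
    for _, path in records:
        base = path.rpartition("\\")[2]
        if base.lower().endswith(".pf"):
            exe = base.rsplit("-", 1)[0].lower()
            if exe in names:
                ran.add(exe)
    return ran


if __name__ == "__main__":
    recs = parse_forfiles(FORFILES_SAMPLE)
    for directory, when, names in find_bursts(recs):
        print("%s: %d files at %s (%s)" % (directory, len(names), when, ", ".join(names)))
    print("running:", running_new_executables(recs, TASKLIST_SAMPLE))
    print("prefetched:", prefetch_evidence(recs))
```

The burst threshold of three files per second is a starting point, not a rule; installers and browser caches trigger it too, so treat a burst under AppData\Roaming as something to look at, not as a verdict.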

How to search for newly created registry values using command line tools

Now that we have found some file artifacts on the system we can search the registry for values linking back to these artifacts. We can do this using reg.exe and regedit.

Reg query

To search the registry via the command line I used “reg query.” Below are the five queries I ran to find any registry values linking back to “WindowsPID.”

reg query HKLM /f "*WindowsPID*" /s
reg query HKCU /f "*WindowsPID*" /s
reg query HKCR /f "*WindowsPID*" /s
reg query HKU /f "*WindowsPID*" /s
reg query HKCC /f "*WindowsPID*" /s

For a search that returned results, I expect to see something like:

C:\Users\win7>reg query hkcu /f "*WindowsPID*" /s

HKEY_CURRENT_USER\Software\WinRAR SFX
    C%%Users%win7%AppData%Roaming%WindowsPID    REG_SZ    C:\Users\win7\AppData\Roaming\WindowsPID

End of search: 1 match(es) found.

For a search that did not return results, I expect to see something like:

C:\Users\win7>reg query hklm /f "*windowspid*" /s

End of search: 0 match(es) found.

My preference is to use "reg query" to search for each file artifact in each of the five registry locations. I repeat the above process for each of the file artifacts. I prefer this method because I can just put every command into a text file and then paste them all into the command prompt to run one search after another without my interaction. I could also write a batch script, but that takes just about as long as the copy-paste method. Two things to keep in mind when reading the results: /f matches against key names, value names and data alike (add /k, /v or /d to restrict it to one of them), and HKCU is simply a view of HKU\<SID> for the logged-on user, so a value stored there will show up in both the HKCU and the HKU search.
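As an added example (not code from the original post), the same sweep automated in Python: it issues the five reg query searches above for every artifact name and parses reg.exe's text output into structured hits, so the results of a dozen searches can be reviewed in one place instead of scrolling through a console. The sample output is constructed from the shape of the HKCU hit shown above; the fake_reg stand-in exists so the file also runs on a non-Windows box, and real reg.exe is used when run on Windows.

```python
"""Registry sweep for artifact names found on disk.

Added example: runs 'reg query <hive> /f "*<needle>*" /s' per artifact and
hive and parses the output. SAMPLE_HIT is constructed to match the format
reg.exe prints; the SID in fake_reg is the one from the write-up.
"""
import re
import subprocess

HIVES = ("HKLM", "HKCU", "HKCR", "HKU", "HKCC")

# Constructed sample of reg.exe output for a search with one matching value.
SAMPLE_HIT = (
    "\nHKEY_CURRENT_USER\\Software\\WinRAR SFX\n"
    "    C%%Users%win7%AppData%Roaming%WindowsPID    REG_SZ    "
    "C:\\Users\\win7\\AppData\\Roaming\\WindowsPID\n"
    "\nEnd of search: 1 match(es) found.\n"
)
SAMPLE_MISS = "\nEnd of search: 0 match(es) found.\n"


def reg_query_command(hive, needle):
    """argv for one search; /f matches key names, value names and data."""
    return ["reg", "query", hive, "/f", "*%s*" % needle, "/s"]


def parse_reg_query(output):
    """Turn reg.exe /s output into (key, value_name, type, data) tuples.

    Key lines start at column 0 with the hive name; value lines are indented
    and separate name, type and data with runs of spaces. A key printed with
    no value lines beneath it means the key name itself matched.
    """
    hits = []
    key, key_had_values = None, True
    for line in output.splitlines():
        if line.startswith("HKEY_"):
            if key is not None and not key_had_values:
                hits.append((key, None, None, None))
            key, key_had_values = line.strip(), False
        elif line.startswith(" ") and line.strip() and key is not None:
            fields = re.split(r"\s{2,}", line.strip(), maxsplit=2)
            name, vtype, data = (fields + [None, None])[:3]
            hits.append((key, name, vtype, data))
            key_had_values = True
    if key is not None and not key_had_values:
        hits.append((key, None, None, None))
    return hits


def reported_match_count(output):
    """The count reg.exe itself prints, for cross-checking the parse."""
    found = re.search(r"End of search: (\d+) match", output)
    return int(found.group(1)) if found else None


def search_registry(needles, hives=HIVES, run=None):
    """Run every (needle, hive) search; run maps argv to stdout and is
    injectable for testing. Returns {needle: [(hive, key, name, type, data)]}."""
    if run is None:
        def run(argv):
            # reg.exe exits 1 when nothing matched, so no check=True here.
            return subprocess.run(argv, capture_output=True, text=True).stdout
    results = {}
    for needle in needles:
        for hive in hives:
            for hit in parse_reg_query(run(reg_query_command(hive, needle))):
                results.setdefault(needle, []).append((hive,) + hit)
    return results


def fake_reg(argv):
    """Stand-in for reg.exe (constructed): answers the WindowsPID search the
    way the write-up's host did, with the same value visible via HKCU and
    via HKU\\<SID>, and reports no matches for anything else."""
    hive, needle = argv[2], argv[4]
    if "WindowsPID" in needle and hive == "HKCU":
        return SAMPLE_HIT
    if "WindowsPID" in needle and hive == "HKU":
        return SAMPLE_HIT.replace(
            "HKEY_CURRENT_USER",
            "HKEY_USERS\\S-1-5-21-1581004485-488565272-3498079395-1000")
    return SAMPLE_MISS


if __name__ == "__main__":
    import sys
    runner = None if sys.platform == "win32" else fake_reg
    sweep = search_registry(["WindowsPID", "shell.exe", "miner.dll"], run=runner)
    for needle, found in sweep.items():
        for hive, key, name, vtype, data in found:
            print("%-12s %-5s %s | %s %s %s" % (needle, hive, key, name, vtype, data))
```

A recursive /f search of HKLM and HKCR on a real host takes a while and only reads the registry, so it is safe to run on a live system; the HKCU and HKU hits for a per-user value are one artifact seen through two paths, not two artifacts.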

Regedit

Another method for searching the registry is to use regedit. I repeated the searches in the above section and found the same registry artifacts. The malware creates two registry values under the software key "WinRAR SFX". WinRAR SFX (WinRAR Self-Extracting Archive) is a legitimate packaging format: the dropper is built as a WinRAR self-extractor, and the SFX stub records the folder it extracted into under this key, which is why the value name is the extraction path with its backslashes replaced by % characters. Either way the key ties the dropper to WindowsPID and is a useful indicator. To find these values we simply use the built-in search feature of regedit to search for "WindowsPID."

[Screenshot: regedit Find dialog searching for "WindowsPID"]

HKEY_CURRENT_USER\Software\WinRAR SFX

[Screenshot: regedit showing the values under HKEY_CURRENT_USER\Software\WinRAR SFX]

HKEY_USERS\S-1-5-21-1581004485-488565272-3498079395-1000\Software\WinRAR SFX

[Screenshot: regedit showing the same values under the HKEY_USERS\<SID>\Software\WinRAR SFX path]

Compiled executables:

Going back to the file artifacts found in the first search stage, the subdirectories "macro", "min" and "shel" under "C:\Users\win7\AppData\Roaming\WindowsPID" each hold a script named compile.bat. Despite the name these are not compilers: they are simple concatenation scripts that reassemble an executable from smaller chunks, so no complete malicious binary exists on disk until they run, which is a cheap way to get the dropped files past a signature scan. A sample of the content of these files is:

[Screenshot: contents of one compile.bat script]

This shows the compile.bat script concatenating the soon to be active executable out of smaller parts of “macromedia.exe”, then task-killing the image name of the process doing the compiling, “PEEEEEEEEssxxRAS.exe”. The other files compiled were “shell.exe” and “miner.dll” and their compile scripts were the same method.

VBS scripts

There were also some VBS scripts in this group. Put.vbs creates the object wscript.shell, which is then used by usft_ext.exe.vbs to create a shortcut named "Skype" in "C:\Users\win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" that opens "usft_ext.exe.vbs" in "C:\Users\win7\AppData\Roaming\WindowsPID". This is the persistence mechanism: everything in the per-user Startup folder is launched at logon, so the miner survives a reboot, and the shortcut is another file artifact that will need to be removed or banned later.

[Screenshot: put.vbs and usft_ext.exe.vbs creating the "Skype" Startup shortcut]

Next the script starts the Bitcoin mining applications. This code is a loop that constantly restarts the mining applications and keeps trying to connect them to the mining pool, so killing the miner process alone will not clear the infection; the script and its Startup shortcut have to go too.

[Screenshot: the VBS loop that restarts the miners]

Note: Everything I did above is possible for any user to do as long as they have local admin rights on their system. I ran commands to search for new files (by date), enumerated new directories found, and used Regedit to query for references to any of the new paths/files. I then opened up my task manager and expanded it to view all running processes and look for matching names. While these methods are not very high tech or very informative, this is something any user can do regardless of what security software you are running.

Part three in this blog series, coming up next week, will be an analysis of this malware leveraging Carbon Black.

TAGS: bitcoin / bitcoin mining malware / cybersecurity / malware / mining
