Behavioural analysis of Adylkuzz Cryptocurrency Mining Malware

This post explains how to execute a malware specimen in a controlled environment (sandbox) to identify indicators of compromise (IOCs). It doesn't cover the initial infection vector, propagation or recovery of the infected system.

Adylkuzz CryptoMiner
Adylkuzz is described as malware that infects computers through the same means as WannaCry but, instead of locking files on computers, hides in the background and mines cryptocurrency for its operators. It does not interfere with a user's files but remains behind the scenes. The "symptoms" of the attack include loss of access to shared Windows resources plus computers and servers running slowly. Once running, Adylkuzz first stops any instances of itself already running and blocks SMB communication to avoid further infection. It then determines the public IP address of the victim and downloads the mining instructions, cryptominer and cleanup tools.

  • You are dealing with real malware samples
  • Don't expose them to internal networks or the internet
  • Analyze them in controlled environments (sandboxes)
  • We are not responsible for any consequences or damage if you fail to obey these rules
Binary Hash
MD5:  f2e1d236c5d2c009e1749fc6479a9ede

Tools
  • Process Hacker
  • Process Monitor
  • Wireshark
  • CaptureBAT
  • HashMyFiles
  • Windows 7 VM
A Windows 7 virtual machine was set up with all the tools. Let's run Process Hacker, Process Monitor, Wireshark and CaptureBAT in the background and run the Adylkuzz specimen with admin privileges, as it generally gets admin privileges on an infected host. A quick look at Process Hacker showed Adylkuzz was launched by explorer.exe.

Adylkuzz launched many command prompts upon execution, and these could be seen in Process Hacker. As mentioned, the aim is to find indicators of compromise, so let's look further at Process Monitor and Wireshark to check for process creation and network connections.
As shown in Process Hacker, some suspicious processes were spotted, and processes were also being terminated via command prompt upon execution. Let's have a quick look at the Process Monitor (procmon) output: filter the output with "Operation is Process Create" to spot the initial execution of Adylkuzz by explorer.exe and the various sub-processes Adylkuzz created by invoking command line arguments.
As shown, the explorer process launched the Adylkuzz binary; Adylkuzz then launched a number of sub-processes by invoking command line arguments through cmd.exe. The first thing it did was kill hdmanger.exe and mmc.exe; it also stopped a service called WELM and deleted it later.
New firewall rules were also observed being added via command line arguments; the most interesting part was the blocking of port 445 (SMB), the port through which the malware came in. Since this is crypto-mining malware that consumes all computer resources to compute hard mathematical functions, it blocks port 445 (SMB) so that no other malware can exploit it and all resources remain available to itself.
As shown below, a number of processes were killed and more firewall rules were added. Most interestingly, it had some filesystem activity, creating a few files in the TEMP folder and accessing the Fonts directory (which happens rarely). Another process was also observed running a batch file and pinging localhost.
Here is the captured Process Monitor file for further exploration
procmon file:!9nxBAKbZ!Uwu73mULkDty8xIG4h-FTg
MD5: e7d69cb1050b25c6ac08fbabfbba6ff4
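The Process Create events described above can be checked mechanically. The following is an added example, not code from the original post: it parses a constructed Process Monitor style CSV export and flags child processes of the specimen whose command lines match the behaviours described above (taskkill of hdmanger.exe/mmc.exe, sc stop/delete of WELM, a netsh rule blocking port 445, a batch file run from TEMP). The command lines, PIDs and paths in the sample are assumptions modelled on the description, not copied from the real sample.

```python
import csv
import io
import re

# Constructed sample resembling a Process Monitor CSV export filtered on "Operation is
# Process Create". Command lines are assumptions modelled on the post, not the real specimen.
SAMPLE_PROCMON_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02","explorer.exe","1234","Process Create","C:\Users\lab\Desktop\adylkuzz.exe","SUCCESS","PID: 2001, Command line: adylkuzz.exe"
"10:01:03","adylkuzz.exe","2001","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 2002, Command line: cmd.exe /c taskkill /f /im hdmanger.exe"
"10:01:03","adylkuzz.exe","2001","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 2003, Command line: cmd.exe /c sc stop WELM & sc delete WELM"
"10:01:04","adylkuzz.exe","2001","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 2004, Command line: cmd.exe /c netsh advfirewall firewall add rule name=block445 dir=in protocol=tcp localport=445 action=block"
"10:01:05","adylkuzz.exe","2001","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 2005, Command line: cmd.exe /c C:\Users\lab\AppData\Local\Temp\445.bat"
"10:02:00","explorer.exe","1234","Process Create","C:\Windows\System32\notepad.exe","SUCCESS","PID: 2100, Command line: notepad.exe"
""".strip()

# Each rule maps one behaviour from the post to a pattern over the child's command line.
RULES = [
    ("kills hdmanger.exe / mmc.exe", re.compile(r"taskkill\b.*\b(hdmanger|mmc)\.exe", re.I)),
    ("stops or deletes the WELM service", re.compile(r"\bsc\s+(stop|delete)\s+WELM\b", re.I)),
    ("firewall rule blocking SMB port 445", re.compile(r"netsh\b.*\blocalport=445\b.*\baction=block\b", re.I)),
    ("runs a batch file from TEMP", re.compile(r"\\Temp\\\S+\.bat\b", re.I)),
]

def command_line(detail):
    """Pull the 'Command line:' part out of procmon's Detail column."""
    m = re.search(r"Command line:\s*(.*)$", detail)
    return m.group(1).strip() if m else ""

def child_pid(detail):
    m = re.search(r"PID:\s*(\d+)", detail)
    return int(m.group(1)) if m else None

def find_suspicious_children(csv_text, parent_name):
    """Return (child PID, rule name, command line) for every Process Create event
    whose parent is parent_name and whose child command line matches a rule."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "Process Create" or row["Process Name"].lower() != parent_name.lower():
            continue
        cmd = command_line(row["Detail"])
        for name, rx in RULES:
            if rx.search(cmd):
                hits.append((child_pid(row["Detail"]), name, cmd))
    return hits

if __name__ == "__main__":
    for pid, name, cmd in find_suspicious_children(SAMPLE_PROCMON_CSV, "adylkuzz.exe"):
        print(f"PID {pid}: {name}: {cmd}")
```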

Meanwhile, a quick look at Wireshark with the filter http.request.method==GET && not udp showed a few interesting HTTP requests carrying command instructions and file downloads.
Following the TCP stream for the GET request /install/start HTTP/1.1, the infected host contacted the server to convey its presence and got a 200 OK.
Following the TCP stream for the next GET request, /mine.txt, the infected host received a 200 OK with a set of crypto-mining instructions.
Looking at the next GET request, the malware pulled a binary, 64.exe, from the server and then sent a report with system information such as the system architecture, CPU frequency, the number of CPU calls, memory etc. This lets the malware authors know what type of system is infected and what resources can be used for various computational purposes.
The previous response contained a resource location for a Lua script, which was fetched in the next GET request. In summary, the malware pulls a binary from the server and requests mine.txt to get the mining instructions.
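The request sequence above (presence beacon, mine.txt, miner binary, Lua script) is usable as a network detection signature. The following is an added example, not code from the original post: a matcher that advances each client through that sequence over a constructed, simplified HTTP log. The log format, the client and server addresses (documentation ranges) and the /report query string are assumptions; the report request is deliberately not a stage because the post does not show its method or path.

```python
import re
from collections import defaultdict

# Ordered stages of the beacon sequence described in the post. The report request is
# deliberately not a stage: its method and path are not shown.
STAGES = [
    ("presence beacon", lambda m, u: m == "GET" and u == "/install/start"),
    ("mining instructions", lambda m, u: m == "GET" and u.endswith("/mine.txt")),
    ("miner download", lambda m, u: m == "GET" and re.search(r"/(64|86)\.exe$", u) is not None),
    ("lua script fetch", lambda m, u: m == "GET" and u.lower().endswith(".lua")),
]

# Constructed, simplified HTTP log: "timestamp client server method uri status".
# Addresses are documentation ranges; the /report query string is an assumption.
SAMPLE_HTTP_LOG = """\
1494864000 10.0.0.5 198.51.100.10 GET /install/start 200
1494864001 10.0.0.5 198.51.100.10 GET /mine.txt 200
1494864002 10.0.0.5 198.51.100.10 GET /64.exe 200
1494864003 10.0.0.5 198.51.100.10 GET /report?arch=x64&cpu=2400&cores=4&mem=4096 200
1494864004 10.0.0.5 198.51.100.10 GET /07.lua 200
1494864005 10.0.0.9 203.0.113.7 GET /index.html 200
1494864006 10.0.0.9 203.0.113.7 GET /mine.txt 404
"""

def parse_http_log(text):
    """Yield one dict per log line."""
    for line in text.splitlines():
        ts, client, server, method, uri, status = line.split()
        yield {"ts": int(ts), "client": client, "server": server,
               "method": method, "uri": uri, "status": int(status)}

def find_beacon_sequences(text, min_stages=3):
    """Advance each client through STAGES in order, counting only 2xx responses.
    Unrelated requests in between are ignored. Returns {client: stages reached}
    for clients that reached at least min_stages."""
    progress = defaultdict(list)
    for ev in parse_http_log(text):
        if not 200 <= ev["status"] < 300:
            continue
        reached = progress[ev["client"]]
        if len(reached) < len(STAGES):
            name, matches = STAGES[len(reached)]
            if matches(ev["method"], ev["uri"]):
                reached.append(name)
    return {c: s for c, s in progress.items() if len(s) >= min_stages}

if __name__ == "__main__":
    for client, stages in find_beacon_sequences(SAMPLE_HTTP_LOG).items():
        print(client, "->", " > ".join(stages))
```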
All HTTP objects were extracted in Wireshark via File --> Export Objects --> HTTP

MD5: 34723c7c5c54d6ff22cad74c7921c937

It was evident that Adylkuzz completely consumes all resources; it also detects the presence of Task Manager (taskmgr.exe) so that it can present normal-looking system usage while taskmgr.exe is running in the background.

As shown below, Adylkuzz shows different system usage information while taskmgr.exe is running in the background.

Have a quick look at the CaptureBAT output; below are the created, modified and deleted files.
Adylkuzz created a log file for its crypto-mining operations.

Indicators of Compromise 
  • 07.lua
  • 445.bat
  • 445.exe
  • 86.exe
  • msiexev.exe
  • mine.txt
  • s1f0.1_.exe
  • s1f0._Miner_.log
Disclaimer: These IPs may be subject to change in the future

This is just an explanatory post leveraging basic dynamic malware analysis to find indicators of compromise.


