Behavioural analysis of Adylkuzz Cryptocurrency Mining Malware

Introduction
This post explains how to execute a malware specimen in a controlled environment (sandbox) to identify indicators of compromise (IOCs). It does not cover the initial infection vector, propagation, or recovery of infected systems.

Adylkuzz CryptoMiner
Adylkuzz is described as a piece of malware that infects computers through the same means as WannaCry but, instead of locking files, hides in the background and quietly makes money by mining cryptocurrency. It does not interfere with a user's files but stays behind the scenes. The "symptoms" of the attack include loss of access to shared Windows resources, plus computers and servers running slowly. Once running, Adylkuzz first stops any instances of itself that are already running and blocks SMB communication to avoid further infection. It then determines the victim's public IP address and downloads the mining instructions, the cryptominer, and cleanup tools.

Disclaimer
  • You are dealing with real malware samples
  • Don't expose them to internal networks or the internet
  • Analyze them in a controlled environment (sandbox)
  • We are not responsible for any consequences or damage if you fail to follow these rules
Binary Hash
MD5: f2e1d236c5d2c009e1749fc6479a9ede

Tools
  • Process Hacker
  • Process Monitor
  • Wireshark
  • CaptureBAT
  • HashMyFiles
  • Windows 7 VM
Analysis
A Windows 7 virtual machine was set up with all the tools. Process Hacker, Process Monitor, Wireshark and CaptureBAT were started in the background, and the Adylkuzz specimen was then run with admin privileges, since it generally obtains admin privileges. A quick look at Process Hacker showed that Adylkuzz was launched by explorer.exe.

Adylkuzz launched many command prompts upon execution, and these could be seen in Process Hacker. As mentioned, the aim is to find indicators of compromise, so let's look further at Process Monitor and Wireshark to check for process creation and network connections.
As shown in Process Hacker, some suspicious processes were spotted being created and then terminated via the command prompt. Let's have a quick look at the Process Monitor (procmon) output: filter it with "Operation is Process Create" to spot the initial execution of Adylkuzz by explorer.exe and the various sub-processes Adylkuzz created by invoking command-line arguments.
As shown, the explorer.exe process launched the Adylkuzz binary; Adylkuzz then launched a number of sub-processes by passing command-line arguments to cmd.exe. The first thing it did was kill hdmanger.exe and mmc.exe; it also stopped a service called WELM and deleted it later.
Some new firewall rules were also observed being added via command-line arguments; the most interesting part was a rule blocking port 445 (SMB), the port through which the malware arrived. Since this is crypto-mining malware that uses all available computer resources to compute hard mathematical functions, it blocks port 445 (SMB) from being exploited by any other malware so that all resources remain available to itself.
As shown below, a number of processes were killed and more firewall rules were added. Most interestingly, there was some filesystem activity: a few files were created in the TEMP folder, and the Fonts directory was accessed (which happens rarely). Another process was also observed running a batch file and pinging localhost.
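The Process Monitor behaviour described above (a single parent spawning many cmd.exe children that kill processes, stop and delete a service, and add a firewall rule for port 445) is exactly what a defender can turn into a detection rule over a procmon CSV export. The script below is an added example, not part of the original post: it parses the "Process Create" rows of a Procmon CSV, extracts the child PID and command line from the Detail column, flags command lines matching the behaviours the post describes, and aggregates the flagged children per parent process. The CSV rows are constructed, and the exact command lines (taskkill, sc stop/delete, netsh advfirewall) are assumptions modelled on the post's description, not copied from the real sample.

```python
import csv
import io
import re
from collections import Counter

# Constructed Process Monitor CSV export (default columns), "Process Create" rows only.
# The command lines are assumptions modelled on the behaviour described in the post
# (killing hdmanger.exe and mmc.exe, stopping and deleting the WELM service,
# adding an inbound block rule for TCP 445, pinging localhost); they are not the
# real sample's command lines. Paths use a lab user "lab".
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.100","explorer.exe","1234","Process Create","C:\\Users\\lab\\Desktop\\adylkuzz.exe","SUCCESS","PID: 2000, Command line: C:\\Users\\lab\\Desktop\\adylkuzz.exe"
"10:01:02.300","adylkuzz.exe","2000","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 2004, Command line: cmd /c taskkill /f /im hdmanger.exe"
"10:01:02.400","adylkuzz.exe","2000","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 2008, Command line: cmd /c taskkill /f /im mmc.exe"
"10:01:02.600","adylkuzz.exe","2000","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 2012, Command line: cmd /c sc stop WELM"
"10:01:02.800","adylkuzz.exe","2000","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 2016, Command line: cmd /c sc delete WELM"
"10:01:03.000","adylkuzz.exe","2000","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 2020, Command line: cmd /c netsh advfirewall firewall add rule name=block445 dir=in action=block protocol=tcp localport=445"
"10:01:03.200","adylkuzz.exe","2000","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 2024, Command line: cmd /c ping 127.0.0.1 -n 5"
"10:05:00.000","explorer.exe","1234","Process Create","C:\\Windows\\System32\\notepad.exe","SUCCESS","PID: 3000, Command line: C:\\Windows\\System32\\notepad.exe"
"""

# Behaviours the post attributes to the sample, expressed as command-line patterns.
SUSPICIOUS_PATTERNS = {
    "kills_process": re.compile(r"\btaskkill\b.*\s/im\s+\S+", re.I),
    "stops_or_deletes_service": re.compile(r"\bsc\s+(stop|delete)\s+\S+", re.I),
    "firewall_block_smb": re.compile(r"netsh\s+advfirewall.*action=block.*localport=445", re.I),
}

# Procmon writes the child PID and command line into the Detail column.
DETAIL_RE = re.compile(r"PID:\s*(\d+),\s*Command line:\s*(.*)$")


def parse_process_creates(csv_text):
    """Return one dict per 'Process Create' row: parent, parent_pid, child, child_pid, cmdline."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "Process Create":
            continue
        m = DETAIL_RE.search(row["Detail"])
        events.append({
            "parent": row["Process Name"],
            "parent_pid": int(row["PID"]),
            "child": row["Path"],
            "child_pid": int(m.group(1)) if m else None,
            "cmdline": m.group(2) if m else "",
        })
    return events


def flag_suspicious(events):
    """Return (parent_pid, parent_name, label, cmdline) for every matching command line."""
    findings = []
    for ev in events:
        for label, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(ev["cmdline"]):
                findings.append((ev["parent_pid"], ev["parent"], label, ev["cmdline"]))
    return findings


def summarize(csv_text, threshold=3):
    """Parse, flag, and report parents that spawned at least `threshold` flagged children."""
    events = parse_process_creates(csv_text)
    findings = flag_suspicious(events)
    counts = Counter((pid, name) for pid, name, _, _ in findings)
    noisy_parents = {k: v for k, v in counts.items() if v >= threshold}
    return {"events": len(events), "findings": findings, "noisy_parents": noisy_parents}


if __name__ == "__main__":
    report = summarize(SAMPLE_PROCMON_CSV)
    for pid, name, label, cmdline in report["findings"]:
        print(f"{name}({pid}) -> {label}: {cmdline}")
    print("parents over threshold:", report["noisy_parents"])
```

To use it on a real capture, export the Procmon trace as CSV (File, Save, CSV) with the default columns and pass the file contents to summarize(); the threshold keeps a single legitimate `sc stop` from an administrator from being reported, while a parent that chains several of these commands in seconds stands out.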
Here is the captured process monitor file for further exploration
procmon file: https://mega.nz/#F!9nxBAKbZ!Uwu73mULkDty8xIG4h-FTg
MD5: e7d69cb1050b25c6ac08fbabfbba6ff4

Meanwhile, a quick look at Wireshark with the filter http.request.method==GET && not udp showed a few interesting HTTP requests carrying command instructions and file downloads.
Following the TCP stream for the GET request /install/start HTTP/1.1: the infected host contacted the server to announce its presence and got a 200 OK.
Following the TCP stream for the next GET request, /mine.txt: the infected host received a 200 OK with a set of crypto-mining instructions.
In the next GET request, the malware pulled a binary, 64.exe, from the server and then sent a report with system information such as system architecture, CPU frequency, the number of CPU calls, memory, etc. This lets the malware authors know what type of system is infected and what resources are available for computation.
The previous response contained a resource location for a Lua script, which was fetched in the next GET request. It was also found that the malware pulls a binary from the server and requests mine.txt to get the mining instructions.
All HTTP objects were extracted in Wireshark via File --> Export Objects --> HTTP.
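The HTTP exchange above is an ordered sequence (check-in at /install/start, instructions from /mine.txt, a binary download, then a Lua script), and the order is a stronger signal than any single URI. The following script is an added example and not part of the original post: it takes per-request records of the kind you would export from Wireshark or tshark (timestamp, source IP, Host header, method, URI), walks each source host's requests in time order, and reports which stages of the chain it completed within a time window. The records are constructed; the host names and file names are taken from the post's IoC list and walkthrough, the source addresses 192.168.56.x are made-up lab addresses, and example.com is a benign control.

```python
import re
from collections import defaultdict

# The stages of the exchange described in the post, in the order they were observed.
STAGES = [
    ("check_in", re.compile(r"^/install/start$")),
    ("mining_instructions", re.compile(r"^/mine\.txt$")),
    ("miner_download", re.compile(r"\.exe$")),
    ("script_download", re.compile(r"\.lua$")),
]

# Constructed request records: (epoch seconds, source IP, Host header, method, URI).
# Host names and file names come from the post; the 192.168.56.x sources are lab
# addresses invented for this example and example.com is a benign control host.
SAMPLE_HTTP_REQUESTS = [
    (1000.0, "192.168.56.101", "aa1.super5566.com", "GET", "/install/start"),
    (1002.0, "192.168.56.101", "aa1.super5566.com", "GET", "/mine.txt"),
    (1005.0, "192.168.56.101", "08.super5566.com", "GET", "/64.exe"),
    (1006.0, "192.168.56.101", "aa1.super5566.com", "GET", "/07.lua"),
    (1010.0, "192.168.56.102", "example.com", "GET", "/index.html"),
    (1012.0, "192.168.56.102", "example.com", "GET", "/logo.exe"),
]


def match_stages(requests, window_seconds=600):
    """For each source IP, return the list of (stage, host, uri) matched in order.

    A stage only counts if it occurs at or after the previously matched stage and
    within `window_seconds` of the first matched stage, so a stray .exe download
    hours later does not complete the chain.
    """
    by_src = defaultdict(list)
    for ts, src, host, method, uri in requests:
        by_src[src].append((ts, host, method, uri))

    results = {}
    for src, reqs in by_src.items():
        reqs.sort()
        matched = []
        cursor = float("-inf")   # time of the last matched stage
        first_ts = None          # time of the first matched stage
        for name, pattern in STAGES:
            for ts, host, method, uri in reqs:
                if ts < cursor or not pattern.search(uri):
                    continue
                if first_ts is not None and ts - first_ts > window_seconds:
                    continue
                matched.append((name, host, uri))
                cursor = ts
                if first_ts is None:
                    first_ts = ts
                break
        results[src] = matched
    return results


def flag_infected(requests, min_stages=3, window_seconds=600):
    """Return the sorted source IPs that completed at least `min_stages` stages."""
    stages = match_stages(requests, window_seconds)
    return sorted(src for src, m in stages.items() if len(m) >= min_stages)


if __name__ == "__main__":
    for src, stages in match_stages(SAMPLE_HTTP_REQUESTS).items():
        print(src, "->", [name for name, _, _ in stages])
    print("hosts matching the chain:", flag_infected(SAMPLE_HTTP_REQUESTS))
```

Requiring three of the four stages rather than all four keeps the rule useful when one download is served from a host the sensor did not see, while a host that only ever fetched a .exe (the benign control here) is not reported.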

Pcap:  https://mega.nz/#!tnQwjCTD!0Ej9db8JMbmB6GAmVMJpoFVYUuLVaV0KZCKlUO5RTS8
MD5: 34723c7c5c54d6ff22cad74c7921c937

It was evident that Adylkuzz completely consumes all resources and also detects the presence of Task Manager (taskmgr.exe) so that it can show normal system usage while taskmgr.exe is running in the background.

As shown below, Adylkuzz shows different system usage information while taskmgr.exe is running in the background.

Have a quick look at the CaptureBAT output; below are the created, modified and deleted files.
Adylkuzz created a log file for its crypto-mining operations.

Indicators of Compromise
  • 08.super5566.com
  • aa1.super5566.com
  • 107.170.200.222
  • 1.32.192.16
  • 07.lua
  • 445.bat
  • 445.exe
  • 86.exe
  • msiexev.exe
  • mine.txt
  • s1f0.1_.exe
  • s1f0._Miner_.log
  • 5e97bc06c438d9c393e67591029ee1e4
  • 0711b1d7523f0e02be2505f2e0b39fae
  • 2d001c3d5e3509a7e7d4a72aa6e423ce
  • 4557e4533a41c8e36a347450f4b58a76
  • d8f508c5af84df89d73ae9c4173c1cdb
  • 6343af71615d2f1c51f654863f6136f2
Disclaimer: These IPs may be subject to change in future.
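The IoC list above mixes domains, IP addresses, file names and MD5 hashes in one flat list, so before it can be used for hunting each entry has to be typed and matched against the right kind of telemetry. The script below is an added example, not part of the original post: it classifies each indicator by shape (treating extensions such as .lua and .log as file names rather than domains), builds per-type lookup sets, and matches them against constructed host events of the kind CaptureBAT, HashMyFiles and a DNS or connection log would produce. The indicator values are the post's; the events, the lab user name and path, and the benign control values are constructed, and the d41d8cd9... hash is simply the MD5 of an empty file.

```python
import re

# Indicators as listed in the post (duplicates removed).
ADYLKUZZ_INDICATORS = [
    "08.super5566.com", "aa1.super5566.com", "107.170.200.222", "1.32.192.16",
    "07.lua", "445.bat", "445.exe", "86.exe", "msiexev.exe", "mine.txt",
    "s1f0.1_.exe", "s1f0._Miner_.log",
    "5e97bc06c438d9c393e67591029ee1e4", "0711b1d7523f0e02be2505f2e0b39fae",
    "2d001c3d5e3509a7e7d4a72aa6e423ce", "4557e4533a41c8e36a347450f4b58a76",
    "d8f508c5af84df89d73ae9c4173c1cdb", "6343af71615d2f1c51f654863f6136f2",
]

MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.I)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
# Extensions that mark an indicator as a file name; "07.lua" would otherwise look like a domain.
FILE_EXTENSIONS = {"exe", "bat", "lua", "txt", "log", "dll"}


def classify(indicator):
    """Return 'md5', 'ipv4', 'filename', 'domain' or 'unknown' for one indicator."""
    value = indicator.strip().lower()
    if MD5_RE.match(value):
        return "md5"
    if IPV4_RE.match(value):
        return "ipv4"
    if "." in value and value.rsplit(".", 1)[1] in FILE_EXTENSIONS:
        return "filename"
    if "." in value:
        return "domain"
    return "unknown"


def build_index(indicators):
    """Group normalised indicators into one set per type."""
    index = {t: set() for t in ("md5", "ipv4", "filename", "domain", "unknown")}
    for ind in indicators:
        index[classify(ind)].add(ind.strip().lower())
    return index


# Constructed host telemetry: DNS lookups, outbound connections and file writes with
# their MD5 (what a DNS log, a connection log and CaptureBAT plus HashMyFiles give you).
# The user "lab", the benign hosts and the benign file are invented for this example.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "aa1.super5566.com"},
    {"type": "dns", "query": "update.example.com"},
    {"type": "net", "dst": "1.32.192.16"},
    {"type": "net", "dst": "93.184.216.34"},
    {"type": "file", "name": r"C:\Users\lab\AppData\Local\Temp\s1f0.1_.exe",
     "md5": "5e97bc06c438d9c393e67591029ee1e4"},
    {"type": "file", "name": r"C:\Users\lab\AppData\Local\Temp\readme.txt",
     "md5": "d41d8cd98f00b204e9800998ecf8427e"},
]


def match_events(events, index):
    """Return (indicator_type, indicator, event) for every event that hits the index."""
    hits = []
    for ev in events:
        if ev["type"] == "dns":
            q = ev["query"].lower()
            # exact domain or any subdomain of a listed domain
            for d in index["domain"]:
                if q == d or q.endswith("." + d):
                    hits.append(("domain", d, ev))
        elif ev["type"] == "net":
            if ev["dst"] in index["ipv4"]:
                hits.append(("ipv4", ev["dst"], ev))
        elif ev["type"] == "file":
            base = ev["name"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if base in index["filename"]:
                hits.append(("filename", base, ev))
            md5 = ev.get("md5", "").lower()
            if md5 in index["md5"]:
                hits.append(("md5", md5, ev))
    return hits


if __name__ == "__main__":
    idx = build_index(ADYLKUZZ_INDICATORS)
    for t, values in idx.items():
        print(f"{t}: {sorted(values)}")
    for kind, value, ev in match_events(SAMPLE_EVENTS, idx):
        print(f"HIT {kind} {value}: {ev}")
```

File-name matches are the weakest of the four (a benign file can share a name), so in practice a file-name hit is worth acting on when the same event also hits on the hash, as the s1f0.1_.exe event does here; the IP matches are the ones the post's closing note warns may go stale.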


This is just an explanatory post showing how basic dynamic malware analysis can be used to find indicators of compromise.
