Skip to main content

Behavioural analysis of Adylkuzz Cryptocurrency Mining Malware

This post explains how to execute a malware specimen in a controlled environment (Sandbox) to identify indicators of compromise (IOC).  It doesn't cover initial infection vector, propagation and recovery of infected system

Adylkuzz CryptoMiner
Adylkuzz is described as a piece of malware that infects computers through the same means as WannaCry but, instead of locking files on computers, hides in the background and digitally makes money. It does not interfere with a user's files but remains behind the scenes. The "symptoms" of the attack include loss of access to shared resources on Windows plus computers and servers running slowly.Once running, Adylkuzz will first stop any potential instances of itself already running and block SMB communication to avoid further infection. It then determines the public IP address of the victim and download the mining instructions, cryptominer, and cleanup tools.

  • You are dealing with real malware samples
  • Don’t expose them to internal networks or internet
  • Analyze them in a controlled environments (sandboxes)
  • We are not responsible for any consequences of damage if you fail to obey the rules
Binary Hash
MD5:  f2e1d236c5d2c009e1749fc6479a9ede

  • Process hacker 
  • Process monitor 
  • Wireshark
  • CaptureBAT
  • Hashmyfiles 
  • Windows 7 VM
A windows 7 virtual machine was set up with all tools. Let's run process hacker, process monitor, wireshark and captureBAT in the background and run the adylkuzz specimen with admin privileges as it generally gets admin privileges. A quick look at process hacker showed adylkuzz was launched by explorer

Adylkuzz launched many command prompts upon the execution and these could be seen in process hacker. As mentioned, the aim to is find out indicators of compromise so lets look at process monitor and wireshark further to check for process creation and network connections
 As shown in process hacker, some suspicious process were spotted and also getting terminated upon the execution via command prompt.  Let's have a quick look at the Process monitor procmon output, just filter the output with Operation is Process Create and spot the adylkuzz initial execution by explorer.exe and adylkuzz created various sub processes by invoking command line arguments
As shown, explorer process launched adylkuzz binary, later adylkuzz launched number of sub processes by invoking command line arguments through cmd.exe, the first thing it did was killing hdmanger.exe, mmc,exe and also stopped a service called WELM and deleted that later
It was also observed some new firewall rules added via command line arguments, the most interesting part was blocking 445(SMB) port from where the malware came through. Since this is a crypto mining  malware which exceptionally use all computer resources to  compute hard mathematical functions, it restricts and blocks port 445 (SMB) being exploited by any other malware so that all resources can be used by itself
As shown below, number of process were killed and more firewall rules were added. Most interestingly it had some filesystem activity by creating few files in TEMP folder and had access to Fonts directory (happens rarely). It was also observed that another process with a batch file and a pinging localhost.
Here is the captured process monitor file for further exploration
procmon file:!9nxBAKbZ!Uwu73mULkDty8xIG4h-FTg
MD5: e7d69cb1050b25c6ac08fbabfbba6ff4

Meanwhile,a quick look at wireshark with filter http.request.method==GET && not udp showed few interesting http requests with command instructions and file downloads
Follow TCP stream for GET request  /install/start HTTP/1.1,the infected host contacted server to convey it's presence and it got 200 OK
Follow the TCP stream for next GET request for /mine.txt, the infected host received 200 OK with a set of crypto mining instructions
Looking at the next GET request, the malware pulled a binary 64.exe from server and then sent a report with system information like system architecture, cpu frequency, the number of cpu calls and memory etc. This will let the malware authors know what type of system is infected and what type of resources can be used for various computational purpose.
It was observed that the previous  response contains a resource location with a lua script which was fetched in next GET request. It was also found that malware pulls a binary from server and requests for mine.txt to get the mining instructions
All HTTP objects were extracted in wireshark by File-->Export Objects -->HTTP 

MD5: 34723c7c5c54d6ff22cad74c7921c937

It was evident that adylkuzz completely consumes all resources and also detects the presence of task manager taskmgr.exe so that it can show the normal system usage while taskmgr is running in the background 

As shown below, adylkuzz shows different system usage information while taskmgr.exe running in background

 Have a quick look at the captureBAT output, below are the created, modified and deleted files
adylkuzz created a log file for  crypto mining operations

Indicators of Compromise 
  • 07.lua
  • 445.bat
  • 445.exe
  • 86.exe
  • msiexev.exe
  •  mine.txt
  • s1f0.1_.exe
  • s1f0._Miner_.log
  • 5e97bc06c438d9c393e67591029ee1e4
  • 0711b1d7523f0e02be2505f2e0b39fae
  • 2d001c3d5e3509a7e7d4a72aa6e423ce
  • 4557e4533a41c8e36a347450f4b58a76
  • d8f508c5af84df89d73ae9c4173c1cdb
  • 4557e4533a41c8e36a347450f4b58a76
  • 2d001c3d5e3509a7e7d4a72aa6e423ce
  • 6343af71615d2f1c51f654863f6136f2
Disclaimer: These IPs may subject to change in future 

This is just an explanatory post to leverage basic dynamic malware analysis to find indicators of compromise



  1. This information is meaningful and magnificent which you have shared here about the Cryptocurrency Mining. I am impressed by the details that you have shared in this post and It reveals how nicely you understand this subject. I would like to thanks for sharing this article here. Crypto Loan Calculator Online

  2. The trading sessions of Bitcoin will last as long as the user wants. So experts advise new users to identify the peak trading period in their countries and trade at that time.


Post a comment

Popular posts from this blog

Memory Analysis of WannaCry Ransomware

This post explains the memory dump analysis of WannaCry infected system using volatility (An open source memory forensics framework) and other open source tools. It doesn't cover the analysis of initial infection vector, propagation and recovery of infected system. The objective is to leverage memory forensic analysis to uncover and extract Indicators of Compromise (IoC) 

WannaCry (or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) is a ransomware program targeting the Microsoft Windows operating system. On Friday, 12 May 2017, a large cyber-attack using it was launched, infecting more than 230,000 computers in 150 countries, demanding ransom payments in the cryptocurrency bitcoin in 28 languages.The attack has been described by Europol as unprecedented in scale.

You are dealing with real malware samples Don’t expose them to internal networks or internet Analyze them in a controlled environme…

Decoding Metasploit and CobaltStrike shells

This post is about how to decode one type of shellcode generated by Metasploit framework and CobaltStrike to get the C2 domain/IP address so that the incident responder can able to identify and block the further adversary activity. FYI this post doesn't cover the initial infection vector (like phishing thorough office maldoc) or how the shellcode will get generated (like from Metasploit framework or Cobaltstrike).

It leverages CyberChef to fully decode and get the shellcode from an encoded powershell command and further it will be fed into scdbg emulator to get the IP address of C2 or an adversary

Here we have the encoded powershell command 


Memory dump analysis of Donny's System


This post solves the mystery of Donny's System  and outlines how to utilize memory forensics methodology to uncover artifacts from memory dumps

Tools: Volatility, Yara  & Windows Powershell


Six-step investigative methodology by SANS

Identify rogue processes Analyze process DLLs and handles  Review network artifacts Look for evidence of code injection Check for signs of rootkitDump suspicious processes and drivers  Run volatility imageinfo plugin  to identify profile  PS C:\volatility> .\vol.exe -f .\unknown.vmem imageinfo
Run Volatility pslist plugin to see active running processes
PS C:\volatility> .\vol.exe -f .\unknown.vmem --profile=WinXPSP3x86 pslist
Just to remind that all process creation and termination timings are specified in UTC. Ensure to change them to system timezone while correlating the events with other sources of evidence
game.exe clearly looks suspicious as it ran and exit in a short span of time. The most interesting part was explor…