Introduction
This post explains how to execute a malware specimen in a controlled environment (a sandbox) to identify indicators of compromise (IOCs). It does not cover the initial infection vector, propagation, or recovery of an infected system.
Adylkuzz CryptoMiner
Adylkuzz is described as a piece of malware that infects computers through the same means as WannaCry but, instead of locking files on computers, hides in the background and makes money for its operators by mining cryptocurrency. It does not interfere with a user's files but remains behind the scenes. The "symptoms" of the attack include loss of access to shared resources on Windows, plus computers and servers running slowly. Once running, Adylkuzz first stops any instances of itself that are already running and blocks SMB communication to avoid further infection. It then determines the public IP address of the victim and downloads the mining instructions, the cryptominer, and cleanup tools.
Disclaimer
- You are dealing with real malware samples
- Don't expose them to internal networks or the internet
- Analyze them in a controlled environment (a sandbox)
- We are not responsible for any consequences or damage if you fail to follow these rules
MD5: f2e1d236c5d2c009e1749fc6479a9ede
Tools
- Process hacker
- Process monitor
- Wireshark
- CaptureBAT
- Hashmyfiles
- Windows 7 VM
A Windows 7 virtual machine was set up with all of the tools. Process Hacker, Process Monitor, Wireshark and CaptureBAT were started in the background, and the Adylkuzz specimen was run with administrator privileges, since that is how it generally executes. A quick look at Process Hacker showed that Adylkuzz was launched by explorer.exe.
Adylkuzz launched many command prompts upon execution, and these could be seen in Process Hacker. As mentioned, the aim is to find indicators of compromise, so let's look further at Process Monitor and Wireshark to check for process creation and network connections.
As shown in Process Hacker, some suspicious processes were spotted, and some were terminated via command prompt during execution. Let's have a quick look at the Process Monitor (procmon) output: filter it with "Operation is Process Create" and spot the initial execution of Adylkuzz by explorer.exe, followed by the various sub-processes Adylkuzz created by invoking command line arguments.
As shown, the explorer process launched the Adylkuzz binary, and Adylkuzz then launched a number of sub-processes by passing command line arguments through cmd.exe. The first thing it did was kill hdmanger.exe and mmc.exe; it also stopped a service called WELM and deleted it later.
Some new firewall rules were also added via command line arguments; the most interesting one blocked port 445 (SMB), the port through which the malware arrived. Since this is crypto-mining malware that consumes all available computing resources on its mining computations, it blocks port 445 (SMB) so that no other malware can exploit the same entry point and compete with it for those resources.
As shown below, a number of processes were killed and more firewall rules were added. Most interestingly, there was some filesystem activity: a few files were created in the TEMP folder, and the Fonts directory was accessed (which happens rarely). Another process was also observed running a batch file and pinging localhost.
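The procmon walkthrough above is done by eye in the GUI. The script below is an added example (not part of the original post, and not the post's own capture) that applies the same "Operation is Process Create" filter to a procmon CSV export and flags the behaviours described here: process kills, service stop/delete, firewall rules on port 445, batch files and localhost pings, reporting each hit with its parent chain back to explorer.exe. The CSV rows, PIDs and command lines are constructed reconstructions of what the post describes, not data from the sample.

```python
import csv
import io
import re

# Constructed procmon "Save as CSV" export (NOT the post's real capture).
# The command lines reconstruct the behaviour described in the post; the
# process names, PIDs and timestamps are made up for this example.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"2:10:01.0000000 PM","Explorer.EXE","1234","Process Create","C:\Users\lab\Desktop\adylkuzz.exe","SUCCESS","PID: 2000, Command line: ""C:\Users\lab\Desktop\adylkuzz.exe"" "
"2:10:01.0500000 PM","adylkuzz.exe","2000","CreateFile","C:\Users\lab\AppData\Local\Temp\445.bat","SUCCESS","Desired Access: Generic Write"
"2:10:01.1000000 PM","adylkuzz.exe","2000","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 2001, Command line: cmd.exe /c taskkill /f /im hdmanger.exe"
"2:10:01.2000000 PM","adylkuzz.exe","2000","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 2002, Command line: cmd.exe /c sc stop WELM & sc delete WELM"
"2:10:01.3000000 PM","adylkuzz.exe","2000","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 2003, Command line: cmd.exe /c netsh advfirewall firewall add rule name=""block445"" dir=in protocol=tcp localport=445 action=block"
"2:10:01.4000000 PM","adylkuzz.exe","2000","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 2004, Command line: cmd.exe /c C:\Users\lab\AppData\Local\Temp\445.bat"
"2:10:01.5000000 PM","cmd.exe","2004","Process Create","C:\Windows\System32\PING.EXE","SUCCESS","PID: 2005, Command line: ping 127.0.0.1 -n 3"
"2:10:02.0000000 PM","svchost.exe","800","Process Create","C:\Windows\System32\notepad.exe","SUCCESS","PID: 2100, Command line: notepad.exe C:\Users\lab\notes.txt"
'''

# Triage rules for the behaviours the post observed in the cmd.exe children.
SUSPICIOUS = [
    (re.compile(r"\btaskkill\b", re.I), "kills a process"),
    (re.compile(r"\bsc\s+(stop|delete)\b", re.I), "stops or deletes a service"),
    (re.compile(r"\bnetsh\b.*\bfirewall\b.*\badd\b", re.I), "adds a firewall rule"),
    (re.compile(r"\blocalport=445\b", re.I), "touches SMB port 445"),
    (re.compile(r"\bping\b.*\b127\.0\.0\.1\b", re.I), "pings localhost (common batch-file delay idiom)"),
    (re.compile(r"\.bat\b", re.I), "runs a batch file"),
]

CMDLINE_RE = re.compile(r"Command line:\s*(.*)$")
CHILD_PID_RE = re.compile(r"PID:\s*(\d+)")


def parse_process_creates(csv_text):
    """Return one dict per 'Process Create' row. In procmon's layout the
    'Process Name'/'PID' columns are the creator, 'Path' is the new image
    and 'Detail' carries the child PID and command line."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "Process Create":
            continue
        cmd = CMDLINE_RE.search(row["Detail"])
        child = CHILD_PID_RE.search(row["Detail"])
        events.append({
            "parent_name": row["Process Name"],
            "parent_pid": int(row["PID"]),
            "pid": int(child.group(1)),
            "image": row["Path"],
            "cmdline": cmd.group(1).strip() if cmd else "",
        })
    return events


def lineage(event, by_pid):
    """Walk parent links up to the first creator we never saw being created
    (explorer.exe here) and return the chain as 'name(pid)' strings."""
    chain = []
    cur = event
    while True:
        chain.append("%s(%d)" % (cur["image"].rsplit("\\", 1)[-1], cur["pid"]))
        if cur["parent_pid"] not in by_pid:
            chain.append("%s(%d)" % (cur["parent_name"], cur["parent_pid"]))
            break
        cur = by_pid[cur["parent_pid"]]
    return chain[::-1]


def triage(events):
    """Flag process creations whose command line matches a rule, with the
    reasons and the full parent chain so the analyst sees who spawned what."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        reasons = [why for rx, why in SUSPICIOUS if rx.search(e["cmdline"])]
        if reasons:
            findings.append({"pid": e["pid"], "chain": lineage(e, by_pid),
                             "cmdline": e["cmdline"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_process_creates(SAMPLE_PROCMON_CSV)):
        print(" > ".join(f["chain"]))
        print("    %s" % f["cmdline"])
        print("    reasons: %s" % ", ".join(f["reasons"]))
```

Run it against a real export (File --> Save --> CSV in procmon) by reading the file into parse_process_creates; the rules only look at command lines, so a benign process such as the notepad.exe row in the sample produces no finding.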
Here is the captured process monitor file for further exploration
procmon file: https://mega.nz/#F!9nxBAKbZ!Uwu73mULkDty8xIG4h-FTg
MD5: e7d69cb1050b25c6ac08fbabfbba6ff4
Meanwhile, a quick look at Wireshark with the filter http.request.method==GET && not udp showed a few interesting HTTP requests carrying command instructions and file downloads.
Following the TCP stream for the GET request /install/start HTTP/1.1 shows the infected host contacting the server to announce its presence; it received a 200 OK.
Following the TCP stream for the next GET request, for /mine.txt, the infected host received a 200 OK with a set of crypto-mining instructions.
In the next GET request, the malware pulled a binary, 64.exe, from the server and then sent a report with system information such as the system architecture, CPU frequency, the number of CPU calls and memory. This lets the malware authors know what type of system is infected and what resources are available for their computations.
The previous response contained a resource location for a Lua script, which was fetched in the next GET request. In summary, the malware pulls a binary from the server and requests mine.txt to get its mining instructions.
All HTTP objects were extracted in Wireshark via File --> Export Objects --> HTTP.
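The Export Objects step above can be reproduced without the GUI, which helps when you have many captures to process. The script below is an added example (not from the original post or its pcap) that takes a raw client/server byte stream of the kind "Follow TCP Stream" shows, splits it into HTTP messages by Content-Length, pairs each GET with its response, hashes the downloaded bodies, and lists the hosts and URLs contacted as candidate network IOCs. The stream itself is constructed: the hosts and paths come from the post (/install/start, /mine.txt, 64.exe, 07.lua on the super5566.com domains), but the response bodies are placeholders, not the real mining instructions or binary.

```python
import hashlib

# Constructed TCP stream (NOT the post's pcap). Hosts and URIs are those the
# post observed; bodies are placeholders of the stated Content-Length.
SAMPLE_STREAM = (
    b"GET /install/start HTTP/1.1\r\nHost: aa1.super5566.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 2\r\n\r\nok"
    b"GET /mine.txt HTTP/1.1\r\nHost: aa1.super5566.com\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 24\r\n\r\ninstructions-placeholder"
    b"GET /64.exe HTTP/1.1\r\nHost: 08.super5566.com\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nContent-Length: 6\r\n\r\nMZ\x90\x00\x03\x00"
    b"GET /07.lua HTTP/1.1\r\nHost: 08.super5566.com\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 14\r\n\r\n-- placeholder"
)


def parse_http_messages(stream):
    """Split a reassembled client<->server byte stream into HTTP messages.
    Each message ends after its headers plus Content-Length body bytes;
    chunked transfer encoding is not handled (the post's traffic did not use it)."""
    messages = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", 0))
        body = stream[end + 4:end + 4 + length]
        msg = {"headers": headers, "body": body}
        start = lines[0].split(" ")
        if start[0].startswith("HTTP/"):
            msg["kind"] = "response"
            msg["status"] = int(start[1])
        else:
            msg["kind"] = "request"
            msg["method"], msg["uri"] = start[0], start[1]
            msg["host"] = headers.get("host", "")
        messages.append(msg)
        pos = end + 4 + length
    return messages


def export_objects(messages):
    """Pair each request with the response that follows it and describe the
    body, mirroring Wireshark's File --> Export Objects --> HTTP. A body that
    starts with 'MZ' is a PE file whatever the Content-Type claims."""
    objects, pending = [], None
    for msg in messages:
        if msg["kind"] == "request":
            pending = msg
        elif pending is not None:
            objects.append({
                "host": pending["host"],
                "uri": pending["uri"],
                "status": msg["status"],
                "content_type": msg["headers"].get("content-type", ""),
                "size": len(msg["body"]),
                "md5": hashlib.md5(msg["body"]).hexdigest(),
                "pe": msg["body"][:2] == b"MZ",
            })
            pending = None
    return objects


def network_iocs(messages):
    """Hosts contacted and URLs fetched, ready for the IOC list."""
    requests = [m for m in messages if m["kind"] == "request"]
    hosts = sorted({m["host"] for m in requests})
    urls = sorted("http://%s%s" % (m["host"], m["uri"]) for m in requests)
    return hosts, urls


if __name__ == "__main__":
    msgs = parse_http_messages(SAMPLE_STREAM)
    for obj in export_objects(msgs):
        print("%(host)s %(uri)s -> %(status)d %(content_type)s %(size)d bytes md5=%(md5)s pe=%(pe)s" % obj)
    hosts, urls = network_iocs(msgs)
    print("hosts:", hosts)
    print("urls:", urls)
```

To use it on a real capture, save the stream from Follow TCP Stream as raw bytes (or extract it with tshark) and pass those bytes to parse_http_messages; the MD5 column is what you compare against the hashes in the IOC list below.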
Pcap: https://mega.nz/#!tnQwjCTD!0Ej9db8JMbmB6GAmVMJpoFVYUuLVaV0KZCKlUO5RTS8
MD5: 34723c7c5c54d6ff22cad74c7921c937
It was evident that Adylkuzz consumes all available resources. It also detects the presence of Task Manager (taskmgr.exe) so that normal-looking system usage is shown while taskmgr.exe is running.
As shown below, Adylkuzz reports different system usage while taskmgr.exe is running in the background.
Have a quick look at the CaptureBAT output; below are the created, modified and deleted files.
Adylkuzz created a log file for its crypto-mining operations.
Indicators of Compromise
- 08.super5566.com
- aa1.super5566.com
- 107.170.200.222
- 1.32.192.16
- 07.lua
- 445.bat
- 445.exe
- 86.exe
- msiexev.exe
- mine.txt
- s1f0.1_.exe
- s1f0._Miner_.log
- 5e97bc06c438d9c393e67591029ee1e4
- 0711b1d7523f0e02be2505f2e0b39fae
- 2d001c3d5e3509a7e7d4a72aa6e423ce
- 4557e4533a41c8e36a347450f4b58a76
- d8f508c5af84df89d73ae9c4173c1cdb
- 6343af71615d2f1c51f654863f6136f2
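A practical use of the list above is a host sweep: the same job HashMyFiles does by hand, scripted. The code below is an added example (not from the original post) that walks a directory tree, computes the MD5 of every file and reports anything whose name or hash appears in the post's IOC list. Name hits and hash hits are reported separately, since a recompiled variant keeps its file name but not its hash, and a renamed copy keeps its hash but not its name. The sample directory it builds for a dry run is constructed and contains placeholder files, not the real samples.

```python
import hashlib
import os
import tempfile

# File-name and MD5 IOCs as listed in the post (names lower-cased for matching).
FILE_NAME_IOCS = {
    "07.lua", "445.bat", "445.exe", "86.exe", "msiexev.exe",
    "mine.txt", "s1f0.1_.exe", "s1f0._miner_.log",
}
HASH_IOCS = {
    "5e97bc06c438d9c393e67591029ee1e4",
    "0711b1d7523f0e02be2505f2e0b39fae",
    "2d001c3d5e3509a7e7d4a72aa6e423ce",
    "4557e4533a41c8e36a347450f4b58a76",
    "d8f508c5af84df89d73ae9c4173c1cdb",
    "6343af71615d2f1c51f654863f6136f2",
}


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def md5_file(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, name_iocs=FILE_NAME_IOCS, hash_iocs=HASH_IOCS):
    """Walk root and report every file whose name or MD5 is on the IOC list,
    saying which of the two matched (or both)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = md5_file(path)
            name_hit = name.lower() in name_iocs
            hash_hit = digest in hash_iocs
            if name_hit or hash_hit:
                findings.append({
                    "path": os.path.relpath(path, root),
                    "md5": digest,
                    "name_match": name_hit,
                    "hash_match": hash_hit,
                })
    return sorted(findings, key=lambda f: f["path"])


def make_sample_tree():
    """Constructed directory for a dry run: two files carrying IOC names with
    placeholder contents (so their hashes will NOT match) and one benign file."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    temp = os.path.join(root, "Temp")
    os.makedirs(temp)
    with open(os.path.join(temp, "445.bat"), "wb") as f:
        f.write(b"@echo constructed placeholder\r\n")
    with open(os.path.join(temp, "s1f0._Miner_.log"), "wb") as f:
        f.write(b"constructed log line\r\n")
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"benign\r\n")
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    for f in sweep(root):
        kind = "name+hash" if f["name_match"] and f["hash_match"] else (
            "name only" if f["name_match"] else "hash only")
        print("%s  %s  [%s]" % (f["md5"], f["path"], kind))
```

On a suspected host you would point sweep at the user's TEMP folder and the system directories the post mentions; a name-only hit on something like msiexev.exe (one letter away from the legitimate msiexec.exe) is worth pulling for analysis even when the hash is new.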
This is just an explanatory post that uses basic dynamic malware analysis to find indicators of compromise.