Malware used to generate electronic Money – Bitcoins

The use of malicious software for bitcoin mining has been increasing. There are reports of cases in which the software propagates itself through the Skype service; however, it is not limited to that vector: computers can also be infected through other media, such as websites or infected USB devices.

Bitcoin is electronic money that lets anyone make transfers in a decentralized way. Its acceptance as a means of payment for different services has grown considerably, and some providers allow bitcoins to be exchanged for their equivalent value in conventional currency. This makes it attractive for acquiring goods and services on the black market.

The validation of the file type and its MD5 hash is shown below.

After executing the malicious file, the following processes were started, in the order shown in the image.

Once the last process tree had been executed, the processes shell.exe and macromedia.exe established a connection to the server 54.215.X.X on port 3333.

Once the connection was established, the computer showed a marked drop in performance. Using the Process Explorer tool we observed the command line each process was started with, as shown below.

Process cmd.exe

Process cscript.exe

Process shell.exe

Process macromedia.exe

In the previous images there are two important points to consider, highlighted in red: the first is the path “C:\Documents and Settings\Administrator\Program Data\WindowsPID” from which the programs are executed; the second is the command line with which each process was started.

We could also observe the CPU load of each process. In the next image the macromedia.exe process is consuming almost 100% of the processor, while the shell.exe process shows the larger amount of transferred data (I/O). This is the behavior expected from a computer being used for bitcoin mining.

The command line of each process is important: both received the same kind of parameters, a domain name with port 3333, -u for the user name and -p for the password used to authenticate to the server.

The network activity showed that the local host connected to the domain stratum.x.x and called the method mining.subscribe, the first request a Stratum mining client sends to a pool (Stratum is the line-delimited JSON-RPC protocol used by mining pools).

The infected computer then authenticates to the server, as mentioned before, with the user name and password shown in the next image, passed in the “params” field of the request (in Stratum this is the mining.authorize method). After this it starts sending data to the server.
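The exchange described above, as an added example that is not part of the original report: a small Python triage script that walks a captured Stratum stream line by line, matches JSON-RPC responses to the requests they answer, pulls the worker name and password out of the mining.authorize params, and counts accepted and rejected shares. The stream below is constructed to mirror the observed behaviour (subscribe, then authorize, then submit); the worker name, password, extranonce and job values are placeholders, not values from the sample, and the function names are the author's.

```python
"""Added example: triage a captured TCP stream for Stratum mining-pool traffic."""
import json

STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "mining.notify", "mining.set_difficulty"}

# Constructed stream (not the report's capture): ("C", line) is client->server,
# ("S", line) is server->client. Worker name, password, extranonce and job
# values are placeholders.
SAMPLE_STREAM = [
    ("C", '{"id": 1, "method": "mining.subscribe", "params": ["miner/1.0"]}'),
    ("S", '{"id": 1, "result": [[["mining.set_difficulty", "1"], ["mining.notify", "1"]], "08000002", 4], "error": null}'),
    ("C", '{"id": 2, "method": "mining.authorize", "params": ["worker.example", "x"]}'),
    ("S", '{"id": 2, "result": true, "error": null}'),
    ("S", '{"id": null, "method": "mining.set_difficulty", "params": [32]}'),
    ("S", '{"id": null, "method": "mining.notify", "params": ["job1", "' + "0" * 64 +
          '", "01", "02", [], "00000002", "1c2ac4af", "504e86b9", true]}'),
    ("C", '{"id": 3, "method": "mining.submit", "params": ["worker.example", "job1", "00000000", "504e86b9", "b2957c02"]}'),
    ("S", '{"id": 3, "result": true, "error": null}'),
    ("C", '{"id": 4, "method": "mining.submit", "params": ["worker.example", "job1", "00000001", "504e86b9", "b2957c03"]}'),
    ("S", '{"id": 4, "result": false, "error": [23, "Low difficulty share", null]}'),
    ("C", "GET / HTTP/1.1"),   # non-JSON noise must not break the parser
]


def parse_line(raw: str):
    """Return the JSON-RPC object on one line, or None if the line is not a JSON object."""
    try:
        msg = json.loads(raw)
    except ValueError:
        return None
    return msg if isinstance(msg, dict) else None


def triage_stream(lines) -> dict:
    """Summarise one stream: methods seen, pool credentials, share results."""
    summary = {"is_stratum": False, "methods": [], "worker": None, "password": None,
               "shares_accepted": 0, "shares_rejected": 0}
    pending = {}   # request id -> method, so responses can be matched to requests
    for direction, raw in lines:
        msg = parse_line(raw)
        if msg is None:
            continue
        rid = msg.get("id")
        method = msg.get("method")
        if method is not None:                        # a request or a server notification
            summary["methods"].append((direction, method))
            if method in STRATUM_METHODS:
                summary["is_stratum"] = True
            if isinstance(rid, (int, str)):
                pending[rid] = method
            params = msg.get("params") or []
            if method == "mining.authorize" and len(params) >= 2:
                summary["worker"], summary["password"] = params[0], params[1]
        elif isinstance(rid, (int, str)) and rid in pending:   # a response we can match
            if pending.pop(rid) == "mining.submit":
                key = "shares_accepted" if msg.get("result") is True else "shares_rejected"
                summary[key] += 1
    return summary


def miner_beacon_detected(summary: dict) -> bool:
    """Alert rule: the client subscribed and then authorized, i.e. a pool login, not a stray packet."""
    client_methods = [m for d, m in summary["methods"] if d == "C"]
    return ("mining.subscribe" in client_methods and "mining.authorize" in client_methods
            and client_methods.index("mining.subscribe") < client_methods.index("mining.authorize"))


if __name__ == "__main__":
    s = triage_stream(SAMPLE_STREAM)
    print(s)
    print("miner beacon:", miner_beacon_detected(s))
```

Matching responses by request id is what makes the share count reliable: the server's own notifications (mining.notify, mining.set_difficulty) carry a null id and are never confused with answers to the client's submits.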

As for the file system, we observed the creation of the directory WindowsPID under “C:\Documents and Settings\Administrator\Program Data\”. Inside it, a large number of files were created, 909 in total, as shown below.

As seen in the previous image, the file skype.lnk was added to the directory “C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\”. In this way the malware ensures that it is executed on every system startup. The next image shows that the file is a shortcut pointing to usft_ext.exe.vbs.
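To check a Startup folder for shortcuts of this kind, here is an added example (not from the original report) that reads the Shell Link (.lnk) format directly, recovers the target path and command-line arguments, and flags targets that are scripts, double-extension names such as something.exe.vbs, or files under a user-writable data directory. The skype.lnk it parses is a constructed shortcut produced by build_lnk to mirror what the report describes; the function names and the heuristics are the author's assumptions here, not the malware's code.

```python
"""Added example: parse Startup-folder shortcuts (.lnk) and flag suspicious targets.

Minimal reader for the Shell Link format: it recovers LocalBasePath from the
LinkInfo block and the StringData fields, enough to see what a Startup-folder
shortcut such as skype.lnk actually runs.
"""
import struct
from pathlib import Path

# CLSID 00021401-0000-0000-C000-000000000046 in the byte order stored on disk.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 1 << 0, 1 << 1
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 1 << 2, 1 << 3, 1 << 4
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 1 << 5, 1 << 6, 1 << 7
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1")


def parse_lnk(data: bytes) -> dict:
    """Return the shortcut's target path and StringData fields (name, arguments, ...)."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip the PIDL; we want the plain path
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = None
    if flags & HAS_LINK_INFO:
        info_start = pos
        info_size, _hdr, info_flags, _vol_off, base_off = struct.unpack_from("<5I", data, pos)
        if info_flags & 1:                         # VolumeIDAndLocalBasePath is present
            end = data.index(b"\x00", info_start + base_off)
            target = data[info_start + base_off:end].decode("cp1252")
        pos = info_start + info_size

    def read_string() -> str:
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        return raw.decode("utf-16-le" if width == 2 else "cp1252")

    fields = {"target": target}
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            fields[key] = read_string()
    return fields


def assess_shortcut(info: dict) -> list:
    """Heuristics for a Startup-folder shortcut; each finding is a short reason string."""
    target = (info.get("target") or "").lower()
    name = target.rsplit("\\", 1)[-1]
    findings = []
    if name.endswith(SCRIPT_EXTS):
        findings.append("target is a script, not a program")
    stem, _, ext = name.rpartition(".")
    if ext and stem.rpartition(".")[2] in ("exe", "dll", "scr", "com"):
        findings.append("double extension disguises the script as an executable")
    if any(d in target for d in ("\\program data\\", "\\application data\\", "\\temp\\")):
        findings.append("target lives in a user-writable data directory")
    return findings


def scan_startup_folders(folders) -> dict:
    """Map every *.lnk in the given folders to (target, findings)."""
    results = {}
    for folder in folders:
        for lnk in Path(folder).glob("*.lnk"):
            try:
                info = parse_lnk(lnk.read_bytes())
            except ValueError:
                continue
            results[str(lnk)] = (info.get("target"), assess_shortcut(info))
    return results


def build_lnk(target: str, arguments: str = "") -> bytes:
    """Build a minimal .lnk (constructed test data, not the real skype.lnk from the sample)."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)      # ShowCommand = SW_SHOWNORMAL
    volume_id = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"   # DRIVE_FIXED, empty label
    base = target.encode("cp1252") + b"\x00"
    vol_off = 0x1C
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    info_size = suffix_off + 1                                   # empty CommonPathSuffix
    link_info = struct.pack("<7I", info_size, 0x1C, 1, vol_off, base_off, 0, suffix_off)
    link_info += volume_id + base + b"\x00"
    strings = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le") if arguments else b""
    return header + link_info + strings


if __name__ == "__main__":
    sample = build_lnk(r"C:\Documents and Settings\Administrator\Program Data\WindowsPID\usft_ext.exe.vbs")
    info = parse_lnk(sample)
    print(info["target"], assess_shortcut(info))
    # Live use: scan_startup_folders([r"C:\Documents and Settings\Administrator\Start Menu\Programs\Startup"])
```

The reader deliberately ignores the LinkTargetIDList and relies on LocalBasePath, which is what Explorer writes for local targets; a shortcut whose LinkInfo lacks a local path (network or shell-namespace targets) comes back with target None and should be inspected by hand.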

While the sample was executed and the processes were being started, no network activity was recorded; however, given the number of executable files that were started, they were most likely contained inside miner.exe. Analysis of miner.exe with the tool ExeInfoPE determined that it had been packed in the RAR format.

The files contained in miner.exe are shown below.

With the Process Monitor tool we observed the WinRAR SFX registry keys that were created when the sample ran. This corroborates that the sample is a self-extracting archive. Creating executables with compression tools is relatively easy, and it lets malware authors configure how the contained files are executed once extracted.

More information is available on this link: http://www.winrar.es/soporte/manual/HELPArcSFX

Analysis of the log created with Process Monitor reveals that the first file executed was the script put.vbs (vbs: Visual Basic Script), launched by wscript.exe (Windows Script Host), which is installed by default on Windows and runs files with the extensions .wsf, .vbs and .js.

Next, the files added to the system are analysed in order of execution (these files were also obtained by decompressing miner.exe).

Analysis of the file put.vbs

The first line of code creates an object “oShell” of type “WScript.Shell”, which is used to run programs locally, manipulate the registry, create shortcuts or access system directories.

The next two lines declare a variable (strku4kagataga) and assign it the string containing the command cmd /c kill.bat.

Finally, “oShell.Run” executes the command: the first parameter is the variable holding the command, the second parameter (0) makes the program run without showing any window, so it goes unnoticed by the user, and the third parameter, “false”, lets the script continue without waiting for the started process to finish.

Analysis of the file kill.bat

The first line runs the command “taskkill”, which comes with Windows and is used to terminate one or more processes. The option “/im” specifies the image name of the process to terminate.

Next, it changes to the “min” directory, calls a batch program named “compile.bat”, renames the file “miner.ddl_par1” to “miner.dll” and then moves it to the parent directory.

The same procedure was carried out on the files stored in the directories “shell” and “macro”. We then observed repeated execution of “taskkill” with the option “/f”, which forces termination of the processes wscript.exe, cscript.exe, macromedia.exe and shell.exe.

Afterwards, the “ping” command was run with the option “-n 5”, which sets the number of echo requests to 5. This is the usual batch-file trick for introducing a delay; here it gives the processes targeted by “taskkill” time to terminate.

Analysis of the file usft_ext.exe.vbs

The file usft_ext.exe.vbs is executed by cscript.exe, the command-line version of wscript.exe. This is the file that is invoked on every system startup. It is here that the domain name, ports, user name and password used to establish the connection are defined. It also defines a loop that keeps trying to communicate with the server stratum.x.x in case the processes did not start correctly.

The “compile.bat” files found in the directories shell, macro and miner are shown below.

In them, all the parts of the extracted files are joined with the copy command using the “/b” option, which makes copy treat the inputs as binary and concatenate them byte for byte. After running “compile.bat” in each of the mentioned directories, the executables observed during the execution of the sample were generated.

It is important to mention that when the computer was restarted and the malicious sample executed again, it tried to connect to a different IP address for the same domain name.

The MD5 hash of each file is shown below:

b324f971c2357f5d0ebcf585473e8596 *macromedia.exe

b324f971c2357f5d0ebcf585473e8596 *shell.exe

e4ffa50d2d55d86e7c14c49962d269ea *usft_ext.exe.vbs

8bdf872a5d2253f0d1dffd4e5c4fb2a1 *miner.exe

As can be seen from the MD5 hashes, macromedia.exe and shell.exe are the same file, even though they are started with different parameters.
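As an added example (not part of the original report) covering both the compile.bat reassembly and the hash comparison above: the script below splits a constructed blob into miner.ddl_parN fragments, joins them in numeric order as copy /b would, and groups files by MD5 so that the same binary dropped under two names shows up as one hash. The fragment set and the file names are constructed for the demonstration; it is not the malware's miner.dll, and the helper names are the author's.

```python
"""Added example: rebuild an executable shipped as <name>_parN fragments and compare hashes."""
import hashlib
import re

PART_RE = re.compile(r"^(?P<stem>.+)_par(?P<n>\d+)$")


def md5sum(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def split_parts(data: bytes, part_size: int) -> list:
    """Cut a file into fixed-size fragments, the inverse of `copy /b part1+part2+... out`."""
    return [data[i:i + part_size] for i in range(0, len(data), part_size)]


def reassemble_fragments(files: dict) -> dict:
    """Join <stem>_parN fragments per stem in numeric order, like `copy /b` in compile.bat.

    Sorting on the integer N matters: a lexical sort would put _par10 before _par2
    and produce a corrupt binary whose hash matches nothing.
    """
    groups = {}
    for name, data in files.items():
        m = PART_RE.match(name)
        if m:
            groups.setdefault(m.group("stem"), []).append((int(m.group("n")), data))
    return {stem: b"".join(d for _, d in sorted(parts)) for stem, parts in groups.items()}


def group_identical(files: dict) -> dict:
    """Map md5 -> sorted names; a hash with two names is one file dropped under two names."""
    groups = {}
    for name, data in files.items():
        groups.setdefault(md5sum(data), []).append(name)
    return {h: sorted(names) for h, names in groups.items()}


def build_sample() -> dict:
    """Constructed fragment set (not the real malware): a deterministic 10 KiB blob split
    into 11 parts so that _par10 and _par11 exist, plus the whole blob under two names."""
    blob = bytes(range(256)) * 40
    files = {f"miner.ddl_par{i}": p for i, p in enumerate(split_parts(blob, 1000), start=1)}
    files["macromedia.exe"] = blob
    files["shell.exe"] = blob
    return files


if __name__ == "__main__":
    files = build_sample()
    rebuilt = reassemble_fragments(files)
    for stem, data in rebuilt.items():
        print(f"{md5sum(data)} *{stem} (rebuilt from fragments)")
    for h, names in group_identical(files).items():
        if len(names) > 1:
            print(f"{h} shared by {', '.join(names)}")
```

No individual fragment hashes like the finished binary, which is why splitting a payload into parts and concatenating them on the victim defeats detection that keys on the whole file's hash; hashing the reassembled output, as above, restores the comparison.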

The detection rates of the antivirus engines are shown below.