Mostly ramblings of me poking at a CPU miner with a stick. Making a thread because someone might like it. Will sound a bit rambly because it is. Sorry
So my Windows install has been running fairly hot and loud lately, but whenever I end up opening Task Manager it reveals that the CPU usage is at what would be normal for idle.
The dip is me opening Task Manager
Copying taskmgr to the desktop and renaming it tricks whatever is running into thinking it's now open. This means I can see the true culprit
Was last modified in 2015 but was created on 5/30/2018. And no, notepad is not signed by Microsoft
A few notes so far.
Killed the process and removed notepad with a bit of good timing (process respawns). Notepad no longer runs outside of the Windows folder. Putting something else called notepad does not cause it to be run. Placing the OG notepad file back into the folder causes it to be immediately run. So some kind of fingerprinting must be going on here.
Dumping the strings of the file doesn't reveal anything of interest. Mostly random garbage it thinks is strings and some product info from Microsoft.
Notepad.exe process just simply disappears whenever something is run with the filename “taskmgr.exe”
That's about the extent of my knowledge/willingness to poke at it. I've uploaded both the binary and a process dump in case anyone else wants to take a look at it. Also @Cavemanthe0ne. Found out why my laptop was always running hot in Windows XD
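The two things the posts above turn into detection logic are (a) a process carrying a Windows system-binary name that runs from outside the Windows folder and is not Microsoft-signed, and (b) a process that exits every time something named taskmgr.exe starts. Below is an added example (my own code, not the original poster's) that checks both against constructed records: the process list mirrors the thread (an unsigned notepad.exe created in 2018 but last written in 2015), the image path C:\Users\Public\notepad.exe and the PIDs and timestamps are made up, and the event list stands in for what Sysmon process-create/terminate events or a Process Monitor trace would give you.

```python
"""Flag a process hiding behind a Windows system-binary name.

Added example for this thread, not code from the original poster. All
records below are constructed; only the behaviour they model (an unsigned
notepad.exe outside the Windows folder that dies whenever taskmgr.exe
starts) comes from the thread.
"""
import ntpath
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Names worth scrutinising when they run from an unexpected place.
SYSTEM_BINARY_NAMES = {"notepad.exe", "taskmgr.exe", "svchost.exe", "explorer.exe"}
# Directories a genuine copy of those binaries lives in (lower-case, no trailing slash).
TRUSTED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
MICROSOFT_SIGNER = "microsoft windows"


@dataclass
class ProcessRecord:
    pid: int
    name: str
    image_path: str
    signer: str         # "" when the image carries no Authenticode signature
    created: datetime   # file creation time on disk
    modified: datetime  # file last-write time on disk


def assess(rec: ProcessRecord) -> List[str]:
    """Static checks on one running process; returns the findings as strings."""
    findings = []
    if rec.name.lower() in SYSTEM_BINARY_NAMES:
        # ntpath handles Windows paths regardless of the OS this runs on.
        if ntpath.dirname(rec.image_path.lower()) not in TRUSTED_DIRS:
            findings.append("system binary name running outside the Windows directory")
        if rec.signer.lower() != MICROSOFT_SIGNER:
            findings.append("image is not signed by Microsoft")
    if rec.modified < rec.created:
        # A file copied onto disk keeps its old last-write time but gets a fresh
        # creation time, so this ordering marks a dropped file rather than an installed one.
        findings.append("last-write time predates creation time (file was copied/dropped)")
    return findings


def scan(records: List[ProcessRecord]) -> Dict[int, List[str]]:
    """Map PID -> findings for every process that has at least one finding."""
    return {r.pid: f for r in records if (f := assess(r))}


# (timestamp, "start" | "exit", image name, pid), as a Sysmon/ProcMon export would give.
Event = Tuple[datetime, str, str, int]


def exits_triggered_by(events: List[Event], trigger: str = "taskmgr.exe",
                       window: timedelta = timedelta(seconds=2)) -> Dict[str, int]:
    """Count, per image name, how often a process exited within `window` after `trigger` started.

    A miner that bails out whenever Task Manager appears shows up here as the
    same name exiting right after every taskmgr.exe start.
    """
    trigger_starts = [t for t, kind, name, _ in events
                      if kind == "start" and name.lower() == trigger]
    counts: Dict[str, int] = {}
    for t, kind, name, _ in events:
        if kind != "exit" or name.lower() == trigger:
            continue
        if any(timedelta(0) <= t - ts <= window for ts in trigger_starts):
            counts[name.lower()] = counts.get(name.lower(), 0) + 1
    return counts


# Constructed process list: one impostor, one genuine service host.
PROCESSES = [
    ProcessRecord(4120, "notepad.exe", r"C:\Users\Public\notepad.exe", "",
                  created=datetime(2018, 5, 30), modified=datetime(2015, 7, 10)),
    ProcessRecord(884, "svchost.exe", r"C:\Windows\System32\svchost.exe", "Microsoft Windows",
                  created=datetime(2015, 7, 10), modified=datetime(2015, 7, 10)),
]

# Constructed event stream: notepad.exe dies within a second of each taskmgr.exe start.
T0 = datetime(2018, 6, 1, 12, 0, 0)
EVENTS: List[Event] = [
    (T0, "start", "notepad.exe", 4120),
    (T0 + timedelta(minutes=5), "start", "taskmgr.exe", 5008),
    (T0 + timedelta(minutes=5, seconds=1), "exit", "notepad.exe", 4120),
    (T0 + timedelta(minutes=5, seconds=30), "exit", "taskmgr.exe", 5008),
    (T0 + timedelta(minutes=6), "start", "notepad.exe", 4388),      # respawn
    (T0 + timedelta(minutes=20), "start", "taskmgr.exe", 5120),
    (T0 + timedelta(minutes=20, milliseconds=400), "exit", "notepad.exe", 4388),
    (T0 + timedelta(minutes=21), "exit", "chrome.exe", 3000),      # unrelated, outside the window
]

if __name__ == "__main__":
    for pid, findings in scan(PROCESSES).items():
        print(pid, findings)
    print(exits_triggered_by(EVENTS))
```

On a live box the record fields come from whatever inventory you already have (WMI/Get-Process for path and PID, Get-AuthenticodeSignature for the signer, file metadata for the timestamps); the window in exits_triggered_by is a tuning knob, and two or more hits for the same name is the pattern the thread describes.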
Somewhat confused but ok lol
Also how did you manage to get… Notepad malware? Then again not surprised lol
Good that you found it though because it would explain weird performance and all that
… K Personally I haven't ever needed antimalware because a) if I'm doing something and I'm stupid enough to download malware then I'll deal with it and b) I don't generally download anything with the remotest chance of being malware lol so this isn't something I delve into much usually
An update on this to keep it relevant. Catsay went through the memory dump and found the IP address and port of the server it is communicating with:
185.144.29.36:5450
It is a VPS running Windows Server 2008 R2 in the Russian Federation hosted by profiteserver.ru and it also turns out that the server has RDP and SMB open to the internet XD
And that it was using the XMRig miner with CryptoNight, with the dump also containing the password for the miner.
XMRig 2.6.2
built on May 6 2018 with GCC
%d.%d.%d
features: 64-bit AES
It has now also been reported to the VPS host for abuse and the IP address and memory signatures forwarded to a blacklist so this can hopefully be caught by security software in future.
Altogether a pretty good result from a little bit of poking and snooping
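What Catsay pulled out of the memory dump (the XMRig banner, the pool endpoint and the miner password) is exactly the kind of thing a small triage script can extract automatically. The following is an added example, not Catsay's or the original poster's tooling: it runs a strings-style sweep over a dump, keeps the lines that match miner markers, pulls out IPv4:port endpoints and looks for a pool password either in an XMRig-style command line (-p) or a JSON config ("pass"). The dump bytes are constructed around the strings quoted in the thread; the command line, WALLET_PLACEHOLDER and the password value are made up, and the marker list is my own assumption about what XMRig leaves in memory.

```python
"""Pull XMRig indicators out of a process memory dump.

Added example for this thread, not the poster's or Catsay's tooling. DUMP is
constructed: filler bytes around the banner lines quoted in the thread and the
185.144.29.36:5450 endpoint, plus a made-up command line with a placeholder
wallet. Real dumps are far larger; the same functions apply to their bytes.
"""
import re
from typing import Dict, List

# Substrings that, in my experience, mark XMRig artefacts; extend for other miners.
MINER_MARKERS = (b"XMRig", b"built on", b"cryptonight", b"stratum+tcp://", b"donate-level")
ASCII_STRING = re.compile(rb"[\x20-\x7e]{6,}")      # printable runs, like the `strings` tool
ENDPOINT = re.compile(rb"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})(?!\d)")
# XMRig takes the pool password as `-p <value>` on the command line or "pass" in config.json.
POOL_PASSWORD = re.compile(rb'(?:-p\s+|"pass"\s*:\s*")([^\s"]+)')


def ascii_strings(blob: bytes) -> List[str]:
    """Every printable ASCII run of six or more characters, in dump order."""
    return [m.group().decode("ascii") for m in ASCII_STRING.finditer(blob)]


def miner_strings(blob: bytes) -> List[str]:
    """Strings that contain any miner marker (case-insensitive)."""
    markers = [m.decode("ascii").lower() for m in MINER_MARKERS]
    return [s for s in ascii_strings(blob) if any(k in s.lower() for k in markers)]


def endpoints(blob: bytes) -> List[str]:
    """Syntactically valid IPv4:port pairs found anywhere in the dump."""
    found = set()
    for ip, port in ENDPOINT.findall(blob):
        if all(int(o) <= 255 for o in ip.split(b".")) and 0 < int(port) <= 65535:
            found.add(f"{ip.decode()}:{port.decode()}")
    return sorted(found)


def pool_passwords(blob: bytes) -> List[str]:
    return [m.decode("ascii", "replace") for m in POOL_PASSWORD.findall(blob)]


def triage(blob: bytes) -> Dict[str, List[str]]:
    """One-call summary suitable for turning into IOCs or a blacklist report."""
    return {
        "miner_strings": miner_strings(blob),
        "endpoints": endpoints(blob),
        "pool_passwords": pool_passwords(blob),
    }


# Constructed dump fragment (not real process memory).
DUMP = (
    b"\x00\x8f\x12\xa9" * 8
    + b"XMRig 2.6.2\x00"
    + b"\x01\x02\xff"
    + b"built on May 6 2018 with GCC\x00"
    + b"features: 64-bit AES\x00"
    + b"\x90" * 16
    + b"-o 185.144.29.36:5450 -u WALLET_PLACEHOLDER -p x --donate-level=1\x00"
    + b"\x7f\x00\x00\x01"
    + b"version 10.0.17134\x00"   # ordinary OS string, must not be flagged
)

if __name__ == "__main__":
    for key, values in triage(DUMP).items():
        print(f"{key}: {values}")
```

To use it on a real dump, read the file into bytes and call triage on it; for large dumps, read in chunks with some overlap so a string straddling a chunk boundary is not missed. Windows processes also keep many strings as UTF-16LE, so a second pass with a wide-character pattern catches configuration the ASCII sweep does not.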