Trojan.BtcMine.1259

Added to the Dr.Web virus database: 2017-06-07

SHA1


A Trojan that infects computers running Windows. It is designed to mine the Monero (XMR) cryptocurrency and to install BackDoor.Farfli.96. It is distributed by a loader Trojan, Trojan.DownLoader24.64313. The Trojan decrypts the library stored in its body and loads it into memory.

The decrypted data has the following structure:

struct st_module
{
  char name[4];          // module name
  char ver[4];           // module version
  _DWORD size;           // size field
  _DWORD unkd;           // unknown DWORD
  _DWORD hash_offset;    // offset of the hash
  _BYTE module[];        // embedded library, variable length
  _BYTE signature[32];   // 32-byte signature
  _BYTE unkb[12];        // unknown bytes
};

The Trojan searches the library for the export “MinerdDll” and transfers control to it, passing the following string and its length as parameters:

TTTTTTTTTTTTdU44U1d7Q135/I8mevCgfmeNUJwfnL8LnEJuNy4KFDDUi8Dk9Ut1DguMO8Hs9Yt21ZHMCIkCioHzZS62mPS7G7prmi0gwHwPqCDsRSgpmBpYr2Dpme7Pts8ZRnz+qfi+wLewYUNmcD7xIUhqCpY+ZlxSnFXBYTWux+gaZSo8sYsgiWQxIh8dQaQ5wOAuTVRzCApEEdfSdyR5jwmzhJQF7POmLxEMJaL/oVH3t5UCBdgxLHrvAqSq1DAsCmhgAaMoJ5kABaEW11K7Z7Z6uBfBQsXmBJZcFZAaUfCeWGBCRboStENQfha1ebFcFHV9o093Kt3LJRs/b0kvAXNOB+KDQNvqzokKEjBbxfZwUauIOx9jzLsYvFbQHJZ2th8JWPwFCadwydiMKb18olnK+3oACGTEf7tgAS2zOz3dWRdDbYpSPYm5ZhbN+ZsoarMFrVIEyXhScEAU5iHZ1tHp5R1pLmB9QX29iNrr98uj0HiFD+Ht4MZhIZPQhSzgSHzshixW6ltP4KJI0Ft3Q4eThGLGbP6oloyxrD6nIcFVzJrFRRRi0J6k7Z/oWOXq9T0+K5UpHo72Pp3sMEdYlwEtBqUL7nitEQqD7s7jG4/PqCWOPTlj6QgCwlLHV67x5S5jah7+jtb+vrgq5xG/a4fi3EiJHJb/0jk/n7AYlc3gv0AZYglADIVKH3R3nLUpNxqm70JJVjuhR3MdwysmvvPoxNOKk0mvdPYwT9LOtNSoyJwNST3/ski6p5EnIyyIqvWszZcJQMYJ1Y53VQRD4ZkcJxFOnb/mnLn2bIDfWGWXe6eDiqRw9MCHsoHDS0MolA8C2i/CdMBx2LyuzbUDthVF

MinerdDll

The module checks the length of the string passed as a parameter; if it is shorter than 10 characters, the module exits. Otherwise it decrypts the configuration data. Example of the configuration:

0000000000: 76 6D 69 63 68 65 61 72 │ 74 00 48 79 70 65 72 2D  vmicheart Hyper-
0000000010: 56 20 48 65 61 72 74 62 │ 65 61 74 00 CD A8 B9 FD  V Heartbeat НЁ№э
0000000020: B6 A8 C6 DA B1 A8 B8 E6 │ BC EC B2 E2 D0 C5 BA C5  ¶ЁЖЪ+Ёёж?м?вРЕєЕ
0000000030: C0 B4 BC E0 CA D3 B4 CB │ D0 E9 C4 E2 BB FA B5 C4  А??аКУ?ЛРйДв>ъчД
0000000040: D7 B4 CC AC A1 A3 00 7A │ 75 67 71 72 76 6A 77 00  Ч?М┐Ў? zugqrvjw
0000000050: 25 53 79 73 74 65 6D 52 │ 6F 6F 74 25 5C 53 70 65  %SystemRoot%\Spe
0000000060: 65 63 68 5C 73 76 63 68 │ 6F 73 74 2E 65 78 65 00  ech\svchost.exe
0000000070: 33 36 00 68 74 74 70 3A │ 2F 2F 62 74 63 2E 62 74  36 http://btc.**
0000000080: 67 69 72 6C 2E 63 6F 6D │ 2E 63 6E 3A 35 33 31 37  ****.com.cn:5317
0000000090: 2F 62 74 63 2E 6A 70 67 │ 00 37 30 32 33 31 39 30  /btc.jpg 7023190
00000000A0: 00 2F 73 45 64 79 33 5A │ 31 39 42 35 78 4D 50 68   /sEdy3Z19B5xMPh
00000000B0: 55 64 56 79 39 41 42 70 │ 46 31 2F 4A 4D 6B 51 67  UdVy9ABpF1/JMkQg
00000000C0: 67 34 56 38 44 31 6B 6B │ 54 56 7A 56 70 4F 30 36  g4V8D1kkTVzVpO06
00000000D0: 78 4F 61 61 55 79 38 63 │ 71 74 5A 79 53 6A 51 4D  xOaaUy8cqtZySjQM
00000000E0: 4A 6C 52 30 68 4B 70 39 │ 31 57 34 5A 66 79 69 73  JlR0hKp91W4Zfyis
00000000F0: 64 77 35 71 53 74 45 2B │ 46 4B 32 75 34 69 6E 6C  dw5qStE+FK2u4inl
0000000100: 65 30 36 5A 4A 7A 74 54 │ 76 50 39 4B 62 66 69 59  e06ZJztTvP9KbfiY
0000000110: 67 2B 37 47 57 68 65 35 │ 59 53 35 47 6C 57 66 6D  g+7GWhe5YS5GlWfm
0000000120: 77 64 6A 4D 4C 44 52 7A │ 64 52 53 46 54 68 53 30  wdjMLDRzdRSFThS0
0000000130: 30 75 4B 36 39 59 6D 4F │ 53 35 64 38 35 70 48 44  0uK69YmOS5d85pHD
0000000140: 30 67 42 51 68 66 51 69 │ 4E 6A 52 70 44 50 4A 38  0gBQhfQiNjRpDPJ8
0000000150: 33 36 47 2B 52 76 55 77 │ 4E 4D 48 72 73 4A 63 53  36G+RvUwNMHrsJcS
0000000160: 5A 6A 32 63 70 30 54 31 │ 42 79 42 57 4D 65 56 6E  Zj2cp0T1ByBWMeVn
0000000170: 4F 35 39 77 74 55 6A 58 │ 72 2F 50 33 56 4F 51 4D  O59wtUjXr/P3VOQM
0000000180: 48 39 42 78 48 6A 31 6E │ 66 35 76 6B 64 59 4A 30  H9BxHj1nf5vkdYJ0
0000000190: 52 67 5A 78 39 4A 6E 65 │ 44 62 57 46 71 56 77 42  RgZx9JneDbWFqVwB
00000001A0: 45 33 38 57 67 76 6F 56 │ 50 61 6E 32 34 51 50 59  E38WgvoVPan24QPY
00000001B0: 77 63 72 32 74 61 63 6F │ 36 51 62 6F 70 49 43 48  wcr2taco6QbopICH
00000001C0: 61 55 30 33 35 49 32 68 │ 6B 47 4E 4D 51 66 7A 33  aU035I2hkGNMQfz3
00000001D0: 54 56 39 75 61 4D 2F 76 │ 4F 4A 58 52 6C 46 4E 56  TV9uaM/vOJXRlFNV
00000001E0: 43 55 53 63 4D 66 4E 4D │ 48 43 62 57 72 6E 31 68  CUScMfNMHCbWrn1h
00000001F0: 52 71 4D 50 37 73 71 4E │ 59 70 4B 42 79 59 38 2B  RqMP7sqNYpKByY8+
0000000200: 56 71 4D 71 68 37 52 54 │ 6C 73 79 50 4D 59 74 42  VqMqh7RTlsyPMYtB
0000000210: 42 4D 32 6E 45 6D 72 51 │ 34 41 4F 4E 38 52 6C 43  BM2nEmrQ4AON8RlC
0000000220: 76 2B 4D 41 79 63 47 66 │ 68 74 63 49 77 41 31 2F  v+MAycGfhtcIwA1/
0000000230: 41 4C 68 49 77 74 35 5A │ 46 78 41 54 6B 6E 4D 48  ALhIwt5ZFxATknMH
0000000240: 4D 50 35 48 33 67 4E 53 │ 2B 45 4B 6F 36 64 57 4D  MP5H3gNS+EKo6dWM
0000000250: 62 77 77 72 36 45 35 56 │ 6B 36 44 31 2B 55 30 65  bwwr6E5Vk6D1+U0e
0000000260: 38 73 71 42 46 35 78 52 │ 65 33 72 4D 56 4D 6E 6E  8sqBF5xRe3rMVMnn
0000000270: 76 66 55 53 46 5A 41 3D │ 3D 00 34 00              vfUSFZA== 4

where:

  • “vmicheart”—name of the service under which the Trojan launches itself;
  • “Hyper-V Heartbeat”—displayed service name;
  • “zugqrvjw”—name of the event used to control relaunching of the Trojan;
  • “%SystemRoot%\Speech\svchost.exe”—installation path of the Trojan;
  • “36”—size of the buffer used to generate a random value;
  • “hxxp://btc.*****.cn:5317/btc.jpg”—URL of the update configuration;
  • “7023190”—key for decrypting the configuration obtained from the above URL;
  • “base64 data”—configuration for the encrypted Trojan library;
  • “4”—number of threads.
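Added example (not code from the Dr.Web write-up): a parser for the decrypted configuration layout shown above, assuming the fields are NUL-separated strings in the documented order and that the third field (the GBK-encoded service description visible in the dump between the display name and the event name) is decoded as GBK. The sample blob is constructed, with a placeholder URL host and base64 payload.

```python
import base64

# Field order of the decrypted configuration, as documented above: NUL-separated
# strings. The third field (between the display name and the event name) is the
# GBK-encoded service description seen in the dump, so it is decoded as GBK.
FIELDS = ("service_name", "display_name", "description", "event_name",
          "install_path", "random_buffer_size", "update_url", "update_key",
          "library_config", "threads")

def parse_config(blob: bytes) -> dict:
    """Split the decrypted configuration into named, typed fields."""
    parts = blob.split(b"\x00")
    if parts and parts[-1] == b"":          # drop the element after the final NUL
        parts.pop()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    cfg = {}
    for name, raw in zip(FIELDS, parts):
        cfg[name] = raw.decode("gbk") if name == "description" else raw.decode("ascii")
    cfg["random_buffer_size"] = int(cfg["random_buffer_size"])
    cfg["threads"] = int(cfg["threads"])
    # Decoding the base64 field validates the split and yields the raw bytes the
    # Trojan later hands to the embedded library.
    cfg["library_config_raw"] = base64.b64decode(cfg["library_config"], validate=True)
    return cfg

def host_indicators(cfg: dict) -> dict:
    """Artifacts a defender can hunt for: service, event, file path and update URL."""
    return {"service": (cfg["service_name"], cfg["display_name"]),
            "event": cfg["event_name"],
            "file": cfg["install_path"],
            "update_url": cfg["update_url"]}

# Constructed sample in the documented layout. Service names, event name, path,
# numbers and key are the values from the dump above, the description is the GBK
# byte sequence from the dump; the URL host and base64 payload are placeholders.
DESCRIPTION_GBK = bytes.fromhex(
    "CDA8B9FDB6A8C6DAB1A8B8E6BCECB2E2D0C5BAC5C0B4BCE0CAD3B4CB"
    "D0E9C4E2BBFAB5C4D7B4CCACA1A3")
SAMPLE = (b"vmicheart\x00Hyper-V Heartbeat\x00" + DESCRIPTION_GBK + b"\x00zugqrvjw\x00"
          b"%SystemRoot%\\Speech\\svchost.exe\x0036\x00"
          b"http://btc.example.invalid:5317/btc.jpg\x007023190\x00"
          + base64.b64encode(b"placeholder library configuration") + b"\x004\x00")

if __name__ == "__main__":
    for k, v in host_indicators(parse_config(SAMPLE)).items():
        print(f"{k}: {v}")
```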

Once launched, Trojan.BtcMine.1259 checks whether another copy of it is already running on the infected computer; if so, it exits. By querying the registry key HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\, the Trojan obtains the number of processor cores on the infected machine. If it is greater than or equal to the number of threads specified in the configuration, a separate thread is started. In this thread, the library stored in the body of the Trojan is decrypted, loaded into memory, and its export “DllFuUpgradrs” is called. The export receives a pointer to a buffer holding a copy of the library, the size of that buffer, the base64 data block from the configuration and the string “DhlVipVersfs”. The library is a modified version of the open-source remote administration tool known as Gh0st RAT (Dr.Web Anti-virus detects it as BackDoor.Farfli.96).

Update

To install its own update, the Trojan loads into memory the data downloaded from the website whose URL is specified in the configuration. Example of the update configuration:

0000000000: 41 01 00 00 00 56 39 2E │ 32 00 68 74 74 70 3A 2F  A☺   V9.2 http:/
0000000010: 2F 62 74 63 2E 62 74 67 │ 69 72 6C 2E 63 6F 6D 2E  /****.com.
0000000020: 63 6E 3A 35 33 31 37 2F │ 62 74 63 2E 64 6C 6C 00  cn:5317/btc.dll
0000000030: 78 77 6A 61 4E 70 35 72 │ 70 75 70 44 2B 4D 4F 45  xwjaNp5rpupD+MOE
0000000040: 63 4A 63 48 4A 44 78 68 │ 30 6D 2B 2B 37 6B 36 43  cJcHJDxh0m++7k6C
0000000050: 53 34 70 49 64 6A 42 6C │ 7A 38 4B 62 4A 53 79 68  S4pIdjBlz8KbJSyh
0000000060: 4F 78 41 6B 69 68 48 6E │ 35 39 63 4B 42 68 32 56  OxAkihHn59cKBh2V
0000000070: 49 5A 31 79 57 4B 65 48 │ 76 6F 51 52 6A 46 48 57  IZ1yWKeHvoQRjFHW
0000000080: 36 4C 35 62 71 55 44 6F │ 4D 46 4B 41 35 65 68 34  6L5bqUDoMFKA5eh4
0000000090: 33 6C 6A 6C 78 31 35 50 │ 35 79 79 68 37 34 72 57  3ljlx15P5yyh74rW
00000000A0: 61 42 38 5A 52 48 64 5A │ 2B 49 36 72 77 30 66 76  aB8ZRHdZ+I6rw0fv
00000000B0: 55 51 50 35 71 30 77 6D │ 63 70 5A 33 48 77 4A 39  UQP5q0wmcpZ3HwJ9
00000000C0: 2B 51 34 68 65 45 37 70 │ 4A 57 4F 68 2B 63 31 37  +Q4heE7pJWOh+c17
00000000D0: 64 41 6E 38 44 46 41 52 │ 57 39 44 4C 73 6E 34 54  dAn8DFARW9DLsn4T
00000000E0: 50 2F 59 50 55 79 33 67 │ 76 6B 4D 63 4C 2F 57 32  P/YPUy3gvkMcL/W2
00000000F0: 6F 61 51 41 42 67 47 6B │ 34 6C 6D 52 69 48 65 50  oaQABgGk4lmRiHeP
0000000100: 36 4B 6C 69 32 4D 41 5A │ 4E 70 6C 33 4B 56 58 43  6Kli2MAZNpl3KVXC
0000000110: 72 70 48 2B 69 71 4A 2B │ 41 43 78 76 62 47 59 70  rpH+iqJ+ACxvbGYp
0000000120: 71 54 46 6D 30 54 6B 6B │ 56 46 69 71 77 37 35 77  qTFm0TkkVFiqw75w
0000000130: 74 66 34 58 2F 46 54 5A │ 46 44 6D 56 48 74 6B 3D  tf4X/FTZFDmVHtk=
0000000140: 00                      │

where:

  • 0x00000141 (the leading DWORD)—data size;
  • “V9.2”—version of the Trojan;
  • “hxxp://btc.***.cn:5317/btc.dll”—URL of the encrypted library, which is saved as Update.dll after decryption;
  • “base64_data”—configuration for the Dll_Walcom2 function.

From the specified URL, the Trojan downloads the library file, decrypts it, loads it into memory and then calls its exports. First, the “Versions” export is called, and its result is compared with the version specified in the update configuration. If the version of the downloaded library is newer than or equal to the current one, the KillMinerd_Data export is called with an empty buffer, which the loaded library fills with a list of strings. In a separate thread, at an interval of 1 second, the Trojan terminates processes according to this list.

To terminate processes, the Trojan enumerates them with the Process32First/Process32Next functions and, using NtQueryInformationProcess/NtReadVirtualMemory, reads from each process's PEB the command-line arguments it was launched with. When one of the strings from the list is found in a process's arguments, that process is terminated and its executable file is deleted. The Trojan then calls the Dll_Walcom2 export of the loaded library.

Update.dll

This library has three exports:

1  .10003080 Dll_Walcom2
2  .10003250 KillMinerd_Data
3  .10003240 Versions

Versions

Returns a string with the current version of the Trojan; the analysed sample contains the value “V9.2”.

KillMinerd_Data

Fills the received buffer with the following strings:

  • “STRATUM+TCP://”
  • “ -p x”
  • “ -xmr”
  • “minergate-service.exe”
  • “tasklsv.exe”

Each string is zero-padded to a length of 128 bytes.

Dll_Walcom2

The export takes four arguments:

  • encrypted configuration (base64-encoded, then RC4-encrypted with a key extended to 256 bytes);
  • size of the encrypted configuration;
  • 5 (SW_SHOW) or 0 (SW_HIDE)—passed in STARTUPINFO when the miner is launched;
  • a non-zero value on a 64-bit system.

The decrypted configuration looks as follows:

0000000000: 2D 61 20 63 72 79 70 74 │ 6F 6E 69 67 68 74 20 2D  -a cryptonight -
0000000010: 6F 20 73 74 72 61 74 75 │ 6D 2B 74 63 70 3A 2F 2F  o stratum+tcp://
0000000020: 78 6D 72 2D 75 73 61 2E │ 64 77 61 72 66 70 6F 6F  xmr-usa.********
0000000030: 6C 2E 63 6F 6D 3A 38 31 │ 30 30 20 2D 75 20 34 34  *.com:8100 -u 44
0000000040: 6B 5A 55 4D 35 31 4B 67 │ 51 46 64 36 34 74 67 54  kZUM51KgQFd64tgT
0000000050: 42 51 48 43 35 46 53 66 │ 53 6D 6F 39 67 6A 65 4D  BQHC5FSfSmo9gjeM
0000000060: 4C 70 37 43 42 31 59 46 │ 36 66 53 33 50 57 5A 61  Lp7CB1YF6fS3PWZa
0000000070: 54 4D 36 65 75 35 52 55 │ 48 79 35 32 6B 43 76 47  TM6eu5RUHy52kCvG
0000000080: 4D 7A 65 70 36 6E 4C 68 │ 7A 44 45 63 57 79 36 45  Mzep6nLhzDEcWy6E
0000000090: 79 35 42 7A 4D 44 4E 42 │ 6F 4B 67 75 7A 20 2D 70  y5BzMDNBoKguz -p
00000000A0: 20 78 00 38 30 00 32 34 │ 00 25 53 79 73 74 65 6D   x 80 24 %System
00000000B0: 52 6F 6F 74 25 5C 53 70 │ 65 65 63 68 5C 00 63 73  Root%\Speech\ cs
00000000C0: 72 73 73 2E 65 78 65 00 │ 33 35 00                 rss.exe 35

where:

  • “-a cryptonight -o stratum+tcp://xmr-*****.com:8100 -u 44kZUM51KgQFd64tgTBQHC5FSfSmo9gjeMLp7CB1YF6fS3PWZaTM6eu5RUHy52kCvGMzep6nLhzDEcWy6Ey5BzMDNBoKguz -p x”—command-line parameters for launching the miner;
  • “80”—share of processor cores to use (percentage);
  • “24”—miner restart interval (in hours);
  • “%SystemRoot%\Speech\”—home directory of the miner;
  • “csrss.exe”—file name of the miner;
  • “35”—number of arbitrary bytes appended to the end of the miner file.
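Added example (not code from the page): decrypting a Dll_Walcom2 configuration as described above (base64, then RC4 with a key extended to 256 bytes) and splitting the result into the documented fields, including the pool and wallet from the miner arguments. It assumes the key is extended by cyclic repetition; the key, pool host and wallet in the constructed sample are placeholders, since the page gives no key.

```python
import base64

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 with the key first extended to 256 bytes. Assumption: cyclic repetition,
    which gives the same schedule as plain RC4; zero-padding would differ."""
    ext = (key * (256 // len(key) + 1))[:256]
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + ext[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation and XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

MINER_FIELDS = ("miner_args", "cpu_percent", "restart_hours",
                "home_dir", "miner_name", "tail_bytes")

def decrypt_miner_config(b64_blob: bytes, key: bytes) -> dict:
    """base64 -> RC4 -> NUL-separated fields, in the order documented above."""
    plain = rc4(key, base64.b64decode(b64_blob, validate=True))
    parts = plain.split(b"\x00")
    if parts and parts[-1] == b"":             # drop the element after the final NUL
        parts.pop()
    if len(parts) != len(MINER_FIELDS):
        raise ValueError(f"expected {len(MINER_FIELDS)} fields, got {len(parts)}")
    cfg = {n: p.decode("ascii") for n, p in zip(MINER_FIELDS, parts)}
    for n in ("cpu_percent", "restart_hours", "tail_bytes"):
        cfg[n] = int(cfg[n])
    args = cfg["miner_args"].split()           # pool and wallet are useful hunting data
    cfg["pool"] = args[args.index("-o") + 1]
    cfg["wallet"] = args[args.index("-u") + 1]
    return cfg

# Constructed sample: same layout and numbers as the dump above; the pool host,
# wallet and key are placeholders (the real key is not given on the page).
PLAINTEXT = (b"-a cryptonight -o stratum+tcp://xmr-pool.example.invalid:8100 "
             b"-u PLACEHOLDER_WALLET -p x\x0080\x0024\x00"
             b"%SystemRoot%\\Speech\\\x00csrss.exe\x0035\x00")
SAMPLE_KEY = b"placeholder-key"
SAMPLE_B64 = base64.b64encode(rc4(SAMPLE_KEY, PLAINTEXT))   # RC4 is symmetric

if __name__ == "__main__":
    print(decrypt_miner_config(SAMPLE_B64, SAMPLE_KEY))
```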

The Trojan starts a separate thread that monitors running processes. If it detects a running “\WINDOWS\SYSTEM32\TASKMGR.EXE” or “\360\360SAFE\NETMON\360TASKMGR.EXE”, it terminates its miner process. It saves the miner and the msvcr120.dll library at the path specified in the configuration. The Trojan contains both 32-bit and 64-bit versions of the miner and the library; the one matching the bitness of the operating system is used on the infected computer. When launching the miner, it checks the third parameter of the Dll_Walcom2 function: if it equals 0 (SW_HIDE), the title of the miner window is “C:\Windows\System32\mstsc.exe”; if it is SW_SHOW, the window title contains the version and bitness of the Trojan.

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and any removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.