Malware Analysis Report (AR22-174A)

MAR-10382254-1.v1 – XMRIG Cryptominer


Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

This CISA submission included one unique file. This file is a malicious loader that contains an embedded executable. This embedded executable is a Remote Access Tool (RAT) that provides a vast array of Command and Control (C2) capabilities. These C2 capabilities include the ability to remotely monitor a system's desktop, gain reverse shell access, exfiltrate data, and upload and execute additional payloads. The malware can also function as a proxy, allowing a remote operator to pivot to other systems.

For a downloadable copy of IOCs, see: MAR-10382254-1.v1.stix

Submitted Files (2)

6589a687e69a182e075f11805a755ac1fabbddae1636c6fea8e80e7414521349 (hmsvc.exe)

6e3840f11aa02f391edd7e3e65b214f1af128fa207b4feb7f69e438014a2206d (658_dump_64.exe)

IPs (1)

192.95.20.8

Findings

6589a687e69a182e075f11805a755ac1fabbddae1636c6fea8e80e7414521349

Tags

trojan

Details
Name hmsvc.exe
Size 720384 bytes
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 df81145680b4deab198d9bba091d86e9
SHA1 4235d9a934d26ec688c21e3fc2e470178b7b3c21
SHA256 6589a687e69a182e075f11805a755ac1fabbddae1636c6fea8e80e7414521349
SHA512 de5e8164f58120e624e0546518b5c0c5df864baa9b389162f1be75547e6f684ee94f9df5738cdcf5065dd7bfcd6481c6ea45f4c1ff154edb4e0ad48ea5260d42
ssdeep 12288:g5eggD3QpKCvO5yPPGtjLFanfI2YAMinlQZUub+RdYhawaGFbhwydP76N5:ceHD3eKU+tVafVgKlQZUlRdYVdP76N5
Entropy 7.623341
Antivirus
Adaware Gen:Variant.Ulise.345018
AhnLab Trojan/Win.Generic
Avira HEUR/AGEN.1248665
Bitdefender Gen:Variant.Ulise.345018
ESET a variant of Win64/Injector.HA.gen trojan
Emsisoft Gen:Variant.Ulise.345018 (B)
IKARUS Trojan.Win64.Injector
YARA Rules
  • rule CISA_10382580_03 : loader
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10382580"
           Date = "2022-05-02"
           Last_Modified = "20220602_1200"
           Actor = "n/a"
           Category = "Loader"
           Family = "n/a"
           Description = "Detects loader samples"
           MD5_1 = "3764a0f1762a294f662f3bf86bac776f"
           SHA256_1 = "f7f7b059b6a7dbd75b30b685b148025a0d4ceceab405e553ca28cacdeae43fab"
           MD5_2 = "21fa1a043460c14709ef425ce24da4fd"
           SHA256_2 = "66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16"
           MD5_3 = "e9c2b8bd1583baf3493824bf7b3ec51e"
           SHA256_3 = "7ea294d30903c0ab690bc02b64b20af0cfe66a168d4622e55dee4d6233783751"
           MD5_4 = "de0d57bdc10fee1e1e16e225788bb8de"
           SHA256_4 = "33b89b8915aaa59a3c9db23343e8c249b2db260b9b10e88593b6ff2fb5f71d2b"
           MD5_5 = "9b071311ecd1a72bfd715e34dbd1bd77"
           SHA256_5 = "3c2c835042a05f8d974d9b35b994bcf8d5a0ce19128ebb362804c2d0f3eb42c0"
           MD5_6 = "05d38bc82d362dd57190e3cb397f807d"
           SHA256_6 = "4cd7efdb1a7ac8c4387c515a7b1925931beb212b95c4f9d8b716dbe18f54624f"
       strings:
           $s0 = { B8 01 00 00 00 48 6B C0 00 C6 44 04 20 A8 B8 01 }
           $s1 = { 00 00 48 6B C0 01 C6 44 04 20 9A B8 01 00 00 }
           $s2 = { 48 6B C0 02 C6 44 04 20 93 B8 01 00 00 00 48 }
           $s3 = { C0 03 C6 44 04 20 9B B8 01 00 00 00 48 6B C0 }
       condition:
           all of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2016-06-12 12:53:34-04:00
Import Hash 4f2b9ad89041fedc43298c09c8e7b948
Company Name Sysinternals - www.sysinternals.com
File Description Lists logon session information
Internal Name LogonSessions
Legal Copyright Copyright (C) 2004-2016 Mark Russinovich
Original Filename logonsessions.exe
Product Name Sysinternals LogonSessions
Product Version 1.4
PE Sections
MD5 Name Raw Size Entropy
e16f93c6b1a062a1dc2156fc770594a6 header 1024 2.888609
c4466c75f41681629fc2ead156f8de84 .text 89088 6.366960
4d9a0bcd9467b5aaee5d4d762219821b .rdata 65536 4.425938
f80417eeab656641c6a5206454b398d3 .data 6656 3.054858
e0d2510e666231c532ff97edf51abd10 .pdata 5120 4.855993
fff7f8f7be38486e0a6d01bc0472a6f2 .rsrc 550912 7.914631
bca539afcd691a4a238b78fc830dc55a .reloc 2048 4.939573
Relationships
6589a687e6... Connected_To 192.95.20.8
Description

This malware is a 64-bit Windows loader that contains an encrypted malicious executable. During runtime, this encrypted executable is decrypted and loaded into memory, never touching the system's hard disk. The encrypted executable is similar in functionality to the file "f7_dump_64.exe" (88a5e4b24747648a4e3f0a2d5282b51683260f9208b06788fc858c44559da1e8), described in report MAR-10382580.
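The section table above is the static tell for this kind of loader: a 550912-byte .rsrc at entropy 7.91 dominating a 720384-byte file that otherwise carries Sysinternals LogonSessions version information. The following Python is an added triage example, not code from the report or from CISA; it parses the PE section table directly (no third-party library), computes per-section Shannon entropy, and flags sections that look encrypted or compressed. The synthetic PE it builds, the 7.5 threshold, and the section payloads are constructed for the demonstration.

```python
import math
import random
import struct
from collections import Counter

# Threshold chosen for the demo (assumption): the report's loader showed .rsrc at 7.91
# while its code section sat at 6.37, so anything at or above 7.5 is worth a second look.
HIGH_ENTROPY = 7.5

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte, same scale as the report's Entropy column (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(blob: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns (name, raw_size, entropy) per section, reading raw bytes from the file."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (num_sections,) = struct.unpack_from("<H", blob, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", blob, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size       # 4-byte signature + 20-byte COFF header
    out = []
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from(
            SECTION_FMT, blob, table + 40 * i)
        raw = blob[raw_ptr:raw_ptr + raw_size]
        out.append((name.rstrip(b"\0").decode(errors="replace"), raw_size, shannon_entropy(raw)))
    return out


def flag_embedded_payload(sections, threshold=HIGH_ENTROPY):
    """Names of non-empty sections whose bytes look encrypted/compressed."""
    return [name for name, size, ent in sections if size > 0 and ent >= threshold]


def build_synthetic_pe(sections):
    """Constructed minimal PE32+ image (not a real binary) with the given (name, payload) sections."""
    opt_size, e_lfanew, file_align = 240, 64, 512
    header_bytes = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    headers_len = -(-header_bytes // file_align) * file_align
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)   # PE32+ magic, rest zeroed
    table, data, raw_ptr, va = b"", b"", headers_len, 0x1000
    for name, payload in sections:
        raw_size = -(-len(payload) // file_align) * file_align
        table += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"), len(payload), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)
        data += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += -(-raw_size // 0x1000) * 0x1000
    headers = (dos + b"PE\0\0" + coff + opt + table).ljust(headers_len, b"\0")
    return headers + data


def demo():
    """Constructed sample: a flat code section next to a resource section of random bytes,
    mimicking a loader that parks an encrypted executable in .rsrc."""
    blob = build_synthetic_pe([
        (".text", b"\x90" * 4096),
        (".rsrc", random.Random(1).randbytes(8192)),
    ])
    sections = pe_sections(blob)
    return sections, flag_embedded_payload(sections)


if __name__ == "__main__":
    secs, flagged = demo()
    for name, size, ent in secs:
        print(f"{name:8} {size:8d} {ent:.6f}")
    print("suspicious:", flagged)
```

Run on a real sample, the same `pe_sections` call reproduces the report's Name / Raw Size / Entropy columns; a section above the threshold that is also the bulk of the file, in a binary claiming a well-known vendor, is the pattern to hunt for across an image set.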

6e3840f11aa02f391edd7e3e65b214f1af128fa207b4feb7f69e438014a2206d

Tags

remote-access-trojan
trojan

Details
Name 658_dump_64.exe
Size 491520 bytes
Type PE32+ executable (console) x86-64, for MS Windows
MD5 f9e6ca0bdaa43df9ed0449b964e1b8b4
SHA1 24b983856dfdd4e48eeeafc9372b70d6b53ae722
SHA256 6e3840f11aa02f391edd7e3e65b214f1af128fa207b4feb7f69e438014a2206d
SHA512 5b8bfe6f043cd6e0ee6ac6665e95751c5369ec171050497122533302f2d7f5f5b7a4a23c70618f396bd52b4ec919ff2214cc2641a0e46607707d3d393fd105eb
ssdeep 6144:F4ph6Duxm/k+DesM/uZwZLmixJwxbgaEvUhN8/bSJ40+R833OutenWRaMt:F4b6DV/k+D3MWZFXgJvBX/b0
Entropy 6.058119
Antivirus
AhnLab Trojan/Win.PWS
ESET a variant of Win64/Spy.Agent.EA trojan
YARA Rules
  • rule CISA_10382580_01 : rat
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10382580"
           Date = "2022-05-25"
           Last_Modified = "20220602_1200"
           Actor = "n/a"
           Category = "Remote Access Tool"
           Family = "n/a"
           Description = "Detects Remote Access Tool samples"
           MD5_1 = "199a32712998c6d736a05b2dbd24a761"
           SHA256_1 = "88a5e4b24747648a4e3f0a2d5282b51683260f9208b06788fc858c44559da1e8"
       strings:
           $s0 = { 0F B6 40 0F 6B C8 47 41 0F B6 40 0B 02 D1 6B C8 }
           $s1 = { 35 41 0F B6 00 41 88 58 01 41 88 78 02 41 88 70 }
           $s2 = { 66 83 F8 1E }
           $s3 = { 66 83 F8 52 }
       condition:
           all of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2022-02-21 19:02:06-05:00
Import Hash cc2269b4f6a11e02b40a384e27ad5e8c
PE Sections
MD5 Name Raw Size Entropy
60df3f67c31781bbec2444de6daf8a2b header 4096 0.893865
9ebe1be469e63ff47601b0c714285509 .text 327680 6.393378
1cb5bcc8bcade2b3ddee4dc6c617824a .rdata 110592 4.552154
e89305f8c6e571d82fb370f352192aa2 .data 20480 3.781076
ca8c03d7af637fa213b44d065c073c75 .pdata 20480 5.309842
bab9a0fee3d912c3b866d3ca88b47510 _RDATA 4096 0.256806
9a68c3f572ae2b201926c193eeed1cab .reloc 4096 4.894447
Packers/Compilers/Cryptors
Microsoft Visual C++ 8.0 (DLL)
Description

This file is a 64-bit Windows executable that was extracted from the malware named hmsvc.exe, also included within this submission. Static analysis of this application reveals it is a RAT that provides a vast array of C2 capabilities to a remote operator, including the ability to log keystrokes, upload and execute additional payloads, function as a proxy, and have graphical user interface (GUI) access to a target Windows system's desktop. During runtime, the malware connects out to its hard-coded C2 server 192[.]95[.]20[.]8 on port 443. After establishing this connection, the malware waits for data to be sent back to it from the remote C2 server. Static analysis indicates the malware will receive a block of data that contains command data and a 16-byte key. The 16-byte key will be extracted from this received data and used to decrypt the command portion. The decrypted command portion of the C2 data will be checked to ensure that its first four bytes are equal to the value 0x0E03882Ah. If the values match, the malware will attempt to process the received decrypted data as a command. If the values do not match, the C2 session will be terminated and the malware will attempt to reinitiate a connection to the C2 server.

The executable is very similar in design and functionality to the file "f7_dump_64.exe" (88a5e4b24747648a4e3f0a2d5282b51683260f9208b06788fc858c44559da1e8), described in report MAR-10382580.
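The inbound-data handling described above (key carried in the payload, decrypt, compare the first dword to 0x0E03882A, otherwise drop the session and reconnect) is the framing an analyst has to reproduce before captured traffic to 192[.]95[.]20[.]8 can be decoded. The Python below is an added decoder skeleton, not code from the report; the report's Figure 1 (the actual cipher) is not reproduced on this page, so `placeholder_decrypt` is a stand-in repeating-key XOR to be replaced with the routine recovered from the sample. Two further points are assumptions: that the 16-byte key sits at the end of the block (the report only says it is included in the inbound payload), and that the magic is compared little-endian, as an x86-64 dword compare would do. `build_block` exists only to construct test traffic for the decoder.

```python
import struct

# Per the report: the first four bytes of a decrypted command block must equal this value.
C2_MAGIC = 0x0E03882A
KEY_LEN = 16


def placeholder_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Stand-in cipher (assumption): repeating-key XOR. The real algorithm is the one in the
    report's Figure 1, which is not available here; swap this function for it."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be 16 bytes")
    return bytes(c ^ key[i % KEY_LEN] for i, c in enumerate(ciphertext))


def split_block(block: bytes):
    """Assumed layout: [ciphertext][16-byte key]. Returns (ciphertext, key)."""
    if len(block) < KEY_LEN + 4:
        raise ValueError("block too short to hold a 16-byte key and a 4-byte magic")
    return block[:-KEY_LEN], block[-KEY_LEN:]


def process_inbound(block: bytes, decrypt=placeholder_decrypt):
    """Mirror the malware's acceptance check on one inbound block.
    Returns the command bytes that follow the magic, or None where the malware would
    instead tear the session down and reconnect."""
    ciphertext, key = split_block(block)
    plain = decrypt(key, ciphertext)
    (magic,) = struct.unpack_from("<I", plain, 0)   # little-endian dword (assumption)
    if magic != C2_MAGIC:
        return None
    return plain[4:]


def build_block(key: bytes, command: bytes, encrypt=placeholder_decrypt) -> bytes:
    """Constructed test traffic only: frame a command the way the decoder expects."""
    plain = struct.pack("<I", C2_MAGIC) + command
    return encrypt(key, plain) + key


def decode_capture(blocks, decrypt=placeholder_decrypt):
    """Walk a list of captured inbound blocks; stop at the first one the malware would reject,
    since the session would have been reset there."""
    commands = []
    for block in blocks:
        cmd = process_inbound(block, decrypt)
        if cmd is None:
            break
        commands.append(cmd)
    return commands


if __name__ == "__main__":
    key = bytes(range(16))                       # constructed sample key
    good = build_block(key, b"constructed-command")
    bad = good[:-KEY_LEN] + bytes(KEY_LEN)       # same ciphertext, wrong key
    print(process_inbound(good))                 # b'constructed-command'
    print(process_inbound(bad))                  # None -> malware would reconnect
```

With the genuine cipher dropped in, `decode_capture` over the inbound side of a PCAP to port 443 on the C2 yields the command stream; the early `break` reflects the session reset the report describes, so a rejected block is itself a signal that the key layout or cipher assumption is wrong for that sample.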

Screenshots
Figure 1 - This screenshot illustrates the cryptographic algorithm the malware utilizes to secure its inbound and outbound communications with its hard-coded C2. Communications between this malware and its C2, if collected, may be decrypted by following this algorithm.

Figure 2 - This screenshot illustrates the code structure the malware utilizes to decrypt inbound data from the remote C2, and then compare its first four bytes to the value 0x0E03882Ah. The inbound data must contain this value as its first four bytes, after decryption, in order for the C2 session to continue. The 16-byte key will be included in the inbound payload from the remote C2.

Figure 3 - The screenshot illustrates the malware's hard-coded C2 server, 192[.]95[.]20[.]8.

192.95.20.8

Tags

command-and-control

Ports
  • 443 TCP
Whois

Queried whois.ovh.com with "ip-192-95-20.net"...

Domain Name: ip-192-95-20.net
Registry Domain ID: 1765585340_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.ovh.com
Registrar URL: https://www.ovh.com
Updated Date: 2021-12-01T02:56:46.0Z
Creation Date: 2012-12-11T13:59:05.0Z
Registrar Registration Expiration Date: 2022-12-11T13:59:05.0Z
Registrar: OVH, SAS
Registrar IANA ID: 433
Registrar Abuse Contact Email: abuse@ovh.net
Registrar Abuse Contact Phone: +33.972101007
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Hebergement OVH Inc.
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province:
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: CA
Registrant Phone: REDACTED FOR PRIVACY
Registrant Phone Ext: REDACTED FOR PRIVACY
Registrant Fax: REDACTED FOR PRIVACY
Registrant Fax Ext: REDACTED FOR PRIVACY
Send message to contact by visiting https://www.ovhcloud.com/en/lp/request-ovhcloud-registered-domain/
Registrant Email: 45oplxny9ljiuizg7k3l@w.o-w-o.info
Registry Admin ID:
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin City: REDACTED FOR PRIVACY
Admin State/Province: REDACTED FOR PRIVACY
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: REDACTED FOR PRIVACY
Admin Phone: REDACTED FOR PRIVACY
Admin Phone Ext: REDACTED FOR PRIVACY
Admin Fax: REDACTED FOR PRIVACY
Admin Fax Ext: REDACTED FOR PRIVACY
Send message to contact by visiting https://www.ovhcloud.com/en/lp/request-ovhcloud-registered-domain/
Admin Email: t0xyeloj2uxkh9uyhhjh@y.o-w-o.info
Registry Tech ID:
Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech City: REDACTED FOR PRIVACY
Tech State/Province: REDACTED FOR PRIVACY
Tech Postal Code: REDACTED FOR PRIVACY
Tech Country: REDACTED FOR PRIVACY
Tech Phone: REDACTED FOR PRIVACY
Tech Phone Ext: REDACTED FOR PRIVACY
Tech Fax: REDACTED FOR PRIVACY
Tech Fax Ext: REDACTED FOR PRIVACY
Send message to contact by visiting https://www.ovhcloud.com/en/lp/request-ovhcloud-registered-domain/
Tech Email: t0xyeloj2uxkh9uyhhjh@y.o-w-o.info
Name Server: dns10.ovh.ca
Name Server: ns10.ovh.ca
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System:
http://wdprs.internic.net/

Relationships
192.95.20.8 Connected_From 6589a687e69a182e075f11805a755ac1fabbddae1636c6fea8e80e7414521349
Description

The malware attempts to connect to this Internet Protocol (IP) address.

Relationship Summary

6589a687e6... Connected_To 192.95.20.8
192.95.20.8 Connected_From 6589a687e69a182e075f11805a755ac1fabbddae1636c6fea8e80e7414521349

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to CISA at 1-888-282-0870 or the CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.

Revisions

June 23, 2022: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.
