Coinminer.Win64.MALXMR.K

This Coinminer arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It does not have any backdoor routine.

It connects to certain websites to send and receive information. It uses the system's central processing unit (CPU) and/or graphical processing unit (GPU) resources to mine cryptocurrency.

Arrival Details

This Coinminer arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Coinminer drops the following files:

• %Program Files%\Hola\app\HolaMonitorService.exe → self-copy
• %Program Files%\Hola\app\hola_updater_service.exe → Patched XMRIG miner

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It creates the following folders:

• %Program Files%\Hola\ → parent directory
• %Program Files%\Hola\app\ → install directory

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Autostart Technique

This Coinminer registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\hola_monitor_svc
Start = 0x03 → SERVICE_DEMAND_START (Manual)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\hola_monitor_svc
ErrorControl = 0x01 → SERVICE_ERROR_NORMAL

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\hola_monitor_svc
ImagePath = "%Program Files%\Hola\app\HolaMonitorService.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\hola_monitor_svc
DisplayName = "Hola Monitor Service"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\hola_monitor_svc
Description = "Hola Monitor Service runs when the PC is idle."

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\hola_monitor_svc
Type = 0x10 → SERVICE_WIN32_OWN_PROCESS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\hola_monitor_svc
ObjectName = "LocalSystem"

Other System Modifications

This Coinminer adds the following registry entries:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\EventLog\Application\
hola_monitor_svc
CustomSource = 1

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\EventLog\Application\
hola_monitor_svc
EventMessageFile = %System%\EventCreate.exe

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\EventLog\Application\
hola_monitor_svc
TypesSupported = 7

Propagation

This Coinminer does not have any propagation routine.

Backdoor Routine

This Coinminer does not have any backdoor routine.

Rootkit Capabilities

This Coinminer does not have rootkit capabilities.

Download Routine

This Coinminer downloads the file from the following URL and renames the file when stored in the affected system:

• https://{BLOCKED}.com/xmrig/xmrig/releases/download/v6.25.0/xmrig-6.25.0-windows-x64.zip → XMRIG miner renamed to hola_updater_service.exe (detected as Coinminer.Win64.MALXMR.L)

Information Theft

This Coinminer gathers the following data:

• Public IP Address
• CPU specifications (model, cores, features)
• System idle/active status
• Worker/rig identifier

Other Details

This Coinminer connects to the following website to send and receive information:

• https://api.{BLOCKED}a.net/
• https://apis.{BLOCKED}e.io/api/v1/resolve
• https://1rpc.io/{BLOCKED}h
• https://0xrpc.io/{BLOCKED}h
• https://eth.{BLOCKED}c.org
• https://eth.{BLOCKED}e.io
• https://eth.{BLOCKED}c.com
• https://rpc.{BLOCKED}r.io
• https://ethereum.{BLOCKED}s.xyz
• https://public-eth.{BLOCKED}s.io
• https://eth.api.{BLOCKED}t.network
• https://ethereum.{BLOCKED}e.com
• https://ethereum-rpc.{BLOCKED}u.com
• https://ethereum.rpc.{BLOCKED}b.com
• https://eth-protect.rpc.{BLOCKED}n.com
• https://eth.api.{BLOCKED}y.io/public
• https://ethereum-json-rpc.{BLOCKED}y.io

It does the following:

• It adds and runs the following services:
  • Service key: "hola_monitor_svc"
    Display Name: "Hola Monitor Service"
    Image Path = "%Program Files%\Hola\app\HolaMonitorService.exe"
    Description: "Hola Monitor Service runs when the PC is idle."
• It registers itself as a Windows service for persistence
• It controls miner execution by launching/terminating it as a child process.
• It monitors idle time and starts/stops the miner process accordingly. It stops the miner when it meets the following conditions:
  • User becomes active
  • Detects that the task manager is open in the foreground to hide CPU usage

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It does not exploit any vulnerability.

It uses the system's central processing unit (CPU) and/or graphical processing unit (GPU) resources to mine cryptocurrency. This behavior makes the system run abnormally slow.