HKTL_COINMINE.GN

 Analysis by: John Anthony Banes

 PLATFORM:

Linux

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Hacking Tool

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Dropped by other malware

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It does not have any backdoor routine.

  TECHNICAL DETAILS

File Size:

4,144 bytes

File Type:

Script

Memory Resident:

No

Initial Samples Received Date:

25 Dec 2017

Payload:

Deletes files, Terminates processes, Connects to URLs/IPs

Arrival Details

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Hacking Tool creates the following folders:

  • /var/tmp

Other System Modifications

This Hacking Tool deletes the following files:

  • /dev/shm/jboss
  • /var/tmp/ysjswirmrm.conf
  • /var/tmp/sshd

Propagation

This Hacking Tool does not have any propagation routine.

Backdoor Routine

This Hacking Tool does not have any backdoor routine.

Rootkit Capabilities

This Hacking Tool does not have rootkit capabilities.

Process Termination

This Hacking Tool terminates processes or services that contain any of the following strings if found running in the affected system's memory:

  • "./sshd"
  • "/tmp/" without "grep" or "ovpvwbvtat"
  • "/tmp/httpd.conf"
  • "/tmp/m"
  • "\./" with "httpd.conf"
  • "\-p x" without "grep"
  • "108.61.186.224"
  • "128.199.86.57"
  • "142.4.124.164"
  • "192.99.56.117"
  • "accounts-daemon"
  • "acpid"
  • "AnXqV.yam"
  • "askdljlqw"
  • "atd"
  • "bb"
  • "BI5zj"
  • "bonn.sh"
  • "bonns"
  • "carbon"
  • "conn.sh"
  • "conns"
  • "cryptonight" without "grep"
  • "crypto-pool"
  • "ddg"
  • "donns"
  • "Duck.sh"
  • "Guard.sh"
  • "ir29xc1"
  • "irqba2anc1"
  • "irqba5xnc1"
  • "irqbalance"
  • "irqbnc1"
  • "JnKihGjn"
  • "jva"
  • "kw.sh"
  • "kworker34"
  • "kxjd"
  • "minerd"
  • "minergate"
  • "minergate-cli"
  • "mixnerdx"
  • "mule"
  • "mutex"
  • "myatd"
  • "mysql_dump" without "grep"
  • "NXLAi"
  • "performedl"
  • "polkitd"
  • "pro.sh"
  • "pubg"
  • "sleep"
  • "snapd" without "grep"
  • "stratum" without "grep"
  • "tratum"
  • "watch-smart"
  • "XJnRj"
  • "yam"
  • "ysaydh"
  • "ysjswirmrm" without "grep"

Download Routine

This Hacking Tool connects to the following URL(s) to download its configuration file:

  • http://{BLOCKED}.{BLOCKED}.215.212:8220/config_1.json
  • http://{BLOCKED}.{BLOCKED}.215.212:8220/c1.json
  • http://{BLOCKED}.{BLOCKED}.215.212:8220/kworker.json

It connects to the following URL(s) to download its component file(s):

  • http://{BLOCKED}.{BLOCKED}.215.212:8220/gcc
  • http://{BLOCKED}.{BLOCKED}.215.212:8220/minerd
  • http://{BLOCKED}.{BLOCKED}.215.212:8220/atd2
  • http://{BLOCKED}.{BLOCKED}.215.212:8220/atd3
  • http://{BLOCKED}.{BLOCKED}.215.212:8220/yam

It saves the files it downloads using the following names:

  • /var/tmp/config.json - configuration file
  • /var/tmp/jvs - coinminer component

Other Details

This Hacking Tool does the following:

  • The downloaded configuration file contains credentials for the mining server. This configuration file is required by the downloaded component to generate bitcoins.
  • This hacking tool creates a scheduled task that downloads and execute a script from http://{BLOCKED}.{BLOCKED}.215.212:8220/logo{number}.jpg . The scheduled task executes the hacking tool every minute. As of this writing, the downloaded script is similar to this hacking tool.
  • It executes the downloaded component file using one of the following commands:
    • nohup ./jvs -c config.json -t `echo $cores` >/dev/null
    • nohup ./jvs -c x -M stratum
    • +tcp://{BLOCKED}cVux9NNeTfWe8TLK2UWxCXJvNyCQtNb69YEexdNs711jEaDRXWbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm3zKTUYo:x@pool.{BLOCKED}r.com:4444/xmr >/dev/null
  • This hacking tool suspends processes contain any of the following strings:
    • kube-apis
    • nginx78

It does not exploit any vulnerability.

  SOLUTION

Minimum Scan Engine:

9.850

Scan your computer with your Trend Micro product to delete files detected as HKTL_COINMINE.GN. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:


Did this description help? Tell us how we did.