MadoMiner Part 2 - Mask

October 29, 2018  |  James Quinn

This is a guest post by independent security researcher James Quinn.      

If you have not yet read the first part of the MadoMiner analysis, please do so now.  This analysis will pick up where Part 1 left off, while also including  a brief correction.  The x64 version of the Install module was listed as identical to the x86 Install module.  However, this is not correct.  The x64 Install module is identical in run-through to the 360Safe.exe module, which will be discussed later in this analysis.

In addition, take care with this portion of the malware.  The batch script for Mask.exe, DemC.bat, appears to run if it detects any copies of itself during runtime, or if you run the x64 version of install on a 32 bit machine.

Where Install.exe was in charge of infecting new victims with MadoMiner, it seems Mask.exe is where the real payoff lies.  Mask.exe utilizes XMRig miners in order to mine for XMR which it then sells for profit.  While madominer was earning $6,000 a month as of the last analysis,

Around 10/14, MineXMR closed the old address due to botnet reports.  A new address has been identified at 47QrUBQ4ejMW5wrWXiKUyRcQCZszauGWg9c3SLkzFoBJi45M5yN6gVPjVxSUfjMq4u8vepEejdnxyRQcv4RuFGy25x67433, mining through minexmr.com again.  Currently, the hashrate is at 109Kh/s, and steadily rising.

Also, around the time that the address changed, MadoMiner also became drastically different.

Malware Analysis

Where Install.exe only downloaded 1 file from a remote host, Mask.exe downloads two files.  In addition, the servers used to download the files are also different than Install.exe, increasing the proposed size of the botnet.

Domains

In addition to the 2 domains identified in part 1, a new domain has also been identified for a distribution server:

  • http://d.honker[dot]info

However, the domain is currently dead.  In addition, the mining server currently used is pool.minexmr[dot]com

A C2 server(newly updated version):

  • http://qq.honker[dot]info

Previously identified distribution domains:

  • http://da[dot]alibuf.com:3/
  • http://bmw[dot]hobuff.info:3/

Previously Identified IPs:

  • 61.130.31.174

Previously identified mining servers:

  • http://gle[dot]freebuf.info
  • http://etc[dot]freebuf.info
  • http://xmr[dot]freebuf.info
  • http://xt[dot]freebuf.info
  • http://boy[dot]freebuf.info
  • http://liang[dot]alibuf.com
  • http://dns[dot]alibuf.com
  • http://x[dot]alibuf.com

In addition, http://da[dot]alibuf.com:3, the main distribution server, seems to have been registered by bodfeo[at]hotmail.com in early October 2017. According to an analysis by Steve Butt of DomainTools, this email was linked to APT19/c0d0s0, however it was most likely due to domain reselling.

Exploits

During the execution of sogou.exe, the following exploits are used to install on new victims’ PCs:

  • CVE-2017-9073, RDP vulnerability on Windows XP and Windows Server 2003
  • CVE-2017-0143, SMB exploit
  • CVE-2017-0146, SMB exploit

Installation

Mask.exe ends up on a victim’s computer after either x86.dll or x64.dll downloads mado.exe or dst.exe, respectively.  However, unlike with Install.exe, it doesn’t matter which file is downloaded because they are the same files (They have the same file hash).

Setup

Once Mask.exe is on a victim’s computer, it attempts to connect to one of the distribution servers identified above (bmw[dot]hobuff.info).  Once a connection is established, it attempts to download two files, sogou.exe and 360safe.exe.  Sogou.exe is the payload that contains the CPUInfo scanner, however, it has been set to scan for IPV6 addresses.  Sogou is saved as Conhost.exe in C:\Windows\Installer.  360Safe.exe is the payload that contains the XMRig miners as well as the service manager (NSSM).  360Safe is saved as Makes.exe

Mask.exe

Mask.exe seems to be the profitable part of MadoMiner.  Because of this, there are a lot more anti-debug tricks used during Mask.exe’s runthrough.  Mask.exe seems to be in charge of downloading/executing Sogou.exe and 360Safe.exe.  Each of the modules also have batch scripts that will be discussed in the analysis that are run during different stages of the execution. 

MadoMiner generates money by mining for XMR using Mask.exe, 360Safe.exe, and XMRig.  Mask.exe installs 360Safe.exe which in turn installs XMRig.  MadoMiner uses the service manager NSSM in order to install the necessary services for runtime and persistence.  In addition, in Sogou.exe, MadoMiner appears to search for IPV6 addresses that are vulnerable to EternalBlue, as well as installs some tasks.

If Mask.exe detects another copy of itself, demC.Bat is run (see removal section for information).  DemC.Bat is just like the DemC in Part 1, where it attempts to delete the malware from as an attempt at anti-debugging.  It also seems to close any open ports so that you can’t be reinfected --- how thoughtful!

Sogou.exe runtime analysis

Sogou.exe appears to be another propagation module for MadoMiner, which answers the question of “Since x64.dll installed a miner during Install.exe, how did the x64 version of the malware propagate?” 

Sogou.exe, once downloaded by Mask.exe, saves itself to C:\%Windows%\Installer\conhost.exe, and then executes. However, Sogou.exe is more of a dropper than the full malware itself.  Sogou.exe drops FileFtp.exe into C:\Program Files\Windowsd.  FileFtp.exe appears to be a partially encrypted propagation module that uses the same exploits as ZombieBoyTools, which it drops into \Windowsd. However, this propagation module has a bit more in the way of hiding.  Just like in all other modules of MadoMiner, FileFtp includes a script to delete itself from the filesystem.  However, as any forensic investigator can tell you, when a file is deleted, it isn’t really gone, at least not immediately.  However, with FileFtp.exe, prior to deleting itself after installing the propagation exploits and the executable used to spread, runs cmd /c cipher /w:C , which begins overwriting unallocated space, where deleted files are stored.  Not only does FileFTP.exe delete itself, it also wipes itself from the system entirely.

Tasks and batch scripts used by Sogou.exe

AutoKMSK is used by sogou.exe to execute a copy of itself saved as C:\Windows\Installer\conhost.exe every 15 minute.  It does this by using the command

schtasks /create /sc minute /mo 15 /tn “AutoKMSK” /tr “C:\windows\Installer\conhost.exe” /ru “system” /f

AutoKMSKK is used by sogou.exe to execute a script known as “free.bat”, which is very similar to Install.exe’s free.bat.  However, this script will essentially delete all files installed by conhost.exe every 26 mins.  This is used by the malware in order to evade detection. The command for this is as follows

schtasks /create /sc minute /mo 26 /tn “AutoKMSKK” /tr “C:\Windows\Installer\free.bat” /ru “system” /f

Mask.exe’s Free.bat

360Safe.exe Brief Overview

Where Sogou.exe appears to be a propagation module, 360Safe.exe is a pure mining module.  360Safe.exe begins on a computer after having been downloaded from bmw.hobuff[dot]info and executed by Mask.exe.  As the main mining payload for MadoMiner, 360Safe is in charge of installing the service manager used by MadoMiner, and then dropping and installing the miner.  However, 360Safe does this in a fairly modular and interesting way, because not only does 360Safe consist of both the x86 and x64 versions of the service manager used and the miner used, but it also identifies the architecture of the host PC and then dynamically creates a payload based on the architecture identified.  In addition, 360Safe uses a number of anti-vm techniques, such as changing the base language of the files used by the service manager and using complete information when setting up registry keys (such as official looking descriptions and error messages upon tampering with malware).

360Safe Service Manager

360Safe uses NSSM as its service manager (Non-Sucking Service Manager).  NSSM allows it to quickly and easily install services to the system using simple commands like NSSM install .  However, 360Safe uses some techniques to hide the fact that it is NSSM.  First, 360Safe changes the base language of the installation information for NSSM.  The information is changed to the Host’s language during runtime using the MessageBoxEx Windows API command.  However, the result of this is that the strings are semi-unreadable when a basic string analysis is performed.

NSSM strings information

In addition, once the architecture has been identified and the NSSM installer selected, a different installation location is used.  In 360Safe’s use of NSSM, it installs the service manager to the directory C:\%Windows%\Fonts as “svchost.exe”, with the registry keys 

  • “HKLM\SYSTEM\CurrentControlSet\Services\EventLog\”
  • “HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application”
  • “HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\NSSM”

\NSSM values

  •  “EventMessageFile = C:\Windows\Fonts\svchost.exe”
  •  “TypesSupported = 0x00000007”

All of these can be used as IOCs.

In addition, any windows opened by NSSM are hidden so that the host doesn’t suspect anything.  Anytime that 360Safe needs to install a service, it calls “C:\windows\Fonts\svchost.exe” in order to do so.

NSSM Registry Installation

360Safe Miner Installation

Just like the rest of 360Safe, the mining portion also installs all of its executables to C:\%Windows%\Fonts.  However, it doesn’t use just one executable to install the miners.  First, 360Safe.exe drops Conhost.exe into C:\%Windows%\Fonts.  In addition to dropping conhost into C:\%Windows%\Fonts, a new service is created called ServiceMaims, which serves for persistence for Conhost. 

The Display Name (EG: the Name that shows on Task manager) for ServiceMaims is “Network Location Service”, and the Description is “Provides performance library information from Windows Management”.

ServiceMaims is then started which in turn starts Conhost.

Registry Keys:

  • “HKLM\SYSTEM\CurrentControlSet\Services\ServiceMaims”
  • “HKLM\SYSTEM\CurrentControlSet\Services\ServiceMaims\Parameters”
  • “HKLM\SYSTEM\CurrentControlSet\Services\ServiceMaims\Parameters\AppExit”

Values in \ServiceMaims\

  • “DisplayName = ServiceMaims”
  • “ErrorControl = 0x00000001”
  • “ImagePath = C:\windows\Fonts\svchost.exe”
  • “ObjectName = LocalSystem”
  • “PreshutdownTimeout = 0x0002bf20”
  • “Start = 0x00000002”
  • “Type = 0x00000010”

Values in \ServiceMaims\Parameters\:

  • “AppDirectory: C:\windows\Fonts”
  • “Application: C:\windows\Fonts\conhost.exe”
  • “AppParameters: “

Values in \ServiceMaims\Parameters\AppExit\:

  • “(Default): Restart”

360Safe Conhost

Conhost.exe in C:\%Windows%\Fonts is used as a backup/dropper for the miner that will be installed.  Conhost consists of the x86 version of XMRig, the x64 version of XMRig, and a dropper.  The dropper has some installation scripts that are used for persistence, and also drops only one version of the miner, either x86 or x64 depending on your OS.

On first runtime, conhost enumerates the victim’s OS architecture and then creates a file in C:\%Windows%\Fonts, called “rundllhost.exe”, where it saves either the x86 miner or the x64 miner, depending on your OS.  It then runs a script to save the miner as a Service, as well as save the mining information into registry so that it can be passed to the miner during execution.

The DisplayName = “WMI Performance Services”

The Description = “Identify Computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed”

The script then runs ServiceMais so that the miner can be executed.

Note:  This miner only mines at 50% power, but was giving the authors over $6,000 a month before minexmr shut down the address.  The new address is earning around $2,000 a month, and has only been active for a few days, however I’ll get more into that below.

Registry Keys:

  • “HKLM\SYSTEM\CurrentControlSet\Services\ServiceMais”
  • “HKLM\SYSTEM\CurrentControlSet\Services\ServiceMais\Parameters”
  • “HKLM\SYSTEM\CurrentControlSet\Services\ServiceMais\Parameters\AppExit”

Values in \ServiceMais\:

  • “DisplayName = ServiceMais”
  • “ErrorControl = 0x00000001”
  • “ImagePath = C:\windows\Fonts\svchost.exe”
  • “ObjectName = LocalSystem”
  • “PreshutdownTimeout = 0x0002bf20”
  • “Start = 0x00000002”
  • “Type = 0x00000010”

Values in \ServiceMais\Parameters\:

  • “AppDirectory: “
  • “Application = rundllhost.exe”
  • “AppParameters = -o pool.minexmr.com:443 -u 45WVNRZkKoR55thZWviZ3diXBLAcNRp4yFCtDCnCLRL7bq9E7XqQ7GX5auuc8thCvgUv1av6MpgC5gFVECYGHmx1VKkfEnp -p x -k --donate-level=1 --max-cpu-usage = 50

Mask.exe Removal

Disclaimer regarding updated malware:  While MadoMiner did update itself around 10/14-10/16, 2018, it doesn’t look like it can update the current bots that are already deployed, only new ones.  For this reason, while IOCs regarding the new malware will be listed at the bottom, a removal section for the old malware will still be included.  Just keep in mind that if your infection occurs after 10/16/2018, the file names listed in this guide may not be entirely accurate. 

Warning Regarding Batch Scripts

Before attempting to remove this malware, the batch files should be brought up and treated with care.  Make sure that all of your files are backed up.  This malware deletes files and then wipes unallocated space, so file recovery is incredibly difficult.

DemC is mainly used by the malware to disable analysis attempts.  If another copy of it is detected, or if you try to run the 64bit version of Install.exe on a 32 bit system, it scans your system for several different files and folders used in multiple different malware campaigns and makes them inaccessible.  It also closes any open ports that are vulnerable to its campaigns.  It also changes the Image File Execution Options, making it impossible to run the malware again.

Removal Steps - Sogou.exe

Sogou.exe installs 2 tasks during installation, which will need to be stopped, favorably before the free.bat task is allowed to run.  The tasks, known as “AutoKMSK” and “AutoKKMSK”, can be located by opening the Windows tool “Task Scheduler”.  These tasks will need to be stopped and deleted, however, note what files are executed by the tasks in the “Actions” tab of the task description.  In this case, it would be “C:\%Windows%\Installer\conhost.exe” and “C:\%Windows%\Installer\free.bat”

In C:\%Windows%\, you’ll want to locate a folder known as “Installer”.  For Sogou.exe, this is the main installation folder.  Inside Installer, you’ll want to locate both “Conhost.exe” and “free.bat”.  Delete them. 

In C:\Program Files\, you’ll want to locate a folder known as “Windowsd”.  This is where Sogou.exe installs FileFTP.exe and all subsequent files dropped by FileFTP.exe.  If the file deletion script hasn’t already come through and removed them, you’ll want to remove this entire folder.  Note:  Windowsd may or may not contain over 70 different files for propagation to other systems.

Removal Steps - 360Safe.exe

360Safe.exe appears to install more files into registry than Sogou.exe.  First, as 360Safe.exe installs several services, those will need to be stopped using the Service manager, and then deleted from registry.

Service Name: Eventlog

Regkey: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\

Image Location: C:\%windows%\Fonts\svchost.exe

Service Name: ServiceMaims

Regkey: HKLM\SYSTEM\CurrentControlSet\Services\ServiceMaims

Image Location: C:\%windows%\Fonts\conhost.exe

Service Name: ServiceMais

Regkey: HKLM\SYSTEM\CurrentControlSet\Services\ServiceMais

Image Location: C:\%windows%\Fonts\rundllhost.exe

360Safe saves itself to C:\%Windows%\ as makes.exe, which will need to be deleted as well. 

Removal Steps - Install.exe (x64)

As the x64 version is a near identical miner to the x86 and x64 versions of mask.exe, the only things that have changed are the services installed.  Removal steps are below however (order is respective.  RpcEptManger = ServiceMaims, and Samserver = ServiceMais)

Service Name: Eventlog

Regkey: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\

Image Location: C:\%windows%\Fonts\svchost.exe

Service Name = RpcEptManger

RegKey = SYSTEM/CurrentControlSet/Services/RpcEptManger/

Image Location = C:\%WindowsDirectory%\Fonts\wininit.exe

Service Name = Samserver

RegKey = SYSTEM/CurrentControlSet/Services/Samserver/

Image Location = C:\%WindowsDirectory%\Fonts\rundllhost.exe

Removal - DemC Has Been Run

In the case that DemC is run, removal becomes more complex.  DemC’s purpose is to hide MadoMiner from analysis and thus makes directories/takes ownership of current directories in order to hide.

Specifically

  • Removes the %Windows%\SpeechsTracing directory (if it exists)
  • Removes the %Windows%\SecureBootThemes directory (If It exists)
  • Removes the %Windows%\sysprepthemes directory (if it exists)
  • Makes a new directory at %Windows%\SpeechsTracing\Microsoft and then proceeds to make that directory inaccessible for everyone
  • Makes a new directory at %Windows%\SecureBootThemes and then proceeds to make that directory inaccessible for everyone.
  • Makes a new directory at %Windows%\sysprepthemes and then proceeds to make that directory inaccessible for everyone
  • Makes the file C:\ProgramData\Natihial\svshostr.exe inaccessible for everyone
  • Makes the file C:\ProgramData\new\csrss inaccessible for everyone
  • Makes the file C:\ProgramData\Microsoft\Natihial\cmd.exe inaccessible for everyone
  • Makes the file C:\ProgramData\expl0rer.exe inaccessible for everyone
  • Makes the file C:\windows\svchost.exe inaccessible for everyone
  • Makes the directory C:\%windows%\svchost.exe and then proceeds to make that directory inaccessible for everyone
  • Makes the directory C:\%windows%\tasksche.exe and then proceeds to make that directory inaccessible for everyone
  • Makes the directory C:\program files (x86)\stormii\server.exe and then proceeds to make that directory inaccessible for everyone

For the files made inaccessible, you’ll need to take ownership of them, either by using the built in security manager GUI, or by using the sysinternals suite TakeOwn.

Indicators of Compromise

Samples

Md5

Size

IP

IOC

Mask.exe

4ae31911c1ef2ca4eded1fdbaa2c7a49

741.4 KB

bmw.hobuff[dot]info:3/

C:\%Windows%\tem.vbs

C:\%Windows%\demc.bat

360Safe.exe

ce606d80b44ea2aae81056b9088ba1e4

3.6 MB

pool.minexmr[dot]com:443

Services:

EventLog

ServiceMaims

ServiceMais

 

Regkeys: 

  +HKLM\SYSTEM\CurrentControlSet\Services\EventLog\

 +  HKLM\SYSTEM\CurrentControlSet\Services\ServiceMaims

 + HKLM\SYSTEM\CurrentControlSet\Services\ServiceMais\

 

Executables:

 + C:\%windows%\Fonts\svchost.exe

 + C:\%windows%\Fonts\conhost.exe

 + C:\%windows%\Fonts\rundllhost.exe

 

Connection to pool.minexmr.com:443

 

Scripts:

C:\%Windows%\tem.vbs

360Safe_svchost_x86.exe

0a7d7ed55c4202f5106824f11ecb22fa

299 KB

-

Regkeys: 

  +HKLM\SYSTEM\CurrentControlSet\Services\EventLog\

 

Executables:

 + C:\%windows%\Fonts\svchost.exe

 

360Safe_svchost_x64.exe

081f10718d76c9b3b19901f0ee630960

292KB

-

Services

EventLog

 

Regkeys: 

  +HKLM\SYSTEM\CurrentControlSet\Services\EventLog\

 

Executables:

 + C:\%windows%\Fonts\svchost.exe

 

360Safe_conhost.exe

9c59ea0f58c5143b0860ec434d646780

2.3 MB

-

Services

ServiceMaims

 

Regkeys:

+  HKLM\SYSTEM\CurrentControlSet\Services\ServiceMaims

 

Executables:

+ C:\%windows%\Fonts\conhost.exe

 

360Safe_rundllhost_x86.exe

467d7dfe3a1fe82d12b38d997df5cfbe

1.6 MB

pool.minexmr[dot]com:443

Services:

ServiceMais

 

Regkeys:

 + HKLM\SYSTEM\CurrentControlSet\Services\ServiceMais\

 

 

Executables:

 + C:\%windows%\Fonts\rundllhost.exe

 

Connection to pool.minexmr.com:443

 

360Safe_rundllhost_x64.exe

e41f5e79400c985e8d8a25f0711095f15302e8dd

481 KB

pool.minexmr[dot]com:443/

Regkeys:

 + HKLM\SYSTEM\CurrentControlSet\Services\ServiceMais\

 

 

Executables:

 + C:\%windows%\Fonts\rundllhost.exe

 

Connection to pool.minexmr.com:443

Sogou.exe

edfa66accd958eb87a6e8ef1eb708d2f

3.9 MB

-

Folder:

C:\%Program Files%\Windowsd

 

Tasks:

AutoKMSK

AutoKKMSK

 

Executables:

C:\%Windows%\Installer\conhost.exe

 

C:\%Windows%\Windowsd\FileFtp.exe

 

Assorted executables needed for spreading found in \Windowsd

 

Scripts:

C:\%Windows%\free.bat

FileFtp.exe

1188f935979806545cbf118e22416be5

8.9 MB

-

C:\%Windows%\Windowsd\FileFtp.exe

 

Assorted executables needed for spreading found in \Windowsd

 

Installx64.exe

d8470f5c12f5a5fee89de4d4c425d614

1.3 MB

x.alibuff[dot]com

Services:

EventLog

RpcEptManger

Samserver

 

RegKey:

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\

HKLM\SYSTEM\CurrentControlSet\Services\RpcEptManger\

HKLM\SYSTEM\CurrentControlSet\Services\Samserver\

 

Executables: C:\%windows%\Fonts\svchost.exe

C:\%WindowsDirectory%\Fonts\wininit.exe

C:\%WindowsDirectory%\Fonts\rundllhost.exe

Installx64_svchost.exe

081f10718d76c9b3b19901f0ee630960

299 KB

-

Services:

EventLog

 

RegKey:

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\

 

Executables:

C:\%windows%\Fonts\svchost.exe

 

Installx64_wininit.exe

081f10718d76c9b3b19901f0ee630960

490 KB

-

Services:

RpcEptManger

 

RegKey:

HKLM\SYSTEM\CurrentControlSet\Services\RpcEptManger\

 

 

Executables:

C:\%WindowsDirectory%\Fonts\wininit.exe

Installx64_rundllhost.exe

e41f5e79400c985e8d8a25f0711095f15302e8dd

481 KB

x.alibuff[dot]com

Services:

Samserver

 

RegKey:

HKLM\SYSTEM\CurrentControlSet\Services\Samserver\

 

Executables:

C:\%WindowsDirectory%\Fonts\rundllhost.exe

MadoMiner_New_445.exe

d4d8f87c61051c28ca3cee7e38bf839d

2.1 MB

a.f2pool[dot]info:13531

Task named “GooglePingInCongifs” executing C:\windows\lsass.exe

C:\%WindowsDirectory%\Install.exe

C:\%WindowsDirectory%\lsass.bat

Mining at a.f2pool[dot]info

MadoMiner_New_445_Lsass.exe

1dd1550f2586411766cba953badf76f7

4.5 MB

a.f2pool[dot]info:13531

C:\%WindowsDirectory%\lsass.exe

 

MadoMiner_New_Dst.exe

4ace52693bdeace5b285d35e47be6cfc

102.4 kb

qq.honker[dot]info

Service:

Jklmno

 

Regkey:

HKLM\SYSTEM\CurrentControlSet\Services\Jklmno

 

Executable:

C:\%Windows%\svchost.exe

MadoMiner_New_Dst_DecryptedRAT.exe

01374ea3c48b69876d9375a2baba76ce

51.6 kb

qq.honker[dot]info

Service:

Jklmno

 

Regkey:

HKLM\SYSTEM\CurrentControlSet\Services\Jklmno

 

Executable:

C:\%Windows%\svchost.exeds

MadoMiner_New_Mask.exe

345239f58ddfd522ff04ad67009d15e9

4.5 MB

l.f2pool[dot]info:443/

C:\%WindowsDirectory%\Fonts\lsass.exe

C:\%WindowsDirectory%\Fonts\svchost.exe

C:\%WindowsDirectory%\Fonts\runhost.exe

 

MadoMiner_New_Mask_lsass.exe

0ef0a7198444a43be51948e10cc15c53

3.5 MB

l.f2pool[dot]info:443/

C:\%WindowsDirectory%\Fonts\lsass.exe

MadoMiner_New_Mask_svchost.exe

8a44626c2ca26a84764e7ad771143d44

89.1 kb

-

C:\%WindowsDirectory%\Fonts\svchost.exe

Share this with others

Get price Free trial