This is a guest post by independent security researcher James Quinn.

If you have not yet read the first part of the MadoMiner analysis, please do so now. This analysis will pick up where Part 1 left off, while also including a brief correction. The x64 version of the Install module was listed as identical to the x86 Install module. However, this is not correct. The x64 Install module is identical in run-through to the 360Safe.exe module, which will be discussed later in this analysis.

In addition, take care with this portion of the malware. The batch script for Mask.exe, DemC.bat, appears to run if it detects any copies of itself during runtime, or if you run the x64 version of install on a 32 bit machine.

Where Install.exe was in charge of infecting new victims with MadoMiner, it seems Mask.exe is where the real payoff lies. Mask.exe utilizes XMRig miners in order to mine for XMR which it then sells for profit. While madominer was earning $6,000 a month as of the last analysis,

Around 10/14, MineXMR closed the old address due to botnet reports. A new address has been identified at 47QrUBQ4ejMW5wrWXiKUyRcQCZszauGWg9c3SLkzFoBJi45M5yN6gVPjVxSUfjMq4u8vepEejdnxyRQcv4RuFGy25x67433, mining through minexmr.com again. Currently, the hashrate is at 109Kh/s, and steadily rising.

Also, around the time that the address changed, MadoMiner also became drastically different.

Malware Analysis

Where Install.exe only downloaded 1 file from a remote host, Mask.exe downloads two files. In addition, the servers used to download the files are also different than Install.exe, increasing the proposed size of the botnet.

Domains

In addition to the 2 domains identified in part 1, a new domain has also been identified for a distribution server:

http://d.honker[dot]info

However, the domain is currently dead. In addition, the mining server currently used is pool.minexmr[dot]com

A C2 server(newly updated version):

http://qq.honker[dot]info

Previously identified distribution domains:

http://da[dot]alibuf.com:3/
http://bmw[dot]hobuff.info:3/

Previously Identified IPs:

61.130.31.174

Previously identified mining servers:

http://gle[dot]freebuf.info
http://etc[dot]freebuf.info
http://xmr[dot]freebuf.info
http://xt[dot]freebuf.info
http://boy[dot]freebuf.info
http://liang[dot]alibuf.com
http://dns[dot]alibuf.com
http://x[dot]alibuf.com

In addition, http://da[dot]alibuf.com:3, the main distribution server, seems to have been registered by bodfeo[at]hotmail.com in early October 2017. According to an analysis by Steve Butt of DomainTools, this email was linked to APT19/c0d0s0, however it was most likely due to domain reselling.

Exploits

During the execution of sogou.exe, the following exploits are used to install on new victims’ PCs:

CVE-2017-9073, RDP vulnerability on Windows XP and Windows Server 2003
CVE-2017-0143, SMB exploit
CVE-2017-0146, SMB exploit

Installation

Mask.exe ends up on a victim’s computer after either x86.dll or x64.dll downloads mado.exe or dst.exe, respectively. However, unlike with Install.exe, it doesn’t matter which file is downloaded because they are the same files (They have the same file hash).

Setup

Once Mask.exe is on a victim’s computer, it attempts to connect to one of the distribution servers identified above (bmw[dot]hobuff.info). Once a connection is established, it attempts to download two files, sogou.exe and 360safe.exe. Sogou.exe is the payload that contains the CPUInfo scanner, however, it has been set to scan for IPV6 addresses. Sogou is saved as Conhost.exe in C:WindowsInstaller. 360Safe.exe is the payload that contains the XMRig miners as well as the service manager (NSSM). 360Safe is saved as Makes.exe

Mask.exe

Mask.exe seems to be the profitable part of MadoMiner. Because of this, there are a lot more anti-debug tricks used during Mask.exe’s runthrough. Mask.exe seems to be in charge of downloading/executing Sogou.exe and 360Safe.exe. Each of the modules also have batch scripts that will be discussed in the analysis that are run during different stages of the execution.

MadoMiner generates money by mining for XMR using Mask.exe, 360Safe.exe, and XMRig. Mask.exe installs 360Safe.exe which in turn installs XMRig. MadoMiner uses the service manager NSSM in order to install the necessary services for runtime and persistence. In addition, in Sogou.exe, MadoMiner appears to search for IPV6 addresses that are vulnerable to EternalBlue, as well as installs some tasks.

If Mask.exe detects another copy of itself, demC.Bat is run (see removal section for information). DemC.Bat is just like the DemC in Part 1, where it attempts to delete the malware from as an attempt at anti-debugging. It also seems to close any open ports so that you can’t be reinfected — how thoughtful!

Sogou.exe runtime analysis

Sogou.exe appears to be another propagation module for MadoMiner, which answers the question of “Since x64.dll installed a miner during Install.exe, how did the x64 version of the malware propagate?”

Sogou.exe, once downloaded by Mask.exe, saves itself to C:%Windows%Installerconhost.exe, and then executes. However, Sogou.exe is more of a dropper than the full malware itself. Sogou.exe drops FileFtp.exe into C:Program FilesWindowsd. FileFtp.exe appears to be a partially encrypted propagation module that uses the same exploits as ZombieBoyTools, which it drops into Windowsd. However, this propagation module has a bit more in the way of hiding. Just like in all other modules of MadoMiner, FileFtp includes a script to delete itself from the filesystem. However, as any forensic investigator can tell you, when a file is deleted, it isn’t really gone, at least not immediately. However, with FileFtp.exe, prior to deleting itself after installing the propagation exploits and the executable used to spread, runs cmd /c cipher /w:C , which begins overwriting unallocated space, where deleted files are stored. Not only does FileFTP.exe delete itself, it also wipes itself from the system entirely.

Tasks and batch scripts used by Sogou.exe

AutoKMSK is used by sogou.exe to execute a copy of itself saved as C:WindowsInstallerconhost.exe every 15 minute. It does this by using the command

schtasks /create /sc minute /mo 15 /tn “AutoKMSK” /tr “C:windowsInstallerconhost.exe” /ru “system” /f

AutoKMSKK is used by sogou.exe to execute a script known as “free.bat”, which is very similar to Install.exe’s free.bat. However, this script will essentially delete all files installed by conhost.exe every 26 mins. This is used by the malware in order to evade detection. The command for this is as follows

schtasks /create /sc minute /mo 26 /tn “AutoKMSKK” /tr “C:WindowsInstallerfree.bat” /ru “system” /f

Mask.exe’s Free.bat

360Safe.exe Brief Overview

Where Sogou.exe appears to be a propagation module, 360Safe.exe is a pure mining module. 360Safe.exe begins on a computer after having been downloaded from bmw.hobuff[dot]info and executed by Mask.exe. As the main mining payload for MadoMiner, 360Safe is in charge of installing the service manager used by MadoMiner, and then dropping and installing the miner. However, 360Safe does this in a fairly modular and interesting way, because not only does 360Safe consist of both the x86 and x64 versions of the service manager used and the miner used, but it also identifies the architecture of the host PC and then dynamically creates a payload based on the architecture identified. In addition, 360Safe uses a number of anti-vm techniques, such as changing the base language of the files used by the service manager and using complete information when setting up registry keys (such as official looking descriptions and error messages upon tampering with malware).

360Safe Service Manager

360Safe uses NSSM as its service manager (Non-Sucking Service Manager). NSSM allows it to quickly and easily install services to the system using simple commands like NSSM install <service name> <path-to-service>. However, 360Safe uses some techniques to hide the fact that it is NSSM. First, 360Safe changes the base language of the installation information for NSSM. The information is changed to the Host’s language during runtime using the MessageBoxEx Windows API command. However, the result of this is that the strings are semi-unreadable when a basic string analysis is performed.

NSSM strings information

In addition, once the architecture has been identified and the NSSM installer selected, a different installation location is used. In 360Safe’s use of NSSM, it installs the service manager to the directory C:%Windows%Fonts as “svchost.exe”, with the registry keys

“HKLMSYSTEMCurrentControlSetServicesEventLog”
“HKLMSYSTEMCurrentControlSetServicesEventLogApplication”
“HKLMSYSTEMCurrentControlSetServicesEventLogApplicationNSSM”

NSSM values

“EventMessageFile = C:WindowsFontssvchost.exe”
“TypesSupported = 0x00000007”

All of these can be used as IOCs.

In addition, any windows opened by NSSM are hidden so that the host doesn’t suspect anything. Anytime that 360Safe needs to install a service, it calls “C:windowsFontssvchost.exe” in order to do so.

NSSM Registry Installation

360Safe Miner Installation

Just like the rest of 360Safe, the mining portion also installs all of its executables to C:%Windows%Fonts. However, it doesn’t use just one executable to install the miners. First, 360Safe.exe drops Conhost.exe into C:%Windows%Fonts. In addition to dropping conhost into C:%Windows%Fonts, a new service is created called ServiceMaims, which serves for persistence for Conhost.

The Display Name (EG: the Name that shows on Task manager) for ServiceMaims is “Network Location Service”, and the Description is “Provides performance library information from Windows Management”.

ServiceMaims is then started which in turn starts Conhost.

Registry Keys:

“HKLMSYSTEMCurrentControlSetServicesServiceMaims”
“HKLMSYSTEMCurrentControlSetServicesServiceMaimsParameters”
“HKLMSYSTEMCurrentControlSetServicesServiceMaimsParametersAppExit”

Values in ServiceMaims

“DisplayName = ServiceMaims”
“ErrorControl = 0x00000001”
“ImagePath = C:windowsFontssvchost.exe”
“ObjectName = LocalSystem”
“PreshutdownTimeout = 0x0002bf20”
“Start = 0x00000002”
“Type = 0x00000010”

Values in ServiceMaimsParameters:

“AppDirectory: C:windowsFonts”
“Application: C:windowsFontsconhost.exe”
“AppParameters: “

Values in ServiceMaimsParametersAppExit:

“(Default): Restart”

360Safe Conhost

Conhost.exe in C:%Windows%Fonts is used as a backup/dropper for the miner that will be installed. Conhost consists of the x86 version of XMRig, the x64 version of XMRig, and a dropper. The dropper has some installation scripts that are used for persistence, and also drops only one version of the miner, either x86 or x64 depending on your OS.

On first runtime, conhost enumerates the victim’s OS architecture and then creates a file in C:%Windows%Fonts, called “rundllhost.exe”, where it saves either the x86 miner or the x64 miner, depending on your OS. It then runs a script to save the miner as a Service, as well as save the mining information into registry so that it can be passed to the miner during execution.

The DisplayName = “WMI Performance Services”

The Description = “Identify Computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed”

The script then runs ServiceMais so that the miner can be executed.

Note: This miner only mines at 50% power, but was giving the authors over $6,000 a month before minexmr shut down the address. The new address is earning around $2,000 a month, and has only been active for a few days, however I’ll get more into that below.

Registry Keys:

“HKLMSYSTEMCurrentControlSetServicesServiceMais”
“HKLMSYSTEMCurrentControlSetServicesServiceMaisParameters”
“HKLMSYSTEMCurrentControlSetServicesServiceMaisParametersAppExit”

Values in ServiceMais:

“DisplayName = ServiceMais”
“ErrorControl = 0x00000001”
“ImagePath = C:windowsFontssvchost.exe”
“ObjectName = LocalSystem”
“PreshutdownTimeout = 0x0002bf20”
“Start = 0x00000002”
“Type = 0x00000010”

Values in ServiceMaisParameters:

“AppDirectory: “
“Application = rundllhost.exe”
“AppParameters = -o pool.minexmr.com:443 -u 45WVNRZkKoR55thZWviZ3diXBLAcNRp4yFCtDCnCLRL7bq9E7XqQ7GX5auuc8thCvgUv1av6MpgC5gFVECYGHmx1VKkfEnp -p x -k –donate-level=1 –max-cpu-usage = 50

Mask.exe Removal

Disclaimer regarding updated malware: While MadoMiner did update itself around 10/14-10/16, 2018, it doesn’t look like it can update the current bots that are already deployed, only new ones. For this reason, while IOCs regarding the new malware will be listed at the bottom, a removal section for the old malware will still be included. Just keep in mind that if your infection occurs after 10/16/2018, the file names listed in this guide may not be entirely accurate.

Warning Regarding Batch Scripts

Before attempting to remove this malware, the batch files should be brought up and treated with care. Make sure that all of your files are backed up. This malware deletes files and then wipes unallocated space, so file recovery is incredibly difficult.

DemC is mainly used by the malware to disable analysis attempts. If another copy of it is detected, or if you try to run the 64bit version of Install.exe on a 32 bit system, it scans your system for several different files and folders used in multiple different malware campaigns and makes them inaccessible. It also closes any open ports that are vulnerable to its campaigns. It also changes the Image File Execution Options, making it impossible to run the malware again.

Removal Steps – Sogou.exe

Sogou.exe installs 2 tasks during installation, which will need to be stopped, favorably before the free.bat task is allowed to run. The tasks, known as “AutoKMSK” and “AutoKKMSK”, can be located by opening the Windows tool “Task Scheduler”. These tasks will need to be stopped and deleted, however, note what files are executed by the tasks in the “Actions” tab of the task description. In this case, it would be “C:%Windows%Installerconhost.exe” and “C:%Windows%Installerfree.bat”

In C:%Windows%, you’ll want to locate a folder known as “Installer”. For Sogou.exe, this is the main installation folder. Inside Installer, you’ll want to locate both “Conhost.exe” and “free.bat”. Delete them.

In C:Program Files, you’ll want to locate a folder known as “Windowsd”. This is where Sogou.exe installs FileFTP.exe and all subsequent files dropped by FileFTP.exe. If the file deletion script hasn’t already come through and removed them, you’ll want to remove this entire folder. Note: Windowsd may or may not contain over 70 different files for propagation to other systems.

Removal Steps – 360Safe.exe

360Safe.exe appears to install more files into registry than Sogou.exe. First, as 360Safe.exe installs several services, those will need to be stopped using the Service manager, and then deleted from registry.

Service Name: Eventlog

Regkey: HKLMSYSTEMCurrentControlSetServicesEventLog

Image Location: C:%windows%Fontssvchost.exe

Service Name: ServiceMaims

Regkey: HKLMSYSTEMCurrentControlSetServicesServiceMaims

Image Location: C:%windows%Fontsconhost.exe

Service Name: ServiceMais

Regkey: HKLMSYSTEMCurrentControlSetServicesServiceMais

Image Location: C:%windows%Fontsrundllhost.exe

360Safe saves itself to C:%Windows% as makes.exe, which will need to be deleted as well.

Removal Steps – Install.exe (x64)

As the x64 version is a near identical miner to the x86 and x64 versions of mask.exe, the only things that have changed are the services installed. Removal steps are below however (order is respective. RpcEptManger = ServiceMaims, and Samserver = ServiceMais)

Service Name: Eventlog

Regkey: HKLMSYSTEMCurrentControlSetServicesEventLog

Image Location: C:%windows%Fontssvchost.exe

Service Name = RpcEptManger

RegKey = SYSTEM/CurrentControlSet/Services/RpcEptManger/

Image Location = C:%WindowsDirectory%Fontswininit.exe

Service Name = Samserver

RegKey = SYSTEM/CurrentControlSet/Services/Samserver/

Image Location = C:%WindowsDirectory%Fontsrundllhost.exe

Removal – DemC Has Been Run

In the case that DemC is run, removal becomes more complex. DemC’s purpose is to hide MadoMiner from analysis and thus makes directories/takes ownership of current directories in order to hide.

Specifically

Removes the %Windows%SpeechsTracing directory (if it exists)
Removes the %Windows%SecureBootThemes directory (If It exists)
Removes the %Windows%sysprepthemes directory (if it exists)
Makes a new directory at %Windows%SpeechsTracingMicrosoft and then proceeds to make that directory inaccessible for everyone
Makes a new directory at %Windows%SecureBootThemes and then proceeds to make that directory inaccessible for everyone.
Makes a new directory at %Windows%sysprepthemes and then proceeds to make that directory inaccessible for everyone
Makes the file C:ProgramDataNatihialsvshostr.exe inaccessible for everyone
Makes the file C:ProgramDatanewcsrss inaccessible for everyone
Makes the file C:ProgramDataMicrosoftNatihialcmd.exe inaccessible for everyone
Makes the file C:ProgramDataexpl0rer.exe inaccessible for everyone
Makes the file C:windowssvchost.exe inaccessible for everyone
Makes the directory C:%windows%svchost.exe and then proceeds to make that directory inaccessible for everyone
Makes the directory C:%windows%tasksche.exe and then proceeds to make that directory inaccessible for everyone
Makes the directory C:program files (x86)stormiiserver.exe and then proceeds to make that directory inaccessible for everyone

For the files made inaccessible, you’ll need to take ownership of them, either by using the built in security manager GUI, or by using the sysinternals suite TakeOwn.

Indicators of Compromise

Samples	Md5	Size	IP	IOC
Mask.exe	4ae31911c1ef2ca4eded1fdbaa2c7a49	741.4 KB	bmw.hobuff[dot]info:3/	C:%Windows%tem.vbs C:%Windows%demc.bat
360Safe.exe	ce606d80b44ea2aae81056b9088ba1e4	3.6 MB	pool.minexmr[dot]com:443	Services: EventLog ServiceMaims ServiceMais Regkeys: +HKLMSYSTEMCurrentControlSetServicesEventLog + HKLMSYSTEMCurrentControlSetServicesServiceMaims + HKLMSYSTEMCurrentControlSetServicesServiceMais Executables: + C:%windows%Fontssvchost.exe + C:%windows%Fontsconhost.exe + C:%windows%Fontsrundllhost.exe Connection to pool.minexmr.com:443 Scripts: C:%Windows%tem.vbs
360Safe_svchost_x86.exe	0a7d7ed55c4202f5106824f11ecb22fa	299 KB	–	Regkeys: +HKLMSYSTEMCurrentControlSetServicesEventLog Executables: + C:%windows%Fontssvchost.exe
360Safe_svchost_x64.exe	081f10718d76c9b3b19901f0ee630960	292KB	–	Services EventLog Regkeys: +HKLMSYSTEMCurrentControlSetServicesEventLog Executables: + C:%windows%Fontssvchost.exe
360Safe_conhost.exe	9c59ea0f58c5143b0860ec434d646780	2.3 MB	–	Services ServiceMaims Regkeys: + HKLMSYSTEMCurrentControlSetServicesServiceMaims Executables: + C:%windows%Fontsconhost.exe
360Safe_rundllhost_x86.exe	467d7dfe3a1fe82d12b38d997df5cfbe	1.6 MB	pool.minexmr[dot]com:443	Services: ServiceMais Regkeys: + HKLMSYSTEMCurrentControlSetServicesServiceMais Executables: + C:%windows%Fontsrundllhost.exe Connection to pool.minexmr.com:443
360Safe_rundllhost_x64.exe	e41f5e79400c985e8d8a25f0711095f15302e8dd	481 KB	pool.minexmr[dot]com:443/	Regkeys: + HKLMSYSTEMCurrentControlSetServicesServiceMais Executables: + C:%windows%Fontsrundllhost.exe Connection to pool.minexmr.com:443
Sogou.exe	edfa66accd958eb87a6e8ef1eb708d2f	3.9 MB	–	Folder: C:%Program Files%Windowsd Tasks: AutoKMSK AutoKKMSK Executables: C:%Windows%Installerconhost.exe C:%Windows%WindowsdFileFtp.exe Assorted executables needed for spreading found in Windowsd Scripts: C:%Windows%free.bat
FileFtp.exe	1188f935979806545cbf118e22416be5	8.9 MB	–	C:%Windows%WindowsdFileFtp.exe Assorted executables needed for spreading found in Windowsd
Installx64.exe	d8470f5c12f5a5fee89de4d4c425d614	1.3 MB	x.alibuff[dot]com	Services: EventLog RpcEptManger Samserver RegKey: HKLMSYSTEMCurrentControlSetServicesEventLog HKLMSYSTEMCurrentControlSetServicesRpcEptManger HKLMSYSTEMCurrentControlSetServicesSamserver Executables: C:%windows%Fontssvchost.exe C:%WindowsDirectory%Fontswininit.exe C:%WindowsDirectory%Fontsrundllhost.exe
Installx64_svchost.exe	081f10718d76c9b3b19901f0ee630960	299 KB	–	Services: EventLog RegKey: HKLMSYSTEMCurrentControlSetServicesEventLog Executables: C:%windows%Fontssvchost.exe
Installx64_wininit.exe	081f10718d76c9b3b19901f0ee630960	490 KB	–	Services: RpcEptManger RegKey: HKLMSYSTEMCurrentControlSetServicesRpcEptManger Executables: C:%WindowsDirectory%Fontswininit.exe
Installx64_rundllhost.exe	e41f5e79400c985e8d8a25f0711095f15302e8dd	481 KB	x.alibuff[dot]com	Services: Samserver RegKey: HKLMSYSTEMCurrentControlSetServicesSamserver Executables: C:%WindowsDirectory%Fontsrundllhost.exe
MadoMiner_New_445.exe	d4d8f87c61051c28ca3cee7e38bf839d	2.1 MB	a.f2pool[dot]info:13531	Task named “GooglePingInCongifs” executing C:windowslsass.exe C:%WindowsDirectory%Install.exe C:%WindowsDirectory%lsass.bat Mining at a.f2pool[dot]info
MadoMiner_New_445_Lsass.exe	1dd1550f2586411766cba953badf76f7	4.5 MB	a.f2pool[dot]info:13531	C:%WindowsDirectory%lsass.exe
MadoMiner_New_Dst.exe	4ace52693bdeace5b285d35e47be6cfc	102.4 kb	qq.honker[dot]info	Service: Jklmno Regkey: HKLMSYSTEMCurrentControlSetServicesJklmno Executable: C:%Windows%svchost.exe
MadoMiner_New_Dst_DecryptedRAT.exe	01374ea3c48b69876d9375a2baba76ce	51.6 kb	qq.honker[dot]info	Service: Jklmno Regkey: HKLMSYSTEMCurrentControlSetServicesJklmno Executable: C:%Windows%svchost.exeds
MadoMiner_New_Mask.exe	345239f58ddfd522ff04ad67009d15e9	4.5 MB	l.f2pool[dot]info:443/	C:%WindowsDirectory%Fontslsass.exe C:%WindowsDirectory%Fontssvchost.exe C:%WindowsDirectory%Fontsrunhost.exe
MadoMiner_New_Mask_lsass.exe	0ef0a7198444a43be51948e10cc15c53	3.5 MB	l.f2pool[dot]info:443/	C:%WindowsDirectory%Fontslsass.exe
MadoMiner_New_Mask_svchost.exe	8a44626c2ca26a84764e7ad771143d44	89.1 kb	–	C:%WindowsDirectory%Fontssvchost.exe