Analysis of SeroMiner Trojan, combine multiple anti-analytic techniques

Mar 22, 2019 | kate
Learn more about 360 Total Security

Foreword

Recently, 360 Security Brain intercepted a mining Trojan, 'SeroMiner'. The Trojan's behaviour is highly concealed, which makes its mining activity hard for security staff to discover: its daemon process continuously traverses the system's processes while mining. When it finds the Task Manager process (taskmgr.exe) running, the mining process is killed immediately, and mining starts again once the Task Manager process ends.

In addition to packing with UPX, the virus writer uses a code obfuscator written in .NET to hide the encrypted virus module inside a PNG image. Decrypting the executable from the image at runtime and then executing it bypasses the static scanning of anti-virus software.

Apart from this, SeroMiner implements anti-debugging through IsDebuggerPresent and timing-difference checks, detects common virtual machines and anti-virus sandboxes, and also checks for running anti-virus software during operation. It goes to great lengths to resist security analysis.

The following figure is the execution flow chart of the SeroMiner Trojan:

the execution flow chart of the SeroMiner Trojan

Detailed analysis

newstart.zip

newstart.zip is an AutoIt script that registers itself as a self-starting item named "superloaver" and drops superstart.exe into the C:\streamerdata\superstarta\ directory for execution. The related code logic is shown below:

Code obfuscator

Extract hidden encrypted data from pixels in the image:

Extract hidden encrypted data from pixels

Decrypt the encrypted data into the PE image CyaX.exe:

Decrypt encrypted data to PE image CyaX.exe

CyaX.exe

CyaX.exe first checks the current running environment. If it is being debugged, or is running in a virtual machine, a sandbox, etc., the subsequent virus logic is not executed. The related anti-debugging logic is shown below:

CyaX.exe

Detection of virtual machine environments such as VirtualBox, VMware, Wine and QEMU:

Detect virtual machine environment of VirtualBox, VMware, wine, QEMU etc.

Detection of SandBox and some common anti-virus sandbox environments:

Detect SandBox and some common anti-virus sandbox environments

It then creates a scheduled task to implement self-starting:

create a scheduled task to implement self-starting

It then executes superhero.exe by injecting it into its own memory. The related injection logic is shown below:

It is then executed by injecting superhero.exe into its own memory


superhero.exe

superhero.exe is the daemon of the mining module. The mining configuration is base64-encoded and saved to the file C:\ProgramData\jWSZEPNxKf\cfgi. The decoded configuration is as follows:

 superhero.exe

It checks whether the processes of Emsisoft anti-virus software are running. If not, it drops r.vbs into the C:\ProgramData\jWSZEPNxKf\ directory:

It then checks for the following anti-virus processes and executes r.vbs:

Detection of anti-virus processes and execution of r.vbs

The contents of r.vbs are as follows. It creates an Internet shortcut in the Startup directory so that superhero.exe starts automatically:

The contents of r.vbs

superhero.exe traverses the process list. Once the Task Manager process is found running, the mining process is terminated; otherwise, the mining process is created.

Superhero.exe will traverse the process
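The stop-on-Task-Manager behaviour described above is itself a detectable signal: a process that repeatedly exits seconds after taskmgr.exe starts and reappears seconds after taskmgr.exe exits is behaving like the SeroMiner daemon's miner. The following is an added example (not code from the article or from 360), run over a constructed list of process start/stop events; the event tuple format and the image name miner_worker.exe are assumptions for illustration.

```python
"""Flag processes whose lifetime is reactive to taskmgr.exe, the SeroMiner daemon pattern."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-tracking events: (timestamp, action, image name).
# Not real telemetry; miner_worker.exe stands in for the injected mining process.
SAMPLE_EVENTS = [
    ("2019-03-22 10:00:00", "start", "svchost.exe"),
    ("2019-03-22 10:00:05", "start", "superhero.exe"),
    ("2019-03-22 10:00:06", "start", "miner_worker.exe"),
    ("2019-03-22 10:05:00", "start", "taskmgr.exe"),       # user opens Task Manager
    ("2019-03-22 10:05:01", "stop", "miner_worker.exe"),   # miner killed by the daemon
    ("2019-03-22 10:05:02", "stop", "notepad.exe"),        # benign coincidence
    ("2019-03-22 10:06:00", "stop", "taskmgr.exe"),        # user closes Task Manager
    ("2019-03-22 10:06:02", "start", "miner_worker.exe"),  # miner relaunched
    ("2019-03-22 10:30:00", "start", "taskmgr.exe"),
    ("2019-03-22 10:30:01", "stop", "miner_worker.exe"),
    ("2019-03-22 10:31:00", "stop", "taskmgr.exe"),
    ("2019-03-22 10:31:01", "start", "miner_worker.exe"),
    ("2019-03-22 10:40:00", "start", "taskmgr.exe"),       # still open at end of log
]


def parse_events(rows):
    """Convert (text timestamp, action, image) rows into sortable tuples."""
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), action, image.lower())
            for t, action, image in rows]


def find_taskmgr_reactive(events, window_seconds=5, min_cycles=2):
    """Return image names that stopped right after taskmgr.exe started AND
    started right after taskmgr.exe stopped, each at least min_cycles times."""
    events = sorted(events)
    window = timedelta(seconds=window_seconds)
    killed = defaultdict(int)      # image -> stops shortly after taskmgr start
    relaunched = defaultdict(int)  # image -> starts shortly after taskmgr stop
    for i, (t, action, image) in enumerate(events):
        if image != "taskmgr.exe":
            continue
        # A taskmgr start should be followed by a stop, a taskmgr stop by a start.
        reaction = "stop" if action == "start" else "start"
        counter = killed if reaction == "stop" else relaunched
        for t2, action2, image2 in events[i + 1:]:
            if t2 - t > window:
                break
            if action2 == reaction and image2 != "taskmgr.exe":
                counter[image2] += 1
    return sorted(img for img in killed
                  if killed[img] >= min_cycles and relaunched[img] >= min_cycles)
```

A single coincidental exit (notepad.exe above) is not flagged, because the relaunch half of the pattern never occurs; a real alert should still be joined with the file and scheduled-task indicators listed on this page.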

Decrypt the PE image of the mining module and inject it into the process to execute:

Decrypt the PE image of the mining module and inject it into the process to execute

The decryption function is as follows:

The decryption function

The virus writer packed the miner with UPX to reduce the probability of it being killed by anti-virus software:

Suggestions

360 Total Security already detects and removes such Trojans. Infected users are recommended to install 360 Total Security anti-virus software and remove the Trojan:

360 total security

IOC

MD5

636f675c5c358af1dc0e9b5287e26e8c
