Threat Hunting with OSINT: Uncovering a Crypto-Mining Botnet
Preamble: Safety first
Before I begin walking through this I want to remind everyone to put safety first. I am working with live malware here, so it's important to ensure you are using protection. I will be using multiple different VMs hosted on a Linux bare-metal machine, separated on their own VLAN and accessed through noVNC. I'm also using a VPN to hide my traffic to and from the C2 server later.
If you've read some of my other posts or looked at my comments on Reddit you'd know I'm not a big fan of commercial VPN services. I feel like the VPN companies try to sell you a service to protect you during public browsing (something you don't generally need). VPNs are useful for research purposes like this because they keep me from revealing myself to the C2 server.
The post that started it all
I periodically browse Reddit hacking subs trying to stay apprised of new hacking techniques and malware. During my browsing I stumbled across this post on r/hacking_tutorials.
The post is a bit odd and raises some questions, mainly: how did the user set up remote access in such a way that someone else got in? If I had to guess I'd say they probably opened RDP up to the internet and someone brute-forced their way in. At the end of the day it doesn't actually matter for this. What did matter is that the user saw the command in the Windows Run dialog AND they posted the full command. I was bored, so I decided to take a look.
Grabbing the file
When I saw this post it was 4AM EST and I wasn't planning on doing analysis immediately, so I grabbed the link out of the post and sent it to the Wayback Machine so I could retrieve it later.
Periodically throughout this, I'll pause to explain some of my thoughts behind things I'm doing. This is one of those times. If you don't want to read my thoughts then go ahead and skip these sections.
Why the Wayback Machine?
Malware campaigns typically don't stay alive very long, usually only a few hours at most. I figured that if I had waited until I had access to my lab the campaign would be dead. By archiving it I could make sure I was able to grab a copy for analysis later.
Although not one of my original intentions, archiving to the Wayback Machine also provided the added benefit of not revealing who I am. Since the Wayback Machine would be the one actually initiating contact with the staging server, it wouldn't see my IP.
Back to the file:
I fired up my Ubuntu VM and downloaded the file off the Wayback Machine.
A simple file command shows the file is a 32-bit PE.
Next up I took the MD5 of the file to check against VirusTotal.
VirusTotal came back with information that this file is obviously malicious:
Next I wanted to see the behavior of the file. Thankfully VirusTotal has some great outputs.
The network section provides the outbound calls of the malware. It calls out to wipmania.com, an IP address, and feedmefile[.]top.
The first call out is to wipmania.com. WIPmania is a now-closed project for geolocating IP addresses.
After that connection the malware makes several connections back to the IP address, followed by /vnc/ and then a number 1-5.
These connections happen about every 30 seconds, each attempting to download one of the numbered files. When I checked through these files I was able to download files 1 and 2, but files 3-5 were no longer there.
Both files are listed as data files with a header of NGS! (a file type I was not able to identify).
The two files also have different MD5 hashes.
I checked these files in VirusTotal by MD5 before I uploaded them directly and got nothing. I don't actually know what these files do. I ran strings across them but got nothing of importance. My assessment is that vget needs to download all 5 files and reassemble them in some way to get the second-stage payload.
After attempting the IP address and failing, the vget dropper attempts to use a URL to download the files. It's already listed in the VirusTotal output, but here's the PCAP.
The vget dropper attempts to access feedmefile[.]top/vnc/# to download the files. We're at a dead end here: without files 3-5 I don't know how to reassemble this. So for now let's move on.
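The chunked download pattern described above (numbered /vnc/N requests at a fixed ~30 second interval) is easy to pick out of proxy or NetFlow-derived logs. Here is an added detection example of my own, not code from the original post; the log format and the sample lines are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not from the real capture):
# "<ISO timestamp> <client-ip> <host> <path>"
SAMPLE_LOG = """\
2020-06-01T04:00:00 10.0.0.5 api.wipmania.com /
2020-06-01T04:00:02 10.0.0.5 feedmefile.top /vnc/1
2020-06-01T04:00:32 10.0.0.5 feedmefile.top /vnc/2
2020-06-01T04:01:02 10.0.0.5 feedmefile.top /vnc/3
2020-06-01T04:01:32 10.0.0.5 feedmefile.top /vnc/4
2020-06-01T04:02:02 10.0.0.5 feedmefile.top /vnc/5
2020-06-01T04:02:10 10.0.0.7 example.org /index.html
2020-06-01T04:02:12 10.0.0.7 example.org /vnc/1
"""

CHUNK_RE = re.compile(r"^/vnc/(\d+)$")

def parse_log(text):
    """Parse the constructed log format into (timestamp, client, host, path)."""
    rows = []
    for line in text.splitlines():
        ts, client, host, path = line.split()
        rows.append((datetime.fromisoformat(ts), client, host, path))
    return rows

def find_chunk_downloads(text, min_chunks=3, period=30, tolerance=5):
    """Return (client, host, chunk_numbers) for every client that fetched
    consecutive numbered /vnc/N chunks from one host at a roughly fixed
    interval of `period` seconds (+/- `tolerance`)."""
    seqs = defaultdict(list)
    for ts, client, host, path in parse_log(text):
        m = CHUNK_RE.match(path)
        if m:
            seqs[(client, host)].append((ts, int(m.group(1))))
    hits = []
    for (client, host), events in seqs.items():
        events.sort()
        if len(events) < min_chunks:   # a single stray /vnc/1 is not enough
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        periodic = all(abs(g - period) <= tolerance for g in gaps)
        numbers = [n for _, n in events]
        consecutive = numbers == list(range(numbers[0], numbers[0] + len(numbers)))
        if periodic and consecutive:
            hits.append((client, host, numbers))
    return hits
```

The wipmania.com request immediately before the first chunk is a useful extra condition to add once you have the DNS or proxy data joined, since the post notes the dropper does not proceed without it.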
One thing I noticed when doing this a few times is that the initial call to api.wipmania.com might be an anti-forensic technique. If that call is blocked the malware doesn't run the next steps. This is a common anti-forensic technique to defeat dynamic analysis in a disconnected sandbox. My initial assumption was that the malware creator was probably using this API call to get a list of who has downloaded the malware, and that may be true as well.
Going back through the behavior given to us by VirusTotal we can switch our sandbox engine from CuckooFork to Jujubox. Each one of the engines provides different outputs and there's some good information from all of them.
One common technique malware uses to maintain persistence is the Registry Run keys (T1547.001). Because of this, one of the main things I'll look for is something being written to HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce, as well as their HKLM variants.
Sure enough there in the list of Registry edits are both the startup keys.
vget.exe renames itself to wininet.exe on the system.
The random number files are an attempt at evading defenses by breaking the payload up and then reassembling it on the host. However, the vget dropper also attempts to disable antivirus (T1562.001).
During execution vget creates a file in the tmp directory. The number used as its name seems to be random.
Pivoting in VirusTotal with that file's SHA256 we can find additional information.
This file seems to do some interesting stuff. So let's dive into it.
Opening up the Microsoft Sysinternals Sysmon engine in VirusTotal shows us what command lines this malware runs.
First it attempts to delete backup files.
Then it disables Volume Shadow Copies, disables BitLocker, and empties the Recycle Bin.
This file in particular does not seem to make any network connections. It only runs a few dozen command lines and then stops.
Discovering more about the domain
At this point I was a bit surprised that both the dropper (vget) and the second stage (files 1-5) were hosted at the same location, so I wanted to dig into this a bit more. I went to Shodan to see what ports were open on the machine.
Shodan was mostly not interesting, but I learned this machine was listening on port 7777, which is odd. Port 7777 has nothing specific associated with it, so I needed to look at the domain differently. Next I went over to DNSDumpster to try and pull any other domains hosted there.
This was also mostly boring, but DNSDumpster has another feature: it can list the currently registered domains sharing that IP.
VirusTotal also shows domains associated with an IP, but it does not differentiate between historic and current, while DNSDumpster shows current.
What really interested me about this domain was the amount of malware associated with it. Checking through VirusTotal again we can see how many different pieces of malware call out to it.
This is only the first part of the list. The ellipsis at the bottom means that the list keeps going. I got interested in trying to figure out what was actually happening at this IP, so I needed one of these files. Rather than randomly trying different file names and hoping I got one, I wanted to enumerate the domain and find out what malware it's hosting.
The first thing I did was fire up my VPN and simply browse to the page.
Not surprising that the C2 server is hosting a completely unconfigured Apache2 page. That wasn't going to give me anything, so I needed to use some better tools.
I downloaded xmr.exe and went to work analyzing it. Into VirusTotal the file goes and surprise surprise the file is bad.
Checking over the behavior of the file we can see it connects to vitamind[.]top, which we already discovered, and that it sends information back over port 7777 to our bad IP. AHHH, now we know what that port is for.
We can also see that this file writes a program to the Startup directory (not the registry key as we saw earlier).
We know this is obviously bad and VirusTotal has told us that it's a miner, but let's dive more into what it actually does.
Running the file causes it to spawn multiple instances of itself and eat up the system CPU/GPU, which is characteristic of what coin miners would do.
But one interesting thing is that it spawns a wscript process. VirusTotal tells me that it operates out of the C:\ProgramData directory, so let's take a look at what's there.
winmanager.exe is the same file as xmr.exe, but the two cfg files are interesting. Cfg is usually shorthand for configuration, so let's try opening them.
The == at the end is a dead giveaway that this is a base64-encoded file, as base64 pads its output with one or two = characters so that the length is a multiple of four. Notepad++ is able to decode base64.
It decodes to some form of configuration file, but more interesting is at the bottom.
This configuration file specifically calls out that it's mining Monero and that its URL is vitamind[.]top:7777.
Unfortunately for us, Monero is private by default and does not allow the general public to view the balance of the wallet.
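Scripting the cfg step from above (spot the base64 padding, decode, then pull the pool host:port and coin name out of the result) makes it repeatable across the other samples tied to this IP. This is an added example of my own, not the post's or the miner's code; the plaintext config it encodes is constructed and only borrows the vitamind[.]top:7777 value from the analysis.

```python
import base64
import binascii
import re

# Constructed stand-in for the dropped .cfg contents (not the real sample's config).
# It is base64-encoded here so the example runs offline; the padded form shows the
# trailing "==" the post describes, and the stripped form shows decoding still
# works when a copied file lost its padding.
_PLAINTEXT = b"coin=monero\nurl=vitamind[.]top:7777\nwallet=PLACEHOLDER\n"
PADDED_CFG_B64 = base64.b64encode(_PLAINTEXT).decode()
SAMPLE_CFG_B64 = PADDED_CFG_B64.rstrip("=")

B64_RE = re.compile(r"^[A-Za-z0-9+/]+=*$")
HOSTPORT_RE = re.compile(r"([A-Za-z0-9.\[\]-]+):(\d{2,5})")
COIN_WORDS = ("monero", "xmr")

def padding_count(text):
    """Number of trailing '=' characters: 1 or 2 means standard base64 padding."""
    body = text.strip()
    return len(body) - len(body.rstrip("="))

def looks_like_base64(text):
    body = "".join(text.split())
    return len(body) >= 16 and bool(B64_RE.match(body))

def decode_base64(text):
    """Decode base64, restoring any missing '=' padding; None if not valid base64."""
    body = "".join(text.split())
    body += "=" * (-len(body) % 4)
    try:
        return base64.b64decode(body, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def extract_miner_indicators(cfg_b64):
    """Return pool host:port pairs and coin keywords found in a decoded cfg,
    or None when the input does not decode as base64."""
    decoded = decode_base64(cfg_b64) if looks_like_base64(cfg_b64) else None
    if decoded is None:
        return None
    low = decoded.lower()
    return {
        "pools": sorted(set(HOSTPORT_RE.findall(decoded))),
        "coin_terms": [w for w in COIN_WORDS if w in low],
    }
```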
Here's a snapshot of the VM CPU usage during the time when the miner was working.
The web server went down some time this morning after I started writing this, and right now only the main page seems to be responding. I tried to wget all of the files off the website, but all I get now is a connection timeout.
At some point I do plan to look at the actual executables in Ghidra but right now I barely had the time to write all of this. I took a quick look at the vget.exe file in Ghidra and discovered an unused domain. www[.]w4tw4tw4tw4t4[.]jo
At the moment I'm not sure what this domain is for. The malware never attempts to call out to it, and the domain is not registered, and no DNS is assigned. This is particularly interesting because of what .jo domains are. Registering a .jo requires someone to own a brand in the country of Jordan and then register the domain with the Ministry of Trade through the law office (ref: https://dns.jo/regpolicy.aspx).
It seems very odd that someone would hardcode a domain that's so difficult to register into the malware. So far I haven't found a way to call this domain or figured out what information would be passed to
This was a fun little look at a botnet distributing crypto miners to harvest Monero. The more I dig into it the more malware I find for mining Monero that all links back to our starting IP.
I'm not going to dig into this any further as it's probably endless, but this is a large campaign that's clearly been going on for a long, long while.
I hadn't expected this to lead me down the rabbit hole as much as it did but that's ok. It was fun.
Hopefully, this was useful to someone out there.
Thanks for the read.