Jump to content
Search In
  • More options...
Find results that contain...
Find results in...
Petoovee

Cryptominer trojan investigaion - winlogui

Recommended Posts

Posted · Original PosterOP

Heyo, yesterday was a quite offline day for me, had a barbecue and all but somehow, it appears I contracted a cryptominer trojan.

 

Since my internet activity was almost non-existant yesterday this could prove to be an excellent opportunity to alert the right people and do some fun research of our own! I strictly reinstall the whole OS whenever I find one so it's not like I can wreck it more than what I already consider it is.

 

So, what does it do? It utilizes about 50% of the CPU, and does nothing on the GPU. It also disregards any user activity, however it ceases immediately whenever sysmon or task manager is started and seems to have a delayed startup after that. This makes it almost impossible for unsuspecting users to find root it out, however after noticing said pattern twice this morning it became quite clear without a doubt what was happening so playing some whack a mole with sysmon I managed to find it, winlogui.exe. Oddly enough, I could not run a windows defender scan to find the virus either, which send my noggin' joggin' and sparked some interest.

 

Investigation on the web confirmed it was a cryptominer and a malwarebytes scan shone further light on the subject.

 

Spoiler

image.png.1ea71f496e959d0cc4e13c19cb78a2a9.png

This explains why the defender was acting up. So then, when did I get this odd virus?

Spoiler

Screenshot_4.png.c5aae53032c68d81e4a9aabf40262518.png

Hmm, yesterday! Could it be one of the two files I downloaded?

Spoiler

image.png.f156c6803c2914a627da7b64f1b021d1.png

Possibly, but probably not. Could it had somehow broken through what we're told is impenetrable, our beloved web browser?

Spoiler

image.png.f32c8017cce9509c5ebb342d77172db2.png

Naaah, this browser history seems to innocent for that...

Wait! There's a backdoor in that malwarebyte report!

Spoiler

image.png.d0a411e35cfa7e7fdda22838fc869214.png

Ah, so maybe I've been helping DDoS kiddos from their fortnite games for a while and now they decided that my computer ought to mine some crypto while I'm at it?

Spoiler

image.png.c260e2c01f5d6177747016ac83de79ba.png

11.40... So the backdoor and the trojan are connected, but the backdoor didn't lead to the trojan. Well, now I'm running out of leads...

Scanning the devices connected to this LAN in the last 24 hours showed no related viruses either. Back to the browsing history I guess?

We can assume Alphabet and Steam keeps their servers in check and aren't malevolent enough to spread this plague yet

Spoiler

image.png.2d9711096c735622d7ceb5691307d652.png

Before I delve into those sites, let's have a look at who we're mining for...


Excuse my broken keyboard

Spoiler

CPU - Intel 3750k @ 5.2 GHz

GPU - Asus STRIX r9 285 2gb

SSD - Samsung 840 Pro 248gb

HDD - Some 6yr old WD 1TB,

                20k+ hours with failing sectors :)

                Cached with 60GBs from the SSD

Mobo - Asus Maximus IV

RAM - 2x4gig + 2x2gig DDR3 Corsair XMS3 1600MHz

PSU - Corsair RM1000x

 

Link to post
Share on other sites
Posted · Original PosterOP

As soon as I started WireShark the trojan dissapeared. I can't seem to start up the miner manually either. This might be the end of this short lived experiment.

 

Revisiting above sites gave me no new copy of the files. However this here showed me that the winlogui was not in fact the malicious code, but just a piece of the puzzle, possibly some abused microsoft code.

Spoiler

image.png.3cc9202b2f644dba8efcdc149cc662a2.png

Marked .dll file no longer exists.

 

UPDATE: Neither Recuva nor EaseUS Data Recovery could find a trace of the .dll file, so whatever removed it, did so well. I'll be reinstalling the system now. I'll need it tomorrow. Three lessons can be learned here. First, while Windows Defender totally and irreparably disintegrated without notice, both Eset and Malwarebytes reacted to the virus. Secondly, do periodicly keep an eye on your computers activity. A modern computer does not spend half of it's capacity on browsing with one tab. And lastly, you need not download to catch a trojan, and you don't even have to visit shady sites. Even normal sites can inadvertently share malware.


Excuse my broken keyboard

Spoiler

CPU - Intel 3750k @ 5.2 GHz

GPU - Asus STRIX r9 285 2gb

SSD - Samsung 840 Pro 248gb

HDD - Some 6yr old WD 1TB,

                20k+ hours with failing sectors :)

                Cached with 60GBs from the SSD

Mobo - Asus Maximus IV

RAM - 2x4gig + 2x2gig DDR3 Corsair XMS3 1600MHz

PSU - Corsair RM1000x

 

Link to post
Share on other sites

Why do you made that complex investigation if you install your system again anyway? Point of investigation should be find and removing virus. Now it's like tutorial "how to fix broken sink" when right after fix you destroy your house and build new one.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


×