
Cryptominer trojan investigation - winlogui

Heyo, yesterday was a quite offline day for me, had a barbecue and all, but somehow it appears I contracted a cryptominer trojan.

Since my internet activity was almost non-existent yesterday, this could prove to be an excellent opportunity to alert the right people and do some fun research of our own! I strictly reinstall the whole OS whenever I find one, so it's not like I can wreck it more than what I already consider it is.

 

So, what does it do? It utilizes about 50% of the CPU, and does nothing on the GPU. It also disregards any user activity; however, it ceases immediately whenever sysmon or Task Manager is started and seems to have a delayed startup after that. This makes it almost impossible for unsuspecting users to find and root it out. However, after noticing said pattern twice this morning it became quite clear without a doubt what was happening, so playing some whack-a-mole with sysmon I managed to find it: winlogui.exe. Oddly enough, I could not run a Windows Defender scan to find the virus either, which sent my noggin' joggin' and sparked some interest.

Investigation on the web confirmed it was a cryptominer, and a Malwarebytes scan shone further light on the subject.

[Spoiler: image]

This explains why the defender was acting up. So then, when did I get this odd virus?

[Spoiler: screenshot]

Hmm, yesterday! Could it be one of the two files I downloaded?

[Spoiler: image]

Possibly, but probably not. Could it have somehow broken through what we're told is impenetrable, our beloved web browser?

[Spoiler: image]

Naaah, this browser history seems too innocent for that...

Wait! There's a backdoor in that Malwarebytes report!

[Spoiler: image]

Ah, so maybe I've been helping DDoS kiddos from their Fortnite games for a while and now they decided that my computer ought to mine some crypto while I'm at it?

[Spoiler: image]

11.40... So the backdoor and the trojan are connected, but the backdoor didn't lead to the trojan. Well, now I'm running out of leads...

Scanning the devices connected to this LAN in the last 24 hours showed no related viruses either. Back to the browsing history I guess?

We can assume Alphabet and Steam keep their servers in check and aren't malevolent enough to spread this plague yet.

[Spoiler: image]

Before I delve into those sites, let's have a look at who we're mining for...

Excuse my broken keyboard

Spoiler

CPU - Ryzen 7 2700x

GPU - RX Vega 64

SSD - Samsung 970 M.2 500GB

HDD - WD Black 4TB

Mobo - Asus ROG Strix X470-F Gaming

RAM - 32GB Corsair Vengeance DDR4

PSU - Corsair RM1000x


As soon as I started Wireshark the trojan disappeared. I can't seem to start up the miner manually either. This might be the end of this short-lived experiment.

Revisiting the above sites gave me no new copy of the files. However, this here showed me that winlogui was not in fact the malicious code, but just a piece of the puzzle, possibly some abused Microsoft code.

[Spoiler: image]

The marked .dll file no longer exists.

UPDATE: Neither Recuva nor EaseUS Data Recovery could find a trace of the .dll file, so whatever removed it did so well. I'll be reinstalling the system now; I'll need it tomorrow. Three lessons can be learned here. First, while Windows Defender totally and irreparably disintegrated without notice, both ESET and Malwarebytes reacted to the virus. Secondly, do periodically keep an eye on your computer's activity. A modern computer does not spend half of its capacity on browsing with one tab. And lastly, you need not download anything to catch a trojan, and you don't even have to visit shady sites. Even normal sites can inadvertently share malware.

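The pattern described in the two posts above (a process that holds the CPU around 50%, exits within seconds of Task Manager, sysmon or Wireshark opening, and comes back after a delay) can be turned into a simple detection heuristic over process telemetry. The script below is an added example, not code from this thread or from any of the tools mentioned. The event format, the list of monitoring tools, the thresholds and the telemetry itself are all assumptions constructed for the demo; nothing here was captured from the poster's machine.

```python
"""Heuristic for an 'evasive' CPU hog: sustained heavy CPU use, plus exits that
cluster right after a monitoring tool starts, plus restarts once the tool closes.
Event shape and thresholds are assumptions for this example."""
from dataclasses import dataclass
from typing import Dict, List

# Assumed list of tools whose appearance a miner might watch for.
MONITOR_TOOLS = {"taskmgr.exe", "procmon.exe", "procexp.exe", "wireshark.exe"}
CPU_THRESHOLD = 40.0    # percent of total CPU that counts as "heavy"
MIN_HEAVY_SAMPLES = 3   # heavy samples needed before we call the load sustained
EVASION_WINDOW = 5      # seconds from a monitor tool starting to the suspect exiting


@dataclass(frozen=True)
class Event:
    t: int            # seconds since capture start
    kind: str         # "start", "stop" or "cpu"
    name: str         # image name, lower-case
    cpu: float = 0.0  # percent of total CPU (only meaningful for "cpu" samples)


# Constructed telemetry for the demo (not captured from the poster's machine).
SAMPLE_EVENTS: List[Event] = [
    Event(0, "start", "winlogui.exe"),
    Event(0, "start", "chrome.exe"),
    Event(0, "start", "ffmpeg.exe"),       # legitimate heavy process, ignores monitor tools
    Event(5, "cpu", "winlogui.exe", 49.0),
    Event(5, "cpu", "chrome.exe", 6.0),
    Event(5, "cpu", "ffmpeg.exe", 95.0),
    Event(10, "cpu", "winlogui.exe", 51.0),
    Event(10, "cpu", "ffmpeg.exe", 96.0),
    Event(15, "cpu", "winlogui.exe", 50.0),
    Event(15, "cpu", "ffmpeg.exe", 94.0),
    Event(20, "start", "taskmgr.exe"),     # user opens Task Manager
    Event(21, "stop", "winlogui.exe"),     # suspect exits one second later
    Event(60, "stop", "taskmgr.exe"),
    Event(180, "start", "winlogui.exe"),   # delayed restart once the tool is gone
    Event(185, "cpu", "winlogui.exe", 48.0),
    Event(190, "cpu", "winlogui.exe", 50.0),
    Event(195, "cpu", "winlogui.exe", 49.0),
    Event(200, "start", "wireshark.exe"),  # user opens Wireshark
    Event(202, "stop", "winlogui.exe"),
    Event(300, "stop", "ffmpeg.exe"),      # normal exit, no monitor tool nearby
]


def sustained_cpu(events: List[Event], name: str) -> bool:
    """True when `name` has at least MIN_HEAVY_SAMPLES samples above CPU_THRESHOLD."""
    heavy = [e for e in events if e.kind == "cpu" and e.name == name and e.cpu >= CPU_THRESHOLD]
    return len(heavy) >= MIN_HEAVY_SAMPLES


def evasive_exits(events: List[Event], name: str) -> int:
    """Count exits of `name` that land within EVASION_WINDOW seconds after a monitor tool starts."""
    monitor_starts = [e.t for e in events if e.kind == "start" and e.name in MONITOR_TOOLS]
    exits = [e.t for e in events if e.kind == "stop" and e.name == name]
    return sum(1 for x in exits if any(0 <= x - m <= EVASION_WINDOW for m in monitor_starts))


def restarts_after_monitor(events: List[Event], name: str) -> int:
    """Count starts of `name` that come after some monitor tool has closed (the 'delayed startup')."""
    monitor_stops = [e.t for e in events if e.kind == "stop" and e.name in MONITOR_TOOLS]
    starts = [e.t for e in events if e.kind == "start" and e.name == name]
    return sum(1 for s in starts if any(s > m for m in monitor_stops))


def flag_evasive_miners(events: List[Event]) -> Dict[str, Dict[str, object]]:
    """Return, per flagged image name, the evidence that tripped the heuristic.

    A name is flagged only when it both burns CPU steadily AND exits at least once
    right after a monitoring tool appears; a plain heavy process (ffmpeg here) is not."""
    names = {e.name for e in events} - MONITOR_TOOLS
    report = {}
    for n in sorted(names):
        evidence = {
            "sustained_cpu": sustained_cpu(events, n),
            "evasive_exits": evasive_exits(events, n),
            "restarts_after_monitor": restarts_after_monitor(events, n),
        }
        if evidence["sustained_cpu"] and evidence["evasive_exits"] >= 1:
            report[n] = evidence
    return report


if __name__ == "__main__":
    for name, evidence in flag_evasive_miners(SAMPLE_EVENTS).items():
        print(f"{name}: {evidence}")
```

On a real Windows host the "start" and "stop" events would come from Sysmon event IDs 1 (process create) and 5 (process terminate), and the CPU samples from periodic performance-counter reads; the point of the heuristic is that steady load alone is not suspicious (video encoding looks the same), but load that vanishes the moment a monitoring tool appears is.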

Why did you make that complex investigation if you're reinstalling your system anyway? The point of an investigation should be finding and removing the virus. Now it's like a tutorial on "how to fix a broken sink" where, right after the fix, you destroy your house and build a new one.
