Ahmed Sonbol

Monero miners: A NetWitness perspective

Blog Post created by Ahmed Sonbol Employee on Sep 14, 2017

In our introductory post to Cryptocurrency, we mentioned that one of the threats to organizations these days is malware distributing cryptocurrency mining software. In this blog post we will discuss the host and network behavior of two malware samples used to drop or download Monero mining software. According to its website, Monero is an open source, secure, private and untraceable cryptocurrency. At the time of this writing, one monero is valued a little above $98 [1].


Before we delve into the topic of this threat advisory, it is worth mentioning that mining software itself is not malicious. Guaranteed it has a major impact on system resources but that's the "price" you pay for running such software. However, if you have no idea it is running on your system then it is a different story. An attacker infecting systems left and right to enroll them in a botnet to mine coins and enrich his wallet, that's certainly malicious.


First, let's take a look at a Smoke Loader variant. Smoke Loader first appeared on the black market in 2011. It is used to download malware to an infected system [2]. Upon infecting a system, the following network events take place.



Initially was a POST request to 21072206[.]ru



In response to that request, the server is sending a 404 Error. However, it is not you average 404 page. Session reconstruction shows an obfuscated payload. It was quickly followed by another POST request to download an executable.




Here is the populated meta under Service Analysis and File Analysis for those HTTP sessions in NetWitness Packets:



According to VirusTotal analysis results, the binary is a coin miner. Embedded strings suggest that it is an XMRig variant. XMRig is a high performance Monero CPU miner.



When the miner runs, it starts communicating with a pooled mining server at



Pooled mining allows machines with limited resources to join others in contributing to generate a block. The reward for the block generation is then split among the clients based on their processing power contribution [3]. The clients communicate with the server using a protocol called Stratum [4]. It is basically JSON-RPC over TCP as shown in the screenshot above. After authenticating to the server, the client waits for new mining jobs.


Next, let's take a look at an XMRig dropper. When it infects a system, the process (sample.exe in this case) starts the following chain of events on the host:



  • It drops an executable lasse.exe in C:\Windows\System32 (SHA256: 8acdb1fae3a564d1e1145e37e1933dea18bd9722f0889b4bf00a2bbb441a9a25)
  • It uses sc.exe and net.exe to start a new service using the dropped file above
  • It modifies the registry in order for lasse.exe to gain persistency on the system
  • lasse.exe drops another executable kernel.exe in C:\Windows\Temp and starts it in the background passing the username and password to connect to the pooled mining server.


kernel.exe (sha256: 9e5b3da1e5ece578ff99525d1ea565df458cdd62b305404336303ca8ca97f562) is another XMRig variant. You can find its VirusTotal analysis results here


The following screenshots from NetWitness Endpoint give us even more information:







Here is another look at the process tree:



XMRig comes with a help switch making it easier to understand the command line arguments:




Smoke Loader (SHA256):

  • 9770669d4b864a167dd0a4b684126d6b077889b8cb903dd969b5c5929e565584


XMRig dropper (SHA256):

  • da21bef9cb9721e632b7deebfdf6190169be7fe2fa7fd574f741dc3272a594e9


XMRig miners (SHA256):

  • 954e8e88740fd3e659fd4ad0502982dd173db2d90cfca0718bfc739bf886d51c
  • 9e5b3da1e5ece578ff99525d1ea565df458cdd62b305404336303ca8ca97f562



  1. https://www.worldcoinindex.com/coin/monero 
  2. https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/ 
  3. https://en.bitcoin.it/wiki/Pooled_mining 
  4. https://en.bitcoin.it/wiki/Stratum_mining_protocol