Trojan.BtcMine.815

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '' = '%APPDATA%\NsMiner\IMG001.exe'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '' = '%APPDATA%\NsMiner\IMG001.exe'

Creates or modifies the following files

%APPDATA%\microsoft\windows\start menu\programs\startup\run.lnk
%WINDIR%\tasks\uac.job
<SYSTEM32>\tasks\uac

Creates the following files on removable media

<Drive name for removable media>:\img001.exe

Malicious functions

Executes the following

'%WINDIR%\syswow64\taskkill.exe' /f /im tftp.exe

Modifies file system

Creates the following files

%TEMP%\info.zip
%TEMP%\tftp.exe
%APPDATA%\nsminer\img001.exe
%APPDATA%\nsminer\nscpucnminer32.exe
%APPDATA%\nsminer\nscpucnminer64.exe
%APPDATA%\nsminer\pools.txt
C:\img001.exe
D:\img001.exe

Deletes the following files

%WINDIR%\tasks\uac.job

Network activity

Connects to

'38.#6.174.3':21
'14#.#16.70.4':21
'15#.#09.109.4':21
'61.#5.102.4':21
'19#.#29.165.4':21
'19#.#60.122.4':21
'20#.#06.53.4':21
'10#.12.99.4':21
'46.##9.165.4':21
'16#.#13.112.4':21
'26.##1.106.4':21
'17#.38.24.4':21
'12#.#42.187.4':21
'54.##5.135.4':21
'28.##6.129.4':21
'49.##9.135.4':21
'1.##9.109.4':21
'84.##6.158.4':21
'45.#90.96.4':21
'45.#03.83.4':21
'19#.2.96.4':21
'46.##0.151.4':21
'87.#05.93.4':21
'13#.#94.254.4':21
'22#.27.87.4':21
'27.##7.176.4':21
'14#.28.73.4':21
'97.##0.181.4':21
'84.#00.99.4':21
'23#.#35.99.4':21
'23#.#83.135.4':21
'14#.9.132.4':21
'17#.#39.83.4':21
'20#.#77.158.4':21
'24#.#21.75.4':21
'11#.#44.191.4':21
'12#.42.67.4':21
'81.#73.5.4':21
'5.##1.217.4':21
'25#.68.83.4':21
'4.##6.93.4':21
'23#.#5.247.4':21
'13.#86.96.4':21
'99.#8.125.4':21
'23#.#32.184.4':21
'16#.#5.116.4':21
'23.##2.231.4':21
'0.##.33.4':21
'16#.#39.27.4':21
'10#.#83.53.4':21
'21#.12.76.4':21
'20#.#51.14.4':21
'46.#70.47.4':21
'16#.55.63.4':21
'96.##2.204.4':21
'37.##6.116.4':21
'57.#00.99.4':21
'12#.15.93.4':21
'12#.#34.165.4':21
'14#.#90.27.4':21
'0.#.80.4':21
'23#.#70.158.4':21
'42.#00.63.4':21
'96.#5.93.4':21
'66.##4.204.4':21
'10.#79.37.4':21
'16#.#57.125.4':21
'52.#4.50.4':21
'14#.#55.217.4':21
'17.##8.132.3':21
'60.#22.44.3':21
'22#.#9.151.3':21
'24#.#8.251.3':21
'14#.#5.210.3':21
'19#.45.21.3':21
'19#.#54.223.3':21
'10#.#93.80.3':21
'10#.#54.119.3':21
'39.#06.80.3':21
'16.##3.132.3':21
'13#.#19.119.3':21
'19#.#34.145.3':21
'10#.32.18.3':21
'23#.#49.60.3':21
'94.#70.8.3':21
'17#.40.96.3':21
'23#.#69.225.3':21
'17#.28.98.3':21
'13#.#7.213.3':21
'15#.#2.202.3':21
'11#.#02.210.3':21
'23#.#21.31.3':21
'19#.19.50.3':21
'22#.#8.204.3':21
'22#.#11.223.3':21
'16#.#60.40.3':21
'19#.#60.93.3':21
'20#.#45.89.3':21
'17.#2.174.3':21
'23#.92.99.3':21
'21#.#06.213.3':21
'85.#73.14.3':21
'13#.#47.151.4':21
'23#.#09.57.4':21
'13#.#90.44.4':21
'21.#42.86.4':21
'27.##7.138.4':21
'20#.#35.73.4':21
'23#.#13.132.4':21
'3.##.109.4':21
'10#.#08.181.4':21
'19#.6.5.4':21
'19#.#47.158.4':21
'19.#93.44.4':21
'92.#8.89.4':21
'69.##0.220.4':21
'21#.#22.86.4':21
'21#.#64.116.4':21
'93.#5.106.4':21
'21#.#9.145.3':21
'2.##0.178.4':21
'84.#54.86.4':21
'80.#5.50.4':21
'68.#1.178.4':21
'10#.#15.227.4':21
'42.#00.11.4':21
'16#.#00.165.4':21
'42.#13.86.4':21
'15#.#8.109.4':21
'14#.#06.191.4':21
'53.##2.102.4':21
'23#.#06.138.4':21
'21#.#80.99.4':21
'18#.#19.135.3':21
'15.#34.53.4':21
'68.##0.138.4':21

TCP

'14#.72.93.2':21
'14#.#39.174.3':21

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: ''

Creates and executes the following

'%TEMP%\tftp.exe'
'%APPDATA%\nsminer\img001.exe'
'%WINDIR%\syswow64\cmd.exe' /c taskkill /f /im tftp.exe & tskill tftp.exe' (with hidden window)
'%TEMP%\tftp.exe' ' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c "%APPDATA%\NsMiner\IMG001.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "%APPDATA%\NsMiner\IMG001.exe" /t REG_SZ' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "%APPDATA%\NsMiner\IMG001.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "%APPDATA%\NsMiner\IMG001.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca833...' (with hidden window)

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c taskkill /f /im tftp.exe & tskill tftp.exe
'%WINDIR%\syswow64\cmd.exe' /c "%APPDATA%\NsMiner\IMG001.exe"
'%WINDIR%\syswow64\cmd.exe' /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "%APPDATA%\NsMiner\IMG001.exe" /t REG_SZ
'%WINDIR%\syswow64\cmd.exe' /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "%APPDATA%\NsMiner\IMG001.exe"
'%WINDIR%\syswow64\cmd.exe' /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "%APPDATA%\NsMiner\IMG001.exe"
'%WINDIR%\syswow64\cmd.exe' /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca833...
'%WINDIR%\syswow64\schtasks.exe' /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "%APPDATA%\NsMiner\IMG001.exe"
'%WINDIR%\syswow64\powercfg.exe' /CHANGE -standby-timeout-ac 0
'%WINDIR%\syswow64\schtasks.exe' /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "%APPDATA%\NsMiner\IMG001.exe"
'%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "%APPDATA%\NsMiner\IMG001.exe" /t REG_SZ
'%WINDIR%\syswow64\powercfg.exe' /CHANGE -hibernate-timeout-ac 0
'%WINDIR%\syswow64\powercfg.exe' -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000