Reverse engineer a malware which infected my PC. Dissected every part of it.
CONDITIONAL DOWNLOAD
LOCALAPPDATA
.gitignore
Readme.md
bcmuarchive15.zip
build.bat
powershell.txt
ppuarchive4.zip
schtask.txt
svchostc_task.xml
tmg.ps1
udp.bat


INFORMATION

The company registered behind the domain is Nice IT Services Group Inc.

REGISTRANT CONTACT
Organization: Nice IT Services Group Inc.
State: Dominica
Country: DM

Domain: 31b4bd31fg1x2.org
Registrar: Namesilo, LLC
Registration Date: 2018-06-29
Expiration Date: 2019-06-29
Updated Date: 2018-08-29
Status: clientTransferProhibited
Name Servers: ns1.dendrite.network, ns2.dendrite.network

WHOIS record:
Domain Name: 31B4BD31FG1X2.ORG
Registry Domain ID: D402200000006634079-LROR
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: www.namesilo.com
Updated Date: 2018-08-29T03:47:18Z
Creation Date: 2018-06-29T20:00:06Z
Registry Expiry Date: 2019-06-29T20:00:06Z
Registrar Registration Expiration Date:
Registrar: Namesilo, LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email: email@namesilo.com
Registrar Abuse Contact Phone: +1.4805240066
Reseller:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization: Nice IT Services Group Inc.
Registrant State/Province: Dominica
Registrant Country: DM
Name Server: NS1.DENDRITE.NETWORK
Name Server: NS2.DENDRITE.NETWORK
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/

INFORMATION

The site to which it was making requests: http://31b4bd31fg1x2.org/
https://wiki.theory.org/index.php/BitTorrentSpecification

MINER

https://github.com/fireice-uk/xmr-stak

SOLUTION

I am keeping the thread in case someone faces the same trouble.

Find svchostc.exe (not svchost.exe) in Task Manager and delete it from its original location. Also clean up the registry and delete the temporary files from %temp%. svchostc.exe executed the following bat files and downloaded the virus files into the temp folder, and the rest is history.
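A read-only hunting script for the indicators described above, added here as an example (it is not part of this repository). It reports processes, scheduled tasks and autostart keys that reference svchostc, plus dropped files in %TEMP%, and deletes nothing. The Run-key paths and the dropped-file names (taken from this repository's file list) are assumptions.

```powershell
# Added example, not part of the repository. Read-only: reports indicators, deletes nothing.
# Assumptions: the loader keeps the name svchostc.exe; the batch/ps1 names below come from
# this repository's file list; the "registry" step is checked in the usual Run keys.
$lookAlike = 'svchostc.exe'
$findings  = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# 1. Running processes named svchostc.exe (the legitimate svchost.exe has no trailing "c"
#    and lives in C:\Windows\System32).
Get-CimInstance Win32_Process -Filter "Name = '$lookAlike'" | ForEach-Object {
    Add-Finding 'Process' "PID $($_.ProcessId) -> $($_.ExecutablePath)"
}

# 2. Scheduled tasks whose action launches the look-alike (cf. svchostc_task.xml, schtask.txt).
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ("$($action.Execute) $($action.Arguments)" -match 'svchostc') {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) -> $($action.Execute)"
        }
    }
}

# 3. Autostart entries pointing at the look-alike (assumed locations for the registry step).
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -notlike 'PS*' -and "$($prop.Value)" -match 'svchostc') {
            Add-Finding 'RunKey' "$key\$($prop.Name) = $($prop.Value)"
        }
    }
}

# 4. Dropped files in %TEMP% with the names seen in this repository.
$dropped = @('udp.bat', 'build.bat', 'tmg.ps1', 'svchostc.exe')
Get-ChildItem -Path $env:TEMP -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $dropped -contains $_.Name } |
    ForEach-Object { Add-Finding 'TempFile' $_.FullName }

if ($findings.Count -eq 0) { 'No svchostc indicators found.' }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell so the HKLM key and all processes are readable; review each finding before removing anything.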

CRYPTO WALLET DETAILS

These are the crypto wallet details I found:

    "pool_list" : [
        {"pool_address" : "23.152.0.126:443", "wallet_address" : "x", "rig_id" : "", "pool_password" : "x", "use_nicehash" : false, "use_tls" : false, "tls_fingerprint" : "", "pool_weight" : 1 },
    ],
    "currency" : "bestalgo7",
