How Cyber Criminals Use Malware To Mine LiteCoins
Recently I came across a not-so-well-known downloader trojan. While analysing it, many interesting things were revealed. The downloader starts by enumerating a specific list of mutexes opened by all processes; if one of them is found, the process holding it is terminated.
This is followed by generating an Install ID and running the installer subroutine. The Install ID is generated from a call to the GetTickCount() API (milliseconds since boot), so it is neither random nor unique across machines.
It then connects to a list of C2 servers hardcoded in the binary itself; the list contains two or three servers. The request URI is formatted as: FOLDER/?user=[InstallID]&id=1&type=5&key=[generated key]
The key is generated from a sequence based on GetTickCount() * 1664525. Note that 1664525 is the multiplier of a well-known 32-bit linear congruential generator, so the key is predictable from the tick count rather than truly random, and since it is sent in the clear in the check-in URI, a network capture of the request is enough to recover it. This key is later used to decode the payload sent by the C2 server.
The C2 replies with an encoded binary buffer, which is decoded using the same key.
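The check-in and decode flow described above, as an added Python example; this is not the trojan's code nor the 010 Editor script, and it makes several assumptions the write-up does not confirm: that the key sequence is a 32-bit LCG with the multiplier 1664525 and the usual companion increment 1013904223, that the payload is XORed byte-wise against the high byte of each LCG state, and that the Install ID and key are sent as decimal in the query string. The folder name `/gate`, the tick value and the sample payload are constructed; replace the arithmetic with what the disassembly shows.

```python
# Added example, not the original post's code. ASSUMPTIONS (see lead-in):
# LCG x' = x*1664525 + 1013904223 mod 2^32, XOR with the high byte of each
# state, decimal InstallID/key in the query string.
from urllib.parse import urlparse, parse_qs

LCG_MULT = 1664525          # multiplier the write-up names
LCG_INC = 1013904223        # ASSUMPTION: companion increment of that LCG
MASK32 = 0xFFFFFFFF


def lcg_next(state: int) -> int:
    """One step of the assumed 32-bit linear congruential generator."""
    return (state * LCG_MULT + LCG_INC) & MASK32


def make_install_id(tick_count: int) -> int:
    """Install ID taken from GetTickCount(): ms since boot, so low-entropy."""
    return tick_count & MASK32


def make_key(tick_count: int) -> int:
    """Key as described: GetTickCount() * 1664525, truncated to 32 bits."""
    return (tick_count * LCG_MULT) & MASK32


def build_checkin_uri(folder: str, install_id: int, key: int) -> str:
    """Check-in URI in the format quoted in the write-up."""
    return f"{folder}/?user={install_id}&id=1&type=5&key={key}"


def key_from_uri(uri: str) -> int:
    """Recover the key from a captured check-in request; it travels in clear."""
    query = parse_qs(urlparse(uri).query)
    return int(query["key"][0])


def keystream(key: int, length: int) -> bytes:
    """Expand the 32-bit key into a byte stream by iterating the LCG."""
    state = key
    out = bytearray()
    for _ in range(length):
        state = lcg_next(state)
        out.append(state >> 24)  # high byte: the better-mixed part of an LCG
    return bytes(out)


def xor_codec(data: bytes, key: int) -> bytes:
    """XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, keystream(key, len(data))))


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check after decoding: a dropped Windows binary starts with 'MZ'."""
    return blob[:2] == b"MZ"


# Constructed sample standing in for the binary the C2 would return.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + b"\x00" * 16

if __name__ == "__main__":
    tick = 0x0003D7A9                      # constructed GetTickCount() value
    uri = build_checkin_uri("/gate", make_install_id(tick), make_key(tick))
    print("check-in:", uri)

    encoded = xor_codec(SAMPLE_PAYLOAD, make_key(tick))   # what the C2 would send
    decoded = xor_codec(encoded, key_from_uri(uri))       # what the analyst does
    print("decoded looks like PE:", looks_like_pe(decoded))
```

The useful property for the analyst is that nothing secret is needed: the key is parsed straight out of the captured request and the decoded buffer is checked for an MZ header to confirm the arithmetic was right.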
To decode the payload, we will use a very nice 010 Editor script...