{"id":20683,"date":"2024-06-13T15:51:29","date_gmt":"2024-06-13T15:51:29","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=20683"},"modified":"2024-06-13T21:39:36","modified_gmt":"2024-06-13T21:39:36","slug":"hellminer-exe-malware-analysis","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/hellminer-exe-malware-analysis\/","title":{"rendered":"Hellminer.exe Coin Miner"},"content":{"rendered":"

Hellminer.exe is a process you can see in the Task Manager that indicates a malicious software activity<\/strong>. It stands out by the high CPU load it creates, making the system much less responsive. Let\u2019s figure out what this process is, and how to get rid of it.<\/p>\n

<\/p>\n

Hellminer malware has a potential to attack a wide range of devices<\/strong>, from IoT to server clusters. The final target of its activity is bringing profit to its masters with the use of your hardware. Ignoring the activity of this malicious program may lead to premature hardware failure and overall performance deterioration<\/strong>.<\/p>\n

Modern malware samples often come in packs<\/strong>, meaning that one thing may signify the presence of several others. Do not hesitate with removal: scan your device with GridinSoft Anti-Malware and remove all the threats in one click. \ud83d\udc49\ud83c\udffc Get your system cleaned up<\/a>.<\/div><\/div>\n

What is the Hellminer.exe process?<\/h2>\n

This is a process associated with a malicious coin miner<\/strong>. Such malware aims at exploiting the system\u2019s hardware to mine cryptocurrencies, mainly DarkCoin and Monero. To maximize profits, hackers who stand behind this malware establish huge networks of infected computers. Hellminer takes up to 80% of CPU power in order to get substantial mining performance, making the system sluggish and uncomfortable to use.<\/p>\n

\"Hellminer
Hellminer.exe process in Task Manager<\/figcaption><\/figure>\n

Malicious miners like this one typically get into the user systems through malvertising on the Web, or with the use of dropper malware<\/a>. Both spreading ways though are commonly used by other malware<\/strong>, which means the risk that Hellminer is not the only infection running in the system.<\/p>\n

This malware appears to be different from other miners, as it is not based on XMRig<\/a>, a popular open-source mining software. Instead, it appears to be written in Python, and is likely a private development. Let\u2019s check out other interesting stuff<\/strong> I\u2019ve found during the analysis.<\/p>\n

Hellminer Malware Analysis<\/h2>\n

It is not completely clear how Hellminer gets into the system; I suspect it is not much different from how malware miners typically spread \u2013 via dropper malware and malvertising. After the launch, the malware begins with a selection of anti-VM and anti-debug checks<\/a>.<\/p>\n

\"Hellminer<\/p>\n

Using the calls to WMI, it gets the info about the CPU, trying to find any signs of virtualization. Why I don\u2019t think it is just an immediate info gathering is because the very next step is listing the services and processes<\/strong>. Hellminer specifically seeks for traces of the VMWare virtualization environment. After these checks, the main payload is unfolded. Though, malware may as well use the info collected at this stage, to configure the mining process or as a part of the system fingerprint<\/strong>.<\/p>\n

wmic cpu get Name,CurrentClockSpeed,L2CacheSize,L3CacheSize,Description,Caption,Manufacturer \/format:list<\/code><\/p>\n

Fingerprinting starts with another call to WMIC, wmic os get Version<\/em><\/strong>. Malware attempts to receive quite a basic, if not scarce, set of data \u2013 just the info about the operating system. After that, malware gains persistence through the manipulation with another command and series of changes in Windows registry<\/strong>.<\/p>\n

%windir%\\System32\\svchost.exe -k WerSvcGroup<\/code> \u2013 starting Windows error reporting service to make it run the malware. This increases the level of privileges the malicious program has, also providing it with a disguise.<\/p>\n

HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION<\/p>\n

HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security<\/code> – changing network security policies.<\/p>\n

The final round of persistence<\/strong> involves another call to WMI, specifically to its Adaptation Service. Hellminer forces it to recursively launch the payload, ensuring continuous execution. This specific command is also a part of resource allocation for the mining process.<\/p>\n

wmiadap.exe \/F \/T \/R<\/code><\/p>\n

Command Server Connectivity<\/h3>\n

Same as other malware miners, Hellminer does not have any extensive C2 communication<\/strong>. After finishing the steps from the above, it sends the blob of system information to the command server, effectively notifying it about the readiness. C2 returns the configuration file, which specifies the mining pool and the IP address<\/a> to connect to.<\/p>\n

Still, there is a thing that catches an eye \u2013 the form of command servers used by this malware<\/strong>. They do not look like C2 of a classic model, instead being a peer-to-peer one<\/strong>. In such a network, the role of a command server is given to one of the infected computers. \u201cReal\u201d server sporadically communicates with one, retrieving the information about the new devices and assigning the next system to get the C2 role. This drastically increases the sustainability of the network, making it particularly hard to disrupt through the command server disruption<\/a>.<\/p>\n

During the analysis, I\u2019ve detected these command servers:<\/p>\n