Malware Analysis of a Cryptocurrency Miner — Part 5

Malware Analysis of a Cryptocurrency Miner — Part 5

November 29, 2023


In this write-up, I want to bypass some checks our binary does. I’ll be using x32dbg…..Well…let’s just dive straight in.

Debugging a bitcoin miner

From the previous analysis, we know we need to concentrate on bypassing the following 2 conditions:

So let’s load the binary into x32dbg and set 2 breaks points, one at each condition:


but I will skip the first condition by filling the condition with NOPs:

This way, we can bypass the size check.
Just before the call to “strstr”, we can see that “haystack” and “needle” being passed in, which is something I covered in the last writeup.

As I tried to continue to see what will happen (before changing the passed arguments), I recevied an “expection_access_violation” —

After a bit of researching and going through each instruction step by step, I found that the instruction causing the issue:

test ecx,3 — and the problem was that ecx held no value which looks to have caused the violation. This will be due to the Malware getting a HTTP response it’s not expecting.
I had put in a value that I saw it used in a previous test: sjlj_once and then I was able to get past it, but I had hit “run” and then got the following error :

From here we see the name: “NsCpuCNMiner32.exe. Now if you Google the exe you will find a lot of information about this miner.
Now, thankfully I had Wireshark running which shows:

From the research I did on this Malware, I can tell that it’s trying to find an open FTP port (21) across the internet and if it can log in, it will copy itself to that machine! This could explain all the username and password strings we saw in our static analysis. (This shows the importance of running Malware within a secure network!)


So, it was not too hard to find the location of the call being made. By checking the strings tab in IDA and finding it in the .data section, we can do a XREF (cross-reference) to find where it’s used:

and it takes us to:

The “sub_40DAE0” function takes 3 parameters, just before it we see 3 push instructions. ESI holds the stafftest. ru string and then we see previously a declared pointer variables being set. Note I won’t be delving into the subroutines you see because that will be time-consuming.

Further down, we can see InternetOpenA being called and on success:

Thanks to IDA, we can see the following string “http://%s/test.html?%d and from our dynamic analysis, we know that it will replace %s with a new host and %d will keep incrementing IF a certain condtion is not met. In the above screenshot we can the intrusction “rep movsd”, so taking all this into considartion, we know we are in a do-while loop.

But what is the condition to get past the loop we couldn’t in our dynamic anaylysis:

It does a “cmp ebp+dwNumberOfBytesRead, 800h (2048)”, if the defined “numberofbytesread” is below fo equal then it will jump, if not then it will go to 00402019 (JBE= jump if below or equal-

And then it will do a “strstr” which will find a “needle in a haystack” ( — so a string within a larger string) and in this case the string needle is “Sr&w09.”

and then it calls strlen on it and compares it to “400h” and if it’s the lenght is above “400h” then it will jump to loc_40207C which is outside of the loop.
Also, a note, it won’t call “InternetCloseHandle” but it will if it fails (meaning, we’re going to close this connection because we did not get what we want, so let’s try another url and increase the parameter we are passing).


This may be a short write up but it did take me some time to analyse but with this information I want to try and debug the binary, get to the above and see if we can play around with the values to get past this loop.

Leave A Comment

Haq Security

Over A Decade Years Of Experience Coupled With Certificates!

Over A Decade Years Of Experience Coupled With Certificates!

We have experience in working with different platforms, systems, and devices to create products that are compatible and accessible.