IOCs for Crackonosh

Malware analysis and further technical information at https://decoded.avast.io/danielbenes/crackonosh-a-new-malware-distributed-in-cracked-software/

Table of Contents

Samples (SHA-256)

startupchecklibrary.dll

556EC95A6BF60B3CE1CF8BB81E7619A958EF775B24D81F40F08D5083CE05F8FA 2018-05-07
499D4A507DEC01BABCB42A56AAC60B6B248F90EA983C437EE9BFCF578F50F48D 2018-06-12
84BFE91B63CFA65C45FD804C4B3E186280044A050D9384398FA2CC58E9A45BAC 2018-06-12
8E1260BBF43E54EF60672FC2EFAC525E961B5DEE67146063AEFCFDA2D7161D89 2018-06-12
CF849FCA88F2ED4F2704E4B76297A57F74C1E8DC861CFF4149827EF659FD5643 2018-07-07
29B06E1E0CA0318B3E876C8ED8BA58AC0C39728D656DD640B80B5E43F5BF926C 2018-07-19
76F8E1450196BEA25D2A2D9724C1B5CF8F2D57D73FB77986F51D4F17FF267E4F 2018-08-11
8F8C635949FD4A315DC7C2D30FC9A6A18149621E72B9598ABF50D54A4BF116AC 2018-08-11
9121B60939749C1C00F7B4C4BD0FE54E3FA36F3E5C2E7D5969539CB1F75A7D27 2018-08-11
CE090105E40E4611A3077856F46B8F37D02982D39B7341A9812088FF5B70EF2A 2018-08-11
F2A667D6D222A100B65A01E9FA3E4DB6FEB12AEC3E351304F8F988D2655DCD5D 2018-08-11
D2D0ACAAEFC0EDFB7F3240C5DD5BE27420B89D472BDFB6440CF6D01B690F2461 2018-08-11
94C68E943E2E5AD6EA33594C8ACC409EC3338BB1A3008A49C82F5F5F5BD92F11 2018-08-11
BE8F1F6D3E192352882D0BF038C6AAC610568A1D8E4AC6458A3DC3FF348B2E55 2018-08-11
AF4484BD7865438DDAEC1BE410F16DDB584E825D6FF360B4D04D76705F011D24 2018-08-11
3B047F66D905DC85C0E3CBAF3165A38F8971B273C0BBE868134216F76666FECE 2018-08-11
A0B49FE19A097681DA73BA0CB5EF82D92313BBD0FFDF849FE845D4D7DBEC6588 2018-08-11

winscomrssrv.dll

A9ABB0E7589A727C42FF10FBB982FD9A8D2E666CE6B1B9938D58A10AB2E13C9A 2019-02-23
0C15423E9F6A14DAD4085732D32C895D7B540067F6279BA32A97868608D649B4 2019-03-20
2A2ADF308EBEA5B0CC4B8CFF6C706C902965899751A40A3A8DD781B0B549148B 2019-03-20
43DFC87AC3B7E92F4DC2E7E34055F92D126FA4440ABCA3F0FEEBDAC6329FBEE7 2019-03-20
E1383F50464A3BE26B1F2C56E4D7E2275247BED31134562B96192BB23D9E8B54 2019-03-20

7B296FC0-376B-497d-B013-58F4D9633A22-5P-1.B5841A4C-A289-439d-8115-50AB69CD450(B)

13FA34A83690B35125F3A4BC1959FCB52C0BCD2600A6501C0E898ED93115FE9B
5AB27EAB926755620C948E7F7A1FDC957C657AEB285F449A4A32EF8B1ADD92AC

useraccountcontrolsettingsdevice.dat

0FB57247173A9890753EC628B24725061E54A17EC8E40972DD19DC936144EE23
68EBF511B59B349AD0351AA5D3661A919DC33D718FC74FE1D209F9DFA1EC4229
8D7544F7F11406AEA2A39DCAD66250E6EE10D5CC8D030753A1BA9E6973568A6E
C9C41EA8FEE15985E7BB40439D0409E27440249A6000B6CC5863A1EC8985A78A

winlogui.exe, diskdriver.exe

C54E4EDFC5C6544097A1E8DC7502A14AFD1E96D9DD23CA9B71248025A12E35AE 2018-06-09
26CBA4A1E74016E69E7FF4D80523AEF1A56710CC849CDBD6CBBD2054D45339F0 2018-07-29
54BD65A9BB49912AB6A28267955E16DFC5FDC2F346D9B6633BDCF6207183418D 2018-07-29
134860F8193313CA0E660C518F1B4D86FB7B26377CBD425209A4FA65F9F127D4 2018-08-11
35D6BF58FCF05A0560D5DDC66061677810CDF6EB1936B3A25760940DF5E78378 2018-08-19
9F56AA1759E7B9BC37B6155C3EC051DEADB5618F96EA1688AB0015B6F5881BE0 2018-08-19
4114FC78B438AC9571B71B6125D8FF4556FD8C244BA92D8BF4631476A8A32077 2018-10-10
AD77E8563E4C2EB38D0B6683C3C7A7977C13FA275C16F516C953A277F53F9F0E 2018-10-14
0D6345CA88BA0F43E3C3016E39364F2EAE75938FFD225C59BB711DB172592C24 2019-02-23
159DBCDAE1C484B2A6DB775241AAB86369639B6F8BFEC020A61466E660450D17 2019-02-23
C88201298F2B7FB87583732881CD7CD37917C92BDA3003AF964A1FA178E59B44 2019-02-23
E46417CD2AAB69EE848409D474BD50AE755668B21F8ADF856EA2120AC701E0E0 2019-02-23
91BFB82ED5C32979368EDDCD34861B631926D2352D16ADF189944C4BA8CCF4E1 2019-11-16

winrmsrv

9F836B5C68DFCA1A25C3CFFC2333848C52BAB4BA09100CC9DDCE755ABE993A62 2019-11-24
AAF2770F78A3D3EC237CA14E0CB20F4A05273EAD04169342DDB989431C537E83 2019-11-09
542A9374C0E411CB949F3FF9E651E7C7A287C9649CB80D3B47C7E31ACCEA305F 2019-11-24
5B85CEB558BAADED794E4DB8B8279E2AC42405896B143A63F8A334E6C6BBA3FB 2019-11-24
E82FF178A28F1114B0B0548246B4048A20957A9ECCCAD0DCB136FE1FDDF229E8 2019-11-24

wksprtcli.dll

6B79B9B830102329DC9E8E77D0A0490618ECC2DD2A177197E14AC54977F1AD04 2018-10-13
A2D053F68DE15ED472C6F510DD73161E56BD6D7FC0E8ED51A63E1D2534CB5031 2018-12-27
194A9F10B8D32FE4208929C6C8942A860EDD04202C2709FE6BAC47C9DD2EF395 2019-02-24
6D036BDFAD7343A93E5B45DD3C5B868D0EB96FA9302B617737FDA92245C195AA 2019-03-10
FA87982F9C1981674A60E684B3F0330163BE4EAAF9D99D4005E8BFD271B7BC2D 2019-03-22
D9EE256F00F49E82345E410043D66355D4ADEA8DA90C6D57D37F8644229550CA 2019-11-24
5C8B185B1CBF503645AE9FE2E6F6B7EFA3F4DB8D57FC61AE27578B3929917F3D 2020-11-20

windfn

E2B2760CE91DB3513E9270C28EA80A7E1C5B2EAF2AEF5CDB236DF865E59A8CBA 2018-02-08
9423C964679D60EB3BBD0CAADA4E059C59CB07AD9BB559E0230460A4AAAA547A 2018-05-08

serviceinstaller.msi, install.msi

 6FB358CA92033B634E04CC53B286E08641108884E72DB537FF1CA2A9A0ABE0CF
 E8686710C016A87D923BF617CE4D5723B790C53481C5369614286D27A03ECCD2
 FAB673215DD7B655675DD704D8E1FDBBE2C7687145DA0BEAE4FE19865FB9863B

serviceinstaller.exe

01403392FD0F735DA91D16B6EA1926F79F4BECBA7B0CF2C0CD05E33C946BDC24 2018-01-31
E4C3222435085AB38148BE821D45BFC009B4AEEB4732924FA459F39308C4F37A 2018-02-08
3ADA6A50AE712A067F6A852459C82FF769D1490B4BC95A2DC4773EF44C785E61 2018-05-08
CE46F9E36C3FCF9F74E14001A5A05CF62B265CEE401ACE99E8078903164FFC58 2018-06-12
D6331DAAAC4054EF4A7578FE123A33140E2FB92BD1DC02A8E99FF07096E884A8 2018-07-01
C631DBBA94B002604CCFDCFDBD42BC0E3619A113830FBE5FD3AF90DDB4FD0EA4 2018-07-07
5D0EFC04545B3FD5E0ACC604864839622B4FEC17AC25066F63AB974DF7F07EDE 2018-07-09
5C0E781BDED22B917DB86FC05C9889B5171667DBB6961AC839C5FBF5C14BA9DE 2018-07-19
1E09BCD17C037017B34B2FC6803A6B73BF7C25AD01445FEC812F02C8398EF43D 2018-07-29
5B2A44E0B2066FB082220577A0BD1432C9A07855981C407B67609D858D00D63D 2018-08-11
64297CA530CD9EAF318DD45665AD6A777FB5F1948740E1179A964B832E25954D 2018-08-19
FDE0BB0B67ACB9369E3AD1DDA30813C0CEC4576D01DA5DF74DD82A4D183C858D 2018-09-01
6050623EBD8A6A9D3C1A4383E8984511A18172D048970465915EAB69865A1C49 2018-09-09
CA134BB13792D35BB0EC223A56B946CEEFDF9060370089114A03D7FB989503E3 2018-09-29
635DEAB28A75A0E04A87E3E081904CADD094FF57D2E6CFC745E327AF03E23C93 2018-10-14
BF21C2D1B60948A247B94CE5001EE433D3E6BC534D6105B8AD51FCE6C12DD1B4 2018-10-30
5A64795052D38046BD3F7AFC0C794586AAC776E8EDDD308BFEBBF57204A00196 2018-11-07
D520EBD1056469777C0FF4D3ECDD7935B5D055C7A6B8EA0A2F1DE2C9F6121563 2018-11-13
3552DD73B3803AF8B66DA1C637D2E024AC967EF698D832DF281EF1DC7039655C 2018-11-26
4424C72C0E97C5630D36AA51A780DFD6AE0FD0710ABE07001345EE79C0BB09FD 2018-12-20
60A04635F44090364DAAEC8BB4CBB73CD6C4584B85A6E5203F202B3EA7D5C8EA 2018-12-20
AEFBE845AF6CD6E0147ED5E4CCA80BFC65354B1F7AD6040CAFFCD6E7236721F5 2018-12-20
560D28705D53ADA959BA31FA718F8E9A48F631E517B5A31DB7C83F4C5875B535 2019-02-19
AA0CD62879BEFF9DE4168A650E9A2B72C71C79CC72BE7DE12B6098551CE6D771 2019-03-05
2CF764AF2B29397B83F057B62EE27F6F0C8AB616781626B45D0A545A8C50405A 2019-12-09
09849775796A3487F889CE5FC9A0906DBA851660A70E70CF41D75A270416AED7 2019-12-30
3B089ECECF0F54A15B3F09167208218E34D93C42E1BA9A23F2ECE0177510F9BB 2019-12-30
5AEACB4679C805B11B1F707B48E7AA29BACCFA4479C42518662EA34FE18F515E 2019-12-30
FFED5BEA3B2367946ECCF950A55BC160477E2FECFB0D8D5093818377DDDE9D46 2020-11-23

startupcheck.vbs, maintenance.vbs, install.vbs
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Setup.exe (Installation built with Inno Setup.)
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infected installers of these games

E497EE189E16CAEF7C881C1C311D994AE75695C5087D09051BE59B0F0051A6CF
65F39206FE7B706DED5D7A2DB74E900D4FAE539421C3167233139B5B5E125B8A
4B01A9C1C7F0AF74AA1DA11F8BB3FC8ECC3719C2C6F4AD820B31108923AC7B71
7F836B445D979870172FA108A47BA953B0C02D2076CAC22A5953EB05A683EDD4
93A3B50069C463B1158A9BB3A8E3EDF9767E8F412C1140903B9FE674D81E32F0
9EC3DE9BB9462821B5D034D43A9A5DE0715FF741E0C171ADFD7697134B936FA3
D8C092DE1BF9B355E9799105B146BAAB8C77C4449EAD2BDC4A5875769BB3FB8A
6A3C8A3CA0376E295A2A9005DFBA0EB55D37D5B7BF8FCF108F4FFF7778F47584
D7A9BF98ACA2913699B234219FF8FDAA0F635E5DD3754B23D03D5C3441D94BFB
8C52E5CC07710BF7F8B51B075D9F25CD2ECE58FD11D2944C6AB9BF62B7FBFA05
C6817D6AFECDB89485887C0EE2B7AC84E4180323284E53994EF70B89C77768E1

MSASCuiL.exe

FF183B40B63ADB3F391FCECE277A64671E5AAD421D1E857B01453C5191C4B893

Network indicators

Mining pools

pool[.]minexmr[.]com
pool[.]supportxmr[.]com
xmrpool[.]eu
monerohash[.]com

DNS TXT records

anter[.]roboticseldomfutures[.]info
any[.]tshirtcheapbusiness[.]net
lef[.]loadtubevideos[.]com
levi[.]loadtubevideos[.]com
gof[.]planetgoodimages[.]info
dus[.]bridgetowncityphotos[.]org
ofl[.]bridgetowncityphotos[.]org
duo[.]motortestingpublic[.]com
asw[.]animegogofilms[.]info
wc[.]animegogofilms[.]info
enu[.]andromediacenter[.]net
dnn[.]duckduckanimesdownload[.]net
vfog[.]duckduckanimesdownload[.]net
sto[.]genomdevelsites[.]org
sc[.]stocktradingservices[.]org
ali[.]stocktradingservices[.]org
fgo[.]darestopedunno[.]com
dvd[.]computerpartservices[.]info
efco[.]computerpartservices[.]info
plo[.]antropoledia[.]info
lp[.]junglewearshirts[.]net
um[.]junglewearshirts[.]net
fri[.]rainbowobservehome[.]net
internal[.]videoservicesxvid[.]com
daci[.]videoservicesxvid[.]com
dow[.]moonexploringfromhome[.]info
net[.]todayaniversarygifts[.]info
sego[.]todayaniversarygifts[.]info
pol[.]motorcyclesonthehighway[.]com
any[.]andycopyprinter[.]net
onl[.]andycopyprinter[.]net
cvh[.]cheapjewelleryathome[.]info
df[.]dvdstoreshopper[.]org
efr[.]dvdstoreshopper[.]org
Sdf[.]expensivecarshomerepair[.]com
download[.]universalwebsolutions[.]info
download[.]getnewupdatesdownload[.]net
download[.]webpublicservices[.]org
first[.]universalwebsolutions[.]info
first[.]getnewupdatesdownload[.]net
first[.]webpublicservices[.]org
second[.]universalwebsolutions[.]info
second[.]getnewupdatesdownload[.]net
second[.]webpublicservices[.]org

File names

C:\Windows\System32\7B296FC0-376B-497d-B013-58F4D9633A22-5P-1.B5841A4C-A289-439d-8115-50AB69CD450
C:\Windows\System32\7B296FC0-376B-497d-B013-58F4D9633A22-5P-1.B5841A4C-A289-439d-8115-50AB69CD450B
C:\Windows\System32\StartupCheckLibrarry.dll
UserAccountControlSettingsDevice.dat
C:\Windows\System32\diskdriver.exe
C:\Windows\System32\install.vbs
C:\Windows\System32\maintenance.vbs
C:\Windows\System32\serviceinstaller.exe
C:\Windows\System32\serviceinstaller.msi
C:\Windows\System32\startupcheck.vbs
C:\Windows\System32\windfn.exe
C:\Windows\System32\winrmsrv.exe
C:\Windows\System32\winscomrssrv.dll
C:\Windows\System32\wksprtcli.dll

Registry keys

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v winlogui /t REG_SZ /d "C:\WINDOWS\system32\winlogui.exe -o pool.minexmr.com:4444 -u 47KYx6QmWdbVotVxXTttQBQCQ2uX8vnkZNSnu6xuJNweYNC99pdCrk42ke5AeAMx1aYDyz8vbQKXs8oQkc9v9xMjBtN7R9W"
HKLM\SOFTWARE\Microsoft\Windows\CurrentControlSet\services\ServiceInstaller

Mutexes

winrmsrvdbl

Monero Wallet addresses

89gJHf6BNgXjatQME14pGVQNXh6jcLXM7PEsPCrQGCcy3jaQ9nvK3zXDeQ9bmkpJecWPBQRhTh64MJVXGv6vwuiWT5nHVyb
423WmQaXRhsDNNf6jFKwyj79iLPTRraTZAHFoyWmE4csHVfa9A97P2n8dyaHdQHzYa1nzbA1vKcdrVWbxKTjcAgkNvktp9u
4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQr2cM6dRYBvTiv1U3V