UnamSanctam / SilentXMRMiner

A Silent (Hidden) Monero (XMR) Miner Builder
MIT License
570 stars 163 forks

. #339

Closed freakovision closed 3 years ago

freakovision commented 3 years ago

Miner doesn't work when I try to run it on RAT-infected computers. I use AsyncRAT by NyanCat. When I tried to drop it on disk and run it through a reverse shell it said "MpPreference not found" or something like that, it was a long ass error, can't tell exactly rn. I tried the miner with and without admin privilege, the RAT had admin privilege, all computers had Windows 10 64 bit on them.

P.S. It works on my PC tho.

freakovision commented 3 years ago

Aight, I managed to run it without admin privilege, but I can't confirm if it's working. For some reason Process Manager doesn't show the conhost.exe in which I inject the miner even tho sihost64.exe is running.

UnamSanctam commented 3 years ago

Hmm, since sihost64.exe is running then it should be working, can't you see any conhost.exe at all? Also, you can execute files through the file browser thing, you don't need to use a reverse shell.

freakovision commented 3 years ago

Yeah I know. Just wanted to see if there are any errors.

freakovision commented 3 years ago

Could you please test my build on Win10 virtual machine? I just can't use any VM with my low specs. https://dropmefiles.com/3RRvl Password is admin.

UnamSanctam commented 3 years ago

Yes it works for me, are you using an older version of the builder?

freakovision commented 3 years ago

Weird! I'm using the latest version. That Add-MpPreference error was only on one of the slaves. The others just refused to work after the first phase. I mean the executable runs for the 30 seconds that I used as a delay and never drops a payload in System32 or a fallback location.

UnamSanctam commented 3 years ago

It doesn't drop services64.exe into System32? Yours does for me.

freakovision commented 3 years ago

Same for me but not for slaves. Probably a RAT issue?

UnamSanctam commented 3 years ago

Might be.

freakovision commented 3 years ago

What is the most optimal CPU load?

UnamSanctam commented 3 years ago

20-40% Max CPU for the maximum amount of stealth and 60-80% Idle CPU is good. I have it set to 20% Max CPU and 80% Idle CPU as default because it's the most stealthy.

freakovision commented 3 years ago

I have a few suggestions. Add a fake error and, most important, the ability to start the miner in the next session so it doesn't start to rape the fans instantly.

UnamSanctam commented 3 years ago

Well, you could add one line in the code to add a fake error in Loader.cs (though you'd probably have to check if it's in the install location or not, could possibly add detections). 20% Max CPU shouldn't even make the fans move so that shouldn't be a problem.

freakovision commented 3 years ago

I don't target the best computers, they have like 3-4 logical processors on average, so the load is always 25-33% which is pretty noticeable and suspicious, especially in summer. And yeah, I already added a fake error in the loader. Just wanted to see it in your release :)

freakovision commented 3 years ago

Aren't you afraid to host online download links on your site? You can be charged for being involved in malware activity.

UnamSanctam commented 3 years ago

Well, I only host the URLs which lead to GitHub and nothing more, if I hypothetically would get charged for anything then would it not be for the miner you're currently writing an issue on?

freakovision commented 3 years ago

I don't think cops are that stupid. Btw have you heard of the icanhazip.com owner? He almost got in prison because his site was used in malware activity even tho it only shows your external IP.

UnamSanctam commented 3 years ago

Well, you are correct, though I don't really "own" any of it, neither the domain nor the server.

freakovision commented 3 years ago

> I don't really "own" any of it

I hope the police will have the same opinion :P

UnamSanctam commented 3 years ago

True, the police do ignore the law a lot, especially here.

freakovision commented 3 years ago

Can I add a prefix to the random worker name? Like this: walletaddress.Boobs_{%RANDOM%}

UnamSanctam commented 3 years ago

Yes that will work fine.

freakovision commented 3 years ago

Also it would be great to have an IP logger in it. So we can know the ratio of downloads/runs. Will this line of code increase the detections?

UnamSanctam commented 3 years ago

It could increase detections, it's better to add that yourself since I don't really want to support any special kind of external service, you could theoretically use an IPLogger redirect to the config for the 'Remote Configuration' so it logs the computer before getting the 'Remote Configuration'.

freakovision commented 3 years ago

Miner stops working after some time. Most likely after donation. I can see sihost64 on several computers and there is no task manager or similar apps open, but no shares submitted to nanopool.

UnamSanctam commented 3 years ago

I haven't really changed anything much with the donation from the original XMRig so if that one works then this one will work as well. Are you using {%COMPUTERNAME%} to check? Since nanopool has a very high share difficulty (400 000) it can take between 5-30 minutes per share to be submitted depending on the CPU and the Max CPU percentage.

freakovision commented 3 years ago

It was like 4 hours, no shares from any running PC.

UnamSanctam commented 3 years ago

None at all? Try another pool then, I have a miner running 24/7 and have had it running for 2 years now (I update it with each release) and it's still working.

freakovision commented 3 years ago

It loads the CPU on all computers but I don't get any shares. Why?

UnamSanctam commented 3 years ago

Try another pool if you use 'Remote Configuration', I can't know why you're not getting shares, it shouldn't have anything to do with the miner at least.

freakovision commented 3 years ago

The injected miner just keeps closing and starting again. What could be wrong?

UnamSanctam commented 3 years ago

The XMR miner? The explorer.exe opens and closes? Only reason that could happen is if the connection settings are wrong or if they can't connect I guess though I have never seen that happen before.

freakovision commented 3 years ago

Now the memory usage fluctuates a lot. What the hell?

UnamSanctam commented 3 years ago

Do you use 'Remote Configuration'? Make sure that keepalive is set to false since nanopool has issues with it.

freakovision commented 3 years ago

It's false

UnamSanctam commented 3 years ago

Hmm, try setting it to another pool, only thing which could do that is if there is something wrong with the pool connection.

freakovision commented 3 years ago

Changed to Minergate. It mines but memory usage is still crazy. `conhost.exe 14704 Console 1 2,407,860 K`

Edit. Ok, it's fine. Memory usage doesn't fluctuate now.

UnamSanctam commented 3 years ago

2GB you mean? The RandomX algorithm (Monero) uses 2GB of RAM for the huge pages feature and is normal, without huge pages the hashrate would be really low. If you want less RAM usage then you can mine some other cryptocurrency which uses some other algorithm, you can see the algorithms supported here: https://xmrig.com/docs/algorithms.
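The 2 GB working set explained above is the one detail in this thread that a defender can key on: a console host or Explorer process holding a RandomX-sized dataset is not normal, and the thread also names the binaries it drops (sihost64.exe, services64.exe). As an added example, not code from the repository or from either participant, here is a small Python script that parses `tasklist`-style output (the same column layout as the line quoted above) and flags those indicators. The sample rows, their PIDs and the 1.5 GB threshold are constructed assumptions; on a real host you would feed it the captured output of `tasklist` instead.

```python
import re

# Constructed sample of `tasklist` output (not captured from any real host).
# The last conhost.exe row copies the memory figure quoted in the thread.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
explorer.exe                  4120 Console                    1     98,412 K
conhost.exe                   5532 Console                    1      6,844 K
sihost64.exe                  9876 Console                    1     12,120 K
conhost.exe                  14704 Console                    1  2,407,860 K
"""

# Indicators named in the thread: the dropped binary names, and the host
# processes it injects into (conhost.exe / explorer.exe).
SUSPECT_NAMES = {"sihost64.exe", "services64.exe"}
HOST_NAMES = {"conhost.exe", "explorer.exe"}
# Assumed threshold: RandomX's dataset is about 2 GB, a legitimate console
# host is a few MB, so 1.5 GB leaves margin on both sides.
LARGE_WORKING_SET_KB = 1_500_000

# One tasklist row: image name (may contain spaces), PID, session name,
# session number, memory usage in K with thousands separators.
LINE_RE = re.compile(
    r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<session>\S+)\s+"
    r"(?P<sessnum>\d+)\s+(?P<mem>[\d,]+) K\s*$"
)


def parse_tasklist(text):
    """Return a list of dicts (image, pid, mem_kb) for each process row."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header and separator lines do not match
        rows.append({
            "image": m.group("image").strip(),
            "pid": int(m.group("pid")),
            "mem_kb": int(m.group("mem").replace(",", "")),
        })
    return rows


def find_indicators(rows):
    """Return (pid, image, reason) tuples for rows matching the indicators."""
    hits = []
    for r in rows:
        name = r["image"].lower()
        if name in SUSPECT_NAMES:
            hits.append((r["pid"], r["image"], "dropped binary name from the thread"))
        elif name in HOST_NAMES and r["mem_kb"] >= LARGE_WORKING_SET_KB:
            hits.append((r["pid"], r["image"],
                         f"working set {r['mem_kb']:,} K is in the RandomX range"))
    return hits


if __name__ == "__main__":
    for pid, image, reason in find_indicators(parse_tasklist(SAMPLE_TASKLIST)):
        print(f"PID {pid:>6}  {image:<14} {reason}")
```

The name check is the weaker half: an attacker can rename the dropped files, which is why the working-set rule is the one to keep. Pair it with a review of Defender exclusions (the thread's `Add-MpPreference` error is the loader trying to add one) and you have the two host-side signals this thread itself describes.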

freakovision commented 3 years ago

But why did I have problems with nanopool, do you have any idea? I'm pinging nanopool and it's responding, so nothing blocks it. What the hell?

UnamSanctam commented 3 years ago

Good question, I believe it should work and haven't seen any problems. When you changed pool did any workers appear?

freakovision commented 3 years ago

When I manually killed the miner process on the slave PC it appeared.

UnamSanctam commented 3 years ago

Yeah the XMR miner will only retrieve the 'Remote Configure' on the startup of the miner. If it appeared then there was something wrong with the pool connection, very weird.

freakovision commented 3 years ago

Process died again.

UnamSanctam commented 3 years ago

Hmm, the XMR miner should theoretically never close itself due to how XMRig works and I've never seen it happen either so I'm not sure how that is happening. Try using something other than MinerGate since they are notorious for having bad servers.

freakovision commented 3 years ago

Could VPN be the source of the problem?

UnamSanctam commented 3 years ago

Yes definitely, the pool could be blocking the VPN IP which isn't that uncommon or there could be some other thing blocking or interfering with the connection.

freakovision commented 3 years ago

I keep getting views on pastebin but there is no hashrate.

UnamSanctam commented 3 years ago

Try running it yourself, does it use any CPU usage? Also make sure that all the settings are correct in the pastebin.

freakovision commented 3 years ago

Everything works on my PC.

UnamSanctam commented 3 years ago

Then it should work, it can't use any CPU unless it gets a job from the pool, can you send the pastebin content here but censor the wallet address in case anything is incorrect?