# IOC for Crackonosh

Malware analysis and more technical information at

### Table of Contents

* [Samples (SHA-256)](#samples-sha-256)
* [Network indicators](#network-indicators)
* [File names](#file-names)
* [Registry keys](#registry-keys)
* [Mutexes](#mutexes)
* [Monero wallet addresses](#monero-wallet-addresses)

## Samples (SHA-256)

Where a date follows a hash, it is the date the sample was observed.

#### startupchecklibrary.dll

```
```

#### winscomrssrv.dll

```
A9ABB0E7589A727C42FF10FBB982FD9A8D2E666CE6B1B9938D58A10AB2E13C9A 2019-02-23
0C15423E9F6A14DAD4085732D32C895D7B540067F6279BA32A97868608D649B4 2019-03-20
2A2ADF308EBEA5B0CC4B8CFF6C706C902965899751A40A3A8DD781B0B549148B 2019-03-20
43DFC87AC3B7E92F4DC2E7E34055F92D126FA4440ABCA3F0FEEBDAC6329FBEE7 2019-03-20
E1383F50464A3BE26B1F2C56E4D7E2275247BED31134562B96192BB23D9E8B54 2019-03-20
```

#### 7B296FC0-376B-497d-B013-58F4D9633A22-5P-1.B5841A4C-A289-439d-8115-50AB69CD450(B)

```
13FA34A83690B35125F3A4BC1959FCB52C0BCD2600A6501C0E898ED93115FE9B
5AB27EAB926755620C948E7F7A1FDC957C657AEB285F449A4A32EF8B1ADD92AC
```

#### useraccountcontrolsettingsdevice.dat

```
0FB57247173A9890753EC628B24725061E54A17EC8E40972DD19DC936144EE23
68EBF511B59B349AD0351AA5D3661A919DC33D718FC74FE1D209F9DFA1EC4229
8D7544F7F11406AEA2A39DCAD66250E6EE10D5CC8D030753A1BA9E6973568A6E
C9C41EA8FEE15985E7BB40439D0409E27440249A6000B6CC5863A1EC8985A78A
```

#### winlogui.exe, diskdriver.exe

```
```

#### winrmsrv

```
9F836B5C68DFCA1A25C3CFFC2333848C52BAB4BA09100CC9DDCE755ABE993A62 2019-11-24
AAF2770F78A3D3EC237CA14E0CB20F4A05273EAD04169342DDB989431C537E83 2019-11-09
542A9374C0E411CB949F3FF9E651E7C7A287C9649CB80D3B47C7E31ACCEA305F 2019-11-24
5B85CEB558BAADED794E4DB8B8279E2AC42405896B143A63F8A334E6C6BBA3FB 2019-11-24
E82FF178A28F1114B0B0548246B4048A20957A9ECCCAD0DCB136FE1FDDF229E8 2019-11-24
```

#### wksprtcli.dll

```
```

#### windfn

```
E2B2760CE91DB3513E9270C28EA80A7E1C5B2EAF2AEF5CDB236DF865E59A8CBA 2018-02-08
9423C964679D60EB3BBD0CAADA4E059C59CB07AD9BB559E0230460A4AAAA547A 2018-05-08
```

#### serviceinstaller.msi, install.msi

```
6FB358CA92033B634E04CC53B286E08641108884E72DB537FF1CA2A9A0ABE0CF
E8686710C016A87D923BF617CE4D5723B790C53481C5369614286D27A03ECCD2
FAB673215DD7B655675DD704D8E1FDBBE2C7687145DA0BEAE4FE19865FB9863B
```

#### serviceinstaller.exe

```
01403392FD0F735DA91D16B6EA1926F79F4BECBA7B0CF2C0CD05E33C946BDC24 2018-01-31
E4C3222435085AB38148BE821D45BFC009B4AEEB4732924FA459F39308C4F37A 2018-02-08
3ADA6A50AE712A067F6A852459C82FF769D1490B4BC95A2DC4773EF44C785E61 2018-05-08
CE46F9E36C3FCF9F74E14001A5A05CF62B265CEE401ACE99E8078903164FFC58 2018-06-12
D6331DAAAC4054EF4A7578FE123A33140E2FB92BD1DC02A8E99FF07096E884A8 2018-07-01
C631DBBA94B002604CCFDCFDBD42BC0E3619A113830FBE5FD3AF90DDB4FD0EA4 2018-07-07
5D0EFC04545B3FD5E0ACC604864839622B4FEC17AC25066F63AB974DF7F07EDE 2018-07-09
5C0E781BDED22B917DB86FC05C9889B5171667DBB6961AC839C5FBF5C14BA9DE 2018-07-19
1E09BCD17C037017B34B2FC6803A6B73BF7C25AD01445FEC812F02C8398EF43D 2018-07-29
5B2A44E0B2066FB082220577A0BD1432C9A07855981C407B67609D858D00D63D 2018-08-11
64297CA530CD9EAF318DD45665AD6A777FB5F1948740E1179A964B832E25954D 2018-08-19
FDE0BB0B67ACB9369E3AD1DDA30813C0CEC4576D01DA5DF74DD82A4D183C858D 2018-09-01
6050623EBD8A6A9D3C1A4383E8984511A18172D048970465915EAB69865A1C49 2018-09-09
CA134BB13792D35BB0EC223A56B946CEEFDF9060370089114A03D7FB989503E3 2018-09-29
635DEAB28A75A0E04A87E3E081904CADD094FF57D2E6CFC745E327AF03E23C93 2018-10-14
BF21C2D1B60948A247B94CE5001EE433D3E6BC534D6105B8AD51FCE6C12DD1B4 2018-10-30
5A64795052D38046BD3F7AFC0C794586AAC776E8EDDD308BFEBBF57204A00196 2018-11-07
D520EBD1056469777C0FF4D3ECDD7935B5D055C7A6B8EA0A2F1DE2C9F6121563 2018-11-13
3552DD73B3803AF8B66DA1C637D2E024AC967EF698D832DF281EF1DC7039655C 2018-11-26
4424C72C0E97C5630D36AA51A780DFD6AE0FD0710ABE07001345EE79C0BB09FD 2018-12-20
60A04635F44090364DAAEC8BB4CBB73CD6C4584B85A6E5203F202B3EA7D5C8EA 2018-12-20
AEFBE845AF6CD6E0147ED5E4CCA80BFC65354B1F7AD6040CAFFCD6E7236721F5 2018-12-20
560D28705D53ADA959BA31FA718F8E9A48F631E517B5A31DB7C83F4C5875B535 2019-02-19
AA0CD62879BEFF9DE4168A650E9A2B72C71C79CC72BE7DE12B6098551CE6D771 2019-03-05
2CF764AF2B29397B83F057B62EE27F6F0C8AB616781626B45D0A545A8C50405A 2019-12-09
09849775796A3487F889CE5FC9A0906DBA851660A70E70CF41D75A270416AED7 2019-12-30
3B089ECECF0F54A15B3F09167208218E34D93C42E1BA9A23F2ECE0177510F9BB 2019-12-30
5AEACB4679C805B11B1F707B48E7AA29BACCFA4479C42518662EA34FE18F515E 2019-12-30
FFED5BEA3B2367946ECCF950A55BC160477E2FECFB0D8D5093818377DDDE9D46 2020-11-23
```

#### startupcheck.vbs, maintenance.vbs, install.vbs

```
```

#### Setup.exe (installer built with Inno Setup)

```
```

#### Infected installers of games

```
E497EE189E16CAEF7C881C1C311D994AE75695C5087D09051BE59B0F0051A6CF
65F39206FE7B706DED5D7A2DB74E900D4FAE539421C3167233139B5B5E125B8A
4B01A9C1C7F0AF74AA1DA11F8BB3FC8ECC3719C2C6F4AD820B31108923AC7B71
7F836B445D979870172FA108A47BA953B0C02D2076CAC22A5953EB05A683EDD4
93A3B50069C463B1158A9BB3A8E3EDF9767E8F412C1140903B9FE674D81E32F0
9EC3DE9BB9462821B5D034D43A9A5DE0715FF741E0C171ADFD7697134B936FA3
D8C092DE1BF9B355E9799105B146BAAB8C77C4449EAD2BDC4A5875769BB3FB8A
6A3C8A3CA0376E295A2A9005DFBA0EB55D37D5B7BF8FCF108F4FFF7778F47584
D7A9BF98ACA2913699B234219FF8FDAA0F635E5DD3754B23D03D5C3441D94BFB
8C52E5CC07710BF7F8B51B075D9F25CD2ECE58FD11D2944C6AB9BF62B7FBFA05
C6817D6AFECDB89485887C0EE2B7AC84E4180323284E53994EF70B89C77768E1
```

#### MSASCuiL.exe

```
FF183B40B63ADB3F391FCECE277A64671E5AAD421D1E857B01453C5191C4B893
```

## Network indicators

Domains are defanged with `[.]`.

#### Mining pools

```
pool[.]minexmr[.]com
pool[.]supportxmr[.]com
xmrpool[.]eu
monerohash[.]com
```

#### TXT DNS

```
anter[.]roboticseldomfutures[.]info
any[.]tshirtcheapbusiness[.]net
lef[.]loadtubevideos[.]com
levi[.]loadtubevideos[.]com
gof[.]planetgoodimages[.]info
dus[.]bridgetowncityphotos[.]org
ofl[.]bridgetowncityphotos[.]org
duo[.]motortestingpublic[.]com
asw[.]animegogofilms[.]info
wc[.]animegogofilms[.]info
enu[.]andromediacenter[.]net
dnn[.]duckduckanimesdownload[.]net
vfog[.]duckduckanimesdownload[.]net
sto[.]genomdevelsites[.]org
sc[.]stocktradingservices[.]org
ali[.]stocktradingservices[.]org
fgo[.]darestopedunno[.]com
dvd[.]computerpartservices[.]info
efco[.]computerpartservices[.]info
plo[.]antropoledia[.]info
lp[.]junglewearshirts[.]net
um[.]junglewearshirts[.]net
fri[.]rainbowobservehome[.]net
internal[.]videoservicesxvid[.]com
daci[.]videoservicesxvid[.]com
dow[.]moonexploringfromhome[.]info
net[.]todayaniversarygifts[.]info
sego[.]todayaniversarygifts[.]info
pol[.]motorcyclesonthehighway[.]com
any[.]andycopyprinter[.]net
onl[.]andycopyprinter[.]net
cvh[.]cheapjewelleryathome[.]info
df[.]dvdstoreshopper[.]org
efr[.]dvdstoreshopper[.]org
Sdf[.]expensivecarshomerepair[.]com
download[.]universalwebsolutions[.]info
download[.]getnewupdatesdownload[.]net
download[.]webpublicservices[.]org
first[.]universalwebsolutions[.]info
first[.]getnewupdatesdownload[.]net
first[.]webpublicservices[.]org
second[.]universalwebsolutions[.]info
second[.]getnewupdatesdownload[.]net
second[.]webpublicservices[.]org
```

## File names

```
C:\Windows\System32\7B296FC0-376B-497d-B013-58F4D9633A22-5P-1.B5841A4C-A289-439d-8115-50AB69CD450
C:\Windows\System32\7B296FC0-376B-497d-B013-58F4D9633A22-5P-1.B5841A4C-A289-439d-8115-50AB69CD450B
C:\Windows\System32\StartupCheckLibrarry.dll
UserAccountControlSettingsDevice.dat
C:\Windows\System32\diskdriver.exe
C:\Windows\System32\install.vbs
C:\Windows\System32\maintenance.vbs
C:\Windows\System32\serviceinstaller.exe
C:\Windows\System32\serviceinstaller.msi
C:\Windows\System32\startupcheck.vbs
C:\Windows\System32\windfn.exe
C:\Windows\System32\winrmsrv.exe
C:\Windows\System32\winscomrssrv.dll
C:\Windows\System32\wksprtcli.dll
```

## Registry keys

```
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v winlogui /t REG_SZ /d "C:\WINDOWS\system32\winlogui.exe -o pool.minexmr.com:4444 -u 47KYx6QmWdbVotVxXTttQBQCQ2uX8vnkZNSnu6xuJNweYNC99pdCrk42ke5AeAMx1aYDyz8vbQKXs8oQkc9v9xMjBtN7R9W"
HKLM\SOFTWARE\Microsoft\Windows\CurrentControlSet\services\ServiceInstaller
```

## Mutexes

```
winrmsrvdbl
```

## Monero wallet addresses

```
89gJHf6BNgXjatQME14pGVQNXh6jcLXM7PEsPCrQGCcy3jaQ9nvK3zXDeQ9bmkpJecWPBQRhTh64MJVXGv6vwuiWT5nHVyb
423WmQaXRhsDNNf6jFKwyj79iLPTRraTZAHFoyWmE4csHVfa9A97P2n8dyaHdQHzYa1nzbA1vKcdrVWbxKTjcAgkNvktp9u
4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQr2cM6dRYBvTiv1U3V
```