
Ring Ø Labs DOES NOT advocate using any of the malware, techniques, or information presented here for harm and doing so may violate the law. These topics are for mitigation and educational purposes only. We also employ browser mining to reduce the need for ADs.

Sunday, July 30, 2017

To Kill The Mocking Porn - Fsociety Crypto Miner

Fsociety is a crypto miner that hides behind multiple layers of obfuscation, Russian porn sites, and trickery.


Layers: self-extracting RAR / UPX / AutoIt3 wrapping the crypto miner

Fsociety_soft.exe is either paying homage to fsociety from the TV show Mr. Robot, or posing as some kind of fanboy application; either way, the executable is certainly dangerous.

We begin by extracting the main executable, which is a self-extracting RAR archive. The file it drops is named WINDOWS.exe and is itself another self-extracting RAR archive (RAR-ception).

The file extracted from the second archive is also named WINDOWS.exe and is UPX packed. Unpacking it reveals the final launcher and its embedded AutoIt3 script.

Once running, WINDOWS.exe first performs a connectivity check by connecting to the following domain:

If the connection cannot be made, the program exits. This is most likely an anti-analysis trick, and it is easily bypassed in the lab by routing traffic for that domain to a host you control (or allowing it out through a filtered gateway) and answering with whatever the malware expects from the site.
Once connectivity is confirmed, WINDOWS.exe connects to the following .RU domain and downloads additional files:

At the time of this analysis the only file actually hosted on the domain was 1.bat; the other files the dropper requests did not exist.
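The bypass described above, as an added example that is not part of the original write-up: a minimal canned HTTP responder for the analysis VM. Point the sample's check-in and download domains at the box running it (a hosts-file entry or a DNS rule in the sandbox), answer every request with a 200 so the connectivity check passes, serve whatever body you want for 1.bat, and record every path requested, so the full list of files the dropper tries to fetch is captured even though most of them were missing from the real server. The bind address, port and canned bodies are placeholders chosen here, and this only helps for plain HTTP, not TLS.

```python
"""Canned HTTP responder for sandboxing a sample that exits without connectivity.

Added example, not code from the original post. Bind address, port and the
canned responses are placeholders chosen for this illustration.
"""
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.request import urlopen


class FakeSiteHandler(BaseHTTPRequestHandler):
    """Answer every GET with 200 so the sample's connectivity check passes,
    serve canned bodies for the paths we care about, and record what was asked."""

    def do_GET(self):
        self.server.requested_paths.append(self.path)
        body = self.server.canned.get(self.path, self.server.default_body)
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep stdout quiet; requested_paths is the log
        pass


def start_fake_site(canned, default_body=b"OK", host="127.0.0.1", port=0):
    """Start the responder in a daemon thread and return the server object.
    port=0 lets the OS pick; server.server_address[1] holds the real port."""
    server = ThreadingHTTPServer((host, port), FakeSiteHandler)
    server.canned = dict(canned)           # path -> bytes to return
    server.default_body = default_body     # every other path still gets a 200
    server.requested_paths = []            # ordered record of what the sample fetched
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(port, path, host="127.0.0.1"):
    """Client side, standing in here for the sample's own HTTP requests."""
    with urlopen(f"http://{host}:{port}{path}", timeout=5) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Constructed stand-in for the dropper's download list: only 1.bat "exists".
    site = start_fake_site({"/1.bat": b"@echo off\r\nrem canned stand-in for 1.bat\r\n"})
    port = site.server_address[1]
    for path in ("/", "/1.bat", "/2.exe", "/3.exe"):
        status, body = fetch(port, path)
        print(f"{path:8} -> {status} {body[:32]!r}")
    print("paths the sample asked for:", site.requested_paths)
    site.shutdown()
```

If the sample looks for a particular string on the check-in page rather than just a successful connection, put that string in the canned body for the path it requests; the recorded paths tell you which one.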

Walking up the URL path to the site's main page, we are greeted with the following (blurred for the article):

Clicking the button at the bottom of the page, we are then greeted with the following (blurred for the article):

Clicking the button once more brings us to the final location, a redirect to a Google Drive file that no longer exists. This may be a remnant of an earlier campaign that hosted a malicious file there.

Porn site detour aside, 1.bat is a heavily obfuscated batch file responsible for launching the mining software.

Deobfuscating this very long script boils down to the following command:
C:\ProgramData\System32\system.exe  -o stratum+tcp:// --donate-level=1 -u -p x -t 2 -k
The script launches two instances of the miner (the command is simply repeated), both pointed at the MinerGate mining pool. The flags follow the usual stratum CPU-miner syntax: -o is the pool URL, -u the account that is credited with the mined coins (the user ID highlighted in red in the capture), -p the pool password (here just the placeholder x), -t 2 the number of mining threads per instance, -k keep-alive, and --donate-level=1 the miner's built-in developer fee.
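The deobfuscation step above, as an added example that is not part of the original post: batch scripts of this kind typically hide the command by storing alphabets in variables and reassembling it from %VAR:~start,len% substring references, sometimes with ^ caret escapes thrown in. The script below resolves those references in cmd.exe order and then pulls the miner flags out of the recovered command line. SAMPLE is a constructed script in that style; the pool host and the account in it are placeholders, not values from the real 1.bat.

```python
"""Resolve cmd.exe %VAR:~start,len% substring obfuscation back to plain commands.

Added example, not code from the original post. SAMPLE is a constructed script
in the style of such obfuscation; its pool host and account are placeholders.
"""
import re

SUBSTR_REF = re.compile(r"%(\w+):~(-?\d+)(?:,(-?\d+))?%")
PLAIN_REF = re.compile(r"%(\w+)%")


def cmd_substr(value, start, length=None):
    """cmd.exe %var:~start,len% semantics: a negative start counts from the end,
    a negative len drops that many characters from the end of the whole value."""
    if length is None:
        return value[start:]
    if length >= 0:
        return value[start:][:length]
    return value[start:length]


def expand(text, env):
    """Expand %var% and %var:~s,l% references with the current variables.
    Unknown variables expand to nothing, as they do in a batch file."""
    def sub_ref(m):
        name, start, length = m.group(1).lower(), int(m.group(2)), m.group(3)
        return cmd_substr(env.get(name, ""), start, None if length is None else int(length))

    def plain_ref(m):
        return env.get(m.group(1).lower(), "")

    for _ in range(64):                      # values may reference other values
        new = PLAIN_REF.sub(plain_ref, SUBSTR_REF.sub(sub_ref, text))
        if new == text:
            break
        text = new
    return text


def deobfuscate_batch(script):
    """Return the commands the script would actually run, references resolved and
    ^ escapes removed. set lines build the environment in order, mirroring cmd's
    immediate %var% expansion (delayed !var! expansion is not handled)."""
    env, commands = {}, []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith(("@echo", "rem ", "::")):
            continue
        m = re.match(r"set\s+(.*)$", line, re.I)
        if m:
            body = m.group(1)
            if body.startswith('"'):         # set "NAME=VALUE" keeps trailing spaces
                body = body[1:body.rfind('"')]
            name, _, value = body.partition("=")
            env[name.strip().lower()] = expand(value, env)
            continue
        commands.append(re.sub(r"\^(.)", r"\1", expand(line, env)))
    return commands


def miner_args(command):
    """Pull the interesting miner flags out of a resolved command line:
    -o pool, -u account, -p password, -t threads, --donate-level, -k."""
    parts = command.split()
    flags = {}
    for i, tok in enumerate(parts):
        if tok in ("-o", "-u", "-p", "-t") and i + 1 < len(parts):
            flags[tok] = parts[i + 1]
        elif tok.startswith("--donate-level="):
            flags["--donate-level"] = tok.split("=", 1)[1]
    flags["keepalive"] = "-k" in parts
    return flags


SAMPLE = r'''@echo off
rem constructed sample: letters and punctuation are pulled out of two alphabets
set "kz=abcdefghijklmnopqrstuvwxyz"
set "kp=0123456789+://.- "
set "kx=C:\ProgramData\System32\system.exe"
set "ku=WALLET_PLACEHOLDER"
set "kw=%kz:~18,1%%kz:~19,1%%kz:~17,1%%kz:~0,1%%kz:~19,1%%kz:~20,1%%kz:~12,1%"
set "kv=%kw%%kp:~10,1%%kz:~19,1%%kz:~2,1%%kz:~15,1%%kp:~11,1%%kp:~12,2%"
%kx% -o %kv%pool%kp:~14,1%example%kp:~11,1%3333 --donate-level=1 -u %ku% %kp:~-2,1%p x ^-t ^2 -k
%kx% -o %kv%pool%kp:~14,1%example%kp:~11,1%3333 --donate-level=1 -u %ku% %kp:~-2,1%p x ^-t ^2 -k
'''

EXPECTED = ("C:\\ProgramData\\System32\\system.exe -o stratum+tcp://pool.example:3333 "
            "--donate-level=1 -u WALLET_PLACEHOLDER -p x -t 2 -k")

if __name__ == "__main__":
    for cmd in deobfuscate_batch(SAMPLE):
        print(cmd)
        print("  ", miner_args(cmd))
```

Running it prints the same command twice, matching the repeated launch the real script performs, and the flag dictionary is what you would feed into blocklists: the pool URL for egress filtering and the account for pool-side attribution.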

Running at full capacity, the two mining processes consume significant system resources, as this graph captured immediately after infection shows:


Many VirusTotal engines detect the later stages of this sample (once the archives are extracted and the payload is unpacked from UPX). The best mitigation for the early stages is to block self-extracting RAR executables and quarantine anything UPX packed; there is little legitimate reason for either to arrive in a business environment.
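Both of those outer layers can be spotted without running anything. As an added example that is not part of the original post, the checks below parse the PE section table to look for the UPX0/UPX1 section names that UPX leaves behind (unless the packer was told to rename them) and search past the MZ header for a RAR archive marker, which is what a self-extracting RAR executable is: a stub program with the archive appended. build_sample_pe() fabricates a minimal, non-runnable PE layout purely so the checks can be exercised offline; no real samples are embedded.

```python
"""Flag the two outer wrappers of this sample: UPX-packed PE files and
self-extracting RAR executables (a PE stub with a RAR archive appended).

Added example, not code from the original post. build_sample_pe() fabricates a
minimal, non-runnable PE skeleton so the checks can be exercised offline.
"""
import struct

RAR4_SIG = b"Rar!\x1a\x07\x00"        # RAR 1.5 - 4.x archive marker
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"    # RAR 5.x archive marker
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}


def pe_section_names(data):
    """Walk MZ -> e_lfanew -> PE -> COFF header -> section table and return the
    section names. Returns [] for anything that is not a parseable PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4
    if len(data) < coff + 20:
        return []
    nsections = struct.unpack_from("<H", data, coff + 2)[0]    # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]    # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    names = []
    for i in range(nsections):
        entry = data[table + i * 40: table + i * 40 + 8]       # 40-byte section header
        if len(entry) < 8:
            break
        names.append(entry.split(b"\0", 1)[0])
    return names


def is_upx_packed(data):
    """UPX keeps its section names unless the packer was asked to rename them."""
    return any(name in UPX_SECTIONS for name in pe_section_names(data))


def embedded_rar_offset(data):
    """Offset of a RAR marker located past the start of the file (an SFX stub
    with the archive glued on), or None. Both marker generations are checked.
    A bare .rar (marker at offset 0) deliberately does not count here."""
    for sig in (RAR5_SIG, RAR4_SIG):
        idx = data.find(sig, 1)
        if idx != -1:
            return idx
    return None


def classify(data):
    """Tags a mail gateway or sandbox could act on for this sample's outer layers."""
    tags = []
    if pe_section_names(data):
        tags.append("pe")
    if is_upx_packed(data):
        tags.append("upx")
    if embedded_rar_offset(data) is not None:
        tags.append("sfx-rar")
    return tags


def build_sample_pe(section_names, trailing=b""):
    """Constructed minimal PE skeleton: DOS header, PE signature, COFF header with
    no optional header, the section table, then whatever is appended."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + table + trailing


if __name__ == "__main__":
    sfx = build_sample_pe([b".text", b".rdata"], RAR4_SIG + b"\0" * 16)
    upx = build_sample_pe([b"UPX0", b"UPX1", b".rsrc"])
    print("sfx stub  :", classify(sfx), "archive at offset", embedded_rar_offset(sfx))
    print("upx packed:", classify(upx), pe_section_names(upx))
```

The data after the reported offset is the archive itself, so the same offset is where you carve the next layer out for unpacking; for this sample you would do that twice before reaching the UPX-packed launcher.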


Fsociety is a crypto miner that hides behind multiple layers of obfuscation, porn sites, and trickery. Its initial packing stages should be blocked outright by most businesses; also check AlienVault's IOCs for additional indicators to block.