Win32/Kexqoud is often bundled with legitimate applications such as games and productivity tools.
Upon execution, Win32/Kexqoud drops a copy of itself to the %APPDATA% directory with a random file name, such as:
It also drops a legitimate Bitcoin-mining tool in the %TEMP% directory, also with a random file name, such as:
Some variants of Kexqoud make the following changes to the registry so that the malware runs each time you start your computer. To execute automatically on system start, it adds the following registry entry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware file name>"
With data: "%AppData%\<malware filename>.exe"
Runs a Bitcoin-miner
Win32/Kexqoud runs the Bitcoin-mining client in a manner that attributes newly generated Bitcoins to an account specified by the attacker. This means that any Bitcoins you generate, inadvertently or purposefully, are credited to the attacker.
Below is the Bitcoin-mining format used by Kexqoud; multiple user accounts are used to perform this operation:
%TEMP%\<malware filename>.exe -g no -o http://<user name>:<password>@<bitcoin server>:<port>
The mining client is configured to run with high CPU utilization, which may significantly slow the performance of your computer.
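As an added example (not part of the original analysis), the Python below turns the two indicators described above into checks: it parses the documented mining command-line format to extract the pool server and port for blocking or hunting, and it flags Run-key values whose data is an executable directly under %AppData% (both the `%AppData%` form shown above and the expanded `\AppData\Roaming\` form). The sample Run entries and command line are constructed for illustration and reference no real account or server.

```python
import re
from typing import Optional

# Mining command line documented for this threat:
#   <miner>.exe -g no -o http://<user name>:<password>@<bitcoin server>:<port>
MINER_CMD_RE = re.compile(
    r"^(?P<exe>\S+\.exe)\s+-g\s+no\s+-o\s+http://"
    r"(?P<user>[^:@\s]+):(?P<password>[^@\s]+)@(?P<server>[^:\s/]+):(?P<port>\d+)\b",
    re.IGNORECASE,
)

# Run-key data pointing straight at an .exe under %AppData% (literal or expanded form).
APPDATA_EXE_RE = re.compile(
    r"^(?:%appdata%|.*\\appdata\\roaming)\\[^\\]+\.exe$", re.IGNORECASE
)


def parse_miner_cmdline(cmdline: str) -> Optional[dict]:
    """Return exe, worker name, pool server and port if the line matches the
    documented format, else None. The password is deliberately not returned;
    the server and port are what a defender needs for network blocking."""
    m = MINER_CMD_RE.match(cmdline.strip())
    if not m:
        return None
    return {"exe": m["exe"], "user": m["user"],
            "server": m["server"], "port": int(m["port"])}


def suspicious_run_entries(entries):
    """Given (value name, data) pairs read from HKCU\\...\\Run, return the value
    names whose data is an executable placed directly under %AppData%."""
    flagged = []
    for name, data in entries:
        if APPDATA_EXE_RE.match(data.strip().strip('"')):
            flagged.append(name)
    return flagged


# Constructed sample input (not real indicators).
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("qtlgwxpa", r"%AppData%\qtlgwxpa.exe"),
    ("SecurityHealth", r"C:\Program Files\Windows Defender\MSASCuiL.exe"),
]
SAMPLE_MINER_CMDLINE = r"%TEMP%\hvbzqtmk.exe -g no -o http://worker01:hunter2@pool.example.invalid:8332"

if __name__ == "__main__":
    print(suspicious_run_entries(SAMPLE_RUN_ENTRIES))   # ['qtlgwxpa']
    print(parse_miner_cmdline(SAMPLE_MINER_CMDLINE))
```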
Analysis by Zarestel Ferrer
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.