Installation
Kexqoud is often bundled with legitimate applications such as games and productivity tools.
Upon execution, Win32/Kexqoud drops a copy of itself to the %APPDATA% directory with a random file name, such as:
%APPDATA%\vxtwtuowmvekobpxnsq.exe
It also drops a legitimate Bitcoin-mining tool in the %TEMP% directory, also with a random file name, such as:
%TEMP%\riblekbyc.exe
Some variants of Kexqoud also make the following registry change so that the malware runs each time you start your computer:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware file name>"
With data: "%AppData%\<malware filename>.exe"
Payload
Runs a Bitcoin-miner
Win32/Kexqoud runs the Bitcoin-mining client so that any newly generated Bitcoins are attributed to an account specified by the attacker. This means that any Bitcoins your computer generates, whether inadvertently or purposefully, are credited to the attacker rather than to you.
Kexqoud launches the mining client with the following command-line format; the credentials embedded in the URL identify the attacker's account, and multiple such accounts are used:
%TEMP%\<malware filename>.exe -g no -o http://<user name>:<password>@<bitcoin server>:<port>
The mining client is configured to run with high CPU utilization, which may significantly slow the performance of your computer.
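The two indicators described above (a Run value pointing at a randomly named .exe directly under %AppData%, and a miner process whose -o argument carries pool credentials in the URL) can be checked programmatically. The following Python script is an added example written for this page; it is not code from the original analysis or from Microsoft. The Run values, command lines, host name, user name and password it scans are constructed sample data, and the "random-looking name" heuristic is an assumption, not a property the page states.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data (not taken from the original analysis): three
# HKCU\...\Run values and two process command lines. Only the second Run
# value and the second command line follow the Kexqoud pattern described
# on this page; host, user and password strings are invented placeholders.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "vxtwtuowmvekobpxnsq": r"%AppData%\vxtwtuowmvekobpxnsq.exe",
    "Discord": r"C:\Users\alice\AppData\Roaming\Discord\Update.exe --processStart Discord.exe",
}
SAMPLE_CMDLINES = [
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" -url https://example.org',
    r"C:\Users\alice\AppData\Local\Temp\riblekbyc.exe -g no -o http://worker1:pass123@pool.example.net:8332",
]

# Executable sitting directly in the Roaming AppData root, written either as
# the expanded path or as the literal %AppData% variable the Run value uses.
APPDATA_EXE_RE = re.compile(
    r'^"?(?:%AppData%|[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming)\\([A-Za-z0-9_]+)\.exe"?$',
    re.IGNORECASE,
)
# "-o <url>" is the pool argument in the miner invocation shown on this page.
POOL_OPT_RE = re.compile(r"(?:^|\s)-o\s+(https?://\S+)", re.IGNORECASE)


def looks_random(stem):
    """Heuristic (an assumption, not from the original page): a dropped file
    name is treated as random-looking when it is at least 8 letters long and
    contains a run of four or more consonants, which pronounceable product
    names rarely do."""
    s = stem.lower()
    if len(s) < 8 or not s.isalpha():
        return False
    return re.search(r"[bcdfghjklmnpqrstvwxyz]{4,}", s) is not None


def suspicious_run_entries(run_values):
    """Return Run values matching the persistence pattern on this page: the
    data is a bare .exe directly under %AppData%, the value name equals the
    file name, and that name looks random."""
    hits = []
    for name, data in run_values.items():
        m = APPDATA_EXE_RE.match(data.strip())
        if m and m.group(1).lower() == name.lower() and looks_random(m.group(1)):
            hits.append({"key": RUN_KEY, "value": name, "data": data})
    return hits


def parse_pool_credentials(cmdline):
    """Extract user, password, host and port from a miner command line of the
    form '-o http://<user>:<password>@<server>:<port>'; None if absent."""
    m = POOL_OPT_RE.search(cmdline)
    if not m:
        return None
    url = urlsplit(m.group(1).rstrip("\"'"))
    if url.username is None or url.hostname is None:
        return None
    return {"user": url.username, "password": url.password,
            "host": url.hostname, "port": url.port}


def scan(run_values, cmdlines):
    """Run both checks and return the findings grouped by indicator type."""
    return {
        "persistence": suspicious_run_entries(run_values),
        "miners": [f for f in (parse_pool_credentials(c) for c in cmdlines) if f],
    }


if __name__ == "__main__":
    for section, findings in scan(SAMPLE_RUN_VALUES, SAMPLE_CMDLINES).items():
        print(section)
        for finding in findings:
            print("  ", finding)
```

On a live system the two inputs would come from reading the HKCU Run key and from the command lines of running processes; the pool credentials recovered from a miner's command line are a useful pivot, since the same account and server typically recur across infections.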
Analysis by Zarestel Ferrer