Sophos X-Ops Investigation Findings
Following a certification test, Sophos X-Ops found an unexpected guest had hitched a ride
www.sophos.com
The malicious payload me.exe (SHA-256: e3541caf708c075f0bb22fc68b03acd8457fea7cf0732ea935b1eb016d1c7721) is an XMRig-derived cryptocurrency miner identified by security software as Troj/GoMiner-B. Upon execution, the binary duplicates itself to C:\Program Files\Hola\HolaMonitorService.exe and establishes persistence by registering an automatic startup service named "hola_monitor_svc". Embedded text strings within the code—such as "killed orphan miner pid %d", "user active, stopping miner", and "m/cmd/xmrig-idle"—reveal that the malware tracks user presence to blend in. To evade detection and run efficiently, it manipulates Windows Defender to add security exclusions and restricts its mining operations to periods when the host system is completely idle. Furthermore, the binary is entirely unsigned, employs obfuscation techniques to mask its intent, and features capabilities to write directly to system memory.
DFIR Artifacts
Forensic evidence of this activity includes Windows System event logs capturing the unauthorized creation of the "hola_monitor_svc" service, alongside file system telemetry showing unexpected file writes within the Hola installation directory that do not align with legitimate software components. Additionally, process execution logs confirm that HolaMonitorService.exe actively ran and initiated outbound network connections to external cryptocurrency mining pools.
Threat Hunting Strategy
To proactively detect this threat, hunt across the environment for unauthorized and unsigned executables residing within standard software installation directories. Prioritize the investigation of any anomalies that attempt to register system services or manipulate antivirus exclusion lists.
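As an added example (not Sophos's own tooling), the hunt above expressed as a small triage script over constructed event records: a service-install event (Windows System log Event ID 7045) whose binary lives in a standard install directory and is not in the site's allowlist, and a Windows Defender configuration-change event (Event ID 5007) that touches the exclusion list. The `signed` field is assumed to come from separate file telemetry, since 7045 events do not carry signature status, and the allowlist and record layout are assumptions for illustration.

```python
"""Triage constructed Windows event records for two behaviours from the report:
an unexpected service registered from a software install directory, and a
Defender configuration change that edits exclusions."""

# Real Windows event IDs; the records below are constructed samples.
SERVICE_INSTALLED = 7045          # System log: "A service was installed in the system"
DEFENDER_CONFIG_CHANGED = 5007    # Defender/Operational: "configuration changed"

# Assumption: services the organisation expects the deployed software to register.
KNOWN_SERVICES = {"hola_svc"}
INSTALL_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample records, normalised from the two logs plus file telemetry
# (the `signed` flag is an enrichment assumed to come from file telemetry).
SAMPLE_EVENTS = [
    {"id": 7045, "service": "hola_monitor_svc", "signed": False,
     "image": r"C:\Program Files\Hola\HolaMonitorService.exe"},
    {"id": 7045, "service": "hola_svc", "signed": True,
     "image": r"C:\Program Files\Hola\hola.exe"},
    {"id": 5007, "message": "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender"
                            "\\Exclusions\\Paths\\C:\\Program Files\\Hola = 0x0"},
    {"id": 5007, "message": "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender"
                            "\\Scan\\ScanParameters = 0x2"},
]


def in_install_dir(image_path: str) -> bool:
    """True when the service binary sits under a standard install directory."""
    return image_path.strip('"').lower().startswith(INSTALL_DIRS)


def hunt(events):
    """Return (rule, subject, detail) tuples for records matching either hunt rule."""
    findings = []
    for ev in events:
        if ev["id"] == SERVICE_INSTALLED:
            # Unknown service name + binary in an install dir + unsigned binary.
            if (ev["service"] not in KNOWN_SERVICES
                    and in_install_dir(ev["image"]) and not ev.get("signed", False)):
                findings.append(("unsigned_service_in_install_dir",
                                 ev["service"], ev["image"]))
        elif ev["id"] == DEFENDER_CONFIG_CHANGED and "\\Exclusions\\" in ev["message"]:
            # Only exclusion-list edits are interesting; other 5007 changes are noise.
            changed_key = ev["message"].split("New value: ", 1)[-1].split(" = ", 1)[0]
            findings.append(("defender_exclusion_changed", changed_key, ""))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {subject} {detail}".rstrip())
```

Feed the same function records normalised from a SIEM export of the System and Defender/Operational logs, joined to file-signature telemetry, and tune `KNOWN_SERVICES` to the estate.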