Shadowsocks Miner Trojan
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Popularity Rank: | 20,280 |
| Threat Level: | 90 % (High) |
| Infected Computers: | 472 |
| First Seen: | October 10, 2017 |
| Last Seen: | February 4, 2026 |
| OS(es) Affected: | Windows |
The Shadowsocks Miner Trojan is a detection name given to a program that is used for mining digital crypto-currencies like Monero, Dashcoin, DarkNetCoin and others. The Shadowsocks Miner Trojan is a CPU reliant miner that is very similar to the Moloko CPU Miner and the Gplyra Miner that we covered earlier in 2017. The Shadowsocks Miner Trojan is a threat that was discovered on October 10th, 2017. Computer security researchers alert that the Shadowsocks CPU Miner may be deployed to systems via software bundles and manual hacking of targeted computers. The Shadowsocks Miner Trojan is observed to hijack a little more than 70% of the compromised system's resources for its needs. PC users may notice clues that point to an infection with the Shadowsocks Miner Trojan that include:
- The window resizing may be slow.
- The games may not run smoothly.
- The videos may stutter and open slower.
- Yje program launching may be delayed.
You may be interested to know that the Shadowsocks Miner Trojan appears to be using a modified copy of the Shadowsocks open-source proxy service for its network communications. Hence, the creator of the Shadowsocks Miner Trojan can hide the source of commands to the Trojan. Researchers reported that the Shadowsocks Miner Trojan might be listed as 'Websock.exe' in the Task Manager and feature the description 'CPU Utility.' Soon after 'Websock.exe' is loaded, users may notice a second process dubbed 'Service.exe,' which has the description 'taskxmr.' Both processes are connected to the Shadowsocks Miner Trojan and serve as a communication module and the engine that handles the digital mining operations.
The rise in prices for Bitcoin and other digital currencies, as well as the expanding support for digital payments recorded from February 2017 to September 2017, may explain why we are seeing many new Trojan miners on the threat landscape. It is not surprising that threat creators may seek to take advantage of the modern day "Gold fever" and use spam emails, zero-day exploits and fake software updates to spread programs like the Shadowsocks Miner Trojan. It is recommended that PC users employ the services of a reputable anti-malware solution that can prevent Trojan miners from hijacking your system resources for the benefit of Black Hat hackers.
Table of Contents
Analysis Report
General information
| Family Name: | Trojan.Zegost.F |
|---|---|
| Signature status: | No Signature |
Known Samples
Known Samples
This section lists other file samples believed to be associated with this family.|
MD5:
f925e64ea86b4dbf9940e5ad4264c163
SHA1:
090f9a26d04da3727c067af15511b6afe5ef24d7
SHA256:
FE27FC9C18EA97AD932ED79BF4F662AC935C2FBCCAB1F685273DD7C60E9F3AF5
File Size:
2.45 MB, 2453670 bytes
|
|
MD5:
82c05c81b7a5dec2a32e14b364856fb0
SHA1:
128e66307776ff494f59ab6c0800d45d804aa36a
SHA256:
08DA684E9DA2E772C11BE2A7853D21B100D5ADA01DA380D20EFB172692D47F21
File Size:
225.20 KB, 225197 bytes
|
|
MD5:
e6df7038c5be94c2d36118a1089cfd2b
SHA1:
fe1b8e99d60738aaee3b69a91001acea238215de
SHA256:
9E0E15E06DF4CA6BFC957A874922EFF4AE08E1C671A7B00FB345C7CF7E427428
File Size:
1.26 MB, 1261606 bytes
|
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
Show More
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
File Traits
- big overlay
- No Version Info
- x86
Block Information
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.| Total Blocks: | 15 |
|---|---|
| Potentially Malicious Blocks: | 0 |
| Whitelisted Blocks: | 13 |
| Unknown Blocks: | 2 |
Visual Map
? - Unknown Block
x - Potentially Malicious Block
