// investigation guide

cryptojacking — methodology

cryptojacking is not generic malware response. it is unauthorized compute theft: someone else is burning your CPU, GPU, and cloud bill to mine Monero or similar coins while pretending the workload is normal. delivery is often supply-chain poison — npm postinstall scripts, compromised containers, stolen SSH keys — not phishing attachments. persistence masquerades as svchost, systemd helpers, or cron. payout is hashrate to a stratum pool at 198.51.100.77:3333, not ransomware notes. the first hours are not about AV cleanup. they are about preserving memory, connection logs, and package manifests before reboot-as-fix destroys the only copy of the miner. your job is process lineage, memory-resident miner artifacts, and pool beaconing while the box still tells the truth.

what evidence exists and how fast it dies

artifact | volatility | time to loss
process memory (full or targeted dump) | volatile | minutes on reboot or OOM kill
EPROCESS / live process tree | volatile | lost on reboot; miner may respawn from persistence
in-memory miner config (pool, wallet, worker) | volatile | gone when xmrig process exits
firewall / netflow connection logs | persistent (rolling) | 7–90 days depending on retention; shorter on dev tiers
DNS resolver logs | persistent (rolling) | hours to 30 days; often first budget cut
cloud CPU / billing metrics | persistent (rolling) | 14–90 days; needed for cost attribution, not miner ID alone
npm lockfile + node_modules on disk | persistent | deleted on npm ci, container rebuild, or panic rm -rf
scheduled tasks / cron / systemd units | persistent | removed when actor cleans up or admin reimages
Security.evtx process creation (4688) | persistent until rotation | hours if log cleared or retention shrunk

the first 10 minutes

  1. isolate the host at the network layer — security group deny, hypervisor vSwitch ACL, or physical unplug. do not reboot yet; memory is your best artifact.
  2. record exact UTC time the CPU alert fired, billing anomaly opened, and any npm install or deploy that preceded the spike.
  3. capture a full memory dump or targeted dump of the hot process if your IR toolkit allows it on a live Linux or Windows dev server.
  4. export firewall, VPC flow, or host connection logs covering at least 72 hours before the alert — stratum keepalives are periodic and easy to miss in a one-hour slice.
  5. pull DNS resolver logs from the host, forwarder, or cloud DNS audit for the same window.
  6. snapshot running process list, open ports, and CPU per process — even a phone photo of top/htop beats nothing if memory capture fails.
  7. copy package manifests intact: package-lock.json, yarn.lock, pnpm-lock.yaml, and the offending package folder under node_modules before npm ci or a container rebuild destroys them.
  8. export scheduled tasks (Windows), crontab (Linux), and systemd unit files — miners love postinstall + scheduled respawn pairs.
  9. preserve cloud billing and utilization exports (Cost Explorer, Azure Cost Management, GCP billing CSV) for the affected instance and sibling dev fleet.
  10. begin the path below on forensic copies of dumps and logs, not on the live miner still hashing toward someone else's wallet.

the path

  1. process tree rebuilder

    memory dump with EPROCESS pool tags. reconstructs parent/child chains — svchost → powershell → xmrig is the Vega tell — and flags orphaned or masquerading branches that Task Manager flattens.

    why first: cryptojackers hide miners under trusted parents. the tree anchors who spawned whom before you carve binaries or chase network noise.
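added example, not the guide's tooling: a small Python rebuild of the parent/child tree from a flat pid/ppid/image listing, which is what a triage export or a memory-parsed process list gives you. it reports the full lineage of any known miner image and any image whose parent is not the one expected on a Windows host (the svchost-not-under-services.exe case). the listing, the expected-parent table and the miner image names are constructed assumptions for this example.

```python
"""added example, not part of the guide: rebuild a process tree from a flat
pid/ppid/image listing and flag (a) known miner images with their full
lineage and (b) images whose parent is not the one expected on a Windows
host. the listing, the expected-parent table and the miner name set are
constructed assumptions for this example."""
from collections import defaultdict

# constructed sample listing: (pid, ppid, image) as a triage export would give it
SAMPLE_PROCS = [
    (4, 0, "System"),
    (520, 4, "smss.exe"),
    (640, 520, "wininit.exe"),
    (728, 640, "services.exe"),
    (900, 728, "svchost.exe"),          # legitimate: parented by services.exe
    (1304, 900, "powershell.exe"),      # loader spawned under svchost
    (1377, 1304, "xmrig.exe"),          # the miner
    (2100, 1, "svchost.exe"),           # parent pid gone: orphan / masquerade
    (3002, 728, "svchost.exe"),
    (3100, 3002, "WmiPrvSE.exe"),
]

# assumption: expected parent image per child image (lower-case keys)
EXPECTED_PARENT = {"svchost.exe": {"services.exe"}, "smss.exe": {"System"},
                   "wininit.exe": {"smss.exe"}, "services.exe": {"wininit.exe"}}
# assumption: image names that are miners on sight
MINER_IMAGES = {"xmrig.exe", "xmrig", "minerd", "kdevtmpfsi"}


def build_tree(procs):
    """map pid -> (ppid, image) and ppid -> [child pids]"""
    by_pid = {pid: (ppid, image) for pid, ppid, image in procs}
    children = defaultdict(list)
    for pid, ppid, _ in procs:
        children[ppid].append(pid)
    return by_pid, children


def lineage(by_pid, pid):
    """image names from the root down to pid; stops on a missing parent or a cycle"""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ppid, image = by_pid[pid]
        chain.append(image)
        pid = ppid
    return chain[::-1]


def findings(procs):
    """list of (kind, pid, detail) worth a second look"""
    by_pid, _ = build_tree(procs)
    out = []
    for pid, ppid, image in procs:
        low = image.lower()
        if low in MINER_IMAGES:
            out.append(("miner", pid, " -> ".join(lineage(by_pid, pid))))
        if low in EXPECTED_PARENT:
            parent = by_pid[ppid][1] if ppid in by_pid else "<missing>"
            if parent not in EXPECTED_PARENT[low]:
                out.append(("unexpected-parent", pid, f"{parent} -> {image}"))
    return out


def render(procs, root=0, indent=0, _tree=None):
    """indented tree text from the given root for the report appendix;
    orphans whose parent is missing do not hang off root 0 and are
    surfaced by findings() instead"""
    by_pid, children = _tree or build_tree(procs)
    lines = []
    for pid in sorted(children.get(root, [])):
        lines.append("  " * indent + f"{pid} {by_pid[pid][1]}")
        lines.extend(render(procs, pid, indent + 1, (by_pid, children)))
    return lines


if __name__ == "__main__":
    print("\n".join(render(SAMPLE_PROCS)))
    for kind, pid, detail in findings(SAMPLE_PROCS):
        print(f"[{kind}] pid {pid}: {detail}")
```

on a real case the listing comes from whatever parsed the dump; the two rules stay the same, and the expected-parent table is where you encode what is normal for that build of the host.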

  2. memory pe extractor

    same memory slice. scans for PE headers, carves embedded executables, rebuilds structure for hash and static follow-up. catches fileless XMRig stubs never written to disk.

    why second: npm postinstall droppers often live only in RAM. carving gives you a portable artifact when Autoruns shows nothing suspicious.

  3. memory entropy analyzer

    block-level Shannon entropy across the dump. heatmaps packed miner regions, injected code caves, and XOR-obfuscated config blobs adjacent to the process you already flagged.

    why third: high-entropy clusters separate miner payloads from normal heap noise. narrows where the in-memory configuration extractor should hunt.

  4. in-memory malware configuration extractor

    process memory dump. XOR-decodes JSON/XML config blocks — pool_url, wallet address, campaign tag, worker name — from carved regions and string scans.

    why fourth: stratum endpoints in memory beat guessing from firewall IPs alone. wallet and campaign fields tie the host to a specific operator playbook.
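added example covering steps 3 and 4 together, not the guide's tooling: block-level Shannon entropy over a memory region, then a single-byte XOR brute force over the hot blocks and their right-hand neighbour looking for a flat JSON config carrying pool_url and wallet keys. the region (low-entropy filler, a seeded pseudo-random area standing in for packed code, an XOR-obfuscated config) is constructed; the block size, the 6.0 bits/byte threshold and the single-byte-XOR assumption are choices made for this example, and the wallet value is a placeholder.

```python
"""added example, not part of the guide: block-level shannon entropy over a
memory region, then a single-byte XOR brute force over the hot blocks and
their right-hand neighbour looking for a JSON miner config with pool_url and
wallet keys. the region (filler, a pseudo-random 'packed' area, an
XOR-obfuscated config) is constructed; block size, threshold and the
single-byte-XOR assumption are choices for this example."""
import json
import math
import random
import re
from collections import Counter

BLOCK = 256             # assumption: entropy block size in bytes
HIGH_ENTROPY = 6.0      # assumption: bits per byte above which a block is "hot"
CONFIG_KEYS = (b"pool_url", b"wallet")


def shannon_entropy(data: bytes) -> float:
    """bits per byte; 0.0 for empty or single-valued input, 8.0 is the maximum"""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_map(region: bytes, block: int = BLOCK):
    """[(offset, entropy)] per block, the text form of a heatmap"""
    return [(off, shannon_entropy(region[off:off + block]))
            for off in range(0, len(region), block)]


def hot_blocks(region: bytes, threshold: float = HIGH_ENTROPY, block: int = BLOCK):
    return [off for off, h in entropy_map(region, block) if h >= threshold]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def extract_configs(region: bytes, block: int = BLOCK):
    """[(block offset, xor key, config dict)] for every decodable config found
    in a hot block or the block right after it; a flat JSON object is assumed"""
    found = []
    for off in hot_blocks(region, block=block):
        window = region[off:off + 2 * block]       # hot block plus its neighbour
        for key in range(256):
            plain = xor_bytes(window, key)
            if not all(k in plain for k in CONFIG_KEYS):
                continue
            for m in re.finditer(rb"\{[^{}]*\}", plain):
                try:
                    cfg = json.loads(m.group(0))
                except ValueError:                 # covers bad utf-8 and bad JSON
                    continue
                if isinstance(cfg, dict) and "pool_url" in cfg:
                    found.append((off, key, cfg))
    return found


def build_sample_region() -> bytes:
    """constructed: 1 KiB of low-entropy filler, 512 bytes of seeded
    pseudo-random bytes standing in for packed code, then the config XORed
    with 0x5A; the wallet is a placeholder, not a real address"""
    filler = (b"\x00" * 200 + b"kernel32.dll\x00ntdll.dll\x00") * 4
    packed = random.Random(7).randbytes(512)
    cfg = (b'{"pool_url": "stratum+tcp://198.51.100.77:3333", '
           b'"wallet": "WALLET_PLACEHOLDER", "worker": "vega-dev-01", '
           b'"campaign": "vega-cryptojacking:v1"}')
    return filler.ljust(1024, b"\x00") + packed + xor_bytes(cfg, 0x5A).ljust(256, b"\x00")


if __name__ == "__main__":
    region = build_sample_region()
    for off, h in entropy_map(region):
        print(f"{off:#08x} {h:5.2f} {'#' * int(h * 4)}")
    for off, key, cfg in extract_configs(region):
        print(f"config near {off:#x} xor {key:#04x}: {cfg}")
```

note that the XORed config block itself is not hot: ASCII JSON under a single-byte XOR keeps its low entropy, which is why the scan looks at the neighbour of each hot block rather than only the hot blocks.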

  5. network beaconing detector

    firewall connection log or PCAP export. statistical pass per host: connection intervals, jitter, periodic callback identification. surfaces 198.51.100.77:3333-style stratum keepalives.

    why fifth: miners phone home on a clock. host-level beacon scoring finds the pool session even when DNS and HTTP logs look boring.

  6. beaconing pattern detector

    Zeek conn log or PCAP. deeper periodicity and regularity scores on the flows the process tree already justified. exports interval histograms for handoff.

    why sixth: confirms the ~60s stratum rhythm is intentional automation, not backup software or NTP drift. pairs with the network beaconing detector for defense in depth.

  7. dns query analyzer

    resolver log or DNS slice from PCAP. extracts query names, flags high-frequency lookups and suspicious TLD patterns — pool.vega-miner.example-class hostnames miners resolve before TCP connect.

    why seventh: pool operators rotate IPs; DNS names persist. resolver logs survive longer than ephemeral stratum sessions in some shops.
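added example, not the guide's tooling: per-name query count, cadence, client set and first-seen time from a resolver log, which is what feeds both the IOC table and the onset timeline. the log lines are constructed; the five-query threshold and the label hints (pool, xmr, miner, stratum) are assumptions for this example, and a lexical hint alone is never a finding without the TCP side.

```python
"""added example, not part of the guide: per-name query frequency and
cadence from a resolver log, with first-seen time for the onset timeline.
the log lines are constructed; the frequency threshold and the label hints
are assumptions for this example."""
import statistics
from collections import defaultdict
from datetime import datetime, timezone

LOG_FMT = "%Y-%m-%dT%H:%M:%SZ"
MIN_QUERIES = 5                                       # assumption
LABEL_HINTS = ("pool", "xmr", "miner", "stratum")     # assumption: lexical only

# constructed resolver log: '<utc ts> <client> <qname> <qtype> <rcode>'
SAMPLE_DNS = """\
2025-01-01T00:00:03Z 10.42.7.19 registry.npmjs.org A NOERROR
2025-01-01T00:00:04Z 10.42.7.19 pool.vega-miner.example A NOERROR
2025-01-01T00:05:04Z 10.42.7.19 pool.vega-miner.example A NOERROR
2025-01-01T00:07:31Z 10.42.7.19 cdn.example.net A NOERROR
2025-01-01T00:10:04Z 10.42.7.19 pool.vega-miner.example A NOERROR
2025-01-01T00:15:04Z 10.42.7.19 pool.vega-miner.example A NOERROR
2025-01-01T00:20:05Z 10.42.7.19 pool.vega-miner.example A NOERROR
2025-01-01T00:22:10Z 10.42.7.20 registry.npmjs.org A NOERROR
2025-01-01T00:25:04Z 10.42.7.19 pool.vega-miner.example A NOERROR
""".splitlines()


def parse(line):
    ts, client, qname, qtype, rcode = line.split()
    when = datetime.strptime(ts, LOG_FMT).replace(tzinfo=timezone.utc)
    return when, client, qname.lower().rstrip("."), qtype, rcode


def summarize(lines):
    """{qname: {count, clients, first_seen, last_seen, mean_interval, tld}}"""
    seen = defaultdict(list)
    for line in lines:
        when, client, qname, _, _ = parse(line)
        seen[qname].append((when, client))
    out = {}
    for qname, hits in seen.items():
        hits.sort()
        times = [w for w, _ in hits]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        out[qname] = {
            "count": len(hits),
            "clients": sorted({c for _, c in hits}),
            "first_seen": times[0].strftime(LOG_FMT),
            "last_seen": times[-1].strftime(LOG_FMT),
            "mean_interval": statistics.fmean(gaps) if gaps else None,
            "tld": qname.rsplit(".", 1)[-1],
        }
    return out


def flag(lines, min_queries=MIN_QUERIES, hints=LABEL_HINTS):
    """{qname: [reasons]} for names worth pulling into the IOC table"""
    flagged = {}
    for qname, s in summarize(lines).items():
        reasons = []
        if s["count"] >= min_queries:
            reasons.append(f"high-frequency: {s['count']} queries")
        if any(h in label for label in qname.split(".") for h in hints):
            reasons.append("label hint")
        if reasons:
            flagged[qname] = reasons
    return flagged


if __name__ == "__main__":
    summary = summarize(SAMPLE_DNS)
    for qname, reasons in flag(SAMPLE_DNS).items():
        s = summary[qname]
        print(f"{qname}: {', '.join(reasons)}; first seen {s['first_seen']} "
              f"from {s['clients']}, mean interval {s['mean_interval']}s")
```

the first-seen value is the one the timeline wants: it sits next to the npm install time and the CPU alert time to show which came first.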

  8. c2 callback interval analyzer

    pool-beacon flow CSV or Zeek conn export. deep interval stats, jitter estimation, framework timing profiles. quantifies the keepalive cadence for reports and cross-case clustering.

    why last: once tree, memory, and DNS are mapped, interval math documents the beacon for billing disputes, LE packages, and fleet-wide hunts for the same operator.
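added example serving steps 5, 6 and 8 together, not the guide's tooling: interval statistics per (src, dst, dport) flow from a firewall connection export, with a jitter estimate, a periodicity score and the interval histogram you would hand off. the log lines are constructed (a ~60s stratum session to 198.51.100.77:3333 next to irregular HTTPS traffic to a documentation-range address); the connection-count threshold, the coefficient-of-variation cutoff and the "periodicity = 1 - cv" score are assumptions made for this example, not a named tool's algorithm.

```python
"""added example, not part of the guide: interval statistics per
(src, dst, dport) flow from a firewall connection export, scoring how
clock-like each flow is. the log lines are constructed; the thresholds and
the 'periodicity = 1 - coefficient of variation' score are assumptions for
this example, not a named tool's algorithm."""
import math
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_FMT = "%Y-%m-%dT%H:%M:%SZ"
MIN_CONNECTIONS = 6   # assumption: fewer connections cannot show a rhythm
MAX_CV = 0.2          # assumption: std/mean above this is not a clock


def _mk(src, dst, dport, offsets):
    """constructed log lines: '<utc ts> src=.. dst=.. dport=.. proto=tcp'"""
    base = datetime(2025, 1, 1, tzinfo=timezone.utc)
    return [f"{(base + timedelta(seconds=o)).strftime(LOG_FMT)} "
            f"src={src} dst={dst} dport={dport} proto=tcp" for o in offsets]


SAMPLE_LOG = sorted(
    # ~60 s keepalives with a few seconds of jitter: the stratum session
    _mk("10.42.7.19", "198.51.100.77", 3333, [0, 61, 119, 181, 240, 299, 361, 420, 479, 541])
    # irregular human-driven HTTPS traffic to a documentation-range address
    + _mk("10.42.7.19", "203.0.113.10", 443, [0, 17, 140, 151, 390, 401, 530])
)


def parse_line(line):
    ts, *kv = line.split()
    f = dict(p.split("=", 1) for p in kv)
    when = datetime.strptime(ts, LOG_FMT).replace(tzinfo=timezone.utc)
    return when, f["src"], f["dst"], int(f["dport"])


def interval_histogram(gaps, bucket=10):
    """{bucket floor: count} so a report can show the 50-60 s spike"""
    h = defaultdict(int)
    for g in gaps:
        h[int(g // bucket) * bucket] += 1
    return dict(sorted(h.items()))


def flow_stats(lines):
    times = defaultdict(list)
    for line in lines:
        when, src, dst, dport = parse_line(line)
        times[(src, dst, dport)].append(when)
    out = {}
    for key, ts in times.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if len(gaps) < 2:
            continue
        mean, sd = statistics.fmean(gaps), statistics.pstdev(gaps)
        cv = sd / mean if mean else math.inf
        out[key] = {
            "connections": len(ts),
            "mean_interval": mean,
            "median_interval": statistics.median(gaps),
            "jitter_sd": sd,
            "cv": cv,
            "periodicity": max(0.0, 1.0 - cv),
            "histogram": interval_histogram(gaps),
        }
    return out


def beacons(lines, min_conn=MIN_CONNECTIONS, max_cv=MAX_CV):
    """flows regular enough and frequent enough to be automation"""
    return {k: v for k, v in flow_stats(lines).items()
            if v["connections"] >= min_conn and v["cv"] <= max_cv}


if __name__ == "__main__":
    for (src, dst, dport), s in beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{dport}  n={s['connections']}  "
              f"median={s['median_interval']:.0f}s  cv={s['cv']:.3f}  "
              f"periodicity={s['periodicity']:.2f}  hist={s['histogram']}")
```

the histogram and the cv are the two numbers that travel: the histogram goes into the handoff package, and the cv is what you compare across hosts when hunting the same operator fleet-wide.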

common false leads

  • "it's a virus, run AV." cryptominers are often classified PUA and ignored. the issue is stolen compute and outbound pool traffic, not desktop ransomware.
  • high CPU means bad hardware or thermal throttling. correlate with new packages, new cron entries, and outbound 3333/4444/5555-class ports before RMAing silicon.
  • legitimate CI, webpack builds, or ML training on a dev server. baseline the job schedule — miners run 24/7 with ~60s network keepalives, builds do not.
  • browser tab cryptojacking only. server-side XMRig in memory does not need a victim browser; do not close the case because Chrome looks clean.
  • DNS to a CDN or analytics domain mistaken for a mining pool. follow through to TCP destinations and interval analysis — pool hostnames and stratum ports tell a different story.
  • reboot fixes performance so the incident is closed. persistence via postinstall or scheduled task respawns the miner; you lost memory and kept the backdoor.

what we can tell you, what we can't

we can tell you:

  • process parent/child chains from memory dumps — svchost → powershell → xmrig patterns included
  • carved PE stubs and embedded executables from volatile memory when headers survive
  • high-entropy regions suggesting packed or injected miner code
  • in-memory pool URLs, wallet addresses, worker names, and campaign tags when encoded in the dump
  • statistical beaconing and periodic callback intervals from firewall or Zeek exports
  • DNS query frequency and suspicious hostname shapes from resolver logs or PCAP DNS slices
  • documented interval profiles suitable for fleet hunts and LE handoff packages

we can't tell you:

  • recover cloud spend. billing disputes are finance and provider abuse desks — we produce technical proof of unauthorized workload, not credits.
  • attribute the wallet to a named individual. blockchain analysis and legal process live elsewhere.
  • prove criminal intent in court. that is counsel and law enforcement.
  • capture live memory from our browser tools. you collect on the endpoint; we analyze offline exports you bring.
  • guarantee every fileless miner carves cleanly. heavily obfuscated or kernel-mode miners may leave gaps — network and DNS evidence still matter.

handing it off

  • cloud provider abuse / trust & safety: instance ID, region, stratum IP:port, wallet if extracted, npm package name and version, UTC install window, firewall log excerpts.
  • law enforcement / IC3: unauthorized access narrative, persistence mechanism, pool and DNS IOCs, billing loss estimate, memory carve hashes — not just "slow server."
  • npm registry / package maintainer: lockfile diff, postinstall script text, tarball hash if you preserved node_modules — supply-chain poison needs upstream notification.
  • finance / FinOps: cost anomaly timeline tied to technical onset — they need dates and instance tags, not entropy heatmaps.
  • outside counsel: chain-of-custody on memory dumps and logs if litigation, insurance, or customer notification follows a compromised dev pipeline.
  • platform engineering / SRE: scoped kill of the persistence mechanism — scheduled task, poisoned package version pin, container base image tag — after evidence is copied, not before.

package artifacts as UTC timelines, IOC tables (pool IP, port, wallet, DNS names), carved binary hashes, and one-page executive summary. technical depth belongs in appendices; recipients want onset time and blast radius first.

further reading

reference investigation

synthetic fixture vega-cryptojacking — Vega Cloud dev server vega-dev-01 (10.42.7.19) at 98% CPU for 72 hours after a poisoned npm postinstall dropped XMRig. persistence via scheduled task + svchost-spawned PowerShell loader. process tree svchost → powershell → xmrig. stratum keepalives to 198.51.100.77:3333 every ~60s. DNS lookups for pool.vega-miner.example. in-memory miner config with pool_url, wallet, and campaign fields. seed vega-cryptojacking:v1. compare output via npm run check:flagship.

fixture download: evidence zip · proof page: /forensics/proof/vega-cryptojacking · case playbook: case type tools
