Security home

 

Home / malwarePDF  

Trojan:PowerShell/WannaMine.A


First posted on 09 February 2018.
Source: Microsoft

Aliases :

There are no other names known for Trojan:PowerShell/WannaMine.A.

Explanation :

This threat is a form of a fileless malware attack which involves invoking Windows Management Instrumentation (WMI) objects and scheduling clean-up tasks through PowerShell without your consent.

Installation


We have observed this threat being distributed through EternalBlue exploit and Mimikatz.

This threat registers permanent events, to persist in your PC, relating instances with the following event filter named:

  • DCMEventLog

This threat also creates the Thread Mutex, MMLOLSacnner after a succesful connection to port 9.9.9.9.



WMI Object values:
  • i17 – network scanning information
  • ipsu – network scanning information
  • funs – EternalBlue exploit distrubution
  • mimi – Mimikatz malware distribution
  • mon – Monero CPU minner
  • sc – yastcat scheduled task (clean-up %system%\temp\y1.bat)
  • vcp – downloads msvcp120.dll
  • vcr – downloads msvcr120.dll


Payload

Connects to a remote host

We have seen this threat connect to a remote host, including the following IPs:
  • 93[.]174[.]93[.]73
  • 195[.]22[.]129[.]157
In this case, this threat downloads the following information from the following port:
  • /info3.ps1 (port: 8000)
  • /api.php?data= (port: 8000)


Malware connects to a remote host to allow backdoor access and control of and send stolen information from your PC to the malicious hacker or cybercriminal.

Allows backdoor access and control

This threat can give a malicious hacker access and control of your PC. They can then perform a number of different actions, such as:
  • Downloading and uploading files
  • Enumerating running processes
  • Executing arbitrary commands
  • Gathering system information such as IP address and computer name
  • Changing some of your device settings

Last update 09 February 2018

 

TOP

Malware :

Family: