
TrojanDownloader:PowerShell/CoinMiner


First posted on 01 March 2018.
Source: Microsoft

Aliases:

There are no other names known for TrojanDownloader:PowerShell/CoinMiner.

Explanation:

Installation

This threat is downloaded from two URLs:

  • URL containing a miner:
    http[:]//94.177.123.123/css/6Ov4ZHOg.exe
  • URL containing the threat itself (a PowerShell script):
    http[:]//94.177.123.123/css/bootstrap.css


It saves the downloaded files to the following locations:
  • Miner:
    %ProgramData%\spoosvc.exe
  • PowerShell script:
    %ProgramData%\msupdate.ps1




Payload

Downloads and runs malware

This threat can download and run a miner component that mines Monero cryptocurrency using your PC without your consent.

When run, this threat also adds the following scheduled task, without your consent, to ensure that it runs at system startup:

"Spooler SubSystem Service"
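Detection logic for the three indicator types this entry lists (the distribution URLs, the two drop locations under %ProgramData%, and the scheduled task name), as an added example that is not part of the Microsoft entry. It assumes endpoint and proxy telemetry has already been normalised into the simple event dicts shown, and that %ProgramData% expands to its default location C:\ProgramData.

```python
import re
from urllib.parse import urlsplit

# Indicators stated in the entry above (the URLs are defanged there; "[:]" is undone here).
TASK_NAME = "spooler subsystem service"
DOWNLOAD_HOST = "94.177.123.123"
DOWNLOAD_PATHS = {"/css/6ov4zhog.exe", "/css/bootstrap.css"}
# %ProgramData% written literally or expanded to its default location (assumption: C:\ProgramData).
DROP_FILE_RE = re.compile(
    r"^(?:%programdata%|c:\\programdata)\\(spoosvc\.exe|msupdate\.ps1)$", re.IGNORECASE
)


def match_event(event):
    """Return a finding string for one normalised event dict, or None if it is not an indicator."""
    kind = event.get("type")
    if kind == "task_created":
        # Security event 4698 reports the task path with a leading backslash, e.g. "\Spooler SubSystem Service".
        name = event.get("task_name", "").lstrip("\\")
        if name.lower() == TASK_NAME:
            return f"persistence: scheduled task '{name}' created"
    elif kind == "file_created":
        if DROP_FILE_RE.match(event.get("path", "")):
            return f"dropped component: {event['path']}"
    elif kind == "http_request":
        # Lower-cased before matching so casing differences in the logged URL do not hide a hit.
        parts = urlsplit(event.get("url", "").lower())
        if parts.hostname == DOWNLOAD_HOST and parts.path in DOWNLOAD_PATHS:
            return f"download from distribution URL: {event['url']}"
    return None


def scan(events):
    """Run every event through match_event and return the findings in order."""
    return [f for f in (match_event(e) for e in events) if f]


# Constructed sample telemetry (not real logs): three indicator hits among benign noise.
SAMPLE_EVENTS = [
    {"type": "http_request", "url": "http://94.177.123.123/css/bootstrap.css"},
    {"type": "http_request", "url": "http://example.com/css/bootstrap.css"},
    {"type": "file_created", "path": "C:\\ProgramData\\msupdate.ps1"},
    {"type": "file_created", "path": "C:\\ProgramData\\Microsoft\\Windows\\Caches\\cache.dat"},
    {"type": "task_created", "task_name": "\\Spooler SubSystem Service"},
    {"type": "task_created", "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```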





Analysis by Alden Pornasdoro

Last update 01 March 2018
