Trojan:PowerShell/WannaMine
First posted on 09 February 2018.
Source: Microsoft
Aliases:
There are no other names known for Trojan:PowerShell/WannaMine.
Explanation:
This threat is a form of fileless malware attack that invokes Windows Management Instrumentation (WMI) objects and schedules clean-up tasks through PowerShell without your consent.
Installation
We have observed this threat being distributed through the EternalBlue exploit and Mimikatz.
To persist on your PC, this threat registers permanent WMI event subscriptions, binding instances to event filters with the following names:
- DSMEventLog
- DCMEventLog
This threat also creates the thread mutex MMLOLSacnner after a successful connection to port 9.9.9.9.
WMI Object values:
- i17 – network scanning information
- ipsu – network scanning information
- funs – EternalBlue exploit distribution
- mimi – Mimikatz malware distribution
- mon – Monero CPU miner
- sc – yastcat scheduled task (clean-up %system%\temp\y1.bat)
- vcp – downloads msvcp120.dll
- vcr – downloads msvcr120.dll
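The persistence described above lives in the root\subscription WMI namespace as an __EventFilter, an __EventConsumer and an __FilterToConsumerBinding joining them. The following script is an added defender-side example, not part of Microsoft's analysis: it enumerates every binding on a host, resolves the filter query and the consumer payload, and flags the two filter names this page attributes to the threat. It assumes Windows PowerShell 5.1 (Get-WmiObject) run with administrative rights.

```powershell
# Added example: audit WMI permanent event subscriptions and flag the filter
# names listed on this page (DSMEventLog, DCMEventLog). Not the analysis's own code.
$SuspiciousFilterNames = @('DSMEventLog', 'DCMEventLog')   # names taken from the page
$ns = 'root\subscription'

$filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
$consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer
$bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

foreach ($b in $bindings) {
    # Filter/Consumer are WMI object paths such as __EventFilter.Name="DSMEventLog";
    # pull the Name key out of each path so we can look up the referenced objects.
    $filterName   = [regex]::Match($b.Filter,   'Name="([^"]+)"').Groups[1].Value
    $consumerName = [regex]::Match($b.Consumer, 'Name="([^"]+)"').Groups[1].Value
    $f = $filters   | Where-Object { $_.Name -eq $filterName }
    $c = $consumers | Where-Object { $_.Name -eq $consumerName }

    # The consumer class tells us what runs when the filter fires; the two
    # script-capable classes carry their payload in different properties.
    $payload = switch ($c.__CLASS) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $c.ScriptText }
        default                     { "<$($c.__CLASS): no inline payload>" }
    }

    $status = if ($SuspiciousFilterNames -contains $filterName) { 'SUSPICIOUS' } else { 'review' }

    [pscustomobject]@{
        Status   = $status
        Filter   = $filterName
        Query    = $f.Query            # WQL trigger, e.g. a timer or process-start event
        Consumer = "$consumerName ($($c.__CLASS))"
        Payload  = $payload
    }
}
```

A clean workstation usually has no bindings at all in root\subscription, so any row is worth reading; a flagged row whose payload launches powershell.exe matches the behaviour this page describes.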
Payload
Connects to a remote host
We have seen this threat connect to a remote host, including the following IPs:
- 93[.]174[.]93[.]73
- 195[.]22[.]129[.]157
In this case, this threat downloads the following information from the following port:
- /info3.ps1 (port: 8000)
- /api.php?data= (port: 8000)
Malware connects to a remote host to allow backdoor access to and control of your PC, and to send information stolen from your PC to the malicious hacker or cybercriminal.
Allows backdoor access and control
This threat can give a malicious hacker access and control of your PC. They can then perform a number of different actions, such as:
- Downloading and uploading files
- Enumerating running processes
- Executing arbitrary commands
- Gathering system information such as IP address and computer name
- Changing some of your device settings
This analysis was published using the following file SHA1: F5493BF0C7F0CEE670BEB455D2C3B0BBEDE9F3DC692BC32F2138B6A3379DA952
Last update 09 February 2018