Trojan:PowerShell/Wannamine

This threat is a form of a fileless malware attack which involves invoking Windows Management Instrumentation (WMI) objects and scheduling clean-up tasks through PowerShell without your consent. 

Installation

We have observed this threat being distributed through EternalBlue exploit and Mimikatz. 

This threat registers permanent events, to persist in your PC, relating instances with the following event filters named:

• DSMEventLog
• DCMEventLog  

WMI  Object values:

• i17  – network scanning information
• ipsu – network scanning information
• funs –  EternalBlue exploit distrubution
• mimi –  Mimikatz malware  distribution
• mon – Monero CPU minner
• sc – yastcat scheduled task (clean-up %system%\temp\y1.bat)
• vcp – downloads msvcp120.dll
• vcr – downloads msvcr120.dll

Payload

Connects to a remote host

We have seen this threat connect to a remote host, including the following IPs:

• 93[.]174[.]93[.]73
• 195[.]22[.]129[.]157
  

• /info3.ps1 (port: 8000)
• /api.php?data= (port: 8000)

Malware connects to a remote host to allow backdoor access and control of and send stolen information from your PC to the malicious hacker or cybercriminal.

Allows backdoor access and control

This threat can give a malicious hacker access and control of your PC. They can then perform a number of different actions, such as:

• Downloading and uploading files
• Enumerating running processes
• Executing arbitrary commands
• Gathering system information such as IP address and computer name
• Changing some of your device settings