Win32/CoinMiner [Threat Name]

Win32/CoinMiner.YB [Threat Variant Name]

Category trojan
Size 424960 B
Detection created Jun 18, 2015
Detection database version 11808
Aliases Trojan.Win32.Miner.azd (Kaspersky)
  Trojan:Win32/Adylkuzz.D (Microsoft)
  Trojan.Adylkuzz (Symantec)
Short description

Win32/CoinMiner.YB is a trojan that uses the hardware resources of the infected computer for mining the Monero digital currency.

Installation

When executed, the trojan copies itself into the following location:

  • %programfiles%\Hardware Driver Management\windriver.exe

The trojan registers itself as a system service using the following name:

  • Windows Hardware Driver Management

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WHDMIDE]
    • "Description" = "Windows Hardware Driver Management Instrumentation Driver Extensions"
    • "DisplayName" = "Windows Hardware Driver Management"
    • "ErrorControl" = 0
    • "FailureActions" = 100E0000000000000000000001000000140000000100000060EA0000
    • "ImagePath" = "%programfiles%\Hardware Driver Management\windriver.exe --server"
    • "ObjectName" = "LocalSystem"
    • "Start" = 2
    • "Type" = 16
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\WHDMIDE]
    • "Description" = "Windows Hardware Driver Management Instrumentation Driver Extensions"
    • "DisplayName" = "Windows Hardware Driver Management"
    • "ErrorControl" = 0
    • "FailureActions" = 100E0000000000000000000001000000140000000100000060EA0000
    • "ImagePath" = "%programfiles%\Hardware Driver Management\windriver.exe --server"
    • "ObjectName" = "LocalSystem"
    • "Start" = 2
    • "Type" = 16

The service is registered for automatic start ("Start" = 2) under the LocalSystem account, so the trojan is executed with SYSTEM privileges on every system start.


The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Winmgmt\Parameters]
    • "ServiceDllUnloadOnStop" = %variable%

The variable %variable% represents a number in the range 0-1.


The following Registry entry is deleted:

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\WDI\Config]
    • "ServerName"

After the installation is complete, the trojan deletes the original executable file.
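The service configuration above can be checked offline from a `reg export` of the services key, which is how a responder would verify the persistence without running the sample. The following is an added example, not code from the ESET write-up or from the malware: it parses .reg export text, decodes the REG_BINARY "FailureActions" blob as the SERVICE_FAILURE_ACTIONS structure Windows stores there, and flags the indicators listed in this section. The SAMPLE_REG text is constructed from the values on this page (it is not a real capture), and the function names and hit wording are this example's own.

```python
"""Offline triage of a `reg export` dump for the WHDMIDE service described above.

Added example; not code from the ESET write-up. It parses .reg export text,
decodes the REG_BINARY FailureActions blob as a SERVICE_FAILURE_ACTIONS
structure, and flags the indicators the page lists. SAMPLE_REG is constructed
from the page's values, not a real capture; rule wording and function names
are this example's own.
"""
import re
import struct

# Constructed sample in `reg export` syntax, built from the values listed on the page.
# Long hex values are wrapped with a trailing "\" exactly as regedit exports them.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WHDMIDE]
"Description"="Windows Hardware Driver Management Instrumentation Driver Extensions"
"DisplayName"="Windows Hardware Driver Management"
"ErrorControl"=dword:00000000
"FailureActions"=hex:10,0e,00,00,00,00,00,00,00,00,00,00,01,00,00,00,14,00,00,\
  00,01,00,00,00,60,ea,00,00
"ImagePath"="%programfiles%\\Hardware Driver Management\\windriver.exe --server"
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000010
'''

SC_ACTION_NAMES = {0: "NONE", 1: "RESTART", 2: "REBOOT", 3: "RUN_COMMAND"}
WHDMIDE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WHDMIDE"


def decode_value(raw):
    """Decode one .reg value: "REG_SZ", dword:, hex: (REG_BINARY) or hex(2): (REG_EXPAND_SZ)."""
    if raw.startswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):  # REG_EXPAND_SZ is exported as UTF-16LE bytes
        return bytes.fromhex(raw[7:].replace(",", "")).decode("utf-16-le").rstrip("\x00")
    if raw.startswith("hex:"):
        return bytes.fromhex(raw[4:].replace(",", ""))
    return raw


def parse_reg_export(text):
    """Return {key_path: {value_name: decoded value}} from .reg export text."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # re-join wrapped hex lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = decode_value(raw)
    return keys


def decode_failure_actions(blob):
    """SERVICE_FAILURE_ACTIONS as stored in the registry: five DWORDs
    (dwResetPeriod, lpRebootMsg, lpCommand, cActions, lpsaActions offset)
    followed by cActions SC_ACTION {Type, Delay in ms} pairs at that offset."""
    reset_s, _msg, _cmd, count, offset = struct.unpack_from("<5I", blob, 0)
    actions = [struct.unpack_from("<2I", blob, offset + 8 * i) for i in range(count)]
    return {"reset_period_s": reset_s,
            "actions": [(SC_ACTION_NAMES.get(t, t), delay) for t, delay in actions]}


def triage_service(values):
    """Apply the page's indicators to one service key; returns the list of hits."""
    hits = []
    image = values.get("ImagePath", "")
    if re.search(r"hardware driver management\\windriver\.exe", image, re.I):
        hits.append("ImagePath runs windriver.exe from 'Hardware Driver Management'")
    if "--server" in image:
        hits.append("ImagePath passes --server")
    if values.get("ObjectName") == "LocalSystem" and values.get("Start") == 2:
        hits.append("auto-start (Start=2) as LocalSystem: runs at every boot")
    fa = values.get("FailureActions")
    if isinstance(fa, bytes):
        decoded = decode_failure_actions(fa)
        for name, delay_ms in decoded["actions"]:
            if name == "RESTART":
                hits.append(f"SCM restarts it {delay_ms // 1000}s after abnormal termination "
                            f"(failure count resets after {decoded['reset_period_s']}s)")
    return hits


def triage_export(text):
    """{key_path: hits} for every services\\<name> key in the export with at least one hit."""
    report = {}
    for key, values in parse_reg_export(text).items():
        if "\\services\\" in key.lower():
            hits = triage_service(values)
            if hits:
                report[key] = hits
    return report


if __name__ == "__main__":
    for key, hits in triage_export(SAMPLE_REG).items():
        print(key)
        for hit in hits:
            print("  -", hit)
```

Against the page's values the FailureActions blob decodes to one SC_ACTION_RESTART with a 60000 ms delay and a 3600 s reset period, i.e. the Service Control Manager relaunches windriver.exe a minute after it is killed, which is why stopping the process alone does not remove the miner. A real `reg export` file is UTF-16 with a BOM, so read it with `open(path, encoding="utf-16")`, and export both ControlSet001 and ControlSet002 (or CurrentControlSet) since the page lists the key under both.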

Information stealing

The trojan collects the following information:

  • installed antivirus software
  • computer IP address
  • malware version
  • information about the operating system and system settings
  • CPU information
  • amount of operating memory

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (6) URLs. It listens on TCP port 1031. The HTTP protocol is used in the communication.


It downloads the other part of the infiltration.


The file is stored in the following location:

  • %programfiles%\Microsoft.NET\Primary Interop Assemblies\LMS.dat

The file is then executed.


The trojan may create the following files:

  • %programfiles%\Hardware Driver Management\id.txt
  • %temp%\%variable%_Miner_.log

A string with variable content is used instead of %variable%.


The trojan uses the hardware resources of the infected computer for mining the Monero digital currency.


The trojan may execute the following commands:

  • cmd.exe /c taskkill /f /im LMS.dat
