
Smominru And WannaMine Cryptominer Botnets

Updated 08-10-2019 – Updated IOC list.

New malware has been observed that enrols devices into botnets, known as Smominru and WannaMine, for the purpose of mining cryptocurrency.

Smominru and WannaMine are very similar, with only slight differences in operation. Both are fileless, using Windows Management Instrumentation (WMI) scripting to maintain persistence across reboots, and both propagate with the EternalBlue SMB exploit. WannaMine additionally deploys the Mimikatz credential harvester before moving on to another device.

Unlike other cryptomining malware, Smominru and WannaMine heavily impact a system's resources: the attackers behind them appear to prefer mining as fast as possible, driving the CPU so hard that the system may crash.

Indicators of Compromise

IP Addresses

  • 103[.]213[.]246[.]23
  • 103[.]95[.]28[.]54
  • 139[.]5[.]177[.]10
  • 45[.]58[.]135[.]106
  • 74[.]222[.]14[.]61

URLs

  • ftp[.]oo000oo[.]me
  • js[.]mykings[.]top:280/helloworld[.]msi
  • js[.]mykings[.]top:280/v[.]sct
  • ok[.]xmr6b[.]ru
  • wmi[.]mykings[.]top:8888

Filenames

  • b2.exe
  • item.dat
  • item.rar
  • msief.exe
  • upsupx.exe
  • blueps.txt
  • S.ps1
  • s.txt
  • s.jpg
  • 1.txt
  • 2.txt
  • 3.txt
  • l.txt
  • up.txt
  • my1.bat
  • v.sct
  • 123.bat

SHA256 File Hashes

  • 4958c38ba2d7def9ba44c5382f2c5a41c619d5a5eedfb8ac4697dbf75c306933
  • 6315657fd523118f51e294e35158f6bd89d032b26fe7749a4de985edc81e5f86
  • 674f2df2cdadab5be61271550605163a731a2df8f4c79732481cad532f00525d
  • 790c213e1227adefd2d564217de86ac9fe660946e1240b5415c55770a951abfd
  • 79bcb0b7ba00c4c65bf9b41cfe193fd917d92ab1d41456ac775836cec5cadc9a
  • 7a4f2f2702fababb0619556e67a41d0a09e01fbfdb84d47b4463decdbb360980
  • 7ec433dd0454553b09f11c39944e251e3ee32e4981f52f02adc3011eb0ce6537
  • 80f8ba7992a5dbaa4a2f76263258d5d7bf3bb8994f9e8a4a5294f70ab8e38ea4
  • 8246293a368a1da86aba696bea93460705ca4c40aa4c75dde909b8d9dff5efcb
  • 8c5bb89596cd732af59693b8da021a872fee9b3696927b61d4387b427834c461
  • 9ec520eba82b8eaeb11bc00612748c6db210e6753d8e87905747270ebcfa9eb2
  • a095f60ff79470c99752b73f8286b78926bc46eb2168b3ecd4783505a204a3b0
  • a3bb132ab1ba3e706b90d6fb514504105f174c4e444e87be7bce1995f798044d
  • ab26a859633d1ec68e021226fab47870ed78fc2e6a58c70a7a7060be51247c1d
  • be5e698bd72fd58a8d202e511cf356924f0a1200e91bd25dcb5442e33a7b4f14
  • d5f907f9d2001ee5013c4c1af965467714bbc0928112e54ba35d142c8eab68bf
  • e6fc79a24d40aea81afdc7886a05f008385661a518422b22873d34496c3fb36b
  • e8ddefd237646a47debc01df9aa02fbcae40686f96b7860511c73798c7546201
  • f37a0d5f11078ef296a7c032b787f8fa485d73b0115cbd24d62cdf2c1a810625
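The indicators above are published in defanged form ("[.]" in place of "."), so they cannot be pasted straight into a log search. The following Python script is an added example, not code from the original post: it refangs the indicators, reduces the URL entries to their host names, and matches a constructed set of key=value log lines (DNS queries, outbound connections and process starts with a SHA256) against them. The log format, the sample lines and the 10.0.0.x client addresses are assumptions made for the illustration; only a subset of the post's hashes and filenames is carried over to keep the list short.

```python
import re
from collections import namedtuple

# Indicators copied from the list above, kept in the post's defanged "[.]" form.
# Only a subset of the SHA256 hashes and filenames is included here.
DEFANGED_IOCS = {
    "ip": [
        "103[.]213[.]246[.]23", "103[.]95[.]28[.]54", "139[.]5[.]177[.]10",
        "45[.]58[.]135[.]106", "74[.]222[.]14[.]61",
    ],
    "url": [
        "ftp[.]oo000oo[.]me", "js[.]mykings[.]top:280/helloworld[.]msi",
        "js[.]mykings[.]top:280/v[.]sct", "ok[.]xmr6b[.]ru", "wmi[.]mykings[.]top:8888",
    ],
    "sha256": [
        "4958c38ba2d7def9ba44c5382f2c5a41c619d5a5eedfb8ac4697dbf75c306933",
        "80f8ba7992a5dbaa4a2f76263258d5d7bf3bb8994f9e8a4a5294f70ab8e38ea4",
        "e8ddefd237646a47debc01df9aa02fbcae40686f96b7860511c73798c7546201",
    ],
    "filename": [
        "b2.exe", "item.dat", "item.rar", "msief.exe", "upsupx.exe",
        "S.ps1", "v.sct", "my1.bat", "1.txt", "2.txt",
    ],
}

Hit = namedtuple("Hit", "line_no kind indicator confidence")


def refang(ioc):
    """Turn the post's defanged notation ("[.]") back into a matchable string."""
    return ioc.replace("[.]", ".")


def host_of(url):
    """Host part of a scheme-less URL such as 'js.mykings.top:280/v.sct' (port and path dropped)."""
    return url.split("/", 1)[0].rsplit(":", 1)[0].lower()


def build_index(defanged):
    """Normalise every indicator once so log matching is a set lookup."""
    return {
        "ip": {refang(i) for i in defanged["ip"]},
        "host": {host_of(refang(u)) for u in defanged["url"]},
        "sha256": {h.lower() for h in defanged["sha256"]},
        "filename": {f.lower() for f in defanged["filename"]},
    }


def host_matches(name, hosts):
    """True for an exact host or any subdomain of it; a trailing dot from DNS logs is tolerated."""
    name = name.lower().rstrip(".")
    return any(name == h or name.endswith("." + h) for h in hosts)


# Assumed log format: space-separated key=value pairs, values optionally double-quoted.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    return {k: v.strip('"') for k, v in KV.findall(line)}


def basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def scan(lines, index):
    """Return one Hit per indicator matched; filename-only matches are flagged low confidence."""
    hits = []
    for n, line in enumerate(lines, 1):
        f = parse_kv(line)
        if "query" in f and host_matches(f["query"], index["host"]):
            hits.append(Hit(n, "dns", f["query"].lower().rstrip("."), "high"))
        if f.get("dst") in index["ip"]:
            hits.append(Hit(n, "ip", f["dst"], "high"))
        if f.get("sha256", "").lower() in index["sha256"]:
            hits.append(Hit(n, "sha256", f["sha256"].lower(), "high"))
        elif "image" in f and basename(f["image"]) in index["filename"]:
            # A name alone is weak evidence: upsupx.exe is distinctive, but the post's
            # list also contains 1.txt and 2.txt, which collide with perfectly benign files.
            hits.append(Hit(n, "filename", basename(f["image"]), "low"))
    return hits


# Constructed sample log lines (not real telemetry) covering each indicator type.
SAMPLE_LOGS = [
    'type=dns client=10.0.0.5 query=js.mykings.top.',
    'type=dns client=10.0.0.5 query=update.example.com.',
    'type=conn src=10.0.0.5 dst=45.58.135.106 dport=8888',
    'type=conn src=10.0.0.6 dst=10.0.0.1 dport=445',
    'type=proc image="C:\\Windows\\Temp\\upsupx.exe" sha256=80F8BA7992A5DBAA4A2F76263258D5D7BF3BB8994F9E8A4A5294F70AB8E38EA4',
    'type=proc image="C:\\Users\\bob\\Desktop\\notes\\1.txt" sha256=0000000000000000000000000000000000000000000000000000000000000000',
    'type=proc image="C:\\Windows\\Temp\\msief.exe"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS, build_index(DEFANGED_IOCS)):
        print(hit)
```

Hashes are compared case-insensitively because Sysmon and most EDR tools log them in upper case while the post lists them in lower case. A low-confidence filename hit should be treated as a prompt to pull the file's hash rather than as a detection in itself. Note that the WMI persistence described above leaves no network or file indicator at all; checking the WMI event subscriptions on the host is a separate step that this network-and-file matcher does not cover.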

Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
