Win32/CoinMiner [Threat Name]
Win32/CoinMiner.YB [Threat Variant Name]
Category: trojan
Size: 424960 B
Aliases:
- Trojan.Win32.Miner.azd (Kaspersky)
- Trojan:Win32/Adylkuzz.D (Microsoft)
- Trojan.Adylkuzz (Symantec)
Short description
Win32/CoinMiner.YB is a trojan that uses the hardware resources of the infected computer for mining the Monero digital currency.
Installation
When executed, the trojan copies itself into the following location:
- %programfiles%\Hardware Driver Management\windriver.exe
The trojan registers itself as a system service using the following name:
- Windows Hardware Driver Management
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WHDMIDE]
- "Description" = "Windows Hardware Driver Management Instrumentation Driver Extensions"
- "DisplayName" = "Windows Hardware Driver Management"
- "ErrorControl" = 0
- "FailureActions" = 100E0000000000000000000001000000140000000100000060EA0000
- "ImagePath" = "%programfiles%\Hardware Driver Management\windriver.exe --server"
- "ObjectName" = "LocalSystem"
- "Start" = 2
- "Type" = 16
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\WHDMIDE]
- "Description" = "Windows Hardware Driver Management Instrumentation Driver Extensions"
- "DisplayName" = "Windows Hardware Driver Management"
- "ErrorControl" = 0
- "FailureActions" = 100E0000000000000000000001000000140000000100000060EA0000
- "ImagePath" = "%programfiles%\Hardware Driver Management\windriver.exe --server"
- "ObjectName" = "LocalSystem"
- "Start" = 2
- "Type" = 16
This causes the trojan to be executed on every system start.
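As an added example (not part of the ESET entry), the following Python decodes the FailureActions blob listed above into its SERVICE_FAILURE_ACTIONS fields and flags any service in a registry snapshot whose values match the indicators in this entry; the snapshot dict, the benign comparison service and the `hunt_services` helper are assumptions for illustration.

```python
import struct

# Values reproduced from the service registry entries above; the benign
# comparison service and the snapshot dict are constructed sample data.
SERVICE_NAME = "WHDMIDE"
DISPLAY_NAME = "Windows Hardware Driver Management"
IMAGE_PATH = r"%programfiles%\Hardware Driver Management\windriver.exe --server"
FAILURE_ACTIONS_HEX = "100E0000000000000000000001000000140000000100000060EA0000"
SC_ACTION_NAMES = {0: "SC_ACTION_NONE", 1: "SC_ACTION_RESTART",
                   2: "SC_ACTION_REBOOT", 3: "SC_ACTION_RUN_COMMAND"}

def decode_failure_actions(hex_blob):
    """Decode a REG_BINARY FailureActions value: a serialised 32-bit
    SERVICE_FAILURE_ACTIONS (dwResetPeriod, lpRebootMsg, lpCommand, cActions,
    lpsaActions as a byte offset) followed by cActions SC_ACTION pairs
    (Type, Delay in milliseconds), all little-endian DWORDs."""
    raw = bytes.fromhex(hex_blob)
    reset_s, _msg, _cmd, count, offset = struct.unpack_from("<5I", raw, 0)
    actions = []
    for i in range(count):
        kind, delay_ms = struct.unpack_from("<2I", raw, offset + 8 * i)
        actions.append((SC_ACTION_NAMES.get(kind, f"UNKNOWN_{kind}"), delay_ms))
    return {"reset_period_s": reset_s, "actions": actions}

def hunt_services(services):
    """Return names of services whose values match the indicators above.
    `services` maps a service key name to its registry values, as a
    registry-export or EDR parser would produce them."""
    hits = []
    for name, values in services.items():
        image = str(values.get("ImagePath", "")).lower()
        if (name == SERVICE_NAME
                or values.get("DisplayName") == DISPLAY_NAME
                or "hardware driver management\\windriver.exe" in image):
            hits.append(name)
    return hits

# Constructed snapshot: one ordinary service next to the persistence entry.
SAMPLE_SERVICES = {
    "Spooler": {"DisplayName": "Print Spooler", "Start": 2,
                "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
    "WHDMIDE": {"DisplayName": DISPLAY_NAME, "Start": 2, "Type": 16,
                "ObjectName": "LocalSystem", "ImagePath": IMAGE_PATH,
                "FailureActions": FAILURE_ACTIONS_HEX},
}

if __name__ == "__main__":
    print(decode_failure_actions(FAILURE_ACTIONS_HEX))
    print(hunt_services(SAMPLE_SERVICES))
```

The decoded blob gives a 3600 s reset period and one SC_ACTION_RESTART with a 60000 ms delay, so the service is configured to restart itself one minute after an unexpected stop, which is why killing the process alone does not remove the miner.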
The following Registry entry is set:
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Winmgmt\Parameters]
- "ServiceDllUnloadOnStop" = %variable%
The variable %variable% represents a number in the range 0-1.
The following Registry entry is deleted:
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\WDI\Config]
- "ServerName"
After the installation is complete, the trojan deletes the original executable file.
Information stealing
The trojan collects the following information:
- installed antivirus software
- computer IP address
- malware version
- information about the operating system and system settings
- CPU information
- amount of operating memory
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of (6) URLs. It listens on TCP port 1031. The HTTP protocol is used in the communication.
It downloads the other part of the infiltration.
The file is stored in the following location:
- %programfiles%\Microsoft.NET\Primary Interop Assemblies\LMS.dat
The file is then executed.
The trojan may create the following files:
- %programfiles%\Hardware Driver Management\id.txt
- %temp%\%variable%_Miner_.log
A string with variable content is used instead of %variable%.
The trojan uses the hardware resources of the infected computer for mining the Monero digital currency.
The trojan may execute the following commands:
- cmd.exe /c taskkill /f /im LMS.dat