Smominru And WannaMine Cryptominer Botnets
Updated 08-10-2019 – Updated IOC list.
A new malware family has been observed enrolling devices into a botnet, known variously as Smominru or WannaMine, for the purpose of mining cryptocurrency.
Smominru and WannaMine are very similar, with only slight differences in operation. Both are fileless, using Windows Management Instrumentation (WMI) scripting to maintain persistence across reboots, and both use the EternalBlue SMB exploit to propagate. WannaMine additionally deploys the Mimikatz credential harvester before moving on to another device.
Unlike other cryptomining malware, Smominru/WannaMine heavily impact a system’s resources. The attackers behind them appear to prefer mining as fast as possible, overusing the CPU to the point that the system may crash.
Indicators of Compromise
IP Addresses
- 103[.]213[.]246[.]23
- 103[.]95[.]28[.]54
- 139[.]5[.]177[.]10
- 45[.]58[.]135[.]106
- 74[.]222[.]14[.]61
URLs
- ftp[.]oo000oo[.]me
- js[.]mykings[.]top:280/helloworld[.]msi
- js[.]mykings[.]top:280/v[.]sct
- ok[.]xmr6b[.]ru
- wmi[.]mykings[.]top:8888
Filenames
- b2.exe
- item.dat
- item.rar
- msief.exe
- upsupx.exe
- blueps.txt
- S.ps1
- s.txt
- s.jpg
- 1.txt
- 2.txt
- 3.txt
- l.txt
- up.txt
- my1.bat
- v.sct
- 123.bat
SHA256 File Hashes
- 4958c38ba2d7def9ba44c5382f2c5a41c619d5a5eedfb8ac4697dbf75c306933
- 6315657fd523118f51e294e35158f6bd89d032b26fe7749a4de985edc81e5f86
- 674f2df2cdadab5be61271550605163a731a2df8f4c79732481cad532f00525d
- 790c213e1227adefd2d564217de86ac9fe660946e1240b5415c55770a951abfd
- 79bcb0b7ba00c4c65bf9b41cfe193fd917d92ab1d41456ac775836cec5cadc9a
- 7a4f2f2702fababb0619556e67a41d0a09e01fbfdb84d47b4463decdbb360980
- 7ec433dd0454553b09f11c39944e251e3ee32e4981f52f02adc3011eb0ce6537
- 80f8ba7992a5dbaa4a2f76263258d5d7bf3bb8994f9e8a4a5294f70ab8e38ea4
- 8246293a368a1da86aba696bea93460705ca4c40aa4c75dde909b8d9dff5efcb
- 8c5bb89596cd732af59693b8da021a872fee9b3696927b61d4387b427834c461
- 9ec520eba82b8eaeb11bc00612748c6db210e6753d8e87905747270ebcfa9eb2
- a095f60ff79470c99752b73f8286b78926bc46eb2168b3ecd4783505a204a3b0
- a3bb132ab1ba3e706b90d6fb514504105f174c4e444e87be7bce1995f798044d
- ab26a859633d1ec68e021226fab47870ed78fc2e6a58c70a7a7060be51247c1d
- be5e698bd72fd58a8d202e511cf356924f0a1200e91bd25dcb5442e33a7b4f14
- d5f907f9d2001ee5013c4c1af965467714bbc0928112e54ba35d142c8eab68bf
- e6fc79a24d40aea81afdc7886a05f008385661a518422b22873d34496c3fb36b
- e8ddefd237646a47debc01df9aa02fbcae40686f96b7860511c73798c7546201
- f37a0d5f11078ef296a7c032b787f8fa485d73b0115cbd24d62cdf2c1a810625
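The indicators above are published defanged (`[.]` in place of `.`), so they cannot be pasted straight into a log search. The script below is an added example, not part of the original post: it refangs a representative subset of the page's IPs, URLs, filenames and SHA256 hashes, deduplicates them (the published hash list repeats some entries), and scans a few constructed DNS, proxy and endpoint log lines for matches. The log format and hostnames are invented for the example; adapt the regexes to your own telemetry.

```python
import re

# Representative indicators copied from the list above, still defanged as published.
# The repeated hash is kept on purpose to show that deduplication is needed.
DEFANGED_IOCS = {
    "ips": ["103[.]213[.]246[.]23", "103[.]95[.]28[.]54", "139[.]5[.]177[.]10",
            "45[.]58[.]135[.]106", "74[.]222[.]14[.]61"],
    "urls": ["ftp[.]oo000oo[.]me", "js[.]mykings[.]top:280/helloworld[.]msi",
             "js[.]mykings[.]top:280/v[.]sct", "ok[.]xmr6b[.]ru", "wmi[.]mykings[.]top:8888"],
    "filenames": ["b2.exe", "item.dat", "msief.exe", "upsupx.exe", "S.ps1",
                  "my1.bat", "v.sct", "123.bat"],
    "sha256": ["4958c38ba2d7def9ba44c5382f2c5a41c619d5a5eedfb8ac4697dbf75c306933",
               "80f8ba7992a5dbaa4a2f76263258d5d7bf3bb8994f9e8a4a5294f70ab8e38ea4",
               "80f8ba7992a5dbaa4a2f76263258d5d7bf3bb8994f9e8a4a5294f70ab8e38ea4"],
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its live form for matching."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_ioc_sets(defanged: dict) -> dict:
    """Refang, normalise case and deduplicate the indicators into lookup sets."""
    ips = {refang(i) for i in defanged["ips"]}
    # Keep only the host part of each URL so a DNS or proxy line matches on the domain alone.
    hosts = {refang(u).split("/")[0].split(":")[0].lower() for u in defanged["urls"]}
    names = {n.lower() for n in defanged["filenames"]}
    hashes = {h.lower() for h in defanged["sha256"]}  # a set silently drops the duplicate
    return {"ips": ips, "hosts": hosts, "filenames": names, "sha256": hashes}


IOCS = build_ioc_sets(DEFANGED_IOCS)

# Tokenisers for the fields we expect to find in log lines.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
FILENAME_RE = re.compile(r"[\w-]+\.(?:exe|dat|rar|txt|ps1|bat|sct|jpg|msi)\b", re.I)


def scan_line(line: str) -> list:
    """Return (category, indicator) pairs for every listed IoC present in one log line."""
    hits = []
    for ip in IPV4_RE.findall(line):
        if ip in IOCS["ips"]:
            hits.append(("ip", ip))
    for host in HOST_RE.findall(line):
        if host.lower() in IOCS["hosts"]:
            hits.append(("host", host.lower()))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in IOCS["sha256"]:
            hits.append(("sha256", digest.lower()))
    for name in FILENAME_RE.findall(line):
        if name.lower() in IOCS["filenames"]:
            hits.append(("filename", name.lower()))
    return hits


def scan_logs(lines: list) -> list:
    """Return (line_number, hits) for each line that matched at least one indicator."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := scan_line(line))]


# Constructed log lines for the example; hostnames and timestamps are invented.
# The last line uses a TEST-NET-3 address and should not match anything.
SAMPLE_LOGS = [
    "2019-10-08T10:14:02Z dns host=WS-0042 qname=wmi.mykings.top type=A",
    "2019-10-08T10:14:05Z proxy host=WS-0042 dst=45.58.135.106:8888 action=allow",
    "2019-10-08T10:15:11Z edr host=WS-0042 new_file=C:\\Windows\\Temp\\upsupx.exe "
    "sha256=80f8ba7992a5dbaa4a2f76263258d5d7bf3bb8994f9e8a4a5294f70ab8e38ea4",
    "2019-10-08T10:16:00Z proxy host=WS-0017 dst=203.0.113.5:443 action=allow",
]

if __name__ == "__main__":
    for line_no, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {line_no}: {hits}")
```

Matching on the bare hostname rather than the full URL is deliberate: a DNS resolver or proxy log rarely records the port and path, and the campaign's infrastructure is identified by the domain. Filename matches on their own are weak evidence (names like `1.txt` or `s.txt` are common), which is why the filename list in the script is trimmed to the more distinctive entries; treat a hash or host hit as the stronger signal.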
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.