This study, conducted after analysing a sample of malware from the WannaMine family, with the main purpose of identifying the actions it performs and how it spreads, as well as identifying the family it belongs to and possible destructive effects it may cause, to know it and be able to take adequate prevention and response action.
The main purpose of WannaMine is cryptojacking, using the affected machines to carry out cryptocurrency mining. It is made up of various artifacts, and it is able to extract credentials from the affected systems using Mimikatz, and to exploit the EternalBlue vulnerability.
The sample subject to this analysis, developed by the INCIBE-CERT team, is a malicious Powershell artifact, which was detected in the systems of at least one national body.
Also available in this analysis is a script that removes WannaMine from the system, an IOC rule and a Yara rule to help with detecting samples belonging to the WannaMine family.
The technical report includes:
- General information.
- Summary of actions.
- Detailed analysis.
- Lateral movement.
- Cryptocurrency mining.
- System cleaning.