W32/CoinMiner.EAD6!tr

Analysis

W32/CoinMiner.EAD6!tr is a highly generic detection for a set of Miners Trojans. Since this is a generic detection, malware that are detected as W32/CoinMiner.EAD6!tr may have varying behaviour.
Below are examples of some of these behaviours:

• Some instances of this malware will spawn numerous processes, including possible Injection to hosts processes, this will cause affected hosts to a high CPU usage:
  

  Figure 1: Conhost Spawned processes.

  
  

  Figure 2: Multiple Spawned processes.



• Below are some of the miscellaneous behavior for some instances of this malware:
  

  Figure 1: Some instances of this malware has been observed to displays a none sense graphic image.

  
  

  Figure 2: There were some malware instance which prompted for password.



• Some instances of this malware are in RAR SFX format. Within the RAR packages are command line tools that are the actual miners, some of these tools can accept various parameters such as: mining algorithm, recepient emaill address, protocol, mining URL site, and keys/wallets.


• Some instances of this malware are dependent on some form of Javascript/VBS codes to perform a network connection or utilize the functionalities of bitcoin mining from a known javascript/VBS module or codes in addition to dropping the javascript/vbs file itself, the malware will be often observed to spawn/execute an instance of wscript.exe (Windows hosting script).


• Some instances of this miner were observed to connect to:
  
  • xm{Removed}.pool.minergate.com
  • eu1-zcas{Removed}.flypool.org

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.