Analysis
W32/CoinMiner.AKE!tr is a generic detection for a Miner trojan.
Since this is a generic detection, this malware may have varying behaviour.
Below are some of its observed characteristics/behaviours:
- This malware may drop any of the following file(s):
  - C:\log\32.exe : This file is detected as VBS/BitMin.AA!tr
  - C:\ProgramData\Windows\[Random]_log.txt : This file is a log file that shows it is trying to connect to xmr.pool.miner{Removed}.com
  - C:\ProgramData\Windows\csrs.exe : This file is detected as W32/CoinMiner.AKE!tr.
  - C:\ProgramData\Windows\start.bat : This file is a batch file that may run the file csrs.exe and connect to xmr.pool.miner{Removed}.com
  - C:\ProgramData\Windows\svchost.vbs : This file is a script file that may run the file csrs.exe and connect to xmr.pool.miner{Removed}.com
  - %UserProfile%\Start Menu\Programs\Startup\explorer.lnk : This file is a shortcut that runs the file svchost.vbs on startup.
- This malware may connect to the following site(s):
  - xmr.pool.miner{Removed}.com
- Some instances of this file are in RAR SFX form.
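The indicators listed above (dropped paths, the Startup-folder shortcut that launches svchost.vbs, and the mining-pool hostname) can be turned into a small triage check that a responder runs over a host's file inventory, resolved shortcut targets and DNS log. The script below is an added example, not part of the Fortinet write-up: it treats `[Random]` as a single path component of any content, matches the startup shortcut on its `Start Menu\Programs\Startup` suffix so that `%UserProfile%` may expand to any user directory, and, because the page redacts the pool name as `xmr.pool.miner{Removed}.com`, matches hostnames only on the unredacted `xmr.pool.miner` prefix. The sample inventory, user name, log-file prefix and hostnames are constructed for the demonstration.

```python
import re
from typing import Dict, Iterable, List, Tuple

# File indicators from the write-up above. "[Random]" is modelled as one
# path component of any content; the startup shortcut is matched on the
# "Start Menu\Programs\Startup" suffix so %UserProfile% can expand to any
# user directory on any Windows version.
DROPPED_FILE_INDICATORS: List[Tuple[str, re.Pattern]] = [
    ("C:\\log\\32.exe (VBS/BitMin.AA!tr)",
     re.compile(r"^C:\\log\\32\.exe$", re.I)),
    ("C:\\ProgramData\\Windows\\[Random]_log.txt (miner log)",
     re.compile(r"^C:\\ProgramData\\Windows\\[^\\]+_log\.txt$", re.I)),
    ("C:\\ProgramData\\Windows\\csrs.exe (W32/CoinMiner.AKE!tr)",
     re.compile(r"^C:\\ProgramData\\Windows\\csrs\.exe$", re.I)),
    ("C:\\ProgramData\\Windows\\start.bat (launcher)",
     re.compile(r"^C:\\ProgramData\\Windows\\start\.bat$", re.I)),
    ("C:\\ProgramData\\Windows\\svchost.vbs (launcher)",
     re.compile(r"^C:\\ProgramData\\Windows\\svchost\.vbs$", re.I)),
    ("Startup\\explorer.lnk (persistence shortcut)",
     re.compile(r"\\Start Menu\\Programs\\Startup\\explorer\.lnk$", re.I)),
]

# The page redacts the pool hostname as xmr.pool.miner{Removed}.com, so only
# the unredacted prefix can be used here (assumption: prefix match is enough).
MINER_POOL_HOST_PREFIX = "xmr.pool.miner"


def match_dropped_files(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, indicator label) for every inventory path matching a dropped-file indicator."""
    hits = []
    for path in paths:
        for label, pattern in DROPPED_FILE_INDICATORS:
            if pattern.search(path):
                hits.append((path, label))
    return hits


def match_startup_shortcuts(shortcut_targets: Dict[str, str]) -> List[str]:
    """Return Startup-folder .lnk paths whose resolved target is the dropped svchost.vbs.

    The write-up says explorer.lnk runs svchost.vbs at startup; checking the
    target rather than the shortcut name also catches a renamed shortcut.
    """
    hits = []
    for lnk_path, target in shortcut_targets.items():
        in_startup = re.search(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", lnk_path, re.I)
        runs_vbs = re.search(r"\\ProgramData\\Windows\\svchost\.vbs", target, re.I)
        if in_startup and runs_vbs:
            hits.append(lnk_path)
    return hits


def match_pool_connections(hostnames: Iterable[str]) -> List[str]:
    """Return hostnames from a DNS/proxy log that fall under the (redacted) mining-pool name."""
    return [h for h in hostnames if h.lower().startswith(MINER_POOL_HOST_PREFIX)]


def triage(paths: Iterable[str], shortcut_targets: Dict[str, str],
           hostnames: Iterable[str]) -> Dict[str, list]:
    """Run all three checks and group the findings by indicator type."""
    return {
        "dropped_files": match_dropped_files(paths),
        "startup_shortcuts": match_startup_shortcuts(shortcut_targets),
        "pool_connections": match_pool_connections(hostnames),
    }


# Constructed sample inventory (not from the page): user name, random log
# prefix, shortcut targets and hostnames are made up for the demonstration.
SAMPLE_PATHS = [
    r"C:\ProgramData\Windows\csrs.exe",
    r"C:\ProgramData\Windows\a1b2c3_log.txt",
    r"C:\ProgramData\Windows\svchost.vbs",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk",
    r"C:\Windows\System32\svchost.exe",   # legitimate, must not match
    r"C:\Windows\System32\csrss.exe",     # legitimate, must not match
]
SAMPLE_SHORTCUTS = {
    SAMPLE_PATHS[3]: r"C:\ProgramData\Windows\svchost.vbs",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote.lnk":
        r"C:\Program Files\Microsoft Office\ONENOTEM.EXE",
}
SAMPLE_HOSTS = ["xmr.pool.minerexample.com", "update.microsoft.com"]

if __name__ == "__main__":
    for section, findings in triage(SAMPLE_PATHS, SAMPLE_SHORTCUTS, SAMPLE_HOSTS).items():
        print(section)
        for finding in findings:
            print("   ", finding)
```

Run on a real host, the three inputs would come from a file-system listing of `C:\log` and `C:\ProgramData\Windows`, the resolved targets of every `.lnk` in each user's Startup folder, and the DNS or proxy log; the legitimate `svchost.exe` and `csrss.exe` entries in the sample show that the paths are anchored tightly enough not to flag the similarly named system binaries.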