W32/CoinMiner.AKE!tr

Analysis

W32/CoinMiner.AKE!tr is a generic detection for a miner trojan. Because the detection is generic, samples covered by it may vary in behaviour.
The following characteristics and behaviours have been observed:

  • This malware may drop any of the following file(s):
    • C:\log\32.exe : This file is detected as VBS/BitMin.AA!tr.
    • C:\ProgramData\Windows\[Random]_log.txt : This log file records the malware's attempts to connect to xmr.pool.miner{Removed}.com.
    • C:\ProgramData\Windows\csrs.exe : This file is detected as W32/CoinMiner.AKE!tr.
    • C:\ProgramData\Windows\start.bat : This batch file may run csrs.exe and connect to xmr.pool.miner{Removed}.com.
    • C:\ProgramData\Windows\svchost.vbs : This script file may run csrs.exe and connect to xmr.pool.miner{Removed}.com.
    • %UserProfile%\Start Menu\Programs\Startup\explorer.lnk : This shortcut runs svchost.vbs at startup, giving the malware persistence.

  • This malware may connect to the following site(s):
    • xmr.pool.miner{Removed}.com

  • Some instances of this file are in RAR SFX form.
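The artifact list above is, in practice, what a responder hunts for on a suspect host. The following script is an added example (not Fortinet's code and not part of this entry) that turns those listed paths into an IoC check: it treats the entry's own placeholders, `[Random]` and `%UserProfile%`, as wildcards, matches them case-insensitively against a file inventory, and scans log text for the pool hostname. Because the entry redacts the hostname as `xmr.pool.miner{Removed}.com`, the log check matches only the visible prefix; the inventory and log lines at the bottom are constructed sample data, and the `triage` verdict thresholds are this example's own choice.

```python
import re

# Artifact paths as listed in the detection entry. "[Random]" and "%UserProfile%"
# are placeholders from the entry itself; they are treated as wildcards below.
ARTIFACTS = {
    r"C:\log\32.exe": "dropped component (detected as VBS/BitMin.AA!tr)",
    r"C:\ProgramData\Windows\[Random]_log.txt": "miner log file",
    r"C:\ProgramData\Windows\csrs.exe": "miner payload (W32/CoinMiner.AKE!tr)",
    r"C:\ProgramData\Windows\start.bat": "batch launcher for csrs.exe",
    r"C:\ProgramData\Windows\svchost.vbs": "script launcher for csrs.exe",
    r"%UserProfile%\Start Menu\Programs\Startup\explorer.lnk": "startup shortcut to svchost.vbs",
}

# The entry redacts the pool hostname as xmr.pool.miner{Removed}.com, so only the
# visible prefix is used; whatever follows it up to ".com" is captured as the host.
POOL_HOST_RE = re.compile(r"xmr\.pool\.miner\S*?\.com", re.IGNORECASE)


def artifact_to_regex(pattern: str) -> re.Pattern:
    """Turn a listed path into an anchored, case-insensitive regex.

    %UserProfile% matches any per-user profile directory under <drive>:\\Users,
    [Random] matches any fragment within one path component; the rest is literal.
    """
    parts = re.split(r"(%UserProfile%|\[Random\])", pattern)
    pieces = []
    for part in parts:
        if part == "%UserProfile%":
            pieces.append(r"[A-Za-z]:\\Users\\[^\\]+")
        elif part == "[Random]":
            pieces.append(r"[^\\]+")
        else:
            pieces.append(re.escape(part))
    return re.compile("^" + "".join(pieces) + "$", re.IGNORECASE)


_COMPILED = [(artifact_to_regex(p), p, desc) for p, desc in ARTIFACTS.items()]


def match_artifacts(observed_paths):
    """Return (observed_path, listed_pattern, description) for every IoC hit."""
    hits = []
    for path in observed_paths:
        for rx, pattern, desc in _COMPILED:
            if rx.match(path):
                hits.append((path, pattern, desc))
    return hits


def find_pool_indicators(log_text: str):
    """Return the distinct pool hostnames mentioned in a log, in first-seen order."""
    seen = []
    for host in POOL_HOST_RE.findall(log_text):
        if host not in seen:
            seen.append(host)
    return seen


def triage(observed_paths, log_text: str = ""):
    """Combine file-path hits and log indicators into a simple verdict (example thresholds)."""
    hits = match_artifacts(observed_paths)
    pools = find_pool_indicators(log_text)
    payload = any(pattern.endswith(r"\csrs.exe") for _, pattern, _ in hits)
    persistence = any(pattern.endswith(r"\explorer.lnk") for _, pattern, _ in hits)
    if payload or persistence or pools:
        verdict = "likely infected"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    return {"hits": hits, "pool_hosts": pools, "verdict": verdict}


# Constructed sample data for a stand-alone run; not taken from a real host.
SAMPLE_INVENTORY = [
    r"C:\ProgramData\Windows\csrs.exe",
    r"C:\ProgramData\Windows\a1b2c3_log.txt",
    r"C:\Users\alice\Start Menu\Programs\Startup\explorer.lnk",
    r"C:\Windows\System32\svchost.exe",   # legitimate system binary, must not match
    r"C:\ProgramData\Windows\svchost.vbs",
]
SAMPLE_LOG = "[12:00:01] connecting to xmr.pool.miner{Removed}.com:3333\n[12:00:02] retrying\n"

if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY, SAMPLE_LOG)
    for path, _, desc in result["hits"]:
        print(f"{path}  <-  {desc}")
    print("pool hosts:", result["pool_hosts"])
    print("verdict:", result["verdict"])
```

On a real host the inventory would come from a directory walk of C:\ProgramData\Windows, C:\log and each user's Startup folder, and the log text from any *_log.txt found there; the legitimate C:\Windows\System32\svchost.exe in the sample is included precisely to show that the anchored patterns do not fire on the system binary whose name the dropped svchost.vbs imitates.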

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2019-07-30 70.35800 Sig Updated
2019-04-30 68.17800 Sig Updated
2019-04-29 68.14600 Sig Updated
2019-04-12 67.75300 Sig Updated
2019-04-02 67.50600 Sig Updated
2019-03-27 67.36200 Sig Updated
2019-03-20 67.19300 Sig Updated
2019-03-20 67.19200 Sig Updated
2019-03-07 66.88800 Sig Updated
2019-03-07 66.88700 Sig Updated