W32/CoinMiner.ASH!tr

Analysis

W32/CoinMiner.ASH!tr is a generic detection for a trojan. Since this is a generic detection, malware that are detected as W32/CoinMiner.ASH!tr may have varying behaviour.
Below are examples of some of these behaviours:

• This malware may drop any of the following file(s):
  
  • %Temp%\KAV2.dll : During the time of our tests, this file was a 0 byte file.
  • %Temp%\license.key : This file is non-malicious.
  • %AppData%\[Random]\Pablo_v2_JUNZRD.exe : This file is detected as Adware/FileTour.
  • %AppData%\[Random]\winhost.exe : This file is detected as W32/CoinMiner.ASH!tr.
  • %AppData%\Microsoft\Windows\winhost.exe: This file is detected as W32/CoinMiner.ASH!tr.


• This malware may connect to any of the following remote sites(s):
  
  • tuomine{Removed}.ru
  • hxxp://tuomine{Removed}.ru/archive.zip


• This malware may issue a command line that may have any of the following effects:
  
  • issue a parameter for the dropped file Pablo_v2_JUNZRD using /SL5=.
  • scheduled task under the name System\SecurityService causing to run winhost.exe daily.


• Based on these behaviours this malware has been thought to be part of bitcoin mining.

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.