Trojan:Win32/Maener.A creates the following files on your PC:
c:\Trash-100\ActivateDesktop.exe - malware copy
c:\Trash-100\notafile.exe - malware copy
c:\Trash-100\db\miner_exe_name - contains the name of the coin miner tool (connost.exe)
c:\Trash-100\db\miners_info - contains the URL where coin miner tool can be downloaded/extracted (1.<removed>.z8.ru/XCN/CPU32.mining or 1.<removed>.z8.ru/XDN/CPU64.mining)
c:\Trash-100\db\mining_info - contains the URLs where coin miner tool can be downloaded/extracted (1.<removed>.z8.ru/XCN/CPU32.mining or 1.<removed>.z8.ru/XDN/CPU64.mining)
c:\Trash-100\db\last_miner_link - contains the URL where the coinminer tool can be downloaded/extracted (1.<removed>.z8.ru/XCN/CPU32.mining)
c:\Trash-100\db\last_regwrite_link - contains the URL where the encrypted registry_tool.exe can be downloaded (1.<removed>.z8.ru/tools/RegWriter.exe.raum_encrypted)
c:\Trash-100\db\backup_url - contains the URL it connects to (1.<removed>.z8.ru/)
c:\Trash-100\db\framework_exe - contains the name of the malware copy (ActivateDesktop.exe)
c:\Trash-100\db\update_info - contains the URL where the encrypted registry_tool.exe can be downloaded (1.<removed>.z8.ru/updates/0050.lalka.raum_encrypted)
c:\Trash-100\unpacked\options - command line passed to the miner: algorithm, stratum pool address and worker credentials (-a m7 -o stratum+tcp://<removed>.1gh.com:7333 -u <user> -p <password>)
c:\Trash-100\registry_tool.exe - deleted after execution
c:\Trash-100\mining.archive - contains the binary coin miner tool
It adds the following registry entry to the per-user Run key so that the malware copy starts each time you log on (the value name mimics the legitimate Google updater):
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Sets value: GoogleUpdate_CF4A51A46014ACCDC56E3A64BAC64B76 With data: c:\Trash-100\ActivateDesktop.exe
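The following Python triage helper is an added example, not code from Microsoft's encyclopedia page. It checks a filesystem root for the c:\Trash-100 artifacts listed above, parses the miner command line kept in unpacked\options into pool host, port, algorithm and credentials, and scans the text of a Run-key export (as produced by `reg export`) for the GoogleUpdate_<32 hex digits> value whose data points into Trash-100. All sample data is constructed: the pool host, worker name and password are placeholders, and the registry export text is written by hand.

```python
r"""Triage helper for the Trojan:Win32/Maener.A artifacts described above.

Added example (not Microsoft's code). Checks a filesystem root for the
c:\Trash-100 files, parses the miner command line from unpacked\options,
and scans a Run-key export for the GoogleUpdate_<hex> persistence value.
"""
import os
import re
import shlex
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Relative paths under c:\Trash-100 and what the page says each one holds.
MAENER_FILES = {
    "ActivateDesktop.exe": "malware copy",
    "notafile.exe": "malware copy",
    os.path.join("db", "miner_exe_name"): "name of the coin miner (connost.exe)",
    os.path.join("db", "miners_info"): "download URL(s) for the miner",
    os.path.join("db", "mining_info"): "download URL(s) for the miner",
    os.path.join("db", "last_miner_link"): "download URL for the miner",
    os.path.join("db", "last_regwrite_link"): "download URL for the encrypted registry tool",
    os.path.join("db", "backup_url"): "fallback server URL",
    os.path.join("db", "framework_exe"): "name of the malware copy",
    os.path.join("db", "update_info"): "download URL for an encrypted update",
    os.path.join("unpacked", "options"): "miner command line",
    "registry_tool.exe": "registry tool (normally deleted after execution)",
    "mining.archive": "archived miner binary",
}
# Persistence value name: GoogleUpdate_ followed by 32 hex digits.
RUN_VALUE_RE = re.compile(r"^GoogleUpdate_[0-9A-Fa-f]{32}$")


def parse_miner_options(text):
    """Split '-a <algo> -o stratum+tcp://host:port -u <user> -p <pass>' into parts."""
    tokens = shlex.split(text)
    opts = {}
    it = iter(tokens)
    for tok in it:
        if tok in ("-a", "-o", "-u", "-p"):
            opts[tok] = next(it, "")
    pool = urlparse(opts.get("-o", ""))  # urlparse accepts the stratum+tcp scheme
    return {
        "algorithm": opts.get("-a"),
        "pool_scheme": pool.scheme,
        "pool_host": pool.hostname,
        "pool_port": pool.port,
        "user": opts.get("-u"),
        "password": opts.get("-p"),
    }


def scan_tree(root):
    """Return (relative_path, meaning) for each known artifact present under root/Trash-100."""
    base = os.path.join(root, "Trash-100")
    if not os.path.isdir(base):
        return []
    return [(rel, why) for rel, why in MAENER_FILES.items()
            if os.path.isfile(os.path.join(base, rel))]


def find_run_persistence(reg_export_text):
    """Scan `reg export HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` text
    for a GoogleUpdate_<hex> value whose data points into Trash-100."""
    hits = []
    for line in reg_export_text.splitlines():
        m = re.match(r'^"([^"]+)"="(.*)"$', line.strip())
        if not m:
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # undo .reg escaping
        if RUN_VALUE_RE.match(name) and "trash-100" in data.lower():
            hits.append((name, data))
    return hits


# Constructed sample data: placeholder pool host, worker and password.
SAMPLE_OPTIONS = "-a m7 -o stratum+tcp://pool.example.test:7333 -u worker1 -p x"
SAMPLE_REG_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"OneDrive"="C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe /background"
"GoogleUpdate_CF4A51A46014ACCDC56E3A64BAC64B76"="c:\\\\Trash-100\\\\ActivateDesktop.exe"
"""


def build_sample_tree(root):
    """Create a constructed Trash-100 directory under root that mimics an infection."""
    base = Path(root) / "Trash-100"
    (base / "db").mkdir(parents=True)
    (base / "unpacked").mkdir()
    (base / "ActivateDesktop.exe").write_bytes(b"MZ")          # stand-in for the malware copy
    (base / "db" / "miner_exe_name").write_text("connost.exe")
    (base / "unpacked" / "options").write_text(SAMPLE_OPTIONS)
    return str(base)


def demo_scan():
    """Build the sample tree in a temp dir and return the artifact paths found (with '/' separators)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sorted(rel.replace(os.sep, "/") for rel, _ in scan_tree(tmp))


if __name__ == "__main__":
    print(demo_scan())
    print(parse_miner_options(SAMPLE_OPTIONS))
    print(find_run_persistence(SAMPLE_REG_EXPORT))
```

On a live host you would call `scan_tree("C:\\")` and feed `find_run_persistence` the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg /y`; the parsed pool host and port from `options` are what you would block at the egress firewall.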
Payload
Uses your PC to mine cryptocurrency
Trojan:Win32/Maener.A downloads coin-mining software onto your PC and runs it in the background, which can make your PC noticeably slower and increase power use.
The trojan runs under the file name ActivateDesktop.exe. It connects to a remote server to download and install the miner components. The miner is installed as connost.exe and is launched with the pool address, algorithm and credentials stored in the options file described above, abusing the system's computing resources to generate coins for the attacker.
Contacts remote host
Trojan:Win32/Maener.A might contact a remote host at spock.z8.ru, in addition to the download URLs listed in the db files above. Commonly, malware does this to:
Report a new infection to its author
Receive configuration or other data
Download and run files, including updates or other malware