Abstract

With the emergence of remote code execution (RCE) vulnerabilities in ubiquitous libraries and of advanced social engineering techniques, threat actors have been conducting widespread PowerShell-based fileless cryptojacking attacks since 2017. Threat actors have exploited this stealthy technique so effectively that even if an attack is detected and the malicious scripts are removed, the processes may remain operational on victim endpoints, creating a significant challenge for detection mechanisms. The literature lacks exploratory research on fileless cryptojacking that documents its TTPs (tactics, techniques, and procedures) and malware types. Also, there has been no specific research on detecting PowerShell-based fileless cryptojacking using machine learning. To fill this gap, we conducted research structured in three phases: first, we reviewed all types of cryptojacking attacks; second, we conducted a descriptive analysis of PowerShell-based fileless cryptojacking using a uniquely collected dataset and the MITRE ATT&CK framework to examine the operational mechanisms and attack vectors; and finally, we conducted an experimental study on detecting these attacks using machine learning. First, the research provided a comprehensive systematic review of the types of cryptojacking attacks and added a new type to the literature, in-memory-only fileless cryptojacking. Second, the study provided an extensive descriptive analysis of the collected cryptojacking scripts, together with a new DFIR framework for detecting and mitigating the attacks effectively. Last, after enlarging the dataset and adding a secondary dataset, the study conducted an experiment on detecting PowerShell-based fileless cryptojacking scripts. The experimental results showed that Abstract Syntax Tree (AST)-based fine-tuned CodeBERT achieved a high recall rate, demonstrating the value of AST integration and of fine-tuning a pre-trained programming-language model.

Details

1010268
Business indexing term
Title: Detecting PowerShell-Based Fileless Cryptojacking Attacks Using Machine Learning
Number of pages: 195
Publication year: 2025
Degree date: 2025
School code: 0045
Source: DAI-B 86/12(E), Dissertation Abstracts International
ISBN: 9798315779216
Committee members: Emmert, John; Ozer, M. Murat; Elsayed, Zaghloul
University/institution: University of Cincinnati
Department: Education, Criminal Justice, and Human Services: Information Technology
University location: United States -- Ohio
Degree: Ph.D.
Source type: Dissertation or Thesis
Language: English
Document type: Dissertation/Thesis
Dissertation/thesis number: 32142426
ProQuest document ID: 3214420014
Document URL: https://www.proquest.com/dissertations-theses/detecting-powershell-based-fileless-cryptojacking/docview/3214420014/se-2?accountid=208611
Copyright: Database copyright ProQuest LLC; ProQuest does not claim copyright in the individual underlying works.
Database: ProQuest One Academic