COINMINER_COINHIVE.K-JS

This Coinminer arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be hosted on a website and run when a user accesses the said website.

Arrival Details

This Coinminer arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be hosted on a website and run when a user accesses the said website.

Other Details

This Coinminer does the following:

• This JavaScript is embedded into websites to run a miner for Monero cryptocurrency.
• It uses the system's central processing unit (CPU) resources to mine for cryptocurrency.
• It connects to the following URL to execute the miner:
  • hxxps://{BLOCKED}ve.com/lib/coinhive.min.js

NOTES:

Checks either of the following before it runs its coinminer:

• WebAssembly
• asm.js

The script accepts the following relevant parameters:

• Target number of mining threads per tab
• Throttle rate
• Execution / Start - mode
• Target number of hashes to solve

It can have the following start modes:

• IF_EXCLUSIVE_TAB - The miner will only start if no other tabs are already mining.
• FORCE_EXCLUSIVE_TAB - The miner will always start and immediately kill all miners in other tabs that have not specified CoinHive.FORCE_MULTI_TAB.
• FORCE_MULTI_TAB - The miner will always start.

It has the capability to monitor the following events:

• open
• authed
• close
• error
• job
• found
• accepted
• optin

It sends events and other data to the following URLs/Websocket Shards:

• wss://ws001.{BLOCKED}ve.com/proxy
• wss://ws002.{BLOCKED}ve.com/proxy
• wss://ws003.{BLOCKED}ve.com/proxy
• wss://ws004.{BLOCKED}ve.com/proxy
• wss://ws005.{BLOCKED}ve.com/proxy
• wss://ws006.{BLOCKED}ve.com/proxy
• wss://ws007.{BLOCKED}ve.com/proxy
• wss://ws008.{BLOCKED}ve.com/proxy
• wss://ws009.{BLOCKED}ve.com/proxy
• wss://ws010.{BLOCKED}ve.com/proxy
• wss://ws011.{BLOCKED}ve.com/proxy
• wss://ws012.{BLOCKED}ve.com/proxy
• wss://ws013.{BLOCKED}ve.com/proxy
• wss://ws014.{BLOCKED}ve.com/proxy
• wss://ws015.{BLOCKED}ve.com/proxy
• wss://ws016.{BLOCKED}ve.com/proxy
• wss://ws017.{BLOCKED}ve.com/proxy
• wss://ws018.{BLOCKED}ve.com/proxy
• wss://ws019.{BLOCKED}ve.com/proxy
• wss://ws020.{BLOCKED}ve.com/proxy
• wss://ws021.{BLOCKED}ve.com/proxy
• wss://ws022.{BLOCKED}ve.com/proxy
• wss://ws023.{BLOCKED}ve.com/proxy
• wss://ws024.{BLOCKED}ve.com/proxy
• wss://ws024.{BLOCKED}ve.com/proxy
• wss://ws025.{BLOCKED}ve.com/proxy
• wss://ws026.{BLOCKED}ve.com/proxy
• wss://ws027.{BLOCKED}ve.com/proxy
• wss://ws028.{BLOCKED}ve.com/proxy
• wss://ws029.{BLOCKED}ve.com/proxy
• wss://ws030.{BLOCKED}ve.com/proxy
• wss://ws031.{BLOCKED}ve.com/proxy
• wss://ws032.{BLOCKED}ve.com/proxy

It accesses the following libraries:

• https://{BLOCKED}ve.com/lib/worker-asmjs.min.js?v7
• https://{BLOCKED}ve.com/captcha
• https://{BLOCKED}ve.com/media/miner.html
• https://{BLOCKED}mine.com/authenticate.html

It connects and executes https://js.{BLOCKED}s.51.la/19575631.js for reporting and sends the following information:

• Screen resolution
• If accessed on mobile
• URL where the script is embedded