KingMiner Cryptocurrency Miner

KingMiner is a newly observed cryptocurrency miner that targets Microsoft Internet Information Services (IIS) and Microsoft SQL servers.

At the time of publication, it is unclear how the malware is distributed. It is known that, once executed, the malware obtains the server's credentials via a brute force attack. KingMiner then downloads a Windows Scriptlet (.sct) file, which detects the CPU architecture and downloads a payload tailored to that CPU.

KingMiner uses anti-detection techniques, including payload obfuscation. KingMiner was designed to use 75% of CPU resources in order to avoid detection; however, due to an error in its code, it uses 100% of CPU resources.

Indicators of Compromise

SHA256 File Hashes


Domains

  • http://q.112adfdae[.]tk/
  • http://a.1b051fdae[.]tk/
  • http://a.869d4fdae[.]tk/
  • http://a.qwerr[.]ga/
  • w.homewrt[.]com:9760

IP Addresses

  • 95.179.131[.]54:9760
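As an added example (not part of the original advisory), the following Python script refangs the published domain and IP indicators and scans proxy log lines for contact with those hosts or for the .sct scriptlet download described above. The log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the advisory above, in the defanged form it publishes them.
DEFANGED_IOCS = [
    "http://q.112adfdae[.]tk/",
    "http://a.1b051fdae[.]tk/",
    "http://a.869d4fdae[.]tk/",
    "http://a.qwerr[.]ga/",
    "w.homewrt[.]com:9760",
    "95.179.131[.]54:9760",
]

def refang(ioc):
    """Convert a defanged indicator ('[.]', 'hxxp') into a plain lowercase hostname."""
    ioc = ioc.replace("[.]", ".").replace("hxxp", "http")
    if "://" not in ioc:
        ioc = "//" + ioc                      # let urlsplit treat a bare host:port as netloc
    return urlsplit(ioc).hostname.lower()

IOC_HOSTS = frozenset(refang(i) for i in DEFANGED_IOCS)

# Constructed log format (an assumption): "<timestamp> <client_ip> <method> <url>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def classify(url):
    """Return a reason string if the URL matches an indicator or the .sct stage, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in IOC_HOSTS:
        return "known KingMiner host"
    if parts.path.lower().endswith(".sct"):
        return "Windows Scriptlet (.sct) download"   # stage-1 behaviour from the advisory
    return None

def scan_proxy_log(lines):
    """Return (client_ip, url, reason) for each proxy log line that deserves a look."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                          # skip malformed lines instead of failing
        _ts, client, _method, url = m.groups()
        reason = classify(url)
        if reason:
            hits.append((client, url, reason))
    return hits

# Constructed sample lines: two hits, one benign request, one malformed line.
SAMPLE_LOG = [
    "2018-11-30T10:01:02Z 10.0.0.5 GET http://a.qwerr.ga/",
    "2018-11-30T10:01:09Z 10.0.0.5 GET http://updates.example.com/x.sct",
    "2018-11-30T10:02:00Z 10.0.0.7 GET https://www.example.com/index.html",
    "garbage line",
]

if __name__ == "__main__":
    for client, url, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"{client}\t{reason}\t{url}")
```

A bare .sct download is only a lead, not proof of KingMiner; correlate it with the host indicators and with sustained 100% CPU on IIS or SQL hosts before escalating.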

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
