KingMiner Cryptocurrency Miner
KingMiner is a newly observed cryptocurrency miner that targets Microsoft Internet Information Services (IIS) and Microsoft SQL servers.
At the time of publication, it is unclear how the malware is distributed. It is known that the malware will obtain the server’s credentials via a brute force attack when it is executed. Following this, KingMiner will download a Windows Scriptlet file .sct, which will scan and detect the CPU architecture and download a tailored payload for the CPU.
KingMiner uses anti-detection techniques including payload obfuscation. KingMiner was designed to use 75% of CPU resources to avoid detection; however due to an error in its code, it uses 100% of CPU resources.
Indicators of Compromise
SHA256 File Hashes
- dea32433519c4628deeac802c0f1435a1b0d27d89f1ae5c1729ec7223f9eb04d
- 147d572d7f6664c8adf42ef92e4dbad06c5d21cc820a20163d814c77136cfbab
- 122b7906a359deb22bf777c602ac2619ca5ea156c4937dcdf96583210677db52
- c5894d2afc946c064f8c2b58791fe64b48e26f0da5bdcc6ef9ba147f334f43f9
- e61fbe58c28720ac4c0a1822d5da9a622a24f352d34e6c1cf5f704dbdd9b9b34
- 2b54329a13c4f79bea3886a21a7ba5fe19c4418596b774893fdef020e03ed07d
- f128a63c107c3006ebf448d6ec743d11eb491ecb508e4ce63ba084f9792c25da
- 7357bdf70d042f246de1f830de783499d75e61388eed93d9ce74180ce06524d0
- 956a1231726503d840794af61fb6ac9bc326296597eff1c8da636f84e3c32874
- 8fa8cdb771d7c66406a7116e9c09ed18030afb1f94430c807782274f3847cb92
- a3598d3301630ba64aa7663980296b59df243f5f17ed1b4fd56dcbcab599231c
Domains
- http://q.112adfdae[.]tk/
- http://a.1b051fdae[.]tk/
- http://a.869d4fdae[.]tk/
- http://a.qwerr[.]ga/
- w.homewrt[.]com:9760
IP Addresses
- 95.179.131[.]54:9760
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.