Virus

JS/Coinminer.SX!tr

Analysis
JS/Coinminer.SX!tr is a generic detection for a JavaScript coinminer. Because the detection is generic, samples detected as JS/Coinminer.SX!tr may behave differently from one another.
Below are examples of some of these behaviours:

  • Uses a JavaScript configuration object named "CoinHive.CONFIG" with the following keys:
    • LIB_URL : hxxps://coinhiv{Removed}.com/lib/
    • ASMJS_NAME : worker-asmjs.min.js (likely the asm.js build of the hashing library)
    • REQUIRES_AUTH : false
    • WEBSOCKET_SHARDS : array of WebSocket proxy URLs of the form wss://ws[3DIGITS].coinhive.com/proxy
    • CAPTCHA_URL : hxxps://coinhiv{Removed}.com/captcha/
    • MINER_URL : hxxps://coinhiv{Removed}.com/media/miner.html
    • AUTH_URL : hxxps://authedmin{Removed}.com/authenticate.html

  • Checks whether the browser supports WebAssembly (WASM) and falls back to asm.js if it does not. The hashing algorithm is most likely implemented in one of these two modules.

  • Creates a "job thread" (a Web Worker) that performs the hashing using the CryptoNight algorithm.

  • The worker code may be referred to as "CRYPTONIGHT_WORKER_BLOB"; its beginning is shown in Figure 1.

    Figure 1: The beginning of the worker algorithm.
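The indicators listed above lend themselves to a quick static triage of a suspect script. The following is an added example, not code from the FortiGuard entry or from the miner itself: it scans JavaScript source text for the configuration object, file name, shard URL pattern and worker blob name described above, extracts the CoinHive.CONFIG keys without evaluating the script, and scores the result so that a benign script that merely defines a LIB_URL and checks for WebAssembly is not flagged. The indicator weights, the threshold, the .invalid host names and both sample scripts are constructed for this example.

```javascript
// Added example (not from the FortiGuard entry): static triage of a script for
// the Coinhive-style indicators described in the analysis above.
// Indicator weights, the threshold and both sample scripts are constructed.

const INDICATORS = [
  // Structural indicators specific to the miner get a higher weight.
  { name: 'CoinHive.CONFIG object',    weight: 2, re: /CoinHive\.CONFIG\s*=/ },
  { name: 'asm.js worker file name',   weight: 2, re: /worker-asmjs\.min\.js/ },
  { name: 'WEBSOCKET_SHARDS key',      weight: 2, re: /\bWEBSOCKET_SHARDS\s*:/ },
  { name: 'coinhive proxy shard URL',  weight: 2, re: /wss:\/\/ws\d{3}\.coinhive\.com\/proxy/ },
  { name: 'CRYPTONIGHT_WORKER_BLOB',   weight: 2, re: /CRYPTONIGHT_WORKER_BLOB/ },
  // Generic indicators also appear in benign code, so they count for less.
  { name: 'LIB_URL key',               weight: 1, re: /\bLIB_URL\s*:/ },
  { name: 'WebAssembly feature check', weight: 1, re: /typeof\s+WebAssembly/ },
];
const SUSPICIOUS_THRESHOLD = 3; // constructed: two weak hits alone are not enough

// Pull KEY: value pairs out of a `CoinHive.CONFIG = { ... };` literal using
// regexes only; never eval() or new Function() a suspect script during triage.
function extractConfig(source) {
  const obj = source.match(/CoinHive\.CONFIG\s*=\s*\{([\s\S]*?)\};/);
  if (!obj) return null;
  const config = {};
  const kv = /([A-Z_]+)\s*:\s*("[^"]*"|'[^']*'|\[[^\]]*\]|true|false)/g;
  let pair;
  while ((pair = kv.exec(obj[1])) !== null) {
    config[pair[1]] = pair[2].replace(/^["']|["']$/g, '');
  }
  return config;
}

// Collect every wss:// URL so the analyst can see where the miner would connect.
function extractShards(source) {
  return source.match(/wss:\/\/[^"'\s\]]+/g) || [];
}

function scanScript(source) {
  const matched = INDICATORS.filter((i) => i.re.test(source));
  const score = matched.reduce((sum, i) => sum + i.weight, 0);
  return {
    score,
    hits: matched.map((i) => i.name),
    config: extractConfig(source),
    shards: extractShards(source),
    suspicious: score >= SUSPICIOUS_THRESHOLD,
  };
}

// Constructed sample modelled on the configuration keys listed in the analysis.
// Host names use the reserved .invalid TLD; the shard URLs follow the page's pattern.
const CONSTRUCTED_MINER = `
var CoinHive = CoinHive || {};
CoinHive.CONFIG = {
  LIB_URL: "https://coinhive-lib.invalid/lib/",
  ASMJS_NAME: "worker-asmjs.min.js",
  REQUIRES_AUTH: false,
  WEBSOCKET_SHARDS: ["wss://ws001.coinhive.com/proxy", "wss://ws002.coinhive.com/proxy"],
  CAPTCHA_URL: "https://coinhive-lib.invalid/captcha/",
  MINER_URL: "https://coinhive-lib.invalid/media/miner.html",
  AUTH_URL: "https://authedmin.invalid/authenticate.html"
};
var useWasm = typeof WebAssembly === "object";
var CRYPTONIGHT_WORKER_BLOB = URL.createObjectURL(new Blob(["(function(){"]));
`;

// Constructed benign sample: has a LIB_URL and a WASM check but nothing else.
const CONSTRUCTED_BENIGN = `
var app = { LIB_URL: "/static/lib/", debug: false };
if (typeof WebAssembly === "object") { loadWasm(); }
`;

console.log(JSON.stringify(scanScript(CONSTRUCTED_MINER), null, 2));
console.log(JSON.stringify(scanScript(CONSTRUCTED_BENIGN), null, 2));
```

The extracted shard list is the most useful output for a responder: it gives the WebSocket proxies to block or hunt for in egress logs, while the config keys confirm which miner family the script belongs to without running it.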



Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.