A Cryptominer downloaded during runtime
August 22, 2020

While the vanilla container image ubuntu:latest is running, a malicious script and a binary are downloaded from a remote source. Once executed, the script is set to download and execute the Kinsing malware.

| Type | IOC | Details |
|---|---|---|
| File | 69886742cf56f9fc97b97df0a19fc8f0 | Path: /d.sh |
| File | 52ca5bc47c84a748d2b349871331d36a | Path: kinsing |
| IP address | 113[.]116[.]153[.]116 | Attacker’s C2 server |
| IP address | 195[.]123[.]228[.]32 | Attacker’s IP address |