From 3e105ea3a7158362e29b62a37278f0937a8ef26c Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Wed, 16 May 2018 21:55:29 +0200
Subject: [PATCH] added crypto miner match
---
 scan.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/scan.py b/scan.py
index 8d373d4..cc10271 100644
--- a/scan.py
+++ b/scan.py
@@ -238,6 +238,7 @@ scoring = {
 'MD5': (20, u'md5 strings used in malware'),
 'SOCIALS': (50, u'Email addresses, links and social networking'),
 'EITEST': (65, u'Eitest'),
+ 'CRYPTO': (65, u'Cryptocurrency Miners'),
 }
@@ -546,6 +547,8 @@ def is_hacked(filename):
 or 'Wells Fargo Home Page' in l \
 or 'Chase Online - Logon' in l:
 score.append(('PHISHING', ''))
+ if re.compile('User-Agent.*cpuminer').match(l):
+ score.append(('CRYPTO', ''))
 previous_line = l
 if line_num < 20:
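Review bot: The new check in is_hacked calls `.match()`, which anchors at the start of the string, so a line scores `CRYPTO` only when it begins with `User-Agent`. A miner user-agent that follows indentation, an assignment or an opening quote on the same line is missed, whereas the neighbouring phishing checks use substring tests (`'...' in l`) that match anywhere in the line. Use `.search()` and compile the pattern once at module level instead of on every line, e.g. `CPUMINER_RE = re.compile(r'User-Agent.*cpuminer', re.IGNORECASE)` and `if CPUMINER_RE.search(l):`. The `re.IGNORECASE` flag is a suggestion to be checked against known-clean files for false positives. is_hacked starts and ends outside the hunk, so any normalisation applied to `l` before this point is not visible here.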