# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://www.virustotal.com/en/file/0687cd8d38c334a970b81b1ba9bb2e18aa66424edba3f33b61f7d03e35d5db20/analysis/
# Reference: https://isc.sans.edu/forums/diary/Crypto+Mining+Is+More+Popular+Than+Ever/24050
# Reference: https://www.alibabacloud.com/blog/jbossminer-mining-malware-analysis_593804
# Reference: https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html
# Reference: https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/

3g2upl4pq6kufc4m.tk
a.ssvs.space
aybc.so
blockbitcoin.com
d3goboxon32grk2l.tk
d20blzxlz9ydha.cloudfront.net
dazqc4f140wtl.cloudfront.net
dwn.rundll32.ml
enjoytopic.tk
realtimenews.tk
sydwzl.cn

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/linux-coin-miner-copied-scripts-from-korkerds-removes-all-other-malware-and-miners/

drnfbu.xyz
yxarsh.shop

# Reference: https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang
# Reference: https://otx.alienvault.com/pulse/5c8bff7c52e568275bf09e0b

sowcar.com
thyrsi.com
w2wz.com

# Generic link path signs for shell-script (sh) loaders of ELF coinminers

/bonn.sh
/conn.sh
/Duck.sh
/kw.sh
/lower.sh
/lowerv2.sh
/lowerv3.sh
/pro.sh
/r88.sh
/root.sh
/rootv2.sh
/rootv3.sh

# Reference: https://twitter.com/bad_packets/status/1106094104520253441
# Reference: https://www.virustotal.com/#/file/5c1439c0db107cb5f3a9b9c239652b26935a2badaf1d840812702267290ebcac/detection

/a_thk.sh

# Reference: https://twitter.com/SugitaMuchi/status/1075352914221121537

103.55.13.68:13333

# Generic link path signs for ELF coinminers

/accounts-daemon
/askdljlqw
/AnXqV.yam
/bashf
/bashg
/BI5zj
/bonns
/conns
/cranberry
/cryptonight
/crypto-pool
/ddg
/donns
/gekoCrw
/gekoCrw32
/gekoba2anc1
/gekoba5xnc1
/gekobalanc1
/gekobalance
/gekobalanq1
/gekobnc1
/ihhnk
/ir29xc1
/jaav
/jIuc2ggfCAvYmluL2Jhc2gi
/JnKihGjn
/jva
/KGlJwfWDbCPnvwEJupeivI1FXsSptuyh
/kworker
/kworker34
/kxjd
/lexarbalanc1
/ltcminerd
/minerd
/minergate
/minergate-cli
/minerd
/mixnerdx
/minerd64_s
/minexmr
/nativesvc
/NXLAi
/oanacroner
/pubg
/pvv
/rig
/rig1
/rig2
/servcesa
/stratum
/sourplum
/t0mcat
/thisxxs
/watch-smart
/watch-smartd
/xig
/xige
/XJnRj
/xmrig
/xmrig2
/xmrig_s
/yam
/yam32
/ysaydh
/zbjnu

# Reference: https://twitter.com/bad_packets/status/1123473023313616896

45.67.14.152:1337

# Reference: https://twitter.com/liuya0904/status/1135901420958281729
# Reference: https://pastebin.com/5Ee4Xevs

220.194.237.43:43768
w.21-3n.xyz
w.3ei.xyz
w.lazer-n.com

# Reference: https://otx.alienvault.com/pulse/5d0773672ba7e7853c4ad5cf

51.15.56.161:443
51.38.133.232:80
51.38.133.232:201
http://107.173.102.59
http://107.174.47.156
http://107.174.47.181
http://51.15.56.161

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-mining-botnet-arrives-through-adb-and-spreads-through-ssh/

198.98.51.104:282

# Reference: https://twitter.com/KernelD0wn/status/1144379473585983493

http://112.216.100.210

# Reference: https://twitter.com/bad_packets/status/1151785688360075264

http://185.181.10.234

# Reference: https://www.alibabacloud.com/blog/return-of-watchbog-exploiting-jenkins-cve-2018-1000861_594798
# Reference: https://otx.alienvault.com/pulse/5d35958a9983df3a51f1a3b9
# Reference: https://blog.talosintelligence.com/2019/09/watchbog-patching.html
# Reference: https://otx.alienvault.com/pulse/5d794c4a25c9e790d1f66f01

http://45.55.211.79
z5r6anrjbcasuikp.onion.to
aziplcr72qjhzvin.onion.to

# Reference: https://otx.alienvault.com/pulse/5d44442ef2bd636085171214
# Reference: https://unit42.paloaltonetworks.com/rockein-the-netflow/
# Reference: https://otx.alienvault.com/pulse/5db2e2a517e95c5c22817055
# Reference: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect

z9ls.com
gwjyhs.com
thyrsi.com
heheda.tk
systemten.org
sowcar.com
baocangwh.cn
cloudappconfig.com
w2wz.cn
iap5u1rbety6vifaxsi9vovnc9jjay2l.com

# Reference: https://twitter.com/28bit/status/1159906315642253312

http://96.32.50.131
http://188.192.40.43
/racks_s

# Reference: https://habr.com/ru/company/pt/blog/466877/ (Russian)

http://107.174.47.156
http://154.16.67.135
http://154.16.67.136

# Reference: https://blog.sucuri.net/2019/10/cryptominers-backdoors-found-in-fake-plugins.html

xfer.abcxyz.stream

# Reference: https://www.virustotal.com/gui/file/2d9fb5ea6356fba9734673ba4ed1653ff7e887875cc3bfc9da7669c80a53a93b/detection
# Reference: https://twitter.com/luc4m/status/1202311106187821056 (Note: not the Perl IRC bot)
# Reference: https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/
# Reference: https://otx.alienvault.com/pulse/5eb984d90091572e80b24197

45.9.148.125:80
45.9.148.125:443
45.9.148.129:80
45.9.148.129:443
debian-package.center

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/outlaw-updates-kit-to-kill-older-miner-versions-targets-more-systems/
# Reference: https://otx.alienvault.com/pulse/5e42eb027242294dd0f82358

104.236.192.6:80
159.203.141.208:80
minpop.com/sk12pack/idents.php
minpop.com/sk12pack/names.php

# Reference: https://unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet/
# Reference: https://otx.alienvault.com/pulse/5ec4066fef9efdf091b20025
# Reference: https://www.virustotal.com/gui/file/14c351d76c4e1866bca30d65e0538d94df19b0b3927437bda653b7a73bd36358/detection
# Reference: https://www.virustotal.com/gui/file/9ae6fba4d9359a85984377dc9795de422bd9fbfa41558372ba8be9d5b9c9aa14/detection

62.210.119.142:80
62.210.119.142:4444
eleethub.com

# Reference: https://unit42.paloaltonetworks.com/cryptojacking-docker-images-for-mining-monero/
# Reference: https://otx.alienvault.com/pulse/5ef4b1a819214546dc8ef774

144.202.23.108:4444
155.138.227.135:442
155.138.234.122:442
66.42.53.57:442
66.42.93.164:442
5pwcq42aa42fjzel.onion
73avhutb24chfsh6.onion
