# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: hexmen, mykings, smominru, king miner    (Reference: https://www.csoonline.com/article/3439400/secrets-of-latest-smominru-botnet-variant-revealed-in-new-attack.html)
# Note: "Smominru Monero mining botnet"             (Reference: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators)
# Note: "MyKings == Smominru"                       (Reference: https://news.sophos.com/en-us/2019/12/18/mykings-botnet-spreads-headaches-cryptominers-and-forshare-malware/)

# Reference: https://github.com/guardicore/labs_campaigns/blob/master/Smominru/connect_backs.md

bee12.bumblebeeservers.com
d20.xtrmserver.com
down.1226bye.pw
gamesoxalic.com
ftp.0603bye.info
garrafa8.itaucredicard.tk
grinknowledge.com
js.1226bye.xyz
pc.pc0416.xyz
server.triangleww.com
wmi.1217bye.host
worldsender.info

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-a-mykings-variant-with-bootloader-persistence-via-managed-detection-and-response/

js.mykings.top
down.mysking.info
ok.xmr6b.ru
ftp.ftp0118.info

# Reference: https://www.virustotal.com/gui/domain/ok.mymyxmra.ru/relations
# Reference: https://www.virustotal.com/gui/domain/64.mymyxmra.ru/relations
# Reference: https://www.virustotal.com/gui/file/51b2e2689bd489e910d7d7e9e1a52cfaee55bace7c72d25b172c7d9ebc47d70c/behavior/Tencent%20HABO
# Reference: https://www.virustotal.com/gui/file/865e781dc4f9d8560dd6d26407b327a1af629aeeaf6c23d331822247854fad83/behavior/Tencent%20HABO

mymyxmra.ru
http://45.58.135.106/xpdown.dat
http://103.95.28.54/xpdown.dat
http://103.213.246.23/xpdown.dat
http://74.222.14.61/xpdown.dat

# Reference: https://www.virustotal.com/gui/file/8b9bbb66b441769bc97700dead974aa558cbe1ce2fae85cf951dab7dc83aca8e/behavior/Tencent%20HABO

http://103.213.246.23/xpdown.dat

# Reference: https://github.com/guardicore/labs_campaigns/blob/master/Hexmen/domains.md
# Reference: https://www.guardicore.com/2017/12/beware-the-hex-men/

cct119.com
cyg2016.xyz
msns.cn
mykings.top
mys2016.info
mys2018.xyz
down.mys2016.info
js.mys2016.info
js.mykings.top
www.cyg2016.xyz
hc58.msns.cn
down.mys2018.xyz
js.mys2018.xyz

# Reference: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators

64.mymyxmra.ru
64.myxmr.pw
down.down0116.info
down.my0115.ru
down.my0709.xyz
down.mys2016.info
down.oo000oo.club
ftp.ftp0118.info
ftp.oo000oo.me
ftp.ruisgood.ru
js.my0115.ru
js.mys2016.info
wmi.my0115.ru
wmi.my0709.xyz
wmi.mykings.top.info
wmi.oo000oo.club
www.cyg2016.xyz
xmr.5b6b7b.ru
xmr.xmr5b.ru

# Reference: https://twitter.com/360Netlab/status/1083232080065105921
# Reference: https://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/

100.43.155.171:280
104.37.245.82:8888
118.190.50.141:8888
209.58.186.145:8888
213.23.167.180:9999
23.27.127.254:8888
47.52.0.176:8888
47.88.216.68:8888
67.229.144.218:8888
b591.com
b5w91.com
cnc.f321y.com
down0116.info
f4321y.com
ftp0118.info
ftp.ftp0118.info
kill1234.com
mysking.info
mykings.pw
mykings.top
oo000oo.club
oo00oo.info
oo000oo.me

# Reference: https://twitter.com/DissectMalware/status/985712345669357573

wmi.oo000oo.club
js.oo000oo.club

# Reference: https://www.virustotal.com/gui/file/49ec786759920dd3116fddcd45e0b14936a0954c21f272527754659c31cde86d/behavior/Dr.Web%20vxCube
# Reference: https://www.virustotal.com/gui/file/ac99d6ecf20ede3c1064a5790ea66d4080776c7369dc7f878c3dcd658dc7d5ee/detection

179.178.9.126:5552

# Reference: https://www.virustotal.com/gui/file/eaef82223eeb8cf404a1d46613d36b9e582304b215201b5e557db578dd73e04e/behavior/Dr.Web%20vxCube

xmr.xmr6b.ru

# Reference: https://www.virustotal.com/gui/file/eaef82223eeb8cf404a1d46613d36b9e582304b215201b5e557db578dd73e04e/behavior/Dr.Web%20vxCube

45.58.135.106:13000

# Reference: https://research.checkpoint.com/kingminer-the-new-and-improved-cryptojacker/

a.1b051fdae.tk
a.869d4fdae.tk
a.qwerr.ga
q.112adfdae.tk

95.179.131.54:9760
w.homewrt.com

# Reference: https://twitter.com/faisalusuf/status/1202098388151525377

103.106.250.161:8161
103.106.250.162:8162
167.88.180.175:8175
172.83.155.170:8170
192.236.160.237:8237
80.85.158.117:8117
wmi.1103.xyz

# Reference: https://www.okcode.net/article/87061

js.0603bye.info
wmi.1103bye.xyz

# Reference: https://litl-admin.ru/bezopasnost/ostavil-sistemu-bez-zashhity-v-internet.html

http://139.5.177.19/s.jpg
http://173.208.139.170/s.txt
http://173.208.139.170/2.txt
http://139.5.177.19/3.txt

# Reference: https://www.virustotal.com/gui/file/7f78d8a2cf889230fcd0dcd3d12418835c6c2e37ea396c13ae5222eccd978e8a/behavior/Dr.Web%20vxCube

http://45.58.135.106/xpdown.dat
http://45.58.135.106/ok/down.html
http://45.58.135.106/ok/64.html
http://45.58.135.106/ok/vers.html
http://64.32.3.186/kill.txt
http://64.32.3.186/down.txt
http://208.51.63.150/down.exe
http://64.32.3.186/item.dll
http://64.32.3.186/b.exe
http://45.58.135.106/vers1.txt
http://64.32.3.186/64.rar
http://66.117.2.182/xpxmr.dat
http://45.58.135.106/xpxmr.dat
http://45.58.135.106/ok/xmrok.html
http://45.58.135.106/xmrok.txt
http://64.32.3.186/downs.txt
http://208.51.63.150/downs.exe
http://174.128.239.250/kill.txt
http://174.128.239.250/downs.txt
http://174.128.239.250/down.txt
http://174.128.239.250/64.rar
http://45.58.135.106/kill.txt
http://45.58.135.106/down.txt
http://185.112.156.92/down.exe
http://66.117.6.174/ups.rar
http://174.128.248.10/b.exe
http://174.128.248.10/64work.rar
http://198.148.90.34/0228.rar
http://174.128.248.10/64.rar
http://223.25.247.240/ok/ups.html

# Reference: https://sophos.files.wordpress.com/2019/12/mykings_report_final.pdf
# Reference: https://github.com/sophoslabs/IoCs/blob/master/malware-MyKings
# Reference: https://otx.alienvault.com/pulse/5dfa53868beb2b5dae6335ec

0603bye.info
0814ok.info
1103bye.xyz
1217bye.host
1226bye.xyz
5b6b7b.ru
b591.com
b5w91.com
down0116.info
f321y.com
f4321y.com
ftp1202.site
ioad.pw
jpgo.ru
kill0604.ru
kill1234.com
kr1s.ru
kriso.ru
my0115.ru
my0709.xyz
mykings.pw
mymyxmra.ru
mys2016.info
mys2018.xyz
mysking.info
myxmr.pw
oo000oo.club
pc0416.xyz
rucop.ru
ruisgood.ru
tftp0930.host
uf4321y.com
ums1128.site
upme0611.info
wpd0126.info
wpdtest1017.site
xmr5b.ru
xmr6b.ru
zcop.ru

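# Generic (path-only trails, not tied to a host; short names such as /s.txt and /power.txt may also occur in benign traffic, so corroborate hits with the host/IP trails above)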

/xpdown.dat
/xpwpd.dat
/xpxmr.dat
/xmrok.txt
/ok/64.html
/ok/down.html
/ok/ups.html
/0228.rar
/64work.rar
/power.txt
/s.txt
