# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/

api.goallbandungtravel.com
bugcheck.xigncodeservice.com
dump.gxxservice.com
nw.infestexe.com
checkin.travelsanignacio.com
/Common/Lib/Common_bsod.php
/Common/Lib/Common_Include.php

# Reference: https://www.symantec.com/security-center/writeup/2011-102716-2809-99

lp.apanku.com
ad.jcrsoft.com
rh.jcrsoft.com
bot.timewalk.me
b0t.meibu.com

# Reference: https://securelist.com/winnti-more-than-just-a-game/37029/

jp.xxoo.co
kr.xxoo.co
us.nhntech.com
newpic.dyndns.tv
lp.zzsoft.info
ru.gcgame.info
update.ddns.net
lp.gasoft.us
kr.jcrsoft.com
nd.jcrsoft.com
eya.jcrsoft.com
wm.ibm-support.net
cc.nexoncorp.us
ftpd.9966.org
fs.nhntech.com
kr.zzsoft.info
docs.nhnclass.com
as.cjinternet.us
wi.gcgame.info
rh.jcrsoft.com
ca.zzsoft.info
tcp.nhntech.com
wm.nhntech.com
sn.jcrsoft.com
ka.jcrsoft.com
wm.myxxoo.com
lp.apanku.com
my.zzsoft.info
ka.zzsoft.info
sshd.8866.org
jp.jcrsoft.com
ad.jcrsoft.com
ftpd.6600.org
su.cjinternet.us
my.gasoft.us
tcpiah.googleclick.net
vn.gcgame.info
rss.6600.org
ap.nhntech.com

# Reference: https://medium.com/@Sebdraven/winnti-uses-the-rtf-exploit-8-t-too-targets-vietnam-13300d432272
# Reference: https://otx.alienvault.com/pulse/5d3754868fc025df351b747e
# Reference: https://www.virustotal.com/gui/ip-address/58.64.184.209/relations

58.64.184.209:80
bkavutil.com
eofficeupdate.com
eofficeupdating.com
goog1eupdate.com
iatupdate.com
iumsvc.com
mdnsresponder.com
mfaupdate.com
nissrv.com

# Reference: https://twitter.com/daphiel/status/1162875379872387075

google-searching.com

# Reference: https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf
# Reference: https://otx.alienvault.com/pulse/5da4528788ac7149ce4894b7

dns1-1.7release.com
ssl.dyn-dns.co
ssl.dyn-dns.com
svn-dns.ahnlabinc.com
xp101.dyn-dns.co
xp101.dyn-dns.com

# Reference: https://www.verfassungsschutz.de/de/oeffentlichkeitsarbeit/publikationen/pb-cyberabwehr/broschuere-2019-12-bfv-cyber-brief-2019-01
# Reference: https://twitter.com/hatr/status/1202870566413357056
# Reference: https://otx.alienvault.com/pulse/5dea7c18581fca35d1977514
# Reference: https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/

dick.mooo.com

# Reference: https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
# Reference: https://otx.alienvault.com/pulse/5e3404fe524c3e16fa0d416c

dnslookup.services
livehost.live

# Reference: https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia
# Reference: https://otx.alienvault.com/pulse/5e4bbe896e6393eb79a1d2c9

185.173.92.141:33579
35.220.232.71:53
35.220.232.71:554
45.77.41.49:53
45.77.41.49:500
45.77.41.49:80
betwln520.com
dropboxbeta.com
facebooknavigation.com
googldevice.com
googlerenewals.net
ipv4-cisco.com
kkxx888666.com
microsoftbetastore.com
mircosofdevice.com
microsoftdnsdown.com
microsoftdnsupdate.com
pwdump.ac
safedog.co
shopingchina.net
updatesrvers.org

# Reference: https://twitter.com/cci_forensics/status/1230686753083707393
# Reference: https://www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/

139.28.37.102:443
185.161.208.28:443
185.161.209.234:53
185.161.211.188:53
185.161.211.97:443
185.236.78.15:443
185.236.78.28:443
80.82.67.6:443
91.235.128.90:443

# Reference: https://twitter.com/Sebdraven/status/1239853425594155008
# Reference: https://app.any.run/tasks/7c8751cc-15d5-48dd-a2bb-63299b459f06/
# Reference: https://otx.alienvault.com/pulse/5e70b90b7001067032f079b9

45.76.218.232:3010
brands.newst.dnsabr.com
exp100.strangled.net
ru.mst.dns-cloud.net
ux6p.strangled.net

# Reference: https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/ (# PipeMon)

n8.ahnlabinc.com
owa.ahnlabinc.com
ssl2.ahnlabinc.com
www2.dyn.tracker.com
ssl2.dyn-tracker.com
client.gnisoft.com
nmn.nhndesk.com
