# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Reference: https://www.virustotal.com/en/file/0687cd8d38c334a970b81b1ba9bb2e18aa66424edba3f33b61f7d03e35d5db20/analysis/ # Reference: https://isc.sans.edu/forums/diary/Crypto+Mining+Is+More+Popular+Than+Ever/24050 # Reference: https://www.alibabacloud.com/blog/jbossminer-mining-malware-analysis_593804 # Reference: https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html # Reference: https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/ 3g2upl4pq6kufc4m.tk a.ssvs.space aybc.so blockbitcoin.com d3goboxon32grk2l.tk d20blzxlz9ydha.cloudfront.net dazqc4f140wtl.cloudfront.net dwn.rundll32.ml enjoytopic.tk realtimenews.tk sydwzl.cn # Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/linux-coin-miner-copied-scripts-from-korkerds-removes-all-other-malware-and-miners/ drnfbu.xyz yxarsh.shop # Reference: https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang # Reference: https://otx.alienvault.com/pulse/5c8bff7c52e568275bf09e0b sowcar.com thyrsi.com w2wz.com # Generic link path signs for sh-loaders of ELF-coinminer /bonn.sh /conn.sh /Duck.sh /kw.sh /lower.sh /lowerv2.sh /lowerv3.sh /pro.sh /r88.sh /root.sh /rootv2.sh /rootv3.sh # Reference: https://twitter.com/bad_packets/status/1106094104520253441 # Reference: https://www.virustotal.com/#/file/5c1439c0db107cb5f3a9b9c239652b26935a2badaf1d840812702267290ebcac/detection /a_thk.sh # Reference: https://twitter.com/SugitaMuchi/status/1075352914221121537 103.55.13.68:13333 # Generic link path signs for ELF-coinminer /accounts-daemon /askdljlqw /AnXqV.yam /bashf /bashg /BI5zj /bonns /conns /cranberry /cryptonight /crypto-pool /ddg /donns /gekoCrw /gekoCrw32 /gekoba2anc1 /gekoba5xnc1 /gekobalanc1 /gekobalance /gekobalanq1 /gekobnc1 /ihhnk /ir29xc1 /jaav /jIuc2ggfCAvYmluL2Jhc2gi /JnKihGjn /jva /KGlJwfWDbCPnvwEJupeivI1FXsSptuyh /kworker /kworker34 /kxjd /lexarbalanc1 /ltcminerd /minerd /minergate /minergate-cli /minerd /mixnerdx /minerd64_s /minexmr /nativesvc /NXLAi /oanacroner /pubg /pvv /rig /rig1 /rig2 /servcesa /stratum /sourplum /t0mcat /thisxxs /watch-smart /watch-smartd /xig /xige /XJnRj /xmrig /xmrig2 /xmrig_s /yam /yam32 /ysaydh /zbjnu # Reference: https://twitter.com/bad_packets/status/1123473023313616896 45.67.14.152:1337 # Reference: https://twitter.com/liuya0904/status/1135901420958281729 # Reference: https://pastebin.com/5Ee4Xevs # Reference: https://www.virustotal.com/gui/domain/pixeldra.in/relations 220.194.237.43:43768 pixeldra.in w.21-3n.xyz w.3ei.xyz w.lazer-n.com # Reference: https://otx.alienvault.com/pulse/5d0773672ba7e7853c4ad5cf 51.15.56.161:443 51.38.133.232:80 51.38.133.232:201 http://107.173.102.59 http://107.174.47.156 http://107.174.47.181 http://51.15.56.161 # Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-mining-botnet-arrives-through-adb-and-spreads-through-ssh/ 198.98.51.104:282 # Reference: https://twitter.com/KernelD0wn/status/1144379473585983493 http://112.216.100.210 # Reference: https://twitter.com/bad_packets/status/1151785688360075264 http://185.181.10.234 # Reference: https://www.alibabacloud.com/blog/return-of-watchbog-exploiting-jenkins-cve-2018-1000861_594798 # Reference: https://otx.alienvault.com/pulse/5d35958a9983df3a51f1a3b9 # Reference: https://blog.talosintelligence.com/2019/09/watchbog-patching.html # Reference: https://otx.alienvault.com/pulse/5d794c4a25c9e790d1f66f01 http://45.55.211.79 z5r6anrjbcasuikp.onion.to aziplcr72qjhzvin.onion.to # Reference: https://otx.alienvault.com/pulse/5d44442ef2bd636085171214 # Reference: https://unit42.paloaltonetworks.com/rockein-the-netflow/ # Reference: https://otx.alienvault.com/pulse/5db2e2a517e95c5c22817055 # Reference: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect z9ls.com gwjyhs.com thyrsi.com heheda.tk systemten.org sowcar.com baocangwh.cn cloudappconfig.com w2wz.cn iap5u1rbety6vifaxsi9vovnc9jjay2l.com # Reference: https://twitter.com/28bit/status/1159906315642253312 http://96.32.50.131 http://188.192.40.43 /racks_s # Reference: https://habr.com/ru/company/pt/blog/466877/ (Russian) http://107.174.47.156 http://154.16.67.135 http://154.16.67.136 # Reference: https://blog.sucuri.net/2019/10/cryptominers-backdoors-found-in-fake-plugins.html xfer.abcxyz.stream # Reference: https://www.virustotal.com/gui/file/2d9fb5ea6356fba9734673ba4ed1653ff7e887875cc3bfc9da7669c80a53a93b/detection # Reference: https://twitter.com/luc4m/status/1202311106187821056 (Note: not perl ircbot) 45.9.148.125:80 45.9.148.125:443 45.9.148.129:80 45.9.148.129:443 debian-package.center # Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/outlaw-updates-kit-to-kill-older-miner-versions-targets-more-systems/ # Reference: https://otx.alienvault.com/pulse/5e42eb027242294dd0f82358 104.236.192.6:80 159.203.141.208:80 minpop.com/sk12pack/idents.php minpop.com/sk12pack/names.php # Reference: https://www.lacework.com/h2miner-botnet/ # Reference: https://github.com/lacework/lacework-labs/blob/master/blog/h2miner.csv # Reference: https://otx.alienvault.com/pulse/5e7baacc3c7b8864552f6774 http://139.99.50.255 http://142.44.191.122 http://217.12.221.12 http://217.12.221.244 http://45.10.88.102 http://46.243.253.167 http://82.118.17.133 http://91.215.169.111 /kinsing /kinsing2