# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://www.virustotal.com/en/file/0687cd8d38c334a970b81b1ba9bb2e18aa66424edba3f33b61f7d03e35d5db20/analysis/
# Reference: https://isc.sans.edu/forums/diary/Crypto+Mining+Is+More+Popular+Than+Ever/24050
# Reference: https://www.alibabacloud.com/blog/jbossminer-mining-malware-analysis_593804
# Reference: https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html
# Reference: https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/

3g2upl4pq6kufc4m.tk
a.ssvs.space
aybc.so
blockbitcoin.com
d3goboxon32grk2l.tk
d20blzxlz9ydha.cloudfront.net
dazqc4f140wtl.cloudfront.net
dwn.rundll32.ml
enjoytopic.tk
realtimenews.tk
sydwzl.cn

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/linux-coin-miner-copied-scripts-from-korkerds-removes-all-other-malware-and-miners/

drnfbu.xyz
yxarsh.shop

# Reference: https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang
# Reference: https://otx.alienvault.com/pulse/5c8bff7c52e568275bf09e0b

sowcar.com
thyrsi.com
w2wz.com

# Generic link path signs for sh-loaders of ELF-coinminer

/bonn.sh
/conn.sh
/Duck.sh
/kw.sh
/lower.sh
/lowerv2.sh
/lowerv3.sh
/pro.sh
/r88.sh
/root.sh
/rootv2.sh
/rootv3.sh

# Reference: https://twitter.com/bad_packets/status/1106094104520253441
# Reference: https://www.virustotal.com/#/file/5c1439c0db107cb5f3a9b9c239652b26935a2badaf1d840812702267290ebcac/detection

/a_thk.sh

# Reference: https://twitter.com/SugitaMuchi/status/1075352914221121537

103.55.13.68:13333

# Generic link path signs for ELF-coinminer

/accounts-daemon
/askdljlqw
/AnXqV.yam
/bashf
/bashg
/BI5zj
/bonns
/conns
/cranberry
/cryptonight
/crypto-pool
/ddg
/donns
/gekoCrw
/gekoCrw32
/gekoba2anc1
/gekoba5xnc1
/gekobalanc1
/gekobalance
/gekobalanq1
/gekobnc1
/ihhnk
/ir29xc1
/jaav
/jIuc2ggfCAvYmluL2Jhc2gi
/JnKihGjn
/jva
/KGlJwfWDbCPnvwEJupeivI1FXsSptuyh
/kworker
/kworker34
/kxjd
/lexarbalanc1
/ltcminerd
/minerd
/minergate
/minergate-cli
/minerd
/mixnerdx
/minerd64_s
/minexmr
/nativesvc
/NXLAi
/oanacroner
/pubg
/pvv
/rig
/rig1
/rig2
/servcesa
/stratum
/sourplum
/t0mcat
/thisxxs
/watch-smart
/watch-smartd
/xig
/xige
/XJnRj
/xmrig
/xmrig2
/xmrig_s
/yam
/yam32
/ysaydh
/zbjnu

# Reference: https://twitter.com/bad_packets/status/1123473023313616896

45.67.14.152:1337

# Reference: https://twitter.com/liuya0904/status/1135901420958281729
# Reference: https://pastebin.com/5Ee4Xevs
# Reference: https://www.virustotal.com/gui/domain/pixeldra.in/relations

220.194.237.43:43768
pixeldra.in
w.21-3n.xyz
w.3ei.xyz
w.lazer-n.com

# Reference: https://otx.alienvault.com/pulse/5d0773672ba7e7853c4ad5cf

51.15.56.161:443
51.38.133.232:80
51.38.133.232:201
http://107.173.102.59
http://107.174.47.156
http://107.174.47.181
http://51.15.56.161