# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://news.sophos.com/en-us/2020/08/25/lemon_duck-cryptominer-targets-cloud-apps-linux/
# Reference: https://github.com/sophoslabs/IoCs/blob/master/Trojan-LDMiner.csv
# Reference: https://blog.talosintelligence.com/2020/10/lemon-duck-brings-cryptocurrency-miners.html
# Reference: https://otx.alienvault.com/pulse/5f85cce401067cfef71f580b
# Reference: https://app.any.run/tasks/5984f91c-c654-4dd6-a937-85a160678934/

bddp.net
d.ackng.com
info.ackng.com
info.amynx.com
info.zz3r0.com
jdjdcjq.top
lplp.ackng.com
p.awcna.com
p.b69kq.com
p.k3qh4.com
t.amynx.com
t.jdjdcjq.top
t.tr2q.com
t.zer2.com
t.zer9g.com
t.zz3r0.com 
w.zz3r0.com

# Reference: https://twitter.com/craiu/status/1370331555575574528
# Reference: https://twitter.com/craiu/status/1370373495176192000

cdn.chatcdn.net
p.estonine.com

# Reference: https://twitter.com/smii_mondher/status/1372814578036379651

down.sqlnetcat.com
t.netcatkit.com
t.sqlnetcat.com

# Reference: https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html

t.bb3u9.com
t.hwqloan.com
d.hwqloan.com
t.ouler.cc
ps2.jusanrihua.com
aeon-pool.sqlnetcat.com
apis.890.la
wakuang.eatuo.com
dqIUHfNYL.kr
vTr1RG2d9jQ.jp
f56Ov2bn.cn
zd0OVCFb.jp
eEy8QwB.jp
eiv0VGAD.cn
XnxA8pv.jp
aV4Rq7lNZ.kr
EMYDH4vzVK.cn
QlhcXbC.kr
RuesiAlJTCg.kr
Mua1s5tV.kr
CUQmXrN2Ac.jp
d2btrgUkxO.jp
gktTpF.cn
ikKGVEgplC.kr
9o6XVWm.kr
g9Ve5b6T4.cn
7M03nX.jp

# Reference: https://otx.alienvault.com/pulse/609c462f9597c178baaed88d

api.890.la
cs2.sqlnetcat.com
ps2.hwqloan.com
vhosts.hwqloan.com

# Reference: https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/
# Reference: https://github.com/craiu/iocs/blob/main/lemonduck/hashes.txt
# Reference: https://otx.alienvault.com/pulse/610151adc4b4722cd17e9a3b

js88.ag
amynx.com
b69kq.com
bb3u9.com
cdnimages.xyz
hwqloan.com
netcatkit.com
pp6r1.com
sqlnetcat.com
zer9g.com
zz3r0.com

# Generic

/kr.bin
/m6.bin
/m6g.bin
/nvd.zip
/if_mail.bin
/xr.zip