Monero Mining

Neo23x0 · Oct 25, 2021 · 96a0697 · 96a0697
1 parent dcbc6ca
commit 96a0697
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 0 deletions.
diff --git a/iocs/c2-iocs.txt b/iocs/c2-iocs.txt
@@ -1623,4 +1623,26 @@ worldhomeoutlet.com
 51.254.241.158
 51.38.85.225
 
+# Monero Mining Pools 
+pool.minexmr.com
+fr.minexmr.com
+de.minexmr.com
+sg.minexmr.com
+ca.minexmr.com
+us-west.minexmr.com
+pool.supportxmr.com
+mine.c3pool.com
+xmr-eu1.nanopool.org
+xmr-eu2.nanopool.org
+xmr-us-east1.nanopool.org
+xmr-us-west1.nanopool.org
+xmr-asia1.nanopool.org
+xmr-jp1.nanopool.org
+xmr-au1.nanopool.org
+xmr.2miners.com
+xmr.hashcity.org
+xmr.f2pool.com
+xmrpool.eu
+pool.hashvault.pro
+
 # Last Line
diff --git a/yara/pua_cryptocoin_miner.yar b/yara/pua_cryptocoin_miner.yar
@@ -44,3 +44,26 @@ rule PUA_CryptoMiner_Jan19_1 {
    condition:
       filesize < 1000KB and 1 of them
 }
+
+rule PUA_Crypto_Mining_CommandLine_Indicators_Oct21 : SCRIPT {
+   meta:
+      description = "Detects command line parameters often used by crypto mining software"
+      author = "Florian Roth"
+      reference = "https://www.poolwatch.io/coin/monero"
+      date = "2021-10-24"
+      score = 65
+   strings:
+      $s01 = " --cpu-priority="
+      $s02 = "--donate-level=0"
+      $s03 = " -o pool." ascii
+      $s04 = " -o stratum+tcp://"
+      $s05 = " --nicehash"
+      $s06 = " --algo=rx/0 "
+
+      /* base64 encoded: --donate-level= */
+      $se1 = "LS1kb25hdGUtbGV2ZWw9"
+      $se2 = "0tZG9uYXRlLWxldmVsP"
+      $se3 = "tLWRvbmF0ZS1sZXZlbD"
+   condition:
+      filesize < 5000KB and 1 of them
+}