# Copyright (c) 2014-2018 Miroslav Stampar (@stamparm)
# See the file 'LICENSE' for copying permission

# Reference: https://blog.malwarebytes.com/threat-analysis/2018/09/mass-wordpress-compromises-tech-support-scams/

ads.voipnewswire.net/ad.js
drupalupdates.tk/check.js
cdn.allyouwant.online/main.js
ejyoklygase.tk
examhome.net
mp3menu.org
uustoughtonma.org

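# Generic detection for compromised Bitrix CMS (path-only entries: no host component, so a match identifies the request path, not a specific malicious domain)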

/lib/crypta.js
/bitrix/js/main/core/core_loader.js
/bitrix/js/main/core/core_tasker.js

# Reference: https://twitter.com/bad_packets/status/1038967603048243200
# Reference: https://www.virustotal.com/#/file/d527ea936ab99a2e3a25cf8786c66c0e07fc509b9465d48dd26065f034795f19/relations

aster18cdn.nl/app.js
feesocrald.com/app.js
istlandoll.com/app.js
soodatmish.com/app.js
play.aster18cdn.nl/app.js
play.feesocrald.com/app.js
play.istlandoll.com/app.js
play.soodatmish.com/app.js

# Reference: https://blog.radware.com/security/2018/05/nigelthorn-malware-abuses-chrome-extensions/

/2131.js
/webmr.js
/webmr-2.js
/webmr-x7.js

# Reference: https://twitter.com/ViriBack/status/1035692468459720704

/r/6jHa5
/r/Lx4er

# Reference: https://twitter.com/bad_packets/status/1042627971368939521

/lib/coinhive.min.js

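# Reference: https://www.virustotal.com/#/domain/coinhive.com
# Note: /lib/coinhive.min.js below duplicates the entry already listed under the bad_packets reference above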

/lib/captcha.min.js
/lib/ch2.min.js
/lib/coinhive.min.js
/lib/miner.min.js
/lib/worker-asmjs.min.js

# Reference: https://www.virustotal.com/#/url/e2887029795c19d1b0d7e97bcd6b29fd25988ea27e8f958ef9af6f9520f97b45/detection

coinimp.com/scripts/min.js

# Reference: https://twitter.com/malwrhunterteam/status/1044950859875012608

/perfekt/perfekt.js

# Reference: https://twitter.com/VK_Intel/status/1021453551975817217

wjcqsstycdujc.eu

# Reference: https://twitter.com/ps66uk/status/1036775592371384320
# Reference: https://twitter.com/ps66uk/status/1026391185953312768
# Reference: https://pastebin.com/izi6pDs8
# Reference: https://threats.kaspersky.com/en/threat/Trojan-Downloader.JS.SLoad/

4play4girls.com/.cabinet/29rf852359-package-updated
adetailimage.com/.customer/3G5QH49725-Your-receipt
alaxvong.com/.customer-area/pack-82AK376-updated
arenaofshrugs.com/.customer-area/package-3M516645-updated
asecretenergyofmiracles.com/.customer-area/pack-42X31841-updated
atlantaseedsmentoringforgirls.com/.customer/1OC358756-your-receipt
ayca.com/.customer/FW8149101-Your-receipt
bakerassistants.com/.safe/GD8JY47086-receipt
bekahwagner.com/.customer-area/package-1GHF7189-updated
beneaththeblackrainbow.com/.customer-area/pack-0VX2107-updated
beneaththeblackrainbow.com/.customer-area/pack-7WRS_214-updated
bettingmlb.com/.customer-area/package-919R-70321-updated
bleuhaven.com/.customer-area/package-79JK8_63195-updated
bollygupshup.com/.advicedetails/0235789168-details
bostonteleprompter.com/.advice-notification/86MZ71628-complete-details
browseright.com/.customer/TI1N01666-your-Receipt
bullcityapparel.com/.safetyarea/TNF4Z521816-order-receipt
buyinggoldhq.com/.customer-area/package-11U492-updated
buzznewscenter.com/.cabinet/2dgp641-package-updated
byxaru.com/.orderdetails/92EW-60267-confirmation
comocuidarme.com/omoc/darme
comunicazionecreativaconsapevole.com/.customer-area/pack-156Q3055-updated
cumbrecapital.com/.customer/6B1R003355-Your-receipt
cumbrecapital.com/.customer/A1K414064-your-Receipt
customers.breastandbodyguidemd.com/.productdetails/8P97438-status-updated
customers.delvecchiopastafresca.com/.personal/package-1XTY6521-updated
customers.golf-classifieds.com/.clientarea/delivery-status-updated
dasheriemagazine.com/.customer-area/pack-24CG4727-updated
db.agile-kanata.com/usernotice/35Z4760-status-update
db.avonbourne.com/usernotice/9RYK9707-status-update
db.bobwu.com/usernotice/71AX0842-notifications
db.boomer-angle.com/usernotice/8T3G41905-notifications
db.careerever.com/usernotice/93I5333-notifications
db.catalinaappraisalservice.com/usernotice/1RJ6972-notifications
db.catalinaappraisalservice.com/usernotice/69V1K3619-notifications
db.digitalwizards.com/usernotice/0CW618-notifications
db.disruptivedrama.com/.safe/66B_410-Receipt
db.falsefiddle.com/.safe/H3X837846-Receipt
db.flyingelephantstudios.com/usernotice/57K5X36453-notifications
db.glennwithrow.com/usernotice/69JY81993-notifications
db.hivetastic.com/usernotice/51X768973-notifications
db.honeycombbooks.net/usernotice/484J7970-notifications
db.icmeet.com/.safe/9L7235-Receipt
db.jclbioassay.com/.safe/S2JA10415-Receipt
db.nobuwrap.com/.safe/E9B3M049671-Receipt
db.nobuwrap.com/usernotice/6L6295-notifications
db.obimfresh.net/usernotice/8O551983-notifications
db.pakkaussuunnittelu.com/usernotice/47E67189-status-update
db.preciselysoftware.com/usernotice/79OE4365-notifications
db.replayrink.com/usernotice/68SEG85567-notifications
db.serendipidance.com/usernotice/9UKS3638-notifications
db.sextoysandmen.com/usernotice/91NRI363-notifications
db.stonyrundesign.com/.safe/CJ0YU149110-receipt
db.stonyrundesign.com/usernotice/81FI02058-notifications
db.strawberryshakemovie.com/usernotice/3485145-notifications
db.whiterivercountry.com/usernotice/1WNO3384-status-update
db.whiterivercountry.com/usernotice/64AW18330-notifications
db.woodenboatgallery.com/usernotice/6CPO02141-notifications
db.yellowstonebrewingcompany.com/usernotice/08CY772-notifications
db.yourfuturebeginshere.com/usernotice/33YHT45331-notifications
dflathmann.com/.customer-area/pack-652B619488-updated
districtframesph.com/.getyourticket/81365093-ticket
drjarad.com/.customer-area/package-5Z4015-updated
durolosangeles.com/.customer-area/package-15H85328-updated
dwiby.com/.customer/3I51694269-Your-Receipt
enataihomes.com/.advice-customers/order-complete-details
eventfish.com/.safetyadvicearea/01686431953-order-Receipt
farmersce.com/.safe/PYN9005J-476356-your-New-Receipt
fitnessdetail.com/.safe/1CUS794179-Receipt
flightcasefilms.com/.customer-area/package-0GZ77952-updated
flipsandals.com/.safetyadvice/36PU815683-Receipt
forsalekentucky.com/.safe/NIUFZ748379-Receipt
forsalemontana.com/.safe/SE-37885-Receipt
foundationtour.com/.customer-area/pack-77ER586-updated
foundationtour.com/.customer-area/package-01ZK1-8120-updated
freewaydeathsquad.com/.cabinet/5ihz6840-pack-updated
fromthedeskofashigeorgia.com/.advice-customers/order-complete-details
fruchile.com/.safe/QF8267H-99740-your-New-receipt
funtimefacepainting.com/.customer-area/pack-5OR7_4582-updated
gettingsecure.com/.safe/THK11097-receipt
goldmaggot.com/.safe/L65P912030-receipt
hercrush.com/.safe/EHR168605-Receipt
holtsberrydesign.com/.customer-area/package-19YY6241-updated
horseharmonyfarm.com/.safe/RDFN509606-Receipt
hoschtonhomesforless.com/.safetyarea/16O711723-order-Receipt
hotnewreads.com/.advicedetails/7XV777-details
howelladventures.com/.safetyadvice/87YA590-Receipt
identitygift.com/.safe/WPVWT808948-receipt
iphone6backgrounds.com/.advicedetails/71PL2590-details
jennanorwood.com/.advice/delivered-status-notification
jvive.com/.customer-area/pack-3BM8_29302-updated
kentuckyinjuryaccident.com/.safe/2GN1356-Your-new-Receipt
kevinecotter.com/.safetyadvice/29K054-receipt
kivacopper.com/.cabinet/14zc_9521-pack-updated
kosmopolitanfinearts.com/.customer-area/package-8WE6996-updated
krcooking.com/.customer-area/package-54GWB-04521-updated
ladyfounder.com/.customer-area/package-830ZO_3159-updated
laibachmusic.com/.safetyarea/UVRN559091-order-receipt
laucacau.com/.safetyadvicearea/0814656528-order-Receipt
lifebyaileen.com/.advice-notification/order-complete-details
longbayhideaway.com/.safetyadvice/JO6OV00947-receipt
lonnielepp.com/.safetyarea/2VC41131-order-receipt
lonnielepp.com/.safetyarea/ENS9Y49504-order-receipt
loulouinhollywood.com/.customer/1P4FC280342-your-receipt
lrsresources.com/.safetyadvice/2MVK655933-Receipt
luchtefeld.com/.safe/CE-737941-Receipt
maloneandcompanyswededfilmfest.com/.safetyarea/003702712-order-Receipt
margotgarnick.com/.customer-area/package-6OF_22197-updated
megachief.com/.safetyadvice/77RUZ57184-Receipt
mjsmallbusinessservices.com/.safetyarea/74C56_2495-order-receipt
motomako.com/.safetyarea/EYGL699416-order-receipt
moveinmandalay.com/.cabinet/11sf_9124-pack-updated
myblagh.com/.safetyadvice/66YS2836-Receipt
northernlightssurvey.com/.productdetails/receipt-details-updated
norway2thailand.com/.customer-area/pack-60HX346-updated
norway2thailand.com/.customer-area/package-9GP_90045-updated
odedadali.com/.advicedetails/026052352956-details
okiostyle.com/.safetyarea/0409669990-order-Receipt
onenationhealing.com/.advicedetails/28MM_665-details
pacificrimbonsai.com/.advice-notification/order-complete-details
paperlovestudios.com/.advicedetails/078391277951-details
passportstatusonline.com/.orderdetails/69X99475-confirmation
pdxinjuryattorney.com/.customer-area/pack-8XD_2636-updated
perimenopausetherapy.com/.cabinet/23hu_5379-pack-updated
philasoup.com/.safetyarea/IVEU187436-order-Receipt
placeklaw.com/.advice/10HF81744-order-receipt
popnuvo.com/.safetyadvice/49RBX589238-receipt
qtheboat.com/.advicedetails/088641320452-details
rescuingchildrenhealingadults.com/.customer-area/pack-474TT-33472-updated
retroframing.com/.customer-area/pack-4RLJ0016-updated
rickyville.com/.customer-area/pack-52JT3992-updated
riideinc.com/.advice/delivered-status-notification
robdonato.com/.advice/91-673620-ticket
rontonsoup.com/.customer-area/pack-00ME-9651-updated
runningvillage.com/.advicedetails/0CQ265196-details
rynegrund.com/.customer-area/package-51QJ728660-updated
saragoldstein.com/.customer-area/pack-772M_3561-updated
saragoldstein.com/.customer-area/package-7FEQ5204-updated
sbicarolinas.com/.safetyadvice/EG778094-Receipt
scottad.com/.customer/1NNZN394864-your-receipt
seoandgrow.com/.safe/CBR00207-receipt
sethpgoldstein.com/.customer-area/package-22AX-42309-updated
sketcheleven.com/.customer-area/pack-5Z04750-updated
sketcheleven.com/.customer-area/package-7OUF_395-updated
smallscalelng.com/.customer/8JY41782-your-new-Receipt
smartglassesdataplans.com/.safe/PJ2B028923-receipt
smokeshopsinc.com/.customer-area/package-06FB3259-updated
solofront.com/.customer-area/pack-25P92664-updated
startabusinessinpa.com/.customer-area/pack-0YQM250-updated
sunandprasad.com/.safetyadvice/3XTV756223-receipt
theartofbridal.com/.customer-area/pack-315J713173-updated
theartofbridal.com/.customer-area/package-1P5212-updated
thefinancialcontrollers.com/.dXNlcLNTF7pUywsgZm5A1KDNHnNlc3ND1pBVMcjXgwhF735D0idpb/3ZG2038-receipt
thehowandwhy.com/.safetyarea/ODSW3456060-order-Receipt
thejunglejournal.com/.customer-area/package-2HH382-updated
thekindlesales.com/.customer/NGJ3494423-your-receipt
themeterminal.com/.safetyadvicearea/088432722890-order-Receipt
thepathlightcenter.com/.customer-area/pack-93IGG_25443-updated
thepynebros.com/.advice/delivered-status-notification
thequietcreatives.com/.customer-area/package-4699700-updated
theseamill.com/.safe/PDQVC123710-receipt
timharwoodmusic.com/.safe/U6N2P16610-Receipt
tinynaps.com/.advicedetails/7F25947-details
top-costumes.com/.safe/P9SVQ222688-Receipt
twobulletsleft.com/.safetyarea/ZNMP57074-order-Receipt
uberdragon.com/.safetyadvice/6O46703705-receipt
urban-meditations.com/.advice/03BEN7818-order-Receipt
valbridgetucson.com/.cabinet/98cg814-pack-updated
valbridgetucson.com/.cabinet/9d5080138-pack-updated
veterantruckingjobs.com/.customer-area/pack-8UVL_62500-updated
videosforwhatsapp.com/.safetyadvice/2LY9480-receipt
wewalk4you.com/.customer-area/pack-864O_5167-updated
whataresquingies.com/.safetyadvicearea/0405470695-order-receipt
wildhowlz.com/.advicedetails/027380256-details
yokosukadoula.com/.advicedetails/0864668306-detail
zenartfree.com/.advicedetails/1Z2-510491-details

# Reference: https://www.symantec.com/security-center/writeup/2018-092007-1208-99
# Reference: https://www.virustotal.com/#/ip-address/212.109.222.157

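# Generic callback detection (path-only entries: no host component, so a match should be correlated with the requesting page and destination host before it is treated as a confirmed callback)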

/js/altmanluggage.js
/js/aureliaskincare.js
/js/bluerooster.js
/js/bvibe.js
/js/caremax.js
/js/craftalley.js
/js/curediva.js
/js/deluxecomfort.js
/js/deroosbv.js
/js/dragonkayak.js
/js/gopestfree.js
/js/hello1010.js
/js/herbsnpuja.js
/js/horusrc.js
/js/indiamags.js
/js/justbuttons.js
/js/kitchenstuff.js
/js/labohemecafe.js
/js/lavignery.js
/js/mitoq.js
/js/mototorque.js
/js/notinshops.js
/js/probanners.js
/js/ramybrook.js
/js/rss_pt.js
/js/siamflorist.js
/js/simplygems.js
/js/singerstore.js
/js/sparxxrx.js
/js/storageshedsoutlet.js
/js/themotley.js
/js/thesingularbathroom.js
/js/totaram.js
/js/tradeplumbing.js
/js/ussi.js
/js/vladofootwear.js
/js/wallerbmx.js

# Reference: https://www.symantec.com/security-center/writeup/2018-092007-1208-99 (JSCoffe domains)

beachyripe.com
coffetea.org
energycoffe.org
energytea.org
lightbulbs-direct.org
teacoffe.net
ukcoffe.com

# Reference: https://twitter.com/unmaskparasites/status/1049723562746146816

/wp-load.js

# Reference: https://twitter.com/malware_traffic/status/1051999693780262912

/flashplayer_41.22_plugin.js
