# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://blog.malwarebytes.com/threat-analysis/2018/09/mass-wordpress-compromises-tech-support-scams/

ads.voipnewswire.net/ad.js
drupalupdates.tk/check.js
cdn.allyouwant.online/main.js
ejyoklygase.tk
examhome.net
mp3menu.org
uustoughtonma.org

# Generic detection for compromised Bitrix CMS (path-only entries: no host is given, so they are not tied to a single domain)

/lib/crypta.js
/bitrix/js/main/core/core_loader.js
/bitrix/js/main/core/core_tasker.js

# Reference: https://twitter.com/bad_packets/status/1038967603048243200
# Reference: https://www.virustotal.com/#/file/d527ea936ab99a2e3a25cf8786c66c0e07fc509b9465d48dd26065f034795f19/relations

aster18cdn.nl/app.js
feesocrald.com/app.js
istlandoll.com/app.js
soodatmish.com/app.js
play.aster18cdn.nl/app.js
play.feesocrald.com/app.js
play.istlandoll.com/app.js
play.soodatmish.com/app.js

# Reference: https://blog.radware.com/security/2018/05/nigelthorn-malware-abuses-chrome-extensions/

/2131.js
/webmr.js
/webmr-2.js
/webmr-x7.js

# Reference: https://twitter.com/ViriBack/status/1035692468459720704

/r/6jHa5
/r/Lx4er

# Reference: https://www.virustotal.com/#/domain/coinhive.com
# Reference: https://twitter.com/bad_packets/status/1042627971368939521

/lib/captcha.min.js
/lib/ch2.min.js
/lib/coinhive.min.js
/lib/miner.min.js
/lib/worker-asmjs.min.js

# Reference: https://www.virustotal.com/#/url/e2887029795c19d1b0d7e97bcd6b29fd25988ea27e8f958ef9af6f9520f97b45/detection

coinimp.com/scripts/min.js

# Reference: https://twitter.com/malwrhunterteam/status/1044950859875012608

/perfekt/perfekt.js

# Reference: https://twitter.com/VK_Intel/status/1021453551975817217

wjcqsstycdujc.eu

# Reference: https://twitter.com/ps66uk/status/1036775592371384320
# Reference: https://twitter.com/ps66uk/status/1026391185953312768
# Reference: https://pastebin.com/izi6pDs8
# Reference: https://threats.kaspersky.com/en/threat/Trojan-Downloader.JS.SLoad/

4play4girls.com/.cabinet/29rf852359-package-updated
adetailimage.com/.customer/3G5QH49725-Your-receipt
alaxvong.com/.customer-area/pack-82AK376-updated
arenaofshrugs.com/.customer-area/package-3M516645-updated
asecretenergyofmiracles.com/.customer-area/pack-42X31841-updated
atlantaseedsmentoringforgirls.com/.customer/1OC358756-your-receipt
ayca.com/.customer/FW8149101-Your-receipt
bakerassistants.com/.safe/GD8JY47086-receipt
bekahwagner.com/.customer-area/package-1GHF7189-updated
beneaththeblackrainbow.com/.customer-area/pack-0VX2107-updated
beneaththeblackrainbow.com/.customer-area/pack-7WRS_214-updated
bettingmlb.com/.customer-area/package-919R-70321-updated
bleuhaven.com/.customer-area/package-79JK8_63195-updated
bollygupshup.com/.advicedetails/0235789168-details
bostonteleprompter.com/.advice-notification/86MZ71628-complete-details
browseright.com/.customer/TI1N01666-your-Receipt
bullcityapparel.com/.safetyarea/TNF4Z521816-order-receipt
buyinggoldhq.com/.customer-area/package-11U492-updated
buzznewscenter.com/.cabinet/2dgp641-package-updated
byxaru.com/.orderdetails/92EW-60267-confirmation
comocuidarme.com/omoc/darme
comunicazionecreativaconsapevole.com/.customer-area/pack-156Q3055-updated
cumbrecapital.com/.customer/6B1R003355-Your-receipt
cumbrecapital.com/.customer/A1K414064-your-Receipt
customers.breastandbodyguidemd.com/.productdetails/8P97438-status-updated
customers.delvecchiopastafresca.com/.personal/package-1XTY6521-updated
customers.golf-classifieds.com/.clientarea/delivery-status-updated
dasheriemagazine.com/.customer-area/pack-24CG4727-updated
db.agile-kanata.com/usernotice/35Z4760-status-update
db.avonbourne.com/usernotice/9RYK9707-status-update
db.bobwu.com/usernotice/71AX0842-notifications
db.boomer-angle.com/usernotice/8T3G41905-notifications
db.careerever.com/usernotice/93I5333-notifications
db.catalinaappraisalservice.com/usernotice/1RJ6972-notifications
db.catalinaappraisalservice.com/usernotice/69V1K3619-notifications
db.digitalwizards.com/usernotice/0CW618-notifications
db.disruptivedrama.com/.safe/66B_410-Receipt
db.falsefiddle.com/.safe/H3X837846-Receipt
db.flyingelephantstudios.com/usernotice/57K5X36453-notifications
db.glennwithrow.com/usernotice/69JY81993-notifications
db.hivetastic.com/usernotice/51X768973-notifications
db.honeycombbooks.net/usernotice/484J7970-notifications
db.icmeet.com/.safe/9L7235-Receipt
db.jclbioassay.com/.safe/S2JA10415-Receipt
db.nobuwrap.com/.safe/E9B3M049671-Receipt
db.nobuwrap.com/usernotice/6L6295-notifications
db.obimfresh.net/usernotice/8O551983-notifications
db.pakkaussuunnittelu.com/usernotice/47E67189-status-update
db.preciselysoftware.com/usernotice/79OE4365-notifications
db.replayrink.com/usernotice/68SEG85567-notifications
db.serendipidance.com/usernotice/9UKS3638-notifications
db.sextoysandmen.com/usernotice/91NRI363-notifications
db.stonyrundesign.com/.safe/CJ0YU149110-receipt
db.stonyrundesign.com/usernotice/81FI02058-notifications
db.strawberryshakemovie.com/usernotice/3485145-notifications
db.whiterivercountry.com/usernotice/1WNO3384-status-update
db.whiterivercountry.com/usernotice/64AW18330-notifications
db.woodenboatgallery.com/usernotice/6CPO02141-notifications
db.yellowstonebrewingcompany.com/usernotice/08CY772-notifications
db.yourfuturebeginshere.com/usernotice/33YHT45331-notifications
dflathmann.com/.customer-area/pack-652B619488-updated
districtframesph.com/.getyourticket/81365093-ticket
drjarad.com/.customer-area/package-5Z4015-updated
durolosangeles.com/.customer-area/package-15H85328-updated
dwiby.com/.customer/3I51694269-Your-Receipt
enataihomes.com/.advice-customers/order-complete-details
eventfish.com/.safetyadvicearea/01686431953-order-Receipt
farmersce.com/.safe/PYN9005J-476356-your-New-Receipt
fitnessdetail.com/.safe/1CUS794179-Receipt
flightcasefilms.com/.customer-area/package-0GZ77952-updated
flipsandals.com/.safetyadvice/36PU815683-Receipt
forsalekentucky.com/.safe/NIUFZ748379-Receipt
forsalemontana.com/.safe/SE-37885-Receipt
foundationtour.com/.customer-area/pack-77ER586-updated
foundationtour.com/.customer-area/package-01ZK1-8120-updated
freewaydeathsquad.com/.cabinet/5ihz6840-pack-updated
fromthedeskofashigeorgia.com/.advice-customers/order-complete-details
fruchile.com/.safe/QF8267H-99740-your-New-receipt
funtimefacepainting.com/.customer-area/pack-5OR7_4582-updated
gettingsecure.com/.safe/THK11097-receipt
goldmaggot.com/.safe/L65P912030-receipt
hercrush.com/.safe/EHR168605-Receipt
holtsberrydesign.com/.customer-area/package-19YY6241-updated
horseharmonyfarm.com/.safe/RDFN509606-Receipt
hoschtonhomesforless.com/.safetyarea/16O711723-order-Receipt
hotnewreads.com/.advicedetails/7XV777-details
howelladventures.com/.safetyadvice/87YA590-Receipt
identitygift.com/.safe/WPVWT808948-receipt
iphone6backgrounds.com/.advicedetails/71PL2590-details
jennanorwood.com/.advice/delivered-status-notification
jvive.com/.customer-area/pack-3BM8_29302-updated
kentuckyinjuryaccident.com/.safe/2GN1356-Your-new-Receipt
kevinecotter.com/.safetyadvice/29K054-receipt
kivacopper.com/.cabinet/14zc_9521-pack-updated
kosmopolitanfinearts.com/.customer-area/package-8WE6996-updated
krcooking.com/.customer-area/package-54GWB-04521-updated
ladyfounder.com/.customer-area/package-830ZO_3159-updated
laibachmusic.com/.safetyarea/UVRN559091-order-receipt
laucacau.com/.safetyadvicearea/0814656528-order-Receipt
lifebyaileen.com/.advice-notification/order-complete-details
longbayhideaway.com/.safetyadvice/JO6OV00947-receipt
lonnielepp.com/.safetyarea/2VC41131-order-receipt
lonnielepp.com/.safetyarea/ENS9Y49504-order-receipt
loulouinhollywood.com/.customer/1P4FC280342-your-receipt
lrsresources.com/.safetyadvice/2MVK655933-Receipt
luchtefeld.com/.safe/CE-737941-Receipt
maloneandcompanyswededfilmfest.com/.safetyarea/003702712-order-Receipt
margotgarnick.com/.customer-area/package-6OF_22197-updated
megachief.com/.safetyadvice/77RUZ57184-Receipt
mjsmallbusinessservices.com/.safetyarea/74C56_2495-order-receipt
motomako.com/.safetyarea/EYGL699416-order-receipt
moveinmandalay.com/.cabinet/11sf_9124-pack-updated
myblagh.com/.safetyadvice/66YS2836-Receipt
northernlightssurvey.com/.productdetails/receipt-details-updated
norway2thailand.com/.customer-area/pack-60HX346-updated
norway2thailand.com/.customer-area/package-9GP_90045-updated
odedadali.com/.advicedetails/026052352956-details
okiostyle.com/.safetyarea/0409669990-order-Receipt
onenationhealing.com/.advicedetails/28MM_665-details
pacificrimbonsai.com/.advice-notification/order-complete-details
paperlovestudios.com/.advicedetails/078391277951-details
passportstatusonline.com/.orderdetails/69X99475-confirmation
pdxinjuryattorney.com/.customer-area/pack-8XD_2636-updated
perimenopausetherapy.com/.cabinet/23hu_5379-pack-updated
philasoup.com/.safetyarea/IVEU187436-order-Receipt
placeklaw.com/.advice/10HF81744-order-receipt
popnuvo.com/.safetyadvice/49RBX589238-receipt
qtheboat.com/.advicedetails/088641320452-details
rescuingchildrenhealingadults.com/.customer-area/pack-474TT-33472-updated
retroframing.com/.customer-area/pack-4RLJ0016-updated
rickyville.com/.customer-area/pack-52JT3992-updated
riideinc.com/.advice/delivered-status-notification
robdonato.com/.advice/91-673620-ticket
rontonsoup.com/.customer-area/pack-00ME-9651-updated
runningvillage.com/.advicedetails/0CQ265196-details
rynegrund.com/.customer-area/package-51QJ728660-updated
saragoldstein.com/.customer-area/pack-772M_3561-updated
saragoldstein.com/.customer-area/package-7FEQ5204-updated
sbicarolinas.com/.safetyadvice/EG778094-Receipt
scottad.com/.customer/1NNZN394864-your-receipt
seoandgrow.com/.safe/CBR00207-receipt
sethpgoldstein.com/.customer-area/package-22AX-42309-updated
sketcheleven.com/.customer-area/pack-5Z04750-updated
sketcheleven.com/.customer-area/package-7OUF_395-updated
smallscalelng.com/.customer/8JY41782-your-new-Receipt
smartglassesdataplans.com/.safe/PJ2B028923-receipt
smokeshopsinc.com/.customer-area/package-06FB3259-updated
solofront.com/.customer-area/pack-25P92664-updated
startabusinessinpa.com/.customer-area/pack-0YQM250-updated
sunandprasad.com/.safetyadvice/3XTV756223-receipt
theartofbridal.com/.customer-area/pack-315J713173-updated
theartofbridal.com/.customer-area/package-1P5212-updated
thefinancialcontrollers.com/.dXNlcLNTF7pUywsgZm5A1KDNHnNlc3ND1pBVMcjXgwhF735D0idpb/3ZG2038-receipt
thehowandwhy.com/.safetyarea/ODSW3456060-order-Receipt
thejunglejournal.com/.customer-area/package-2HH382-updated
thekindlesales.com/.customer/NGJ3494423-your-receipt
themeterminal.com/.safetyadvicearea/088432722890-order-Receipt
thepathlightcenter.com/.customer-area/pack-93IGG_25443-updated
thepynebros.com/.advice/delivered-status-notification
thequietcreatives.com/.customer-area/package-4699700-updated
theseamill.com/.safe/PDQVC123710-receipt
timharwoodmusic.com/.safe/U6N2P16610-Receipt
tinynaps.com/.advicedetails/7F25947-details
top-costumes.com/.safe/P9SVQ222688-Receipt
twobulletsleft.com/.safetyarea/ZNMP57074-order-Receipt
uberdragon.com/.safetyadvice/6O46703705-receipt
urban-meditations.com/.advice/03BEN7818-order-Receipt
valbridgetucson.com/.cabinet/98cg814-pack-updated
valbridgetucson.com/.cabinet/9d5080138-pack-updated
veterantruckingjobs.com/.customer-area/pack-8UVL_62500-updated
videosforwhatsapp.com/.safetyadvice/2LY9480-receipt
wewalk4you.com/.customer-area/pack-864O_5167-updated
whataresquingies.com/.safetyadvicearea/0405470695-order-receipt
wildhowlz.com/.advicedetails/027380256-details
yokosukadoula.com/.advicedetails/0864668306-detail
zenartfree.com/.advicedetails/1Z2-510491-details

# Reference: https://www.symantec.com/security-center/writeup/2018-092007-1208-99
# Reference: https://www.virustotal.com/#/ip-address/212.109.222.157

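# Generic callback detection (path-only entries with no host; the file names resemble shop names, presumably one per affected site - verify against the references above)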

/js/altmanluggage.js
/js/aureliaskincare.js
/js/bluerooster.js
/js/bvibe.js
/js/caremax.js
/js/craftalley.js
/js/curediva.js
/js/deluxecomfort.js
/js/deroosbv.js
/js/dragonkayak.js
/js/gopestfree.js
/js/hello1010.js
/js/herbsnpuja.js
/js/horusrc.js
/js/indiamags.js
/js/justbuttons.js
/js/kitchenstuff.js
/js/labohemecafe.js
/js/lavignery.js
/js/mitoq.js
/js/mototorque.js
/js/notinshops.js
/js/probanners.js
/js/ramybrook.js
/js/rss_pt.js
/js/siamflorist.js
/js/simplygems.js
/js/singerstore.js
/js/sparxxrx.js
/js/storageshedsoutlet.js
/js/themotley.js
/js/thesingularbathroom.js
/js/totaram.js
/js/tradeplumbing.js
/js/ussi.js
/js/vladofootwear.js
/js/wallerbmx.js

# Reference: https://www.symantec.com/security-center/writeup/2018-092007-1208-99 (JSCoffe domains)

beachyripe.com
coffetea.org
energycoffe.org
energytea.org
lightbulbs-direct.org
teacoffe.net
ukcoffe.com

# Reference: https://twitter.com/unmaskparasites/status/1049723562746146816

/wp-load.js

# Reference: https://twitter.com/malware_traffic/status/1051999693780262912

/flashplayer_41.22_plugin.js

# Reference: https://twitter.com/securitydoggo/status/938750437913776128

/SexyHot19.js

# Reference: https://twitter.com/securitydoggo/status/919906367254728706

/chronopost-colis-suivi.js

# Reference: https://twitter.com/securitydoggo/status/856526428933943296

/Consulta FGTS.js

# Reference: https://threatpost.com/card-skimming-google-analytics-angular/142264/

google-analytics.cm/analytics.js
gooqletagmanager.com/gtm.js

# Reference: https://blog.sucuri.net/2018/12/localization-and-customization-of-credit-card-stealing-malware.html

kinfirighbetted.host
sales4reason.com
greatwebstat.com

# Reference: https://twitter.com/bad_packets/status/1106430758179110912

blockchainanalyticscdn.com
5b0c4f7f0587346ad14b9e59704c1d9a.top
925e40815f619e622ef71abc6923167f.top

# Reference: https://www.group-ib.com/media/js-sniffer/

gmo.li

# Reference: https://twitter.com/VK_Intel/status/1104109897531224065

host.moresecurity.kz/host/info

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-06-12 Charming Kitten waterhole)

178.32.48.50:8443/node.js

# Reference: https://blog.attacker.net/a-new-wave-of-the-simpleoneline-malware

simpleoneline.online

# Reference: https://twitter.com/p5yb34m/status/1111707577685991424

givemejs.cc/jquery_ui.js

# Reference: https://twitter.com/natmchugh/status/1118851237351497734

so.youneverfind.com/statistics.js

# Reference: https://twitter.com/bad_packets/status/976677742862200832

/5992203285ab3219.3.n.2.1.l60.js

# Reference: https://twitter.com/jeromesegura/status/1121811483195633670
# Reference: https://blog.malwarebytes.com/cybercrime/2019/04/github-hosted-magecart-skimmer-used-against-hundreds-of-e-commerce-sites/

/mage/master/mage.js

# Reference: https://securelist.com/muddywaters-arsenal/90659/

dzoz.us/js/js.js

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/tech-support-scam-employs-new-trick-by-using-iframe-to-freeze-browsers/
# Reference: https://otx.alienvault.com/pulse/5cc71ac7631c3a2f3c67ba7f

/assests/eng_edge_new.html

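# Reference: https://twitter.com/gwillem/status/1127617495911804935
# Reference: https://twitter.com/CERTA_intNsec/status/1127849427572527104
# NOTE(review): this entry and the code.cloudcms.com, d20iczrsxk7wft.cloudfront.net and cdn.ryviu.com entries below look like regular third-party asset URLs rather than attacker-owned hosts, presumably listed because the served file was tampered with - re-check that each is still valid before alerting on it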

assets.pcrl.co/js/jstracker.min.js

# Reference: https://twitter.com/gwillem/status/1127619061725241349

code.cloudcms.com/alpaca/1.5.17/bootstrap/alpaca.min.css

# Reference: https://twitter.com/gwillem/status/1127890329175244800

d20iczrsxk7wft.cloudfront.net/botwverified/badge.js

# Reference: https://twitter.com/_mmeltzer/status/1128311225228648449

cdn.ryviu.com/js/reviews.js
ww1-filecloud.com

# Reference: https://twitter.com/jeromesegura/status/1133160126561394688
# Reference: https://blog.malwarebytes.com/cybercrime/2019/05/skimmer-acts-as-payment-service-provider-via-rogue-iframe/

modest4ever.com/assets/newbalance.js

# Reference: https://twitter.com/KorbenD_Intel/status/1133469852579106816

/thecry.js

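# Reference: https://www.fortinet.com/blog/threat-research/payment-card-details-stolen-magecart.html
# Reference: https://www.virustotal.com/gui/ip-address/178.33.231.184/relations
# NOTE(review): path-only entries; the names appear to mimic shop and payment-provider names, so a hit identifies the script name, not the serving host - confirm the host before treating it as a skimmer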

/ausliebezumduft.js
/bigmusicshop.js
/brain-payment.js
/darussalam.js
/dotsport.js
/hepler.js
/iloveskininc.js
/kimon.js
/klarna.js
/mycigara.js
/relightdepot.js
/sanasafinaz.js
/stutterheim.js
/turtlecase.js
/whinkel.js

# Reference: https://twitter.com/eComscan/status/1136181192796061697

/baypre.js
/cashionrods.js
/dans.js

# Reference: https://twitter.com/Racco42/status/1136621446053150720

/0001.js

# Reference: https://twitter.com/rootsrv1/status/1136763516285702146

jqueryextd.at

# Reference: https://twitter.com/jeromesegura/status/1137087208630833152

jquers.com
jqueres.com

# Reference: https://twitter.com/luc4m/status/1138430833533104128

/tkeezwbzpl.js

# Reference: https://twitter.com/Racco42/status/1139461501113311232

/urgente.js

# Reference: https://twitter.com/marcelmalware/status/1140723183584272386
# Reference: https://www.virustotal.com/gui/domain/jquery.su/relations

jquery.su

# Reference: https://myonlinesecurity.co.uk/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle/

/mhtexp.js
