reference-cryptocurrency-strings.yml

rule:
  meta:
    name: reference cryptocurrency strings
    namespace: impact/cryptocurrency
    authors:
      - moritz.raabe@mandiant.com
    scope: file
    att&ck:
      - Impact::Resource Hijacking [T1496]
    references:
      - https://github.com/ctxis/CAPE/blob/master/modules/signatures/cryptomining.py
  features:
    - or:
      - string: "stratum+tcp://"
      - string: "xmrig"
      - string: "xmr-stak"
      - string: "supportxmr.com:"
      - string: "dwarfpool.com:"
      - string: "minergate"
      - string: "xmr."
      - string: "monero."
      - string: "Bitcoin"
      - string: "BitcoinGold"
      - string: "BtcCash"
      - string: "Ethereum"
      - string: "BlackCoin"
      - string: "ByteCoin"
      - string: "EmerCoin"
      - string: "ReddCoin"
      - string: "Peercoin"
      - string: "Ripple"
      - string: "Miota"
      - string: "Cardano"
      - string: "Lisk"
      - string: "Stratis"
      - string: "Waves"
      - string: "Qtum"
      - string: "Stellar"
      - string: "ViaCoin"
      - string: "Electroneum"
      - string: "Dash"
      - string: "Doge"
      - string: "Monero"
      - string: "Graft"
      - string: "Zcash"