WatchDog: Exposing a Cryptojacking Campaign That’s Operated for Two Years
Common Information
Type Value
UUID 9958fe48-2e7f-4da3-9cbe-37d771845338
Fingerprint ad01919b853faec5
Analysis status DONE
Considered CTI value 2
Text language
Published Feb. 17, 2021, 2 p.m.
Added to db Feb. 18, 2023, 12:16 a.m.
Last updated Nov. 17, 2024, 6:31 p.m.
Headline WatchDog: Exposing a Cryptojacking Campaign That’s Operated for Two Years
Title WatchDog: Exposing a Cryptojacking Campaign That’s Operated for Two Years
Detected Hints/Tags/Attributes 75/3/221
Attributes
Details Type #Events CTI Value
Details CVE 17
cve-2015-1427
Details CVE 15
cve-2014-3120
Details CVE 13
cve-2018-1273
Details CVE 81
cve-2017-10271
Details File 153
config.json
Details File 1
ip_cn.txt
Details File 1
ips_cn.txt
Details File 19
4.tar
Details File 131
tar.gz