From 5acbe618fe1b1d0cbe9741b2d4e4219dc13297de Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Thu, 11 May 2023 01:14:44 +0530
Subject: [PATCH] Update and rename miscellaneous/crypto-mining-malware.yaml to http/miscellaneous/crypto-mining-malware.yaml

---
 .../miscellaneous}/crypto-mining-malware.yaml | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
 rename {miscellaneous => http/miscellaneous}/crypto-mining-malware.yaml (84%)

diff --git a/miscellaneous/crypto-mining-malware.yaml b/http/miscellaneous/crypto-mining-malware.yaml
similarity index 84%
rename from miscellaneous/crypto-mining-malware.yaml
rename to http/miscellaneous/crypto-mining-malware.yaml
index 2ce8300d1d..f77c108aae 100644
--- a/miscellaneous/crypto-mining-malware.yaml
+++ b/http/miscellaneous/crypto-mining-malware.yaml
@@ -1,14 +1,16 @@
 id: crypto-mining-malware
 
 info:
-  name: Check for crypto-mining malware
+  name: Crypto Mining Malware
   author: geeknik
   severity: info
-  description: Checks websites for crypto-mining malware.
-  reference: https://github.com/xd4rker/MinerBlock/blob/master/assets/filters.txt
-  tags: malware,crypto,mining
+  description: |
+    Checks websites for crypto-mining malware.
+  reference:
+    - https://github.com/xd4rker/MinerBlock/blob/master/assets/filters.txt
+  tags: malware,crypto,mining,misc
 
-requests:
+http:
   - method: GET
     path:
       - "{{BaseURL}}"
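Review bot: `description: |` keeps a trailing newline in the value of a one-line description; `description: |-` strips it and reads the same, so the literal-block form with the strip indicator is the cleaner choice here. The description could also say what the template actually checks rather than restating the name, e.g. `Checks the response body against the MinerBlock filter list for references to known crypto-mining scripts.` Renaming `requests:` to `http:` ties the file to nuclei releases that understand the `http` protocol key; presumably the whole repository is migrating in lockstep, but engines that only know `requests:` will no longer load this template.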
@@ -18,13 +20,13 @@ requests:
     matchers:
       - type: regex
         part: body
-        condition: or
         regex:
           - '(?mi)cryptonight\.wasm|deepMiner|proxy\=ws|coinhive\.min\.js|wpupdates\.github\.io\/ping|cryptonight\.asm\.js|coin-hive\.com|jsecoin\.com|cryptoloot\.pro'
           - '(?mi)webassembly\.stream|monero\-miner|wasmminer|cn\-asmjs\.min\.js|aj(\-?)cryptominer|wp\-monero\-miner\-pro|crlt\.js|pool\/direct\.js|n\.2\.1\.(js|l.*)'
           - '(?mi)ppoi\.org|xmrstudio|webmine\.pro|miner\.start|allfontshere\.press|upgraderservices\.cf|vuuwd\.com|gridcash\.js|worker\-asmjs\.min\.js|perfekt\=wss\:'
           - '(?mi)coin\-hive\.com|coinhive|CoinHive|var\ miner|miner\.start|me0w\.js|web(x?)mr(4?)\.js|miner\.js|static\/js\/tpb\.js|lib\/crypta\.js'
           - '(?mi)bitrix\/js\/main\/core\/core\_(tasker|loader)\.js'
+        condition: or
 
       - type: word
         part: header
@@ -33,8 +35,8 @@ requests:
 
       - type: word
         part: body
-        condition: or
-        negative: true
         words:
           - "Access Denied"
           - "You don't have permission to access"
+        condition: or
+        negative: true
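Review bot: The regex list that `condition: or` now closes contains redundant alternatives: `coin\-hive\.com` in the fourth pattern duplicates `coin-hive\.com` in the first, `miner\.start` appears in both the third and fourth, and `coinhive|CoinHive` collapses to one alternative under `(?i)` and already subsumes `coinhive\.min\.js` from the first pattern. Dropping the duplicates keeps the matcher the same but makes it easier to audit which indicator fired. Separately, the bare `miner\.js` alternative in the fourth pattern matches any script with that file name, so a hit on it alone is weaker evidence than the rest of the list; a short comment above the `regex:` key noting that the list is taken from the MinerBlock filters and that `miner\.js` is a generic name would help whoever triages results. The `matchers` list continues past the hunk (the header word matcher's `words:` are not shown).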
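Review bot: The negative body matcher (`negative: true` with the "Access Denied" words) only makes sense when the matchers are combined with `and`; the lines between the first and second hunk, where a `matchers-condition:` key would sit, are outside the diff, so I cannot confirm it is set. If the template relies on nuclei's default of `or`, this matcher is true for every page that does not contain those two phrases and the template fires on essentially any host, regardless of the regex results. Please confirm `matchers-condition: and` is present, and consider a one-line comment above this matcher such as `# suppresses hits on generic access-denied pages; requires matchers-condition: and`. The enclosing `matchers` list starts outside this hunk.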