2015-08-28 - BIZCN GATE ACTOR EXAMPLES

PCAPS:

• ZIP archive of all 11 traffic examples:  2015-08-28-BizCN-gate-actor-all-traffic-examples.zip

 

NOTES:

• More follow-up traffic for an article I wrote at:  https://isc.sans.edu/diary/BizCN+gate+actor+changes+from+Fiesta+to+Nuclear+exploit+kit/19875

• I wasn't able to generate any Nuclear EK this time, but I did find some more compromised websites, and I got to a Nuclear EK landing page on 2 occasions.

• My previous blog posts tracking the BizCN gate actor using Nuclear EK:

• 2015-07-05 - BizCN gate actor using Nuclear EK  (documenting BizCN gate actor's switch from Fiesta EK to Nuclear EK in June 2015)
• 2015-07-07 - BizCN gate actor Nuclear EK on 107.191.63.163 - various domains
• 2015-07-08 - BizCN gate actor Nuclear EK on 108.61.188.92 - newsolar.ga
• 2015-07-09 - BizCN gate actor Nuclear EK on 104.238.187.29 - alefreed.ml
• 2015-07-13 - BizCN gate actor Nuclear EK on 185.92.220.196 - joston2.xyz
• 2015-07-14 - BizCN gate actor Nuclear EK on 108.61.167.124 - andrian2.xyz
• 2015-07-15 - BizCN gate actor Nuclear EK on 104.207.131.131 - foundhere.xyz & namesoizze.xyz
• 2015-07-16 - BizCN gate actor Nuclear EK on 216.170.114.126 - imhed.xyz
• 2015-07-17 - BizCN gate actor Nuclear EK on 188.166.120.33 - andsoresto.link
• 2015-07-30 - BizCN gate actor Nuclear EK on 46.101.18.39 - mukasore.xyz & florenses.xyz
• 2015-08-14 - BizCN gate actor Nuclear EK on 89.238.181.74 - free3dprint.cf
• 2015-08-19 - BizCN gate actor Nuclear EK on 31.214.157.20 - blizfone.cf
• 2015-08-28 - BizCN gate actor examples  (this blog post)

 

EXAMPLES

EXAMPLE 1 OF 11:

• 2015-08-28 15:10:02 UTC - forums.macnn.com - GET /
• 2015-08-28 15:10:03 UTC - 136.243.224.10 - kroentro.com - GET /pMXZPUJ_/PItM_igGSRWlqzjJNTor/uhwrPoZSgNM-X-KsHRn.php?8zN-3Rv=e385t9&
  97_NCs_Fu=9sbe0b_&K-FP=d
• 2015-08-28 15:10:07 UTC - 5.175.196.167 - bidgerhol.ml - GET /search?q=bFVVZHC&DA3G7=cl0NHF5Z&7Wr0YK=2b896ab0&0FydT=2e4fa94d1&
  RU1N=aC1wFV0tJBEIOTgJJAFs

 

EXAMPLE 2 OF 11:

• 2015-08-28 15:17:14 UTC - www.hidenanalytical.com - GET /en/
• 2015-08-28 15:17:16 UTC - 136.243.25.245 - blackkinas.com - GET /lTy--wMohJsKxu_PpV__kH/O_g-vuoHmPSsWnZ-YLVRjw/z-YgXUrwiG/NLp/
  vVn-yZwSmGQ.php?Fx-H=j1ktd&M_1Q=0o6&PTNZfR_=0H3&q8m3Tb=e0G&H-gL-VE=69w&Yn=TfSc&-O=b9&4-R_=d-7&wzaVXuM=cHe&Y2huwK=6c

 

EXAMPLE 3 OF 11:

• 2015-08-28 15:34:37 UTC - www.copypastas.com - GET /
• 2015-08-28 15:34:40 UTC - 136.243.224.9 - janbettino.com - GET /-_XPQJgxLGsINvnH_r-Z/mXZRW--OGVJNw-_-Ih-q_lnT.php?gT-td0Fqx=8es97xe0q7O&
  LCI=b491f4-3&K=17lbRflafk1&OGoWNFn=c

 

EXAMPLE 4 OF 11:

• 2015-08-28 15:39:35 UTC - forums.macnn.com - GET /
• 2015-08-28 15:39:36 UTC - 136.243.224.10 - kroentro.com - GET /yZri-n-YKXL_TsoO_HmQtW/_OkrinXmvIQ_.js?oBSfq=bbk0-8&mo6-h-=ee_c9P&_fRl-s=dM28rcN&
  HPLqaXkD=a5Ke1&5ux-EF2B=egfqe7-&--NR=8b03
• 2015-08-28 15:39:43 UTC - 5.175.196.167 - bidgerhol.ml - GET /search?q=cxZ&Rrh6=f&ZumVf=gN&WAxj=aC1wFV0tJCwcTWlpRHgM&U08dY=bdUFpRBVcTWl&OM9uD=e8&
  Zp7H=dTF&M9Xo1p=7267a1d4&G7oaukp=80622b8

 

EXAMPLE 5 OF 11:

• 2015-08-28 15:43:06 UTC - intelligencesquaredus.org - GET /
• 2015-08-28 15:43:07 UTC - 136.243.25.245 - kilianandfox.pw - GET /rPvjx_nG--WUH/zr-ISHjV.php?XlQ9-a=f7&xah=T2k6&JkbBanx=4J7&W0Bby3=3-4t&-=0-9u&
  Yij-N=w38&gYK-pTv=4f&GO=b7&0iCbFN-O-=9o4

 

EXAMPLE 6 OF 11:

• 2015-08-28 15:47:29 UTC - www.airsoftforum.com - GET /
• 2015-08-28 15:47:31 UTC - 136.243.25.242 - bestreciptess.com - GET /vI/_io-h_lmGrkVvMuy-.js?xDW--P8-S=36_65&UB=d29i7&NSj=r9t18xLa&1JGUL=8005o&
  PTv-_FN=43bY3W&5-=i10q17&TMDbc7=1-j6Z

 

EXAMPLE 7 OF 11:

• 2015-08-28 15:56:41 UTC - www.marksdailyapple.com - GET /forum/forum5.html
• 2015-08-28 15:56:52 UTC - 136.243.25.245 - fillianslo.com - GET /S-mROn_/Zzovkwh-qSLt--xNnVy-s_W/lhYx_Ng--I/STr--qxmK_JUwn-glRj.js?yYGEc-k=9w9cS3n1&
  2SDbauRne=92e96

 

EXAMPLE 8 OF 11:

• 2015-08-28 16:01:26 UTC - www.rawartists.org - GET /
• 2015-08-28 16:01:27 UTC - 136.243.25.245 - clockziniher.com - GET /mhSVI-uyoRvJsgKtzQY_n/NSQstIqx-WXgpYr-T_RKmU/W--X.php?sX=ddQ-70&
  I_4=2H3ofX0&-_=a4W62&rx2=7Na-84&9UZ_FL=1O4V25&a-lTEym=f7_y6-8&6BKy-=9bf0&vW_3=2-ak

 

EXAMPLE 9 OF 11:

• 2015-08-28 16:13:02 UTC - www.bestdestinationwedding.com - GET /
• 2015-08-28 16:13:03 UTC - 136.243.25.241 - flowergaleery.com - GET /zWJXq-ZItrG_Ys/ovkrtxKXnTM-_iy-QpHl_G.js?-ZCTAF_8e=0j48Z18bJ41Hb-dfq2Y0a38od

 

EXAMPLE 10 OF 11:

• 2015-08-28 16:15:41 UTC - rugerforum.net - GET /
• 2015-08-28 16:15:42 UTC - 136.243.25.241 - sansaiaarias.com - GET /h-KqP-yZMrn/ZhvTu---_zMt/ls-pTR/YPNMpoHi-TR-lh-.js?QBiFcap=k3qf8_5T0V&
  z0_-eL=bI7711&QJweU=73d-0wd&MK_wO4-Ld=3gba-89&32bQLjou=4Sdlc21

 

EXAMPLE 11 OF 11:

• 2015-08-28 16:19:33 UTC - hacknmod.com - GET /
• 2015-08-28 16:19:34 UTC - 136.243.25.242 - kivinionlon.com - GET /tNRgxLu_h-KpZqIznj_kwiW/pMQ-RvmHO-P-l_NI-rUV.php?5FnTAj6=8R8cq2j5_4n47fc-104490Mf_6mJ8

 

FINAL NOTES

Once again, here is the zip archive:

• ZIP archive of all 11 traffic examples:  2015-08-28-BizCN-gate-actor-all-traffic-examples.zip

NOTE:  All ZIP archives on this site are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

Click here to return to the main page.