Malware-Traffic-Analysis.net - 2015-10-05 - Nuclear EK from 108.61.189[.]157

2015-10-05 - NUCLEAR EK FROM 108.61.189[.]157 - 2WHNXTJ0AX1NUDV.SPOOLHOSTZ[.]ML

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSSOCIATED FILES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

randomremodeling[.]com - Compromised website
187.45.195[.]139 port 80 - alphameioambiente[.]com[.]br - Gate (redirect)
108.61.189[.]157 port 80 - 2whnxtj0ax1nudv.spoolhostz[.]ml - Nuclear EK
193.105.240[.]62 port 80 - film24hd[.]us - Post-infection traffic caused by the malware

INFECTION TRAFFIC:

2015-10-05 16:21:01 UTC - randomremodeling[.]com - GET /

2015-10-05 16:21:02 UTC - alphameioambiente[.]com[.]br - GET /templates/beez_20/dcxjtpq4.php?id=1210128

2015-10-05 16:21:04 UTC - 2whnxtj0ax1nudv.spoolhostz[.]ml - GET /url?sa=i&rct=x&q=&esrc=u&source=web&cd=3&ved=bHChQGQBdFFA&url=https%3A%2F%2F
db84dd6a[.]com&MlCV=7a27d2ad6&ZmG=aDQ8GU0FKC1kHTEUEGFMVXldOEAtSV0E&Aw1sRi=44218b2&NX61rR6=c4NWlFZF&Fwb3=dxUYGFRa

2015-10-05 16:21:05 UTC - 2whnxtj0ax1nudv.spoolhostz[.]ml - GET /file?RBFWy3h=cWBg8EVFdWSl9aVw..&Dj3Ou=aARkSSlYOARseBEUHGFMVXldOEAtSV0EHC
hQGQBdFFA4NWlFZFxUYGFRa&PddA174=4c8182db1&S6FLGHa=92427b62d&Q5X=bGFRMAAsYUU9QBUUHUFV

2015-10-05 16:21:06 UTC - 2whnxtj0ax1nudv.spoolhostz[.]ml - GET /favicon.ico

2015-10-05 16:21:06 UTC - 2whnxtj0ax1nudv.spoolhostz[.]ml - POST /test?17g3G=bDABdMRUlZCw0KWUpCHk&35h2J7r=c8PWkUDSldQGAwYVlIe&Wpy=
aAAk9XEpKC1kHTEUEEwkMTk1cVAAaB1d&SuPV=04de428e25&EOm6=fAk&H4zvWY=e0CUFFUB&421Ojc=dBw&M2HH=54a23ee7&O2J=gAUB1Q

2015-10-05 16:21:08 UTC - 2whnxtj0ax1nudv.spoolhostz[.]ml - GET /test?YY7=bTBdbCB1XGA8ESlRMBApKVVVWAgkAVlFU&CE9ET=586857f93d&7jp=
cAkUBGCoO&Lv2=aAggOU0VZXAQYSgtKVR1QQVFYHBUIBlhOVQ8XUk8YFxENWVVeCxIW&81FGAYb=523c63451&A4cRc=dbHVQGFA.

2015-10-05 16:22:39 UTC - film24hd[.]us - POST /filmy_2013/viewlist.php

Click here to return to the main page.