Malware-Traffic-Analysis.net - 2019-01-09 - Fake AV page/tech support scam popup

2019-01-09 - FAKE AV PAGE/TECH SUPPORT SCAM POPUP

ASSOCIATED FILES:

Shown above: Flow chart for today's traffic.

Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains, URLs, and partial URLs:

Shown above: Traffic filtered in Wireshark.

TRAFFIC RELATED TO THE FAKE AV/TECH SUPPORT SCAM POPUP:

134.249.116[.]78 port 80 - 134.249.116[.]78 - GET /jquery.js
198.134.112[.]243 port 443 (HTTPS) - sd5doozry8[.]com - GET /ykwnsxwz29?key=9a98439e5dcdf4fd2a011f7cbc76b00d
174.137.155[.]139 port 80 - clk.verblife-3[.]co - GET /click?i=jwu9aD62G*M_0
104.27.184[.]14 port 443 - site.topwebsite4[.]xyz - GET /?browser=[long string of information]
68.183.175[.]204 port 80 - 68.183.175[.]204 - GET /?browser=[long string of information]
68.183.175[.]204 port 80 - 68.183.175[.]204 - GET /pc-error-0xxxfrxx88/
68.183.175[.]204 port 80 - 68.183.175[.]204 - GET /pc-error-0xxxfrxx88/img/bg-1.jpg
68.183.175[.]204 port 80 - 68.183.175[.]204 - GET /pc-error-0xxxfrxx88/img/bg-3.jpg
68.183.175[.]204 port 80 - 68.183.175[.]204 - GET /pc-error-0xxxfrxx88/img/defender.png
port 443 - code.jquery[.]com - non-malicious traffic caused by fake AV page
68.183.175[.]204 port 80 - 68.183.175[.]204 - GET /pc-error-0xxxfrxx88/sound/err.mp3
68.183.175[.]204 port 80 - 68.183.175[.]204 - GET /pc-error-0xxxfrxx88/img/bg-2.jpg
68.183.175[.]204 port 80 - 68.183.175[.]204 - GET /pc-error-0xxxfrxx88/security.php

MALWARE FROM AN INFECTED WINDOWS HOST:

Shown above: Fake AV/tech support scam page without the popup windows.

Shown above: Fake AV/tech support scam page with the popup windows.

Once again, here are the associated files:

Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.