Domains used by the malware:
34324325kgkgfkgf.com
dsffdsk323721372131.com
fdshjfsh324332432.com
jdsiwiqweiqwyreqwi.com (80.242.123.208)
HTTP Requests:
URI:
http://jdsiwiqweiqwyreqwi.com/dffgbDFGvf465/YYf.php
DATA:
POST /dffgbDFGvf465/YYf.php HTTP/1.0
Host: jdsiwiqweiqwyreqwi.com
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 272
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Samples:
80.242.123.211:888/darky.exe
80.242.123.211:888/1.exe
80.242.123.211:888/run.exe
Hosting info:
http://whois.domaintools.com/80.242.123.208