Advertisement
whickey

SilasCutler_JARM_Scan_CobaltStrike_Beacon_Config.json

Dec 4th, 2020
7,516
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 463.18 KB | None | 0 0
  1. {
  2. "scanner": "IPV4 JARM Scan: Silas Cutler - Beacon Config Scan: Wade Hickey",
  3. "scan_date": "2020-11-25",
  4. "100.24.69.72": {
  5. "x86": {
  6. "BeaconType": "8 (HTTPS)",
  7. "Port": "443",
  8. "Polling": "30000",
  9. "Jitter": "50",
  10. "Maxdns": "255",
  11. "C2 Server": "one.vhy.me,/__utm.gif",
  12. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  13. "HTTP Method Path 2": "/___utm.gif",
  14. "Header1": "",
  15. "Header2": "",
  16. "PipeName": "",
  17. "DNS Idle": "\\x00\\x00\\x00\\x00",
  18. "DNS Sleep": "0",
  19. "Method1": "GET",
  20. "Method2": "POST",
  21. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  22. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  23. "Proxy_AccessType": "2 (Use IE settings)"
  24. }
  25. },
  26. "100.26.209.220": {
  27. "x86": {
  28. "BeaconType": "8 (HTTPS)",
  29. "Port": "443",
  30. "Polling": "60000",
  31. "Jitter": "0",
  32. "Maxdns": "255",
  33. "C2 Server": "cdn.az.gov,/__utm.gif,cdn.zendesk.com,/__utm.gif,cdn.atlassian.com,/__utm.gif,a1.awsstatic.com,/__utm.gif,f0.awsstatic.com,/__utm.gif",
  34. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) likeGecko",
  35. "HTTP Method Path 2": "/___utm.gif",
  36. "Header1": "",
  37. "Header2": "",
  38. "PipeName": "",
  39. "DNS Idle": "\\x00\\x00\\x00\\x00",
  40. "DNS Sleep": "0",
  41. "Method1": "GET",
  42. "Method2": "POST",
  43. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  44. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  45. "Proxy_AccessType": "2 (Use IE settings)"
  46. },
  47. "x64": {
  48. "BeaconType": "8 (HTTPS)",
  49. "Port": "443",
  50. "Polling": "60000",
  51. "Jitter": "0",
  52. "Maxdns": "255",
  53. "C2 Server": "cdn.az.gov,/__utm.gif,cdn.zendesk.com,/__utm.gif,cdn.atlassian.com,/__utm.gif,a1.awsstatic.com,/__utm.gif,f0.awsstatic.com,/__utm.gif",
  54. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) likeGecko",
  55. "HTTP Method Path 2": "/___utm.gif",
  56. "Header1": "",
  57. "Header2": "",
  58. "PipeName": "",
  59. "DNS Idle": "\\x00\\x00\\x00\\x00",
  60. "DNS Sleep": "0",
  61. "Method1": "GET",
  62. "Method2": "POST",
  63. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  64. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  65. "Proxy_AccessType": "2 (Use IE settings)"
  66. }
  67. },
  68. "103.106.65.251": {
  69. "x86": {
  70. "BeaconType": "8 (HTTPS)",
  71. "Port": "443",
  72. "Polling": "60000",
  73. "Jitter": "0",
  74. "C2 Server": "103.106.65.251,/IE9CompatViewList.xml",
  75. "HTTP Method Path 2": "/submit.php",
  76. "Method1": "GET",
  77. "Method2": "POST",
  78. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  79. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  80. "Proxy_AccessType": "2 (Use IE settings)"
  81. }
  82. },
  83. "103.126.6.149": {
  84. "x86": {
  85. "BeaconType": "8 (HTTPS)",
  86. "Port": "443",
  87. "Polling": "45000",
  88. "Jitter": "37",
  89. "Maxdns": "255",
  90. "C2 Server": "103.126.6.149,/jquery-3.3.1.min.js",
  91. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  92. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  93. "Header1": "",
  94. "Header2": "",
  95. "PipeName": "",
  96. "DNS Idle": "J}\\xC4q",
  97. "DNS Sleep": "0",
  98. "Method1": "GET",
  99. "Method2": "POST",
  100. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  101. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  102. "Proxy_AccessType": "2 (Use IE settings)"
  103. }
  104. },
  105. "103.254.75.240": {
  106. "x86": {
  107. "BeaconType": "8 (HTTPS)",
  108. "Port": "443",
  109. "Polling": "60000",
  110. "Jitter": "0",
  111. "Maxdns": "255",
  112. "C2 Server": "103.254.75.240,/load",
  113. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)",
  114. "HTTP Method Path 2": "/submit.php",
  115. "Header1": "",
  116. "Header2": "",
  117. "PipeName": "",
  118. "DNS Idle": "\\x00\\x00\\x00\\x00",
  119. "DNS Sleep": "0",
  120. "Method1": "GET",
  121. "Method2": "POST",
  122. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  123. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  124. "Proxy_AccessType": "2 (Use IE settings)"
  125. },
  126. "x64": {
  127. "BeaconType": "8 (HTTPS)",
  128. "Port": "443",
  129. "Polling": "60000",
  130. "Jitter": "0",
  131. "Maxdns": "255",
  132. "C2 Server": "103.254.75.240,/__utm.gif",
  133. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)",
  134. "HTTP Method Path 2": "/submit.php",
  135. "Header1": "",
  136. "Header2": "",
  137. "PipeName": "",
  138. "DNS Idle": "\\x00\\x00\\x00\\x00",
  139. "DNS Sleep": "0",
  140. "Method1": "GET",
  141. "Method2": "POST",
  142. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  143. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  144. "Proxy_AccessType": "2 (Use IE settings)"
  145. }
  146. },
  147. "103.39.18.161": {
  148. "x86": {
  149. "BeaconType": "8 (HTTPS)",
  150. "Port": "443",
  151. "Polling": "60000",
  152. "Jitter": "15",
  153. "Maxdns": "255",
  154. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  155. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  156. "HTTP Method Path 2": "/mail/u/0/",
  157. "Header1": "",
  158. "Header2": "",
  159. "PipeName": "",
  160. "DNS Idle": "\\x08\\x08\\x04\\x04",
  161. "DNS Sleep": "0",
  162. "Method1": "GET",
  163. "Method2": "POST",
  164. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  165. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  166. "Proxy_AccessType": "2 (Use IE settings)"
  167. }
  168. },
  169. "103.39.18.162": {
  170. "x86": {
  171. "BeaconType": "8 (HTTPS)",
  172. "Port": "443",
  173. "Polling": "60000",
  174. "Jitter": "15",
  175. "Maxdns": "255",
  176. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  177. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  178. "HTTP Method Path 2": "/mail/u/0/",
  179. "Header1": "",
  180. "Header2": "",
  181. "PipeName": "",
  182. "DNS Idle": "\\x08\\x08\\x04\\x04",
  183. "DNS Sleep": "0",
  184. "Method1": "GET",
  185. "Method2": "POST",
  186. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  187. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  188. "Proxy_AccessType": "2 (Use IE settings)"
  189. },
  190. "x64": {
  191. "BeaconType": "8 (HTTPS)",
  192. "Port": "443",
  193. "Polling": "60000",
  194. "Jitter": "15",
  195. "Maxdns": "255",
  196. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  197. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 733; .NET CLR 2.0.50727)",
  198. "HTTP Method Path 2": "/mail/u/0/",
  199. "Header1": "",
  200. "Header2": "",
  201. "PipeName": "",
  202. "DNS Idle": "\\x08\\x08\\x04\\x04",
  203. "DNS Sleep": "0",
  204. "Method1": "GET",
  205. "Method2": "POST",
  206. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  207. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  208. "Proxy_AccessType": "2 (Use IE settings)"
  209. }
  210. },
  211. "103.39.18.163": {
  212. "x86": {
  213. "BeaconType": "8 (HTTPS)",
  214. "Port": "443",
  215. "Polling": "60000",
  216. "Jitter": "15",
  217. "Maxdns": "255",
  218. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  219. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  220. "HTTP Method Path 2": "/mail/u/0/",
  221. "Header1": "",
  222. "Header2": "",
  223. "PipeName": "",
  224. "DNS Idle": "\\x08\\x08\\x04\\x04",
  225. "DNS Sleep": "0",
  226. "Method1": "GET",
  227. "Method2": "POST",
  228. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  229. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  230. "Proxy_AccessType": "2 (Use IE settings)"
  231. }
  232. },
  233. "103.39.18.165": {
  234. "x86": {
  235. "BeaconType": "8 (HTTPS)",
  236. "Port": "443",
  237. "Polling": "60000",
  238. "Jitter": "15",
  239. "Maxdns": "255",
  240. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  241. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  242. "HTTP Method Path 2": "/mail/u/0/",
  243. "Header1": "",
  244. "Header2": "",
  245. "PipeName": "",
  246. "DNS Idle": "\\x08\\x08\\x04\\x04",
  247. "DNS Sleep": "0",
  248. "Method1": "GET",
  249. "Method2": "POST",
  250. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  251. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  252. "Proxy_AccessType": "2 (Use IE settings)"
  253. }
  254. },
  255. "103.39.18.168": {
  256. "x86": {
  257. "BeaconType": "8 (HTTPS)",
  258. "Port": "443",
  259. "Polling": "60000",
  260. "Jitter": "15",
  261. "Maxdns": "255",
  262. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  263. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  264. "HTTP Method Path 2": "/mail/u/0/",
  265. "Header1": "",
  266. "Header2": "",
  267. "PipeName": "",
  268. "DNS Idle": "\\x08\\x08\\x04\\x04",
  269. "DNS Sleep": "0",
  270. "Method1": "GET",
  271. "Method2": "POST",
  272. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  273. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  274. "Proxy_AccessType": "2 (Use IE settings)"
  275. },
  276. "x64": {
  277. "BeaconType": "8 (HTTPS)",
  278. "Port": "443",
  279. "Polling": "60000",
  280. "Jitter": "15",
  281. "Maxdns": "255",
  282. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  283. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 733; .NET CLR 2.0.50727)",
  284. "HTTP Method Path 2": "/mail/u/0/",
  285. "Header1": "",
  286. "Header2": "",
  287. "PipeName": "",
  288. "DNS Idle": "\\x08\\x08\\x04\\x04",
  289. "DNS Sleep": "0",
  290. "Method1": "GET",
  291. "Method2": "POST",
  292. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  293. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  294. "Proxy_AccessType": "2 (Use IE settings)"
  295. }
  296. },
  297. "103.39.18.170": {
  298. "x64": {
  299. "BeaconType": "8 (HTTPS)",
  300. "Port": "443",
  301. "Polling": "60000",
  302. "Jitter": "15",
  303. "Maxdns": "255",
  304. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  305. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 733; .NET CLR 2.0.50727)",
  306. "HTTP Method Path 2": "/mail/u/0/",
  307. "Header1": "",
  308. "Header2": "",
  309. "PipeName": "",
  310. "DNS Idle": "\\x08\\x08\\x04\\x04",
  311. "DNS Sleep": "0",
  312. "Method1": "GET",
  313. "Method2": "POST",
  314. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  315. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  316. "Proxy_AccessType": "2 (Use IE settings)"
  317. }
  318. },
  319. "103.39.18.171": {
  320. "x86": {
  321. "BeaconType": "8 (HTTPS)",
  322. "Port": "443",
  323. "Polling": "60000",
  324. "Jitter": "15",
  325. "Maxdns": "255",
  326. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  327. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  328. "HTTP Method Path 2": "/mail/u/0/",
  329. "Header1": "",
  330. "Header2": "",
  331. "PipeName": "",
  332. "DNS Idle": "\\x08\\x08\\x04\\x04",
  333. "DNS Sleep": "0",
  334. "Method1": "GET",
  335. "Method2": "POST",
  336. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  337. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  338. "Proxy_AccessType": "2 (Use IE settings)"
  339. },
  340. "x64": {
  341. "BeaconType": "8 (HTTPS)",
  342. "Port": "443",
  343. "Polling": "60000",
  344. "Jitter": "15",
  345. "Maxdns": "255",
  346. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  347. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 733; .NET CLR 2.0.50727)",
  348. "HTTP Method Path 2": "/mail/u/0/",
  349. "Header1": "",
  350. "Header2": "",
  351. "PipeName": "",
  352. "DNS Idle": "\\x08\\x08\\x04\\x04",
  353. "DNS Sleep": "0",
  354. "Method1": "GET",
  355. "Method2": "POST",
  356. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  357. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  358. "Proxy_AccessType": "2 (Use IE settings)"
  359. }
  360. },
  361. "103.39.18.173": {
  362. "x86": {
  363. "BeaconType": "8 (HTTPS)",
  364. "Port": "443",
  365. "Polling": "60000",
  366. "Jitter": "15",
  367. "Maxdns": "255",
  368. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  369. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  370. "HTTP Method Path 2": "/mail/u/0/",
  371. "Header1": "",
  372. "Header2": "",
  373. "PipeName": "",
  374. "DNS Idle": "\\x08\\x08\\x04\\x04",
  375. "DNS Sleep": "0",
  376. "Method1": "GET",
  377. "Method2": "POST",
  378. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  379. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  380. "Proxy_AccessType": "2 (Use IE settings)"
  381. }
  382. },
  383. "103.39.18.176": {
  384. "x86": {
  385. "BeaconType": "8 (HTTPS)",
  386. "Port": "443",
  387. "Polling": "60000",
  388. "Jitter": "15",
  389. "Maxdns": "255",
  390. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  391. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  392. "HTTP Method Path 2": "/mail/u/0/",
  393. "Header1": "",
  394. "Header2": "",
  395. "PipeName": "",
  396. "DNS Idle": "\\x08\\x08\\x04\\x04",
  397. "DNS Sleep": "0",
  398. "Method1": "GET",
  399. "Method2": "POST",
  400. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  401. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  402. "Proxy_AccessType": "2 (Use IE settings)"
  403. },
  404. "x64": {
  405. "BeaconType": "8 (HTTPS)",
  406. "Port": "443",
  407. "Polling": "60000",
  408. "Jitter": "15",
  409. "Maxdns": "255",
  410. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  411. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 733; .NET CLR 2.0.50727)",
  412. "HTTP Method Path 2": "/mail/u/0/",
  413. "Header1": "",
  414. "Header2": "",
  415. "PipeName": "",
  416. "DNS Idle": "\\x08\\x08\\x04\\x04",
  417. "DNS Sleep": "0",
  418. "Method1": "GET",
  419. "Method2": "POST",
  420. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  421. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  422. "Proxy_AccessType": "2 (Use IE settings)"
  423. }
  424. },
  425. "103.39.18.180": {
  426. "x86": {
  427. "BeaconType": "8 (HTTPS)",
  428. "Port": "443",
  429. "Polling": "60000",
  430. "Jitter": "15",
  431. "Maxdns": "255",
  432. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  433. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  434. "HTTP Method Path 2": "/mail/u/0/",
  435. "Header1": "",
  436. "Header2": "",
  437. "PipeName": "",
  438. "DNS Idle": "\\x08\\x08\\x04\\x04",
  439. "DNS Sleep": "0",
  440. "Method1": "GET",
  441. "Method2": "POST",
  442. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  443. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  444. "Proxy_AccessType": "2 (Use IE settings)"
  445. }
  446. },
  447. "103.39.18.181": {
  448. "x86": {
  449. "BeaconType": "8 (HTTPS)",
  450. "Port": "443",
  451. "Polling": "60000",
  452. "Jitter": "15",
  453. "Maxdns": "255",
  454. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  455. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  456. "HTTP Method Path 2": "/mail/u/0/",
  457. "Header1": "",
  458. "Header2": "",
  459. "PipeName": "",
  460. "DNS Idle": "\\x08\\x08\\x04\\x04",
  461. "DNS Sleep": "0",
  462. "Method1": "GET",
  463. "Method2": "POST",
  464. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  465. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  466. "Proxy_AccessType": "2 (Use IE settings)"
  467. }
  468. },
  469. "103.39.18.182": {
  470. "x86": {
  471. "BeaconType": "8 (HTTPS)",
  472. "Port": "443",
  473. "Polling": "60000",
  474. "Jitter": "15",
  475. "Maxdns": "255",
  476. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  477. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  478. "HTTP Method Path 2": "/mail/u/0/",
  479. "Header1": "",
  480. "Header2": "",
  481. "PipeName": "",
  482. "DNS Idle": "\\x08\\x08\\x04\\x04",
  483. "DNS Sleep": "0",
  484. "Method1": "GET",
  485. "Method2": "POST",
  486. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  487. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  488. "Proxy_AccessType": "2 (Use IE settings)"
  489. }
  490. },
  491. "103.39.18.183": {
  492. "x86": {
  493. "BeaconType": "8 (HTTPS)",
  494. "Port": "443",
  495. "Polling": "60000",
  496. "Jitter": "15",
  497. "Maxdns": "255",
  498. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  499. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  500. "HTTP Method Path 2": "/mail/u/0/",
  501. "Header1": "",
  502. "Header2": "",
  503. "PipeName": "",
  504. "DNS Idle": "\\x08\\x08\\x04\\x04",
  505. "DNS Sleep": "0",
  506. "Method1": "GET",
  507. "Method2": "POST",
  508. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  509. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  510. "Proxy_AccessType": "2 (Use IE settings)"
  511. }
  512. },
  513. "103.39.18.187": {
  514. "x86": {
  515. "BeaconType": "8 (HTTPS)",
  516. "Port": "443",
  517. "Polling": "60000",
  518. "Jitter": "15",
  519. "Maxdns": "255",
  520. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  521. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  522. "HTTP Method Path 2": "/mail/u/0/",
  523. "Header1": "",
  524. "Header2": "",
  525. "PipeName": "",
  526. "DNS Idle": "\\x08\\x08\\x04\\x04",
  527. "DNS Sleep": "0",
  528. "Method1": "GET",
  529. "Method2": "POST",
  530. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  531. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  532. "Proxy_AccessType": "2 (Use IE settings)"
  533. }
  534. },
  535. "103.39.18.189": {
  536. "x86": {
  537. "BeaconType": "8 (HTTPS)",
  538. "Port": "443",
  539. "Polling": "60000",
  540. "Jitter": "15",
  541. "Maxdns": "255",
  542. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  543. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  544. "HTTP Method Path 2": "/mail/u/0/",
  545. "Header1": "",
  546. "Header2": "",
  547. "PipeName": "",
  548. "DNS Idle": "\\x08\\x08\\x04\\x04",
  549. "DNS Sleep": "0",
  550. "Method1": "GET",
  551. "Method2": "POST",
  552. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  553. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  554. "Proxy_AccessType": "2 (Use IE settings)"
  555. }
  556. },
  557. "103.39.18.190": {
  558. "x86": {
  559. "BeaconType": "8 (HTTPS)",
  560. "Port": "443",
  561. "Polling": "60000",
  562. "Jitter": "15",
  563. "Maxdns": "255",
  564. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  565. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  566. "HTTP Method Path 2": "/mail/u/0/",
  567. "Header1": "",
  568. "Header2": "",
  569. "PipeName": "",
  570. "DNS Idle": "\\x08\\x08\\x04\\x04",
  571. "DNS Sleep": "0",
  572. "Method1": "GET",
  573. "Method2": "POST",
  574. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  575. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  576. "Proxy_AccessType": "2 (Use IE settings)"
  577. }
  578. },
  579. "103.70.137.129": {
  580. "x86": {
  581. "BeaconType": "8 (HTTPS)",
  582. "Port": "443",
  583. "Polling": "60000",
  584. "Jitter": "0",
  585. "C2 Server": "45.170.251.101,/ga.js",
  586. "HTTP Method Path 2": "/submit.php",
  587. "Method1": "GET",
  588. "Method2": "POST",
  589. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  590. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  591. "Proxy_AccessType": "2 (Use IE settings)"
  592. },
  593. "x64": {
  594. "BeaconType": "8 (HTTPS)",
  595. "Port": "443",
  596. "Polling": "60000",
  597. "Jitter": "0",
  598. "C2 Server": "45.170.251.101,/updates.rss",
  599. "HTTP Method Path 2": "/submit.php",
  600. "Method1": "GET",
  601. "Method2": "POST",
  602. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  603. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  604. "Proxy_AccessType": "2 (Use IE settings)"
  605. }
  606. },
  607. "104.131.125.114": {
  608. "x64": {
  609. "BeaconType": "8 (HTTPS)",
  610. "Port": "443",
  611. "Polling": "15000",
  612. "Jitter": "90",
  613. "Maxdns": "225",
  614. "C2 Server": "ajax.microsoft.com,/wp-content/themes/am43-6/dist/records,amp.azure.net,/api2/json/cluster/tasks,global.asazure.windows.net,/wp-content/themes/am43-6/dist/records",
  615. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  616. "HTTP Method Path 2": "/ev/prd001001",
  617. "Header1": "",
  618. "Header2": "",
  619. "PipeName": "",
  620. "DNS Idle": "h\\xD8<\\x84",
  621. "DNS Sleep": "0",
  622. "Method1": "GET",
  623. "Method2": "POST",
  624. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  625. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  626. "Proxy_AccessType": "2 (Use IE settings)"
  627. }
  628. },
  629. "104.131.167.151": {
  630. "x86": {
  631. "BeaconType": "8 (HTTPS)",
  632. "Port": "443",
  633. "Polling": "15000",
  634. "Jitter": "90",
  635. "C2 Server": "ajax.microsoft.com,/v1/buckets/default/ext-5dkJ19tFufpMZjVJbsWCiqDcclDw/records",
  636. "HTTP Method Path 2": "/1.5/95648064/storage/tabs",
  637. "Method1": "GET",
  638. "Method2": "POST",
  639. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  640. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  641. "Proxy_AccessType": "2 (Use IE settings)"
  642. },
  643. "x64": {
  644. "BeaconType": "8 (HTTPS)",
  645. "Port": "443",
  646. "Polling": "15000",
  647. "Jitter": "90",
  648. "C2 Server": "ajax.microsoft.com,/wp-content/themes/am43-6/dist/records",
  649. "HTTP Method Path 2": "/v3/links/ping-beat/check",
  650. "Method1": "GET",
  651. "Method2": "POST",
  652. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  653. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  654. "Proxy_AccessType": "2 (Use IE settings)"
  655. }
  656. },
  657. "104.131.210.108": {
  658. "x86": {
  659. "BeaconType": "8 (HTTPS)",
  660. "Port": "443",
  661. "Polling": "60000",
  662. "Jitter": "0",
  663. "Maxdns": "255",
  664. "C2 Server": "mobilecdnprod.azureedge.net,/__utm.gif",
  665. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)",
  666. "HTTP Method Path 2": "/submit.php",
  667. "Header1": "",
  668. "Header2": "",
  669. "PipeName": "",
  670. "DNS Idle": "\\x00\\x00\\x00\\x00",
  671. "DNS Sleep": "0",
  672. "Method1": "GET",
  673. "Method2": "POST",
  674. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  675. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  676. "Proxy_AccessType": "2 (Use IE settings)"
  677. }
  678. },
  679. "104.131.76.110": {
  680. "x86": {
  681. "BeaconType": "8 (HTTPS)",
  682. "Port": "443",
  683. "Polling": "15000",
  684. "Jitter": "90",
  685. "Maxdns": "225",
  686. "C2 Server": "ajax.microsoft.com,/api2/json/cluster/tasks",
  687. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  688. "HTTP Method Path 2": "/v3/links/ping-beat/check",
  689. "Header1": "",
  690. "Header2": "",
  691. "PipeName": "",
  692. "DNS Idle": "h\\xD8<\\x84",
  693. "DNS Sleep": "0",
  694. "Method1": "GET",
  695. "Method2": "POST",
  696. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  697. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  698. "Proxy_AccessType": "2 (Use IE settings)"
  699. }
  700. },
  701. "104.131.88.156": {
  702. "x86": {
  703. "BeaconType": "8 (HTTPS)",
  704. "Port": "443",
  705. "Polling": "15000",
  706. "Jitter": "90",
  707. "Maxdns": "225",
  708. "C2 Server": "wepay.com,/en-us/store/api/checkproductinwishlist",
  709. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  710. "HTTP Method Path 2": "/u/0/_/og/botguard/get",
  711. "Header1": "",
  712. "Header2": "",
  713. "PipeName": "",
  714. "DNS Idle": "h\\xD8<\\x84",
  715. "DNS Sleep": "0",
  716. "Method1": "GET",
  717. "Method2": "POST",
  718. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  719. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  720. "Proxy_AccessType": "2 (Use IE settings)"
  721. },
  722. "x64": {
  723. "BeaconType": "8 (HTTPS)",
  724. "Port": "443",
  725. "Polling": "15000",
  726. "Jitter": "90",
  727. "Maxdns": "225",
  728. "C2 Server": "wepay.com,/api2/json/access/ticket",
  729. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  730. "HTTP Method Path 2": "/v3/links/ping-beat/check",
  731. "Header1": "",
  732. "Header2": "",
  733. "PipeName": "",
  734. "DNS Idle": "h\\xD8<\\x84",
  735. "DNS Sleep": "0",
  736. "Method1": "GET",
  737. "Method2": "POST",
  738. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  739. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  740. "Proxy_AccessType": "2 (Use IE settings)"
  741. }
  742. },
  743. "104.149.168.199": {
  744. "x86": {
  745. "BeaconType": "8 (HTTPS)",
  746. "Port": "443",
  747. "Polling": "60000",
  748. "Jitter": "0",
  749. "Maxdns": "255",
  750. "C2 Server": "104.149.168.199,/g.pixel",
  751. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)",
  752. "HTTP Method Path 2": "/submit.php",
  753. "Header1": "",
  754. "Header2": "",
  755. "PipeName": "",
  756. "DNS Idle": "\\x00\\x00\\x00\\x00",
  757. "DNS Sleep": "0",
  758. "Method1": "GET",
  759. "Method2": "POST",
  760. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  761. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  762. "Proxy_AccessType": "2 (Use IE settings)"
  763. },
  764. "x64": {
  765. "BeaconType": "8 (HTTPS)",
  766. "Port": "443",
  767. "Polling": "60000",
  768. "Jitter": "0",
  769. "Maxdns": "255",
  770. "C2 Server": "104.149.168.199,/g.pixel",
  771. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)",
  772. "HTTP Method Path 2": "/submit.php",
  773. "Header1": "",
  774. "Header2": "",
  775. "PipeName": "",
  776. "DNS Idle": "\\x00\\x00\\x00\\x00",
  777. "DNS Sleep": "0",
  778. "Method1": "GET",
  779. "Method2": "POST",
  780. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  781. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  782. "Proxy_AccessType": "2 (Use IE settings)"
  783. }
  784. },
  785. "104.168.140.127": {
  786. "x86": {
  787. "BeaconType": "8 (HTTPS)",
  788. "Port": "443",
  789. "Polling": "62412",
  790. "Jitter": "43",
  791. "Maxdns": "242",
  792. "C2 Server": "qw.run-upgrade.monster,/avatars.js,as.run-upgrade.monster,/fam_newspaper.js,zx.run-upgrade.monster,/avatars.js",
  793. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36",
  794. "HTTP Method Path 2": "/templates",
  795. "Header1": "",
  796. "Header2": "",
  797. "PipeName": "",
  798. "DNS Idle": "@\\xD9\\xA5\\x04",
  799. "DNS Sleep": "0",
  800. "Method1": "GET",
  801. "Method2": "POST",
  802. "Spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",
  803. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  804. "Proxy_AccessType": "2 (Use IE settings)"
  805. },
  806. "x64": {
  807. "BeaconType": "8 (HTTPS)",
  808. "Port": "443",
  809. "Polling": "62412",
  810. "Jitter": "43",
  811. "Maxdns": "242",
  812. "C2 Server": "qw.run-upgrade.monster,/fam_newspaper.js,as.run-upgrade.monster,/fam_newspaper.js,zx.run-upgrade.monster,/avatars.js",
  813. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36",
  814. "HTTP Method Path 2": "/templates",
  815. "Header1": "",
  816. "Header2": "",
  817. "PipeName": "",
  818. "DNS Idle": "@\\xD9\\xA5\\x04",
  819. "DNS Sleep": "0",
  820. "Method1": "GET",
  821. "Method2": "POST",
  822. "Spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",
  823. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  824. "Proxy_AccessType": "2 (Use IE settings)"
  825. }
  826. },
  827. "104.168.159.201": {
  828. "x86": {
  829. "BeaconType": "8 (HTTPS)",
  830. "Port": "443",
  831. "Polling": "55365",
  832. "Jitter": "43",
  833. "Maxdns": "255",
  834. "C2 Server": "104.168.159.201,/en",
  835. "User Agent": "Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202",
  836. "HTTP Method Path 2": "/as",
  837. "Header1": "",
  838. "Header2": "",
  839. "PipeName": "",
  840. "DNS Idle": "z\\xC1]\\x0E",
  841. "DNS Sleep": "0",
  842. "Method1": "GET",
  843. "Method2": "POST",
  844. "Spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",
  845. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  846. "Proxy_AccessType": "2 (Use IE settings)"
  847. }
  848. },
  849. "104.194.10.58": {
  850. "x86": {
  851. "BeaconType": "8 (HTTPS)",
  852. "Port": "443",
  853. "Polling": "30000",
  854. "Jitter": "20",
  855. "Maxdns": "255",
  856. "C2 Server": "peernew.com,/CWoNaJLBo/VTNeWw11212/",
  857. "User Agent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)",
  858. "HTTP Method Path 2": "/CWoNaJLBo/VTNeWw11213/",
  859. "Header1": "",
  860. "Header2": "",
  861. "PipeName": "",
  862. "DNS Idle": "\\x00\\x00\\x00\\x00",
  863. "DNS Sleep": "0",
  864. "Method1": "GET",
  865. "Method2": "POST",
  866. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  867. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  868. "Proxy_AccessType": "2 (Use IE settings)"
  869. }
  870. },
  871. "104.194.11.10": {
  872. "x86": {
  873. "BeaconType": "8 (HTTPS)",
  874. "Port": "443",
  875. "Polling": "5000",
  876. "Jitter": "10",
  877. "Maxdns": "235",
  878. "C2 Server": "simvp.com,/us/ky/louisville/312-s-fourth-st.html",
  879. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  880. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  881. "Header1": "",
  882. "Header2": "",
  883. "PipeName": "",
  884. "DNS Idle": "\\x08\\x08\\x08\\x08",
  885. "DNS Sleep": "0",
  886. "Method1": "GET",
  887. "Method2": "POST",
  888. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  889. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  890. "Proxy_AccessType": "2 (Use IE settings)"
  891. },
  892. "x64": {
  893. "BeaconType": "8 (HTTPS)",
  894. "Port": "443",
  895. "Polling": "5000",
  896. "Jitter": "10",
  897. "Maxdns": "235",
  898. "C2 Server": "simvp.com,/us/ky/louisville/312-s-fourth-st.html",
  899. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  900. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  901. "Header1": "",
  902. "Header2": "",
  903. "PipeName": "",
  904. "DNS Idle": "\\x08\\x08\\x08\\x08",
  905. "DNS Sleep": "0",
  906. "Method1": "GET",
  907. "Method2": "POST",
  908. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  909. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  910. "Proxy_AccessType": "2 (Use IE settings)"
  911. }
  912. },
  913. "104.194.8.114": {
  914. "x86": {
  915. "BeaconType": "8 (HTTPS)",
  916. "Port": "443",
  917. "Polling": "5000",
  918. "Jitter": "10",
  919. "Maxdns": "235",
  920. "C2 Server": "raills.com,/us/ky/louisville/312-s-fourth-st.html",
  921. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  922. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  923. "Header1": "",
  924. "Header2": "",
  925. "PipeName": "",
  926. "DNS Idle": "\\x08\\x08\\x08\\x08",
  927. "DNS Sleep": "0",
  928. "Method1": "GET",
  929. "Method2": "POST",
  930. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  931. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  932. "Proxy_AccessType": "2 (Use IE settings)"
  933. }
  934. },
  935. "104.194.8.36": {
  936. "x64": {
  937. "BeaconType": "8 (HTTPS)",
  938. "Port": "443",
  939. "Polling": "5000",
  940. "Jitter": "10",
  941. "Maxdns": "235",
  942. "C2 Server": "rollfx.com,/us/ky/louisville/312-s-fourth-st.html",
  943. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  944. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  945. "Header1": "",
  946. "Header2": "",
  947. "PipeName": "",
  948. "DNS Idle": "\\x08\\x08\\x08\\x08",
  949. "DNS Sleep": "0",
  950. "Method1": "GET",
  951. "Method2": "POST",
  952. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  953. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  954. "Proxy_AccessType": "2 (Use IE settings)"
  955. }
  956. },
  957. "104.236.172.121": {
  958. "x86": {
  959. "BeaconType": "8 (HTTPS)",
  960. "Port": "443",
  961. "Polling": "60000",
  962. "Jitter": "0",
  963. "Maxdns": "255",
  964. "C2 Server": "104.236.172.121,/ga.js,n00she.com,/match",
  965. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)",
  966. "HTTP Method Path 2": "/submit.php",
  967. "Header1": "",
  968. "Header2": "",
  969. "PipeName": "",
  970. "DNS Idle": "\\x00\\x00\\x00\\x00",
  971. "DNS Sleep": "0",
  972. "Method1": "GET",
  973. "Method2": "POST",
  974. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  975. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  976. "Proxy_AccessType": "2 (Use IE settings)"
  977. },
  978. "x64": {
  979. "BeaconType": "8 (HTTPS)",
  980. "Port": "443",
  981. "Polling": "60000",
  982. "Jitter": "0",
  983. "Maxdns": "255",
  984. "C2 Server": "104.236.172.121,/en_US/all.js,n00she.com,/activity",
  985. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; LBBROWSER)",
  986. "HTTP Method Path 2": "/submit.php",
  987. "Header1": "",
  988. "Header2": "",
  989. "PipeName": "",
  990. "DNS Idle": "\\x00\\x00\\x00\\x00",
  991. "DNS Sleep": "0",
  992. "Method1": "GET",
  993. "Method2": "POST",
  994. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  995. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  996. "Proxy_AccessType": "2 (Use IE settings)"
  997. }
  998. },
  999. "104.238.133.94": {
  1000. "x86": {
  1001. "BeaconType": "8 (HTTPS)",
  1002. "Port": "443",
  1003. "Polling": "60000",
  1004. "Jitter": "0",
  1005. "Maxdns": "255",
  1006. "C2 Server": "104.238.133.94,/pixel.gif",
  1007. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; yie9)",
  1008. "HTTP Method Path 2": "/submit.php",
  1009. "Header1": "",
  1010. "Header2": "",
  1011. "PipeName": "",
  1012. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1013. "DNS Sleep": "0",
  1014. "Method1": "GET",
  1015. "Method2": "POST",
  1016. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1017. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1018. "Proxy_AccessType": "2 (Use IE settings)"
  1019. }
  1020. },
  1021. "104.238.205.115": {
  1022. "x86": {
  1023. "BeaconType": "8 (HTTPS)",
  1024. "Port": "443",
  1025. "Polling": "5000",
  1026. "Jitter": "10",
  1027. "Maxdns": "235",
  1028. "C2 Server": "resfox.com,/us/ky/louisville/312-s-fourth-st.html,zeroflip.com,/us/ky/louisville/312-s-fourth-st.html",
  1029. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  1030. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  1031. "Header1": "",
  1032. "Header2": "",
  1033. "PipeName": "",
  1034. "DNS Idle": "\\x08\\x08\\x08\\x08",
  1035. "DNS Sleep": "0",
  1036. "Method1": "GET",
  1037. "Method2": "POST",
  1038. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  1039. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  1040. "Proxy_AccessType": "2 (Use IE settings)"
  1041. }
  1042. },
  1043. "104.238.205.44": {
  1044. "x86": {
  1045. "BeaconType": "8 (HTTPS)",
  1046. "Port": "443",
  1047. "Polling": "60000",
  1048. "Jitter": "0",
  1049. "Maxdns": "255",
  1050. "C2 Server": "syscx.com,/dot.gif",
  1051. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; ASU2JS)",
  1052. "HTTP Method Path 2": "/submit.php",
  1053. "Header1": "",
  1054. "Header2": "",
  1055. "PipeName": "",
  1056. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1057. "DNS Sleep": "0",
  1058. "Method1": "GET",
  1059. "Method2": "POST",
  1060. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1061. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1062. "Proxy_AccessType": "2 (Use IE settings)"
  1063. }
  1064. },
  1065. "104.238.205.63": {
  1066. "x86": {
  1067. "BeaconType": "8 (HTTPS)",
  1068. "Port": "443",
  1069. "Polling": "30000",
  1070. "Jitter": "20",
  1071. "Maxdns": "255",
  1072. "C2 Server": "dealeva.com,/CWoNaJLBo/VTNeWw11212/",
  1073. "User Agent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)",
  1074. "HTTP Method Path 2": "/CWoNaJLBo/VTNeWw11213/",
  1075. "Header1": "",
  1076. "Header2": "",
  1077. "PipeName": "",
  1078. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1079. "DNS Sleep": "0",
  1080. "Method1": "GET",
  1081. "Method2": "POST",
  1082. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1083. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1084. "Proxy_AccessType": "2 (Use IE settings)"
  1085. }
  1086. },
  1087. "104.243.33.7": {
  1088. "x64": {
  1089. "BeaconType": "8 (HTTPS)",
  1090. "Port": "443",
  1091. "Polling": "30000",
  1092. "Jitter": "20",
  1093. "Maxdns": "255",
  1094. "C2 Server": "goodroy.com,/CWoNaJLBo/VTNeWw11212/",
  1095. "User Agent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)",
  1096. "HTTP Method Path 2": "/CWoNaJLBo/VTNeWw11213/",
  1097. "Header1": "",
  1098. "Header2": "",
  1099. "PipeName": "",
  1100. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1101. "DNS Sleep": "0",
  1102. "Method1": "GET",
  1103. "Method2": "POST",
  1104. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1105. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1106. "Proxy_AccessType": "2 (Use IE settings)"
  1107. }
  1108. },
  1109. "104.243.40.126": {
  1110. "x86": {
  1111. "BeaconType": "8 (HTTPS)",
  1112. "Port": "443",
  1113. "Polling": "5000",
  1114. "Jitter": "10",
  1115. "Maxdns": "235",
  1116. "C2 Server": "likenic.com,/us/ky/louisville/312-s-fourth-st.html",
  1117. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  1118. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  1119. "Header1": "",
  1120. "Header2": "",
  1121. "PipeName": "",
  1122. "DNS Idle": "\\x08\\x08\\x08\\x08",
  1123. "DNS Sleep": "0",
  1124. "Method1": "GET",
  1125. "Method2": "POST",
  1126. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  1127. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  1128. "Proxy_AccessType": "2 (Use IE settings)"
  1129. }
  1130. },
  1131. "104.243.41.123": {
  1132. "x64": {
  1133. "BeaconType": "8 (HTTPS)",
  1134. "Port": "443",
  1135. "Polling": "60000",
  1136. "Jitter": "0",
  1137. "Maxdns": "255",
  1138. "C2 Server": "cuphq.com,/cx",
  1139. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; BOIE9;ENUS)",
  1140. "HTTP Method Path 2": "/submit.php",
  1141. "Header1": "",
  1142. "Header2": "",
  1143. "PipeName": "",
  1144. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1145. "DNS Sleep": "0",
  1146. "Method1": "GET",
  1147. "Method2": "POST",
  1148. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1149. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1150. "Proxy_AccessType": "2 (Use IE settings)"
  1151. }
  1152. },
  1153. "104.243.45.15": {
  1154. "x86": {
  1155. "BeaconType": "8 (HTTPS)",
  1156. "Port": "443",
  1157. "Polling": "5000",
  1158. "Jitter": "10",
  1159. "Maxdns": "235",
  1160. "C2 Server": "mixres.com,/us/ky/louisville/312-s-fourth-st.html",
  1161. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  1162. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  1163. "Header1": "",
  1164. "Header2": "",
  1165. "PipeName": "",
  1166. "DNS Idle": "\\x08\\x08\\x08\\x08",
  1167. "DNS Sleep": "0",
  1168. "Method1": "GET",
  1169. "Method2": "POST",
  1170. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  1171. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  1172. "Proxy_AccessType": "2 (Use IE settings)"
  1173. },
  1174. "x64": {
  1175. "BeaconType": "8 (HTTPS)",
  1176. "Port": "443",
  1177. "Polling": "5000",
  1178. "Jitter": "10",
  1179. "Maxdns": "235",
  1180. "C2 Server": "mixres.com,/us/ky/louisville/312-s-fourth-st.html",
  1181. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  1182. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  1183. "Header1": "",
  1184. "Header2": "",
  1185. "PipeName": "",
  1186. "DNS Idle": "\\x08\\x08\\x08\\x08",
  1187. "DNS Sleep": "0",
  1188. "Method1": "GET",
  1189. "Method2": "POST",
  1190. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  1191. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  1192. "Proxy_AccessType": "2 (Use IE settings)"
  1193. }
  1194. },
  1195. "104.243.45.45": {
  1196. "x86": {
  1197. "BeaconType": "8 (HTTPS)",
  1198. "Port": "443",
  1199. "Polling": "5000",
  1200. "Jitter": "10",
  1201. "Maxdns": "235",
  1202. "C2 Server": "mobpros.com,/us/ky/louisville/312-s-fourth-st.html",
  1203. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  1204. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  1205. "Header1": "",
  1206. "Header2": "",
  1207. "PipeName": "",
  1208. "DNS Idle": "\\x08\\x08\\x08\\x08",
  1209. "DNS Sleep": "0",
  1210. "Method1": "GET",
  1211. "Method2": "POST",
  1212. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  1213. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  1214. "Proxy_AccessType": "2 (Use IE settings)"
  1215. }
  1216. },
  1217. "104.243.46.74": {
  1218. "x86": {
  1219. "BeaconType": "8 (HTTPS)",
  1220. "Port": "443",
  1221. "Polling": "60000",
  1222. "Jitter": "0",
  1223. "Maxdns": "255",
  1224. "C2 Server": "104.243.46.74,/IE9CompatViewList.xml",
  1225. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; WOW64; Trident/5.0)",
  1226. "HTTP Method Path 2": "/submit.php",
  1227. "Header1": "",
  1228. "Header2": "",
  1229. "PipeName": "",
  1230. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1231. "DNS Sleep": "0",
  1232. "Method1": "GET",
  1233. "Method2": "POST",
  1234. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1235. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1236. "Proxy_AccessType": "2 (Use IE settings)"
  1237. }
  1238. },
  1239. "104.247.196.106": {
  1240. "x64": {
  1241. "BeaconType": "8 (HTTPS)",
  1242. "Port": "443",
  1243. "Polling": "60000",
  1244. "Jitter": "0",
  1245. "Maxdns": "255",
  1246. "C2 Server": "104.247.196.106,/match",
  1247. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; NP06)",
  1248. "HTTP Method Path 2": "/submit.php",
  1249. "Header1": "",
  1250. "Header2": "",
  1251. "PipeName": "",
  1252. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1253. "DNS Sleep": "0",
  1254. "Method1": "GET",
  1255. "Method2": "POST",
  1256. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1257. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1258. "Proxy_AccessType": "2 (Use IE settings)"
  1259. }
  1260. },
  1261. "104.247.196.170": {
  1262. "x86": {
  1263. "BeaconType": "8 (HTTPS)",
  1264. "Port": "443",
  1265. "Polling": "5000",
  1266. "Jitter": "10",
  1267. "Maxdns": "235",
  1268. "C2 Server": "clubuz.com,/us/ky/louisville/312-s-fourth-st.html",
  1269. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  1270. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  1271. "Header1": "",
  1272. "Header2": "",
  1273. "PipeName": "",
  1274. "DNS Idle": "\\x08\\x08\\x08\\x08",
  1275. "DNS Sleep": "0",
  1276. "Method1": "GET",
  1277. "Method2": "POST",
  1278. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  1279. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  1280. "Proxy_AccessType": "2 (Use IE settings)"
  1281. }
  1282. },
  1283. "104.248.224.90": {
  1284. "x86": {
  1285. "BeaconType": "8 (HTTPS)",
  1286. "Port": "443",
  1287. "Polling": "15000",
  1288. "Jitter": "90",
  1289. "Maxdns": "225",
  1290. "C2 Server": "www.nytimes.com,/v1/preferences,www.nytimes.com,/v1/preferences,www.nytimes.com,/idcta/translations,www.nytimes.com,/v2/preferences,www.nytimes.com,/idcta/translations",
  1291. "User Agent": "Microsoft BITS/7.8",
  1292. "HTTP Method Path 2": "/track",
  1293. "Header1": "",
  1294. "Header2": "",
  1295. "PipeName": "",
  1296. "DNS Idle": "h\\xD8<\\x84",
  1297. "DNS Sleep": "0",
  1298. "Method1": "GET",
  1299. "Method2": "POST",
  1300. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  1301. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  1302. "Proxy_AccessType": "2 (Use IE settings)"
  1303. }
  1304. },
  1305. "104.248.48.249": {
  1306. "x86": {
  1307. "BeaconType": "8 (HTTPS)",
  1308. "Port": "443",
  1309. "Polling": "15000",
  1310. "Jitter": "90",
  1311. "C2 Server": "104.248.48.249,/gp/cerberus/gv",
  1312. "HTTP Method Path 2": "/1.5/95648064/storage/tabs",
  1313. "Method1": "GET",
  1314. "Method2": "POST",
  1315. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  1316. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  1317. "Proxy_AccessType": "2 (Use IE settings)"
  1318. }
  1319. },
  1320. "104.254.128.107": {
  1321. "x86": {
  1322. "BeaconType": "8 (HTTPS)",
  1323. "Port": "443",
  1324. "Polling": "60000",
  1325. "Jitter": "0",
  1326. "C2 Server": "45.170.251.101,/ga.js",
  1327. "HTTP Method Path 2": "/submit.php",
  1328. "Method1": "GET",
  1329. "Method2": "POST",
  1330. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1331. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1332. "Proxy_AccessType": "2 (Use IE settings)"
  1333. }
  1334. },
  1335. "106.52.233.118": {
  1336. "x64": {
  1337. "BeaconType": "8 (HTTPS)",
  1338. "Port": "443",
  1339. "Polling": "60000",
  1340. "Jitter": "0",
  1341. "Maxdns": "255",
  1342. "C2 Server": "106.52.233.118,/s",
  1343. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  1344. "HTTP Method Path 2": "/S",
  1345. "Header1": "",
  1346. "Header2": "",
  1347. "PipeName": "",
  1348. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1349. "DNS Sleep": "0",
  1350. "Method1": "GET",
  1351. "Method2": "POST",
  1352. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1353. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1354. "Proxy_AccessType": "2 (Use IE settings)"
  1355. }
  1356. },
  1357. "106.55.153.204": {
  1358. "x86": {
  1359. "BeaconType": "8 (HTTPS)",
  1360. "Port": "443",
  1361. "Polling": "60000",
  1362. "Jitter": "0",
  1363. "Maxdns": "255",
  1364. "C2 Server": "106.55.153.204,/en_US/all.js",
  1365. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;SVSE)",
  1366. "HTTP Method Path 2": "/submit.php",
  1367. "Header1": "",
  1368. "Header2": "",
  1369. "PipeName": "",
  1370. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1371. "DNS Sleep": "0",
  1372. "Method1": "GET",
  1373. "Method2": "POST",
  1374. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1375. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1376. "Proxy_AccessType": "2 (Use IE settings)"
  1377. }
  1378. },
  1379. "108.177.235.180": {
  1380. "x86": {
  1381. "BeaconType": "8 (HTTPS)",
  1382. "Port": "443",
  1383. "Polling": "60000",
  1384. "Jitter": "0",
  1385. "Maxdns": "255",
  1386. "C2 Server": "mail.safeyoke.com,/ptj,feedback.safeyoke.com,/cx",
  1387. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; InfoPath.2)",
  1388. "HTTP Method Path 2": "/submit.php",
  1389. "Header1": "",
  1390. "Header2": "",
  1391. "PipeName": "",
  1392. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1393. "DNS Sleep": "0",
  1394. "Method1": "GET",
  1395. "Method2": "POST",
  1396. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1397. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1398. "Proxy_AccessType": "2 (Use IE settings)"
  1399. }
  1400. },
  1401. "108.177.235.22": {
  1402. "x86": {
  1403. "BeaconType": "8 (HTTPS)",
  1404. "Port": "443",
  1405. "Polling": "60000",
  1406. "Jitter": "0",
  1407. "Maxdns": "255",
  1408. "C2 Server": "108.177.235.22,/fwlink",
  1409. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
  1410. "HTTP Method Path 2": "/submit.php",
  1411. "Header1": "",
  1412. "Header2": "",
  1413. "PipeName": "",
  1414. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1415. "DNS Sleep": "0",
  1416. "Method1": "GET",
  1417. "Method2": "POST",
  1418. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1419. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1420. "Proxy_AccessType": "2 (Use IE settings)"
  1421. }
  1422. },
  1423. "108.62.118.187": {
  1424. "x86": {
  1425. "BeaconType": "8 (HTTPS)",
  1426. "Port": "443",
  1427. "Polling": "5000",
  1428. "Jitter": "10",
  1429. "Maxdns": "235",
  1430. "C2 Server": "ramush.com,/us/ky/louisville/312-s-fourth-st.html,leepick.com,/us/ky/louisville/312-s-fourth-st.html",
  1431. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  1432. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  1433. "Header1": "",
  1434. "Header2": "",
  1435. "PipeName": "",
  1436. "DNS Idle": "\\x08\\x08\\x08\\x08",
  1437. "DNS Sleep": "0",
  1438. "Method1": "GET",
  1439. "Method2": "POST",
  1440. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  1441. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  1442. "Proxy_AccessType": "2 (Use IE settings)"
  1443. },
  1444. "x64": {
  1445. "BeaconType": "8 (HTTPS)",
  1446. "Port": "443",
  1447. "Polling": "5000",
  1448. "Jitter": "10",
  1449. "Maxdns": "235",
  1450. "C2 Server": "ramush.com,/us/ky/louisville/312-s-fourth-st.html,leepick.com,/us/ky/louisville/312-s-fourth-st.html",
  1451. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  1452. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  1453. "Header1": "",
  1454. "Header2": "",
  1455. "PipeName": "",
  1456. "DNS Idle": "\\x08\\x08\\x08\\x08",
  1457. "DNS Sleep": "0",
  1458. "Method1": "GET",
  1459. "Method2": "POST",
  1460. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  1461. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  1462. "Proxy_AccessType": "2 (Use IE settings)"
  1463. }
  1464. },
  1465. "108.62.118.37": {
  1466. "x86": {
  1467. "BeaconType": "8 (HTTPS)",
  1468. "Port": "443",
  1469. "Polling": "60000",
  1470. "Jitter": "0",
  1471. "Maxdns": "255",
  1472. "C2 Server": "amajai-technologies.trade,/ga.js",
  1473. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)",
  1474. "HTTP Method Path 2": "/submit.php",
  1475. "Header1": "",
  1476. "Header2": "",
  1477. "PipeName": "",
  1478. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1479. "DNS Sleep": "0",
  1480. "Method1": "GET",
  1481. "Method2": "POST",
  1482. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1483. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1484. "Proxy_AccessType": "2 (Use IE settings)"
  1485. },
  1486. "x64": {
  1487. "BeaconType": "8 (HTTPS)",
  1488. "Port": "443",
  1489. "Polling": "60000",
  1490. "Jitter": "0",
  1491. "Maxdns": "255",
  1492. "C2 Server": "amajai-technologies.trade,/match",
  1493. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; BO1IE8_v1;ENUS)",
  1494. "HTTP Method Path 2": "/submit.php",
  1495. "Header1": "",
  1496. "Header2": "",
  1497. "PipeName": "",
  1498. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1499. "DNS Sleep": "0",
  1500. "Method1": "GET",
  1501. "Method2": "POST",
  1502. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1503. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1504. "Proxy_AccessType": "2 (Use IE settings)"
  1505. }
  1506. },
  1507. "108.62.141.129": {
  1508. "x64": {
  1509. "BeaconType": "8 (HTTPS)",
  1510. "Port": "443",
  1511. "Polling": "5000",
  1512. "Jitter": "10",
  1513. "Maxdns": "235",
  1514. "C2 Server": "eyedm.com,/us/ky/louisville/312-s-fourth-st.html",
  1515. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  1516. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  1517. "Header1": "",
  1518. "Header2": "",
  1519. "PipeName": "",
  1520. "DNS Idle": "\\x08\\x08\\x08\\x08",
  1521. "DNS Sleep": "0",
  1522. "Method1": "GET",
  1523. "Method2": "POST",
  1524. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  1525. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  1526. "Proxy_AccessType": "2 (Use IE settings)"
  1527. }
  1528. },
  1529. "108.62.141.158": {
  1530. "x86": {
  1531. "BeaconType": "8 (HTTPS)",
  1532. "Port": "443",
  1533. "Polling": "5000",
  1534. "Jitter": "10",
  1535. "Maxdns": "235",
  1536. "C2 Server": "lenfree.com,/us/ky/louisville/312-s-fourth-st.html,199.127.61.74,/us/ky/louisville/312-s-fourth-st.html",
  1537. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  1538. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  1539. "Header1": "",
  1540. "Header2": "",
  1541. "PipeName": "",
  1542. "DNS Idle": "\\x08\\x08\\x08\\x08",
  1543. "DNS Sleep": "0",
  1544. "Method1": "GET",
  1545. "Method2": "POST",
  1546. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  1547. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  1548. "Proxy_AccessType": "2 (Use IE settings)"
  1549. }
  1550. },
  1551. "108.62.141.170": {
  1552. "x64": {
  1553. "BeaconType": "8 (HTTPS)",
  1554. "Port": "443",
  1555. "Polling": "5000",
  1556. "Jitter": "10",
  1557. "Maxdns": "235",
  1558. "C2 Server": "172.82.148.202,/us/ky/louisville/312-s-fourth-st.html,resnote.com,/us/ky/louisville/312-s-fourth-st.html",
  1559. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  1560. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  1561. "Header1": "",
  1562. "Header2": "",
  1563. "PipeName": "",
  1564. "DNS Idle": "\\x08\\x08\\x08\\x08",
  1565. "DNS Sleep": "0",
  1566. "Method1": "GET",
  1567. "Method2": "POST",
  1568. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  1569. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  1570. "Proxy_AccessType": "2 (Use IE settings)"
  1571. }
  1572. },
  1573. "108.62.141.62": {
  1574. "x86": {
  1575. "BeaconType": "8 (HTTPS)",
  1576. "Port": "443",
  1577. "Polling": "5000",
  1578. "Jitter": "10",
  1579. "Maxdns": "235",
  1580. "C2 Server": "orgsale.com,/us/ky/louisville/312-s-fourth-st.html",
  1581. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  1582. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  1583. "Header1": "",
  1584. "Header2": "",
  1585. "PipeName": "",
  1586. "DNS Idle": "\\x08\\x08\\x08\\x08",
  1587. "DNS Sleep": "0",
  1588. "Method1": "GET",
  1589. "Method2": "POST",
  1590. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  1591. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  1592. "Proxy_AccessType": "2 (Use IE settings)"
  1593. }
  1594. },
  1595. "108.62.141.72": {
  1596. "x86": {
  1597. "BeaconType": "8 (HTTPS)",
  1598. "Port": "443",
  1599. "Polling": "5000",
  1600. "Jitter": "10",
  1601. "Maxdns": "235",
  1602. "C2 Server": "foxreps.com,/us/ky/louisville/312-s-fourth-st.html,novause.com,/us/ky/louisville/312-s-fourth-st.html",
  1603. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  1604. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  1605. "Header1": "",
  1606. "Header2": "",
  1607. "PipeName": "",
  1608. "DNS Idle": "\\x08\\x08\\x08\\x08",
  1609. "DNS Sleep": "0",
  1610. "Method1": "GET",
  1611. "Method2": "POST",
  1612. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  1613. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  1614. "Proxy_AccessType": "2 (Use IE settings)"
  1615. }
  1616. },
  1617. "109.201.142.110": {
  1618. "x86": {
  1619. "BeaconType": "8 (HTTPS)",
  1620. "Port": "443",
  1621. "Polling": "60000",
  1622. "Jitter": "0",
  1623. "Maxdns": "255",
  1624. "C2 Server": "forteupdate.com,/match",
  1625. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)",
  1626. "HTTP Method Path 2": "/submit.php",
  1627. "Header1": "",
  1628. "Header2": "",
  1629. "PipeName": "",
  1630. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1631. "DNS Sleep": "0",
  1632. "Method1": "GET",
  1633. "Method2": "POST",
  1634. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1635. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1636. "Proxy_AccessType": "2 (Use IE settings)"
  1637. }
  1638. },
  1639. "109.230.199.56": {
  1640. "x64": {
  1641. "BeaconType": "8 (HTTPS)",
  1642. "Port": "443",
  1643. "Polling": "60000",
  1644. "Jitter": "0",
  1645. "Maxdns": "255",
  1646. "C2 Server": "109.230.199.56,/dpixel",
  1647. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1)",
  1648. "HTTP Method Path 2": "/submit.php",
  1649. "Header1": "",
  1650. "Header2": "",
  1651. "PipeName": "",
  1652. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1653. "DNS Sleep": "0",
  1654. "Method1": "GET",
  1655. "Method2": "POST",
  1656. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1657. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1658. "Proxy_AccessType": "2 (Use IE settings)"
  1659. }
  1660. },
  1661. "109.231.194.189": {
  1662. "x86": {
  1663. "BeaconType": "8 (HTTPS)",
  1664. "Port": "443",
  1665. "Polling": "880",
  1666. "Jitter": "0",
  1667. "Maxdns": "244",
  1668. "C2 Server": "109.231.194.189,/access/",
  1669. "User Agent": "Mozilla/5.0 (Windows NT 6.1; rv:1.9) Gecko/20100101 Firefox/4.0",
  1670. "HTTP Method Path 2": "/radio/xmlrpc/v35",
  1671. "Header1": "",
  1672. "Header2": "",
  1673. "PipeName": "\\\\%s\\pipe\\msagent_%x",
  1674. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1675. "DNS Sleep": "0",
  1676. "Method1": "GET",
  1677. "Method2": "POST",
  1678. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1679. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1680. "Proxy_AccessType": "2 (Use IE settings)"
  1681. },
  1682. "x64": {
  1683. "BeaconType": "8 (HTTPS)",
  1684. "Port": "443",
  1685. "Polling": "880",
  1686. "Jitter": "0",
  1687. "Maxdns": "244",
  1688. "C2 Server": "109.231.194.189,/access/",
  1689. "User Agent": "Mozilla/5.0 (Windows NT 6.1; rv:1.9) Gecko/20100101 Firefox/4.0",
  1690. "HTTP Method Path 2": "/radio/xmlrpc/v35",
  1691. "Header1": "",
  1692. "Header2": "",
  1693. "PipeName": "\\\\%s\\pipe\\msagent_%x",
  1694. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1695. "DNS Sleep": "0",
  1696. "Method1": "GET",
  1697. "Method2": "POST",
  1698. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1699. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1700. "Proxy_AccessType": "2 (Use IE settings)"
  1701. }
  1702. },
  1703. "111.229.210.49": {
  1704. "x86": {
  1705. "BeaconType": "8 (HTTPS)",
  1706. "Port": "443",
  1707. "Polling": "60000",
  1708. "Jitter": "0",
  1709. "Maxdns": "255",
  1710. "C2 Server": "111.229.210.49,/push",
  1711. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP06)",
  1712. "HTTP Method Path 2": "/submit.php",
  1713. "Header1": "",
  1714. "Header2": "",
  1715. "PipeName": "",
  1716. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1717. "DNS Sleep": "0",
  1718. "Method1": "GET",
  1719. "Method2": "POST",
  1720. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1721. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1722. "Proxy_AccessType": "2 (Use IE settings)"
  1723. }
  1724. },
  1725. "114.118.4.189": {
  1726. "x86": {
  1727. "BeaconType": "8 (HTTPS)",
  1728. "Port": "443",
  1729. "Polling": "5000",
  1730. "Jitter": "10",
  1731. "Maxdns": "235",
  1732. "C2 Server": "114.118.4.189,/updates",
  1733. "User Agent": "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0",
  1734. "HTTP Method Path 2": "/windows/mark.jsp",
  1735. "Header1": "",
  1736. "Header2": "",
  1737. "PipeName": "",
  1738. "DNS Idle": "\\x08\\x08\\x04\\x04",
  1739. "DNS Sleep": "0",
  1740. "Method1": "GET",
  1741. "Method2": "POST",
  1742. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1743. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1744. "Proxy_AccessType": "2 (Use IE settings)"
  1745. },
  1746. "x64": {
  1747. "BeaconType": "8 (HTTPS)",
  1748. "Port": "443",
  1749. "Polling": "5000",
  1750. "Jitter": "10",
  1751. "Maxdns": "235",
  1752. "C2 Server": "114.118.4.189,/updates",
  1753. "User Agent": "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0",
  1754. "HTTP Method Path 2": "/windows/fly.jsp",
  1755. "Header1": "",
  1756. "Header2": "",
  1757. "PipeName": "",
  1758. "DNS Idle": "\\x08\\x08\\x04\\x04",
  1759. "DNS Sleep": "0",
  1760. "Method1": "GET",
  1761. "Method2": "POST",
  1762. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1763. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1764. "Proxy_AccessType": "2 (Use IE settings)"
  1765. }
  1766. },
  1767. "117.50.106.161": {
  1768. "x86": {
  1769. "BeaconType": "8 (HTTPS)",
  1770. "Port": "443",
  1771. "Polling": "60000",
  1772. "Jitter": "0",
  1773. "Maxdns": "255",
  1774. "C2 Server": "117.50.106.161,/pixel",
  1775. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; MAARJS)",
  1776. "HTTP Method Path 2": "/submit.php",
  1777. "Header1": "",
  1778. "Header2": "",
  1779. "PipeName": "",
  1780. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1781. "DNS Sleep": "0",
  1782. "Method1": "GET",
  1783. "Method2": "POST",
  1784. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1785. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1786. "Proxy_AccessType": "2 (Use IE settings)"
  1787. }
  1788. },
  1789. "117.51.149.186": {
  1790. "x64": {
  1791. "BeaconType": "8 (HTTPS)",
  1792. "Port": "443",
  1793. "Polling": "60000",
  1794. "Jitter": "0",
  1795. "Maxdns": "255",
  1796. "C2 Server": "117.51.149.186,/fwlink",
  1797. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; MATMJS)",
  1798. "HTTP Method Path 2": "/submit.php",
  1799. "Header1": "",
  1800. "Header2": "",
  1801. "PipeName": "",
  1802. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1803. "DNS Sleep": "0",
  1804. "Method1": "GET",
  1805. "Method2": "POST",
  1806. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1807. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1808. "Proxy_AccessType": "2 (Use IE settings)"
  1809. }
  1810. },
  1811. "119.28.9.129": {
  1812. "x64": {
  1813. "BeaconType": "8 (HTTPS)",
  1814. "Port": "443",
  1815. "Polling": "60000",
  1816. "Jitter": "0",
  1817. "Maxdns": "255",
  1818. "C2 Server": "119.28.9.129,/pixel.gif",
  1819. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)",
  1820. "HTTP Method Path 2": "/submit.php",
  1821. "Header1": "",
  1822. "Header2": "",
  1823. "PipeName": "",
  1824. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1825. "DNS Sleep": "0",
  1826. "Method1": "GET",
  1827. "Method2": "POST",
  1828. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1829. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1830. "Proxy_AccessType": "2 (Use IE settings)"
  1831. }
  1832. },
  1833. "121.196.148.36": {
  1834. "x86": {
  1835. "BeaconType": "8 (HTTPS)",
  1836. "Port": "443",
  1837. "Polling": "60534",
  1838. "Jitter": "41",
  1839. "Maxdns": "249",
  1840. "C2 Server": "121.196.148.36,/ur.js",
  1841. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36",
  1842. "HTTP Method Path 2": "/favicon",
  1843. "Header1": "",
  1844. "Header2": "",
  1845. "PipeName": "",
  1846. "DNS Idle": "\\xD6\\x82\\xA4E",
  1847. "DNS Sleep": "0",
  1848. "Method1": "GET",
  1849. "Method2": "POST",
  1850. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe",
  1851. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe",
  1852. "Proxy_AccessType": "2 (Use IE settings)"
  1853. }
  1854. },
  1855. "123.56.133.239": {
  1856. "x86": {
  1857. "BeaconType": "8 (HTTPS)",
  1858. "Port": "443",
  1859. "Polling": "60000",
  1860. "Jitter": "0",
  1861. "Maxdns": "255",
  1862. "C2 Server": "123.56.133.239,/activity",
  1863. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSCOM)",
  1864. "HTTP Method Path 2": "/submit.php",
  1865. "Header1": "",
  1866. "Header2": "",
  1867. "PipeName": "",
  1868. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1869. "DNS Sleep": "0",
  1870. "Method1": "GET",
  1871. "Method2": "POST",
  1872. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1873. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1874. "Proxy_AccessType": "2 (Use IE settings)"
  1875. },
  1876. "x64": {
  1877. "BeaconType": "8 (HTTPS)",
  1878. "Port": "443",
  1879. "Polling": "60000",
  1880. "Jitter": "0",
  1881. "Maxdns": "255",
  1882. "C2 Server": "123.56.133.239,/activity",
  1883. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1)",
  1884. "HTTP Method Path 2": "/submit.php",
  1885. "Header1": "",
  1886. "Header2": "",
  1887. "PipeName": "",
  1888. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1889. "DNS Sleep": "0",
  1890. "Method1": "GET",
  1891. "Method2": "POST",
  1892. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1893. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1894. "Proxy_AccessType": "2 (Use IE settings)"
  1895. }
  1896. },
  1897. "123.57.235.194": {
  1898. "x64": {
  1899. "BeaconType": "8 (HTTPS)",
  1900. "Port": "443",
  1901. "Polling": "1000",
  1902. "Jitter": "37",
  1903. "Maxdns": "255",
  1904. "C2 Server": "123.57.235.194,/jquery-3.3.1.min.js",
  1905. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36",
  1906. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  1907. "Header1": "",
  1908. "Header2": "",
  1909. "PipeName": "",
  1910. "DNS Idle": "J}\\xC4q",
  1911. "DNS Sleep": "0",
  1912. "Method1": "GET",
  1913. "Method2": "POST",
  1914. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  1915. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  1916. "Proxy_AccessType": "2 (Use IE settings)"
  1917. }
  1918. },
  1919. "123.57.90.172": {
  1920. "x64": {
  1921. "BeaconType": "8 (HTTPS)",
  1922. "Port": "443",
  1923. "Polling": "60000",
  1924. "Jitter": "0",
  1925. "Maxdns": "255",
  1926. "C2 Server": "123.57.90.172,/__utm.gif",
  1927. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
  1928. "HTTP Method Path 2": "/submit.php",
  1929. "Header1": "",
  1930. "Header2": "",
  1931. "PipeName": "",
  1932. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1933. "DNS Sleep": "0",
  1934. "Method1": "GET",
  1935. "Method2": "POST",
  1936. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1937. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1938. "Proxy_AccessType": "2 (Use IE settings)"
  1939. }
  1940. },
  1941. "123.58.211.116": {
  1942. "x86": {
  1943. "BeaconType": "8 (HTTPS)",
  1944. "Port": "443",
  1945. "Polling": "60000",
  1946. "Jitter": "0",
  1947. "Maxdns": "255",
  1948. "C2 Server": "123.58.211.116,/dot.gif",
  1949. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)",
  1950. "HTTP Method Path 2": "/submit.php",
  1951. "Header1": "",
  1952. "Header2": "",
  1953. "PipeName": "",
  1954. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1955. "DNS Sleep": "0",
  1956. "Method1": "GET",
  1957. "Method2": "POST",
  1958. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1959. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1960. "Proxy_AccessType": "2 (Use IE settings)"
  1961. }
  1962. },
  1963. "124.217.230.137": {
  1964. "x64": {
  1965. "BeaconType": "8 (HTTPS)",
  1966. "Port": "443",
  1967. "Polling": "41000",
  1968. "Jitter": "37",
  1969. "Maxdns": "255",
  1970. "C2 Server": "124.217.230.137,/jquery-3.3.1.min.js",
  1971. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 7.0; InfoPath.3; .NET CLR 3.1.40767; Trident/6.0; en-IN)",
  1972. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  1973. "Header1": "",
  1974. "Header2": "",
  1975. "PipeName": "",
  1976. "DNS Idle": "J}\\xC4q",
  1977. "DNS Sleep": "0",
  1978. "Method1": "GET",
  1979. "Method2": "POST",
  1980. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  1981. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  1982. "Proxy_AccessType": "2 (Use IE settings)"
  1983. }
  1984. },
  1985. "128.199.180.58": {
  1986. "x86": {
  1987. "BeaconType": "8 (HTTPS)",
  1988. "Port": "443",
  1989. "Polling": "45000",
  1990. "Jitter": "37",
  1991. "Maxdns": "255",
  1992. "C2 Server": "128.199.180.58,/jquery-3.3.1.min.js",
  1993. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36/8mqQhSuL-09",
  1994. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  1995. "Header1": "",
  1996. "Header2": "",
  1997. "PipeName": "",
  1998. "DNS Idle": "J}\\xC4q",
  1999. "DNS Sleep": "0",
  2000. "Method1": "GET",
  2001. "Method2": "POST",
  2002. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  2003. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  2004. "Proxy_AccessType": "2 (Use IE settings)"
  2005. },
  2006. "x64": {
  2007. "BeaconType": "8 (HTTPS)",
  2008. "Port": "443",
  2009. "Polling": "45000",
  2010. "Jitter": "37",
  2011. "Maxdns": "255",
  2012. "C2 Server": "128.199.180.58,/jquery-3.3.1.min.js",
  2013. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36/8mqQhSuL-09",
  2014. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  2015. "Header1": "",
  2016. "Header2": "",
  2017. "PipeName": "",
  2018. "DNS Idle": "J}\\xC4q",
  2019. "DNS Sleep": "0",
  2020. "Method1": "GET",
  2021. "Method2": "POST",
  2022. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  2023. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  2024. "Proxy_AccessType": "2 (Use IE settings)"
  2025. }
  2026. },
  2027. "128.199.23.209": {
  2028. "x64": {
  2029. "BeaconType": "8 (HTTPS)",
  2030. "Port": "443",
  2031. "Polling": "60000",
  2032. "Jitter": "37",
  2033. "Maxdns": "255",
  2034. "C2 Server": "128.199.23.209,/jquery-3.3.1.min.js",
  2035. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  2036. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  2037. "Header1": "",
  2038. "Header2": "",
  2039. "PipeName": "",
  2040. "DNS Idle": "J}\\xC4q",
  2041. "DNS Sleep": "0",
  2042. "Method1": "GET",
  2043. "Method2": "POST",
  2044. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  2045. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  2046. "Proxy_AccessType": "2 (Use IE settings)"
  2047. }
  2048. },
  2049. "130.211.251.187": {
  2050. "x86": {
  2051. "BeaconType": "8 (HTTPS)",
  2052. "Port": "443",
  2053. "Polling": "60000",
  2054. "Jitter": "0",
  2055. "Maxdns": "255",
  2056. "C2 Server": "130.211.251.187,/ca",
  2057. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)",
  2058. "HTTP Method Path 2": "/submit.php",
  2059. "Header1": "",
  2060. "Header2": "",
  2061. "PipeName": "",
  2062. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2063. "DNS Sleep": "0",
  2064. "Method1": "GET",
  2065. "Method2": "POST",
  2066. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2067. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2068. "Proxy_AccessType": "2 (Use IE settings)"
  2069. }
  2070. },
  2071. "13.211.94.224": {
  2072. "x64": {
  2073. "BeaconType": "8 (HTTPS)",
  2074. "Port": "443",
  2075. "Polling": "60000",
  2076. "Jitter": "20",
  2077. "Maxdns": "235",
  2078. "C2 Server": "au.theguardianweb.com,/preload",
  2079. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  2080. "HTTP Method Path 2": "/sa",
  2081. "Header1": "",
  2082. "Header2": "",
  2083. "PipeName": "",
  2084. "DNS Idle": "\\x08\\x08\\x04\\x04",
  2085. "DNS Sleep": "0",
  2086. "Method1": "GET",
  2087. "Method2": "GET",
  2088. "Spawnto_x86": "C:\\Windows\\syswow64\\svchost.exe -k localservice -p -s fdPHost",
  2089. "Spawnto_x64": "C:\\Windows\\sysnative\\svchost.exe -k localservice -p -s fdPHost",
  2090. "Proxy_AccessType": "2 (Use IE settings)"
  2091. }
  2092. },
  2093. "134.122.21.15": {
  2094. "x86": {
  2095. "BeaconType": "8 (HTTPS)",
  2096. "Port": "443",
  2097. "Polling": "600",
  2098. "Jitter": "39",
  2099. "Maxdns": "248",
  2100. "C2 Server": "egress.ninja,/bn",
  2101. "User Agent": "",
  2102. "HTTP Method Path 2": "/br",
  2103. "Header1": "",
  2104. "Header2": "",
  2105. "PipeName": "",
  2106. "DNS Idle": "\\x08\\x08\\x08\\x08",
  2107. "DNS Sleep": "0",
  2108. "Method1": "GET",
  2109. "Method2": "POST",
  2110. "Spawnto_x86": "%windir%\\system32\\regsvr32.exe",
  2111. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  2112. "Proxy_Hostname": "http://185.46.212.88:9400",
  2113. "Proxy_AccessType": "0 (Unknown)"
  2114. },
  2115. "x64": {
  2116. "BeaconType": "8 (HTTPS)",
  2117. "Port": "443",
  2118. "Polling": "600",
  2119. "Jitter": "39",
  2120. "Maxdns": "248",
  2121. "C2 Server": "egress.ninja,/bn",
  2122. "User Agent": "",
  2123. "HTTP Method Path 2": "/br",
  2124. "Header1": "",
  2125. "Header2": "",
  2126. "PipeName": "",
  2127. "DNS Idle": "\\x08\\x08\\x08\\x08",
  2128. "DNS Sleep": "0",
  2129. "Method1": "GET",
  2130. "Method2": "POST",
  2131. "Spawnto_x86": "%windir%\\system32\\regsvr32.exe",
  2132. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  2133. "Proxy_Hostname": "http://185.46.212.88:9400",
  2134. "Proxy_AccessType": "0 (Unknown)"
  2135. }
  2136. },
  2137. "134.209.117.238": {
  2138. "x86": {
  2139. "BeaconType": "8 (HTTPS)",
  2140. "Port": "443",
  2141. "Polling": "50000",
  2142. "Jitter": "37",
  2143. "C2 Server": "jude.saintjameschurch.org,/Video",
  2144. "HTTP Method Path 2": "/search",
  2145. "Method1": "GET",
  2146. "Method2": "POST",
  2147. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2148. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2149. "Proxy_AccessType": "2 (Use IE settings)"
  2150. }
  2151. },
  2152. "134.209.165.165": {
  2153. "x86": {
  2154. "BeaconType": "8 (HTTPS)",
  2155. "Port": "443",
  2156. "Polling": "15000",
  2157. "Jitter": "90",
  2158. "Maxdns": "225",
  2159. "C2 Server": "ajax.microsoft.com,/wp-includes/js/script/indigo-migrate",
  2160. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  2161. "HTTP Method Path 2": "/gp/aw/ybh/handlers",
  2162. "Header1": "",
  2163. "Header2": "",
  2164. "PipeName": "",
  2165. "DNS Idle": "h\\xD8<\\x84",
  2166. "DNS Sleep": "0",
  2167. "Method1": "GET",
  2168. "Method2": "POST",
  2169. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  2170. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  2171. "Proxy_AccessType": "2 (Use IE settings)"
  2172. }
  2173. },
  2174. "134.209.200.91": {
  2175. "x86": {
  2176. "BeaconType": "8 (HTTPS)",
  2177. "Port": "443",
  2178. "Polling": "30000",
  2179. "Jitter": "85",
  2180. "Maxdns": "255",
  2181. "C2 Server": "134.209.200.91,/jquery-3.3.1.min.js",
  2182. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36",
  2183. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  2184. "Header1": "",
  2185. "Header2": "",
  2186. "PipeName": "",
  2187. "DNS Idle": "J}\\xC4q",
  2188. "DNS Sleep": "0",
  2189. "Method1": "GET",
  2190. "Method2": "POST",
  2191. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  2192. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  2193. "Proxy_AccessType": "2 (Use IE settings)"
  2194. }
  2195. },
  2196. "134.209.5.246": {
  2197. "x64": {
  2198. "BeaconType": "8 (HTTPS)",
  2199. "Port": "443",
  2200. "Polling": "60000",
  2201. "Jitter": "0",
  2202. "Maxdns": "255",
  2203. "C2 Server": "134.209.5.246,/j.ad",
  2204. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)",
  2205. "HTTP Method Path 2": "/submit.php",
  2206. "Header1": "",
  2207. "Header2": "",
  2208. "PipeName": "",
  2209. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2210. "DNS Sleep": "0",
  2211. "Method1": "GET",
  2212. "Method2": "POST",
  2213. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2214. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2215. "Proxy_AccessType": "2 (Use IE settings)"
  2216. }
  2217. },
  2218. "134.209.86.120": {
  2219. "x64": {
  2220. "BeaconType": "8 (HTTPS)",
  2221. "Port": "443",
  2222. "Polling": "8000",
  2223. "Jitter": "30",
  2224. "Maxdns": "255",
  2225. "C2 Server": "www.stackpath.com,/api/v2/metrics/",
  2226. "User Agent": "Microsoft-CryptoAPI/6.1",
  2227. "HTTP Method Path 2": "/api/v2/analytics/",
  2228. "Header1": "",
  2229. "Header2": "",
  2230. "PipeName": "",
  2231. "DNS Idle": "\\xAC\\xD9\\x10\\x8E",
  2232. "DNS Sleep": "0",
  2233. "Method1": "GET",
  2234. "Method2": "POST",
  2235. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  2236. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  2237. "Proxy_AccessType": "2 (Use IE settings)"
  2238. }
  2239. },
  2240. "13.64.101.24": {
  2241. "x86": {
  2242. "BeaconType": "8 (HTTPS)",
  2243. "Port": "443",
  2244. "Polling": "64489",
  2245. "Jitter": "39",
  2246. "Maxdns": "248",
  2247. "C2 Server": "http://daiwa-cm-us.azureedge.net/,/ro,13.64.101.24,/ro",
  2248. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36",
  2249. "HTTP Method Path 2": "/mobile-ipad-home",
  2250. "Header1": "",
  2251. "Header2": "",
  2252. "PipeName": "",
  2253. "DNS Idle": "^\\x16\\xC1\\x88",
  2254. "DNS Sleep": "0",
  2255. "Method1": "GET",
  2256. "Method2": "POST",
  2257. "Spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",
  2258. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  2259. "Proxy_AccessType": "2 (Use IE settings)"
  2260. }
  2261. },
  2262. "138.124.180.52": {
  2263. "x86": {
  2264. "BeaconType": "8 (HTTPS)",
  2265. "Port": "443",
  2266. "Polling": "7000",
  2267. "Jitter": "0",
  2268. "Maxdns": "255",
  2269. "C2 Server": "gosleepaddict.com,/jquery-3.3.1.min.js",
  2270. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  2271. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  2272. "Header1": "",
  2273. "Header2": "",
  2274. "PipeName": "",
  2275. "DNS Idle": "J}\\xC4q",
  2276. "DNS Sleep": "0",
  2277. "Method1": "GET",
  2278. "Method2": "POST",
  2279. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  2280. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  2281. "Proxy_AccessType": "2 (Use IE settings)"
  2282. },
  2283. "x64": {
  2284. "BeaconType": "8 (HTTPS)",
  2285. "Port": "443",
  2286. "Polling": "7000",
  2287. "Jitter": "0",
  2288. "Maxdns": "255",
  2289. "C2 Server": "gosleepaddict.com,/jquery-3.3.1.min.js",
  2290. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  2291. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  2292. "Header1": "",
  2293. "Header2": "",
  2294. "PipeName": "",
  2295. "DNS Idle": "J}\\xC4q",
  2296. "DNS Sleep": "0",
  2297. "Method1": "GET",
  2298. "Method2": "POST",
  2299. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  2300. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  2301. "Proxy_AccessType": "2 (Use IE settings)"
  2302. }
  2303. },
  2304. "139.155.242.130": {
  2305. "x86": {
  2306. "BeaconType": "8 (HTTPS)",
  2307. "Port": "443",
  2308. "Polling": "60000",
  2309. "Jitter": "0",
  2310. "Maxdns": "255",
  2311. "C2 Server": "139.155.242.130,/load",
  2312. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; InfoPath.2)",
  2313. "HTTP Method Path 2": "/submit.php",
  2314. "Header1": "",
  2315. "Header2": "",
  2316. "PipeName": "",
  2317. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2318. "DNS Sleep": "0",
  2319. "Method1": "GET",
  2320. "Method2": "POST",
  2321. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2322. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2323. "Proxy_AccessType": "2 (Use IE settings)"
  2324. }
  2325. },
  2326. "139.162.197.65": {
  2327. "x86": {
  2328. "BeaconType": "8 (HTTPS)",
  2329. "Port": "443",
  2330. "Polling": "56943",
  2331. "Jitter": "39",
  2332. "C2 Server": "139.162.197.65,/styles",
  2333. "HTTP Method Path 2": "/RELEASE_NOTES",
  2334. "Method1": "GET",
  2335. "Method2": "POST",
  2336. "Spawnto_x86": "%windir%\\syswow64\\WUAUCLT.exe",
  2337. "Spawnto_x64": "%windir%\\sysnative\\WUAUCLT.exe",
  2338. "Proxy_AccessType": "2 (Use IE settings)"
  2339. }
  2340. },
  2341. "139.180.212.244": {
  2342. "x86": {
  2343. "BeaconType": "8 (HTTPS)",
  2344. "Port": "443",
  2345. "Polling": "60000",
  2346. "Jitter": "0",
  2347. "Maxdns": "255",
  2348. "C2 Server": "139.180.212.244,/pixel",
  2349. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; WOW64; Trident/5.0)",
  2350. "HTTP Method Path 2": "/submit.php",
  2351. "Header1": "",
  2352. "Header2": "",
  2353. "PipeName": "",
  2354. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2355. "DNS Sleep": "0",
  2356. "Method1": "GET",
  2357. "Method2": "POST",
  2358. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2359. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2360. "Proxy_AccessType": "2 (Use IE settings)"
  2361. }
  2362. },
  2363. "139.186.146.78": {
  2364. "x86": {
  2365. "BeaconType": "8 (HTTPS)",
  2366. "Port": "443",
  2367. "Polling": "10000",
  2368. "Jitter": "0",
  2369. "Maxdns": "255",
  2370. "C2 Server": "139.186.146.78,/geo/collect/v1,hw.x0x.in,/geo/collect/v1",
  2371. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0;) like Gecko",
  2372. "HTTP Method Path 2": "/collect/v1",
  2373. "Header1": "",
  2374. "Header2": "",
  2375. "PipeName": "",
  2376. "DNS Idle": "\\x08\\x08\\x08\\x08",
  2377. "DNS Sleep": "0",
  2378. "Method1": "GET",
  2379. "Method2": "POST",
  2380. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  2381. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  2382. "Proxy_AccessType": "2 (Use IE settings)"
  2383. }
  2384. },
  2385. "139.196.171.222": {
  2386. "x86": {
  2387. "BeaconType": "8 (HTTPS)",
  2388. "Port": "443",
  2389. "Polling": "5500",
  2390. "Jitter": "30",
  2391. "Maxdns": "240",
  2392. "C2 Server": "v.autohome.com.cn,/_layouts/Wopi/01554532-64bc-45ee-9645-512577ae642d",
  2393. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.177",
  2394. "HTTP Method Path 2": "/person/ithelp/bug/list",
  2395. "Header1": "",
  2396. "Header2": "",
  2397. "PipeName": "",
  2398. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2399. "DNS Sleep": "0",
  2400. "Method1": "GET",
  2401. "Method2": "POST",
  2402. "Spawnto_x86": "%windir%\\syswow64\\w32tm.exe",
  2403. "Spawnto_x64": "%windir%\\sysnative\\w32tm.exe",
  2404. "Proxy_Hostname": "http://10.37.84.125:8080",
  2405. "Proxy_Username": "paicdom\\lihongmei826",
  2406. "Proxy_Password": "Pa888888",
  2407. "Proxy_AccessType": "4 (Use proxy server)"
  2408. }
  2409. },
  2410. "139.196.224.35": {
  2411. "x86": {
  2412. "BeaconType": "8 (HTTPS)",
  2413. "Port": "443",
  2414. "Polling": "60000",
  2415. "Jitter": "0",
  2416. "Maxdns": "255",
  2417. "C2 Server": "58.215.145.112,/activity",
  2418. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
  2419. "HTTP Method Path 2": "/submit.php",
  2420. "Header1": "",
  2421. "Header2": "",
  2422. "PipeName": "",
  2423. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2424. "DNS Sleep": "0",
  2425. "Method1": "GET",
  2426. "Method2": "POST",
  2427. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2428. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2429. "Proxy_AccessType": "2 (Use IE settings)"
  2430. }
  2431. },
  2432. "139.199.185.41": {
  2433. "x64": {
  2434. "BeaconType": "8 (HTTPS)",
  2435. "Port": "443",
  2436. "Polling": "5000",
  2437. "Jitter": "10",
  2438. "Maxdns": "235",
  2439. "C2 Server": "139.199.185.41,/updates",
  2440. "User Agent": "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0",
  2441. "HTTP Method Path 2": "/windowsxp/updcheck.php",
  2442. "Header1": "",
  2443. "Header2": "",
  2444. "PipeName": "",
  2445. "DNS Idle": "\\x08\\x08\\x04\\x04",
  2446. "DNS Sleep": "0",
  2447. "Method1": "GET",
  2448. "Method2": "POST",
  2449. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2450. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2451. "Proxy_AccessType": "2 (Use IE settings)"
  2452. }
  2453. },
  2454. "139.224.105.96": {
  2455. "x86": {
  2456. "BeaconType": "8 (HTTPS)",
  2457. "Port": "443",
  2458. "Polling": "62236",
  2459. "Jitter": "39",
  2460. "Maxdns": "252",
  2461. "C2 Server": "theones.me,/template.js",
  2462. "User Agent": "Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202",
  2463. "HTTP Method Path 2": "/nv",
  2464. "Header1": "",
  2465. "Header2": "",
  2466. "PipeName": "",
  2467. "DNS Idle": "G\\xEB\\x88\\x8E",
  2468. "DNS Sleep": "0",
  2469. "Method1": "GET",
  2470. "Method2": "POST",
  2471. "Spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",
  2472. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  2473. "Proxy_AccessType": "2 (Use IE settings)"
  2474. }
  2475. },
  2476. "139.59.230.84": {
  2477. "x86": {
  2478. "BeaconType": "8 (HTTPS)",
  2479. "Port": "443",
  2480. "Polling": "60000",
  2481. "Jitter": "0",
  2482. "Maxdns": "255",
  2483. "C2 Server": "139.59.230.84,/push",
  2484. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ESES)",
  2485. "HTTP Method Path 2": "/submit.php",
  2486. "Header1": "",
  2487. "Header2": "",
  2488. "PipeName": "",
  2489. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2490. "DNS Sleep": "0",
  2491. "Method1": "GET",
  2492. "Method2": "POST",
  2493. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2494. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2495. "Proxy_AccessType": "2 (Use IE settings)"
  2496. }
  2497. },
  2498. "139.59.73.112": {
  2499. "x86": {
  2500. "BeaconType": "8 (HTTPS)",
  2501. "Port": "443",
  2502. "Polling": "45000",
  2503. "Jitter": "37",
  2504. "Maxdns": "255",
  2505. "C2 Server": "139.59.73.112,/jquery-3.3.1.min.js",
  2506. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  2507. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  2508. "Header1": "",
  2509. "Header2": "",
  2510. "PipeName": "",
  2511. "DNS Idle": "J}\\xC4q",
  2512. "DNS Sleep": "0",
  2513. "Method1": "GET",
  2514. "Method2": "POST",
  2515. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  2516. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  2517. "Proxy_AccessType": "1 (Use direct connection)"
  2518. }
  2519. },
  2520. "139.60.161.215": {
  2521. "x86": {
  2522. "BeaconType": "8 (HTTPS)",
  2523. "Port": "443",
  2524. "Polling": "600000",
  2525. "Jitter": "28",
  2526. "Maxdns": "245",
  2527. "C2 Server": "139.60.161.215,/jquery-3.3.1.min.js",
  2528. "User Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.3",
  2529. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  2530. "Header1": "",
  2531. "Header2": "",
  2532. "PipeName": "",
  2533. "DNS Idle": "\\x08\\x08\\x08\\x08",
  2534. "DNS Sleep": "0",
  2535. "Method1": "GET",
  2536. "Method2": "POST",
  2537. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  2538. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  2539. "Proxy_AccessType": "2 (Use IE settings)"
  2540. },
  2541. "x64": {
  2542. "BeaconType": "8 (HTTPS)",
  2543. "Port": "443",
  2544. "Polling": "600000",
  2545. "Jitter": "28",
  2546. "Maxdns": "245",
  2547. "C2 Server": "139.60.161.215,/jquery-3.3.1.min.js",
  2548. "User Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.3",
  2549. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  2550. "Header1": "",
  2551. "Header2": "",
  2552. "PipeName": "",
  2553. "DNS Idle": "\\x08\\x08\\x08\\x08",
  2554. "DNS Sleep": "0",
  2555. "Method1": "GET",
  2556. "Method2": "POST",
  2557. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  2558. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  2559. "Proxy_AccessType": "2 (Use IE settings)"
  2560. }
  2561. },
  2562. "139.60.162.19": {
  2563. "x86": {
  2564. "BeaconType": "8 (HTTPS)",
  2565. "Port": "443",
  2566. "Polling": "60000",
  2567. "Jitter": "0",
  2568. "Maxdns": "255",
  2569. "C2 Server": "139.60.162.19,/g.pixel",
  2570. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;SVSE)",
  2571. "HTTP Method Path 2": "/submit.php",
  2572. "Header1": "",
  2573. "Header2": "",
  2574. "PipeName": "",
  2575. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2576. "DNS Sleep": "0",
  2577. "Method1": "GET",
  2578. "Method2": "POST",
  2579. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2580. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2581. "Proxy_AccessType": "2 (Use IE settings)"
  2582. }
  2583. },
  2584. "139.9.244.218": {
  2585. "x86": {
  2586. "BeaconType": "8 (HTTPS)",
  2587. "Port": "443",
  2588. "Polling": "10000",
  2589. "Jitter": "0",
  2590. "Maxdns": "255",
  2591. "C2 Server": "img.alicdn.com,/contentsvc/microsofticon,at.alicdn.com,/contentsvc/microsofticon,ald.taobao.com,/contentsvc/microsofticon,www.aliyunbaike.com,/contentsvc/microsofticon",
  2592. "User Agent": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)",
  2593. "HTTP Method Path 2": "/NlEditor/CloudSuggest/V1",
  2594. "Header1": "",
  2595. "Header2": "",
  2596. "PipeName": "",
  2597. "DNS Idle": "\\x08\\x08\\x08\\x08",
  2598. "DNS Sleep": "0",
  2599. "Method1": "GET",
  2600. "Method2": "POST",
  2601. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  2602. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  2603. "Proxy_AccessType": "2 (Use IE settings)"
  2604. }
  2605. },
  2606. "141.164.35.117": {
  2607. "x86": {
  2608. "BeaconType": "8 (HTTPS)",
  2609. "Port": "443",
  2610. "Polling": "5000",
  2611. "Jitter": "0",
  2612. "Maxdns": "255",
  2613. "C2 Server": "coivo2xo.livehost.live,/access/",
  2614. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  2615. "HTTP Method Path 2": "/radio/xmlrpc/v35",
  2616. "Header1": "",
  2617. "Header2": "",
  2618. "PipeName": "",
  2619. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2620. "DNS Sleep": "0",
  2621. "Method1": "GET",
  2622. "Method2": "POST",
  2623. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2624. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2625. "Proxy_AccessType": "2 (Use IE settings)"
  2626. },
  2627. "x64": {
  2628. "BeaconType": "8 (HTTPS)",
  2629. "Port": "443",
  2630. "Polling": "5000",
  2631. "Jitter": "0",
  2632. "Maxdns": "255",
  2633. "C2 Server": "coivo2xo.livehost.live,/access/",
  2634. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  2635. "HTTP Method Path 2": "/radio/xmlrpc/v35",
  2636. "Header1": "",
  2637. "Header2": "",
  2638. "PipeName": "",
  2639. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2640. "DNS Sleep": "0",
  2641. "Method1": "GET",
  2642. "Method2": "POST",
  2643. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2644. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2645. "Proxy_AccessType": "2 (Use IE settings)"
  2646. }
  2647. },
  2648. "142.202.205.57": {
  2649. "x86": {
  2650. "BeaconType": "8 (HTTPS)",
  2651. "Port": "443",
  2652. "Polling": "60000",
  2653. "Jitter": "0",
  2654. "Maxdns": "255",
  2655. "C2 Server": "142.202.205.57,/updates.rss",
  2656. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MALC)",
  2657. "HTTP Method Path 2": "/submit.php",
  2658. "Header1": "",
  2659. "Header2": "",
  2660. "PipeName": "",
  2661. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2662. "DNS Sleep": "0",
  2663. "Method1": "GET",
  2664. "Method2": "POST",
  2665. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2666. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2667. "Proxy_AccessType": "2 (Use IE settings)"
  2668. }
  2669. },
  2670. "142.202.205.88": {
  2671. "x86": {
  2672. "BeaconType": "8 (HTTPS)",
  2673. "Port": "443",
  2674. "Polling": "60000",
  2675. "Jitter": "0",
  2676. "Maxdns": "255",
  2677. "C2 Server": "142.202.205.88,/dot.gif",
  2678. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; MAGWJS)",
  2679. "HTTP Method Path 2": "/submit.php",
  2680. "Header1": "",
  2681. "Header2": "",
  2682. "PipeName": "",
  2683. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2684. "DNS Sleep": "0",
  2685. "Method1": "GET",
  2686. "Method2": "POST",
  2687. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2688. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2689. "Proxy_AccessType": "2 (Use IE settings)"
  2690. },
  2691. "x64": {
  2692. "BeaconType": "8 (HTTPS)",
  2693. "Port": "443",
  2694. "Polling": "60000",
  2695. "Jitter": "0",
  2696. "Maxdns": "255",
  2697. "C2 Server": "142.202.205.88,/ptj",
  2698. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)",
  2699. "HTTP Method Path 2": "/submit.php",
  2700. "Header1": "",
  2701. "Header2": "",
  2702. "PipeName": "",
  2703. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2704. "DNS Sleep": "0",
  2705. "Method1": "GET",
  2706. "Method2": "POST",
  2707. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2708. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2709. "Proxy_AccessType": "2 (Use IE settings)"
  2710. }
  2711. },
  2712. "142.54.188.26": {
  2713. "x64": {
  2714. "BeaconType": "8 (HTTPS)",
  2715. "Port": "443",
  2716. "Polling": "5000",
  2717. "Jitter": "0",
  2718. "Maxdns": "255",
  2719. "C2 Server": "agturnfa.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  2720. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  2721. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  2722. "Header1": "",
  2723. "Header2": "",
  2724. "PipeName": "",
  2725. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2726. "DNS Sleep": "0",
  2727. "Method1": "GET",
  2728. "Method2": "POST",
  2729. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  2730. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  2731. "Proxy_AccessType": "2 (Use IE settings)"
  2732. }
  2733. },
  2734. "142.93.152.156": {
  2735. "x86": {
  2736. "BeaconType": "8 (HTTPS)",
  2737. "Port": "443",
  2738. "Polling": "60000",
  2739. "Jitter": "70",
  2740. "C2 Server": "onrnicrosoft.com,/thisisnotevil.gif",
  2741. "HTTP Method Path 2": "/send",
  2742. "Method1": "GET",
  2743. "Method2": "POST",
  2744. "Spawnto_x86": "%windir%\\syswow64\\WerFault.exe",
  2745. "Spawnto_x64": "%windir%\\sysnative\\WerFault.exe",
  2746. "Proxy_AccessType": "2 (Use IE settings)"
  2747. },
  2748. "x64": {
  2749. "BeaconType": "8 (HTTPS)",
  2750. "Port": "443",
  2751. "Polling": "60000",
  2752. "Jitter": "70",
  2753. "C2 Server": "onrnicrosoft.com,/thisisnotevil.gif",
  2754. "HTTP Method Path 2": "/send",
  2755. "Method1": "GET",
  2756. "Method2": "POST",
  2757. "Spawnto_x86": "%windir%\\syswow64\\WerFault.exe",
  2758. "Spawnto_x64": "%windir%\\sysnative\\WerFault.exe",
  2759. "Proxy_AccessType": "2 (Use IE settings)"
  2760. }
  2761. },
  2762. "142.93.187.11": {
  2763. "x86": {
  2764. "BeaconType": "8 (HTTPS)",
  2765. "Port": "443",
  2766. "Polling": "12000",
  2767. "Jitter": "35",
  2768. "C2 Server": "142.93.187.11,/u/vercheck,training42.microsoft-essentials.com,/u/vercheck",
  2769. "HTTP Method Path 2": "/u/version_status",
  2770. "Method1": "GET",
  2771. "Method2": "POST",
  2772. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  2773. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  2774. "Proxy_AccessType": "2 (Use IE settings)"
  2775. }
  2776. },
  2777. "142.93.98.6": {
  2778. "x86": {
  2779. "BeaconType": "8 (HTTPS)",
  2780. "Port": "443",
  2781. "Polling": "60000",
  2782. "Jitter": "0",
  2783. "Maxdns": "255",
  2784. "C2 Server": "360live.digital,/pixel",
  2785. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; BO1IE8_v1;ENUS)",
  2786. "HTTP Method Path 2": "/submit.php",
  2787. "Header1": "",
  2788. "Header2": "",
  2789. "PipeName": "",
  2790. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2791. "DNS Sleep": "0",
  2792. "Method1": "GET",
  2793. "Method2": "POST",
  2794. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2795. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2796. "Proxy_AccessType": "2 (Use IE settings)"
  2797. }
  2798. },
  2799. "144.202.112.14": {
  2800. "x64": {
  2801. "BeaconType": "8 (HTTPS)",
  2802. "Port": "443",
  2803. "Polling": "5000",
  2804. "Jitter": "0",
  2805. "Maxdns": "245",
  2806. "C2 Server": "z.ziper.xyz,/image/",
  2807. "User Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) Chrome/85.0.4183.102 Safari/537.36",
  2808. "HTTP Method Path 2": "/history/",
  2809. "Header1": "",
  2810. "Header2": "",
  2811. "PipeName": "",
  2812. "DNS Idle": "\\x08\\x08\\x08\\x08",
  2813. "DNS Sleep": "0",
  2814. "Method1": "GET",
  2815. "Method2": "POST",
  2816. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2817. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2818. "Proxy_AccessType": "2 (Use IE settings)"
  2819. }
  2820. },
  2821. "144.217.207.21": {
  2822. "x64": {
  2823. "BeaconType": "8 (HTTPS)",
  2824. "Port": "443",
  2825. "Polling": "60000",
  2826. "Jitter": "0",
  2827. "Maxdns": "255",
  2828. "C2 Server": "52.188.209.63,/visit.js",
  2829. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)",
  2830. "HTTP Method Path 2": "/submit.php",
  2831. "Header1": "",
  2832. "Header2": "",
  2833. "PipeName": "",
  2834. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2835. "DNS Sleep": "0",
  2836. "Method1": "GET",
  2837. "Method2": "POST",
  2838. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2839. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2840. "Proxy_AccessType": "2 (Use IE settings)"
  2841. }
  2842. },
  2843. "145.249.107.130": {
  2844. "x86": {
  2845. "BeaconType": "8 (HTTPS)",
  2846. "Port": "443",
  2847. "Polling": "60000",
  2848. "Jitter": "0",
  2849. "Maxdns": "255",
  2850. "C2 Server": "145.249.107.130,/fwlink",
  2851. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; FunWebProducts; IE0006_ver1;EN_GB)",
  2852. "HTTP Method Path 2": "/submit.php",
  2853. "Header1": "",
  2854. "Header2": "",
  2855. "PipeName": "",
  2856. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2857. "DNS Sleep": "0",
  2858. "Method1": "GET",
  2859. "Method2": "POST",
  2860. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2861. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2862. "Proxy_AccessType": "2 (Use IE settings)"
  2863. },
  2864. "x64": {
  2865. "BeaconType": "8 (HTTPS)",
  2866. "Port": "443",
  2867. "Polling": "60000",
  2868. "Jitter": "0",
  2869. "Maxdns": "255",
  2870. "C2 Server": "145.249.107.130,/pixel",
  2871. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1)",
  2872. "HTTP Method Path 2": "/submit.php",
  2873. "Header1": "",
  2874. "Header2": "",
  2875. "PipeName": "",
  2876. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2877. "DNS Sleep": "0",
  2878. "Method1": "GET",
  2879. "Method2": "POST",
  2880. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2881. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2882. "Proxy_AccessType": "2 (Use IE settings)"
  2883. }
  2884. },
  2885. "146.56.208.33": {
  2886. "x86": {
  2887. "BeaconType": "8 (HTTPS)",
  2888. "Port": "443",
  2889. "Polling": "60000",
  2890. "Jitter": "0",
  2891. "Maxdns": "255",
  2892. "C2 Server": "146.56.208.33,/visit.js",
  2893. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
  2894. "HTTP Method Path 2": "/submit.php",
  2895. "Header1": "",
  2896. "Header2": "",
  2897. "PipeName": "",
  2898. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2899. "DNS Sleep": "0",
  2900. "Method1": "GET",
  2901. "Method2": "POST",
  2902. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2903. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2904. "Proxy_AccessType": "2 (Use IE settings)"
  2905. }
  2906. },
  2907. "146.6.15.12": {
  2908. "x64": {
  2909. "BeaconType": "8 (HTTPS)",
  2910. "Port": "443",
  2911. "Polling": "60000",
  2912. "Jitter": "0",
  2913. "C2 Server": "146.6.15.12,/g.pixel",
  2914. "HTTP Method Path 2": "/submit.php",
  2915. "Method1": "GET",
  2916. "Method2": "POST",
  2917. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2918. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2919. "Proxy_AccessType": "2 (Use IE settings)"
  2920. }
  2921. },
  2922. "149.129.53.162": {
  2923. "x86": {
  2924. "BeaconType": "8 (HTTPS)",
  2925. "Port": "443",
  2926. "Polling": "5000",
  2927. "Jitter": "10",
  2928. "Maxdns": "235",
  2929. "C2 Server": "sit.watchdog3.com,/updates",
  2930. "User Agent": "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0",
  2931. "HTTP Method Path 2": "/aircanada/dark.php",
  2932. "Header1": "",
  2933. "Header2": "",
  2934. "PipeName": "",
  2935. "DNS Idle": "\\x08\\x08\\x04\\x04",
  2936. "DNS Sleep": "0",
  2937. "Method1": "GET",
  2938. "Method2": "POST",
  2939. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2940. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2941. "Proxy_AccessType": "2 (Use IE settings)"
  2942. },
  2943. "x64": {
  2944. "BeaconType": "8 (HTTPS)",
  2945. "Port": "443",
  2946. "Polling": "5000",
  2947. "Jitter": "10",
  2948. "Maxdns": "235",
  2949. "C2 Server": "sit.watchdog3.com,/updates",
  2950. "User Agent": "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0",
  2951. "HTTP Method Path 2": "/aircanada/dark.php",
  2952. "Header1": "",
  2953. "Header2": "",
  2954. "PipeName": "",
  2955. "DNS Idle": "\\x08\\x08\\x04\\x04",
  2956. "DNS Sleep": "0",
  2957. "Method1": "GET",
  2958. "Method2": "POST",
  2959. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2960. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2961. "Proxy_AccessType": "2 (Use IE settings)"
  2962. }
  2963. },
  2964. "149.28.20.245": {
  2965. "x86": {
  2966. "BeaconType": "8 (HTTPS)",
  2967. "Port": "443",
  2968. "Polling": "60000",
  2969. "Jitter": "20",
  2970. "Maxdns": "235",
  2971. "C2 Server": "149.28.20.245,/search/",
  2972. "User Agent": "Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  2973. "HTTP Method Path 2": "/Search/",
  2974. "Header1": "",
  2975. "Header2": "",
  2976. "PipeName": "",
  2977. "DNS Idle": "\\x08\\x08\\x04\\x04",
  2978. "DNS Sleep": "0",
  2979. "Method1": "GET",
  2980. "Method2": "GET",
  2981. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2982. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2983. "Proxy_AccessType": "1 (Use direct connection)"
  2984. }
  2985. },
  2986. "149.28.95.180": {
  2987. "x86": {
  2988. "BeaconType": "8 (HTTPS)",
  2989. "Port": "443",
  2990. "Polling": "60000",
  2991. "Jitter": "0",
  2992. "Maxdns": "255",
  2993. "C2 Server": "149.28.95.180,/en_US/all.js",
  2994. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)",
  2995. "HTTP Method Path 2": "/submit.php",
  2996. "Header1": "",
  2997. "Header2": "",
  2998. "PipeName": "",
  2999. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3000. "DNS Sleep": "0",
  3001. "Method1": "GET",
  3002. "Method2": "POST",
  3003. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3004. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3005. "Proxy_AccessType": "2 (Use IE settings)"
  3006. }
  3007. },
  3008. "149.6.167.60": {
  3009. "x86": {
  3010. "BeaconType": "8 (HTTPS)",
  3011. "Port": "443",
  3012. "Polling": "5000",
  3013. "Jitter": "37",
  3014. "C2 Server": "CLIENT.ELISEA-MUTUELLE.fr,/jquery-3.3.1.min.js",
  3015. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  3016. "Method1": "GET",
  3017. "Method2": "POST",
  3018. "Spawnto_x86": "%windir%\\syswow64\\WerFault.exe -u -p 223",
  3019. "Spawnto_x64": "%windir%\\sysnative\\WerFault.exe -u -p 223",
  3020. "Proxy_AccessType": "2 (Use IE settings)"
  3021. },
  3022. "x64": {
  3023. "BeaconType": "8 (HTTPS)",
  3024. "Port": "443",
  3025. "Polling": "5000",
  3026. "Jitter": "37",
  3027. "C2 Server": "CLIENT.ELISEA-MUTUELLE.fr,/jquery-3.3.1.min.js",
  3028. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  3029. "Method1": "GET",
  3030. "Method2": "POST",
  3031. "Spawnto_x86": "%windir%\\syswow64\\WerFault.exe -u -p 223",
  3032. "Spawnto_x64": "%windir%\\sysnative\\WerFault.exe -u -p 223",
  3033. "Proxy_AccessType": "2 (Use IE settings)"
  3034. }
  3035. },
  3036. "15.188.88.72": {
  3037. "x86": {
  3038. "BeaconType": "8 (HTTPS)",
  3039. "Port": "443",
  3040. "Polling": "600000",
  3041. "Jitter": "50",
  3042. "Maxdns": "235",
  3043. "C2 Server": "tmestoragetest.azureedge.net,/obj_",
  3044. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36",
  3045. "HTTP Method Path 2": "/upload",
  3046. "Header1": "",
  3047. "Header2": "",
  3048. "PipeName": "",
  3049. "DNS Idle": "\\x08\\x08\\x04\\x04",
  3050. "DNS Sleep": "0",
  3051. "Method1": "GET",
  3052. "Method2": "POST",
  3053. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k LocalService",
  3054. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k LocalService",
  3055. "Proxy_AccessType": "2 (Use IE settings)"
  3056. }
  3057. },
  3058. "15.222.241.107": {
  3059. "x86": {
  3060. "BeaconType": "8 (HTTPS)",
  3061. "Port": "443",
  3062. "Polling": "45000",
  3063. "Jitter": "37",
  3064. "C2 Server": "jquery.soundcloudcdn.com,/jquery-3.3.1.min.js",
  3065. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  3066. "Method1": "GET",
  3067. "Method2": "POST",
  3068. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  3069. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  3070. "Proxy_AccessType": "2 (Use IE settings)"
  3071. }
  3072. },
  3073. "153.92.127.203": {
  3074. "x86": {
  3075. "BeaconType": "8 (HTTPS)",
  3076. "Port": "443",
  3077. "Polling": "60000",
  3078. "Jitter": "0",
  3079. "Maxdns": "255",
  3080. "C2 Server": "io.amscloud.xyz,/ping,d2dtgcu8n83vy7.cloudfront.net,/ping,d1iz6lkxr9mblm.cloudfront.net,/ping",
  3081. "User Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
  3082. "HTTP Method Path 2": "/pong",
  3083. "Header1": "",
  3084. "Header2": "",
  3085. "PipeName": "",
  3086. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3087. "DNS Sleep": "0",
  3088. "Method1": "GET",
  3089. "Method2": "POST",
  3090. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3091. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3092. "Proxy_AccessType": "2 (Use IE settings)"
  3093. }
  3094. },
  3095. "153.92.127.208": {
  3096. "x86": {
  3097. "BeaconType": "8 (HTTPS)",
  3098. "Port": "443",
  3099. "Polling": "60000",
  3100. "Jitter": "0",
  3101. "Maxdns": "255",
  3102. "C2 Server": "io.amscloud.xyz,/ping,d2dtgcu8n83vy7.cloudfront.net,/ping,d1iz6lkxr9mblm.cloudfront.net,/ping",
  3103. "User Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
  3104. "HTTP Method Path 2": "/pong",
  3105. "Header1": "",
  3106. "Header2": "",
  3107. "PipeName": "",
  3108. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3109. "DNS Sleep": "0",
  3110. "Method1": "GET",
  3111. "Method2": "POST",
  3112. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3113. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3114. "Proxy_AccessType": "2 (Use IE settings)"
  3115. },
  3116. "x64": {
  3117. "BeaconType": "8 (HTTPS)",
  3118. "Port": "443",
  3119. "Polling": "60000",
  3120. "Jitter": "0",
  3121. "Maxdns": "255",
  3122. "C2 Server": "io.amscloud.xyz,/ping,d2dtgcu8n83vy7.cloudfront.net,/ping,d1iz6lkxr9mblm.cloudfront.net,/ping",
  3123. "User Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
  3124. "HTTP Method Path 2": "/pong",
  3125. "Header1": "",
  3126. "Header2": "",
  3127. "PipeName": "",
  3128. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3129. "DNS Sleep": "0",
  3130. "Method1": "GET",
  3131. "Method2": "POST",
  3132. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3133. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3134. "Proxy_AccessType": "2 (Use IE settings)"
  3135. }
  3136. },
  3137. "154.86.46.35": {
  3138. "x64": {
  3139. "BeaconType": "8 (HTTPS)",
  3140. "Port": "443",
  3141. "Polling": "60000",
  3142. "Jitter": "0",
  3143. "Maxdns": "255",
  3144. "C2 Server": "154.86.46.35,/IE9CompatViewList.xml",
  3145. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)",
  3146. "HTTP Method Path 2": "/submit.php",
  3147. "Header1": "",
  3148. "Header2": "",
  3149. "PipeName": "",
  3150. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3151. "DNS Sleep": "0",
  3152. "Method1": "GET",
  3153. "Method2": "POST",
  3154. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3155. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3156. "Proxy_AccessType": "2 (Use IE settings)"
  3157. }
  3158. },
  3159. "155.138.230.65": {
  3160. "x86": {
  3161. "BeaconType": "8 (HTTPS)",
  3162. "Port": "443",
  3163. "Polling": "60000",
  3164. "Jitter": "20",
  3165. "Maxdns": "235",
  3166. "C2 Server": "155.138.230.65,/viewerng/meta",
  3167. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  3168. "HTTP Method Path 2": "/viewersng/meta",
  3169. "Header1": "",
  3170. "Header2": "",
  3171. "PipeName": "",
  3172. "DNS Idle": "\\x08\\x08\\x04\\x04",
  3173. "DNS Sleep": "0",
  3174. "Method1": "GET",
  3175. "Method2": "GET",
  3176. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3177. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3178. "Proxy_AccessType": "2 (Use IE settings)"
  3179. }
  3180. },
  3181. "155.138.245.98": {
  3182. "x64": {
  3183. "BeaconType": "8 (HTTPS)",
  3184. "Port": "443",
  3185. "Polling": "60000",
  3186. "Jitter": "0",
  3187. "C2 Server": "155.138.245.98,/pixel.gif",
  3188. "HTTP Method Path 2": "/submit.php",
  3189. "Method1": "GET",
  3190. "Method2": "POST",
  3191. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3192. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3193. "Proxy_AccessType": "2 (Use IE settings)"
  3194. }
  3195. },
  3196. "156.226.191.234": {
  3197. "x86": {
  3198. "BeaconType": "8 (HTTPS)",
  3199. "Port": "443",
  3200. "Polling": "60000",
  3201. "Jitter": "15",
  3202. "Maxdns": "255",
  3203. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  3204. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  3205. "HTTP Method Path 2": "/mail/u/0/",
  3206. "Header1": "",
  3207. "Header2": "",
  3208. "PipeName": "",
  3209. "DNS Idle": "\\x08\\x08\\x04\\x04",
  3210. "DNS Sleep": "0",
  3211. "Method1": "GET",
  3212. "Method2": "POST",
  3213. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  3214. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  3215. "Proxy_AccessType": "2 (Use IE settings)"
  3216. },
  3217. "x64": {
  3218. "BeaconType": "8 (HTTPS)",
  3219. "Port": "443",
  3220. "Polling": "60000",
  3221. "Jitter": "15",
  3222. "Maxdns": "255",
  3223. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  3224. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 733; .NET CLR 2.0.50727)",
  3225. "HTTP Method Path 2": "/mail/u/0/",
  3226. "Header1": "",
  3227. "Header2": "",
  3228. "PipeName": "",
  3229. "DNS Idle": "\\x08\\x08\\x04\\x04",
  3230. "DNS Sleep": "0",
  3231. "Method1": "GET",
  3232. "Method2": "POST",
  3233. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  3234. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  3235. "Proxy_AccessType": "2 (Use IE settings)"
  3236. }
  3237. },
  3238. "156.226.191.235": {
  3239. "x86": {
  3240. "BeaconType": "8 (HTTPS)",
  3241. "Port": "443",
  3242. "Polling": "60000",
  3243. "Jitter": "15",
  3244. "Maxdns": "255",
  3245. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  3246. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  3247. "HTTP Method Path 2": "/mail/u/0/",
  3248. "Header1": "",
  3249. "Header2": "",
  3250. "PipeName": "",
  3251. "DNS Idle": "\\x08\\x08\\x04\\x04",
  3252. "DNS Sleep": "0",
  3253. "Method1": "GET",
  3254. "Method2": "POST",
  3255. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  3256. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  3257. "Proxy_AccessType": "2 (Use IE settings)"
  3258. }
  3259. },
  3260. "156.226.191.236": {
  3261. "x64": {
  3262. "BeaconType": "8 (HTTPS)",
  3263. "Port": "443",
  3264. "Polling": "60000",
  3265. "Jitter": "15",
  3266. "Maxdns": "255",
  3267. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  3268. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 733; .NET CLR 2.0.50727)",
  3269. "HTTP Method Path 2": "/mail/u/0/",
  3270. "Header1": "",
  3271. "Header2": "",
  3272. "PipeName": "",
  3273. "DNS Idle": "\\x08\\x08\\x04\\x04",
  3274. "DNS Sleep": "0",
  3275. "Method1": "GET",
  3276. "Method2": "POST",
  3277. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  3278. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  3279. "Proxy_AccessType": "2 (Use IE settings)"
  3280. }
  3281. },
  3282. "156.226.191.237": {
  3283. "x86": {
  3284. "BeaconType": "8 (HTTPS)",
  3285. "Port": "443",
  3286. "Polling": "60000",
  3287. "Jitter": "15",
  3288. "Maxdns": "255",
  3289. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  3290. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  3291. "HTTP Method Path 2": "/mail/u/0/",
  3292. "Header1": "",
  3293. "Header2": "",
  3294. "PipeName": "",
  3295. "DNS Idle": "\\x08\\x08\\x04\\x04",
  3296. "DNS Sleep": "0",
  3297. "Method1": "GET",
  3298. "Method2": "POST",
  3299. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  3300. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  3301. "Proxy_AccessType": "2 (Use IE settings)"
  3302. }
  3303. },
  3304. "157.230.184.142": {
  3305. "x86": {
  3306. "BeaconType": "8 (HTTPS)",
  3307. "Port": "443",
  3308. "Polling": "15",
  3309. "Jitter": "20",
  3310. "Maxdns": "235",
  3311. "C2 Server": "157.230.184.142,/5aq/XP/SY75Qyw.htm",
  3312. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )",
  3313. "HTTP Method Path 2": "/RCg/vp6rBcQ.htm",
  3314. "Header1": "",
  3315. "Header2": "",
  3316. "PipeName": "",
  3317. "DNS Idle": "\\x08\\x08\\x08\\x08",
  3318. "DNS Sleep": "0",
  3319. "Method1": "GET",
  3320. "Method2": "GET",
  3321. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3322. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3323. "Proxy_AccessType": "2 (Use IE settings)"
  3324. }
  3325. },
  3326. "157.230.239.44": {
  3327. "x86": {
  3328. "BeaconType": "8 (HTTPS)",
  3329. "Port": "443",
  3330. "Polling": "63931",
  3331. "Jitter": "41",
  3332. "C2 Server": "157.230.239.44,/faq",
  3333. "HTTP Method Path 2": "/lt",
  3334. "Method1": "GET",
  3335. "Method2": "POST",
  3336. "Spawnto_x86": "%windir%\\syswow64\\runonce.exe",
  3337. "Spawnto_x64": "%windir%\\sysnative\\runonce.exe",
  3338. "Proxy_AccessType": "2 (Use IE settings)"
  3339. }
  3340. },
  3341. "157.230.81.209": {
  3342. "x86": {
  3343. "BeaconType": "8 (HTTPS)",
  3344. "Port": "443",
  3345. "Polling": "15000",
  3346. "Jitter": "90",
  3347. "Maxdns": "225",
  3348. "C2 Server": "software-download.office.microsoft.com,/updates",
  3349. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  3350. "HTTP Method Path 2": "/notification",
  3351. "Header1": "",
  3352. "Header2": "",
  3353. "PipeName": "",
  3354. "DNS Idle": "h\\xD8<\\x84",
  3355. "DNS Sleep": "0",
  3356. "Method1": "GET",
  3357. "Method2": "POST",
  3358. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  3359. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  3360. "Proxy_AccessType": "2 (Use IE settings)"
  3361. },
  3362. "x64": {
  3363. "BeaconType": "8 (HTTPS)",
  3364. "Port": "443",
  3365. "Polling": "15000",
  3366. "Jitter": "90",
  3367. "Maxdns": "225",
  3368. "C2 Server": "software-download.office.microsoft.com,/updates",
  3369. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  3370. "HTTP Method Path 2": "/notification",
  3371. "Header1": "",
  3372. "Header2": "",
  3373. "PipeName": "",
  3374. "DNS Idle": "h\\xD8<\\x84",
  3375. "DNS Sleep": "0",
  3376. "Method1": "GET",
  3377. "Method2": "POST",
  3378. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  3379. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  3380. "Proxy_AccessType": "2 (Use IE settings)"
  3381. }
  3382. },
  3383. "159.65.115.160": {
  3384. "x86": {
  3385. "BeaconType": "8 (HTTPS)",
  3386. "Port": "443",
  3387. "Polling": "1500",
  3388. "Jitter": "0",
  3389. "Maxdns": "255",
  3390. "C2 Server": "159.65.115.160,/ocsp/a/",
  3391. "User Agent": "Microsoft-CryptoAPI/6.1",
  3392. "HTTP Method Path 2": "/ocsp/b/",
  3393. "Header1": "",
  3394. "Header2": "",
  3395. "PipeName": "",
  3396. "DNS Idle": "\\xAC\\xD9\\x10\\x8E",
  3397. "DNS Sleep": "0",
  3398. "Method1": "GET",
  3399. "Method2": "POST",
  3400. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  3401. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  3402. "Proxy_AccessType": "2 (Use IE settings)"
  3403. },
  3404. "x64": {
  3405. "BeaconType": "8 (HTTPS)",
  3406. "Port": "443",
  3407. "Polling": "1500",
  3408. "Jitter": "0",
  3409. "Maxdns": "255",
  3410. "C2 Server": "159.65.115.160,/ocsp/a/",
  3411. "User Agent": "Microsoft-CryptoAPI/6.1",
  3412. "HTTP Method Path 2": "/ocsp/b/",
  3413. "Header1": "",
  3414. "Header2": "",
  3415. "PipeName": "",
  3416. "DNS Idle": "\\xAC\\xD9\\x10\\x8E",
  3417. "DNS Sleep": "0",
  3418. "Method1": "GET",
  3419. "Method2": "POST",
  3420. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  3421. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  3422. "Proxy_AccessType": "2 (Use IE settings)"
  3423. }
  3424. },
  3425. "159.65.96.79": {
  3426. "x64": {
  3427. "BeaconType": "8 (HTTPS)",
  3428. "Port": "443",
  3429. "Polling": "61924",
  3430. "Jitter": "43",
  3431. "C2 Server": "cleerhr.com,/html.js",
  3432. "HTTP Method Path 2": "/sq",
  3433. "Method1": "GET",
  3434. "Method2": "POST",
  3435. "Spawnto_x86": "%windir%\\syswow64\\WUAUCLT.exe",
  3436. "Spawnto_x64": "%windir%\\sysnative\\WUAUCLT.exe",
  3437. "Proxy_AccessType": "2 (Use IE settings)"
  3438. }
  3439. },
  3440. "159.89.109.225": {
  3441. "x64": {
  3442. "BeaconType": "8 (HTTPS)",
  3443. "Port": "443",
  3444. "Polling": "15000",
  3445. "Jitter": "23",
  3446. "Maxdns": "255",
  3447. "C2 Server": "159.89.109.225,/sxn/start,104.248.245.41,/sxn/start",
  3448. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  3449. "HTTP Method Path 2": "/dd/met7",
  3450. "Header1": "",
  3451. "Header2": "",
  3452. "PipeName": "",
  3453. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3454. "DNS Sleep": "0",
  3455. "Method1": "GET",
  3456. "Method2": "POST",
  3457. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3458. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3459. "Proxy_AccessType": "2 (Use IE settings)"
  3460. }
  3461. },
  3462. "159.89.131.233": {
  3463. "x86": {
  3464. "BeaconType": "8 (HTTPS)",
  3465. "Port": "443",
  3466. "Polling": "45102",
  3467. "Jitter": "29",
  3468. "C2 Server": "milbank.azurewebsites.net,/azure/api",
  3469. "HTTP Method Path 2": "/azure/us",
  3470. "Method1": "GET",
  3471. "Method2": "POST",
  3472. "Spawnto_x86": "%windir%\\syswow64\\typeperf.exe",
  3473. "Spawnto_x64": "%windir%\\sysnative\\typeperf.exe",
  3474. "Proxy_AccessType": "2 (Use IE settings)"
  3475. }
  3476. },
  3477. "159.89.13.234": {
  3478. "x86": {
  3479. "BeaconType": "8 (HTTPS)",
  3480. "Port": "443",
  3481. "Polling": "15000",
  3482. "Jitter": "90",
  3483. "Maxdns": "225",
  3484. "C2 Server": "yelp.com,/wp-includes/js/script/indigo-migrate",
  3485. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  3486. "HTTP Method Path 2": "/api2/json/check/ticket",
  3487. "Header1": "",
  3488. "Header2": "",
  3489. "PipeName": "",
  3490. "DNS Idle": "h\\xD8<\\x84",
  3491. "DNS Sleep": "0",
  3492. "Method1": "GET",
  3493. "Method2": "POST",
  3494. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  3495. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  3496. "Proxy_AccessType": "2 (Use IE settings)"
  3497. }
  3498. },
  3499. "161.35.218.255": {
  3500. "x86": {
  3501. "BeaconType": "8 (HTTPS)",
  3502. "Port": "443",
  3503. "Polling": "60000",
  3504. "Jitter": "0",
  3505. "C2 Server": "161.35.218.255,/g.pixel",
  3506. "HTTP Method Path 2": "/submit.php",
  3507. "Method1": "GET",
  3508. "Method2": "POST",
  3509. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3510. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3511. "Proxy_AccessType": "2 (Use IE settings)"
  3512. },
  3513. "x64": {
  3514. "BeaconType": "8 (HTTPS)",
  3515. "Port": "443",
  3516. "Polling": "60000",
  3517. "Jitter": "0",
  3518. "C2 Server": "161.35.218.255,/dot.gif",
  3519. "HTTP Method Path 2": "/submit.php",
  3520. "Method1": "GET",
  3521. "Method2": "POST",
  3522. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3523. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3524. "Proxy_AccessType": "2 (Use IE settings)"
  3525. }
  3526. },
  3527. "161.35.38.97": {
  3528. "x64": {
  3529. "BeaconType": "8 (HTTPS)",
  3530. "Port": "443",
  3531. "Polling": "90000",
  3532. "Jitter": "15",
  3533. "Maxdns": "212",
  3534. "C2 Server": "jscript-cdn.azureedge.net,/npm/fullpage.js@2.9.4/dist/jquery.fullpage.min.css",
  3535. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.3396.99 Safari/537.36",
  3536. "HTTP Method Path 2": "/sites/p/b93/googleanalytics/track",
  3537. "Header1": "",
  3538. "Header2": "",
  3539. "PipeName": "",
  3540. "DNS Idle": "h\\x10U\\x14",
  3541. "DNS Sleep": "0",
  3542. "Method1": "GET",
  3543. "Method2": "POST",
  3544. "Spawnto_x86": "%windir%\\syswow64\\gpresult.exe",
  3545. "Spawnto_x64": "%windir%\\sysnative\\gpresult.exe",
  3546. "Proxy_AccessType": "2 (Use IE settings)"
  3547. }
  3548. },
  3549. "161.35.51.98": {
  3550. "x86": {
  3551. "BeaconType": "8 (HTTPS)",
  3552. "Port": "443",
  3553. "Polling": "53",
  3554. "Jitter": "40",
  3555. "Maxdns": "255",
  3556. "C2 Server": "mscrl.microsoft.com,/feed/Video/c/dynamic/,ajax.microsoft.com,/feed/Video/c/dynamic/",
  3557. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)",
  3558. "HTTP Method Path 2": "/main/urgent/w/06/",
  3559. "Header1": "",
  3560. "Header2": "",
  3561. "PipeName": "",
  3562. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3563. "DNS Sleep": "0",
  3564. "Method1": "GET",
  3565. "Method2": "POST",
  3566. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe",
  3567. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe",
  3568. "Proxy_AccessType": "2 (Use IE settings)"
  3569. }
  3570. },
  3571. "161.35.6.3": {
  3572. "x64": {
  3573. "BeaconType": "8 (HTTPS)",
  3574. "Port": "443",
  3575. "Polling": "60000",
  3576. "Jitter": "0",
  3577. "C2 Server": "161.35.6.3,/updates.rss",
  3578. "HTTP Method Path 2": "/submit.php",
  3579. "Method1": "GET",
  3580. "Method2": "POST",
  3581. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3582. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3583. "Proxy_AccessType": "2 (Use IE settings)"
  3584. }
  3585. },
  3586. "161.35.76.1": {
  3587. "x64": {
  3588. "BeaconType": "8 (HTTPS)",
  3589. "Port": "443",
  3590. "Polling": "1000",
  3591. "Jitter": "37",
  3592. "Maxdns": "255",
  3593. "C2 Server": "161.35.76.1,/jquery-3.3.1.min.js",
  3594. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  3595. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  3596. "Header1": "",
  3597. "Header2": "",
  3598. "PipeName": "",
  3599. "DNS Idle": "J}\\xC4q",
  3600. "DNS Sleep": "0",
  3601. "Method1": "GET",
  3602. "Method2": "POST",
  3603. "Spawnto_x86": "%windir%\\syswow64\\cmd.exe -k updatehelp",
  3604. "Spawnto_x64": "%windir%\\sysnative\\cmd.exe -k updatehelp",
  3605. "Proxy_AccessType": "2 (Use IE settings)"
  3606. }
  3607. },
  3608. "161.35.81.119": {
  3609. "x86": {
  3610. "BeaconType": "8 (HTTPS)",
  3611. "Port": "443",
  3612. "Polling": "15000",
  3613. "Jitter": "90",
  3614. "Maxdns": "225",
  3615. "C2 Server": "bbc.com,/en-us/p/onerf/MeSilentPassport",
  3616. "User Agent": "Microsoft BITS/7.8",
  3617. "HTTP Method Path 2": "/1.5/95648064/storage/tabs",
  3618. "Header1": "",
  3619. "Header2": "",
  3620. "PipeName": "",
  3621. "DNS Idle": "\\xBC\\xA6\\x0Ee",
  3622. "DNS Sleep": "0",
  3623. "Method1": "GET",
  3624. "Method2": "POST",
  3625. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  3626. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  3627. "Proxy_AccessType": "2 (Use IE settings)"
  3628. },
  3629. "x64": {
  3630. "BeaconType": "8 (HTTPS)",
  3631. "Port": "443",
  3632. "Polling": "15000",
  3633. "Jitter": "90",
  3634. "Maxdns": "225",
  3635. "C2 Server": "bbc.com,/en-us/p/book-2/8MCPZJJCC98C",
  3636. "User Agent": "Microsoft BITS/7.8",
  3637. "HTTP Method Path 2": "/v1/stats",
  3638. "Header1": "",
  3639. "Header2": "",
  3640. "PipeName": "",
  3641. "DNS Idle": "\\xBC\\xA6\\x0Ee",
  3642. "DNS Sleep": "0",
  3643. "Method1": "GET",
  3644. "Method2": "POST",
  3645. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  3646. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  3647. "Proxy_AccessType": "2 (Use IE settings)"
  3648. }
  3649. },
  3650. "161.35.99.14": {
  3651. "x86": {
  3652. "BeaconType": "8 (HTTPS)",
  3653. "Port": "443",
  3654. "Polling": "5000",
  3655. "Jitter": "37",
  3656. "C2 Server": "161.35.99.14,/jquery-3.3.1.min.js",
  3657. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  3658. "Method1": "GET",
  3659. "Method2": "POST",
  3660. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  3661. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  3662. "Proxy_AccessType": "2 (Use IE settings)"
  3663. }
  3664. },
  3665. "162.241.127.180": {
  3666. "x86": {
  3667. "BeaconType": "8 (HTTPS)",
  3668. "Port": "443",
  3669. "Polling": "60000",
  3670. "Jitter": "0",
  3671. "Maxdns": "255",
  3672. "C2 Server": "162.241.127.180,/j.ad",
  3673. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;NLNL)",
  3674. "HTTP Method Path 2": "/submit.php",
  3675. "Header1": "",
  3676. "Header2": "",
  3677. "PipeName": "",
  3678. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3679. "DNS Sleep": "0",
  3680. "Method1": "GET",
  3681. "Method2": "POST",
  3682. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3683. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3684. "Proxy_AccessType": "2 (Use IE settings)"
  3685. },
  3686. "x64": {
  3687. "BeaconType": "8 (HTTPS)",
  3688. "Port": "443",
  3689. "Polling": "60000",
  3690. "Jitter": "0",
  3691. "Maxdns": "255",
  3692. "C2 Server": "162.241.127.180,/activity",
  3693. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENCA)",
  3694. "HTTP Method Path 2": "/submit.php",
  3695. "Header1": "",
  3696. "Header2": "",
  3697. "PipeName": "",
  3698. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3699. "DNS Sleep": "0",
  3700. "Method1": "GET",
  3701. "Method2": "POST",
  3702. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3703. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3704. "Proxy_AccessType": "2 (Use IE settings)"
  3705. }
  3706. },
  3707. "162.241.65.121": {
  3708. "x86": {
  3709. "BeaconType": "8 (HTTPS)",
  3710. "Port": "443",
  3711. "Polling": "60000",
  3712. "Jitter": "0",
  3713. "Maxdns": "255",
  3714. "C2 Server": "162.241.65.121,/cx",
  3715. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MDDRJS)",
  3716. "HTTP Method Path 2": "/submit.php",
  3717. "Header1": "",
  3718. "Header2": "",
  3719. "PipeName": "",
  3720. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3721. "DNS Sleep": "0",
  3722. "Method1": "GET",
  3723. "Method2": "POST",
  3724. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3725. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3726. "Proxy_AccessType": "2 (Use IE settings)"
  3727. }
  3728. },
  3729. "162.248.210.234": {
  3730. "x64": {
  3731. "BeaconType": "8 (HTTPS)",
  3732. "Port": "443",
  3733. "Polling": "5000",
  3734. "Jitter": "10",
  3735. "Maxdns": "235",
  3736. "C2 Server": "wavetips.com,/us/ky/louisville/312-s-fourth-st.html",
  3737. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  3738. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  3739. "Header1": "",
  3740. "Header2": "",
  3741. "PipeName": "",
  3742. "DNS Idle": "\\x08\\x08\\x08\\x08",
  3743. "DNS Sleep": "0",
  3744. "Method1": "GET",
  3745. "Method2": "POST",
  3746. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  3747. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  3748. "Proxy_AccessType": "2 (Use IE settings)"
  3749. }
  3750. },
  3751. "162.254.204.222": {
  3752. "x86": {
  3753. "BeaconType": "8 (HTTPS)",
  3754. "Port": "443",
  3755. "Polling": "13500",
  3756. "Jitter": "27",
  3757. "Maxdns": "255",
  3758. "C2 Server": "mstronestia.me,/maps/overlaybfpr",
  3759. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36",
  3760. "HTTP Method Path 2": "/fd/ls/lsp.aspx",
  3761. "Header1": "",
  3762. "Header2": "",
  3763. "PipeName": "",
  3764. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3765. "DNS Sleep": "0",
  3766. "Method1": "GET",
  3767. "Method2": "POST",
  3768. "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe",
  3769. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  3770. "Proxy_AccessType": "2 (Use IE settings)"
  3771. }
  3772. },
  3773. "165.22.37.148": {
  3774. "x86": {
  3775. "BeaconType": "8 (HTTPS)",
  3776. "Port": "443",
  3777. "Polling": "12000",
  3778. "Jitter": "35",
  3779. "C2 Server": "update03.microsoft-essentials.com,/u/vercheck,165.22.37.148,/u/vercheck",
  3780. "HTTP Method Path 2": "/u/version_status",
  3781. "Method1": "GET",
  3782. "Method2": "POST",
  3783. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  3784. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  3785. "Proxy_AccessType": "2 (Use IE settings)"
  3786. }
  3787. },
  3788. "165.227.85.160": {
  3789. "x86": {
  3790. "BeaconType": "8 (HTTPS)",
  3791. "Port": "443",
  3792. "Polling": "60000",
  3793. "Jitter": "0",
  3794. "Maxdns": "255",
  3795. "C2 Server": "165.227.85.160,/__utm.gif",
  3796. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
  3797. "HTTP Method Path 2": "/submit.php",
  3798. "Header1": "",
  3799. "Header2": "",
  3800. "PipeName": "",
  3801. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3802. "DNS Sleep": "0",
  3803. "Method1": "GET",
  3804. "Method2": "POST",
  3805. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3806. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3807. "Proxy_AccessType": "2 (Use IE settings)"
  3808. },
  3809. "x64": {
  3810. "BeaconType": "8 (HTTPS)",
  3811. "Port": "443",
  3812. "Polling": "60000",
  3813. "Jitter": "0",
  3814. "Maxdns": "255",
  3815. "C2 Server": "165.227.85.160,/match",
  3816. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)",
  3817. "HTTP Method Path 2": "/submit.php",
  3818. "Header1": "",
  3819. "Header2": "",
  3820. "PipeName": "",
  3821. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3822. "DNS Sleep": "0",
  3823. "Method1": "GET",
  3824. "Method2": "POST",
  3825. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3826. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3827. "Proxy_AccessType": "2 (Use IE settings)"
  3828. }
  3829. },
  3830. "165.22.8.172": {
  3831. "x86": {
  3832. "BeaconType": "8 (HTTPS)",
  3833. "Port": "443",
  3834. "Polling": "48",
  3835. "Jitter": "79",
  3836. "C2 Server": "silicontechgroup.com,/content/latest/i/updateonScroll/",
  3837. "HTTP Method Path 2": "/all/hot/0t/1/",
  3838. "Method1": "GET",
  3839. "Method2": "POST",
  3840. "Spawnto_x86": "%windir%\\syswow64\\werfault.exe",
  3841. "Spawnto_x64": "%windir%\\sysnative\\werfault.exe",
  3842. "Proxy_AccessType": "2 (Use IE settings)"
  3843. }
  3844. },
  3845. "167.172.203.162": {
  3846. "x64": {
  3847. "BeaconType": "8 (HTTPS)",
  3848. "Port": "443",
  3849. "Polling": "15000",
  3850. "Jitter": "90",
  3851. "C2 Server": "ajax.microsoft.com,/v4/links/activity-stream",
  3852. "HTTP Method Path 2": "/api2/json/check/ticket",
  3853. "Method1": "GET",
  3854. "Method2": "POST",
  3855. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  3856. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  3857. "Proxy_AccessType": "2 (Use IE settings)"
  3858. }
  3859. },
  3860. "167.172.217.69": {
  3861. "x64": {
  3862. "BeaconType": "8 (HTTPS)",
  3863. "Port": "443",
  3864. "Polling": "45000",
  3865. "Jitter": "37",
  3866. "C2 Server": "xifin.co,/jquery-3.3.1.min.js",
  3867. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  3868. "Method1": "GET",
  3869. "Method2": "POST",
  3870. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  3871. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  3872. "Proxy_AccessType": "2 (Use IE settings)"
  3873. }
  3874. },
  3875. "167.179.87.86": {
  3876. "x64": {
  3877. "BeaconType": "8 (HTTPS)",
  3878. "Port": "443",
  3879. "Polling": "60000",
  3880. "Jitter": "0",
  3881. "Maxdns": "255",
  3882. "C2 Server": "167.179.87.86,/g.pixel",
  3883. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; BOIE9;ENUS)",
  3884. "HTTP Method Path 2": "/submit.php",
  3885. "Header1": "",
  3886. "Header2": "",
  3887. "PipeName": "",
  3888. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3889. "DNS Sleep": "0",
  3890. "Method1": "GET",
  3891. "Method2": "POST",
  3892. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3893. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3894. "Proxy_AccessType": "2 (Use IE settings)"
  3895. }
  3896. },
  3897. "167.179.96.215": {
  3898. "x64": {
  3899. "BeaconType": "8 (HTTPS)",
  3900. "Port": "443",
  3901. "Polling": "9800",
  3902. "Jitter": "26",
  3903. "Maxdns": "235",
  3904. "C2 Server": "167.179.96.215,/cdn/heartbeat",
  3905. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0",
  3906. "HTTP Method Path 2": "/cdn/update",
  3907. "Header1": "",
  3908. "Header2": "",
  3909. "PipeName": "",
  3910. "DNS Idle": "\\x08\\x08\\x04\\x04",
  3911. "DNS Sleep": "0",
  3912. "Method1": "GET",
  3913. "Method2": "POST",
  3914. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  3915. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  3916. "Proxy_AccessType": "2 (Use IE settings)"
  3917. }
  3918. },
  3919. "167.71.145.204": {
  3920. "x86": {
  3921. "BeaconType": "8 (HTTPS)",
  3922. "Port": "443",
  3923. "Polling": "45000",
  3924. "Jitter": "37",
  3925. "C2 Server": "1shop4health.com,/jquery-3.3.1.min.js",
  3926. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  3927. "Method1": "GET",
  3928. "Method2": "POST",
  3929. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  3930. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  3931. "Proxy_AccessType": "2 (Use IE settings)"
  3932. },
  3933. "x64": {
  3934. "BeaconType": "8 (HTTPS)",
  3935. "Port": "443",
  3936. "Polling": "45000",
  3937. "Jitter": "37",
  3938. "C2 Server": "1shop4health.com,/jquery-3.3.1.min.js",
  3939. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  3940. "Method1": "GET",
  3941. "Method2": "POST",
  3942. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  3943. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  3944. "Proxy_AccessType": "2 (Use IE settings)"
  3945. }
  3946. },
  3947. "167.71.244.25": {
  3948. "x86": {
  3949. "BeaconType": "8 (HTTPS)",
  3950. "Port": "443",
  3951. "Polling": "15000",
  3952. "Jitter": "90",
  3953. "C2 Server": "ajax.microsoft.com,/wp-content/themes/am43-6/dist/records",
  3954. "HTTP Method Path 2": "/ev/ext001001",
  3955. "Method1": "GET",
  3956. "Method2": "POST",
  3957. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  3958. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  3959. "Proxy_AccessType": "2 (Use IE settings)"
  3960. },
  3961. "x64": {
  3962. "BeaconType": "8 (HTTPS)",
  3963. "Port": "443",
  3964. "Polling": "15000",
  3965. "Jitter": "90",
  3966. "C2 Server": "ajax.microsoft.com,/api2/json/cluster/resources",
  3967. "HTTP Method Path 2": "/gp/aw/ybh/handlers",
  3968. "Method1": "GET",
  3969. "Method2": "POST",
  3970. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  3971. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  3972. "Proxy_AccessType": "2 (Use IE settings)"
  3973. }
  3974. },
  3975. "167.99.197.196": {
  3976. "x86": {
  3977. "BeaconType": "8 (HTTPS)",
  3978. "Port": "443",
  3979. "Polling": "60000",
  3980. "Jitter": "0",
  3981. "Maxdns": "255",
  3982. "C2 Server": "myredirector1.live,/c/msdownload/update/others/2020/10/29136388_,myredirector2.live,/c/msdownload/update/others/2020/10/29136388_",
  3983. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
  3984. "HTTP Method Path 2": "/c/msdownload/update/others/2020/10/28986731_",
  3985. "Header1": "",
  3986. "Header2": "",
  3987. "PipeName": "",
  3988. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3989. "DNS Sleep": "0",
  3990. "Method1": "GET",
  3991. "Method2": "POST",
  3992. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3993. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3994. "Proxy_AccessType": "2 (Use IE settings)"
  3995. }
  3996. },
  3997. "167.99.200.45": {
  3998. "x64": {
  3999. "BeaconType": "8 (HTTPS)",
  4000. "Port": "443",
  4001. "Polling": "30000",
  4002. "Jitter": "20",
  4003. "Maxdns": "235",
  4004. "C2 Server": "outlook-1.azureedge.net,/static/css/main.d22d3525.chunk.css",
  4005. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36",
  4006. "HTTP Method Path 2": "/owamail/calendar/service.svc",
  4007. "Header1": "",
  4008. "Header2": "",
  4009. "PipeName": "",
  4010. "DNS Idle": "\rZ\\xD5\\xCC",
  4011. "DNS Sleep": "0",
  4012. "Method1": "GET",
  4013. "Method2": "POST",
  4014. "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe",
  4015. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  4016. "Proxy_AccessType": "2 (Use IE settings)"
  4017. }
  4018. },
  4019. "168.119.0.88": {
  4020. "x86": {
  4021. "BeaconType": "8 (HTTPS)",
  4022. "Port": "443",
  4023. "Polling": "60000",
  4024. "Jitter": "0",
  4025. "Maxdns": "255",
  4026. "C2 Server": "168.119.0.88,/g.pixel",
  4027. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSCOM)",
  4028. "HTTP Method Path 2": "/submit.php",
  4029. "Header1": "",
  4030. "Header2": "",
  4031. "PipeName": "",
  4032. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4033. "DNS Sleep": "0",
  4034. "Method1": "GET",
  4035. "Method2": "POST",
  4036. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4037. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4038. "Proxy_AccessType": "2 (Use IE settings)"
  4039. }
  4040. },
  4041. "168.62.7.130": {
  4042. "x64": {
  4043. "BeaconType": "8 (HTTPS)",
  4044. "Port": "443",
  4045. "Polling": "37500",
  4046. "Jitter": "33",
  4047. "Maxdns": "245",
  4048. "C2 Server": "red.therclegalgroup.com,/javascripts/jquery.foundation.navigation.js",
  4049. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; SLCC; .NET CLR 3.5.30729; .NET CLR 3.0.30729; MS-RTC LM 8)",
  4050. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  4051. "Header1": "",
  4052. "Header2": "",
  4053. "PipeName": "",
  4054. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4055. "DNS Sleep": "0",
  4056. "Method1": "GET",
  4057. "Method2": "POST",
  4058. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  4059. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  4060. "Proxy_AccessType": "2 (Use IE settings)"
  4061. }
  4062. },
  4063. "172.241.27.214": {
  4064. "x86": {
  4065. "BeaconType": "8 (HTTPS)",
  4066. "Port": "443",
  4067. "Polling": "5000",
  4068. "Jitter": "10",
  4069. "Maxdns": "235",
  4070. "C2 Server": "repshd.com,/us/ky/louisville/312-s-fourth-st.html,pinglis.com,/us/ky/louisville/312-s-fourth-st.html,stargut.com,/us/ky/louisville/312-s-fourth-st.html",
  4071. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4072. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4073. "Header1": "",
  4074. "Header2": "",
  4075. "PipeName": "",
  4076. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4077. "DNS Sleep": "0",
  4078. "Method1": "GET",
  4079. "Method2": "POST",
  4080. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4081. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4082. "Proxy_AccessType": "2 (Use IE settings)"
  4083. }
  4084. },
  4085. "172.241.27.230": {
  4086. "x86": {
  4087. "BeaconType": "8 (HTTPS)",
  4088. "Port": "443",
  4089. "Polling": "5000",
  4090. "Jitter": "10",
  4091. "Maxdns": "235",
  4092. "C2 Server": "ramush.com,/us/ky/louisville/312-s-fourth-st.html,leepick.com,/us/ky/louisville/312-s-fourth-st.html",
  4093. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4094. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4095. "Header1": "",
  4096. "Header2": "",
  4097. "PipeName": "",
  4098. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4099. "DNS Sleep": "0",
  4100. "Method1": "GET",
  4101. "Method2": "POST",
  4102. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4103. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4104. "Proxy_AccessType": "2 (Use IE settings)"
  4105. }
  4106. },
  4107. "172.241.27.46": {
  4108. "x86": {
  4109. "BeaconType": "8 (HTTPS)",
  4110. "Port": "443",
  4111. "Polling": "5000",
  4112. "Jitter": "10",
  4113. "Maxdns": "235",
  4114. "C2 Server": "oldplex.com,/us/ky/louisville/312-s-fourth-st.html",
  4115. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4116. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4117. "Header1": "",
  4118. "Header2": "",
  4119. "PipeName": "",
  4120. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4121. "DNS Sleep": "0",
  4122. "Method1": "GET",
  4123. "Method2": "POST",
  4124. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4125. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4126. "Proxy_AccessType": "2 (Use IE settings)"
  4127. },
  4128. "x64": {
  4129. "BeaconType": "8 (HTTPS)",
  4130. "Port": "443",
  4131. "Polling": "5000",
  4132. "Jitter": "10",
  4133. "Maxdns": "235",
  4134. "C2 Server": "oldplex.com,/us/ky/louisville/312-s-fourth-st.html",
  4135. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4136. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4137. "Header1": "",
  4138. "Header2": "",
  4139. "PipeName": "",
  4140. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4141. "DNS Sleep": "0",
  4142. "Method1": "GET",
  4143. "Method2": "POST",
  4144. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4145. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4146. "Proxy_AccessType": "2 (Use IE settings)"
  4147. }
  4148. },
  4149. "172.241.27.57": {
  4150. "x86": {
  4151. "BeaconType": "8 (HTTPS)",
  4152. "Port": "443",
  4153. "Polling": "5000",
  4154. "Jitter": "10",
  4155. "Maxdns": "235",
  4156. "C2 Server": "zipflag.com,/us/ky/louisville/312-s-fourth-st.html",
  4157. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4158. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4159. "Header1": "",
  4160. "Header2": "",
  4161. "PipeName": "",
  4162. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4163. "DNS Sleep": "0",
  4164. "Method1": "GET",
  4165. "Method2": "POST",
  4166. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4167. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4168. "Proxy_AccessType": "2 (Use IE settings)"
  4169. }
  4170. },
  4171. "172.241.29.153": {
  4172. "x86": {
  4173. "BeaconType": "8 (HTTPS)",
  4174. "Port": "443",
  4175. "Polling": "60000",
  4176. "Jitter": "0",
  4177. "Maxdns": "255",
  4178. "C2 Server": "172.241.29.153,/dpixel",
  4179. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; Xbox)",
  4180. "HTTP Method Path 2": "/submit.php",
  4181. "Header1": "",
  4182. "Header2": "",
  4183. "PipeName": "",
  4184. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4185. "DNS Sleep": "0",
  4186. "Method1": "GET",
  4187. "Method2": "POST",
  4188. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4189. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4190. "Proxy_AccessType": "2 (Use IE settings)"
  4191. }
  4192. },
  4193. "172.241.29.155": {
  4194. "x64": {
  4195. "BeaconType": "8 (HTTPS)",
  4196. "Port": "443",
  4197. "Polling": "60000",
  4198. "Jitter": "0",
  4199. "Maxdns": "255",
  4200. "C2 Server": "amamai-tecnologies.space,/dot.gif",
  4201. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; NP06)",
  4202. "HTTP Method Path 2": "/submit.php",
  4203. "Header1": "",
  4204. "Header2": "",
  4205. "PipeName": "",
  4206. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4207. "DNS Sleep": "0",
  4208. "Method1": "GET",
  4209. "Method2": "POST",
  4210. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4211. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4212. "Proxy_AccessType": "2 (Use IE settings)"
  4213. }
  4214. },
  4215. "172.241.29.156": {
  4216. "x64": {
  4217. "BeaconType": "8 (HTTPS)",
  4218. "Port": "443",
  4219. "Polling": "60000",
  4220. "Jitter": "0",
  4221. "Maxdns": "255",
  4222. "C2 Server": "amamai-tecnologies.digital,/IE9CompatViewList.xml",
  4223. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENAU)",
  4224. "HTTP Method Path 2": "/submit.php",
  4225. "Header1": "",
  4226. "Header2": "",
  4227. "PipeName": "",
  4228. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4229. "DNS Sleep": "0",
  4230. "Method1": "GET",
  4231. "Method2": "POST",
  4232. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4233. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4234. "Proxy_AccessType": "2 (Use IE settings)"
  4235. }
  4236. },
  4237. "172.82.148.202": {
  4238. "x86": {
  4239. "BeaconType": "8 (HTTPS)",
  4240. "Port": "443",
  4241. "Polling": "5000",
  4242. "Jitter": "10",
  4243. "Maxdns": "235",
  4244. "C2 Server": "172.82.148.202,/us/ky/louisville/312-s-fourth-st.html,resnote.com,/us/ky/louisville/312-s-fourth-st.html",
  4245. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4246. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4247. "Header1": "",
  4248. "Header2": "",
  4249. "PipeName": "",
  4250. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4251. "DNS Sleep": "0",
  4252. "Method1": "GET",
  4253. "Method2": "POST",
  4254. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4255. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4256. "Proxy_AccessType": "2 (Use IE settings)"
  4257. },
  4258. "x64": {
  4259. "BeaconType": "8 (HTTPS)",
  4260. "Port": "443",
  4261. "Polling": "5000",
  4262. "Jitter": "10",
  4263. "Maxdns": "235",
  4264. "C2 Server": "172.82.148.202,/us/ky/louisville/312-s-fourth-st.html,resnote.com,/us/ky/louisville/312-s-fourth-st.html",
  4265. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4266. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4267. "Header1": "",
  4268. "Header2": "",
  4269. "PipeName": "",
  4270. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4271. "DNS Sleep": "0",
  4272. "Method1": "GET",
  4273. "Method2": "POST",
  4274. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4275. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4276. "Proxy_AccessType": "2 (Use IE settings)"
  4277. }
  4278. },
  4279. "172.82.179.170": {
  4280. "x64": {
  4281. "BeaconType": "8 (HTTPS)",
  4282. "Port": "443",
  4283. "Polling": "5000",
  4284. "Jitter": "10",
  4285. "Maxdns": "235",
  4286. "C2 Server": "foxreps.com,/us/ky/louisville/312-s-fourth-st.html,novause.com,/us/ky/louisville/312-s-fourth-st.html",
  4287. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4288. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4289. "Header1": "",
  4290. "Header2": "",
  4291. "PipeName": "",
  4292. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4293. "DNS Sleep": "0",
  4294. "Method1": "GET",
  4295. "Method2": "POST",
  4296. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4297. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4298. "Proxy_AccessType": "2 (Use IE settings)"
  4299. }
  4300. },
  4301. "172.93.101.50": {
  4302. "x86": {
  4303. "BeaconType": "8 (HTTPS)",
  4304. "Port": "443",
  4305. "Polling": "5000",
  4306. "Jitter": "10",
  4307. "Maxdns": "235",
  4308. "C2 Server": "orgsale.com,/us/ky/louisville/312-s-fourth-st.html",
  4309. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4310. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4311. "Header1": "",
  4312. "Header2": "",
  4313. "PipeName": "",
  4314. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4315. "DNS Sleep": "0",
  4316. "Method1": "GET",
  4317. "Method2": "POST",
  4318. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4319. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4320. "Proxy_AccessType": "2 (Use IE settings)"
  4321. },
  4322. "x64": {
  4323. "BeaconType": "8 (HTTPS)",
  4324. "Port": "443",
  4325. "Polling": "5000",
  4326. "Jitter": "10",
  4327. "Maxdns": "235",
  4328. "C2 Server": "orgsale.com,/us/ky/louisville/312-s-fourth-st.html",
  4329. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4330. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4331. "Header1": "",
  4332. "Header2": "",
  4333. "PipeName": "",
  4334. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4335. "DNS Sleep": "0",
  4336. "Method1": "GET",
  4337. "Method2": "POST",
  4338. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4339. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4340. "Proxy_AccessType": "2 (Use IE settings)"
  4341. }
  4342. },
  4343. "172.93.102.164": {
  4344. "x86": {
  4345. "BeaconType": "8 (HTTPS)",
  4346. "Port": "443",
  4347. "Polling": "5000",
  4348. "Jitter": "10",
  4349. "Maxdns": "235",
  4350. "C2 Server": "facesh.com,/us/ky/louisville/312-s-fourth-st.html",
  4351. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4352. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4353. "Header1": "",
  4354. "Header2": "",
  4355. "PipeName": "",
  4356. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4357. "DNS Sleep": "0",
  4358. "Method1": "GET",
  4359. "Method2": "POST",
  4360. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4361. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4362. "Proxy_AccessType": "2 (Use IE settings)"
  4363. }
  4364. },
  4365. "172.93.107.2": {
  4366. "x86": {
  4367. "BeaconType": "8 (HTTPS)",
  4368. "Port": "443",
  4369. "Polling": "30000",
  4370. "Jitter": "20",
  4371. "Maxdns": "255",
  4372. "C2 Server": "keyisa.com,/CWoNaJLBo/VTNeWw11212/",
  4373. "User Agent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)",
  4374. "HTTP Method Path 2": "/CWoNaJLBo/VTNeWw11213/",
  4375. "Header1": "",
  4376. "Header2": "",
  4377. "PipeName": "",
  4378. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4379. "DNS Sleep": "0",
  4380. "Method1": "GET",
  4381. "Method2": "POST",
  4382. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4383. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4384. "Proxy_AccessType": "2 (Use IE settings)"
  4385. },
  4386. "x64": {
  4387. "BeaconType": "8 (HTTPS)",
  4388. "Port": "443",
  4389. "Polling": "30000",
  4390. "Jitter": "20",
  4391. "Maxdns": "255",
  4392. "C2 Server": "keyisa.com,/CWoNaJLBo/VTNeWw11212/",
  4393. "User Agent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)",
  4394. "HTTP Method Path 2": "/CWoNaJLBo/VTNeWw11213/",
  4395. "Header1": "",
  4396. "Header2": "",
  4397. "PipeName": "",
  4398. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4399. "DNS Sleep": "0",
  4400. "Method1": "GET",
  4401. "Method2": "POST",
  4402. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4403. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4404. "Proxy_AccessType": "2 (Use IE settings)"
  4405. }
  4406. },
  4407. "172.93.97.66": {
  4408. "x86": {
  4409. "BeaconType": "8 (HTTPS)",
  4410. "Port": "443",
  4411. "Polling": "30000",
  4412. "Jitter": "20",
  4413. "Maxdns": "255",
  4414. "C2 Server": "stephq.com,/CWoNaJLBo/VTNeWw11212/",
  4415. "User Agent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)",
  4416. "HTTP Method Path 2": "/CWoNaJLBo/VTNeWw11213/",
  4417. "Header1": "",
  4418. "Header2": "",
  4419. "PipeName": "",
  4420. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4421. "DNS Sleep": "0",
  4422. "Method1": "GET",
  4423. "Method2": "POST",
  4424. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4425. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4426. "Proxy_AccessType": "2 (Use IE settings)"
  4427. },
  4428. "x64": {
  4429. "BeaconType": "8 (HTTPS)",
  4430. "Port": "443",
  4431. "Polling": "30000",
  4432. "Jitter": "20",
  4433. "Maxdns": "255",
  4434. "C2 Server": "stephq.com,/CWoNaJLBo/VTNeWw11212/",
  4435. "User Agent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)",
  4436. "HTTP Method Path 2": "/CWoNaJLBo/VTNeWw11213/",
  4437. "Header1": "",
  4438. "Header2": "",
  4439. "PipeName": "",
  4440. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4441. "DNS Sleep": "0",
  4442. "Method1": "GET",
  4443. "Method2": "POST",
  4444. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4445. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4446. "Proxy_AccessType": "2 (Use IE settings)"
  4447. }
  4448. },
  4449. "172.96.160.218": {
  4450. "x64": {
  4451. "BeaconType": "8 (HTTPS)",
  4452. "Port": "443",
  4453. "Polling": "5000",
  4454. "Jitter": "10",
  4455. "Maxdns": "235",
  4456. "C2 Server": "lenview.com,/us/ky/louisville/312-s-fourth-st.html",
  4457. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4458. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4459. "Header1": "",
  4460. "Header2": "",
  4461. "PipeName": "",
  4462. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4463. "DNS Sleep": "0",
  4464. "Method1": "GET",
  4465. "Method2": "POST",
  4466. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4467. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4468. "Proxy_AccessType": "2 (Use IE settings)"
  4469. }
  4470. },
  4471. "172.98.192.91": {
  4472. "x86": {
  4473. "BeaconType": "8 (HTTPS)",
  4474. "Port": "443",
  4475. "Polling": "5000",
  4476. "Jitter": "0",
  4477. "Maxdns": "255",
  4478. "C2 Server": "172.98.192.91,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  4479. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  4480. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  4481. "Header1": "",
  4482. "Header2": "",
  4483. "PipeName": "",
  4484. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4485. "DNS Sleep": "0",
  4486. "Method1": "GET",
  4487. "Method2": "POST",
  4488. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4489. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4490. "Proxy_AccessType": "2 (Use IE settings)"
  4491. }
  4492. },
  4493. "172.98.192.94": {
  4494. "x86": {
  4495. "BeaconType": "8 (HTTPS)",
  4496. "Port": "443",
  4497. "Polling": "60000",
  4498. "Jitter": "0",
  4499. "Maxdns": "255",
  4500. "C2 Server": "172.98.192.94,/g.pixel",
  4501. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENAU)",
  4502. "HTTP Method Path 2": "/submit.php",
  4503. "Header1": "",
  4504. "Header2": "",
  4505. "PipeName": "",
  4506. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4507. "DNS Sleep": "0",
  4508. "Method1": "GET",
  4509. "Method2": "POST",
  4510. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4511. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4512. "Proxy_AccessType": "2 (Use IE settings)"
  4513. }
  4514. },
  4515. "173.234.155.146": {
  4516. "x86": {
  4517. "BeaconType": "8 (HTTPS)",
  4518. "Port": "443",
  4519. "Polling": "5000",
  4520. "Jitter": "10",
  4521. "Maxdns": "235",
  4522. "C2 Server": "landcook.com,/us/ky/louisville/312-s-fourth-st.html",
  4523. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4524. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4525. "Header1": "",
  4526. "Header2": "",
  4527. "PipeName": "",
  4528. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4529. "DNS Sleep": "0",
  4530. "Method1": "GET",
  4531. "Method2": "POST",
  4532. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4533. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4534. "Proxy_AccessType": "2 (Use IE settings)"
  4535. }
  4536. },
  4537. "173.234.155.173": {
  4538. "x86": {
  4539. "BeaconType": "8 (HTTPS)",
  4540. "Port": "443",
  4541. "Polling": "5000",
  4542. "Jitter": "10",
  4543. "Maxdns": "235",
  4544. "C2 Server": "resfox.com,/us/ky/louisville/312-s-fourth-st.html,zeroflip.com,/us/ky/louisville/312-s-fourth-st.html",
  4545. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4546. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4547. "Header1": "",
  4548. "Header2": "",
  4549. "PipeName": "",
  4550. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4551. "DNS Sleep": "0",
  4552. "Method1": "GET",
  4553. "Method2": "POST",
  4554. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4555. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4556. "Proxy_AccessType": "2 (Use IE settings)"
  4557. }
  4558. },
  4559. "173.234.155.184": {
  4560. "x86": {
  4561. "BeaconType": "8 (HTTPS)",
  4562. "Port": "443",
  4563. "Polling": "30000",
  4564. "Jitter": "20",
  4565. "Maxdns": "255",
  4566. "C2 Server": "dealeva.com,/CWoNaJLBo/VTNeWw11212/",
  4567. "User Agent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)",
  4568. "HTTP Method Path 2": "/CWoNaJLBo/VTNeWw11213/",
  4569. "Header1": "",
  4570. "Header2": "",
  4571. "PipeName": "",
  4572. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4573. "DNS Sleep": "0",
  4574. "Method1": "GET",
  4575. "Method2": "POST",
  4576. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4577. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4578. "Proxy_AccessType": "2 (Use IE settings)"
  4579. },
  4580. "x64": {
  4581. "BeaconType": "8 (HTTPS)",
  4582. "Port": "443",
  4583. "Polling": "30000",
  4584. "Jitter": "20",
  4585. "Maxdns": "255",
  4586. "C2 Server": "dealeva.com,/CWoNaJLBo/VTNeWw11212/",
  4587. "User Agent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)",
  4588. "HTTP Method Path 2": "/CWoNaJLBo/VTNeWw11213/",
  4589. "Header1": "",
  4590. "Header2": "",
  4591. "PipeName": "",
  4592. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4593. "DNS Sleep": "0",
  4594. "Method1": "GET",
  4595. "Method2": "POST",
  4596. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4597. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4598. "Proxy_AccessType": "2 (Use IE settings)"
  4599. }
  4600. },
  4601. "173.234.155.54": {
  4602. "x86": {
  4603. "BeaconType": "8 (HTTPS)",
  4604. "Port": "443",
  4605. "Polling": "60000",
  4606. "Jitter": "0",
  4607. "Maxdns": "255",
  4608. "C2 Server": "img.intactlinks.com,/fwlink,print.intactlinks.com,/cx",
  4609. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; ; NCLIENT50_AAPCDA5841E333)",
  4610. "HTTP Method Path 2": "/submit.php",
  4611. "Header1": "",
  4612. "Header2": "",
  4613. "PipeName": "",
  4614. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4615. "DNS Sleep": "0",
  4616. "Method1": "GET",
  4617. "Method2": "POST",
  4618. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4619. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4620. "Proxy_AccessType": "2 (Use IE settings)"
  4621. },
  4622. "x64": {
  4623. "BeaconType": "8 (HTTPS)",
  4624. "Port": "443",
  4625. "Polling": "60000",
  4626. "Jitter": "0",
  4627. "Maxdns": "255",
  4628. "C2 Server": "img.intactlinks.com,/j.ad,print.intactlinks.com,/activity",
  4629. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
  4630. "HTTP Method Path 2": "/submit.php",
  4631. "Header1": "",
  4632. "Header2": "",
  4633. "PipeName": "",
  4634. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4635. "DNS Sleep": "0",
  4636. "Method1": "GET",
  4637. "Method2": "POST",
  4638. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4639. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4640. "Proxy_AccessType": "2 (Use IE settings)"
  4641. }
  4642. },
  4643. "173.234.155.55": {
  4644. "x86": {
  4645. "BeaconType": "8 (HTTPS)",
  4646. "Port": "443",
  4647. "Polling": "5000",
  4648. "Jitter": "37",
  4649. "Maxdns": "255",
  4650. "C2 Server": "cwsedge.net,/jquery-3.3.1.min.js",
  4651. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  4652. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  4653. "Header1": "",
  4654. "Header2": "",
  4655. "PipeName": "",
  4656. "DNS Idle": "J}\\xC4q",
  4657. "DNS Sleep": "0",
  4658. "Method1": "GET",
  4659. "Method2": "POST",
  4660. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  4661. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  4662. "Proxy_AccessType": "2 (Use IE settings)"
  4663. }
  4664. },
  4665. "173.234.155.75": {
  4666. "x64": {
  4667. "BeaconType": "8 (HTTPS)",
  4668. "Port": "443",
  4669. "Polling": "5000",
  4670. "Jitter": "10",
  4671. "Maxdns": "235",
  4672. "C2 Server": "likenic.com,/us/ky/louisville/312-s-fourth-st.html",
  4673. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4674. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4675. "Header1": "",
  4676. "Header2": "",
  4677. "PipeName": "",
  4678. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4679. "DNS Sleep": "0",
  4680. "Method1": "GET",
  4681. "Method2": "POST",
  4682. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4683. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4684. "Proxy_AccessType": "2 (Use IE settings)"
  4685. }
  4686. },
  4687. "173.234.155.85": {
  4688. "x86": {
  4689. "BeaconType": "8 (HTTPS)",
  4690. "Port": "443",
  4691. "Polling": "5000",
  4692. "Jitter": "10",
  4693. "Maxdns": "235",
  4694. "C2 Server": "arcnew.com,/us/ky/louisville/312-s-fourth-st.html",
  4695. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4696. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4697. "Header1": "",
  4698. "Header2": "",
  4699. "PipeName": "",
  4700. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4701. "DNS Sleep": "0",
  4702. "Method1": "GET",
  4703. "Method2": "POST",
  4704. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4705. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4706. "Proxy_AccessType": "2 (Use IE settings)"
  4707. },
  4708. "x64": {
  4709. "BeaconType": "8 (HTTPS)",
  4710. "Port": "443",
  4711. "Polling": "5000",
  4712. "Jitter": "10",
  4713. "Maxdns": "235",
  4714. "C2 Server": "arcnew.com,/us/ky/louisville/312-s-fourth-st.html",
  4715. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4716. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4717. "Header1": "",
  4718. "Header2": "",
  4719. "PipeName": "",
  4720. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4721. "DNS Sleep": "0",
  4722. "Method1": "GET",
  4723. "Method2": "POST",
  4724. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4725. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4726. "Proxy_AccessType": "2 (Use IE settings)"
  4727. }
  4728. },
  4729. "173.234.25.74": {
  4730. "x86": {
  4731. "BeaconType": "8 (HTTPS)",
  4732. "Port": "443",
  4733. "Polling": "60000",
  4734. "Jitter": "0",
  4735. "C2 Server": "45.170.251.101,/ga.js",
  4736. "HTTP Method Path 2": "/submit.php",
  4737. "Method1": "GET",
  4738. "Method2": "POST",
  4739. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4740. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4741. "Proxy_AccessType": "2 (Use IE settings)"
  4742. }
  4743. },
  4744. "173.234.25.75": {
  4745. "x64": {
  4746. "BeaconType": "8 (HTTPS)",
  4747. "Port": "443",
  4748. "Polling": "60000",
  4749. "Jitter": "0",
  4750. "C2 Server": "45.170.251.101,/updates.rss",
  4751. "HTTP Method Path 2": "/submit.php",
  4752. "Method1": "GET",
  4753. "Method2": "POST",
  4754. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4755. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4756. "Proxy_AccessType": "2 (Use IE settings)"
  4757. }
  4758. },
  4759. "173.234.25.76": {
  4760. "x86": {
  4761. "BeaconType": "8 (HTTPS)",
  4762. "Port": "443",
  4763. "Polling": "60000",
  4764. "Jitter": "0",
  4765. "C2 Server": "45.170.251.101,/ga.js",
  4766. "HTTP Method Path 2": "/submit.php",
  4767. "Method1": "GET",
  4768. "Method2": "POST",
  4769. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4770. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4771. "Proxy_AccessType": "2 (Use IE settings)"
  4772. }
  4773. },
  4774. "173.234.25.77": {
  4775. "x86": {
  4776. "BeaconType": "8 (HTTPS)",
  4777. "Port": "443",
  4778. "Polling": "60000",
  4779. "Jitter": "0",
  4780. "C2 Server": "45.170.251.101,/ga.js",
  4781. "HTTP Method Path 2": "/submit.php",
  4782. "Method1": "GET",
  4783. "Method2": "POST",
  4784. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4785. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4786. "Proxy_AccessType": "2 (Use IE settings)"
  4787. }
  4788. },
  4789. "173.234.25.78": {
  4790. "x86": {
  4791. "BeaconType": "8 (HTTPS)",
  4792. "Port": "443",
  4793. "Polling": "60000",
  4794. "Jitter": "0",
  4795. "C2 Server": "45.170.251.101,/ga.js",
  4796. "HTTP Method Path 2": "/submit.php",
  4797. "Method1": "GET",
  4798. "Method2": "POST",
  4799. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4800. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4801. "Proxy_AccessType": "2 (Use IE settings)"
  4802. },
  4803. "x64": {
  4804. "BeaconType": "8 (HTTPS)",
  4805. "Port": "443",
  4806. "Polling": "60000",
  4807. "Jitter": "0",
  4808. "C2 Server": "45.170.251.101,/updates.rss",
  4809. "HTTP Method Path 2": "/submit.php",
  4810. "Method1": "GET",
  4811. "Method2": "POST",
  4812. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4813. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4814. "Proxy_AccessType": "2 (Use IE settings)"
  4815. }
  4816. },
  4817. "176.105.254.220": {
  4818. "x64": {
  4819. "BeaconType": "8 (HTTPS)",
  4820. "Port": "443",
  4821. "Polling": "38310",
  4822. "Jitter": "35",
  4823. "Maxdns": "245",
  4824. "C2 Server": "chromeupdates.best,/admin",
  4825. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.227.0 Safari/536.3",
  4826. "HTTP Method Path 2": "/Login",
  4827. "Header1": "",
  4828. "Header2": "",
  4829. "PipeName": "",
  4830. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4831. "DNS Sleep": "0",
  4832. "Method1": "GET",
  4833. "Method2": "GET",
  4834. "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe",
  4835. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  4836. "Proxy_AccessType": "2 (Use IE settings)"
  4837. }
  4838. },
  4839. "176.121.14.229": {
  4840. "x86": {
  4841. "BeaconType": "8 (HTTPS)",
  4842. "Port": "443",
  4843. "Polling": "60000",
  4844. "Jitter": "0",
  4845. "Maxdns": "255",
  4846. "C2 Server": "176.121.14.229,/match",
  4847. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)",
  4848. "HTTP Method Path 2": "/submit.php",
  4849. "Header1": "",
  4850. "Header2": "",
  4851. "PipeName": "",
  4852. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4853. "DNS Sleep": "0",
  4854. "Method1": "GET",
  4855. "Method2": "POST",
  4856. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4857. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4858. "Proxy_AccessType": "2 (Use IE settings)"
  4859. }
  4860. },
  4861. "176.121.14.249": {
  4862. "x64": {
  4863. "BeaconType": "8 (HTTPS)",
  4864. "Port": "443",
  4865. "Polling": "60000",
  4866. "Jitter": "0",
  4867. "Maxdns": "255",
  4868. "C2 Server": "176.121.14.249,/j.ad",
  4869. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)",
  4870. "HTTP Method Path 2": "/submit.php",
  4871. "Header1": "",
  4872. "Header2": "",
  4873. "PipeName": "",
  4874. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4875. "DNS Sleep": "0",
  4876. "Method1": "GET",
  4877. "Method2": "POST",
  4878. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4879. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4880. "Proxy_AccessType": "2 (Use IE settings)"
  4881. }
  4882. },
  4883. "176.121.14.251": {
  4884. "x86": {
  4885. "BeaconType": "8 (HTTPS)",
  4886. "Port": "443",
  4887. "Polling": "60000",
  4888. "Jitter": "0",
  4889. "Maxdns": "255",
  4890. "C2 Server": "176.121.14.251,/updates.rss",
  4891. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)",
  4892. "HTTP Method Path 2": "/submit.php",
  4893. "Header1": "",
  4894. "Header2": "",
  4895. "PipeName": "",
  4896. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4897. "DNS Sleep": "0",
  4898. "Method1": "GET",
  4899. "Method2": "POST",
  4900. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4901. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4902. "Proxy_AccessType": "2 (Use IE settings)"
  4903. }
  4904. },
  4905. "176.123.8.228": {
  4906. "x86": {
  4907. "BeaconType": "8 (HTTPS)",
  4908. "Port": "443",
  4909. "Polling": "60000",
  4910. "Jitter": "0",
  4911. "Maxdns": "255",
  4912. "C2 Server": "176.123.8.228,/__utm.gif",
  4913. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
  4914. "HTTP Method Path 2": "/___utm.gif",
  4915. "Header1": "",
  4916. "Header2": "",
  4917. "PipeName": "",
  4918. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4919. "DNS Sleep": "0",
  4920. "Method1": "GET",
  4921. "Method2": "POST",
  4922. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4923. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4924. "Proxy_AccessType": "2 (Use IE settings)"
  4925. }
  4926. },
  4927. "178.128.105.13": {
  4928. "x86": {
  4929. "BeaconType": "8 (HTTPS)",
  4930. "Port": "443",
  4931. "Polling": "15000",
  4932. "Jitter": "90",
  4933. "Maxdns": "225",
  4934. "C2 Server": "ajax.microsoft.com,/gp/aj/private/reviewsGallery/get-image-gallery-assets,mscrl.microsoft.com,/wp-includes/js/script/indigo-migrate",
  4935. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  4936. "HTTP Method Path 2": "/gp/aw/ybh/handlers",
  4937. "Header1": "",
  4938. "Header2": "",
  4939. "PipeName": "",
  4940. "DNS Idle": "h\\xD8<\\x84",
  4941. "DNS Sleep": "0",
  4942. "Method1": "GET",
  4943. "Method2": "POST",
  4944. "Spawnto_x86": "%windir%\\syswow64\\WerFault.exe",
  4945. "Spawnto_x64": "%windir%\\sysnative\\WerFault.exe",
  4946. "Proxy_AccessType": "2 (Use IE settings)"
  4947. }
  4948. },
  4949. "178.128.187.10": {
  4950. "x64": {
  4951. "BeaconType": "8 (HTTPS)",
  4952. "Port": "443",
  4953. "Polling": "15000",
  4954. "Jitter": "90",
  4955. "C2 Server": "securetraining.org,/wp-includes/js/script/indigo-migrate",
  4956. "HTTP Method Path 2": "/v4/links/check-activity/check",
  4957. "Method1": "GET",
  4958. "Method2": "POST",
  4959. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  4960. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  4961. "Proxy_AccessType": "2 (Use IE settings)"
  4962. }
  4963. },
  4964. "178.238.228.90": {
  4965. "x86": {
  4966. "BeaconType": "8 (HTTPS)",
  4967. "Port": "443",
  4968. "Polling": "57236",
  4969. "Jitter": "37",
  4970. "Maxdns": "249",
  4971. "C2 Server": "178.238.228.90,/Content",
  4972. "User Agent": "Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0",
  4973. "HTTP Method Path 2": "/adminhtml",
  4974. "Header1": "",
  4975. "Header2": "",
  4976. "PipeName": "",
  4977. "DNS Idle": "\\xDC\\\\x92\\x8B",
  4978. "DNS Sleep": "0",
  4979. "Method1": "GET",
  4980. "Method2": "POST",
  4981. "Spawnto_x86": "%windir%\\syswow64\\runonce.exe",
  4982. "Spawnto_x64": "%windir%\\sysnative\\runonce.exe",
  4983. "Proxy_AccessType": "2 (Use IE settings)"
  4984. }
  4985. },
  4986. "178.79.134.144": {
  4987. "x86": {
  4988. "BeaconType": "8 (HTTPS)",
  4989. "Port": "443",
  4990. "Polling": "5000",
  4991. "Jitter": "0",
  4992. "Maxdns": "255",
  4993. "C2 Server": "tcpsessionsconnect.com,/idle/1376547834/1",
  4994. "User Agent": "Shockwave Flash",
  4995. "HTTP Method Path 2": "/send/1376547834/",
  4996. "Header1": "",
  4997. "Header2": "",
  4998. "PipeName": "",
  4999. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5000. "DNS Sleep": "0",
  5001. "Method1": "GET",
  5002. "Method2": "POST",
  5003. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5004. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5005. "Proxy_AccessType": "1 (Use direct connection)"
  5006. }
  5007. },
  5008. "18.144.133.24": {
  5009. "x64": {
  5010. "BeaconType": "8 (HTTPS)",
  5011. "Port": "443",
  5012. "Polling": "62658",
  5013. "Jitter": "39",
  5014. "C2 Server": "18.144.133.24,/search",
  5015. "HTTP Method Path 2": "/fo",
  5016. "Method1": "GET",
  5017. "Method2": "POST",
  5018. "Spawnto_x86": "%windir%\\syswow64\\runonce.exe",
  5019. "Spawnto_x64": "%windir%\\sysnative\\runonce.exe",
  5020. "Proxy_AccessType": "2 (Use IE settings)"
  5021. }
  5022. },
  5023. "18.156.114.88": {
  5024. "x86": {
  5025. "BeaconType": "8 (HTTPS)",
  5026. "Port": "443",
  5027. "Polling": "60000",
  5028. "Jitter": "20",
  5029. "C2 Server": "3.127.139.203,/c/msdownload/update/others/2020/11/KB152288_",
  5030. "HTTP Method Path 2": "/c/msdownload/update/others/2020/11/KB13434_",
  5031. "Method1": "GET",
  5032. "Method2": "GET",
  5033. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5034. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5035. "Proxy_AccessType": "2 (Use IE settings)"
  5036. }
  5037. },
  5038. "18.163.120.26": {
  5039. "x64": {
  5040. "BeaconType": "8 (HTTPS)",
  5041. "Port": "443",
  5042. "Polling": "60000",
  5043. "Jitter": "0",
  5044. "Maxdns": "255",
  5045. "C2 Server": "18.163.120.26,/__utm.gif",
  5046. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUSMSE)",
  5047. "HTTP Method Path 2": "/submit.php",
  5048. "Header1": "",
  5049. "Header2": "",
  5050. "PipeName": "",
  5051. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5052. "DNS Sleep": "0",
  5053. "Method1": "GET",
  5054. "Method2": "POST",
  5055. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5056. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5057. "Proxy_AccessType": "2 (Use IE settings)"
  5058. }
  5059. },
  5060. "18.163.195.231": {
  5061. "x86": {
  5062. "BeaconType": "8 (HTTPS)",
  5063. "Port": "443",
  5064. "Polling": "60000",
  5065. "Jitter": "20",
  5066. "Maxdns": "235",
  5067. "C2 Server": "18.166.71.96,/c/msdownload/update/others/2016/12/29136388_",
  5068. "User Agent": "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40",
  5069. "HTTP Method Path 2": "/c/msdownload/update/others/2016/12/3215234_",
  5070. "Header1": "",
  5071. "Header2": "",
  5072. "PipeName": "",
  5073. "DNS Idle": "\\x08\\x08\\x04\\x04",
  5074. "DNS Sleep": "0",
  5075. "Method1": "GET",
  5076. "Method2": "GET",
  5077. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5078. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5079. "Proxy_AccessType": "2 (Use IE settings)"
  5080. },
  5081. "x64": {
  5082. "BeaconType": "8 (HTTPS)",
  5083. "Port": "443",
  5084. "Polling": "60000",
  5085. "Jitter": "20",
  5086. "Maxdns": "235",
  5087. "C2 Server": "18.166.71.96,/c/msdownload/update/others/2016/12/29136388_",
  5088. "User Agent": "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40",
  5089. "HTTP Method Path 2": "/c/msdownload/update/others/2016/12/3215234_",
  5090. "Header1": "",
  5091. "Header2": "",
  5092. "PipeName": "",
  5093. "DNS Idle": "\\x08\\x08\\x04\\x04",
  5094. "DNS Sleep": "0",
  5095. "Method1": "GET",
  5096. "Method2": "GET",
  5097. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5098. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5099. "Proxy_AccessType": "2 (Use IE settings)"
  5100. }
  5101. },
  5102. "18.189.12.168": {
  5103. "x64": {
  5104. "BeaconType": "8 (HTTPS)",
  5105. "Port": "443",
  5106. "Polling": "60000",
  5107. "Jitter": "47",
  5108. "Maxdns": "255",
  5109. "C2 Server": "jquery.alrowadclinic.com,/jquery-3.3.1.min.js",
  5110. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  5111. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  5112. "Header1": "",
  5113. "Header2": "",
  5114. "PipeName": "",
  5115. "DNS Idle": "J}\\xC4q",
  5116. "DNS Sleep": "0",
  5117. "Method1": "GET",
  5118. "Method2": "POST",
  5119. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5120. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5121. "Proxy_AccessType": "2 (Use IE settings)"
  5122. }
  5123. },
  5124. "18.191.170.242": {
  5125. "x86": {
  5126. "BeaconType": "8 (HTTPS)",
  5127. "Port": "443",
  5128. "Polling": "5000",
  5129. "Jitter": "37",
  5130. "C2 Server": "18.191.170.242,/jquery-3.3.1.min.js",
  5131. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  5132. "Method1": "GET",
  5133. "Method2": "POST",
  5134. "Spawnto_x86": "%windir%\\syswow64\\WerFault.exe",
  5135. "Spawnto_x64": "%windir%\\sysnative\\WerFault.exe",
  5136. "Proxy_AccessType": "2 (Use IE settings)"
  5137. }
  5138. },
  5139. "18.191.221.167": {
  5140. "x86": {
  5141. "BeaconType": "8 (HTTPS)",
  5142. "Port": "443",
  5143. "Polling": "45000",
  5144. "Jitter": "37",
  5145. "Maxdns": "255",
  5146. "C2 Server": "18.191.221.167,/jquery-3.3.1.min.js",
  5147. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  5148. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  5149. "Header1": "",
  5150. "Header2": "",
  5151. "PipeName": "",
  5152. "DNS Idle": "J}\\xC4q",
  5153. "DNS Sleep": "0",
  5154. "Method1": "GET",
  5155. "Method2": "POST",
  5156. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  5157. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  5158. "Proxy_AccessType": "2 (Use IE settings)"
  5159. }
  5160. },
  5161. "18.191.221.28": {
  5162. "x86": {
  5163. "BeaconType": "8 (HTTPS)",
  5164. "Port": "443",
  5165. "Polling": "6700",
  5166. "Jitter": "13",
  5167. "Maxdns": "247",
  5168. "C2 Server": "cmpinsurance.com,/s/ref=nb_sb_noss_1/122-66617254-9010232/field-keywords=problem",
  5169. "User Agent": "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0",
  5170. "HTTP Method Path 2": "/N1547/adj/amzn.us.sr.aps",
  5171. "Header1": "",
  5172. "Header2": "",
  5173. "PipeName": "",
  5174. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5175. "DNS Sleep": "0",
  5176. "Method1": "GET",
  5177. "Method2": "POST",
  5178. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  5179. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  5180. "Proxy_AccessType": "2 (Use IE settings)"
  5181. }
  5182. },
  5183. "18.206.136.219": {
  5184. "x64": {
  5185. "BeaconType": "8 (HTTPS)",
  5186. "Port": "443",
  5187. "Polling": "62177",
  5188. "Jitter": "43",
  5189. "Maxdns": "254",
  5190. "C2 Server": "utils.couch2kubernetes.com,/mobile-home",
  5191. "User Agent": "Mozilla/5.0 (Linux; Android 6.0; HTC One X10 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0",
  5192. "HTTP Method Path 2": "/posting",
  5193. "Header1": "",
  5194. "Header2": "",
  5195. "PipeName": "",
  5196. "DNS Idle": ":Sg?",
  5197. "DNS Sleep": "0",
  5198. "Method1": "GET",
  5199. "Method2": "POST",
  5200. "Spawnto_x86": "%windir%\\syswow64\\runonce.exe",
  5201. "Spawnto_x64": "%windir%\\sysnative\\runonce.exe",
  5202. "Proxy_AccessType": "2 (Use IE settings)"
  5203. }
  5204. },
  5205. "18.212.159.80": {
  5206. "x64": {
  5207. "BeaconType": "8 (HTTPS)",
  5208. "Port": "443",
  5209. "Polling": "10000",
  5210. "Jitter": "10",
  5211. "C2 Server": "d2mq9y2bddy4j9.cloudfront.net,/ec2/",
  5212. "HTTP Method Path 2": "/console/home/ec2",
  5213. "Method1": "GET",
  5214. "Method2": "POST",
  5215. "Spawnto_x86": "%windir%\\syswow64\\wermgr.exe",
  5216. "Spawnto_x64": "%windir%\\sysnative\\wermgr.exe",
  5217. "Proxy_AccessType": "2 (Use IE settings)"
  5218. }
  5219. },
  5220. "18.223.155.112": {
  5221. "x86": {
  5222. "BeaconType": "8 (HTTPS)",
  5223. "Port": "443",
  5224. "Polling": "60000",
  5225. "Jitter": "0",
  5226. "Maxdns": "255",
  5227. "C2 Server": "18.223.155.112,/match",
  5228. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; MATBJS)",
  5229. "HTTP Method Path 2": "/submit.php",
  5230. "Header1": "",
  5231. "Header2": "",
  5232. "PipeName": "",
  5233. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5234. "DNS Sleep": "0",
  5235. "Method1": "GET",
  5236. "Method2": "POST",
  5237. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5238. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5239. "Proxy_AccessType": "2 (Use IE settings)"
  5240. }
  5241. },
  5242. "182.254.180.180": {
  5243. "x64": {
  5244. "BeaconType": "8 (HTTPS)",
  5245. "Port": "443",
  5246. "Polling": "60000",
  5247. "Jitter": "0",
  5248. "Maxdns": "255",
  5249. "C2 Server": "182.254.180.180,/en_US/all.js",
  5250. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; yie9)",
  5251. "HTTP Method Path 2": "/submit.php",
  5252. "Header1": "",
  5253. "Header2": "",
  5254. "PipeName": "",
  5255. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5256. "DNS Sleep": "0",
  5257. "Method1": "GET",
  5258. "Method2": "POST",
  5259. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5260. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5261. "Proxy_AccessType": "2 (Use IE settings)"
  5262. }
  5263. },
  5264. "182.92.120.156": {
  5265. "x86": {
  5266. "BeaconType": "8 (HTTPS)",
  5267. "Port": "443",
  5268. "Polling": "60000",
  5269. "Jitter": "0",
  5270. "Maxdns": "255",
  5271. "C2 Server": "182.92.120.156,/visit.js",
  5272. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; XBLWP7; ZuneWP7)",
  5273. "HTTP Method Path 2": "/submit.php",
  5274. "Header1": "",
  5275. "Header2": "",
  5276. "PipeName": "",
  5277. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5278. "DNS Sleep": "0",
  5279. "Method1": "GET",
  5280. "Method2": "POST",
  5281. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5282. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5283. "Proxy_AccessType": "2 (Use IE settings)"
  5284. }
  5285. },
  5286. "185.14.30.217": {
  5287. "x86": {
  5288. "BeaconType": "8 (HTTPS)",
  5289. "Port": "443",
  5290. "Polling": "5000",
  5291. "Jitter": "0",
  5292. "C2 Server": "185.14.30.217,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  5293. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  5294. "Method1": "GET",
  5295. "Method2": "POST",
  5296. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5297. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5298. "Proxy_AccessType": "2 (Use IE settings)"
  5299. },
  5300. "x64": {
  5301. "BeaconType": "8 (HTTPS)",
  5302. "Port": "443",
  5303. "Polling": "5000",
  5304. "Jitter": "0",
  5305. "C2 Server": "185.14.30.217,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  5306. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  5307. "Method1": "GET",
  5308. "Method2": "POST",
  5309. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5310. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5311. "Proxy_AccessType": "2 (Use IE settings)"
  5312. }
  5313. },
  5314. "185.150.117.142": {
  5315. "x86": {
  5316. "BeaconType": "8 (HTTPS)",
  5317. "Port": "443",
  5318. "Polling": "60000",
  5319. "Jitter": "0",
  5320. "Maxdns": "255",
  5321. "C2 Server": "185.150.117.142,/activity",
  5322. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)",
  5323. "HTTP Method Path 2": "/submit.php",
  5324. "Header1": "",
  5325. "Header2": "",
  5326. "PipeName": "",
  5327. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5328. "DNS Sleep": "0",
  5329. "Method1": "GET",
  5330. "Method2": "POST",
  5331. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5332. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5333. "Proxy_AccessType": "2 (Use IE settings)"
  5334. }
  5335. },
  5336. "185.150.119.148": {
  5337. "x86": {
  5338. "BeaconType": "8 (HTTPS)",
  5339. "Port": "443",
  5340. "Polling": "60000",
  5341. "Jitter": "15",
  5342. "C2 Server": "185.150.119.148,/_/scs/mail-static/_/js/",
  5343. "HTTP Method Path 2": "/mail/u/0/",
  5344. "Method1": "GET",
  5345. "Method2": "POST",
  5346. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5347. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5348. "Proxy_AccessType": "2 (Use IE settings)"
  5349. }
  5350. },
  5351. "185.150.190.113": {
  5352. "x86": {
  5353. "BeaconType": "8 (HTTPS)",
  5354. "Port": "443",
  5355. "Polling": "5000",
  5356. "Jitter": "10",
  5357. "Maxdns": "235",
  5358. "C2 Server": "topevi.com,/us/ky/louisville/312-s-fourth-st.html",
  5359. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  5360. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  5361. "Header1": "",
  5362. "Header2": "",
  5363. "PipeName": "",
  5364. "DNS Idle": "\\x08\\x08\\x08\\x08",
  5365. "DNS Sleep": "0",
  5366. "Method1": "GET",
  5367. "Method2": "POST",
  5368. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  5369. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  5370. "Proxy_AccessType": "2 (Use IE settings)"
  5371. }
  5372. },
  5373. "185.150.190.204": {
  5374. "x86": {
  5375. "BeaconType": "8 (HTTPS)",
  5376. "Port": "443",
  5377. "Polling": "5000",
  5378. "Jitter": "10",
  5379. "Maxdns": "235",
  5380. "C2 Server": "regbest.com,/us/ky/louisville/312-s-fourth-st.html",
  5381. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  5382. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  5383. "Header1": "",
  5384. "Header2": "",
  5385. "PipeName": "",
  5386. "DNS Idle": "\\x08\\x08\\x08\\x08",
  5387. "DNS Sleep": "0",
  5388. "Method1": "GET",
  5389. "Method2": "POST",
  5390. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  5391. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  5392. "Proxy_AccessType": "2 (Use IE settings)"
  5393. },
  5394. "x64": {
  5395. "BeaconType": "8 (HTTPS)",
  5396. "Port": "443",
  5397. "Polling": "5000",
  5398. "Jitter": "10",
  5399. "Maxdns": "235",
  5400. "C2 Server": "regbest.com,/us/ky/louisville/312-s-fourth-st.html",
  5401. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  5402. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  5403. "Header1": "",
  5404. "Header2": "",
  5405. "PipeName": "",
  5406. "DNS Idle": "\\x08\\x08\\x08\\x08",
  5407. "DNS Sleep": "0",
  5408. "Method1": "GET",
  5409. "Method2": "POST",
  5410. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  5411. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  5412. "Proxy_AccessType": "2 (Use IE settings)"
  5413. }
  5414. },
  5415. "185.153.196.130": {
  5416. "x86": {
  5417. "BeaconType": "8 (HTTPS)",
  5418. "Port": "443",
  5419. "Polling": "60000",
  5420. "Jitter": "0",
  5421. "Maxdns": "255",
  5422. "C2 Server": "185.153.196.130,/match",
  5423. "User Agent": "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent",
  5424. "HTTP Method Path 2": "/submit.php",
  5425. "Header1": "",
  5426. "Header2": "",
  5427. "PipeName": "",
  5428. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5429. "DNS Sleep": "0",
  5430. "Method1": "GET",
  5431. "Method2": "POST",
  5432. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5433. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5434. "Proxy_AccessType": "2 (Use IE settings)"
  5435. }
  5436. },
  5437. "185.158.249.123": {
  5438. "x64": {
  5439. "BeaconType": "8 (HTTPS)",
  5440. "Port": "443",
  5441. "Polling": "60000",
  5442. "Jitter": "0",
  5443. "Maxdns": "255",
  5444. "C2 Server": "185.158.249.123,/cm",
  5445. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)",
  5446. "HTTP Method Path 2": "/submit.php",
  5447. "Header1": "",
  5448. "Header2": "",
  5449. "PipeName": "",
  5450. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5451. "DNS Sleep": "0",
  5452. "Method1": "GET",
  5453. "Method2": "POST",
  5454. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5455. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5456. "Proxy_AccessType": "2 (Use IE settings)"
  5457. }
  5458. },
  5459. "185.162.235.111": {
  5460. "x64": {
  5461. "BeaconType": "8 (HTTPS)",
  5462. "Port": "443",
  5463. "Polling": "60000",
  5464. "Jitter": "0",
  5465. "Maxdns": "255",
  5466. "C2 Server": "185.162.235.111,/visit.js",
  5467. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; LBBROWSER)",
  5468. "HTTP Method Path 2": "/submit.php",
  5469. "Header1": "",
  5470. "Header2": "",
  5471. "PipeName": "",
  5472. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5473. "DNS Sleep": "0",
  5474. "Method1": "GET",
  5475. "Method2": "POST",
  5476. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5477. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5478. "Proxy_AccessType": "2 (Use IE settings)"
  5479. }
  5480. },
  5481. "185.162.235.35": {
  5482. "x86": {
  5483. "BeaconType": "8 (HTTPS)",
  5484. "Port": "443",
  5485. "Polling": "60000",
  5486. "Jitter": "0",
  5487. "Maxdns": "255",
  5488. "C2 Server": "185.162.235.35,/dot.gif",
  5489. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)",
  5490. "HTTP Method Path 2": "/submit.php",
  5491. "Header1": "",
  5492. "Header2": "",
  5493. "PipeName": "",
  5494. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5495. "DNS Sleep": "0",
  5496. "Method1": "GET",
  5497. "Method2": "POST",
  5498. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5499. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5500. "Proxy_AccessType": "2 (Use IE settings)"
  5501. }
  5502. },
  5503. "185.162.235.61": {
  5504. "x86": {
  5505. "BeaconType": "8 (HTTPS)",
  5506. "Port": "443",
  5507. "Polling": "60000",
  5508. "Jitter": "0",
  5509. "Maxdns": "255",
  5510. "C2 Server": "185.162.235.61,/fwlink",
  5511. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; Touch; ASU2JS)",
  5512. "HTTP Method Path 2": "/submit.php",
  5513. "Header1": "",
  5514. "Header2": "",
  5515. "PipeName": "",
  5516. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5517. "DNS Sleep": "0",
  5518. "Method1": "GET",
  5519. "Method2": "POST",
  5520. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5521. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5522. "Proxy_AccessType": "2 (Use IE settings)"
  5523. },
  5524. "x64": {
  5525. "BeaconType": "8 (HTTPS)",
  5526. "Port": "443",
  5527. "Polling": "60000",
  5528. "Jitter": "0",
  5529. "Maxdns": "255",
  5530. "C2 Server": "185.162.235.61,/cx",
  5531. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; MATBJS)",
  5532. "HTTP Method Path 2": "/submit.php",
  5533. "Header1": "",
  5534. "Header2": "",
  5535. "PipeName": "",
  5536. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5537. "DNS Sleep": "0",
  5538. "Method1": "GET",
  5539. "Method2": "POST",
  5540. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5541. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5542. "Proxy_AccessType": "2 (Use IE settings)"
  5543. }
  5544. },
  5545. "185.189.151.92": {
  5546. "x86": {
  5547. "BeaconType": "8 (HTTPS)",
  5548. "Port": "443",
  5549. "Polling": "60000",
  5550. "Jitter": "0",
  5551. "Maxdns": "255",
  5552. "C2 Server": "185.189.151.92,/activity",
  5553. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; BOIE9;ENUSMSNIP)",
  5554. "HTTP Method Path 2": "/submit.php",
  5555. "Header1": "",
  5556. "Header2": "",
  5557. "PipeName": "",
  5558. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5559. "DNS Sleep": "0",
  5560. "Method1": "GET",
  5561. "Method2": "POST",
  5562. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5563. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5564. "Proxy_AccessType": "2 (Use IE settings)"
  5565. },
  5566. "x64": {
  5567. "BeaconType": "8 (HTTPS)",
  5568. "Port": "443",
  5569. "Polling": "60000",
  5570. "Jitter": "0",
  5571. "Maxdns": "255",
  5572. "C2 Server": "185.189.151.92,/dot.gif",
  5573. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; MATBJS)",
  5574. "HTTP Method Path 2": "/submit.php",
  5575. "Header1": "",
  5576. "Header2": "",
  5577. "PipeName": "",
  5578. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5579. "DNS Sleep": "0",
  5580. "Method1": "GET",
  5581. "Method2": "POST",
  5582. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5583. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5584. "Proxy_AccessType": "2 (Use IE settings)"
  5585. }
  5586. },
  5587. "185.191.32.168": {
  5588. "x86": {
  5589. "BeaconType": "8 (HTTPS)",
  5590. "Port": "443",
  5591. "Polling": "45000",
  5592. "Jitter": "37",
  5593. "Maxdns": "255",
  5594. "C2 Server": "185.191.32.168,/jquery-3.3.1.min.js",
  5595. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  5596. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  5597. "Header1": "",
  5598. "Header2": "",
  5599. "PipeName": "",
  5600. "DNS Idle": "J}\\xC4q",
  5601. "DNS Sleep": "0",
  5602. "Method1": "GET",
  5603. "Method2": "POST",
  5604. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  5605. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  5606. "Proxy_AccessType": "2 (Use IE settings)"
  5607. }
  5608. },
  5609. "185.191.32.180": {
  5610. "x64": {
  5611. "BeaconType": "8 (HTTPS)",
  5612. "Port": "443",
  5613. "Polling": "60000",
  5614. "Jitter": "0",
  5615. "Maxdns": "255",
  5616. "C2 Server": "185.191.32.180,/en_US/all.js",
  5617. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
  5618. "HTTP Method Path 2": "/submit.php",
  5619. "Header1": "",
  5620. "Header2": "",
  5621. "PipeName": "",
  5622. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5623. "DNS Sleep": "0",
  5624. "Method1": "GET",
  5625. "Method2": "POST",
  5626. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5627. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5628. "Proxy_AccessType": "2 (Use IE settings)"
  5629. }
  5630. },
  5631. "185.201.47.155": {
  5632. "x86": {
  5633. "BeaconType": "8 (HTTPS)",
  5634. "Port": "443",
  5635. "Polling": "60000",
  5636. "Jitter": "0",
  5637. "Maxdns": "255",
  5638. "C2 Server": "thie7keiz2eu2eeshoog.greenyellow.xyz,/ga.js,Oophofeip9aiph4zoo6e.greenyellow.site,/dpixel,eeTaicaiT4eeceingoz9.greenyellow.fun,/visit.js",
  5639. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
  5640. "HTTP Method Path 2": "/submit.php",
  5641. "Header1": "",
  5642. "Header2": "",
  5643. "PipeName": "",
  5644. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5645. "DNS Sleep": "0",
  5646. "Method1": "GET",
  5647. "Method2": "POST",
  5648. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5649. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5650. "Proxy_AccessType": "2 (Use IE settings)"
  5651. },
  5652. "x64": {
  5653. "BeaconType": "8 (HTTPS)",
  5654. "Port": "443",
  5655. "Polling": "60000",
  5656. "Jitter": "0",
  5657. "Maxdns": "255",
  5658. "C2 Server": "thie7keiz2eu2eeshoog.greenyellow.xyz,/cm,Oophofeip9aiph4zoo6e.greenyellow.site,/cx,eeTaicaiT4eeceingoz9.greenyellow.fun,/dot.gif",
  5659. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)",
  5660. "HTTP Method Path 2": "/submit.php",
  5661. "Header1": "",
  5662. "Header2": "",
  5663. "PipeName": "",
  5664. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5665. "DNS Sleep": "0",
  5666. "Method1": "GET",
  5667. "Method2": "POST",
  5668. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5669. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5670. "Proxy_AccessType": "2 (Use IE settings)"
  5671. }
  5672. },
  5673. "185.225.19.140": {
  5674. "x86": {
  5675. "BeaconType": "8 (HTTPS)",
  5676. "Port": "443",
  5677. "Polling": "60000",
  5678. "Jitter": "20",
  5679. "Maxdns": "255",
  5680. "C2 Server": "185.225.19.140,/c/msdownload/update/others/2020/10/29136388_",
  5681. "User Agent": "Windows-Update-Agent/10.0.10022.16384 Client-Protocol/1.40",
  5682. "HTTP Method Path 2": "/c/msdownload/update/others/2020/10/28986731_",
  5683. "Header1": "",
  5684. "Header2": "",
  5685. "PipeName": "",
  5686. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5687. "DNS Sleep": "0",
  5688. "Method1": "GET",
  5689. "Method2": "POST",
  5690. "Spawnto_x86": "%windir%\\syswow64\\wusa.exe",
  5691. "Spawnto_x64": "%windir%\\sysnative\\wusa.exe",
  5692. "Proxy_AccessType": "2 (Use IE settings)"
  5693. }
  5694. },
  5695. "185.227.82.66": {
  5696. "x86": {
  5697. "BeaconType": "8 (HTTPS)",
  5698. "Port": "443",
  5699. "Polling": "60000",
  5700. "Jitter": "0",
  5701. "Maxdns": "255",
  5702. "C2 Server": "185.227.82.66,/push",
  5703. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSCOM)",
  5704. "HTTP Method Path 2": "/submit.php",
  5705. "Header1": "",
  5706. "Header2": "",
  5707. "PipeName": "",
  5708. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5709. "DNS Sleep": "0",
  5710. "Method1": "GET",
  5711. "Method2": "POST",
  5712. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5713. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5714. "Proxy_AccessType": "2 (Use IE settings)"
  5715. }
  5716. },
  5717. "185.232.52.137": {
  5718. "x86": {
  5719. "BeaconType": "8 (HTTPS)",
  5720. "Port": "443",
  5721. "Polling": "60000",
  5722. "Jitter": "0",
  5723. "Maxdns": "255",
  5724. "C2 Server": "185.232.52.137,/g.pixel",
  5725. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
  5726. "HTTP Method Path 2": "/submit.php",
  5727. "Header1": "",
  5728. "Header2": "",
  5729. "PipeName": "",
  5730. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5731. "DNS Sleep": "0",
  5732. "Method1": "GET",
  5733. "Method2": "POST",
  5734. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5735. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5736. "Proxy_AccessType": "2 (Use IE settings)"
  5737. },
  5738. "x64": {
  5739. "BeaconType": "8 (HTTPS)",
  5740. "Port": "443",
  5741. "Polling": "60000",
  5742. "Jitter": "0",
  5743. "Maxdns": "255",
  5744. "C2 Server": "185.232.52.137,/pixel",
  5745. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) LBBROWSER",
  5746. "HTTP Method Path 2": "/submit.php",
  5747. "Header1": "",
  5748. "Header2": "",
  5749. "PipeName": "",
  5750. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5751. "DNS Sleep": "0",
  5752. "Method1": "GET",
  5753. "Method2": "POST",
  5754. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5755. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5756. "Proxy_AccessType": "2 (Use IE settings)"
  5757. }
  5758. },
  5759. "185.232.52.143": {
  5760. "x64": {
  5761. "BeaconType": "8 (HTTPS)",
  5762. "Port": "443",
  5763. "Polling": "60000",
  5764. "Jitter": "0",
  5765. "Maxdns": "255",
  5766. "C2 Server": "185.232.52.143,/ptj",
  5767. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
  5768. "HTTP Method Path 2": "/submit.php",
  5769. "Header1": "",
  5770. "Header2": "",
  5771. "PipeName": "",
  5772. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5773. "DNS Sleep": "0",
  5774. "Method1": "GET",
  5775. "Method2": "POST",
  5776. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5777. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5778. "Proxy_AccessType": "2 (Use IE settings)"
  5779. }
  5780. },
  5781. "185.238.169.166": {
  5782. "x86": {
  5783. "BeaconType": "8 (HTTPS)",
  5784. "Port": "443",
  5785. "Polling": "5000",
  5786. "Jitter": "10",
  5787. "Maxdns": "235",
  5788. "C2 Server": "rinnosaur.com,/us/ky/louisville/312-s-fourth-st.html",
  5789. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  5790. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  5791. "Header1": "",
  5792. "Header2": "",
  5793. "PipeName": "",
  5794. "DNS Idle": "\\x08\\x08\\x08\\x08",
  5795. "DNS Sleep": "0",
  5796. "Method1": "GET",
  5797. "Method2": "POST",
  5798. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  5799. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  5800. "Proxy_AccessType": "2 (Use IE settings)"
  5801. }
  5802. },
  5803. "185.244.149.152": {
  5804. "x64": {
  5805. "BeaconType": "8 (HTTPS)",
  5806. "Port": "443",
  5807. "Polling": "60000",
  5808. "Jitter": "0",
  5809. "Maxdns": "255",
  5810. "C2 Server": "yambanetsdev.net,/g.pixel",
  5811. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
  5812. "HTTP Method Path 2": "/submit.php",
  5813. "Header1": "",
  5814. "Header2": "",
  5815. "PipeName": "",
  5816. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5817. "DNS Sleep": "0",
  5818. "Method1": "GET",
  5819. "Method2": "POST",
  5820. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5821. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5822. "Proxy_AccessType": "2 (Use IE settings)"
  5823. }
  5824. },
  5825. "185.244.39.110": {
  5826. "x86": {
  5827. "BeaconType": "8 (HTTPS)",
  5828. "Port": "443",
  5829. "Polling": "45000",
  5830. "Jitter": "37",
  5831. "Maxdns": "255",
  5832. "C2 Server": "185.244.39.110,/jquery-3.3.1.min.js",
  5833. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  5834. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  5835. "Header1": "",
  5836. "Header2": "",
  5837. "PipeName": "",
  5838. "DNS Idle": "J}\\xC4q",
  5839. "DNS Sleep": "0",
  5840. "Method1": "GET",
  5841. "Method2": "POST",
  5842. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  5843. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  5844. "Proxy_AccessType": "2 (Use IE settings)"
  5845. },
  5846. "x64": {
  5847. "BeaconType": "8 (HTTPS)",
  5848. "Port": "443",
  5849. "Polling": "45000",
  5850. "Jitter": "37",
  5851. "Maxdns": "255",
  5852. "C2 Server": "185.244.39.110,/jquery-3.3.1.min.js",
  5853. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  5854. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  5855. "Header1": "",
  5856. "Header2": "",
  5857. "PipeName": "",
  5858. "DNS Idle": "J}\\xC4q",
  5859. "DNS Sleep": "0",
  5860. "Method1": "GET",
  5861. "Method2": "POST",
  5862. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  5863. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  5864. "Proxy_AccessType": "2 (Use IE settings)"
  5865. }
  5866. },
  5867. "185.62.189.116": {
  5868. "x64": {
  5869. "BeaconType": "8 (HTTPS)",
  5870. "Port": "443",
  5871. "Polling": "10000",
  5872. "Jitter": "37",
  5873. "Maxdns": "255",
  5874. "C2 Server": "ojbg.sigiwendksgna.com,/jquery-3.3.1.min.js",
  5875. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  5876. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  5877. "Header1": "",
  5878. "Header2": "",
  5879. "PipeName": "",
  5880. "DNS Idle": "J}\\xC4q",
  5881. "DNS Sleep": "0",
  5882. "Method1": "GET",
  5883. "Method2": "POST",
  5884. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  5885. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  5886. "Proxy_AccessType": "2 (Use IE settings)"
  5887. }
  5888. },
  5889. "185.82.126.47": {
  5890. "x86": {
  5891. "BeaconType": "8 (HTTPS)",
  5892. "Port": "443",
  5893. "Polling": "60000",
  5894. "Jitter": "0",
  5895. "Maxdns": "255",
  5896. "C2 Server": "185.82.126.47,/pixel",
  5897. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MASB)",
  5898. "HTTP Method Path 2": "/submit.php",
  5899. "Header1": "",
  5900. "Header2": "",
  5901. "PipeName": "",
  5902. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5903. "DNS Sleep": "0",
  5904. "Method1": "GET",
  5905. "Method2": "POST",
  5906. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5907. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5908. "Proxy_AccessType": "2 (Use IE settings)"
  5909. }
  5910. },
  5911. "188.119.112.174": {
  5912. "x86": {
  5913. "BeaconType": "8 (HTTPS)",
  5914. "Port": "8081",
  5915. "Polling": "30000",
  5916. "Jitter": "20",
  5917. "Maxdns": "255",
  5918. "C2 Server": "girls4dating.asia,/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2",
  5919. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  5920. "HTTP Method Path 2": "/safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4",
  5921. "Header1": "",
  5922. "Header2": "",
  5923. "PipeName": "",
  5924. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5925. "DNS Sleep": "0",
  5926. "Method1": "GET",
  5927. "Method2": "POST",
  5928. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5929. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5930. "Proxy_AccessType": "2 (Use IE settings)"
  5931. },
  5932. "x64": {
  5933. "BeaconType": "8 (HTTPS)",
  5934. "Port": "8081",
  5935. "Polling": "30000",
  5936. "Jitter": "20",
  5937. "Maxdns": "255",
  5938. "C2 Server": "girls4dating.asia,/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2",
  5939. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  5940. "HTTP Method Path 2": "/safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4",
  5941. "Header1": "",
  5942. "Header2": "",
  5943. "PipeName": "",
  5944. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5945. "DNS Sleep": "0",
  5946. "Method1": "GET",
  5947. "Method2": "POST",
  5948. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5949. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5950. "Proxy_AccessType": "2 (Use IE settings)"
  5951. }
  5952. },
  5953. "188.119.113.18": {
  5954. "x86": {
  5955. "BeaconType": "0 (HTTP)",
  5956. "Port": "443",
  5957. "Polling": "7000",
  5958. "Jitter": "0",
  5959. "Maxdns": "255",
  5960. "C2 Server": "hopetmone.com,/jquery-3.3.1.min.js",
  5961. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  5962. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  5963. "Header1": "",
  5964. "Header2": "",
  5965. "PipeName": "",
  5966. "DNS Idle": "J}\\xC4q",
  5967. "DNS Sleep": "0",
  5968. "Method1": "GET",
  5969. "Method2": "POST",
  5970. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  5971. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  5972. "Proxy_AccessType": "2 (Use IE settings)"
  5973. },
  5974. "x64": {
  5975. "BeaconType": "0 (HTTP)",
  5976. "Port": "443",
  5977. "Polling": "7000",
  5978. "Jitter": "0",
  5979. "Maxdns": "255",
  5980. "C2 Server": "hopetmone.com,/jquery-3.3.1.min.js",
  5981. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  5982. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  5983. "Header1": "",
  5984. "Header2": "",
  5985. "PipeName": "",
  5986. "DNS Idle": "J}\\xC4q",
  5987. "DNS Sleep": "0",
  5988. "Method1": "GET",
  5989. "Method2": "POST",
  5990. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  5991. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  5992. "Proxy_AccessType": "2 (Use IE settings)"
  5993. }
  5994. },
  5995. "192.111.144.210": {
  5996. "x64": {
  5997. "BeaconType": "8 (HTTPS)",
  5998. "Port": "443",
  5999. "Polling": "5000",
  6000. "Jitter": "10",
  6001. "Maxdns": "235",
  6002. "C2 Server": "repshd.com,/us/ky/louisville/312-s-fourth-st.html,pinglis.com,/us/ky/louisville/312-s-fourth-st.html,stargut.com,/us/ky/louisville/312-s-fourth-st.html",
  6003. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  6004. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  6005. "Header1": "",
  6006. "Header2": "",
  6007. "PipeName": "",
  6008. "DNS Idle": "\\x08\\x08\\x08\\x08",
  6009. "DNS Sleep": "0",
  6010. "Method1": "GET",
  6011. "Method2": "POST",
  6012. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  6013. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  6014. "Proxy_AccessType": "2 (Use IE settings)"
  6015. }
  6016. },
  6017. "192.119.110.81": {
  6018. "x64": {
  6019. "BeaconType": "8 (HTTPS)",
  6020. "Port": "443",
  6021. "Polling": "60000",
  6022. "Jitter": "0",
  6023. "Maxdns": "255",
  6024. "C2 Server": "192.119.111.117,/IE9CompatViewList.xml",
  6025. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; MAARJS)",
  6026. "HTTP Method Path 2": "/submit.php",
  6027. "Header1": "",
  6028. "Header2": "",
  6029. "PipeName": "",
  6030. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6031. "DNS Sleep": "0",
  6032. "Method1": "GET",
  6033. "Method2": "POST",
  6034. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6035. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6036. "Proxy_AccessType": "2 (Use IE settings)"
  6037. }
  6038. },
  6039. "192.119.111.117": {
  6040. "x86": {
  6041. "BeaconType": "8 (HTTPS)",
  6042. "Port": "443",
  6043. "Polling": "60000",
  6044. "Jitter": "0",
  6045. "Maxdns": "255",
  6046. "C2 Server": "192.119.111.117,/cm",
  6047. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; NP06)",
  6048. "HTTP Method Path 2": "/submit.php",
  6049. "Header1": "",
  6050. "Header2": "",
  6051. "PipeName": "",
  6052. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6053. "DNS Sleep": "0",
  6054. "Method1": "GET",
  6055. "Method2": "POST",
  6056. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6057. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6058. "Proxy_AccessType": "2 (Use IE settings)"
  6059. },
  6060. "x64": {
  6061. "BeaconType": "8 (HTTPS)",
  6062. "Port": "443",
  6063. "Polling": "60000",
  6064. "Jitter": "0",
  6065. "Maxdns": "255",
  6066. "C2 Server": "192.119.111.117,/IE9CompatViewList.xml",
  6067. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; MAARJS)",
  6068. "HTTP Method Path 2": "/submit.php",
  6069. "Header1": "",
  6070. "Header2": "",
  6071. "PipeName": "",
  6072. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6073. "DNS Sleep": "0",
  6074. "Method1": "GET",
  6075. "Method2": "POST",
  6076. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6077. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6078. "Proxy_AccessType": "2 (Use IE settings)"
  6079. }
  6080. },
  6081. "192.119.111.155": {
  6082. "x86": {
  6083. "BeaconType": "8 (HTTPS)",
  6084. "Port": "443",
  6085. "Polling": "60000",
  6086. "Jitter": "0",
  6087. "Maxdns": "255",
  6088. "C2 Server": "192.119.111.117,/cm",
  6089. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; NP06)",
  6090. "HTTP Method Path 2": "/submit.php",
  6091. "Header1": "",
  6092. "Header2": "",
  6093. "PipeName": "",
  6094. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6095. "DNS Sleep": "0",
  6096. "Method1": "GET",
  6097. "Method2": "POST",
  6098. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6099. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6100. "Proxy_AccessType": "2 (Use IE settings)"
  6101. }
  6102. },
  6103. "192.119.92.16": {
  6104. "x86": {
  6105. "BeaconType": "8 (HTTPS)",
  6106. "Port": "443",
  6107. "Polling": "59558",
  6108. "Jitter": "41",
  6109. "Maxdns": "241",
  6110. "C2 Server": "qw.client-update.xyz,/kj.html,as.client-update.xyz,/kj.html,zx.client-update.xyz,/kj.html",
  6111. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36",
  6112. "HTTP Method Path 2": "/temp",
  6113. "Header1": "",
  6114. "Header2": "",
  6115. "PipeName": "",
  6116. "DNS Idle": "\\xA7\\x99\\x1D\\x01",
  6117. "DNS Sleep": "0",
  6118. "Method1": "GET",
  6119. "Method2": "POST",
  6120. "Spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",
  6121. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  6122. "Proxy_AccessType": "2 (Use IE settings)"
  6123. }
  6124. },
  6125. "192.184.35.222": {
  6126. "x86": {
  6127. "BeaconType": "8 (HTTPS)",
  6128. "Port": "443",
  6129. "Polling": "5000",
  6130. "Jitter": "10",
  6131. "Maxdns": "235",
  6132. "C2 Server": "exrap.com,/us/ky/louisville/312-s-fourth-st.html",
  6133. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  6134. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  6135. "Header1": "",
  6136. "Header2": "",
  6137. "PipeName": "",
  6138. "DNS Idle": "\\x08\\x08\\x08\\x08",
  6139. "DNS Sleep": "0",
  6140. "Method1": "GET",
  6141. "Method2": "POST",
  6142. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  6143. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  6144. "Proxy_AccessType": "2 (Use IE settings)"
  6145. },
  6146. "x64": {
  6147. "BeaconType": "8 (HTTPS)",
  6148. "Port": "443",
  6149. "Polling": "5000",
  6150. "Jitter": "10",
  6151. "Maxdns": "235",
  6152. "C2 Server": "exrap.com,/us/ky/louisville/312-s-fourth-st.html",
  6153. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  6154. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  6155. "Header1": "",
  6156. "Header2": "",
  6157. "PipeName": "",
  6158. "DNS Idle": "\\x08\\x08\\x08\\x08",
  6159. "DNS Sleep": "0",
  6160. "Method1": "GET",
  6161. "Method2": "POST",
  6162. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  6163. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  6164. "Proxy_AccessType": "2 (Use IE settings)"
  6165. }
  6166. },
  6167. "192.236.232.228": {
  6168. "x64": {
  6169. "BeaconType": "8 (HTTPS)",
  6170. "Port": "443",
  6171. "Polling": "60000",
  6172. "Jitter": "0",
  6173. "Maxdns": "255",
  6174. "C2 Server": "192.236.232.228,/en_US/all.js",
  6175. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)",
  6176. "HTTP Method Path 2": "/submit.php",
  6177. "Header1": "",
  6178. "Header2": "",
  6179. "PipeName": "",
  6180. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6181. "DNS Sleep": "0",
  6182. "Method1": "GET",
  6183. "Method2": "POST",
  6184. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6185. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6186. "Proxy_AccessType": "2 (Use IE settings)"
  6187. }
  6188. },
  6189. "192.236.248.169": {
  6190. "x86": {
  6191. "BeaconType": "8 (HTTPS)",
  6192. "Port": "443",
  6193. "Polling": "60000",
  6194. "Jitter": "0",
  6195. "Maxdns": "255",
  6196. "C2 Server": "amapai-technologies.email,/ptj",
  6197. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP06)",
  6198. "HTTP Method Path 2": "/submit.php",
  6199. "Header1": "",
  6200. "Header2": "",
  6201. "PipeName": "",
  6202. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6203. "DNS Sleep": "0",
  6204. "Method1": "GET",
  6205. "Method2": "POST",
  6206. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6207. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6208. "Proxy_AccessType": "2 (Use IE settings)"
  6209. }
  6210. },
  6211. "192.3.81.214": {
  6212. "x64": {
  6213. "BeaconType": "8 (HTTPS)",
  6214. "Port": "443",
  6215. "Polling": "5000",
  6216. "Jitter": "10",
  6217. "Maxdns": "235",
  6218. "C2 Server": "139.199.185.41,/updates",
  6219. "User Agent": "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0",
  6220. "HTTP Method Path 2": "/aircanada/dark.php",
  6221. "Header1": "",
  6222. "Header2": "",
  6223. "PipeName": "",
  6224. "DNS Idle": "\\x08\\x08\\x04\\x04",
  6225. "DNS Sleep": "0",
  6226. "Method1": "GET",
  6227. "Method2": "POST",
  6228. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6229. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6230. "Proxy_AccessType": "2 (Use IE settings)"
  6231. }
  6232. },
  6233. "193.168.147.249": {
  6234. "x86": {
  6235. "BeaconType": "8 (HTTPS)",
  6236. "Port": "443",
  6237. "Polling": "5000",
  6238. "Jitter": "0",
  6239. "Maxdns": "255",
  6240. "C2 Server": "mesteratosr.me,/api",
  6241. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0",
  6242. "HTTP Method Path 2": "/lowpacket/mt.php",
  6243. "Header1": "",
  6244. "Header2": "",
  6245. "PipeName": "",
  6246. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6247. "DNS Sleep": "0",
  6248. "Method1": "GET",
  6249. "Method2": "POST",
  6250. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6251. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6252. "Proxy_AccessType": "2 (Use IE settings)"
  6253. }
  6254. },
  6255. "193.27.14.247": {
  6256. "x64": {
  6257. "BeaconType": "8 (HTTPS)",
  6258. "Port": "443",
  6259. "Polling": "60000",
  6260. "Jitter": "37",
  6261. "Maxdns": "255",
  6262. "C2 Server": "ap.availablenationwide.com,/jquery-ajaxSuccess.js",
  6263. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  6264. "HTTP Method Path 2": "/jquery-before.js",
  6265. "Header1": "",
  6266. "Header2": "",
  6267. "PipeName": "",
  6268. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6269. "DNS Sleep": "0",
  6270. "Method1": "GET",
  6271. "Method2": "POST",
  6272. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6273. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6274. "Proxy_AccessType": "2 (Use IE settings)"
  6275. }
  6276. },
  6277. "193.34.166.124": {
  6278. "x86": {
  6279. "BeaconType": "8 (HTTPS)",
  6280. "Port": "443",
  6281. "Polling": "60000",
  6282. "Jitter": "0",
  6283. "Maxdns": "255",
  6284. "C2 Server": "ntservicespack.com,/load",
  6285. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0)",
  6286. "HTTP Method Path 2": "/submit.php",
  6287. "Header1": "",
  6288. "Header2": "",
  6289. "PipeName": "",
  6290. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6291. "DNS Sleep": "0",
  6292. "Method1": "GET",
  6293. "Method2": "POST",
  6294. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6295. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6296. "Proxy_AccessType": "2 (Use IE settings)"
  6297. },
  6298. "x64": {
  6299. "BeaconType": "8 (HTTPS)",
  6300. "Port": "443",
  6301. "Polling": "60000",
  6302. "Jitter": "0",
  6303. "Maxdns": "255",
  6304. "C2 Server": "ntservicespack.com,/ptj",
  6305. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
  6306. "HTTP Method Path 2": "/submit.php",
  6307. "Header1": "",
  6308. "Header2": "",
  6309. "PipeName": "",
  6310. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6311. "DNS Sleep": "0",
  6312. "Method1": "GET",
  6313. "Method2": "POST",
  6314. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6315. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6316. "Proxy_AccessType": "2 (Use IE settings)"
  6317. }
  6318. },
  6319. "193.34.166.207": {
  6320. "x86": {
  6321. "BeaconType": "8 (HTTPS)",
  6322. "Port": "443",
  6323. "Polling": "60000",
  6324. "Jitter": "0",
  6325. "Maxdns": "255",
  6326. "C2 Server": "timesyncad.com,/IE9CompatViewList.xml",
  6327. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; MAAU; NP08)",
  6328. "HTTP Method Path 2": "/submit.php",
  6329. "Header1": "",
  6330. "Header2": "",
  6331. "PipeName": "",
  6332. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6333. "DNS Sleep": "0",
  6334. "Method1": "GET",
  6335. "Method2": "POST",
  6336. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6337. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6338. "Proxy_AccessType": "2 (Use IE settings)"
  6339. }
  6340. },
  6341. "193.34.166.73": {
  6342. "x86": {
  6343. "BeaconType": "8 (HTTPS)",
  6344. "Port": "443",
  6345. "Polling": "60000",
  6346. "Jitter": "0",
  6347. "Maxdns": "255",
  6348. "C2 Server": "servupdates.com,/ca",
  6349. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)",
  6350. "HTTP Method Path 2": "/submit.php",
  6351. "Header1": "",
  6352. "Header2": "",
  6353. "PipeName": "",
  6354. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6355. "DNS Sleep": "0",
  6356. "Method1": "GET",
  6357. "Method2": "POST",
  6358. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6359. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6360. "Proxy_AccessType": "2 (Use IE settings)"
  6361. },
  6362. "x64": {
  6363. "BeaconType": "8 (HTTPS)",
  6364. "Port": "443",
  6365. "Polling": "60000",
  6366. "Jitter": "0",
  6367. "Maxdns": "255",
  6368. "C2 Server": "servupdates.com,/cx",
  6369. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
  6370. "HTTP Method Path 2": "/submit.php",
  6371. "Header1": "",
  6372. "Header2": "",
  6373. "PipeName": "",
  6374. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6375. "DNS Sleep": "0",
  6376. "Method1": "GET",
  6377. "Method2": "POST",
  6378. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6379. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6380. "Proxy_AccessType": "2 (Use IE settings)"
  6381. }
  6382. },
  6383. "193.34.166.89": {
  6384. "x64": {
  6385. "BeaconType": "8 (HTTPS)",
  6386. "Port": "443",
  6387. "Polling": "60000",
  6388. "Jitter": "0",
  6389. "Maxdns": "255",
  6390. "C2 Server": "193.34.166.89,/fwlink",
  6391. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; Touch; MALCJS)",
  6392. "HTTP Method Path 2": "/submit.php",
  6393. "Header1": "",
  6394. "Header2": "",
  6395. "PipeName": "",
  6396. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6397. "DNS Sleep": "0",
  6398. "Method1": "GET",
  6399. "Method2": "POST",
  6400. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6401. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6402. "Proxy_AccessType": "2 (Use IE settings)"
  6403. }
  6404. },
  6405. "193.34.167.200": {
  6406. "x86": {
  6407. "BeaconType": "8 (HTTPS)",
  6408. "Port": "443",
  6409. "Polling": "60000",
  6410. "Jitter": "0",
  6411. "Maxdns": "255",
  6412. "C2 Server": "inteldrivers.com,/cm",
  6413. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; XBLWP7; ZuneWP7)",
  6414. "HTTP Method Path 2": "/submit.php",
  6415. "Header1": "",
  6416. "Header2": "",
  6417. "PipeName": "",
  6418. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6419. "DNS Sleep": "0",
  6420. "Method1": "GET",
  6421. "Method2": "POST",
  6422. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6423. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6424. "Proxy_AccessType": "2 (Use IE settings)"
  6425. }
  6426. },
  6427. "193.34.167.60": {
  6428. "x86": {
  6429. "BeaconType": "8 (HTTPS)",
  6430. "Port": "443",
  6431. "Polling": "60000",
  6432. "Jitter": "0",
  6433. "C2 Server": "server3.msadwindows.com,/cm",
  6434. "HTTP Method Path 2": "/submit.php",
  6435. "Method1": "GET",
  6436. "Method2": "POST",
  6437. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6438. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6439. "Proxy_AccessType": "2 (Use IE settings)"
  6440. }
  6441. },
  6442. "194.5.249.55": {
  6443. "x86": {
  6444. "BeaconType": "8 (HTTPS)",
  6445. "Port": "443",
  6446. "Polling": "60000",
  6447. "Jitter": "0",
  6448. "Maxdns": "255",
  6449. "C2 Server": "194.5.249.55,/cx",
  6450. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)",
  6451. "HTTP Method Path 2": "/submit.php",
  6452. "Header1": "",
  6453. "Header2": "",
  6454. "PipeName": "",
  6455. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6456. "DNS Sleep": "0",
  6457. "Method1": "GET",
  6458. "Method2": "POST",
  6459. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6460. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6461. "Proxy_AccessType": "2 (Use IE settings)"
  6462. }
  6463. },
  6464. "195.123.217.7": {
  6465. "x86": {
  6466. "BeaconType": "8 (HTTPS)",
  6467. "Port": "443",
  6468. "Polling": "5000",
  6469. "Jitter": "0",
  6470. "Maxdns": "255",
  6471. "C2 Server": "195.123.217.7,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,yten.xyz,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  6472. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  6473. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  6474. "Header1": "",
  6475. "Header2": "",
  6476. "PipeName": "",
  6477. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6478. "DNS Sleep": "0",
  6479. "Method1": "GET",
  6480. "Method2": "POST",
  6481. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6482. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6483. "Proxy_AccessType": "2 (Use IE settings)"
  6484. },
  6485. "x64": {
  6486. "BeaconType": "8 (HTTPS)",
  6487. "Port": "443",
  6488. "Polling": "5000",
  6489. "Jitter": "0",
  6490. "Maxdns": "255",
  6491. "C2 Server": "195.123.217.7,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,yten.xyz,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  6492. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  6493. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  6494. "Header1": "",
  6495. "Header2": "",
  6496. "PipeName": "",
  6497. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6498. "DNS Sleep": "0",
  6499. "Method1": "GET",
  6500. "Method2": "POST",
  6501. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6502. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6503. "Proxy_AccessType": "2 (Use IE settings)"
  6504. }
  6505. },
  6506. "195.123.222.43": {
  6507. "x86": {
  6508. "BeaconType": "8 (HTTPS)",
  6509. "Port": "443",
  6510. "Polling": "7000",
  6511. "Jitter": "0",
  6512. "Maxdns": "255",
  6513. "C2 Server": "duskeducate.com,/jquery-3.3.1.min.js",
  6514. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  6515. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  6516. "Header1": "",
  6517. "Header2": "",
  6518. "PipeName": "",
  6519. "DNS Idle": "J}\\xC4q",
  6520. "DNS Sleep": "0",
  6521. "Method1": "GET",
  6522. "Method2": "POST",
  6523. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  6524. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  6525. "Proxy_AccessType": "2 (Use IE settings)"
  6526. },
  6527. "x64": {
  6528. "BeaconType": "8 (HTTPS)",
  6529. "Port": "443",
  6530. "Polling": "7000",
  6531. "Jitter": "0",
  6532. "Maxdns": "255",
  6533. "C2 Server": "duskeducate.com,/jquery-3.3.1.min.js",
  6534. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  6535. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  6536. "Header1": "",
  6537. "Header2": "",
  6538. "PipeName": "",
  6539. "DNS Idle": "J}\\xC4q",
  6540. "DNS Sleep": "0",
  6541. "Method1": "GET",
  6542. "Method2": "POST",
  6543. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  6544. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  6545. "Proxy_AccessType": "2 (Use IE settings)"
  6546. }
  6547. },
  6548. "195.30.132.195": {
  6549. "x86": {
  6550. "BeaconType": "8 (HTTPS)",
  6551. "Port": "443",
  6552. "Polling": "5000",
  6553. "Jitter": "15",
  6554. "Maxdns": "255",
  6555. "C2 Server": "d1hp3kzjl3pr7y.cloudfront.net,/_/scs/mail-static/_/css/,d3mdcyc7die6tc.cloudfront.net,/_/scs/mail-static/_/css/",
  6556. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)",
  6557. "HTTP Method Path 2": "/mail/u/2/",
  6558. "Header1": "",
  6559. "Header2": "",
  6560. "PipeName": "",
  6561. "DNS Idle": "\\x01\\x01\\x01\\x01",
  6562. "DNS Sleep": "0",
  6563. "Method1": "GET",
  6564. "Method2": "POST",
  6565. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6566. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6567. "Proxy_AccessType": "2 (Use IE settings)"
  6568. },
  6569. "x64": {
  6570. "BeaconType": "8 (HTTPS)",
  6571. "Port": "443",
  6572. "Polling": "5000",
  6573. "Jitter": "15",
  6574. "Maxdns": "255",
  6575. "C2 Server": "d1hp3kzjl3pr7y.cloudfront.net,/_/scs/mail-static/_/css/,d3mdcyc7die6tc.cloudfront.net,/_/scs/mail-static/_/css/",
  6576. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MDDRJS)",
  6577. "HTTP Method Path 2": "/mail/u/2/",
  6578. "Header1": "",
  6579. "Header2": "",
  6580. "PipeName": "",
  6581. "DNS Idle": "\\x01\\x01\\x01\\x01",
  6582. "DNS Sleep": "0",
  6583. "Method1": "GET",
  6584. "Method2": "POST",
  6585. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6586. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6587. "Proxy_AccessType": "2 (Use IE settings)"
  6588. }
  6589. },
  6590. "198.211.107.136": {
  6591. "x64": {
  6592. "BeaconType": "8 (HTTPS)",
  6593. "Port": "443",
  6594. "Polling": "58758",
  6595. "Jitter": "39",
  6596. "Maxdns": "254",
  6597. "C2 Server": "ajax.microsoft.com,/zh.css",
  6598. "User Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0",
  6599. "HTTP Method Path 2": "/an",
  6600. "Header1": "",
  6601. "Header2": "",
  6602. "PipeName": "",
  6603. "DNS Idle": "L4\\x8D}",
  6604. "DNS Sleep": "0",
  6605. "Method1": "GET",
  6606. "Method2": "POST",
  6607. "Spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",
  6608. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  6609. "Proxy_AccessType": "2 (Use IE settings)"
  6610. }
  6611. },
  6612. "198.27.79.75": {
  6613. "x64": {
  6614. "BeaconType": "8 (HTTPS)",
  6615. "Port": "443",
  6616. "Polling": "56196",
  6617. "Jitter": "43",
  6618. "Maxdns": "241",
  6619. "C2 Server": "185.189.151.107,/na",
  6620. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36",
  6621. "HTTP Method Path 2": "/extension",
  6622. "Header1": "",
  6623. "Header2": "",
  6624. "PipeName": "",
  6625. "DNS Idle": "q\\xF5\\x128",
  6626. "DNS Sleep": "0",
  6627. "Method1": "GET",
  6628. "Method2": "POST",
  6629. "Spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",
  6630. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  6631. "Proxy_AccessType": "2 (Use IE settings)"
  6632. }
  6633. },
  6634. "198.44.14.47": {
  6635. "x86": {
  6636. "BeaconType": "8 (HTTPS)",
  6637. "Port": "443",
  6638. "Polling": "63118",
  6639. "Jitter": "39",
  6640. "Maxdns": "240",
  6641. "C2 Server": "qw.update-chromeservices.com,/groupcp,as.update-chromeservices.com,/groupcp,zx.update-chromeservices.com,/hr",
  6642. "User Agent": "Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1; Microsoft; RM-1152) AppleWebKit/537.36 (KHTML, like Gecko)",
  6643. "HTTP Method Path 2": "/groupcp",
  6644. "Header1": "",
  6645. "Header2": "",
  6646. "PipeName": "",
  6647. "DNS Idle": "\\xD4\\xCC\\xC7&",
  6648. "DNS Sleep": "0",
  6649. "Method1": "GET",
  6650. "Method2": "POST",
  6651. "Spawnto_x86": "%windir%\\syswow64\\runonce.exe",
  6652. "Spawnto_x64": "%windir%\\sysnative\\runonce.exe",
  6653. "Proxy_AccessType": "2 (Use IE settings)"
  6654. }
  6655. },
  6656. "198.44.97.180": {
  6657. "x86": {
  6658. "BeaconType": "8 (HTTPS)",
  6659. "Port": "443",
  6660. "Polling": "60000",
  6661. "Jitter": "0",
  6662. "Maxdns": "255",
  6663. "C2 Server": "198.44.97.180,/push",
  6664. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENGB)",
  6665. "HTTP Method Path 2": "/submit.php",
  6666. "Header1": "",
  6667. "Header2": "",
  6668. "PipeName": "",
  6669. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6670. "DNS Sleep": "0",
  6671. "Method1": "GET",
  6672. "Method2": "POST",
  6673. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6674. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6675. "Proxy_AccessType": "2 (Use IE settings)"
  6676. }
  6677. },
  6678. "198.44.97.181": {
  6679. "x86": {
  6680. "BeaconType": "8 (HTTPS)",
  6681. "Port": "443",
  6682. "Polling": "60000",
  6683. "Jitter": "0",
  6684. "Maxdns": "255",
  6685. "C2 Server": "198.44.97.180,/push",
  6686. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENGB)",
  6687. "HTTP Method Path 2": "/submit.php",
  6688. "Header1": "",
  6689. "Header2": "",
  6690. "PipeName": "",
  6691. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6692. "DNS Sleep": "0",
  6693. "Method1": "GET",
  6694. "Method2": "POST",
  6695. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6696. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6697. "Proxy_AccessType": "2 (Use IE settings)"
  6698. }
  6699. },
  6700. "199.127.60.227": {
  6701. "x86": {
  6702. "BeaconType": "8 (HTTPS)",
  6703. "Port": "443",
  6704. "Polling": "5000",
  6705. "Jitter": "10",
  6706. "Maxdns": "235",
  6707. "C2 Server": "bitsse.com,/us/ky/louisville/312-s-fourth-st.html,uncole.com,/us/ky/louisville/312-s-fourth-st.html",
  6708. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  6709. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  6710. "Header1": "",
  6711. "Header2": "",
  6712. "PipeName": "",
  6713. "DNS Idle": "\\x08\\x08\\x08\\x08",
  6714. "DNS Sleep": "0",
  6715. "Method1": "GET",
  6716. "Method2": "POST",
  6717. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  6718. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  6719. "Proxy_AccessType": "2 (Use IE settings)"
  6720. }
  6721. },
  6722. "199.127.60.67": {
  6723. "x86": {
  6724. "BeaconType": "8 (HTTPS)",
  6725. "Port": "443",
  6726. "Polling": "5000",
  6727. "Jitter": "10",
  6728. "Maxdns": "235",
  6729. "C2 Server": "zipflag.com,/us/ky/louisville/312-s-fourth-st.html",
  6730. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  6731. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  6732. "Header1": "",
  6733. "Header2": "",
  6734. "PipeName": "",
  6735. "DNS Idle": "\\x08\\x08\\x08\\x08",
  6736. "DNS Sleep": "0",
  6737. "Method1": "GET",
  6738. "Method2": "POST",
  6739. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  6740. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  6741. "Proxy_AccessType": "2 (Use IE settings)"
  6742. }
  6743. },
  6744. "199.127.61.214": {
  6745. "x86": {
  6746. "BeaconType": "8 (HTTPS)",
  6747. "Port": "443",
  6748. "Polling": "5000",
  6749. "Jitter": "10",
  6750. "Maxdns": "235",
  6751. "C2 Server": "volof.com,/us/ky/louisville/312-s-fourth-st.html",
  6752. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  6753. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  6754. "Header1": "",
  6755. "Header2": "",
  6756. "PipeName": "",
  6757. "DNS Idle": "\\x08\\x08\\x08\\x08",
  6758. "DNS Sleep": "0",
  6759. "Method1": "GET",
  6760. "Method2": "POST",
  6761. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  6762. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  6763. "Proxy_AccessType": "2 (Use IE settings)"
  6764. }
  6765. },
  6766. "199.127.61.74": {
  6767. "x86": {
  6768. "BeaconType": "8 (HTTPS)",
  6769. "Port": "443",
  6770. "Polling": "5000",
  6771. "Jitter": "10",
  6772. "Maxdns": "235",
  6773. "C2 Server": "lenfree.com,/us/ky/louisville/312-s-fourth-st.html,199.127.61.74,/us/ky/louisville/312-s-fourth-st.html",
  6774. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  6775. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  6776. "Header1": "",
  6777. "Header2": "",
  6778. "PipeName": "",
  6779. "DNS Idle": "\\x08\\x08\\x08\\x08",
  6780. "DNS Sleep": "0",
  6781. "Method1": "GET",
  6782. "Method2": "POST",
  6783. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  6784. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  6785. "Proxy_AccessType": "2 (Use IE settings)"
  6786. },
  6787. "x64": {
  6788. "BeaconType": "8 (HTTPS)",
  6789. "Port": "443",
  6790. "Polling": "5000",
  6791. "Jitter": "10",
  6792. "Maxdns": "235",
  6793. "C2 Server": "lenfree.com,/us/ky/louisville/312-s-fourth-st.html,199.127.61.74,/us/ky/louisville/312-s-fourth-st.html",
  6794. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  6795. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  6796. "Header1": "",
  6797. "Header2": "",
  6798. "PipeName": "",
  6799. "DNS Idle": "\\x08\\x08\\x08\\x08",
  6800. "DNS Sleep": "0",
  6801. "Method1": "GET",
  6802. "Method2": "POST",
  6803. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  6804. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  6805. "Proxy_AccessType": "2 (Use IE settings)"
  6806. }
  6807. },
  6808. "199.127.63.73": {
  6809. "x86": {
  6810. "BeaconType": "8 (HTTPS)",
  6811. "Port": "443",
  6812. "Polling": "5000",
  6813. "Jitter": "10",
  6814. "Maxdns": "235",
  6815. "C2 Server": "eyedm.com,/us/ky/louisville/312-s-fourth-st.html",
  6816. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  6817. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  6818. "Header1": "",
  6819. "Header2": "",
  6820. "PipeName": "",
  6821. "DNS Idle": "\\x08\\x08\\x08\\x08",
  6822. "DNS Sleep": "0",
  6823. "Method1": "GET",
  6824. "Method2": "POST",
  6825. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  6826. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  6827. "Proxy_AccessType": "2 (Use IE settings)"
  6828. }
  6829. },
  6830. "199.195.251.56": {
  6831. "x86": {
  6832. "BeaconType": "8 (HTTPS)",
  6833. "Port": "443",
  6834. "Polling": "5000",
  6835. "Jitter": "10",
  6836. "Maxdns": "235",
  6837. "C2 Server": "micsoftin.us,/updates",
  6838. "User Agent": "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0",
  6839. "HTTP Method Path 2": "/aircanada/dark.php",
  6840. "Header1": "",
  6841. "Header2": "",
  6842. "PipeName": "",
  6843. "DNS Idle": "\\x08\\x08\\x04\\x04",
  6844. "DNS Sleep": "0",
  6845. "Method1": "GET",
  6846. "Method2": "POST",
  6847. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6848. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6849. "Proxy_AccessType": "2 (Use IE settings)"
  6850. }
  6851. },
  6852. "199.195.254.79": {
  6853. "x64": {
  6854. "BeaconType": "8 (HTTPS)",
  6855. "Port": "443",
  6856. "Polling": "10000",
  6857. "Jitter": "20",
  6858. "Maxdns": "235",
  6859. "C2 Server": "www.google-dev.tk,/jquery-3.3.1.min.js",
  6860. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )",
  6861. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  6862. "Header1": "",
  6863. "Header2": "",
  6864. "PipeName": "",
  6865. "DNS Idle": "\\x08\\x08\\x08\\x08",
  6866. "DNS Sleep": "0",
  6867. "Method1": "GET",
  6868. "Method2": "POST",
  6869. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6870. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6871. "Proxy_AccessType": "2 (Use IE settings)"
  6872. }
  6873. },
  6874. "202.182.101.162": {
  6875. "x64": {
  6876. "BeaconType": "8 (HTTPS)",
  6877. "Port": "443",
  6878. "Polling": "60000",
  6879. "Jitter": "0",
  6880. "Maxdns": "255",
  6881. "C2 Server": "202.182.101.162,/ca",
  6882. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2)",
  6883. "HTTP Method Path 2": "/submit.php",
  6884. "Header1": "",
  6885. "Header2": "",
  6886. "PipeName": "",
  6887. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6888. "DNS Sleep": "0",
  6889. "Method1": "GET",
  6890. "Method2": "POST",
  6891. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6892. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6893. "Proxy_AccessType": "2 (Use IE settings)"
  6894. }
  6895. },
  6896. "202.182.96.238": {
  6897. "x64": {
  6898. "BeaconType": "8 (HTTPS)",
  6899. "Port": "443",
  6900. "Polling": "5000",
  6901. "Jitter": "0",
  6902. "Maxdns": "255",
  6903. "C2 Server": "coivotek.livehost.live,/access/",
  6904. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  6905. "HTTP Method Path 2": "/radio/xmlrpc/v35",
  6906. "Header1": "",
  6907. "Header2": "",
  6908. "PipeName": "",
  6909. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6910. "DNS Sleep": "0",
  6911. "Method1": "GET",
  6912. "Method2": "POST",
  6913. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6914. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6915. "Proxy_AccessType": "2 (Use IE settings)"
  6916. }
  6917. },
  6918. "20.36.203.162": {
  6919. "x64": {
  6920. "BeaconType": "8 (HTTPS)",
  6921. "Port": "443",
  6922. "Polling": "60000",
  6923. "Jitter": "0",
  6924. "C2 Server": "20.36.203.162,/load",
  6925. "HTTP Method Path 2": "/submit.php",
  6926. "Method1": "GET",
  6927. "Method2": "POST",
  6928. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6929. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6930. "Proxy_AccessType": "2 (Use IE settings)"
  6931. }
  6932. },
  6933. "204.16.247.235": {
  6934. "x86": {
  6935. "BeaconType": "8 (HTTPS)",
  6936. "Port": "443",
  6937. "Polling": "5000",
  6938. "Jitter": "10",
  6939. "Maxdns": "235",
  6940. "C2 Server": "avetool.com,/us/ky/louisville/312-s-fourth-st.html",
  6941. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  6942. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  6943. "Header1": "",
  6944. "Header2": "",
  6945. "PipeName": "",
  6946. "DNS Idle": "\\x08\\x08\\x08\\x08",
  6947. "DNS Sleep": "0",
  6948. "Method1": "GET",
  6949. "Method2": "POST",
  6950. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  6951. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  6952. "Proxy_AccessType": "2 (Use IE settings)"
  6953. },
  6954. "x64": {
  6955. "BeaconType": "8 (HTTPS)",
  6956. "Port": "443",
  6957. "Polling": "5000",
  6958. "Jitter": "10",
  6959. "Maxdns": "235",
  6960. "C2 Server": "avetool.com,/us/ky/louisville/312-s-fourth-st.html",
  6961. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  6962. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  6963. "Header1": "",
  6964. "Header2": "",
  6965. "PipeName": "",
  6966. "DNS Idle": "\\x08\\x08\\x08\\x08",
  6967. "DNS Sleep": "0",
  6968. "Method1": "GET",
  6969. "Method2": "POST",
  6970. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  6971. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  6972. "Proxy_AccessType": "2 (Use IE settings)"
  6973. }
  6974. },
  6975. "204.16.247.30": {
  6976. "x86": {
  6977. "BeaconType": "8 (HTTPS)",
  6978. "Port": "443",
  6979. "Polling": "5000",
  6980. "Jitter": "10",
  6981. "Maxdns": "235",
  6982. "C2 Server": "ballom.com,/us/ky/louisville/312-s-fourth-st.html",
  6983. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  6984. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  6985. "Header1": "",
  6986. "Header2": "",
  6987. "PipeName": "",
  6988. "DNS Idle": "\\x08\\x08\\x08\\x08",
  6989. "DNS Sleep": "0",
  6990. "Method1": "GET",
  6991. "Method2": "POST",
  6992. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  6993. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  6994. "Proxy_AccessType": "2 (Use IE settings)"
  6995. }
  6996. },
  6997. "204.16.247.48": {
  6998. "x86": {
  6999. "BeaconType": "8 (HTTPS)",
  7000. "Port": "443",
  7001. "Polling": "30000",
  7002. "Jitter": "20",
  7003. "Maxdns": "255",
  7004. "C2 Server": "goodroy.com,/CWoNaJLBo/VTNeWw11212/",
  7005. "User Agent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)",
  7006. "HTTP Method Path 2": "/CWoNaJLBo/VTNeWw11213/",
  7007. "Header1": "",
  7008. "Header2": "",
  7009. "PipeName": "",
  7010. "DNS Idle": "\\x00\\x00\\x00\\x00",
  7011. "DNS Sleep": "0",
  7012. "Method1": "GET",
  7013. "Method2": "POST",
  7014. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7015. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7016. "Proxy_AccessType": "2 (Use IE settings)"
  7017. }
  7018. },
  7019. "204.16.247.65": {
  7020. "x86": {
  7021. "BeaconType": "8 (HTTPS)",
  7022. "Port": "443",
  7023. "Polling": "30000",
  7024. "Jitter": "20",
  7025. "Maxdns": "255",
  7026. "C2 Server": "peernew.com,/CWoNaJLBo/VTNeWw11212/",
  7027. "User Agent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)",
  7028. "HTTP Method Path 2": "/CWoNaJLBo/VTNeWw11213/",
  7029. "Header1": "",
  7030. "Header2": "",
  7031. "PipeName": "",
  7032. "DNS Idle": "\\x00\\x00\\x00\\x00",
  7033. "DNS Sleep": "0",
  7034. "Method1": "GET",
  7035. "Method2": "POST",
  7036. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7037. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7038. "Proxy_AccessType": "2 (Use IE settings)"
  7039. }
  7040. },
  7041. "204.16.247.89": {
  7042. "x86": {
  7043. "BeaconType": "8 (HTTPS)",
  7044. "Port": "443",
  7045. "Polling": "60000",
  7046. "Jitter": "0",
  7047. "Maxdns": "255",
  7048. "C2 Server": "204.16.247.89,/g.pixel",
  7049. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; LG; LG-E906)",
  7050. "HTTP Method Path 2": "/submit.php",
  7051. "Header1": "",
  7052. "Header2": "",
  7053. "PipeName": "",
  7054. "DNS Idle": "\\x00\\x00\\x00\\x00",
  7055. "DNS Sleep": "0",
  7056. "Method1": "GET",
  7057. "Method2": "POST",
  7058. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7059. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7060. "Proxy_AccessType": "2 (Use IE settings)"
  7061. },
  7062. "x64": {
  7063. "BeaconType": "8 (HTTPS)",
  7064. "Port": "443",
  7065. "Polling": "60000",
  7066. "Jitter": "0",
  7067. "Maxdns": "255",
  7068. "C2 Server": "204.16.247.89,/ptj",
  7069. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP06)",
  7070. "HTTP Method Path 2": "/submit.php",
  7071. "Header1": "",
  7072. "Header2": "",
  7073. "PipeName": "",
  7074. "DNS Idle": "\\x00\\x00\\x00\\x00",
  7075. "DNS Sleep": "0",
  7076. "Method1": "GET",
  7077. "Method2": "POST",
  7078. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7079. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7080. "Proxy_AccessType": "2 (Use IE settings)"
  7081. }
  7082. },
  7083. "206.189.223.152": {
  7084. "x86": {
  7085. "BeaconType": "8 (HTTPS)",
  7086. "Port": "443",
  7087. "Polling": "60000",
  7088. "Jitter": "0",
  7089. "C2 Server": "206.189.223.152,/push",
  7090. "HTTP Method Path 2": "/submit.php",
  7091. "Method1": "GET",
  7092. "Method2": "POST",
  7093. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7094. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7095. "Proxy_AccessType": "2 (Use IE settings)"
  7096. }
  7097. },
  7098. "206.189.37.245": {
  7099. "x64": {
  7100. "BeaconType": "8 (HTTPS)",
  7101. "Port": "443",
  7102. "Polling": "15000",
  7103. "Jitter": "90",
  7104. "Maxdns": "225",
  7105. "C2 Server": "do.skype.com,/api2/json/access/ticket,mscrl.microsoft.com,/en-us/p/onerf/MeSilentPassport",
  7106. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  7107. "HTTP Method Path 2": "/gql",
  7108. "Header1": "",
  7109. "Header2": "",
  7110. "PipeName": "",
  7111. "DNS Idle": "h\\xD8<\\x84",
  7112. "DNS Sleep": "0",
  7113. "Method1": "GET",
  7114. "Method2": "POST",
  7115. "Spawnto_x86": "%windir%\\System32\\werfault.exe",
  7116. "Spawnto_x64": "%windir%\\System32\\werfault.exe",
  7117. "Proxy_AccessType": "2 (Use IE settings)"
  7118. }
  7119. },
  7120. "206.221.176.205": {
  7121. "x64": {
  7122. "BeaconType": "8 (HTTPS)",
  7123. "Port": "443",
  7124. "Polling": "5000",
  7125. "Jitter": "10",
  7126. "Maxdns": "235",
  7127. "C2 Server": "arcnew.com,/us/ky/louisville/312-s-fourth-st.html",
  7128. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7129. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7130. "Header1": "",
  7131. "Header2": "",
  7132. "PipeName": "",
  7133. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7134. "DNS Sleep": "0",
  7135. "Method1": "GET",
  7136. "Method2": "POST",
  7137. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7138. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7139. "Proxy_AccessType": "2 (Use IE settings)"
  7140. }
  7141. },
  7142. "206.221.179.202": {
  7143. "x86": {
  7144. "BeaconType": "8 (HTTPS)",
  7145. "Port": "443",
  7146. "Polling": "5000",
  7147. "Jitter": "10",
  7148. "Maxdns": "235",
  7149. "C2 Server": "geotry.com,/us/ky/louisville/312-s-fourth-st.html",
  7150. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7151. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7152. "Header1": "",
  7153. "Header2": "",
  7154. "PipeName": "",
  7155. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7156. "DNS Sleep": "0",
  7157. "Method1": "GET",
  7158. "Method2": "POST",
  7159. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7160. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7161. "Proxy_AccessType": "2 (Use IE settings)"
  7162. },
  7163. "x64": {
  7164. "BeaconType": "8 (HTTPS)",
  7165. "Port": "443",
  7166. "Polling": "5000",
  7167. "Jitter": "10",
  7168. "Maxdns": "235",
  7169. "C2 Server": "geotry.com,/us/ky/louisville/312-s-fourth-st.html",
  7170. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7171. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7172. "Header1": "",
  7173. "Header2": "",
  7174. "PipeName": "",
  7175. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7176. "DNS Sleep": "0",
  7177. "Method1": "GET",
  7178. "Method2": "POST",
  7179. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7180. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7181. "Proxy_AccessType": "2 (Use IE settings)"
  7182. }
  7183. },
  7184. "206.54.190.220": {
  7185. "x86": {
  7186. "BeaconType": "8 (HTTPS)",
  7187. "Port": "443",
  7188. "Polling": "60000",
  7189. "Jitter": "0",
  7190. "C2 Server": "45.170.251.101,/ga.js",
  7191. "HTTP Method Path 2": "/submit.php",
  7192. "Method1": "GET",
  7193. "Method2": "POST",
  7194. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7195. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7196. "Proxy_AccessType": "2 (Use IE settings)"
  7197. }
  7198. },
  7199. "207.148.70.82": {
  7200. "x64": {
  7201. "BeaconType": "8 (HTTPS)",
  7202. "Port": "443",
  7203. "Polling": "60000",
  7204. "Jitter": "0",
  7205. "Maxdns": "255",
  7206. "C2 Server": "207.148.70.82,/pixel",
  7207. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
  7208. "HTTP Method Path 2": "/submit.php",
  7209. "Header1": "",
  7210. "Header2": "",
  7211. "PipeName": "",
  7212. "DNS Idle": "\\x00\\x00\\x00\\x00",
  7213. "DNS Sleep": "0",
  7214. "Method1": "GET",
  7215. "Method2": "POST",
  7216. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7217. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7218. "Proxy_AccessType": "2 (Use IE settings)"
  7219. }
  7220. },
  7221. "207.219.199.120": {
  7222. "x86": {
  7223. "BeaconType": "8 (HTTPS)",
  7224. "Port": "443",
  7225. "Polling": "5000",
  7226. "Jitter": "0",
  7227. "Maxdns": "255",
  7228. "C2 Server": "s3app.eastus.cloudapp.azure.com,/iconpage.gif,azurecloudapi.eastus.cloudapp.azure.com,/iconpage.gif",
  7229. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; MATBJS)",
  7230. "HTTP Method Path 2": "/iconimage.gif",
  7231. "Header1": "",
  7232. "Header2": "",
  7233. "PipeName": "",
  7234. "DNS Idle": "\\x00\\x00\\x00\\x00",
  7235. "DNS Sleep": "0",
  7236. "Method1": "GET",
  7237. "Method2": "GET",
  7238. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7239. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7240. "Proxy_AccessType": "2 (Use IE settings)"
  7241. },
  7242. "x64": {
  7243. "BeaconType": "8 (HTTPS)",
  7244. "Port": "443",
  7245. "Polling": "5000",
  7246. "Jitter": "0",
  7247. "Maxdns": "255",
  7248. "C2 Server": "s3app.eastus.cloudapp.azure.com,/iconpage.gif,azurecloudapi.eastus.cloudapp.azure.com,/iconpage.gif",
  7249. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; Avant Browser)",
  7250. "HTTP Method Path 2": "/iconimage.gif",
  7251. "Header1": "",
  7252. "Header2": "",
  7253. "PipeName": "",
  7254. "DNS Idle": "\\x00\\x00\\x00\\x00",
  7255. "DNS Sleep": "0",
  7256. "Method1": "GET",
  7257. "Method2": "GET",
  7258. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7259. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7260. "Proxy_AccessType": "2 (Use IE settings)"
  7261. }
  7262. },
  7263. "209.222.101.153": {
  7264. "x86": {
  7265. "BeaconType": "8 (HTTPS)",
  7266. "Port": "443",
  7267. "Polling": "5000",
  7268. "Jitter": "10",
  7269. "Maxdns": "235",
  7270. "C2 Server": "mixdir.com,/us/ky/louisville/312-s-fourth-st.html",
  7271. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7272. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7273. "Header1": "",
  7274. "Header2": "",
  7275. "PipeName": "",
  7276. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7277. "DNS Sleep": "0",
  7278. "Method1": "GET",
  7279. "Method2": "POST",
  7280. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7281. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7282. "Proxy_AccessType": "2 (Use IE settings)"
  7283. }
  7284. },
  7285. "209.222.97.8": {
  7286. "x86": {
  7287. "BeaconType": "8 (HTTPS)",
  7288. "Port": "443",
  7289. "Polling": "5000",
  7290. "Jitter": "10",
  7291. "Maxdns": "235",
  7292. "C2 Server": "landcook.com,/us/ky/louisville/312-s-fourth-st.html",
  7293. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7294. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7295. "Header1": "",
  7296. "Header2": "",
  7297. "PipeName": "",
  7298. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7299. "DNS Sleep": "0",
  7300. "Method1": "GET",
  7301. "Method2": "POST",
  7302. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7303. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7304. "Proxy_AccessType": "2 (Use IE settings)"
  7305. },
  7306. "x64": {
  7307. "BeaconType": "8 (HTTPS)",
  7308. "Port": "443",
  7309. "Polling": "5000",
  7310. "Jitter": "10",
  7311. "Maxdns": "235",
  7312. "C2 Server": "landcook.com,/us/ky/louisville/312-s-fourth-st.html",
  7313. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7314. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7315. "Header1": "",
  7316. "Header2": "",
  7317. "PipeName": "",
  7318. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7319. "DNS Sleep": "0",
  7320. "Method1": "GET",
  7321. "Method2": "POST",
  7322. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7323. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7324. "Proxy_AccessType": "2 (Use IE settings)"
  7325. }
  7326. },
  7327. "209.222.98.45": {
  7328. "x86": {
  7329. "BeaconType": "8 (HTTPS)",
  7330. "Port": "443",
  7331. "Polling": "5000",
  7332. "Jitter": "10",
  7333. "Maxdns": "235",
  7334. "C2 Server": "exrap.com,/us/ky/louisville/312-s-fourth-st.html",
  7335. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7336. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7337. "Header1": "",
  7338. "Header2": "",
  7339. "PipeName": "",
  7340. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7341. "DNS Sleep": "0",
  7342. "Method1": "GET",
  7343. "Method2": "POST",
  7344. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7345. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7346. "Proxy_AccessType": "2 (Use IE settings)"
  7347. },
  7348. "x64": {
  7349. "BeaconType": "8 (HTTPS)",
  7350. "Port": "443",
  7351. "Polling": "5000",
  7352. "Jitter": "10",
  7353. "Maxdns": "235",
  7354. "C2 Server": "exrap.com,/us/ky/louisville/312-s-fourth-st.html",
  7355. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7356. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7357. "Header1": "",
  7358. "Header2": "",
  7359. "PipeName": "",
  7360. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7361. "DNS Sleep": "0",
  7362. "Method1": "GET",
  7363. "Method2": "POST",
  7364. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7365. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7366. "Proxy_AccessType": "2 (Use IE settings)"
  7367. }
  7368. },
  7369. "209.222.98.96": {
  7370. "x86": {
  7371. "BeaconType": "8 (HTTPS)",
  7372. "Port": "443",
  7373. "Polling": "5000",
  7374. "Jitter": "10",
  7375. "Maxdns": "235",
  7376. "C2 Server": "wolfnew.com,/us/ky/louisville/312-s-fourth-st.html",
  7377. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7378. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7379. "Header1": "",
  7380. "Header2": "",
  7381. "PipeName": "",
  7382. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7383. "DNS Sleep": "0",
  7384. "Method1": "GET",
  7385. "Method2": "POST",
  7386. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7387. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7388. "Proxy_AccessType": "2 (Use IE settings)"
  7389. },
  7390. "x64": {
  7391. "BeaconType": "8 (HTTPS)",
  7392. "Port": "443",
  7393. "Polling": "5000",
  7394. "Jitter": "10",
  7395. "Maxdns": "235",
  7396. "C2 Server": "wolfnew.com,/us/ky/louisville/312-s-fourth-st.html",
  7397. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7398. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7399. "Header1": "",
  7400. "Header2": "",
  7401. "PipeName": "",
  7402. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7403. "DNS Sleep": "0",
  7404. "Method1": "GET",
  7405. "Method2": "POST",
  7406. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7407. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7408. "Proxy_AccessType": "2 (Use IE settings)"
  7409. }
  7410. },
  7411. "209.249.134.14": {
  7412. "x86": {
  7413. "BeaconType": "8 (HTTPS)",
  7414. "Port": "443",
  7415. "Polling": "30000",
  7416. "Jitter": "20",
  7417. "Maxdns": "255",
  7418. "C2 Server": "downloads.daytonaneurosurgery.com,/login",
  7419. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36",
  7420. "HTTP Method Path 2": "/api/chat.postMessage",
  7421. "Header1": "",
  7422. "Header2": "",
  7423. "PipeName": "",
  7424. "DNS Idle": "J}\\xC4q",
  7425. "DNS Sleep": "0",
  7426. "Method1": "GET",
  7427. "Method2": "POST",
  7428. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  7429. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  7430. "Proxy_AccessType": "2 (Use IE settings)"
  7431. }
  7432. },
  7433. "217.12.208.251": {
  7434. "x86": {
  7435. "BeaconType": "8 (HTTPS)",
  7436. "Port": "443",
  7437. "Polling": "45000",
  7438. "Jitter": "37",
  7439. "Maxdns": "255",
  7440. "C2 Server": "217.12.208.251,/jquery-3.3.1.min.js",
  7441. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  7442. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  7443. "Header1": "",
  7444. "Header2": "",
  7445. "PipeName": "",
  7446. "DNS Idle": "J}\\xC4q",
  7447. "DNS Sleep": "0",
  7448. "Method1": "GET",
  7449. "Method2": "POST",
  7450. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  7451. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  7452. "Proxy_AccessType": "2 (Use IE settings)"
  7453. }
  7454. },
  7455. "217.8.117.13": {
  7456. "x64": {
  7457. "BeaconType": "8 (HTTPS)",
  7458. "Port": "443",
  7459. "Polling": "60000",
  7460. "Jitter": "0",
  7461. "Maxdns": "255",
  7462. "C2 Server": "217.8.117.13,/fwlink",
  7463. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)",
  7464. "HTTP Method Path 2": "/submit.php",
  7465. "Header1": "",
  7466. "Header2": "",
  7467. "PipeName": "",
  7468. "DNS Idle": "\\x00\\x00\\x00\\x00",
  7469. "DNS Sleep": "0",
  7470. "Method1": "GET",
  7471. "Method2": "POST",
  7472. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7473. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7474. "Proxy_AccessType": "2 (Use IE settings)"
  7475. }
  7476. },
  7477. "23.106.160.111": {
  7478. "x64": {
  7479. "BeaconType": "8 (HTTPS)",
  7480. "Port": "443",
  7481. "Polling": "5000",
  7482. "Jitter": "10",
  7483. "Maxdns": "235",
  7484. "C2 Server": "mixres.com,/us/ky/louisville/312-s-fourth-st.html",
  7485. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7486. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7487. "Header1": "",
  7488. "Header2": "",
  7489. "PipeName": "",
  7490. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7491. "DNS Sleep": "0",
  7492. "Method1": "GET",
  7493. "Method2": "POST",
  7494. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7495. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7496. "Proxy_AccessType": "2 (Use IE settings)"
  7497. }
  7498. },
  7499. "23.106.160.129": {
  7500. "x64": {
  7501. "BeaconType": "8 (HTTPS)",
  7502. "Port": "443",
  7503. "Polling": "5000",
  7504. "Jitter": "10",
  7505. "Maxdns": "235",
  7506. "C2 Server": "regbest.com,/us/ky/louisville/312-s-fourth-st.html",
  7507. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7508. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7509. "Header1": "",
  7510. "Header2": "",
  7511. "PipeName": "",
  7512. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7513. "DNS Sleep": "0",
  7514. "Method1": "GET",
  7515. "Method2": "POST",
  7516. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7517. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7518. "Proxy_AccessType": "2 (Use IE settings)"
  7519. }
  7520. },
  7521. "23.106.160.191": {
  7522. "x86": {
  7523. "BeaconType": "8 (HTTPS)",
  7524. "Port": "443",
  7525. "Polling": "60000",
  7526. "Jitter": "0",
  7527. "Maxdns": "255",
  7528. "C2 Server": "23.106.160.191,/activity",
  7529. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 2.0.50727)",
  7530. "HTTP Method Path 2": "/submit.php",
  7531. "Header1": "",
  7532. "Header2": "",
  7533. "PipeName": "",
  7534. "DNS Idle": "\\x00\\x00\\x00\\x00",
  7535. "DNS Sleep": "0",
  7536. "Method1": "GET",
  7537. "Method2": "POST",
  7538. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7539. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7540. "Proxy_AccessType": "2 (Use IE settings)"
  7541. }
  7542. },
  7543. "23.106.160.195": {
  7544. "x86": {
  7545. "BeaconType": "8 (HTTPS)",
  7546. "Port": "443",
  7547. "Polling": "5000",
  7548. "Jitter": "10",
  7549. "Maxdns": "235",
  7550. "C2 Server": "topevi.com,/us/ky/louisville/312-s-fourth-st.html",
  7551. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7552. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7553. "Header1": "",
  7554. "Header2": "",
  7555. "PipeName": "",
  7556. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7557. "DNS Sleep": "0",
  7558. "Method1": "GET",
  7559. "Method2": "POST",
  7560. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7561. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7562. "Proxy_AccessType": "2 (Use IE settings)"
  7563. }
  7564. },
  7565. "23.106.160.198": {
  7566. "x86": {
  7567. "BeaconType": "8 (HTTPS)",
  7568. "Port": "443",
  7569. "Polling": "5000",
  7570. "Jitter": "10",
  7571. "Maxdns": "235",
  7572. "C2 Server": "repshd.com,/us/ky/louisville/312-s-fourth-st.html,pinglis.com,/us/ky/louisville/312-s-fourth-st.html,stargut.com,/us/ky/louisville/312-s-fourth-st.html",
  7573. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7574. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7575. "Header1": "",
  7576. "Header2": "",
  7577. "PipeName": "",
  7578. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7579. "DNS Sleep": "0",
  7580. "Method1": "GET",
  7581. "Method2": "POST",
  7582. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7583. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7584. "Proxy_AccessType": "2 (Use IE settings)"
  7585. }
  7586. },
  7587. "23.106.160.2": {
  7588. "x64": {
  7589. "BeaconType": "8 (HTTPS)",
  7590. "Port": "443",
  7591. "Polling": "5000",
  7592. "Jitter": "10",
  7593. "Maxdns": "235",
  7594. "C2 Server": "bitsse.com,/us/ky/louisville/312-s-fourth-st.html,uncole.com,/us/ky/louisville/312-s-fourth-st.html",
  7595. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7596. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7597. "Header1": "",
  7598. "Header2": "",
  7599. "PipeName": "",
  7600. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7601. "DNS Sleep": "0",
  7602. "Method1": "GET",
  7603. "Method2": "POST",
  7604. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7605. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7606. "Proxy_AccessType": "2 (Use IE settings)"
  7607. }
  7608. },
  7609. "23.106.160.216": {
  7610. "x86": {
  7611. "BeaconType": "8 (HTTPS)",
  7612. "Port": "443",
  7613. "Polling": "5000",
  7614. "Jitter": "10",
  7615. "Maxdns": "235",
  7616. "C2 Server": "volof.com,/us/ky/louisville/312-s-fourth-st.html",
  7617. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7618. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7619. "Header1": "",
  7620. "Header2": "",
  7621. "PipeName": "",
  7622. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7623. "DNS Sleep": "0",
  7624. "Method1": "GET",
  7625. "Method2": "POST",
  7626. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7627. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7628. "Proxy_AccessType": "2 (Use IE settings)"
  7629. }
  7630. },
  7631. "23.106.160.229": {
  7632. "x86": {
  7633. "BeaconType": "8 (HTTPS)",
  7634. "Port": "443",
  7635. "Polling": "60000",
  7636. "Jitter": "0",
  7637. "Maxdns": "255",
  7638. "C2 Server": "23.106.160.229,/cx",
  7639. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MATP; MATP)",
  7640. "HTTP Method Path 2": "/submit.php",
  7641. "Header1": "",
  7642. "Header2": "",
  7643. "PipeName": "",
  7644. "DNS Idle": "\\x00\\x00\\x00\\x00",
  7645. "DNS Sleep": "0",
  7646. "Method1": "GET",
  7647. "Method2": "POST",
  7648. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7649. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7650. "Proxy_AccessType": "2 (Use IE settings)"
  7651. },
  7652. "x64": {
  7653. "BeaconType": "8 (HTTPS)",
  7654. "Port": "443",
  7655. "Polling": "60000",
  7656. "Jitter": "0",
  7657. "Maxdns": "255",
  7658. "C2 Server": "23.106.160.229,/push",
  7659. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
  7660. "HTTP Method Path 2": "/submit.php",
  7661. "Header1": "",
  7662. "Header2": "",
  7663. "PipeName": "",
  7664. "DNS Idle": "\\x00\\x00\\x00\\x00",
  7665. "DNS Sleep": "0",
  7666. "Method1": "GET",
  7667. "Method2": "POST",
  7668. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7669. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7670. "Proxy_AccessType": "2 (Use IE settings)"
  7671. }
  7672. },
  7673. "23.106.160.61": {
  7674. "x86": {
  7675. "BeaconType": "8 (HTTPS)",
  7676. "Port": "443",
  7677. "Polling": "5000",
  7678. "Jitter": "10",
  7679. "Maxdns": "235",
  7680. "C2 Server": "wikibros.com,/us/ky/louisville/312-s-fourth-st.html",
  7681. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7682. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7683. "Header1": "",
  7684. "Header2": "",
  7685. "PipeName": "",
  7686. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7687. "DNS Sleep": "0",
  7688. "Method1": "GET",
  7689. "Method2": "POST",
  7690. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7691. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7692. "Proxy_AccessType": "2 (Use IE settings)"
  7693. }
  7694. },
  7695. "23.106.160.86": {
  7696. "x86": {
  7697. "BeaconType": "8 (HTTPS)",
  7698. "Port": "443",
  7699. "Polling": "5000",
  7700. "Jitter": "10",
  7701. "Maxdns": "235",
  7702. "C2 Server": "raills.com,/us/ky/louisville/312-s-fourth-st.html",
  7703. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7704. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7705. "Header1": "",
  7706. "Header2": "",
  7707. "PipeName": "",
  7708. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7709. "DNS Sleep": "0",
  7710. "Method1": "GET",
  7711. "Method2": "POST",
  7712. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7713. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7714. "Proxy_AccessType": "2 (Use IE settings)"
  7715. }
  7716. },
  7717. "23.106.215.199": {
  7718. "x64": {
  7719. "BeaconType": "8 (HTTPS)",
  7720. "Port": "443",
  7721. "Polling": "30000",
  7722. "Jitter": "20",
  7723. "Maxdns": "255",
  7724. "C2 Server": "stephq.com,/CWoNaJLBo/VTNeWw11212/",
  7725. "User Agent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)",
  7726. "HTTP Method Path 2": "/CWoNaJLBo/VTNeWw11213/",
  7727. "Header1": "",
  7728. "Header2": "",
  7729. "PipeName": "",
  7730. "DNS Idle": "\\x00\\x00\\x00\\x00",
  7731. "DNS Sleep": "0",
  7732. "Method1": "GET",
  7733. "Method2": "POST",
  7734. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7735. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7736. "Proxy_AccessType": "2 (Use IE settings)"
  7737. }
  7738. },
  7739. "23.106.215.32": {
  7740. "x64": {
  7741. "BeaconType": "8 (HTTPS)",
  7742. "Port": "443",
  7743. "Polling": "5000",
  7744. "Jitter": "37",
  7745. "Maxdns": "255",
  7746. "C2 Server": "contedge.net,/jquery-3.3.1.min.js",
  7747. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  7748. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  7749. "Header1": "",
  7750. "Header2": "",
  7751. "PipeName": "",
  7752. "DNS Idle": "J}\\xC4q",
  7753. "DNS Sleep": "0",
  7754. "Method1": "GET",
  7755. "Method2": "POST",
  7756. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  7757. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  7758. "Proxy_AccessType": "2 (Use IE settings)"
  7759. }
  7760. },
  7761. "23.106.215.40": {
  7762. "x86": {
  7763. "BeaconType": "8 (HTTPS)",
  7764. "Port": "443",
  7765. "Polling": "60000",
  7766. "Jitter": "0",
  7767. "Maxdns": "255",
  7768. "C2 Server": "cuphq.com,/ga.js",
  7769. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; MATBJS)",
  7770. "HTTP Method Path 2": "/submit.php",
  7771. "Header1": "",
  7772. "Header2": "",
  7773. "PipeName": "",
  7774. "DNS Idle": "\\x00\\x00\\x00\\x00",
  7775. "DNS Sleep": "0",
  7776. "Method1": "GET",
  7777. "Method2": "POST",
  7778. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7779. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7780. "Proxy_AccessType": "2 (Use IE settings)"
  7781. }
  7782. },
  7783. "23.106.223.151": {
  7784. "x86": {
  7785. "BeaconType": "8 (HTTPS)",
  7786. "Port": "443",
  7787. "Polling": "5000",
  7788. "Jitter": "10",
  7789. "Maxdns": "235",
  7790. "C2 Server": "foxreps.com,/us/ky/louisville/312-s-fourth-st.html,novause.com,/us/ky/louisville/312-s-fourth-st.html",
  7791. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7792. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7793. "Header1": "",
  7794. "Header2": "",
  7795. "PipeName": "",
  7796. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7797. "DNS Sleep": "0",
  7798. "Method1": "GET",
  7799. "Method2": "POST",
  7800. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7801. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7802. "Proxy_AccessType": "2 (Use IE settings)"
  7803. },
  7804. "x64": {
  7805. "BeaconType": "8 (HTTPS)",
  7806. "Port": "443",
  7807. "Polling": "5000",
  7808. "Jitter": "10",
  7809. "Maxdns": "235",
  7810. "C2 Server": "foxreps.com,/us/ky/louisville/312-s-fourth-st.html,novause.com,/us/ky/louisville/312-s-fourth-st.html",
  7811. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7812. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7813. "Header1": "",
  7814. "Header2": "",
  7815. "PipeName": "",
  7816. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7817. "DNS Sleep": "0",
  7818. "Method1": "GET",
  7819. "Method2": "POST",
  7820. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7821. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7822. "Proxy_AccessType": "2 (Use IE settings)"
  7823. }
  7824. },
  7825. "23.106.223.172": {
  7826. "x86": {
  7827. "BeaconType": "8 (HTTPS)",
  7828. "Port": "443",
  7829. "Polling": "5000",
  7830. "Jitter": "10",
  7831. "Maxdns": "235",
  7832. "C2 Server": "resfox.com,/us/ky/louisville/312-s-fourth-st.html,zeroflip.com,/us/ky/louisville/312-s-fourth-st.html",
  7833. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7834. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7835. "Header1": "",
  7836. "Header2": "",
  7837. "PipeName": "",
  7838. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7839. "DNS Sleep": "0",
  7840. "Method1": "GET",
  7841. "Method2": "POST",
  7842. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7843. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7844. "Proxy_AccessType": "2 (Use IE settings)"
  7845. }
  7846. },
  7847. "23.106.223.27": {
  7848. "x86": {
  7849. "BeaconType": "8 (HTTPS)",
  7850. "Port": "443",
  7851. "Polling": "5000",
  7852. "Jitter": "10",
  7853. "Maxdns": "235",
  7854. "C2 Server": "arcnew.com,/us/ky/louisville/312-s-fourth-st.html",
  7855. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7856. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7857. "Header1": "",
  7858. "Header2": "",
  7859. "PipeName": "",
  7860. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7861. "DNS Sleep": "0",
  7862. "Method1": "GET",
  7863. "Method2": "POST",
  7864. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7865. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7866. "Proxy_AccessType": "2 (Use IE settings)"
  7867. },
  7868. "x64": {
  7869. "BeaconType": "8 (HTTPS)",
  7870. "Port": "443",
  7871. "Polling": "5000",
  7872. "Jitter": "10",
  7873. "Maxdns": "235",
  7874. "C2 Server": "arcnew.com,/us/ky/louisville/312-s-fourth-st.html",
  7875. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7876. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7877. "Header1": "",
  7878. "Header2": "",
  7879. "PipeName": "",
  7880. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7881. "DNS Sleep": "0",
  7882. "Method1": "GET",
  7883. "Method2": "POST",
  7884. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7885. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7886. "Proxy_AccessType": "2 (Use IE settings)"
  7887. }
  7888. },
  7889. "23.19.227.165": {
  7890. "x86": {
  7891. "BeaconType": "8 (HTTPS)",
  7892. "Port": "443",
  7893. "Polling": "5000",
  7894. "Jitter": "10",
  7895. "Maxdns": "235",
  7896. "C2 Server": "facesh.com,/us/ky/louisville/312-s-fourth-st.html",
  7897. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7898. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7899. "Header1": "",
  7900. "Header2": "",
  7901. "PipeName": "",
  7902. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7903. "DNS Sleep": "0",
  7904. "Method1": "GET",
  7905. "Method2": "POST",
  7906. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7907. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7908. "Proxy_AccessType": "2 (Use IE settings)"
  7909. }
  7910. },
  7911. "23.19.227.204": {
  7912. "x86": {
  7913. "BeaconType": "8 (HTTPS)",
  7914. "Port": "443",
  7915. "Polling": "60000",
  7916. "Jitter": "0",
  7917. "Maxdns": "255",
  7918. "C2 Server": "pics.lockboxlink.com,/IE9CompatViewList.xml,black.lockboxlink.com,/g.pixel",
  7919. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; UHS)",
  7920. "HTTP Method Path 2": "/submit.php",
  7921. "Header1": "",
  7922. "Header2": "",
  7923. "PipeName": "",
  7924. "DNS Idle": "\\x00\\x00\\x00\\x00",
  7925. "DNS Sleep": "0",
  7926. "Method1": "GET",
  7927. "Method2": "POST",
  7928. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7929. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7930. "Proxy_AccessType": "2 (Use IE settings)"
  7931. }
  7932. },
  7933. "23.227.194.185": {
  7934. "x86": {
  7935. "BeaconType": "8 (HTTPS)",
  7936. "Port": "443",
  7937. "Polling": "60000",
  7938. "Jitter": "0",
  7939. "C2 Server": "23.227.194.185,/pixel.gif",
  7940. "HTTP Method Path 2": "/submit.php",
  7941. "Method1": "GET",
  7942. "Method2": "POST",
  7943. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7944. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7945. "Proxy_AccessType": "2 (Use IE settings)"
  7946. }
  7947. },
  7948. "23.81.246.24": {
  7949. "x86": {
  7950. "BeaconType": "8 (HTTPS)",
  7951. "Port": "443",
  7952. "Polling": "5000",
  7953. "Jitter": "10",
  7954. "Maxdns": "235",
  7955. "C2 Server": "repshd.com,/us/ky/louisville/312-s-fourth-st.html,pinglis.com,/us/ky/louisville/312-s-fourth-st.html,stargut.com,/us/ky/louisville/312-s-fourth-st.html",
  7956. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7957. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7958. "Header1": "",
  7959. "Header2": "",
  7960. "PipeName": "",
  7961. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7962. "DNS Sleep": "0",
  7963. "Method1": "GET",
  7964. "Method2": "POST",
  7965. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7966. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7967. "Proxy_AccessType": "2 (Use IE settings)"
  7968. },
  7969. "x64": {
  7970. "BeaconType": "8 (HTTPS)",
  7971. "Port": "443",
  7972. "Polling": "5000",
  7973. "Jitter": "10",
  7974. "Maxdns": "235",
  7975. "C2 Server": "repshd.com,/us/ky/louisville/312-s-fourth-st.html,pinglis.com,/us/ky/louisville/312-s-fourth-st.html,stargut.com,/us/ky/louisville/312-s-fourth-st.html",
  7976. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7977. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7978. "Header1": "",
  7979. "Header2": "",
  7980. "PipeName": "",
  7981. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7982. "DNS Sleep": "0",
  7983. "Method1": "GET",
  7984. "Method2": "POST",
  7985. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7986. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7987. "Proxy_AccessType": "2 (Use IE settings)"
  7988. }
  7989. },
  7990. "23.81.246.46": {
  7991. "x86": {
  7992. "BeaconType": "8 (HTTPS)",
  7993. "Port": "443",
  7994. "Polling": "5000",
  7995. "Jitter": "0",
  7996. "Maxdns": "255",
  7997. "C2 Server": "contmetric.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  7998. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  7999. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  8000. "Header1": "",
  8001. "Header2": "",
  8002. "PipeName": "",
  8003. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8004. "DNS Sleep": "0",
  8005. "Method1": "GET",
  8006. "Method2": "POST",
  8007. "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe",
  8008. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  8009. "Proxy_AccessType": "2 (Use IE settings)"
  8010. }
  8011. },
  8012. "23.81.246.74": {
  8013. "x86": {
  8014. "BeaconType": "8 (HTTPS)",
  8015. "Port": "443",
  8016. "Polling": "30000",
  8017. "Jitter": "20",
  8018. "Maxdns": "255",
  8019. "C2 Server": "keyisa.com,/CWoNaJLBo/VTNeWw11212/",
  8020. "User Agent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)",
  8021. "HTTP Method Path 2": "/CWoNaJLBo/VTNeWw11213/",
  8022. "Header1": "",
  8023. "Header2": "",
  8024. "PipeName": "",
  8025. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8026. "DNS Sleep": "0",
  8027. "Method1": "GET",
  8028. "Method2": "POST",
  8029. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8030. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8031. "Proxy_AccessType": "2 (Use IE settings)"
  8032. },
  8033. "x64": {
  8034. "BeaconType": "8 (HTTPS)",
  8035. "Port": "443",
  8036. "Polling": "30000",
  8037. "Jitter": "20",
  8038. "Maxdns": "255",
  8039. "C2 Server": "keyisa.com,/CWoNaJLBo/VTNeWw11212/",
  8040. "User Agent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)",
  8041. "HTTP Method Path 2": "/CWoNaJLBo/VTNeWw11213/",
  8042. "Header1": "",
  8043. "Header2": "",
  8044. "PipeName": "",
  8045. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8046. "DNS Sleep": "0",
  8047. "Method1": "GET",
  8048. "Method2": "POST",
  8049. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8050. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8051. "Proxy_AccessType": "2 (Use IE settings)"
  8052. }
  8053. },
  8054. "23.81.246.89": {
  8055. "x86": {
  8056. "BeaconType": "8 (HTTPS)",
  8057. "Port": "443",
  8058. "Polling": "60000",
  8059. "Jitter": "0",
  8060. "Maxdns": "255",
  8061. "C2 Server": "amapai-technologies.space,/g.pixel",
  8062. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENAU)",
  8063. "HTTP Method Path 2": "/submit.php",
  8064. "Header1": "",
  8065. "Header2": "",
  8066. "PipeName": "",
  8067. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8068. "DNS Sleep": "0",
  8069. "Method1": "GET",
  8070. "Method2": "POST",
  8071. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8072. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8073. "Proxy_AccessType": "2 (Use IE settings)"
  8074. },
  8075. "x64": {
  8076. "BeaconType": "8 (HTTPS)",
  8077. "Port": "443",
  8078. "Polling": "60000",
  8079. "Jitter": "0",
  8080. "Maxdns": "255",
  8081. "C2 Server": "amapai-technologies.space,/__utm.gif",
  8082. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727)",
  8083. "HTTP Method Path 2": "/submit.php",
  8084. "Header1": "",
  8085. "Header2": "",
  8086. "PipeName": "",
  8087. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8088. "DNS Sleep": "0",
  8089. "Method1": "GET",
  8090. "Method2": "POST",
  8091. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8092. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8093. "Proxy_AccessType": "2 (Use IE settings)"
  8094. }
  8095. },
  8096. "23.83.133.240": {
  8097. "x86": {
  8098. "BeaconType": "8 (HTTPS)",
  8099. "Port": "443",
  8100. "Polling": "60000",
  8101. "Jitter": "0",
  8102. "Maxdns": "255",
  8103. "C2 Server": "amapai-technologies.site,/ptj",
  8104. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)",
  8105. "HTTP Method Path 2": "/submit.php",
  8106. "Header1": "",
  8107. "Header2": "",
  8108. "PipeName": "",
  8109. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8110. "DNS Sleep": "0",
  8111. "Method1": "GET",
  8112. "Method2": "POST",
  8113. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8114. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8115. "Proxy_AccessType": "2 (Use IE settings)"
  8116. }
  8117. },
  8118. "23.83.134.16": {
  8119. "x86": {
  8120. "BeaconType": "8 (HTTPS)",
  8121. "Port": "443",
  8122. "Polling": "60000",
  8123. "Jitter": "0",
  8124. "Maxdns": "255",
  8125. "C2 Server": "black.lockboxlink.com,/ga.js,pics.lockboxlink.com,/match",
  8126. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; MAAU; NP08)",
  8127. "HTTP Method Path 2": "/submit.php",
  8128. "Header1": "",
  8129. "Header2": "",
  8130. "PipeName": "",
  8131. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8132. "DNS Sleep": "0",
  8133. "Method1": "GET",
  8134. "Method2": "POST",
  8135. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8136. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8137. "Proxy_AccessType": "2 (Use IE settings)"
  8138. },
  8139. "x64": {
  8140. "BeaconType": "8 (HTTPS)",
  8141. "Port": "443",
  8142. "Polling": "60000",
  8143. "Jitter": "0",
  8144. "Maxdns": "255",
  8145. "C2 Server": "black.lockboxlink.com,/ptj,pics.lockboxlink.com,/pixel",
  8146. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; LG; LG-E906)",
  8147. "HTTP Method Path 2": "/submit.php",
  8148. "Header1": "",
  8149. "Header2": "",
  8150. "PipeName": "",
  8151. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8152. "DNS Sleep": "0",
  8153. "Method1": "GET",
  8154. "Method2": "POST",
  8155. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8156. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8157. "Proxy_AccessType": "2 (Use IE settings)"
  8158. }
  8159. },
  8160. "27.102.70.189": {
  8161. "x64": {
  8162. "BeaconType": "8 (HTTPS)",
  8163. "Port": "443",
  8164. "Polling": "10000",
  8165. "Jitter": "0",
  8166. "Maxdns": "255",
  8167. "C2 Server": "img.alicdn.com,/geo/collect/v1,at.alicdn.com,/geo/collect/v1,ald.taobao.com,/geo/collect/v1,www.aliyunbaike.com,/geo/collect/v1",
  8168. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0;) like Gecko",
  8169. "HTTP Method Path 2": "/collect/v1",
  8170. "Header1": "",
  8171. "Header2": "",
  8172. "PipeName": "",
  8173. "DNS Idle": "\\x08\\x08\\x08\\x08",
  8174. "DNS Sleep": "0",
  8175. "Method1": "GET",
  8176. "Method2": "POST",
  8177. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  8178. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  8179. "Proxy_AccessType": "2 (Use IE settings)"
  8180. }
  8181. },
  8182. "31.14.40.143": {
  8183. "x86": {
  8184. "BeaconType": "8 (HTTPS)",
  8185. "Port": "443",
  8186. "Polling": "60000",
  8187. "Jitter": "0",
  8188. "Maxdns": "255",
  8189. "C2 Server": "31.14.40.143,/g.pixel",
  8190. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)",
  8191. "HTTP Method Path 2": "/submit.php",
  8192. "Header1": "",
  8193. "Header2": "",
  8194. "PipeName": "",
  8195. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8196. "DNS Sleep": "0",
  8197. "Method1": "GET",
  8198. "Method2": "POST",
  8199. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8200. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8201. "Proxy_AccessType": "2 (Use IE settings)"
  8202. },
  8203. "x64": {
  8204. "BeaconType": "8 (HTTPS)",
  8205. "Port": "443",
  8206. "Polling": "60000",
  8207. "Jitter": "0",
  8208. "Maxdns": "255",
  8209. "C2 Server": "31.14.40.143,/push",
  8210. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
  8211. "HTTP Method Path 2": "/submit.php",
  8212. "Header1": "",
  8213. "Header2": "",
  8214. "PipeName": "",
  8215. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8216. "DNS Sleep": "0",
  8217. "Method1": "GET",
  8218. "Method2": "POST",
  8219. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8220. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8221. "Proxy_AccessType": "2 (Use IE settings)"
  8222. }
  8223. },
  8224. "31.187.64.199": {
  8225. "x86": {
  8226. "BeaconType": "8 (HTTPS)",
  8227. "Port": "443",
  8228. "Polling": "10010",
  8229. "Jitter": "1",
  8230. "Maxdns": "255",
  8231. "C2 Server": "d30qpb9e10re4o.cloudfront.net,/gen_204eiT6EX_r4F3fqwHI9boDg,dzep7n1lqmr18.cloudfront.net,/gen_204eiT6EX_r4F3fqwHI9boDg,d2qbce1fkipgyc.cloudfront.net,/gen_204eiT6EX_r4F3fqwHI9boDg,nix1.xyz,/gen_204eiT6EX_r4F3fqwHI9boDg",
  8232. "User Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 15.0;) Gecko/20100101 Firefox/637.0",
  8233. "HTTP Method Path 2": "/_/VisualFrontendUi/data/batchexecute",
  8234. "Header1": "",
  8235. "Header2": "",
  8236. "PipeName": "",
  8237. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8238. "DNS Sleep": "0",
  8239. "Method1": "POST",
  8240. "Method2": "POST",
  8241. "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe",
  8242. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  8243. "Proxy_AccessType": "2 (Use IE settings)"
  8244. }
  8245. },
  8246. "31.187.64.231": {
  8247. "x64": {
  8248. "BeaconType": "8 (HTTPS)",
  8249. "Port": "443",
  8250. "Polling": "10010",
  8251. "Jitter": "1",
  8252. "Maxdns": "255",
  8253. "C2 Server": "d30qpb9e10re4o.cloudfront.net,/gen_204eiT6EX_r4F3fqwHI9boDg,dzep7n1lqmr18.cloudfront.net,/gen_204eiT6EX_r4F3fqwHI9boDg,d2qbce1fkipgyc.cloudfront.net,/gen_204eiT6EX_r4F3fqwHI9boDg,nix1.xyz,/gen_204eiT6EX_r4F3fqwHI9boDg",
  8254. "User Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 15.0;) Gecko/20100101 Firefox/637.0",
  8255. "HTTP Method Path 2": "/_/VisualFrontendUi/data/batchexecute",
  8256. "Header1": "",
  8257. "Header2": "",
  8258. "PipeName": "",
  8259. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8260. "DNS Sleep": "0",
  8261. "Method1": "POST",
  8262. "Method2": "POST",
  8263. "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe",
  8264. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  8265. "Proxy_AccessType": "2 (Use IE settings)"
  8266. }
  8267. },
  8268. "3.122.109.210": {
  8269. "x86": {
  8270. "BeaconType": "8 (HTTPS)",
  8271. "Port": "443",
  8272. "Polling": "37500",
  8273. "Jitter": "33",
  8274. "Maxdns": "245",
  8275. "C2 Server": "3.122.109.210,/audio/",
  8276. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36",
  8277. "HTTP Method Path 2": "/melody/",
  8278. "Header1": "",
  8279. "Header2": "",
  8280. "PipeName": "",
  8281. "DNS Idle": "\\x08\\x08\\x08\\x08",
  8282. "DNS Sleep": "0",
  8283. "Method1": "GET",
  8284. "Method2": "POST",
  8285. "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe",
  8286. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  8287. "Proxy_AccessType": "2 (Use IE settings)"
  8288. }
  8289. },
  8290. "3.122.252.220": {
  8291. "x64": {
  8292. "BeaconType": "8 (HTTPS)",
  8293. "Port": "443",
  8294. "Polling": "45000",
  8295. "Jitter": "37",
  8296. "Maxdns": "255",
  8297. "C2 Server": "cdn1.srv-spotlfy.com,/js/jquery-3.3.1.min.js",
  8298. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  8299. "HTTP Method Path 2": "/js/jquery-3.3.2.min.js",
  8300. "Header1": "",
  8301. "Header2": "",
  8302. "PipeName": "",
  8303. "DNS Idle": "J}\\xC4q",
  8304. "DNS Sleep": "0",
  8305. "Method1": "GET",
  8306. "Method2": "POST",
  8307. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  8308. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  8309. "Proxy_AccessType": "2 (Use IE settings)"
  8310. }
  8311. },
  8312. "3.124.3.252": {
  8313. "x86": {
  8314. "BeaconType": "8 (HTTPS)",
  8315. "Port": "443",
  8316. "Polling": "60000",
  8317. "Jitter": "20",
  8318. "C2 Server": "3.127.139.203,/c/msdownload/update/others/2020/11/KB152288_",
  8319. "HTTP Method Path 2": "/c/msdownload/update/others/2020/11/KB13434_",
  8320. "Method1": "GET",
  8321. "Method2": "GET",
  8322. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8323. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8324. "Proxy_AccessType": "2 (Use IE settings)"
  8325. }
  8326. },
  8327. "3.125.158.190": {
  8328. "x64": {
  8329. "BeaconType": "8 (HTTPS)",
  8330. "Port": "443",
  8331. "Polling": "37500",
  8332. "Jitter": "33",
  8333. "Maxdns": "245",
  8334. "C2 Server": "hydra1337.com,/audio/",
  8335. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36",
  8336. "HTTP Method Path 2": "/melody/",
  8337. "Header1": "",
  8338. "Header2": "",
  8339. "PipeName": "",
  8340. "DNS Idle": "\\x08\\x08\\x08\\x08",
  8341. "DNS Sleep": "0",
  8342. "Method1": "GET",
  8343. "Method2": "POST",
  8344. "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe",
  8345. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  8346. "Proxy_AccessType": "2 (Use IE settings)"
  8347. }
  8348. },
  8349. "3.126.209.180": {
  8350. "x86": {
  8351. "BeaconType": "8 (HTTPS)",
  8352. "Port": "443",
  8353. "Polling": "60000",
  8354. "Jitter": "15",
  8355. "C2 Server": "cob.maranshipssupplies.com,/_/scs/mail-static/_/js/",
  8356. "HTTP Method Path 2": "/mail/u/0/",
  8357. "Method1": "GET",
  8358. "Method2": "POST",
  8359. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8360. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8361. "Proxy_AccessType": "2 (Use IE settings)"
  8362. }
  8363. },
  8364. "3.127.139.203": {
  8365. "x64": {
  8366. "BeaconType": "8 (HTTPS)",
  8367. "Port": "443",
  8368. "Polling": "60000",
  8369. "Jitter": "20",
  8370. "C2 Server": "3.127.139.203,/c/msdownload/update/others/2020/11/KB152288_",
  8371. "HTTP Method Path 2": "/c/msdownload/update/others/2020/11/KB13434_",
  8372. "Method1": "GET",
  8373. "Method2": "GET",
  8374. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8375. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8376. "Proxy_AccessType": "2 (Use IE settings)"
  8377. }
  8378. },
  8379. "3.127.150.208": {
  8380. "x86": {
  8381. "BeaconType": "8 (HTTPS)",
  8382. "Port": "443",
  8383. "Polling": "60000",
  8384. "Jitter": "15",
  8385. "C2 Server": "cob.maranshipssupplies.com,/_/scs/mail-static/_/js/",
  8386. "HTTP Method Path 2": "/mail/u/0/",
  8387. "Method1": "GET",
  8388. "Method2": "POST",
  8389. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8390. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8391. "Proxy_AccessType": "2 (Use IE settings)"
  8392. },
  8393. "x64": {
  8394. "BeaconType": "8 (HTTPS)",
  8395. "Port": "443",
  8396. "Polling": "60000",
  8397. "Jitter": "15",
  8398. "C2 Server": "cob.maranshipssupplies.com,/_/scs/mail-static/_/js/",
  8399. "HTTP Method Path 2": "/mail/u/0/",
  8400. "Method1": "GET",
  8401. "Method2": "POST",
  8402. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8403. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8404. "Proxy_AccessType": "2 (Use IE settings)"
  8405. }
  8406. },
  8407. "3.128.244.129": {
  8408. "x86": {
  8409. "BeaconType": "8 (HTTPS)",
  8410. "Port": "443",
  8411. "Polling": "30000",
  8412. "Jitter": "30",
  8413. "Maxdns": "99",
  8414. "C2 Server": "analytics.itshealthpro.com,/logo",
  8415. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  8416. "HTTP Method Path 2": "/r_config",
  8417. "Header1": "",
  8418. "Header2": "",
  8419. "PipeName": "",
  8420. "DNS Idle": "(pH\\xCD",
  8421. "DNS Sleep": "0",
  8422. "Method1": "GET",
  8423. "Method2": "POST",
  8424. "Spawnto_x86": "%windir%\\syswow64\\WerFault.exe",
  8425. "Spawnto_x64": "%windir%\\sysnative\\WerFault.exe",
  8426. "Proxy_AccessType": "2 (Use IE settings)"
  8427. }
  8428. },
  8429. "3.133.100.221": {
  8430. "x64": {
  8431. "BeaconType": "8 (HTTPS)",
  8432. "Port": "443",
  8433. "Polling": "60000",
  8434. "Jitter": "0",
  8435. "C2 Server": "3.133.100.221,/cx",
  8436. "HTTP Method Path 2": "/submit.php",
  8437. "Method1": "GET",
  8438. "Method2": "POST",
  8439. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8440. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8441. "Proxy_AccessType": "2 (Use IE settings)"
  8442. }
  8443. },
  8444. "3.133.160.202": {
  8445. "x86": {
  8446. "BeaconType": "8 (HTTPS)",
  8447. "Port": "443",
  8448. "Polling": "60000",
  8449. "Jitter": "0",
  8450. "C2 Server": "scripts.completelyinnocuousdomain.com,/updates.rss",
  8451. "HTTP Method Path 2": "/submit.php",
  8452. "Method1": "GET",
  8453. "Method2": "POST",
  8454. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8455. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8456. "Proxy_AccessType": "2 (Use IE settings)"
  8457. }
  8458. },
  8459. "3.135.189.104": {
  8460. "x86": {
  8461. "BeaconType": "8 (HTTPS)",
  8462. "Port": "443",
  8463. "Polling": "810",
  8464. "Jitter": "0",
  8465. "Maxdns": "242",
  8466. "C2 Server": "raymondjames.hostedconnectedrisk.com:,/access/",
  8467. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
  8468. "HTTP Method Path 2": "/radio/xmlrpc/v35",
  8469. "Header1": "",
  8470. "Header2": "",
  8471. "PipeName": "",
  8472. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8473. "DNS Sleep": "0",
  8474. "Method1": "GET",
  8475. "Method2": "POST",
  8476. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8477. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8478. "Proxy_AccessType": "2 (Use IE settings)"
  8479. },
  8480. "x64": {
  8481. "BeaconType": "8 (HTTPS)",
  8482. "Port": "443",
  8483. "Polling": "810",
  8484. "Jitter": "0",
  8485. "Maxdns": "242",
  8486. "C2 Server": "raymondjames.hostedconnectedrisk.com:,/access/",
  8487. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
  8488. "HTTP Method Path 2": "/radio/xmlrpc/v35",
  8489. "Header1": "",
  8490. "Header2": "",
  8491. "PipeName": "",
  8492. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8493. "DNS Sleep": "0",
  8494. "Method1": "GET",
  8495. "Method2": "POST",
  8496. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8497. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8498. "Proxy_AccessType": "2 (Use IE settings)"
  8499. }
  8500. },
  8501. "3.135.47.125": {
  8502. "x86": {
  8503. "BeaconType": "8 (HTTPS)",
  8504. "Port": "443",
  8505. "Polling": "5000",
  8506. "Jitter": "47",
  8507. "Maxdns": "255",
  8508. "C2 Server": "DailyHealthGuide.org,/jquery-3.3.1.min.js",
  8509. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  8510. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  8511. "Header1": "",
  8512. "Header2": "",
  8513. "PipeName": "",
  8514. "DNS Idle": "J}\\xC4q",
  8515. "DNS Sleep": "0",
  8516. "Method1": "GET",
  8517. "Method2": "POST",
  8518. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  8519. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  8520. "Proxy_AccessType": "2 (Use IE settings)"
  8521. }
  8522. },
  8523. "3.136.109.67": {
  8524. "x64": {
  8525. "BeaconType": "8 (HTTPS)",
  8526. "Port": "443",
  8527. "Polling": "30000",
  8528. "Jitter": "20",
  8529. "Maxdns": "235",
  8530. "C2 Server": "pentair-slack.com,/messages/C0527B0NM,3.136.109.67,/messages/C0527B0NM",
  8531. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  8532. "HTTP Method Path 2": "/api/api.test",
  8533. "Header1": "",
  8534. "Header2": "",
  8535. "PipeName": "",
  8536. "DNS Idle": "\\x08\\x08\\x08\\x08",
  8537. "DNS Sleep": "0",
  8538. "Method1": "GET",
  8539. "Method2": "POST",
  8540. "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe",
  8541. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  8542. "Proxy_AccessType": "2 (Use IE settings)"
  8543. }
  8544. },
  8545. "3.136.160.122": {
  8546. "x64": {
  8547. "BeaconType": "8 (HTTPS)",
  8548. "Port": "443",
  8549. "Polling": "60000",
  8550. "Jitter": "37",
  8551. "Maxdns": "255",
  8552. "C2 Server": "telemetry.wessonlabpartners.com,/jquery-3.3.1.min.js,admitting.healthfitconnection.com,/jquery-3.3.1.min.js,skilled_nursing.healthmanagementtoday.com,/jquery-3.3.1.min.js",
  8553. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  8554. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  8555. "Header1": "",
  8556. "Header2": "",
  8557. "PipeName": "",
  8558. "DNS Idle": "\\x03\\x88\\xA0z",
  8559. "DNS Sleep": "0",
  8560. "Method1": "GET",
  8561. "Method2": "POST",
  8562. "Spawnto_x86": "%windir%\\syswow64\\spoolsv.exe",
  8563. "Spawnto_x64": "%windir%\\sysnative\\spoolsv.exe",
  8564. "Proxy_AccessType": "2 (Use IE settings)"
  8565. }
  8566. },
  8567. "3.137.139.119": {
  8568. "x64": {
  8569. "BeaconType": "8 (HTTPS)",
  8570. "Port": "443",
  8571. "Polling": "60000",
  8572. "Jitter": "0",
  8573. "Maxdns": "255",
  8574. "C2 Server": "service.office247.tech,/match",
  8575. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; NP06)",
  8576. "HTTP Method Path 2": "/submit.php",
  8577. "Header1": "",
  8578. "Header2": "",
  8579. "PipeName": "",
  8580. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8581. "DNS Sleep": "0",
  8582. "Method1": "GET",
  8583. "Method2": "POST",
  8584. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8585. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8586. "Proxy_AccessType": "2 (Use IE settings)"
  8587. }
  8588. },
  8589. "3.137.206.229": {
  8590. "x64": {
  8591. "BeaconType": "8 (HTTPS)",
  8592. "Port": "443",
  8593. "Polling": "60000",
  8594. "Jitter": "0",
  8595. "C2 Server": "3.133.100.221,/cx",
  8596. "HTTP Method Path 2": "/submit.php",
  8597. "Method1": "GET",
  8598. "Method2": "POST",
  8599. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8600. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8601. "Proxy_AccessType": "2 (Use IE settings)"
  8602. }
  8603. },
  8604. "3.137.217.140": {
  8605. "x64": {
  8606. "BeaconType": "8 (HTTPS)",
  8607. "Port": "443",
  8608. "Polling": "60000",
  8609. "Jitter": "0",
  8610. "Maxdns": "255",
  8611. "C2 Server": "3.137.217.140,/cm",
  8612. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; NP07; NP07)",
  8613. "HTTP Method Path 2": "/submit.php",
  8614. "Header1": "",
  8615. "Header2": "",
  8616. "PipeName": "",
  8617. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8618. "DNS Sleep": "0",
  8619. "Method1": "GET",
  8620. "Method2": "POST",
  8621. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8622. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8623. "Proxy_AccessType": "2 (Use IE settings)"
  8624. }
  8625. },
  8626. "3.139.231.113": {
  8627. "x86": {
  8628. "BeaconType": "8 (HTTPS)",
  8629. "Port": "443",
  8630. "Polling": "57081",
  8631. "Jitter": "37",
  8632. "C2 Server": "3.139.231.113,/ky",
  8633. "HTTP Method Path 2": "/lv",
  8634. "Method1": "GET",
  8635. "Method2": "POST",
  8636. "Spawnto_x86": "%windir%\\syswow64\\WUAUCLT.exe",
  8637. "Spawnto_x64": "%windir%\\sysnative\\WUAUCLT.exe",
  8638. "Proxy_AccessType": "2 (Use IE settings)"
  8639. },
  8640. "x64": {
  8641. "BeaconType": "8 (HTTPS)",
  8642. "Port": "443",
  8643. "Polling": "57081",
  8644. "Jitter": "37",
  8645. "C2 Server": "3.139.231.113,/ky",
  8646. "HTTP Method Path 2": "/lv",
  8647. "Method1": "GET",
  8648. "Method2": "POST",
  8649. "Spawnto_x86": "%windir%\\syswow64\\WUAUCLT.exe",
  8650. "Spawnto_x64": "%windir%\\sysnative\\WUAUCLT.exe",
  8651. "Proxy_AccessType": "2 (Use IE settings)"
  8652. }
  8653. },
  8654. "31.44.184.100": {
  8655. "x86": {
  8656. "BeaconType": "8 (HTTPS)",
  8657. "Port": "443",
  8658. "Polling": "60000",
  8659. "Jitter": "0",
  8660. "C2 Server": "31.44.184.100,/dpixel",
  8661. "HTTP Method Path 2": "/submit.php",
  8662. "Method1": "GET",
  8663. "Method2": "POST",
  8664. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8665. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8666. "Proxy_AccessType": "2 (Use IE settings)"
  8667. }
  8668. },
  8669. "31.44.184.174": {
  8670. "x86": {
  8671. "BeaconType": "8 (HTTPS)",
  8672. "Port": "443",
  8673. "Polling": "60000",
  8674. "Jitter": "0",
  8675. "C2 Server": "31.44.184.174,/ptj",
  8676. "HTTP Method Path 2": "/submit.php",
  8677. "Method1": "GET",
  8678. "Method2": "POST",
  8679. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8680. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8681. "Proxy_AccessType": "2 (Use IE settings)"
  8682. },
  8683. "x64": {
  8684. "BeaconType": "8 (HTTPS)",
  8685. "Port": "443",
  8686. "Polling": "60000",
  8687. "Jitter": "0",
  8688. "C2 Server": "31.44.184.174,/dot.gif",
  8689. "HTTP Method Path 2": "/submit.php",
  8690. "Method1": "GET",
  8691. "Method2": "POST",
  8692. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8693. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8694. "Proxy_AccessType": "2 (Use IE settings)"
  8695. }
  8696. },
  8697. "31.44.184.181": {
  8698. "x86": {
  8699. "BeaconType": "8 (HTTPS)",
  8700. "Port": "443",
  8701. "Polling": "60000",
  8702. "Jitter": "0",
  8703. "C2 Server": "31.44.184.181,/ptj",
  8704. "HTTP Method Path 2": "/submit.php",
  8705. "Method1": "GET",
  8706. "Method2": "POST",
  8707. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8708. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8709. "Proxy_AccessType": "2 (Use IE settings)"
  8710. }
  8711. },
  8712. "31.44.184.56": {
  8713. "x86": {
  8714. "BeaconType": "8 (HTTPS)",
  8715. "Port": "443",
  8716. "Polling": "60000",
  8717. "Jitter": "0",
  8718. "C2 Server": "31.44.184.56,/pixel.gif",
  8719. "HTTP Method Path 2": "/submit.php",
  8720. "Method1": "GET",
  8721. "Method2": "POST",
  8722. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8723. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8724. "Proxy_AccessType": "2 (Use IE settings)"
  8725. }
  8726. },
  8727. "3.16.136.106": {
  8728. "x86": {
  8729. "BeaconType": "8 (HTTPS)",
  8730. "Port": "443",
  8731. "Polling": "60000",
  8732. "Jitter": "37",
  8733. "Maxdns": "255",
  8734. "C2 Server": "ajax.microsoft.com,/jquery-3.3.1.min.js",
  8735. "User Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.119 Safari/537.36",
  8736. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  8737. "Header1": "",
  8738. "Header2": "",
  8739. "PipeName": "",
  8740. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8741. "DNS Sleep": "0",
  8742. "Method1": "GET",
  8743. "Method2": "POST",
  8744. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  8745. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  8746. "Proxy_AccessType": "2 (Use IE settings)"
  8747. }
  8748. },
  8749. "3.16.1.87": {
  8750. "x86": {
  8751. "BeaconType": "8 (HTTPS)",
  8752. "Port": "443",
  8753. "Polling": "60000",
  8754. "Jitter": "0",
  8755. "Maxdns": "255",
  8756. "C2 Server": "3.16.1.87,/dot.gif",
  8757. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)",
  8758. "HTTP Method Path 2": "/submit.php",
  8759. "Header1": "",
  8760. "Header2": "",
  8761. "PipeName": "",
  8762. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8763. "DNS Sleep": "0",
  8764. "Method1": "GET",
  8765. "Method2": "POST",
  8766. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8767. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8768. "Proxy_AccessType": "2 (Use IE settings)"
  8769. },
  8770. "x64": {
  8771. "BeaconType": "8 (HTTPS)",
  8772. "Port": "443",
  8773. "Polling": "60000",
  8774. "Jitter": "0",
  8775. "Maxdns": "255",
  8776. "C2 Server": "3.16.1.87,/load",
  8777. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)",
  8778. "HTTP Method Path 2": "/submit.php",
  8779. "Header1": "",
  8780. "Header2": "",
  8781. "PipeName": "",
  8782. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8783. "DNS Sleep": "0",
  8784. "Method1": "GET",
  8785. "Method2": "POST",
  8786. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8787. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8788. "Proxy_AccessType": "2 (Use IE settings)"
  8789. }
  8790. },
  8791. "3.17.176.47": {
  8792. "x64": {
  8793. "BeaconType": "8 (HTTPS)",
  8794. "Port": "443",
  8795. "Polling": "60000",
  8796. "Jitter": "0",
  8797. "C2 Server": "scripts.arshmedicalfoundation.com,/dot.gif",
  8798. "HTTP Method Path 2": "/submit.php",
  8799. "Method1": "GET",
  8800. "Method2": "POST",
  8801. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8802. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8803. "Proxy_AccessType": "2 (Use IE settings)"
  8804. }
  8805. },
  8806. "3.19.26.213": {
  8807. "x86": {
  8808. "BeaconType": "8 (HTTPS)",
  8809. "Port": "443",
  8810. "Polling": "5000",
  8811. "Jitter": "0",
  8812. "C2 Server": "ec2-3-19-26-213.us-east-2.compute.amazonaws.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  8813. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  8814. "Method1": "GET",
  8815. "Method2": "POST",
  8816. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8817. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8818. "Proxy_AccessType": "2 (Use IE settings)"
  8819. }
  8820. },
  8821. "3.22.101.152": {
  8822. "x86": {
  8823. "BeaconType": "8 (HTTPS)",
  8824. "Port": "443",
  8825. "Polling": "30000",
  8826. "Jitter": "20",
  8827. "C2 Server": "d6qg530ok85uj.cloudfront.net,/safebrowsing/fp/X5dYOhqFrKn95vdkmSCHODPEuY9",
  8828. "HTTP Method Path 2": "/safebrowsing/fp/Xtsuqd9wDd34nVxGbIiRlzzODKYweAye7kEob",
  8829. "Method1": "GET",
  8830. "Method2": "POST",
  8831. "Spawnto_x86": "%windir%\\syswow64\\mcbuilder.exe",
  8832. "Spawnto_x64": "%windir%\\sysnative\\mcbuilder.exe",
  8833. "Proxy_AccessType": "2 (Use IE settings)"
  8834. },
  8835. "x64": {
  8836. "BeaconType": "8 (HTTPS)",
  8837. "Port": "443",
  8838. "Polling": "30000",
  8839. "Jitter": "20",
  8840. "C2 Server": "d6qg530ok85uj.cloudfront.net,/safebrowsing/fp/X5dYOhqFrKn95vdkmSCHODPEuY9",
  8841. "HTTP Method Path 2": "/safebrowsing/fp/Xtsuqd9wDd34nVxGbIiRlzzODKYweAye7kEob",
  8842. "Method1": "GET",
  8843. "Method2": "POST",
  8844. "Spawnto_x86": "%windir%\\syswow64\\mcbuilder.exe",
  8845. "Spawnto_x64": "%windir%\\sysnative\\mcbuilder.exe",
  8846. "Proxy_AccessType": "2 (Use IE settings)"
  8847. }
  8848. },
  8849. "3.231.164.70": {
  8850. "x64": {
  8851. "BeaconType": "8 (HTTPS)",
  8852. "Port": "443",
  8853. "Polling": "57970",
  8854. "Jitter": "43",
  8855. "Maxdns": "254",
  8856. "C2 Server": "k8s.containerkubernetes.com,/bm",
  8857. "User Agent": "Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1; Microsoft; RM-1152) AppleWebKit/537.36 (KHTML, like Gecko)",
  8858. "HTTP Method Path 2": "/br",
  8859. "Header1": "",
  8860. "Header2": "",
  8861. "PipeName": "",
  8862. "DNS Idle": "\\xB7\\x08(1",
  8863. "DNS Sleep": "0",
  8864. "Method1": "GET",
  8865. "Method2": "POST",
  8866. "Spawnto_x86": "%windir%\\syswow64\\runonce.exe",
  8867. "Spawnto_x64": "%windir%\\sysnative\\runonce.exe",
  8868. "Proxy_AccessType": "2 (Use IE settings)"
  8869. }
  8870. },
  8871. "3.234.215.191": {
  8872. "x64": {
  8873. "BeaconType": "8 (HTTPS)",
  8874. "Port": "443",
  8875. "Polling": "30000",
  8876. "Jitter": "10",
  8877. "C2 Server": "secure.kaysHealthAndBeautySense.com,/recipe.html",
  8878. "HTTP Method Path 2": "/italian",
  8879. "Method1": "GET",
  8880. "Method2": "POST",
  8881. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8882. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8883. "Proxy_AccessType": "2 (Use IE settings)"
  8884. }
  8885. },
  8886. "3.23.61.79": {
  8887. "x86": {
  8888. "BeaconType": "8 (HTTPS)",
  8889. "Port": "443",
  8890. "Polling": "41000",
  8891. "Jitter": "35",
  8892. "C2 Server": "3.23.61.79,/c/msdownload/update/others/2019/12/mVKMlUG03GFQfOJ2FZUYNYaNl",
  8893. "HTTP Method Path 2": "/msdownload/update/others/2019/12/lmT9iLxVAILu9XhSluVMNWXi9lAma",
  8894. "Method1": "GET",
  8895. "Method2": "POST",
  8896. "Spawnto_x86": "%windir%\\syswow64\\WerFault.exe",
  8897. "Spawnto_x64": "%windir%\\sysnative\\WerFault.exe",
  8898. "Proxy_AccessType": "2 (Use IE settings)"
  8899. },
  8900. "x64": {
  8901. "BeaconType": "8 (HTTPS)",
  8902. "Port": "443",
  8903. "Polling": "41000",
  8904. "Jitter": "35",
  8905. "C2 Server": "3.23.61.79,/c/msdownload/update/others/2019/12/mVKMlUG03GFQfOJ2FZUYNYaNl",
  8906. "HTTP Method Path 2": "/msdownload/update/others/2019/12/lmT9iLxVAILu9XhSluVMNWXi9lAma",
  8907. "Method1": "GET",
  8908. "Method2": "POST",
  8909. "Spawnto_x86": "%windir%\\syswow64\\WerFault.exe",
  8910. "Spawnto_x64": "%windir%\\sysnative\\WerFault.exe",
  8911. "Proxy_AccessType": "2 (Use IE settings)"
  8912. }
  8913. },
  8914. "3.236.230.152": {
  8915. "x86": {
  8916. "BeaconType": "8 (HTTPS)",
  8917. "Port": "443",
  8918. "Polling": "2700",
  8919. "Jitter": "11",
  8920. "Maxdns": "244",
  8921. "C2 Server": "www.pepsicoamerica.com,/preload",
  8922. "User Agent": "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 GTB6 (.NET CLR 3.5.30729)",
  8923. "HTTP Method Path 2": "/sa",
  8924. "Header1": "",
  8925. "Header2": "",
  8926. "PipeName": "",
  8927. "DNS Idle": "\\x08\\x08\\x04\\x04",
  8928. "DNS Sleep": "0",
  8929. "Method1": "GET",
  8930. "Method2": "GET",
  8931. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8932. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8933. "Proxy_AccessType": "1 (Use direct connection)"
  8934. },
  8935. "x64": {
  8936. "BeaconType": "8 (HTTPS)",
  8937. "Port": "443",
  8938. "Polling": "2700",
  8939. "Jitter": "11",
  8940. "Maxdns": "244",
  8941. "C2 Server": "www.pepsicoamerica.com,/preload",
  8942. "User Agent": "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 GTB6 (.NET CLR 3.5.30729)",
  8943. "HTTP Method Path 2": "/sa",
  8944. "Header1": "",
  8945. "Header2": "",
  8946. "PipeName": "",
  8947. "DNS Idle": "\\x08\\x08\\x04\\x04",
  8948. "DNS Sleep": "0",
  8949. "Method1": "GET",
  8950. "Method2": "GET",
  8951. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8952. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8953. "Proxy_AccessType": "1 (Use direct connection)"
  8954. }
  8955. },
  8956. "3.237.38.249": {
  8957. "x86": {
  8958. "BeaconType": "8 (HTTPS)",
  8959. "Port": "443",
  8960. "Polling": "45000",
  8961. "Jitter": "20",
  8962. "C2 Server": "www.amzn-solutions.com,/page.jsp,help.amzn-solutions.com,/page.jsp,forum.dmcseddebtservices.com,/index.jsp,www.dmcseddebtservices.com,/process.jsp",
  8963. "HTTP Method Path 2": "/search.jsp",
  8964. "Method1": "GET",
  8965. "Method2": "POST",
  8966. "Spawnto_x86": "%windir%\\syswow64\\wecutil.exe",
  8967. "Spawnto_x64": "%windir%\\sysnative\\wecutil.exe",
  8968. "Proxy_AccessType": "2 (Use IE settings)"
  8969. },
  8970. "x64": {
  8971. "BeaconType": "8 (HTTPS)",
  8972. "Port": "443",
  8973. "Polling": "45000",
  8974. "Jitter": "20",
  8975. "C2 Server": "www.amzn-solutions.com,/page.jsp,help.amzn-solutions.com,/process.jsp,forum.dmcseddebtservices.com,/index.jsp,www.dmcseddebtservices.com,/user.jsp",
  8976. "HTTP Method Path 2": "/parse.jsp",
  8977. "Method1": "GET",
  8978. "Method2": "POST",
  8979. "Spawnto_x86": "%windir%\\syswow64\\wecutil.exe",
  8980. "Spawnto_x64": "%windir%\\sysnative\\wecutil.exe",
  8981. "Proxy_AccessType": "2 (Use IE settings)"
  8982. }
  8983. },
  8984. "3.250.193.216": {
  8985. "x86": {
  8986. "BeaconType": "8 (HTTPS)",
  8987. "Port": "443",
  8988. "Polling": "400",
  8989. "Jitter": "12",
  8990. "C2 Server": "ehrclient-canary.teams.microsoft.com,/s/ref=nb_sb_noss_1/698-71218292-1534620/field-keywords=point",
  8991. "HTTP Method Path 2": "/N5819/adj/amzn.us.sr.aps",
  8992. "Method1": "GET",
  8993. "Method2": "POST",
  8994. "Spawnto_x86": "%windir%\\syswow64\\net.exe",
  8995. "Spawnto_x64": "%windir%\\sysnative\\net.exe",
  8996. "Proxy_AccessType": "2 (Use IE settings)"
  8997. },
  8998. "x64": {
  8999. "BeaconType": "8 (HTTPS)",
  9000. "Port": "443",
  9001. "Polling": "400",
  9002. "Jitter": "12",
  9003. "C2 Server": "ehrclient-canary.teams.microsoft.com,/s/ref=nb_sb_noss_1/698-71218292-1534620/field-keywords=point",
  9004. "HTTP Method Path 2": "/N5819/adj/amzn.us.sr.aps",
  9005. "Method1": "GET",
  9006. "Method2": "POST",
  9007. "Spawnto_x86": "%windir%\\syswow64\\net.exe",
  9008. "Spawnto_x64": "%windir%\\sysnative\\net.exe",
  9009. "Proxy_AccessType": "2 (Use IE settings)"
  9010. }
  9011. },
  9012. "3.25.232.105": {
  9013. "x86": {
  9014. "BeaconType": "8 (HTTPS)",
  9015. "Port": "443",
  9016. "Polling": "5000",
  9017. "Jitter": "0",
  9018. "C2 Server": "blog.widetechworld.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  9019. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  9020. "Method1": "GET",
  9021. "Method2": "POST",
  9022. "Spawnto_x86": "C:\\Windows\\syswow64\\svchost.exe -k localservice -p -s fdPHost",
  9023. "Spawnto_x64": "C:\\Windows\\sysnative\\svchost.exe -k localservice -p -s fdPHost",
  9024. "Proxy_AccessType": "2 (Use IE settings)"
  9025. }
  9026. },
  9027. "34.121.230.223": {
  9028. "x64": {
  9029. "BeaconType": "8 (HTTPS)",
  9030. "Port": "443",
  9031. "Polling": "60000",
  9032. "Jitter": "0",
  9033. "Maxdns": "255",
  9034. "C2 Server": "about.inno-finance.com,/cx",
  9035. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MASB)",
  9036. "HTTP Method Path 2": "/submit.php",
  9037. "Header1": "",
  9038. "Header2": "",
  9039. "PipeName": "",
  9040. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9041. "DNS Sleep": "0",
  9042. "Method1": "GET",
  9043. "Method2": "POST",
  9044. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9045. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9046. "Proxy_AccessType": "2 (Use IE settings)"
  9047. }
  9048. },
  9049. "34.200.243.234": {
  9050. "x86": {
  9051. "BeaconType": "8 (HTTPS)",
  9052. "Port": "443",
  9053. "Polling": "60000",
  9054. "Jitter": "20",
  9055. "C2 Server": "api.bcbshealth.care,/complete/search",
  9056. "HTTP Method Path 2": "/Complete_Search",
  9057. "Method1": "GET",
  9058. "Method2": "POST",
  9059. "Spawnto_x86": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
  9060. "Spawnto_x64": "C:\\Program Files\\internet explorer\\iexplore.exe",
  9061. "Proxy_AccessType": "2 (Use IE settings)"
  9062. }
  9063. },
  9064. "34.201.140.145": {
  9065. "x64": {
  9066. "BeaconType": "8 (HTTPS)",
  9067. "Port": "443",
  9068. "Polling": "60000",
  9069. "Jitter": "15",
  9070. "Maxdns": "255",
  9071. "C2 Server": "34.201.140.145,/_/scs/mail-static/_/js/",
  9072. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)",
  9073. "HTTP Method Path 2": "/mail/u/0/",
  9074. "Header1": "",
  9075. "Header2": "",
  9076. "PipeName": "",
  9077. "DNS Idle": "\\x08\\x08\\x04\\x04",
  9078. "DNS Sleep": "0",
  9079. "Method1": "GET",
  9080. "Method2": "POST",
  9081. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9082. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9083. "Proxy_AccessType": "2 (Use IE settings)"
  9084. }
  9085. },
  9086. "34.203.235.59": {
  9087. "x86": {
  9088. "BeaconType": "8 (HTTPS)",
  9089. "Port": "443",
  9090. "Polling": "20000",
  9091. "Jitter": "20",
  9092. "C2 Server": "sitehealthcheck.org,/oscp/",
  9093. "HTTP Method Path 2": "/oscp/a/",
  9094. "Method1": "GET",
  9095. "Method2": "POST",
  9096. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9097. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9098. "Proxy_AccessType": "2 (Use IE settings)"
  9099. },
  9100. "x64": {
  9101. "BeaconType": "8 (HTTPS)",
  9102. "Port": "443",
  9103. "Polling": "20000",
  9104. "Jitter": "20",
  9105. "C2 Server": "sitehealthcheck.org,/oscp/",
  9106. "HTTP Method Path 2": "/oscp/a/",
  9107. "Method1": "GET",
  9108. "Method2": "POST",
  9109. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9110. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9111. "Proxy_AccessType": "2 (Use IE settings)"
  9112. }
  9113. },
  9114. "34.211.110.219": {
  9115. "x86": {
  9116. "BeaconType": "8 (HTTPS)",
  9117. "Port": "443",
  9118. "Polling": "60000",
  9119. "Jitter": "0",
  9120. "Maxdns": "255",
  9121. "C2 Server": "nelnetbanks.com,/fwlink",
  9122. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; InfoPath.3)",
  9123. "HTTP Method Path 2": "/submit.php",
  9124. "Header1": "",
  9125. "Header2": "",
  9126. "PipeName": "",
  9127. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9128. "DNS Sleep": "0",
  9129. "Method1": "GET",
  9130. "Method2": "POST",
  9131. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9132. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9133. "Proxy_AccessType": "2 (Use IE settings)"
  9134. }
  9135. },
  9136. "34.212.57.1": {
  9137. "x86": {
  9138. "BeaconType": "8 (HTTPS)",
  9139. "Port": "443",
  9140. "Polling": "60000",
  9141. "Jitter": "0",
  9142. "C2 Server": "ec2-34-212-57-1.us-west-2.compute.amazonaws.com,/ptj",
  9143. "HTTP Method Path 2": "/submit.php",
  9144. "Method1": "GET",
  9145. "Method2": "POST",
  9146. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9147. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9148. "Proxy_AccessType": "2 (Use IE settings)"
  9149. }
  9150. },
  9151. "34.217.5.107": {
  9152. "x86": {
  9153. "BeaconType": "8 (HTTPS)",
  9154. "Port": "443",
  9155. "Polling": "30000",
  9156. "Jitter": "50",
  9157. "Maxdns": "255",
  9158. "C2 Server": "secure.carestreamhealthcare.com,/__utm.gif",
  9159. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  9160. "HTTP Method Path 2": "/___utm.gif",
  9161. "Header1": "",
  9162. "Header2": "",
  9163. "PipeName": "",
  9164. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9165. "DNS Sleep": "0",
  9166. "Method1": "GET",
  9167. "Method2": "POST",
  9168. "Spawnto_x86": "%windir%\\syswow64\\WerFault.exe",
  9169. "Spawnto_x64": "%windir%\\sysnative\\WerFault.exe",
  9170. "Proxy_AccessType": "2 (Use IE settings)"
  9171. }
  9172. },
  9173. "34.222.203.112": {
  9174. "x86": {
  9175. "BeaconType": "8 (HTTPS)",
  9176. "Port": "443",
  9177. "Polling": "5400",
  9178. "Jitter": "12",
  9179. "C2 Server": "creditnetfinance.com,/rs-apps/assets/images/portfolio",
  9180. "HTTP Method Path 2": "/next-api/graphql",
  9181. "Method1": "GET",
  9182. "Method2": "POST",
  9183. "Spawnto_x86": "%windir%\\syswow64\\upnpcont.exe",
  9184. "Spawnto_x64": "%windir%\\sysnative\\upnpcont.exe",
  9185. "Proxy_AccessType": "2 (Use IE settings)"
  9186. },
  9187. "x64": {
  9188. "BeaconType": "8 (HTTPS)",
  9189. "Port": "443",
  9190. "Polling": "5400",
  9191. "Jitter": "12",
  9192. "C2 Server": "creditnetfinance.com,/rs-apps/assets/images/portfolio",
  9193. "HTTP Method Path 2": "/next-api/graphql",
  9194. "Method1": "GET",
  9195. "Method2": "POST",
  9196. "Spawnto_x86": "%windir%\\syswow64\\upnpcont.exe",
  9197. "Spawnto_x64": "%windir%\\sysnative\\upnpcont.exe",
  9198. "Proxy_AccessType": "2 (Use IE settings)"
  9199. }
  9200. },
  9201. "34.238.192.43": {
  9202. "x86": {
  9203. "BeaconType": "8 (HTTPS)",
  9204. "Port": "443",
  9205. "Polling": "32051",
  9206. "Jitter": "57",
  9207. "Maxdns": "255",
  9208. "C2 Server": "sharkfishinguk.com,/jquery-1.12.1.min.js",
  9209. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36 Edg/80.0.361.62",
  9210. "HTTP Method Path 2": "/jquery-1.12.2.min.js",
  9211. "Header1": "",
  9212. "Header2": "",
  9213. "PipeName": "",
  9214. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9215. "DNS Sleep": "0",
  9216. "Method1": "GET",
  9217. "Method2": "POST",
  9218. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe",
  9219. "Spawnto_x64": "%windir%\\sysnative\\spoolsv.exe",
  9220. "Proxy_AccessType": "2 (Use IE settings)"
  9221. },
  9222. "x64": {
  9223. "BeaconType": "8 (HTTPS)",
  9224. "Port": "443",
  9225. "Polling": "32051",
  9226. "Jitter": "57",
  9227. "Maxdns": "255",
  9228. "C2 Server": "sharkfishinguk.com,/jquery-1.12.1.min.js",
  9229. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36 Edg/80.0.361.62",
  9230. "HTTP Method Path 2": "/jquery-1.12.2.min.js",
  9231. "Header1": "",
  9232. "Header2": "",
  9233. "PipeName": "",
  9234. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9235. "DNS Sleep": "0",
  9236. "Method1": "GET",
  9237. "Method2": "POST",
  9238. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe",
  9239. "Spawnto_x64": "%windir%\\sysnative\\spoolsv.exe",
  9240. "Proxy_AccessType": "2 (Use IE settings)"
  9241. }
  9242. },
  9243. "34.80.40.66": {
  9244. "x86": {
  9245. "BeaconType": "8 (HTTPS)",
  9246. "Port": "443",
  9247. "Polling": "25000",
  9248. "Jitter": "5",
  9249. "Maxdns": "255",
  9250. "C2 Server": "www.huijingwifi.com,/link",
  9251. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3835.79",
  9252. "HTTP Method Path 2": "/images/",
  9253. "Header1": "",
  9254. "Header2": "",
  9255. "PipeName": "",
  9256. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9257. "DNS Sleep": "0",
  9258. "Method1": "GET",
  9259. "Method2": "POST",
  9260. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9261. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9262. "Proxy_AccessType": "2 (Use IE settings)"
  9263. }
  9264. },
  9265. "35.158.118.182": {
  9266. "x86": {
  9267. "BeaconType": "8 (HTTPS)",
  9268. "Port": "443",
  9269. "Polling": "60000",
  9270. "Jitter": "15",
  9271. "C2 Server": "cob.maranshipssupplies.com,/_/scs/mail-static/_/js/",
  9272. "HTTP Method Path 2": "/mail/u/0/",
  9273. "Method1": "GET",
  9274. "Method2": "POST",
  9275. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9276. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9277. "Proxy_AccessType": "2 (Use IE settings)"
  9278. }
  9279. },
  9280. "35.158.226.16": {
  9281. "x86": {
  9282. "BeaconType": "8 (HTTPS)",
  9283. "Port": "443",
  9284. "Polling": "5000",
  9285. "Jitter": "10",
  9286. "C2 Server": "rijkzijn.nl,/vlk/grants,uwprivatebank.nl,/vlk/grants,systest.nl,/vlk/grants",
  9287. "HTTP Method Path 2": "/vlk/xmlrpc/v2",
  9288. "Method1": "GET",
  9289. "Method2": "POST",
  9290. "Spawnto_x86": "%windir%\\syswow64\\mavinject.exe",
  9291. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  9292. "Proxy_AccessType": "2 (Use IE settings)"
  9293. },
  9294. "x64": {
  9295. "BeaconType": "8 (HTTPS)",
  9296. "Port": "443",
  9297. "Polling": "5000",
  9298. "Jitter": "10",
  9299. "C2 Server": "rijkzijn.nl,/vlk/grants,uwprivatebank.nl,/vlk/grants,systest.nl,/vlk/grants",
  9300. "HTTP Method Path 2": "/vlk/xmlrpc/v2",
  9301. "Method1": "GET",
  9302. "Method2": "POST",
  9303. "Spawnto_x86": "%windir%\\syswow64\\mavinject.exe",
  9304. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  9305. "Proxy_AccessType": "2 (Use IE settings)"
  9306. }
  9307. },
  9308. "35.176.207.20": {
  9309. "x86": {
  9310. "BeaconType": "8 (HTTPS)",
  9311. "Port": "443",
  9312. "Polling": "60000",
  9313. "Jitter": "20",
  9314. "Maxdns": "235",
  9315. "C2 Server": "35.176.207.20,/c/msdownload/update/others/2016/12/29136388_",
  9316. "User Agent": "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40",
  9317. "HTTP Method Path 2": "/c/msdownload/update/others/2016/12/3215234_",
  9318. "Header1": "",
  9319. "Header2": "",
  9320. "PipeName": "",
  9321. "DNS Idle": "\\x08\\x08\\x04\\x04",
  9322. "DNS Sleep": "0",
  9323. "Method1": "GET",
  9324. "Method2": "GET",
  9325. "Spawnto_x86": "%windir%\\syswow64\\WUAUCLT.exe",
  9326. "Spawnto_x64": "%windir%\\sysnative\\WUAUCLT.exe",
  9327. "Proxy_AccessType": "2 (Use IE settings)"
  9328. },
  9329. "x64": {
  9330. "BeaconType": "8 (HTTPS)",
  9331. "Port": "443",
  9332. "Polling": "60000",
  9333. "Jitter": "20",
  9334. "Maxdns": "235",
  9335. "C2 Server": "35.176.207.20,/c/msdownload/update/others/2016/12/29136388_",
  9336. "User Agent": "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40",
  9337. "HTTP Method Path 2": "/c/msdownload/update/others/2016/12/3215234_",
  9338. "Header1": "",
  9339. "Header2": "",
  9340. "PipeName": "",
  9341. "DNS Idle": "\\x08\\x08\\x04\\x04",
  9342. "DNS Sleep": "0",
  9343. "Method1": "GET",
  9344. "Method2": "GET",
  9345. "Spawnto_x86": "%windir%\\syswow64\\WUAUCLT.exe",
  9346. "Spawnto_x64": "%windir%\\sysnative\\WUAUCLT.exe",
  9347. "Proxy_AccessType": "2 (Use IE settings)"
  9348. }
  9349. },
  9350. "35.192.90.50": {
  9351. "x86": {
  9352. "BeaconType": "8 (HTTPS)",
  9353. "Port": "443",
  9354. "Polling": "55647",
  9355. "Jitter": "39",
  9356. "Maxdns": "254",
  9357. "C2 Server": "recovery.healthfitconnection.com,/ticket",
  9358. "User Agent": "Mozilla/5.0 (Linux; Android 6.0; HTC One X10 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0",
  9359. "HTTP Method Path 2": "/wwwboard",
  9360. "Header1": "",
  9361. "Header2": "",
  9362. "PipeName": "",
  9363. "DNS Idle": "D@\\xE68",
  9364. "DNS Sleep": "0",
  9365. "Method1": "GET",
  9366. "Method2": "POST",
  9367. "Spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",
  9368. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  9369. "Proxy_AccessType": "2 (Use IE settings)"
  9370. }
  9371. },
  9372. "35.193.193.149": {
  9373. "x86": {
  9374. "BeaconType": "8 (HTTPS)",
  9375. "Port": "443",
  9376. "Polling": "60000",
  9377. "Jitter": "0",
  9378. "Maxdns": "255",
  9379. "C2 Server": "35.193.193.149,/dot.gif",
  9380. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; MAAU; NP08)",
  9381. "HTTP Method Path 2": "/submit.php",
  9382. "Header1": "",
  9383. "Header2": "",
  9384. "PipeName": "",
  9385. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9386. "DNS Sleep": "0",
  9387. "Method1": "GET",
  9388. "Method2": "POST",
  9389. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9390. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9391. "Proxy_AccessType": "2 (Use IE settings)"
  9392. }
  9393. },
  9394. "35.221.158.178": {
  9395. "x86": {
  9396. "BeaconType": "8 (HTTPS)",
  9397. "Port": "443",
  9398. "Polling": "60000",
  9399. "Jitter": "0",
  9400. "Maxdns": "255",
  9401. "C2 Server": "35.221.158.178,/ptj",
  9402. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; XBLWP7; ZuneWP7)",
  9403. "HTTP Method Path 2": "/submit.php",
  9404. "Header1": "",
  9405. "Header2": "",
  9406. "PipeName": "",
  9407. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9408. "DNS Sleep": "0",
  9409. "Method1": "GET",
  9410. "Method2": "POST",
  9411. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9412. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9413. "Proxy_AccessType": "2 (Use IE settings)"
  9414. }
  9415. },
  9416. "35.241.143.134": {
  9417. "x64": {
  9418. "BeaconType": "8 (HTTPS)",
  9419. "Port": "443",
  9420. "Polling": "60000",
  9421. "Jitter": "20",
  9422. "Maxdns": "235",
  9423. "C2 Server": "control.commanderinthe.cloud,/search/",
  9424. "User Agent": "Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  9425. "HTTP Method Path 2": "/Search/",
  9426. "Header1": "",
  9427. "Header2": "",
  9428. "PipeName": "",
  9429. "DNS Idle": "\\x08\\x08\\x04\\x04",
  9430. "DNS Sleep": "0",
  9431. "Method1": "GET",
  9432. "Method2": "GET",
  9433. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9434. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9435. "Proxy_AccessType": "2 (Use IE settings)"
  9436. }
  9437. },
  9438. "37.252.120.101": {
  9439. "x64": {
  9440. "BeaconType": "8 (HTTPS)",
  9441. "Port": "443",
  9442. "Polling": "10000",
  9443. "Jitter": "15",
  9444. "Maxdns": "255",
  9445. "C2 Server": "37.252.120.101,/resolve/alter/",
  9446. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; BTRS125526)",
  9447. "HTTP Method Path 2": "/client/real/",
  9448. "Header1": "",
  9449. "Header2": "",
  9450. "PipeName": "",
  9451. "DNS Idle": "\\x08\\x08\\x04\\x04",
  9452. "DNS Sleep": "0",
  9453. "Method1": "GET",
  9454. "Method2": "POST",
  9455. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9456. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9457. "Proxy_AccessType": "2 (Use IE settings)"
  9458. }
  9459. },
  9460. "38.100.141.131": {
  9461. "x86": {
  9462. "BeaconType": "8 (HTTPS)",
  9463. "Port": "443",
  9464. "Polling": "15000",
  9465. "Jitter": "90",
  9466. "Maxdns": "225",
  9467. "C2 Server": "ecnads1.msn.com,/api2/json/access/ticket",
  9468. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  9469. "HTTP Method Path 2": "/gp/aw/ybh/handlers",
  9470. "Header1": "",
  9471. "Header2": "",
  9472. "PipeName": "",
  9473. "DNS Idle": "h\\xD8<\\x84",
  9474. "DNS Sleep": "0",
  9475. "Method1": "GET",
  9476. "Method2": "POST",
  9477. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  9478. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  9479. "Proxy_AccessType": "2 (Use IE settings)"
  9480. }
  9481. },
  9482. "3.85.60.172": {
  9483. "x86": {
  9484. "BeaconType": "8 (HTTPS)",
  9485. "Port": "443",
  9486. "Polling": "32051",
  9487. "Jitter": "57",
  9488. "Maxdns": "255",
  9489. "C2 Server": "banking.capitalviewfinance.com,/jquery-1.12.1.min.js",
  9490. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36 Edg/80.0.361.62",
  9491. "HTTP Method Path 2": "/jquery-1.12.2.min.js",
  9492. "Header1": "",
  9493. "Header2": "",
  9494. "PipeName": "",
  9495. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9496. "DNS Sleep": "0",
  9497. "Method1": "GET",
  9498. "Method2": "POST",
  9499. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe",
  9500. "Spawnto_x64": "%windir%\\sysnative\\spoolsv.exe",
  9501. "Proxy_AccessType": "2 (Use IE settings)"
  9502. }
  9503. },
  9504. "3.86.2.34": {
  9505. "x86": {
  9506. "BeaconType": "8 (HTTPS)",
  9507. "Port": "443",
  9508. "Polling": "5400",
  9509. "Jitter": "12",
  9510. "Maxdns": "255",
  9511. "C2 Server": "roofstock-cdn5.azureedge.net,/rs-apps/assets/images/portfolio",
  9512. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  9513. "HTTP Method Path 2": "/next-api/graphql",
  9514. "Header1": "",
  9515. "Header2": "",
  9516. "PipeName": "",
  9517. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9518. "DNS Sleep": "0",
  9519. "Method1": "GET",
  9520. "Method2": "POST",
  9521. "Spawnto_x86": "%windir%\\syswow64\\upnpcont.exe",
  9522. "Spawnto_x64": "%windir%\\sysnative\\upnpcont.exe",
  9523. "Proxy_AccessType": "2 (Use IE settings)"
  9524. },
  9525. "x64": {
  9526. "BeaconType": "8 (HTTPS)",
  9527. "Port": "443",
  9528. "Polling": "5400",
  9529. "Jitter": "12",
  9530. "Maxdns": "255",
  9531. "C2 Server": "roofstock-cdn5.azureedge.net,/rs-apps/assets/images/portfolio",
  9532. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  9533. "HTTP Method Path 2": "/next-api/graphql",
  9534. "Header1": "",
  9535. "Header2": "",
  9536. "PipeName": "",
  9537. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9538. "DNS Sleep": "0",
  9539. "Method1": "GET",
  9540. "Method2": "POST",
  9541. "Spawnto_x86": "%windir%\\syswow64\\upnpcont.exe",
  9542. "Spawnto_x64": "%windir%\\sysnative\\upnpcont.exe",
  9543. "Proxy_AccessType": "2 (Use IE settings)"
  9544. }
  9545. },
  9546. "39.108.229.236": {
  9547. "x86": {
  9548. "BeaconType": "8 (HTTPS)",
  9549. "Port": "443",
  9550. "Polling": "60000",
  9551. "Jitter": "0",
  9552. "Maxdns": "255",
  9553. "C2 Server": "39.108.229.236,/match",
  9554. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENXA)",
  9555. "HTTP Method Path 2": "/submit.php",
  9556. "Header1": "",
  9557. "Header2": "",
  9558. "PipeName": "",
  9559. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9560. "DNS Sleep": "0",
  9561. "Method1": "GET",
  9562. "Method2": "POST",
  9563. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9564. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9565. "Proxy_AccessType": "2 (Use IE settings)"
  9566. }
  9567. },
  9568. "3.95.159.27": {
  9569. "x86": {
  9570. "BeaconType": "8 (HTTPS)",
  9571. "Port": "443",
  9572. "Polling": "32051",
  9573. "Jitter": "57",
  9574. "Maxdns": "255",
  9575. "C2 Server": "sharkfishinguk.com,/jquery-1.12.1.min.js",
  9576. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36 Edg/80.0.361.62",
  9577. "HTTP Method Path 2": "/jquery-1.12.2.min.js",
  9578. "Header1": "",
  9579. "Header2": "",
  9580. "PipeName": "",
  9581. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9582. "DNS Sleep": "0",
  9583. "Method1": "GET",
  9584. "Method2": "POST",
  9585. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe",
  9586. "Spawnto_x64": "%windir%\\sysnative\\spoolsv.exe",
  9587. "Proxy_AccessType": "2 (Use IE settings)"
  9588. }
  9589. },
  9590. "39.98.84.58": {
  9591. "x86": {
  9592. "BeaconType": "8 (HTTPS)",
  9593. "Port": "443",
  9594. "Polling": "5000",
  9595. "Jitter": "0",
  9596. "Maxdns": "255",
  9597. "C2 Server": "www.microport.com.cn,/zC",
  9598. "User Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
  9599. "HTTP Method Path 2": "/dE",
  9600. "Header1": "",
  9601. "Header2": "",
  9602. "PipeName": "",
  9603. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9604. "DNS Sleep": "0",
  9605. "Method1": "GET",
  9606. "Method2": "POST",
  9607. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9608. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9609. "Proxy_AccessType": "2 (Use IE settings)"
  9610. }
  9611. },
  9612. "39.99.60.123": {
  9613. "x64": {
  9614. "BeaconType": "8 (HTTPS)",
  9615. "Port": "443",
  9616. "Polling": "60000",
  9617. "Jitter": "0",
  9618. "Maxdns": "255",
  9619. "C2 Server": "39.99.60.123,/cx",
  9620. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; MDDCJS)",
  9621. "HTTP Method Path 2": "/submit.php",
  9622. "Header1": "",
  9623. "Header2": "",
  9624. "PipeName": "",
  9625. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9626. "DNS Sleep": "0",
  9627. "Method1": "GET",
  9628. "Method2": "POST",
  9629. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9630. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9631. "Proxy_AccessType": "2 (Use IE settings)"
  9632. }
  9633. },
  9634. "40.113.217.182": {
  9635. "x86": {
  9636. "BeaconType": "8 (HTTPS)",
  9637. "Port": "443",
  9638. "Polling": "60000",
  9639. "Jitter": "0",
  9640. "C2 Server": "40.113.217.182,/__utm.gif",
  9641. "HTTP Method Path 2": "/___utm.gif",
  9642. "Method1": "GET",
  9643. "Method2": "POST",
  9644. "Spawnto_x86": "%windir%\\syswow64\\explorer.exe",
  9645. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe",
  9646. "Proxy_AccessType": "2 (Use IE settings)"
  9647. },
  9648. "x64": {
  9649. "BeaconType": "8 (HTTPS)",
  9650. "Port": "443",
  9651. "Polling": "60000",
  9652. "Jitter": "0",
  9653. "C2 Server": "40.113.217.182,/__utm.gif",
  9654. "HTTP Method Path 2": "/___utm.gif",
  9655. "Method1": "GET",
  9656. "Method2": "POST",
  9657. "Spawnto_x86": "%windir%\\syswow64\\explorer.exe",
  9658. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe",
  9659. "Proxy_AccessType": "2 (Use IE settings)"
  9660. }
  9661. },
  9662. "40.117.40.46": {
  9663. "x64": {
  9664. "BeaconType": "8 (HTTPS)",
  9665. "Port": "443",
  9666. "Polling": "5000",
  9667. "Jitter": "0",
  9668. "Maxdns": "255",
  9669. "C2 Server": "wmjdvuif.limyonly.me,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  9670. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  9671. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  9672. "Header1": "",
  9673. "Header2": "",
  9674. "PipeName": "",
  9675. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9676. "DNS Sleep": "0",
  9677. "Method1": "GET",
  9678. "Method2": "POST",
  9679. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  9680. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  9681. "Proxy_AccessType": "2 (Use IE settings)"
  9682. }
  9683. },
  9684. "40.122.106.213": {
  9685. "x64": {
  9686. "BeaconType": "8 (HTTPS)",
  9687. "Port": "443",
  9688. "Polling": "37000",
  9689. "Jitter": "25",
  9690. "C2 Server": "api.aperture.network,/functionalStatus",
  9691. "HTTP Method Path 2": "/rest/2/meetings",
  9692. "Method1": "GET",
  9693. "Method2": "POST",
  9694. "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe",
  9695. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  9696. "Proxy_AccessType": "2 (Use IE settings)"
  9697. }
  9698. },
  9699. "43.240.15.68": {
  9700. "x86": {
  9701. "BeaconType": "8 (HTTPS)",
  9702. "Port": "443",
  9703. "Polling": "60000",
  9704. "Jitter": "0",
  9705. "Maxdns": "255",
  9706. "C2 Server": "5.180.99.65,/dot.gif",
  9707. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP06)",
  9708. "HTTP Method Path 2": "/submit.php",
  9709. "Header1": "",
  9710. "Header2": "",
  9711. "PipeName": "",
  9712. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9713. "DNS Sleep": "0",
  9714. "Method1": "GET",
  9715. "Method2": "POST",
  9716. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9717. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9718. "Proxy_AccessType": "2 (Use IE settings)"
  9719. }
  9720. },
  9721. "43.243.171.226": {
  9722. "x86": {
  9723. "BeaconType": "8 (HTTPS)",
  9724. "Port": "443",
  9725. "Polling": "5000",
  9726. "Jitter": "30",
  9727. "Maxdns": "255",
  9728. "C2 Server": "43.243.171.226,/cache/global/img/aladdinIcon-1.0.gif",
  9729. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36",
  9730. "HTTP Method Path 2": "/link",
  9731. "Header1": "",
  9732. "Header2": "",
  9733. "PipeName": "",
  9734. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9735. "DNS Sleep": "0",
  9736. "Method1": "GET",
  9737. "Method2": "GET",
  9738. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9739. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9740. "Proxy_AccessType": "2 (Use IE settings)"
  9741. },
  9742. "x64": {
  9743. "BeaconType": "8 (HTTPS)",
  9744. "Port": "443",
  9745. "Polling": "5000",
  9746. "Jitter": "30",
  9747. "Maxdns": "255",
  9748. "C2 Server": "43.243.171.226,/cache/global/img/aladdinIcon-1.0.gif",
  9749. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36",
  9750. "HTTP Method Path 2": "/link",
  9751. "Header1": "",
  9752. "Header2": "",
  9753. "PipeName": "",
  9754. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9755. "DNS Sleep": "0",
  9756. "Method1": "GET",
  9757. "Method2": "GET",
  9758. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9759. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9760. "Proxy_AccessType": "2 (Use IE settings)"
  9761. }
  9762. },
  9763. "44.231.58.231": {
  9764. "x86": {
  9765. "BeaconType": "8 (HTTPS)",
  9766. "Port": "443",
  9767. "Polling": "60000",
  9768. "Jitter": "0",
  9769. "Maxdns": "225",
  9770. "C2 Server": "dist.nuget.org,/cgi-bin/certstore/,ajax.aspnetcdn.com,/cgi-bin/certstore/",
  9771. "User Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36",
  9772. "HTTP Method Path 2": "/pem/office.microsoft.com/",
  9773. "Header1": "",
  9774. "Header2": "",
  9775. "PipeName": "",
  9776. "DNS Idle": "(pH\\xCD",
  9777. "DNS Sleep": "0",
  9778. "Method1": "GET",
  9779. "Method2": "POST",
  9780. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9781. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9782. "Proxy_AccessType": "2 (Use IE settings)"
  9783. },
  9784. "x64": {
  9785. "BeaconType": "8 (HTTPS)",
  9786. "Port": "443",
  9787. "Polling": "60000",
  9788. "Jitter": "0",
  9789. "Maxdns": "225",
  9790. "C2 Server": "dist.nuget.org,/cgi-bin/certstore/,ajax.aspnetcdn.com,/cgi-bin/certstore/",
  9791. "User Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36",
  9792. "HTTP Method Path 2": "/pem/office.microsoft.com/",
  9793. "Header1": "",
  9794. "Header2": "",
  9795. "PipeName": "",
  9796. "DNS Idle": "(pH\\xCD",
  9797. "DNS Sleep": "0",
  9798. "Method1": "GET",
  9799. "Method2": "POST",
  9800. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9801. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9802. "Proxy_AccessType": "2 (Use IE settings)"
  9803. }
  9804. },
  9805. "44.234.72.246": {
  9806. "x64": {
  9807. "BeaconType": "8 (HTTPS)",
  9808. "Port": "443",
  9809. "Polling": "60000",
  9810. "Jitter": "0",
  9811. "Maxdns": "255",
  9812. "C2 Server": "44.234.72.246,/cx",
  9813. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;SVSE)",
  9814. "HTTP Method Path 2": "/submit.php",
  9815. "Header1": "",
  9816. "Header2": "",
  9817. "PipeName": "",
  9818. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9819. "DNS Sleep": "0",
  9820. "Method1": "GET",
  9821. "Method2": "POST",
  9822. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9823. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9824. "Proxy_AccessType": "2 (Use IE settings)"
  9825. }
  9826. },
  9827. "45.128.156.102": {
  9828. "x86": {
  9829. "BeaconType": "8 (HTTPS)",
  9830. "Port": "443",
  9831. "Polling": "5000",
  9832. "Jitter": "10",
  9833. "Maxdns": "235",
  9834. "C2 Server": "mixdir.com,/us/ky/louisville/312-s-fourth-st.html",
  9835. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  9836. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  9837. "Header1": "",
  9838. "Header2": "",
  9839. "PipeName": "",
  9840. "DNS Idle": "\\x08\\x08\\x08\\x08",
  9841. "DNS Sleep": "0",
  9842. "Method1": "GET",
  9843. "Method2": "POST",
  9844. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  9845. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  9846. "Proxy_AccessType": "2 (Use IE settings)"
  9847. }
  9848. },
  9849. "45.138.172.80": {
  9850. "x64": {
  9851. "BeaconType": "8 (HTTPS)",
  9852. "Port": "443",
  9853. "Polling": "57000",
  9854. "Jitter": "41",
  9855. "C2 Server": "meadowstonto.com,/fo.html",
  9856. "HTTP Method Path 2": "/default",
  9857. "Method1": "GET",
  9858. "Method2": "POST",
  9859. "Spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",
  9860. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  9861. "Proxy_AccessType": "2 (Use IE settings)"
  9862. }
  9863. },
  9864. "45.14.149.202": {
  9865. "x86": {
  9866. "BeaconType": "8 (HTTPS)",
  9867. "Port": "443",
  9868. "Polling": "60000",
  9869. "Jitter": "0",
  9870. "Maxdns": "255",
  9871. "C2 Server": "45.14.149.202,/activity",
  9872. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 2.0.50727)",
  9873. "HTTP Method Path 2": "/submit.php",
  9874. "Header1": "",
  9875. "Header2": "",
  9876. "PipeName": "",
  9877. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9878. "DNS Sleep": "0",
  9879. "Method1": "GET",
  9880. "Method2": "POST",
  9881. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9882. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9883. "Proxy_AccessType": "2 (Use IE settings)"
  9884. },
  9885. "x64": {
  9886. "BeaconType": "8 (HTTPS)",
  9887. "Port": "443",
  9888. "Polling": "60000",
  9889. "Jitter": "0",
  9890. "Maxdns": "255",
  9891. "C2 Server": "45.14.149.202,/pixel.gif",
  9892. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
  9893. "HTTP Method Path 2": "/submit.php",
  9894. "Header1": "",
  9895. "Header2": "",
  9896. "PipeName": "",
  9897. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9898. "DNS Sleep": "0",
  9899. "Method1": "GET",
  9900. "Method2": "POST",
  9901. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9902. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9903. "Proxy_AccessType": "2 (Use IE settings)"
  9904. }
  9905. },
  9906. "45.141.84.32": {
  9907. "x86": {
  9908. "BeaconType": "8 (HTTPS)",
  9909. "Port": "443",
  9910. "Polling": "60000",
  9911. "Jitter": "0",
  9912. "Maxdns": "255",
  9913. "C2 Server": "45.141.84.32,/IE9CompatViewList.xml",
  9914. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; ASU2JS)",
  9915. "HTTP Method Path 2": "/submit.php",
  9916. "Header1": "",
  9917. "Header2": "",
  9918. "PipeName": "",
  9919. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9920. "DNS Sleep": "0",
  9921. "Method1": "GET",
  9922. "Method2": "POST",
  9923. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9924. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9925. "Proxy_AccessType": "2 (Use IE settings)"
  9926. }
  9927. },
  9928. "45.146.165.140": {
  9929. "x86": {
  9930. "BeaconType": "8 (HTTPS)",
  9931. "Port": "443",
  9932. "Polling": "60000",
  9933. "Jitter": "0",
  9934. "Maxdns": "255",
  9935. "C2 Server": "45.146.165.140,/IE9CompatViewList.xml",
  9936. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
  9937. "HTTP Method Path 2": "/submit.php",
  9938. "Header1": "",
  9939. "Header2": "",
  9940. "PipeName": "",
  9941. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9942. "DNS Sleep": "0",
  9943. "Method1": "GET",
  9944. "Method2": "POST",
  9945. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9946. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9947. "Proxy_AccessType": "2 (Use IE settings)"
  9948. }
  9949. },
  9950. "45.147.229.44": {
  9951. "x86": {
  9952. "BeaconType": "8 (HTTPS)",
  9953. "Port": "443",
  9954. "Polling": "60283",
  9955. "Jitter": "39",
  9956. "Maxdns": "249",
  9957. "C2 Server": "mn.backup-helper.com,/template.css,nm.backup-helper.com,/fam_calendar.css,ws.backup-helper.com,/fam_calendar.css",
  9958. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246",
  9959. "HTTP Method Path 2": "/gv",
  9960. "Header1": "",
  9961. "Header2": "",
  9962. "PipeName": "",
  9963. "DNS Idle": "\\x1E\\xBEI\\x86",
  9964. "DNS Sleep": "0",
  9965. "Method1": "GET",
  9966. "Method2": "POST",
  9967. "Spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",
  9968. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  9969. "Proxy_AccessType": "2 (Use IE settings)"
  9970. }
  9971. },
  9972. "45.147.230.0": {
  9973. "x86": {
  9974. "BeaconType": "8 (HTTPS)",
  9975. "Port": "443",
  9976. "Polling": "60000",
  9977. "Jitter": "0",
  9978. "Maxdns": "255",
  9979. "C2 Server": "amajai-technologies.online,/push",
  9980. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)",
  9981. "HTTP Method Path 2": "/submit.php",
  9982. "Header1": "",
  9983. "Header2": "",
  9984. "PipeName": "",
  9985. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9986. "DNS Sleep": "0",
  9987. "Method1": "GET",
  9988. "Method2": "POST",
  9989. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9990. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9991. "Proxy_AccessType": "2 (Use IE settings)"
  9992. },
  9993. "x64": {
  9994. "BeaconType": "8 (HTTPS)",
  9995. "Port": "443",
  9996. "Polling": "60000",
  9997. "Jitter": "0",
  9998. "Maxdns": "255",
  9999. "C2 Server": "amajai-technologies.online,/en_US/all.js",
  10000. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; Avant Browser)",
  10001. "HTTP Method Path 2": "/submit.php",
  10002. "Header1": "",
  10003. "Header2": "",
  10004. "PipeName": "",
  10005. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10006. "DNS Sleep": "0",
  10007. "Method1": "GET",
  10008. "Method2": "POST",
  10009. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10010. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10011. "Proxy_AccessType": "2 (Use IE settings)"
  10012. }
  10013. },
  10014. "45.153.243.215": {
  10015. "x86": {
  10016. "BeaconType": "8 (HTTPS)",
  10017. "Port": "443",
  10018. "Polling": "60000",
  10019. "Jitter": "0",
  10020. "Maxdns": "255",
  10021. "C2 Server": "amajai-technologies.support,/g.pixel",
  10022. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)",
  10023. "HTTP Method Path 2": "/submit.php",
  10024. "Header1": "",
  10025. "Header2": "",
  10026. "PipeName": "",
  10027. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10028. "DNS Sleep": "0",
  10029. "Method1": "GET",
  10030. "Method2": "POST",
  10031. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10032. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10033. "Proxy_AccessType": "2 (Use IE settings)"
  10034. }
  10035. },
  10036. "45.170.251.101": {
  10037. "x86": {
  10038. "BeaconType": "8 (HTTPS)",
  10039. "Port": "443",
  10040. "Polling": "60000",
  10041. "Jitter": "0",
  10042. "C2 Server": "45.170.251.101,/ga.js",
  10043. "HTTP Method Path 2": "/submit.php",
  10044. "Method1": "GET",
  10045. "Method2": "POST",
  10046. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10047. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10048. "Proxy_AccessType": "2 (Use IE settings)"
  10049. },
  10050. "x64": {
  10051. "BeaconType": "8 (HTTPS)",
  10052. "Port": "443",
  10053. "Polling": "60000",
  10054. "Jitter": "0",
  10055. "C2 Server": "45.170.251.101,/updates.rss",
  10056. "HTTP Method Path 2": "/submit.php",
  10057. "Method1": "GET",
  10058. "Method2": "POST",
  10059. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10060. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10061. "Proxy_AccessType": "2 (Use IE settings)"
  10062. }
  10063. },
  10064. "45.199.110.164": {
  10065. "x86": {
  10066. "BeaconType": "8 (HTTPS)",
  10067. "Port": "443",
  10068. "Polling": "60000",
  10069. "Jitter": "0",
  10070. "Maxdns": "255",
  10071. "C2 Server": "wyx.3utilities.com,/IE9CompatViewList.xml",
  10072. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) LBBROWSER",
  10073. "HTTP Method Path 2": "/submit.php",
  10074. "Header1": "",
  10075. "Header2": "",
  10076. "PipeName": "",
  10077. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10078. "DNS Sleep": "0",
  10079. "Method1": "GET",
  10080. "Method2": "POST",
  10081. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10082. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10083. "Proxy_AccessType": "2 (Use IE settings)"
  10084. }
  10085. },
  10086. "45.207.49.205": {
  10087. "x86": {
  10088. "BeaconType": "8 (HTTPS)",
  10089. "Port": "443",
  10090. "Polling": "5000",
  10091. "Jitter": "10",
  10092. "Maxdns": "235",
  10093. "C2 Server": "45.207.49.205,/updates",
  10094. "User Agent": "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0",
  10095. "HTTP Method Path 2": "/windebug/updcheck.php",
  10096. "Header1": "",
  10097. "Header2": "",
  10098. "PipeName": "",
  10099. "DNS Idle": "\\x08\\x08\\x04\\x04",
  10100. "DNS Sleep": "0",
  10101. "Method1": "GET",
  10102. "Method2": "POST",
  10103. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10104. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10105. "Proxy_AccessType": "2 (Use IE settings)"
  10106. },
  10107. "x64": {
  10108. "BeaconType": "8 (HTTPS)",
  10109. "Port": "443",
  10110. "Polling": "5000",
  10111. "Jitter": "10",
  10112. "Maxdns": "235",
  10113. "C2 Server": "45.207.49.205,/updates",
  10114. "User Agent": "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0",
  10115. "HTTP Method Path 2": "/aero2/fly.php",
  10116. "Header1": "",
  10117. "Header2": "",
  10118. "PipeName": "",
  10119. "DNS Idle": "\\x08\\x08\\x04\\x04",
  10120. "DNS Sleep": "0",
  10121. "Method1": "GET",
  10122. "Method2": "POST",
  10123. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10124. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10125. "Proxy_AccessType": "2 (Use IE settings)"
  10126. }
  10127. },
  10128. "45.32.52.188": {
  10129. "x86": {
  10130. "BeaconType": "8 (HTTPS)",
  10131. "Port": "443",
  10132. "Polling": "10000",
  10133. "Jitter": "41",
  10134. "Maxdns": "67",
  10135. "C2 Server": "45.32.52.188,/settings",
  10136. "User Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.75 Safari/537.36",
  10137. "HTTP Method Path 2": "/collect/v1",
  10138. "Header1": "",
  10139. "Header2": "",
  10140. "PipeName": "",
  10141. "DNS Idle": "\\xDF\\x05\\x05\\x05",
  10142. "DNS Sleep": "0",
  10143. "Method1": "POST",
  10144. "Method2": "POST",
  10145. "Spawnto_x86": "%windir%\\syswow64\\msiexec.exe",
  10146. "Spawnto_x64": "%windir%\\sysnative\\msiexec.exe",
  10147. "Proxy_AccessType": "2 (Use IE settings)"
  10148. },
  10149. "x64": {
  10150. "BeaconType": "8 (HTTPS)",
  10151. "Port": "443",
  10152. "Polling": "10000",
  10153. "Jitter": "41",
  10154. "Maxdns": "67",
  10155. "C2 Server": "45.32.52.188,/settings",
  10156. "User Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.75 Safari/537.36",
  10157. "HTTP Method Path 2": "/collect/v1",
  10158. "Header1": "",
  10159. "Header2": "",
  10160. "PipeName": "",
  10161. "DNS Idle": "\\xDF\\x05\\x05\\x05",
  10162. "DNS Sleep": "0",
  10163. "Method1": "POST",
  10164. "Method2": "POST",
  10165. "Spawnto_x86": "%windir%\\syswow64\\msiexec.exe",
  10166. "Spawnto_x64": "%windir%\\sysnative\\msiexec.exe",
  10167. "Proxy_AccessType": "2 (Use IE settings)"
  10168. }
  10169. },
  10170. "45.33.27.73": {
  10171. "x64": {
  10172. "BeaconType": "8 (HTTPS)",
  10173. "Port": "443",
  10174. "Polling": "60000",
  10175. "Jitter": "0",
  10176. "Maxdns": "255",
  10177. "C2 Server": "45.33.27.73,/dpixel",
  10178. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
  10179. "HTTP Method Path 2": "/submit.php",
  10180. "Header1": "",
  10181. "Header2": "",
  10182. "PipeName": "",
  10183. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10184. "DNS Sleep": "0",
  10185. "Method1": "GET",
  10186. "Method2": "POST",
  10187. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10188. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10189. "Proxy_AccessType": "2 (Use IE settings)"
  10190. }
  10191. },
  10192. "45.58.116.242": {
  10193. "x86": {
  10194. "BeaconType": "8 (HTTPS)",
  10195. "Port": "443",
  10196. "Polling": "5000",
  10197. "Jitter": "10",
  10198. "Maxdns": "235",
  10199. "C2 Server": "withfix.com,/us/ky/louisville/312-s-fourth-st.html",
  10200. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  10201. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  10202. "Header1": "",
  10203. "Header2": "",
  10204. "PipeName": "",
  10205. "DNS Idle": "\\x08\\x08\\x08\\x08",
  10206. "DNS Sleep": "0",
  10207. "Method1": "GET",
  10208. "Method2": "POST",
  10209. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  10210. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  10211. "Proxy_AccessType": "2 (Use IE settings)"
  10212. }
  10213. },
  10214. "45.64.186.249": {
  10215. "x64": {
  10216. "BeaconType": "8 (HTTPS)",
  10217. "Port": "443",
  10218. "Polling": "60000",
  10219. "Jitter": "0",
  10220. "Maxdns": "255",
  10221. "C2 Server": "45.64.186.249,/static/v3/logo2.gif",
  10222. "User Agent": "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08",
  10223. "HTTP Method Path 2": "/static/v3/logo1.gif",
  10224. "Header1": "",
  10225. "Header2": "",
  10226. "PipeName": "",
  10227. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10228. "DNS Sleep": "0",
  10229. "Method1": "GET",
  10230. "Method2": "POST",
  10231. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10232. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10233. "Proxy_AccessType": "2 (Use IE settings)"
  10234. }
  10235. },
  10236. "45.67.229.168": {
  10237. "x64": {
  10238. "BeaconType": "8 (HTTPS)",
  10239. "Port": "443",
  10240. "Polling": "53000",
  10241. "Jitter": "34",
  10242. "Maxdns": "255",
  10243. "C2 Server": "45.67.229.168,/jquery-3.3.1.min.js",
  10244. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
  10245. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  10246. "Header1": "",
  10247. "Header2": "",
  10248. "PipeName": "",
  10249. "DNS Idle": "J}\\xC4q",
  10250. "DNS Sleep": "0",
  10251. "Method1": "GET",
  10252. "Method2": "POST",
  10253. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  10254. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  10255. "Proxy_AccessType": "2 (Use IE settings)"
  10256. }
  10257. },
  10258. "45.76.48.40": {
  10259. "x86": {
  10260. "BeaconType": "8 (HTTPS)",
  10261. "Port": "443",
  10262. "Polling": "60000",
  10263. "Jitter": "0",
  10264. "Maxdns": "255",
  10265. "C2 Server": "45.76.48.40,/ptj",
  10266. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; LG; LG-E906)",
  10267. "HTTP Method Path 2": "/submit.php",
  10268. "Header1": "",
  10269. "Header2": "",
  10270. "PipeName": "",
  10271. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10272. "DNS Sleep": "0",
  10273. "Method1": "GET",
  10274. "Method2": "POST",
  10275. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10276. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10277. "Proxy_AccessType": "2 (Use IE settings)"
  10278. }
  10279. },
  10280. "46.161.27.220": {
  10281. "x86": {
  10282. "BeaconType": "8 (HTTPS)",
  10283. "Port": "443",
  10284. "Polling": "60000",
  10285. "Jitter": "0",
  10286. "Maxdns": "255",
  10287. "C2 Server": "46.161.27.220,/ptj",
  10288. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)",
  10289. "HTTP Method Path 2": "/submit.php",
  10290. "Header1": "",
  10291. "Header2": "",
  10292. "PipeName": "",
  10293. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10294. "DNS Sleep": "0",
  10295. "Method1": "GET",
  10296. "Method2": "POST",
  10297. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10298. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10299. "Proxy_AccessType": "2 (Use IE settings)"
  10300. }
  10301. },
  10302. "46.166.128.234": {
  10303. "x64": {
  10304. "BeaconType": "8 (HTTPS)",
  10305. "Port": "443",
  10306. "Polling": "60000",
  10307. "Jitter": "0",
  10308. "Maxdns": "255",
  10309. "C2 Server": "46.166.128.234,/cx",
  10310. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)",
  10311. "HTTP Method Path 2": "/submit.php",
  10312. "Header1": "",
  10313. "Header2": "",
  10314. "PipeName": "",
  10315. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10316. "DNS Sleep": "0",
  10317. "Method1": "GET",
  10318. "Method2": "POST",
  10319. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10320. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10321. "Proxy_AccessType": "2 (Use IE settings)"
  10322. }
  10323. },
  10324. "46.166.129.176": {
  10325. "x86": {
  10326. "BeaconType": "8 (HTTPS)",
  10327. "Port": "443",
  10328. "Polling": "60000",
  10329. "Jitter": "0",
  10330. "Maxdns": "255",
  10331. "C2 Server": "46.166.129.169,/load",
  10332. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
  10333. "HTTP Method Path 2": "/submit.php",
  10334. "Header1": "",
  10335. "Header2": "",
  10336. "PipeName": "",
  10337. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10338. "DNS Sleep": "0",
  10339. "Method1": "GET",
  10340. "Method2": "POST",
  10341. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10342. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10343. "Proxy_AccessType": "2 (Use IE settings)"
  10344. }
  10345. },
  10346. "46.166.162.165": {
  10347. "x86": {
  10348. "BeaconType": "8 (HTTPS)",
  10349. "Port": "443",
  10350. "Polling": "60000",
  10351. "Jitter": "0",
  10352. "Maxdns": "255",
  10353. "C2 Server": "46.166.162.165,/pixel.gif",
  10354. "User Agent": "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent",
  10355. "HTTP Method Path 2": "/submit.php",
  10356. "Header1": "",
  10357. "Header2": "",
  10358. "PipeName": "",
  10359. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10360. "DNS Sleep": "0",
  10361. "Method1": "GET",
  10362. "Method2": "POST",
  10363. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10364. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10365. "Proxy_AccessType": "2 (Use IE settings)"
  10366. },
  10367. "x64": {
  10368. "BeaconType": "8 (HTTPS)",
  10369. "Port": "443",
  10370. "Polling": "60000",
  10371. "Jitter": "0",
  10372. "Maxdns": "255",
  10373. "C2 Server": "46.166.162.165,/j.ad",
  10374. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; Avant Browser)",
  10375. "HTTP Method Path 2": "/submit.php",
  10376. "Header1": "",
  10377. "Header2": "",
  10378. "PipeName": "",
  10379. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10380. "DNS Sleep": "0",
  10381. "Method1": "GET",
  10382. "Method2": "POST",
  10383. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10384. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10385. "Proxy_AccessType": "2 (Use IE settings)"
  10386. }
  10387. },
  10388. "46.166.162.97": {
  10389. "x64": {
  10390. "BeaconType": "8 (HTTPS)",
  10391. "Port": "443",
  10392. "Polling": "60000",
  10393. "Jitter": "0",
  10394. "Maxdns": "255",
  10395. "C2 Server": "46.166.162.97,/cx",
  10396. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)",
  10397. "HTTP Method Path 2": "/submit.php",
  10398. "Header1": "",
  10399. "Header2": "",
  10400. "PipeName": "",
  10401. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10402. "DNS Sleep": "0",
  10403. "Method1": "GET",
  10404. "Method2": "POST",
  10405. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10406. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10407. "Proxy_AccessType": "2 (Use IE settings)"
  10408. }
  10409. },
  10410. "46.30.189.89": {
  10411. "x86": {
  10412. "BeaconType": "8 (HTTPS)",
  10413. "Port": "443",
  10414. "Polling": "5000",
  10415. "Jitter": "0",
  10416. "Maxdns": "255",
  10417. "C2 Server": "top.jimwilkens.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  10418. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  10419. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  10420. "Header1": "",
  10421. "Header2": "",
  10422. "PipeName": "",
  10423. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10424. "DNS Sleep": "0",
  10425. "Method1": "GET",
  10426. "Method2": "POST",
  10427. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  10428. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  10429. "Proxy_AccessType": "2 (Use IE settings)"
  10430. }
  10431. },
  10432. "46.8.180.147": {
  10433. "x86": {
  10434. "BeaconType": "8 (HTTPS)",
  10435. "Port": "443",
  10436. "Polling": "60000",
  10437. "Jitter": "0",
  10438. "Maxdns": "255",
  10439. "C2 Server": "46.8.180.147,/visit.js",
  10440. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)",
  10441. "HTTP Method Path 2": "/submit.php",
  10442. "Header1": "",
  10443. "Header2": "",
  10444. "PipeName": "",
  10445. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10446. "DNS Sleep": "0",
  10447. "Method1": "GET",
  10448. "Method2": "POST",
  10449. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10450. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10451. "Proxy_AccessType": "2 (Use IE settings)"
  10452. },
  10453. "x64": {
  10454. "BeaconType": "8 (HTTPS)",
  10455. "Port": "443",
  10456. "Polling": "60000",
  10457. "Jitter": "0",
  10458. "Maxdns": "255",
  10459. "C2 Server": "46.8.180.147,/cm",
  10460. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
  10461. "HTTP Method Path 2": "/submit.php",
  10462. "Header1": "",
  10463. "Header2": "",
  10464. "PipeName": "",
  10465. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10466. "DNS Sleep": "0",
  10467. "Method1": "GET",
  10468. "Method2": "POST",
  10469. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10470. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10471. "Proxy_AccessType": "2 (Use IE settings)"
  10472. }
  10473. },
  10474. "47.101.214.85": {
  10475. "x64": {
  10476. "BeaconType": "8 (HTTPS)",
  10477. "Port": "443",
  10478. "Polling": "60000",
  10479. "Jitter": "0",
  10480. "Maxdns": "255",
  10481. "C2 Server": "47.101.214.85,/dpixel",
  10482. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
  10483. "HTTP Method Path 2": "/submit.php",
  10484. "Header1": "",
  10485. "Header2": "",
  10486. "PipeName": "",
  10487. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10488. "DNS Sleep": "0",
  10489. "Method1": "GET",
  10490. "Method2": "POST",
  10491. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10492. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10493. "Proxy_AccessType": "2 (Use IE settings)"
  10494. }
  10495. },
  10496. "47.104.11.169": {
  10497. "x86": {
  10498. "BeaconType": "8 (HTTPS)",
  10499. "Port": "443",
  10500. "Polling": "60000",
  10501. "Jitter": "0",
  10502. "Maxdns": "255",
  10503. "C2 Server": "47.104.11.169,/pixel",
  10504. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)",
  10505. "HTTP Method Path 2": "/submit.php",
  10506. "Header1": "",
  10507. "Header2": "",
  10508. "PipeName": "",
  10509. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10510. "DNS Sleep": "0",
  10511. "Method1": "GET",
  10512. "Method2": "POST",
  10513. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10514. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10515. "Proxy_AccessType": "2 (Use IE settings)"
  10516. },
  10517. "x64": {
  10518. "BeaconType": "8 (HTTPS)",
  10519. "Port": "443",
  10520. "Polling": "60000",
  10521. "Jitter": "0",
  10522. "Maxdns": "255",
  10523. "C2 Server": "47.104.11.169,/cx",
  10524. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENIN)",
  10525. "HTTP Method Path 2": "/submit.php",
  10526. "Header1": "",
  10527. "Header2": "",
  10528. "PipeName": "",
  10529. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10530. "DNS Sleep": "0",
  10531. "Method1": "GET",
  10532. "Method2": "POST",
  10533. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10534. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10535. "Proxy_AccessType": "2 (Use IE settings)"
  10536. }
  10537. },
  10538. "47.104.156.242": {
  10539. "x86": {
  10540. "BeaconType": "8 (HTTPS)",
  10541. "Port": "443",
  10542. "Polling": "60000",
  10543. "Jitter": "50",
  10544. "Maxdns": "244",
  10545. "C2 Server": "47.104.156.242,/v1/act",
  10546. "User Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/82.0.4068.4 Safari/537.36",
  10547. "HTTP Method Path 2": "/v2/api",
  10548. "Header1": "",
  10549. "Header2": "",
  10550. "PipeName": "",
  10551. "DNS Idle": "\\x08\\x08\\x08\\x08",
  10552. "DNS Sleep": "0",
  10553. "Method1": "GET",
  10554. "Method2": "POST",
  10555. "Spawnto_x86": "%windir%\\syswow64\\WerFault.exe",
  10556. "Spawnto_x64": "%windir%\\sysnative\\WerFault.exe",
  10557. "Proxy_AccessType": "2 (Use IE settings)"
  10558. },
  10559. "x64": {
  10560. "BeaconType": "8 (HTTPS)",
  10561. "Port": "443",
  10562. "Polling": "60000",
  10563. "Jitter": "50",
  10564. "Maxdns": "244",
  10565. "C2 Server": "47.104.156.242,/v1/act",
  10566. "User Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/82.0.4068.4 Safari/537.36",
  10567. "HTTP Method Path 2": "/v2/do",
  10568. "Header1": "",
  10569. "Header2": "",
  10570. "PipeName": "",
  10571. "DNS Idle": "\\x08\\x08\\x08\\x08",
  10572. "DNS Sleep": "0",
  10573. "Method1": "GET",
  10574. "Method2": "POST",
  10575. "Spawnto_x86": "%windir%\\syswow64\\WerFault.exe",
  10576. "Spawnto_x64": "%windir%\\sysnative\\WerFault.exe",
  10577. "Proxy_AccessType": "2 (Use IE settings)"
  10578. }
  10579. },
  10580. "47.111.134.70": {
  10581. "x86": {
  10582. "BeaconType": "8 (HTTPS)",
  10583. "Port": "443",
  10584. "Polling": "59768",
  10585. "Jitter": "41",
  10586. "Maxdns": "253",
  10587. "C2 Server": "47.111.134.70,/mt",
  10588. "User Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0",
  10589. "HTTP Method Path 2": "/language",
  10590. "Header1": "",
  10591. "Header2": "",
  10592. "PipeName": "",
  10593. "DNS Idle": "d \\x8E\\x86",
  10594. "DNS Sleep": "0",
  10595. "Method1": "GET",
  10596. "Method2": "POST",
  10597. "Spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",
  10598. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  10599. "Proxy_AccessType": "2 (Use IE settings)"
  10600. },
  10601. "x64": {
  10602. "BeaconType": "8 (HTTPS)",
  10603. "Port": "443",
  10604. "Polling": "59768",
  10605. "Jitter": "41",
  10606. "Maxdns": "253",
  10607. "C2 Server": "47.111.134.70,/eo",
  10608. "User Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0",
  10609. "HTTP Method Path 2": "/ny",
  10610. "Header1": "",
  10611. "Header2": "",
  10612. "PipeName": "",
  10613. "DNS Idle": "d \\x8E\\x86",
  10614. "DNS Sleep": "0",
  10615. "Method1": "GET",
  10616. "Method2": "POST",
  10617. "Spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",
  10618. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  10619. "Proxy_AccessType": "2 (Use IE settings)"
  10620. }
  10621. },
  10622. "47.114.35.225": {
  10623. "x86": {
  10624. "BeaconType": "8 (HTTPS)",
  10625. "Port": "443",
  10626. "Polling": "8658",
  10627. "Jitter": "37",
  10628. "Maxdns": "243",
  10629. "C2 Server": "47.114.35.225,/gv",
  10630. "User Agent": "Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202",
  10631. "HTTP Method Path 2": "/an",
  10632. "Header1": "",
  10633. "Header2": "",
  10634. "PipeName": "",
  10635. "DNS Idle": "\\xC1\\x19\\xB3p",
  10636. "DNS Sleep": "0",
  10637. "Method1": "GET",
  10638. "Method2": "POST",
  10639. "Spawnto_x86": "%windir%\\syswow64\\WUAUCLT.exe",
  10640. "Spawnto_x64": "%windir%\\sysnative\\WUAUCLT.exe",
  10641. "Proxy_AccessType": "2 (Use IE settings)"
  10642. }
  10643. },
  10644. "47.242.140.1": {
  10645. "x64": {
  10646. "BeaconType": "8 (HTTPS)",
  10647. "Port": "443",
  10648. "Polling": "37500",
  10649. "Jitter": "33",
  10650. "Maxdns": "245",
  10651. "C2 Server": "36.102.212.68,/modcp,221.236.11.67,/mobile-home,58.218.215.93,/mobile-home,118.123.241.208,/modcp,222.222.88.77,/mobile-home,121.9.212.217,/mt,175.6.235.200,/modcp,118.123.241.208,/mt,121.9.212.217,/modcp,125.37.206.224,/modcp,58.218.215.129,/mobile-home",
  10652. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36",
  10653. "HTTP Method Path 2": "/Admin",
  10654. "Header1": "",
  10655. "Header2": "",
  10656. "PipeName": "",
  10657. "DNS Idle": "rrrr",
  10658. "DNS Sleep": "0",
  10659. "Method1": "GET",
  10660. "Method2": "GET",
  10661. "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe",
  10662. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  10663. "Proxy_AccessType": "2 (Use IE settings)"
  10664. }
  10665. },
  10666. "47.56.144.122": {
  10667. "x86": {
  10668. "BeaconType": "8 (HTTPS)",
  10669. "Port": "443",
  10670. "Polling": "60000",
  10671. "Jitter": "0",
  10672. "Maxdns": "255",
  10673. "C2 Server": "47.56.144.122,/visit.js",
  10674. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP08; MAAU; NP08)",
  10675. "HTTP Method Path 2": "/submit.php",
  10676. "Header1": "",
  10677. "Header2": "",
  10678. "PipeName": "",
  10679. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10680. "DNS Sleep": "0",
  10681. "Method1": "GET",
  10682. "Method2": "POST",
  10683. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10684. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10685. "Proxy_AccessType": "2 (Use IE settings)"
  10686. },
  10687. "x64": {
  10688. "BeaconType": "8 (HTTPS)",
  10689. "Port": "443",
  10690. "Polling": "60000",
  10691. "Jitter": "0",
  10692. "Maxdns": "255",
  10693. "C2 Server": "47.56.144.122,/updates.rss",
  10694. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; ASU2JS)",
  10695. "HTTP Method Path 2": "/submit.php",
  10696. "Header1": "",
  10697. "Header2": "",
  10698. "PipeName": "",
  10699. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10700. "DNS Sleep": "0",
  10701. "Method1": "GET",
  10702. "Method2": "POST",
  10703. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10704. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10705. "Proxy_AccessType": "2 (Use IE settings)"
  10706. }
  10707. },
  10708. "47.95.37.84": {
  10709. "x86": {
  10710. "BeaconType": "8 (HTTPS)",
  10711. "Port": "443",
  10712. "Polling": "5000",
  10713. "Jitter": "50",
  10714. "Maxdns": "255",
  10715. "C2 Server": "47.95.37.84,/jquery-3.3.1.min.js",
  10716. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) WebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36",
  10717. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  10718. "Header1": "",
  10719. "Header2": "",
  10720. "PipeName": "",
  10721. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10722. "DNS Sleep": "0",
  10723. "Method1": "GET",
  10724. "Method2": "POST",
  10725. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  10726. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  10727. "Proxy_AccessType": "2 (Use IE settings)"
  10728. }
  10729. },
  10730. "47.97.65.242": {
  10731. "x86": {
  10732. "BeaconType": "8 (HTTPS)",
  10733. "Port": "443",
  10734. "Polling": "60000",
  10735. "Jitter": "0",
  10736. "Maxdns": "255",
  10737. "C2 Server": "47.97.65.242,/ptj",
  10738. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)",
  10739. "HTTP Method Path 2": "/submit.php",
  10740. "Header1": "",
  10741. "Header2": "",
  10742. "PipeName": "",
  10743. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10744. "DNS Sleep": "0",
  10745. "Method1": "GET",
  10746. "Method2": "POST",
  10747. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10748. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10749. "Proxy_AccessType": "2 (Use IE settings)"
  10750. },