Malware Domain List

Malware Related => Malicious Domains => Topic started by: pktguy on December 01, 2011, 05:51:51 pm

Title: Phoenix kits
Post by: pktguy on December 01, 2011, 05:51:51 pm
Phoenix with ZeroAccess payload

http://www.ffyehugv.cjb.net/ibput0sq/?2

http://www.virustotal.com/file-scan/report.html?id=730007c455233afe92f46f6d029acddb379a217c5ab0a740cf44fffcffe0584b-1322760964

Title: Re: Phoenix kits
Post by: SysAdMini on December 01, 2011, 06:20:49 pm
Are you sure that it is Phoenix?

I'm looking for the name.

http://www.malwaredomainlist.com/forums/index.php?topic=4695.0

I still have the problem that it always returns 404 only.

Title: Re: Phoenix kits
Post by: pktguy on December 01, 2011, 06:54:20 pm
It triggered Emerging Threats rule "ET CURRENT_EVENTS Phoenix URI Requested Contains /? and hex", so I am assuming that's what it is. I hit the URL from inside a sandbox, which caused it to download several .jar files and finally load ZeroAccess. You can see where it tried to load the applets in the SetInnerHTML section of http://urlquery.net/report.php?id=10179