Please don't use these domains & IPs without giving me credit! Thanks :-)

Twitter: @c_APT_ure | https://twitter.com/c_APT_ure
Blog: http://c-apt-ure.blogspot.com/

Main Ponmocup research page:
- http://www9.dyndns-server.com:8080/pub/botnet-links.html

Please see also for more details:
- http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/.__READ-ME-FIRST__.txt

----------------------------------------------------------------------------------------------------
Domain                        IP               MD5                               Date
multiply.com                  38.126.198.16    b4d689fe9e91c269fd229d8716cf4c1b  2011-11-14
82.192.79.174                 82.192.79.174    cc4d3340927075f683f3c54b3d623cc4  2011-11-06
cache2.bazookanetworks.com    69.163.248.145   ee324ae3e7b7b9bd2a6ac558702b2f48  2011-11-06
cache.trillinux.org           69.163.250.145   ee324ae3e7b7b9bd2a6ac558702b2f48  2011-11-06
82.192.79.174                 82.192.79.174    ee324ae3e7b7b9bd2a6ac558702b2f48  2011-11-06
173.193.216.86:8014           173.193.216.86   ee324ae3e7b7b9bd2a6ac558702b2f48  2011-11-06
31.214.169.43:8000            31.214.169.43    ee324ae3e7b7b9bd2a6ac558702b2f48  2011-11-06
onlinebizdirectory.com        173.203.101.8    881e21645e5ffe1ffb959835f8fdf71d  2011-10-10
freshmediaportal.com          63.251.179.57    881e21645e5ffe1ffb959835f8fdf71d  2011-10-10
freshmediaportal.com          64.158.56.57     881e21645e5ffe1ffb959835f8fdf71d  2011-10-10
contactfriendly.com           95.211.130.162   881e21645e5ffe1ffb959835f8fdf71d  2011-10-10
aeravine.com                  193.27.246.60    881e21645e5ffe1ffb959835f8fdf71d  2011-10-10
imagehut4.cn                  64.158.56.57     881e21645e5ffe1ffb959835f8fdf71d  2011-10-10
imagehut4.cn                  63.251.179.57    881e21645e5ffe1ffb959835f8fdf71d  2011-10-10
resetmymemory.com             64.158.56.57     881e21645e5ffe1ffb959835f8fdf71d  2011-10-10
resetmymemory.com             63.251.179.57    881e21645e5ffe1ffb959835f8fdf71d  2011-10-10
zonedg.com                    96.9.169.85      881e21645e5ffe1ffb959835f8fdf71d  2011-10-10
freshmediaportal.com          64.158.56.57     881e21645e5ffe1ffb959835f8fdf71d  2011-10-10
freshmediaportal.com          63.251.179.57    881e21645e5ffe1ffb959835f8fdf71d  2011-10-10
middlechrist.com              78.159.100.32    6e4f168b202bcae89ab6c5d60638b2a0  2011-10-07
95.211.130.162                95.211.130.162   002a217d4bbb8ff8fd8e941acca85fcd  2011-10-01
ultrafastsearch.com           95.211.8.195     f5b373648b2502bcb54abfb5aaf48b25  2011-06-26
imagehut4.cn                  64.158.56.57     f5b373648b2502bcb54abfb5aaf48b25  2011-06-26
imagehut4.cn                  63.251.179.57    f5b373648b2502bcb54abfb5aaf48b25  2011-06-26
victoryltd.net                95.168.177.58    ac46fbcfbbd1bc0f511847909ea2738d  2010-12-09
victoryltd.net                95.168.177.58    5712b05dca33c575bc588ff10e1082c5  2010-10-28
----------------------------------------------------------------------------------------------------

C2 URL patterns:

# 881e21645e5ffe1ffb959835f8fdf71d 2011-10-10
/update/utu.dat
/dpxezto/ubsnltn.php?adv=adv610&id=82799957&c=10331881
/dpxezto/ctbidkjq.php?adv=adv610&id=82799957&c=10331881
/dpxezto/zdlfahcaip.php?adv=adv610&id=82799957&c=10331881
/dpxezto/dhpjelxr.php?adv=adv610&code1=HOLC&code2=3201&id=82799957&p=1&b=1&c=10331881

# ee324ae3e7b7b9bd2a6ac558702b2f48 2011-11-06
http://www.threatexpert.com/report.aspx?md5=ee324ae3e7b7b9bd2a6ac558702b2f48
/g2/bazooka.php?net=gnutella2&get=1&client=RAZA2.5.0.0
/g2/bazooka.php?net=gnutella2&get=1&client=RAZA2.5.0.0
/search

There was an outbound traffic produced on port 8014:
00000000 | 0400 0001 0500 0000 0007 0001 0004 0000 | ................
00000010 | 0101 0000 0005                          | ......

There was an outbound traffic produced on port 8000:
00000000 | B6E7 5416 A783 00                       | ..T....
----------------------------------------------------------------------------------------------------

C2 User-Agents:

# 881e21645e5ffe1ffb959835f8fdf71d 2011-10-10
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; SV1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)ver76
----------------------------------------------------------------------------------------------------