Malware-Traffic-Analysis.net - My technical blog posts - 2017

[ 2013 ] - [ 2014 ] - [ 2015 ] - [ 2016 ] - [ 2017 ] - [ 2018 ] - [ 2019 ] - [ 2020 ] - [ 2021 ]

2017-12-29 -- Resume-themed malspam pushing Dreambot banking Trojan
2017-12-29 -- Traffic, email, and malware samples from 3 days of Necurs Botnet malspam
2017-12-28 -- Seamless campaign continues using Rig EK to send Ramnit banking Trojan
2017-12-27 -- Malspam pushing Emotet Trojan - Subject: Merry Christmas!
2017-12-26 -- EITest campaign HoeflerText popups or fake AV alerts
2017-12-26 -- Necurs Botnet malspam pushes GlobeImposter ransomware
2017-12-22 -- Malspam uses CVE-2017-0199 to distribute Remcos RAT
2017-12-21 -- Hancitor malspam - Subject: RE: FW: december billing invoice
2017-12-21 -- Necurs Botnet malspam pushes GlobeImposter ransomware
2017-12-20 -- Quick post - Hancitor malspam
2017-12-19 -- Quick post - EITest HoeflerText popups or fake anti-virus pages
2017-12-19 -- Quick post - Hancitor malspam
2017-12-19 -- Quick post - Necurs Botnet malspam pushes GlobeImposter ransomware
2017-12-18 -- Quick post - Hancitor malspam
2017-12-18 -- A weekend's worth of phishing emails from my inbox
2017-12-14 -- Ngay campaign Rig EK pushes Quant Loader & Monero CPU miner
2017-12-13 -- Hancitor malspam (eFax-themed)
2017-12-13 -- Necurs Botnet malspam examples, 2017-12-07 thru 12
2017-12-13 -- Email attachment exploits CVE-2017-11882 to spread Loki Bot
2017-12-12 -- EITest HoeflerText popups and fake anti-virus pages
2017-12-12 -- Ngay campaign Rig EK pushes Quant Loader & Monero CPU miner
2017-12-11 -- AutoIT malspam - Subject: NFe - FISCAL
2017-12-11 -- Hancitor malspam (eFax-themed)
2017-12-08 -- Fobos campaign Rig EK pushes Bunitu
2017-12-06 -- Quick post: UK vehicle violation-themed malspam pushes Nymaim
2017-12-06 -- Hancitor malspam - More IcedID banking Trojan (no Zeus Panda Banker)
2017-12-06 -- Quick post: Necurs Botnet malspam pushes GlobeImposter ransomware
2017-12-06 -- Quick post: EITest HoeflerText popup pushes NetSupport Manager RAT
2017-12-05 -- Quick post: Hancitor malspam
2017-12-05 -- Quick post: Necurs Botnet malspam pushes GlobeImposter ransomware
2017-12-04 -- Dridex is back, Baby! - Necurs Botnet malspam pushes Dridex
2017-12-04 -- Necurs Botnet malspam pushes GlobeImposter ransomware
2017-12-01 -- Phishing emails for shopping job at Target
2017-12-01 -- EITest campaign fake anti-virus alert

2017-11-30 -- Necurs Botnet malspam pushes GlobeImposter ransomware
2017-11-29 -- pcap/malware for an ISC diary (Emotet malspam)
2017-11-28 -- Payment slip malspam
2017-11-28 -- Two days of Hancitor malspam
2017-11-28 -- Fake Netflix login pages from phishing emails
2017-11-27 -- "Tungsten Rounded" popup on Chrome/Firefox pushes Monero CPU miner
2017-11-23 -- Necurs Botnet malspam pushes "Scarab" ransomware
2017-11-22 -- Netflix phishing emails
2017-11-21 -- Italian malspam pushing Zeus Panda Banker
2017-11-21 -- Hancitor malspam - Now w/ IcedID banking Trojan (not Zeus Panda Banker)
2017-11-19 -- pcap/malware for an ISC diary (resume malspam pushing Smoke Loader)
2017-11-17 -- KaiXin EK still around, very Chinese, and acting like it's 2013
2017-11-16 -- traffic, emails, and malware from 5 days of Hancitor malspam
2017-11-16 -- Malspam using CVE-2017-0199 to push Loki Bot
2017-11-15 -- Brazil malpsam pushes Banload malware
2017-11-12 -- "Mercury Text" popup for Chrome/FireFox pushes Monero CPU miner
2017-11-10 -- Phishing emails link to fake on-line banking pages
2017-11-09 -- Necurs Botnet malspam still pushing Locky ransomware
2017-11-08 -- Hancitor malspam - Subject: RE: iPhone X pre-order
2017-11-07 -- A Day in the Life (of a Researcher)
2017-11-06 -- Hancitor malspam - Subject: Delivery failed
2017-11-03 -- malspam pushing Nymaim
2017-11-03 -- Brazil malpsam pushes Banload malware
2017-11-02 -- Adventures with Smoke Loader
2017-11-01 -- Hancitor malspam (fake RingCentral fax)
2017-11-01 -- Necurs Botnet malspam continues pushing Locky

2017-10-31 -- Quick post: Hancitor malspam (Payment notice for invoice)
2017-10-31 -- Necurs Botnet malspam stops using DDE, still uses Word docs
2017-10-30 -- Hancitor malspam (View your Office 365 Business billing statement)
2017-10-30 -- Necurs Botnet malspam uses DDE attack to push Locky
2017-10-27 -- malspam pushing Remcos RAT
2017-10-26 -- Hancitor malspam (missed delivery/shipment/shipping notification)
2017-10-26 -- EITest campaign sends HoeflerText popups or fake AV page
2017-10-24 -- Necurs Botnet malspam uses DDE attack to push Locky
2017-10-24 -- Compromised site has EITest fake AV, also has coinminer javascript
2017-10-24 -- Phishing email, Subject: BAHL Internet Banking - Update
2017-10-23 -- Brazil malspam pushes Banload
2017-10-23 -- malspam pushes a RAT's nest of malware
2017-10-19 -- Pcap & malware for an ISC diary (Necurs Botnet malspam uses DDE attack)
2017-10-18 -- Pcap and malware for an ISC diary (Loki Bot malspam)
2017-10-17 -- Terror EK sends Smoke Loader, Smoke Loader sends more malware
2017-10-16 -- pcap and malware for an ISC diary (Hancitor malspam)
2017-10-13 -- Blank Slate malspam stops pushing Locky, starts pushing Sage 2.2
2017-10-11 -- WhatsApp-themed Brazil malspam pushes Banload malware
2017-10-11 -- FTFY: Necurs Botnet malspam pushing ".asasin" variant Locky ransomware
2017-10-11 -- Phishing email - Subject: Completed Title Work :Please DocuSign
2017-10-10 -- Malspam using CVE-2017-0199 to push Loki Bot
2017-10-10 -- Malspam pushing Emotet Trojan
2017-10-09 -- Adwind/jRAT malspam - Subject: Payment TT Copy
2017-10-06 -- Brazil malspam - Subject: Envio de Boleto - URGENTE - GRUPO FREITAS
2017-10-05 -- Hancitor malspam (2 waves: Make Hacking Difficult & FW: IRS)
2017-10-04 -- Blank Slate malspam pushes ".ykcol" variant Locky ransomware
2017-10-04 -- EITest campaign HoeflerText popup / fake AV alert
2017-10-03 -- Japanese malspam pushing Ursnif
2017-10-03 -- Brazil malspam - Subj: Fotos Enviadas via WhatsApp Messenger WEB
2017-10-03 -- Hancitor malspam (fake RingCentral Fax)
2017-10-03 -- pcap and malware for an ISC diary (Formbook info stealer malspam)
2017-10-02 -- Quick post: Hancitor malspam (fake FedEx emails)
2017-10-02 -- Necurs Botnet malspam still pushing ".ykcol" variant Locky ransomware

2017-09-22 -- Brazil malspam - Subject: Envio de Boleto - URGENTE - GRUPO FREITAS
2017-09-22 -- Pcap and malware for an ISC diary (Hancitor malspam)
2017-09-21 -- Pcap and malware for an ISC diary (CVE-2017-8759)
2017-09-20 -- Loki bot malspam - Subject: RFQ: FROM: Fortune Sciences Co., Ltd
2017-09-18 -- Malspam pushing Emotet Trojan
2017-09-18 -- Hancitor malspam (sept invoice)
2017-09-18 -- Necurs Botnet malspam pushing ".ykcol" variant Locky ransomware
2017-09-18 -- Malspam pushing Emotet Trojan
2017-09-15 -- Amateur hour: more fake Microsoft update malspam with .exe attachments
2017-09-15 -- Blank Slate malspam pushes Locky ransomware
2017-09-14 -- Fake Microsoft update malspam with .exe attachments
2017-09-11 -- Blank Slate malspam pushes "Lukitus" variant Locky ransomware
2017-09-08 -- Locky malspam
2017-09-08 -- EITest campaign fake AV alert / HoeflerText popup
2017-09-07 -- Malspam pushes "Lukitus" variant Locky ransomware
2017-09-07 -- EITest campaign still using fake AV alerts or HoeflerText popups
2017-09-06 -- Japanese malspam pushing Ursnif
2017-09-05 -- Grab bag
2017-09-04 -- Brazil malspam - Subj: Crt: 386 / Oper: 2557 / Contrato: 5213706677228235...
2017-09-04 -- Malspam pushing GlobeImposter ransomware (..txt file extensions)
2017-09-01 -- EITest HoflerText popups or fake anti-virus pages

2017-08-31 -- Grab bag
2017-08-29 -- Traffic analysis pop quiz
2017-08-29 -- Terror EK seen using HTTPS
2017-08-28 -- Brazil malspam - Subject: Envio de Boleto - URGENTE - GRUPO FREITAS
2017-08-28 -- Fobos campaign Rig EK sends Bunitu
2017-08-25 -- Seamless campaign Rig EK sends Ramnit
2017-08-21 -- Hancitor malspam (UPS Quantum View)
2017-08-21 -- Malspam continues pushing Trickbot banking Trojan
2017-08-19 -- Brazil spam pushes banking Trojan - Subj: Aviso de Inclusao De Protesto
2017-08-16 -- Some emails, malware, and pcaps for "Lukitus" variant Locky ransomware
2017-08-15 -- Pcap and malware for and ISC diary (Trickbot malspam)
2017-08-12 -- Malspam continues to push Trickbot banking Trojan
2017-08-11 -- "Diablo6" Locky malspam - PDF attachments with embedded .docm files
2017-08-10 -- Hancitor malspam (FedEx shipment delivered)
2017-08-09 -- Malware & traffic from malspam pushing Diablo6 variant of Locky
2017-08-09 -- Pcap and malware for an ISC diary I wrote
2017-08-08 -- Quick post: malspam pushing GlobeImposter ransomware
2017-08-07 -- Fake BBB malspam uses goo.gl links to send JavaScript file
2017-08-04 -- Magnitude EK data dump
2017-08-03 -- Hancitor malspam (invoice from Casey Martinez)
2017-08-02 -- "Blank Slate" malspam pushing Gryphon ransomware (a BTCware variant)
2017-08-02 -- Malspam pushing GlobeImposter ransomware (726 file extension)
2017-08-02 -- Hancitor malspam (ADP payroll invoice)
2017-08-02 -- Magnitude EK sends Cerber ransomware
2017-08-01 -- Rig EK from the HookAds campaign sends Dreambot

2017-07-31 -- malspam pushing GlobeImposter ransomware
2017-07-29 -- "Blank Slate" malspam pushing BTCware (Aleta variant) ransomware
2017-07-28 -- Dog Turd in a Big Bowl of Soup: A Security Parable
2017-07-26 -- Pcap and malware for an ISC diary (malspam pushing Emotet)
2017-07-24 -- quick post: Hancitor malspam
2017-07-24 -- quick post: Trickbot malspam
2017-07-23 -- EITest campaign HolflerText popup sends Mole ransomware
2017-07-21 -- Brazil malspam - Subject: Envio de Boleto - URGENTE - AXECAPITAL
2017-07-20 -- Hancitor malspam (invoice notification)
2017-07-18 -- UPS-themed malspam pushing NemucodAES ransomware
2017-07-17 -- Rig EK data dump (HookAds and Seamless campaigns)
2017-07-14 -- Another tech support scam popup message
2017-07-14 -- Pcap and malware for an ISC diary (Kovter/NemucodAES malspam)
2017-07-12 -- Brazil malspam - Subject: Ultimo aviso da 2a via boleto em Atraso
2017-07-10 -- Rig EK from the HookAds campaign
2017-07-10 -- More UPS-themed malspam pushing Kovter/Nemucod ransomware
2017-07-07 -- Brazil malspam - Subj: Mensagem pessoal (Detran) - (87960)
2017-07-06 -- EITest campaign pushes tech support scam
2017-07-05 -- Japanese malspam with Excel spreadsheet attachment
2017-07-04 -- Malspam with Java-based RAT
2017-07-03 -- More UPS-themed malspam pushing Kovter
2017-07-03 -- Hancitor malspam (FedEx tracking notification)

2017-06-30 -- Rig EK from HookAds campaign send Chthonic banking Trojan
2017-06-29 -- Kovter malspam - UPS delivery theme
2017-06-29 -- Hancitor malspam (Google Docs)
2017-06-28 -- Hancitor Malspam (RingCentral fax)
2017-06-28 -- Pcap and malware for an ISC diary (Blank Slate malspam)
2017-06-27 -- Hancitor malspam (invoice problems)
2017-06-26 -- Hancitor malspam (ADP payroll)
2017-06-22 -- Locky malspam - PDF attachments with embedded .docm files
2017-06-21 -- Hancitor malspam (from "De Leons Transport, Inc.")
2017-06-21 -- Rig EK sends Bunitu Trojan
2017-06-20 -- Rig EK from HookAds campaign sends Dreambot & Chthonic
2017-06-19 -- Rig EK from the HookAds campaign sends Dreambot
2017-06-16 -- Rig EK from the HookAds campaign
2017-06-16 -- Boleto malspam
2017-06-15 -- Hancitor malspam (Google Docs-themed)
2017-06-15 -- Rig EK (HookAds and Seamless campaigns)
2017-06-14 -- Trickbot malspam - PDF attachments with embedded .xlsm files
2017-06-14 -- Hancitor malspam (ADP bill)
2017-06-13 -- malspam pushing Jaff ransomware from .wsf files
2017-06-12 -- Hancitor malspam (Docusign-themed)
2017-06-12 -- malspam pushing Trickbot from .wsf files
2017-06-12 -- malspam - Subject: Confirmation Required
2017-06-12 -- Japanese Ursnif malspam
2017-06-12 -- Loki Bot malspam - Subject: Re: PURCHASE ORDER 457211
2017-06-09 -- EITest campaign still pushing tech support scams
2017-06-08 -- Hancitor malspam (Dropbox-themed)
2017-06-08 -- Portuguese malspam - Notificacao IPTU
2017-06-07 -- Hancitor malspam (Google Docs-themed)
2017-06-07 -- Loki Bot malspam - Subject: Re:Purchase request
2017-06-06 -- Hancitor malspam - Subject: New incoming fax from 421-xxx-xxxx
2017-06-06 -- malspam pushing Jaff ransomware from Word docs in PDF attachments
2017-06-06 -- RoughTed campaign Rig EK
2017-06-05 -- Dridex malspam (Word docs in PDF attachments)
2017-06-02 -- Seamless campaign continues using Rig EK to send Ramnit
2017-06-02 -- Dridex malspam (Word docs in PDF attachments)
2017-06-01 -- Hancitor malspam - Google Docs-themed emails
2017-06-01 -- malspam pushing Jaff ransomware from Word docs in PDF attachments
2017-06-01 -- Parking ticket-themed malspam pushing Zeus Panda Banker

2017-05-31 -- Hancitor malspam - Subject: Your package has been returned!
2017-05-31 -- malspam - Subject: RFQ-Doc
2017-05-30 -- Rig EK sends Kovter
2017-05-30 -- EITest campaign pushing tech support scams, Rig EK, HoeflerText popups
2017-05-30 -- Hancitor malspam - Subject: FedEx Shipment Notification
2017-05-26 -- EITest campaign pushing tech support scams, Rig EK, HoeflerText popups
2017-05-26 -- Malspam - Subject: DHL Tracking Number for shipment 97 93745 186
2017-05-25 -- EITest campaign pushing tech support scams in US and UK
2017-05-25 -- Malspam pushing Jaff ransomware from Word docs in PDF attachments
2017-05-25 -- Hancitor malspam with a Google Docs theme
2017-05-24 -- Malspam pushing Jaff ransomware from Word docs in PDF attachments
2017-05-24 -- Pcap and malware for an ISC diary (about Jaff ransomware)
2017-05-22 -- Malspam pushing Jaff ransomware from Word docs in PDF attachments
2017-05-17 -- EITest HoeflerText popups sends Spora ransomware
2017-05-16 -- Hancitor malspam - Subject: UPS Shipment Label Notification
2017-05-16 -- More examples of malspam pushing Jaff ransomware
2017-05-15 -- My take on WannaCry ransomware
2017-05-15 -- The Jaff ransomware train keeps on rollin'
2017-05-12 -- FedEx-themed malspam pushes Kovter (again)
2017-05-12 -- Rig EK examples
2017-05-12 -- "Blank Slate" malspam continues pushing Cerber ransomware
2017-05-11 -- Jumping on the Jaff ransomware bandwagon
2017-05-11 -- FedEx-themed malspam pushes Kovter
2017-05-11 -- Pcap and malware for an ISC diary on Rig EK
2017-05-10 -- Hancitor malspam - Subpoenas and Comcast bills
2017-05-10 -- "Blank Slate" malspam pushing Cerber and GlobeImposter ransomware
2017-05-09 -- Hancitor malspam - Subject: RE: may subpoena from FTC
2017-05-09 -- Rig EK sends Bunitu Trojan
2017-05-05 -- "Blank Slate" malspam back to sending Cerber
2017-05-04 -- Hancitor malspam - Subj: USPS Proof of Delivery letter on your shipment
2017-05-04 -- Decimal IP campaign uses fake Flash Player site to send Smoke Loader
2017-05-03 -- "Blank Slate" malspam pushes GlobeImposter ransomware variant
2017-05-03 -- WhatsApp malspam - Subject: Missed voice message
2017-05-02 -- Hancitor malspam - Subj: Your online bill is available. Amount due $484.45
2017-05-02 -- Keeping it 100: "Blank Slate" malspam starts pushing Mordor ransomware
2017-05-01 -- Hancitor malspam - Subject: 725-630-1234 has sent you a 3 page(s) fax!

2017-04-28 -- Banking Trojan - Subj: UPS Tracking Number for shipment H6902644376
2017-04-27 -- "Blank Slate" malspam still pushing Cerber, also trying CVE-2017-0199
2017-04-26 -- Hancitor malspam - Subject: Your invoice 123456 is available for review!
2017-04-26 -- USPS-themed malspam pushes Mole Ransomware and Kovter
2017-04-25 -- "Good Man" campaign Rig EK sends Latentbot
2017-04-24 -- Hancitor malspam - Subject: RE: RE: wrong amount for invoice # 1234567
2017-04-23 -- Dridex-style malspam pushes Locky ransomware instead
2017-04-21 -- USPS-themed malspam changes to Parking Service malspam
2017-04-20 -- "Blank Slate" malspam still pushing Cerber
2017-04-20 -- EITest campaign Rig EK / HoeflerText Chrome popup
2017-04-19 -- Dridex malspam with PDF attachments containing embedded Word docs
2017-04-19 -- USPS-themed malspam continues pushing Panda Banker, Kovter, & Miuref
2017-04-18 -- USPS-themed malspam resumes after weekend break
2017-04-18 -- EITest campaign Rig EK / HoeflerText Chrome popup
2017-04-16 -- EITest campaign Rig EK / HoeflerText Chrome popup
2017-04-15 -- EITest campaign Rig EK / HoeflerText Chrome popup
2017-04-14 -- Gate leads to Terror EK, same gate later leads to Rig EK
2017-04-13 -- "Blank Slate" malspam still pushing Cerber, still using fake Chrome page
2017-04-13 -- What seems like Rig EK sends possible SmokeLoader payload
2017-04-12 -- Pcap and malware for an ISC diary
2017-04-11 -- Pcap and malware for an ISC diary
2017-04-07 -- If using Chrome: EITest = HoeflerText popup - If using IE: EITest = Rig EK
2017-04-06 -- EITest Rig EK from 109.234.36.165 sends Matrix ransomware variant
2017-04-06 -- "Blank Slate" malspam still pushing Cerber, still using fake Chrome page
2017-04-05 -- Hancitor malspam - Subject: march invoice # 1234567 due
2017-04-05 -- Cerber/Kovter malspam - Subject: Delivery Notification
2017-04-05 -- malspam - Subject: problem with your order
2017-04-05 -- Terror EK sends Andromeda
2017-04-04 -- Hancitor malspam - Subject: Your monthly bill 123456 is available!
2017-04-04 -- Cerber/Kovter malspam - Subject: Our UPS courier can not contact you
2017-04-03 -- EITest Rig EK from 5.101.77.137 sends MSIL/Matrix ransomware variant
2017-04-03 -- DHL invoice malspam/photo malspam - various subject lines
2017-04-03 -- Hancitor malspam - Subj: New Fax Message, incoming from 849-930-xxxx

2017-03-31 -- "Blank Slate" malspam still pushing Cerber
2017-03-30 -- Dridex malspam (two waves)
2017-03-30 -- Terror EK from 159.203.185.4
2017-03-29 -- Hancitor malspam - Subject: Your Flight Ticket Order
2017-03-28 -- EITest Rig EK from 46.173.214.185 sends (some sort of) ransomware
2017-03-24 -- "Blank Slate" malspam tries fake Chrome install page
2017-03-23 -- Malspam for "Quantum Code" scam
2017-03-22 -- Portuguese invoice malspam
2017-03-21 -- Pcaps and malware for an ISC diary
2017-03-20 -- pseudoDarkleech Rig EK from 92.53.104.78 sends Cerber ransomware
2017-03-20 -- EITest Rig EK from 92.53.104.78 sends Cerber ransomware
2017-03-16 -- Hancitor malspam - Subject: RE: divorce papers
2017-03-15 -- "Blank Slate" malspam campaign sending Cerber ransomware
2017-03-15 -- Hancitor malspam - Subject: RE: subpoena
2017-03-15 -- EITest Rig EK sends Revenge Ransomware
2017-03-15 -- pseudoDarkleech Rig EK sends Cerber
2017-03-15 -- unidentified campaign Rig EK sends DELoader/Zloader
2017-03-14 -- Kovter malspam - Subject: Status of your UPS delivery
2017-03-14 -- Hancitor malspam - Subject: Payment request for invoice
2017-03-14 -- "Blank Slate" malspam campaign sending Cerber ransomware
2017-03-13 -- "Good Man" campaign Rig EK sends Godzilla Loader/Zbot
2017-03-13 -- Hancitor malspam - Subject: Incoming Fax
2017-03-13 -- Kovter/Locky malspam - Subject: Status of your UPS delivery
2017-03-10 -- "Blank Slate" malspam continues sending Cerber ransomware
2017-03-10 -- malspam: URGENTE - Informe de Rendimentos de 2016 - CORRIGIDO
2017-03-10 -- EITest HoeflerText Chrome popup leads to Spora ransomware
2017-03-09 -- Rig EK sends Zbot
2017-03-08 -- Hancitor malspam - fake eFax emails
2017-03-07 -- EITest Rig EK from 188.225.32.10 sends Dreambot
2017-03-07 -- Sundown EK
2017-03-06 -- Hancitor malspam - fake Delta Air Lines emails
2017-03-06 -- EITest HoeflerText Chrome popup leads to Spora ransomware
2017-03-04 -- KaiXin EK from 220.170.89.153
2017-03-03 -- Malspam - Subject: IRS Urgent Notification
2017-03-02 -- Nebula EK sends DiamondFox malware

2017-02-28 -- Hancitor malspam - fake USPS emails
2017-02-28 -- Ongoing malspam campaign spreading ransomware
2017-02-28 -- EITest Rig EK from 81.177.140.75 sends CryptoShield ransomware
2017-02-27 -- Hancitor malspam
2017-02-27 -- Rig EK examples (pseudoDarkleech and EITest campaigns)
2017-02-23 -- Hancitor malspam
2017-02-23 -- EITest Rig EK from 188.225.35.79 sends Dreambot
2017-02-22 -- EITest HoeflerText Chrome popup leads to Spora ransomware
2017-02-22 -- pseudoDarkleech Rig EK from 81.177.6.153 sends Cerber ransomware
2017-02-21 -- Zeus Panda Banker malspam
2017-02-21 -- Hancitor malspam
2017-02-20 -- Malspam - Subject: radar photo proof 57628324
2017-02-18 -- Pcaps and malware for an ISC diary
2017-02-16 -- Hancitor malspam
2017-02-15 -- EITest HoeflerText Chrome popup leads to Spora ransomware
2017-02-14 -- EITest HoeflerText Chrome popup leads to Spora ransomware
2017-02-14 -- EITest Rig EK sends CryptoShield ransomware
2017-02-10 -- Pcaps and malware for an ISC diary
2017-02-09 -- Pcaps and malware for an ISC diary
2017-02-08 -- Ongoing malspam campaign spreading ransomware
2017-02-07 -- Hancitor/Pony malspam - Subject: You received a new eFax
2017-02-06 -- pseudoDarkleech Rig EK from 194.87.94.37 sends Cerber ransomware
2017-02-06 -- Afraidgate Rig EK from 194.87.94.37 sends Godzilla Loader/Locky/other
2017-02-06 -- Hancitor/Pony malspam - Subject: Shipping information for parcel
2017-02-06 -- EITest Rig EK sends CryptoShield ransomware
2017-02-04 -- EITest fake Chrome popup leads to Spora ransomware
2017-02-02 -- Ongoing malspam campaign spreading ransomware
2017-02-01 -- Hancitor/Pony malspam - Subject: Invoice #12345678

2017-01-31 -- Hancitor/Pony malspam - Subject: You received a new eFax
2017-01-31 -- EITest Rig EK from 195.133.144.228 sends CryptoShield ransomware
2017-01-31 -- Ongoing malspam campaign spreading ransomware
2017-01-30 -- EITest fake Chrome popup leads to Spora ransomware
2017-01-30 -- Hancitor/Pony malspam - Subject: Parcel Delivery Information
2017-01-30 -- Afraidgate Rig-V from 194.87.94.4 sends Locky ransomware
2017-01-27 -- More malspam spreading ransomware
2017-01-27 -- More Afraidgate Rig-V
2017-01-27 -- Ongoing malspam campaign spreading ransomware
2017-01-26 -- pseudoDarkleech Rig-V sends Cerber ransomware
2017-01-26 -- Afraidgate Rig-V sends Godzilla Loader/Locky/something else
2017-01-25 -- Hancitor/Pony malspam - Subject: You received a new eFax
2017-01-25 -- Ongoing Japanese malspam campaign spreading Ursnif variant
2017-01-24 -- Ongoing Japanese malspam campaign spreading Ursnif variant
2017-01-24 -- EITest Rig-V from 89.223.29.254 sends CryptoMix ransomware
2017-01-24 -- pseudoDarkleech Rig-V from 89.223.29.254 sends Cerber ransomware
2017-01-23 -- Ongoing malspam campaign spreading Cerber and Sage 2.0 ransomware
2017-01-23 -- EITest Rig-V from 89.223.29.252 sends CryptoMix ransomware
2017-01-21 -- Pcap and malware for an ISC diary
2017-01-20 -- EITest Rig-V from 92.53.120.142 sends Cerber ransomware
2017-01-19 -- EITest Sundown EK from 93.190.143.82 sends Cerber ransomware
2017-01-19 -- pseudoDarkleech Rig-V sends Cerber ransomware
2017-01-19 -- EITest Rig-V from 92.53.119.137 sends Cerber ransomware
2017-01-18 -- pseudoDarkleech Rig-V and malspam campaign back to sending Cerber
2017-01-18 -- pseudoDarkleech Rig-V and malspam campaign stop sending Cerber
2017-01-17 -- EITest Rig-V from 92.53.127.86 sends Spora ransomware
2017-01-17 -- Malspam spreading Cerber ransomware (HELP_HELP_HELP)
2017-01-13 -- Android malware
2017-01-13 -- Malspam spreading Cerber ransomware from AWS IP addresses
2017-01-13 -- Afraidgate Rig-V from 92.53.120.233 sends "Osiris" variant Locky
2017-01-13 -- pseudoDarkleech Rig-V from 92.53.120.233 sends Cerber ransomware
2017-01-13 -- EITest Rig-V from 92.53.120.233 sends CryptoMix ransomware
2017-01-12 -- Hancitor/Pony/Vawtrak malspam - Subject: RE: RE: your iphone order
2017-01-12 -- EITest Rig-V from 81.177.139.122 sends CryptoMix ransomware
2017-01-11 -- Rig-V from 109.234.38.150
2017-01-11 -- Pcap and malware for an ISC diary
2017-01-10 -- EITest Rig-V from 92.53.124.185 sends CryptoMix ransomware
2017-01-09 -- DHL malspam
2017-01-09 -- pseudoDarkleech Rig-V from 194.87.94.227 sends Cerber ransomware
2017-01-09 -- malspam spreading Cerber ransomware
2017-01-09 -- Pcap and malware for an ISC diary
2017-01-06 -- Sundown EK from 188.165.163.226 and 93.190.143.201
2017-01-06 -- pseudoDarkleech Rig-V from 92.53.119.69 sends Cerber ransomware
2017-01-05 -- malspam - Subj: A NF-e (Nota Fiscal Eletronica) do seu pedido foi emitida
2017-01-05 -- malspam spreading Cerber ransomware
2017-01-05 -- pseudoDarkleech Rig-V sends Cerber ransomware
2017-01-04 -- Malspam spreading Cerber ransomware
2017-01-04 -- pseudoDarkleech Rig-V from 194.87.232.6 sends Cerber ransomware
2017-01-03 -- pseudoDarkleech Rig-V from 46.30.42.31 sends Cerber ransomware
2017-01-03 -- malspam - Subject: URGENTE - Entrega não Efetuada. (71678)
2017-01-02 -- pseudoDarkleech Rig-V from 109.234.36.210 sends Cerber ransomware
2017-01-01 -- pseudoDarkleech Rig-V from 109.234.36.133 sends Cerber ransomware

Return to main menu
RSS feed
@malware_traffic on Twitter

Traffic analysis exercises
My technical blog posts
My non-technical posts
Guest blog posts

Tutorials and other entries

About this blog

Copyright © 2017 | Malware-Traffic-Analysis.net