As with any IP address, please be careful when blacklisting, as some of them may be legitimate. Many of the IPs that I looked into were listed on several blacklists, so please do your research. Below is a quick and dirty list of the IP addresses, enjoy!
Remote IP Addresses - CONNECT:
The connections to the IP addresses below were made with the HTTP CONNECT request method (the method used to open a tunnel through an HTTP proxy, so only the host:port is visible in the request line).
181.189.152.131:443
184.164.97.60:443
185.31.33.98:443
188.255.236.227:4443
188.255.241.22:4443
194.28.190.84:443
194.28.191.213:443
195.206.255.131:443
195.34.206.204:443
208.123.129.153:4443
208.123.129.218:4443
208.123.135.106:4443
212.37.81.96:4443
212.69.14.89:443
217.23.194.237:443
31.42.170.118:443
38.124.169.163:4443
46.175.23.130:443
67.206.96.30:443
67.206.97.238:443
67.207.228.144:443
67.219.166.113:443
69.118.144.195:4443
75.134.44.251:443
77.104.206.150:443
77.234.235.48:443
80.234.34.137:443
80.87.219.35:443
83.168.164.18:443
84.16.54.22:443
84.16.55.122:443
84.237.229.49:443
85.192.165.229:443
87.116.153.216:443
91.232.157.139:443
91.240.97.141:443
93.91.154.243:443
95.143.131.73:443
184.164.97.242:443
188.123.35.92:443
194.187.219.116:443
213.133.178.154:443
213.174.6.246:4443
31.134.73.151:4443
31.42.172.36:443
46.151.51.75:443
75.98.158.55:443
Remote IP Addresses - GET:
The connections to the IP addresses below were made with the HTTP GET request method. These appear to be the controller (command-and-control) servers.
184.164.97.242:443
188.123.35.92:443
194.187.219.116:443
213.133.178.154:443
213.174.6.246:4443
31.134.73.151:4443
31.42.172.36:443
HTTP URI Directory Structure:
The URI path is a long value that contains information unique to the infected host; however, a few directory components are consistent across hosts. Keep in mind that these only appear in the URI when a GET request has been made (a CONNECT request carries no path, only host:port).
- /1106us11/
- /5/spk/
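The lists above are only useful if they are turned into a check that runs over real traffic. The following is an added example, not part of the original post: it loads the CONNECT and GET indicators exactly as listed, parses Squid native-format proxy access log lines (an assumed format; adjust the regex for your proxy), and flags a line when the request target matches a listed IP:port for that method, or when the GET path contains one of the consistent directories. A directory match without a listed IP is reported at low confidence, since the host-unique part of the path is not captured here. The log lines embedded in the block are constructed for the demonstration and are not captured traffic.

```python
"""Scan Squid-style proxy access logs for the CONNECT/GET indicators listed above."""
import re
from urllib.parse import urlsplit

# Indicators copied from the lists above. They are kept per method, because the
# post reports them per method; the GET set is a subset of the CONNECT set.
CONNECT_IOCS = set("""
181.189.152.131:443 184.164.97.60:443 185.31.33.98:443 188.255.236.227:4443
188.255.241.22:4443 194.28.190.84:443 194.28.191.213:443 195.206.255.131:443
195.34.206.204:443 208.123.129.153:4443 208.123.129.218:4443 208.123.135.106:4443
212.37.81.96:4443 212.69.14.89:443 217.23.194.237:443 31.42.170.118:443
38.124.169.163:4443 46.175.23.130:443 67.206.96.30:443 67.206.97.238:443
67.207.228.144:443 67.219.166.113:443 69.118.144.195:4443 75.134.44.251:443
77.104.206.150:443 77.234.235.48:443 80.234.34.137:443 80.87.219.35:443
83.168.164.18:443 84.16.54.22:443 84.16.55.122:443 84.237.229.49:443
85.192.165.229:443 87.116.153.216:443 91.232.157.139:443 91.240.97.141:443
93.91.154.243:443 95.143.131.73:443 184.164.97.242:443 188.123.35.92:443
194.187.219.116:443 213.133.178.154:443 213.174.6.246:4443 31.134.73.151:4443
31.42.172.36:443 46.151.51.75:443 75.98.158.55:443
""".split())

GET_IOCS = set("""
184.164.97.242:443 188.123.35.92:443 194.187.219.116:443 213.133.178.154:443
213.174.6.246:4443 31.134.73.151:4443 31.42.172.36:443
""".split())

# Directory components that stay constant across infected hosts (weak on their own).
URI_DIRS = ("/1106us11/", "/5/spk/")

# Assumed Squid native access.log layout:
#   time elapsed client code/status bytes method url ident hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

# Constructed sample lines (not captured traffic). Lines 1-3 and 5 should fire.
SAMPLE_LOG = """\
1351771234.567    312 10.0.0.5 TCP_TUNNEL/200 4321 CONNECT 184.164.97.242:443 - HIER_DIRECT/184.164.97.242 -
1351771240.001    120 10.0.0.5 TCP_MISS/200 1532 GET https://184.164.97.242/1106us11/0a1b2c3d4e5f60718293a4b5c6d7e8f9 - HIER_DIRECT/184.164.97.242 text/html
1351771245.882     98 10.0.0.7 TCP_MISS/200 812 GET http://31.134.73.151:4443/5/spk/ffeeddccbbaa99887766554433221100 - HIER_DIRECT/31.134.73.151 text/html
1351771250.113    210 10.0.0.9 TCP_MISS/200 2048 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1351771255.404     77 10.0.0.9 TCP_MISS/404 310 GET http://10.1.2.3/5/spk/deadbeef - HIER_DIRECT/10.1.2.3 text/html
1351771260.000    150 10.0.0.5 TCP_TUNNEL/200 9876 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
"""


def target_of(method, url):
    """Return (host:port, path). A CONNECT request line carries only host:port."""
    if method == "CONNECT":
        host, sep, port = url.rpartition(":")
        return (f"{host}:{port}" if sep else f"{url}:443"), ""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.hostname}:{port}", parts.path


def classify(line):
    """Return a hit dict when the line matches an indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, url = m["method"], m["url"]
    try:
        target, path = target_of(method, url)
    except ValueError:  # malformed URL or port: skip the line rather than abort the scan
        return None
    iocs = CONNECT_IOCS if method == "CONNECT" else GET_IOCS
    indicator = target if target in iocs else None
    uri_dir = next((d for d in URI_DIRS if d in path), None)
    if indicator is None and uri_dir is None:
        return None
    return {
        "ts": m["ts"], "client": m["client"], "method": method, "target": target,
        "indicator": indicator, "uri_dir": uri_dir,
        # A known directory on an unlisted host is worth a look, not a block.
        "confidence": "high" if indicator else "low",
    }


def scan(text):
    """Classify every line of a log and return the hits in log order."""
    return [h for h in (classify(line) for line in text.splitlines()) if h]


def clients_to_review(text):
    """Distinct internal hosts that reached a listed IP:port, for triage."""
    return sorted({h["client"] for h in scan(text) if h["indicator"]})


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print("review:", clients_to_review(SAMPLE_LOG))
```

Run it as-is to see the four constructed hits, or replace SAMPLE_LOG with the contents of a real access.log. Matching is method-specific on purpose: a CONNECT to one of these IP:port pairs is the proxy-tunnel pattern the post describes, while a GET is only checked against the controller list and the two directory names, and a directory-only hit is marked low confidence so it is reviewed rather than blocked outright.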
Thank you for reading, I hope this information is useful!