Cisco Blogs

Protecting against the latest variant of H1N1

September 15, 2016

This is the third and final installment in our technical analysis of the H1N1 loader. In case you missed it, my colleague Josh Reynolds peeled apart the latest variant of H1N1 and analyzed its obfuscation tactics and techniques in the first blog, and provided a deep technical analysis of its execution in the second.

While we are very lucky to spend time dissecting malware and doing all this analysis and research, ultimately we need to turn this into something tangible (other than this blog). We have broken down this malware and will now discuss how we are creating capabilities in Cisco’s Advanced Malware Protection (AMP) technologies to mitigate these and other threats in the future.

AMP Threat Grid Coverage

AMP Threat Grid provides coverage and convictions of these variants with its current generic indicator sets, as discussed in the first blog post of this series. These include identification of the document dropping an executable, deletion of shadow copies, disabling of recovery functionality, and the VBA macro obfuscation techniques:

Figure 1.0: AMP Threat Grid behavioral analysis of H1N1


These indicators provide insight into the malicious behaviors performed by H1N1, and provide conviction capabilities even without directly identifying the H1N1 family. This highlights the power of identifying behaviors themselves, as opposed to relying on static signatures, for conviction of malware samples.

AMP for Endpoints Coverage

When AMP Threat Grid analyzes a file, the results are sent to the AMP knowledge base. Thanks to this, AMP for Endpoints can detect several techniques used by H1N1 throughout its execution lifecycle using Indicators of Compromise (IOCs). These IOCs provide a means of detecting a wide variety of attack vectors. They are seen in the Device Trajectory screen, which provides a view of process activity on the monitored system and any accompanying events that have occurred. The Indicators of Compromise that trigger in the case of H1N1 include:

Self-propagation/lateral movement through recycle bin executions (W32.Trojan.Recycle.RET):


Figure 2.0: AMP for Endpoints W32.Trojan.Recycle.RET trigger in Device Trajectory


Figure 3.0: ‘pif’ execution from network share for lateral movement/propagation in Device Trajectory

Generic Botnet Communication when the command and control server is contacted:

Figure 4.0: AMP for Endpoints IOC Generic Botnet Communication trigger in Device Trajectory

Figure 5.0: The command and control contact details within Device Trajectory


AMP Threat Grid can be leveraged to gain a large amount of intelligence from a seemingly small amount of information. We will look into how a single SHA256 can be used to search for additional indicators of compromise and tell us more about the malware family in question. To demonstrate this, I have selected a SHA256 from our list of indicators:

SHA256: 35364eec4a1bced57f333e09b63fbbc0d6fc2b3b624c519cc011e0c551d1ef9b

We start by plugging this hash into Maltego leveraging transforms for AMP Threat Grid:

Figure 6.0: AMP Threat Grid sample IDs related to a specific SHA256

We immediately see that a number of samples with this SHA256 have been submitted to AMP Threat Grid. Next we again leverage the AMP Threat Grid transforms to give us the domains and IP addresses these samples communicate with:

Figure 7.0: Maltego transform result for domains and IP addresses associated with identified samples

Now, in order to expand our data set, we use the tgDomain2SID and tgIP2SID transforms to relate the associated domains and IPs back to any samples that may be using them. This gives us a plethora of new data to work with:

Figure 8.0: Maltego transforms used to associate domains and IP addresses to sample IDs

Figure 9.0: Popular domain reference within Maltego

We observe that the domain parothenda[dot]com is associated with the majority of the malicious samples we have discovered up to this point. To find out more about this domain we can make use of OpenDNS Investigate:

Figure 10.0: OpenDNS Investigate results while searching popular domain

OpenDNS declares this domain malicious, which aligns with our current theory. The domain was created recently and saw activity approximately one week after its creation, which tells us that this campaign is recent and ongoing. It also shows distinct activity periods, with bursts of higher activity alternating with periods of little to no activity, which can indicate the working pattern of the actors behind the campaign. The last point of interest is the registrant e-mail address: 178 domains are registered to this single address and 177 of them are malicious. This is a data point to explore.

Armed with this new information we go back to Maltego, starting by discovering the domains and IPs associated with this registrant e-mail address:

Figure 11.0: OpenDNS registrant e-mail relations to IP addresses in Maltego

We can see from this view that a number of IPs overlap across the domains used by this actor. This shows the actor’s tendency to reuse existing infrastructure for separate or overlapping campaigns.

Expanding on this, we see a number of malicious samples known to AMP Threat Grid are associated with each of these domains:

Figure 12.0: Samples that are associated with domains that use this e-mail for registration in Maltego

We are also given an alias for this e-mail address, which is an additional data point to explore. This view gets very interesting as we continue to zoom out:

Figure 13.0: High level patterns produced by samples that are associated with domains that use this e-mail for registration in Maltego

Here we see the registrant e-mail address associated with many domains, each surrounded by a cluster of malicious samples. This indicates a large number of domains associated with numerous samples over time, and demonstrates a level of sophistication we had not witnessed in our earlier discoveries. Having a large number of domains could indicate sophistication (although lacking in operational security through the use of a single e-mail address), and likely indicates the use of different domains between campaigns and/or targets.

Now let us take a step back and look again at the domains we discovered. Below we see a number of domains AMP Threat Grid has observed which also resolve to the IP addresses associated with these domains:

Figure 14.0: Domains associated with newly discovered IP addresses from e-mail registrant

Digging into these new indicators we find they are registered using a private registration service.

For many, this may be an ending point. We will stop pivoting on the networking data and look in AMP Threat Grid to see if there are any samples associated with these domains:

Figure 15.0: Samples associated with registrant e-mail domains

At first glance we see there are a lot of samples associated with the domains as we expand out. Circular nodes are individual samples, while square nodes are groups of 25 or more. Now the possibilities get a lot more interesting: by exploring the indicators for the H1N1 campaign, we now have connections to thousands of other malware samples. Let’s see what we can learn!

As we explore the groups of malware further, we see these behavioral indicators (generated by AMP Threat Grid) associated with the malware communicating with the infrastructure around H1N1:

Figure 16.0: AMP Threat Grid Behavioral Indicators associated with registrant domain samples

There are two scenarios that could explain this. First, it is possible that the actors responsible for the development of H1N1 are also using their infrastructure as command and control routes for other malware, given the purposeful separation between malware, infrastructure, and the aliases used. The poor operational security mentioned before could also be a purposeful choice. However, at this time there is no definitive link between H1N1 and the malware associated with the domains we discovered based on the network indicators.

The second possibility is the use of malicious infrastructure as a service. This is the more likely scenario given the overlapping network infrastructure combined with the lack of overlapping sample indicators. If the first scenario were more likely, we would expect to see other malware samples being distributed from the same command and control infrastructure.

Figure 17.0: No overlap between H1N1 and newly discovered e-mail registrant samples
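As an added example (not Cisco, Maltego or AMP Threat Grid code), the pivot chain described above, from one SHA256 to its sample IDs, to the domains and IPs they contact, back to further samples through tgDomain2SID/tgIP2SID-style lookups, then to the registrant e-mail and its other domains, and finally the sample-overlap check shown in the last figure, run over a constructed relationship table. Every hash, domain, IP and e-mail address in it is a placeholder, and the lookup functions are stand-ins for the transforms named in the text, not their API.

```python
"""Added example (not Cisco, Maltego or AMP Threat Grid code) of the post's pivot
chain. Each lookup stands in for a Threat Grid Maltego transform or an OpenDNS
registrant query; all data is constructed and every hash, domain, IP and
e-mail is a placeholder."""
from collections import Counter, defaultdict

# Constructed sandbox records: sample ID -> (sha256, contacted domains, contacted IPs).
SAMPLES = {
    # Four submissions around the seed hash's infrastructure (the "H1N1 cluster").
    "sid-101": ("a1" * 32, {"pivot-a.example"}, {"203.0.113.10"}),
    "sid-102": ("a1" * 32, {"pivot-a.example", "pivot-b.example"}, {"203.0.113.10"}),
    "sid-103": ("b2" * 32, {"pivot-a.example"}, {"203.0.113.11"}),
    "sid-104": ("c3" * 32, set(), {"203.0.113.10"}),  # reached only via the IP pivot
    # Samples on the same registrant's other domains; two of them share an IP (reuse).
    "sid-201": ("d4" * 32, {"other-1.example"}, {"198.51.100.7"}),
    "sid-202": ("e5" * 32, {"other-2.example"}, {"198.51.100.7"}),
    "sid-203": ("f6" * 32, {"other-2.example"}, {"198.51.100.8"}),
    # Noise that no pivot should reach.
    "sid-301": ("07" * 32, {"unrelated.example"}, {"192.0.2.50"}),
}

# Constructed WHOIS-style registrant data: domain -> registrant e-mail.
REGISTRANT = {
    "pivot-a.example": "actor@example.net",
    "pivot-b.example": "actor@example.net",
    "other-1.example": "actor@example.net",
    "other-2.example": "actor@example.net",
    "unrelated.example": "someone-else@example.org",
}

def samples_for_hash(sha256):
    """SHA256 -> sample IDs: every submission of this exact file."""
    return {sid for sid, (h, _, _) in SAMPLES.items() if h == sha256}

def infrastructure_for(sids):
    """Sample IDs -> the domains and IPs those samples contacted."""
    domains = set().union(*(SAMPLES[s][1] for s in sids))
    ips = set().union(*(SAMPLES[s][2] for s in sids))
    return domains, ips

def samples_for_infrastructure(domains, ips):
    """tgDomain2SID / tgIP2SID stand-in: any sample touching these domains or IPs."""
    return {sid for sid, (_, d, i) in SAMPLES.items() if d & domains or i & ips}

def most_common_domain(sids):
    """The domain shared by the most samples in a cluster, as (domain, count)."""
    counts = Counter(dom for sid in sids for dom in SAMPLES[sid][1])
    return counts.most_common(1)[0]

def domains_for_registrant(email):
    """Registrant e-mail -> every domain registered with it."""
    return {dom for dom, who in REGISTRANT.items() if who == email}

def reused_ips(sids):
    """IPs contacted by samples of two or more distinct domains (infrastructure reuse)."""
    domains_by_ip = defaultdict(set)
    for sid in sids:
        _, d, i = SAMPLES[sid]
        for ip in i:
            domains_by_ip[ip] |= d
    return {ip for ip, doms in domains_by_ip.items() if len(doms) >= 2}

def pivot(sha256):
    """Run the whole pivot chain and return every intermediate result."""
    seeds = samples_for_hash(sha256)
    domains, ips = infrastructure_for(seeds)
    cluster = samples_for_infrastructure(domains, ips)
    cluster_domains, _ = infrastructure_for(cluster)
    top_domain, top_count = most_common_domain(cluster)
    email = REGISTRANT[top_domain]
    registrant_domains = domains_for_registrant(email)
    # Domains the registrant owns that the seed cluster never contacted.
    new_domains = registrant_domains - cluster_domains
    registrant_samples = samples_for_infrastructure(new_domains, set())
    return {
        "seed_samples": seeds,
        "cluster_samples": cluster,
        "top_domain": (top_domain, top_count),
        "registrant": email,
        "registrant_domain_count": len(registrant_domains),
        "new_domains": new_domains,
        "registrant_samples": registrant_samples,
        "reused_ips": reused_ips(registrant_samples),
        # An empty overlap is the situation in the figure: shared infrastructure, no shared samples.
        "overlap": cluster & registrant_samples,
    }

if __name__ == "__main__":
    result = pivot("a1" * 32)
    for key, value in result.items():
        print(f"{key:24} {sorted(value) if isinstance(value, set) else value}")
```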

H1N1 is a threat which has continued to evolve since it first appeared. Combined with the research conducted by Malware Reversing (R136a1, 2016), we can see that H1N1 shares common attributes with other malware we have seen previously in the wild. H1N1 will continue to be a threat until it is no longer effective or the author decides to focus efforts on another project.

The nature of the targeting in these campaigns stands in stark contrast to the operational security failures we discussed. Combined with the implementation of anti-forensics techniques, we can see this actor’s sophistication developing over time.

Performing research in this manner allows us to provide contextual information around other threats. We see demonstrated above the ability to pivot off any information we may need to enable defenders to better understand the threat. Adding this context enables defenders to filter out the noise and reduce the false positives from their sensors. Access to dynamic analysis information allows incident responders to gain knowledge about a threat to aid remediation.


H1N1 is an example of the many dropper variants that continue to evolve over time and become threats to your organization in and of themselves, as opposed to merely delivering the sophisticated payloads they are meant to drop. The amount of obfuscation within this binary demonstrates the lengths to which malware authors are prepared to go to protect their original code, and even with this amount of complexity there are still a large number of variants that present much larger challenges for analysts.

The intelligence research shows a broad range of malicious activity attributable to a single registrant e-mail address, found by using a single sample SHA256 to query intelligence within AMP Threat Grid and then querying the resulting information within OpenDNS. We see a greater level of sophistication from the threat actor in their use of new domains to minimize detection or domain blacklisting, while also seeing infrastructure reuse in the large number of domains associated with a single IP address.

In the case of H1N1 it is important to educate users not to open and enable macro content from questionable sources. This is especially true for documents that outright request users to do so, as these are typically social engineering attempts. Education can also help against file shortcut abuse by informing users that shortcuts can hide malicious behavior even when they appear benign. User privilege restrictions could also prevent the UAC bypass in this case, since one of its requirements is that the user resides in the local Administrators group. Without the code running within a high integrity process, it may not be able to access all the areas required for stealing information.

A layered security approach, such as that provided by the AMP ecosystem, provides automated identification of unknown threats using behavioral indicators. This information is then fed back into AMP to protect all customers who may come into contact with these threats.

Hashes and Domains associated with H1N1




  1. Thanks Emmett and Josh, great posts, good research.

    large number of related samples from a single IP address. This demonstrates how powerful AMP Threat Grid’s data sets can be.

    They are worthy of being published in pdf format, are very detailed references that can serve in the education of security classes. Three excellent blogs, indeed. Thank you for sharing all of them, deeply appreciated.

    Great Job !