* Two IOCs for the malware that can be used to detect it between the infected machine and the first hop:
  - POST request over HTTP/1.1 whose body carries the "uid", "context", "mode" and "data" fields (decompiler output, "mode" is hard-coded to "text"):
#######################################################
// opens the POST request over HTTP/1.1
v84 = (wininet_funcs->HttpOpenRequestA)(v28, a1, "POST", lpString, "HTTP/1.1", 0, 0, -2074019072, 0);
// builds the form body; uid and context vary per host, mode is fixed
sprintf(&string_for_post, "uid=%d&context=%s&mode=text&data=", v31, &str);
#######################################################
  - GET request, using the cookie to forge the request. The following fields are set in the cookie: catid, task, id, forumid, Itemid, link, layout.
    Note that the Referer equals the domain, which might be a soft indicator.
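Added example (not part of the original analysis): a small Python matcher that applies the two IOCs above to raw HTTP request text, reporting the Referer check separately since the notes call it only a soft indicator. The sample requests, the hostname c2.example.invalid and the cookie values are constructed.

```python
from urllib.parse import parse_qs, urlsplit

# Form fields of the POST body (from the sprintf format string above; "mode"
# is hard-coded to "text", uid and context vary per host).
POST_FIELDS = {"uid", "context", "mode", "data"}
# Cookie fields set on the GET request (from the notes above).
COOKIE_FIELDS = {"catid", "task", "id", "forumid", "Itemid", "link", "layout"}


def parse_request(raw):
    """Split a raw HTTP request into (method, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line.split(" ", 1)[0], headers, body


def classify(raw):
    """Return 'post-beacon', 'get-beacon', 'get-beacon+referer' (adds the
    soft Referer-host == Host indicator) or None."""
    method, headers, body = parse_request(raw)
    if method == "POST":
        fields = parse_qs(body, keep_blank_values=True)
        if set(fields) == POST_FIELDS and fields["mode"] == ["text"]:
            return "post-beacon"
        return None
    if method == "GET":
        cookie = headers.get("cookie", "")
        names = {p.split("=", 1)[0].strip() for p in cookie.split(";") if p.strip()}
        if not COOKIE_FIELDS <= names:
            return None
        referer_host = urlsplit(headers.get("referer", "")).hostname
        if referer_host and referer_host == headers.get("host", "").split(":")[0]:
            return "get-beacon+referer"
        return "get-beacon"
    return None


# Constructed sample traffic (not real captures); hostnames are placeholders.
POST_SAMPLE = ("POST /index.php HTTP/1.1\r\nHost: c2.example.invalid\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               "uid=1234&context=WORKSTATION-01&mode=text&data=")
GET_SAMPLE = ("GET /index.php HTTP/1.1\r\nHost: c2.example.invalid\r\n"
              "Referer: http://c2.example.invalid/\r\n"
              "Cookie: catid=12; task=view; id=7; forumid=3; Itemid=101; "
              "link=a; layout=default\r\n\r\n")
BENIGN = "GET / HTTP/1.1\r\nHost: www.example.invalid\r\nCookie: sid=1\r\n\r\n"
```

Run `classify()` over each request reassembled from a proxy or PCAP export; the POST match is exact on the field set, so an extra or missing field is a miss rather than a partial hit.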