hxxp://petroffpianostudio[.]com/ (This may now be cleaned up at the time of posting)
It looks like the aforementioned webpage is infected with a redirect to download suspect files.
Traffic observed after the infection suggests that it will attempt to download executable files from a few different locations:
hxxp://talk-of-the-tyne.co.uk/download1264/
hxxp://willy.pro.br/download3299/
hxxp://freight.eu.com/download3696/
The analysis of the files on Hybrid Analysis does confirm that these are malicious files:
https://www.hybrid-analysis.com/sample/e8d2f149de58eb45b398a84d6d27d568ab1d239584edcb55531fe11da2f9c51b?environmentId=100
Once the executable file is on the host machine, it then attempts to call out to the following:
173.230.137.155
206.214.220.79
Upon further analysis we have another file which has been downloaded from the following location:
hxxp://matchpointpro.com/lDu52756eeJMW/
I revisited the links later in the day and have a bit more details. We can see they are still serving executable files. Chrome is now blocking and suggesting these files are malicious, and so is Internet Explorer. I have not tried them on Firefox at this time.
GET /download3299/ HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
Accept-Encoding: gzip, deflate
Host: willy.pro.br
Cache-Control: max-age=259200
Connection: keep-alive

HTTP/1.1 200 OK
Date: Wed, 12 Apr 2017 18:16:51 GMT
Content-Type: application/octet-stream
Connection: keep-alive
Keep-Alive: timeout=15
Server: Apache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: Tue, 08 Jan 1935 00:00:00 GMT
Pragma: no-cache
Content-Disposition: attachment; filename="6274.exe"
Content-Transfer-Encoding: binary
GET /download1264/ HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-GB
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
Accept-Encoding: gzip, deflate
Host: talk-of-the-tyne.co.uk
Cache-Control: max-age=259200
Connection: keep-alive

HTTP/1.1 200 OK
Date: Wed, 12 Apr 2017 18:16:09 GMT
Server: Apache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: Tue, 08 Jan 1935 00:00:00 GMT
Pragma: no-cache
Content-Disposition: attachment; filename="5198.exe"
Content-Transfer-Encoding: binary
Vary: User-Agent
X-Powered-By: PleskLin
MS-Author-Via: DAV
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
GET /lDu52756eeJMW/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
Host: matchpointpro.com
Cache-Control: max-age=259200
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 12 Apr 2017 18:11:09 GMT
Content-Type: application/octet-stream
Connection: keep-alive
Keep-Alive: timeout=15
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: Tue, 08 Jan 1935 00:00:00 GMT
Pragma: no-cache
Content-Disposition: attachment; filename="5345.exe"
Content-Transfer-Encoding: binary
ngpass_ngall: 1
Still in the process of building my Analysis Lab, so this is not quite how I would like to post, but some information is better than none.
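As an added example (not part of the original post), here is a small Python parser for captures flattened the way the exchanges above were, with the request and response run together on one line. It splits the blob back into request and response headers and flags the traits that mark these responses as drive-by executable downloads: an .exe attachment, application/octet-stream served from a directory-style path, and a download marked no-store. The sample capture is constructed to mirror the second exchange above; the flag names and extension list are my own choices.

```python
import re
from typing import Dict, List

# Constructed sample (modelled on the post's second capture, not copied verbatim):
# request and response run together on one line, as the post's captures appear.
SAMPLE_CAPTURE = (
    "GET /download1264/ HTTP/1.1 Accept: */* Accept-Language: en-GB "
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0) "
    "Host: talk-of-the-tyne.co.uk Cache-Control: max-age=259200 Connection: keep-alive"
    "HTTP/1.1 200 OK Date: Wed, 12 Apr 2017 18:16:09 GMT Server: Apache "
    "Cache-Control: no-cache, no-store, max-age=0, must-revalidate "
    "Expires: Tue, 08 Jan 1935 00:00:00 GMT Pragma: no-cache "
    'Content-Disposition: attachment; filename="5198.exe" Content-Transfer-Encoding: binary '
    "Content-Type: application/octet-stream"
)

# A header name is a letter followed by word chars or dashes; a value runs until the next
# " Name: " token or the end of the blob (header values in these captures never contain that shape).
HEADER_RE = re.compile(r"([A-Za-z][\w-]*): (.*?)(?= [A-Za-z][\w-]*: |$)")
REQUEST_LINE_RE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]")
STATUS_LINE_RE = re.compile(r"HTTP/1\.[01] (\d{3}) ")   # the request line has no 3-digit code
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".dll", ".com")  # assumed list for this example


def parse_headers(blob: str) -> Dict[str, str]:
    """Split a flattened 'Name: value Name: value' run into a dict with lower-cased names."""
    return {name.lower(): value.strip() for name, value in HEADER_RE.findall(blob)}


def analyze_capture(capture: str) -> dict:
    """Parse one flattened request/response pair and flag traits of a drive-by binary download."""
    req = REQUEST_LINE_RE.match(capture)
    status = STATUS_LINE_RE.search(capture)
    if not req or not status:
        raise ValueError("capture must contain a request line followed by a status line")
    req_headers = parse_headers(capture[req.end():status.start()])
    resp_headers = parse_headers(capture[status.end():])  # reason phrase ("OK") is skipped by HEADER_RE
    path = req.group(2)
    name_match = re.search(r'filename="?([^";]+)"?', resp_headers.get("content-disposition", ""))
    filename = name_match.group(1) if name_match else ""
    flags: List[str] = []
    if filename.lower().endswith(EXECUTABLE_EXTENSIONS):
        flags.append("executable-attachment")
    octet = resp_headers.get("content-type", "").startswith("application/octet-stream")
    if octet and path.endswith("/"):  # a binary served from a directory-style URL, as in the post
        flags.append("binary-served-from-directory-url")
    if filename and "no-store" in resp_headers.get("cache-control", ""):
        flags.append("download-marked-uncacheable")
    return {"host": req_headers.get("host", ""), "path": path, "status": int(status.group(1)),
            "filename": filename, "flags": flags}
```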