| Destination | 18.104.22.168 (United States) | html (80) | cpaway.afftrack.com |
| User-Agent | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; MRSPUTNIK 2, 4, 1, 328; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0) |

- 'MRSPUTNIK' is present in a number of User-Agent strings used by malware.
- It isn't definitive by itself, but we can't find any legitimate users of this string.
- It also seems to be linked to more than one family of malware.
- This is a single request for an ad from this host. It was not made by a browser, so some other application must be requesting it.
- A lot of strange surfing and automated behavior. When looking at this specific signature, it looks like something is walking Craigslist ads for apartments and culling contact information? Given the wide geographic range of these lookups, it doesn't look like one person looking for themselves.
- Also, the number of lookups isn't as high as I'd expect if this were a botnet, but that could be deliberate. The lookups are triggered by cleartext credentials.
- There's enough strange behavior on this host to warrant a deeper dive on the asset.
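
Because the token is not definitive by itself, a per-host summary is more useful for the deeper dive than a bare match. The following is an added example, not part of the original notes: it assumes a tab-separated proxy log (time, source, host, User-Agent), and every log line, source address and the `example.*` hosts are constructed.

```python
import re
from collections import defaultdict

# Token named on the page; the digits after it are captured as a version.
UA_TOKEN = re.compile(r"\bMRSPUTNIK\s+(\d+(?:,\s*\d+)*)")

# User-Agent as recorded on the page.
PAGE_UA = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; "
           "MRSPUTNIK 2, 4, 1, 328; SLCC2; .NET CLR 2.0.50727; "
           ".NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; "
           "Tablet PC 2.0)")
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:115.0) Gecko/20100101 Firefox/115.0"

# Constructed sample log. Assumed format: time, source, host, User-Agent,
# tab-separated. Sources are RFC 5737 documentation addresses.
SAMPLE_LOG = "\n".join([
    f"2024-01-01T10:00:01Z\t192.0.2.10\tcpaway.afftrack.com\t{PAGE_UA}",
    f"2024-01-01T10:00:07Z\t192.0.2.10\tlistings.example.org\t{PAGE_UA}",
    f"2024-01-01T10:02:30Z\t192.0.2.10\twww.example.com\t{BROWSER_UA}",
    f"2024-01-01T10:03:00Z\t192.0.2.20\twww.example.com\t{BROWSER_UA}",
    "truncated line with no fields",
])


def triage(log_text):
    """Summarise, per source, the requests whose User-Agent has the token."""
    hosts = defaultdict(lambda: {"total": 0, "flagged": 0,
                                 "dests": set(), "versions": set()})
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue  # skip malformed lines instead of guessing at fields
        _, src, dest, ua = parts
        rec = hosts[src]
        rec["total"] += 1
        match = UA_TOKEN.search(ua)
        if match:
            rec["flagged"] += 1
            rec["dests"].add(dest.lower())
            rec["versions"].add(re.sub(r"\s+", "", match.group(1)))
    # Report only sources that sent the token at least once.
    return {src: rec for src, rec in hosts.items() if rec["flagged"]}


if __name__ == "__main__":
    for src, rec in triage(SAMPLE_LOG).items():
        print(src, rec["flagged"], "of", rec["total"], "requests flagged;",
              "destinations:", sorted(rec["dests"]),
              "versions:", sorted(rec["versions"]))
```

A source that shows both flagged and ordinary browser requests, as the constructed 192.0.2.10 does, is consistent with a non-browser application running alongside the user's browser on that asset.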