ffhrzvpnfm.myftp[.]org/2c60cab741c433a70fb09861553d3cd2/ is a 302 redirect to eew8cee.steadygos[.]com:8000/rrspottvhu?drhivpwuc=7213044 where the landing page is delivered.
A copy for your review:[pastebin]
The landing page includes requests to a number of .css and .js files.
.jar file disguised as audio/mp4 content type: eew8cee.steadygos[.]com:8000/srovfzb?beldcluoox=esvnohvwidq
Followed by encoded payload disguised as video/mp4: eew8cee.steadygos[.]com:8000/zrzuuofl?bxbhgs=esvnohvwidq
POST to krismencia[.]com/blog/wp-content/themes/yoko/js/ads2.php with Content-Type: application/octet-stream and a fake User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
A couple of failed attempts to download additional binaries:
404’d (possibly cleaned): www.eyespypro[.]com/faq/templates/InterspireShoppingCart/Backup/Snippets/main/data/chng.exe
403’d (possibly cleaned):
And finally, successful downloads from cyberlandia[.]org/pacorubio/images/iconos-Fotografias-enlaces/main/data/chng.exe and cyberlandia[.]org/pacorubio/images/iconos-Fotografias-enlaces/main/data/soft.exe
Shortly after, a geolocation lookup via j.maxmind.com/app/geoip.js was observed, followed by initial contact with the known ZeroAccess CnC at 126.96.36.199 and P2P communications to destination port 16464.
At the time of this encounter ffhrzvpnfm.myftp[.]org was at 188.8.131.52 and eew8cee.steadygos[.]com at 184.108.40.206.
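As an added example (not part of the original write-up), the following Python script turns the chain above into detection rules and runs them over a constructed proxy/firewall log. The pipe-delimited log format, the timestamps, the "detected" file-type field (as a Zeek/Suricata-style file analyzer would report it) and the 203.0.113.x / 198.51.100.x addresses are assumptions made for the example; the hosts, IPs, paths, port and User-Agent string are the indicators given above.

```python
"""Flag the infection-chain indicators from the write-up in a constructed log."""
from urllib.parse import urlparse

# Indicators taken from the write-up above (defanging brackets removed for matching).
IOC_HOSTS = {
    "ffhrzvpnfm.myftp.org", "eew8cee.steadygos.com", "krismencia.com",
    "www.eyespypro.com", "cyberlandia.org",
}
IOC_IPS = {"188.8.131.52", "184.108.40.206", "126.96.36.199"}
ZEROACCESS_P2P_PORT = 16464
FAKE_UA = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"

# Declared Content-Types the kit used to disguise the Java applet and the payload.
MEDIA_TYPES = {"audio/mp4", "video/mp4"}
# Types a file analyzer would report for a JAR (a ZIP container) or a PE executable.
# Assumption: the log carries such a "detected" field next to the declared type.
CODE_TYPES = {"application/java-archive", "application/zip", "application/x-dosexec"}

# Constructed log format: ts|src|host|dst_ip|dst_port|proto|method|url|status|declared|detected|ua
FIELDS = ["ts", "src", "host", "dst", "port", "proto", "method", "url",
          "status", "declared", "detected", "ua"]

# Constructed sample traffic modelled on the chain above; 203.0.113.x / 198.51.100.x
# and the timestamps are placeholders, not values from the write-up.
SAMPLE_LOG = """\
2013-01-01T10:00:00|10.0.0.5|ffhrzvpnfm.myftp.org|188.8.131.52|80|tcp|GET|http://ffhrzvpnfm.myftp.org/2c60cab741c433a70fb09861553d3cd2/|302|text/html|text/html|Mozilla/5.0
2013-01-01T10:00:02|10.0.0.5|eew8cee.steadygos.com|184.108.40.206|8000|tcp|GET|http://eew8cee.steadygos.com:8000/srovfzb?beldcluoox=esvnohvwidq|200|audio/mp4|application/java-archive|Mozilla/5.0
2013-01-01T10:00:05|10.0.0.5|krismencia.com|203.0.113.10|80|tcp|POST|http://krismencia.com/blog/wp-content/themes/yoko/js/ads2.php|200|application/octet-stream|-|Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
2013-01-01T10:00:09|10.0.0.5|cyberlandia.org|203.0.113.20|80|tcp|GET|http://cyberlandia.org/pacorubio/images/iconos-Fotografias-enlaces/main/data/chng.exe|200|application/octet-stream|application/x-dosexec|Mozilla/5.0
2013-01-01T10:00:20|10.0.0.5|-|126.96.36.199|16464|udp|-|-|-|-|-|-
2013-01-01T10:00:30|10.0.0.5|www.example.com|198.51.100.1|443|tcp|GET|https://www.example.com/|200|text/html|text/html|Mozilla/5.0
"""


def parse_line(line):
    """Parse one pipe-delimited record into a dict; return None for malformed lines."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["port"] = int(rec["port"])
    return rec


def classify(rec):
    """Return the names of every indicator rule the record matches."""
    hits = []
    # 1. Hosts/IPs named in the write-up.
    if rec["host"].lower() in IOC_HOSTS or rec["dst"] in IOC_IPS:
        hits.append("known_ioc")
    # 2. A JAR or PE delivered under an audio/video Content-Type.
    if rec["declared"] in MEDIA_TYPES and rec["detected"] in CODE_TYPES:
        hits.append("mime_mismatch")
    # 3. Octet-stream POST with the obsolete Windows 98 User-Agent (payload check-in).
    if (rec["method"] == "POST" and rec["declared"] == "application/octet-stream"
            and rec["ua"] == FAKE_UA):
        hits.append("fake_ua_post")
    # 4. Executable fetched from the /main/data/ drop directory seen on the compromised sites.
    path = urlparse(rec["url"]).path.lower()
    if path.endswith(".exe") and "/main/data/" in path:
        hits.append("exe_from_main_data")
    # 5. UDP to the ZeroAccess P2P port.
    if rec["proto"] == "udp" and rec["port"] == ZEROACCESS_P2P_PORT:
        hits.append("zeroaccess_p2p_port")
    return hits


def scan(lines):
    """Return [(line_number, hits)] for every record that matched at least one rule."""
    results = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec and (hits := classify(rec)):
            results.append((n, hits))
    return results


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG.splitlines()):
        print(f"line {n}: {', '.join(hits)}")
```

Rules 2 through 5 are the ones worth keeping after the hostnames rotate: the Content-Type mismatch, the anachronistic User-Agent on an octet-stream POST, the .exe drop path and the fixed P2P port all describe behaviour rather than infrastructure, which is why the benign final record matches nothing.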