UnInstall.exe Cerber Ransomware Malware Traffic Analysis PCAP file Download 149.202.64.0.6892: UDP, length 27

SHA256:     1f4acebd331ff6fe617afe32da66b7577056a903f077bd79c4bdc534bb044d94
File name:     UnInstall.exe
Detection ratio:     19 / 59
Analysis date:     2017-03-25 02:27:04 UTC ( 0 minutes ago )

Antivirus     Result     Update
AegisLab     Ransom.Hpcerber.Sm51!c     20170325
Avast     Win32:Malware-gen     20170325
CrowdStrike Falcon (ML)     malicious_confidence_100% (W)     20170130
DrWeb     Trojan.Inject2.51570     20170325
Endgame     malicious (high confidence)     20170317
ESET-NOD32     Win32/Filecoder.Cerber.I     20170325
Fortinet     W32/Kryptik.FQBM!tr     20170325
Invincea     virus.win32.virut.bn     20170203
Kaspersky     UDS:DangerousObject.Multi.Generic     20170325
McAfee     Ransomware-FLJJ!DF9E8845DE72     20170325
McAfee-GW-Edition     BehavesLike.Win32.Conficker.gh     20170325
Palo Alto Networks (Known Signatures)     generic.ml     20170325
Qihoo-360     HEUR/QVM02.0.0487.Malware.Gen     20170325
Rising     Malware.Generic.1!tfe (cloud:nN3uADiketB)     20170325
SentinelOne (Static ML)     static engine – malicious     20170315
Sophos     Mal/Cerber-X     20170325

2017-03-24 21:39:57.755565 IP 192.168.1.102.53049 > 82.165.129.119.80: Flags [P.], seq 0:290, ack 1, win 256, length 290: HTTP: GET /UnInstall.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: 82.165.129.119
Connection: Keep-Alive

CERBER Ransomware lobsterscrewallt.top GET /search.php Malware PCAP File Download Traffic Analysis

SHA256:     fa33b75a4e095d6865420c7bd27d7233d7a0653896eb59611f3166466bbfb64a
File name:     1
Detection ratio:     4 / 61
Analysis date:     2017-03-24 23:53:30 UTC ( 1 minute ago )

Antivirus     Result     Update
CrowdStrike Falcon (ML)     malicious_confidence_100% (D)     20170130
Endgame     malicious (moderate confidence)     20170317
Invincea     worm.win32.kasidet.f     20170203
McAfee-GW-Edition     BehavesLike.Win32.ObfusRansom.dc     20170324

2017-03-24 21:59:48.601287 IP 192.168.1.102.53097 > 54.145.185.110.80: Flags [P.], seq 0:293, ack 1, win 256, length 293: HTTP: GET /search.php HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: lobsterscrewallt.top
Connection: Keep-Alive

RANSOMWARE TOR kaem-sib.ru PCAP File Download Traffic Sample Malware Botnet

SHA256:     1d75dc020643b59c4b7745887e00730d2fcf1a129fc21d657402341812429891
File name:     focus_gropu.exe
Detection ratio:     51 / 61
Analysis date:     2017-03-25 00:20:49 UTC ( 0 minutes ago )

Antivirus     Result     Update
McAfee-GW-Edition     BehavesLike.Win32.Trojan.dc     20170324
Microsoft     Ransom:Win32/Troldesh.A     20170324
eScan     Trojan.GenericKD.4586233     20170325
NANO-Antivirus     Trojan.Win32.VB.emkvtl     20170324
Palo Alto Networks (Known Signatures)     generic.ml     20170325
Panda     Trj/Genetic.gen     20170324
Qihoo-360     Win32/Trojan.Dropper.489     20170325
Rising     Malware.Generic.5!tfe (cloud:4TqJyxfiS0C)     20170325
SentinelOne (Static ML)     static engine – malicious     20170315
Sophos     Troj/Emogen-BV     20170324
Symantec     Ransom.Kovter     20170324
Tencent     Win32.Trojan.Vb.Wpjn     20170325
TrendMicro     Ransom_CRYPSEN.VC     20170324
TrendMicro-HouseCall     Ransom_CRYPSEN.VC     20170324
VBA32     TScope.Trojan.VB     20170324
VIPRE     Trojan.Win32.Generic!BT     20170325
Webroot     Malicious     20170325
Yandex     Trojan.VB!0amP9/ctkPI     20170323
ZoneAlarm by Check Point     Trojan.Win32.VB.dkbu     20170324

2017-03-24 22:04:51.615705 IP 192.168.1.102.53116 > 176.57.210.35.80: Flags [P.], seq 2149610031:2149610320, ack 1808991785, win 256, length 289: HTTP: GET /focus_gropu.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: kaem-sib.ru
Connection: Keep-Alive

CERBER Ransomware voperforseanx.top 2.gif Malware Analysis PCAP file Download Traffic Sample

2017-03-24 21:33:08.433085 IP 192.168.1.102.52862 > 47.90.205.113.80: Flags [P.], seq 0:296, ack 1, win 256, length 296: HTTP: GET /user.php?f=2.gif HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: voperforseanx.top
Connection: Keep-Alive
