Lord Exploit Kit Exploiting Flash Vulnerability Delivering Eris Ransomware PCAP File Download Traffic Sample

2019-08-02 10:46:29.501586 IP 10.8.2.101.49160 > 3.14.212.173.80: Flags [P.], seq 1:326, ack 1, win 64240, length 325: HTTP: GET /?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3 HTTP/1.1
E..m.y@….. ..e…….PM….Hg.P…….GET /?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
DNT: 1
Connection: Keep-Alive
Host: 57189bbb.ngrok.io

2019-08-02 10:46:29.501716 IP 3.14.212.173.80 > 10.8.2.101.49160: Flags [.], ack 326, win 64240, length 0
E..(……U….. ..e.P…Hg.M..$P…l…

2019-08-02 10:46:29.666953 IP 3.14.212.173.80 > 10.8.2.101.49160: Flags [.], seq 1:1461, ack 326, win 64240, length 1460: HTTP: HTTP/1.1 200 OK
E………PB…. ..e.P…Hg.M..$P…….HTTP/1.1 200 OK
Date: Fri, 02 Aug 2019 14:46:29 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: […]

NEW: Flash-Exploiting Lord Exploit Kit (EK) Found in the Wild, PCAP Download and Traffic Sample Analysis

A newly identified exploit kit is targeting vulnerable versions of Adobe’s Flash Player, Malwarebytes security researchers say. Dubbed “Lord,” the exploit kit (EK) was initially identified by Virus Bulletin’s Adrian Luca. The toolkit emerged as part of a malvertising chain via the PopCash ad network. The EK uses a compromised website to redirect unsuspecting victims to its landing page. Initially, the landing page was rather rudimentary and served in clear text, but the toolkit operators quickly moved to obfuscate it. The landing page contains a function that checks for the presence of Flash Player before attempting to exploit the CVE-2018-15982 vulnerability. One thing […]

Hancitor Amadey Pony Malware Trojan Downloader Cobalt-Strike PCAP Download Traffic Sample todratsake.ru 31.44.184.33

2019-07-25 13:00:40.697356 IP 10.7.25.101.54392 > 10.7.25.1.53: 3214+ A? codeotso.com. (30)
E..:.f…… ..e ….x.5.&E…………..codeotso.com…..

2019-07-25 13:00:40.963731 IP 10.7.25.1.53 > 10.7.25.101.54392: 3214 1/0/0 A 83.220.175.185 (46)
E..J6……. … ..e.5.x.6……………codeotso.com……………..S…

2019-07-25 13:00:40.988041 IP 10.7.25.101.49158 > 83.220.175.185.80: Flags [S], seq 1865439027, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4.g@….[ ..eS……Po0W3…… ..T…………..

2019-07-25 13:00:41.166747 IP 83.220.175.185.80 > 10.7.25.101.49158: Flags [S.], seq 1917710723, ack 1865439028, win 64240, options [mss 1460], length 0
E..,6……CS… ..e.P..rM..o0W4`………..

2019-07-25 13:00:41.167101 IP 10.7.25.101.49158 > 83.220.175.185.80: Flags [.], ack 1, win 64240, length 0
E..(.i@….e ..eS……Po0W4rM..P….T..

2019-07-25 13:00:41.167225 IP 10.7.25.101.49158 > 83.220.175.185.80: Flags [P.], seq 1:231, ack 1, win 64240, length […]

MyDoom DDoS $38 Billion P2P Malware Botnet PCAP Download Traffic Sample

MyDoom Botnet. MyDoom has several methods of impact, but its main attack is DDoS. MyDoom uses a DGA for its P2P communications, but also relies on some command-and-control servers. Damage estimated at $38.7 billion was caused by MyDoom, the fastest-spreading malware to hit Microsoft Windows-based computers. Spyware, by comparison, is malware that extracts a company’s confidential information without the company’s awareness.

2019-07-15 13:00:22.289866 IP 10.7.15.101.51171 > 10.7.15.1.53: 48767+ MX? acm.org. (25)
E..5…….. ..e ……5.!X…………..acm.org…..

2019-07-15 13:00:22.340366 IP 10.7.15.1.53 > 10.7.15.101.51171: 48767 1/0/0 MX mail.mailroute.net. 10 (59)
E..W…….G … ..e.5…C……………acm.org……………… .mail mailroute.net.

2019-07-15 13:00:22.348650 IP 10.7.15.101.53658 > 10.7.15.1.53: 65013+ A? mail.mailroute.net. (36) […]

Ursnif and Pushdo Trojan DDoS Botnet Malware Infection PCAP file download traffic sample

2019-07-29 12:48:13.981152 IP 10.7.29.101.49158 > 185.244.213.113.443: Flags [P.], seq 1:118, ack 1, win 64240, length 117
E….]@…C, ..e…q….r.Z…..P………..p…l..]=…A..}}.5T+…M%…$…Lr*,.6…./.5… ….. . .2.8…….+…………..riuytessl.xyz. …………..

2019-07-29 12:48:13.981273 IP 185.244.213.113.443 > 10.7.29.101.49158: Flags [.], ack 118, win 64240, length 0
E..(…….t…q ..e……..r.Z.P…EP..

2019-07-29 12:48:14.192305 IP 185.244.213.113.443 > 10.7.29.101.49158: Flags [P.], seq 1:1383, ack 118, win 64240, length 1382
E…………..q ..e……..r.Z.P………..]…Y..]?#Ny.8…..-…. i………!a.. .BAB…..i.PQ.?Qa&..K….’.6z…………………………………i0..e0..M……..y@.TCg.,..Xc.oo .0.. *.H……..0J1.0 ..U….US1.0…U. ..Let’s Encrypt1#0!..U….Let’s Encrypt Authority X30…190719142342Z..191017142342Z0.1.0…U….riuytessl.xyz0..”0.. .H………….0.. ……….(C.9.U.k…..j.C.U.6..|a….k…M.. ……”q….O..q..V.g4.k.i….:?….(……………….+G..I.u..]k..3…..<….au..].L’xLh…..#9q.r.k……?.fCib..4[}P……p……Y.U..y.:..i……p..Zt5s}. .z]A@azl.t..D..X….dVU..Rcp.o.l!..^,.1.1…q…….Mn.. ..Vl..5…….U0S’.y?…….>hr…7…..=.. .k!TS_n.UE#N……F.dvi…ws….Q….#\PT.06…..+1.Y.g.?W.o-…#%,[..U….P.7….DMe…….|e.Z..-0….F9H….j./…Zj.]… VJ…~.ayy..Ny;h.u.i.’.{U3$c…………&.5c|……6……9. …..X.)py.………….u0..q0…U………..0…U.%..0…+………+…….0…U…….0.0…U……:.$’.UF.W.x.*.h&….0…U.#..0….Jjc.}….9..Ee…..0o..+……..c0a0…+…..0..”http://ocsp.int-x3.letsencrypt.org0/..+…..0..#http://cert.int-x3.letsencrypt.org/0+..U…$0″..riuytessl.xyz..www.riuytessl.xyz0L..U. .E0C0…g…..07..+……….0(0&..+………http://cps.letsencrypt.org0…. +…..y…………v.oSv.1.1…..Q..w…….)…..7…..l ..c…..G0E.!…..T..X.LB……..~Z.…V….. .+/.|Ri.e….5.…vO..w../.]….v.)

10.7.29.101.49158: Flags [.], seq 1383:2843, ack 118, win 64240, length 1460
E…………..q ..e…….xr.Z.P…….r……EG.x…l ..>…..G0E.!…..lh…..F…P…….w..<.l0… T<..y..T.2Q +..Q.p…3_>.#%.z!.E0.. *.H………….Q.>=-J..’p.!.7W……X..q.WTx…..i8<…kc6…….D.O…….3…>…i.RRx.5<.….]../..1.T..A f..&..4.Q…:.6j.NR…./x.9….J…5Me..V}h..e….=.G….{………d.O….3E.?.VG..e0……1…..$…?.bp..Gw…h..).., mZ3…….!;.X…Q/..d…y…|…f….o…0…0..z……. .AB…S.sj…..0.. *.H……..0?1$0″..U. ..Digital […]
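The excerpts on this page are raw tcpdump -A text, which is what an analyst usually has in front of them before opening the PCAP. The script below is an added example and is not code from any of the posts listed here: it parses that text format (a summary line per packet followed by the printable payload dump) and runs three triage rules over it, one for the Lord EK sample (plaintext HTTP to a *.ngrok.io host, and the IE11-on-Windows-7 browser profile the Flash exploit is aimed at) and one for the MyDoom sample (an internal workstation issuing MX queries, i.e. resolving victims' mail servers itself). The SAMPLE text is constructed from the excerpts above with the header dumps abbreviated, and the rules, the tunnel-suffix list and the finding names are this example's own assumptions, not published signatures.

```python
"""Triage tcpdump -A text for the indicators visible in the PCAP excerpts.

Added example, not code from the linked posts. SAMPLE is constructed from the
excerpts on the page; the detection rules below are this example's own
assumptions (not published signatures).
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Packet summary line: "<timestamp> IP <src>.<sport> > <dst>.<dport>: <rest>"
PKT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# DNS query as tcpdump prints it, e.g. "48767+ MX? acm.org. (25)"
DNS_Q_RE = re.compile(r"\b\d+\+ (?P<qtype>A|AAAA|MX|TXT)\? (?P<name>[\w.-]+)\. \(\d+\)")
# HTTP request line inside the payload dump
REQ_RE = re.compile(r"^(?P<method>GET|POST|HEAD) (?P<uri>\S+) HTTP/1\.[01]$")

# Assumption: tunnel/reverse-proxy services seldom carry first-party web content
# for a corporate client; the Lord EK sample used an *.ngrok.io landing host.
TUNNEL_SUFFIXES = (".ngrok.io",)


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    summary: str
    payload: list = field(default_factory=list)


def parse_tcpdump(text):
    """Group tcpdump -A output into Packet objects (summary + payload lines)."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            packets.append(Packet(m["ts"], m["src"], int(m["sport"]),
                                  m["dst"], int(m["dport"]), m["rest"]))
        elif packets:  # continuation of the current packet's payload dump
            packets[-1].payload.append(line)
    return packets


def http_fields(pkt):
    """Pull the request line, Host and User-Agent out of a plaintext request."""
    fields = {}
    for line in pkt.payload:
        line = line.rstrip("\r")
        m = REQ_RE.match(line)
        if m:
            fields["method"], fields["uri"] = m["method"], m["uri"]
        elif line.lower().startswith("host:"):
            fields["host"] = line.split(":", 1)[1].strip()
        elif line.lower().startswith("user-agent:"):
            fields["ua"] = line.split(":", 1)[1].strip()
    return fields


def triage(text):
    """Return (rule, client_ip, detail) tuples for every packet that trips a rule."""
    findings = []
    for pkt in parse_tcpdump(text):
        client_is_internal = ipaddress.ip_address(pkt.src).is_private
        # Rule 1: an internal workstation asking for MX records is resolving
        # victims' mail servers itself, the mass-mailer behaviour MyDoom shows.
        if pkt.dport == 53 and client_is_internal:
            m = DNS_Q_RE.search(pkt.summary)
            if m and m["qtype"] == "MX":
                findings.append(("mx_query_from_client", pkt.src, m["name"]))
        # Rules 2 and 3: plaintext HTTP to a tunnel host, and the browser profile
        # a Flash exploit kit is after (IE11 on Windows 7, as in the Lord EK GET).
        if pkt.dport == 80 and "HTTP:" in pkt.summary:
            f = http_fields(pkt)
            host, ua = f.get("host", ""), f.get("ua", "")
            if host.endswith(TUNNEL_SUFFIXES):
                findings.append(("http_to_tunnel_host", pkt.src, host))
            if "Trident/7.0" in ua and "Windows NT 6.1" in ua:
                findings.append(("ie11_on_windows7", pkt.src, host))
    return findings


# Constructed sample in the page's tcpdump -A format (header dumps abbreviated).
SAMPLE = """\
2019-08-02 10:46:29.501586 IP 10.8.2.101.49160 > 3.14.212.173.80: Flags [P.], seq 1:326, ack 1, win 64240, length 325: HTTP: GET /?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3 HTTP/1.1
E..m.y@.....
GET /?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 57189bbb.ngrok.io

2019-08-02 10:46:29.501716 IP 3.14.212.173.80 > 10.8.2.101.49160: Flags [.], ack 326, win 64240, length 0
E..(......U.....
2019-07-15 13:00:22.289866 IP 10.7.15.101.51171 > 10.7.15.1.53: 48767+ MX? acm.org. (25)
E..5............
2019-07-15 13:00:22.340366 IP 10.7.15.1.53 > 10.7.15.101.51171: 48767 1/0/0 MX mail.mailroute.net. 10 (59)
E..W.......G....
2019-07-25 13:00:40.697356 IP 10.7.25.101.54392 > 10.7.25.1.53: 3214+ A? codeotso.com. (30)
E..:.f..........
"""

if __name__ == "__main__":
    for rule, client, detail in triage(SAMPLE):
        print(f"{rule:22} {client:15} {detail}")
```

Run against the SAMPLE it reports the ngrok.io GET twice (tunnel host and legacy browser profile) and the acm.org MX lookup once; the Hancitor A lookup for codeotso.com is parsed but trips no rule, which is the point of keeping the rules narrow: an A query from a client is normal, an MX query from a client is not. To use it on a real capture, feed it the output of `tcpdump -A -nn -r file.pcap` and widen TUNNEL_SUFFIXES with whatever services your environment never legitimately talks to.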