
OCTOPUS APT/2 Malware PCAP Download Traffic Analysis 88.198.204.196

Download Attachments

  • 1 pcap octupus
    Date added: April 23, 2019 5:29 am Added by: admin File size: 5 MB Downloads: 119

2018-11-06 03:08:56.939686 IP 10.1.10.73.65480 > 10.1.10.100.55555: Flags [P.], seq 1:562, ack 1, win 2053, length 561
GET /apt/DustSquad/OctopusDelphi.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://10.1.10.100:55555/apt/DustSquad/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: 10.1.10.100:55555
Connection: Keep-Alive

2018-11-06 03:08:56.939868 IP 10.1.10.100.55555 > 10.1.10.73.65480: Flags [.], ack 562, win 237, length 0

2018-11-06 03:09:11.604468 IP 148.251.185.168.80 > 10.1.10.73.65490: Flags [S.], seq 949224391, ack 3926170411, win 65535, options [mss 1460,nop,wscale 6,sackOK,eol], length 0

2018-11-06 03:09:11.604766 IP 10.1.10.73.65490 > 148.251.185.168.80: Flags [.], ack 1, win 256, length 0

2018-11-06 03:09:11.608831 IP 10.1.10.73.65490 > 148.251.185.168.80: Flags [P.], seq 1:240, ack 1, win 256, length 239: HTTP: GET /d4.php?check HTTP/1.1
GET /d4.php?check HTTP/1.1
Host: 148.251.185.168
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: identity
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0

2018-11-06 03:09:11.735371 IP 148.251.185.168.80 > 10.1.10.73.65490: Flags [P.], seq 1:325, ack 240, win 1026, length 324: HTTP: HTTP/1.1 404 Not Found
HTTP/1.1 404 Not Found

2018-11-06 03:09:11.866394 IP 148.251.185.168.80 > 10.1.10.73.65490: Flags [F.], seq 325, ack 241, win 1026, length 0
2018-11-06 03:09:11.866628 IP 10.1.10.73.65490 > 148.251.185.168.80: Flags [.], ack 326, win 255, length 0
2018-11-06 03:09:11.869397 IP 10.1.10.73.65491 > 88.198.204.196.80: Flags [P.], seq 1:239, ack 1, win 256, length 238: HTTP: GET /d4.php?check HTTP/1.1
GET /d4.php?check HTTP/1.1
Host: 88.198.204.196
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: identity
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0

2018-11-06 03:09:11.995486 IP 88.198.204.196.80 > 10.1.10.73.65491: Flags [.], ack 239, win 123, length 0

2018-11-06 03:09:13.175672 IP 88.198.204.196.80 > 10.1.10.73.65493: Flags [S.], seq 1943939956, ack 4008735111, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2018-11-06 03:09:13.175994 IP 10.1.10.73.65493 > 88.198.204.196.80: Flags [.], ack 1, win 256, length 0
2018-11-06 03:09:13.193802 IP 10.1.10.73.65493 > 88.198.204.196.80: Flags [P.], seq 1:241, ack 1, win 256, length 240: HTTP: GET /d4.php?check HTTP/1.1
GET /d4.php?check HTTP/1.1
Host: www.runa-ldn.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: identity
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0

2018-11-06 03:09:13.314178 IP 88.198.204.196.80 > 10.1.10.73.65493: Flags [.], ack 241, win 123, length 0

2018-11-06 03:09:44.234391 IP 104.118.190.54.80 > 10.1.10.73.65508: Flags [S.], seq 565809931, ack 3247929270, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2018-11-06 03:09:44.234657 IP 10.1.10.73.65508 > 104.118.190.54.80: Flags [.], ack 1, win 256, length 0
2018-11-06 03:09:54.671156 IP 10.1.10.73.65508 > 104.118.190.54.80: Flags [P.], seq 1:230, ack 1, win 256, length 229: HTTP: POST /vpninfo/servers HTTP/1.1
POST /vpninfo/servers HTTP/1.1
Host: www.privateinternetaccess.com
Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
Accept: */*
User-Agent: Ruby
Content-Length: 49
Content-Type: application/x-www-form-urlencoded

2018-11-06 03:09:54.672196 IP 10.1.10.73.65508 > 104.118.190.54.80: Flags [P.], seq 230:279, ack 1, win 256, length 49: HTTP

2018-11-06 03:10:22.717526 IP 10.1.10.73.65527 > 10.1.10.100.55555: Flags [P.], seq 1:580, ack 1, win 2053, length 579
GET /apt/DustSquad/OctopusTelegramMessengerDropper.bin HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://10.1.10.100:55555/apt/DustSquad/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: 10.1.10.100:55555
Connection: Keep-Alive

2018-11-06 03:10:22.717734 IP 10.1.10.100.55555 > 10.1.10.73.65527: Flags [.], ack 580, win 238, length 0

2018-11-06 03:11:34.409113 IP 10.1.10.73.49182 > 37.244.26.41.1119: Flags [.], ack 1, win 256, length 0
2018-11-06 03:11:34.409705 IP 10.1.10.73.49182 > 37.244.26.41.1119: Flags [P.], seq 1:140, ack 1, win 256, length 139
GET /catalogs/cdns?nocache=15414882944368240 HTTP/1.1
Host: us.patch.battle.net:1119
User-Agent: Battle.net/1.12.5.10671
Accept: */*

2018-11-06 03:11:34.413491 IP 37.244.26.41.1119 > 10.1.10.73.49183: Flags [S.], seq 1499628406, ack 606991932, win 28960, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
2018-11-06 03:11:34.413719 IP 10.1.10.73.49183 > 37.244.26.41.1119: Flags [.], ack 1, win 256, length 0

... > 37.244.26.41.1119: Flags [P.], seq 1:144, ack 1, win 256, length 143
GET /catalogs/versions?nocache=15414882944368240 HTTP/1.1
Host: us.patch.battle.net:1119
User-Agent: Battle.net/1.12.5.10671
Accept: */*

2018-11-06 03:11:34.503109 IP 37.244.26.41.1119 > 10.1.10.73.49183: Flags [P.], seq 123:676, ack 144, win 4380, length 553
Region!STRING:0|BuildConfig!HEX:16|CDNConfig!HEX:16|KeyRing!HEX:16|BuildId!DEC:4|VersionsName!String:0|ProductConfig!HEX:16

## seqn = 57858

2018-11-06 03:12:14.326073 IP 23.50.51.200.80 > 10.1.10.73.49204: Flags [S.], seq 1417380829, ack 1364937650, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2018-11-06 03:12:14.326386 IP 10.1.10.73.49204 > 23.50.51.200.80: Flags [.], ack 1, win 256, length 0
2018-11-06 03:12:14.332421 IP 10.1.10.73.49204 > 23.50.51.200.80: Flags [P.], seq 1:83, ack 1, win 256, length 82: HTTP: GET /ncc.txt HTTP/1.1
GET /ncc.txt HTTP/1.1
Host: ncc.avast.com
User-Agent: Avast NCC
Accept: */*

2018-11-06 03:12:14.350954 IP 23.50.51.200.80 > 10.1.10.73.49204: Flags [.], ack 83, win 229, length 0

2018-11-06 03:12:14.351729 IP 23.50.51.200.80 > 10.1.10.73.49204: Flags [P.], seq 1:152, ack 83, win 229, length 151: HTTP: HTTP/1.1 200 OK

2018-11-06 03:13:14.499210 IP 77.234.42.247.80 > 10.1.10.73.62218: Flags [P.], seq 4535:4877, ack 302, win 3, length 342: HTTP

2018-11-06 03:13:14.516560 IP 10.1.10.73.62218 > 77.234.42.247.80: Flags [P.], seq 302:604, ack 4877, win 255, length 302: HTTP: GET /R/A3gKIGQ1Yjc2MDk4NjNhNjQ1N2JhNmZhMjZlYjFjNzgxNGE5EgQGBREYGJcFIgH-KgcIBBCCuoZnKgcIAxDe25dmMgoIBBCCuoZnGIAKOLKSnJABQiCzHp13tjgkeEmf_uYnjqPisL61OLbIXDB0_dRDuRVZGkiAgyg= HTTP/1.1
GET /R/A3gKIGQ1Yjc2MDk4NjNhNjQ1N2JhNmZhMjZlYjFjNzgxNGE5EgQGBREYGJcFIgH-KgcIBBCCuoZnKgcIAxDe25dmMgoIBBCCuoZnGIAKOLKSnJABQiCzHp13tjgkeEmf_uYnjqPisL61OLbIXDB0_dRDuRVZGkiAgyg= HTTP/1.1
Host: su.ff.avast.com
Accept: */*
Content-Type: application/octet-stream
Pragma: no-cache
Connection: keep-alive

2018-11-06 03:13:14.589588 IP 77.234.42.247.80 > 10.1.10.73.62218: Flags [.], ack 604, win 4, length 0
2018-11-06 03:17:59.378603 IP 77.234.42.247.80 > 10.1.10.73.62218: Flags [P.], seq 9411:9771, ack 604, win 4, length 360: HTTP

2018-11-06 03:17:59.396393 IP 10.1.10.73.62218 > 77.234.42.247.80: Flags [P.], seq 604:906, ack 9771, win 255, length 302: HTTP: GET /R/A3gKIGQ1Yjc2MDk4NjNhNjQ1N2JhNmZhMjZlYjFjNzgxNGE5EgQGBREYGJcFIgH-KgcIBBCjvIZnKgcIAxDe25dmMgoIBBCjvIZnGIAKOLKSnJABQiCzHp13tjgkeEmf_uYnjqPisL61OLbIXDB0_dRDuRVZGkiAgyg= HTTP/1.1
GET /R/A3gKIGQ1Yjc2MDk4NjNhNjQ1N2JhNmZhMjZlYjFjNzgxNGE5EgQGBREYGJcFIgH-KgcIBBCjvIZnKgcIAxDe25dmMgoIBBCjvIZnGIAKOLKSnJABQiCzHp13tjgkeEmf_uYnjqPisL61OLbIXDB0_dRDuRVZGkiAgyg= HTTP/1.1
Host: su.ff.avast.com
Accept: */*
Content-Type: application/octet-stream
Pragma: no-cache
Connection: keep-alive

2018-11-06 03:17:59.471625 IP 77.234.42.247.80 > 10.1.10.73.62218: Flags [.], ack 906, win 4, length 0
2018-11-06 03:20:48.497232 IP 104.110.209.95.80 > 10.1.10.73.49426: Flags [S.], seq 1611496151, ack 3370241501, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

2018-11-06 03:20:48.497541 IP 10.1.10.73.49426 > 104.110.209.95.80: Flags [.], ack 1, win 256, length 0
2018-11-06 03:20:48.498451 IP 10.1.10.73.49426 > 104.110.209.95.80: Flags [P.], seq 1:230, ack 1, win 256, length 229: HTTP: POST /vpninfo/servers HTTP/1.1
POST /vpninfo/servers HTTP/1.1
Host: www.privateinternetaccess.com
Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
Accept: */*
User-Agent: Ruby
Content-Length: 49
Content-Type: application/x-www-form-urlencoded

2018-11-06 03:20:48.498498 IP 10.1.10.73.49426 > 104.110.209.95.80: Flags [P.], seq 230:279, ack 1, win 256, length 49: HTTP

Posted in APT
