Bor.uz Locky Ransomware Malware NO C2 Traffic Analysis PCAP file download

Download Attachments

  • 1 pcap bor
    Date added: September 25, 2017 11:36 pm; added by: admin; file size: 18 KB; downloads: 22
24 engines detected this file
SHA-256 8feb981439774342fbe7c7a25c21d9cbae58f4cc13feb0ebf3657a85f2142158
File name YTkjdJH7w1.exe
File size 591 KB
Last analysis 2017-09-25 15:50:03 UTC

AegisLab: Ransom.Cerber.Smaly0!c
Avast: FileRepMalware
AVG: FileRepMalware
Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9999
CrowdStrike Falcon: malicious_confidence_100% (W)
Cylance: Unsafe

2017-09-25 16:50:29.002420 IP 192.168.1.102.57680 > 75.75.75.75.53: 45408+ A? bor.uz. (24)
E..4…….”…fKKKK.P.5. #..`………..bor.uz…..
2017-09-25 16:50:29.529203 IP 192.168.1.102.56893 > 62.209.133.18.80: Flags [S], seq 2670765003, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4\.@….I…f>….=.P.0…….. ……………..
2017-09-25 16:50:29.719862 IP 192.168.1.102.56893 > 62.209.133.18.80: Flags [.], ack 1966844122, win 256, length 0
E..(\.@….T…f>….=.P.0..u;..P….A……..
2017-09-25 16:50:29.731330 IP 192.168.1.102.56893 > 62.209.133.18.80: Flags [P.], seq 0:479, ack 1, win 256, length 479: HTTP: GET /YTkjdJH7w1 HTTP/1.1
E…\.@….t…f>….=.P.0..u;..P…d~..GET /YTkjdJH7w1 HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: bor.uz
Connection: Keep-Alive

2017-09-25 16:50:32.505137 IP 192.168.1.102.56894 > 62.209.133.18.80: Flags [P.], seq 0:268, ack 1, win 256, length 268: HTTP: GET /favicon.ico HTTP/1.1
E..4]Y@….y…f>….>.P.E..j^e’P…….GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Host: bor.uz
Connection: Keep-Alive

======================================

BINARY STRINGS

++++++++++++++++++++++++++++++++++++++

This program cannot be run in DOS mode.
.text
`.rdata
@.data
.rsrc
=o)A
GGWPP
Proc
essMh@)A
hVirt
hvQ3r_Q
DSDS
CreateDesktopW
IsDialogMessageW
IsCharUpperA
LoadIconA
LoadMenuW
PostMessageA
LoadStringW
LoadCursorA
DrawStateW
MessageBoxA
GetClassLongA
DispatchMessageW
GetPropA
user32.dll
LeaveCriticalSection
GetModuleHandleW
GetFileAttributesW
FindNextFileA
GetConsoleAliasW
GetCurrentThread
SearchPathW
GetStringTypeA
GetProcAddress
GetExpandedNameW
GetLogicalDriveStringsA
GetProfileSectionA
GetCurrentProcess
LoadLibraryA
WaitNamedPipeA
GetTempPathW
WaitForSingleObject
GetModuleFileNameA
IsBadReadPtr
kernel32.dll