Netwire Wirenet Trojan Downloader Malware 2017.exe PCAP file download traffic analysis

Download Attachments

  • 1 pcap 2017
    Date added: February 20, 2017 3:56 am
    Added by: admin
    File size: 36 KB
    Downloads: 83
SHA256: 26989aa946a3c511b62b809bb98c2c7cf947ca5bfad628873ab3f6b94297b7d1
File name: 2017.exe
Detection ratio: 34 / 57
Analysis date: 2017-02-20 02:14:31 UTC

Vendor                   Detection                          Signature date
AVG                      Autoit2_c.ACFW                     20170220
AVware                   Trojan.Win32.Generic!BT            20170219
Ad-Aware                 Trojan.GenericKD.4425869           20170220
AegisLab                 Troj.W32.Gen.m5cP                  20170220
Antiy-AVL                Trojan/Generic.ASVCS3S.1E5         20170220
Arcabit                  Trojan.Generic.D43888D             20170220
Avira (no cloud)         DR/Autoit.yobkp                    20170219
BitDefender              Trojan.GenericKD.4425869           20170219
Bkav                     W32.HfsAtITIST.FAB9                20170218
CrowdStrike Falcon (ML)  malicious_confidence_100% (W)      20170130
Cyren                    W32/Trojan.ICBN-4514               20170220
DrWeb                    BackDoor.Wirenet.187               20170220

Troj/Netwire-GZ

Category: Viruses and Spyware
Type: Trojan
Protection available since: 07 Oct 2016 15:58:11 (GMT)
Last Updated: 07 Oct 2016 15:58:11 (GMT)
Troj/Netwire-GZ exhibits the following characteristics:

File Information

Size: 283K
SHA-1: d57e5c3b764a3a33a3e069b78794cc91a39805f8
MD5: 64032694f59a03659420f6205852c662
CRC-32: e9e62086
File type: application/x-ms-dos-executable
First seen: 2016-10-06

Runtime Analysis

HTTP Requests
  • http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt
DNS Requests
  • myfilesareok.ddns.net


2017-02-18 07:59:44.911543 IP 192.168.1.102.56166 > 192.185.145.173.80: Flags [P.], seq 0:298, ack 1, win 256, length 298: HTTP: GET /includes/2017.exe HTTP/1.1
E..R#S@……..f…..f.P….F…P…….GET /includes/2017.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: peruvianflavor.com
Connection: Keep-Alive

2017-02-18 07:59:56.033673 IP 192.168.1.102.54470 > 75.75.75.75.53: 53705+ A? myfilesareok.ddns.net. (39)
E..C)_………fKKKK…5./:…………..myfilesareok.ddns.net…..
2017-02-18 07:59:56.069943 IP 192.168.1.102.56167 > 163.47.20.42.64536: Flags [S], seq 81464738, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@…x….f./.*.g………… ……………..
2017-02-18 07:59:56.813999 IP 192.168.1.102.56167 > 163.47.20.42.64536: Flags [S], seq 81464738, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@…x….f./.*.g………… ……………..
2017-02-18 07:59:57.556733 IP 192.168.1.102.56167 > 163.47.20.42.64536: Flags [S], seq 81464738, win 8192, options [mss 1460,nop,nop,sackOK], length 0
E..0..@…x….f./.*.g……….p. ………….
2017-02-18 07:59:58.269823 IP 192.168.1.102.56168 > 163.47.20.42.64536: Flags [S], seq 394358472, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@…x….f./.*.h….n……. .w……………
2017-02-18 07:59:59.011302 IP 192.168.1.102.56168 > 163.47.20.42.64536: Flags [S], seq 394358472, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@…x….f./.*.h….n……. .w……………
2017-02-18 07:59:59.750831 IP 192.168.1.102.56168 > 163.47.20.42.64536: Flags [S], seq 394358472, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0..@…x….f./.*.h….n…..p……………
2017-02-18 08:00:00.347129 IP 192.168.1.102.56169 > 163.47.20.42.64536: Flags [S], seq 4005154394, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@…x….f./.*.i…..Z…… .A……………
2017-02-18 08:00:01.086048 IP 192.168.1.102.56169 > 163.47.20.42.64536: Flags [S], seq 4005154394, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@…x….f./.*.i…..Z…… .A……………
2017-02-18 08:00:01.827107 IP 192.168.1.102.56169 > 163.47.20.42.64536: Flags [S], seq 4005154394, win 8192, options [mss 1460,nop,nop,sackOK], length 0
E..0..@…x….f./.*.i…..Z….p. .U ……….
2017-02-18 08:00:11.454984 IP 192.168.1.102.63306 > 157.56.31.43.3544: UDP, length 61
E..Y    ……….f.8.+.J…E……..RH…’.`…..:……………………………..}8….
2017-02-18 08:00:12.068271 IP 192.168.1.102.54471 > 75.75.75.75.53: 30946+ A? 2017blessed.ddns.net. (38)
E..B)`………fKKKK…5….x…………2017blessed.ddns.net…..
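As an added example (not part of the original post), a small Python triage script that runs over the tcpdump summary lines above and pulls out the three things a defender would flag in this capture: the executable fetched over HTTP, the lookups of dynamic-DNS hostnames, and the repeated SYNs to 163.47.20.42:64536 that never get an answer. The sample lines are copied from the capture output above (hex/ASCII dump lines dropped); the dynamic-DNS suffix list is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: tcpdump summary lines taken from the capture above.
# A real run would feed the output of `tcpdump -nr 2017.pcap` instead.
SAMPLE = """\
2017-02-18 07:59:44.911543 IP 192.168.1.102.56166 > 192.185.145.173.80: Flags [P.], seq 0:298, ack 1, win 256, length 298: HTTP: GET /includes/2017.exe HTTP/1.1
2017-02-18 07:59:56.033673 IP 192.168.1.102.54470 > 75.75.75.75.53: 53705+ A? myfilesareok.ddns.net. (39)
2017-02-18 07:59:56.069943 IP 192.168.1.102.56167 > 163.47.20.42.64536: Flags [S], seq 81464738, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:59:56.813999 IP 192.168.1.102.56167 > 163.47.20.42.64536: Flags [S], seq 81464738, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:59:57.556733 IP 192.168.1.102.56167 > 163.47.20.42.64536: Flags [S], seq 81464738, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-02-18 07:59:58.269823 IP 192.168.1.102.56168 > 163.47.20.42.64536: Flags [S], seq 394358472, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 08:00:12.068271 IP 192.168.1.102.54471 > 75.75.75.75.53: 30946+ A? 2017blessed.ddns.net. (38)
"""

# One tcpdump summary line: timestamp, src.port > dst.port: rest
PKT = re.compile(r"^(?P<ts>\S+ \S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                 r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$")
DYN_DNS = ("ddns.net", "no-ip.org", "no-ip.com")  # assumed suffix list; extend as needed

def analyse(text):
    """Return a list of human-readable findings for the given tcpdump summary text."""
    findings = []
    talkers = set()                                  # every IP seen sending a packet
    syn_targets = defaultdict(lambda: defaultdict(int))  # (dst, dport) -> sport -> SYN count
    for line in text.splitlines():
        m = PKT.match(line)
        if not m:
            continue
        src, sport, dst, dport, rest = m["src"], m["sport"], m["dst"], m["dport"], m["rest"]
        talkers.add(src)
        if "HTTP: GET" in rest and re.search(r"\.exe\b", rest):       # executable over plain HTTP
            findings.append(f"exe download: {rest.split('HTTP: ')[1]} from {dst}:{dport}")
        q = re.search(r" A\? (\S+)\. ", rest)                          # DNS A query
        if q and q.group(1).endswith(DYN_DNS):
            findings.append(f"dynamic-DNS lookup: {q.group(1)}")
        s = re.search(r"Flags \[S\], seq (\d+),", rest)                # bare SYN (no ACK)
        if s:
            syn_targets[(dst, dport)][sport] += 1
    # SYN retransmissions to a host that never sends anything back = unanswered C2 connect
    for (dst, dport), ports in syn_targets.items():
        if dst not in talkers:
            n = sum(ports.values())
            findings.append(f"unanswered connect: {dst}:{dport}, {n} SYNs over {len(ports)} source ports")
    return findings

if __name__ == "__main__":
    for f in analyse(SAMPLE):
        print(f)
```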
