p.exe Loads Ransomware Cerber Variant 91.190.218.63 40.117.145.132 443 PCAP File Download Traffic Analysis

Download Attachments

  • 1 pcap p
    Date added: November 27, 2016 12:08 am; Added by: admin; File size: 4 KB; Downloads: 112
Antivirus scan results for the downloaded sample (18 of the 36 detecting vendors are reproduced here)

SHA256: 71b2f1c5642d24c7f35479399c96cc572b1f0a24d4843ed0fddbf93af12d59c3
File name: p.exe
Detection ratio: 36 / 56
Analysis date: 2016-11-27 00:03:46 UTC

Antivirus              Result                           Update (signature date)
GData                  Trojan.GenericKD.3764705         20161127
Ikarus                 Trojan.Win32.Filecoder           20161126
Invincea               virus.win32.sality.at            20161018
K7GW                   Trojan ( 004e16c11 )             20161127
Kaspersky              Trojan.Win32.Inject.acgan        20161127
Malwarebytes           Trojan.MalPack.NSIS              20161127
McAfee                 Artemis!81D6AF74652B             20161127
McAfee-GW-Edition      BehavesLike.Win32.Ransom.cc      20161126
eScan                  Trojan.GenericKD.3764705         20161127
Microsoft              Ransom:Win32/Cerber              20161126
Panda                  Trj/Genetic.gen                  20161126
Qihoo-360              HEUR/QVM20.1.6872.Malware.Gen    20161127
Sophos                 Mal/Generic-S                    20161127
Symantec               Trojan.Gen                       20161127
Tencent                Win32.Trojan.Inject.Auto         20161127
TrendMicro-HouseCall   TROJ_GEN.R047H09KP16             20161127
VIPRE                  Trojan.Win32.Generic!BT          20161126
nProtect               Ransom/W32.Cerber.163103         20161126
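The rows above show why a single vendor label is a poor family indicator: of the 18 engines listed, only Microsoft and nProtect name Cerber; the rest are type, heuristic or packer verdicts (GenericKD, Artemis, HEUR/QVM, MalPack.NSIS), and GData and eScan return the identical string. The script below is an added example, not part of the page or of any vendor's tooling. It strips generic words and hash fragments from each label, votes once per engine, and separates the family question from the class question: four engines independently say "ransomware" without naming Cerber, which still corroborates the title's claim. The row list is constructed from the table above; the generic-word list and the assumption that eScan and GData share one engine are this example's own.

```python
"""Family consensus from antivirus labels (added example, not part of the page)."""
import re
from collections import Counter

# Constructed from the (vendor, label) rows shown on this page.
SAMPLE_ROWS = [
    ("GData", "Trojan.GenericKD.3764705"),
    ("Ikarus", "Trojan.Win32.Filecoder"),
    ("Invincea", "virus.win32.sality.at"),
    ("K7GW", "Trojan ( 004e16c11 )"),
    ("Kaspersky", "Trojan.Win32.Inject.acgan"),
    ("Malwarebytes", "Trojan.MalPack.NSIS"),
    ("McAfee", "Artemis!81D6AF74652B"),
    ("McAfee-GW-Edition", "BehavesLike.Win32.Ransom.cc"),
    ("eScan", "Trojan.GenericKD.3764705"),
    ("Microsoft", "Ransom:Win32/Cerber"),
    ("Panda", "Trj/Genetic.gen"),
    ("Qihoo-360", "HEUR/QVM20.1.6872.Malware.Gen"),
    ("Sophos", "Mal/Generic-S"),
    ("Symantec", "Trojan.Gen"),
    ("Tencent", "Win32.Trojan.Inject.Auto"),
    ("TrendMicro-HouseCall", "TROJ_GEN.R047H09KP16"),
    ("VIPRE", "Trojan.Win32.Generic!BT"),
    ("nProtect", "Ransom/W32.Cerber.163103"),
]

# Words that name a type, platform, packer, behaviour or heuristic, never a family.
# This list is an assumption of the example; real normalisers learn it from data.
GENERIC = {
    "trojan", "trj", "troj", "virus", "mal", "malware", "heur", "gen", "generic",
    "generickd", "genetic", "artemis", "behaveslike", "ransom", "filecoder",
    "inject", "injector", "malpack", "packed", "auto", "win32", "w32", "nsis",
}
# Behaviour/class words still carry signal when no family is named.
CLASS_WORDS = {"ransom": "ransomware", "filecoder": "ransomware",
               "inject": "injector", "malpack": "packed", "nsis": "packed"}
# Vendors that ship another vendor's engine: count that engine once.
# Assumption: eScan's verdict here comes from the same engine as GData's.
SHARED_ENGINE = {"eScan": "GData"}


def tokens(label):
    """Lower-cased alphanumeric tokens, e.g. 'Ransom:Win32/Cerber' -> ransom, win32, cerber."""
    return [t for t in re.split(r"[^a-z0-9]+", label.lower()) if t]


def family_tokens(label):
    """Candidate family names: 4+ letters, alphabetic only, not in GENERIC."""
    return {t for t in tokens(label)
            if len(t) >= 4 and t.isalpha() and t not in GENERIC}


def consensus(rows):
    """Return (family_votes, class_votes) Counters with one vote per engine."""
    family_votes, class_votes, seen = Counter(), Counter(), set()
    for vendor, label in rows:
        engine = SHARED_ENGINE.get(vendor, vendor)
        if engine in seen:
            continue
        seen.add(engine)
        for t in family_tokens(label):
            family_votes[t] += 1
        for cls in {CLASS_WORDS[t] for t in tokens(label) if t in CLASS_WORDS}:
            class_votes[cls] += 1
    return family_votes, class_votes


if __name__ == "__main__":
    fam, cls = consensus(SAMPLE_ROWS)
    print("family:", fam.most_common(3))
    print("class: ", cls.most_common())
```

On these rows Cerber wins the family vote with two engines and "ransomware" the class vote with four (Ikarus, McAfee-GW-Edition, Microsoft, nProtect). Variant suffixes such as Kaspersky's "acgan" slip through the filter as one-vote noise; that is acceptable for triage, and a production normaliser would carry a larger alias and generic-token list.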

Packet summary from the capture (tcpdump output; the binary IP/TCP header and payload bytes that the original dump printed as runs of dots are replaced by bracketed placeholders, the HTTP request is kept in full)

2016-11-26 17:43:28.144466 IP 192.168.1.102.51195 > 203.162.253.20.80: Flags [P.], seq 0:376, ack 1, win 256, length 376: HTTP: GET /p.exe HTTP/1.1
    GET /p.exe HTTP/1.1
    Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
    Accept-Language: en-us
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
    Accept-Encoding: gzip, deflate
    If-Modified-Since: Fri, 25 Nov 2016 10:44:39 GMT
    If-None-Match: "400fc-27d1f-5421dcf159061"
    Host: 203.162.253.20
    Connection: Keep-Alive

2016-11-26 17:43:28.413173 IP 192.168.1.102.51195 > 203.162.253.20.80: Flags [F.], seq 376, ack 153, win 256, length 0
2016-11-26 17:43:28.413507 IP 192.168.1.102.51195 > 203.162.253.20.80: Flags [.], ack 154, win 256, length 0
2016-11-26 17:43:30.660646 IP 192.168.1.102.51177 > 40.117.145.132.443: Flags [P.], seq 2656244277:2656244730, ack 2896471773, win 32665, length 453
    [453 bytes of binary payload omitted]
2016-11-26 17:43:30.660768 IP 192.168.1.102.51177 > 40.117.145.132.443: Flags [P.], seq 453:1482, ack 1, win 32665, length 1029
    [1029 bytes of binary payload omitted]
2016-11-26 17:43:31.508088 IP 192.168.1.102.51177 > 40.117.145.132.443: Flags [.], ack 358, win 32620, length 0
2016-11-26 17:43:34.260439 IP 192.168.1.102.59393 > 192.168.1.111.3074: UDP, length 52
    [52 bytes of binary payload omitted]
2016-11-26 17:43:34.311136 IP 192.168.1.111.3074 > 192.168.1.102.59393: UDP, length 52
    [52 bytes of binary payload omitted]
2016-11-26 17:43:34.418756 IP 192.168.1.102.59393 > 192.168.1.111.3074: UDP, length 52
    [52 bytes of binary payload omitted]
2016-11-26 17:43:35.871629 IP 192.168.1.102.54451 > 75.75.75.75.53: 37685+ A? wpad.hsd1.md.comcast.net. (42)
2016-11-26 17:43:43.691442 IP 192.168.1.102.43887 > 41.218.223.2.26881: UDP, length 18
    [18 bytes of binary payload omitted]
2016-11-26 17:43:44.599775 IP 192.168.1.102.51152 > 91.190.218.63.443: Flags [.], ack 4120564365, win 256, length 0
2016-11-26 17:43:44.600056 IP 192.168.1.102.51152 > 91.190.218.63.443: Flags [F.], seq 0, ack 1, win 256, length 0
2016-11-26 17:43:44.832551 IP 192.168.1.102.51170 > 40.122.162.208.443: Flags [R.], seq 4268482331, ack 2518277989, win 0, length 0
2016-11-26 17:43:44.832961 IP 192.168.1.102.51163 > 157.56.52.40.40012: Flags [P.], seq 2141827235:2141827479, ack 1684209167, win 256, length 244
    [244 bytes of binary payload omitted]
2016-11-26 17:43:44.833430 IP 192.168.1.102.51163 > 157.56.52.40.40012: Flags [P.], seq 244:260, ack 1, win 256, length 16
    [16 bytes of binary payload omitted]
2016-11-26 17:43:44.971065 IP 192.168.1.102.51163 > 157.56.52.40.40012: Flags [.], ack 5, win 256, length 0
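The listing is all the page offers, so it is worth being precise about what it does and does not show. The title attributes the 443 sessions to 91.190.218.63 and 40.117.145.132 to the ransomware, but nothing in the capture decodes them, and the 40.x, 91.190.218.x and 157.56.x destinations sit in ranges registered to Microsoft (Azure) and Skype, so a whois and SNI/certificate check comes before any C2 label. The UDP/3074 exchange with a LAN host and the wpad.hsd1.md.comcast.net lookup against Comcast's 75.75.75.75 resolver are ordinary Windows background traffic. Two things do stand out: p.exe was fetched over cleartext HTTP from an IP-literal host with a conditional request (If-Modified-Since/If-None-Match mean this client had fetched the file before), and a single 18-byte UDP datagram went to 41.218.223.2:26881, the shape of the UDP statistics beacons reported for Cerber, though one packet is thin evidence. The script below is an added example, not the page author's tooling. It groups tcpdump summary lines into client-to-external flows, applies those checks, and extracts indicators from the captured request headers. Both sample strings are constructed from the lines above; the beacon-size threshold and indicator names are this example's assumptions.

```python
"""Flow triage for a tcpdump summary listing (added example, not from the page)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed from the packet summary lines in the capture above (dumps removed).
SAMPLE_LISTING = """\
2016-11-26 17:43:28.144466 IP 192.168.1.102.51195 > 203.162.253.20.80: Flags [P.], seq 0:376, ack 1, win 256, length 376: HTTP: GET /p.exe HTTP/1.1
2016-11-26 17:43:28.413173 IP 192.168.1.102.51195 > 203.162.253.20.80: Flags [F.], seq 376, ack 153, win 256, length 0
2016-11-26 17:43:30.660646 IP 192.168.1.102.51177 > 40.117.145.132.443: Flags [P.], seq 2656244277:2656244730, ack 2896471773, win 32665, length 453
2016-11-26 17:43:30.660768 IP 192.168.1.102.51177 > 40.117.145.132.443: Flags [P.], seq 453:1482, ack 1, win 32665, length 1029
2016-11-26 17:43:31.508088 IP 192.168.1.102.51177 > 40.117.145.132.443: Flags [.], ack 358, win 32620, length 0
2016-11-26 17:43:34.260439 IP 192.168.1.102.59393 > 192.168.1.111.3074: UDP, length 52
2016-11-26 17:43:35.871629 IP 192.168.1.102.54451 > 75.75.75.75.53: 37685+ A? wpad.hsd1.md.comcast.net. (42)
2016-11-26 17:43:43.691442 IP 192.168.1.102.43887 > 41.218.223.2.26881: UDP, length 18
2016-11-26 17:43:44.599775 IP 192.168.1.102.51152 > 91.190.218.63.443: Flags [.], ack 4120564365, win 256, length 0
2016-11-26 17:43:44.832961 IP 192.168.1.102.51163 > 157.56.52.40.40012: Flags [P.], seq 2141827235:2141827479, ack 1684209167, win 256, length 244
"""
# Constructed from the HTTP request headers shown in the capture above.
SAMPLE_HTTP_REQUEST = """\
GET /p.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
If-Modified-Since: Fri, 25 Nov 2016 10:44:39 GMT
If-None-Match: "400fc-27d1f-5421dcf159061"
Host: 203.162.253.20
"""

PKT_RE = re.compile(r"^\S+ \S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
                    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$")
LEN_RE = re.compile(r"\blength (\d+)")
DNS_RE = re.compile(r"\b[A-Z]+\? (?P<name>\S+) \((?P<len>\d+)\)$")
EXEC_EXT = (".exe", ".dll", ".scr", ".js", ".vbs", ".hta")

@dataclass
class Flow:
    proto: str
    dst: str
    dport: int
    pkts: int = 0
    payload: int = 0                       # client-sent L4 payload bytes
    notes: set = field(default_factory=set)

def triage(listing):
    """Return {(proto, dst, dport): Flow} for traffic to non-RFC1918 hosts, tagged."""
    flows = {}
    for line in listing.splitlines():
        m = PKT_RE.match(line)
        if not m or ipaddress.ip_address(m["dst"]).is_private:
            continue                       # dump lines, and LAN chatter such as UDP/3074
        rest, dns = m["rest"], DNS_RE.search(m["rest"])
        if rest.startswith("Flags ["):
            proto, length = "tcp", int(LEN_RE.search(rest).group(1))
        elif rest.startswith("UDP, length"):
            proto, length = "udp", int(LEN_RE.search(rest).group(1))
        elif dns:
            proto, length = "dns", int(dns["len"])
        else:
            continue
        key = (proto, m["dst"], int(m["dport"]))
        flow = flows.setdefault(key, Flow(*key))
        flow.pkts += 1
        flow.payload += length
        if dns:
            flow.notes.add(f"query {dns['name']}")
        if "HTTP: GET " in rest:
            path = rest.split("HTTP: GET ", 1)[1].split()[0]
            flow.notes.add(f"cleartext GET {path}")
            if path.lower().endswith(EXEC_EXT):
                flow.notes.add("executable fetched over plain HTTP")
        if proto == "tcp" and flow.dport == 443:
            flow.notes.add("TLS: confirm whois owner and SNI/certificate before calling it C2")
        elif proto == "tcp" and flow.dport != 80:
            flow.notes.add("TCP on a non-standard port")
    for flow in flows.values():            # 64-byte threshold is this example's assumption
        if flow.proto == "udp" and flow.payload < 64:
            flow.notes.add("short UDP datagram to a public host: possible stats beacon")
    return flows

def http_request_indicators(raw):
    """Indicators from a captured request line plus headers."""
    lines = raw.splitlines()
    _, path, _ = lines[0].split(" ", 2)
    headers = dict(h.split(": ", 1) for h in lines[1:] if ": " in h)
    found = []
    try:                                   # Host given as a bare IP, not a name
        ipaddress.ip_address(headers.get("Host", "").rsplit(":", 1)[0])
        found.append("host-is-ip-literal")
    except ValueError:
        pass
    if path.lower().endswith(EXEC_EXT):
        found.append("executable-path")
    ua = headers.get("User-Agent", "")
    if "MSIE" in ua and "Windows NT 5.1" in ua:
        found.append("legacy-ie8-on-xp-user-agent")
    if "If-None-Match" in headers or "If-Modified-Since" in headers:
        found.append("conditional-request: client fetched this URL before")
    return found
```

Run `triage(SAMPLE_LISTING)` and the download flow to 203.162.253.20:80 comes back tagged as an executable over plain HTTP, the two 443 flows carry only the "confirm before calling it C2" reminder, 157.56.52.40:40012 is flagged for its port, and 41.218.223.2:26881 is the lone beacon candidate. The LAN UDP/3074 traffic never enters the table. `http_request_indicators(SAMPLE_HTTP_REQUEST)` adds the IP-literal Host, the .exe path, the IE8-on-XP User-Agent and the conditional-request observation; none of these is proof of anything on its own, but together they are what justifies pulling the sample rather than the 443 sessions first.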
