Western Union Statement Malspam Adwind Malware Trojan PCAP file download traffic sample

Download Attachments

  • 1 pcap jar
    Date added: October 29, 2016 7:48 am | Added by: admin | File size: 17 KB | Downloads: 108
SHA256: 51d0f63e2d215ab1e4240468b8a518412472dc90ed24fffb8e5cf1e7aa75ede2
File name: Western_Union_Agent_Statement_and_summary_pdf.jar
Detection ratio: 19 / 55
Analysis date: 2016-10-29 07:42:32 UTC
Engine                Result                                   Update
ALYac                 Trojan.Java.Adwind                       20161029
AVware                Trojan.Java.Generic.a (v)                20161029
AegisLab              Troj.Java.Agent!c                        20161029
AhnLab-V3             HEUR/Jarex                               20161028
Avast                 Java:Adwind-G [Trj]                      20161029
ClamAV                Java.Malware.Agent-1803486               20161029
DrWeb                 Java.Adwind.179                          20161029
ESET-NOD32            a variant of Java/Adwind.AAJ             20161029
GData                 Java.Trojan.Agent.PLRUTU                 20161029
Ikarus                Trojan.Java.Adwind                       20161028
Kaspersky             HEUR:Trojan.Java.Agent.gen               20161029
McAfee                Adwind!jar                               20161029
McAfee-GW-Edition     Artemis!Trojan                           20161029
Sophos                Java/Adwind-IV                           20161029
Symantec              Trojan.Maljava                           20161029
TrendMicro            JAVA_ADWIND.JCC                          20161029
TrendMicro-HouseCall  JAVA_ADWIND.JCC                          20161029
VIPRE                 Trojan.Java.Generic.a (v)                20161029
ViRobot               JAVA.S.Adwind.232864[h]

What is Adwind?

Adwind RAT is a cross-platform, multifunctional malware program, also known as AlienSpy, Frutas, Unrecom, Sockrat, JSocket and jRat, that is distributed through a single malware-as-a-service platform. One of the main features that distinguishes Adwind RAT from other commercial malware is that it is distributed openly in the form of a paid service, where the “customer” pays a fee in return for use of the malicious program. There were around 1,800 users of the system by the end of 2015. This makes it one of the biggest malware platforms in existence today.

What can it do?

The malware’s list of functions includes the ability to:

  • collect keystrokes
  • steal cached passwords and grab data from web forms
  • take screenshots
  • take pictures and record video from a webcam
  • record sound from a microphone
  • transfer files
  • collect general system and user information
  • steal keys for cryptocurrency wallets
  • manage SMS (for Android)
  • steal VPN certificates

Traffic sample (tcpdump output)

2016-10-29 01:33:10.718213 IP 192.168.1.102.64306 > 209.140.29.13.80: Flags [P.], seq 0:330, ack 1, win 256, length 330: HTTP: GET /host/Western_Union_Agent_Statement_and_summary_pdf.jar HTTP/1.1
GET /host/Western_Union_Agent_Statement_and_summary_pdf.jar HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: linamhost.com
Connection: Keep-Alive

2016-10-29 01:33:10.757538 IP 192.168.1.102.64306 > 209.140.29.13.80: Flags [.], ack 2921, win 256, length 0

2016-10-29 01:33:18.611584 IP 192.168.1.102.64307 > 5.135.104.98.80: Flags [P.], seq 0:299, ack 1, win 256, length 299: HTTP: GET /Notifier/?language=English&source=RARLAB&landingpage=firstexpired&version=511&architecture=32 HTTP/1.1
GET /Notifier/?language=English&source=RARLAB&landingpage=firstexpired&version=511&architecture=32 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: rarlab.com
Connection: Keep-Alive

2016-10-29 01:33:18.731444 IP 192.168.1.102.64307 > 5.135.104.98.80: Flags [.], ack 2890, win 256, length 0

2016-10-29 01:33:18.782329 IP 192.168.1.102.64307 > 5.135.104.98.80: Flags [P.], seq 299:658, ack 3393, win 254, length 359: HTTP: GET /Notifier/css/basic.css?20160912 HTTP/1.1
GET /Notifier/css/basic.css?20160912 HTTP/1.1
Accept: */*
Referer: http://rarlab.com/Notifier/?language=English&source=RARLAB&landingpage=firstexpired&version=511&architecture=32
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: rarlab.com
Connection: Keep-Alive

2016-10-29 01:33:18.784392 IP 192.168.1.102.64308 > 5.135.104.98.80: Flags [S], seq 3160342502, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

2016-10-29 01:33:18.893281 IP 192.168.1.102.64307 > 5.135.104.98.80: Flags [P.], seq 658:1031, ack 5180, win 256, length 373: HTTP: GET /Notifier/css/default_css_rrlb_en.css?20160912 HTTP/1.1
GET /Notifier/css/default_css_rrlb_en.css?20160912 HTTP/1.1
Accept: */*
Referer: http://rarlab.com/Notifier/?language=English&source=RARLAB&landingpage=firstexpired&version=511&architecture=32
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: rarlab.com
Connection: Keep-Alive