New Cerber Variant Ransomware Malware sub.exe Traffic Analysis PCAP file download totalwellbeing.com.au

SHA256: 1e04fb872e1a378ea4be2dcbb85314bb5143d00817a4a3f23e2e842aaf79a68d
File name: sub.exe
Detection ratio: 30 / 54
Analysis date: 2017-01-21 23:41:01 UTC
AhnLab-V3 Trojan/Win32.Cerber.R193988 20170121
Avast Win32:Malware-gen 20170121
Avira (no cloud) TR/Crypt.Xpack.jmqom 20170121
ClamAV Win.Trojan.Generic-5633708-0 20170121
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20161024
Cyren W32/Trojan.ZAYK-2234 20170121
DrWeb Trojan.Encoder.5994 20170121
ESET-NOD32 Win32/Filecoder.Cerber.F 20170121
Fortinet W32/Injector.RJ!tr 20170121
GData Win32.Trojan.Agent.9NJUGL 20170121
Ikarus Trojan.Win32.Filecoder 20170121
K7AntiVirus Trojan ( 005021c61 ) 20170121
K7GW Trojan ( 005021c61 ) 20170121
Kaspersky Trojan-Ransom.Win32.Zerber.bdds 20170121
Malwarebytes Ransom.Cerber 20170121
McAfee Artemis!F52608C97C22 20170121
McAfee-GW-Edition BehavesLike.Win32.ObfusRansom.fc 20170121
Microsoft Ransom:Win32/Cerber


2017-01-21 01:39:25.701660 IP 192.168.1.102.50661 > 162.214.17.204.80: Flags [P.], seq 0:314, ack 1, win 256, length 314: HTTP: GET /wp-includes/images/wlw/sub.exe HTTP/1.1
GET /wp-includes/images/wlw/sub.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: totalwellbeing.com.au
Connection: Keep-Alive

2017-01-21 01:39:38.634882 IP 192.168.1.102.53770 > 90.2.1.0.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:38.634960 IP 192.168.1.102.53770 > 90.2.1.1.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:38.635010 IP 192.168.1.102.53770 > 90.2.1.2.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:38.635014 IP 192.168.1.102.53770 > 90.2.1.3.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:38.635061 IP 192.168.1.102.53770 > 90.2.1.4.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:38.635143 IP 192.168.1.102.53770 > 90.2.1.5.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:38.635193 IP 192.168.1.102.53770 > 90.2.1.6.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:38.635243 IP 192.168.1.102.53770 > 90.2.1.7.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:38.635339 IP 192.168.1.102.53770 > 90.2.1.8.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:38.635390 IP 192.168.1.102.53770 > 90.2.1.9.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:38.635439 IP 192.168.1.102.53770 > 90.2.1.10.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:38.635492 IP 192.168.1.102.53770 > 90.2.1.11.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:38.635560 IP 192.168.1.102.53770 > 90.2.1.12.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:38.635609 IP 192.168.1.102.53770 > 90.2.1.13.6892: UDP, length 25

2017-01-21 01:39:38.638059 IP 192.168.1.102.53770 > 90.3.1.23.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:38.638062 IP 192.168.1.102.53770 > 90.3.1.24.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:38.638160 IP 192.168.1.102.53770 > 90.3.1.25.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:38.638163 IP 192.168.1.102.53770 > 90.3.1.26.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:38.638248 IP 192.168.1.102.53770 > 90.3.1.27.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:38.638329 IP 192.168.1.102.53770 > 90.3.1.28.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:38.638379 IP 192.168.1.102.53770 > 90.3.1.29.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:38.638429 IP 192.168.1.102.53770 > 90.3.1.30.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:38.638432 IP 192.168.1.102.53770 > 90.3.1.31.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:38.638514 IP 192.168.1.102.53770 > 91.239.24.0.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:38.638565 IP 192.168.1.102.53770 > 91.239.24.1.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:38.638568 IP 192.168.1.102.53770 > 91.239.24.2.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:38.638615 IP 192.168.1.102.53770 > 91.239.24.3.6892: UDP, length 25
    3ed577a5011900684501000ae

    3ed577a5011900684501000ae
2017-01-21 01:39:39.648860 IP 192.168.1.102.53770 > 91.239.25.250.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:39.648958 IP 192.168.1.102.53770 > 91.239.25.251.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:39.648961 IP 192.168.1.102.53770 > 91.239.25.252.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:39.649045 IP 192.168.1.102.53770 > 91.239.25.253.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:39.649099 IP 192.168.1.102.53770 > 91.239.25.254.6892: UDP, length 25
    3ed577a5011900684501000ae
2017-01-21 01:39:40.635979 IP 192.168.1.102.53770 > 91.239.25.255.6892: UDP, length 25