Category Archives: Sality Family

MALWARE – Sality – Historical Traffic Sample User-Agent: KUKU

2013-02-03 17:24:12.573644 IP 172.16.253.129.1051 > 97.74.182.1.80: Flags [P.], seq 1:135, ack 1, win 64240, length 134
E….S@…9…..aJ…..Pt…OR.LP…….GET /mainh.gif?114ce4=11337960 HTTP/1.1
User-Agent: KUKU v5.06exp =9355466431
Host: www.livelife-eg.com
Cache-Control: no-cache
2013-02-03 17:24:12.576583 IP 97.74.182.1.80 > 172.16.253.129.1051: Flags [.], ack 135, win 64240, length 0
E..(……z.aJ…….P..OR.Lt..@P………….
2013-02-03 17:24:12.623503 IP 4.2.2.2.53 > 172.16.253.129.53: 64245 2/0/0 CNAME livelife-eg.com., A… Read More »

Another Sality Family Malware Traffic Example – Using Yahoo Document as TTP Vector

2013-02-03 18:20:55.267923 IP 172.16.253.129.53 > 8.8.8.8.53: 39453+ A? yahoo[.]com. (27)
E..7……………..5.5.#_\………….yahoo[.]com…..
2013-02-03 18:20:55.267969 IP 172.16.253.129.53 > 4.2.2.2.53: 39453+ A? yahoo[.]com. (27)
E..7……………..5.5.#ih………….yahoo[.]com…..
2013-02-03 18:20:55.294540 IP 4.2.2.2.53 > 172.16.253.129.53: 39453 3/0/0 A 98.139.183.24, A 98.138.253.109, A 206.190.36.45 (75)
E..g……………..5.5.SH…………..yahoo[.]com……………..b……………b..m…………..$-
2013-02-03 18:20:55.294559 IP 8.8.8.8.53 > 172.16.253.129.53: 39453 3/0/0 A 206.190.36.45, A 98.138.253.109, A 98.139.183.24 (75)
E..g……………..5.5.SP…………..yahoo[.]com……………….$-…………b..m…………b…
2013-02-03… Read More »

Infamous Sality Malware Family Trojan Traffic Sample

Sality is a family of file infectors that’s been around for a long time. It seems the virus first appeared back in 2003, originating in Russia.

1970-01-01 -3:-59:-13.423508 IP 46.105.103.219.80 > 10.0.2.15.1071: Flags [P.], seq 1:71, ack 159, win 65535, length 70
E..n.6..@….ig. ….P./……b.P…….HTTP/1.1 404 Not Found
Content-Type: text/html
Connection: close
1970-01-01 -3:-58:-55.532428 IP… Read More »
