Category Archives: Trojan Downloaders

Traffic Sample PCAP of FakeAV Malware and Kazy Trojan Downloader

Two key indicators:
FakeAV POST – POST /hrrgkkwhjdwwwww/order.php?pid=390 (attempting to set up a payment for the FakeAV, with the pid linking to the current session)
Trojan Downloader function – GET /week.exe HTTP/1.1

2015-08-27 11:39:35.045855 ARP, Request who-has 192.168.56.1 tell 192.168.56.10, length 28 …….. .’*….8 ……..8. 2015-08-27 11:39:35.046218 ARP, Reply 192.168.56.1 is-at 0a:00:27:00:00:00, length 46 …….. .’…..8.… Read More »


Zemot/Harbinger Rootkit Trojan Downloader Loads Kuluoz/Asprox Malware PCAP Traffic Sample

Download Zemot/Harbinger Kuluoz Trojan Downloader PCAP : zemot.pcap E..(..@….A…..wi..t.P…… .P….=…….. 2014-08-15 09:11:05.358087 IP 172.16.204.128.49268 > 46.119.105.213.80: Flags [P.], seq 1:294, ack 1, win 64240, length 293: HTTP: GET /b/shoe/749634 HTTP/1.1 E..M..@……….wi..t.P…… .P…….GET /b/shoe/749634 HTTP/1.1 Accept: */* Connection: Close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152;… Read More »


HISTORICAL Malware Sample – Kelihos – Traffic Sample Indicators Analysis

2013-02-03 20:35:15.922405 IP 172.16.253.132.1416 > 176.8.210.229.80: Flags [F.], seq 1, ack 1, win 64240, length 0 E..(.^M@….?………..P..t!ZZ..P……. 2013-02-03 20:35:15.922525 IP 176.8.210.229.80 > 172.16.253.132.1416: Flags [.], ack 2, win 64239, length 0 E..(……5……….P..ZZ….t”P…………. 2013-02-03 20:35:15.971042 IP 172.16.253.132.1417 > 94.154.224.58.80: Flags [S], seq 2079267976, win 64240, options [mss 1460,nop,nop,sackOK], length 0 E..0..@….P….^..:…P{…….p….t………. 2013-02-03 20:35:16.243353 IP 176.8.210.229.80 >… Read More »


E-mail Spam Upatre Trojan Downloader Loads Dyre SSL/443 Trojan and Pony Downloader Malware PCAP Traffic Sample

2015-01-27 14:21:25.061276 IP 192.168.221.134.49500 > 202.153.35.133.15175: Flags [S], seq 1519016217, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0 E..4.G@…_/……#..\;GZ.Y……. …………….. 2015-01-27 14:21:25.559710 IP 202.153.35.133.15175 > 192.168.221.134.49500: Flags [S.], seq 3577950926, ack 1519016218, win 64240, options [mss 1460], length 0 E..,……….#…..;G.\.C2.Z.Y.`…X}…….. 2015-01-27 14:21:25.560035 IP 192.168.221.134.49500 > 202.153.35.133.15175: Flags [.], ack 1, win 64240, length 0 E..(.H@…_:……#..\;GZ.Y..C2.P…p:……..… Read More »


Kuluoz Trojan Downloader Loads Microsoft-Spoofed Medfos Trojan Malware PCAP Converted Traffic Sample

2012-10-04 10:29:04.777210 IP 192.168.248.165.1111 > 85.214.114.16.8080: Flags [P.], seq 1:274, ack 1, win 64240, length 273 E..9.t@…x…..U.r..W….aM.H..P…….GET /C338D6D09CA45230980EF28CDAEF57A1E80E725685E70E5ED4088FFB98E21ECC52E0A6FB44B8C30DEA90454BD8E292E523BE43AE9871A36910BACBD3E09B23700FDE12BC8A5F54E0FB8BDC91E6D5B4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) Host: 85.214.114.16:8080 2012-10-04 10:29:04.777406 IP 85.214.114.16.8080 > 192.168.248.165.1111: Flags [.], ack 274, win 64240, length 0 E..(……..U.r……..W.H….b^P…………. 2012-10-04 10:29:05.162014 IP 85.214.114.16.8080 > 192.168.248.165.1111: Flags [FP.], seq… Read More »
