Vintage Gh0st APT FTP Malware Traffic Sample Download PCAP

By | January 29, 2016

Download the raw PCAP for Gh0st APT here: Gh0st.pcap


2012-08-05 22:50:40.647899 IP 192.168.106.141.1068 > 121.63.150.15.21: Flags [R.], seq 266, ack 1, win 0, length 0
E..(.W@…….j.y?…,…..F.J.8P…….
2012-08-05 22:50:40.648984 IP 192.168.106.141.1032 > 192.168.106.2.53: 10854+ A? netuser.dns1.us. (33)
E..=.X…..w..j…j….5.)..*f………..netuser.dns1.us…..
2012-08-05 22:50:40.698458 IP 192.168.106.2.53 > 192.168.106.141.1032: 10854 1/0/0 A 27.22.117.26 (49)
E..M……K)..j…j..5…9N.*f………..netuser.dns1.us……………….u.
2012-08-05 22:50:40.698958 IP 192.168.106.141.1069 > 27.22.117.26.23: Flags [S], seq 1192051896, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0.Y@…= ..j…u..-..G.D…..p…<………..
2012-08-05 22:50:43.616747 IP 192.168.106.141.1069 > 27.22.117.26.23: Flags [S], seq 1192051896, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0.Z@…=…j…u..-..G.D…..p…<………..
2012-08-05 22:50:49.631968 IP 192.168.106.141.1069 > 27.22.117.26.23: Flags [S], seq 1192051896, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0.[@…=…j…u..-..G.D…..p…<………..
2012-08-05 22:51:01.665106 IP 192.168.106.141.1032 > 192.168.106.2.53: 63589+ A? lixht.gnway.net. (33)
E..=.\…..s..j…j….5.)…e………..lixht.gnway.net…..
2012-08-05 22:51:01.701399 IP 27.22.117.26.23 > 192.168.106.141.1069: Flags [R.], seq 1449158985, ack 1192051897, win 64240, length 0
E..(……….u…j….-V`iIG.D.P…….
2012-08-05 22:51:02.663553 IP 192.168.106.141.1032 > 192.168.106.2.53: 63589+ A? lixht.gnway.net. (33)
E..=.]…..r..j…j….5.)…e………..lixht.gnway.net…..
2012-08-05 22:51:02.917445 IP 192.168.106.2.53 > 192.168.106.141.1032: 63589 1/0/0 A 121.63.150.15 (49)
E..M……K'..j…j..5…9…e………..lixht.gnway.net……………..y?..
2012-08-05 22:51:02.919255 IP 192.168.106.141.1072 > 121.63.150.15.21: Flags [S], seq 1013260496, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0.a@…….j.y?…0..<e …..p…./……….
2012-08-05 22:51:03.148722 IP 192.168.106.2.53 > 192.168.106.141.1032: 63589 1/0/0 A 121.63.150.15 (49)
E..M……K&..j…j..5…9…e………..lixht.gnway.net……………..y?..
2012-08-05 22:51:03.206990 IP 121.63.150.15.21 > 192.168.106.141.1072: Flags [S.], seq 902974239, ack 1013260497, win 64240, options [mss 1460], length 0
E..,……f.y?….j….05.K.<e .`….4……
2012-08-05 22:51:03.207104 IP 192.168.106.141.1072 > 121.63.150.15.21: Flags [.], ack 1, win 64240, length 0
E..(.d@…….j.y?…0..<e .5.K P…….
2012-08-05 22:51:03.207338 IP 192.168.106.141.1072 > 121.63.150.15.21: Flags [P.], seq 1:266, ack 1, win 64240, length 265: FTP
E..1.e@…….j.y?…0..<e .5.K P….j..v2010 …….f……………(
……Service Pack 2..?..|…|…|0.@…………..4$…………..4$..^…..|…..]…]……{l….$.0%.|…. m2.rSingleO….t…..2………d
….j.DELLXT…………………………………………..00-50-56-3C-F6-41…'…….
2012-08-05 22:51:03.207466 IP 121.63.150.15.21 > 192.168.106.141.1072: Flags [.], ack 266, win 64150, length 0
E..(……f.y?….j….05.K <e!.P….B..
2012-08-05 22:51:12.914202 IP 192.168.106.141.1072 > 121.63.150.15.21: Flags [R.], seq 266, ack 1, win 0, length 0
E..(.g@…….j.y?…0..<e!.5.K P…….
2012-08-05 22:51:12.915240 IP 192.168.106.141.1032 > 192.168.106.2.53: 55396+ A? netuser.dns1.us. (33)
E..=.h…..g..j…j….5.)i..d………..netuser.dns1.us…..
2012-08-05 22:51:12.966299 IP 192.168.106.2.53 > 192.168.106.141.1032: 55396 1/0/0 A 27.22.117.26 (49)
E..M……K#..j…j..5…9…d………..netuser.dns1.us……………….u.

2012-08-05 22:53:09.080514 IP 121.63.150.15.21 > 192.168.106.141.1088: Flags [S.], seq 1519781431, ack 817621598, win 64240, options [mss 1460], length 0
E..,……f.y?….j….@Z..70..^`….d……
2012-08-05 22:53:09.080627 IP 192.168.106.141.1088 > 121.63.150.15.21: Flags [.], ack 1, win 64240, length 0
E..(..@…….j.y?…@..0..^Z..8P….!..
2012-08-05 22:53:09.080837 IP 192.168.106.141.1088 > 121.63.150.15.21: Flags [P.], seq 1:266, ack 1, win 64240, length 265: FTP
E..1..@…….j.y?…@..0..^Z..8P…)6..v2010 …….f……………(
……Service Pack 2..?..|…|…|0.@…………..4$…………..4$..^…..|…..]…]……{l….$.0%.|….(r2.rSingleO….t…..2………d
….j.DELLXT……………………………………….?…00-50-56-3C-F6-41…'…….
2012-08-05 22:53:09.081102 IP 121.63.150.15.21 > 192.168.106.141.1088: Flags [.], ack 266, win 64150, length 0
E..(……f.y?….j….@Z..80..gP….r..
2012-08-05 22:53:18.793233 IP 192.168.106.141.1088 > 121.63.150.15.21: Flags [R.], seq 266, ack 1, win 0, length 0
E..(..@…….j.y?…@..0..gZ..8P…….
2012-08-05 22:53:18.794338 IP 192.168.106.141.1032 > 192.168.106.2.53: 19582+ A? netuser.dns1.us. (33)
E..=…….’..j…j….5.)..L~………..netuser.dns1.us…..
2012-08-05 22:53:18.868371 IP 192.168.106.2.53 > 192.168.106.141.1032: 19582 1/0/0 A 27.22.117.26 (49)
E..M……K…j…j..5…9+.L~………..netuser.dns1.us……………….u.
2012-08-05 22:53:18.868888 IP 192.168.106.141.1089 > 27.22.117.26.23: Flags [S], seq 375479378, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@…<…j…u..A…a\R….p…U………..
2012-08-05 22:53:21.883814 IP 192.168.106.141.1089 > 27.22.117.26.23: Flags [S], seq 375479378, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@…<…j…u..A…a\R….p…U………..
2012-08-05 22:53:27.900040 IP 192.168.106.141.1089 > 27.22.117.26.23: Flags [S], seq 375479378, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@…<…j…u..A…a\R….p…U………..
2012-08-05 22:53:39.892487 IP 27.22.117.26.23 > 192.168.106.141.1089: Flags [R.], seq 1979058949, ack 375479379, win 64240, length 0
E..(……….u…j….Au….a\SP….r..
2012-08-05 22:53:39.893045 IP 192.168.106.141.1032 > 192.168.106.2.53: 28797+ A? lixht.gnway.net. (33)
E..=…….#..j…j….5.).mp}………..lixht.gnway.net…..
2012-08-05 22:53:39.925509 IP 192.168.106.2.53 > 192.168.106.141.1032: 28797 1/0/0 A 121.63.150.15 (49)
E..M……K…j…j..5…94.p}………..lixht.gnway.net……………..y?..
2012-08-05 22:53:39.928325 IP 192.168.106.141.1092 > 121.63.150.15.21: Flags [S], seq 621522833, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@…….j.y?…D..%…….p…t………..
2012-08-05 22:53:40.213022 IP 121.63.150.15.21 > 192.168.106.141.1092: Flags [S.], seq 711216724, ack 621522834, win 64240, options [mss 1460], length 0
E..,……f.y?….j….D*dNT%…`………..

2012-08-05 22:59:26.609198 IP 192.168.106.141.1136 > 121.63.150.15.21: Flags [P.], seq 1:266, ack 1, win 64240, length 265: FTP
E..1.g@…….j.y?…p..l..%..W.P…….v2010 …….f……………(
……Service Pack 2..?..|…|…|0.@…………..4$…………..4$..^…..|…..]…]……{l….$.0%.|……2.rSingleO….t…..2………d
….j.DELLXT………………………………………. …00-50-56-3C-F6-41…'…….
2012-08-05 22:59:26.609305 IP 121.63.150.15.21 > 192.168.106.141.1136: Flags [.], ack 266, win 64150, length 0
E..(……f]y?….j….p..W.l…P…….
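The dump above shows the shape of the check-in rather than real FTP: the host resolves a dynamic-DNS name (netuser.dns1.us, lixht.gnway.net), tries port 23 three times with no SYN-ACK, then completes a handshake to port 21 and pushes 265 bytes on its own before the server has sent a single byte. A genuine FTP session is server-first (the 220 banner arrives before the client speaks), and tcpdump's "FTP" label is assigned by port number only. The following script is an added example, not part of the original post or the Gh0st sample: it parses tcpdump summary lines in the format printed above (the hex/ASCII payload lines are skipped), ties DNS answers to the flows that follow, and flags both the client-first data on port 21 and the unanswered SYN burst. The sample input is constructed from the page's own header lines; the field names and thresholds are my assumptions.

```python
import re
from collections import OrderedDict

# Constructed sample input: tcpdump summary lines in the shape of the page's dump.
# The hex/ASCII payload lines that follow each header in the original are omitted,
# except one kept to show that the parser ignores them.
SAMPLE = """\
E..(.W@.......j.y?...,.....F.J.8P.......
2012-08-05 22:50:40.648984 IP 192.168.106.141.1032 > 192.168.106.2.53: 10854+ A? netuser.dns1.us. (33)
2012-08-05 22:50:40.698458 IP 192.168.106.2.53 > 192.168.106.141.1032: 10854 1/0/0 A 27.22.117.26 (49)
2012-08-05 22:50:40.698958 IP 192.168.106.141.1069 > 27.22.117.26.23: Flags [S], seq 1192051896, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2012-08-05 22:50:43.616747 IP 192.168.106.141.1069 > 27.22.117.26.23: Flags [S], seq 1192051896, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2012-08-05 22:50:49.631968 IP 192.168.106.141.1069 > 27.22.117.26.23: Flags [S], seq 1192051896, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2012-08-05 22:51:01.665106 IP 192.168.106.141.1032 > 192.168.106.2.53: 63589+ A? lixht.gnway.net. (33)
2012-08-05 22:51:01.701399 IP 27.22.117.26.23 > 192.168.106.141.1069: Flags [R.], seq 1449158985, ack 1192051897, win 64240, length 0
2012-08-05 22:51:02.917445 IP 192.168.106.2.53 > 192.168.106.141.1032: 63589 1/0/0 A 121.63.150.15 (49)
2012-08-05 22:51:02.919255 IP 192.168.106.141.1072 > 121.63.150.15.21: Flags [S], seq 1013260496, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2012-08-05 22:51:03.206990 IP 121.63.150.15.21 > 192.168.106.141.1072: Flags [S.], seq 902974239, ack 1013260497, win 64240, options [mss 1460], length 0
2012-08-05 22:51:03.207104 IP 192.168.106.141.1072 > 121.63.150.15.21: Flags [.], ack 1, win 64240, length 0
2012-08-05 22:51:03.207338 IP 192.168.106.141.1072 > 121.63.150.15.21: Flags [P.], seq 1:266, ack 1, win 64240, length 265: FTP
2012-08-05 22:51:03.207466 IP 121.63.150.15.21 > 192.168.106.141.1072: Flags [.], ack 266, win 64150, length 0
2012-08-05 22:51:12.914202 IP 192.168.106.141.1072 > 121.63.150.15.21: Flags [R.], seq 266, ack 1, win 0, length 0
"""

# One tcpdump header line: timestamp, src ip.port > dst ip.port: rest of summary.
HEADER = re.compile(r"^(?P<ts>\S+ \S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
                    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$")
DNS_QUERY = re.compile(r"^(?P<txid>\d+)\+ A\? (?P<name>\S+) \(\d+\)$")
DNS_ANSWER = re.compile(r"^(?P<txid>\d+) \d+/\d+/\d+ A (?P<ip>\d+(?:\.\d+){3}) \(\d+\)$")
TCP = re.compile(r"^Flags \[(?P<flags>[^\]]+)\].*\blength (?P<length>\d+)(?:: (?P<proto>\w+))?$")


def _flow_for(flows, src, sport, dst, dport, flags):
    """Return (flow state, True if this packet goes client->server), creating the flow if new."""
    fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
    if fwd in flows:
        return flows[fwd], True
    if rev in flows:
        return flows[rev], False
    # First packet of a flow: a SYN-ACK means the sender is the server, else assume initiator.
    key, from_client = (rev, False) if flags == "S." else (fwd, True)
    flows[key] = {"client": key[0], "cport": key[1], "server": key[2], "sport": key[3],
                  "syn": 0, "synack": False, "server_bytes": 0, "client_first": 0,
                  "proto": None, "client_rst": False}
    return flows[key], from_client


def analyze(text):
    """Parse summary lines; return (resolved ip->name map, ordered flow-state map)."""
    pending, resolved, flows = {}, {}, OrderedDict()
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # payload dump line or blank
        src, sport, dst, dport, rest = m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["rest"]
        q = DNS_QUERY.match(rest)
        if q:
            pending[q["txid"]] = q["name"].rstrip(".")
            continue
        a = DNS_ANSWER.match(rest)
        if a:
            if a["txid"] in pending:
                resolved[a["ip"]] = pending[a["txid"]]
            continue
        t = TCP.match(rest)
        if not t:
            continue
        flags, length = t["flags"], int(t["length"])
        flow, from_client = _flow_for(flows, src, sport, dst, dport, flags)
        if from_client:
            flow["syn"] += flags == "S"
            if length and flow["server_bytes"] == 0:
                flow["client_first"] += length  # data sent before the server said anything
            if length and t["proto"]:
                flow["proto"] = t["proto"]
            flow["client_rst"] |= "R" in flags
        else:
            flow["synack"] |= flags == "S."
            flow["server_bytes"] += length
    return resolved, flows


def findings(text):
    """Flag client-first data on port 21 and SYN bursts that never got a SYN-ACK."""
    resolved, flows = analyze(text)
    out = []
    for f in flows.values():
        host = resolved.get(f["server"])
        if f["sport"] == 21 and f["client_first"] > 0:
            out.append({"kind": "client_first_data_on_ftp_port", "server": f["server"], "host": host,
                        "client_first_bytes": f["client_first"], "label": f["proto"],
                        "client_rst": f["client_rst"]})
        elif f["syn"] >= 3 and not f["synack"]:
            out.append({"kind": "unanswered_syn_burst", "server": f["server"], "port": f["sport"],
                        "host": host, "syn_count": f["syn"]})
    return out


if __name__ == "__main__":
    for hit in findings(SAMPLE):
        print(hit)
```

Run against the page's dump, the same logic fires on every one of the repeated check-ins (1072, 1088, 1136 all push 265 bytes on port 21 before any server data and then reset the connection), which makes "client speaks first on port 21 to a freshly resolved dynamic-DNS host" a usable hunting rule for this family without relying on the payload bytes themselves.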
