Bitcoin Cryptocurrency Mining Malware Trojan Traffic Sample

June 19, 2015

Packet capture of a mining trojan resolving mine.pool-x.eu and then speaking the Stratum mining protocol (JSON-RPC over TCP) to 178.33.111.19 on port 9000. The dump is tcpdump -A output: each packet's bytes follow its summary line with non-printable bytes shown as dots, so the leading "E" is the first byte of the IPv4 header and "!o" inside the dotted runs is part of the pool address 178.33.111.19.

2012-10-04 10:27:19.504071 IP 192.168.248.165.53 > 8.8.8.8.53: 50660+ A? mine.pool-x.eu. (32)
E..<.a....p..........5.5.(.S.............mine.pool-x.eu.....
2012-10-04 10:27:19.504190 IP 192.168.248.165.53 > 4.2.2.2.53: 50660+ A? mine.pool-x.eu. (32)
E..<.b....z..........5.5.(!_.............mine.pool-x.eu.....
2012-10-04 10:27:19.515476 IP 8.8.8.8.53 > 192.168.248.165.53: 50660 1/0/0 A 178.33.111.19 (48)
E..L.................5.5.8u..............mine.pool-x.eu.............?....!o.
2012-10-04 10:27:19.521271 IP 192.168.248.165.1099 > 178.33.111.19.9000: Flags [S], seq 4120039136, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0.d@..........!o..K#(........p...............
2012-10-04 10:27:19.606863 IP 178.33.111.19.9000 > 192.168.248.165.1099: Flags [S.], seq 1068904942, ack 4120039137, win 64240, options [mss 1460], length 0
E..,.........!o.....#(.K?.1.....`...e.........
2012-10-04 10:27:19.606939 IP 192.168.248.165.1099 > 178.33.111.19.9000: Flags [.], ack 1, win 64240, length 0
E..(.e@..........!o..K#(....?.1.P...|...
2012-10-04 10:27:19.608698 IP 192.168.248.165.1099 > 178.33.111.19.9000: Flags [P.], seq 1:71, ack 1, win 64240, length 70
E..n.f@..........!o..K#(....?.1.P...B...{"id": 1, "method": "mining.subscribe", "params": ["suckerrr/2.3.2"]}

2012-10-04 10:27:19.608879 IP 178.33.111.19.9000 > 192.168.248.165.1099: Flags [.], ack 71, win 64240, length 0
E..(.........!o.....#(.K?.1....'P...|.........
2012-10-04 10:27:19.695169 IP 178.33.111.19.9000 > 192.168.248.165.1099: Flags [P.], seq 1:711, ack 71, win 64240, length 710
E............!o.....#(.K?.1....'P.......{"error": null, "id": 1, "result": [["mining.notify", "ae6812eb4cd7735a302a8a9dd95cf71f"], "f80e8a14", 4]}
{"params": [63], "id": null, "method": "mining.set_difficulty"}
{"params": ["8de", "72216db0a2e9151d8b8172470729848cbeecf1080cb8f37f65d047efb2c749f3", "01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff2303122606062f503253482f04a5c4035208", "092f7374726174756d2f000000000100fb422a010000001976a9143c5adb00f1457309f084675941f114b8c09b6af188ac00000000", ["fc25ce83ea8ce3200ed2f56e7cf1ec43a8837118ddd965759c8fbe4d12a04f82", "ee78512684f4bb06bcbed1aa01703e10bbb733dc16cccaf387df0b18f656f234"], "00000001", "1b4e2a39", "5203c4a4", true], "id": null, "method": "mining.notify"}

2012-10-04 10:27:19.695655 IP 192.168.248.165.1099 > 178.33.111.19.9000: Flags [P.], seq 71:144, ack 711, win 63530, length 73
E..q.g@..........!o..K#(...'?.4.P..* V..{"id": 2, "method": "mining.authorize", "params": ["hitmanuk.4", "123"]}

2012-10-04 10:27:19.698172 IP 178.33.111.19.9000 > 192.168.248.165.1099: Flags [.], ack 144, win 64240, length 0
E..(.........!o.....#(.K?.4....pP...y~........
2012-10-04 10:27:19.776772 IP 4.2.2.2.53 > 192.168.248.165.53: 50660 1/0/0 A 178.33.111.19 (48)
E..L.................5.5.8...............mine.pool-x.eu..................!o.
2012-10-04 10:27:19.781656 IP 178.33.111.19.9000 > 192.168.248.165.1099: Flags [P.], seq 711:752, ack 144, win 64240, length 41
E..Q.......|.!o.....#(.K?.4....pP.......{"error": null, "id": 2, "result": true}

2012-10-04 10:27:19.882237 IP 178.33.111.19.9000 > 192.168.248.165.1099: Flags [P.], seq 711:752, ack 144, win 64240, length 41
E..Q.......{.!o.....#(.K?.4....pP.......{"error": null, "id": 2, "result": true}

2012-10-04 10:27:19.882265 IP 192.168.248.165.1099 > 178.33.111.19.9000: Flags [.], ack 752, win 63489, length 0
E..(.h@..........!o..K#(...p?.4.P...|D..
2012-10-04 10:27:54.224215 IP 178.33.111.19.9000 > 192.168.248.165.1099: Flags [P.], seq 752:1292, ack 144, win 64240, length 540
E..D.........!o.....#(.K?.4....pP....+..{"params": ["8df", "72216db0a2e9151d8b8172470729848cbeecf1080cb8f37f65d047efb2c749f3", "01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff2303122606062f503253482f04e1c4035208", "092f7374726174756d2f000000000100fb422a010000001976a9143c5adb00f1457309f084675941f114b8c09b6af188ac00000000", ["fc25ce83ea8ce3200ed2f56e7cf1ec43a8837118ddd965759c8fbe4d12a04f82", "ee78512684f4bb06bcbed1aa01703e10bbb733dc16cccaf387df0b18f656f234"], "00000001", "1b4e2a39", "5203c4e0", false], "id": null, "method": "mining.notify"}

2012-10-04 10:27:54.324804 IP 178.33.111.19.9000 > 192.168.248.165.1099: Flags [P.], seq 752:1292, ack 144, win 64240, length 540
E..D.......~.!o.....#(.K?.4....pP....+..{"params": ["8df", "72216db0a2e9151d8b8172470729848cbeecf1080cb8f37f65d047efb2c749f3", "01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff2303122606062f503253482f04e1c4035208", "092f7374726174756d2f000000000100fb422a010000001976a9143c5adb00f1457309f084675941f114b8c09b6af188ac00000000", ["fc25ce83ea8ce3200ed2f56e7cf1ec43a8837118ddd965759c8fbe4d12a04f82", "ee78512684f4bb06bcbed1aa01703e10bbb733dc16cccaf387df0b18f656f234"], "00000001", "1b4e2a39", "5203c4e0", false], "id": null, "method": "mining.notify"}

2012-10-04 10:27:54.324831 IP 192.168.248.165.1099 > 178.33.111.19.9000: Flags [.], ack 1292, win 62949, length 0
E..(.i@..........!o..K#(...p?.6.P...|D..
2012-10-04 10:27:54.794381 ARP, Request who-has 192.168.248.2 tell 192.168.248.179, length 46
..........)...................................
2012-10-04 10:27:55.778610 ARP, Request who-has 192.168.248.2 tell 192.168.248.179, length 46
..........)...................................
2012-10-04 10:28:10.862198 ARP, Request who-has 192.168.248.177 tell 192.168.248.2, length 46
.........PV...................................
2012-10-04 10:28:44.288909 IP 192.168.248.165.1099 > 178.33.111.19.9000: Flags [.], seq 143:144, ack 1292, win 62949, length 1
E..).j@..........!o..K#(...o?.6.P...|D...
2012-10-04 10:28:44.289138 IP 178.33.111.19.9000 > 192.168.248.165.1099: Flags [.], ack 144, win 64240, length 0
E..(.........!o.....#(.K?.6....pP...w9........
2012-10-04 10:28:54.286912 IP 178.33.111.19.9000 > 192.168.248.165.1099: Flags [P.], seq 1292:1832, ack 144, win 64240, length 540
E..D.......g.!o.....#(.K?.6....pP.......{"params": ["8e0", "72216db0a2e9151d8b8172470729848cbeecf1080cb8f37f65d047efb2c749f3", "01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff2303122606062f503253482f041dc5035208", "092f7374726174756d2f000000000100fb422a010000001976a9143c5adb00f1457309f084675941f114b8c09b6af188ac00000000", ["7de9093cdba3edecacae7c6ac22f6c77f15ce495718e7e3c9c69763be995b9a1", "97f61c6f8ba721729d2a76da4217653550550881398fbfaae4500059dfb4c7fc"], "00000001", "1b4e2a39", "5203c51c", false], "id": null, "method": "mining.notify"}

2012-10-04 10:28:54.387160 IP 178.33.111.19.9000 > 192.168.248.165.1099: Flags [P.], seq 1292:1832, ack 144, win 64240, length 540
E..D.......f.!o.....#(.K?.6....pP.......{"params": ["8e0", "72216db0a2e9151d8b8172470729848cbeecf1080cb8f37f65d047efb2c749f3", "01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff2303122606062f503253482f041dc5035208", "092f7374726174756d2f000000000100fb422a010000001976a9143c5adb00f1457309f084675941f114b8c09b6af188ac00000000", ["7de9093cdba3edecacae7c6ac22f6c77f15ce495718e7e3c9c69763be995b9a1", "97f61c6f8ba721729d2a76da4217653550550881398fbfaae4500059dfb4c7fc"], "00000001", "1b4e2a39", "5203c51c", false], "id": null, "method": "mining.notify"}

2012-10-04 10:28:54.387187 IP 192.168.248.165.1099 > 178.33.111.19.9000: Flags [.], ack 1832, win 64240, length 0
E..(.k@..........!o..K#(...p?.9.P...u...
2012-10-04 10:28:55.210190 IP 192.168.248.165.1099 > 178.33.111.19.9000: Flags [P.], seq 144:249, ack 1832, win 64240, length 105
E....l@....x.....!o..K#(...p?.9.P...4...{"method": "mining.submit", "params": ["hitmanuk.4", "8df", "00000000", "5203c4e0", "c0870000"], "id":4}

2012-10-04 10:28:55.210566 IP 178.33.111.19.9000 > 192.168.248.165.1099: Flags [.], ack 249, win 64240, length 0
E..(.........!o.....#(.K?.9.....P...t.........
2012-10-04 10:28:55.299155 IP 178.33.111.19.9000 > 192.168.248.165.1099: Flags [P.], seq 1832:1873, ack 249, win 64240, length 41
E..Q.......W.!o.....#(.K?.9.....P....O..{"error": null, "id": 4, "result": true}

2012-10-04 10:36:03.818783 IP 178.33.111.19.9000 > 192.168.248.165.1099: Flags [P.], seq 5315:5923, ack 249, win 64240, length 608
E....m.......!o.....#(.K?.F.....P.......{"params": ["8e8", "b35b170f5e794c3c2df54a67be11ef43c2de57df811ac0d5abb6d703794a7746", "01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff2303142606062f503253482f04cac6035208", "092f7374726174756d2f00000000018076242a010000001976a9143c5adb00f1457309f084675941f114b8c09b6af188ac00000000", ["300b5791839c97d719f058104824131588b656ab3c19a56f361ae87d3bbdb17e", "1aea3bf8e3245a8cce6537762db69393e28be2096a9fb490884709e994065e4f", "3677416b0adeba2c63fe5b52404034a9439a473bf639f26fcfbfc00b6b5f1c96"], "00000001", "1b4e2a39", "5203c6c9", false], "id": null, "method": "mining.notify"}

2012-10-04 10:36:03.919809 IP 178.33.111.19.9000 > 192.168.248.165.1099: Flags [P.], seq 5315:5923, ack 249, win 64240, length 608
E....n.....~.!o.....#(.K?.F.....P.......{"params": ["8e8", "b35b170f5e794c3c2df54a67be11ef43c2de57df811ac0d5abb6d703794a7746", "01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff2303142606062f503253482f04cac6035208", "092f7374726174756d2f00000000018076242a010000001976a9143c5adb00f1457309f084675941f114b8c09b6af188ac00000000", ["300b5791839c97d719f058104824131588b656ab3c19a56f361ae87d3bbdb17e", "1aea3bf8e3245a8cce6537762db69393e28be2096a9fb490884709e994065e4f", "3677416b0adeba2c63fe5b52404034a9439a473bf639f26fcfbfc00b6b5f1c96"], "00000001", "1b4e2a39", "5203c6c9", false], "id": null, "method": "mining.notify"}

2012-10-04 10:36:03.919838 IP 192.168.248.165.1099 > 178.33.111.19.9000: Flags [.], ack 5923, win 63632, length 0
E..(.{@..........!o..K#(....?.I.P...g...
2012-10-04 10:36:53.741601 IP 192.168.248.165.1099 > 178.33.111.19.9000: Flags [.], seq 248:249, ack 5923, win 63632, length 1
E..).|@..........!o..K#(....?.I.P...g....
2012-10-04 10:36:53.741763 IP 178.33.111.19.9000 > 192.168.248.165.1099: Flags [.], ack 249, win 64240, length 0
E..(.......k.!o.....#(.K?.I.....P...d.........
2012-10-04 10:37:03.735379 IP 178.33.111.19.9000 > 192.168.248.165.1099: Flags [P.], seq 5923:6531, ack 249, win 64240, length 608
E............!o.....#(.K?.I.....P....R..{"params": ["8e9", "b35b170f5e794c3c2df54a67be11ef43c2de57df811ac0d5abb6d703794a7746", "01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff2303142606062f503253482f0406c7035208", "092f7374726174756d2f00000000018076242a010000001976a9143c5adb00f1457309f084675941f114b8c09b6af188ac00000000", ["300b5791839c97d719f058104824131588b656ab3c19a56f361ae87d3bbdb17e", "1aea3bf8e3245a8cce6537762db69393e28be2096a9fb490884709e994065e4f", "3677416b0adeba2c63fe5b52404034a9439a473bf639f26fcfbfc00b6b5f1c96"], "00000001", "1b4e2a39", "5203c705", false], "id": null, "method": "mining.notify"}

2012-10-04 10:37:03.836463 IP 178.33.111.19.9000 > 192.168.248.165.1099: Flags [P.], seq 5923:6531, ack 249, win 64240, length 608
E............!o.....#(.K?.I.....P....R..{"params": ["8e9", "b35b170f5e794c3c2df54a67be11ef43c2de57df811ac0d5abb6d703794a7746", "01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff2303142606062f503253482f0406c7035208", "092f7374726174756d2f00000000018076242a010000001976a9143c5adb00f1457309f084675941f114b8c09b6af188ac00000000", ["300b5791839c97d719f058104824131588b656ab3c19a56f361ae87d3bbdb17e", "1aea3bf8e3245a8cce6537762db69393e28be2096a9fb490884709e994065e4f", "3677416b0adeba2c63fe5b52404034a9439a473bf639f26fcfbfc00b6b5f1c96"], "00000001", "1b4e2a39", "5203c705", false], "id": null, "method": "mining.notify"}
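What the capture shows, in order: the infected host 192.168.248.165 sends the same DNS query (transaction ID 50660, from UDP source port 53 rather than an ephemeral port) to 8.8.8.8 and 4.2.2.2 at once, gets A 178.33.111.19 back, and opens TCP 178.33.111.19:9000 from local port 1099. On that connection it runs the standard Stratum handshake: mining.subscribe announcing the miner build "suckerrr/2.3.2"; the pool answers with extranonce1 f80e8a14 and an extranonce2 size of 4, then pushes mining.set_difficulty 63 and a mining.notify job; the client sends mining.authorize with worker hitmanuk.4 and password 123 and is accepted (id 2, result true); about 95 seconds later it submits one share for job 8df with nonce c0870000, which the pool accepts (id 4, result true). Two other details are visible: the pool retransmits every message it pushes after about 100 ms because the client delays its ACKs past the pool's retransmission timer, and the client sends 1-byte TCP keepalive probes (seq 143:144, seq 248:249) at 10:28:44 and 10:36:53. For detection, the JSON-RPC method names, the miner user agent and the worker name are the content indicators; the pool name, address and port are the network ones.

The job data also says what the pool was mining. Rebuilding the coinbase transaction the way the miner does (coinb1 + extranonce1 + extranonce2 + coinb2) gives a BIP34-style height push of 402962 in jobs 8de to 8e0 and 402964 in 8e8/8e9, a timestamp push of 0x5203c4e1, which is 8 August 2013 (so the capture host's clock, which says October 2012, was wrong), and a single output of 5004000000 base units, 50.04 coins, to the P2PKH pubkey hash 3c5adb00f1457309f084675941f114b8c09b6af1 (50.02 coins in the later jobs). Those numbers do not fit Bitcoin in August 2013, where the height was around 250,000 and the subsidy 25 BTC, so despite the page title this was most likely a Litecoin pool; the Stratum exchange itself is identical for both chains.

The script below is an added example, not code from the page or from the malware: it pulls the JSON-RPC messages out of tcpdump -A lines (the eight payload lines from the capture, transcribed with the pool's retransmits dropped), pairs responses with the client's requests by id, rebuilds the coinbase transaction for the submitted share and decodes it, and folds the merkle branch onto it the way the miner does. It assumes one complete JSON message per line and a one-input coinbase with P2PKH outputs, which is what this capture contains.

```python
"""Pull the Stratum session out of tcpdump -A lines and decode the pool's coinbase job.
Added example (not the page's or the malware's code); assumes one JSON message per line."""
import hashlib
import json

# Payload lines transcribed from the capture above (the pool's TCP retransmits dropped).
CAPTURE = r'''
E..n.f@..........!o..K#(....?.1.P...B...{"id": 1, "method": "mining.subscribe", "params": ["suckerrr/2.3.2"]}
E............!o.....#(.K?.1....'P.......{"error": null, "id": 1, "result": [["mining.notify", "ae6812eb4cd7735a302a8a9dd95cf71f"], "f80e8a14", 4]}
{"params": [63], "id": null, "method": "mining.set_difficulty"}
E..D.........!o.....#(.K?.4....pP....+..{"params": ["8df", "72216db0a2e9151d8b8172470729848cbeecf1080cb8f37f65d047efb2c749f3", "01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff2303122606062f503253482f04e1c4035208", "092f7374726174756d2f000000000100fb422a010000001976a9143c5adb00f1457309f084675941f114b8c09b6af188ac00000000", ["fc25ce83ea8ce3200ed2f56e7cf1ec43a8837118ddd965759c8fbe4d12a04f82", "ee78512684f4bb06bcbed1aa01703e10bbb733dc16cccaf387df0b18f656f234"], "00000001", "1b4e2a39", "5203c4e0", false], "id": null, "method": "mining.notify"}
E..q.g@..........!o..K#(...'?.4.P..* V..{"id": 2, "method": "mining.authorize", "params": ["hitmanuk.4", "123"]}
E..Q.......|.!o.....#(.K?.4....pP.......{"error": null, "id": 2, "result": true}
E....l@....x.....!o..K#(...p?.9.P...4...{"method": "mining.submit", "params": ["hitmanuk.4", "8df", "00000000", "5203c4e0", "c0870000"], "id":4}
E..Q.......W.!o.....#(.K?.9.....P....O..{"error": null, "id": 4, "result": true}
'''


def sha256d(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def parse_capture(text):
    """JSON-RPC objects that end tcpdump -A lines; the binary prefix before '{' is dropped."""
    return [json.loads(line[line.find("{"):]) for line in text.splitlines() if "{" in line]


def summarize(messages):
    """Session indicators; pool responses are matched to the client's requests by JSON-RPC id."""
    s, sent = {"jobs": {}, "shares": []}, {}
    for m in messages:
        method, p, rid = m.get("method"), m.get("params", []), m.get("id")
        if method is None:                       # a response: look up what the client sent with this id
            ok = m.get("error") is None and m.get("result") not in (False, None)
            kind = sent.get(rid)
            if kind == "mining.subscribe":       # result: [subscriptions, extranonce1, extranonce2_size]
                s["extranonce1"], s["extranonce2_size"] = m["result"][1], m["result"][2]
            elif kind == "mining.authorize":
                s["authorized"] = ok
            elif kind == "mining.submit":
                s["shares"][sent[rid, "share"]]["accepted"] = ok
        elif method == "mining.subscribe":
            s["miner_agent"] = p[0] if p else None
        elif method == "mining.authorize":
            s["worker"], s["password"] = p[0], p[1]
        elif method == "mining.set_difficulty":
            s["difficulty"] = p[0]
        elif method == "mining.notify":
            s["jobs"][p[0]] = dict(zip(("prevhash", "coinb1", "coinb2", "merkle_branch",
                                        "version", "nbits", "ntime", "clean_jobs"), p[1:]))
        elif method == "mining.submit":
            sent[rid, "share"] = len(s["shares"])
            s["shares"].append(dict(zip(("worker", "job_id", "extranonce2", "ntime", "nonce"), p), accepted=None))
        if method and rid is not None:
            sent[rid] = method
    return s


def read_varint(b, i):
    n = b[i]
    if n < 0xfd:
        return n, i + 1
    size = {0xfd: 2, 0xfe: 4, 0xff: 8}[n]
    return int.from_bytes(b[i + 1:i + 1 + size], "little"), i + 1 + size


def decode_coinbase(coinb1, extranonce1, extranonce2, coinb2):
    """Rebuild the coinbase tx the miner hashed and pull out what the pool put in it."""
    tx = bytes.fromhex(coinb1 + extranonce1 + extranonce2 + coinb2)
    _, i = read_varint(tx, 4)                         # version, then input count
    slen, i = read_varint(tx, i + 36)                 # skip the null prevout
    script_sig, i = tx[i:i + slen], i + slen + 4      # scriptSig, then sequence
    pushes, j = [], 0
    while j < len(script_sig):                        # a coinbase scriptSig is a run of direct pushes
        n = script_sig[j]
        pushes.append(script_sig[j + 1:j + 1 + n])
        j += 1 + n
    n_out, i = read_varint(tx, i)
    outputs = []
    for _ in range(n_out):
        value = int.from_bytes(tx[i:i + 8], "little")
        plen, i = read_varint(tx, i + 8)
        spk, i = tx[i:i + plen], i + plen
        out = {"value": value, "script": spk.hex()}
        if len(spk) == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":  # P2PKH
            out["hash160"] = spk[3:23].hex()          # base58check with the chain's version byte = payout address
        outputs.append(out)
    return {"height": int.from_bytes(pushes[0], "little"),          # BIP34-style height push
            "time": next((int.from_bytes(p, "little") for p in pushes if len(p) == 4), None),
            "tags": [p.decode() for p in pushes if all(32 <= c < 127 for c in p)],
            "outputs": outputs, "txid": sha256d(tx)[::-1].hex(), "raw": tx}


def merkle_root(coinbase_raw, branches):   # Stratum order: coinbase txid first, then each branch
    h = sha256d(coinbase_raw)
    for b in branches:
        h = sha256d(h + bytes.fromhex(b))
    return h.hex()


if __name__ == "__main__":
    s = summarize(parse_capture(CAPTURE))
    job, share = s["jobs"]["8df"], s["shares"][0]
    cb = decode_coinbase(job["coinb1"], s["extranonce1"], share["extranonce2"], job["coinb2"])
    print(s["miner_agent"], s["worker"], s["difficulty"], share["accepted"])
    print({k: v for k, v in cb.items() if k != "raw"}, merkle_root(cb["raw"], job["merkle_branch"]))
```

Run as-is it prints the session indicators and the decoded job: height 402962, timestamp 0x5203c4e1, the "/P2SH/" and "/stratum/" tags the pool put in the scriptSig, and the 50.04-coin output to 3c5adb00f1457309f084675941f114b8c09b6af1. parse_capture and summarize work unchanged on the output of tcpdump -A against a live suspect flow, which is a cheap way to confirm that traffic to an odd port is Stratum and to recover the worker and pool identity from it.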
