DirtJumper DDoS Malware Botnet Traffic Sample Analysis PCAP

January 29, 2016

Download raw PCAP file for DirtJumper: dirtjumper

2011-10-03 20:42:49.094710 IP 172.16.165.128.49770 > 172.16.165.2.53: 17008+ A? asdaddddaaaa.com. (34)
E..>……. ………j.5.*..Bp………..asdaddddaaaa.com…..
2011-10-03 20:42:49.109841 IP 172.16.165.2.53 > 172.16.165.128.49770: 17008 1/0/0 A 195.3.145.87 (50)
E..N.6……………5.j.:.
Bp………..asdaddddaaaa.com………………..W
2011-10-03 20:42:49.114307 IP 172.16.165.128.1035 > 195.3.145.87.80: Flags [S], seq 2900643694, win 16384, options [mss 1460,nop,nop,sackOK], length 0
E..0..@…S……..W…P..On….p.@………….
2011-10-03 20:42:49.232779 IP 195.3.145.87.80 > 172.16.165.128.1035: Flags [S.], seq 3750550834, ack 2900643695, win 64240, options [mss 1460], length 0
E..,.7………W…..P…..2..Oo`…9…….
2011-10-03 20:42:49.232916 IP 172.16.165.128.1035 > 195.3.145.87.80: Flags [.], ack 1, win 17520, length 0
E..(..@…S……..W…P..Oo…3P.Dp. ..i…..
2011-10-03 20:42:49.233181 IP 172.16.165.128.1035 > 195.3.145.87.80: Flags [P.], seq 1:245, ack 1, win 17520, length 244: HTTP: POST /678/index.php HTTP/1.0
E…..@…R……..W…P..Oo…3P.Dpa>..POST /678/index.php HTTP/1.0
Host: asdaddddaaaa.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)
Content-Type: application/x-www-form-urlencoded
Content-Length: 17

k=426924814555748
2011-10-03 20:42:49.233225 IP 195.3.145.87.80 > 172.16.165.128.1035: Flags [.], ack 245, win 64240, length 0
E..(.8………W…..P…..3..PcP…P…
2011-10-03 20:42:49.354072 IP 195.3.145.87.80 > 172.16.165.128.1035: Flags [P.], seq 1:846, ack 245, win 64240, length 845: HTTP: HTTP/1.1 200 OK
E..u.9…..^…W…..P…..3..PcP…/…HTTP/1.1 200 OK
Server: nginx
Date: Tue, 04 Oct 2011 01:40:42 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding,User-Agent
Content-Length: 644

02|411|260http://www.tadawulfx.com/public/
http://www.tadawulfx.com/public/trading-accounts/standard-forex-account.html
http://www.tadawulfx.com/public/trading-accounts/premium-forex-account.html
http://www.tadawulfx.com/public/education/gold-and-silver-overview.html
http://www.tadawulfx.com/public/platforms/mt4-mobile.html
http://www.tadawulfx.com/
https://pepperstone.com/
https://pepperstone.com/company-profile/about-us.php
https://pepperstone.com/trading-accounts/accounts-types.php
https://pepperstone.com/forex-news/
http://ukashsepeti.com/ukash.asp
http://ukashsepeti.com/iletisim.html
http://ukashsepeti.com/kurumsal.html

2011-10-03 20:42:49.354485 IP 195.3.145.87.80 > 172.16.165.128.1035: Flags [.], ack 246, win 64239, length 0
E..(.:………W…..P……..PdP…MG..
2011-10-03 20:42:49.366629 IP 172.16.165.128.54851 > 172.16.165.2.53: 64012+ A? ukashsepeti.com. (33)
E..=……………..C.5.).-………….ukashsepeti.com…..
2011-10-03 20:42:49.372987 IP 172.16.165.128.60365 > 172.16.165.2.53: 34684+ A? pepperstone.com. (33)
E..=……………….5.)=..|………..pepperstone.com…..
2011-10-03 20:42:49.382578 IP 172.16.165.2.53 > 172.16.165.128.54851: 64012 1/0/0 A 87.251.2.2 (49)
E..M.;……………5.C.9>r………….ukashsepeti.com……………..W…
2011-10-03 20:42:49.385446 IP 172.16.165.128.1036 > 87.251.2.2.80: Flags [S], seq 2467900220, win 16384, options [mss 1460,nop,nop,sackOK], length 0
E..0. @…N1….W……P..+<….p.@………….
2011-10-03 20:42:49.388837 IP 172.16.165.2.53 > 172.16.165.128.60365: 34684 1/0/0 A 113.20.8.41 (49)
E..M.<……………5…9g>.|………..pepperstone.com……………..q..)
2011-10-03 20:42:49.394732 IP 172.16.165.128.59650 > 172.16.165.2.53: 47838+ A? www.tadawulfx.com. (35)
E..?.
……………..5.+……………www tadawulfx.com…..
2011-10-03 20:42:49.395661 IP 172.16.165.128.1037 > 113.20.8.41.443: Flags [S], seq 215307541, win 16384, options [mss 1460,nop,nop,sackOK], length 0
E..0..@………q..)……U…..p.@………….
2011-10-03 20:42:49.403101 IP 172.16.165.128.1038 > 113.20.8.41.443: Flags [S], seq 1514295825, win 16384, options [mss 1460,nop,nop,sackOK], length 0
E..0..@………q..)….ZBR…..p.@..4……….
2011-10-03 20:42:49.411963 IP 172.16.165.2.53 > 172.16.165.128.59650: 47838 1/0/0 A 199.16.81.167 (51)
E..O.=……………5…;.n………….www tadawulfx.com……………….Q.

2011-10-03 20:42:49.505936 IP 172.16.165.128.1039 > 199.16.81.167.80: Flags [P.], seq 1:196, ack 1, win 17520, length 195: HTTP: GET /public/trading-accounts/premium-forex-account.html HTTP/1.0
E…..@………..Q….P..’…5.P.Dp….GET /public/trading-accounts/premium-forex-account.html HTTP/1.0
Host: www.tadawulfx.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 98)

2011-10-03 20:42:49.518546 IP 172.16.165.128.1040 > 199.16.81.167.80: Flags [P.], seq 1:205, ack 1, win 17520, length 204: HTTP: GET /public/trading-accounts/premium-forex-account.html HTTP/1.0
E…..@………..Q….P……..P.DpL…GET /public/trading-accounts/premium-forex-account.html HTTP/1.0
Host: www.tadawulfx.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Opera/9.00 (Wii; U; ; 1038-58; Wii Shop Channel/1.0; en)

2011-10-03 20:42:49.542686 IP 172.16.165.128.1036 > 87.251.2.2.80: Flags [P.], seq 1:188, ack 1, win 17520, length 187: HTTP: GET /iletisim.html HTTP/1.0
E…. @…Mg….W……P..+=..f.P.Dp….GET /iletisim.html HTTP/1.0
Host: ukashsepeti.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.1 (compatible; MSIE 5.0; Symbian OS; Nokia 6600;452) Opera 6.20 [ru]

2011-10-03 20:42:49.611633 IP 172.16.165.128.1042 > 87.251.2.2.80: Flags [P.], seq 1:139, ack 1, win 17520, length 138: HTTP: GET /ukash.asp HTTP/1.0
E….*@…M…..W……PD…….P.Dp$…GET /ukash.asp HTTP/1.0
Host: ukashsepeti.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Opera/9.0 (Windows NT 5.1; U; en)
2011-10-03 20:42:49.611722 IP 87.251.2.2.80 > 172.16.165.128.1042: Flags [.], ack 139, win 64240, length 0
E..(.J……W……..P……D..PP….G..
2011-10-03 20:42:49.612022 IP 172.16.165.128.1042 > 87.251.2.2.80: Flags [F.], seq 139, ack 1, win 17520, length 0
E..(.+@…N…..W……PD..P….P.Dp7…..Y].r
2011-10-03 20:42:49.612106 IP 87.251.2.2.80 > 172.16.165.128.1042: Flags [.], ack 140, win 64239, length 0
E..(.K……W……..P……D..QP….G..
2011-10-03 20:42:49.614916 IP 199.16.81.167.80 > 172.16.165.128.1040: Flags [FP.], seq 1:154, ack 206, win 64239, length 153: HTTP: HTTP/1.1 302 Found
E….L……..Q……P……….P…….HTTP/1.1 302 Found
Connection: close
Pragma: no-cache
cache-control: no-cache
Location: /RVikU/public/trading-accounts/premium-forex-account.html

2011-10-03 20:42:49.629254 IP 172.16.165.128.1049 > 199.16.81.167.80: Flags [P.], seq 1:252, ack 1, win 17520, length 251: HTTP: GET /public/education/gold-and-silver-overview.html HTTP/1.0
E..#.0@….\……Q….P.:8.}…P.Dp….GET /public/education/gold-and-silver-overview.html HTTP/1.0
Host: www.tadawulfx.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; ; Linux armv5tejl; U) Opera 8.02 [en_US] Maemo browser 0.4.31 N770/SU-18

2011-10-03 20:42:49.640441 IP 172.16.165.128.1044 > 87.251.2.2.80: Flags [P.], seq 1:197, ack 1, win 17520, length 196: HTTP: GET /iletisim.html HTTP/1.0
E….3@…MK….W……P;…7A..P.Dp.Q..GET /iletisim.html HTTP/1.0
Host: ukashsepeti.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1

2011-10-03 20:42:50.079782 IP 199.16.81.167.80 > 172.16.165.128.1090: Flags [FP.], seq 1:192, ack 179, win 64239, length 191: HTTP: HTTP/1.1 200 OK
E………….Q……P.B…[.S.eP…….HTTP/1.1 200 OK
Connection: close
Pragma: no-cache
cache-control: no-cache
Content-Type: text/html
Content-Length: 65

<html><head><meta http-equiv="refresh" content="0"></head></html>
2011-10-03 20:42:50.080016 IP 172.16.165.128.1090 > 199.16.81.167.80: Flags [R.], seq 179, ack 192, win 0, length 0
E..(..@………..Q..B.P.S.e….P…….GET /
2011-10-03 20:42:50.087749 IP 199.16.81.167.80 > 172.16.165.128.1102: Flags [S.], seq 3183623031, ack 1521396229, win 64240, options [mss 1460], length 0
E..,……….Q……P.N..;wZ…`…0Q……
2011-10-03 20:42:50.087845 IP 199.16.81.167.80 > 172.16.165.128.1103: Flags [S.], seq 2169768478, ack 3313941192, win 64240, options [mss 1460], length 0
E..,……….Q……P.O.T
…..`…”|……
2011-10-03 20:42:50.088218 IP 172.16.165.128.1102 > 199.16.81.167.80: Flags [.], ack 1, win 17520, length 0
E..(..@………..Q..N.PZ…..;xP.Dp……….
2011-10-03 20:42:50.088373 IP 172.16.165.128.1103 > 199.16.81.167.80: Flags [.], ack 1, win 17520, length 0
E..(..@………..Q..O.P…..T
.P.Dp……….
2011-10-03 20:42:50.088872 IP 172.16.165.128.1102 > 199.16.81.167.80: Flags [P.], seq 1:231, ack 1, win 17520, length 230: HTTP: GET /public/trading-accounts/premium-forex-account.html HTTP/1.0
E…..@………..Q..N.PZ…..;xP.Dp8…GET /public/trading-accounts/premium-forex-account.html HTTP/1.0
Host: www.tadawulfx.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3
2011-10-03 20:42:50.088999 IP 199.16.81.167.80 > 172.16.165.128.1102: Flags [.], ack 231, win 64240, length 0
E..(……….Q……P.N..;xZ…P…G(..
2011-10-03 20:42:50.089367 IP 172.16.165.128.1102 > 199.16.81.167.80: Flags [F.], seq 231, ack 1, win 17520, length 0
E..(..@………..Q..N.PZ…..;xP.Dp……….
2011-10-03 20:42:50.089485 IP 199.16.81.167.80 > 172.16.165.128.1102: Flags [.], ack 232, win 64239, length 0
E..(……….Q……P.N..;xZ…P…G(..
2011-10-03 20:42:50.089976 IP 199.16.81.167.80 > 172.16.165.128.1105: Flags [S.], seq 4137033625, ack 3993111522, win 64240, options [mss 1460], length 0
E..,……….Q……P.Q……..`….’……
2011-10-03 20:42:50.090235 IP 172.16.165.128.1105 > 199.16.81.167.80: Flags [.], ack 1, win 17520, length 0
E..(..@………..Q..Q.P……..P.Dp.d..GET /p
2011-10-03 20:42:50.090687 IP 172.16.165.128.1103 > 199.16.81.167.80: Flags [P.], seq 1:220, ack 1, win 17520, length 219: HTTP: GET /public/platforms/mt4-mobile.html HTTP/1.0
E…..@………..Q..O.P…..T
.P.Dp….GET /public/platforms/mt4-mobile.html HTTP/1.0
Host: www.tadawulfx.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20

2011-10-03 20:42:50.686309 IP 172.16.165.128.1174 > 199.16.81.167.80: Flags [P.], seq 1:221, ack 1, win 17520, length 220: HTTP: GET /public/platforms/mt4-mobile.html HTTP/1.0
E…..@………..Q….P..#..V.bP.Dp….GET /public/platforms/mt4-mobile.html HTTP/1.0
Host: www.tadawulfx.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060516 SeaMonkey/1.0.2

2011-10-03 20:42:50.704504 IP 172.16.165.128.1175 > 199.16.81.167.80: Flags [P.], seq 1:256, ack 1, win 17520, length 255: HTTP: GET /public/trading-accounts/premium-forex-account.html HTTP/1.0
E..’..@………..Q….P.
).OA..P.Dp….GET /public/trading-accounts/premium-forex-account.html HTTP/1.0
Host: www.tadawulfx.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/532.9 (KHTML, like Gecko) Chrome/5.0.307.9 Safari/532.9

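Added example, not part of the original page: a small Python parser and detector for the exchange visible in the capture, where the bot POSTs `k=<id>` to `/678/index.php` over HTTP/1.0, the C2 answers with three `|`-separated numbers glued to a newline-separated list of target URLs, and the bot then issues HTTP/1.0 GETs carrying `Keep-Alive: 300` under a different User-Agent on each connection. The sample requests are constructed from the capture above (header lines shortened); the meaning of the three numeric fields is not asserted, and the `example.invalid` request is an assumed benign negative case.

```python
import re

# Constructed samples modelled on the capture: check-in, C2 reply body (copied as captured), three GETs.
CHECKIN = ("POST /678/index.php HTTP/1.0\r\nHost: asdaddddaaaa.com\r\nKeep-Alive: 300\r\n"
           "Content-Type: application/x-www-form-urlencoded\r\n\r\nk=426924814555748")
C2_REPLY = ("02|411|260http://www.tadawulfx.com/public/\n"
            "https://pepperstone.com/\nhttp://ukashsepeti.com/ukash.asp\n")
FLOOD = [
    "GET /iletisim.html HTTP/1.0\r\nHost: ukashsepeti.com\r\nKeep-Alive: 300\r\n"
    "Connection: keep-alive\r\nUser-Agent: Opera/9.0 (Windows NT 5.1; U; en)\r\n\r\n",
    "GET /ukash.asp HTTP/1.0\r\nHost: ukashsepeti.com\r\nKeep-Alive: 300\r\n"
    "Connection: keep-alive\r\nUser-Agent: Mozilla/4.1 (compatible; MSIE 5.0; Symbian OS)\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: example.invalid\r\nConnection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux)\r\n\r\n",  # assumed benign request, should not match
]
TASK_RE = re.compile(r"^(\d+)\|(\d+)\|(\d+)(https?://\S+)?$")

def parse_http(raw):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
    return lines[0], headers, body

def parse_checkin(raw):
    """Bot id from a DirtJumper check-in (HTTP/1.0 POST with body k=<digits>), else None."""
    request_line, _, body = parse_http(raw)
    if not (request_line.startswith("POST ") and request_line.endswith(" HTTP/1.0")):
        return None
    m = re.fullmatch(r"k=(\d+)", body.strip())
    return m.group(1) if m else None

def parse_task(body):
    """Three numeric fields plus target URLs; the first URL is glued to the numbers, as captured."""
    lines = [l for l in body.splitlines() if l.strip()]
    m = TASK_RE.match(lines[0]) if lines else None
    if not m:
        return None
    urls = ([m.group(4)] if m.group(4) else []) + lines[1:]
    return {"fields": tuple(int(x) for x in m.group(1, 2, 3)), "targets": urls}

def flood_hosts(raws, min_agents=2):
    """Hosts hit by HTTP/1.0 requests with 'Keep-Alive: 300' under >= min_agents distinct User-Agents."""
    agents = {}
    for raw in raws:
        request_line, h, _ = parse_http(raw)
        if request_line.endswith(" HTTP/1.0") and h.get("keep-alive") == "300":
            agents.setdefault(h.get("host", ""), set()).add(h.get("user-agent", ""))
    return sorted(host for host, uas in agents.items() if len(uas) >= min_agents)
```

Run over a proxy or IDS HTTP log, `flood_hosts` surfaces the target of the rotation while `parse_checkin` flags the infected host itself, which is the more useful alert for an internal network.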