HISTORICAL Malware Sample – TBOT TORNET – Traffic Sample Indicators Analysis

July 25, 2015

2012-10-07 08:37:05.992015 IP 172.16.253.131.1172 > 216.146.39.70.80: Flags [P.], seq 1:70, ack 1, win 64240, length 69
E..m..@...P.......'F...P..a'..h.P....   ..GET / HTTP/1.1
Host: checkip.dyndns.org
Cache-Control: no-cache

2012-10-07 08:37:05.992351 IP 216.146.39.70.80 > 172.16.253.131.1172: Flags [.], ack 70, win 64240, length 0
E..(..........'F.....P....h...alP...^F........
2012-10-07 08:37:06.075207 IP 216.146.39.70.80 > 172.16.253.131.1172: Flags [FP.], seq 1:261, ack 70, win 64240, length 260
E..,..........'F.....P....h...alP.......HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 105

<html><head><title>Current IP Check</title></head><body>Current IP Address: 74.217.91.121</body></html>
2012-10-07 08:37:06.075295 IP 172.16.253.131.1172 > 216.146.39.70.80: Flags [.], ack 262, win 63980, length 0
E..(..@...P.......'F...P..al..i"P...^E..
2012-10-07 08:37:06.075569 IP 172.16.253.131.1172 > 216.146.39.70.80: Flags [F.], seq 70, ack 262, win 63980, length 0
E..(..@...P.......'F...P..al..i"P...^D..
2012-10-07 08:37:06.075818 IP 216.146.39.70.80 > 172.16.253.131.1172: Flags [.], ack 71, win 64239, length 0
E..(..........'F.....P....i"..amP...]A........
2012-10-07 08:37:06.553991 IP 172.16.253.131.1179 > 208.83.223.34.80: Flags [S], seq 2347746009, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@...."....S."...P........p....o..........
2012-10-07 08:37:06.637365 IP 208.83.223.34.80 > 172.16.253.131.1179: Flags [S.], seq 3263878575, ack 2347746010, win 64240, options [mss 1460], length 0
E..,......(0.S.".....P..........`...X+........
2012-10-07 08:37:06.637390 IP 172.16.253.131.1179 > 208.83.223.34.80: Flags [.], ack 1, win 64240, length 0
E..(.S@....r.....S."...P........P...o...
2012-10-07 08:37:06.652397 IP 172.16.253.131.1179 > 208.83.223.34.80: Flags [P.], seq 1:216, ack 1, win 64240, length 215
E....V@..........S."...P........P...g..............P..lf-..e#8(...6.Z......S...+}....:.
...9.8.....5... .....3.2............./.........^M.....
.....k...#.!...www.cj3vb6e45w2jryxzdnag5y.com.........
.4.2.................   .
2012-10-07 08:37:09.633328 IP 172.16.253.131.3683 > 109.105.109.163.44945: Flags [P.], seq 1:216, ack 1, win 64240, length 215
E...l.@.........mim..c...e.w.D+QP...c..............P..o").Idw...U.....B..I..6[..L{Z..:.
...9.8.....5... .....3.2............./.........^M.....
.....k...#.!...www.5qik4mvxyrhrvkhfqjsfpe.com.........
.4.2.................   .
.....^M......................#..
2012-10-07 08:37:09.633486 IP 109.105.109.163.44945 > 172.16.253.131.3683: Flags [.], ack 216, win 64240, length 0
E..(........mim........c.D+Q.e.NP...N.........
2012-10-07 08:37:09.638527 IP 188.40.51.146.8443 > 172.16.253.131.3686: Flags [S.], seq 3212805145, ack 2293830499, win 64240, options [mss 1460], length 0
E..,.........(3..... ..f.......c`.............
2012-10-07 08:37:09.638626 IP 172.16.253.131.3694 > 31.172.30.1.443: Flags [S], seq 3450977323, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0l.@..............n.....+....p...............
2012-10-07 08:37:09.638669 IP 172.16.253.131.3686 > 188.40.51.146.8443: Flags [.], ack 1, win 64240, length 0
E..(l.@..........(3..f ....c....P....}..
2012-10-07 08:37:09.641530 IP 193.107.85.31.9001 > 172.16.253.131.3684: Flags [S.], seq 2755083500, ack 3016244667, win 64240, options [mss 1460], length 0
E..,.........kU.....#).d.7<...=.`.............
2012-10-07 08:37:09.641571 IP 172.16.253.131.3695 > 38.229.70.61.443: Flags [S], seq 1155400593, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0l.@...wl....&.F=.o..D.......p...............
2012-10-07 08:37:09.641614 IP 172.16.253.131.3684 > 193.107.85.31.9001: Flags [.], ack 1, win 64240, length 0
E..(l.@....
.....kU..d#)..=..7<.P.......
2012-10-07 08:37:09.642012 IP 172.16.253.131.3686 > 188.40.51.146.8443: Flags [P.], seq 1:217, ack 1, win 64240, length 216
E...l.@..........(3..f ....c....P..................P..o.....N?...p.Q....&vp....D..A..:.
...9.8.....5... .....3.2............./.........^M.....
.....l...$."...www.lady4l6bof3jvzzkqqa7a2m.com.........
.4.2.................   .
.....^M......................#..
2012-10-07 08:37:09.642121 IP 188.40.51.146.8443 > 172.16.253.131.3686: Flags [.], ack 217, win 64240, length 0
E..(.........(3..... ..f.......;P.............
2012-10-07 08:37:09.642650 IP 172.16.253.131.3684 > 193.107.85.31.9001: Flags [P.], seq 1:200, ack 1, win 64240, length 199
E...l.@....=.....kU..d#)..=..7<.P..................P..o..O......;H.....6?[q.    RP......:.
...9.8.....5... .....3.2............./.........^M.....
.....[.........www.66ukjy.com.........
.4.2.................   .
2012-10-07 08:37:09.653337 IP 172.16.253.131.3685 > 94.254.1.254.22: Flags [P.], seq 1:200, ack 1, win 64240, length 199
E...l.@.........^....e..P....TV'P...]..............P..o.n..B..<....'...POLv..PHfw....:.
...9.8.....5... .....3.2............./.........^M.....
.....[.........www.bphjcw.com.........
.4.2.................   .
.....^M......................#..
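Added example, not code from the original post: a small Python script that parses tcpdump -A text like the capture above and pulls out the two indicators it contains, the external-IP lookup against checkip.dyndns.org and the burst of data segments whose payload carries a www.<random>.com hostname (the server-name style visible in the client hellos above) to a spread of destination ports. The SAMPLE text is a constructed excerpt of the capture with straight quotes; the hostname heuristic (looks_random) and the three-flow threshold are assumptions made for this example.

```python
"""Pull network indicators out of tcpdump -A output like the capture above.

Added example (not from the original post). The hostname heuristic and the
flow threshold are assumptions; tune them against your own baseline traffic.
"""
import re

# Constructed excerpt of the capture above (only the lines that matter here).
SAMPLE = """\
2012-10-07 08:37:05.992015 IP 172.16.253.131.1172 > 216.146.39.70.80: Flags [P.], seq 1:70, ack 1, win 64240, length 69
E..m..@...P.......'F...P..a'..h.P....   ..GET / HTTP/1.1
Host: checkip.dyndns.org
Cache-Control: no-cache
2012-10-07 08:37:06.075207 IP 216.146.39.70.80 > 172.16.253.131.1172: Flags [FP.], seq 1:261, ack 70, win 64240, length 260
E..,..........'F.....P....h...alP.......HTTP/1.1 200 OK
Server: DynDNS-CheckIP/1.0
2012-10-07 08:37:06.652397 IP 172.16.253.131.1179 > 208.83.223.34.80: Flags [P.], seq 1:216, ack 1, win 64240, length 215
.....k...#.!...www.cj3vb6e45w2jryxzdnag5y.com.........
2012-10-07 08:37:09.633328 IP 172.16.253.131.3683 > 109.105.109.163.44945: Flags [P.], seq 1:216, ack 1, win 64240, length 215
.....k...#.!...www.5qik4mvxyrhrvkhfqjsfpe.com.........
2012-10-07 08:37:09.642012 IP 172.16.253.131.3686 > 188.40.51.146.8443: Flags [P.], seq 1:217, ack 1, win 64240, length 216
.....l...$."...www.lady4l6bof3jvzzkqqa7a2m.com.........
2012-10-07 08:37:09.642650 IP 172.16.253.131.3684 > 193.107.85.31.9001: Flags [P.], seq 1:200, ack 1, win 64240, length 199
.....[.........www.66ukjy.com.........
2012-10-07 08:37:09.653337 IP 172.16.253.131.3685 > 94.254.1.254.22: Flags [P.], seq 1:200, ack 1, win 64240, length 199
.....[.........www.bphjcw.com.........
"""

# One tcpdump summary line: timestamp, 5-tuple, TCP flags, payload length.
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\].*length (?P<len>\d+)$"
)
HOSTNAME = re.compile(r"www\.([a-z0-9]{4,25})\.com")   # server-name style in the dump
HTTP_HOST = re.compile(r"^Host: (\S+)", re.M)          # plain HTTP request header
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4}")


def parse_packets(text):
    """Group the -A output into (header_fields, payload_text) records."""
    packets = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            packets.append((m.groupdict(), []))
        elif packets:
            packets[-1][1].append(line)   # ASCII dump lines belong to the last header
    return [(h, "\n".join(p)) for h, p in packets]


def looks_random(label):
    """Heuristic (assumed): generated labels mix in digits, run many consonants, or lack vowels."""
    return bool(re.search(r"\d", label) or CONSONANT_RUN.search(label)
                or not re.search(r"[aeiouy]", label))


def analyze(text, min_flows=3):
    """Return the indicators found in one capture plus a boolean verdict."""
    ip_check, sni_flows = [], []
    for hdr, payload in parse_packets(text):
        if "P" not in hdr["flags"]:
            continue                      # only segments that carry data
        host = HTTP_HOST.search(payload)
        if host and host.group(1) == "checkip.dyndns.org":
            ip_check.append({"ts": hdr["ts"], "src": hdr["src"], "dst": hdr["dst"]})
        for label in HOSTNAME.findall(payload):
            if looks_random(label):
                sni_flows.append({"ts": hdr["ts"], "src": hdr["src"], "dst": hdr["dst"],
                                  "dport": int(hdr["dport"]), "host": "www.%s.com" % label})
    # Verdict rule (assumed): the host that did the external-IP lookup then
    # opened at least min_flows such connections within the same capture.
    srcs = {f["src"] for f in sni_flows}
    suspicious = any(c["src"] in srcs for c in ip_check) and len(sni_flows) >= min_flows
    return {"ip_check": ip_check, "sni_flows": sni_flows,
            "dst_ports": sorted({f["dport"] for f in sni_flows}), "suspicious": suspicious}


if __name__ == "__main__":
    result = analyze(SAMPLE)
    print("external IP lookups:", len(result["ip_check"]))
    for f in result["sni_flows"]:
        print("%s %s -> %s:%d  name=%s" % (f["ts"], f["src"], f["dst"], f["dport"], f["host"]))
    print("destination ports:", result["dst_ports"], "suspicious:", result["suspicious"])
```

Run it as-is to see the summary for the excerpt, or call analyze() on the text of a real `tcpdump -A` run. The combination matters more than either piece: an external-IP check is common on its own, but followed within seconds by TLS-looking pushes to ports such as 22, 80, 8443, 9001 and 44945 that all carry throwaway www.<random>.com names (the server-name pattern Tor clients use toward relays), it is a cheap triage signal for this family of traffic.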
