HISTORICAL Malware Sample – CryptoLocker Ransomware – Traffic Sample Indicators Analysis

By | July 25, 2015

2012-10-04 09:29:31.118093 IP 192.168.248.165.53 > 4.2.2.2.53: 16567+ A? jbtuehcyosios.info. (36)


2012-10-04 09:29:31.159025 IP 8.8.8.8.53 > 192.168.248.165.53: 16567 NXDomain 0/1/0 (96)


2012-10-04 09:29:31.159472 IP 192.168.248.165.53 > 8.8.8.8.53: 60444+ A? jbtuehcyosios.info.localdomain. (48)


2012-10-04 09:29:31.159555 IP 192.168.248.165.53 > 4.2.2.2.53: 60444+ A? jbtuehcyosios.info.localdomain. (48)


2012-10-04 09:29:31.168602 IP 4.2.2.2.53 > 192.168.248.165.53: 60444 NXDomain 0/1/0 (123)


2012-10-04 09:29:31.207603 IP 4.2.2.2.53 > 192.168.248.165.53: 16567 NXDomain 0/1/0 (96)


2012-10-04 09:29:31.236517 IP 8.8.8.8.53 > 192.168.248.165.53: 60444 NXDomain 0/1/0 (123)


2012-10-04 09:29:32.165014 IP 192.168.248.165.53 > 8.8.8.8.53: 54805+ A? ditmupqkdlfdh.com. (35)


2012-10-04 09:29:32.165104 IP 192.168.248.165.53 > 4.2.2.2.53: 54805+ A? ditmupqkdlfdh.com. (35)


2012-10-04 09:29:32.207764 IP 8.8.8.8.53 > 192.168.248.165.53: 54805 NXDomain 0/1/0 (108)


2012-10-04 09:29:32.208233 IP 192.168.248.165.53 > 8.8.8.8.53: 22226+ A? ditmupqkdlfdh.com.localdomain. (47)


2012-10-04 09:29:32.208315 IP 192.168.248.165.53 > 4.2.2.2.53: 22226+ A? ditmupqkdlfdh.com.localdomain. (47)


2012-10-04 09:29:32.214461 IP 4.2.2.2.53 > 192.168.248.165.53: 22226 NXDomain 0/1/0 (122)


2012-10-04 09:29:32.252646 IP 4.2.2.2.53 > 192.168.248.165.53: 54805 NXDomain 0/1/0 (108)


2012-10-04 09:29:32.288520 IP 8.8.8.8.53 > 192.168.248.165.53: 22226 NXDomain 0/1/0 (122)


2012-10-04 09:29:33.211438 IP 192.168.248.165.53 > 8.8.8.8.53: 52180+ A? exoookmtloauh.net. (35)


2012-10-04 09:29:33.211543 IP 192.168.248.165.53 > 4.2.2.2.53: 52180+ A? exoookmtloauh.net. (35)


2012-10-04 09:30:23.304883 IP 192.168.248.165.1113 > 176.119.0.216.80: Flags [P.], seq 1:264, ack 1, win 64240, length 263

POST /home/ HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Host: rwyngtbvunfpk.org

Content-Length: 192

Connection: Close

2012-10-04 09:30:23.304970 IP 192.168.248.165.1113 > 176.119.0.216.80: Flags [P.], seq 264:456, ack 1, win 64240, length 192


2012-10-04 09:30:23.305037 IP 176.119.0.216.80 > 192.168.248.165.1113: Flags [.], ack 264, win 64240, length 0


2012-10-04 09:30:23.305095 IP 176.119.0.216.80 > 192.168.248.165.1113: Flags [.], ack 456, win 64240, length 0


2012-10-04 09:30:24.072438 IP 176.119.0.216.80 > 192.168.248.165.1113: Flags [P.], seq 1:192, ack 456, win 64240, length 191

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Tue, 15 Oct 2013 20:11:52 GMT

Content-Type: application/octet-stream

Transfer-Encoding: chunked

Connection: close

10
