LURK0 Remote Access Trojan Malware Traffic Sample Hard to Detect – port 9494

By | June 18, 2015

2012-10-07 02:59:50.712242 IP 172.16.253.132.1083 > 216.176.190.44.9494: Flags [P.], seq 1:152, ack 1, win 64240, length 151
E….|@….J…….,.;%…..Z…P…q…LURK0……..x.kf.e.apgpbpa0c..#……..
L.>…!`1..f.rF…….$..#….
………..fHe(b(c.dH………l ..:..r..”…!..P
….v…V`z0d0`0…/.T…..g.)
2012-10-07 02:59:50.712552 IP 216.176.190.44.9494 > 172.16.253.132.1083: Flags [.], ack 152, win 64240, length 0
E..(0y………,….%..;Z…….P………….
2012-10-07 02:59:51.262392 IP 216.176.190.44.9494 > 172.16.253.132.1083: Flags [P.], seq 1:23, ack 152, win 64240, length 22
E..>0z………,….%..;Z…….P…….LURK0……..x.c……
2012-10-07 02:59:51.363241 IP 216.176.190.44.9494 > 172.16.253.132.1083: Flags [P.], seq 1:23, ack 152, win 64240, length 22
E..>0{………,….%..;Z…….P…….LURK0……..x.c……
2012-10-07 02:59:51.363279 IP 172.16.253.132.1083 > 216.176.190.44.9494: Flags [.], ack 23, win 64218, length 0
E..(.}@…………,.;%…..Z…P…….
2012-10-07 03:02:09.348274 ARP, Reply 172.16.253.254 is-at 00:50:56:e9:70:ec, length 46
………PV.p…….)..m………………….
2012-10-07 03:02:09.348283 IP 172.16.253.132.68 > 172.16.253.254.67: BOOTP/DHCP, Request from 00:0c:29:8f:d5:6d, length 301
E..I.~……………D.C.5q…..j…………………….)..m………………………………………………………………………………………………………………………………………………………………………………….c.Sc5..=….)..m..DellXTQ
…DellXT.<.MSFT 5.07.....,./.!.++.....
2012-10-07 03:02:09.352480 IP 172.16.253.254.67 > 172.16.253.132.68: BOOTP/DHCP, Reply, length 300
E..H……U……….C.D.4Gp….j…………………….)..m………………………………………………………………………………………………………………………………………………………………………………….c.Sc5..6…..3………….localdomain…………,………….
2012-10-07 03:02:51.283899 ARP, Reply 172.16.253.2 is-at 00:50:56:f2:7a:09, length 46
………PV.z ……)..m………………….
2012-10-07 03:02:51.283908 IP 172.16.253.132.1083 > 216.176.190.44.9494: Flags [.], seq 151:152, ack 23, win 64218, length 1
E..)..@…………,.;%…..Z…P……..
2012-10-07 03:02:51.284129 IP 216.176.190.44.9494 > 172.16.253.132.1083: Flags [.], ack 152, win 64240, length 0
E..(0……….,….%..;Z…….P………….
2012-10-07 03:05:51.314934 IP 172.16.253.132.1083 > 216.176.190.44.9494: Flags [.], seq 151:152, ack 23, win 64218, length 1
E..)..@…………,.;%…..Z…P……..
2012-10-07 03:05:51.315103 IP 216.176.190.44.9494 > 172.16.253.132.1083: Flags [.], ack 152, win 64240, length 0
E..(0……….,….%..;Z…….P………….
2012-10-07 03:08:51.346272 ARP, Reply 172.16.253.2 is-at 00:50:56:f2:7a:09, length 46
………PV.z ……)..m………………….
2012-10-07 03:08:51.346285 IP 172.16.253.132.1083 > 216.176.190.44.9494: Flags [.], seq 151:152, ack 23, win 64218, length 1
E..)..@…………,.;%…..Z…P……..
2012-10-07 03:08:51.346376 IP 216.176.190.44.9494 > 172.16.253.132.1083: Flags [.], ack 152, win 64240, length 0
E..(0……….,….%..;Z…….P………….
2012-10-07 03:09:49.881251 IP 216.176.190.44.9494 > 172.16.253.132.1083: Flags [R.], seq 23, ack 152, win 64240, length 0
E..(0……….,….%..;Z…….P………….
2012-10-07 03:09:50.835687 IP 172.16.253.132.53 > 8.8.8.8.53: 2215+ A? messsagermail.dynamicdns.org.uk. (49)
E..M…….x………5.5.9C…………..messsagermail
dynamicdns.org.uk…..
2012-10-07 03:09:50.835792 IP 172.16.253.132.53 > 4.2.2.2.53: 2215+ A? messsagermail.dynamicdns.org.uk. (49)
E..M……………..5.5.9M…………..messsagermail
dynamicdns.org.uk…..
2012-10-07 03:09:50.926424 IP 4.2.2.2.53 > 172.16.253.132.53: 2215 1/0/0 A 216.176.190.44 (65)
E..]0…..ZI………5.5.I……………messsagermail
dynamicdns.org.uk………………..,
2012-10-07 03:09:50.926935 IP 172.16.253.132.1086 > 216.176.190.44.9494: Flags [S], seq 3287605276, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@…………,.>%………p…zV……….
2012-10-07 03:09:50.950082 IP 8.8.8.8.53 > 172.16.253.132.53: 2215 1/0/0 A 216.176.190.44 (65)
E..]0…..P<.........5.5.I...............messsagermail dynamicdns.org.uk....................,
2012-10-07 03:09:51.017925 IP 216.176.190.44.9494 > 172.16.253.132.1086: Flags [S.], seq 2056539527, ack 3287605277, win 64240, options [mss 1460], length 0
E..,0……….,….%..>z.M…..`….0……..
2012-10-07 03:09:51.017980 IP 172.16.253.132.1086 > 216.176.190.44.9494: Flags [.], ack 1, win 64240, length 0
E..(..@…………,.>%…..z.M.P…….
2012-10-07 03:09:51.019320 IP 172.16.253.132.1086 > 216.176.190.44.9494: Flags [P.], seq 1:152, ack 1, win 64240, length 151
E…..@….>…….,.>%…..z.M.P…2…LURK0……..x.kf.e.apgpbpa0c..#……..
L.>…!`1..f.rF…….$..#….
………..fHe(b(c.dH………l ..:..r..”…!..P
….v…V`z0d0`0…/.T…..g.)
2012-10-07 03:09:51.019610 IP 216.176.190.44.9494 > 172.16.253.132.1086: Flags [.], ack 152, win 64240, length 0
E..(0……….,….%..>z.M…..P….V……..
2012-10-07 03:09:51.573722 IP 216.176.190.44.9494 > 172.16.253.132.1086: Flags [P.], seq 1:23, ack 152, win 64240, length 22
E..>0……….,….%..>z.M…..P…r…LURK0……..x.c……
2012-10-07 03:09:51.674790 IP 216.176.190.44.9494 > 172.16.253.132.1086: Flags [P.], seq 1:23, ack 152, win 64240, length 22
E..>0……….,….%..>z.M…..P…r…LURK0……..x.c……
2012-10-07 03:09:51.674819 IP 172.16.253.132.1086 > 216.176.190.44.9494: Flags [.], ack 23, win 64218, length 0
E..(..@…………,.>%…..z.M.P….V..
2012-10-07 03:12:51.533841 ARP, Reply 172.16.253.2 is-at 00:50:56:f2:7a:09, length 46
………PV.z ……)..m………………….
2012-10-07 03:12:51.533852 IP 172.16.253.132.1086 > 216.176.190.44.9494: Flags [.], seq 151:152, ack 23, win 64218, length 1
E..)..@…………,.>%…..z.M.P….V…
2012-10-07 03:12:51.534015 IP 216.176.190.44.9494 > 172.16.253.132.1086: Flags [.], ack 152, win 64240, length 0
E..(0……….,….%..>z.M…..P….@……..
2012-10-07 03:15:51.565306 IP 172.16.253.132.1086 > 216.176.190.44.9494: Flags [.], seq 151:152, ack 23, win 64218, length 1
E..)..@…………,.>%…..z.M.P….V…
2012-10-07 03:15:51.565586 ARP, Reply 172.16.253.132 is-at 00:0c:29:8f:d5:6d, length 28
……….)..m…..PV.z ….
2012-10-07 03:15:51.565649 IP 216.176.190.44.9494 > 172.16.253.132.1086: Flags [.], ack 152, win 64240, length 0
E..(0……….,….%..>z.M…..P….@……..
2012-10-07 03:17:09.364180 ARP, Reply 172.16.253.254 is-at 00:50:56:e9:70:ec, length 46
………PV.p…….)..m………………….
2012-10-07 03:17:09.364189 IP 172.16.253.132.68 > 172.16.253.254.67: BOOTP/DHCP, Request from 00:0c:29:8f:d5:6d, length 301
E..I…….s………D.C.5.z…….C………………….)..m………………………………………………………………………………………………………………………………………………………………………………….c.Sc5..=….)..m..DellXTQ
…DellXT.<.MSFT 5.07.....,./.!.++.....
2012-10-07 03:17:09.368095 IP 172.16.253.254.67 > 172.16.253.132.68: BOOTP/DHCP, Reply, length 300
E..H……U……….C.D.4.#…….C………………….)..m………………………………………………………………………………………………………………………………………………………………………………….c.Sc5..6…..3………….localdomain…………,………….
2012-10-07 03:18:51.595856 ARP, Reply 172.16.253.2 is-at 00:50:56:f2:7a:09, length 46
………PV.z ……)..m………………….
2012-10-07 03:18:51.595867 IP 172.16.253.132.1086 > 216.176.190.44.9494: Flags [.], seq 151:152, ack 23, win 64218, length 1
E..)..@…………,.>%…..z.M.P….V…
2012-10-07 03:18:51.595973 IP 216.176.190.44.9494 > 172.16.253.132.1086: Flags [.], ack 152, win 64240, length 0
E..(0……….,….%..>z.M…..P….@……..
2012-10-07 03:19:49.912062 IP 216.176.190.44.9494 > 172.16.253.132.1086: Flags [R.], seq 23, ack 152, win 64240, length 0
E..(0……x…,….%..>z.M…..P….<........
2012-10-07 03:19:50.537806 IP 172.16.253.132.53 > 8.8.8.8.53: 50368+ A? messsagermail.dynamicdns.org.uk. (49)
E..M…….l………5.5.9……………messsagermail
dynamicdns.org.uk…..
2012-10-07 03:19:50.538023 IP 172.16.253.132.53 > 4.2.2.2.53: 50368+ A? messsagermail.dynamicdns.org.uk. (49)
E..M…….w………5.5.9……………messsagermail
dynamicdns.org.uk…..
2012-10-07 03:19:50.627745 IP 4.2.2.2.53 > 172.16.253.132.53: 50368 1/0/0 A 216.176.190.44 (65)
E..]0…..Z……….5.5.I……………messsagermail
dynamicdns.org.uk………………..,
2012-10-07 03:19:50.628180 IP 172.16.253.132.1089 > 216.176.190.44.9494: Flags [S], seq 1844832120, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@…………,.A%.m..x….p……………
2012-10-07 03:19:50.643566 IP 8.8.8.8.53 > 172.16.253.132.53: 50368 1/0/0 A 216.176.190.44 (65)
E..]0…..P……….5.5.I……………messsagermail
dynamicdns.org.uk………………..,
2012-10-07 03:19:50.719687 IP 216.176.190.44.9494 > 172.16.253.132.1089: Flags [S.], seq 216339604, ack 1844832121, win 64240, options [mss 1460], length 0
E..,0……q…,….%..A….m..y`….s……..
2012-10-07 03:19:50.719730 IP 172.16.253.132.1089 > 216.176.190.44.9494: Flags [.], ack 1, win 64240, length 0
E..(..@…………,.A%.m..y….P….0..
2012-10-07 03:19:50.721078 IP 172.16.253.132.1089 > 216.176.190.44.9494: Flags [P.], seq 1:152, ack 1, win 64240, length 151
E…..@….2…….,.A%.m..y….P…’…LURK0……..x.kf.e.apgpbpa0c..#……..
L.>…!`1..f.rF…….$..#….
………..fHe(b(c.dH………l ..:..r..”…!..P
….v…V`z0d0`0…/.T…..g.)
2012-10-07 03:19:50.721318 IP 216.176.190.44.9494 > 172.16.253.132.1089: Flags [.], ack 152, win 64240, length 0
E..(0……t…,….%..A….m…P………….
2012-10-07 03:19:51.369398 IP 216.176.190.44.9494 > 172.16.253.132.1089: Flags [P.], seq 1:23, ack 152, win 64240, length 22
E..>0……]…,….%..A….m…P…g…LURK0……..x.c……
2012-10-07 03:19:51.470568 IP 216.176.190.44.9494 > 172.16.253.132.1089: Flags [P.], seq 1:23, ack 152, win 64240, length 22
E..>0……\…,….%..A….m…P…g…LURK0……..x.c……
2012-10-07 03:19:51.470601 IP 172.16.253.132.1089 > 216.176.190.44.9494: Flags [.], ack 23, win 64218, length 0
E..(..@…………,.A%.m…….P…….
2012-10-07 03:22:51.346217 ARP, Reply 172.16.253.2 is-at 00:50:56:f2:7a:09, length 46
………PV.z ……)..m………………….
2012-10-07 03:22:51.346231 IP 172.16.253.132.1089 > 216.176.190.44.9494: Flags [.], seq 151:152, ack 23, win 64218, length 1
E..)..@…………,.A%.m…….P……..
2012-10-07 03:22:51.346330 IP 216.176.190.44.9494 > 172.16.253.132.1089: Flags [.], ack 152, win 64240, length 0
E..(0……c…,….%..A….m…P………….
2012-10-07 03:25:51.377832 ARP, Reply 172.16.253.2 is-at 00:50:56:f2:7a:09, length 46
………PV.z ……)..m………………….
2012-10-07 03:25:51.377844 IP 172.16.253.132.1089 > 216.176.190.44.9494: Flags [.], seq 151:152, ack 23, win 64218, length 1
E..)..@…………,.A%.m…….P……..
2012-10-07 03:25:51.377912 IP 216.176.190.44.9494 > 172.16.253.132.1089: Flags [.], ack 152, win 64240, length 0
E..(1 …..T…,….%..A….m…P………….
2012-10-07 03:28:51.409006 ARP, Reply 172.16.253.2 is-at 00:50:56:f2:7a:09, length 46
………PV.z ……)..m………………….
2012-10-07 03:28:51.409021 IP 172.16.253.132.1089 > 216.176.190.44.9494: Flags [.], seq 151:152, ack 23, win 64218, length 1
E..)..@…………,.A%.m…….P……..
2012-10-07 03:28:51.409144 IP 216.176.190.44.9494 > 172.16.253.132.1089: Flags [.], ack 152, win 64240, length 0
E..(1……E…,….%..A….m…P………….
2012-10-07 03:29:50.002892 IP 216.176.190.44.9494 > 172.16.253.132.1089: Flags [R.], seq 23, ack 152, win 64240, length 0
E..(1……@…,….%..A….m…P………….
2012-10-07 03:29:50.846561 IP 172.16.253.132.53 > 8.8.8.8.53: 5921+ A? messsagermail.dynamicdns.org.uk. (49)
E..M…….a………5.5.95Z.!………..messsagermail
dynamicdns.org.uk…..
2012-10-07 03:29:50.846685 IP 172.16.253.132.53 > 4.2.2.2.53: 5921+ A? messsagermail.dynamicdns.org.uk. (49)
E..M…….l………5.5.9?f.!………..messsagermail
dynamicdns.org.uk…..
2012-10-07 03:29:50.899554 IP 8.8.8.8.53 > 172.16.253.132.53: 5921 1/0/0 A 216.176.190.44 (65)
E..]1…..O……….5.5.I.a.!………..messsagermail
dynamicdns.org.uk………………..,
2012-10-07 03:29:50.900093 IP 172.16.253.132.1090 > 216.176.190.44.9494: Flags [S], seq 1307230513, win 64240, options [mss 1460,nop,nop,sackOK], length 0
:
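Every data push in the capture above starts with the 5-byte marker LURK0 at the beginning of the TCP payload, and the bytes printed as `x.` right after it are the start of a zlib stream; the client check-in is 151 bytes and the server's reply is 22 bytes. The following parser is an added example written for this page (not code from the post or from the malware): it assumes the Gh0st RAT family's frame layout for LURK0 (magic, two little-endian 32-bit lengths, zlib body), builds constructed test frames, and shows that a one-byte command compresses to exactly the 22-byte reply size seen on port 9494.

```python
import struct
import zlib

MAGIC = b"LURK0"   # marker at the start of every push in the capture
HEADER_LEN = 13    # assumed Gh0st-family layout: magic(5) + total_len(u32 LE) + raw_len(u32 LE)


def build_frame(body: bytes) -> bytes:
    """Build a LURK0 frame from a plaintext body (constructed, for testing only)."""
    comp = zlib.compress(body)
    total = HEADER_LEN + len(comp)
    return MAGIC + struct.pack("<II", total, len(body)) + comp


def parse_frame(payload: bytes):
    """Return (raw_len, body) if payload is a well-formed LURK0 frame, else None."""
    if len(payload) < HEADER_LEN or payload[:5] != MAGIC:
        return None
    total, raw_len = struct.unpack("<II", payload[5:HEADER_LEN])
    if total != len(payload):
        return None          # length field disagrees with the observed segment
    try:
        body = zlib.decompress(payload[HEADER_LEN:])
    except zlib.error:
        return None          # marker present but no valid zlib stream behind it
    if len(body) != raw_len:
        return None
    return raw_len, body


def find_lurk0(payloads):
    """Indices of TCP payloads (one per segment) that parse as LURK0 frames."""
    return [i for i, p in enumerate(payloads) if parse_frame(p) is not None]


# Constructed sample traffic: a server acknowledgement carrying a single command
# byte (22 bytes, the size of the server->client pushes in the capture), a larger
# client frame, and unrelated data that must not match.
SERVER_ACK = build_frame(b"\x00")
SAMPLE_PAYLOADS = [
    b"GET / HTTP/1.1\r\n",
    SERVER_ACK,
    b"LURK0garbage",
    build_frame(b"A" * 100),
]

if __name__ == "__main__":
    print("server ack length:", len(SERVER_ACK))          # 22
    print("LURK0 frames at:", find_lurk0(SAMPLE_PAYLOADS))  # [1, 3]
```

Because the marker sits at a fixed offset and the two length fields must agree with the segment and the inflated body, a content match on `LURK0` at TCP payload offset 0 plus the length check gives a far lower false-positive rate than the port number alone.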
