HISTORICAL Malware Sample – ZA/ZeroAccess/Sirefef – Traffic Sample Indicators Analysis

By | July 25, 2015

2012-10-04 00:34:27.740841 IP 192.168.106.131.1164 > 91.242.217.247.53: 25352 op6 [b2&3=0x3625] [40600a] [36508q] [18538n] [27703au][|domain]

E..0M.........j.[......5...     c.6%....Hjl7(pzb\Y..

2012-10-04 00:34:27.741102 IP 192.168.106.131.1164 > 66.85.130.234.53: 25352 op6 [b2&3=0x3625] [40600a] [36508q] [18538n] [27703au][|domain]

E..0M......`..j.BU.....5....c.6%....Hjl7(pzb\Y..

2012-10-04 00:34:27.743925 IP 192.168.106.131.1166 > 91.242.217.247.53: 25352 op6 [b2&3=0x3625] [40600a] [63388q] [18538n] [27703au][|domain]

E..0M.........j.[......5...yc.6%....Hjl7(pzb....

2012-10-04 00:34:27.744167 IP 192.168.106.131.1166 > 66.85.130.234.53: 25352 op6 [b2&3=0x3625] [40600a] [63388q] [18538n] [27703au][|domain]

E..0M......^..j.BU.....5.._$c.6%....Hjl7(pzb....

2012-10-04 00:34:27.778781 IP 192.168.106.131.1168 > 91.242.217.247.53: 25352 op6 [b2&3=0x362

2012-10-04 00:37:34.728407 IP 192.168.106.131.1195 > 81.17.18.18.12757: Flags [P.], seq 1:183, ack 1, win 64240, length 182

E...N.@.......j.Q.....1.s...I.0wP...x....rws`prr'!.p.q?......W@4F\BYZ..........WA0Y?!;7YJ\BWA0Y%......Y<&YG\CWA0Y&......W@4F\BWA0Y\<7&F\B1WA0Y\<7&F\B7WA0Y\<7&Y1> Y@\B\GBE@EWA0Y\<7&Y1> YA\B\BFGBD\DFJWA0Y\<7&Y1> YA\G\@CB@@[r

2012-10-04 00:37:34.728625 IP 81.17.18.18.12757 > 192.168.106.131.1195: Flags [.], ack 183, win 64240, length 0

E..(.l....%.Q.....j.1...I.0ws...P.............

2012-10-04 00:37:34.834438 IP 81.17.18.18.12757 > 192.168.106.131.1195: Flags [P.], seq 1:85, ack 183, win 64240, length 84

E..|.m....$.Q.....j.1...I.0ws...P...tf..prrrwrrr}rrr.rrr..$...........

\..rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr

2012-10-04 00:37:34.934982 IP 81.17.18.18.12757 > 192.168.106.131.1195: Flags [P.], seq 1:85, ack 183, win 64240, length 84

E..|.n....$.Q.....j.1...I.0ws...P...tf..prrrwrrr}rrr.rrr..$...........

\..rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr

2012-10-04 00:37:34.935009 IP 192.168.106.131.1195 > 81.17.18.18.12757: Flags [.], ack 85, win 64156, length 0

E..(N.@.......j.Q.....1.s...I.0.P.......

2012-10-04 00:37:35.550367 IP 192.168.106.131.1187 > 117.200.22.252.16464: UDP, length 16

E..,N.....3...j.u.....@P...&.QVF(.........M.

2012-10-04 00:37:36.230318 IP 81.17.18.18.12757 > 192.168.106.131.1195: Flags [P.], seq 85:1345, ack 183, win 64240, length 1260

E....o.... &Q.....j.1...I.0.s...P....o..>frr9rrr4rrr............\...]M....O.D....C.....K..J

.G......F......A.D..DC.@...T

ODT.OCET......O.........Y.......Y.........rKprr....H]].......\...].\...M.O...W@4.."%#$..7%(.3.W@4.!.@5'=A.(5W@4.$..CFD5D.....B.>5.1G%?'*.$..!......3.#K&"<.(=W@4..4....B'.9..&6F..3..6..5.=.3.69$@.9'+'.W@41J ::.B+C.#$..?..8=7

W@0.:A.$.W@48.#.(.C@.=....4

?9#A&..5.%J....9.>7W@0..3.F.%( 1..".=1(@W@4+.5J90(.<5740.:..0.;.@3@.1?W@49..G

..*E34B9+W@491=D=E.8.?..

+..'..:.F&..A7..<.D.4.G09A.5&6G.0..W@0.6..?....W@4.<9.

..0@K.9F..$.....?..A@K?@=.D.KJ.=..W@0B@..E.7(..&%=$"&.5&..6...F4FJ...G.7?:E%.F...W@0B;.4"7.FB&5C.A.$4'..<..&J....K.*!?%G....5;.D.#">....;%;9$@GCW@4D....+.AKD10W@0

.!+>........A.W@0..W@09..".9#;$'W@4GW@04.%..9.6*4.5B..".#..""GF...KFA..:.BE..%...'0.16D ....!.#....F.+..E0'07'.@J"..3%F5@.....

.W@0E$!'7.3+.B.GF.W@4.8*...'..9.8A&...9$.$'.?


2012-10-04 00:37:49.028839 IP 192.168.106.131.1200 > 199.115.119.13.80: Flags [.], seq 1:1461, ack 1, win 64240, length 1460

E...O.@...<P..j..sw^M...P....I..QP...

...GET /?p=lk806QwfNfVdqAZnc%2BYIaBKgVdzY3n8w0accMw2b5wy2fFBIVfXwjOFMFGLy%2BvMTNIDs1NffyJaeL%2FppsGtmWy8EgoAobXh0YiVeLtUqkrylPvkVUatIEOdy4kWRekUhlpnvWg5qVs6iaVBB4GffBC

mdopZJNy5WsBqha4wcTh5Q%2F0W3xozHggKrWTgDMP5ZliZuJeovkDkc2jSw95qhdFf3PDYekLfQliZuJeovkDmWJm4l6i%2BQOY4urMbCJxrnUZ15JxKUzn3yhvJBJ5quFihMHIj4SFO9dBQRZaKB89iRIArnKdz3m3cy5

8egtpejC%2BtTi5xliFOfbyHqJWbzO4FM%2F%2BVVnXcr2Kb8jxI6u9WmwXze9PgBqN1lBj%2BCpxUSb3uXCq47E%2FCefRYsWo9tSYr9ZX%2F9motzShY42tXaKjFp9EF08WGwDMPyedqpkcJ5yG%2BqtjSuYzhFh86uy%

2F%2BFzfPeLkN7fdkzinUhx1RvrO4bMKJsoc%2BaSUJuuTu4FOcxWenWgxa5NSpw9OOtE71QlzjdywsDAGru%2BA9Fj0aPv9mTMR4S5%2Ffd8ixZ9crRbJ9IbN3GWCB1%2Bb%2F32aYZgjVbvWIlXi7VKpK8a0vg6kF4Uut

U%2B7MFqnYqe4QSL3QBb%2FpUy7vF3VGDTjGHaZnN44A7oHfPgSM97Spjq9GqQRzBOeUqEsnRSSlWnsh7NmTamGYFgYqHXLj0oVhm03q%2FYk%2B7iyLIolGfQ6hUk4UxNtEgGv9B49vOcCu6ryzeLUrELNZABSEFD7lGLM

HL3phVb2qTsBZUEy0ouE286omhLh6OmlbynOLh9It05acB75gtQj0bKVaRw6b2KcKcNa%2BvjdFAYCnesXV32nJYgpOk%2Fz0UIWTfNbEqmIhOFyhaGJj8Zr52pu7P20FZduYatgyD3BthvJ69pdXYIqDI15NlHcwJXqMIy

7Mj%2FvOsqaPnnvWq%2B%2FuFB9x9EtYvlbzFg79pwA%2FmCH%2Fdrtr9LhifO1ZX7uELy58ebY1MPY5k6l62M5p2Zv5tD8ZcqU3dJOwDWCbohiH4zvic3zvte%2FKO1vJ8zZ%2FrAIBkxe1C2fSw1VhmuYBrsjcCUT1aug

Y7mTWtuIUt%2BLUP%2BT0yVwDDsDJoyXfv7dk7Wk9K41%2FCvAR0WJ6yu9OLm5j4nOvWcyMJBsr5P1lr4kFrBgRx7KUmtZTt1H%2B4HviSvg%2BF9vBrgr1k9mSwGzibWHcb5%2FrFOD0a86z2h%2F6pPO2HUgrV5gqYBfc

qV6S9VXJ3ZNeRCWkUIo%2FfR7%2BxTIEIHTSRPB6X1e6NTO%2FAXWh1q6cUvxL09VK0WvwNONVrwU9qn2Q3FyMmk1FLAq8F1oa32a9880Qck%2FNI94uPKQmyfzWSDU

2012-10-04 00:37:49.028954 IP 192.168.106.131.1200 > 199.115.119.13.80: Flags [P.], seq 1461:1930, ack 1, win 64240, length 469

E...O @...@...j..sw^M...P....I..QP....e..MIW%2Fh%2BxFmZOoen3UZddZP%2BPV%2F%2FIiRLhssl3PM8luJ2pKpOQl55djXvEw6TAx1Wi2zLlct%2FIIwk HTTP/1.1

Accept: */*

Referer: http://sealaboratory.com/?afdt=aqt0w9f0w7u05m6xx18jwx9u2k03p1bidjzoquuc4le4&x=6&y=23&search=gordon+le+bleu

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Host: 5565.mnstr3.com

Connection: Keep-Alive

2012-10-04 00:37:55.202581 IP 192.168.106.131.1201 > 66.45.56.124.80: Flags [P.], seq 1:1084, ack 1, win 64240, length 1083

E..cO2@.......j.B-8|...P.L[<V.A!P.......GET /results/?partnerid=114396&appid=0&subid=1358612989_1297530&ip=128.164.107.221&cid=259701&entry=gordon%20le%20bleu&ronMin=0.000100&mb=0.000100&qs=[...] HTTP/1.1

Accept: */*

Referer: http://sealaboratory.com/?afdt=aqt0w9f0w7u05m6xx18jwx9u2k03p1bidjzoquuc4le4&x=6&y=23&search=gordon+le+bleu

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Host: redirect.ad-feeds.com

Connection: Keep-Alive


2013-02-03 20:30:51.276818 IP 172.16.253.132.1057 > 209.68.32.176.80: Flags [P.], seq 1:159, ack 1, win 64240, length 158

E....?@...^i.....D ..!.P..X.....P....q..GET /count.php?page=952020&style=LED_g&nbdigits=9 HTTP/1.1

Host: www.e-zeeinternet.com

User-Agent: Opera/10 (Windows NT 5.1; US; x86)

Connection: close

2012-10-04 09:30:27.151622 IP 192.168.248.165.1136 > 31.184.245.202.12757: Flags [.], ack 6920, win 64240, length 0

E..(.l@...*..........p1..v<..5..P...Dh..

2012-10-04 09:30:27.152142 IP 31.184.245.202.12757 > 192.168.248.165.1136: Flags [P.], seq 6920:8148, ack 123, win 64240, length 1228

E..........e........1..p.5...v<.P...0o...+.7B.A...+5<F!;>3>.D!04>.9.._.E.B..;A:C....EG@:9-..GD5....D.5_-....EE-D.(K.KE.+$G.-...<-._:8E_..G.FE._.$...0..78.....AJ".."

..

._>EA(_A%6..'.".-.59A.:.(.G...K%.CJ..C...KA..A.K.<.A...>.G.&.BK....;..9!9.......*5:$.D...?.!

..".;.>..=3.C%...#%#.....4.$ J'4"..*@

'.;.D3.=B..$.!K7.

.+.(!..+.'.%A0.K...$?_..6.D.B4 9.'K.>.D3...<.+...5.'AB_K(....K$?#.G....9'...%.'8

.13..4G;.".6.C....

.. 8K4'...B."8""@.+41.E>3.._6 4:.@.8*..7D9$!.+.....'..4#(C.8..G-.07*35A"!-'4B<.1.*F8..:.>=....?8B4$<'.D.1C.#-$=?:.B&_;>><. !4E.(+#4.(..A......J-+.6#C<8>.<'.7:??.36E.4@=>%9"J;G.F5...;.%*.C8.EE'.FDB.?...J..E....8E*@<#*..%+(5<...B.*3.J<.".;'0:8.:.B."C".@<.;. %.+!?9$6.0..*..4.0."=.8 ;.._@.5#8D>.0.(3B$.&..B..'.4...

..==G....3E...= .$_A&D'9BA..:4.@.%>J.&B%?B;8+
