
Malware Traffic Analysis, Traffic Samples and Indicators

NCAT Netcat SSL Encrypted Reverse Shell Traffic Sample


2016-05-01 23:11:41.692557 IP 192.168.1.100.45234 > 192.168.1.146.4444: Flags [P.], seq 3069619205:3069619722, ack 3074840645, win 229, options [nop,nop,TS val 653342430 ecr 1226892542], length 517
E..9..@.@......d.......\.....FXE.....r.....
&.6.I .............Mjw...0....e7....s..J&.._..>p.......0.,.(.$...
...........k.j.i.h.9.8.7.6...........2...*.&.......=.5.../.+.'.#...       .........g.@.?.>.3.2.1.0.........E.D.C.B...1.-.).%.......<./...A............................
.....#.........192.168.1.146.........
...........................     .
.#..... ......................................................................................................................................................................................................................
2016-05-01 23:11:41.696528 IP 192.168.1.146.4444 > 192.168.1.100.45234: Flags [P.], seq 1:604, ack 517, win 260, options [nop,nop,TS val 1226892544 ecr 653342430], length 603
E...b-@............d.\...FXE...
....Uw.....
I ..&.6.....5...1..W&.j....KyI.....f.*;..k.<.P.......5..        ......#................ 0...0..n.........Q20..  *.H........0.1.0...U... localhost0...160502031122Z..170502031122Z0.1.0...U...   localhost0..0.. *.H............0.......i.........K.&.......Y.....d.....(...y....,*.O.{......*2....p..!.&9E.....4I......:.+.,....o.5......e..;G.*l..ty.m.2,..t.....;.........d0b0...U....0..     localhost0J.    `.H...B...=.;Automatically generated by Ncat. See http://nmap.org/ncat/.0..     *.H............m...<..`..n=...+.DRx[..~.d..Y..W.....]..n.CA....v...i..9..q7 .-....%...#......&t&.";.X....n...:...P..%.l.m...@.....\....Z.6].L...........
2016-05-01 23:11:41.697293 IP 192.168.1.100.45234 > 192.168.1.146.4444: Flags [P.], seq 517:715, ack 604, win 238, options [nop,nop,TS val 653342431 ecr 1226892544], length 198
E.....@.@......d.......\...
.FZ......3.....
&.6.I .............R.p. ~/X..Z.../...d.(..X.o..9.M.     ....k1;pI.b.....O.0].#<O.O6....k....../.m[.u......>.,........)|.o.....W.......(N.1@..B...@0a$b,..........0.....H..V....2_.+
F..Rv.....<.3...l.g.g..X......
2016-05-01 23:11:41.699126 IP 192.168.1.146.4444 > 192.168.1.100.45234: Flags [P.], seq 604:854, ack 715, win 259, options [nop,nop,TS val 1226892547 ecr 653342431], length 250
E...b.@....U.......d.\...FZ.........M[.....
I ..&.6..........................nV.Or.......G.7.3._Y.N.[.C.l.q...!h..e.....s..D..z.&..w..\...s..G...-....."..~X.i.D4....AW.#a...].....H..x^N...z.....}U.&~@o..8...;f.....    ...q.."..v..K2.....F....).T...<...............0.3'_..T,g.......`.=D<&...xc.....9.+.u.nZ...hN.4.
2016-05-01 23:11:41.736136 IP 192.168.1.146.4444 > 192.168.1.100.45234: Flags [P.], seq 854:1135, ack 715, win 259, options [nop,nop,TS val 1226892586 ecr 653342441], length 281
E..Mb/@....5.......d.\...F[.........p<.....
I .*&.6.....@F7..b..P..........*....3.S.-/.     KJ..&-......y.B5.b
8":.kr+....g...... x.T....      I.9...tN.&0....}...$.m.q....PP.z..O.._.D%.| 0.....:.Zs.v....7_..k...e,;..<o;%.D}..
x...K..yS0*...(B...mPC........ .w{..[.1$X........".(...%..+g..%....0=.S.>..f.`a.W.?.S2.9MX...]X......!....e.).U.....
2016-05-01 23:11:53.192742 IP 192.168.1.100.45234 > 192.168.1.146.4444: Flags [P.], seq 715:752, ack 1135, win 257, options [nop,nop,TS val 653345305 ecr 1226892586], length 37
E..Y..@.@..w...d.......\.....F\............
&.B.I .*.... .Y^.q....oQ.=;...Jd...Dq."qL..h1
2016-05-01 23:11:53.193277 IP 192.168.1.146.4444 > 192.168.1.100.45234: Flags [P.], seq 1135:1172, ack 752, win 259, options [nop,nop,TS val 1226904043 ecr 653345305], length 37
E..YbD@............d.\...F\.........sP.....
I!..&.B..... ..5hn.&7y.H.PM9...u....n.Fi...k.
2016-05-01 23:11:53.194868 IP 192.168.1.146.4444 > 192.168.1.100.45234: Flags [P.], seq 1172:1225, ack 752, win 259, options [nop,nop,TS val 1226904045 ecr 653345305], length 53
E..ibE@............d.\...F\..........P.....
I!..&.B.....0`j.\'C>..jy.KKQ..CB...-6..<..Y*d)."....s...#D@4l
2016-05-01 23:11:53.195448 IP 192.168.1.146.4444 > 192.168.1.100.45234: Flags [P.], seq 1225:2113, ack 752, win 259, options [nop,nop,TS val 1226904045 ecr 653345305], length 888
E...bF@............d.\...F]..........e.....
I!..&.B.....`.I.....X..j... ..E.G....F!..............
......P...=.jg.....>A~.....?..S.u.....}.t..._..o.z...L'....@f5.i.V........6..G%c.Z.$....X.Q.}/)b.B..(s.;y...H..ZU...N.6..:.g.... ...G......{...7.1..|.%.R...... .....@)R.\{>..".K./wj}P...4iS..Lw....H.....
..Q.:.XK:r.B}....X.%....w...........&zpKN...`Kr.'9....0&...o.]:.[..M.=.........w.....D...+...._R./..>....0..{.O..cr..l...4.S.(..Q....[@..Z ;.......u....d".q.j.......$UTJ;...(r.... ..B....H.uh]....-".L!d@...+..P......P.pl.;....Z...7.0.^..Q.]..!.*.$$J.a     .a.^.......^..Z.O.x>;.....:Y.JE.....f.G..........PMfc..!;Y.n.&....R.t...<.&=.|..[Vq2x..|....?....g0W...[.m4.F.V.)..D_k.1..dE...F..M|.#..4.......]q.F.&..Y..b.|Z....y.X...;...[.5...3.F.....3.:B..bi....^.....,....s.y.Kf...\R.....+.3.J.....'...i..\.8..Ui..Mk@.;...\2.Iy..K..d8/.
q;.n.   .q(...>...m.nx.&..M.....8....O...'...6jk3...R..`.(..>.C#@......a,.V..H..]s..>.K.....u.&{.T.e;..1...90...M
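What the capture above shows, read from the cleartext parts of the handshake: 192.168.1.100:45234 connects to the listener 192.168.1.146:4444 and sends a 517-byte ClientHello (the cipher-suite list is the run of two-byte values, and the listener's address 192.168.1.146 appears as a literal where the SNI extension sits). The listener answers with 603 bytes of ServerHello plus Certificate, and the certificate is readable: subject and issuer are both CN=localhost, the UTCTime pair 160502031122Z..170502031122Z gives a validity of exactly one year starting 2016-05-02 03:11:22Z, and it carries the comment "Automatically generated by Ncat. See http://nmap.org/ncat/." Ncat writes that nsComment into the self-signed certificate it generates on the fly when --ssl is used without --ssl-cert/--ssl-key, so the string is a high-confidence indicator of an Ncat listener. The notBefore minute (03:11) matches the capture's wall clock (23:11 local); if the capturing host sits at UTC-4 the certificate was minted about 19 seconds before this connection, i.e. when the listener was started (an inference; tcpdump prints local time without a zone). Two caveats: the certificate is visible only because this is TLS 1.2 or earlier, under TLS 1.3 the Certificate message is encrypted and this indicator disappears; and which end is executing commands cannot be read off the wire, the 37-byte client record at 23:11:53 answered by 37, 53 and 888 bytes from the listener has the rhythm of an interactive session, but the content is encrypted. Port 4444 is a convention, not an indicator.

The following script, added here as a worked example (it is not code from the original post or from Ncat/Nmap, and parse_tcpdump_a, find_ncat_ssl_sessions and SAMPLE_CAPTURE are names chosen for it), pulls those indicators out of tcpdump -A text: it groups packets into flows, finds the flow whose server side sent the Ncat certificate marker, and reports endpoints, byte counts per direction and the certificate validity. SAMPLE_CAPTURE is constructed from the header lines of the capture above and the printable strings recoverable from its payloads; everything tcpdump -A printed as a dot is left as a dot.

```python
"""Indicators of an Ncat --ssl session, pulled from tcpdump -A text.
Added example, not code from the original post or from Ncat/Nmap; the
function names are chosen here and SAMPLE_CAPTURE is constructed from the
capture's header lines and recoverable printable strings."""
import re
from datetime import datetime

# nsComment that Ncat puts in the self-signed certificate it generates when
# --ssl is used without --ssl-cert/--ssl-key
NCAT_CERT_MARKER = "Automatically generated by Ncat. See http://nmap.org/ncat/"

# tcpdump packet header: timestamp, endpoints, flags, ..., "length N"
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<len>\d+)"
)
# X.509 UTCTime pair (YYMMDDhhmmssZ) as printed inside the Certificate message:
# notBefore, two DER tag/length bytes shown as dots, notAfter
UTCTIME_PAIR_RE = re.compile(r"(\d{12})Z..(\d{12})Z")

# Constructed sample: real header lines, payloads reduced to printable strings
SAMPLE_CAPTURE = """
2016-05-01 23:11:41.692557 IP 192.168.1.100.45234 > 192.168.1.146.4444: Flags [P.], seq 3069619205:3069619722, ack 3074840645, win 229, options [nop,nop,TS val 653342430 ecr 1226892542], length 517
.....#.........192.168.1.146.........
2016-05-01 23:11:41.696528 IP 192.168.1.146.4444 > 192.168.1.100.45234: Flags [P.], seq 1:604, ack 517, win 260, options [nop,nop,TS val 1226892544 ecr 653342430], length 603
....U... localhost0...160502031122Z..170502031122Z0.1.0...U...   localhost0..0..
.....localhost0J.....Automatically generated by Ncat. See http://nmap.org/ncat/.0..
2016-05-01 23:11:53.192742 IP 192.168.1.100.45234 > 192.168.1.146.4444: Flags [P.], seq 715:752, ack 1135, win 257, options [nop,nop,TS val 653345305 ecr 1226892586], length 37
&.B.I .*.... .Y^.q....oQ.=;...Jd...Dq."qL..h1
2016-05-01 23:11:53.195448 IP 192.168.1.146.4444 > 192.168.1.100.45234: Flags [P.], seq 1225:2113, ack 752, win 259, options [nop,nop,TS val 1226904045 ecr 653345305], length 888
I!..&.B.....
"""


def parse_tcpdump_a(text):
    """Split tcpdump -A output into packets: parsed header fields plus the
    ASCII payload lines that follow each header, joined as one string."""
    packets = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            g = m.groupdict()
            packets.append({
                "ts": datetime.strptime(g["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                "src": g["src"], "sport": int(g["sport"]),
                "dst": g["dst"], "dport": int(g["dport"]),
                "flags": g["flags"], "length": int(g["len"]), "payload": "",
            })
        elif packets:
            packets[-1]["payload"] += line + "\n"
    return packets


def flow_key(p):
    """Direction-independent flow key: both endpoints, in sorted order."""
    a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
    return (a, b) if a <= b else (b, a)


def find_ncat_ssl_sessions(packets):
    """One finding per flow in which a packet carries the Ncat certificate
    marker. Its sender is the TLS server, i.e. the Ncat listener; with a
    reverse shell that is the end the compromised host connected out to."""
    flows = {}
    for p in packets:
        flows.setdefault(flow_key(p), []).append(p)
    findings = []
    for pkts in flows.values():
        cert_pkts = [p for p in pkts if NCAT_CERT_MARKER in p["payload"]]
        if not cert_pkts:
            continue
        listener = (cert_pkts[0]["src"], cert_pkts[0]["sport"])
        client = (cert_pkts[0]["dst"], cert_pkts[0]["dport"])
        finding = {
            "listener": listener, "client": client,
            "first_seen": min(p["ts"] for p in pkts),
            "last_seen": max(p["ts"] for p in pkts),
            "bytes_to_listener": sum(p["length"] for p in pkts
                                     if (p["src"], p["sport"]) == client),
            "bytes_from_listener": sum(p["length"] for p in pkts
                                       if (p["src"], p["sport"]) == listener),
            "cert_not_before": None, "cert_not_after": None, "cert_lifetime_days": None,
        }
        # TLS 1.2 sends the Certificate message in the clear, so the validity
        # period is readable; under TLS 1.3 it is encrypted and this is lost.
        m = UTCTIME_PAIR_RE.search(cert_pkts[0]["payload"])
        if m:
            nb, na = (datetime.strptime(s, "%y%m%d%H%M%S") for s in m.groups())
            finding.update(cert_not_before=nb, cert_not_after=na,
                           cert_lifetime_days=(na - nb).days)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in find_ncat_ssl_sessions(parse_tcpdump_a(SAMPLE_CAPTURE)):
        print(finding)
```

Run against a real `tcpdump -A` file the only change needed is reading the file into the string. The marker match is exact and cheap, which is the point: a detection keyed on this string (or on a certificate whose issuer equals its subject and is CN=localhost with a one-year lifetime) fires on the handshake, before any application data is exchanged, but only as long as the certificate travels in the clear.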

Switchblade DoS Denial of Service Layer 7 Resource Attack Traffic Sample


2016-05-10 22:42:09.215763 IP 192.168.1.107.51123 > 192.168.1.100.80: Flags [P.], seq 2441012886:2441013126, ack 2566902875, win 256, length 240: HTTP: GET /index.html HTTP/1.1
E...~;....7....k...d...P.~.....[P....y..GET /index.html HTTP/1.1
Host: 192.168.1.100
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)
Content-Length: 42

2016-05-10 22:42:09.215787 IP 192.168.1.107.51124 > 192.168.1.100.80: Flags [P.], seq 1175003156:1175003396, ack 2268571509, win 256, length 240: HTTP: GET /index.html HTTP/1.1
E...~<....7....k...d...PF        ..7.uP.......GET /index.html HTTP/1.1
Host: 192.168.1.100
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)
Content-Length: 42

2016-05-10 22:42:09.215796 IP 192.168.1.107.51121 > 192.168.1.100.80: Flags [P.], seq 1185786743:1185786983, ack 360193692, win 256, length 240: HTTP: GET /index.html HTTP/1.1
E...~=....7....k...d...PF..w.x..P...r...GET /index.html HTTP/1.1
Host: 192.168.1.100
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)
Content-Length: 42

2016-05-10 22:42:09.215804 IP 192.168.1.107.51122 > 192.168.1.100.80: Flags [P.], seq 237675000:237675240, ack 1513912401, win 256, length 240: HTTP: GET /index.html HTTP/1.1
E...~>....7....k...d...P.*..Z<xQP....;..GET /index.html HTTP/1.1
Host: 192.168.1.100
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)
Content-Length: 42

2016-05-10 22:42:09.216062 IP 192.168.1.107.51125 > 192.168.1.100.80: Flags [P.], seq 610675203:610675443, ack 4174676622, win 256, length 240: HTTP: GET /index.html HTTP/1.1
E...~B....7~...k...d...P$f*.....P.......GET /index.html HTTP/1.1
Host: 192.168.1.100
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)
Content-Length: 42

2016-05-10 22:42:09.216073 IP 192.168.1.107.51126 > 192.168.1.100.80: Flags [P.], seq 3544985761:3544986001, ack 2603433011, win 256, length 240: HTTP: GET /index.html HTTP/1.1
E...~C....7}...k...d...P.L0..-<3P.......GET /index.html HTTP/1.1
Host: 192.168.1.100
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)
Content-Length: 42

2016-05-10 22:42:09.216574 IP 192.168.1.107.51129 > 192.168.1.100.80: Flags [P.], seq 2597075967:2597076207, ack 2645658918, win 256, length 240: HTTP: GET /index.html HTTP/1.1
E...~J....7v...k...d...P..;....&P....@..GET /index.html HTTP/1.1
Host: 192.168.1.100
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)
Content-Length: 42

2016-05-10 22:42:09.216584 IP 192.168.1.107.51127 > 192.168.1.100.80: Flags [P.], seq 3209355082:3209355322, ack 101300570, win 256, length 240: HTTP: GET /index.html HTTP/1.1
E...~K....7u...k...d...P.J.J.   .ZP...:...GET /index.html HTTP/1.1
Host: 192.168.1.100
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)
Content-Length: 42

2016-05-10 22:42:09.216591 IP 192.168.1.107.51128 > 192.168.1.100.80: Flags [P.], seq 2337681360:2337681600, ack 3205798122, win 256, length 240: HTTP: GET /index.html HTTP/1.1
E...~L....7t...k...d...P.V/.....P.......GET /index.html HTTP/1.1
Host: 192.168.1.100
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)
Content-Length: 42

2016-05-10 22:42:09.217102 IP 192.168.1.107.51132 > 192.168.1.100.80: Flags [P.], seq 361717823:361718063, ack 1458507734, win 256, length 240: HTTP: GET /index.html HTTP/1.1
E...~S....7m...k...d...P..`?V...P....M..GET /index.html HTTP/1.1
Host: 192.168.1.100
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)
Content-Length: 42

2016-05-10 22:42:09.217110 IP 192.168.1.107.51130 > 192.168.1.100.80: Flags [P.], seq 655984093:655984333, ack 929914276, win 256, length 240: HTTP: GET /index.html HTTP/1.1
E...~T....7l...k...d...P'...7m].P...V...GET /index.html HTTP/1.1
Host: 192.168.1.100
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)
Content-Length: 42

2016-05-10 22:42:09.217115 IP 192.168.1.107.51131 > 192.168.1.100.80: Flags [P.], seq 1065898732:1065898972, ack 1279660067, win 256, length 240: HTTP: GET /index.html HTTP/1.1
E...~U....7k...k...d...P?.R.LF.#P.......GET /index.html HTTP/1.1
Host: 192.168.1.100
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)
Content-Length: 42

2016-05-10 22:42:09.217622 IP 192.168.1.107.51133 > 192.168.1.100.80: Flags [P.], seq 1020294499:1020294739, ack 638015077, win 256, length 240: HTTP: GET /index.html HTTP/1.1
E...~[....7e...k...d...P<.uc&.VeP...j@..GET /index.html HTTP/1.1
Host: 192.168.1.100
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)
Content-Length: 42

2016-05-10 22:42:09.217631 IP 192.168.1.107.51134 > 192.168.1.100.80: Flags [P.], seq 2099351153:2099351393, ack 396822356, win 256, length 240: HTTP: GET /index.html HTTP/1.1
E...~\....7d...k...d...P}!.q...TP...nQ..GET /index.html HTTP/1.1
Host: 192.168.1.100
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)
Content-Length: 42

2016-05-10 22:42:09.218177 IP 192.168.1.107.51137 > 192.168.1.100.80: Flags [P.], seq 2088746492:2088746732, ack 3244054754, win 256, length 240: HTTP: GET /index.html HTTP/1.1
E...~c....7]...k...d...P|....\X.P...D!..GET /index.html HTTP/1.1
Host: 192.168.1.100
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)
Content-Length: 42
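What makes this a layer 7 resource attack rather than a flood is visible in the numbers. One client, 192.168.1.107, opens fifteen connections (source ports 51121 to 51137) within 2.4 ms and sends exactly 240 bytes on each. Those 240 bytes account for the four header lines with their CRLFs and nothing else: "GET /index.html HTTP/1.1" (26 bytes), "Host: 192.168.1.100" (21), the User-Agent line (173) and "Content-Length: 42" (20). The blank line that terminates an HTTP header block is not among them, and no body follows, so every one of these requests is left incomplete. The server has parsed a request line and headers, has been told to expect a 42-byte body on a GET, and must now hold a worker or connection slot open until a timeout fires; enough of these, renewed as they expire, exhaust the server's connection pool at a bandwidth the attacker barely notices. The User-Agent string is byte-identical on every connection and is a usable (if trivially changeable) indicator; copy it from the capture rather than retyping it, it reads 2.0.503l3 with a letter l as captured.

The following script, added here as a worked example (it is not the tool's code and not code from the original post; analyze_request, max_connections_in_window, slow_http_dos_verdict, REQUEST and SAMPLE_CONNECTIONS are names chosen for it), turns that reasoning into a check that can be run over a capture: per request it compares what the client declared with what actually arrived, per source it counts connections opened within a short window, and it flags the combination of a burst and every request left waiting. The records are constructed from the capture above: timestamp, client port and wire length come from each tcpdump header line, the request text from the ASCII payload, reassembled with the CRLF line endings that tcpdump -A does not print.

```python
"""Classifying the Switchblade connections as a slow-HTTP resource hold.
Added example, not the tool's code and not code from the original post; the
function names are chosen here and SAMPLE_CONNECTIONS/REQUEST are
constructed from the capture's header lines and ASCII payload."""
from datetime import datetime, timedelta

USER_AGENT = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; "
              ".NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; "
              ".NET CLR 3.5.30729; MSOffice 12)")
# The request every connection sent: four header lines and nothing after them
# (no blank line ending the header block, no body).
REQUEST = ("GET /index.html HTTP/1.1\r\n"
           "Host: 192.168.1.100\r\n"
           "User-Agent: " + USER_AGENT + "\r\n"
           "Content-Length: 42\r\n")

# (timestamp, client source port, payload bytes on the wire), one per connection,
# taken from the capture's header lines
SAMPLE_CONNECTIONS = [
    ("2016-05-10 22:42:09.215763", 51123, 240), ("2016-05-10 22:42:09.215787", 51124, 240),
    ("2016-05-10 22:42:09.215796", 51121, 240), ("2016-05-10 22:42:09.215804", 51122, 240),
    ("2016-05-10 22:42:09.216062", 51125, 240), ("2016-05-10 22:42:09.216073", 51126, 240),
    ("2016-05-10 22:42:09.216574", 51129, 240), ("2016-05-10 22:42:09.216584", 51127, 240),
    ("2016-05-10 22:42:09.216591", 51128, 240), ("2016-05-10 22:42:09.217102", 51132, 240),
    ("2016-05-10 22:42:09.217110", 51130, 240), ("2016-05-10 22:42:09.217115", 51131, 240),
    ("2016-05-10 22:42:09.217622", 51133, 240), ("2016-05-10 22:42:09.217631", 51134, 240),
    ("2016-05-10 22:42:09.218177", 51137, 240),
]


def analyze_request(text, wire_len):
    """Compare what the client declared with what actually arrived on the wire."""
    end = text.find("\r\n\r\n")
    terminated = end != -1
    header_len = end + 4 if terminated else len(text)
    declared = 0
    for line in text.split("\r\n"):
        if line.lower().startswith("content-length:"):
            declared = int(line.split(":", 1)[1].strip())
    # No body can have started until the header block is terminated.
    received = max(0, wire_len - header_len) if terminated else 0
    return {
        "request_line": text.split("\r\n", 1)[0],
        "headers_terminated": terminated,
        "declared_body": declared,
        "body_received": received,
        "body_outstanding": max(0, declared - received),
    }


def max_connections_in_window(connections, window_ms):
    """Largest number of connections opened within any window_ms-wide window,
    found by sliding a window over the sorted timestamps."""
    times = sorted(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")
                   for ts, _, _ in connections)
    window = timedelta(milliseconds=window_ms)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def slow_http_dos_verdict(connections, request, min_conns=10, window_ms=10):
    """A burst of connections from one client, each left waiting for the rest
    of its request, is the resource-hold pattern; a flood would complete them."""
    results = [analyze_request(request, wire_len) for _, _, wire_len in connections]
    held_open = sum(1 for r in results
                    if not r["headers_terminated"] or r["body_outstanding"] > 0)
    burst = max_connections_in_window(connections, window_ms)
    return {
        "connections": len(connections),
        "connections_in_window": burst,
        "held_open": held_open,
        "is_slow_http_dos": burst >= min_conns and held_open == len(connections),
    }


if __name__ == "__main__":
    print(analyze_request(REQUEST, 240))
    print(slow_http_dos_verdict(SAMPLE_CONNECTIONS, REQUEST))
```

The two thresholds (ten connections inside ten milliseconds) are illustrative and should be tuned to the server in question; what matters is the conjunction, since a legitimate browser also opens several connections at once but completes its requests. On the server side the corresponding defence is a bound on how long a connection may sit between header lines and before the body arrives (Apache's mod_reqtimeout, nginx's client_header_timeout and client_body_timeout) together with a per-source connection cap; the check above is what to run over a capture to confirm that this, and not raw request volume, is what is filling the connection table.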