2013-07-21-Blackhole-EK-traffic.pcap

MD5: 92d9c894ba634c4c1ed60fd8c0384b28
Submission Date: 2020-06-30 06:55:56
Tags: (not set)

Record timestamps in every table below are 2013-07-18 (UTC-0700), three days before the date carried in the file name. The monitored host is 192.168.204.150 in all records.
Alert (34 total; the page shows only 20, listed here in timestamp order; the remaining 14 are not on this page)

SSL-BL = "ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Likely Shylock/URLzone/Gootkit/Zeus Panda C2)"

Timestamp | Src IP | Dest IP | Alert Signature
2013-07-18T17:45:34.214813-0700 | 192.168.204.150 | 176.119.5.7 | ET CURRENT_EVENTS TDS Sutra - request in.cgi
2013-07-18T17:45:41.982349-0700 | 192.168.204.150 | 176.119.5.7 | ET POLICY Vulnerable Java Version 1.6.x Detected
2013-07-18T17:45:42.578845-0700 | 176.119.5.7 | 192.168.204.150 | ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs
2013-07-18T17:45:42.578845-0700 | 176.119.5.7 | 192.168.204.150 | ET INFO JAVA - Java Archive Download By Vulnerable Client
2013-07-18T17:45:42.578845-0700 | 176.119.5.7 | 192.168.204.150 | ET INFO Java File Sent With X-Powered By HTTP Header - Common In Exploit Kits
2013-07-18T17:45:43.513630-0700 | 192.168.204.150 | 176.119.5.7 | ET CURRENT_EVENTS BHEK Payload Download (java only alternate method may overlap with 2017454)
2013-07-18T17:45:43.513630-0700 | 192.168.204.150 | 176.119.5.7 | ET POLICY Vulnerable Java Version 1.6.x Detected
2013-07-18T17:45:46.743729-0700 | 91.228.53.137 | 192.168.204.150 | SSL-BL
2013-07-18T17:45:52.922827-0700 | 173.224.210.244 | 192.168.204.150 | SSL-BL
2013-07-18T17:45:52.998193-0700 | 173.224.210.244 | 192.168.204.150 | SSL-BL
2013-07-18T17:45:53.303986-0700 | 91.228.53.137 | 192.168.204.150 | SSL-BL
2013-07-18T17:45:54.375476-0700 | 173.224.210.244 | 192.168.204.150 | SSL-BL
2013-07-18T17:45:55.693047-0700 | 173.224.210.244 | 192.168.204.150 | SSL-BL
2013-07-18T17:45:59.266177-0700 | 91.228.53.199 | 192.168.204.150 | SSL-BL
2013-07-18T17:46:07.197544-0700 | 173.224.210.244 | 192.168.204.150 | SSL-BL
2013-07-18T17:46:07.468854-0700 | 91.228.53.199 | 192.168.204.150 | SSL-BL
2013-07-18T17:46:07.570798-0700 | 173.224.210.244 | 192.168.204.150 | SSL-BL
2013-07-18T17:46:07.935051-0700 | 91.228.53.199 | 192.168.204.150 | SSL-BL
2013-07-18T17:46:36.621373-0700 | 91.186.20.51 | 192.168.204.150 | ET CURRENT_EVENTS TDS Sutra - page redirecting to a SutraTDS
2013-07-18T17:47:49.970862-0700 | 173.224.210.244 | 192.168.204.150 | SSL-BL
DNS (0): no DNS records in the capture. Hostname-to-IP pairing below can only be read off the HTTP and File tables, which share timestamps.
TLS (16; all shown, in timestamp order; every ClientHello is from 192.168.204.150)

Timestamp | Source IP | Destination IP | TLS Version | Server Name Indication
2013-07-18T17:45:46.130671-0700 | 192.168.204.150 | 91.228.53.137 | TLSv1 | ivl51exuuxu.ohtheigh.cc
2013-07-18T17:45:46.589272-0700 | 192.168.204.150 | 91.228.53.137 | TLSv1 | ivl51exuuxu.ohtheigh.cc
2013-07-18T17:45:52.481128-0700 | 192.168.204.150 | 173.224.210.244 | TLSv1 | u7l359jww7v2x3dp.ohtheigh.cc
2013-07-18T17:45:52.949205-0700 | 192.168.204.150 | 173.224.210.244 | TLSv1 | yqitxnvlyjeci.ohtheigh.cc
2013-07-18T17:45:53.146582-0700 | 192.168.204.150 | 91.228.53.137 | TLSv1 | ar6ehfplcr.ohtheigh.cc
2013-07-18T17:45:54.299791-0700 | 192.168.204.150 | 173.224.210.244 | TLSv1 | u7l359jww7v2x3dp.ohtheigh.cc
2013-07-18T17:45:55.632825-0700 | 192.168.204.150 | 173.224.210.244 | TLSv1 | yqitxnvlyjeci.ohtheigh.cc
2013-07-18T17:45:55.827587-0700 | 192.168.204.150 | 91.228.53.137 | TLSv1 | ar6ehfplcr.ohtheigh.cc
2013-07-18T17:45:58.658817-0700 | 192.168.204.150 | 91.228.53.199 | TLSv1 | 7pk7zf52f7mshkx.ohtheigh.cc
2013-07-18T17:45:59.092479-0700 | 192.168.204.150 | 91.228.53.199 | TLSv1 | 7pk7zf52f7mshkx.ohtheigh.cc
2013-07-18T17:46:07.137283-0700 | 192.168.204.150 | 173.224.210.244 | TLSv1 | cm34717.ohtheigh.cc
2013-07-18T17:46:07.313855-0700 | 192.168.204.150 | 91.228.53.199 | TLSv1 | qffcg8yjlo.ohtheigh.cc
2013-07-18T17:46:07.505502-0700 | 192.168.204.150 | 173.224.210.244 | TLSv1 | cm34717.ohtheigh.cc
2013-07-18T17:46:07.760736-0700 | 192.168.204.150 | 91.228.53.199 | TLSv1 | qffcg8yjlo.ohtheigh.cc
2013-07-18T17:47:49.911759-0700 | 192.168.204.150 | 173.224.210.244 | TLSv1 | 1jskidelt2pg0238du.ohtheigh.cc
2013-07-18T17:47:50.072007-0700 | 192.168.204.150 | 173.224.210.244 | TLSv1 | 1jskidelt2pg0238du.ohtheigh.cc

All 16 SNIs are random-looking labels under ohtheigh.cc, spread over three servers (91.228.53.137, 91.228.53.199, 173.224.210.244), the same three sources that raise the SSL-BL alerts above.
TFTP (0): no records.
HTTP (9; all shown, in timestamp order)

Timestamp | Source | Hostname | Port | Method | URL | Status
2013-07-18T17:45:33.322090-0700 | 192.168.204.150 | tonerkozpont.com | 80 | GET | /wp-content/themes/weaver/lfl/sftxtel.html | 200
2013-07-18T17:45:34.214814-0700 | 192.168.204.150 | raiwinners.org | 80 | GET | /sword/in.cgi?2 | 302
2013-07-18T17:45:36.004233-0700 | 192.168.204.150 | domenicossos.com | 80 | GET | /ngen/controlling/mydb.php | 200
2013-07-18T17:45:36.495115-0700 | 192.168.204.150 | domenicossos.com | 80 | GET | /ngen/shrift.php | 200
2013-07-18T17:45:37.334474-0700 | 192.168.204.150 | domenicossos.com | 80 | GET | /favicon.ico | 200
2013-07-18T17:45:42.564390-0700 | 192.168.204.150 | domenicossos.com | 80 | GET | /ngen/controlling/mydb.php?lMugUQWjIXMtBPs=kOYtJQcaB&fumnLe=KFvcpHDMtxET | 200
2013-07-18T17:45:45.483656-0700 | 192.168.204.150 | domenicossos.com | 80 | GET | /ngen/controlling/mydb.php?Vf=53322f312h&be=2g522j31302d57302e31&Z=2d&sZ=m&FC=l | 200
2013-07-18T17:45:46.720737-0700 | 192.168.204.150 | domenicossos.com | 80 | GET | /ngen/controlling/mydb.php?Hf=53322f312h&ye=2g542d2f2h562j522j56&S=2d&fG=C&Pi=Q | 200
2013-07-18T17:45:47.477132-0700 | 192.168.204.150 | domenicossos.com | 80 | GET | /ngen/controlling/mydb.php?ff=53322f312h&le=5552532f2j562h555630&s=2d&Bf=e&Iu=M | 200

Notes: the export ran the in.cgi query string and status code together as "in.cgi?2302"; it is read here as URL /sword/in.cgi?2 with status 302, consistent with the "TDS Sutra - request in.cgi" alert at the same instant. Matching these timestamps against the File table gives tonerkozpont.com = 91.186.20.51 and both raiwinners.org and domenicossos.com = 176.119.5.7. The last four mydb.php requests return, in order, a Zip archive (the JAR) and three PE32 executables (see File).
SMB (0): no records.
SMTP (0): no records.
Flow (27 total; the page shows only 20, listed here by source port). Every row shares Timestamp 2013-07-18T17:46:39.203658-0700 (the time the flow records were emitted, not the start of each flow), Event Type flow, Source 192.168.204.150, Protocol TCP and Host pcapanalyzer, so those columns are not repeated.

Flow Id | Source Port | Destination | Destination Port
1770924742122909 | 54616 | 91.186.20.51 | 80
1444979673989965 | 54618 | 176.119.5.7 | 80
1126310281087453 | 54626 | 176.119.5.7 | 80
168073012776375 | 54627 | 91.228.53.137 | 443
386884416753401 | 54628 | 91.228.53.137 | 443
2022077250932220 | 54631 | 173.224.210.244 | 443
1492739711581722 | 54632 | 91.228.53.137 | 443
17616013901508 | 54633 | 173.224.210.244 | 443
1223488211939113 | 54636 | 173.224.210.244 | 443
1332180949363084 | 54638 | 173.224.210.244 | 443
1215804515512086 | 54639 | 91.228.53.137 | 443
817012507331822 | 54640 | 91.228.53.199 | 443
346735063231941 | 54641 | 91.228.53.199 | 443
1217990654643549 | 54643 | 173.224.210.244 | 443
1217024286998413 | 54646 | 91.228.53.199 | 443
947592400663795 | 54657 | 92.55.86.25x (see note) | 6471 or 16471
480922729117094 | 54658 | 92.55.86.25x (see note) | 6471 or 16471
312319492945538 | 54659 | 92.55.86.25x (see note) | 6471 or 16471
802499815470913 | 54660 | 92.55.86.25x (see note) | 6471 or 16471
667040846555219 | 54692 | 173.224.210.244 | 443

Note: the export ran destination and port together as "92.55.86.25116471", so these four flows are either 92.55.86.251:6471 or 92.55.86.25:16471; the boundary cannot be recovered from this page. Either way they go to a non-standard port and have no matching Alert, HTTP or TLS record on this page, which makes them the first thing to pull out of the pcap by hand.
File (8; all shown, in timestamp order; timestamps match the HTTP rows that fetched them)

Timestamp | Source | Destination | File Name | File Magic | File Size
2013-07-18T17:45:33.322090-0700 | 91.186.20.51 | 192.168.204.150 | /wp-content/themes/weaver/lfl/sftxtel.html | HTML document, ASCII text, with CRLF line terminators | 258
2013-07-18T17:45:34.214814-0700 | 176.119.5.7 | 192.168.204.150 | /sword/in.cgi | HTML document, ASCII text | 232
2013-07-18T17:45:36.004233-0700 | 176.119.5.7 | 192.168.204.150 | /ngen/controlling/mydb.php | HTML document, ASCII text, with very long lines, with CRLF line terminators | 46076
2013-07-18T17:45:36.495115-0700 | 176.119.5.7 | 192.168.204.150 | font.eot | Embedded OpenType (EOT) | 4170
2013-07-18T17:45:42.564390-0700 | 176.119.5.7 | 192.168.204.150 | /ngen/controlling/mydb.php | Zip archive data, at least v2.0 to extract | 31339
2013-07-18T17:45:45.483656-0700 | 176.119.5.7 | 192.168.204.150 | calc.exe | PE32 executable (GUI) Intel 80386, for MS Windows | 348160
2013-07-18T17:45:46.720737-0700 | 176.119.5.7 | 192.168.204.150 | info.exe | PE32 executable (GUI) Intel 80386, for MS Windows | 211968
2013-07-18T17:45:47.477132-0700 | 176.119.5.7 | 192.168.204.150 | readme.exe | PE32 executable (GUI) Intel 80386, for MS Windows | 102912

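The tables above are exported per protocol and, in the original export, not in time order, so the chain (TDS redirect, JAR delivery to a Java 1.6 client, three PE downloads, then TLS to ohtheigh.cc hosts whose certificates hit the abuse.ch blacklist) has to be reassembled by the reader. The script below is an added example, not part of this page or of the analyzer that produced it: it merges the Alert, TLS, HTTP and File records transcribed from the tables above (fields trimmed, only the 20 of 34 alerts the page shows) into one timeline, derives the stage order, and attributes each SSL-blacklist alert to the ClientHello that preceded it on the same server. Assumptions: all events fall on 2013-07-18 in the -0700 zone, as every printed timestamp does; the SSL-blacklist rule fires on the server Certificate message, so the right ClientHello for an alert is the latest earlier one to that server IP; and the in.cgi row is read as `/sword/in.cgi?2` with status 302.

```python
"""Added example: correlate the exported Alert/TLS/HTTP/File tables of one pcap.
Records are transcribed from the page (only the 20 alerts it shows). Assumption:
every timestamp is on 2013-07-18 in the -0700 zone, as printed on the page."""
from datetime import datetime

VICTIM = "192.168.204.150"
SSL_BL = ("ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate "
          "detected (Likely Shylock/URLzone/Gootkit/Zeus Panda C2)")

def ts(hms):
    return datetime.strptime("2013-07-18T" + hms + "-0700", "%Y-%m-%dT%H:%M:%S.%f%z")

# HTTP table: (time, hostname, server ip, path, status). The DNS table is empty, so
# the server ip is taken from the File table row that carries the same timestamp.
HTTP = [
    ("17:45:33.322090", "tonerkozpont.com", "91.186.20.51", "/wp-content/themes/weaver/lfl/sftxtel.html", 200),
    ("17:45:34.214814", "raiwinners.org", "176.119.5.7", "/sword/in.cgi?2", 302),
    ("17:45:36.004233", "domenicossos.com", "176.119.5.7", "/ngen/controlling/mydb.php", 200),
    ("17:45:36.495115", "domenicossos.com", "176.119.5.7", "/ngen/shrift.php", 200),
    ("17:45:37.334474", "domenicossos.com", "176.119.5.7", "/favicon.ico", 200),
    ("17:45:42.564390", "domenicossos.com", "176.119.5.7", "/ngen/controlling/mydb.php?lMugUQWjIXMtBPs=kOYtJQcaB&fumnLe=KFvcpHDMtxET", 200),
    ("17:45:45.483656", "domenicossos.com", "176.119.5.7", "/ngen/controlling/mydb.php?Vf=53322f312h&be=2g522j31302d57302e31&Z=2d&sZ=m&FC=l", 200),
    ("17:45:46.720737", "domenicossos.com", "176.119.5.7", "/ngen/controlling/mydb.php?Hf=53322f312h&ye=2g542d2f2h562j522j56&S=2d&fG=C&Pi=Q", 200),
    ("17:45:47.477132", "domenicossos.com", "176.119.5.7", "/ngen/controlling/mydb.php?ff=53322f312h&le=5552532f2j562h555630&s=2d&Bf=e&Iu=M", 200),
]
# File table keyed by the same timestamps: (file name, libmagic type, size in bytes)
FILES = {
    "17:45:33.322090": ("sftxtel.html", "HTML document", 258),
    "17:45:34.214814": ("in.cgi", "HTML document", 232),
    "17:45:36.004233": ("mydb.php", "HTML document", 46076),
    "17:45:36.495115": ("font.eot", "Embedded OpenType (EOT)", 4170),
    "17:45:42.564390": ("mydb.php", "Zip archive data", 31339),
    "17:45:45.483656": ("calc.exe", "PE32 executable (GUI) Intel 80386", 348160),
    "17:45:46.720737": ("info.exe", "PE32 executable (GUI) Intel 80386", 211968),
    "17:45:47.477132": ("readme.exe", "PE32 executable (GUI) Intel 80386", 102912),
}
# TLS table: (ClientHello time, server ip, SNI); all TLSv1, all from the victim
TLS = [
    ("17:45:46.130671", "91.228.53.137", "ivl51exuuxu.ohtheigh.cc"), ("17:45:46.589272", "91.228.53.137", "ivl51exuuxu.ohtheigh.cc"),
    ("17:45:52.481128", "173.224.210.244", "u7l359jww7v2x3dp.ohtheigh.cc"), ("17:45:52.949205", "173.224.210.244", "yqitxnvlyjeci.ohtheigh.cc"),
    ("17:45:53.146582", "91.228.53.137", "ar6ehfplcr.ohtheigh.cc"), ("17:45:54.299791", "173.224.210.244", "u7l359jww7v2x3dp.ohtheigh.cc"),
    ("17:45:55.632825", "173.224.210.244", "yqitxnvlyjeci.ohtheigh.cc"), ("17:45:55.827587", "91.228.53.137", "ar6ehfplcr.ohtheigh.cc"),
    ("17:45:58.658817", "91.228.53.199", "7pk7zf52f7mshkx.ohtheigh.cc"), ("17:45:59.092479", "91.228.53.199", "7pk7zf52f7mshkx.ohtheigh.cc"),
    ("17:46:07.137283", "173.224.210.244", "cm34717.ohtheigh.cc"), ("17:46:07.313855", "91.228.53.199", "qffcg8yjlo.ohtheigh.cc"),
    ("17:46:07.505502", "173.224.210.244", "cm34717.ohtheigh.cc"), ("17:46:07.760736", "91.228.53.199", "qffcg8yjlo.ohtheigh.cc"),
    ("17:47:49.911759", "173.224.210.244", "1jskidelt2pg0238du.ohtheigh.cc"), ("17:47:50.072007", "173.224.210.244", "1jskidelt2pg0238du.ohtheigh.cc"),
]
# Alert table: (time, src, dst, signature); the 12 SSL-blacklist hits are appended from (time, server) pairs
ALERTS = [
    ("17:45:34.214813", VICTIM, "176.119.5.7", "ET CURRENT_EVENTS TDS Sutra - request in.cgi"),
    ("17:45:41.982349", VICTIM, "176.119.5.7", "ET POLICY Vulnerable Java Version 1.6.x Detected"),
    ("17:45:42.578845", "176.119.5.7", VICTIM, "ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs"),
    ("17:45:42.578845", "176.119.5.7", VICTIM, "ET INFO JAVA - Java Archive Download By Vulnerable Client"),
    ("17:45:42.578845", "176.119.5.7", VICTIM, "ET INFO Java File Sent With X-Powered By HTTP Header - Common In Exploit Kits"),
    ("17:45:43.513630", VICTIM, "176.119.5.7", "ET CURRENT_EVENTS BHEK Payload Download (java only alternate method may overlap with 2017454)"),
    ("17:45:43.513630", VICTIM, "176.119.5.7", "ET POLICY Vulnerable Java Version 1.6.x Detected"),
    ("17:46:36.621373", "91.186.20.51", VICTIM, "ET CURRENT_EVENTS TDS Sutra - page redirecting to a SutraTDS"),
] + [(t, ip, VICTIM, SSL_BL) for t, ip in [
    ("17:45:46.743729", "91.228.53.137"), ("17:45:52.922827", "173.224.210.244"), ("17:45:52.998193", "173.224.210.244"),
    ("17:45:53.303986", "91.228.53.137"), ("17:45:54.375476", "173.224.210.244"), ("17:45:55.693047", "173.224.210.244"),
    ("17:45:59.266177", "91.228.53.199"), ("17:46:07.197544", "173.224.210.244"), ("17:46:07.468854", "91.228.53.199"),
    ("17:46:07.570798", "173.224.210.244"), ("17:46:07.935051", "91.228.53.199"), ("17:47:49.970862", "173.224.210.244"),
]]

def host_ips():
    """Hostname -> server IP as paired above (three names on two servers)."""
    return {host: ip for _, host, ip, _, _ in HTTP}

def timeline():
    """Every record from the four tables in one list, oldest first."""
    ev = []
    for t, host, ip, path, status in HTTP:
        name, magic, size = FILES.get(t, (None, None, None))
        tail = f" [{name}: {magic}, {size} B]" if magic else ""
        ev.append((t, "http", f"{host} ({ip}) {path} -> {status}{tail}"))
    ev += [(t, "tls", f"ClientHello to {ip} SNI={sni}") for t, ip, sni in TLS]
    ev += [(t, "alert", f"{src} -> {dst} {sig}") for t, src, dst, sig in ALERTS]
    return sorted(ev, key=lambda e: ts(e[0]))

def stages():
    """Stages of the chain in order of first appearance."""
    first = {}
    for t, kind, detail in timeline():
        if kind == "alert" and "TDS Sutra - request" in detail: key = "tds_redirect"
        elif kind == "http" and "Zip archive" in detail: key = "jar_delivery"
        elif kind == "http" and "PE32" in detail: key = "payload_download"
        elif kind == "tls": key = "tls_to_ohtheigh_cc"
        elif kind == "alert" and SSL_BL in detail: key = "cert_blacklist_alert"
        else: continue
        first.setdefault(key, t)
    return sorted(first, key=lambda k: ts(first[k]))

def attribute_tls_alerts():
    """ClientHello -> time of the SSL-blacklist alert it triggered, or None.
    The rule fires on the server Certificate, which follows the ClientHello, so each
    alert is matched to the latest earlier ClientHello to the same server IP."""
    matched = {rec: None for rec in TLS}
    for a_t, src, _, sig in ALERTS:
        if sig != SSL_BL:
            continue
        earlier = [r for r in TLS if r[1] == src and ts(r[0]) <= ts(a_t)]
        if earlier:
            matched[max(earlier, key=lambda r: ts(r[0]))] = a_t
    return matched

if __name__ == "__main__":
    for t, kind, detail in timeline():
        print(t, kind.ljust(5), detail)
    print("chain:", " -> ".join(stages()))
    unmatched = [r for r, a in attribute_tls_alerts().items() if a is None]
    print(f"{len(TLS) - len(unmatched)} handshakes matched to an alert, {len(unmatched)} with no alert on this page")
```

Run as-is it prints the merged timeline, the stage order (TDS redirect, JAR delivery, payload download, TLS to ohtheigh.cc, certificate blacklist alert), and the handshake attribution: 12 of the 16 ClientHellos pair one-to-one with the 12 SSL-blacklist alerts shown, and the four without a match (the first hello to 91.228.53.137, the second to ar6ehfplcr, the first to 91.228.53.199 and the last to 173.224.210.244) are where to look among the 14 alerts the page does not show.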