2019-12-16-PCAP analysis 01.pcap

MD5: 3eba7de8ab353ecdfae1c1e904302f9c
Submission Date: 2020-10-18 05:47:34
Alert (44 total; showing items 1-20)

# | Timestamp | Src IP | Dest IP | Alert Signature | P
1 | 2019-12-16T12:53:04.420810-0800 | 10.12.16.101 | 181.167.35.84 | ET CNC Feodo Tracker Reported CnC Server group 7 | *
2 | 2019-12-16T12:53:14.328366-0800 | 10.12.16.101 | 5.189.148.98 | ET CNC Feodo Tracker Reported CnC Server group 19 | *
3 | 2019-12-16T12:52:25.158256-0800 | 10.12.16.101 | 190.38.252.45 | ET TROJAN Win32/Emotet CnC Activity (POST) M5 | *
4 | 2019-12-16T12:52:25.158256-0800 | 10.12.16.101 | 190.38.252.45 | ET TROJAN Win32/Emotet CnC Activity (POST) M6 | *
5 | 2019-12-16T12:52:25.158256-0800 | 10.12.16.101 | 190.38.252.45 | ET POLICY HTTP traffic on port 443 (POST) | *
6 | 2019-12-16T12:53:01.248556-0800 | 10.12.16.101 | 105.225.77.21 | ET TROJAN Win32/Emotet CnC Activity (POST) M5 | *
7 | 2019-12-16T12:53:01.248556-0800 | 10.12.16.101 | 105.225.77.21 | ET TROJAN Win32/Emotet CnC Activity (POST) M6 | *
8 | 2019-12-16T12:53:14.934997-0800 | 10.12.16.101 | 5.189.148.98 | ET TROJAN Win32/Emotet CnC Activity (POST) M5 | *
9 | 2019-12-16T12:53:16.262816-0800 | 10.12.16.101 | 64.207.176.141 | ET TROJAN Win32/Emotet CnC Activity (POST) M6 | *
10 | 2019-12-16T12:53:14.934997-0800 | 10.12.16.101 | 5.189.148.98 | ET TROJAN Win32/Emotet CnC Activity (POST) M6 | *
11 | 2019-12-16T12:53:16.638879-0800 | 10.12.16.101 | 64.207.176.141 | ET TROJAN Win32/Emotet CnC Activity (POST) M6 | *
12 | 2019-12-16T12:53:48.581067-0800 | 10.12.16.101 | 64.207.176.141 | ET TROJAN Win32/Emotet CnC Activity (POST) M5 | *
13 | 2019-12-16T12:53:48.581067-0800 | 10.12.16.101 | 64.207.176.141 | ET TROJAN Win32/Emotet CnC Activity (POST) M6 | *
14 | 2019-12-16T12:55:14.506856-0800 | 10.12.16.101 | 64.207.176.141 | ET TROJAN Win32/Emotet CnC Activity (POST) M5 | *
15 | 2019-12-16T12:55:14.506856-0800 | 10.12.16.101 | 64.207.176.141 | ET TROJAN Win32/Emotet CnC Activity (POST) M6 | *
16 | 2019-12-16T12:56:31.317920-0800 | 192.206.4.170 | 10.12.16.101 | ET POLICY Signed TLS Certificate with md5WithRSAEncryption | *
17 | 2019-12-16T12:56:31.439732-0800 | 192.206.4.170 | 10.12.16.101 | ET POLICY Signed TLS Certificate with md5WithRSAEncryption | *
18 | 2019-12-16T12:53:15.993008-0800 | 10.12.16.101 | 5.189.148.98 | ET TROJAN Win32/Emotet CnC Activity (POST) M5 | *
19 | 2019-12-16T12:53:15.993008-0800 | 10.12.16.101 | 5.189.148.98 | ET TROJAN Win32/Emotet CnC Activity (POST) M6 | *
20 | 2019-12-16T12:53:16.269947-0800 | 10.12.16.101 | 64.207.176.141 | ET TROJAN Win32/Emotet CnC Activity (POST) M6 | *
DNS (632 total; showing items 1-20)

# | Timestamp | Src IP | Dest IP | DNS Type | Resource Record Name | Resource Record Type | Resource Data
1 | 2019-12-16T12:49:32.027532-0800 | 10.12.16.101 | 10.12.16.1 | query | www.simple-it.org | A | (not set)
2 | 2019-12-16T12:50:14.163658-0800 | 10.12.16.101 | 10.12.16.1 | query | www.uaeneeds.com | A | (not set)
3 | 2019-12-16T12:49:32.044513-0800 | 10.12.16.1 | 10.12.16.101 | answer | www.simple-it.org | A | (not set)
4 | 2019-12-16T12:50:14.169372-0800 | 10.12.16.1 | 10.12.16.101 | answer | www.uaeneeds.com | A | (not set)
5 | 2019-12-16T12:50:18.152910-0800 | 10.12.16.101 | 10.12.16.1 | query | oki-dental.com | A | (not set)
6 | 2019-12-16T12:50:18.158812-0800 | 10.12.16.1 | 10.12.16.101 | answer | oki-dental.com | A | (not set)
7 | 2019-12-16T12:50:18.648232-0800 | 10.12.16.101 | 10.12.16.1 | query | blog.itsaboutnature.net | A | (not set)
8 | 2019-12-16T12:50:18.654519-0800 | 10.12.16.1 | 10.12.16.101 | answer | blog.itsaboutnature.net | A | (not set)
9 | 2019-12-16T12:53:16.640518-0800 | 10.12.16.101 | 10.12.16.1 | query | smtp.gmail.com | A | (not set)
10 | 2019-12-16T12:53:16.640898-0800 | 10.12.16.101 | 10.12.16.1 | query | smtp.mail.yahoo.com | A | (not set)
11 | 2019-12-16T12:53:16.641016-0800 | 10.12.16.101 | 10.12.16.1 | query | smtp.gmail.com | A | (not set)
12 | 2019-12-16T12:53:16.641084-0800 | 10.12.16.101 | 10.12.16.1 | query | smtp.gmail.com | A | (not set)
13 | 2019-12-16T12:53:16.641151-0800 | 10.12.16.101 | 10.12.16.1 | query | imap.gmail.com | A | (not set)
14 | 2019-12-16T12:53:16.641265-0800 | 10.12.16.101 | 10.12.16.1 | query | smtp.gmail.com | A | (not set)
15 | 2019-12-16T12:53:16.641553-0800 | 10.12.16.101 | 10.12.16.1 | query | imap-mail.outlook.com | A | (not set)
16 | 2019-12-16T12:53:16.641684-0800 | 10.12.16.101 | 10.12.16.1 | query | pop.mx2.ttcn.ne.jp | A | (not set)
17 | 2019-12-16T12:53:16.646063-0800 | 10.12.16.1 | 10.12.16.101 | answer | smtp.mail.yahoo.com | A | (not set)
18 | 2019-12-16T12:53:16.641603-0800 | 10.12.16.101 | 10.12.16.1 | query | bzmail.plala.or.jp | A | (not set)
19 | 2019-12-16T12:53:16.647279-0800 | 10.12.16.1 | 10.12.16.101 | answer | bzmail.plala.or.jp | A | (not set)
20 | 2019-12-16T12:53:16.647450-0800 | 10.12.16.1 | 10.12.16.101 | answer | imap-mail.outlook.com | A | (not set)
TLS (221 total; showing items 1-20)

# | Timestamp | Source IP | Destination IP | TLS Version | Server Name Indication
1 | 2019-12-16T12:53:16.721927-0800 | 10.12.16.101 | 64.233.184.108 | TLS 1.2 | (not set)
2 | 2019-12-16T12:53:16.720350-0800 | 10.12.16.101 | 188.125.73.26 | TLS 1.2 | (not set)
3 | 2019-12-16T12:53:16.739425-0800 | 10.12.16.101 | 64.233.184.108 | TLS 1.2 | (not set)
4 | 2019-12-16T12:53:18.357808-0800 | 10.12.16.101 | 74.125.140.108 | TLS 1.2 | (not set)
5 | 2019-12-16T12:53:16.831237-0800 | 10.12.16.101 | 188.125.73.26 | TLS 1.2 | (not set)
6 | 2019-12-16T12:53:16.831844-0800 | 10.12.16.101 | 74.125.140.108 | TLS 1.2 | (not set)
7 | 2019-12-16T12:53:19.221631-0800 | 10.12.16.101 | 143.125.221.195 | TLS 1.2 | (not set)
8 | 2019-12-16T12:53:16.921846-0800 | 10.12.16.101 | 52.97.144.178 | TLS 1.2 | (not set)
9 | 2019-12-16T12:53:17.129123-0800 | 10.12.16.101 | 116.203.151.64 | TLS 1.2 | (not set)
10 | 2019-12-16T12:53:17.167597-0800 | 10.12.16.101 | 157.7.188.42 | TLS 1.2 | (not set)
11 | 2019-12-16T12:53:17.200402-0800 | 10.12.16.101 | 122.200.219.27 | TLSv1 | (not set)
12 | 2019-12-16T12:53:20.489547-0800 | 10.12.16.101 | 27.112.106.21 | TLS 1.2 | (not set)
13 | 2019-12-16T12:53:18.052711-0800 | 10.12.16.101 | 64.233.184.108 | TLS 1.2 | (not set)
14 | 2019-12-16T12:53:18.276830-0800 | 10.12.16.101 | 52.97.135.114 | TLS 1.2 | (not set)
15 | 2019-12-16T12:53:28.444356-0800 | 10.12.16.101 | 64.233.184.108 | TLS 1.2 | (not set)
16 | 2019-12-16T12:53:31.510787-0800 | 10.12.16.101 | 153.127.230.53 | TLSv1 | (not set)
17 | 2019-12-16T12:53:34.446495-0800 | 10.12.16.101 | 133.130.64.205 | TLS 1.2 | (not set)
18 | 2019-12-16T12:53:38.779624-0800 | 10.12.16.101 | 52.97.170.34 | TLS 1.2 | (not set)
19 | 2019-12-16T12:53:39.513870-0800 | 10.12.16.101 | 64.233.184.108 | TLS 1.2 | (not set)
20 | 2019-12-16T12:53:19.209257-0800 | 10.12.16.101 | 200.78.226.162 | TLS 1.2 | (not set)
TFTP (0 total)

# | Timestamp | Src IP | Dest IP | Tftp Packet | Tftp File | Tftp Mode
No results found.
HTTP (20 total; showing items 1-20)

# | Timestamp | Source | Hostname | Port | Method | URL | Status
1 | 2019-12-16T12:50:18.644807-0800 | 10.12.16.101 | oki-dental.com | 80 | GET | /sys/upydu-4nmmykhbf-292/ | 403
2 | 2019-12-16T12:50:19.401659-0800 | 10.12.16.101 | blog.itsaboutnature.net | 80 | GET | /confabulate-grainy/tad0m4bjt-li6lr-5546823/ | 200
3 | 2019-12-16T12:53:16.262816-0800 | 10.12.16.101 | 64.207.176.141 | 8080 | POST | /lmmBjn | 200
4 | 2019-12-16T12:53:16.639590-0800 | 10.12.16.101 | 64.207.176.141 | 8080 | POST | /QIrnjidOBG | 200
5 | 2019-12-16T12:53:48.581887-0800 | 10.12.16.101 | 64.207.176.141 | 8080 | POST | /Qb6Hb0ONYVQ2an | 200
6 | 2019-12-16T12:55:14.507638-0800 | 10.12.16.101 | 64.207.176.141 | 8080 | POST | /lqcZ9GHhKIkoVPdb | 200
7 | 2019-12-16T12:53:15.757626-0800 | 10.12.16.101 | 5.189.148.98 | 8080 | POST | /DmiI74YHj | 200
8 | 2019-12-16T12:53:15.993008-0800 | 10.12.16.101 | 5.189.148.98 | 8080 | POST | /lmmBjn | 200
9 | 2019-12-16T12:53:16.269947-0800 | 10.12.16.101 | 64.207.176.141 | 8080 | POST | /lmmBjn | 200
10 | 2019-12-16T12:53:17.954209-0800 | 10.12.16.101 | 64.207.176.141 | 8080 | POST | /fsIL1F4aeW | 200
11 | 2019-12-16T12:56:42.686087-0800 | 10.12.16.101 | 149.202.153.251 | 8080 | POST | /1SxH7 | 200
12 | 2019-12-16T12:55:07.525998-0800 | 10.12.16.101 | 64.207.176.141 | 8080 | POST | /Cux8Ia00axEqkIhB2 | 200
13 | 2019-12-16T12:56:17.457345-0800 | 10.12.16.101 | 149.202.153.251 | 8080 | POST | /iEo555d | 200
14 | 2019-12-16T12:57:06.170585-0800 | 10.12.16.101 | 190.38.252.45 | 443 | POST | /Zm3bDTIjDcE0VBqqFO | (not set)
15 | 2019-12-16T12:57:06.170585-0800 | 10.12.16.101 | 64.207.176.141 | 8080 | POST | /VJ9ZrKRKSWYOwNrPCk | 200
16 | 2019-12-16T12:57:06.170585-0800 | 10.12.16.101 | 164.68.115.146 | 8080 | POST | /dzbBGrkIdBkIqwPjf | (not set)
17 | 2019-12-16T12:57:06.170585-0800 | 10.12.16.101 | 105.225.77.21 | 80 | POST | /7rS6p32cGJz6yHNBUKW | (not set)
18 | 2019-12-16T12:57:06.170585-0800 | 10.12.16.101 | 82.145.43.153 | 8080 | POST | /PKgFIQr2tR | (not set)
19 | 2019-12-16T12:57:06.170585-0800 | 10.12.16.101 | 181.167.35.84 | 80 | POST | /Utmt2SR | (not set)
20 | 2019-12-16T12:57:06.170585-0800 | 10.12.16.101 | 64.207.176.141 | 8080 | POST | /xaMc6JN | (not set)
SMB (0 total)

# | Timestamp | Src IP | Dest IP | SMB Dialect | Command | Session | Tree
No results found.
SMTP (1 total; showing item 1)

# | Timestamp | Source | Destination | Email From | Email To | Subject
1 | 2019-12-16T12:56:41.538406-0800 | 10.12.16.101 | 157.7.244.31 | "Thompson, Amberlea" <miyagi@living-life.jpn.com> | "Wallace | RE: Thompson, Amberlea Invoice
Flow (812 total; showing items 1-20)

# | Timestamp | Flow Id | Event Type | Source | Source Port | Destination | Destination Port | Protocol | Host
1 | 2019-12-16T12:53:15.155674-0800 | 1069047120455397 | flow | 10.12.16.101 | 49207 | 104.27.149.107 | 80 | TCP | pcapanalyzer
2 | 2019-12-16T12:53:15.155674-0800 | 1376291902274184 | flow | 10.12.16.101 | 49207 | 104.27.148.107 | 80 | TCP | pcapanalyzer
3 | 2019-12-16T12:57:06.170585-0800 | 281929956353107 | flow | 10.12.16.101 | 53448 | 173.201.192.129 | 587 | TCP | pcapanalyzer
4 | 2019-12-16T12:57:06.170585-0800 | 1830050929020150 | flow | 10.12.16.101 | 56167 | 180.37.194.49 | 25 | TCP | pcapanalyzer
5 | 2019-12-16T12:57:06.170585-0800 | 985651766959263 | flow | 10.12.16.101 | 55679 | 64.233.184.108 | 465 | TCP | pcapanalyzer
6 | 2019-12-16T12:57:06.170585-0800 | 141518890517836 | flow | 10.12.16.101 | 51081 | 10.12.16.1 | 53 | UDP | pcapanalyzer
7 | 2019-12-16T12:57:06.170585-0800 | 837240703096 | flow | 10.12.16.101 | 55643 | 82.145.43.153 | 8080 | TCP | pcapanalyzer
8 | 2019-12-16T12:57:06.170585-0800 | 141712156273656 | flow | 10.12.16.101 | 52667 | 64.233.184.108 | 465 | TCP | pcapanalyzer
9 | 2019-12-16T12:57:06.170585-0800 | 2112161554579363 | flow | 10.12.16.101 | 65198 | 10.12.16.1 | 53 | UDP | pcapanalyzer
10 | 2019-12-16T12:57:06.170585-0800 | 845584282210618 | flow | 10.12.16.101 | 50146 | 10.12.16.1 | 53 | UDP | pcapanalyzer
11 | 2019-12-16T12:57:06.170585-0800 | 2112492272528487 | flow | 10.12.16.101 | 60661 | 10.12.16.1 | 53 | UDP | pcapanalyzer
12 | 2019-12-16T12:57:06.170585-0800 | 1606029702487 | flow | 10.12.16.101 | 60345 | 10.12.16.1 | 53 | UDP | pcapanalyzer
13 | 2019-12-16T12:57:06.170585-0800 | 1268290668067953 | flow | 10.12.16.101 | 52705 | 52.97.170.34 | 587 | TCP | pcapanalyzer
14 | 2019-12-16T12:57:06.170585-0800 | 424394026068685 | flow | 10.12.16.101 | 54516 | 204.79.197.212 | 587 | TCP | pcapanalyzer
15 | 2019-12-16T12:57:06.170585-0800 | 565264662998186 | flow | 10.12.16.101 | 55686 | 52.97.232.194 | 587 | TCP | pcapanalyzer
16 | 2019-12-16T12:57:06.170585-0800 | 1409736838422993 | flow | 10.12.16.101 | 54969 | 10.12.16.1 | 53 | UDP | pcapanalyzer
17 | 2019-12-16T12:57:06.170585-0800 | 987829316287969 | flow | 10.12.16.101 | 55927 | 193.252.22.84 | 25 | TCP | pcapanalyzer
18 | 2019-12-16T12:57:06.170585-0800 | 1128605448895709 | flow | 10.12.16.101 | 56036 | 10.12.16.1 | 53 | UDP | pcapanalyzer
19 | 2019-12-16T12:57:06.170585-0800 | 1973189303038419 | flow | 10.12.16.101 | 55870 | 31.186.28.100 | 587 | TCP | pcapanalyzer
20 | 2019-12-16T12:57:06.170585-0800 | 1973279484805597 | flow | 10.12.16.101 | 52666 | 64.233.184.108 | 465 | TCP | pcapanalyzer
File (33 total; showing items 1-20)

# | Timestamp | Source | Destination | File Name | File Magic | File Size
1 | 2019-12-16T12:50:18.644807-0800 | 157.7.106.97 | 10.12.16.101 | /sys/upydu-4nmmykhbf-292/ | HTML document, UTF-8 Unicode text, with very long lines | 1422
2 | 2019-12-16T12:52:31.287635-0800 | 10.12.16.101 | 105.225.77.21 | /7rS6p32cGJz6yHNBUKW | ASCII text, with very long lines, with no line terminators | 500
3 | 2019-12-16T12:51:55.182558-0800 | 10.12.16.101 | 190.38.252.45 | /Zm3bDTIjDcE0VBqqFO | ASCII text, with very long lines, with no line terminators | 503
4 | 2019-12-16T12:50:19.401659-0800 | 65.254.248.88 | 10.12.16.101 | zlolh5e6806027379.exe | PE32 executable (GUI) Intel 80386, for MS Windows | 307528
5 | 2019-12-16T12:53:04.470305-0800 | 10.12.16.101 | 181.167.35.84 | /Utmt2SR | ASCII text, with very long lines, with no line terminators | 494
6 | 2019-12-16T12:53:15.845415-0800 | 10.12.16.101 | 64.207.176.141 | /lmmBjn | ASCII text, with no line terminators | 225
7 | 2019-12-16T12:53:14.378476-0800 | 10.12.16.101 | 5.189.148.98 | /DmiI74YHj | ASCII text, with very long lines, with no line terminators | 500
8 | 2019-12-16T12:53:10.689392-0800 | 10.12.16.101 | 164.68.115.146 | /dzbBGrkIdBkIqwPjf | ASCII text, with very long lines, with no line terminators | 504
9 | 2019-12-16T12:53:16.262816-0800 | 64.207.176.141 | 10.12.16.101 | /lmmBjn | data | 148
10 | 2019-12-16T12:53:16.290663-0800 | 10.12.16.101 | 64.207.176.141 | /QIrnjidOBG | ASCII text, with no line terminators | 249
11 | 2019-12-16T12:53:16.639590-0800 | 64.207.176.141 | 10.12.16.101 | /QIrnjidOBG | data | 5908
12 | 2019-12-16T12:53:48.144620-0800 | 10.12.16.101 | 64.207.176.141 | /Qb6Hb0ONYVQ2an | ASCII text, with very long lines, with no line terminators | 681
13 | 2019-12-16T12:53:48.581887-0800 | 64.207.176.141 | 10.12.16.101 | /Qb6Hb0ONYVQ2an | data | 4132
14 | 2019-12-16T12:55:14.083540-0800 | 10.12.16.101 | 64.207.176.141 | /lqcZ9GHhKIkoVPdb | ASCII text, with very long lines, with no line terminators | 657
15 | 2019-12-16T12:55:14.507638-0800 | 64.207.176.141 | 10.12.16.101 | /lqcZ9GHhKIkoVPdb | data | 3700
16 | 2019-12-16T12:53:15.757626-0800 | 5.189.148.98 | 10.12.16.101 | /DmiI74YHj | data | 1449588
17 | 2019-12-16T12:55:59.338465-0800 | 10.12.16.101 | 64.207.176.141 | /VJ9ZrKRKSWYOwNrPCk | ASCII text, with very long lines, with no line terminators | 585
18 | 2019-12-16T12:53:15.817361-0800 | 10.12.16.101 | 5.189.148.98 | /lmmBjn | ASCII text, with very long lines, with no line terminators | 487
19 | 2019-12-16T12:53:15.845399-0800 | 10.12.16.101 | 64.207.176.141 | /lmmBjn | ASCII text, with no line terminators | 229
20 | 2019-12-16T12:53:15.993008-0800 | 5.189.148.98 | 10.12.16.101 | /lmmBjn | data | 148
