2018-01-02-fake-Flash-player-installs-coinminer-malware.pcap

MD5: cd4b49bcfe13efbd505c2ae339bcb2be
Submission Date: 2019-08-12 19:55:50
Tags: (not set)
Alert (2)
Showing 1-2 of 2 items.
# | Timestamp | Src Ip | Dest Ip | Alert Signature | P
1 | 2018-01-02T14:23:33.904136-0800 | 104.27.152.183 | 10.1.2.102 | ET CURRENT_EVENTS Possible Keitaro TDS Redirect | *
2 | 2018-01-02T14:23:47.292009-0800 | 138.201.224.9 | 10.1.2.102 | ET CURRENT_EVENTS Possible Keitaro TDS Redirect | *
DNS (24)
Showing 1-20 of 24 items.
# | Timestamp | Src Ip | Dest Ip | Dns Type | Resource Record Name | Resource Record Type | Resource Data
1 | 2018-01-02T14:22:47.260868-0800 | 10.1.2.102 | 10.1.2.1 | query | 5chrup56.ru | A | (not set)
2 | 2018-01-02T14:22:47.447650-0800 | 10.1.2.1 | 10.1.2.102 | answer | 5chrup56.ru | (not set) | (not set)
3 | 2018-01-02T14:22:51.217836-0800 | 10.1.2.102 | 10.1.2.1 | query | github.com | A | (not set)
4 | 2018-01-02T14:22:51.376991-0800 | 10.1.2.1 | 10.1.2.102 | answer | github.com | (not set) | (not set)
5 | 2018-01-02T14:22:46.727640-0800 | 10.1.2.102 | 10.1.2.1 | query | zad33a.ru | A | (not set)
6 | 2018-01-02T14:22:46.885164-0800 | 10.1.2.1 | 10.1.2.102 | answer | zad33a.ru | (not set) | (not set)
7 | 2018-01-02T14:22:47.886381-0800 | 10.1.2.102 | 10.1.2.1 | query | adobeflashplayer.ki1ahb.xyz | A | (not set)
8 | 2018-01-02T14:22:48.060621-0800 | 10.1.2.1 | 10.1.2.102 | answer | adobeflashplayer.ki1ahb.xyz | (not set) | (not set)
9 | 2018-01-02T14:23:18.256997-0800 | 10.1.2.102 | 10.1.2.1 | query | pronetads.com | A | (not set)
10 | 2018-01-02T14:23:18.436150-0800 | 10.1.2.1 | 10.1.2.102 | answer | pronetads.com | (not set) | (not set)
11 | 2018-01-02T14:24:08.065984-0800 | 10.1.2.102 | 10.1.2.1 | query | pronetads.com | A | (not set)
12 | 2018-01-02T14:24:08.231154-0800 | 10.1.2.1 | 10.1.2.102 | answer | pronetads.com | (not set) | (not set)
13 | 2018-01-02T14:30:07.930577-0800 | 10.1.2.102 | 10.1.2.1 | query | pronetads.com | A | (not set)
14 | 2018-01-02T14:30:08.103132-0800 | 10.1.2.1 | 10.1.2.102 | answer | pronetads.com | (not set) | (not set)
15 | 2018-01-02T14:22:50.688683-0800 | 10.1.2.102 | 10.1.2.1 | query | 1sjs21891.ru | A | (not set)
16 | 2018-01-02T14:22:50.855422-0800 | 10.1.2.1 | 10.1.2.102 | answer | 1sjs21891.ru | (not set) | (not set)
17 | 2018-01-02T14:22:52.536566-0800 | 10.1.2.102 | 10.1.2.1 | query | raw.githubusercontent.com | A | (not set)
18 | 2018-01-02T14:22:52.696902-0800 | 10.1.2.1 | 10.1.2.102 | answer | raw.githubusercontent.com | (not set) | (not set)
19 | 2018-01-02T14:23:11.296636-0800 | 10.1.2.102 | 10.1.2.1 | query | 1sjs21891.ru | A | (not set)
20 | 2018-01-02T14:23:11.465736-0800 | 10.1.2.1 | 10.1.2.102 | answer | 1sjs21891.ru | (not set) | (not set)
TLS (2)
Showing 1-2 of 2 items.
# | Timestamp | Source IP | Destination IP | TLS Version | Issuer
1 | 2018-01-02T14:22:53.024265-0800 | 10.1.2.102 | 151.101.0.133 | TLS 1.2 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA
2 | 2018-01-02T14:22:51.882123-0800 | 10.1.2.102 | 192.30.253.112 | TLS 1.2 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA
TFTP (0)
# | Timestamp | Src Ip | Dest Ip | Tftp Packet | Tftp File | Tftp Mode
No results found.
HTTP (7)
Showing 1-7 of 7 items.
# | Timestamp | Source | Hostname | Port | Method | URL | Status
1 | 2018-01-02T14:22:47.256896-0800 | 10.1.2.102 | zad33a.ru | 80 | GET | /WW12hz?sub_id_1=zerderusset-hornet&sub_id_2=zv73e4a40af00b11e78d3b063e70912a684ff9bf0a5f8c41ca9867d782a0403934026350c6b3f7e82428&sub_id_3=zerde927508 | 302
2 | 2018-01-02T14:22:47.880232-0800 | 10.1.2.102 | 5chrup56.ru | 80 | GET | /?W3hmqY&sub_id_2=zv73e4a40af00b11e78d3b063e70912a684ff9bf0a5f8c41ca9867d782a0403934026350c6b3f7e82428 | 302
3 | 2018-01-02T14:22:51.212036-0800 | 10.1.2.102 | 1sjs21891.ru | 80 | GET | /direct.php?sub2=42-99-201801030022450bcc54d62e&f=flashupdate.exe | 302
4 | 2018-01-02T14:22:48.395198-0800 | 10.1.2.102 | adobeflashplayer.ki1ahb.xyz | 80 | GET | /blocked.php?l=en&c=42-99-201801030022450bcc54d62e&key=35dfb814149925895f643474&reason=update | 200
5 | 2018-01-02T14:22:48.570166-0800 | 10.1.2.102 | adobeflashplayer.ki1ahb.xyz | 80 | GET | /img/logo.png?id=rHaLv | 200
6 | 2018-01-02T14:23:11.808054-0800 | 10.1.2.102 | 1sjs21891.ru | 80 | GET | /tnk.php | 302
7 | 2018-01-02T14:26:08.573133-0800 | 10.1.2.102 | adobeflashplayer.ki1ahb.xyz | 80 | GET | /thunderbird/default.mp3?iq=rHaLv | 200
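The HTTP table above is listed in index order, not in time order, which hides the redirect chain. The following script is an added example (not output of the analyzer or part of the original page): it takes the seven rows exactly as shown, sorts them chronologically and links requests into chains using two heuristics that are this example's own assumptions: two requests that carry the same query-string value (the sub_id_2, c/sub2 and id/iq values the TDS passes along) belong to the same chain, and a 302 followed by another request within 2 seconds is the client following the Location header. It also reports 302 responses that were not followed over plaintext HTTP within that window, which is where the capture's plaintext view of the chain ends.

```python
"""Reconstruct the redirect chain from the HTTP rows of the pcap analysis.

The rows are copied from the page's HTTP table.  The linking heuristics
(shared tracking values, a 302 followed by a request within 2 s) and the
thresholds below are this example's own assumptions, not analyzer output.
"""
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# (timestamp, hostname, url, status) as shown in the HTTP table, in table order
HTTP_ROWS = [
    ("2018-01-02T14:22:47.256896-0800", "zad33a.ru",
     "/WW12hz?sub_id_1=zerderusset-hornet&sub_id_2=zv73e4a40af00b11e78d3b063e70912a684ff9bf0a5f8c41ca9867d782a0403934026350c6b3f7e82428&sub_id_3=zerde927508", 302),
    ("2018-01-02T14:22:47.880232-0800", "5chrup56.ru",
     "/?W3hmqY&sub_id_2=zv73e4a40af00b11e78d3b063e70912a684ff9bf0a5f8c41ca9867d782a0403934026350c6b3f7e82428", 302),
    ("2018-01-02T14:22:51.212036-0800", "1sjs21891.ru",
     "/direct.php?sub2=42-99-201801030022450bcc54d62e&f=flashupdate.exe", 302),
    ("2018-01-02T14:22:48.395198-0800", "adobeflashplayer.ki1ahb.xyz",
     "/blocked.php?l=en&c=42-99-201801030022450bcc54d62e&key=35dfb814149925895f643474&reason=update", 200),
    ("2018-01-02T14:22:48.570166-0800", "adobeflashplayer.ki1ahb.xyz",
     "/img/logo.png?id=rHaLv", 200),
    ("2018-01-02T14:23:11.808054-0800", "1sjs21891.ru", "/tnk.php", 302),
    ("2018-01-02T14:26:08.573133-0800", "adobeflashplayer.ki1ahb.xyz",
     "/thunderbird/default.mp3?iq=rHaLv", 200),
]

FOLLOW_WINDOW_S = 2.0  # assumption: a 302 is "followed" by the next request if it arrives within 2 s
MIN_TOKEN_LEN = 5      # assumption: values as short as "en" are not tracking tokens


def parse_ts(ts):
    """Parse the analyzer's ISO-8601 timestamp with a numeric UTC offset."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def query_values(url):
    """Return the set of query-string values long enough to act as tracking tokens."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return {v for _, v in pairs if len(v) >= MIN_TOKEN_LEN}


def _find(parent, i):
    while parent[i] != i:
        parent[i] = parent[parent[i]]  # path halving
        i = parent[i]
    return i


def _union(parent, a, b):
    parent[_find(parent, a)] = _find(parent, b)


def _gap_seconds(earlier, later):
    return (parse_ts(later[0]) - parse_ts(earlier[0])).total_seconds()


def reconstruct_chains(rows=HTTP_ROWS):
    """Group requests that belong to one redirect chain.

    Returns a list of chains, each a chronologically ordered list of
    (hostname, path, status); chains are ordered by their first request.
    """
    ordered = sorted(rows, key=lambda r: parse_ts(r[0]))
    parent = list(range(len(ordered)))
    tokens = [query_values(r[2]) for r in ordered]
    # link 1: two requests carrying the same tracking value belong together
    for i in range(len(ordered)):
        for j in range(i + 1, len(ordered)):
            if tokens[i] & tokens[j]:
                _union(parent, i, j)
    # link 2: a 302 followed quickly by another request is the client following Location
    for i in range(len(ordered) - 1):
        if ordered[i][3] == 302 and _gap_seconds(ordered[i], ordered[i + 1]) <= FOLLOW_WINDOW_S:
            _union(parent, i, i + 1)
    groups = {}  # insertion order == order of each chain's first request
    for i, r in enumerate(ordered):
        groups.setdefault(_find(parent, i), []).append((r[1], urlsplit(r[2]).path, r[3]))
    return list(groups.values())


def unresolved_redirects(rows=HTTP_ROWS):
    """302 responses not followed over plaintext HTTP within the window.

    The next hop is either absent from the capture or was fetched over TLS.
    """
    ordered = sorted(rows, key=lambda r: parse_ts(r[0]))
    out = []
    for i, r in enumerate(ordered):
        if r[3] != 302:
            continue
        nxt = ordered[i + 1] if i + 1 < len(ordered) else None
        if nxt is None or _gap_seconds(r, nxt) > FOLLOW_WINDOW_S:
            out.append((r[1], urlsplit(r[2]).path))
    return out


if __name__ == "__main__":
    for n, chain in enumerate(reconstruct_chains(), 1):
        print(f"chain {n}: " + " -> ".join(f"{h}{p} [{s}]" for h, p, s in chain))
    for h, p in unresolved_redirects():
        print(f"302 from {h}{p} not followed over HTTP within {FOLLOW_WINDOW_S}s")
```

Run as-is, the first chain comes out as zad33a.ru/WW12hz [302] -> 5chrup56.ru/ [302] -> adobeflashplayer.ki1ahb.xyz/blocked.php [200] -> 1sjs21891.ru/direct.php [302], with the blocked.php landing page tied to the direct.php?f=flashupdate.exe request by the shared 42-99-... value. The two unresolved 302s are direct.php and tnk.php: no plaintext HTTP request follows either within the window. For direct.php, the DNS and TLS tables show lookups for github.com and raw.githubusercontent.com and TLS 1.2 handshakes to 192.30.253.112 and 151.101.0.133 in the two seconds after it, so the next hop is in the encrypted traffic the HTTP table cannot show; the capture itself does not reveal what was fetched there.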
SMB (0)
# | Timestamp | Src Ip | Dest Ip | SMB Dialect | Command | Session | Tree
No results found.
SMTP (0)
# | Timestamp | Source | Destination | Email From | Email To | Subject
No results found.
Flow (25)
Showing 21-25 of 25 items.
# | Timestamp | Flow Id | Event Type | Source | Source Port | Destination | Destination Port | Protocol | Host
21 | 2018-01-02T14:26:08.573133-0800 | 1789143893471190 | flow | 10.1.2.102 | 49988 | 37.97.225.90 | 80 | TCP | pcapanalyzer
22 | 2018-01-02T14:26:08.573133-0800 | 110735098777780 | flow | 10.1.2.102 | 49991 | 212.224.112.209 | 80 | TCP | pcapanalyzer
23 | 2018-01-02T14:26:08.573133-0800 | 818678852885080 | flow | 10.1.2.102 | 54975 | 10.1.2.1 | 53 | UDP | pcapanalyzer
24 | 2018-01-02T14:26:08.573133-0800 | 1389074132512758 | flow | 10.1.2.102 | 50846 | 10.1.2.1 | 53 | UDP | pcapanalyzer
25 | 2018-01-02T14:26:08.573133-0800 | 1963038529454635 | flow | 10.1.2.102 | 62970 | 10.1.2.1 | 53 | UDP | pcapanalyzer
File (3)
Showing 1-3 of 3 items.
# | Timestamp | Source | Destination | File Name | File Magic | File Size
1 | 2018-01-02T14:22:48.395198-0800 | 37.97.225.90 | 10.1.2.102 | /blocked.php | HTML document, UTF-8 Unicode text, with very long lines | 9542
2 | 2018-01-02T14:22:48.570166-0800 | 37.97.225.90 | 10.1.2.102 | /img/logo.png | PNG image data, 111 x 110, 8-bit colormap, non-interlaced | 3910
3 | 2018-01-02T14:26:08.573133-0800 | 37.97.225.90 | 10.1.2.102 | /thunderbird/default.mp3 | Audio file with ID3 version 2.3.0, contains: MPEG ADTS, layer III, v1, 320 kbps, 44.1 kHz, JntStereo | 49505

Comments: (not set)
