2019-MTA-workshop-block-7-01.pcap

MD5: d4bcf9e38732bc0f74842eb11620fdfd
Submission Date: 2019-09-11 00:32:54
Tags: (not set)
Alert 70
Showing 1-20 of 70 items.
| # | Timestamp | Src IP | Dest IP | Alert Signature | P |
|---|---|---|---|---|---|
| 1 | 2019-05-03T08:18:23.595967-0700 | 10.0.40.217 | 104.24.112.109 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | * |
| 2 | 2019-05-03T08:18:23.595967-0700 | 10.0.40.217 | 104.24.112.109 | ET TROJAN LokiBot Checkin | * |
| 3 | 2019-05-03T08:18:23.595967-0700 | 10.0.40.217 | 104.24.112.109 | ET INFO HTTP POST Request to Suspicious *.cf Domain | * |
| 4 | 2019-05-03T08:18:23.956917-0700 | 10.0.40.217 | 104.24.112.109 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | * |
| 5 | 2019-05-03T08:18:23.956917-0700 | 10.0.40.217 | 104.24.112.109 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | * |
| 6 | 2019-05-03T08:19:24.118129-0700 | 10.0.40.217 | 104.24.112.109 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | * |
| 7 | 2019-05-03T08:19:24.118129-0700 | 10.0.40.217 | 104.24.112.109 | ET TROJAN LokiBot Checkin | * |
| 8 | 2019-05-03T08:19:24.118129-0700 | 10.0.40.217 | 104.24.112.109 | ET INFO HTTP POST Request to Suspicious *.cf Domain | * |
| 9 | 2019-05-03T08:19:24.452916-0700 | 10.0.40.217 | 104.24.112.109 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | * |
| 10 | 2019-05-03T08:19:24.452916-0700 | 10.0.40.217 | 104.24.112.109 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | * |
| 11 | 2019-05-03T08:20:24.636752-0700 | 10.0.40.217 | 104.24.112.109 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | * |
| 12 | 2019-05-03T08:20:24.636752-0700 | 10.0.40.217 | 104.24.112.109 | ET TROJAN LokiBot Checkin | * |
| 13 | 2019-05-03T08:20:24.636752-0700 | 10.0.40.217 | 104.24.112.109 | ET INFO HTTP POST Request to Suspicious *.cf Domain | * |
| 14 | 2019-05-03T08:20:24.993396-0700 | 10.0.40.217 | 104.24.112.109 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | * |
| 15 | 2019-05-03T08:20:24.993396-0700 | 10.0.40.217 | 104.24.112.109 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | * |
| 16 | 2019-05-03T08:17:22.671291-0700 | 10.0.40.217 | 104.24.112.109 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | * |
| 17 | 2019-05-03T08:17:22.671291-0700 | 10.0.40.217 | 104.24.112.109 | ET TROJAN LokiBot Checkin | * |
| 18 | 2019-05-03T08:17:22.671291-0700 | 10.0.40.217 | 104.24.112.109 | ET INFO HTTP POST Request to Suspicious *.cf Domain | * |
| 19 | 2019-05-03T08:17:23.009065-0700 | 10.0.40.217 | 104.24.112.109 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | * |
| 20 | 2019-05-03T08:17:23.009065-0700 | 10.0.40.217 | 104.24.112.109 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | * |
DNS 70
Showing 1-20 of 70 items.
| # | Timestamp | Src IP | Dest IP | DNS Type | Resource Record Name | Resource Record Type | Resource Data |
|---|---|---|---|---|---|---|---|
| 1 | 2019-05-03T08:15:55.072738-0700 | 10.0.40.217 | 10.0.40.4 | query | _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.pizzajukebox.com | SRV | (not set) |
| 2 | 2019-05-03T08:15:55.072957-0700 | 10.0.40.4 | 10.0.40.217 | answer | _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.pizzajukebox.com | SRV | (not set) |
| 3 | 2019-05-03T08:15:55.075409-0700 | 10.0.40.217 | 10.0.40.4 | query | pizzajukebox-dc.pizzajukebox.com | A | (not set) |
| 4 | 2019-05-03T08:15:55.075512-0700 | 10.0.40.4 | 10.0.40.217 | answer | pizzajukebox-dc.pizzajukebox.com | A | (not set) |
| 5 | 2019-05-03T08:15:55.241978-0700 | 10.0.40.217 | 10.0.40.4 | query | _ldap._tcp.Default-First-Site-Name._sites.pizzajukebox.com | SRV | (not set) |
| 6 | 2019-05-03T08:15:55.242239-0700 | 10.0.40.4 | 10.0.40.217 | answer | _ldap._tcp.Default-First-Site-Name._sites.pizzajukebox.com | SRV | (not set) |
| 7 | 2019-05-03T08:15:55.281343-0700 | 10.0.40.217 | 10.0.40.4 | query | _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.pizzajukebox.com | SRV | (not set) |
| 8 | 2019-05-03T08:15:55.281511-0700 | 10.0.40.4 | 10.0.40.217 | answer | _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.pizzajukebox.com | SRV | (not set) |
| 9 | 2019-05-03T08:15:58.540466-0700 | 10.0.40.217 | 10.0.40.4 | query | isatap.localdomain | A | (not set) |
| 10 | 2019-05-03T08:15:58.540670-0700 | 10.0.40.4 | 10.0.40.217 | answer | isatap.localdomain | A | (not set) |
| 11 | 2019-05-03T08:15:56.318079-0700 | 10.0.40.217 | 10.0.40.4 | query | _ldap._tcp.Default-First-Site-Name._sites.PizzaJukebox-DC.pizzajukebox.com | SRV | (not set) |
| 12 | 2019-05-03T08:15:56.318323-0700 | 10.0.40.4 | 10.0.40.217 | answer | _ldap._tcp.Default-First-Site-Name._sites.PizzaJukebox-DC.pizzajukebox.com | SRV | (not set) |
| 13 | 2019-05-03T08:15:58.430176-0700 | 10.0.40.217 | 10.0.40.4 | query | PizzaJukebox-DC.pizzajukebox.com | A | (not set) |
| 14 | 2019-05-03T08:15:58.430402-0700 | 10.0.40.4 | 10.0.40.217 | answer | PizzaJukebox-DC.pizzajukebox.com | A | (not set) |
| 15 | 2019-05-03T08:16:47.574239-0700 | 10.0.40.217 | 10.0.40.4 | query | _ldap._tcp.PizzaJukebox-DC.pizzajukebox.com | SRV | (not set) |
| 16 | 2019-05-03T08:16:47.574339-0700 | 10.0.40.4 | 10.0.40.217 | answer | _ldap._tcp.PizzaJukebox-DC.pizzajukebox.com | SRV | (not set) |
| 17 | 2019-05-03T08:16:48.092181-0700 | 10.0.40.217 | 10.0.40.4 | query | dns.msftncsi.com | A | (not set) |
| 18 | 2019-05-03T08:16:48.111239-0700 | 10.0.40.4 | 10.0.40.217 | answer | dns.msftncsi.com | A | (not set) |
| 19 | 2019-05-03T08:16:03.077064-0700 | 10.0.40.217 | 10.0.40.4 | query | Hamburg-1792-PC.pizzajukebox.com | SOA | (not set) |
| 20 | 2019-05-03T08:16:03.077318-0700 | 10.0.40.4 | 10.0.40.217 | answer | Hamburg-1792-PC.pizzajukebox.com | SOA | (not set) |
TLS 0
| # | Timestamp | Source IP | Destination IP | TLS Version | Server Name Indication |
|---|---|---|---|---|---|

No results found.
TFTP 0
| # | Timestamp | Src IP | Dest IP | TFTP Packet | TFTP File | TFTP Mode |
|---|---|---|---|---|---|---|

No results found.
HTTP 14
Showing 1-14 of 14 items.
| # | Timestamp | Source | Hostname | Port | Method | URL | Status |
|---|---|---|---|---|---|---|---|
| 1 | 2019-05-03T08:16:00.762569-0700 | 10.0.40.217 | www.msftncsi.com | 80 | GET | /ncsi.txt | 200 |
| 2 | 2019-05-03T08:19:08.114431-0700 | 10.0.40.217 | onyeocha2.cf | 80 | POST | /sinos/fre.php | 404 |
| 3 | 2019-05-03T08:19:08.114431-0700 | 10.0.40.217 | onyeocha2.cf | 80 | POST | /sinos/fre.php | 404 |
| 4 | 2019-05-03T08:19:08.114431-0700 | 10.0.40.217 | onyeocha2.cf | 80 | POST | /sinos/fre.php | 404 |
| 5 | 2019-05-03T08:19:08.114431-0700 | 10.0.40.217 | onyeocha2.cf | 80 | POST | /sinos/fre.php | 404 |
| 6 | 2019-05-03T08:19:08.114431-0700 | 10.0.40.217 | onyeocha2.cf | 80 | POST | /sinos/fre.php | 404 |
| 7 | 2019-05-03T08:19:08.114431-0700 | 10.0.40.217 | onyeocha2.cf | 80 | POST | /sinos/fre.php | 404 |
| 8 | 2019-05-03T08:16:00.762569-0700 | 10.0.40.217 | www.msftncsi.com | 80 | GET | /ncsi.txt | 200 |
| 9 | 2019-05-03T08:18:23.957037-0700 | 10.0.40.217 | onyeocha2.cf | 80 | POST | /sinos/fre.php | 404 |
| 10 | 2019-05-03T08:18:23.957037-0700 | 10.0.40.217 | onyeocha2.cf | 80 | POST | /sinos/fre.php | 404 |
| 11 | 2019-05-03T08:18:23.957037-0700 | 10.0.40.217 | onyeocha2.cf | 80 | POST | /sinos/fre.php | 404 |
| 12 | 2019-05-03T08:18:23.957037-0700 | 10.0.40.217 | onyeocha2.cf | 80 | POST | /sinos/fre.php | 404 |
| 13 | 2019-05-03T08:18:23.957037-0700 | 10.0.40.217 | onyeocha2.cf | 80 | POST | /sinos/fre.php | 404 |
| 14 | 2019-05-03T08:18:23.957037-0700 | 10.0.40.217 | onyeocha2.cf | 80 | POST | /sinos/fre.php | 404 |
SMB 94
Showing 1-20 of 94 items.
| # | Timestamp | Src IP | Dest IP | SMB Dialect | Command | Session | Tree |
|---|---|---|---|---|---|---|---|
| 1 | 2019-05-03T08:15:55.295840-0700 | 10.0.40.217 | 10.0.40.4 | 2.?? | SMB1_COMMAND_NEGOTIATE_PROTOCOL | 0 | 0 |
| 2 | 2019-05-03T08:15:55.316043-0700 | 10.0.40.217 | 10.0.40.4 | 2.10 | SMB2_COMMAND_NEGOTIATE_PROTOCOL | 0 | 0 |
| 3 | 2019-05-03T08:15:55.317583-0700 | 10.0.40.217 | 10.0.40.4 | 2.10 | SMB2_COMMAND_SESSION_SETUP | 4398113620045 | 0 |
| 4 | 2019-05-03T08:15:55.318258-0700 | 10.0.40.217 | 10.0.40.4 | 2.10 | SMB2_COMMAND_TREE_CONNECT | 4398113620045 | 1 |
| 5 | 2019-05-03T08:15:55.442771-0700 | 10.0.40.217 | 10.0.40.4 | 2.10 | SMB2_COMMAND_IOCTL | 4398113620045 | 1 |
| 6 | 2019-05-03T08:15:55.674333-0700 | 10.0.40.217 | 10.0.40.4 | 2.10 | SMB2_COMMAND_IOCTL | 4398113620045 | 1 |
| 7 | 2019-05-03T08:15:56.346444-0700 | 10.0.40.217 | 10.0.40.4 | 2.10 | SMB2_COMMAND_NEGOTIATE_PROTOCOL | 0 | 0 |
| 8 | 2019-05-03T08:15:56.347759-0700 | 10.0.40.217 | 10.0.40.4 | 2.10 | SMB2_COMMAND_SESSION_SETUP | 4398113620069 | 0 |
| 9 | 2019-05-03T08:15:56.348104-0700 | 10.0.40.217 | 10.0.40.4 | 2.10 | SMB2_COMMAND_TREE_CONNECT | 4398113620069 | 1 |
| 10 | 2019-05-03T08:15:56.348581-0700 | 10.0.40.217 | 10.0.40.4 | 2.10 | SMB2_COMMAND_IOCTL | 4398113620069 | 1 |
| 11 | 2019-05-03T08:15:56.349027-0700 | 10.0.40.217 | 10.0.40.4 | 2.10 | SMB2_COMMAND_IOCTL | 4398113620069 | 1 |
| 12 | 2019-05-03T08:15:56.349411-0700 | 10.0.40.217 | 10.0.40.4 | 2.10 | SMB2_COMMAND_TREE_CONNECT | 4398113620069 | 5 |
| 13 | 2019-05-03T08:15:56.350021-0700 | 10.0.40.217 | 10.0.40.4 | 2.10 | SMB2_COMMAND_CREATE | 4398113620069 | 5 |
| 14 | 2019-05-03T08:15:56.699009-0700 | 10.0.40.217 | 10.0.40.4 | 2.10 | SMB2_COMMAND_CREATE | 4398113620069 | 5 |
| 15 | 2019-05-03T08:15:56.715127-0700 | 10.0.40.217 | 10.0.40.4 | 2.10 | SMB2_COMMAND_CREATE | 4398113620069 | 5 |
| 16 | 2019-05-03T08:15:56.715596-0700 | 10.0.40.217 | 10.0.40.4 | 2.10 | SMB2_COMMAND_CREATE | 4398113620069 | 5 |
| 17 | 2019-05-03T08:16:47.586401-0700 | 10.0.40.217 | 10.0.40.4 | 2.10 | SMB2_COMMAND_NEGOTIATE_PROTOCOL | 0 | 0 |
| 18 | 2019-05-03T08:16:47.587785-0700 | 10.0.40.217 | 10.0.40.4 | 2.10 | SMB2_COMMAND_SESSION_SETUP | 4398113620085 | 0 |
| 19 | 2019-05-03T08:16:47.588281-0700 | 10.0.40.217 | 10.0.40.4 | 2.10 | SMB2_COMMAND_TREE_CONNECT | 4398113620085 | 1 |
| 20 | 2019-05-03T08:16:47.588910-0700 | 10.0.40.217 | 10.0.40.4 | 2.10 | SMB2_COMMAND_CREATE | 4398113620085 | 1 |
SMTP 0
| # | Timestamp | Source | Destination | Email From | Email To | Subject |
|---|---|---|---|---|---|---|

No results found.
Flow 178
Showing 1-20 of 178 items.
| # | Timestamp | Flow Id | Event Type | Source | Source Port | Destination | Destination Port | Protocol | Host |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 2019-05-03T08:19:08.114431-0700 | 1970390791325224 | flow | 10.0.40.217 | 49183 | 10.0.40.4 | 389 | TCP | pcapanalyzer |
| 2 | 2019-05-03T08:19:08.114431-0700 | 845068557307535 | flow | 10.0.40.217 | 49174 | 10.0.40.4 | 88 | TCP | pcapanalyzer |
| 3 | 2019-05-03T08:19:08.114431-0700 | 1690983841122476 | flow | 10.0.40.217 | 49164 | 10.0.40.4 | 88 | TCP | pcapanalyzer |
| 4 | 2019-05-03T08:19:08.114431-0700 | 285659805150153 | flow | 10.0.40.217 | 49193 | 10.0.40.4 | 88 | TCP | pcapanalyzer |
| 5 | 2019-05-03T08:19:08.114431-0700 | 1412659223179453 | flow | 10.0.40.217 | 49185 | 10.0.40.4 | 88 | TCP | pcapanalyzer |
| 6 | 2019-05-03T08:19:08.114431-0700 | 146318180427135 | flow | 10.0.40.217 | 53480 | 10.0.40.4 | 53 | UDP | pcapanalyzer |
| 7 | 2019-05-03T08:19:08.114431-0700 | 850089374138150 | flow | 10.0.40.217 | 49181 | 10.0.40.4 | 88 | TCP | pcapanalyzer |
| 8 | 2019-05-03T08:19:08.114431-0700 | 709689040750071 | flow | 10.0.40.217 | 60189 | 224.0.0.252 | 5355 | UDP | pcapanalyzer |
| 9 | 2019-05-03T08:19:08.114431-0700 | 428819660069387 | flow | 10.0.40.217 | 49207 | 104.24.112.109 | 80 | TCP | pcapanalyzer |
| 10 | 2019-05-03T08:19:08.114431-0700 | 289815188669717 | flow | 10.0.40.217 | 49200 | 10.0.40.4 | 88 | TCP | pcapanalyzer |
| 11 | 2019-05-03T08:19:08.114431-0700 | 997804036996914 | flow | 10.0.40.217 | 54908 | 10.0.40.4 | 53 | UDP | pcapanalyzer |
| 12 | 2019-05-03T08:19:08.114431-0700 | 1704263889695893 | flow | 10.0.40.217 | 49211 | 104.24.112.109 | 80 | TCP | pcapanalyzer |
| 13 | 2019-05-03T08:19:08.114431-0700 | 16090477042722 | flow | 10.0.40.217 | 53169 | 10.0.40.4 | 53 | UDP | pcapanalyzer |
| 14 | 2019-05-03T08:19:08.114431-0700 | 1564752622409167 | flow | 10.0.40.217 | 49223 | 104.24.112.109 | 80 | TCP | pcapanalyzer |
| 15 | 2019-05-03T08:19:08.114431-0700 | 1564988828497026 | flow | 10.0.40.217 | 52206 | 10.0.40.4 | 53 | UDP | pcapanalyzer |
| 16 | 2019-05-03T08:19:08.114431-0700 | 2128129907435574 | flow | 10.0.40.217 | 53481 | 10.0.40.4 | 389 | UDP | pcapanalyzer |
| 17 | 2019-05-03T08:19:08.114431-0700 | 298718652534034 | flow | 10.0.40.217 | 49176 | 10.0.40.4 | 88 | TCP | pcapanalyzer |
| 18 | 2019-05-03T08:19:08.114431-0700 | 724742901059239 | flow | 10.0.40.217 | 49165 | 10.0.40.4 | 88 | TCP | pcapanalyzer |
| 19 | 2019-05-03T08:19:08.114431-0700 | 303425936666938 | flow | 10.0.40.217 | 59400 | 10.0.40.4 | 53 | UDP | pcapanalyzer |
| 20 | 2019-05-03T08:19:08.114431-0700 | 1009295221845121 | flow | 10.0.40.217 | 137 | 10.0.40.255 | 137 | UDP | pcapanalyzer |
File 34
Showing 1-20 of 34 items.
| # | Timestamp | Source | Destination | File Name | File Magic | File Size |
|---|---|---|---|---|---|---|
| 1 | 2019-05-03T08:18:23.595993-0700 | 10.0.40.217 | 104.24.112.109 | /sinos/fre.php | data | 189 |
| 2 | 2019-05-03T08:19:24.118153-0700 | 10.0.40.217 | 104.24.112.109 | /sinos/fre.php | data | 189 |
| 3 | 2019-05-03T08:16:00.762569-0700 | 23.63.254.144 | 10.0.40.217 | /ncsi.txt | ASCII text, with no line terminators | 14 |
| 4 | 2019-05-03T08:20:24.636799-0700 | 10.0.40.217 | 104.24.112.109 | /sinos/fre.php | data | 189 |
| 5 | 2019-05-03T08:17:12.267530-0700 | 10.0.40.4 | 10.0.40.217 | pizzajukebox.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini | ASCII text, with CRLF line terminators | 22 |
| 6 | 2019-05-03T08:17:22.671317-0700 | 10.0.40.217 | 104.24.112.109 | /sinos/fre.php | data | 216 |
| 7 | 2019-05-03T08:16:12.160056-0700 | 10.0.40.4 | 10.0.40.217 | pizzajukebox.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf | Little-endian UTF-16 Unicode text, with CRLF, CR line terminators | 1098 |
| 8 | 2019-05-03T08:17:23.074949-0700 | 10.0.40.217 | 104.24.112.109 | /sinos/fre.php | data | 189 |
| 9 | 2019-05-03T08:16:24.177511-0700 | 10.0.40.4 | 10.0.40.217 | pizzajukebox.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini | ASCII text, with CRLF line terminators | 22 |
| 10 | 2019-05-03T08:16:24.177912-0700 | 10.0.40.4 | 10.0.40.217 | pizzajukebox.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol | data | 2800 |
| 11 | 2019-05-03T08:17:22.246962-0700 | 10.0.40.217 | 104.24.112.109 | /sinos/fre.php | data | 216 |
| 12 | 2019-05-03T08:19:08.114431-0700 | 104.24.112.109 | 10.0.40.217 | /sinos/fre.php | data | 23 |
| 13 | 2019-05-03T08:19:08.114431-0700 | 104.24.112.109 | 10.0.40.217 | /sinos/fre.php | data | 23 |
| 14 | 2019-05-03T08:19:08.114431-0700 | 104.24.112.109 | 10.0.40.217 | /sinos/fre.php | data | 23 |
| 15 | 2019-05-03T08:19:08.114431-0700 | 104.24.112.109 | 10.0.40.217 | /sinos/fre.php | ASCII text, with no line terminators | 15 |
| 16 | 2019-05-03T08:19:08.114431-0700 | 104.24.112.109 | 10.0.40.217 | /sinos/fre.php | data | 23 |
| 17 | 2019-05-03T08:19:08.114431-0700 | 104.24.112.109 | 10.0.40.217 | /sinos/fre.php | ASCII text, with no line terminators | 15 |
| 18 | 2019-05-03T08:17:22.246962-0700 | 10.0.40.217 | 104.24.112.109 | /sinos/fre.php | data | 216 |
| 19 | 2019-05-03T08:17:12.267530-0700 | 10.0.40.4 | 10.0.40.217 | pizzajukebox.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini | ASCII text, with CRLF line terminators | 22 |
| 20 | 2019-05-03T08:16:00.762569-0700 | 23.63.254.144 | 10.0.40.217 | /ncsi.txt | ASCII text, with no line terminators | 14 |

Comments: (not set)
