2017-11-12-Mercury-Text-pop-sends-coinminer.pcap

MD5: 674f53d5a096e920cd3cba8bd4c3fd23
Submission Date: 2017-11-26 09:12:28
Tags: peexe monero bitcoinminer
Alert 5

# | Timestamp | Src Ip | Dest Ip | Alert Signature | P
1 | 2017-11-12T13:30:22.301623-0800 | 162.254.150.34 | 10.11.12.101 | ET WEB_CLIENT SocEng Fake Font Download Template Nov 14 2017 | *
2 | 2017-11-12T13:34:02.037364-0800 | 10.11.12.101 | 185.202.103.26 | ET POLICY Cryptocurrency Miner Checkin | *
3 | 2017-11-12T13:59:18.064453-0800 | 10.11.12.101 | 185.202.103.26 | ET POLICY Cryptocurrency Miner Checkin | *
4 | 2017-11-12T13:33:03.349820-0800 | 162.254.150.34 | 10.11.12.101 | ET POLICY PE EXE or DLL Windows file download HTTP |
5 | 2017-11-12T13:33:03.349820-0800 | 162.254.150.34 | 10.11.12.101 | ET INFO EXE - Served Attached HTTP |
DNS 5

# | Timestamp | Src Ip | Dest Ip | Dns Type | Resource Record Name | Resource Record Type | Resource Data
1 | 2017-11-12T13:30:12.631080-0800 | 10.11.12.101 | 10.11.12.1 | query | www.lcmarkets.com.au | A | (not set)
2 | 2017-11-12T13:30:12.753195-0800 | 10.11.12.1 | 10.11.12.101 | answer | www.lcmarkets.com.au | A | (not set)
3 | 2017-11-12T13:30:20.953818-0800 | 10.11.12.101 | 10.11.12.1 | query | bmooc.net | A | (not set)
4 | 2017-11-12T13:30:20.984513-0800 | 10.11.12.101 | 10.11.12.1 | query | bmooc.net | A | (not set)
5 | 2017-11-12T13:30:21.032404-0800 | 10.11.12.1 | 10.11.12.101 | answer | bmooc.net | A | (not set)
TLS 0

# | Timestamp | Source IP | Destination IP | TLS Version | Server Name Indication
No results found.

TFTP 0

# | Timestamp | Src Ip | Dest Ip | Tftp Packet | Tftp File | Tftp Mode
No results found.
HTTP 4

# | Timestamp | Source | Hostname | Port | Method | URL | Status
1 | 2017-11-12T13:33:02.291033-0800 | 10.11.12.101 | bmooc.net | 80 | GET | /wp-content/service/cat.php?m=j | 200
2 | 2017-11-12T13:30:21.301103-0800 | 10.11.12.101 | bmooc.net | 80 | GET | /wp-content/service/cat.php?m=f | 200
3 | 2017-11-12T13:33:03.349820-0800 | 10.11.12.101 | www.lcmarkets.com.au | 80 | GET | / | 200
4 | 2017-11-12T13:33:03.349820-0800 | 10.11.12.101 | bmooc.net | 80 | GET | /wp-content/service/cat.php?m=e | 200
SMB 0

# | Timestamp | Src Ip | Dest Ip | SMB Dialect | Command | Session | Tree
No results found.

SMTP 0

# | Timestamp | Source | Destination | Email From | Email To | Subject
No results found.
Flow 7

# | Timestamp | Flow Id | Event Type | Source | Source Port | Destination | Destination Port | Protocol | Host
1 | 2017-11-12T13:33:03.349820-0800 | 140641882177951 | flow | 10.11.12.101 | 51047 | 162.254.150.34 | 80 | TCP | pcapanalyzer
2 | 2017-11-12T13:33:03.349820-0800 | 854920712716771 | flow | 10.11.12.101 | 51039 | 23.229.211.131 | 80 | TCP | pcapanalyzer
3 | 2017-11-12T13:33:03.349820-0800 | 1168848473480597 | flow | 10.11.12.101 | 51051 | 162.254.150.34 | 80 | TCP | pcapanalyzer
4 | 2017-11-12T13:33:03.349820-0800 | 1456259097744743 | flow | 10.11.12.101 | 51052 | 162.254.150.34 | 80 | TCP | pcapanalyzer
5 | 2017-11-12T13:33:03.349820-0800 | 1082931937054170 | flow | 10.11.12.101 | 53827 | 10.11.12.1 | 53 | UDP | pcapanalyzer
6 | 2017-11-12T13:33:03.349820-0800 | 1084851801884823 | flow | 10.11.12.101 | 51069 | 185.202.103.26 | 5000 | TCP | pcapanalyzer
7 | 2017-11-12T13:33:03.349820-0800 | 2070774414614824 | flow | 10.11.12.101 | 49175 | 10.11.12.1 | 53 | UDP | pcapanalyzer
File 4

# | Timestamp | Source | Destination | File Name | File Magic | File Size
1 | 2017-11-12T13:30:21.301103-0800 | 162.254.150.34 | 10.11.12.101 | /wp-content/service/cat.php | UTF-8 Unicode text, with very long lines, with CRLF line terminators | 108722
2 | 2017-11-12T13:33:02.291033-0800 | 162.254.150.34 | 10.11.12.101 | ttf.js | ASCII text, with very long lines, with CRLF, LF line terminators | 10455
3 | 2017-11-12T13:33:45.534994-0800 | 162.254.150.34 | 10.11.12.101 | data.bin | PE32 executable (GUI) Intel 80386, for MS Windows | 305309
4 | 2017-11-12T13:33:03.349820-0800 | 23.229.211.131 | 10.11.12.101 | / | HTML document, ASCII text, with very long lines, with CRLF, LF line terminators | 18627

Comments: http://www.malware-traffic-analysis.net/2017/11/12/index.html