2015-03-03-traffic-analysis-exercise.pcap

MD5: 60bbbf280f3700d64a674dcd8614d26d
Submission Date: 2017-11-26 09:31:42
Tags: angler-ek, zeus, encrypted-peexe
Alert (4 items, showing 1-4)

# | Timestamp | Src Ip | Dest Ip | Alert Signature | P
1 | 2015-03-03T11:09:12.798875-0800 | 192.186.248.36 | 172.16.101.196 | ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 29 2016 | *
2 | 2015-03-03T11:09:18.028881-0800 | 172.16.101.1 | 172.16.101.196 | ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses | *
3 | 2015-03-03T11:09:16.831413-0800 | 172.16.101.196 | 208.113.226.171 | ET TROJAN Possible Bedep Connectivity Check (2) | *
4 | 2015-03-03T11:09:16.831413-0800 | 172.16.101.196 | 208.113.226.171 | ET POLICY External Timezone Check (earthtools.org) | *
DNS (418 items, showing 1-20)

# | Timestamp | Src Ip | Dest Ip | Dns Type | Resource Record Name | Resource Record Type | Resource Data
1 | 2015-03-03T11:08:40.454029-0800 | 172.16.101.196 | 172.16.101.1 | query | wpad.mshome.net | A | (not set)
2 | 2015-03-03T11:08:40.454724-0800 | 172.16.101.1 | 172.16.101.196 | answer | wpad.mshome.net | A | (not set)
3 | 2015-03-03T11:08:44.543720-0800 | 172.16.101.196 | 172.16.101.1 | query | www.google.co.uk | A | (not set)
4 | 2015-03-03T11:08:44.544135-0800 | 172.16.101.196 | 172.16.101.1 | query | ssl.gstatic.com | A | (not set)
5 | 2015-03-03T11:08:44.701573-0800 | 172.16.101.1 | 172.16.101.196 | answer | www.google.co.uk | A | (not set)
6 | 2015-03-03T11:08:44.706500-0800 | 172.16.101.1 | 172.16.101.196 | answer | ssl.gstatic.com | A | (not set)
7 | 2015-03-03T11:08:40.625892-0800 | 172.16.101.196 | 172.16.101.1 | query | www.bing.com | A | (not set)
8 | 2015-03-03T11:08:40.774566-0800 | 172.16.101.1 | 172.16.101.196 | answer | www.bing.com | A | (not set)
9 | 2015-03-03T11:08:40.626890-0800 | 172.16.101.196 | 172.16.101.1 | query | www.bing.com | A | (not set)
10 | 2015-03-03T11:08:40.777163-0800 | 172.16.101.1 | 172.16.101.196 | answer | www.bing.com | A | (not set)
11 | 2015-03-03T11:08:44.543721-0800 | 172.16.101.196 | 172.16.101.1 | query | www.gstatic.com | A | (not set)
12 | 2015-03-03T11:08:44.544137-0800 | 172.16.101.196 | 172.16.101.1 | query | apis.google.com | A | (not set)
13 | 2015-03-03T11:08:44.544588-0800 | 172.16.101.196 | 172.16.101.1 | query | www.google.com | A | (not set)
14 | 2015-03-03T11:08:44.544590-0800 | 172.16.101.196 | 172.16.101.1 | query | google.com | A | (not set)
15 | 2015-03-03T11:08:44.704923-0800 | 172.16.101.1 | 172.16.101.196 | answer | www.gstatic.com | A | (not set)
16 | 2015-03-03T11:08:45.552313-0800 | 172.16.101.196 | 172.16.101.1 | query | apis.google.com | A | (not set)
17 | 2015-03-03T11:08:45.552315-0800 | 172.16.101.196 | 172.16.101.1 | query | google.com | A | (not set)
18 | 2015-03-03T11:08:45.552316-0800 | 172.16.101.196 | 172.16.101.1 | query | www.google.com | A | (not set)
19 | 2015-03-03T11:08:46.566354-0800 | 172.16.101.196 | 172.16.101.1 | query | www.google.com | A | (not set)
20 | 2015-03-03T11:08:46.566356-0800 | 172.16.101.196 | 172.16.101.1 | query | google.com | A | (not set)
TLS (17 items, showing 1-17)

# | Timestamp | Source IP | Destination IP | TLS Version | Server Name Indication
1 | 2015-03-03T11:08:45.092495-0800 | 172.16.101.196 | 173.194.116.159 | TLS 1.2 | ssl.gstatic.com
2 | 2015-03-03T11:08:45.073156-0800 | 172.16.101.196 | 173.194.116.159 | TLS 1.2 | www.google.co.uk
3 | 2015-03-03T11:08:45.076876-0800 | 172.16.101.196 | 173.194.116.151 | TLS 1.2 | www.gstatic.com
4 | 2015-03-03T11:08:48.068547-0800 | 172.16.101.196 | 173.194.116.145 | TLS 1.2 | www.google.com
5 | 2015-03-03T11:08:48.076113-0800 | 172.16.101.196 | 173.194.116.130 | TLS 1.2 | apis.google.com
6 | 2015-03-03T11:08:45.092126-0800 | 172.16.101.196 | 173.194.116.159 | TLS 1.2 | www.google.co.uk
7 | 2015-03-03T11:08:48.964254-0800 | 172.16.101.196 | 173.194.116.159 | TLS 1.2 | www.google.co.uk
8 | 2015-03-03T11:08:49.031562-0800 | 172.16.101.196 | 173.194.116.159 | TLS 1.2 | www.google.co.uk
9 | 2015-03-03T11:08:50.008537-0800 | 172.16.101.196 | 173.194.116.159 | TLS 1.2 | www.google.co.uk
10 | 2015-03-03T11:08:59.603567-0800 | 172.16.101.196 | 173.194.116.159 | TLS 1.2 | www.google.co.uk
11 | 2015-03-03T11:08:59.598529-0800 | 172.16.101.196 | 173.194.116.159 | TLS 1.2 | www.google.co.uk
12 | 2015-03-03T11:09:03.051218-0800 | 172.16.101.196 | 173.194.116.159 | TLS 1.2 | ssl.gstatic.com
13 | 2015-03-03T11:09:02.274437-0800 | 172.16.101.196 | 173.194.116.159 | TLS 1.2 | www.google.co.uk
14 | 2015-03-03T11:09:03.344974-0800 | 172.16.101.196 | 173.194.116.159 | TLS 1.2 | www.google.co.uk
15 | 2015-03-03T11:09:03.235444-0800 | 172.16.101.196 | 173.194.116.159 | TLS 1.2 | www.google.co.uk
16 | 2015-03-03T11:09:03.244727-0800 | 172.16.101.196 | 173.194.116.159 | TLS 1.2 | www.google.co.uk
17 | 2015-03-03T11:09:11.356894-0800 | 172.16.101.196 | 74.125.136.95 | TLS 1.2 | ajax.googleapis.com
TFTP (0 items)

# | Timestamp | Src Ip | Dest Ip | Tftp Packet | Tftp File | Tftp Mode
No results found.
HTTP (145 items, showing 1-20)

# | Timestamp | Source | Hostname | Port | Method | URL | Status
1 | 2015-03-03T11:08:48.422716-0800 | 172.16.101.196 | www.google.co.uk | 80 | GET | /?gfe_rd=cr&ei=wAb2VIrQKOag8wfC3YDoAQ | 302
2 | 2015-03-03T11:08:48.251099-0800 | 172.16.101.196 | google.com | 80 | GET | / | 302
3 | 2015-03-03T11:09:10.840572-0800 | 172.16.101.196 | www.google.co.uk | 80 | GET | /url?sa=t&rct=j&q=&esrc=s&frm=1&source=web&cd=1&ved=0CCMQFjAA&url=http%3A%2F%2Fwww.awesomeapartments.com%2F&ei=0Ab2VIzcBYrnaIbKgNgF&usg=AFQjCNGUyaF6JGmuq24fQBN8XhJtcIF7zg&bvm=bv.87269000,d.d2s | 200
4 | 2015-03-03T11:09:11.008673-0800 | 172.16.101.196 | www.google.co.uk | 80 | GET | /favicon.ico | 200
5 | 2015-03-03T11:09:12.507517-0800 | 172.16.101.196 | www.awesomeapartments.com | 80 | GET | / | 200
6 | 2015-03-03T11:09:13.258924-0800 | 172.16.101.196 | ajax.googleapis.com | 80 | GET | /ajax/libs/jquery/1.9.1/jquery.min.js | 200
7 | 2015-03-03T11:09:13.567458-0800 | 172.16.101.196 | moonstoneafgelekte.onewide.co.uk | 80 | GET | /lists/21464825379144707411 | 200
8 | 2015-03-03T11:09:14.553762-0800 | 172.16.101.196 | maps.googleapis.com | 80 | GET | /maps/api/js?v=3&language=en&sensor=false&libraries=geometry | 200
9 | 2015-03-03T11:09:12.801280-0800 | 172.16.101.196 | www.awesomeapartments.com | 80 | GET | /modules/comment/comment.css?nerb2o | 200
10 | 2015-03-03T11:09:16.589578-0800 | 172.16.101.196 | www.awesomeapartments.com | 80 | GET | /modules/system/system.base.css?nerb2o | 200
11 | 2015-03-03T11:09:12.801613-0800 | 172.16.101.196 | www.awesomeapartments.com | 80 | GET | /sites/all/modules/date/date_api/date.css?nerb2o | 200
12 | 2015-03-03T11:09:15.396145-0800 | 172.16.101.196 | moonstoneafgelekte.onewide.co.uk | 80 | GET | /R1kIcmqyPTEiPARlfB_rx3Yg9uwUhVs0GJteISJQzS3BYASf | 200
13 | 2015-03-03T11:09:13.099610-0800 | 172.16.101.196 | www.awesomeapartments.com | 80 | GET | /sites/all/modules/date/date_popup/themes/datepicker.1.7.css?nerb2o | 200
14 | 2015-03-03T11:09:13.100296-0800 | 172.16.101.196 | www.awesomeapartments.com | 80 | GET | /modules/field/theme/field.css?nerb2o | 200
15 | 2015-03-03T11:09:13.393471-0800 | 172.16.101.196 | www.awesomeapartments.com | 80 | GET | /modules/node/node.css?nerb2o | 200
16 | 2015-03-03T11:09:13.397300-0800 | 172.16.101.196 | www.awesomeapartments.com | 80 | GET | /modules/search/search.css?nerb2o | 200
17 | 2015-03-03T11:09:13.685854-0800 | 172.16.101.196 | www.awesomeapartments.com | 80 | GET | /modules/user/user.css?nerb2o | 200
18 | 2015-03-03T11:09:13.692245-0800 | 172.16.101.196 | www.awesomeapartments.com | 80 | GET | /sites/all/modules/views/css/views.css?nerb2o | 200
19 | 2015-03-03T11:09:13.984135-0800 | 172.16.101.196 | www.awesomeapartments.com | 80 | GET | /sites/all/modules/ckeditor/ckeditor.css?nerb2o | 200
20 | 2015-03-03T11:09:13.989068-0800 | 172.16.101.196 | www.awesomeapartments.com | 80 | GET | /sites/all/modules/ctools/css/ctools.css?nerb2o | 200
SMB (0 items)

# | Timestamp | Src Ip | Dest Ip | SMB Dialect | Command | Session | Tree
No results found.
SMTP (0 items)

# | Timestamp | Source | Destination | Email From | Email To | Subject
No results found.
Flow (179 items, showing 1-20)

# | Timestamp | Flow Id | Event Type | Source | Source Port | Destination | Destination Port | Protocol | Host
1 | 2015-03-03T11:08:45.037866-0800 | 531165146910008 | flow | 172.16.101.196 | 68 | 172.16.101.1 | 67 | UDP | pcapanalyzer
2 | 2015-03-03T11:12:59.253883-0800 | 1795869806906399 | flow | 172.16.101.196 | 58375 | 224.0.0.252 | 5355 | UDP | pcapanalyzer
3 | 2015-03-03T11:12:59.253883-0800 | 1236903449369705 | flow | 172.16.101.196 | 68 | 255.255.255.255 | 67 | UDP | pcapanalyzer
4 | 2015-03-03T11:12:59.253883-0800 | 1802389581001490 | flow | 172.16.101.196 | 51981 | 224.0.0.252 | 5355 | UDP | pcapanalyzer
5 | 2015-03-03T11:12:59.253883-0800 | 845558914256100 | flow | 172.16.101.196 | 62757 | 172.16.101.1 | 53 | UDP | pcapanalyzer
6 | 2015-03-03T11:12:59.253883-0800 | 1831266794838142 | flow | 172.16.101.196 | 49419 | 173.194.116.159 | 443 | TCP | pcapanalyzer
7 | 2015-03-03T11:12:59.253883-0800 | 564889247003869 | flow | 172.16.101.196 | 49453 | 69.64.32.151 | 80 | TCP | pcapanalyzer
8 | 2015-03-03T11:12:59.253883-0800 | 987297146941474 | flow | 172.16.101.196 | 49510 | 173.194.116.154 | 80 | TCP | pcapanalyzer
9 | 2015-03-03T11:12:59.253883-0800 | 1269328308176525 | flow | 172.16.101.196 | 49476 | 173.194.116.143 | 80 | TCP | pcapanalyzer
10 | 2015-03-03T11:12:59.253883-0800 | 847117989738908 | flow | 172.16.101.196 | 49451 | 23.214.131.223 | 80 | TCP | pcapanalyzer
11 | 2015-03-03T11:12:59.253883-0800 | 424993585976361 | flow | 172.16.101.196 | 49500 | 64.147.114.55 | 80 | TCP | pcapanalyzer
12 | 2015-03-03T11:12:59.253883-0800 | 1270672631662969 | flow | 172.16.101.196 | 55297 | 172.16.101.1 | 53 | UDP | pcapanalyzer
13 | 2015-03-03T11:12:59.253883-0800 | 1975047269440010 | flow | 172.16.101.196 | 49456 | 173.194.116.131 | 80 | TCP | pcapanalyzer
14 | 2015-03-03T11:12:59.253883-0800 | 1693782744978991 | flow | 172.16.101.196 | 49434 | 173.194.116.159 | 80 | TCP | pcapanalyzer
15 | 2015-03-03T11:12:59.253883-0800 | 990318641979263 | flow | 172.16.101.196 | 61302 | 172.16.101.1 | 53 | UDP | pcapanalyzer
16 | 2015-03-03T11:12:59.253883-0800 | 146909471631305 | flow | 172.16.101.196 | 59310 | 172.16.101.1 | 53 | UDP | pcapanalyzer
17 | 2015-03-03T11:12:59.253883-0800 | 1835860267014348 | flow | 172.16.101.196 | 49486 | 37.59.5.218 | 80 | TCP | pcapanalyzer
18 | 2015-03-03T11:12:59.253883-0800 | 1132254425811842 | flow | 172.16.101.196 | 49443 | 95.211.192.222 | 80 | TCP | pcapanalyzer
19 | 2015-03-03T11:12:59.253883-0800 | 1555093970643758 | flow | 172.16.101.196 | 49495 | 174.129.196.71 | 80 | TCP | pcapanalyzer
20 | 2015-03-03T11:12:59.253883-0800 | 712305421645969 | flow | 172.16.101.196 | 49488 | 23.214.166.231 | 80 | TCP | pcapanalyzer
File (133 items, showing 1-20)

# | Timestamp | Source | Destination | File Name | File Magic | File Size
1 | 2015-03-03T11:08:48.422716-0800 | 173.194.116.159 | 172.16.101.196 | / | HTML document, ASCII text, with CRLF, LF line terminators | 277
2 | 2015-03-03T11:08:48.251099-0800 | 173.194.116.142 | 172.16.101.196 | / | HTML document, ASCII text, with CRLF, LF line terminators | 261
3 | 2015-03-03T11:09:10.840572-0800 | 173.194.116.159 | 172.16.101.196 | /url | HTML document, ASCII text, with very long lines | 1076
4 | 2015-03-03T11:09:11.008673-0800 | 173.194.116.159 | 172.16.101.196 | /favicon.ico | MS Windows icon resource - 2 icons, 16x16 | 5430
5 | 2015-03-03T11:09:12.507517-0800 | 192.186.248.36 | 172.16.101.196 | / | HTML document, ASCII text, with very long lines | 47115
6 | 2015-03-03T11:09:13.258924-0800 | 74.125.136.95 | 172.16.101.196 | /ajax/libs/jquery/1.9.1/jquery.min.js | ASCII text, with very long lines | 92629
7 | 2015-03-03T11:09:13.567458-0800 | 95.211.192.222 | 172.16.101.196 | /lists/21464825379144707411 | HTML document, ASCII text, with very long lines, with CRLF, LF line terminators | 86616
8 | 2015-03-03T11:09:14.553762-0800 | 74.125.136.95 | 172.16.101.196 | /maps/api/js | ASCII text, with very long lines | 4304
9 | 2015-03-03T11:09:16.589578-0800 | 192.186.248.36 | 172.16.101.196 | /modules/system/system.base.css | ASCII text | 5350
10 | 2015-03-03T11:09:12.801280-0800 | 192.186.248.36 | 172.16.101.196 | /modules/comment/comment.css | ASCII text | 184
11 | 2015-03-03T11:09:15.396145-0800 | 95.211.192.222 | 172.16.101.196 | /R1kIcmqyPTEiPARlfB_rx3Yg9uwUhVs0GJteISJQzS3BYASf | data | 319148
12 | 2015-03-03T11:09:12.801613-0800 | 192.186.248.36 | 172.16.101.196 | /sites/all/modules/date/date_api/date.css | ASCII text | 3528
13 | 2015-03-03T11:09:13.099610-0800 | 192.186.248.36 | 172.16.101.196 | /sites/all/modules/date/date_popup/themes/datepicker.1.7.css | ASCII text | 3722
14 | 2015-03-03T11:09:13.100296-0800 | 192.186.248.36 | 172.16.101.196 | /modules/field/theme/field.css | ASCII text | 550
15 | 2015-03-03T11:09:13.393471-0800 | 192.186.248.36 | 172.16.101.196 | /modules/node/node.css | ASCII text | 144
16 | 2015-03-03T11:09:13.397300-0800 | 192.186.248.36 | 172.16.101.196 | /modules/search/search.css | ASCII text | 564
17 | 2015-03-03T11:09:13.685854-0800 | 192.186.248.36 | 172.16.101.196 | /modules/user/user.css | ASCII text | 1827
18 | 2015-03-03T11:09:13.692245-0800 | 192.186.248.36 | 172.16.101.196 | /sites/all/modules/views/css/views.css | ASCII text | 707
19 | 2015-03-03T11:09:13.984135-0800 | 192.186.248.36 | 172.16.101.196 | /sites/all/modules/ckeditor/ckeditor.css | ASCII text | 3395
20 | 2015-03-03T11:09:13.989068-0800 | 192.186.248.36 | 172.16.101.196 | /sites/all/modules/ctools/css/ctools.css | ASCII text | 509

Comments: http://malware-traffic-analysis.net/2015/03/03/index.html
