2017-08-16-Blank-Slate-campaign-gets-Locky-from-playvilla.men.pcap

MD5: a98e065ccf80c83ee145dd8e7ff9bf9e
Submission Date: 2017-11-26 10:08:09
Tags: locky, lukitus, peexe
Alert (14 items)

# | Timestamp | Src IP | Dest IP | Alert Signature
1 | 2017-08-16T09:20:30.356303-0700 | 10.8.16.101 | 47.89.241.198 | ET CURRENT_EVENTS Malicious JS.Nemucod to PS Dropping PE Nov 14 M2
2 | 2017-08-16T09:20:38.013873-0700 | 10.8.16.101 | 185.75.46.220 | ET TROJAN Locky CnC checkin Nov 21
3 | 2017-08-16T09:20:38.013873-0700 | 10.8.16.101 | 185.75.46.220 | ET TROJAN Locky CnC checkin Nov 21 M2
4 | 2017-08-16T09:20:38.013873-0700 | 10.8.16.101 | 185.75.46.220 | ET TROJAN Locky CnC Checkin HTTP Pattern
5 | 2017-08-16T09:20:38.013873-0700 | 10.8.16.101 | 185.75.46.220 | ET TROJAN Locky CnC Checkin
6 | 2017-08-16T09:21:03.739978-0700 | 10.8.16.101 | 185.75.46.220 | ET TROJAN Locky CnC checkin Nov 21
7 | 2017-08-16T09:21:03.739978-0700 | 10.8.16.101 | 185.75.46.220 | ET TROJAN Locky CnC checkin Nov 21 M2
8 | 2017-08-16T09:21:03.739978-0700 | 10.8.16.101 | 185.75.46.220 | ET TROJAN Locky CnC Checkin HTTP Pattern
9 | 2017-08-16T09:21:03.739978-0700 | 10.8.16.101 | 185.75.46.220 | ET TROJAN Locky CnC Checkin
10 | 2017-08-16T09:20:36.231751-0700 | 47.89.241.198 | 10.8.16.101 | ET POLICY PE EXE or DLL Windows file download HTTP
11 | 2017-08-16T09:20:36.231751-0700 | 47.89.241.198 | 10.8.16.101 | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
12 | 2017-08-16T09:20:36.231751-0700 | 47.89.241.198 | 10.8.16.101 | ET TROJAN JS/WSF Downloader Dec 08 2016 M6
13 | 2017-08-16T09:20:36.231751-0700 | 47.89.241.198 | 10.8.16.101 | ET INFO Possible EXE Download From Suspicious TLD
14 | 2017-08-16T09:20:36.231751-0700 | 47.89.241.198 | 10.8.16.101 | ET INFO EXE - Served Attached HTTP
DNS (2 items)

# | Timestamp | Src IP | Dest IP | DNS Type | Resource Record Name | Resource Record Type | Resource Data
1 | 2017-08-16T09:20:27.362806-0700 | 10.8.16.101 | 10.8.16.1 | query | playvilla.men | A | (not set)
2 | 2017-08-16T09:20:27.692908-0700 | 10.8.16.1 | 10.8.16.101 | answer | playvilla.men | A | (not set)
TLS (0 items): no results found.

TFTP (0 items): no results found.
HTTP (5 items)

# | Timestamp | Source | Hostname | Port | Method | URL | Status
1 | 2017-08-16T09:20:38.013873-0700 | 10.8.16.101 | 185.75.46.220 | 80 | POST | /imageload.cgi | 200
2 | 2017-08-16T09:20:39.354757-0700 | 10.8.16.101 | 185.75.46.220 | 80 | POST | /imageload.cgi | 200
3 | 2017-08-16T09:20:40.515649-0700 | 10.8.16.101 | 185.75.46.220 | 80 | POST | /imageload.cgi | 200
4 | 2017-08-16T09:21:03.739978-0700 | 10.8.16.101 | 185.75.46.220 | 80 | POST | /imageload.cgi | 200
5 | 2017-08-16T09:20:36.231751-0700 | 10.8.16.101 | playvilla.men | 80 | GET | /admin.php?f=1.dat | 200
SMB (0 items): no results found.

SMTP (0 items): no results found.
Flow (3 items)

# | Timestamp | Flow Id | Event Type | Source | Source Port | Destination | Destination Port | Protocol | Host
1 | 2017-08-16T09:20:30.356303-0700 | 2108596759005494 | flow | 10.8.16.101 | 52860 | 10.8.16.1 | 53 | UDP | pcapanalyzer
2 | 2017-08-16T09:20:36.231751-0700 | 1293326066886890 | flow | 10.8.16.101 | 49160 | 47.89.241.198 | 80 | TCP | pcapanalyzer
3 | 2017-08-16T09:20:36.231751-0700 | 1023187656957982 | flow | 10.8.16.101 | 49161 | 185.75.46.220 | 80 | TCP | pcapanalyzer
File (9 items)

# | Timestamp | Source | Destination | File Name | File Magic | File Size
1 | 2017-08-16T09:20:30.358987-0700 | 47.89.241.198 | 10.8.16.101 | 1.dat | PE32 executable (GUI) Intel 80386, for MS Windows | 9484
2 | 2017-08-16T09:20:36.426642-0700 | 10.8.16.101 | 185.75.46.220 | /imageload.cgi | JPEG 2000 image | 1124
3 | 2017-08-16T09:20:38.013873-0700 | 185.75.46.220 | 10.8.16.101 | /imageload.cgi | data | 535
4 | 2017-08-16T09:20:38.015268-0700 | 10.8.16.101 | 185.75.46.220 | /imageload.cgi | ASCII text, with very long lines, with no line terminators | 821
5 | 2017-08-16T09:20:39.354757-0700 | 185.75.46.220 | 10.8.16.101 | /imageload.cgi | data | 1267
6 | 2017-08-16T09:20:39.356088-0700 | 10.8.16.101 | 185.75.46.220 | /imageload.cgi | ASCII text, with very long lines, with no line terminators | 498
7 | 2017-08-16T09:20:40.515649-0700 | 185.75.46.220 | 10.8.16.101 | /imageload.cgi | data | 8211
8 | 2017-08-16T09:21:02.264753-0700 | 10.8.16.101 | 185.75.46.220 | /imageload.cgi | ASCII text, with very long lines, with no line terminators | 796
9 | 2017-08-16T09:21:03.739978-0700 | 185.75.46.220 | 10.8.16.101 | /imageload.cgi | data | 150

Comments: http://malware-traffic-analysis.net/2017/08/16/index.html
