2017-04-25-Good-man-campaign-Rig-EK-sends-Latentbot.pcap

MD5: 89e2701bfb8551c7b0f03ebc805473f0
Submission Date: 2017-11-26 20:09:24
Tags: rig-ek
Alert 19

| # | Timestamp | Src Ip | Dest Ip | Alert Signature | P |
|---|---|---|---|---|---|
| 1 | 2017-04-25T06:46:39.137073-0700 | 10.4.25.101 | 188.225.72.88 | ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 | * |
| 2 | 2017-04-25T06:46:39.137073-0700 | 10.4.25.101 | 188.225.72.88 | ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2 | * |
| 3 | 2017-04-25T06:46:47.094635-0700 | 10.4.25.101 | 37.72.175.221 | ET INFO Dotted Quad Host ZIP Request | * |
| 4 | 2017-04-25T06:46:48.767738-0700 | 10.4.25.101 | 37.72.175.221 | ET INFO Dotted Quad Host ZIP Request | * |
| 5 | 2017-04-25T06:46:47.734476-0700 | 10.4.25.101 | 37.72.175.221 | ET INFO Dotted Quad Host ZIP Request | * |
| 6 | 2017-04-25T06:46:48.327849-0700 | 10.4.25.101 | 37.72.175.221 | ET INFO Dotted Quad Host ZIP Request | * |
| 7 | 2017-04-25T06:46:39.697593-0700 | 188.225.72.88 | 10.4.25.101 | ET INFO Obfuscated Split String (Double Q) 4 | * |
| 8 | 2017-04-25T06:46:40.204880-0700 | 10.4.25.101 | 188.225.72.88 | ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 | * |
| 9 | 2017-04-25T06:46:40.204880-0700 | 10.4.25.101 | 188.225.72.88 | ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2 | * |
| 10 | 2017-04-25T06:46:43.149295-0700 | 10.4.25.101 | 188.225.72.88 | ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 | * |
| 11 | 2017-04-25T06:46:53.088506-0700 | 10.4.25.101 | 37.72.175.221 | ET INFO Dotted Quad Host ZIP Request | * |
| 12 | 2017-04-25T06:46:43.149295-0700 | 10.4.25.101 | 188.225.72.88 | ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2 | * |
| 13 | 2017-04-25T06:46:53.651175-0700 | 10.4.25.101 | 37.72.175.221 | ET INFO Dotted Quad Host ZIP Request | * |
| 14 | 2017-04-25T06:46:43.984359-0700 | 10.4.25.101 | 188.225.72.88 | ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 | * |
| 15 | 2017-04-25T06:46:43.984359-0700 | 10.4.25.101 | 188.225.72.88 | ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2 | * |
| 16 | 2017-04-25T06:46:55.940408-0700 | 10.4.25.101 | 37.72.175.221 | ET INFO Dotted Quad Host ZIP Request | * |
| 17 | 2017-04-25T06:46:50.527179-0700 | 188.215.92.104 | 10.4.25.101 | ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 26 2016 T2 | * |
| 18 | 2017-04-25T06:46:50.527179-0700 | 188.215.92.104 | 10.4.25.101 | ET CURRENT_EVENTS Evil Redirect Leading to EK March 07 2017 | * |
| 19 | 2017-04-25T06:46:50.527179-0700 | 188.215.92.104 | 10.4.25.101 | ET CURRENT_EVENTS Evil Redirector Leading to EK March 15 2017 | * |
DNS 0

| # | Timestamp | Src Ip | Dest Ip | Dns Type | Resource Record Name | Resource Record Type | Resource Data |
|---|---|---|---|---|---|---|---|

No results found.

TLS 0

| # | Timestamp | Source IP | Destination IP | TLS Version | Server Name Indication |
|---|---|---|---|---|---|

No results found.

TFTP 0

| # | Timestamp | Src Ip | Dest Ip | Tftp Packet | Tftp File | Tftp Mode |
|---|---|---|---|---|---|---|

No results found.
HTTP 21 (20 of 21 items shown)

| # | Timestamp | Source | Hostname | Port | Method | URL | Status |
|---|---|---|---|---|---|---|---|
| 1 | 2017-04-25T06:46:39.489641-0700 | 10.4.25.101 | end.chaggama.com | 80 | GET | /?q=wX_QMvXcJwDQAobGMvrESLtGNknQA0KK2Ij2_dqyEoH9fWnihNzUSkr16B2aC&qtuif=5308&oq=m2A9_cre7pROATmjxOALwQ0m4dVUlkRpq37jEDdwBaf1cXR-haNUTp1u9CWUbI&ct=soul | 200 |
| 2 | 2017-04-25T06:46:46.127272-0700 | 10.4.25.101 | 37.72.175.221 | 80 | GET | / | 200 |
| 3 | 2017-04-25T06:46:46.484359-0700 | 10.4.25.101 | 37.72.175.221 | 80 | GET | /QWRsN2srdjlxUUdDYVp0aTBMUzl2cStzY05kMmcrcWRoVlVlNkw0QXFha0N1TVRjaVBneWpjb3NUb0I0dloxaTVaQ0Nid2hhV0tXNHo1SnhqRDhIZUI5TUh1bVpJOFRpZ3o5dTVSQnB5eEN4MzB2L2lBSG9ZNTNSV0M= | 200 |
| 4 | 2017-04-25T06:46:47.513723-0700 | 10.4.25.101 | 37.72.175.221 | 80 | GET | / | 200 |
| 5 | 2017-04-25T06:46:47.732432-0700 | 10.4.25.101 | 37.72.175.221 | 80 | GET | /QWRsN2srdjlxUUdDYVp0aTBMUzl2cStzY05kMmcrcWRoVlVlNkw0QXFha0N1TVRjaVBneWpjb3NUb0I0dloxaTVaQ0Nid2hhV0tXNHo1SnhqRDhIZUI5TUh1bVpJOFRpZ3o5dTU1aGtwTHFPbDQxOStGbjFwUnA5ZkI= | 200 |
| 6 | 2017-04-25T06:46:50.507897-0700 | 10.4.25.101 | 37.72.175.221 | 80 | GET | /P0rp6w8Xe3nn54ZU8p9Y68/59415304672862634823375661581.zip | 200 |
| 7 | 2017-04-25T06:46:50.990317-0700 | 10.4.25.101 | 37.72.175.221 | 80 | GET | / | 200 |
| 8 | 2017-04-25T06:46:51.603917-0700 | 10.4.25.101 | 37.72.175.221 | 80 | GET | /hqPms44DofpGOqd=A89wG5qC7iH6MB6RhTgp4Lsg0poPKBBPxGeoaQ5J2KfzvbhO2XfbMuvaAVKZKyAr0oOOIEF1fLkZ=7THGsSccMBH2HIpaciK4rUXsxnbuMfSPmMt=+F7SXsHe0WeRckQD63HCkDYUCufejjv=UmkQ0MUEnbpeDSFR0ojFtCY7hZD5HYnZhGryeMjQj4eIVpHn+TpRFjZTFwrnkUAkATWLaGrG1srorf4Ny=DhLkBH4KfmgsqIdpJTPTzJmL6BhWA5PmqKc9OU9B5AIA6poPXHUL1LrxWrLylu4iMpSrnCh6AFe0ly73cDHi4Q2nWzrazBz4qMy | 200 |
| 9 | 2017-04-25T06:46:52.627675-0700 | 10.4.25.101 | 37.72.175.221 | 80 | GET | /F9TJ=9MwKTX0VirzJuoR826mpSRRTGrjyNsyXtDW1dmppLIJ1ZXqFoo9T=tx9LAMy4TmIzCEgHlmZEZ=26UPbvm8f6DlNqEQ7+1re0wNY3IvZ1JaQRHwkOlxHpAHaC1T6iaRyA2Zzgm5=c8Hca0Lg=gxfw14euyf153wjAay7oRPKGEPveJStDIpjZV5dpsCfia8ih0hfJMvLQGIuELuCzcHLAFbmIXEoCBAYpLKf8ZWR0HEIpBugiIAy7yxE9pj4iHcI=LpOS55SpHIK03zWDdrwsfqlowm8K3C3r++UDeNyVAwBxETu2IT9rYjI=9pKqHPP9D4X91=PI6+tSOJ=a | 200 |
| 10 | 2017-04-25T06:46:40.214551-0700 | 10.4.25.101 | end.chaggama.com | 80 | GET | /?qtuif=3043&oq=zT86UlKbNVOgS3jRGBLgBmlY5eUAsXoquvhkjVykPO05SC9CWJZQ5C-KLWU7dt&ct=martery&q=z3vQMvXcJwDQDoTIMvrESLtEMU_OHUKK2OH_783VCZz9JHT1vvHPRAP3tgWCeg | 200 |
| 11 | 2017-04-25T06:46:50.155371-0700 | 10.4.25.101 | 37.72.175.221 | 80 | GET | / | 200 |
| 12 | 2017-04-25T06:46:50.527179-0700 | 10.4.25.101 | 37.72.175.221 | 80 | GET | /P0rp6w8Xe3nn54ZU8p9Y68/37238352616711506438321384.zip | 200 |
| 13 | 2017-04-25T06:46:50.527179-0700 | 10.4.25.101 | 37.72.175.221 | 80 | GET | /P0rp6w8Xe3nn54ZU8p9Y68/2515215851426.zip | 200 |
| 14 | 2017-04-25T06:46:50.527179-0700 | 10.4.25.101 | hurtmehard.net | 80 | GET | / | 200 |
| 15 | 2017-04-25T06:46:50.527179-0700 | 10.4.25.101 | end.chaggama.com | 80 | GET | /?qtuif=2633&q=znjQMvXcJwDQDoHGMvrESLtEMU_QA0KK2OH_766yEoH9JHT1vrPUSkrttgWCelm&oq=A9_V7JbNVOgfm20XUelBmlY1dUVhC8_yshkbcyRXJ0sSB_Ry9YAhN-pWlSbN72w&ct=soul | 200 |
| 16 | 2017-04-25T06:46:50.527179-0700 | 10.4.25.101 | end.chaggama.com | 80 | GET | /?qtuif=1160&q=wXnQMvXcJwDQCIbGMvrESLtDNknQA0KK2In2_dqyEoH9f2nihNzUSkr06B2aCm2A&ct=diamond&oq=9_Are7pROATmjxOALwQ0m4dcUlkRpq37jEndwBaf1cXR_BaNUQxC_ZeRE7ILhR32 | 200 |
| 17 | 2017-04-25T06:46:50.527179-0700 | 10.4.25.101 | 37.72.175.221 | 80 | GET | /IWldgEl25c8FYUP5v6IXMuDR2SRmleoBHrpXdEHGQzRKH11SHunCqzSRotZEwk3ETF9hvSuIw=LXszg76fxxvdWX4dGjXEE4xQBeZLXws0KaJVIurN7WTPlQs6vZSj6SCFX++nZryS6k4kBMcfufPwgMYewEzVHPT1t1jNyHcb6sfDwLfXataF9s+HIhwUecj371CgOrJ6LkgqoFBMUwWJGQwOdzM6Wr+tcvL61XpAJfma1kdRS4n+rUkNl5qaxI5fJte+BerZYZKNbpU3G7KTaPHKeCpPqKXRcBORnueF=5e3H+JU2dOcl3GevtIjJH1LdhniWoFiLMwCL9gaOTgy | (not set) |
| 18 | 2017-04-25T06:46:50.527179-0700 | 10.4.25.101 | 37.72.175.221 | 80 | GET | /P0rp6w8Xe3nn54ZU8p9Y68/59415304672862634823375661581.zip | 200 |
| 19 | 2017-04-25T06:46:50.527179-0700 | 10.4.25.101 | 37.72.175.221 | 80 | GET | /P0rp6w8Xe3nn54ZU8p9Y68/59415304672862634823375661581.zip | 200 |
| 20 | 2017-04-25T06:46:50.527179-0700 | 10.4.25.101 | 37.72.175.221 | 80 | GET | /P0rp6w8Xe3nn54ZU8p9Y68/2515215851426.zip | 200 |
SMB 0

| # | Timestamp | Src Ip | Dest Ip | SMB Dialect | Command | Session | Tree |
|---|---|---|---|---|---|---|---|

No results found.

SMTP 0

| # | Timestamp | Source | Destination | Email From | Email To | Subject |
|---|---|---|---|---|---|---|

No results found.
Flow 16

| # | Timestamp | Flow Id | Event Type | Source | Source Port | Destination | Destination Port | Protocol | Host |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 2017-04-25T06:46:50.527179-0700 | 11812557135111 | flow | 10.4.25.101 | 49336 | 37.72.175.221 | 80 | TCP | pcapanalyzer |
| 2 | 2017-04-25T06:46:50.527179-0700 | 1141846370647308 | flow | 10.4.25.101 | 49347 | 37.72.175.221 | 80 | TCP | pcapanalyzer |
| 3 | 2017-04-25T06:46:50.527179-0700 | 1600563910107666 | flow | 10.4.25.101 | 49346 | 37.72.175.221 | 80 | TCP | pcapanalyzer |
| 4 | 2017-04-25T06:46:50.527179-0700 | 1189808269170296 | flow | 10.4.25.101 | 49281 | 188.215.92.104 | 80 | TCP | pcapanalyzer |
| 5 | 2017-04-25T06:46:50.527179-0700 | 520091871968114 | flow | 10.4.25.101 | 49339 | 37.72.175.221 | 80 | TCP | pcapanalyzer |
| 6 | 2017-04-25T06:46:50.527179-0700 | 383524796430292 | flow | 10.4.25.101 | 49334 | 188.225.72.88 | 80 | TCP | pcapanalyzer |
| 7 | 2017-04-25T06:46:50.527179-0700 | 1089245905243462 | flow | 10.4.25.101 | 49335 | 188.225.72.88 | 80 | TCP | pcapanalyzer |
| 8 | 2017-04-25T06:46:50.527179-0700 | 808142443808472 | flow | 10.4.25.101 | 49343 | 37.72.175.221 | 80 | TCP | pcapanalyzer |
| 9 | 2017-04-25T06:46:50.527179-0700 | 2217241756461597 | flow | 10.4.25.101 | 49337 | 37.72.175.221 | 80 | TCP | pcapanalyzer |
| 10 | 2017-04-25T06:46:50.527179-0700 | 813968567047630 | flow | 10.4.25.101 | 49345 | 37.72.175.221 | 80 | TCP | pcapanalyzer |
| 11 | 2017-04-25T06:46:50.527179-0700 | 399289474611423 | flow | 10.4.25.101 | 49344 | 37.72.175.221 | 80 | TCP | pcapanalyzer |
| 12 | 2017-04-25T06:46:50.527179-0700 | 119195329719051 | flow | 10.4.25.101 | 49342 | 37.72.175.221 | 80 | TCP | pcapanalyzer |
| 13 | 2017-04-25T06:46:50.527179-0700 | 266755372815379 | flow | 10.4.25.101 | 49290 | 188.225.72.88 | 80 | TCP | pcapanalyzer |
| 14 | 2017-04-25T06:46:50.527179-0700 | 1956496439380122 | flow | 10.4.25.101 | 49338 | 37.72.175.221 | 80 | TCP | pcapanalyzer |
| 15 | 2017-04-25T06:46:50.527179-0700 | 2099463015892734 | flow | 10.4.25.101 | 49341 | 37.72.175.221 | 80 | TCP | pcapanalyzer |
| 16 | 2017-04-25T06:46:50.527179-0700 | 1538319096165505 | flow | 10.4.25.101 | 49340 | 37.72.175.221 | 80 | TCP | pcapanalyzer |
File 16

| # | Timestamp | Source | Destination | File Name | File Magic | File Size |
|---|---|---|---|---|---|---|
| 1 | 2017-04-25T06:46:37.816595-0700 | 188.215.92.104 | 10.4.25.101 | / | HTML document, ASCII text, with very long lines | 24576 |
| 2 | 2017-04-25T06:46:39.489641-0700 | 188.225.72.88 | 10.4.25.101 | / | data | 117853 |
| 3 | 2017-04-25T06:46:46.484359-0700 | 37.72.175.221 | 10.4.25.101 | /QWRsN2srdjlxUUdDYVp0aTBMUzl2cStzY05kMmcrcWRoVlVlNkw0QXFha0N1TVRjaVBneWpjb3NUb0I0dloxaTVaQ0Nid2hhV0tXNHo1SnhqRDhIZUI5TUh1bVpJOFRpZ3o5dTVSQnB5eEN4MzB2L2lBSG9ZNTNSV0M= | ASCII text, with no line terminators | 248 |
| 4 | 2017-04-25T06:46:47.732432-0700 | 37.72.175.221 | 10.4.25.101 | /QWRsN2srdjlxUUdDYVp0aTBMUzl2cStzY05kMmcrcWRoVlVlNkw0QXFha0N1TVRjaVBneWpjb3NUb0I0dloxaTVaQ0Nid2hhV0tXNHo1SnhqRDhIZUI5TUh1bVpJOFRpZ3o5dTU1aGtwTHFPbDQxOStGbjFwUnA5ZkI= | ASCII text, with no line terminators | 248 |
| 5 | 2017-04-25T06:46:50.507897-0700 | 37.72.175.221 | 10.4.25.101 | /P0rp6w8Xe3nn54ZU8p9Y68/59415304672862634823375661581.zip | data | 133123 |
| 6 | 2017-04-25T06:46:49.558001-0700 | 37.72.175.221 | 10.4.25.101 | /P0rp6w8Xe3nn54ZU8p9Y68/59415304672862634823375661581.zip | data | 91060 |
| 7 | 2017-04-25T06:46:51.603917-0700 | 37.72.175.221 | 10.4.25.101 | /hqPms44DofpGOqd=A89wG5qC7iH6MB6RhTgp4Lsg0poPKBBPxGeoaQ5J2KfzvbhO2XfbMuvaAVKZKyAr0oOOIEF1fLkZ=7THGsSccMBH2HIpaciK4rUXsxnbuMfSPmMt=+F7SXsHe0WeRckQD63HCkDYUCufejjv=UmkQ0MUEnbpeDSFR0ojFtCY7hZD5HYnZhGryeMjQj4eIVpHn+TpRFjZTFwrnkUAkATWLaGrG1srorf4Ny=DhLkBH4KfmgsqIdpJTPTzJmL6BhWA5PmqKc9OU9B5AIA6poPXHUL1LrxWrLylu4iMpSrnCh6AFe0ly73cDHi4Q2nWzrazBz4qMy | ASCII text, with very long lines, with no line terminators | 854 |
| 8 | 2017-04-25T06:46:40.214551-0700 | 188.225.72.88 | 10.4.25.101 | / | data | 16428 |
| 9 | 2017-04-25T06:46:52.627675-0700 | 37.72.175.221 | 10.4.25.101 | /F9TJ=9MwKTX0VirzJuoR826mpSRRTGrjyNsyXtDW1dmppLIJ1ZXqFoo9T=tx9LAMy4TmIzCEgHlmZEZ=26UPbvm8f6DlNqEQ7+1re0wNY3IvZ1JaQRHwkOlxHpAHaC1T6iaRyA2Zzgm5=c8Hca0Lg=gxfw14euyf153wjAay7oRPKGEPveJStDIpjZV5dpsCfia8ih0hfJMvLQGIuELuCzcHLAFbmIXEoCBAYpLKf8ZWR0HEIpBugiIAy7yxE9pj4iHcI=LpOS55SpHIK03zWDdrwsfqlowm8K3C3r++UDeNyVAwBxETu2IT9rYjI=9pKqHPP9D4X91=PI6+tSOJ=a | ASCII text, with very long lines, with no line terminators | 1536 |
| 10 | 2017-04-25T06:46:43.515255-0700 | 188.225.72.88 | 10.4.25.101 | / | data | 72503 |
| 11 | 2017-04-25T06:46:55.000802-0700 | 37.72.175.221 | 10.4.25.101 | /P0rp6w8Xe3nn54ZU8p9Y68/2515215851426.zip | data | 122196 |
| 12 | 2017-04-25T06:46:44.703697-0700 | 188.225.72.88 | 10.4.25.101 | / | data | 141535 |
| 13 | 2017-04-25T06:46:50.527179-0700 | 37.72.175.221 | 10.4.25.101 | /P0rp6w8Xe3nn54ZU8p9Y68/37238352616711506438321384.zip | data | 1341 |
| 14 | 2017-04-25T06:46:50.527179-0700 | 37.72.175.221 | 10.4.25.101 | /P0rp6w8Xe3nn54ZU8p9Y68/59415304672862634823375661581.zip | data | 1341 |
| 15 | 2017-04-25T06:46:50.527179-0700 | 37.72.175.221 | 10.4.25.101 | /P0rp6w8Xe3nn54ZU8p9Y68/2515215851426.zip | data | 1341 |
| 16 | 2017-04-25T06:46:50.527179-0700 | 37.72.175.221 | 10.4.25.101 | /P0rp6w8Xe3nn54ZU8p9Y68/59415304672862634823375661581.zip | data | 1341 |
