Alert Table for 2017-11-21-traffic-analysis-exercise-2-of-6.pcap

| Relative Time | Packet | Source | Source Port | Destination | Dest Port | Category | Rule Set | Signature | Severity |
|---|---|---|---|---|---|---|---|---|---|
| 100.0 | 4098 | 170.231.127.136 | 80 | 10.192.1.157 | 49272 | Potential Corporate Privacy Violation | ET POLICY | PE EXE or DLL Windows file download HTTP | 1 |
| 100.0 | 4098 | 170.231.127.136 | 80 | 10.192.1.157 | 49272 | Potentially Bad Traffic | ET INFO | Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | 2 |
| 933.0 | 7768 | 10.192.1.157 | 49276 | 104.31.92.140 | 80 | Potential Corporate Privacy Violation | ET POLICY | Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile | 1 |
| 933.0 | 7768 | 10.192.1.157 | 49276 | 104.31.92.140 | 80 | A Network Trojan was detected | ET INFO | AutoIt User Agent Executable Request | 1 |
| 933.0 | 7768 | 10.192.1.157 | 49276 | 104.31.92.140 | 80 | A Network Trojan was detected | ET HUNTING | SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 | 1 |
| 933.0 | 7815 | 104.31.92.140 | 80 | 10.192.1.157 | 49276 | Potential Corporate Privacy Violation | ET POLICY | PE EXE or DLL Windows file download HTTP | 1 |
| 942.0 | 14580 | 10.192.1.157 | 49277 | 104.20.17.242 | 80 | Potential Corporate Privacy Violation | ET POLICY | Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile | 1 |
| 942.0 | 14580 | 10.192.1.157 | 49277 | 104.20.17.242 | 80 | Attempted Information Leak | ET POLICY | IP Check Domain (icanhazip. com in HTTP Host) | 2 |
| 943.0 | 14587 | 10.192.1.157 | 55958 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 949.0 | 15155 | 10.192.1.157 | 50063 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 956.0 | 15168 | 10.192.1.157 | 49420 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 962.0 | 15183 | 10.192.1.157 | 59447 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 963.0 | 15193 | 10.192.1.157 | 49288 | 185.118.166.155 | 80 | A Network Trojan was detected | ET MALWARE | LokiBot User-Agent (Charon/Inferno) | 1 |
| 963.0 | 15193 | 10.192.1.157 | 49288 | 185.118.166.155 | 80 | Malware Command and Control Activity Detected | ET MALWARE | LokiBot Checkin | 1 |
| 963.0 | 15198 | 10.192.1.157 | 49288 | 185.118.166.155 | 80 | A Network Trojan was detected | ET MALWARE | LokiBot Application/Credential Data Exfiltration Detected M1 | 1 |
| 963.0 | 15198 | 10.192.1.157 | 49288 | 185.118.166.155 | 80 | A Network Trojan was detected | ET MALWARE | LokiBot Application/Credential Data Exfiltration Detected M2 | 1 |
| 963.0 | 15207 | 10.192.1.157 | 49291 | 185.118.166.155 | 80 | A Network Trojan was detected | ET MALWARE | LokiBot User-Agent (Charon/Inferno) | 1 |
| 963.0 | 15207 | 10.192.1.157 | 49291 | 185.118.166.155 | 80 | Malware Command and Control Activity Detected | ET MALWARE | LokiBot Checkin | 1 |
| 964.0 | 15213 | 10.192.1.157 | 49291 | 185.118.166.155 | 80 | A Network Trojan was detected | ET MALWARE | LokiBot Application/Credential Data Exfiltration Detected M1 | 1 |
| 964.0 | 15213 | 10.192.1.157 | 49291 | 185.118.166.155 | 80 | A Network Trojan was detected | ET MALWARE | LokiBot Application/Credential Data Exfiltration Detected M2 | 1 |
| 964.0 | 15224 | 10.192.1.157 | 49292 | 185.118.166.155 | 80 | A Network Trojan was detected | ET MALWARE | LokiBot User-Agent (Charon/Inferno) | 1 |
| 964.0 | 15224 | 10.192.1.157 | 49292 | 185.118.166.155 | 80 | Malware Command and Control Activity Detected | ET MALWARE | LokiBot Checkin | 1 |
| 965.0 | 15229 | 10.192.1.157 | 49292 | 185.118.166.155 | 80 | Malware Command and Control Activity Detected | ET MALWARE | LokiBot Request for C2 Commands Detected M1 | 1 |
| 965.0 | 15229 | 10.192.1.157 | 49292 | 185.118.166.155 | 80 | Malware Command and Control Activity Detected | ET MALWARE | LokiBot Request for C2 Commands Detected M2 | 1 |
| 968.0 | 15237 | 10.192.1.157 | 65222 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET INFO | Observed DNS Query to .biz TLD | 2 |
| 968.0 | 15247 | 10.192.1.157 | 49293 | 37.48.82.212 | 80 | A Network Trojan was detected | ET MALWARE | KINS/ZeusVM Variant Retrieving Config | 1 |
| 969.0 | 15342 | 37.48.82.212 | 80 | 10.192.1.157 | 49293 | A Network Trojan was detected | ET MALWARE | Zberp/ZeusVM receiving config via image file (steganography) | 1 |
| 969.0 | 15348 | 10.192.1.157 | 54628 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 971.0 | 15383 | 10.192.1.157 | 49298 | 37.48.82.212 | 80 | A Network Trojan was detected | ET MALWARE | Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) | 1 |
| 971.0 | 15383 | 10.192.1.157 | 49298 | 37.48.82.212 | 80 | A Network Trojan was detected | ET MALWARE | Trojan Generic - POST To gate.php with no referer | 1 |
| 971.0 | 15383 | 10.192.1.157 | 49298 | 37.48.82.212 | 80 | Potentially Bad Traffic | ET MALWARE | Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative) | 2 |
| 973.0 | 15389 | 10.192.1.157 | 58636 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 976.0 | 15391 | 10.192.1.157 | 52452 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 978.0 | 15402 | 10.192.1.157 | 50856 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 983.0 | 15454 | 10.192.1.157 | 64259 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 983.0 | 15457 | 10.192.1.157 | 58595 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 988.0 | 15478 | 10.192.1.157 | 56263 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 989.0 | 15720 | 10.192.1.157 | 58537 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 993.0 | 16005 | 10.192.1.157 | 50145 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 996.0 | 16018 | 10.192.1.157 | 51772 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 998.0 | 16025 | 10.192.1.157 | 59601 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 998.0 | 16028 | 10.192.1.157 | 52333 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1003.0 | 16039 | 10.192.1.157 | 49678 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1003.0 | 16040 | 10.192.1.157 | 60204 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1005.0 | 16050 | 10.192.1.157 | 54488 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1008.0 | 16058 | 10.192.1.157 | 51090 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1010.0 | 16063 | 10.192.1.157 | 57979 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1013.0 | 16080 | 10.192.1.157 | 60267 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1016.0 | 16085 | 10.192.1.157 | 50247 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1018.0 | 16094 | 10.192.1.157 | 63390 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1023.0 | 16101 | 10.192.1.157 | 52997 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1023.0 | 16104 | 10.192.1.157 | 50027 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1025.0 | 16110 | 10.192.1.157 | 63543 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1025.0 | 16122 | 10.192.1.157 | 49344 | 185.118.166.155 | 80 | A Network Trojan was detected | ET MALWARE | LokiBot User-Agent (Charon/Inferno) | 1 |
| 1025.0 | 16122 | 10.192.1.157 | 49344 | 185.118.166.155 | 80 | Malware Command and Control Activity Detected | ET MALWARE | LokiBot Checkin | 1 |
| 1026.0 | 16127 | 10.192.1.157 | 49344 | 185.118.166.155 | 80 | Malware Command and Control Activity Detected | ET MALWARE | LokiBot Request for C2 Commands Detected M1 | 1 |
| 1026.0 | 16127 | 10.192.1.157 | 49344 | 185.118.166.155 | 80 | Malware Command and Control Activity Detected | ET MALWARE | LokiBot Request for C2 Commands Detected M2 | 1 |
| 1028.0 | 16132 | 10.192.1.157 | 57517 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1030.0 | 16134 | 10.192.1.157 | 51502 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1031.0 | 16146 | 10.192.1.157 | 49348 | 37.48.82.212 | 80 | A Network Trojan was detected | ET MALWARE | KINS/ZeusVM Variant Retrieving Config | 1 |
| 1032.0 | 16159 | 10.192.1.157 | 49349 | 37.48.82.212 | 80 | A Network Trojan was detected | ET MALWARE | Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) | 1 |
| 1032.0 | 16159 | 10.192.1.157 | 49349 | 37.48.82.212 | 80 | A Network Trojan was detected | ET MALWARE | Trojan Generic - POST To gate.php with no referer | 1 |
| 1034.0 | 16168 | 10.192.1.157 | 51209 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1037.0 | 16170 | 10.192.1.157 | 55505 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1039.0 | 16439 | 10.192.1.157 | 54348 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1041.0 | 16713 | 10.192.1.157 | 49298 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1044.0 | 16734 | 10.192.1.157 | 62546 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1045.0 | 16743 | 10.192.1.157 | 50946 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1049.0 | 16760 | 10.192.1.157 | 62007 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1050.0 | 16766 | 10.192.1.157 | 51963 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1054.0 | 16780 | 10.192.1.157 | 54359 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1054.0 | 16782 | 10.192.1.157 | 59660 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1059.0 | 16812 | 10.192.1.157 | 58719 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1061.0 | 16819 | 10.192.1.157 | 51081 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1064.0 | 16839 | 10.192.1.157 | 65306 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1065.0 | 16845 | 10.192.1.157 | 55899 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1069.0 | 16867 | 10.192.1.157 | 53742 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1070.0 | 16869 | 10.192.1.157 | 58658 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1074.0 | 17132 | 10.192.1.157 | 51177 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1075.0 | 17155 | 10.192.1.157 | 57775 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1077.0 | 17220 | 10.192.1.157 | 61930 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1080.0 | 17250 | 10.192.1.157 | 64747 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1081.0 | 17254 | 10.192.1.157 | 50868 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1085.0 | 17273 | 10.192.1.157 | 50020 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1085.0 | 17276 | 10.192.1.157 | 60559 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1090.0 | 17303 | 10.192.1.157 | 56630 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1090.0 | 17320 | 10.192.1.157 | 58849 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1092.0 | 17569 | 10.192.1.157 | 49445 | 37.48.82.212 | 80 | A Network Trojan was detected | ET MALWARE | KINS/ZeusVM Variant Retrieving Config | 1 |
| 1093.0 | 17683 | 10.192.1.157 | 49446 | 37.48.82.212 | 80 | A Network Trojan was detected | ET MALWARE | Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) | 1 |
| 1093.0 | 17683 | 10.192.1.157 | 49446 | 37.48.82.212 | 80 | A Network Trojan was detected | ET MALWARE | Trojan Generic - POST To gate.php with no referer | 1 |
| 1095.0 | 17859 | 10.192.1.157 | 53534 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1095.0 | 17866 | 10.192.1.157 | 56341 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1100.0 | 17897 | 10.192.1.157 | 57715 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1100.0 | 17901 | 10.192.1.157 | 49616 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1105.0 | 17931 | 10.192.1.157 | 52341 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1105.0 | 17934 | 10.192.1.157 | 60281 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1110.0 | 17966 | 10.192.1.157 | 63054 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1110.0 | 17969 | 10.192.1.157 | 64369 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1113.0 | 17989 | 10.192.1.157 | 49487 | 185.118.166.155 | 80 | A Network Trojan was detected | ET MALWARE | LokiBot User-Agent (Charon/Inferno) | 1 |
| 1113.0 | 17989 | 10.192.1.157 | 49487 | 185.118.166.155 | 80 | Malware Command and Control Activity Detected | ET MALWARE | LokiBot Checkin | 1 |
| 1114.0 | 17996 | 10.192.1.157 | 49487 | 185.118.166.155 | 80 | A Network Trojan was detected | ET MALWARE | LokiBot Application/Credential Data Exfiltration Detected M1 | 1 |
| 1114.0 | 17996 | 10.192.1.157 | 49487 | 185.118.166.155 | 80 | A Network Trojan was detected | ET MALWARE | LokiBot Application/Credential Data Exfiltration Detected M2 | 1 |
| 1114.0 | 18005 | 10.192.1.157 | 49491 | 185.118.166.155 | 80 | A Network Trojan was detected | ET MALWARE | LokiBot User-Agent (Charon/Inferno) | 1 |
| 1114.0 | 18005 | 10.192.1.157 | 49491 | 185.118.166.155 | 80 | Malware Command and Control Activity Detected | ET MALWARE | LokiBot Checkin | 1 |
| 1115.0 | n/a | 185.118.166.155 | 80 | 10.192.1.157 | 49344 | A Network Trojan was detected | ET MALWARE | LokiBot Fake 404 Response | 1 |
| 1115.0 | n/a | 185.118.166.155 | 80 | 10.192.1.157 | 49292 | A Network Trojan was detected | ET MALWARE | LokiBot Fake 404 Response | 1 |
| 1115.0 | n/a | 185.118.166.155 | 80 | 10.192.1.157 | 49496 | A Network Trojan was detected | ET MALWARE | LokiBot Fake 404 Response | 1 |
| 1115.0 | 18014 | 10.192.1.157 | 49491 | 185.118.166.155 | 80 | A Network Trojan was detected | ET MALWARE | LokiBot Application/Credential Data Exfiltration Detected M1 | 1 |
| 1115.0 | 18014 | 10.192.1.157 | 49491 | 185.118.166.155 | 80 | A Network Trojan was detected | ET MALWARE | LokiBot Application/Credential Data Exfiltration Detected M2 | 1 |
| 1115.0 | 18026 | 10.192.1.157 | 49496 | 185.118.166.155 | 80 | A Network Trojan was detected | ET MALWARE | LokiBot User-Agent (Charon/Inferno) | 1 |
| 1115.0 | 18026 | 10.192.1.157 | 49496 | 185.118.166.155 | 80 | Malware Command and Control Activity Detected | ET MALWARE | LokiBot Checkin | 1 |
| 1115.0 | 18030 | 10.192.1.157 | 55159 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1115.0 | 18033 | 10.192.1.157 | 51372 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1115.0 | 18038 | 10.192.1.157 | 49496 | 185.118.166.155 | 80 | Malware Command and Control Activity Detected | ET MALWARE | LokiBot Request for C2 Commands Detected M1 | 1 |
| 1115.0 | 18038 | 10.192.1.157 | 49496 | 185.118.166.155 | 80 | Malware Command and Control Activity Detected | ET MALWARE | LokiBot Request for C2 Commands Detected M2 | 1 |
Alerts provided by Emerging Threats 2022-04-08