
Terse Named Filename EXE Download - Possibly Hostile detected in 2017-11-21-traffic-analysis-exercise-6-of-6.pcap

Time: 2017/11/21 02:00:25 +0000
Packet: 1486
Protocol: HTTP / tcp
Source: 116.90.60.136:80 (Australia)
Destination: 192.168.9.155:49754

Payload (2548 bytes), hex dump followed by ASCII rendering:

48 54 54 50 2f 31 2e 31  20 32 30 30 20 4f 4b 0d 0a 58 2d 50 6f 77 65 72  65 64 2d 42 79 3a 20 50 48 50 2f 35 2e 35 2e 33  38 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c  3a 20 6e 6f 2d 63 61 63 68 65 2c 20 6e 6f 2d 73  74 6f 72 65 2c 20 6d 61 78 2d 61 67 65 3d 30 2c  20 6d 75 73 74 2d 72 65 76 61 6c 69 64 61 74 65  0d 0a 50 72 61 67 6d 61 3a 20 6e 6f 2d 63 61 63  68 65 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65  3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63  74 65 74 2d 73 74 72 65 61 6d 0d 0a 43 6f 6e 74  65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a  20 61 74 74 61 63 68 6d 65 6e 74 3b 20 66 69 6c  65 6e 61 6d 65 3d 22 72 2e 65 78 65 22 0d 0a 43  6f 6e 74 65 6e 74 2d 54 72 61 6e 73 66 65 72 2d  45 6e 63 6f 64 69 6e 67 3a 20 62 69 6e 61 72 79  0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64  69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 44 61  74 65 3a 20 54 75 65 2c 20 32 31 20 4e 6f 76 20  32 30 31 37 20 30 32 3a 30 30 3a 32 35 20 47 4d  54 0d 0a 41 63 63 65 70 74 2d 52 61 6e 67 65 73  3a 20 62 79 74 65 73 0d 0a 53 65 72 76 65 72 3a  20 4c 69 74 65 53 70 65 65 64 0d 0a 43 6f 6e 6e  65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69  76 65 0d 0a 0d 0a 32 30 30 30 0d 0a 4d 5a 90 00  03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00  00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e  00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70  72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65  20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65  2e 0d 0d 0a 24 00 00 00 00 00 00 00 1d a5 ec 7c  59 c4 82 2f 59 c4 82 2f 59 c4 82 2f 59 c4 83 2f  52 c4 82 2f 50 bc 11 2f 52 c4 82 2f 59 c4 82 2f  58 c4 82 2f 54 96 59 2f 58 c4 82 2f 54 96 5c 2f  58 c4 82 2f 52 69 63 68 59 c4 82 2f 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00  4c 01 05 00 3d 84 13 5a 00 00 00 00 00 00 00 00  e0 00 03 11 0b 01 0c 00 00 ec 01 00 00 c4 02 00  00 00 00 00 1e 10 00 00 00 10 00 00 00 00 02 00  00 00 40 00 00 
10 00 00 00 04 00 00 05 00 00 00  00 00 00 00 05 00 00 00 00 00 00 00 00 e0 04 00  00 04 00 00 00 00 00 00 02 00 00 81 00 00 10 00  00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00  10 00 00 00 00 00 00 00 00 00 00 00 0c 21 02 00  78 00 00 00 00 90 03 00 03 43 01 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 20 02 00 0c 01 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 2e 74 65 78 74 00 00 00 f2 e8 01 00  00 10 00 00 00 ec 01 00 00 04 00 00 00 00 00 00  00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74  61 00 00 00 b7 19 00 00 00 00 02 00 00 08 00 00  00 f0 01 00 00 00 00 00 00 00 00 00 00 00 00 00  40 00 00 c0 2e 69 64 61 74 61 00 00 a0 04 00 00  00 20 02 00 00 08 00 00 00 f8 01 00 00 00 00 00  00 00 00 00 00 00 00 00 40 00 00 40 2e 63 6f 64  65 00 00 00 a5 5a 01 00 00 30 02 00 00 5c 01 00  00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00  41 00 00 40 2e 72 73 72 63 00 00 00 03 43 01 00  00 90 03 00 00 44 01 00 00 5c 03 00 00 00 00 00  00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 cc cc cc cc  cc e9 16 0a 00 00 e9 c1 a3 01 00 e9 8c a2 00 00  e9 57 01 00 00 e9 02 72 01 00 e9 5d 0b 00 00 e9  48 2e 00 00 e9 73 b4 01 00 e9 2e 05 00 00 e9 f9  4d 01 00 e9 44 7a 00 00 e9 6f 02 00 00 e9 ea f8  00 00 e9 a5 92 01 00 e9 10 1e 00 00 e9 5b 0d 01  00 e9 f6 40 00 00 e9 b1 02 00 00 e9 9c 02 00 00  e9 87 c4 01 00 e9 c2 51 00 00 e9 dd 81 01 00 e9  18 1f 01 00 e9 93 35 01 00 e9 8e d7 00 00 e9 d9  c5 00 00 e9 f4 5d 01 00 e9 bf 91 00 00 e9 0a d8  01 00 e9 a5 b3 00 00 e9 e0 05 00 00 e9 eb 03 00  00 e9 a6 0d 00 00 e9 71 e7 00 00 e9 8c 66 00 00  cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 56  53 57 83 e4 f8 83 ec 50 8b 45 08 c7 44 24 48 ae  13 de 74 c7 44 24 24 00 00 00 00 c7 44 24 20 7a  3e 79 6b 89 44 24 34 c7 44 24 2c 01 00 00 00 c7  44 24 18 01 00 00 00 83 f8 02 7d 49 c7 44 24 44  ad 5c b5 ff 8b 44 24 18 8d 65 f4 5f 5b 5e 5d c3  8b 44 24 1c 8b 4c 24 38 8b 54 24 3c 01 c9 11 d2  89 4c 24 38 89 54 24 3c 8b 4c 24 14 89 4c 24 34  8b 4c 24 30 89 4c 24 2c 8b 4c 24 30 89 4c 24 18  83 f8 03 7c b7 8b 44 24 48 35 7f 46 40 19 8b 4c  24 34 8b 54 24 2c 89 4c 24 1c 8b 74 24 48 81 f6  51 ec 21 8b 01 f1 89 4c 24 14 c7 44 24 3c 00 
00  00 00 c7 44 24 38 00 00 00 00 8b 4c 24 20 8b 74  24 24 c7 44 24 3c 00 00 00 00 c7 44 24 38 00 00  00 00 8b 7c 24 1c 0f af fa 89 7c 24 30 8b 54 24  38 8b 7c 24 3c 01 d2 11 ff 89 54 24 38 89 7c 24  3c 81 e9 85 d2 f2 35 0f 97 c3 85 f6 0f 95 c7 89  44 24 10 88 7c 24 0f 89 4c 24 08 88 5c 24 07 74  08 8a 44 24 0f 88 44 24 07 8a 44 24 07 c7 44 24  34 85 e7 35 76 8b 4c 24 10 89 4c 24 2c 84 c0 0f  85 1b ff ff ff e9 4b ff ff ff 66 90 55 89 e5 57  56 83 e4 f8 83 ec 10 8b 45 0c 8b 4d 08 8b 54 24  08 8b 74 24 0c bf 3b b6 92 01 89 44 24 04 89 d0  f7 e7 69 f6 3b b6 92 01 01 f2 89 44 24 08 89 54  24 0c 0f af c9 8b 44 24 04 0f af c0 01 c8 8d 65  f8 5e 5f 5d c3 0f 1f 80 00 00 00 00 55 89 e5 5d  c3 66 66 2e 0f 1f 84 00 00 00 00 00 55 89 e5 57  56 53 83 e4 f8 83 ec 58 8b 45 08 8b 4c 24 48 8b  54 24 4c c7 44 24 4c 00 00 00 00 c7 44 24 48 52  0a ad 7a c7 44 24 44 00 00 00 00 c7 44 24 40 7c  0f af 55 89 c3 be 78 21 af 57 89 4c 24 1c 88 d9  d3 e6 8b 7c 24 3c 89 74 24 3c c7 44 24 34 00 00  00 00 c7 44 24 30 da 34 c8 28 8b 74 24 1c 81 e6  66 24 88 29 89 74 24 48 c7 44 24 4c 00 00 00 00  c7 44 24 28 01 00 00 00 c7 44 24 38 02 00 00 00  c7 44 24 2c 01 00 00 00 89 d6 8b 4c 24 1c 0f a4  ce 14 c1 ea 0c 89 54 24 4c 89 74 24 48 83 f8 02  89 44 24 18 89 7c 24 14 7d 0c 8b 44 24 28 8d 65  f4 5b 5e 5f 5d c3 8b 44 24 2c 8b 4c 24 18 81 f1  ef 0c 94 1e 89 4c 24 3c 89 44 24 24 8b 44 24 38  89 44 24 20 8b 44 24 30 8b 4c 24 34 2d 6e 0f e8  71 0f 97 c2 85 c9 0f 95 c6 88 74 24 13 89 44 24  0c 88 54 24 0b 74 08 8a 44 24 13 88 44 24 0b 8a  44 24 0b c7 44 24 28 53 d8 89 6f 84 c0 75 9b eb  00 8b 44 24 24 8b 4c 24 20 8b 54 24 1c 88 d3 31  d2 be 19 43 f5 49 89 4c 24 04 88 d9 0f ad d6 f6  c3 20 0f 45 f2 0f 45 d2 89 54 24 4c 89 74 24 48  8b 54 24 20 89 d6 46 8b 7c 24 04 0f af f8 89 7c  24 28 89 74 24 38 89 7c 24 2c c7 44  
HTTP/1.1  200 OK. .X-Power ed-By: P HP/5.5.3 8..Cache -Control : no-cac he, no-s tore, ma x-age=0,  must-re validate ..Pragma : no-cac he..Cont ent-Type : applic ation/oc tet-stre am..Cont ent-Disp osition:  attachm ent; fil ename="r .exe"..C ontent-T ransfer- Encoding : binary ..Transf er-Encod ing: chu nked..Da te: Tue, 21 Nov  2017 02: 00:25 GM T..Accep t-Ranges : bytes. .Server:  LiteSpe ed..Conn ection: Keep-Ali ve....20 00..MZ.. ........ ........ ....@... ........ ........ ........ ........ ........ ....!..L .!This p rogram c annot be  run in DOS mode ....$... .......| Y../Y../ Y../Y../ R../P../ R../Y../ X../T.Y/ X../T.\/ X../Rich Y../.... ........ ....PE.. L...=..Z ........ ........ ........ ........ ........ ..@..... ........ ........ ........ ........ ........ ........ ........ ........ .....!.. x....... .C...... ........ ........ ........ ........ ........ ........ ........ ........ ..... .. ........ ........ ........ .....tex t....... ........ ........ ........ ..`.dat a....... ........ ........ ........ @....ida ta...... . ...... ........ ........ @..@.cod e....Z.. .0...\.. ........ ........ A..@.rsr c....C.. .....D.. .\...... ........ @..@.... ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ .W.....r ...].... H....s.. ........ M...Dz.. .o...... ........ .....[.. ...@.... ........ .......Q ........ ......5. ........ .....].. ........ ........ ........ .......q .....f.. ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ ........ 
....U..V SW.....P .E..D$H. ..t.D$$. ....D$ z >yk.D$4. D$,..... D$...... ..}I.D$D .\...D$. .e._[^]. .D$..L$8 .T$<.... .L$8.T$< .L$..L$4 .L$0.L$, .L$0.L$. ...|..D$ H5.F@..L $4.T$,.L $..t$H.. Q.!....L $..D$<.. ...D$8.. ...L$ .t $$.D$<.. ...D$8.. ...|$... ..|$0.T$ 8.|$<... ..T$8.|$ <.....5. ........ D$..|$.. L$..\$.t ..D$..D$ ..D$..D$ 4..5v.L$ ..L$,... ......K. ..f.U..W V....... E..M..T$ ..t$..;. ...D$... ..i.;... ...D$..T $.....D$ .......e .^_].... ....U..] .ff..... ....U..W VS.....X .E..L$H. T$L.D$L. ....D$HR ..z.D$D. ....D$@| ..U...x! .W.L$... ...|$<.t $<.D$4.. ...D$0.4 .(.t$... f$.).t$H .D$L.... .D$(.... .D$8.... .D$,.... ...L$... ......T$ L.t$H... .D$..|$. }..D$(.e .[^_]..D $,.L$... .....L$< .D$$.D$8 .D$ .D$0 .L$4-n.. q....... ..t$..D$ ..T$.t.. D$..D$.. D$..D$(S ..o..u.. ..D$$.L$ .T$...1 ...C.I.L $....... . .E..E. .T$L.t$H .T$ ..F. |$.....| $(.t$8.| $,.D

1 Alert

Alerts provided by Emerging Threats 2022-04-08
Signature: Terse Named Filename EXE Download - Possibly Hostile
Category: A Network Trojan was detected
SID.rev: 2020202.3
Rule Set: ET POLICY

External References

There are no references available for these alerts.

Community ID

Community ID is an open standard for hashing network flows into identifiers and can be used to correlate connections across different tools.

Zeek: conn.log: 1:7lkoM06RBTkB2mI/bKkyZz72fow=