Filename: 2019-01-22-Hancitor-infection-with-Ursnif.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 21.6354908943 seconds
Hash: 60bddb9dc2a16bb7f83b45fb323aad93
Uploaded: 1548331432

Logfiles


packet_stats.log - (12657 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot            % 
------   -----   ----------     ------------   ------------   -----------    -----------    ---
 IPv4       6          1326          2652463      548800755     321853285        426.8b   98.58
 IPv4      17            18         13732258      469297001     342667719          6.2b    1.42
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot            % 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------    ---
TMM_FLOWWORKER              IPv4       6          1326            66488       13713535        446346        591.9m   92.11
TMM_FLOWWORKER              IPv4      17            18           321115        5973271        797993         14.4m    2.24
TMM_RECEIVEPCAPFILE         IPv4       6          1323             2531       14104377         24424         32.3m    5.03
TMM_RECEIVEPCAPFILE         IPv4      17            18             2576           9309          3117         56.1k    0.01
TMM_DECODEPCAPFILE          IPv4       6          1323             2645          75359          2936          3.9m    0.60
TMM_DECODEPCAPFILE          IPv4      17            18             2825          29397          4570         82.3k    0.01

Flow Worker            IP ver   Proto   cnt            min            max            avg            tot     % 
--------------------   ------   -----   ----------     ------------   ------------   -----------    ------  ----
flow                    IPv4       6          1323             2757         384503          3796          5.0m  0.88  
flow                    IPv4      17            18             3047          10448          4556         82.0k  0.01  
stream                  IPv4       6          1326             2827         398229         14921         19.8m  3.48  
app-layer               IPv4      17            18             9749          49128         19159        344.9k  0.06  
detect                  IPv4       6          1326            44730       13218451        401069        531.8m  93.61 
detect                  IPv4      17            18           260809         669427        393283          7.1m  1.25  
tcp-prune               IPv4       6          1326             2544          27943          2990          4.0m  0.70  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg            tot     % 
--------------------   ------   -----   ----------     ------------   ------------   -----------    ------  ----
http                    IPv4       6            28             2969          42341         14958        418.8k  77.41 
dns                     IPv4      17            18             4180          17400          6790        122.2k  22.59 
Proto detect            IPv4      17            18             4174          29443          9629        173.3k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot            % 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------    ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot     % 
------------------------   ------   -----   ----------     ------------   ------------   -----------    ------  ----
LOGGER_ALERT_FAST           IPv4       6            29            23878          98804         44222          1.3m  7.93  
LOGGER_ALERT_FAST           IPv4      17             1            22928          22928         22928         22.9k  0.14  
LOGGER_UNIFIED2             IPv4       6            29            22847         238163         52811          1.5m  9.47  
LOGGER_UNIFIED2             IPv4      17             1            41089          41089         41089         41.1k  0.25  
LOGGER_JSON_ALERT           IPv4       6            29            45467         157958         72711          2.1m  13.04 
LOGGER_JSON_ALERT           IPv4      17             1            40192          40192         40192         40.2k  0.25  
LOGGER_JSON_DNS             IPv4      17            18            25974        5217403        357716          6.4m  39.83 
LOGGER_JSON_HTTP            IPv4       6            28            33782         168457         69812          2.0m  12.09 
LOGGER_JSON_FILE            IPv4       6            45            45902         125339         61008          2.7m  16.98 

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          % 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6           815             2589         425847         21800        17.8m  12.30 
payload                           IPv4      17            18            13816          74672         33420       601.6k  0.42  
stream                            IPv4       6           815             2538        1943038         37951        30.9m  21.42 
http_uri                          IPv4       6            28             4877          54263         12241       342.8k  0.24  
http_request_line                 IPv4       6            28             4077           8927          5303       148.5k  0.10  
http_client_body                  IPv4       6            30             2937          59812         13018       390.5k  0.27  
http_header (request)             IPv4       6            28            26230         119568         49657         1.4m  0.96  
http_header (request trailer)     IPv4       6            28             2602           3282          2698        75.5k  0.05  
http_header_names (request)       IPv4       6            28             9342          38906         15287       428.1k  0.30  
http_accept (request)             IPv4       6            28             3056          10687          3937       110.3k  0.08  
http_referer (request)            IPv4       6            28             2892           3741          3107        87.0k  0.06  
http_content_len (request)        IPv4       6            28             3175          24110          5065       141.8k  0.10  
http_content_type (request)       IPv4       6            28             3017          11626          5654       158.3k  0.11  
http_protocol (request)           IPv4       6            28             3405           6547          4241       118.8k  0.08  
http_start (request)              IPv4       6            28             7850          25615         11096       310.7k  0.22  
http_raw_header (request)         IPv4       6            30             9428          56316         13918       417.6k  0.29  
http_method                       IPv4       6            28             3634           6768          4597       128.7k  0.09  
http_cookie (request)             IPv4       6            28             2916           5290          3361        94.1k  0.07  
http_raw_uri                      IPv4       6            28             2995          12687          4860       136.1k  0.09  
http_user_agent                   IPv4       6            28            10270          45653         20697       579.5k  0.40  
http_host                         IPv4       6            28             3645          40222          6226       174.3k  0.12  
dns_query                         IPv4      17             9             6443          24464         10548        94.9k  0.07  
http_response_line                IPv4       6            28             4411          35506          6917       193.7k  0.13  
http_header (response)            IPv4       6            28            12317          61109         23103       646.9k  0.45  
http_header (response trailer)    IPv4       6            28             2607          56967          5756       161.2k  0.11  
http_content_type (response)      IPv4       6            28             4513           8797          5519       154.6k  0.11  
http_raw_header (response)        IPv4       6           718             3893          37968          4862         3.5m  2.42  
http_cookie (response)            IPv4       6            28             2904           3812          3199        89.6k  0.06  
http_stat_code                    IPv4       6            28             3063           4618          3474        97.3k  0.07  
file_data (http response)         IPv4       6           690             2570       11019417        123098        84.9m  58.82 
Total                             IPv4                  3741                                         38599       144.4m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot     % 
------------------------   ------   -----   ----------     ------------   ------------   -----------    ------  ----
PROF_DETECT_IPONLY          IPv4       6            52             3292          83527         31700          1.6m  0.20  
PROF_DETECT_IPONLY          IPv4      17            18             5555          63383         40963        737.3k  0.09  
PROF_DETECT_RULES           IPv4       6          1326             2532        9732794        205451        272.4m  33.40 
PROF_DETECT_RULES           IPv4      17            18            90245         330136        216758          3.9m  0.48  
PROF_DETECT_STATEFUL_START    IPv4       6           655             5108        7565300        219761        143.9m  17.65 
PROF_DETECT_STATEFUL_START    IPv4      17             1            11559          11559         11559         11.6k  0.00  
PROF_DETECT_STATEFUL_CONT    IPv4       6          1326             2512          86086         14544         19.3m  2.36  
PROF_DETECT_STATEFUL_CONT    IPv4      17            18             5874         130168         13346        240.2k  0.03  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6          1222             2552          73355          2940          3.6m  0.44  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            18             2615           3398          2931         52.8k  0.01  
PROF_DETECT_PREFILTER       IPv4       6          1326             7855       11329495        138328        183.4m  22.49 
PROF_DETECT_PREFILTER       IPv4      17            18            45268         108714         70709          1.3m  0.16  
PROF_DETECT_PF_PAYLOAD      IPv4       6           815            15619        1977608         68067         55.5m  6.80  
PROF_DETECT_PF_PAYLOAD      IPv4      17            18            19125          80391         39539        711.7k  0.09  
PROF_DETECT_PF_TX           IPv4       6          1222             2548       11036004         85890        105.0m  12.87 
PROF_DETECT_PF_TX           IPv4      17             9            12042          30178         16378        147.4k  0.02  
PROF_DETECT_PF_SORT1        IPv4       6           565             2555          56283          4333          2.4m  0.30  
PROF_DETECT_PF_SORT1        IPv4      17            18             3244           6121          4211         75.8k  0.01  
PROF_DETECT_PF_SORT2        IPv4       6          1326             2518          40588          3028          4.0m  0.49  
PROF_DETECT_PF_SORT2        IPv4      17            18             2940          18589          4446         80.0k  0.01  
PROF_DETECT_NONMPMLIST      IPv4       6          1326             2520          59390          2967          3.9m  0.48  
PROF_DETECT_NONMPMLIST      IPv4      17            18             2707           4154          3166         57.0k  0.01  
PROF_DETECT_ALERT           IPv4       6          1326             2518         758204          3385          4.5m  0.55  
PROF_DETECT_ALERT           IPv4      17            18             2551          11208          3349         60.3k  0.01  
PROF_DETECT_CLEANUP         IPv4       6          1326             2561          84534          3215          4.3m  0.52  
PROF_DETECT_CLEANUP         IPv4      17            18             2872           5027          3512         63.2k  0.01  
PROF_DETECT_GETSGH          IPv4       6          1326             2518          41931          3120          4.1m  0.51  
PROF_DETECT_GETSGH          IPv4      17            18             5422          34717          7573        136.3k  0.02  


unified2.alert.1548331453 - (56586 bytes) - binary unified2 alert output, not shown


suricata-report-2019-01-24-T-12-04-14-01242019.1203-2019-01-22-Hancitor-infection-with-Ursnif.pcap.txt - (17828 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/60bddb9dc2a16bb7f83b45fb323aad9356b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01242019.1203-2019-01-22-Hancitor-infection-with-Ursnif.pcap -vvv -k none
elapsedtime:20.713136
stderr:
stdout:
24/1/2019 -- 12:03:53 - <Info> - Configuration node 'rule-files' redefined.
24/1/2019 -- 12:03:53 - <Notice> - This is Suricata version 4.0.0 RELEASE
24/1/2019 -- 12:03:53 - <Info> - CPUs/cores online: 1
24/1/2019 -- 12:03:53 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32754 and 'request-body-inspect-window' set to 16858 after randomization.
24/1/2019 -- 12:03:53 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 32977 and 'response-body-inspect-window' set to 16895 after randomization.
24/1/2019 -- 12:03:53 - <Config> - DNS request flood protection level: 500
24/1/2019 -- 12:03:53 - <Config> - DNS per flow memcap (state-memcap): 524288
24/1/2019 -- 12:03:53 - <Config> - DNS global memcap: 16777216
24/1/2019 -- 12:03:53 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
24/1/2019 -- 12:03:53 - <Config> - preallocated 1000 hosts of size 136
24/1/2019 -- 12:03:53 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
24/1/2019 -- 12:03:53 - <Config> - using magic-file /usr/share/file/magic
24/1/2019 -- 12:03:53 - <Config> - Core dump size is unlimited.
24/1/2019 -- 12:03:53 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
24/1/2019 -- 12:03:53 - <Config> - preallocated 1000 defrag trackers of size 168
24/1/2019 -- 12:03:53 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
24/1/2019 -- 12:03:53 - <Config> - stream "prealloc-sessions": 2048 (per thread)
24/1/2019 -- 12:03:53 - <Config> - stream "memcap": 33554432
24/1/2019 -- 12:03:53 - <Config> - stream "midstream" session pickups: disabled
24/1/2019 -- 12:03:53 - <Config> - stream "async-oneside": disabled
24/1/2019 -- 12:03:53 - <Config> - stream "checksum-validation": disabled
24/1/2019 -- 12:03:53 - <Config> - stream."inline": disabled
24/1/2019 -- 12:03:53 - <Config> - stream "bypass": disabled
24/1/2019 -- 12:03:53 - <Config> - stream "max-synack-queued": 5
24/1/2019 -- 12:03:53 - <Config> - stream.reassembly "memcap": 134217728
24/1/2019 -- 12:03:53 - <Config> - stream.reassembly "depth": 0
24/1/2019 -- 12:03:53 - <Config> - stream.reassembly "toserver-chunk-size": 2441
24/1/2019 -- 12:03:53 - <Config> - stream.reassembly "toclient-chunk-size": 2657
24/1/2019 -- 12:03:53 - <Config> - stream.reassembly.raw: enabled
24/1/2019 -- 12:03:53 - <Config> - stream.reassembly "segment-prealloc": 2048
24/1/2019 -- 12:03:53 - <Config> - Delayed detect disabled
24/1/2019 -- 12:03:53 - <Config> - pattern matchers: MPM: ac, SPM: bm
24/1/2019 -- 12:03:53 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
24/1/2019 -- 12:03:53 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
24/1/2019 -- 12:03:53 - <Config> - prefilter engines: MPM
24/1/2019 -- 12:03:53 - <Config> - IP reputation disabled
24/1/2019 -- 12:03:53 - <Perf> - Registered 148 keyword profiling counters.
24/1/2019 -- 12:03:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
24/1/2019 -- 12:03:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
24/1/2019 -- 12:03:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
24/1/2019 -- 12:03:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
24/1/2019 -- 12:03:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
24/1/2019 -- 12:03:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
24/1/2019 -- 12:03:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
24/1/2019 -- 12:03:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
24/1/2019 -- 12:03:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
24/1/2019 -- 12:03:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
24/1/2019 -- 12:03:58 - <Config> - No rules loaded from ET-icmp.rules.
24/1/2019 -- 12:03:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
24/1/2019 -- 12:03:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
24/1/2019 -- 12:03:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
24/1/2019 -- 12:03:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
24/1/2019 -- 12:03:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
24/1/2019 -- 12:03:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
24/1/2019 -- 12:03:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
24/1/2019 -- 12:03:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
24/1/2019 -- 12:03:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
24/1/2019 -- 12:03:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
24/1/2019 -- 12:04:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
24/1/2019 -- 12:04:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
24/1/2019 -- 12:04:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
24/1/2019 -- 12:04:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
24/1/2019 -- 12:04:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
24/1/2019 -- 12:04:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
24/1/2019 -- 12:04:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
24/1/2019 -- 12:04:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
24/1/2019 -- 12:04:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
24/1/2019 -- 12:04:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
24/1/2019 -- 12:04:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
24/1/2019 -- 12:04:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
24/1/2019 -- 12:04:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
24/1/2019 -- 12:04:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
24/1/2019 -- 12:04:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
24/1/2019 -- 12:04:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
24/1/2019 -- 12:04:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
24/1/2019 -- 12:04:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
24/1/2019 -- 12:04:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
24/1/2019 -- 12:04:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
24/1/2019 -- 12:04:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
24/1/2019 -- 12:04:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
24/1/2019 -- 12:04:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
24/1/2019 -- 12:04:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
24/1/2019 -- 12:04:05 - <Config> - No rules loaded from local.rules.
24/1/2019 -- 12:04:05 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
24/1/2019 -- 12:04:05 - <Info> - Threshold config parsed: 0 rule(s) found
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for tcp-packet
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for tcp-stream
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for udp-packet
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for other-ip
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_uri
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_request_line
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_client_body
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_response_line
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_header
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_header
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_header_names
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_header_names
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_accept
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_accept_enc
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_accept_lang
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_referer
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_connection
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_content_len
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_content_len
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_content_type
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_content_type
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_protocol
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_protocol
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_start
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_start
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_raw_header
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_raw_header
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_method
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_cookie
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_cookie
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_raw_uri
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_user_agent
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_host
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_raw_host
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_stat_msg
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_stat_code
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for dns_query
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for tls_sni
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for tls_cert_issuer
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for tls_cert_subject
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for tls_cert_serial
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for dce_stub_data
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for dce_stub_data
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for ssh_protocol
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for ssh_protocol
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for ssh_software
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for ssh_software
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for file_data
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for file_data
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_request_line
24/1/2019 -- 12:04:06 - <Perf> - using shared mpm ctx' for http_response_line
24/1/2019 -- 12:04:06 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
24/1/2019 -- 12:04:06 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
24/1/2019 -- 12:04:06 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
24/1/2019 -- 12:04:06 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
24/1/2019 -- 12:04:06 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
24/1/2019 -- 12:04:06 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
24/1/2019 -- 12:04:06 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
24/1/2019 -- 12:04:06 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
24/1/2019 -- 12:04:11 - <Perf> - Unique rule groups: 104
24/1/2019 -- 12:04:11 - <Perf> - Builtin MPM "toserver TCP packet": 35
24/1/2019 -- 12:04:11 - <Perf> - Builtin MPM "toclient TCP packet": 17
24/1/2019 -- 12:04:11 - <Perf> - Builtin MPM "toserver TCP stream": 33
24/1/2019 -- 12:04:11 - <Perf> - Builtin MPM "toclient TCP stream": 19
24/1/2019 -- 12:04:11 - <Perf> - Builtin MPM "toserver UDP packet": 27
24/1/2019 -- 12:04:11 - <Perf> - Builtin MPM "toclient UDP packet": 17
24/1/2019 -- 12:04:11 - <Perf> - Builtin MPM "other IP packet": 3
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toserver http_uri": 14
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toserver http_request_line": 1
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toserver http_client_body": 6
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toclient http_response_line": 1
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toserver http_header": 10
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toclient http_header": 6
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toserver http_header_names": 2
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toserver http_accept": 1
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toserver http_referer": 1
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toserver http_content_len": 1
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toserver http_content_type": 1
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toclient http_content_type": 1
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toserver http_protocol": 1
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toserver http_start": 1
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toserver http_method": 5
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toserver http_cookie": 1
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toclient http_cookie": 2
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toserver http_host": 2
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toserver dns_query": 4
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toserver tls_sni": 2
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toserver file_data": 1
24/1/2019 -- 12:04:11 - <Perf> - AppLayer MPM "toclient file_data": 7
24/1/2019 -- 12:04:13 - <Perf> - Registered 39590 rule profiling counters.
24/1/2019 -- 12:04:13 - <Info> - fast output device (regular) initialized: alert
24/1/2019 -- 12:04:13 - <Info> - eve-log output device (regular) initialized: eve.json
24/1/2019 -- 12:04:13 - <Config> - enabling 'eve-log' module 'alert'
24/1/2019 -- 12:04:13 - <Config> - enabling 'eve-log' module 'http'
24/1/2019 -- 12:04:13 - <Config> - enabling 'eve-log' module 'dns'
24/1/2019 -- 12:04:13 - <Config> - enabling 'eve-log' module 'tls'
24/1/2019 -- 12:04:13 - <Config> - enabling 'eve-log' module 'files'
24/1/2019 -- 12:04:13 - <Config> - enabling 'eve-log' module 'ssh'
24/1/2019 -- 12:04:13 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
24/1/2019 -- 12:04:13 - <Info> - stats output device (regular) initialized: stats.log
24/1/2019 -- 12:04:13 - <Config> - AutoFP mode using "Hash" flow load balancer
24/1/2019 -- 12:04:13 - <Info> - reading pcap file /var/pcap/01242019.1203-2019-01-22-Hancitor-infection-with-Ursnif.pcap
24/1/2019 -- 12:04:13 - <Co

This file has been truncated.


stats.log - (2545 bytes)
------------------------------------------------------------------------------------
Date: 1/24/2019 -- 12:04:14 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 1341
decoder.bytes                              | Total                     | 991279
decoder.ipv4                               | Total                     | 1341
decoder.ethernet                           | Total                     | 1341
decoder.tcp                                | Total                     | 1323
decoder.udp                                | Total                     | 18
decoder.avg_pkt_size                       | Total                     | 739
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 26
flow.udp                                   | Total                     | 9
tcp.sessions                               | Total                     | 26
tcp.syn                                    | Total                     | 26
tcp.synack                                 | Total                     | 26
tcp.rst                                    | Total                     | 1
detect.alert                               | Total                     | 30
detect.mpm_list                            | Total                     | 6
detect.nonmpm_list                         | Total                     | 2
detect.match_list                          | Total                     | 6
app_layer.flow.http                        | Total                     | 26
app_layer.tx.http                          | Total                     | 28
app_layer.flow.dns_udp                     | Total                     | 9
app_layer.tx.dns_udp                       | Total                     | 9
flow.spare                                 | Total                     | 10000
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65536
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7074880


eve.json - (65119 bytes)
{"timestamp":"2019-01-22T16:54:36.836689+0000","flow_id":1470662481593425,"pcap_cnt":1,"event_type":"dns","src_ip":"10.1.22.101","src_port":64104,"dest_ip":"10.1.22.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":49099,"rrname":"sjkboating.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-22T16:54:37.247521+0000","flow_id":1470662481593425,"pcap_cnt":2,"event_type":"dns","src_ip":"10.1.22.1","src_port":53,"dest_ip":"10.1.22.101","dest_port":64104,"proto":"UDP","dns":{"type":"answer","id":49099,"rcode":"NOERROR","rrname":"sjkboating.com","rrtype":"A","ttl":5,"rdata":"47.74.24.76"}}
{"timestamp":"2019-01-22T16:54:48.523324+0000","flow_id":1006320682392801,"pcap_cnt":48,"event_type":"alert","src_ip":"47.74.24.76","src_port":80,"dest_ip":"10.1.22.101","dest_port":49159,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2019837,"rev":3,"signature":"ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2019-01-22T16:55:06.097316+0000","flow_id":1006320682392801,"pcap_cnt":192,"event_type":"alert","src_ip":"47.74.24.76","src_port":80,"dest_ip":"10.1.22.101","dest_port":49159,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2803027,"rev":6,"signature":"ETPRO WEB_CLIENT Microsoft Excel Malformed Selection (type 0x1D) BIFF record","category":"Attempted User Privilege Gain","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-22T16:55:24.918746+0000","flow_id":1006320682392801,"pcap_cnt":334,"event_type":"alert","src_ip":"47.74.24.76","src_port":80,"dest_ip":"10.1.22.101","dest_port":49159,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2810419,"rev":1,"signature":"ETPRO CURRENT_EVENTS Inbound cmd.exe Base64 Encoded (ASCII) 1","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-22T16:55:25.091255+0000","flow_id":1006320682392801,"pcap_cnt":338,"event_type":"alert","src_ip":"47.74.24.76","src_port":80,"dest_ip":"10.1.22.101","dest_port":49159,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2810419,"rev":1,"signature":"ETPRO CURRENT_EVENTS Inbound cmd.exe Base64 Encoded (ASCII) 1","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-22T16:55:50.475906+0000","flow_id":1006320682392801,"pcap_cnt":550,"event_type":"http","src_ip":"10.1.22.101","src_port":49159,"dest_ip":"47.74.24.76","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"sjkboating.com","url":"\/?8u7e375i=FAQzRQVUCFQXGMPPBSJAEFTtY3CQi","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword"}}
{"timestamp":"2019-01-22T16:55:50.476104+0000","flow_id":1006320682392801,"pcap_cnt":552,"event_type":"fileinfo","src_ip":"47.74.24.76","src_port":80,"dest_ip":"10.1.22.101","dest_port":49159,"proto":"TCP","http":{"hostname":"sjkboating.com","url":"\/?8u7e375i=FAQzRQVUCFQXGMPPBSJAEFTtY3CQi","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":468992},"app_proto":"http","fileinfo":{"filename":"invoice_105247.xls","gaps":false,"state":"CLOSED","stored":false,"size":468992,"tx_id":0}}
{"timestamp":"2019-01-22T16:57:59.916566+0000","flow_id":738763560451158,"pcap_cnt":553,"event_type":"dns","src_ip":"10.1.22.101","src_port":62103,"dest_ip":"10.1.22.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":22581,"rrname":"api.ipify.org","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-22T16:57:59.989630+0000","flow_id":738763560451158,"pcap_cnt":554,"event_type":"dns","src_ip":"10.1.22.1","src_port":53,"dest_ip":"10.1.22.101","dest_port":62103,"proto":"UDP","dns":{"type":"answer","id":22581,"rcode":"NOERROR","rrname":"api.ipify.org","rrtype":"CNAME","ttl":5,"rdata":"nagano-19599.herokussl.com"}}
{"timestamp":"2019-01-22T16:57:59.989630+0000","flow_id":738763560451158,"pcap_cnt":554,"event_type":"dns","src_ip":"10.1.22.1","src_port":53,"dest_ip":"10.1.22.101","dest_port":62103,"proto":"UDP","dns":{"type":"answer","id":22581,"rcode":"NOERROR","rrname":"nagano-19599.herokussl.com","rrtype":"CNAME","ttl":5,"rdata":"elb097307-934924932.us-east-1.elb.amazonaws.com"}}
{"timestamp":"2019-01-22T16:57:59.989630+0000","flow_id":738763560451158,"pcap_cnt":554,"event_type":"dns","src_ip":"10.1.22.1","src_port":53,"dest_ip":"10.1.22.101","dest_port":62103,"proto":"UDP","dns":{"type":"answer","id":22581,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"23.21.121.219"}}
{"timestamp":"2019-01-22T16:57:59.989630+0000","flow_id":738763560451158,"pcap_cnt":554,"event_type":"dns","src_ip":"10.1.22.1","src_port":53,"dest_ip":"10.1.22.101","dest_port":62103,"proto":"UDP","dns":{"type":"answer","id":22581,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"54.243.123.39"}}
{"timestamp":"2019-01-22T16:57:59.989630+0000","flow_id":738763560451158,"pcap_cnt":554,"event_type":"dns","src_ip":"10.1.22.1","src_port":53,"dest_ip":"10.1.22.101","dest_port":62103,"proto":"UDP","dns":{"type":"answer","id":22581,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"50.16.248.221"}}
{"timestamp":"2019-01-22T16:57:59.989630+0000","flow_id":738763560451158,"pcap_cnt":554,"event_type":"dns","src_ip":"10.1.22.1","src_port":53,"dest_ip":"10.1.22.101","dest_port":62103,"proto":"UDP","dns":{"type":"answer","id":22581,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"50.19.247.198"}}
{"timestamp":"2019-01-22T16:57:59.989630+0000","flow_id":738763560451158,"pcap_cnt":554,"event_type":"dns","src_ip":"10.1.22.1","src_port":53,"dest_ip":"10.1.22.101","dest_port":62103,"proto":"UDP","dns":{"type":"answer","id":22581,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"54.204.36.156"}}
{"timestamp":"2019-01-22T16:57:59.989630+0000","flow_id":738763560451158,"pcap_cnt":554,"event_type":"dns","src_ip":"10.1.22.1","src_port":53,"dest_ip":"10.1.22.101","dest_port":62103,"proto":"UDP","dns":{"type":"answer","id":22581,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"107.22.215.20"}}
{"timestamp":"2019-01-22T16:58:00.250253+0000","flow_id":1935399431122243,"pcap_cnt":561,"event_type":"alert","src_ip":"10.1.22.101","src_port":49176,"dest_ip":"23.21.121.219","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2021997,"rev":3,"signature":"ET POLICY External IP Lookup api.ipify.org","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-22T16:58:00.250253+0000","flow_id":1935399431122243,"pcap_cnt":561,"event_type":"http","src_ip":"10.1.22.101","src_port":49176,"dest_ip":"23.21.121.219","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"api.ipify.org","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/plain"}}
{"timestamp":"2019-01-22T16:58:00.254906+0000","flow_id":717187792298938,"pcap_cnt":562,"event_type":"dns","src_ip":"10.1.22.101","src_port":57372,"dest_ip":"10.1.22.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":37656,"rrname":"felighevengna.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-22T16:58:00.622804+0000","flow_id":717187792298938,"pcap_cnt":563,"event_type":"dns","src_ip":"10.1.22.1","src_port":53,"dest_ip":"10.1.22.101","dest_port":57372,"proto":"UDP","dns":{"type":"answer","id":37656,"rcode":"NOERROR","rrname":"felighevengna.com","rrtype":"A","ttl":5,"rdata":"81.171.7.39"}}
{"timestamp":"2019-01-22T16:58:01.379905+0000","flow_id":1961409753154674,"pcap_cnt":570,"event_type":"alert","src_ip":"10.1.22.101","src_port":49177,"dest_ip":"81.171.7.39","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2819978,"rev":5,"signature":"ETPRO TROJAN Tordal\/Hancitor\/Chanitor Checkin","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-22T16:58:01.379905+0000","flow_id":1961409753154674,"pcap_cnt":570,"event_type":"http","src_ip":"10.1.22.101","src_port":49177,"dest_ip":"81.171.7.39","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"felighevengna.com","url":"\/4\/forum.php","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2019-01-22T16:58:01.379905+0000","flow_id":1961409753154674,"pcap_cnt":570,"event_type":"fileinfo","src_ip":"10.1.22.101","src_port":49177,"dest_ip":"81.171.7.39","dest_port":80,"proto":"TCP","http":{"hostname":"felighevengna.com","url":"\/4\/forum.php","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":830},"app_proto":"http","fileinfo":{"filename":"\/4\/forum.php","gaps":false,"state":"CLOSED","stored":false,"size":122,"tx_id":0}}
{"timestamp":"2019-01-22T16:58:01.381276+0000","flow_id":922798614237532,"pcap_cnt":571,"event_type":"dns","src_ip":"10.1.22.101","src_port":61972,"dest_ip":"10.1.22.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":56504,"rrname":"rushnewmedia.de","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-22T16:58:01.481457+0000","flow_id":922798614237532,"pcap_cnt":572,"event_type":"dns","src_ip":"10.1.22.1","src_port":53,"dest_ip":"10.1.22.101","dest_port":61972,"proto":"UDP","dns":{"type":"answer","id":56504,"rcode":"NOERROR","rrname":"rushnewmedia.de","rrtype":"A","ttl":5,"rdata":"82.165.41.17"}}
{"timestamp":"2019-01-22T16:58:02.516441+0000","flow_id":818426613947531,"pcap_cnt":627,"event_type":"alert","src_ip":"82.165.41.17","src_port":80,"dest_ip":"10.1.22.101","dest_port":49178,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2824549,"rev":2,"signature":"ETPRO CURRENT_EVENTS Hancitor encrypted payload Jan 17 (1)","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-22T16:58:02.518610+0000","flow_id":818426613947531,"pcap_cnt":640,"event_type":"http","src_ip":"10.1.22.101","src_port":49178,"dest_ip":"82.165.41.17","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"rushnewmedia.de","url":"\/wp\/wp-content\/plugins\/really-simple-captcha\/1","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/plain"}}
{"timestamp":"2019-01-22T16:58:08.227067+0000","flow_id":818426613947531,"pcap_cnt":641,"event_type":"fileinfo","src_ip":"82.165.41.17","src_port":80,"dest_ip":"10.1.22.101","dest_port":49178,"proto":"TCP","http":{"hostname":"rushnewmedia.de","url":"\/wp\/wp-content\/plugins\/really-simple-captcha\/1","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/plain","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":46347},"app_proto":"http","fileinfo":{"filename":"\/wp\/wp-content\/plugins\/really-simple-captcha\/1","gaps":false,"state":"CLOSED","stored":false,"size":46347,"tx_id":0}}
{"timestamp":"2019-01-22T16:58:08.390186+0000","flow_id":1780428421788714,"pcap_cnt":643,"event_type":"dns","src_ip":"10.1.22.101","src_port":64199,"dest_ip":"10.1.22.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":51089,"rrname":"felighevengna.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-22T16:58:08.698126+0000","flow_id":1780428421788714,"pcap_cnt":644,"event_type":"dns","src_ip":"10.1.22.1","src_port":53,"dest_ip":"10.1.22.101","dest_port":64199,"proto":"UDP","dns":{"type":"answer","id":51089,"rcode":"NOERROR","rrname":"felighevengna.com","rrtype":"A","ttl":5,"rdata":"81.171.7.39"}}
{"timestamp":"2019-01-22T16:58:09.021111+0000","flow_id":1541939625242713,"pcap_cnt":650,"event_type":"alert","src_ip":"10.1.22.101","src_port":49179,"dest_ip":"81.171.7.39","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2014411,"rev":11,"signature":"ET TROJAN Fareit\/Pony Downloader Checkin 2","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-22T16:58:09.578318+0000","flow_id":1541939625242713,"pcap_cnt":653,"event_type":"fileinfo","src_ip":"10.1.22.101","src_port":49179,"dest_ip":"81.171.7.39","dest_port":80,"proto":"TCP","http":{"hostname":"felighevengna.com","url":"\/mlu\/forum.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.0","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/mlu\/forum.php","gaps":false,"state":"CLOSED","stored":false,"size":205,"tx_id":0}}
{"timestamp":"2019-01-22T16:58:09.579473+0000","flow_id":1541939625242713,"pcap_cnt":655,"event_type":"http","src_ip":"10.1.22.101","src_port":49179,"dest_ip":"81.171.7.39","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"felighevengna.com","url":"\/mlu\/forum.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2019-01-22T16:58:09.579473+0000","flow_id":1541939625242713,"pcap_cnt":655,"event_type":"fileinfo","src_ip":"81.171.7.39","src_port":80,"dest_ip":"10.1.22.101","dest_port":49179,"proto":"TCP","http":{"hostname":"felighevengna.com","url":"\/mlu\/forum.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.0","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/mlu\/forum.php","gaps":false,"state":"CLOSED","stored":false,"size":20,"tx_id":0}}
{"timestamp":"2019-01-22T16:58:10.801052+0000","flow_id":1352022613917178,"pcap_cnt":705,"event_type":"alert","src_ip":"82.165.41.17","src_port":80,"dest_ip":"10.1.22.101","dest_port":49180,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2824549,"rev":2,"signature":"ETPRO CURRENT_EVENTS Hancitor encrypted payload Jan 17 (1)","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-22T16:58:10.802725+0000","flow_id":1352022613917178,"pcap_cnt":719,"event_type":"http","src_ip":"10.1.22.101","src_port":49180,"dest_ip":"82.165.41.17","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"rushnewmedia.de","url":"\/wp\/wp-content\/plugins\/really-simple-captcha\/2","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/plain"}}
{"timestamp":"2019-01-22T16:58:10.820019+0000","flow_id":1352022613917178,"pcap_cnt":721,"event_type":"fileinfo","src_ip":"82.165.41.17","src_port":80,"dest_ip":"10.1.22.101","dest_port":49180,"proto":"TCP","http":{"hostname":"rushnewmedia.de","url":"\/wp\/wp-content\/plugins\/really-simple-captcha\/2","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/plain","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":47402},"app_proto":"http","fileinfo":{"filename":"\/wp\/wp-content\/plugins\/really-simple-captcha\/2","gaps":false,"state":"CLOSED","stored":false,"size":47402,"tx_id":0}}
{"timestamp":"2019-01-22T16:58:11.037464+0000","flow_id":1352022613917178,"pcap_cnt":770,"event_type":"alert","src_ip":"82.165.41.17","src_port":80,"dest_ip":"10.1.22.101","dest_port":49180,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2824549,"rev":2,"signature":"ETPRO CURRENT_EVENTS Hancitor encrypted payload Jan 17 (1)","category":"A Network Trojan

This file has been truncated.


keyword_perf.log - (16427 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 1/24/2019 -- 12:04:14
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             22082937        4709            4709            7590006         4689.00         4689.00         0.00           
  content          56307347        6548            3471            431695          8599.00         8541.00         8664.00        
  pcre             11603797        3539            291             78684           3278.00         4970.00         3127.00        
  byte_test        758386          216             77              54577           3511.00         3285.00         3635.00        
  byte_jump        3628            1               0               3628            3628.00         0.00            3628.00        
  isdataat         28144           10              0               3000            2814.00         0.00            2814.00        
  flowbits         2014143         704             70              25608           2860.00         3091.00         2835.00        
  urilen           2063173         646             125             33899           3193.00         3510.00         3117.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             22082937        4709            4709            7590006         4689.00         4689.00         0.00           
  flowbits         1959708         692             58              25608           2831.00         2792.00         2835.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          4913634         666             301             408505          7377.00         9005.00         6035.00        
  pcre             146622          23              1               28183           6374.00         4699.00         6451.00        
  byte_test        758386          216             77              54577           3511.00         3285.00         3635.00        
  byte_jump        3628            1               0               3628            3628.00         0.00            3628.00        
  isdataat         25547           9               0               3000            2838.00         0.00            2838.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         54435           12              12              8080            4536.00         4536.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          2545408         734             502             22586           3467.00         3483.00         3434.00        
  pcre             1652885         358             135             78684           4616.00         4586.00         4635.00        
  isdataat         2597            1               0               2597            2597.00         0.00            2597.00        
  urilen           2063173         646             125             33899           3193.00         3510.00         3117.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1043754         302             85              17196           3456.00         3307.00         3514.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          79462           27              0               3650            2943.00         0.00            2943.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          36807450        1809            437             431695          20346.00        39009.00        14402.00       
  pcre             8343839         2852            0               48943           2925.00         0.00            2925.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          7885470         2101            1505            69323           3753.00         3824.00         3573.00        
  pcre             1100461         227             95              22257           4847.00         5558.00         4336.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          769623          222             135             21974           3466.00         3332.00         3674.00        
  pcre             50529           6               4               23141           8421.00         10257.00        4750.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_accept
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          7183            2               2               3599            3591.00         3591.00         0.00           
  pcre             56136           17              0               4016            3302.00         0.00            3302.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_accept_enc
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6119            2               2               3209            3059.00         3059.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          206284          65              63              5165            3173.00         3150.00         3906.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_protocol
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          15995           4               4               4411            3998.00         3998.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_start
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6586            2               2               3306            3293.00         3293.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1139356         349             307             27669           3264.00         3191.00         3800.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          712764          207             116             19515           3443.00         3492.00         3380.00        
  pcre             253325          56              56              17058           4523.00         4523.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3378            1               1               3378            3378.00         3378.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          160835          54              8               3918            2978.00         3358.00         2912.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: dns_query
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          4046            1               1               4046            4046.0

This file has been truncated. Go here to download in full.


suricata-4.0.0-etpro-all-perf.txt-2019-01-24-T-12-04-14-01242019.1203-2019-01-22-Hancitor-infection-with-Ursnif.pcap.txt - (69462 bytes) - download
  --------------------------------------------------------------------------
  Date: 1/24/2019 -- 12:04:14. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2022547      1        1        9892276      3.98   95       0        9620612     104129.22   0.00        104129.22  
  2        2019345      1        2        8469738      3.40   65       0        7604800     130303.66   0.00        130303.66  
  3        2819664      1        2        15472732     6.22   51       0        6445237     303386.90   0.00        303386.90  
  4        2816924      1        4        7270083      2.92   28       0        6444764     259645.82   0.00        259645.82  
  5        2811745      1        4        20741118     8.34   59       0        669981      351544.37   0.00        351544.37  
  6        2809306      1        4        9213484      3.70   48       0        580120      191947.58   0.00        191947.58  
  7        2819930      1        2        9013215      3.62   51       0        505435      176729.71   0.00        176729.71  
  8        2801929      1        7        927614       0.37   11       0        434339      84328.55    0.00        84328.55   
  9        2810481      1        4        1859525      0.75   67       0        400788      27754.10    0.00        27754.10   
  10       2820157      1        2        6254552      2.51   39       0        374067      160373.13   0.00        160373.13  
  11       2820158      1        2        6047457      2.43   39       0        371846      155063.00   0.00        155063.00  
  12       2020865      1        3        4475168      1.80   33       0        308721      135611.15   0.00        135611.15  
  13       2819940      1        3        5095480      2.05   30       0        282630      169849.33   0.00        169849.33  
  14       2816510      1        3        5190413      2.09   30       0        249357      173013.77   0.00        173013.77  
  15       2815263      1        3        1523633      0.61   10       0        185909      152363.30   0.00        152363.30  
  16       2802035      1        4        888375       0.36   8        0        164232      111046.88   0.00        111046.88  
  17       2018342      1        2        4108475      1.65   32       0        164011      128389.84   0.00        128389.84  
  18       2802987      1        5        1531759      0.62   31       0        163407      49411.58    0.00        49411.58   
  19       2012520      1        7        163109       0.07   1        1        163109      163109.00   163109.00   0.00       
  20       2819993      1        2        900713       0.36   17       0        157759      52983.12    0.00        52983.12   
  21       2803027      1        6        1039241      0.42   19       1        154544      54696.89    115599.00   51313.44   
  22       2824549      1        2        198350       0.08   3        3        138706      66116.67    66116.67    0.00       
  23       2802067      1        6        196732       0.08   2        0        135215      98366.00    0.00        98366.00   
  24       2804906      1        3        331806       0.13   8        0        133962      41475.75    0.00        41475.75   
  25       2024769      1        2        1975027      0.79   19       0        129129      103948.79   0.00        103948.79  
  26       2809363      1        3        849071       0.34   19       0        127914      44687.95    0.00        44687.95   
  27       2021418      1        9        873868       0.35   19       0        117031      45993.05    0.00        45993.05   
  28       2804911      1        3        189418       0.08   9        0        116370      21046.44    0.00        21046.44   
  29       2801930      1        7        520110       0.21   11       0        115820      47282.73    0.00        47282.73   
  30       2020855      1        3        1283808      0.52   26       0        115516      49377.23    0.00        49377.23   
  31       2021774      1        2        728855       0.29   8        0        108045      91106.88    0.00        91106.88   
  32       2819939      1        2        204361       0.08   2        0        105873      102180.50   0.00        102180.50  
  33       2804907      1        3        489954       0.20   15       0        105183      32663.60    0.00        32663.60   
  34       2022303      1        3        721836       0.29   8        0        100874      90229.50    0.00        90229.50   
  35       2816940      1        2        1613290      0.65   28       0        94976       57617.50    0.00        57617.50   
  36       2013250      1        3        94316        0.04   1        0        94316       94316.00    0.00        94316.00   
  37       2816910      1        2        1521208      0.61   28       0        91144       54328.86    0.00        54328.86   
  38       2816509      1        2        178427       0.07   2        0        90726       89213.50    0.00        89213.50   
  39       2804927      1        2        114605       0.05   10       0        89560       11460.50    0.00        11460.50   
  40       2823488      1        2        450004       0.18   18       0        88145       25000.22    0.00        25000.22   
  41       2022054      1        3        157106       0.06   2        0        88079       78553.00    0.00        78553.00   
  42       2819978      1        5        1015012      0.41   17       17       83654       59706.59    59706.59    0.00       
  43       2816922      1        5        852785       0.34   28       0        82460       30456.61    0.00        30456.61   
  44       2022502      1        4        1303230      0.52   27       0        81610       48267.78    0.00        48267.78   
  45       2024606      1        2        490700       0.20   19       0        79800       25826.32    0.00        25826.32   
  46       2815254      1        7        226504       0.09   4        0        79632       56626.00    0.00        56626.00   
  47       2022609      1        2        716639       0.29   23       0        78419       31158.22    0.00        31158.22   
  48       2829397      1        2        383799       0.15   6        0        77385       63966.50    0.00        63966.50   
  49       2816928      1        3        866812       0.35   28       0        77214       30957.57    0.00        30957.57   
  50       2017948      1        2        662809       0.27   21       0        76608       31562.33    0.00        31562.33   
  51       2816909      1        2        1537200      0.62   28       0        75006       54900.00    0.00        54900.00   
  52       2816929      1        4        1092949      0.44   28       0        74199       39033.89    0.00        39033.89   
  53       2014380      1        4        768946       0.31   38       0        72139       20235.42    0.00        20235.42   
  54       2821839      1        2        186236       0.07   3        0        70463       62078.67    0.00        62078.67   
  55       2024771      1        1        3103737      1.25   551      0        68856       5632.92     0.00        5632.92    
  56       2811277      1        7        396254       0.16   18       0        66980       22014.11    0.00        22014.11   
  57       2019230      1        2        202876       0.08   10       0        66665       20287.60    0.00        20287.60   
  58       2016858      1        10       115890       0.05   2        0        66632       57945.00    0.00        57945.00   
  59       2814883      1        3        691249       0.28   17       0        66045       40661.71    0.00        40661.71   
  60       2815483      1        6        64871        0.03   1        0        64871       64871.00    0.00        64871.00   
  61       2024141      1        2        96364        0.04   2        0        63844       48182.00    0.00        48182.00   
  62       2017748      1        6        574807       0.23   67       0        63768       8579.21     0.00        8579.21    
  63       2820983      1        5        792135       0.32   17       0        63353       46596.18    0.00        46596.18   
  64       2014411      1        11       123821       0.05   2        2        63188       61910.50    61910.50    0.00       
  65       2821561      1        2        605156       0.24   21       0        62732       28816.95    0.00        28816.95   
  66       2810991      1        4        786117       0.32   17       0        62484       46242.18    0.00        46242.18   
  67       2017259      1        12       807613       0.32   17       0        61890       47506.65    0.00        47506.65   
  68       2018575      1        3        433394       0.17   20       0        61610       21669.70    0.00        21669.70   
  69       2025064      1        5        1086712      0.44   28       0        61044       38811.14    0.00        38811.14   
  70       2807793      1        4        556719       0.22   19       0        60926       29301.00    0.00        29301.00   
  71       2022220      1        2        91073        0.04   2        0        60535       45536.50    0.00        45536.50   
  72       2830425      1        1        198890       0.08   4        0        59878       49722.50    0.00        49722.50   
  73       2016537      1        2        5676541      2.28   389      0        59353       14592.65    0.00        14592.65   
  74       2816356      1        2        938236       0.38   24       0        59316       39093.17    0.00        39093.17   
  75       2019343      1        3        755033       0.30   26       0        59263       29039.73    0.00        29039.73   
  76       2017261      1        3        777111       0.31   19       0        58850       40900.58    0.00        40900.58   
  77       2816525      1        10       950418       0.38   28       0        57667       33943.50    0.00        33943.50   
  78       2022901      1        2        796589       0.32   19       0        56900       41925.74    0.00        41925.74   
  79       2014519      1        7        1018500      0.41   49       0        56452       20785.71    0.00        20785.71   
  80       2807970      1        8        777134       0.31   19       0        56425       40901.79    0.00        40901.79   
  81       2802177      1        3        56201        0.02   1        0        56201       56201.00    0.00        56201.00   
  82       2816055      1        2        461390       0.19   17       0        55954       27140.59    0.00        27140.59   
  83       2815886      1        2        547392       0.22   21       0        55122       26066.29    0.00        26066.29   
  84       2815751      1        2        390512       0.16   18       0        55046       21695.11    0.00        21695.11   
  85       2829398      1        2        286393       0.12   6        0        54488       47732.17    0.00        47732.17   
  86       2824971      1        3        98119        0.04   2        0        54433       49059.50    0.00        49059.50   
  87       2804158      1        3        54405        0.02   1        0        54405       54405.00    0.00        54405.00   
  88       2810607      1        8        162906       0.07   4        0        54195       40726.50    0.00        40726.50   
  89       2820851      1        5        1003154      0.40   28       0        54015       35826.93    0.00        35826.93   
  90       2804157      1        4        53645        0.02   1        0        53645       53645.00    0.00        53645.00   
  91       2802043      1        3        53643        0.02   1        0        53643       53643.00    0.00        53643.00   
  92       2021075      1        2        52835        0.02   1        1        52835       52835.00    52835.00    0.00       
  93       2021413      1        2        677408       0.27   19       0        52576       35653.05    0.00        35653.05   
  94       2821471      1        2        751418       0.30   19       0        52499       39548.32    0.00        39548.32   
  95       2828008      1        2        622693       0.25   28       0        52488       22239.04    0.00        22239.04   
  96       2021308      1        2        489492       0.20   17       0        52305       28793.65    0.00        28793.65   
  97       2816927      1        3        851038       0.34   28       0        51959       30394.21    0.00        30394.21   
  98       2816925      1        3        779471       0.31   28       0        51773       27838.25    0.00        27838.25   
  99       2829848      1        2        655234       0.26   23       0        51571       28488.43    0.00        28488.43   
  100      2020181      1        8        658219       0.26   19       0        51220       34643.11    0.00        34643.11   
  101      2815568      1        2        587148       0.24   19       0        51195       30902.53    0.00        30902.53   
  102      2815817      1        5        830681       0.33   28       0        50160       29667.18    0.00        29667.18   
  103      2018496      1        9        89490        0.04   2        0        49694       44745.00    0.00        44745.00   
  104      2816165      1        5        600464       0.24   28       0        48991       21445.14    0.00        21445.14   
  105      2023315      1        2        95754        0.04   2        0        48565       47877.00    0.00        47877.00   
  106      2024133      1        2        82000        0.03   2        0        47776       41000.00    0.00        41000.00   
  107      2811041      1        3        217101       0.09   10       0        47524       21710.10    0.00        21710.10   
  108      2806132      1        3        509638       0.20   17       0        47344       29978.71    0.00        29978.71   
  109      2816895      1        2        47237        0.02   1        0        47237       47237.00    0.00        47237.00   
  110      2806802      1        2        2602029      1.05   129      0        47224       20170.77    0.00        20170.77   
  111      2815750      1        2        81572        0.03   2        0        47213       40786.00    0.00        40786.00   
  112      2812433      1        2        649103       0.26   19       0        47027       34163.32    0.00        34163.32   
  113      2816327      1        4        980477       0.39   28       0        46484       35017.04    0.00        35017.04   
  114      2017552      1        6        6039794      2.43   417      0        46211       14483.92    0.00        14483.92   
  115      2018055      1        3        1028192      0.41   184      0        46182       5588.00     0.00        5588.00    
  116      2819694      1        2        249158       0.10   49       0        45359       5084.86     0.00        5084.86    
  117      2011894      1        19       73704        0.03   2        0        44926       36852.00    0.00        36852.00   
  118      2816899      1        2        396285       0.16   19       0        44887       20857.11    0.00        20857.11   
  119      2816526      1        13       755008       0.30   28       0        44785       26964.57    0.00        26964.57   
  120      2822979      1        3        128623       0.05   3        0        44672       42874.33    0.00        42874.33   
  121      2802044      1        4        44564        0.02   1        0        44564       44564.00    0.00        44564.00   
  122      2012707      1        5        597306       0.24   27       0        44443       22122.44    0.00        22122.44   
  123      2024142      1        2        78107        0.03   2        0        44402       39053.50    0.00        39053.50   
  124      2819931      1        2        86187        0.03   2        0        44262       43093.50    0.00        43093.50   
  125      2811399      1        2        1

This file has been truncated.


IDSDeathBlossom.py.log - (1181 bytes)
2019-01-24 12:03:52,818 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-01-24 12:03:53,545 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-01-24 12:03:53,545 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-01-24 12:03:53,546 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-01-24 12:03:53,546 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-01-24 12:03:53,546 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/60bddb9dc2a16bb7f83b45fb323aad9356b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01242019.1203-2019-01-22-Hancitor-infection-with-Ursnif.pcap -vvv -k none
2019-01-24 12:04:14,261 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-01-24 12:04:14,261 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 21.4621510506


suricata-4.0.0-etpro-all-alert-2019-01-24-T-12-04-14-01242019.1203-2019-01-22-Hancitor-infection-with-Ursnif.pcap.txt - (6179 bytes)
01/22/2019-16:54:48.523324  [**] [1:2019837:3] ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 47.74.24.76:80 -> 10.1.22.101:49159
01/22/2019-16:55:06.097316  [**] [1:2803027:6] ETPRO WEB_CLIENT Microsoft Excel Malformed Selection (type 0x1D) BIFF record [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 47.74.24.76:80 -> 10.1.22.101:49159
01/22/2019-16:55:24.918746  [**] [1:2810419:1] ETPRO CURRENT_EVENTS Inbound cmd.exe Base64 Encoded (ASCII) 1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 47.74.24.76:80 -> 10.1.22.101:49159
01/22/2019-16:55:25.091255  [**] [1:2810419:1] ETPRO CURRENT_EVENTS Inbound cmd.exe Base64 Encoded (ASCII) 1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 47.74.24.76:80 -> 10.1.22.101:49159
01/22/2019-16:58:00.250253  [**] [1:2021997:3] ET POLICY External IP Lookup api.ipify.org [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.1.22.101:49176 -> 23.21.121.219:80
01/22/2019-16:58:01.379905  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.22.101:49177 -> 81.171.7.39:80
01/22/2019-16:58:02.516441  [**] [1:2824549:2] ETPRO CURRENT_EVENTS Hancitor encrypted payload Jan 17 (1) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 82.165.41.17:80 -> 10.1.22.101:49178
01/22/2019-16:58:09.021111  [**] [1:2014411:11] ET TROJAN Fareit/Pony Downloader Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.22.101:49179 -> 81.171.7.39:80
01/22/2019-16:58:10.801052  [**] [1:2824549:2] ETPRO CURRENT_EVENTS Hancitor encrypted payload Jan 17 (1) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 82.165.41.17:80 -> 10.1.22.101:49180
01/22/2019-16:58:11.037464  [**] [1:2824549:2] ETPRO CURRENT_EVENTS Hancitor encrypted payload Jan 17 (1) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 82.165.41.17:80 -> 10.1.22.101:49180
01/22/2019-16:58:11.148532  [**] [1:2014411:11] ET TROJAN Fareit/Pony Downloader Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.22.101:49181 -> 81.171.7.39:80
01/22/2019-16:58:47.058578  [**] [1:2017645:3] ET CURRENT_EVENTS DNS Query Domain .bit [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.1.22.101:54736 -> 192.71.245.208:53
01/22/2019-16:59:08.186366  [**] [1:2016803:4] ET TROJAN Known Sinkhole Response Header [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.42.119.41:80 -> 10.1.22.101:49190
01/22/2019-17:00:12.293969  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.22.101:49197 -> 81.171.7.39:80
01/22/2019-17:02:13.154542  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.22.101:49198 -> 81.171.7.39:80
01/22/2019-17:04:13.992930  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.22.101:49199 -> 81.171.7.39:80
01/22/2019-17:06:14.541569  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.22.101:49200 -> 81.171.7.39:80
01/22/2019-17:08:15.174645  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.22.101:49201 -> 81.171.7.39:80
01/22/2019-17:10:15.794300  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.22.101:49202 -> 81.171.7.39:80
01/22/2019-17:12:16.351490  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.22.101:49203 -> 81.171.7.39:80
01/22/2019-17:14:16.911550  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.22.101:49204 -> 81.171.7.39:80
01/22/2019-17:16:17.501027  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.22.101:49205 -> 81.171.7.39:80
01/22/2019-17:18:18.219939  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.22.101:49206 -> 81.171.7.39:80
01/22/2019-17:20:18.770279  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.22.101:49207 -> 81.171.7.39:80
01/22/2019-17:22:19.333185  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.22.101:49208 -> 81.171.7.39:80
01/22/2019-17:24:20.119812  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.22.101:49209 -> 81.171.7.39:80
01/22/2019-17:26:20.752448  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.22.101:49210 -> 81.171.7.39:80
01/22/2019-17:28:21.499540  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.22.101:49211 -> 81.171.7.39:80
01/22/2019-17:30:22.059056  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.22.101:49212 -> 81.171.7.39:80
01/22/2019-17:31:37.062174  [**] [1:2016803:4] ET TROJAN Known Sinkhole Response Header [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.42.119.41:80 -> 10.1.22.101:49190