
Tbot Torbot Tor Malware Bitcoin Mining Trojan Botnet Traffic Sample PCAP Download

Download Tbot pcap sample: tbot.pcap

What the excerpt below shows (tcpdump -A style output from the sample):

- 172.16.253.131 is the infected host. It first resolves checkip.dyndns.org and fetches its public address (74.217.91.121).
- It then opens TLS sessions to 208.83.223.34:80, 91.237.88.61:9001, 173.246.82.97:9001, 188.40.137.161:9001, 77.247.181.162:443 and 37.130.227.134:443. Every SNI value and certificate name has the form www.<random lowercase base32>.com or .net, which is the naming pattern Tor generates for its link handshake; 9001 is Tor's default ORPort.
- Later it speaks HTTP JSON-RPC getwork to a mining pool at 188.173.32.149:91 with User-Agent cgminer 2.7.5 and Basic credentials that decode to user4:UB97ad2.
- The packet timestamps say 2012-10-07, but the pool's Date header and the certificates' notBefore values both say 2012-12-24. The capturing host's clock was wrong, so use the server-side dates when correlating this traffic with anything else.

2012-10-07 08:37:05.859475 IP 172.16.253.131.53 > 8.8.8.8.53: 21033+ A? checkip.dyndns.org. (36)
2012-10-07 08:37:05.859578 IP 172.16.253.131.53 > 4.2.2.2.53: 21033+ A? checkip.dyndns.org. (36)
2012-10-07 08:37:05.875096 IP 8.8.8.8.53 > 172.16.253.131.53: 21033 4/0/0 CNAME checkip.dyndns.com., A 216.146.39.70, A 91.198.22.70, A 216.146.38.70 (116)
2012-10-07 08:37:05.908375 IP 172.16.253.131.1172 > 216.146.39.70.80: Flags [S], seq 3201786150, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2012-10-07 08:37:05.991942 IP 216.146.39.70.80 > 172.16.253.131.1172: Flags [S.], seq 535521308, ack 3201786151, win 64240, options [mss 1460], length 0
2012-10-07 08:37:05.992001 IP 172.16.253.131.1172 > 216.146.39.70.80: Flags [.], ack 1, win 64240, length 0
2012-10-07 08:37:05.992015 IP 172.16.253.131.1172 > 216.146.39.70.80: Flags [P.], seq 1:70, ack 1, win 64240, length 69: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
Host: checkip.dyndns.org
Cache-Control: no-cache

2012-10-07 08:37:05.992351 IP 216.146.39.70.80 > 172.16.253.131.1172: Flags [.], ack 70, win 64240, length 0
2012-10-07 08:37:06.075207 IP 216.146.39.70.80 > 172.16.253.131.1172: Flags [FP.], seq 1:261, ack 70, win 64240, length 260: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 105

<html><head><title>Current IP Check</title></head><body>Current IP Address: 74.217.91.121</body></html>

2012-10-07 08:37:06.075295 IP 172.16.253.131.1172 > 216.146.39.70.80: Flags [.], ack 262, win 63980, length 0
2012-10-07 08:37:06.075569 IP 172.16.253.131.1172 > 216.146.39.70.80: Flags [F.], seq 70, ack 262, win 63980, length 0
2012-10-07 08:37:06.075818 IP 216.146.39.70.80 > 172.16.253.131.1172: Flags [.], ack 71, win 64239, length 0
2012-10-07 08:37:06.553991 IP 172.16.253.131.1179 > 208.83.223.34.80: Flags [S], seq 2347746009, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2012-10-07 08:37:06.637365 IP 208.83.223.34.80 > 172.16.253.131.1179: Flags [S.], seq 3263878575, ack 2347746010, win 64240, options [mss 1460], length 0
2012-10-07 08:37:06.637390 IP 172.16.253.131.1179 > 208.83.223.34.80: Flags [.], ack 1, win 64240, length 0
2012-10-07 08:37:06.652397 IP 172.16.253.131.1179 > 208.83.223.34.80: Flags [P.], seq 1:216, ack 1, win 64240, length 215: HTTP
[payload: TLS ClientHello with SNI www.cj3vb6e45w2jryxzdnag5y.com. tcpdump tags the stream HTTP only because of port 80. The run that printed as ".9.8.....5... .....3.2.........../" is the cipher-suite list: 0x0039, 0x0038, 0x0035, 0x0033, 0x0032 and 0x002f happen to be the printable bytes '9', '8', '5', '3', '2' and '/']
2012-10-07 08:37:06.652677 IP 208.83.223.34.80 > 172.16.253.131.1179: Flags [.], ack 216, win 64240, length 0
2012-10-07 08:37:06.739869 IP 208.83.223.34.80 > 172.16.253.131.1179: Flags [P.], seq 1:926, ack 216, win 64240, length 925: HTTP
[payload: TLS ServerHello and Certificate. The X.509 certificate has issuer CN www.c53yf7zxed2.com, subject CN www.rsf4phfox37l7.net and validity 121224015328Z to 131224015328Z (2012-12-24 to 2013-12-24); the PKCS #1 OID prefix 1.2.840.113549.1.1 (bytes 2a 86 48 86 f7 0d 01 01) is what shows up as "*.H....." in the dump]
2012-10-07 08:37:06.744867 IP 172.16.253.131.1179 > 208.83.223.34.80: Flags [P.], seq 216:414, ack 926, win 63315, length 198: HTTP
[payload: binary; next client handshake flight]
2012-10-07 08:37:06.745139 IP 208.83.223.34.80 > 172.16.253.131.1179: Flags [.], ack 414, win 64240, length 0
2012-10-07 08:37:06.831506 IP 208.83.223.34.80 > 172.16.253.131.1179: Flags [P.], seq 926:1192, ack 414, win 64240, length 266: HTTP
[payload: binary TLS records]
2012-10-07 08:37:06.831745 IP 172.16.253.131.1179 > 208.83.223.34.80: Flags [P.], seq 414:627, ack 1192, win 63049, length 213: HTTP
[payload: binary TLS records]
2012-10-07 08:37:06.831869 IP 208.83.223.34.80 > 172.16.253.131.1179: Flags [.], ack 627, win 64240, length 0
2012-10-07 08:37:09.719853 IP 172.16.253.131.3690 > 91.237.88.61.9001: Flags [P.], seq 1:210, ack 1, win 64240, length 209
[payload: TLS ClientHello with SNI www.z6hpqbs7mjma6knn.com and the same cipher-suite list as above, sent to Tor's default ORPort 9001]
2012-10-07 08:37:09.719903 IP 173.246.82.97.9001 > 172.16.253.131.3693: Flags [.], ack 412, win 64240, length 0
2012-10-07 08:37:09.720114 IP 91.237.88.61.9001 > 172.16.253.131.3690: Flags [.], ack 210, win 64240, length 0
2012-10-07 08:37:09.725074 IP 172.16.253.131.3677 > 188.40.137.161.9001: Flags [P.], seq 200:398, ack 937, win 63304, length 198
[payload: binary; next client handshake flight]
2012-10-07 08:37:09.725116 IP 77.247.181.162.443 > 172.16.253.131.3676: Flags [P.], seq 1:934, ack 204, win 64240, length 933
[payload: TLS ServerHello and Certificate; issuer CN www.tfquetcktcxg6z.com, subject CN www.dkcmcgqvr47add3tb.net, validity 121224012943Z to 131224012943Z]
2012-10-07 08:37:09.725437 IP 188.40.137.161.9001 > 172.16.253.131.3677: Flags [.], ack 398, win 64240, length 0
2012-10-07 08:37:09.730151 IP 37.130.227.134.443 > 172.16.253.131.3692: Flags [S.], seq 381746027, ack 3104827029, win 64240, options [mss 1460], length 0
2012-10-07 08:37:09.730181 IP 172.16.253.131.3692 > 37.130.227.134.443: Flags [.], ack 1, win 64240, length 0
2012-10-07 08:37:09.730662 IP 172.16.253.131.3676 > 77.247.181.162.443: Flags [P.], seq 204:402, ack 934, win 63307, length 198
[payload: binary; next client handshake flight]
2012-10-07 08:37:09.730830 IP 77.247.181.162.443 > 172.16.253.131.3676: Flags [.], ack 402, win 64240, length 0
2012-10-07 08:37:09.731167 IP 172.16.253.131.3692 > 37.130.227.134.443: Flags [P.], seq 1:206, ack 1, win 64240, length 205
[payload: TLS ClientHello with SNI www.if72kuoxwhh5.com and the same cipher-suite list as above]
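The behaviours in the capture so far (the checkip.dyndns.org beacon and TLS names of the form www.<random base32>.com/.net) plus the getwork session shown further down can be picked out of the text form of such a capture with a few checks. The following is an added example, not code from the original post: the sample lines are constructed from the packets on this page, the hostname length bounds and the entropy cut-off are assumptions made for this heuristic, and the Basic-auth decoding is ordinary base64.

```python
"""Indicator scan over tcpdump -A style text (added example; constructed input)."""
import base64
import math
import re
from collections import Counter

# Tor builds the SNI and link-certificate names as www.<random base32>.com
# (issuer) / .net (subject). The 8..32 bounds and the 3.3-bit entropy cut-off
# are assumptions for this heuristic, not values taken from Tor's source.
TOR_NAME_RE = re.compile(r"(?<![a-z0-9-])www\.([a-z2-7]{8,32})\.(com|net)")
MINING_RPC_RE = re.compile(r'"method"\s*:\s*"(getwork|getblocktemplate|mining\.[a-z_]+)"')
X_MINING_RE = re.compile(r"^X-Mining-[A-Za-z-]+:", re.M)
IP_CHECK_RE = re.compile(r"^Host:\s*(checkip\.dyndns\.(org|com))\s*$", re.M)
USER_AGENT_RE = re.compile(r"^User-Agent:\s*(.+?)\s*$", re.M)
BASIC_AUTH_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.M)

# Constructed from the packets on this page, with one benign host added so the
# Tor-name heuristic can be seen rejecting an ordinary www.<word>.com name.
SAMPLE_DUMP = """\
GET / HTTP/1.1
Host: checkip.dyndns.org
Cache-Control: no-cache
.....k...#.!...www.cj3vb6e45w2jryxzdnag5y.com.........
0.1.0...U....www.c53yf7zxed2.com0...121224015328Z..131224015328Z0 1.0...U....www.rsf4phfox37l7.net0..0..
GET /en-us/ HTTP/1.1
Host: www.microsoft.com
POST / HTTP/1.1
Authorization: Basic dXNlcjQ6VUI5N2FkMg==
Host: 188.173.32.149:91
X-Mining-Extensions: longpoll midstate rollntime submitold
User-Agent: cgminer 2.7.5

{"method": "getwork", "params": [], "id":0}
"""


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_tor_style_name(host: str) -> bool:
    """True for www.<random base32>.com/.net. A real word such as 'microsoft'
    has no base32 digit and low entropy, so it is not flagged."""
    m = TOR_NAME_RE.fullmatch(host)
    if not m:
        return False
    label = m.group(1)
    return any(ch in "234567" for ch in label) or shannon_entropy(label) > 3.3


def decode_basic_auth(token: str) -> str:
    return base64.b64decode(token).decode("utf-8", "replace")


def scan(dump: str) -> list:
    """Return (indicator, detail) tuples in the order they are found."""
    findings = []
    m = IP_CHECK_RE.search(dump)
    if m:
        findings.append(("external-ip-check", m.group(1)))
    seen = set()
    for m in TOR_NAME_RE.finditer(dump):
        name = m.group(0)
        if name not in seen and is_tor_style_name(name):
            seen.add(name)
            findings.append(("tor-style-tls-name", name))
    if MINING_RPC_RE.search(dump) or X_MINING_RE.search(dump):
        ua = USER_AGENT_RE.search(dump)
        auth = BASIC_AUTH_RE.search(dump)
        detail = ua.group(1) if ua else "unknown client"
        if auth:
            detail += " creds=" + decode_basic_auth(auth.group(1))
        findings.append(("bitcoin-mining-rpc", detail))
    return findings


if __name__ == "__main__":
    for indicator, detail in scan(SAMPLE_DUMP):
        print(f"{indicator:22s} {detail}")
```

The Tor-name check is deliberately applied to raw tcpdump -A text rather than to parsed TLS, because the names sit in plain ASCII inside the ClientHello and Certificate even when nothing else in the record is readable; on a full pcap you would feed it the output of tcpdump -A and, for confirmation, check that the matching flows go to the Tor relay ports seen above.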

…skipping…

2012-10-07 08:44:35.182851 IP 172.16.253.131.3755 > 188.173.32.149.91: Flags [P.], seq 1:295, ack 1, win 64240, length 294
POST / HTTP/1.1
Authorization: Basic dXNlcjQ6VUI5N2FkMg==
Host: 188.173.32.149:91
Accept: */*
Accept-Encoding: identity
Content-type: application/json
X-Mining-Extensions: longpoll midstate rollntime submitold
X-Mining-Hashrate: 1000000
Content-Length: 45
User-Agent: cgminer 2.7.5

[the Basic token decodes to user4:UB97ad2, the pool worker credentials; the JSON body follows in its own segment]
2012-10-07 08:44:35.183001 IP 172.16.253.131.3755 > 188.173.32.149.91: Flags [P.], seq 295:340, ack 1, win 64240, length 45
{"method": "getwork", "params": [], "id":0}

2012-10-07 08:44:35.183055 IP 188.173.32.149.91 > 172.16.253.131.3755: Flags [.], ack 295, win 64240, length 0
2012-10-07 08:44:35.183188 IP 188.173.32.149.91 > 172.16.253.131.3755: Flags [.], ack 340, win 64240, length 0
2012-10-07 08:44:35.563678 IP 188.173.32.149.91 > 172.16.253.131.3755: Flags [FP.], seq 1:804, ack 340, win 64240, length 803
HTTP/1.1 200 OK
X-Roll-Ntime: 1
Content-Type: application/json-rpc
Connection: close
Transfer-Encoding: chunked
Date: Mon, 24 Dec 2012 02:51:23 GMT
Set-Cookie: WEBSERVERID=webserver1; path=/

24f
{"error":null,"result":{"hash1":"00000000000000000000000000000000000000000000000000000000000000000000008000000000000000000000000000000000000000000000000000010000","data":"0000000261e4c171ee899c1392010da54443c8c64e6506cbe27844f100000098000000004d0fbdad77b8f7ac435efb4344b7865214c172234fbe5105f2f95190ab05efda50d7c3261a04fa6200000000000000800000000000000000000000000000000000000000000000000000000000000000000000000000000080020000","target":"0000000000000000000000000000000000000000000000000000ffff00000000","midstate":"f0a53335fdd71bedba2fa2becf6bdf0d7a8b1e129c69b601a9bfc3116f4a8bde"},"id":0}
0
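Everything the miner needs is in that one response, and decoding it tells you more about the capture than the packet timestamps do. The block below is an added example, not code from the original post: it takes the data, target and midstate strings from the pool response above, undoes getwork's per-word byte swap to recover the 80-byte block header, reads out the header fields, and recomputes the midstate (the SHA-256 state after the header's first 64 bytes) with a small SHA-256 compression function so it can be compared with what the pool sent. The field layout and byte order are those of the getwork protocol; whether the recomputed midstate agrees with the pool's is what the check reports, not something assumed here.

```python
"""Decode a getwork response (added example; strings copied from the capture)."""
import hashlib
import struct
from datetime import datetime, timezone

# Copied from the pool response in the capture above.
DATA = "0000000261e4c171ee899c1392010da54443c8c64e6506cbe27844f100000098000000004d0fbdad77b8f7ac435efb4344b7865214c172234fbe5105f2f95190ab05efda50d7c3261a04fa6200000000000000800000000000000000000000000000000000000000000000000000000000000000000000000000000080020000"
TARGET = "0000000000000000000000000000000000000000000000000000ffff00000000"
MIDSTATE = "f0a53335fdd71bedba2fa2becf6bdf0d7a8b1e129c69b601a9bfc3116f4a8bde"

# SHA-256 initial state and round constants (FIPS 180-4).
IV = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
      0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]
K = [0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
     0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
     0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
     0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
     0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
     0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
     0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
     0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2]
MASK = 0xFFFFFFFF


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def sha256_compress(state, block):
    """One SHA-256 compression of a 64-byte block; returns the 8 new state words."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h))]


def header_from_getwork(data_hex):
    """getwork 'data' is the 80-byte header (plus SHA-256 padding) with every
    32-bit word byte-swapped; undo the swap to get the bytes that are hashed."""
    swapped = bytes.fromhex(data_hex[:160])
    return b"".join(swapped[i:i + 4][::-1] for i in range(0, 80, 4))


def parse_header(raw):
    version, = struct.unpack("<I", raw[:4])
    ntime, nbits, nonce = struct.unpack("<III", raw[68:80])
    return {"version": version,
            "prev_block": raw[4:36][::-1].hex(),    # shown big-endian, as explorers do
            "merkle_root": raw[36:68][::-1].hex(),
            "ntime": ntime, "nbits": nbits, "nonce": nonce}


def nbits_to_target(nbits):
    exp, mant = nbits >> 24, nbits & 0xFFFFFF
    return mant << (8 * (exp - 3)) if exp >= 3 else mant >> (8 * (3 - exp))


def difficulty(target):
    return (0xFFFF << 208) // target      # difficulty-1 target divided by target


def compute_midstate(data_hex):
    """SHA-256 state after the first 64 header bytes, serialised as getwork does
    (each state word little-endian)."""
    state = sha256_compress(IV, header_from_getwork(data_hex)[:64])
    return struct.pack("<8I", *state).hex()


def job_summary(data_hex=DATA, target_hex=TARGET, midstate_hex=MIDSTATE):
    hdr = parse_header(header_from_getwork(data_hex))
    share_target = int.from_bytes(bytes.fromhex(target_hex), "little")
    return {"prev_block": hdr["prev_block"],
            "ntime_utc": datetime.fromtimestamp(hdr["ntime"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "network_difficulty": difficulty(nbits_to_target(hdr["nbits"])),
            "share_difficulty": difficulty(share_target),
            "midstate_matches": compute_midstate(data_hex) == midstate_hex}


def selftest_sha256():
    """Check the compression function against hashlib on a one-block message."""
    block = b"abc" + b"\x80" + b"\x00" * 52 + (24).to_bytes(8, "big")
    return struct.pack(">8I", *sha256_compress(IV, block)) == hashlib.sha256(b"abc").digest()


if __name__ == "__main__":
    assert selftest_sha256()
    for k, v in job_summary().items():
        print(f"{k}: {v}")
```

Two things fall out of the decode that the raw dump does not show: the header's ntime is 2012-12-24 02:51:18 UTC, five seconds before the pool's Date header and two and a half months after the capture timestamps, which settles when this sample was really run; and the target the pool hands out is the difficulty-1 share target while nbits in the header encodes the network difficulty of the time, the usual pool arrangement in which the bot submits cheap shares and the pool keeps any real block.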



This post first appeared on Computer Security.org - CyberSecurity News, Inform; read the original post there.
