
DirtJumper DDoS Malware Botnet Traffic Sample Analysis PCAP

Download raw PCAP file for DIRTJUMPER : dirtjumper

2011-10-03 20:42:49.094710 IP 172.16.165.128.49770 > 172.16.165.2.53: 17008+ A? asdaddddaaaa.com. (34)
E..>……. ………j.5.*..Bp………..asdaddddaaaa.com…..
2011-10-03 20:42:49.109841 IP 172.16.165.2.53 > 172.16.165.128.49770: 17008 1/0/0 A 195.3.145.87 (50)
E..N.6……………5.j.:.
Bp………..asdaddddaaaa.com………………..W
2011-10-03 20:42:49.114307 IP 172.16.165.128.1035 > 195.3.145.87.80: Flags [S], seq 2900643694, win 16384, options [mss 1460,nop,nop,sackOK], length 0
E..0..@…S……..W…P..On….p.@………….
2011-10-03 20:42:49.232779 IP 195.3.145.87.80 > 172.16.165.128.1035: Flags [S.], seq 3750550834, ack 2900643695, win 64240, options [mss 1460], length 0
E..,.7………W…..P…..2..Oo`…9…….
2011-10-03 20:42:49.232916 IP 172.16.165.128.1035 > 195.3.145.87.80: Flags [.], ack 1, win 17520, length 0
E..(..@…S……..W…P..Oo…3P.Dp. ..i…..
2011-10-03 20:42:49.233181 IP 172.16.165.128.1035 > 195.3.145.87.80: Flags [P.], seq 1:245, ack 1, win 17520, length 244: HTTP: POST /678/index.php HTTP/1.0
E…..@…R……..W…P..Oo…3P.Dpa>..POST /678/index.php HTTP/1.0
Host: asdaddddaaaa.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)
Content-Type: application/x-www-form-urlencoded
Content-Length: 17

k=426924814555748
2011-10-03 20:42:49.233225 IP 195.3.145.87.80 > 172.16.165.128.1035: Flags [.], ack 245, win 64240, length 0
E..(.8………W…..P…..3..PcP…P…
2011-10-03 20:42:49.354072 IP 195.3.145.87.80 > 172.16.165.128.1035: Flags [P.], seq 1:846, ack 245, win 64240, length 845: HTTP: HTTP/1.1 200 OK
E..u.9…..^…W…..P…..3..PcP…/…HTTP/1.1 200 OK
Server: nginx
Date: Tue, 04 Oct 2011 01:40:42 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding,User-Agent
Content-Length: 644

02|411|260http://www.tadawulfx.com/public/
http://www.tadawulfx.com/public/trading-accounts/standard-forex-account.html
http://www.tadawulfx.com/public/trading-accounts/premium-forex-account.html
http://www.tadawulfx.com/public/education/gold-and-silver-overview.html
http://www.tadawulfx.com/public/platforms/mt4-mobile.html
http://www.tadawulfx.com/
https://pepperstone.com/
https://pepperstone.com/company-profile/about-us.php
https://pepperstone.com/trading-accounts/accounts-types.php
https://pepperstone.com/forex-news/
http://ukashsepeti.com/ukash.asp
http://ukashsepeti.com/iletisim.html
http://ukashsepeti.com/kurumsal.html

2011-10-03 20:42:49.354485 IP 195.3.145.87.80 > 172.16.165.128.1035: Flags [.], ack 246, win 64239, length 0
E..(.:………W…..P……..PdP…MG..
2011-10-03 20:42:49.366629 IP 172.16.165.128.54851 > 172.16.165.2.53: 64012+ A? ukashsepeti.com. (33)
E..=……………..C.5.).-………….ukashsepeti.com…..
2011-10-03 20:42:49.372987 IP 172.16.165.128.60365 > 172.16.165.2.53: 34684+ A? pepperstone.com. (33)
E..=……………….5.)=..|………..pepperstone.com…..
2011-10-03 20:42:49.382578 IP 172.16.165.2.53 > 172.16.165.128.54851: 64012 1/0/0 A 87.251.2.2 (49)
E..M.;……………5.C.9>r………….ukashsepeti.com……………..W…
2011-10-03 20:42:49.385446 IP 172.16.165.128.1036 > 87.251.2.2.80: Flags [S], seq 2467900220, win 16384, options [mss 1460,nop,nop,sackOK], length 0
E..0. @…N1….W……P..+<….p.@………….
2011-10-03 20:42:49.388837 IP 172.16.165.2.53 > 172.16.165.128.60365: 34684 1/0/0 A 113.20.8.41 (49)
E..M.<……………5…9g>.|………..pepperstone.com……………..q..)
2011-10-03 20:42:49.394732 IP 172.16.165.128.59650 > 172.16.165.2.53: 47838+ A? www.tadawulfx.com. (35)
E..?.
……………..5.+……………www tadawulfx.com…..
2011-10-03 20:42:49.395661 IP 172.16.165.128.1037 > 113.20.8.41.443: Flags [S], seq 215307541, win 16384, options [mss 1460,nop,nop,sackOK], length 0
E..0..@………q..)……U…..p.@………….
2011-10-03 20:42:49.403101 IP 172.16.165.128.1038 > 113.20.8.41.443: Flags [S], seq 1514295825, win 16384, options [mss 1460,nop,nop,sackOK], length 0
E..0..@………q..)….ZBR…[email protected]……….
2011-10-03 20:42:49.411963 IP 172.16.165.2.53 > 172.16.165.128.59650: 47838 1/0/0 A 199.16.81.167 (51)
E..O.=……………5…;.n………….www tadawulfx.com……………….Q.

2011-10-03 20:42:49.505936 IP 172.16.165.128.1039 > 199.16.81.167.80: Flags [P.], seq 1:196, ack 1, win 17520, length 195: HTTP: GET /public/trading-accounts/premium-forex-account.html HTTP/1.0
E…..@………..Q….P..’…5.P.Dp….GET /public/trading-accounts/premium-forex-account.html HTTP/1.0
Host: www.tadawulfx.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 98)

2011-10-03 20:42:49.518546 IP 172.16.165.128.1040 > 199.16.81.167.80: Flags [P.], seq 1:205, ack 1, win 17520, length 204: HTTP: GET /public/trading-accounts/premium-forex-account.html HTTP/1.0
E…..@………..Q….P……..P.DpL…GET /public/trading-accounts/premium-forex-account.html HTTP/1.0
Host: www.tadawulfx.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Opera/9.00 (Wii; U; ; 1038-58; Wii Shop Channel/1.0; en)

2011-10-03 20:42:49.542686 IP 172.16.165.128.1036 > 87.251.2.2.80: Flags [P.], seq 1:188, ack 1, win 17520, length 187: HTTP: GET /iletisim.html HTTP/1.0
E…. @…Mg….W……P..+=..f.P.Dp….GET /iletisim.html HTTP/1.0
Host: ukashsepeti.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.1 (compatible; MSIE 5.0; Symbian OS; Nokia 6600;452) Opera 6.20 [ru]

2011-10-03 20:42:49.611633 IP 172.16.165.128.1042 > 87.251.2.2.80: Flags [P.], seq 1:139, ack 1, win 17520, length 138: HTTP: GET /ukash.asp HTTP/1.0
E….*@…M…..W……PD…….P.Dp$…GET /ukash.asp HTTP/1.0
Host: ukashsepeti.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Opera/9.0 (Windows NT 5.1; U; en)
2011-10-03 20:42:49.611722 IP 87.251.2.2.80 > 172.16.165.128.1042: Flags [.], ack 139, win 64240, length 0
E..(.J……W……..P……D..PP….G..
2011-10-03 20:42:49.612022 IP 172.16.165.128.1042 > 87.251.2.2.80: Flags [F.], seq 139, ack 1, win 17520, length 0
E..(.+@…N…..W……PD..P….P.Dp7…..Y].r
2011-10-03 20:42:49.612106 IP 87.251.2.2.80 > 172.16.165.128.1042: Flags [.], ack 140, win 64239, length 0
E..(.K……W……..P……D..QP….G..
2011-10-03 20:42:49.614916 IP 199.16.81.167.80 > 172.16.165.128.1040: Flags [FP.], seq 1:154, ack 206, win 64239, length 153: HTTP: HTTP/1.1 302 Found
E….L……..Q……P……….P…….HTTP/1.1 302 Found
Connection: close
Pragma: no-cache
cache-control: no-cache
Location: /RVikU/public/trading-accounts/premium-forex-account.html

2011-10-03 20:42:49.629254 IP 172.16.165.128.1049 > 199.16.81.167.80: Flags [P.], seq 1:252, ack 1, win 17520, length 251: HTTP: GET /public/education/gold-and-silver-overview.html HTTP/1.0
E..#.0@….\……Q….P.:8.}…P.Dp….GET /public/education/gold-and-silver-overview.html HTTP/1.0
Host: www.tadawulfx.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; ; Linux armv5tejl; U) Opera 8.02 [en_US] Maemo browser 0.4.31 N770/SU-18

2011-10-03 20:42:49.640441 IP 172.16.165.128.1044 > 87.251.2.2.80: Flags [P.], seq 1:197, ack 1, win 17520, length 196: HTTP: GET /iletisim.html HTTP/1.0
E….3@…MK….W……P;…7A..P.Dp.Q..GET /iletisim.html HTTP/1.0
Host: ukashsepeti.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1

2011-10-03 20:42:50.079782 IP 199.16.81.167.80 > 172.16.165.128.1090: Flags [FP.], seq 1:192, ack 179, win 64239, length 191: HTTP: HTTP/1.1 200 OK
E………….Q……P.B…[.S.eP…….HTTP/1.1 200 OK
Connection: close
Pragma: no-cache
cache-control: no-cache
Content-Type: text/html
Content-Length: 65

<html><head><meta http-equiv="refresh" content="0"></head></html>
2011-10-03 20:42:50.080016 IP 172.16.165.128.1090 > 199.16.81.167.80: Flags [R.], seq 179, ack 192, win 0, length 0
E..(..@………..Q..B.P.S.e….P…….GET /
2011-10-03 20:42:50.087749 IP 199.16.81.167.80 > 172.16.165.128.1102: Flags [S.], seq 3183623031, ack 1521396229, win 64240, options [mss 1460], length 0
E..,……….Q……P.N..;wZ…`…0Q……
2011-10-03 20:42:50.087845 IP 199.16.81.167.80 > 172.16.165.128.1103: Flags [S.], seq 2169768478, ack 3313941192, win 64240, options [mss 1460], length 0
E..,……….Q……P.O.T
…..`…”|……
2011-10-03 20:42:50.088218 IP 172.16.165.128.1102 > 199.16.81.167.80: Flags [.], ack 1, win 17520, length 0
E..(..@………..Q..N.PZ…..;xP.Dp……….
2011-10-03 20:42:50.088373 IP 172.16.165.128.1103 > 199.16.81.167.80: Flags [.], ack 1, win 17520, length 0
E..(..@………..Q..O.P…..T
.P.Dp……….
2011-10-03 20:42:50.088872 IP 172.16.165.128.1102 > 199.16.81.167.80: Flags [P.], seq 1:231, ack 1, win 17520, length 230: HTTP: GET /public/trading-accounts/premium-forex-account.html HTTP/1.0
E…..@………..Q..N.PZ…..;xP.Dp8…GET /public/trading-accounts/premium-forex-account.html HTTP/1.0
Host: www.tadawulfx.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3
2011-10-03 20:42:50.088999 IP 199.16.81.167.80 > 172.16.165.128.1102: Flags [.], ack 231, win 64240, length 0
E..(……….Q……P.N..;xZ…P…G(..
2011-10-03 20:42:50.089367 IP 172.16.165.128.1102 > 199.16.81.167.80: Flags [F.], seq 231, ack 1, win 17520, length 0
E..(..@………..Q..N.PZ…..;xP.Dp……….
2011-10-03 20:42:50.089485 IP 199.16.81.167.80 > 172.16.165.128.1102: Flags [.], ack 232, win 64239, length 0
E..(……….Q……P.N..;xZ…P…G(..
2011-10-03 20:42:50.089976 IP 199.16.81.167.80 > 172.16.165.128.1105: Flags [S.], seq 4137033625, ack 3993111522, win 64240, options [mss 1460], length 0
E..,……….Q……P.Q……..`….’……
2011-10-03 20:42:50.090235 IP 172.16.165.128.1105 > 199.16.81.167.80: Flags [.], ack 1, win 17520, length 0
E..(..@………..Q..Q.P……..P.Dp.d..GET /p
2011-10-03 20:42:50.090687 IP 172.16.165.128.1103 > 199.16.81.167.80: Flags [P.], seq 1:220, ack 1, win 17520, length 219: HTTP: GET /public/platforms/mt4-mobile.html HTTP/1.0
E…..@………..Q..O.P…..T
.P.Dp….GET /public/platforms/mt4-mobile.html HTTP/1.0
Host: www.tadawulfx.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20

2011-10-03 20:42:50.686309 IP 172.16.165.128.1174 > 199.16.81.167.80: Flags [P.], seq 1:221, ack 1, win 17520, length 220: HTTP: GET /public/platforms/mt4-mobile.html HTTP/1.0
E…..@………..Q….P..#..V.bP.Dp….GET /public/platforms/mt4-mobile.html HTTP/1.0
Host: www.tadawulfx.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060516 SeaMonkey/1.0.2

2011-10-03 20:42:50.704504 IP 172.16.165.128.1175 > 199.16.81.167.80: Flags [P.], seq 1:256, ack 1, win 17520, length 255: HTTP: GET /public/trading-accounts/premium-forex-account.html HTTP/1.0
E..’..@………..Q….P.
).OA..P.Dp….GET /public/trading-accounts/premium-forex-account.html HTTP/1.0
Host: www.tadawulfx.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/532.9 (KHTML, like Gecko) Chrome/5.0.307.9 Safari/532.9

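The capture above shows the whole DirtJumper cycle in one second: a POST check-in to /678/index.php with a single numeric `k` parameter, a task response whose header (`02|411|260`) is glued directly onto a list of target URLs, and then a burst of GETs against those targets with a different User-Agent on every connection. The following Python is an added example written for this page, not code from the original post or from any DirtJumper analysis tool. It reconstructs the task body from the capture, extracts the tasked hosts, and runs a simple flood detector over a request log constructed from the GETs in the capture (plus one ordinary client, also constructed, for contrast). The meaning of the three numeric header fields is not known from the capture and is treated as opaque; the log tuple layout, the thresholds and the `k=` check-in heuristic are assumptions of this example.

```python
# Added example (not from the original post): reconstruct the C2 task seen in
# the capture and flag the resulting flood pattern in an HTTP request log.
# All inputs are constructed from the capture; the numeric header fields of the
# task are of unknown meaning and are only split, never interpreted.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Body of the HTTP/1.1 200 response to the POST /678/index.php check-in.
C2_TASK = (
    "02|411|260http://www.tadawulfx.com/public/\n"
    "http://www.tadawulfx.com/public/trading-accounts/standard-forex-account.html\n"
    "http://www.tadawulfx.com/public/trading-accounts/premium-forex-account.html\n"
    "http://www.tadawulfx.com/public/education/gold-and-silver-overview.html\n"
    "http://www.tadawulfx.com/public/platforms/mt4-mobile.html\n"
    "http://www.tadawulfx.com/\n"
    "https://pepperstone.com/\n"
    "https://pepperstone.com/company-profile/about-us.php\n"
    "https://pepperstone.com/trading-accounts/accounts-types.php\n"
    "https://pepperstone.com/forex-news/\n"
    "http://ukashsepeti.com/ukash.asp\n"
    "http://ukashsepeti.com/iletisim.html\n"
    "http://ukashsepeti.com/kurumsal.html\n"
)

def parse_c2_task(body):
    """Split a task body into its pipe-separated header fields and target URLs.
    The header runs straight into the first URL with no separator, so the split
    point is the first 'http://' or 'https://'."""
    m = re.match(r"^([0-9|]*)(?=https?://)", body)
    header = m.group(1).split("|") if m and m.group(1) else []
    urls = re.findall(r"https?://\S+", body)
    return header, urls

def target_hosts(urls):
    """Distinct hosts the bot has been tasked against."""
    return sorted({urlsplit(u).hostname for u in urls})

def looks_like_checkin(method, path, body):
    """Heuristic (assumption) for the check-in: a POST to index.php whose whole
    body is one long numeric 'k' parameter, as in the capture."""
    return (method == "POST" and path.endswith("/index.php")
            and re.fullmatch(r"k=\d{10,}", body.strip()) is not None)

# Constructed request log: (timestamp, client, Host header, path, User-Agent),
# taken from the GETs in the capture plus an ordinary client for contrast.
BOT, TADA, UKASH = "172.16.165.128", "www.tadawulfx.com", "ukashsepeti.com"
PREMIUM = "/public/trading-accounts/premium-forex-account.html"
MT4 = "/public/platforms/mt4-mobile.html"
REQUEST_LOG = [
    ("2011-10-03 20:42:49.505936", BOT, TADA, PREMIUM, "Mozilla/2.0 (compatible; MSIE 3.01; Windows 98)"),
    ("2011-10-03 20:42:49.518546", BOT, TADA, PREMIUM, "Opera/9.00 (Wii; U; ; 1038-58; Wii Shop Channel/1.0; en)"),
    ("2011-10-03 20:42:49.542686", BOT, UKASH, "/iletisim.html", "Mozilla/4.1 (compatible; MSIE 5.0; Symbian OS; Nokia 6600;452) Opera 6.20 [ru]"),
    ("2011-10-03 20:42:49.611633", BOT, UKASH, "/ukash.asp", "Opera/9.0 (Windows NT 5.1; U; en)"),
    ("2011-10-03 20:42:49.629254", BOT, TADA, "/public/education/gold-and-silver-overview.html", "Mozilla/4.0 (compatible; MSIE 6.0; ; Linux armv5tejl; U) Opera 8.02 [en_US]"),
    ("2011-10-03 20:42:49.640441", BOT, UKASH, "/iletisim.html", "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"),
    ("2011-10-03 20:42:50.088872", BOT, TADA, PREMIUM, "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3"),
    ("2011-10-03 20:42:50.090687", BOT, TADA, MT4, "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20"),
    ("2011-10-03 20:42:50.686309", BOT, TADA, MT4, "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060516 SeaMonkey/1.0.2"),
    ("2011-10-03 20:42:50.704504", BOT, TADA, PREMIUM, "Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/532.9 (KHTML, like Gecko) Chrome/5.0.307.9 Safari/532.9"),
    # Constructed ordinary client: three requests, one User-Agent, must not alert.
    ("2011-10-03 20:42:49.700000", "172.16.165.50", TADA, "/", "Mozilla/5.0 (constructed)"),
    ("2011-10-03 20:42:49.900000", "172.16.165.50", TADA, "/public/", "Mozilla/5.0 (constructed)"),
    ("2011-10-03 20:42:50.100000", "172.16.165.50", TADA, PREMIUM, "Mozilla/5.0 (constructed)"),
]

def detect_floods(log, window=timedelta(seconds=2), min_requests=3, min_agents=3):
    """Flag (client, host) pairs that send many requests with many different
    User-Agents inside one short window.  Request volume alone is a weak
    signal; the rotating User-Agent is what separates the bot from a browser.
    Returns {(client, host): (requests, distinct_agents)} for the densest window."""
    by_pair = defaultdict(list)
    for ts, client, host, _path, ua in log:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")
        by_pair[(client, host)].append((when, ua))
    alerts = {}
    for key, events in by_pair.items():
        events.sort()
        start = 0
        for end, (t_end, _ua) in enumerate(events):
            while t_end - events[start][0] > window:   # slide the window forward
                start += 1
            span = events[start:end + 1]
            agents = {ua for _t, ua in span}
            if len(span) >= min_requests and len(agents) >= min_agents:
                alerts[key] = max(alerts.get(key, (0, 0)), (len(span), len(agents)))
    return alerts

def targets_observed(task_urls, alerts):
    """Tasked hosts that actually appear as flood targets in this log.  Targets
    reached over HTTPS (pepperstone.com:443 in the capture) never show up in a
    plaintext HTTP log, so absence here is a visibility gap, not an all-clear."""
    hosts = set(target_hosts(task_urls))
    return sorted({host for (_client, host) in alerts if host in hosts})

if __name__ == "__main__":
    header, urls = parse_c2_task(C2_TASK)
    print("task header:", header, "tasked hosts:", target_hosts(urls))
    found = detect_floods(REQUEST_LOG)
    for (client, host), (n, agents) in sorted(found.items()):
        print(f"{client} -> {host}: {n} requests, {agents} distinct User-Agents")
    print("tasked hosts seen flooding:", targets_observed(urls, found))
```

Run it as is and the bot is flagged against both plaintext targets while the constructed single-agent client, which sends the same number of requests, is not; pepperstone.com stays invisible because the capture only shows TCP handshakes to its port 443. The `k=` check-in heuristic and the thresholds are starting points to tune against your own traffic, not fixed indicators.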


This post first appeared on Computer Security.org - CyberSecurity News, Inform, please read the original post: here
