PCAP - Contagio - DarkComet



PCAP Analysis

##################
# MetaData Stuff #
##################

File name:
Darkcomet_DC98ABBA995771480AECF4769A88756E.pcap

MD5|SHA1|SHA256 Hash:
da57f797c78e4ccc18233affee7d855f
501af9915762a167b5a8b934ece86cfcfd47051a
c67e19f8d60deca49ab1b9f800367c944ee65c91abe330c35e1b0235cf2e741b

Size:
3907

Packets:
33

#####################
# High Level Review #
#####################

An internal system, 172.16.253[.]130, initiated network communication with an external system, 64.235.43[.]131. As of March 5th, 2018, this IP resolves to LASVEGAS-NV-DATACENTER[.]COM. Registrant details for the address at the time of this PCAP's recording, September 8, 2013, are currently unknown, due to a lack of historical data regarding this IP address.



The internal system performed an HTTP GET request to the URL "http://64.235.43[.]131/a.php?id=c2ViYWxpQGxpYmVyby5pdA==". The id value within the GET request, "c2ViYWxpQGxpYmVyby5pdA==", is a base64-encoded value which decodes to the email address "sebali@libero[.]it".



The domain libero.it has a very long resolution history, dating back to at least September 2, 2009, when it resolved to the IP address 195.210.91[.]83. At the time of this PCAP's recording, September 8, 2013, the domain resolved into the netrange 151.1.66[.]0/23 and was seen using four unique IP addresses: 151.1.67[.]215|216|221|227. All four were Italian IP addresses under the ITNET-WAN organization, based out of Rome, Italy. These IP addresses are not currently on any blacklist, although it is not known whether they were at the time of this recording.

Upon successful receipt of the HTTP GET request, the external system, 64.235.43[.]131, returned the text value '0'. The meaning of this value is currently unknown; it could be a confirmation telling the initiating process on the internal system that the email address was accepted, but this is simply speculation.

This marks the end of the PCAP's data.

############
# Analysis #
############

# Communicators (address - packets - % of the 33 packets) #
0.0.0[.]0 - 2 - 6.06%
64.235.43[.]131 - 10 - 30.3%
172.16.253[.]130 - 26 - 78.78%
172.16.253[.]254 - 4 - 12.12%
224.0.0[.]22 - 12 - 36.36%
255.255.255[.]255 - 2 - 6.06%

# Analysis of Events #

The internal system, 172.16.253[.]130, initiates communication with the external system, 64.235.43[.]131. Today this IP resolves to LASVEGAS-NV-DATACENTER[.]COM; it is currently unknown what domain it resolved to at the time of this PCAP's recording.

The internal system performs an HTTP GET request for the following URL:
- http://64.235.43[.]131/a.php?id=c2ViYWxpQGxpYmVyby5pdA==

The id value 'c2ViYWxpQGxpYmVyby5pdA==' is a base64-encoded value.
- Decodes to = sebali@libero[.]it
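As an added example (not part of the original write-up), the decode step described here and in the High Level Review, turned into a check that can run over many request records: it flags GET requests to /a.php whose id parameter is valid base64 decoding to an email address, and defangs the result for reporting. The sample request lines and their "METHOD host path" format are constructed for this example; only the first line reproduces the request seen in the PCAP.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request log lines ("METHOD host path"); the log format is an
# assumption. Only the first reproduces the request seen in the PCAP; the
# others are benign or malformed controls.
SAMPLE_REQUESTS = [
    "GET 64.235.43.131 /a.php?id=c2ViYWxpQGxpYmVyby5pdA==",
    "GET 64.235.43.131 /a.php?id=not-base64!!",
    "GET example.org /index.php?id=42",
    "GET 64.235.43.131 /a.php",
]
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def defang(text: str) -> str:
    """Bracket the last dot so the indicator is not clickable, as in the write-up."""
    return re.sub(r"\.(?=[^.]*$)", "[.]", text)


def decode_checkin_id(request_line: str):
    """Return (host, email) for a GET /a.php?id=<base64> request whose id decodes
    to an e-mail address; return None for anything else."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "GET":
        return None
    _, host, target = parts
    url = urlsplit(target)
    if url.path != "/a.php":
        return None
    ids = parse_qs(url.query).get("id")
    if not ids:
        return None
    try:
        # validate=True rejects non-alphabet characters instead of silently skipping them
        decoded = base64.b64decode(ids[0], validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return (host, decoded) if EMAIL_RE.match(decoded) else None


def scan(lines):
    """Run the check over request lines; return defanged (host, email) hits."""
    hits = filter(None, map(decode_checkin_id, lines))
    return [(defang(host), defang(email)) for host, email in hits]
```

Running scan(SAMPLE_REQUESTS) yields a single hit, the check-in to 64.235.43[.]131 carrying sebali@libero[.]it; the malformed and unrelated lines are dropped.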

The domain libero.it has a very long resolution history, dating back to at least Sept 2nd, 2009, when it resolved to the IP address 195.210.91[.]83. At the time of this PCAP's recording, Sept 8, 2013, the domain resolved into the netrange 151.1.66[.]0/23 and was seen using 4 unique IP addresses: 151.1.67[.]215|216|221|227. All four were Italian IP addresses under the ITNET-WAN organization, based out of Rome, Italy. These IP addresses are not currently on any blacklist, although it is not known whether they were at the time of this recording.

The external system, 64.235.43[.]131, received the GET request successfully and returned the text value '0'.

There is no additional data.
