Detecting PureLogs traffic with CapLoader
CapLoader identifies the C2 protocol of the PureLogs Stealer malware with its Port Independent Protocol Identification (PIPI) feature, without relying on port numbers. The detection was added in the 2.0 release and is demonstrated on a capture from malware-traffic-analysis.net; the relevant IOCs are listed below. (Original: www.netresec.com)

Monday, 09 June 2025 14:26:00 (UTC/GMT)



CapLoader includes a feature for Port Independent Protocol Identification (PIPI), which can detect which protocol is being used inside of TCP and UDP sessions without relying on the port number. In this video CapLoader identifies the C2 protocol used by the PureLogs Stealer malware.

The PureLogs protocol detection was added to CapLoader in the recent 2.0 release.

The PCAP file analyzed in the video is from Brad Duncan’s fantastic malware-traffic-analysis.net website.

Indicators of Compromise (IOC):

  • mxcnss.dns04.com:7702
  • 176.65.144.169:7702
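To make the point of the PIPI paragraph above concrete, and to show how the two IOCs listed would be used alongside it, here is a small added illustration in Python. It is not CapLoader code and not Netresec's PIPI engine (which is proprietary; the page does not publish the PureLogs signature it uses). The classifier only recognises a few publicly documented handshake prefixes (HTTP request line, TLS ClientHello record header, SSH banner) and compares that verdict against a naive port-number lookup. All four sessions, including the opaque bytes sent to the 7702 endpoint, are constructed for the example and are not taken from the PCAP in the video; that last session is deliberately classified "unknown" by payload, since this page describes no PureLogs wire format, and is caught by the IOC match instead.

```python
"""Port-independent protocol identification vs. port-based labelling.

Added example, not CapLoader or Netresec code. Only well-known public
handshake features are matched; nothing here is a PureLogs signature.
"""
import re
from dataclasses import dataclass

# IOCs quoted from the post above.
IOC_ENDPOINTS = {("176.65.144.169", 7702)}
IOC_HOSTNAMES = {"mxcnss.dns04.com"}

# The naive approach PIPI replaces: label a session by its server port.
PORT_TABLE = {22: "SSH", 80: "HTTP", 443: "TLS"}


@dataclass
class Session:
    dst_ip: str
    dst_port: int
    dst_host: str        # name the client resolved before connecting, "" if none
    client_bytes: bytes  # first client-to-server bytes of the TCP session


def identify_by_port(port: int) -> str:
    return PORT_TABLE.get(port, "unknown")


def identify_by_payload(data: bytes) -> str:
    """Classify a session from its first client bytes, ignoring the port."""
    # TLS ClientHello: record type 0x16 (handshake), record version 0x03xx,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01):
        return "TLS"
    # SSH identification string (RFC 4253): "SSH-protoversion-softwareversion"
    if data.startswith(b"SSH-2.0-") or data.startswith(b"SSH-1.99-"):
        return "SSH"
    # HTTP/1.x request line
    if re.match(rb"(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n", data):
        return "HTTP"
    return "unknown"


def ioc_hit(s: Session) -> bool:
    """True if the session's destination matches either listed IOC."""
    return (s.dst_ip, s.dst_port) in IOC_ENDPOINTS or s.dst_host in IOC_HOSTNAMES


def analyze(sessions):
    """Return one verdict dict per session; 'mismatch' marks where port and payload disagree."""
    out = []
    for s in sessions:
        by_port = identify_by_port(s.dst_port)
        by_payload = identify_by_payload(s.client_bytes)
        out.append({
            "dst": f"{s.dst_ip}:{s.dst_port}",
            "by_port": by_port,
            "by_payload": by_payload,
            "mismatch": by_port != by_payload,
            "ioc": ioc_hit(s),
        })
    return out


# Constructed sessions for the example (not from the analyzed PCAP).
# Truncated synthetic TLS ClientHello: record header 16 03 01 00 2a, handshake type 01.
CLIENT_HELLO = bytes.fromhex("160301002a0100002603035a") + b"\x00" * 20
SAMPLE_SESSIONS = [
    Session("93.184.216.34", 80, "example.com", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Session("203.0.113.10", 8443, "", CLIENT_HELLO),                 # TLS on a non-standard port
    Session("203.0.113.11", 443, "", b"SSH-2.0-OpenSSH_9.6\r\n"),    # SSH hiding on 443
    Session("176.65.144.169", 7702, "mxcnss.dns04.com",
            b"\x03\x00\x00\x12\x8a\x17\x55"),                         # opaque bytes, constructed
]

if __name__ == "__main__":
    for verdict in analyze(SAMPLE_SESSIONS):
        print(verdict)
```

The second and third sessions are the ones that motivate PIPI: a port lookup labels TLS on 8443 as unknown and SSH on 443 as TLS, while the payload check gets both right. The fourth session shows the complementary side of the post: when a C2 protocol has no public signature, the IOC match on `176.65.144.169:7702` or `mxcnss.dns04.com` still flags the session even though the payload classifier returns "unknown".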

Posted by Erik Hjelmvik on Monday, 09 June 2025 14:26:00 (UTC/GMT)

Tags: #CapLoader #malware-traffic-analysis.net #PIPI

Short URL: https://netresec.com/?b=256a8c4


Source: https://www.netresec.com/?page=Blog&month=2025-06&post=Detecting-PureLogs-traffic-with-CapLoader