Can Someone Help with a Return from a Scammer's PC

ScamBaiter Central

Over the last few weeks I've been getting returns on a particular port I use for receiving connections using 2 Trojans. Around 6 weeks ago I was able to reverse an AnyDesk connection and managed to transfer and execute a trojan on the target computer; then, around a week later, while monitoring network traffic, I started to get returns from Kolkata, India. It's baffled me because, over the last 2 days, I've spent many hours experimenting with these trojans, basically just mastering how they work. I have also tested these trojans on separate networks to ensure that the returns are being sent and received, and sure enough they work fine.
Does anyone have any idea what's going on?
This is a snapshot of one of the returns in case it helps.

Frame 26316: 62 bytes on wire (496 bits), 62 bytes captured (496 bits) on interface \Device\NPF_{3C46C9E7-8585-4EE3-9CCD-F4C37BB2C27D}, id 0
    Interface id: 0 (\Device\NPF_{3C46C9E7-8585-4EE3-9CCD-F4C37BB2C27D})
        Interface name: \Device\NPF_{3C46C9E7-8585-4EE3-9CCD-F4C37BB2C27D}
        Interface description: WiFi
    Encapsulation type: Ethernet (1)
    Arrival Time: Apr 27, 2021 17:13:11.701673000 GMT Summer Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1619539991.701673000 seconds
    [Time delta from previous captured frame: 0.137790000 seconds]
    [Time delta from previous displayed frame: 5.993558000 seconds]
    [Time since reference or first frame: 2022.261456000 seconds]
    Frame Number: 26316
    Frame Length: 62 bytes (496 bits)
    Capture Length: 62 bytes (496 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp]
    [Coloring Rule Name: Bad TCP]
    [Coloring Rule String: tcp.analysis.flags && !tcp.analysis.window_update && !tcp.analysis.keep_alive && !tcp.analysis.keep_alive_ack]
Ethernet II, Src: Sagemcom_3c:27:03 (xx:xx:xx:xx:xx:xx), Dst: Alfa_87:4c:d3 xx:xx:xx:xx:xx:xx)
    Destination: Alfa_87:4c:d3 (xx:xx:xx:xx:xx:xx)
        Address: Alfa_87:4c:d3 (00:xx:xx:xx:xx:xx:xx)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Sagemcom_3c:27:03 (xx:xx:xx:xx:xx:xx)
        Address: Sagemcom_3c:27:03 (xx:xx:xx:xx:xx:xx)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 103.217.234.40, Dst: 192.168.1.14
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 48
    Identification: 0x0c42 (3138)
    Flags: 0x40, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment Offset: 0
    Time to Live: 105
    Protocol: TCP (6)
    Header Checksum: 0xf1cd [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 103.217.234.40
    Destination Address: 192.168.1.14
    [Source GeoIP: Kolkata, IN]
        [Source GeoIP City: Kolkata]
        [Source or Destination GeoIP City: Kolkata]
        [Source GeoIP Country: India]
        [Source or Destination GeoIP Country: India]
        [Source GeoIP ISO Two Letter Country Code: IN]
        [Source or Destination GeoIP ISO Two Letter Country Code: IN]
        [Source GeoIP Latitude: 22.5602]
        [Source or Destination GeoIP Latitude: 22.5602]
        [Source GeoIP Longitude: 88.3698]
        [Source or Destination GeoIP Longitude: 88.3698]
Transmission Control Protocol, Src Port: 49973, Dst Port: 1606, Seq: 0, Len: 0
    Source Port: 49973
    Destination Port: 1606
    [Stream index: 243]
    [TCP Segment Len: 0]
    Sequence Number: 0    (relative sequence number)
    Sequence Number (raw): 3159867266
    [Next Sequence Number: 1    (relative sequence number)]
    Acknowledgment Number: 0
    Acknowledgment number (raw): 0
    0111 .... = Header Length: 28 bytes (7)
    Flags: 0x002 (SYN)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...0 .... = Acknowledgment: Not set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..1. = Syn: Set
            [Expert Info (Chat/Sequence): Connection establish request (SYN): server port 1606]
                [Connection establish request (SYN): server port 1606]
                [Severity level: Chat]
                [Group: Sequence]
        .... .... ...0 = Fin: Not set
        [TCP Flags: ··········S·]
    Window: 8192
    [Calculated window size: 8192]
    Checksum: 0x0a11 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    Options: (8 bytes), Maximum segment size, No-Operation (NOP), No-Operation (NOP), SACK permitted
        TCP Option - Maximum segment size: 1460 bytes
            Kind: Maximum Segment Size (2)
            Length: 4
            MSS Value: 1460
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - SACK permitted
            Kind: SACK Permitted (4)
            Length: 2
    [SEQ/ACK analysis]
        [TCP Analysis Flags]
            [Expert Info (Note/Sequence): This frame is a (suspected) retransmission]
                [This frame is a (suspected) retransmission]
                [Severity level: Note]
                [Group: Sequence]
            [The RTO for this segment was: 8.994157000 seconds]
            [RTO based on delta from frame: 26282]
    [Timestamps]
        [Time since first frame in this TCP stream: 8.994157000 seconds]
        [Time since previous frame in this TCP stream: 5.993558000 seconds]
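An added example, not code from the post: a small parser for Wireshark text dissections like the one above. It pulls out the fields that matter for triage and states what a lone, retransmitted SYN means, namely that the remote host keeps trying to open a connection to the listening port and no SYN-ACK is getting back to it (the sample below is a constructed, condensed copy of the IP/TCP lines in the post).

```python
import ipaddress
import re

# Constructed sample: the IP/TCP lines of a Wireshark text dissection in the
# shape shown in the post above (not a real capture).
SAMPLE = """Internet Protocol Version 4, Src: 103.217.234.40, Dst: 192.168.1.14
    Time to Live: 105
Transmission Control Protocol, Src Port: 49973, Dst Port: 1606, Seq: 0, Len: 0
    Flags: 0x002 (SYN)
    [SEQ/ACK analysis]
        [TCP Analysis Flags]
            [Expert Info (Note/Sequence): This frame is a (suspected) retransmission]
            [The RTO for this segment was: 8.994157000 seconds]
"""


def parse_dissection(text):
    """Extract the triage-relevant fields from a Wireshark text dissection."""
    info = {"flags": [], "retransmission": "(suspected) retransmission" in text}
    m = re.search(r"Internet Protocol Version 4, Src: ([\d.]+), Dst: ([\d.]+)", text)
    if m:
        info["src"], info["dst"] = m.groups()
        # A private destination means the packet came in through NAT/port forwarding.
        info["dst_private"] = ipaddress.ip_address(info["dst"]).is_private
    m = re.search(r"Src Port: (\d+), Dst Port: (\d+), Seq: (\d+), Len: (\d+)", text)
    if m:
        info["sport"], info["dport"], info["seq"], info["len"] = map(int, m.groups())
    # Only the TCP flags line has a 3-digit hex value followed by "(FLAG, ...)".
    m = re.search(r"Flags: 0x[0-9a-f]{3} \(([A-Z, ]+)\)", text)
    if m:
        info["flags"] = m.group(1).split(", ")
    m = re.search(r"Time to Live: (\d+)", text)
    if m:
        info["ttl"] = int(m.group(1))
    return info


def classify(info):
    """Say what a single frame tells you about the state of the connection."""
    flags = set(info["flags"])
    if flags == {"SYN"} and info.get("len") == 0:
        if info["retransmission"]:
            return "inbound connect attempt, SYN retransmitted: no SYN-ACK reached the peer"
        return "inbound connect attempt (first SYN)"
    if flags == {"SYN", "ACK"}:
        return "local listener accepted the connection (SYN-ACK)"
    if info.get("len", 0) > 0:
        return "established stream carrying data"
    return "control segment: " + ",".join(sorted(flags))


if __name__ == "__main__":
    fields = parse_dissection(SAMPLE)
    print(fields)
    print(classify(fields))
```

Run against the capture in the post, the verdict is the retransmitted-SYN case: the peer's connection attempts to port 1606 are arriving but not being completed, so checking the listener and the router's port forwarding is the next step.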
