Sturmgewehr

Suspicious traffic to different IPs


We see suspicious traffic to many IP addresses: to internal IPs like 192.168.x.x, and also to the "UK Ministry of Defence" (25.44.14.112, 25.45.0.4).

Payload hex: 56 6f 15 27 00 59 00 01 00 00 00 00 00 00 00 00 00 00 00

The payload is the same every time.

0000   34 31 c4 2c b4 49 6c 62 6d 25 6e 02 08 00 45 00  41.,.Ilbm%n...E.
0010   00 2f 60 1b 00 00 80 11 00 00 c0 a8 b2 32 19 2d  ./`..........2.-
0020   00 04 09 00 09 00 00 1b 8c 38 56 6f 15 27 00 59  .........8Vo.'.Y
0030   00 01 00 00 00 00 00 00 00 00 00 00 00           .............

0000   34 31 c4 2c b4 49 6c 62 6d 25 6e 02 08 00 45 00  41.,.Ilbm%n...E.
0010   00 2f 60 1c 00 00 80 11 00 00 c0 a8 b2 32 19 2d  ./`..........2.-
0020   00 04 09 00 09 00 00 1b 8c 38 56 6f 15 27 00 59  .........8Vo.'.Y
0030   00 01 00 00 00 00 00 00 00 00 00 00 00           .............

This traffic is generated by joining ANY game server.


Can someone tell me why the ArmA3 client does this?

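Decoding the two hex dumps from the post above, as an added example (this is not code from the thread or from Bohemia Interactive): it parses the Wireshark-style dump text, walks the Ethernet II, IPv4 and UDP headers, and recomputes the checksum fields so the frame can be checked rather than eyeballed. The dump text is copied verbatim from the post; the checksum arithmetic is plain RFC 791 / RFC 768, and nothing else about the traffic is assumed.

```python
"""Decode the Ethernet/IPv4/UDP hex dumps quoted in the post above.

Added example, not code from the thread or from Bohemia Interactive.
The dumps are copied from the post; the rest is header arithmetic
from RFC 791 (IPv4) and RFC 768 (UDP).
"""
import ipaddress
import re
import struct

# Copied from the post (Wireshark "hex + ASCII" dump format).
DUMP_1 = """\
0000   34 31 c4 2c b4 49 6c 62 6d 25 6e 02 08 00 45 00  41.,.Ilbm%n...E.
0010   00 2f 60 1b 00 00 80 11 00 00 c0 a8 b2 32 19 2d  ./`..........2.-
0020   00 04 09 00 09 00 00 1b 8c 38 56 6f 15 27 00 59  .........8Vo.'.Y
0030   00 01 00 00 00 00 00 00 00 00 00 00 00           .............
"""
# The second dump in the post differs from the first only in the IP ID field.
DUMP_2 = DUMP_1.replace("60 1b", "60 1c")

HEX_BYTE = re.compile(r"[0-9a-f]{2}")


def dump_to_bytes(dump: str) -> bytes:
    """Turn a Wireshark hex dump (offset, up to 16 hex bytes, ASCII column) into bytes."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        for tok in tokens[1:17]:  # skip the offset, never read past 16 bytes
            if not HEX_BYTE.fullmatch(tok):
                break             # reached the ASCII column of a short line
            out.append(int(tok, 16))
    return bytes(out)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 sum over 16-bit words with end-around carry, not inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def decode_frame(frame: bytes) -> dict:
    """Walk Ethernet II -> IPv4 -> UDP and return the fields worth checking."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4, ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ip_id, _flags_frag, ttl, proto, ip_csum = struct.unpack("!HHHBBH", ip[2:12])
    src, dst = ip[12:16], ip[16:20]
    if proto != 17:
        raise ValueError("not UDP, IP protocol %d" % proto)
    udp = ip[ihl:total_len]
    sport, dport, udp_len, udp_csum = struct.unpack("!HHHH", udp[:8])
    payload = udp[8:udp_len]

    # A correctly transmitted IPv4 header never carries checksum 0x0000;
    # recompute what the field should hold over the header with it zeroed.
    expected_ip_csum = ~ones_complement_sum(ip[:10] + b"\x00\x00" + ip[12:ihl]) & 0xFFFF

    # UDP checksum covers pseudo-header + UDP header + payload (RFC 768).
    pseudo = src + dst + struct.pack("!BBH", 0, proto, udp_len)
    expected_udp_csum = ~ones_complement_sum(pseudo + udp[:6] + b"\x00\x00" + payload) & 0xFFFF
    # With TX checksum offload the Windows stack hands the NIC only the
    # pseudo-header sum in this field and the NIC finishes the checksum, so
    # a capture taken on the sending host sees that intermediate value.
    pseudo_header_sum = ones_complement_sum(pseudo)

    return {
        "src": "%s:%d" % (ipaddress.ip_address(src), sport),
        "dst": "%s:%d" % (ipaddress.ip_address(dst), dport),
        # 25.0.0.0/8 is the block the post's lookup attributes to the UK MoD.
        "dst_in_25_slash_8": ipaddress.ip_address(dst) in ipaddress.ip_network("25.0.0.0/8"),
        "ip_id": ip_id,
        "ttl": ttl,
        "ip_csum": ip_csum,
        "expected_ip_csum": expected_ip_csum,
        "udp_csum": udp_csum,
        "expected_udp_csum": expected_udp_csum,
        "udp_csum_is_pseudo_header_sum": udp_csum == pseudo_header_sum,
        "payload": payload.hex(" "),
        "payload_len": len(payload),
    }


def compare(dump_a: str, dump_b: str) -> dict:
    """What differs between two of the posted frames."""
    a = decode_frame(dump_to_bytes(dump_a))
    b = decode_frame(dump_to_bytes(dump_b))
    return {"same_payload": a["payload"] == b["payload"], "ip_id_delta": b["ip_id"] - a["ip_id"]}


if __name__ == "__main__":
    for key, value in decode_frame(dump_to_bytes(DUMP_1)).items():
        print("%-30s %s" % (key, "0x%04x" % value if key.endswith("csum") else value))
    print(compare(DUMP_1, DUMP_2))
```

The decode gives a 19-byte UDP datagram from 192.168.178.50:2304 to 25.45.0.4:2304 with TTL 128, the two frames identical apart from an IP ID that increments by one. Two things the raw dump hides: the IP header checksum is 0x0000 where 0x4e97 would be valid, and the UDP checksum field holds exactly the pseudo-header sum rather than a valid checksum. That combination is what a capture on the sending Windows host with checksum offload enabled looks like; it says nothing about the remote endpoint, only that these dumps were taken locally and that the bytes on the wire would have had the NIC-completed checksums.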

Why does arma3.exe launch the Local Security Authority Process (lsass.exe), and why does that process try to connect to 50.63.243.228, aka GoDaddy.com?


Well, the UK Ministry of Defence's interest in Arma would probably be linked to -

http://www.dailymail.co.uk/news/article-2937641/ISIS-fighters-distributing-video-game-allows-players-play-role-Islamist-kill-Westerners.html

Arma was also at the centre of an embarrassing story about the activities of the IRA. It seems Arma 2's visuals were so good that the press in question believed the in-game footage was of the IRA attempting to shoot down a British helicopter. Wooomp womp woomp.


@Wizard Sorry, I misspoke.

lsass.exe is already running, but every time I start the game LSASS tries to connect to GoDaddy.com.


So let me get this straight:

Steam is secretly routing Arma game servers' internet communication data to the UK Ministry of Defence

And the Arma program itself upon startup is secretly trying to create a secure connection to what is ostensibly a GoDaddy webserver?
