RIG Web-based Exploit Kit EK Exploits Flash and loads Ransomware Variant CryptMic Malware PCAP file download 91.121.74.154

2016-09-26 00:40:25.886473 IP 192.168.1.18.51426 > 5.196.126.167.80: Flags [P.], seq 1:512, ack 1, win 16475, length 511: HTTP: GET /index.php?wX6OcbiYLRbND4M=l3SMfPrfJxzFGMSUb-nJDa9BNUXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KTKvgJQyfu0SaGyj1BKeO10hjoUeWF8Z5e3x1RSL2x3fipSA9weJYFhC_5DEELY70Qj3zucccs4lkxfTv2JWz-IdUFxE5RgY36TIHLOL-AFiXwE4Ugfbct4lsxaBWiTiJGQ23OWwGTF0kufJ8_w5 HTTP/1.1
E..'.R@...........~....P..W..2.VP.@[....GET /index.php?wX6OcbiYLRbND4M=l3SMfPrfJxzFGMSUb-nJDa9BNUXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KTKvgJQyfu0SaGyj1BKeO10hjoUeWF8Z5e3x1RSL2x3fipSA9weJYFhC_5DEELY70Qj3zucccs4lkxfTv2JWz-IdUFxE5RgY36TIHLOL-AFiXwE4Ugfbct4lsxaBWiTiJGQ23OWwGTF0kufJ8_w5 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; rv:11.0) like Gecko
Host: chink12alzona.cyclemanagementassociates.info

2016-09-26 00:40:26.295112 IP 5.196.126.167.80 > 192.168.1.18.51426: Flags [.], ack 512, win 237, length 0
E..(..@.:.....~......P...2.V..Y.P....H..

2016-09-26 00:40:27.640845 IP 5.196.126.167.80 > 192.168.1.18.51426: Flags [.], seq 1:1319, ack 512, win 237, length 1318: HTTP: HTTP/1.1 200 OK
E..N..@.:.....~......P...2.V..Y.P.......HTTP/1.1 200 OK
Server: nginx
Date: Mon, 26 Sep 2016 00:40:57 GMT
[…]

GootKit Banking Trojan Malware Delivered by RIG Exploit Kit EK PCAP file download traffic sample

2016-09-21 10:01:56.988869 IP 192.168.1.7.49212 > 31.184.193.179.80: Flags [P.], seq 1:282, ack 1, win 16537, length 281: HTTP: GET / HTTP/1.1
E..A._@...N..........<.P...'.iR.P.@.....GET / HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://www.hairaddict.fr/
x-flash-version: 19,0,0,245
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: myorderdesk.top
Connection: Keep-Alive

2016-09-21 10:01:57.203904 IP 31.184.193.179.80 > 192.168.1.7.49212: Flags [.], ack 282, win 123, length 0
E..(".@.8.y..........P.<.iR....@P..{L...

2016-09-21 10:01:57.204021 IP 31.184.193.179.80 > 192.168.1.7.49212: Flags [.], seq 1:1351, ack 282, win 123, length 1350: HTTP: HTTP/1.1 200 OK
E..n".@.8.tK.........P.<.iR....@P..{....HTTP/1.1 200 OK
Date: Wed, 21 Sep 2016 14:02:36 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: […]

RIG Exploit Kit EK Delivers Ransomware Variant CryptFile2 Malware C2 PCAP file download

2016-09-19 09:49:33.246002 IP 192.168.4.57.49469 > 192.185.52.124.80: Flags [P.], seq 1:303, ack 1, win 16537, length 302: HTTP: GET / HTTP/1.1
E..V4 @....k...9..4|.=.P'.......P.@..F..GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: photos2tile.com
Connection: Keep-Alive
Cookie: PHPSESSID=11621c75d998a91f4a371effa2d932a8

—

2016-09-19 09:49:40.123529 IP 192.168.4.57.49490 > 31.184.193.187.80: Flags [.], ack 1, win 16537, length 0
E..(D.@........9.....R.P.U/~.I..P.@...........

2016-09-19 09:49:40.123610 IP 192.168.4.57.49491 > 31.184.193.187.80: Flags [P.], seq 1:282, ack 1, win 16537, length 281: HTTP: GET / HTTP/1.1
E..AD.@........9.....S.P.......ZP.@.p<..GET / HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://photos2tile.com/
x-flash-version: 16,0,0,235
Accept-Encoding: gzip, deflate
User-Agent: […]

Packet Analysis Rig Exploit Kit EK Delivers URSNIF Banking Trojan Malware PCAP file download sample

2016-09-02 10:26:46.478966 IP 192.168.4.200.49222 > 194.165.16.204.80: Flags [P.], seq 1:391, ack 1, win 16537, length 390: HTTP: GET /qrvfiif2krei9e-ld2ket4rtnfme2f8cknbnm4ntfmmpeoifs-omb-tacbmri7mnksmpkr7si4ioblpaes9ss1din5pme6r6clcm9leeno4pnmf/ HTTP/1.1
E.....@...[..........F.Pbe.c....P.@..P..GET /qrvfiif2krei9e-ld2ket4rtnfme2f8cknbnm4ntfmmpeoifs-omb-tacbmri7mnksmpkr7si4ioblpaes9ss1din5pme6r6clcm9leeno4pnmf/ HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://www.gaapasa.com.au/
x-flash-version: 19,0,0,245
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: sivupig.top
Connection: Keep-Alive

—

2016-09-02 10:26:46.774522 IP 192.168.4.200.49222 > 194.165.16.204.80: Flags [F.], seq 391, ack 5942, win 16402, length 0
E..(..@...\..........F.Pbe.....(P.@./&........

2016-09-02 10:26:47.007595 IP 192.168.4.200.49221 > 194.165.16.204.80: Flags [P.], seq 1:403, ack 1, win 16537, length 402: HTTP: GET /qrvfiif2krei9e-ld2ket4rtnfme2f8cknbnm4ntfmmpeoifs-omb-tacbmri7mnksmpkr7si4ioblpaes9ss1din5pme6r6clcm9leeno4pnmf/njr.gif HTTP/1.1
E....!@...[;.........E.P$W...YA*P.@.....GET /qrvfiif2krei9e-ld2ket4rtnfme2f8cknbnm4ntfmmpeoifs-omb-tacbmri7mnksmpkr7si4ioblpaes9ss1din5pme6r6clcm9leeno4pnmf/njr.gif HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.gaapasa.com.au/
Accept-Language: en-US
User-Agent: Mozilla/5.0 […]

Fake Adobe Flash Player Update Binary Loads Qadars & Tor Bot Malware PCAP file download Traffic Sample

2016-09-01 18:42:39.848166 IP 192.168.4.175.49440 > 82.194.88.80.80: Flags [P.], seq 1:250, ack 1, win 64800, length 249: HTTP: GET / HTTP/1.1
E..!/0@...Z=....R.XP. .Py...... P..  {..GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: sinlabajos.com
Connection: Keep-Alive

2016-09-01 18:42:40.094526 IP 82.194.88.80.80 > 192.168.4.175.49440: Flags [.], ack 250, win 15544, length 0
E..(M.@.4...R.XP.....P. ... y...P.<.....

2016-09-01 18:42:42.211314 IP 82.194.88.80.80 > 192.168.4.175.49440: Flags [.], seq 1:1351, ack 250, win 15544, length 1350: HTTP: HTTP/1.1 200 OK
E..nM.@.4..eR.XP.....P. ... y...P.<.o...HTTP/1.1 200 OK
Date: Thu, 01 Sep 2016 20:42:47 GMT
Server: Apache […]