FusionCore Trojan/Malware/PUP Downloader Bundled SecureStudies.com Adware PCAP file download traffic sample

Download Attachments

  • 1 pcap hotspot
    Date added: October 28, 2016 1:43 am
    Added by: admin
    File size: 267 KB
    Downloads: 107
SHA256: ab5da9478d76221b534e4847e6968b7977771916ce81ac2810c3917f6ce5a48c
File name: PCTuneUpWiFiHotspotCreator_IS.exe
Detection ratio: 23 / 55
Analysis date: 2016-10-28 01:34:21 UTC
AVware Trojan.Win32.Generic!BT 20161027
AegisLab Script.Application.Gen!c 20161027
AhnLab-V3 Malware/Gen.Generic.N2102538991 20161027
CAT-QuickHeal PUA.Techevolve.Gen 20161027
ClamAV Win.Trojan.Generic-2682 20161027
Comodo Application.Win32.FusionCore.~J 20161028
Cyren W32/Trojan.IFZA-1289 20161028
DrWeb Trojan.InstallCore.2673 20161028
ESET-NOD32 a variant of Win32/FusionCore.J potentially unwanted 20161028
Fortinet Riskware/FusionCore 20161028
GData Script.Application.FusionCore.B 20161028
Invincea trojan.win32.dorv.b!rfn 20161018
K7AntiVirus Trojan ( 004fb4121 ) 20161025
K7GW Trojan ( 004fb4121 ) 20161027
McAfee Artemis!FC4E7C56C226 20161028
McAfee-GW-Edition BehavesLike.Win32.Dropper.vc 20161028
NANO-Antivirus Trojan.Win32.InstallCore.egpdia 20161028
Symantec Trojan.Gen.2 20161028
TrendMicro TROJ_GEN.F0CBC0UJJ16 20161028
TrendMicro-HouseCall TROJ_GEN.F0CBC0UJJ16 20161028
VIPRE Trojan.Win32.Generic!BT 20161027

2016-10-27 19:39:26.628074 IP 192.168.1.102.55768 > 184.173.227.119.80: Flags [P.], seq 0:348, ack 1, win 256, length 348: HTTP: GET /pctuneupsuite.com/filesdownload/PCTuneUpWiFiHotspotCreator_IS.exe HTTP/1.1
GET /pctuneupsuite.com/filesdownload/PCTuneUpWiFiHotspotCreator_IS.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: www.downloadonic.com
Connection: Keep-Alive

2016-10-27 19:39:26.684291 IP 192.168.1.102.55768 > 184.173.227.119.80: Flags [.], ack 1, win 256, options [nop,nop,sack 1 {1461:2921}], length 0

2016-10-27 19:39:40.320312 IP 192.168.1.102.55769 > 52.2.72.151.80: Flags [P.], seq 0:214, ack 1, win 256, length 214: HTTP: POST /?v=2.0&subver=6.21&pcrc=2064493350 HTTP/1.1
POST /?v=2.0&subver=6.21&pcrc=2064493350 HTTP/1.1
Accept: */*
Host: rp.didided1.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)
Content-Length: 2064
Cache-Control: no-cache

2016-10-27 19:39:40.321074 IP 192.168.1.102.55769 > 52.2.72.151.80: Flags [P.], seq 214:1674, ack 1, win 256, length 1460: HTTP

2016-10-27 19:39:40.889276 IP 192.168.1.102.55770 > 54.68.115.170.80: Flags [P.], seq 0:168, ack 1, win 256, length 168: HTTP: POST /FusionFreeAudioVideo/?v=6.0&c=610669024&t=398890 HTTP/1.1
POST /FusionFreeAudioVideo/?v=6.0&c=610669024&t=398890 HTTP/1.1
Accept: */*
Host: os.didided1.com
User-Agent: ICAS
Content-Length: 1600
Cache-Control: no-cache

2016-10-27 19:39:40.889297 IP 192.168.1.102.55770 > 54.68.115.170.80: Flags [P.], seq 168:1628, ack 1, win 256, length 1460: HTTP

2016-10-27 19:39:40.932824 IP 192.168.1.102.55771 > 165.193.78.234.80: Flags [P.], seq 0:106, ack 1, win 256, length 106: HTTP: GET /packages/VR/PackageV.exe HTTP/1.0
GET /packages/VR/PackageV.exe HTTP/1.0
Host: post.securestudies.com
User-Agent: InnoTools_Downloader

2016-10-27 19:42:47.932326 IP 192.168.1.102.55785 > 165.193.78.234.80: Flags [P.], seq 0:257, ack 1, win 256, length 257: HTTP: POST /TapAction.aspx?campaign_id=835&tpi=PCTuneUpWiFiHotspotCreator_IS&action_id=1&uid=jfk_YD1kku5Hj7W9N55555 HTTP/1.0
POST /TapAction.aspx?campaign_id=835&tpi=PCTuneUpWiFiHotspotCreator_IS&action_id=1&uid=jfk_YD1kku5Hj7W9N55555 HTTP/1.0
Host: post.securestudies.com
User-Agent: InnoTools_Downloader
Content-Type: Application/octet-stream
Content-Length: 11

RK web call
2016-10-27 19:42:47.991700 IP 192.168.1.102.55785 > 165.193.78.234.80: Flags [.], ack 241, win 255, length 0
2016-10-27 19:42:47.992217 IP 192.168.1.102.55785 > 165.193.78.234.80: Flags [F.], seq 257, ack 241, win 255, length 0

2016-10-27 19:42:48.909219 IP 192.168.1.102.55787 > 199.58.87.155.80: Flags [P.], seq 0:230, ack 1, win 256, length 230: HTTP: GET /ofr/Nininininon/Nininininon_11Apr16.cis HTTP/1.1
GET /ofr/Nininininon/Nininininon_11Apr16.cis HTTP/1.1
Range: bytes=0-19488
Accept: */*
Host: cdnus.didided1.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)
Connection: Keep-Alive

2016-10-27 19:42:48.932162 IP 192.168.1.102.55787 > 199.58.87.155.80: Flags [.], ack 1, win 256, options [nop,nop,sack 1 {540:2000}], length 0

2016-10-27 19:42:52.983717 IP 192.168.1.102.55787 > 199.58.87.155.80: Flags [P.], seq 230:456, ack 20029, win 254, length 226: HTTP: GET /ofr/Malaromoro/Malaromoro_170515.cis HTTP/1.1
GET /ofr/Malaromoro/Malaromoro_170515.cis HTTP/1.1
Range: bytes=0-8736
Accept: */*
Host: cdnus.didided1.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)
Connection: Keep-Alive
