

QQ1.exe api.baizhu.cc Adware/PUP/Malware Riskware Traffic Analysis PCAP file download sample

Download Attachments

  • Attachment: 1 pcap (qq)
    Date added: October 26, 2016 5:32 am. Added by: admin. File size: 1 MB. Downloads: 93
SHA256: 775c7bd9e820c4dfd0fabdfeade2de901414bd46d2691ea5020a818f6a42eb83
File name: QQ1.exe
Detection ratio: 42 / 56
Analysis date: 2016-10-26 22:04:27 UTC

Antivirus     Result                                               Update
ALYac         Gen:Variant.Strictor.112384                          20161026
AVG           AdPlugin.UTN                                         20161026
AVware        Trojan.Win32.Generic!BT                              20161026
Ad-Aware      Gen:Variant.Strictor.112384                          20161026
AegisLab      Gen.Variant.Strictor!c                               20161026
AhnLab-V3     PUP/Win32.Qjwmonkey.R187306                          20161026
Antiy-AVL     RiskWare[Downloader:not-a-virus]/Win32.Agent         20161026
Arcabit       Trojan.Strictor.D1B700                               20161026

 

2016-10-26 00:13:19.381515 IP 192.168.1.102.61873 > 222.186.161.72.80: Flags [P.], seq 0:289, ack 1, win 256, length 289: HTTP: GET /down/QQ1.exe HTTP/1.1
E..I}.@…:….f…H…PuMz.XKi.P…….GET /down/QQ1.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: url.d9soft.com
Connection: Keep-Alive

2016-10-26 00:13:19.488419 IP 192.168.1.102.61664 > 75.75.76.76.53: 941+ A? url.d9soft.com. (32)
E..<

E..(.;@…Y….f…….P…{F.L/P….I……..
2016-10-26 00:13:39.775088 IP 192.168.1.102.61874 > 8.254.208.158.80: Flags [P.], seq 0:240, ack 1, win 256, length 240: HTTP: GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
E….<@…X….f…….P…{F.L/P….7..GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: www.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

2016-10-26 00:13:57.277804 IP 192.168.1.102.61879 > 120.26.109.229.80: Flags [P.], seq 0:212, ack 1, win 256, length 212: HTTP: POST /api/getdown HTTP/1.1
E…7.@……..fx.m….P…….FP….U..POST /api/getdown HTTP/1.1
Host: api.baizhu.cc
Content-Length: 22
Connection:close
Accept-Language: zh-cn
Cache-Conbtrol:no-cache
Content-Type:application/x-www-form-urlencoded

&appid=1&sid=360&ver=2

2016-10-26 00:13:57.677329 IP 192.168.1.102.65166 > 75.75.76.76.53: 64390+ A? api.baizhu.cc. (31)

E..(.o@…_….fh.l….PX.p..AN.P………….
2016-10-26 00:13:58.656691 IP 192.168.1.102.61880 > 104.192.108.18.80: Flags [P.], seq 0:290, ack 1, win 256, length 290: HTTP: GET /partner/Inst13__3112087__3f7372633d6c6d266c733d6e31343463316364383939__68616f2e3336302e636e__0c70.exe HTTP/1.1
E..J.p@…^]…fh.l….PX.p..AN.P…ux..GET /partner/Inst13__3112087__3f7372633d6c6d266c733d6e31343463316364383939__68616f2e3336302e636e__0c70.exe HTTP/1.1
Host: dl2.360safe.com
Accept:*/*
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Connection:close
Cache-Control: no-cache
Cookie:

2016-10-26 00:13:58.765153 IP 192.168.1.102.61880 > 104.192.108.18.80: Flags [.], ack 1, win 256, options [nop,nop,sack 1 {293:1753}], length 0
E..4.q@…_r…fh.l….PX.q..AN…… …..

E..(Y.@…]….fy……PvGa…0&P………….
2016-10-26 00:14:00.071491 IP 192.168.1.102.61881 > 121.29.8.212.80: Flags [P.], seq 0:188, ack 1, win 256, length 188: HTTP: GET /baizhu.zip HTTP/1.1
E…Y   @…]….fy……PvGa…0&P…a…GET /baizhu.zip HTTP/1.1
Host: cdn.baizhu.cc
Accept:*/*
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Connection:close
Cache-Control: no-cache

 

2016-10-26 00:14:39.157576 IP 192.168.1.102.61886 > 125.76.247.199.80: Flags [P.], seq 861:1148, ack 3846, win 251, length 287: HTTP: GET /core.php?web_id=1259684198&t=z HTTP/1.1
E..GT.@…m….f}L…..P. ….e.P…u…GET /core.php?web_id=1259684198&t=z HTTP/1.1
Accept: */*
Referer: http://cdn.baizhu.cc/youxi/index_1_2.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: c.cnzz.com
Connection: Keep-Alive

2016-10-26 00:14:39.158505 IP 192.168.1.102.61894 > 42.156.140.84.80: Flags [S], seq 3498221479, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

E..(1.@…P….f*..T…P+.”8…aP..<……….
2016-10-26 00:14:39.174516 IP 192.168.1.102.61893 > 42.156.140.84.80: Flags [P.], seq 0:373, ack 1, win 65340, length 373: HTTP: GET /stat.htm?id=1259961501&r=&lg=en-us&ntime=none&cnzz_eid=1085063149-1477454399-&showp=1920x1080&t=&h=1&rnd=1356346624 HTTP/1.1
E…1.@…N….f*..T…P+.”8…aP..<….GET /stat.htm?id=1259961501&r=&lg=en-us&ntime=none&cnzz_eid=1085063149-1477454399-&showp=1920x1080&t=&h=1&rnd=1356346624 HTTP/1.1
Accept: */*
Referer: http://cdn.baizhu.cc/youxi/index_1_2.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: z4.cnzz.com
Connection: Keep-Alive

 
