
Thunder Adware PUP PCAP File Download Traffic Analysis Sample xunlei_118827.exe

Download: 1 pcap xunlei (added October 28, 2016 3:40 am by admin; file size 1 MB; 117 downloads)
SHA256: bf1cf754ad5f5f3560047b8eeb784c72bf79a042dec4d50d033e32912a7b19b6
File name: xunlei_118827.exe
Detection ratio: 35 / 56
Analysis date: 2016-10-28 03:31:01 UTC
AVware Trojan.Win32.Generic!BT 20161027
Ad-Aware Adware.Thunder.E 20161028
AegisLab Troj.Gen!c 20161028
AhnLab-V3 PUP/Win32.Helper.R188024 20161027
Arcabit Adware.Thunder.E 20161028
BitDefender Adware.Thunder.E 20161028
Comodo UnclassifiedMalware 20161028
CrowdStrike Falcon (ML) malicious_confidence_76% (W) 20161024
Cyren W32/Adware.AOGL-3044 20161028
DrWeb Adware.Downware.2436 20161028
ESET-NOD32 a variant of Win32/RiskWare.ThunderHelper.A 20161028
Emsisoft Adware.Thunder.E (B) 20161028
F-Prot W32/Adware.ALLT 20161028
F-Secure Adware.Thunder.E 20161028
Fortinet Bfr.FJ!tr 20161028
GData Adware.Thunder.E 20161028
Invincea backdoor.win32.dunsenr.b 20161018
K7AntiVirus Riskware ( 0040eff71 ) 20161025

2016-10-27 20:13:00.327418 IP 192.168.1.102.56001 > 61.147.75.43.80: Flags [P.], seq 0:292, ack 1, win 256, length 292: HTTP: GET /xunlei_118827.exe HTTP/1.1
E..L=.@…p….f=.K+…P..wv4)O.P…g<..GET /xunlei_118827.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: www.pf11.com
Connection: Keep-Alive

2016-10-27 20:13:00.582113 IP 192.168.1.102.56001 > 61.147.75.43.80: Flags [.], ack 1073, win 252, length 0
E..(=.@…r….f=.K+…P..x.4)T.P….”……..

E..(>M@…q….f=.K+…P}./..[..P…]e……..
2016-10-27 20:13:08.057545 IP 192.168.1.102.56002 > 61.147.75.43.80: Flags [P.], seq 0:220, ack 1, win 256, length 220: HTTP: GET /html/index.asp HTTP/1.1
E…>N@…p….f=.K+…P}./..[..P…….GET /html/index.asp HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: m.pf11.com
Connection: Keep-Alive

2016-10-27 20:13:08.307815 IP 192.168.1.102.56002 > 61.147.75.43.80: Flags [P.], seq 220:491, ack 409, win 255, length 271: HTTP: GET /index.html HTTP/1.1
E..7>O@…p….f=.K+…P}.0h.[.=P…….GET /index.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: m.pf11.com
Connection: Keep-Alive
Cookie: ASPSESSIONIDSAQBRRAC=JBCFOGDBBPAIPFJMNJCNJFDM

2016-10-27 20:13:08.556954 IP 192.168.1.102.56002 > 61.147.75.43.80: Flags [.], ack 1481, win 256, length 0

E..4>\@…q….f=.K+…P.9I……. ..t…………..
2016-10-27 20:13:09.342501 IP 192.168.1.102.56002 > 61.147.75.43.80: Flags [P.], seq 491:803, ack 12265, win 256, length 312: HTTP: GET /homepage.asp HTTP/1.1
E..`>]@…pn…f=.K+…P}.1w.[..P…V…GET /homepage.asp HTTP/1.1
Accept: */*
Referer: http://m.pf11.com/index.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: m.pf11.com
Connection: Keep-Alive
Cookie: ASPSESSIONIDSAQBRRAC=JBCFOGDBBPAIPFJMNJCNJFDM

2016-10-27 20:13:09.587021 IP 192.168.1.102.56004 > 61.147.75.43.80: Flags [P.], seq 0:309, ack 1, win 256, length 309: HTTP: GET /json3.asp HTTP/1.1
E..]>_@…po…f=.K+…P.9I…..P…….GET /json3.asp HTTP/1.1
Accept: */*
Referer: http://m.pf11.com/index.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: m.pf11.com
Connection: Keep-Alive
Cookie: ASPSESSIONIDSAQBRRAC=JBCFOGDBBPAIPFJMNJCNJFDM


E..(>d@…q….f=.K+…P}.2..[.LP………….
2016-10-27 20:13:09.636681 IP 192.168.1.102.56002 > 61.147.75.43.80: Flags [P.], seq 803:1115, ack 17064, win 251, length 312: HTTP: GET /xl_login.asp HTTP/1.1
E..`>e@…pf…f=.K+…P}.2..[.LP…0…GET /xl_login.asp HTTP/1.1
Accept: */*
Referer: http://m.pf11.com/index.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: m.pf11.com
Connection: Keep-Alive
Cookie: ASPSESSIONIDSAQBRRAC=JBCFOGDBBPAIPFJMNJCNJFDM


E..(AH@….L…f.dJ….PK.2V….P………….
2016-10-27 20:13:09.655618 IP 192.168.1.102.56005 > 202.100.74.200.80: Flags [P.], seq 0:281, ack 1, win 256, length 281: HTTP: GET /stat.php?id=5808533&web_id=5808533 HTTP/1.1
E..AAI@….2…f.dJ….PK.2V….P…)…GET /stat.php?id=5808533&web_id=5808533 HTTP/1.1
Accept: */*
Referer: http://m.pf11.com/index.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: s13.cnzz.com
Connection: Keep-Alive

2016-10-27 20:13:40.614387 IP 192.168.1.102.56023 > 66.198.178.112.80: Flags [P.], seq 0:205, ack 1, win 256, length 205: HTTP: GET /down/4682/Browser_V5.7.16173.12_r_4682_(Build1610201330).exe HTTP/1.1
E…..@…5….fB..p…P..W…! P…….GET /down/4682/Browser_V5.7.16173.12_r_4682_(Build1610201330).exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: umcdn.uc.cn
Connection: Keep-Alive
