INFO
Changes settings of System certificates: rundll32.exe (PID: 2164)
Connects to CnC server: rundll32.exe (PID: 2164)
Loads dropped or rewritten executable: regsvr32.exe (PID: 2852), regsvr32.exe (PID: 3052), regsvr32.exe (PID: 1660
2020-02-16 10:55:07.432210 IP 192.168.4.88.49367 > 35.168.149.183.80: Flags [P.], seq 1:259, ack 1, win 258, length 258: HTTP: GET /go/255951/527805 HTTP/1.1
GET /go/255951/527805 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: ps.popcash.net
Connection: Keep-Alive

2020-02-16 10:55:07.432941 IP 192.168.4.88.49368 > 35.168.149.183.80: Flags [.], ack 1, win 258, length 0
2020-02-16 10:55:07.632809 IP 35.168.149.183.80 > 192.168.4.88.49367: Flags [.], ack 259, win 237, length 0
2020-02-16 10:55:07.933694 IP 35.168.149.183.80 > 192.168.4.88.49367: Flags [P.], seq 1:480, ack 259, win 237, length 479: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Sun, 16 Feb 2020 14:55:06 GMT
Content-Type: text/html
Transfer-Encoding: chunked

2020-02-16 10:55:08.004425 IP 192.168.4.88.49367 > 35.168.149.183.80: Flags [P.], seq 259:610, ack 480, win 257, length 351: HTTP: GET /ad/ad?p=255951&w=527805&t=33313f818c658993&r=&vw=1024&vh=674 HTTP/1.1
GET /ad/ad?p=255951&w=527805&t=33313f818c658993&r=&vw=1024&vh=674 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://ps.popcash.net/go/255951/527805
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: ps.popcash.net
Connection: Keep-Alive

2020-02-16 10:55:08.260806 IP 35.168.149.183.80 > 192.168.4.88.49367: Flags [.], ack 610, win 245, length 0
2020-02-16 10:55:08.902319 IP 35.168.149.183.80 > 192.168.4.88.49367: Flags [P.], seq 480:735, ack 610, win 245, length 255: HTTP: HTTP/1.1 303 See Other
HTTP/1.1 303 See Other
Date: Sun, 16 Feb 2020 14:55:07 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 54
Connection: keep-alive
Server: nginx
Location: https://mt.coolsite.best/?u
2020-02-16 10:55:12.115085 IP 167.88.61.197.443 > 192.168.4.88.49370: Flags [.], seq 1:1327, ack 168, win 237, length 1326
(TLS ServerHello and Certificate from the redirect target. Readable strings in the payload: "DOWNGRD" in the ServerHello random, which is the TLS 1.3 downgrade-protection marker a 1.3-capable server writes when it negotiates 1.2 or lower; certificate issuer C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3; validity 200215024411Z to 200515024411Z, i.e. issued the day before this capture; subject CN=mt.coolsite.best.)

2020-02-16 10:55:19.276699 IP 192.168.4.88.49371 > 38.114.114.125.443: Flags [P.], seq 1:169, ack 1, win 258, length 168
(TLS ClientHello; server_name extension: user.shorico.club)
2020-02-16 10:55:19.277226 IP 192.168.4.88.49372 > 38.114.114.125.443: Flags [.], ack 1, win 258, length 0
2020-02-16 10:55:19.277488 IP 192.168.4.88.49372 > 38.114.114.125.443: Flags [P.], seq 1:169, ack 1, win 258, length 168
(TLS ClientHello on a second connection; server_name extension: user.shorico.club)
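The chain above (ad-network GET, 303 to mt.coolsite.best, then TLS to user.shorico.club) has to be pieced together from HTTP headers and from a hostname buried in binary ClientHello bytes that tcpdump -A only half prints. The following Python is an added example, not code from the original post: it parses raw TCP payloads for the HTTP Host and path, the 3xx Location target, and the server_name (SNI) extension of a TLS ClientHello, and walks a payload sequence into the list of hosts contacted. The sample payloads are constructed to mirror the capture; the full Location URL of the 303 is an assumption, since the page shows it truncated.

```python
"""Recover network indicators (HTTP Host/path, 3xx Location, TLS SNI) from raw
TCP payloads. Added example; the sample bytes are constructed, not the capture."""
import struct
from typing import Optional
from urllib.parse import urlparse


def build_client_hello(sni: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello carrying a server_name extension
    (RFC 6066). Used only to produce realistic test input."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type=host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    groups = struct.pack("!HH", 2, 0x001D)                            # supported_groups: x25519
    groups_ext = struct.pack("!HH", 0x000A, len(groups)) + groups
    exts = groups_ext + sni_ext                                       # SNI deliberately not first
    suites = struct.pack("!HHH", 0xC02F, 0xC030, 0x009C)
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                      # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                             # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(payload: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension, or
    None if the payload is not a ClientHello, is truncated, or has no SNI."""
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    pos = 5 + 4 + 2 + 32                                    # record hdr, handshake hdr, version, random
    pos += 1 + payload[pos]                                 # session_id
    if pos + 2 > len(payload):
        return None
    pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]  # cipher_suites
    if pos + 1 > len(payload):
        return None
    pos += 1 + payload[pos]                                 # compression_methods
    if pos + 2 > len(payload):
        return None
    ext_len = struct.unpack("!H", payload[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(payload))
    while pos + 4 <= end:                                   # walk extensions until server_name
        etype, elen = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        if etype == 0x0000 and pos + elen <= end and elen >= 5:
            name_len = struct.unpack("!H", payload[pos + 3:pos + 5])[0]  # skip list_len, name_type
            return payload[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += elen
    return None


def http_indicators(payload: bytes) -> Optional[dict]:
    """Parse the start line and headers of an HTTP/1.x request or response."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2:
        return None
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    if parts[0].startswith("HTTP/") and parts[1].isdigit():
        return {"kind": "response", "status": int(parts[1]), "location": headers.get("location")}
    if parts[0].isalpha() and parts[0].isupper():
        return {"kind": "request", "method": parts[0], "path": parts[1],
                "host": headers.get("host"), "user_agent": headers.get("user-agent")}
    return None


def redirect_chain(payloads) -> list:
    """Walk payloads in capture order and list each host reached: HTTP Host
    headers, 3xx Location targets and TLS SNI, collapsing consecutive repeats."""
    chain = []

    def add(host):
        if host and (not chain or chain[-1] != host):
            chain.append(host)

    for p in payloads:
        sni = extract_sni(p)
        if sni:
            add(sni)
            continue
        info = http_indicators(p)
        if info is None:
            continue
        if info["kind"] == "request":
            add(info["host"])
        elif 300 <= info["status"] < 400 and info["location"]:
            add(urlparse(info["location"]).hostname)
    return chain


# Constructed sample payloads in the order of the capture above. The 303
# Location is an assumption (the page shows it truncated).
SAMPLE_PAYLOADS = [
    b"GET /go/255951/527805 HTTP/1.1\r\nAccept: text/html, application/xhtml+xml, */*\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\r\n"
    b"Host: ps.popcash.net\r\nConnection: Keep-Alive\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nTransfer-Encoding: chunked\r\n\r\n",
    b"GET /ad/ad?p=255951&w=527805 HTTP/1.1\r\nReferer: http://ps.popcash.net/go/255951/527805\r\n"
    b"Host: ps.popcash.net\r\n\r\n",
    b"HTTP/1.1 303 See Other\r\nServer: nginx\r\nLocation: https://mt.coolsite.best/\r\n\r\n",
    build_client_hello("mt.coolsite.best"),
    build_client_hello("user.shorico.club"),
]

if __name__ == "__main__":
    print(" -> ".join(redirect_chain(SAMPLE_PAYLOADS)))
```

Feeding real payloads (e.g. the TCP data of each packet pulled from the pcap with scapy or dpkt) into redirect_chain gives the same host list the dump above shows only in fragments; extract_sni returns None on a truncated ClientHello rather than reading past the end, which matters when tcpdump was run with a snaplen.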