Dapato Malware WisdomEyes Trojan Dropper Click Fraud PCAP file download traffic sample

SHA256:	aaba7017a475552902d747b430c8c3effb23dd9713976fe279485bcfc4d357ec
File name:	2015020704.exe
Detection ratio:	24 / 56
Analysis date:	2016-10-28 00:28:11 UTC ( 0 minutes ago )

AVware	Trojan.Win32.Generic!BT	20161027
AegisLab	Troj.Dropper.W32.Dapato.exbc!c	20161027
AhnLab-V3	ASD.Reputation.N1432989411	20161027
Avira (no cloud)	TR/Agent.2337663	20161027
Baidu	Win32.Trojan.WisdomEyes.16070401.9500.9747	20161027
CrowdStrike Falcon (ML)	malicious_confidence_68% (D)	20161024
Cyren	W32/Trojan.UQPX-5961	20161028
DrWeb	Trojan.Click3.8961	20161028
GData	Win32.Trojan.Agent.YLNA6J	20161027
K7AntiVirus	Riskware ( 0040eff71 )	20161025
K7GW	Riskware ( 0040eff71 )	20161027
Kaspersky	Trojan-Dropper.Win32.Dapato.exbc	20161028
McAfee	Artemis!A6BA7BE5D243	20161028
McAfee-GW-Edition	BehavesLike.Win32.Downloader.vc	20161028
NANO-Antivirus	Trojan.Win32.Click3.dgkmxz	20161028

2016-10-27 18:32:14.653178 IP 192.168.1.102.55182 > 162.159.210.98.80: Flags [P.], seq 0:315, ack 1, win 256, length 315: HTTP: GET /soft/UploadFile/201502/win7/2015020704.exe HTTP/1.1
E..c0.@……..f…b…Pz.Ep^…P….?..GET /soft/UploadFile/201502/win7/2015020704.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: pic.pp3.cn
Connection: Keep-Alive

2016-10-27 18:32:14.727264 IP 192.168.1.102.55161 > 104.211.224.23.80: Flags [.], ack 2, win 255, length 0
E..(Vc@….s…fh….y.PA.j\'[e.P………….
—
E..(Kc@……..f4……P….7.a!P…o………
2016-10-27 18:32:45.485148 IP 192.168.1.102.55191 > 52.203.206.16.80: Flags [P.], seq 0:704, ack 1, win 256, length 704: HTTP: GET /?product=firefox-48.0.2-complete&os=win&lang=en-US HTTP/1.1
E…Kd@……..f4……P….7.a!P….I..GET /?product=firefox-48.0.2-complete&os=win&lang=en-US HTTP/1.1
Host: download.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Range: bytes=1200000-1499999
Cookie: optimizelyEndUserId=oeu1467151488014r0.33409587144074915; optimizelySegments=%7B%22245875585%22%3A%22direct%22%2C%222427280098%22%3A%22true%22%2C%22245617832%22%3A%22none%22%2C%22246048108%22%3A%22false%22%2C%22245677587%22%3A%22ff%22%2C%22869421433%22%3A%22true%22%2C%221867940538%22%3A%22true%22%7D; optimizelyBuckets=%7B%7D; _ga=GA1.2.1371564214.1467151489
Connection: keep-alive

2016-10-27 18:32:45.558251 IP 192.168.1.102.55191 > 52.203.206.16.80: Flags [.], ack 419, win 255, length 0
—
E..(U.@….~…fh..B…P.(.k:…P…&………
2016-10-27 18:32:49.817217 IP 192.168.1.102.55194 > 104.31.221.66.80: Flags [P.], seq 0:293, ack 1, win 256, length 293: HTTP: GET /xp/index.htm HTTP/1.1
E..MU.@….X…fh..B…P.(.k:…P…$…GET /xp/index.htm HTTP/1.1
Host: www.51ztzj.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

2016-10-27 18:32:49.845524 IP 192.168.1.102.53306 > 75.75.75.75.53: 65354+ AAAA? www.51ztzj.com.cname.yunjiasu-cdn.net. (55)
E..S&……l…fKKKK.:.5.?n,.J………..www.51ztzj.com.cname.yunjiasu-cdn.net…..
—
E..(d.@…1a…fH.[….P..}.m.y.P………….
2016-10-27 18:32:50.337334 IP 192.168.1.102.55196 > 72.21.91.29.80: Flags [P.], seq 0:428, ack 1, win 256, length 428: HTTP: POST / HTTP/1.1
E…d/@…/….fH.[….P..}.m.y.P….(..POST / HTTP/1.1
Host: ocsp.digicert.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 83
Content-Type: application/ocsp-request
Connection: keep-alive

2016-10-27 18:35:22.174529 IP 192.168.1.102.55287 > 58.251.139.142.80: Flags [P.], seq 0:395, ack 1, win 261, length 395: HTTP: GET /index.php?c=follow&a=quick&name=ztzj51&style=5&t=1363834801736&f=1 HTTP/1.1
E…4.@…;….f:……PG.W..#.2P….y..GET /index.php?c=follow&a=quick&name=ztzj51&style=5&t=1363834801736&f=1 HTTP/1.1
Host: follow.v.t.qq.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.51ztzj.com/xp/index.htm
Connection: keep-alive

2016-10-27 18:35:26.741122 IP 192.168.1.102.55288 > 58.251.139.142.80: Flags [F.], seq 0, ack 1, win 261, length 0
E..(4.@…=N…f:……P.’.6..3.P………….
2016-10-27 18:35:28.559727 IP 192.168.1.102.55287 > 58.251.139.142.80: Flags [P.], seq 0:395, ack 1, win 261, length 395: HTTP: GET /index.php?c=follow&a=quick&name=ztzj51&style=5&t=1363834801736&f=1 HTTP/1.1
E…4.@…;….f:……PG.W..#.2P….y..GET /index.php?c=follow&a=quick&name=ztzj51&style=5&t=1363834801736&f=1 HTTP/1.1
Host: follow.v.t.qq.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.51ztzj.com/xp/index.htm
Connection: keep-alive

2016-10-27 18:35:39.413757 IP 192.168.1.102.55288 > 58.251.139.142.80: Flags [F.], seq 0, ack 1, win 261, length 0
E..(4.@…=L…f:……P.’.6..3.P………….
2016-10-27 18:35:41.328020 IP 192.168.1.102.55287 > 58.251.139.142.80: Flags [P.], seq 0:395, ack 1, win 261, length 395: HTTP: GET /index.php?c=follow&a=quick&name=ztzj51&style=5&t=1363834801736&f=1 HTTP/1.1
E…4.@…;….f:……PG.W..#.2P….y..GET /index.php?c=follow&a=quick&name=ztzj51&style=5&t=1363834801736&f=1 HTTP/1.1
Host: follow.v.t.qq.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.51ztzj.com/xp/index.htm
Connection: keep-alive