Malware Traffic Packet Sample Analysis Rig Exploit Kit EK Smokebot Malware PCAP file download

2016-08-25 01:45:10.814346 IP 192.168.4.78.49197 > 66.175.58.9.80: Flags [P.], seq 1:253, ack 1, win 16537, length 252: HTTP: GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: artmedinsight.org
Connection: Keep-Alive

2016-08-25 01:45:15.297752 IP 192.168.4.78.49213 > 85.93.0.13.80: Flags [.], ack 1, win 16537, length 0
2016-08-25 01:45:15.297828 IP 192.168.4.78.49213 > 85.93.0.13.80: Flags [P.], seq 1:397, ack 1, win 16537, length 396: HTTP: GET /xaqatio8k1ffreedefi0pco4f6lketnteorasi8mr7pp8o-i-fp-0oabta2tbi-mnpdoprln6ospkparrrectfd3sip9leralprn7fbkerr4rcbdbrt0trd/ HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://artmedinsight.org/
x-flash-version: 16,0,0,235
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: oveced.xyz
Connection: Keep-Alive

2016-08-25 01:45:15.659220 IP 192.168.4.78.49213 > 85.93.0.13.80: Flags [F.], seq 397, ack 5603, win 16487, length 0
2016-08-25 01:45:15.780451 IP 192.168.4.78.49214 > 85.93.0.13.80: Flags [P.], seq 1:417, ack 1, win 16537, length 416: HTTP: GET /xaqatio8k1ffreedefi0pco4f6lketnteorasi8mr7pp8o-i-fp-0oabta2tbi-mnpdoprln6ospkparrrectfd3sip9leralprn7fbkerr4rcbdbrt0trd/cwbhrwlpux.jpeg HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://artmedinsight.org/
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: oveced.xyz

2016-08-25 01:48:31.744341 IP 192.168.4.78.49244 > 104.36.80.16.80: Flags [P.], seq 292:588, ack 296, win 16463, length 296: HTTP: GET /57D5-D0AA-258F-007E-DB8E/intro?nst HTTP/1.1
Connection: Keep-Alive
Accept: text/html, application/xhtml+xml, */*
Accept-Encoding: gzip, deflate
Accept-Language: en-GB
Host: 4kqd3hmqgptupi3p.8kcfnk.bid
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

2016-08-25 01:48:32.440462 IP 192.168.4.78.49244 > 104.36.80.16.80: Flags [.], ack 1518, win 16537, length 0
2016-08-25 01:48:32.468800 IP 192.168.4.78.49244 > 104.36.80.16.80: Flags [P.], seq 588:974, ack 1518, win 16537, length 386: HTTP: GET /57D5-D0AA-258F-007E-DB8E/language?t=42481438 HTTP/1.1
Connection: Keep-Alive
Accept: text/html, application/xhtml+xml, */*
Accept-Encoding: gzip, deflate
Accept-Language: en-GB
Host: 4kqd3hmqgptupi3p.8kcfnk.bid
Referer: http://4kqd3hmqgptupi3p.8kcfnk.bid/57D5-D0AA-258F-007E-DB8E/intro?nst
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
