RIG Exploit Kit Flash Vulnerability Cerber Ransomware Callback C2 Traffic Sample PCAP file download

2016-06-25 10:46:51.683110 IP 192.168.2.202.49202 > 95.39.26.205.80: Flags [P.], seq 1:280, ack 1, win 16537, length 279: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: https://www.bing.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: oxitgrup.com
Connection: Keep-Alive

2016-06-25 10:46:51.842650 IP 95.39.26.205.80 > 192.168.2.202.49202: Flags [.], ack 280, win 123, length 0
2016-06-25 10:46:52.210169 IP 95.39.26.205.80 > 192.168.2.202.49202: Flags [.], seq 1:1351, ack 280, win 123, length 1350: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Sat, 25 Jun 2016 14:46:58 GMT
Server: Apache
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 300e12e77226845accd9533abad68620=ht6cn2ajtppkcnfvoeqneu49s2; path=/; HttpOnly
Set-Cookie: cookiesDirective=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Last-Modified: Sat, 25 Jun 2016 14:46:58 GMT
X-Powered-By: PleskLin
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

2016-06-25 10:46:57.700992 IP 192.168.2.202.49268 > 46.30.47.137.80: Flags [P.], seq 1137:1774, ack 27835, win 16484, length 637: HTTP: GET /index.php?xHiNdbSYJRzOCoY=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7cbHEbk63F6kybhCc8p2xUSK7TNUmrkcBwlDs1kWnvvIBKqKp0N6RgBnEB_CbJQlqw-BF3H6PXl5gv2pHn4oieWX_PB8mJAmmA HTTP/1.1
GET /index.php?xHiNdbSYJRzOCoY=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7cbHEbk63F6kybhCc8p2xUSK7TNUmrkcBwlDs1kWnvvIBKqKp0N6RgBnEB_CbJQlqw-BF3H6PXl5gv2pHn4oieWX_PB8mJAmmA HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://ht.gone2vape.org/?xHiNdbSYJRzOCoY=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0v
x-flash-version: 19,0,0,245
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: ht.gone2vape.org
Connection: Keep-Alive

2016-06-25 10:46:57.882734 IP 192.168.2.202.49267 > 46.30.47.137.80: Flags [P.], seq 1:446, ack 1, win 16537, length 445: HTTP: GET /index.php?xHiNdbSYJRzOCoY=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7cbHEbk63F6kybhCc8p2xUSK7TNUmrkcBwlDs1kWnvvIBKqKp0N6RgBnEB_CbJQlqw-fECT6PXl5gv2pHn4oieWX_P58nZMu3lM&dfgsdf=293 HTTP/1.1
GET /index.php?xHiNdbSYJRzOCoY=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7cbHEbk63F6kybhCc8p2xUSK7TNUmrkcBwlDs1kWnvvIBKqKp0N6RgBnEB_CbJQlqw-fECT6PXl5gv2pHn4oieWX_P58nZMu3lM&dfgsdf=293 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: ht.gone2vape.org
Connection: Keep-Alive

2016-06-25 10:48:08.586417 IP 192.168.2.202.49330 > 54.84.252.139.80: Flags [P.], seq 1:40, ack 1, win 16537, length 39: HTTP: GET /json HTTP/1.1
GET /json HTTP/1.1
Host: ipinfo.io

2016-06-25 10:48:08.668116 IP 54.84.252.139.80 > 192.168.2.202.49330: Flags [.], ack 40, win 71, length 0
2016-06-25 10:48:08.909084 IP 54.84.252.139.80 > 192.168.2.202.49330: Flags [P.], seq 1:456, ack 40, win 71, length 455: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *

2016-06-25 10:48:19.477757 IP 192.168.2.202.49332 > 115.28.36.224.80: Flags [.], ack 1, win 16537, length 0
2016-06-25 10:48:19.477972 IP 192.168.2.202.49332 > 115.28.36.224.80: Flags [P.], seq 1:414, ack 1, win 16537, length 413: HTTP: GET /copyright/files/c.c HTTP/1.1
GET /copyright/files/c.c HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://ht.gone2vape.org/index.php?xHiNdbSYJRzOCoY=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdCh
x-flash-version: 19,0,0,245
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: www.doswf.com
Connection: Keep-Alive

2016-06-25 10:51:35.971048 IP 192.168.2.202.49338 > 45.35.86.57.80: Flags [P.], seq 1:287, ack 1, win 16537, length 286: HTTP: GET /G59D-E2E4-93B4-0073-BF32 HTTP/1.1
GET /G59D-E2E4-93B4-0073-BF32 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: cerberhhyed5frqa.as13fd.win
Connection: Keep-Alive

2016-06-25 10:51:36.675816 IP 192.168.2.202.49338 > 45.35.86.57.80: Flags [.], ack 346, win 16451, length 0
2016-06-25 10:51:36.676840 IP 192.168.2.202.49338 > 45.35.86.57.80: Flags [P.], seq 287:621, ack 346, win 16451, length 334: HTTP: GET /G59D-E2E4-93B4-0073-BF32/language HTTP/1.1
GET /G59D-E2E4-93B4-0073-BF32/language HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: cerberhhyed5frqa.as13fd.win
Connection: Keep-Alive
Cookie: _s=ve5c2lagnvhth5i7g21fdq6eo4
