Traffic Analysis Packet Sample: RIG Exploit Kit (EK) Loading Andromeda Malware (PCAP File Download)

2016-08-31 14:22:21.163167 IP 192.168.4.52.50437 > 91.215.216.7.80: Flags [P.], seq 1:253, ack 1, win 16537, length 252: HTTP: GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: carstvo-maloe.com
Connection: Keep-Alive


2016-08-31 14:22:27.312188 IP 192.168.4.52.50453 > 194.165.16.202.80: Flags [.], ack 1, win 16537, length 0
2016-08-31 14:22:27.312289 IP 192.168.4.52.50452 > 194.165.16.202.80: Flags [P.], seq 1:392, ack 1, win 16537, length 391: HTTP: GET /solkqktkreefic9ne-lpd-1oc0lmemotbcmp0sp-ltpfnbflnoa-e4a9macmdrn-ofmdoa4s0pk6p1a-ipefftnt7ci4omcrfl9ert8akomrrpmapfa/ HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://carstvo-maloe.com/
x-flash-version: 16,0,0,235
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: usymi.xyz
Connection: Keep-Alive

 

2016-08-31 14:22:30.298732 IP 192.168.4.52.50458 > 185.117.72.55.80: Flags [.], ack 2320, win 16537, length 0
2016-08-31 14:22:30.313117 IP 192.168.4.52.50458 > 185.117.72.55.80: Flags [P.], seq 454:1097, ack 2320, win 16537, length 643: HTTP: GET /index.php?xXqAdLSdJRfPAoY=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpaB9BGNN1tC_ZOVHLA-3Vqkx7gWcM0gwheE7jdVz-ofQFFT6wkZjuyeV7PC7kpzXlBxFlvbJN0sohfQDmK1JDEqi_CyRzh-1g HTTP/1.1
Accept: */*
Referer: http://ucllxmt62.top/?xXqAdLSdJRfPAoY=l3SKfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpaB9BGNN1tC_ZOVHLA-3Vqkx7gWcM0gwheE7jdVz-ofQFFd
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: ucllxmt62.top
Connection: Keep-Alive


2016-08-31 14:22:33.586623 IP 192.168.4.52.50458 > 185.117.72.55.80: Flags [.], ack 48489, win 16470, length 0
2016-08-31 14:22:33.752678 IP 192.168.4.52.50458 > 185.117.72.55.80: Flags [P.], seq 1097:1526, ack 48489, win 16470, length 429: HTTP: GET /index.php?xXqAdLSdJRfPAoY=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpaB9BGNN1tC_ZOVHLA-3Vqkx7gWcM0gwheE7jdVz-ofQFFT6wkZjuyeV7PC7kpzXlBvEQ7bJN0sohfQDmK1JDEqi_a9QTJykKM&dfgsdf=25 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: ucllxmt62.top
Connection: Keep-Alive

2016-08-31 14:23:29.642323 IP 192.168.4.52.50462 > 46.183.216.182.80: Flags [P.], seq 1:345, ack 1, win 16537, length 344: HTTP: POST /210/gate.php HTTP/1.1
Cache-Control: no-cache
Connection: close
Pragma: no-cache
Content-Type: application/octet-stream
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Content-Length: 73
Host: utoftor.com


2016-08-31 14:32:31.244329 IP 192.168.4.52.50466 > 46.183.216.182.80: Flags [.], ack 1, win 16537, length 0
2016-08-31 14:32:31.244495 IP 192.168.4.52.50466 > 46.183.216.182.80: Flags [P.], seq 1:345, ack 1, win 16537, length 344: HTTP: POST /210/gate.php HTTP/1.1
Cache-Control: no-cache
Connection: close
Pragma: no-cache
Content-Type: application/octet-stream
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Content-Length: 73
Host: utoftor.com

 
