Zegost/Bjlog 43.252.163.135.8086 www.5173book.com Malware Crimeware PCAP file download Traffic Sample Analysis

2017-05-21 15:47:58.953388 IP 192.168.1.102.55351 > 192.168.1.100.55555: Flags [P.], seq 1:400, ack 1, win 2053, length 399
E…..@…m@…f…d.7….+..n..P….i..GET /he.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: 192.168.1.100:55555
Connection: Keep-Alive

2017-05-21 15:47:58.953406 IP 192.168.1.100.55555 > 192.168.1.102.55351: Flags [.], ack 400, win 237, length 0
E..(.X@.@..\…d…f…7.n….,.P….5..
2017-05-21 15:47:58.953674 IP 192.168.1.100.55555 > 192.168.1.102.55351: Flags [.], seq 1:2921, ack 400, win 237, length 2920
E….Y@.@……d…f…7.n….,.P…….HTTP/1.1 200 OK
Date: Sun, 21 May 2017 19:47:58 GMT
Server: Apache/2.4.18 (Debian)
Last-Modified: Sun, 21 May 2017 19:47:36 GMT
ETag: “331e8-5500e06c39ad1”
Accept-Ranges: bytes
Content-Length: 209384
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program

2017-05-21 15:48:21.851176 IP 192.168.1.102.55771 > 75.75.75.75.53: 45666+ A? www.5173book.com. (34)
E..>”……p…fKKKK…5.*…b………..www.5173book.com…..
2017-05-21 15:48:21.912078 IP 192.168.1.102.55772 > 75.75.75.75.53: 14531+ A? conf.f.360.cn. (31)
E..;”……r…fKKKK…5.’..8…………conf.f.360.cn…..
2017-05-21 15:48:22.172662 IP 192.168.1.102.55352 > 43.252.163.135.8086: Flags [S], seq 3341920473, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4j.@….s…f+….8…1…….. .U……………
2017-05-21 15:48:22.941885 IP 192.168.1.102.55352 > 43.252.163.135.8086: Flags [S], seq 3341920473, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4j.@….r…f+….8…1…….. .U……………
2017-05-21 15:48:23.712863 IP 192.168.1.102.55352 > 43.252.163.135.8086: Flags [S], seq 3341920473, win 8192, options [mss 1460,nop,nop,sackOK], length 0
E..0j.@….u…f+….8…1……p. .i………..
2017-05-21 15:48:24.462699 IP 192.168.1.102.55353 > 43.252.163.135.8086: Flags [S], seq 1743823324, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4j.@….p…f+….9..g……… ……………..
2017-05-21 15:48:25.232407 IP 192.168.1.102.55353 > 43.252.163.135.8086: Flags [S], seq 1743823324, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4j.@….o…f+….9..g……… ……………..
2017-05-21 15:48:26.018872 IP 192.168.1.102.55353 > 43.252.163.135.8086: Flags [S], seq 1743823324, win 8192, options [mss 1460,nop,nop,sackOK], length 0
E..0j.@….r…f+….9..g…….p. ………….
2017-05-21 15:48:26.768121 IP 192.168.1.102.55354 > 43.252.163.135.8086: Flags [S], seq 2200689634, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4j.@….m…f+….:…+…….. .f……………
2017-05-21 15:48:27.522776 IP 192.168.1.102.55354 > 43.252.163.135.8086: Flags [S], seq 2200689634, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4j.@….l…f+….:…+…….. .f……………
2017-05-21 15:48:28.271503 IP 192.168.1.102.55354 > 43.252.163.135.8086: Flags [S], seq 2200689634, win 8192, options [mss 1460,nop,nop,sackOK], length 0
E..0j.@….o…f+….:…+……p. .z………..