
Purple Fox Exploit Kit EK Fileless Malware PCAP Download Traffic Sample



2019-12-05 15:20:54.943651 IP 192.168.1.145.56441 > 18.214.175.230.80: Flags [P.], seq 1:328, ack 1, win 258, length 327: HTTP: GET /go/230299/477450 HTTP/1.1
E..o..@…b4………y.PbgP.JC:.P….e..GET /go/230299/477450 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: ps.popcash.net
Connection: Keep-Alive
Cookie: __cfduid=d41395b56de571502f14a5704988a2fdb1575573653

2019-12-05 15:20:54.944386 IP 192.168.1.145.56442 > 18.214.175.230.80: Flags [.], ack 1, win 258, length 0
E..(..@…cz………z.P.T….".P…C………
2019-12-05 15:20:55.250974 IP 18.214.175.230.80 > 192.168.1.145.56441: Flags [.], ack 328, win 237, length 0
E..(^.@.?.U……….P.yJC:.bgR5P…….
2019-12-05 15:20:55.763441 IP 18.214.175.230.80 > 192.168.1.145.56441: Flags [P.], seq 1:479, ack 328, win 237, length 478: HTTP: HTTP/1.1 200 OK
E…^.@.?.S4………P.yJC:.bgR5P…….HTTP/1.1 200 OK
Date: Thu, 05 Dec 2019 19:20:55 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx
Vary: Accept-Encoding
Content-Encoding: gzip

2019-12-05 15:20:55.809099 IP 192.168.1.145.56441 > 18.214.175.230.80: Flags [P.], seq 328:748, ack 479, win 257, length 420: HTTP: GET /ad/ad?p=230299&w=477450&t=4acc0220c1827579&r=&vw=1024&vh=674 HTTP/1.1
E…..@…a……….y.PbgR5JC<.P…NM..GET /ad/ad?p=230299&w=477450&t=4acc0220c1827579&r=&vw=1024&vh=674 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://ps.popcash.net/go/230299/477450
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: ps.popcash.net
Connection: Keep-Alive
Cookie: __cfduid=d41395b56de571502f14a5704988a2fdb1575573653

2019-12-05 15:20:56.069774 IP 18.214.175.230.80 > 192.168.1.145.56441: Flags [.], ack 748, win 245, length 0
E..(^.@.?.U……….P.yJC<.bgS.P…….
2019-12-05 15:20:56.594347 IP 18.214.175.230.80 > 192.168.1.145.56441: Flags [P.], seq 479:738, ack 748, win 245, length 259: HTTP: HTTP/1.1 303 See Other
E..+^.@.?.T……….P.yJC<.bgS.P…[…HTTP/1.1 303 See Other
Date: Thu, 05 Dec 2019 19:20:56 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 56
Connection: keep-alive
Server: nginx
Location: https://squeakycarworld.store

2019-12-05 15:20:57.710180 IP 192.168.1.145.56443 > 104.24.120.105.443: Flags [P.], seq 1:173, ack 1, win 258, length 172
E….$@…E…..h.xi.{….p..sE.P…%…………..].X…..ha.L..0.Wf…..S………..<./.=.5… .'…..+.#.,.$. . .@.2.j.8…….P…………..squeakycarworld.store………. …………………………….
2019-12-05 15:20:57.710646 IP 192.168.1.145.56444 > 104.24.120.105.443: Flags [.], ack 1, win 258, length 0
E..(.%@…E…..h.xi.|..v…..8.P………….
2019-12-05 15:20:57.710940 IP 192.168.1.145.56444 > 104.24.120.105.443: Flags [P.], seq 1:173, ack 1, win 258, length 172
E….&@…D…..h.xi.|..v…..8.P………………].X."Q ..n/x@..+…+66.X^..yu.Q….<./.=.5…
.'…..+.#.,.$. .
.@.2.j.8…….P…………..squeakycarworld.store……….
…………………………….

2019-12-05 15:20:58.032130 IP 104.24.120.105.443 > 192.168.1.145.56444: Flags [.], seq 1:1327, ack 173, win 237, length 1326
E..V_.@.?.1.h.xi…….|..8.v..3P….a………[..].X.{.X[d..w… 3…..Q p..vx .!y… … ..+……………………………….0…0………. Tj.OM]5’…N7..0 …H.=…0o1.0 ..U….US1.0 ..U….CA1.0…U….San Francisco1.0…U. ..CloudFlare, Inc.1 0…U….CloudFlare Inc ECC CA-20…191105000000Z..201009120000Z0m1.0 ..U….US1.0 ..U….CA1.0…U….San Francisco1.0…U. ..Cloudflare, Inc.1.0…U….sni.cloudflaressl.com0Y0….H.=…..H.=….B..j…..s…..)F}.6.:…E.”.O(…-D.L.’..=Q.{f.<.,..’..n….9?~…..0…0…U.#..0…>t-..Eu.~?…>LC.Q..0…U……….N.m|.
…..w;#..0P..U…I0G..*.squeakycarworld.store..squeakycarworld.store..sni.cloudflaressl.com0…U………..0…U.%..0…+………+…….0y..U…r0p06.4.2.0http://crl3.digicert.com/CloudFlareIncECCCA2.crl06.4.2.0http://crl4.digicert.com/CloudFlareIncECCCA2.crl0L..U. .E0C07. .H...l..0*0(..+.........https://www.digicert.com/CPS0...g.....0v..+........j0h0$..+.....0...http://ocsp.digicert.com0@..+.....0..4http://cacerts.digicert.com/CloudFlareIncECCCA-2.crt0...U.......0.0.... +.....y............w... ...X......gp <5.......w.........n<........H0F.!...7.........j.L$r...B<.Q?.....Q..!...S.b..B...J.... ..b....ZW.7.P,q.v.^.s..V...6H}.I.2z.........u..qEX...n<........G0E.!...."[..i..Yt:).1..y]5.[.[. ...BM. \KB............XG3...to.c.U.h.j.0 ..*.H.=....G.0D. .
2019-12-05 15:20:58.032734 IP 104.24.120.105.443 > 192.168.1.145.56444: Flags [P.], seq 1327:1461, ack 173, win 237, length 134
E..._.@.?.5.h.xi.......|..=.v..3P...\F....=v.'...(:....YE…...=….@. …[o.M.I…;f.|5.z.z#.g.Vw..2<…0…0…………..9.=..e…4..0.. *.H……..0Z1.0 ..U….IE1.0..
2019-12-05 15:20:58.032862 IP 192.168.1.145.56444 > 104.24.120.105.443: Flags [.], ack 1327, win 258, length 0
E..(.'@…E…..h.xi.|..v..3..=.P………….
2019-12-05 15:20:58.033243 IP 104.24.120.105.443 > 192.168.1.145.56444: Flags [P.], seq 1461:2786, ack 173, win 237, length 1325
E..U_.@.?.1.h.xi…….|..>lv..3P…?x…U.
. Baltimore1.0…U…
CyberTrust1"0 ..U….Baltimore CyberTrust Root0…151014120000Z..201009120000Z0o1.0 ..U….US1.0 ..U….CA1.0…U….San Francisco1.0…U.
..CloudFlare, Inc.1 0…U….CloudFlare Inc ECC CA-20Y0….H.=…..H.=….B…V….1…R…z…..^..Y…N.d.U...K.xT.HP....Xu..7D.MU….3z#….0…0…U…….0…….0…U………..04..+……..(0&0$..+…..0…http://ocsp.digicert.com0:..U…3010/.-.+.)http://crl3.digicert.com/Omniroot2025.crl0=..U. .60402..U. .0*0(..+………https://www.digicert.com/CPS0…U……>t-..Eu.~?…>LC.Q..0…U.#..0…..Y0.GX….T6.{:..M.0.. *.H………….8_…

2019-12-05 15:21:21.159841 IP 192.168.1.145.56455 > 38.75.137.14.9000: Flags [P.], seq 1:50, ack 1, win 258, length 49
E..Y..@…t…..&K….#(…l…P…….GET /preview HTTP/1.1
Host: bestip.tech:9000

2019-12-05 15:21:21.567030 IP 38.75.137.14.9000 > 192.168.1.145.56455: Flags [.], ack 50, win 331, length 0
E..(.O@.4…&K……#(…..….P..K.z..
2019-12-05 15:21:21.567380 IP 38.75.137.14.9000 > 192.168.1.145.56455: Flags [P.], seq 1:233, ack 50, win 331, length 232
E….P@.4…&K……#(…..….P..K,l..HTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Location: /msg/notify/?token=gqF0zl3pWLGha84AAI2B
Date: Thu, 05 Dec 2019 19:21:21 GMT
Content-Length: 62

2019-12-05 15:21:21.954322 IP 192.168.1.145.56456 > 38.75.137.14.9000: Flags [P.], seq 1:271, ack 1, win 258, length 270
E..6..@…s…..&K….#(n[…o..P…-…GET /msg/notify/?token=gqF0zl3pWLGha84AAI2B HTTP/1.1
Host: bestip.tech:9000
Connection: upgrade
Upgrade: tunsocket
Sec-TunSocket-Key: twnF3SxoqWygGsSEbpfYzg==
X-Client: eNprWp6XWlKeX5Q9cfJaQ0sjPUMzCz0TPSND47VGpqZ6MGywGiFnuKS0NDPliIDxhLC07jlWVrJLau7OnXczDQCIjBmB

2019-12-05 15:21:21.968828 IP 38.75.137.14.9000 > 192.168.1.145.56455: Flags [R.], seq 233, ack 51, win 331, length 0
E..(.Q@.4…&K……#(….]…..P..K….
2019-12-05 15:21:22.387859 IP 38.75.137.14.9000 > 192.168.1.145.56456: Flags [.], ack 271, win 330, length 0
E..(}”@.4.T.&K……#(…o..n[..P..Jj…
2019-12-05 15:21:22.388384 IP 38.75.137.14.9000 > 192.168.1.145.56456: Flags [P.], seq 1:126, ack 271, win 330, length 125
E…}#@.4.TY&K……#(…o..n[..P..J….HTTP/1.1 101 Switching Protocols
Upgrade: tunsocket
Sec-Tunsocket-Accept: Sxixkmx9yAhA7IzcVH7XWmPehSs=
X-Keepalive: 30

2019-12-05 15:21:22.893170 IP 192.168.1.145.60101 > 192.168.1.1.53: 32714+ A? www.topvipsr.xyz. (34)
E..>……………….5.*.}………….www.topvipsr.xyz…..
2019-12-05 15:21:23.105345 IP 192.168.1.1.53 > 192.168.1.145.60101: 32714 1/13/0 A 193.108.118.167 (261)
E..!……/……….5….=7………….www.topvipsr.xyz…………..<…lv………….h.root-servers.net………….g.?…………k.?…………m.?…………f.?…………a.?…………d.?…………c.?…………j.?…………e.?…………l.?…………i.?…………b.?
2019-12-05 15:21:23.105506 IP 192.168.1.1.53 > 192.168.1.145.60101: 32714 1/13/0 A 193.108.118.167 (261)
E..!……/……….5….I+………….www.topvipsr.xyz…………..<…lv………….g.root-servers.net………….a.?…………j.?…………e.?…………c.?…………m.?…………b.?…………h.?…………i.?…………l.?……..

2019-12-05 15:21:36.930645 IP 192.168.1.145.56458 > 18.214.175.230.80: Flags [P.], seq 1:421, ack 1, win 64974, length 420: HTTP: GET /ad/ad?p=230299&w=477450&t=4acc0220c1827579&r=&vw=1024&vh=674 HTTP/1.1
E…./@……………P...4.rHP…….GET /ad/ad?p=230299&w=477450&t=4acc0220c1827579&r=&vw=1024&vh=674 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://ps.popcash.net/go/230299/477450
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: ps.popcash.net
Connection: Keep-Alive
Cookie: __cfduid=d41395b56de571502f14a5704988a2fdb1575573653

2019-12-05 15:21:37.235126 IP 18.214.175.230.80 > 192.168.1.145.56458: Flags [.], ack 421, win 30016, length 0
E..(.=@.?..X………P..4.rH._ *P.u@(…
2019-12-05 15:21:37.848725 IP 38.75.137.14.9000 > 192.168.1.145.56456: Flags [.], ack 271, win 330, length 0
E..(}%@.4.T.&K……#(…o.on[..P..Jj3..
2019-12-05 15:21:37.849071 IP 192.168.1.145.56456 > 38.75.137.14.9000: Flags [.], ack 134, win 258, length 0
E..(.6@…t…..&K….#(n[…o.pP…jz……..
2019-12-05 15:21:37.886595 IP 18.214.175.230.80 > 192.168.1.145.56458: Flags [P.], seq 1:256, ack 421, win 30016, length 255: HTTP: HTTP/1.1 303 See Other
E..'.>@.?..X………P..4.rH._ *P.u@m…HTTP/1.1 303 See Other
Date: Thu, 05 Dec 2019 19:21:37 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 54
Connection: keep-alive
Server: nginx
Location: https://mt.coolsite.best/?u

See Other.

See Other.


Written By

admin
