Text Example

Styx EK Exploit Kit Malware Trojan Delivery PCAP file Download Traffic Sample

Download Attachments

  • 1 pcap 20
    Date added: May 24, 2019 12:02 am Added by: admin File size: 5 MB Downloads: 28

2013-11-23 02:55:37.128941 IP 185.31.209.83.80 > 192.168.204.134.50195: Flags [P.], seq 11721:13181, ack 6351, win 64240, length 1460: HTTP: HTTP/1.1 200 OK
E………U….S…..P..g:N…V.P…….HTTP/1.1 200 OK
Date: Sat, 23 Nov 2013 06:55:36 GMT
Content-Type: application/octet-stream; charset=binary
Content-Length: 221971
Connection: keep-alive
Cache-Control: no-cache, must-revalidate
Content-Disposition: attachment; filename="LbbnV0RmJv.exe"
Content-Transfer-Encoding: binary
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sat, 23 Nov 2013 07:16:01 GMT
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Pragma: no-cache
Server: Microsoft-IIS/6.0
X-AspNetMvc-Version: 1.0
X-Powered-By: ASP.NET
Content-Encoding: gzip

2013-11-23 02:55:11.375510 IP 192.168.204.134.50139 > 63.141.137.25.80: Flags [.], ack 1, win 64240, length 0
E..(d.@…@…..?……PV..ohB-.P………….
2013-11-23 02:55:11.375896 IP 192.168.204.134.50139 > 63.141.137.25.80: Flags [P.], seq 1:523, ack 1, win 64240, length 522: HTTP: GET /cartier-eau-de-cartier-essence-dorange-edt-100ml/ HTTP/1.1
E..2d.@…=…..?……PV..ohB-.P…g&..GET /cartier-eau-de-cartier-essence-dorange-edt-100ml/ HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.perfumelover.co.uk
Connection: Keep-Alive

2013-11-23 02:55:11.375920 IP 63.141.137.25.80 > 192.168.204.134.50139: Flags [.], ack 523, win 64240, length 0
E..(……’)?……..P..hB-.V..yP………….
2013-11-23 02:55:11.792186 IP 192.168.204.134.137 > 192.168.204.2.137: NBT UDP PACKET(137): REFRESH(8); REQUEST; UNICAST
E..d....................L....@......... FHEJEOCNFDENDJDDEHFCFDEGEEFDELAA.. ..... ........…..
2013-11-23 02:55:11.835401 IP 63.141.137.25.80 > 192.168.204.134.50139: Flags [P.], seq 1:1461, ack 523, win 64240, length 1460: HTTP: HTTP/1.1 200 OK
E………!t?……..P..hB-.V..yP….6..HTTP/1.1 200 OK
Server: nginx
Date: Sat, 23 Nov 2013 06:55:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: SHOP_SESSION_TOKEN=7n1k69m21s2nfn9ru7csmatfl7; expires=Sat, 30-Nov-2013 06:55:11 GMT; path=/; domain=.perfumelover.co.uk; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: RECENTLY_VIEWED_PRODUCTS=1187; expires=Mon, 23-Dec-2013 06:55:11 GMT; path=/; domain=.perfumelover.co.uk
X-Powered-By: PleskLin
Vary: Accept-Encoding
Content-Encoding: gzip

8da7
……………9r.
…..Ni…..8%.C…..I.I.K…B.#”…..C&…4.F:…<……p.O..’.[..Zf8….........._.tq...,d...N.............................A....76.....4...ol.....=Y................9..._{..5..2...y4y.&.5V...(}......K...}.O.t.\D.....$..Q.R.t4.3.A4. ..>…3.q…x.6..I(<(..nE……..Q.e”….a;.|z……….79..~…,^~y9.|…………….$.HBY….>O.@$./…..L…..F…..I……..&0./.B$.|&.I..z.!……{..<.}../..]-..(z&.d…Wl4.I.7…….&+|…^.}Q......._.......uXg.D...G ….).
..).H……. .x.C..q ..j.Xg{….w..%….8.S..(&s…..>….Zn..H.-……. ..G..hK..waK+K..{..7f{KA….lP.o.G[..2.g3...p.....@.<...x....6...........n............1...z....[..O.=.y...d.....O.7.....>.']....Y.v...I~z.../..S...eq<.g.1v ..(*.k.L.t..RF).a...D.o..x.G.m..l....._....].\e.H.Z5.g~...:R+N..E..3J..ja~.y…,..;>d;.~k0…1…RI.y. 2013-11-23 02:55:11.835904 IP 63.141.137.25.80 > 192.168.204.134.50139: Flags [P.], seq 1461:2921, ack 523, win 64240, length 1460: HTTP E………!s?……..P..hB3PV..yP….!…....|...7../..g.?..|(9.bI....C....C].._....B......g…..^[M….o.0~b….kDx.$.& … u”.c..Y.k._!.k.4N.Q....KR]..J.+.0…[..>.&……b…..i@.PL..{.9es..2>a.T..2J&D..o.L.5.a……. ?….#……h.J….-…..,..)..9.H …..).0k@;C...1.].......A._<fY....B.|.....T.oy.......U%...G.{. <.A/.....e..i..g.%]......X.y...j.........._5rA.|.9...3Pn........mD4..Q.......Y...M..}...................m)....Y0...........w|>|:..|..o?{.l..[b.5~.......M.bg#..y.3......t.4p.. u.n.Q.m4[....!p.u.L...........l../..... .....,.E...<5.....uY .T.b.......C.%.._..)/...A...Hy..._...(.......M....R.rx...s.S..y.....a..<T..........%....Y.!..5..+..” 6L.;..S..1X.q………. M…hBeBS..+Tk0.I.~..g.4.~.v.B..3q.V..n.o>.3:.j}>….}.&.w.0…zA..5I.-…Yw.v!..l.k…9…:(……/.. …%…….x..z..1....N/s|E.j..~..Y...F.>.Fa.S.. ...aY.G7A4.Y>.>.....Stn.3.x….L..)q..a….Qz.f….?.3..9..x.?……..s……?…….…=[.p _......P....j....$[..@....<.H.....f I.^It.M..{Dk....q.U. c)$.z........i.>d.3c) &k...j.....A.(}N..*+..u..LU(.[\. .....q......O ..".aH.I.G3.G...K%.i2..,.q.HF.a..,!..........0.............F…(….b}[… .&…..4….M..I<…..W….s…q..-…rf…D…$…U….$..P…F..G}……&…./. …..z……..DA.
…Fk.’1…^..jM…:..q0Y.L…..8V.5f.B…;/rU#.x…..l.…i>..c->.>e{…..^..)f.~..X……l..f…..T…t. ...-E*........0..k..i..br..H...8. ........>.....rc..k.x........-.]........".t....+.~5........[s<.D.=. 2013-11-23 02:55:11.836100 IP 63.141.137.25.80 > 192.168.204.134.50139: Flags [P.], seq 2921:4381, ack 523, win 64240, length 1460: HTTP E.........!r?........P..hB9.V..yP...*....o..]0y........."..S.s9y..0Q.[.hAy!..d}......7k8...h.._1Ek}}.]... v.A......"a..<0.w.g.".".u-.U..;…H….$p.jndA@...j).......z..|.b.C.2x....A0.X.!a...+....)...V..>E.L.......E5.Z.$.....=._..S.....<.0.G1…..’0..-….s+.#. ;cIf9K5]..N….=..@6.k1{….. .z..@..y.A..o…,…M.I….V.OyV..
…<,{..8.N……/.S..vs{s…..gOvTI.T..l.R.|..K-P….x…+.g..j……Lq… .R.q..|…V..X…Rl…h6d..Z.e./.”)Z..4n&….m0G&….[)…”..@..D$K.h.B…=.$>…..fE.5..L….S.?
..l……a…..x..,O@:.bts..x.^..H…..C>.!…YS h.^{+K.2. t. …X….Y……+…..&5k......K..t..T.y..."+kX@...IZ.M..E...u.....@5..I..l....?..%......u......0.[.i..........}*..g.l1..Q....~.sd.$.....E...D[..i....W. .<a..w)...........LU...:.......VNLR.Jk..iQ...U...A.f.Z_.&..<.(f..MeZcPk.,..LL.d...SU..+#...t.. .....&....18.UyU..L..n*...E.]...0..p...O.....@........A..#...&...=..}w.{..(aQ|:07x.q/.....?. ..3y!.n.....x*f.@a'..I............:.........1.ja".Q.;..#.r.E7So......6.....O._x.Qn.0..#/.g. ...skipping... ..………….
2013-11-23 03:01:05.649307 IP 192.168.204.134.50402 > 151.236.49.136.443: Flags [.], ack 1, win 64240, length 0
E..(qQ@…2…….1…..X
..}d-.P….c……..
2013-11-23 03:01:05.649828 IP 192.168.204.134.50402 > 151.236.49.136.443: Flags [P.], seq 1:170, ack 1, win 64240, length 169
E…qR@…21……1…..X
..}d-.P…/…………..R.R..[I,.J…H{..;7.h.G.K3…… ……B+.y |….k…..P.e………./.5…
….. .
.2.8…….?…………..ml0qpix45a5jhehnr.rwn.cc……….
…………..
2013-11-23 03:01:05.649848 IP 151.236.49.136.443 > 192.168.204.134.50402: Flags [.], ack 170, win 64240, length 0