Bindex Malware PUP PUA Pay-Per-Download @19_424481.exe down10.zol.com.cn Malicious PCAP file Download Traffic Sample

https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA%3AWin32%2FBindex&bc7d4b87-6a70-4399-aa61-382cf282dd03=True

https://www.hybrid-analysis.com/sample/61833b3ff749d8582a6b23c7b40cc7129d1fd934223527a0dd29ff2964b796d3?environmentId=4

What the capture shows (all times are from the capture; the client is 192.168.1.102):

01:06:22 The client, presenting an Internet Explorer 8 / Windows XP User-Agent, downloads /cx/160624/6/@19_424481.exe from 1476976839.xiazaidown.com (61.160.210.226). The file name carries the pay-per-download bookkeeping: qid 19 and id 424481.

01:06:34 to 01:06:40 Twelve seconds later an NSIS installer on the client starts checking in. Its User-Agent is "NSIS_Inetc (Mozilla)", the default of the NSIS Inetc download plug-in, and it reports the same id and qid to down.xiald.com (api.php, then cfg.php with flag=1024; both carry the same rand=52229065361 value), calls installer.zol.com.cn/corp/test/soft.php?id=424481, and fetches /xml/LinkConfig1.php from confignew.3lsoft.com.

01:07:40 It then requests xiazai.xiazai2.net/sc/xiazaiqi.html (this time with an IE 7 User-Agent) and downloads a second-stage archive, bjbwxwkqd_zolAB.zip, from down10.zol.com.cn (222.163.80.69) with User-Agent "LXdl_plug-in v15.06.10".

For detection, key on the @<qid>_<id>.exe file name, on the Inetc User-Agent combined with the id=/qid= callbacks, and on the LXdl_plug-in User-Agent rather than on the domains alone: zol.com.cn is a large Chinese IT portal with a software download section, and the numeric xiazaidown.com subdomain and the IP addresses in a 2016 capture cannot be expected to stay stable.
Requests in the capture (tcpdump summary line followed by the HTTP request headers):

2016-10-23 01:06:22.123126 IP 192.168.1.102.58823 > 61.160.210.226.80: Flags [P.], seq 0:314, ack 1, win 256, length 314: HTTP: GET /cx/160624/6/@19_424481.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: 1476976839.xiazaidown.com
Connection: Keep-Alive

2016-10-23 01:06:34.242727 IP 192.168.1.102.58826 > 121.41.10.159.80: Flags [P.], seq 0:178, ack 1, win 256, length 178: HTTP: GET /api.php?id=424481[1]&qid=19&rand=52229065361&title=&t=0 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: down.xiald.com
Connection: Keep-Alive
Cache-Control: no-cache

2016-10-23 01:06:34.572935 IP 192.168.1.102.58826 > 121.41.10.159.80: Flags [.], ack 456, win 254, length 0

2016-10-23 01:06:35.377330 IP 192.168.1.102.58827 > 123.103.57.66.80: Flags [P.], seq 0:157, ack 1, win 64240, length 157: HTTP: GET /corp/test/soft.php?id=424481 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: installer.zol.com.cn
Connection: Keep-Alive
Cache-Control: no-cache

2016-10-23 01:06:35.635663 IP 192.168.1.102.58827 > 123.103.57.66.80: Flags [.], ack 2491, win 64240, length 0

2016-10-23 01:06:35.845879 IP 192.168.1.102.58826 > 121.41.10.159.80: Flags [P.], seq 178:366, ack 456, win 254, length 188: HTTP: GET /cfg.php?id=424481[1]&qid=19&rand=52229065361&title=&t=0&flag=1024 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: down.xiald.com
Connection: Keep-Alive
Cache-Control: no-cache

2016-10-23 01:06:40.477407 IP 192.168.1.102.58830 > 112.124.60.81.80: Flags [P.], seq 0:148, ack 1, win 256, length 148: HTTP: GET /xml/LinkConfig1.php HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: confignew.3lsoft.com
Connection: Keep-Alive
Cache-Control: no-cache

2016-10-23 01:06:40.791753 IP 192.168.1.102.58830 > 112.124.60.81.80: Flags [.], ack 702, win 253, length 0

2016-10-23 01:07:40.663531 IP 192.168.1.102.58838 > 220.243.235.201.80: Flags [P.], seq 0:230, ack 1, win 256, length 230: HTTP: GET /sc/xiazaiqi.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: xiazai.xiazai2.net
Connection: Keep-Alive

2016-10-23 01:07:40.883641 IP 192.168.1.102.58837 > 222.163.80.69.80: Flags [P.], seq 0:166, ack 1, win 256, length 166: HTTP: GET /cad/bjbwxwkqd_zolAB.zip HTTP/1.1
User-Agent: LXdl_plug-in v15.06.10 (compatible; MSIE 9.0; Windows NT 6.0)
Host: down10.zol.com.cn
Cache-Control: no-cache
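The chain above can be picked out mechanically from tcpdump -A text. The following is an added example (not part of the original post and not code from the Bindex sample): it parses summary lines plus request headers, finds the @<qid>_<id>.exe download, and ties the later id=/qid= callbacks and the NSIS Inetc User-Agent traffic from the same client to it. The SAMPLE string is constructed from the requests in the capture with the unused headers trimmed; the 180-second window, the "followups" bucket for second-stage fetches that carry neither marker, and the function names are this example's own choices.

```python
"""Flag a Bindex-style pay-per-download chain in tcpdump -A style HTTP request text."""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the seven requests from the capture above, headers trimmed
# to the ones the detector uses. Raw packet-byte lines are left out; they would be
# ignored anyway because they never look like "Name: value" header lines.
SAMPLE = """\
2016-10-23 01:06:22.123126 IP 192.168.1.102.58823 > 61.160.210.226.80: Flags [P.], seq 0:314, ack 1, win 256, length 314: HTTP: GET /cx/160624/6/@19_424481.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: 1476976839.xiazaidown.com

2016-10-23 01:06:34.242727 IP 192.168.1.102.58826 > 121.41.10.159.80: Flags [P.], seq 0:178, ack 1, win 256, length 178: HTTP: GET /api.php?id=424481[1]&qid=19&rand=52229065361&title=&t=0 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: down.xiald.com

2016-10-23 01:06:35.377330 IP 192.168.1.102.58827 > 123.103.57.66.80: Flags [P.], seq 0:157, ack 1, win 64240, length 157: HTTP: GET /corp/test/soft.php?id=424481 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: installer.zol.com.cn

2016-10-23 01:06:35.845879 IP 192.168.1.102.58826 > 121.41.10.159.80: Flags [P.], seq 178:366, ack 456, win 254, length 188: HTTP: GET /cfg.php?id=424481[1]&qid=19&rand=52229065361&title=&t=0&flag=1024 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: down.xiald.com

2016-10-23 01:06:40.477407 IP 192.168.1.102.58830 > 112.124.60.81.80: Flags [P.], seq 0:148, ack 1, win 256, length 148: HTTP: GET /xml/LinkConfig1.php HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: confignew.3lsoft.com

2016-10-23 01:07:40.663531 IP 192.168.1.102.58838 > 220.243.235.201.80: Flags [P.], seq 0:230, ack 1, win 256, length 230: HTTP: GET /sc/xiazaiqi.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: xiazai.xiazai2.net

2016-10-23 01:07:40.883641 IP 192.168.1.102.58837 > 222.163.80.69.80: Flags [P.], seq 0:166, ack 1, win 256, length 166: HTTP: GET /cad/bjbwxwkqd_zolAB.zip HTTP/1.1
User-Agent: LXdl_plug-in v15.06.10 (compatible; MSIE 9.0; Windows NT 6.0)
Host: down10.zol.com.cn
"""

SUMMARY = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r".*?HTTP: (?P<method>[A-Z]+) (?P<uri>\S+) HTTP/1\.[01]$")
HEADER = re.compile(r"^([A-Za-z-]+):\s*(.*)$")
PPD_NAME = re.compile(r"/@(?P<qid>\d+)_(?P<id>\d+)\.exe$")  # e.g. /@19_424481.exe
INSTALLER_UA = "NSIS_Inetc (Mozilla)"  # default User-Agent of the NSIS Inetc download plug-in


def parse_requests(text):
    """One dict per request: summary fields plus lower-cased headers; a blank line ends a request."""
    reqs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SUMMARY.match(line)
        if m:
            cur = dict(m.groupdict(), headers={})
            cur["time"] = datetime.strptime(cur["ts"], "%Y-%m-%d %H:%M:%S.%f")
            reqs.append(cur)
        elif not line:
            cur = None
        elif cur is not None and (h := HEADER.match(line)):
            cur["headers"][h[1].lower()] = h[2]
    return reqs


def find_ppd_chain(reqs, window_s=180):
    """Return the @<qid>_<id>.exe download and what the same client does afterwards, or None.

    callbacks: later requests that report the affiliate id or use the Inetc User-Agent.
    followups: anything else the client fetches within window_s seconds (second-stage
    downloads such as the .zip above carry neither marker, so they are kept as context).
    """
    for i, dl in enumerate(reqs):
        m = PPD_NAME.search(urlsplit(dl["uri"]).path)
        if not m:
            continue
        chain = {"download": dl, "affiliate_id": m["id"], "qid": m["qid"],
                 "callbacks": [], "followups": []}
        for r in reqs[i + 1:]:
            if r["src"] != dl["src"]:
                continue
            age = (r["time"] - dl["time"]).total_seconds()
            q = parse_qs(urlsplit(r["uri"]).query)
            ids = [v.split("[")[0] for v in q.get("id", [])]  # "424481[1]" -> "424481"
            if m["id"] in ids or r["headers"].get("user-agent") == INSTALLER_UA:
                chain["callbacks"].append(r)
            elif 0 <= age <= window_s:
                chain["followups"].append(r)
        if chain["callbacks"]:  # a lone @qid_id.exe download without check-ins is not enough
            return chain
    return None


def iocs(chain):
    """Unique 'host ip' pairs contacted in the chain, for hunting or blocklists."""
    reqs = [chain["download"], *chain["callbacks"], *chain["followups"]]
    return sorted({f"{r['headers'].get('host', '?')} {r['dst']}" for r in reqs})


if __name__ == "__main__":
    chain = find_ppd_chain(parse_requests(SAMPLE))
    if chain:
        print(f"pay-per-download chain: id={chain['affiliate_id']} qid={chain['qid']}")
        for r in chain["callbacks"] + chain["followups"]:
            print(f"  {r['ts']} {r['headers'].get('host')} {r['uri']}")
        print("IOCs:", *iocs(chain), sep="\n  ")
```

The id match is what makes the callback attribution reliable; the Inetc User-Agent on its own also appears in legitimate NSIS installers that download components, so on real traffic treat UA-only hits as supporting evidence and the @<qid>_<id>.exe name plus matching id= callbacks as the alert condition.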