css.jipinfeiche.cn Alman Trojan Malware PCAP file download traffic sample installad_304.dat c2

SHA256: a3b7e3fd4c709cc40be1b7114b109bc16228374f31f692311348abf2ea4d09b8
File name: fcjingdianyouxihejizhongwenban.exe
Detection ratio: 31 / 48
Analysis date: 2016-10-29 07:26:36 UTC
Engine                Result                        Update
ESET-NOD32            Win32/Alman.NAB               20161029
Emsisoft              Worm.Generic.532532 (B)       20161029
F-Secure              Worm.Generic.532532           20161029
GData                 Worm.Generic.532532           20161029
Ikarus                Virus.Win32.Alman             20161028
Invincea              virus.win32.ramnit.a          20161018
Jiangmin              Win32/Almana.c                20161029
Kaspersky             Virus.Win32.Alman.b           20161029
Malwarebytes          Trojan.ChinAd                 20161029
McAfee-GW-Edition     Artemis                       20161029
eScan                 Worm.Generic.532532           20161029
NANO-Antivirus        Virus.Win32.Alman.xyevp       20161029
Panda                 Generic Suspicious            20161028
Qihoo-360             Win32/Trojan.323              20161029
Sophos                Mal/Generic-S                 20161029
Symantec              Heur.AdvML.B                  20161029
Tencent               Win32.Virus.Alman.Ahem        20161029
TheHacker             Trojan/.Agent.bt              20161028
VBA32                 Virus.Win32.Alman.B           20161028
Zoner                 Win32.Alman.NAB               20161029

2016-10-29 01:50:41.235203 IP 192.168.1.102.64692 > 218.77.77.34.80: Flags [P.], seq 0:316, ack 1, win 256, length 316: HTTP: GET /fcjingdianyouxihejizhongwenban.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: down7.downyouxi.com
Connection: Keep-Alive

2016-10-29 01:50:41.536118 IP 192.168.1.102.64692 > 218.77.77.34.80: Flags [.], ack 2921, win 256, length 0

2016-10-29 01:54:47.322248 IP 192.168.1.102.64712 > 104.95.25.151.80: Flags [P.], seq 0:214, ack 1, win 256, length 214: HTTP: GET /Market.svc/AppTileV3?symbols=29.10.%40CCO.29.COMP&contentType=0&tileType=0&locale=EN-US&symbolTypes=I HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft-WNS/10.0
Host: finance.services.appex.bing.com

2016-10-29 01:54:47.355866 IP 192.168.1.102.64714 > 104.95.25.151.80: Flags [.], ack 3234256246, win 256, length 0
2016-10-29 01:54:47.355886 IP 192.168.1.102.64713 > 104.95.25.151.80: Flags [.], ack 3299911539, win 256, length 0
2016-10-29 01:54:47.355890 IP 192.168.1.102.64715 > 23.34.0.76.80: Flags [.], ack 2971165570, win 256, length 0
2016-10-29 01:54:47.356814 IP 192.168.1.102.64714 > 104.95.25.151.80: Flags [P.], seq 0:217, ack 1, win 256, length 217: HTTP: GET /Market.svc/AppTileV3?symbols=30.10.%21DJI.30.%24INDU&contentType=0&tileType=0&locale=EN-US&symbolTypes=I HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft-WNS/10.0
Host: finance.services.appex.bing.com

2016-10-29 02:12:07.225822 IP 192.168.1.102.64792 > 120.132.92.122.80: Flags [P.], seq 0:206, ack 1, win 259, length 206: HTTP: GET /advert/get.php?type=1&name=FC%C2%BE%C2%AD%C2%B5%C3%A4%C3%93%C3%8E%C3%8F%C2%B7%C2%BA%C3%8F%C2%BC%C2%AF+%C3%96%C3%90%C3%8E%C3%84%C2%B0%C3%A6&site=1 HTTP/1.1
Host: www.qq5.com
Connection: Keep-Alive

2016-10-29 02:12:07.541884 IP 192.168.1.102.64792 > 120.132.92.122.80: Flags [.], ack 518, win 257, length 0
2016-10-29 02:12:08.022699 IP 192.168.1.102.63007 > 75.75.75.75.53: 24044+ A? css.jipinfeiche.cn. (36)
2016-10-29 02:12:09.030304 IP 192.168.1.102.63008 > 75.75.75.75.53: 24044+ A? css.jipinfeiche.cn. (36)

2016-10-29 02:12:10.718966 IP 192.168.1.102.64793 > 183.61.19.211.80: Flags [P.], seq 0:213, ack 1, win 256, length 213: HTTP: GET /advert/get.php?type=1&name=FC%C2%BE%C2%AD%C2%B5%C3%A4%C3%93%C3%8E%C3%8F%C2%B7%C2%BA%C3%8F%C2%BC%C2%AF+%C3%96%C3%90%C3%8E%C3%84%C2%B0%C3%A6&site=1 HTTP/1.1
Host: css.jipinfeiche.cn
Connection: Keep-Alive

2016-10-29 02:12:10.964277 IP 192.168.1.102.64792 > 120.132.92.122.80: Flags [P.], seq 206:320, ack 518, win 257, length 114: HTTP: GET /advert/manage/runtime/dat/installad/installad_304.dat HTTP/1.1
Host: www.qq5.com
Connection: Keep-Alive

2016-10-29 02:12:11.020155 IP 192.168.1.102.64793 > 183.61.19.211.80: Flags [.], ack 547, win 254, length 0
2016-10-29 02:12:11.035916 IP 192.168.1.102.63008 > 75.75.76.76.53: 24044+ A? css.jipinfeiche.cn. (36)
2016-10-29 02:12:11.216819 IP 192.168.1.102.64793 > 183.61.19.211.80: Flags [P.], seq 213:334, ack 547, win 254, length 121: HTTP: GET /advert/manage/runtime/dat/installad/installad_304.dat HTTP/1.1
Host: css.jipinfeiche.cn
Connection: Keep-Alive