Kelihos Malware is back: 176.103.55.73 chipdd2.exe PCAP file download traffic sample

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Kelihos-X/detailed-analysis.aspx

 

2016-10-23 01:25:27.341585 IP 192.168.1.102.58900 > 176.103.55.73.80: Flags [P.], seq 0:287, ack 1, win 256, length 287: HTTP: GET /chipdd2.exe HTTP/1.1
E..Gio@........f.g7I...PY..iH>..P....H..GET /chipdd2.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: 176.103.55.73
Connection: Keep-Alive


E..(f6@...>7...f..|....P....e3kbP....1........
2016-10-23 01:25:33.418284 IP 192.168.1.102.58901 > 23.211.124.129.80: Flags [P.], seq 0:277, ack 1, win 256, length 277: HTTP: GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
E..=f7@...=!...f..|....P....e3kbP.......GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 27 Sep 2016 05:00:38 GMT
If-None-Match: "773de167c18d21:0"
User-Agent: Microsoft-CryptoAPI/10.0
Host: crl.microsoft.com


E..(;<@...n?...f...*.".P.94..=;.P.............
2016-10-23 01:25:44.058537 IP 192.168.1.102.58914 > 188.27.211.42.80: Flags [P.], seq 0:150, ack 1, win 260, length 150: HTTP: GET /welcome.htm HTTP/1.1
E...;=@...m....f...*.".P.94..=;.P.......GET /welcome.htm HTTP/1.1
Host: 188.27.211.42
Content-Length: 164
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20130331 Firefox/21.0

2016-10-23 01:25:44.217122 IP 192.168.1.102.58914 > 188.27.211.42.80: Flags [P.], seq 150:314, ack 1, win 260, length 164: HTTP
E...;>@...m....f...*.".P.95..=;.P...A.....GVlUUE..H@......X.a.1.~p5.0F.A..wd./..#.f.Ck}eG.3..4M,......Z ....+.##F....$33/.$.V(.nAa-.U".`}...h......W....s.....z);.(E&M..08$y92..3..gB.4..L..u.5j..],.......N
2016-10-23 01:25:45.603498 IP 192.168.1.102.58904 > 14.198.77.112.80: Flags [S], seq 658956675, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
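The capture above contains three complete HTTP request heads from the same client: the chipdd2.exe download from a bare-IP host under an IE8 User-Agent, a Microsoft-CryptoAPI fetch of the MicCodSigPCA CRL (a certificate revocation check that Windows performs on its own and that is benign in isolation), and a GET to 188.27.211.42 for /welcome.htm that carries Content-Length: 164 and is followed by a 164-byte binary segment. The script below is an added example, not part of the original post or of the Sophos analysis: it lifts those three request heads into constructed byte strings (header values copied from the capture) and runs two heuristic triage checks over them, a per-request check for a body on a GET and for an executable fetched from a literal-IP host, and a per-client check for one source address switching between browser User-Agent strings inside the same capture. All function and field names are this example's own.

```python
"""Heuristic triage of HTTP request heads lifted from a tcpdump -A capture.

Added example, not part of the original capture post. SAMPLE_REQUESTS is
constructed from the request lines and headers visible in the capture
(timestamps truncated to seconds); the findings are indicators to look at,
not a verdict on the traffic.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: (timestamp, client ip, server ip, raw HTTP request head)
SAMPLE_REQUESTS = [
    ("2016-10-23 01:25:27", "192.168.1.102", "176.103.55.73",
     b"GET /chipdd2.exe HTTP/1.1\r\n"
     b"Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*\r\n"
     b"Accept-Language: en-us\r\n"
     b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\r\n"
     b"Accept-Encoding: gzip, deflate\r\n"
     b"Host: 176.103.55.73\r\n"
     b"Connection: Keep-Alive\r\n\r\n"),
    ("2016-10-23 01:25:33", "192.168.1.102", "23.211.124.129",
     b"GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1\r\n"
     b"Cache-Control: max-age = 900\r\n"
     b"Connection: Keep-Alive\r\n"
     b"Accept: */*\r\n"
     b"User-Agent: Microsoft-CryptoAPI/10.0\r\n"
     b"Host: crl.microsoft.com\r\n\r\n"),
    ("2016-10-23 01:25:44", "192.168.1.102", "188.27.211.42",
     b"GET /welcome.htm HTTP/1.1\r\n"
     b"Host: 188.27.211.42\r\n"
     b"Content-Length: 164\r\n"
     b"User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20130331 Firefox/21.0\r\n\r\n"),
]


def parse_request(raw):
    """Split a raw request head into (method, path, headers); header names are lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_ip_literal(host):
    """True when the Host header is a bare IPv4/IPv6 address (optional :port stripped)."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def flag_request(raw):
    """Per-request indicators as strings; an empty list means nothing noteworthy."""
    method, path, h = parse_request(raw)
    findings = []
    host = h.get("host", "")
    content_length = int(h.get("content-length", "0") or 0)
    # A body on GET/HEAD has no defined semantics in HTTP; browsers never send one.
    if method in ("GET", "HEAD") and content_length > 0:
        findings.append(f"{method} with Content-Length {content_length}: body on a bodiless method")
    # Executables pulled straight from an IP literal, with no hostname, are worth a look.
    if is_ip_literal(host) and re.search(r"\.(exe|dll|scr)$", path, re.IGNORECASE):
        findings.append(f"executable {path} fetched from bare IP host {host}")
    if "user-agent" not in h:
        findings.append("no User-Agent header")
    return findings


def flag_client_ua_churn(requests):
    """Cross-request indicator: clients that present more than one browser User-Agent.

    Only Mozilla/* strings count; system components such as Microsoft-CryptoAPI
    are expected to differ from the browser and are ignored.
    """
    agents = defaultdict(set)
    for _ts, client, _server, raw in requests:
        _method, _path, h = parse_request(raw)
        ua = h.get("user-agent", "")
        if ua.startswith("Mozilla/"):
            agents[client].add(ua)
    return {client: sorted(uas) for client, uas in agents.items() if len(uas) > 1}


def triage(requests):
    """Map (timestamp, server ip) to its findings, omitting requests with none."""
    report = {}
    for ts, _client, server, raw in requests:
        findings = flag_request(raw)
        if findings:
            report[(ts, server)] = findings
    return report


if __name__ == "__main__":
    for key, findings in triage(SAMPLE_REQUESTS).items():
        print(key, findings)
    print("UA churn:", flag_client_ua_churn(SAMPLE_REQUESTS))
```

Run as-is, the CRL fetch produces no finding, the chipdd2.exe request is flagged for the literal-IP executable download, the /welcome.htm request is flagged for carrying a body on a GET, and the client is flagged for using both an IE8 and a Firefox 21 User-Agent within seconds. Of the three heuristics the GET-with-body check is the most reliable on its own; executable downloads from IP literals also occur on legitimate CDNs, so treat that one as context rather than a trigger.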