Magnitude Exploit Kit, Flash vulnerability, Cerber ransomware payload: traffic analysis (PCAP file download)

The listing below is tcpdump -A output of the client-side HTTP traffic from the capture: each packet's summary line is followed by its payload as ASCII, with non-printable bytes rendered as dots. The victim 192.168.2.56 (Internet Explorer 11 on Windows 7, per the User-Agent) first loads money-supermarket.org on 91.134.161.33, is sent from there to terportalbe.vip on the same server with a query string carrying the screen colour depth, width and height (24, 1024, 768) under random parameter names, then on to dd1d0b29o.baditems.gdn on 51.255.105.22. From that host it fetches a landing page and further objects named with 32-character hex strings, one of them requested by Flash Player itself (x-flash-version: 18,0,0,160), and finally /ef0de20d241ff17bf3023d6367d74897 with the server's bare IP as Host and no User-Agent or Referer (requested twice, from ports 49310 and 49311), which is consistent with the payload being pulled by the exploited process rather than by the browser.

2016-06-27 11:40:50.947569 IP 192.168.2.56.49300 > 91.134.161.33.80: Flags [P.], seq 1:284, ack 1, win 16537, length 283: HTTP: GET / HTTP/1.1
E..C.f@...,....8[..!...P.=..N...P.@..d..GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-GB,en-US;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: money-supermarket.org
Connection: Keep-Alive
Cookie: Array


2016-06-27 11:40:51.925360 IP 192.168.2.56.49302 > 91.134.161.33.80: Flags [.], ack 1, win 16537, length 0
E..(.n@...-....8[..!...P....0..PP.@.4.........
2016-06-27 11:40:51.925448 IP 192.168.2.56.49301 > 91.134.161.33.80: Flags [P.], seq 1:354, ack 1, win 16537, length 353: HTTP: GET /?f8g93rb50lfb5ak=24&6a96c53by=1024&3dzap2bfke3o=768 HTTP/1.1
E....o@...,x...8[..!...P"..._=ivP.@.....GET /?f8g93rb50lfb5ak=24&6a96c53by=1024&3dzap2bfke3o=768 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://money-supermarket.org/
Accept-Language: en-GB,en-US;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: terportalbe.vip
Connection: Keep-Alive


2016-06-27 11:40:52.751244 IP 192.168.2.56.49303 > 51.255.105.22.80: Flags [.], ack 1, win 16537, length 0
E..(.w@....c...83.i....P.m+...o.P.@...........
2016-06-27 11:40:52.751398 IP 192.168.2.56.49303 > 51.255.105.22.80: Flags [P.], seq 1:310, ack 1, win 16537, length 309: HTTP: GET / HTTP/1.1
E..].x@....-...83.i....P.m+...o.P.@..A..GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://money-supermarket.org/
Accept-Language: en-GB,en-US;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: dd1d0b29o.baditems.gdn

2016-06-27 11:40:53.267793 IP 192.168.2.56.49303 > 51.255.105.22.80: Flags [F.], seq 310, ack 982, win 16292, length 0
E..(.|@....^...83.i....P.m,O..s.P.?..k........
2016-06-27 11:40:53.306024 IP 192.168.2.56.49304 > 51.255.105.22.80: Flags [P.], seq 1:309, ack 1, win 16537, length 308: HTTP: GET /b24814c8312ad4d2ec21307d85102598 HTTP/1.1
E..\.}@....)...83.i....P.w^..rCTP.@.Q...GET /b24814c8312ad4d2ec21307d85102598 HTTP/1.1
Accept: */*
Referer: http://dd1d0b29o.baditems.gdn/
Accept-Language: en-GB,en-US;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: dd1d0b29o.baditems.gdn
Connection: Keep-Alive


2016-06-27 11:40:54.075632 IP 192.168.2.56.49306 > 51.255.105.22.80: Flags [.], ack 1, win 16537, length 0
E..(..@....T...83.i....PW.M...6TP.@...........
2016-06-27 11:40:54.075734 IP 192.168.2.56.49305 > 51.255.105.22.80: Flags [P.], seq 1:343, ack 1, win 16537, length 342: HTTP: GET /6abc7256d01ee1a0849e6c24b16b136b HTTP/1.1
E..~..@........83.i....Py. .r..uP.@.....GET /6abc7256d01ee1a0849e6c24b16b136b HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://dd1d0b29o.baditems.gdn/
Accept-Language: en-GB,en-US;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: dd1d0b29o.baditems.gdn
Connection: Keep-Alive

2016-06-27 11:40:54.154558 IP 192.168.2.56.49306 > 51.255.105.22.80: Flags [P.], seq 1:375, ack 1, win 16537, length 374: HTTP: GET /e4a3758e459fba0c643be60124c37baa?win%2018,0,0,160 HTTP/1.1
E.....@........83.i....PW.M...6TP.@.O...GET /e4a3758e459fba0c643be60124c37baa?win%2018,0,0,160 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://dd1d0b29o.baditems.gdn/b24814c8312ad4d2ec21307d85102598
x-flash-version: 18,0,0,160
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: dd1d0b29o.baditems.gdn
Connection: Keep-Alive

2016-06-27 11:40:54.892244 IP 192.168.2.56.49308 > 51.255.105.22.80: Flags [.], ack 1, win 16537, length 0
E..(..@....;...83.i....P..jq,3..P.@.DN........
2016-06-27 11:40:54.892393 IP 192.168.2.56.49308 > 51.255.105.22.80: Flags [P.], seq 1:211, ack 1, win 16537, length 210: HTTP: GET /favicon.ico HTTP/1.1
E.....@....h...83.i....P..jq,3..P.@.....GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: dd1d0b29o.baditems.gdn
Connection: Keep-Alive


2016-06-27 11:40:56.997037 IP 192.168.2.56.49310 > 51.255.105.22.80: Flags [P.], seq 1:72, ack 1, win 16537, length 71: HTTP: GET /ef0de20d241ff17bf3023d6367d74897 HTTP/1.1
E..o..@........83.i....Pg.|u...4P.@.....GET /ef0de20d241ff17bf3023d6367d74897 HTTP/1.1
Host: 51.255.105.22

2016-06-27 11:40:56.997893 IP 192.168.2.56.49311 > 51.255.105.22.80: Flags [S], seq 1799579794, win 8192, options [mss 1464,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@........83.i....PkCh....... .ZW..............
2016-06-27 11:40:57.252374 IP 51.255.105.22.80 > 192.168.2.56.49310: Flags [.], ack 72, win 58, length 0
E..(.6@.7...3.i....8.P.....4g.|.P..:.7..
2016-06-27 11:40:57.259600 IP 51.255.105.22.80 > 192.168.2.56.49311: Flags [S.], seq 523539285, ack 1799579795, win 29200, options [mss 1350,nop,wscale 9], length 0

2016-06-27 11:40:57.259737 IP 192.168.2.56.49311 > 51.255.105.22.80: Flags [.], ack 1, win 16537, length 0
E..(..@........83.i....PkCh..4.VP.@...........
2016-06-27 11:40:57.259916 IP 192.168.2.56.49311 > 51.255.105.22.80: Flags [P.], seq 1:72, ack 1, win 16537, length 71: HTTP: GET /ef0de20d241ff17bf3023d6367d74897 HTTP/1.1
E..o..@........83.i....PkCh..4.VP.@.*...GET /ef0de20d241ff17bf3023d6367d74897 HTTP/1.1
Host: 51.255.105.22
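As an added example (editor's code, not from this page or from any Magnitude analysis), the following Python script parses request blocks in the tcpdump -A format shown above and flags the stages that stand out in the trace: the screen-size query under random parameter names, the 32-hex object names, the object fetched by Flash Player itself (x-flash-version header), and the final download addressed to a bare IP with the browser headers absent. The SAMPLE text is a constructed reduction of four of the requests above; the tag names and the thresholds in classify() are this example's own heuristics, not signatures taken from the page.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: four request blocks from the trace above, reduced to the
# summary line plus a few headers, with one raw tcpdump -A byte line left in
# to show that the parser skips it. This is not the PCAP itself.
SAMPLE = """\
2016-06-27 11:40:50.947569 IP 192.168.2.56.49300 > 91.134.161.33.80: Flags [P.], seq 1:284, ack 1, win 16537, length 283: HTTP: GET / HTTP/1.1
E..C.f@...,....8[..!...P.=..N...P.@..d..GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: money-supermarket.org

2016-06-27 11:40:51.925448 IP 192.168.2.56.49301 > 91.134.161.33.80: Flags [P.], seq 1:354, ack 1, win 16537, length 353: HTTP: GET /?f8g93rb50lfb5ak=24&6a96c53by=1024&3dzap2bfke3o=768 HTTP/1.1
Referer: http://money-supermarket.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: terportalbe.vip

2016-06-27 11:40:54.154558 IP 192.168.2.56.49306 > 51.255.105.22.80: Flags [P.], seq 1:375, ack 1, win 16537, length 374: HTTP: GET /e4a3758e459fba0c643be60124c37baa?win%2018,0,0,160 HTTP/1.1
Referer: http://dd1d0b29o.baditems.gdn/b24814c8312ad4d2ec21307d85102598
x-flash-version: 18,0,0,160
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: dd1d0b29o.baditems.gdn

2016-06-27 11:40:56.997037 IP 192.168.2.56.49310 > 51.255.105.22.80: Flags [P.], seq 1:72, ack 1, win 16537, length 71: HTTP: GET /ef0de20d241ff17bf3023d6367d74897 HTTP/1.1
Host: 51.255.105.22
"""

# tcpdump summary line carrying an HTTP request line; src/dst keep the ".port" suffix.
SUMMARY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IP (?P<src>\S+) > (?P<dst>\S+): .*HTTP: "
    r"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$"
)
HEADER_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9-]*): ?(?P<value>.*)$")
HEX32_PATH = re.compile(r"^/[0-9a-f]{32}$")
SCREEN_DEPTHS = {16, 24, 32}      # plausible screen.colorDepth values


@dataclass
class HttpRequest:
    ts: str
    src: str
    dst: str
    method: str
    target: str
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> str:
        return self.headers.get(name.lower(), "")


def parse_requests(text: str) -> List[HttpRequest]:
    """Collect each HTTP request summary line and the header lines under it."""
    reqs: List[HttpRequest] = []
    cur = None
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            cur = HttpRequest(m["ts"], m["src"], m["dst"], m["method"], m["target"])
            reqs.append(cur)
            continue
        if cur is None:
            continue
        if not line.strip():          # blank line closes the header block
            cur = None
            continue
        h = HEADER_RE.match(line)
        if h:                         # raw -A byte lines never match and are dropped
            cur.headers[h["name"].lower()] = h["value"].strip()
    return reqs


def _is_ip_literal(host: str) -> bool:
    try:
        ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def classify(req: HttpRequest) -> List[str]:
    """Heuristic tags (this example's own, not published EK signatures)."""
    tags: List[str] = []
    parts = urlsplit(req.target)
    host = req.header("host")
    # Screen fingerprint gate: bare "/?" whose values look like depth + width + height.
    ints = [int(v) for _, v in parse_qsl(parts.query, keep_blank_values=True) if v.isdigit()]
    if parts.path == "/" and len(ints) == 3 and any(i in SCREEN_DEPTHS for i in ints) \
            and sum(1 for i in ints if i >= 640) >= 2:
        tags.append("screen-fingerprint-gate")
    # 32-hex object names for landing page, exploit and payload.
    if HEX32_PATH.match(parts.path):
        tags.append("hex32-path")
    # Flash Player itself fetching from the host (x-flash-version header).
    if req.header("x-flash-version"):
        tags.append("flash-object-fetch:" + req.header("x-flash-version"))
    # Host is an IP literal and the browser headers are gone: not the browser anymore.
    if host and _is_ip_literal(host) and not req.header("user-agent") and not req.header("referer"):
        tags.append("headerless-ip-download")
    return tags


def analyze(text: str) -> List[Tuple[str, str, List[str]]]:
    """(Host header, request target, tags) for every request that got a tag."""
    out = []
    for r in parse_requests(text):
        tags = classify(r)
        if tags:
            out.append((r.header("host") or r.dst, r.target, tags))
    return out


if __name__ == "__main__":
    for host, target, tags in analyze(SAMPLE):
        print(f"{host:26} {target[:52]:52} {', '.join(tags)}")
```

Run it as-is to see the flagged requests; for a real capture, feed it the text from `tcpdump -A -r capture.pcap 'tcp dst port 80'`. The header regex is deliberately loose and can be fooled by a raw byte line that happens to contain `word: value`, so for anything beyond a quick triage dissect the pcap with a real HTTP parser instead of the -A rendering.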