Malware Traffic Sample, Packet Analysis: Rig Exploit Kit (EK) Delivers Gootkit Banking Trojan (PCAP file download)

2016-08-15 11:35:33.718522 IP 192.168.4.29.50266 > 85.25.209.77.80: Flags [P.], seq 1:249, ack 1, win 16537, length 248: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agreen.com.tr
Connection: Keep-Alive


2016-08-15 11:35:34.447061 IP 192.168.4.29.50266 > 85.25.209.77.80: Flags [.], ack 393, win 16439, length 0
2016-08-15 11:35:34.447936 IP 192.168.4.29.50266 > 85.25.209.77.80: Flags [P.], seq 249:579, ack 393, win 16439, length 330: HTTP: GET /index.php/tr/ HTTP/1.1
GET /index.php/tr/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: agreen.com.tr
Connection: Keep-Alive
Cookie: c022fb20f86f63211f741215ca2b9328=8b52ln7m1meqlc9ofetro8ieu1


2016-08-15 11:35:37.877683 IP 192.168.4.29.50283 > 85.93.0.12.80: Flags [.], ack 1, win 16537, length 0
2016-08-15 11:35:37.877847 IP 192.168.4.29.50283 > 85.93.0.12.80: Flags [P.], seq 1:388, ack 1, win 16537, length 387: HTTP: GET /onkuhinkeeefock-fmrb6nalle-notbc7mp2stltpsnfeeoaao4a-t2acmerkocmdossikpbp4rfe-r9do4dli7rmimdmopefm-ik/ HTTP/1.1
GET /onkuhinkeeefock-fmrb6nalle-notbc7mp2stltpsnfeeoaao4a-t2acmerkocmdossikpbp4rfe-r9do4dli7rmimdmopefm-ik/ HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://agreen.com.tr/index.php/tr/
x-flash-version: 16,0,0,235
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: rydogu.top
Connection: Keep-Alive

2016-08-15 11:35:40.631805 IP 192.168.4.29.50286 > 185.158.152.118.80: Flags [.], ack 51817, win 16243, length 0
2016-08-15 11:35:40.635400 IP 192.168.4.29.50286 > 185.158.152.118.80: Flags [P.], seq 1122:1750, ack 51817, win 16243, length 628: HTTP: GET /index.php?wXqBcrWaLRvMCYA=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpOE_BSOZ1lG-cbBE7Ftjgz9x7ITecMizh-E7GUBmbkfQFFT6wkZjuyeV7PC7kpzXlBxFlvbJN0sohfQDmK1JDEqi_a7RjN-1g HTTP/1.1
GET /index.php?wXqBcrWaLRvMCYA=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpOE_BSOZ1lG-cbBE7Ftjgz9x7ITecMizh-E7GUBmbkfQFFT6wkZjuyeV7PC7kpzXlBxFlvbJN0sohfQDmK1JDEqi_a7RjN-1g HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://free.giftofhair.org/?wXqBcrWaLRvMCYA=l3SKfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8
x-flash-version: 16,0,0,235
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: free.giftofhair.org
Connection: Keep-Alive

2016-08-15 11:35:40.844834 IP 185.158.152.118.80 > 192.168.4.29.50286: Flags [.], ack 1750, win 514, length 0
2016-08-15 11:35:41.527237 IP 192.168.4.29.50287 > 185.158.152.118.80: Flags [P.], seq 1:438, ack 1, win 16537, length 437: HTTP: GET /index.php?wXqBcrWaLRvMCYA=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpOE_BSOZ1lG-cbBE7Ftjgz9x7ITecMizh-E7GUBmbkfQFFT6wkZjuyeV7PC7kpzXlBvEQ7bJN0sohfQDmK1JDEqi_OzRjlykKM&dfgsdf=2998 HTTP/1.1
GET /index.php?wXqBcrWaLRvMCYA=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpOE_BSOZ1lG-cbBE7Ftjgz9x7ITecMizh-E7GUBmbkfQFFT6wkZjuyeV7PC7kpzXlBvEQ7bJN0sohfQDmK1JDEqi_OzRjlykKM&dfgsdf=2998 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: free.giftofhair.org
Connection: Keep-Alive
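The capture above shows the infection chain only as individual packets: the visit to agreen.com.tr, a request to rydogu.top that carries the Referer of the compromised page and an x-flash-version header, then two requests to free.giftofhair.org with the same long opaque query parameter. The script below is an added example, not part of this page's capture and not a published tool: it parses tcpdump -A style text, reconstructs the chain from the Host and Referer headers, and labels each hop with simple heuristics for this traffic pattern (a long hyphenated pseudo-word path for the gate, index.php with one long opaque parameter for the EK landing page). The embedded input is the five request packets copied from this page with the header-byte lines and most headers dropped; the stage names, regexes and length thresholds are this example's own assumptions, not Rig EK signatures.

```python
import re
from urllib.parse import urlparse

# Constructed input for this example: the five request packets from the
# tcpdump -A capture on this page, keeping the summary line (trimmed after
# the length field), the request line and the headers that matter here.
SAMPLE = """\
2016-08-15 11:35:33.718522 IP 192.168.4.29.50266 > 85.25.209.77.80: Flags [P.], seq 1:249, ack 1, win 16537, length 248
GET / HTTP/1.1
Host: agreen.com.tr

2016-08-15 11:35:34.447936 IP 192.168.4.29.50266 > 85.25.209.77.80: Flags [P.], seq 249:579, ack 393, win 16439, length 330
GET /index.php/tr/ HTTP/1.1
Host: agreen.com.tr
Cookie: c022fb20f86f63211f741215ca2b9328=8b52ln7m1meqlc9ofetro8ieu1

2016-08-15 11:35:37.877847 IP 192.168.4.29.50283 > 85.93.0.12.80: Flags [P.], seq 1:388, ack 1, win 16537, length 387
GET /onkuhinkeeefock-fmrb6nalle-notbc7mp2stltpsnfeeoaao4a-t2acmerkocmdossikpbp4rfe-r9do4dli7rmimdmopefm-ik/ HTTP/1.1
Referer: http://agreen.com.tr/index.php/tr/
x-flash-version: 16,0,0,235
Host: rydogu.top

2016-08-15 11:35:40.635400 IP 192.168.4.29.50286 > 185.158.152.118.80: Flags [P.], seq 1122:1750, ack 51817, win 16243, length 628
GET /index.php?wXqBcrWaLRvMCYA=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpOE_BSOZ1lG-cbBE7Ftjgz9x7ITecMizh-E7GUBmbkfQFFT6wkZjuyeV7PC7kpzXlBxFlvbJN0sohfQDmK1JDEqi_a7RjN-1g HTTP/1.1
Referer: http://free.giftofhair.org/?wXqBcrWaLRvMCYA=l3SKfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8
x-flash-version: 16,0,0,235
Host: free.giftofhair.org

2016-08-15 11:35:41.527237 IP 192.168.4.29.50287 > 185.158.152.118.80: Flags [P.], seq 1:438, ack 1, win 16537, length 437
GET /index.php?wXqBcrWaLRvMCYA=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpOE_BSOZ1lG-cbBE7Ftjgz9x7ITecMizh-E7GUBmbkfQFFT6wkZjuyeV7PC7kpzXlBvEQ7bJN0sohfQDmK1JDEqi_OzRjlykKM&dfgsdf=2998 HTTP/1.1
Host: free.giftofhair.org
"""

PKT_RE = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): ')
REQ_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d$')
# Stage heuristics for this chain; the patterns and thresholds are this example's own choice.
GATE_RE = re.compile(r'^/[a-z0-9]+(?:-[a-z0-9]+){3,}/?$')                     # hyphenated pseudo-word path
LANDING_RE = re.compile(r'^/index\.php\?[A-Za-z]{8,24}=[A-Za-z0-9_-]{100,}')  # one long opaque parameter


def parse_requests(text):
    """One dict per HTTP request found in tcpdump -A style output."""
    reqs, pkt, cur = [], None, None
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:                        # packet summary line: start a new packet
            pkt, cur = m.groupdict(), None
        elif cur is None:            # inside a packet, request line not seen yet
            r = REQ_RE.match(line)
            if r and pkt:
                cur = {**pkt, **r.groupdict(), 'headers': {}}
                reqs.append(cur)
        elif not line.strip():       # blank line ends the header block
            cur = None
        elif ':' in line:
            name, _, value = line.partition(':')
            cur['headers'][name.strip().lower()] = value.strip()
    return reqs


def classify(req, seen_hosts):
    """Label a request by where it sits in the chain (heuristic, example-specific)."""
    host = req['headers'].get('host', '')
    path = urlparse('http://' + host + req['uri']).path
    if LANDING_RE.match(req['uri']):
        return 'ek-followup' if host in seen_hosts else 'ek-landing'
    if len(path) > 80 and GATE_RE.match(path):
        return 'gate'
    if 'referer' not in req['headers'] and host not in seen_hosts:
        return 'entry'
    return 'page'


def redirect_chain(reqs):
    """Walk requests in capture order, linking each hop to its Referer host."""
    chain, seen = [], set()
    for r in reqs:
        host = r['headers'].get('host', '')
        ref = r['headers'].get('referer')
        chain.append({
            'time': r['ts'][11:],
            'server': r['dst'].rsplit('.', 1)[0],             # drop the TCP port
            'host': host,
            'path': r['uri'][:48],
            'ref_host': urlparse(ref).netloc if ref else None,
            'stage': classify(r, seen),
            'flash': r['headers'].get('x-flash-version'),     # present when Flash Player issued the request
        })
        seen.add(host)
    return chain


if __name__ == '__main__':
    for hop in redirect_chain(parse_requests(SAMPLE)):
        print('{time} {stage:<11} {host:<22} {server:<16} from={ref_host} flash={flash} {path}'.format(**hop))
```

Two things the chain output makes easy to miss in the raw dump: the first visible request to free.giftofhair.org starts at seq 1122 on a connection that has already received 51,817 bytes, so the landing page itself was fetched before this excerpt begins, and the follow-up request with the extra numeric parameter goes out on a fresh connection with neither a Referer nor an x-flash-version header. The x-flash-version header is added by the Flash Player plugin to requests it issues, which is why it marks the gate and landing hops here but not the final one.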