Mikey PUP Trojan Adware Downloader CNC PCAP file download Traffic Sample hplaserjetm1136@151_11446.exe

SHA256: e7e729e9d23aeac5ff826c5d3389f5c1cc2982d3d43168e2f5af705709db47da
File name: hplaserjetm1136@151_11446.exe
Detection ratio: 39 / 54
Analysis date: 2016-10-28 01:48:35 UTC
AVG Generic37.CELZ 20161028
AVware Trojan.Win32.Generic!BT 20161027
Ad-Aware Gen:Variant.Application.Mikey.34859 20161028
AegisLab Adware.W32.Agent!c 20161027
AhnLab-V3 PUP/Win32.Installer.R185010 20161027
Antiy-AVL Trojan/Win32.PackedNsisMod.o 20161027
Arcabit Trojan.Application.Mikey.D882B 20161028
Avast Win32:Malware-gen 20161027
BitDefender Gen:Variant.Application.Mikey.34859 20161028
CAT-QuickHeal Heur.Downloader 20161027
ClamAV Win.Trojan.Agent-1726718 20161027
Comodo Application.Win32.NSISmod.~O 20161028
CrowdStrike Falcon (ML) malicious_confidence_100% (D) 20161024
Cyren W32/Mikey.U.gen!Eldorado 20161028
DrWeb Trojan.Winlock.13291 20161028
ESET-NOD32 a variant of Win32/Packed.NSISmod.O suspicious 20161028
F-Prot W32/Mikey.U.gen!Eldorado 20161028
F-Secure Gen:Variant.Application.Mikey 20161028
Fortinet Adware/Agent 20161028


2016-10-27 19:13:52.690393 IP 192.168.1.102.55661 > 61.172.246.236.80: Flags [P.], seq 0:329, ack 1, win 256, length 329: HTTP: GET /cx/160624/6/hplaserjetm1136@151_11446.exe HTTP/1.1
E..qn.@….W…f=….m.Pc.(s..A.P….g..GET /cx/160624/6/hplaserjetm1136@151_11446.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: 1476500920.xiazaidown.com
Connection: Keep-Alive

2016-10-27 19:14:16.551335 IP 192.168.1.102.55664 > 121.43.113.145.80: Flags [P.], seq 0:193, ack 1, win 256, length 193: HTTP: GET /api.php?id=11446[1]&qid=151&rand=52229065361&title=hplaserjetm1136&t=0 HTTP/1.1
E…..@…L….fy+q..p.P..~;.p=LP…:W..GET /api.php?id=11446[1]&qid=151&rand=52229065361&title=hplaserjetm1136&t=0 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: down.xiald.com
Connection: Keep-Alive
Cache-Control: no-cache

2016-10-27 19:14:16.805491 IP 192.168.1.102.55319 > 75.75.75.75.53: 43761+ A? www.drvsky.com. (32)
E..<‘……D…fKKKK…5.(r…………..www.drvsky.com…..
2016-10-27 19:14:16.852510 IP 192.168.1.102.55664 > 121.43.113.145.80: Flags [.], ack 430, win 254, length 0
E..(..@…MN…fy+q..p.P..~..p>.P………….

E..(‘P@……..fy(…q.P>…]..;P….x……..
2016-10-27 19:14:17.354802 IP 192.168.1.102.55665 > 121.40.20.195.80: Flags [P.], seq 0:144, ack 1, win 256, length 144: HTTP: GET /down_api.asp?id=11446 HTTP/1.1
E…’Q@……..fy(…q.P>…]..;P…y…GET /down_api.asp?id=11446 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: www.drvsky.com
Connection: Keep-Alive
Cache-Control: no-cache

2016-10-27 19:14:17.910185 IP 192.168.1.102.55665 > 121.40.20.195.80: Flags [.], ack 937, win 252, length 0
E..(‘R@……..fy(…q.P>…]…P….D……..
2016-10-27 19:14:18.794922 IP 192.168.1.102.55664 > 121.43.113.145.80: Flags [P.], seq 193:396, ack 430, win 254, length 203: HTTP: GET /cfg.php?id=11446[1]&qid=151&rand=52229065361&title=hplaserjetm1136&t=0&flag=1024 HTTP/1.1
E…..@…L….fy+q..p.P..~..p>.P…….GET /cfg.php?id=11446[1]&qid=151&rand=52229065361&title=hplaserjetm1136&t=0&flag=1024 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: down.xiald.com
Connection: Keep-Alive
Cache-Control: no-cache

2016-10-27 19:14:19.088333 IP 192.168.1.102.55664 > 121.43.113.145.80: Flags [.], ack 3350, win 256, length 0
E..(..@…ML…fy+q..p.P…..pJaP………….
2016-10-27 19:14:19.327336 IP 192.168.1.102.55664 > 121.43.113.145.80: Flags [.], ack 6270, win 256, length 0
E..(..@…MK…fy+q..p.P…..pU.P………….

E..({.@….L…f…..r.P..dZ..lpP………….
2016-10-27 19:14:20.661122 IP 192.168.1.102.55666 > 220.243.235.201.80: Flags [P.], seq 0:116, ack 1, win 256, length 116: HTTP: GET /shichangbu/ico/haitao1hao.ico HTTP/1.0
E…{.@……..f…..r.P..dZ..lpP…….GET /shichangbu/ico/haitao1hao.ico HTTP/1.0
Host: down.shg20.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*

2016-10-27 19:19:56.406517 IP 192.168.1.102.55689 > 221.204.226.184.80: Flags [P.], seq 0:224, ack 1, win 256, length 224: HTTP: GET /yunpan/LaserJet_M1130_M1210_All.zip HTTP/1.1
E…..@…o….f…….P.
._&eCdP… y..GET /yunpan/LaserJet_M1130_M1210_All.zip HTTP/1.1
Referer: http://www.drvsky.com/hp/HP_M1136.htm
User-Agent: LXdl_plug-in v15.06.10 (compatible; MSIE 9.0; Windows NT 6.0)
Host: dvip.drvsky.com
Cache-Control: no-cache

2016-10-27 19:19:56.461246 IP 192.168.1.102.55690 > 42.156.140.84.80: Flags [.], ack 3635846172, win 65340, length 0
E..(1.@…O….f*..T…P..N…..P..<……….
2016-10-27 19:19:56.461899 IP 192.168.1.102.55690 > 42.156.140.84.80: Flags [P.], seq 0:374, ack 1, win 65340, length 374: HTTP: GET /stat.htm?id=1256279146&r=&lg=en-us&ntime=none&cnzz_eid=1850689330-1477607248-&showp=1920x1080&t=&h=1&rnd=139741822 HTTP/1.1
E…1.@…Nz…f*..T…P..N…..P..<.F..GET /stat.htm?id=1256279146&r=&lg=en-us&ntime=none&cnzz_eid=1850689330-1477607248-&showp=1920x1080&t=&h=1&rnd=139741822 HTTP/1.1
Accept: */*
Referer: http://xiazai.xiazai2.net/sc/xiazaiqi.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: z4.cnzz.com
Connection: Keep-Alive