pantsoff.exe PUP/Adware/Trojan Downloader Bundler PCAP file download traffic analysis sample

SHA256: d3d6d041ebabc9a9dcf6758a9fa0173bbc5df5de556338bb86a687762866d0f1
File name: pantsoff.exe
Detection ratio: 40 / 56
Analysis date: 2016-10-26 21:50:07 UTC

AVG Generic.9E1 20161026
AVware DownloadSponsor (fs) 20161026
Ad-Aware Gen:Variant.Application.Bundler.DownloadGuide.24 20161026
AegisLab Win.Troj.Downloaderguide.mDg6 20161026
AhnLab-V3 PUP/Win32.DownloaderGuide.R189455 20161026
Antiy-AVL GrayWare[AdWare]/Win32.DownloadGuide.dd 20161026
Arcabit Trojan.Application.Bundler.DownloadGuide.24 20161026
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9971 20161026
BitDefender Gen:Variant.Application.Bundler.DownloadGuide.24 20161026
Bkav W32.HfsAdware.C530 20161026
CAT-QuickHeal PUA.Freemiumgm2.Gen 20161026
CrowdStrike Falcon (ML) malicious_confidence_100% (D) 20160725
Cyren W32/S-58b25de1!Eldorado

2016-10-26 00:23:13.106483 IP 192.168.1.102.61941 > 72.21.81.200.80: Flags [P.], seq 0:349, ack 1, win 256, length 349: HTTP: GET /downloadguides/e7e12d9d-a7b9-4e36-b817-cc60754ae4b1/pantsoff.exe HTTP/1.1
GET /downloadguides/e7e12d9d-a7b9-4e36-b817-cc60754ae4b1/pantsoff.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: az745681.vo.msecnd.net
Connection: Keep-Alive

2016-10-26 00:23:27.627080 IP 192.168.1.102.61945 > 104.41.149.192.80: Flags [P.], seq 0:464, ack 1, win 258, length 464: HTTP: POST /config-from-production HTTP/1.1
POST /config-from-production HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: dlg-configs.buzzrin.de
Content-Length: 219
Connection: Close

{"os":"WinNT","osver":"5.1.2600 (Service Pack 3) SP: 3.0","lang":"en-US","uid":"da241859-9514-46c3-a53f-4844ae058212","prod":"soft-warenet/1.0/campaigns/product+website/","expiresOn":"2116-10-24T00:08:15.2354762+00:00"}
2016-10-26 00:23:27.669270 IP 192.168.1.102.61945 > 104.41.149.192.80: Flags [.], ack 1461, win 258, options [nop,nop,sack 1 {2921:4381}], length 0
2016-10-26 00:23:27.933381 IP 192.168.1.102.61946 > 72.21.81.200.80: Flags [P.], seq 0:283, ack 1, win 256, length 283: HTTP: GET /public-source/downloadguide/soft-warenet/1.0/en-us/campaigns/product+website/ui/soft-warenet-flow-5-text-en-us.zip HTTP/1.1
GET /public-source/downloadguide/soft-warenet/1.0/en-us/campaigns/product+website/ui/soft-warenet-flow-5-text-en-us.zip HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: az687722.vo.msecnd.net
Connection: Close

2016-10-26 00:23:27.948807 IP 192.168.1.102.61947 > 72.21.81.200.80: Flags [.], ack 1140373948, win 256, length 0
2016-10-26 00:23:27.949530 IP 192.168.1.102.61947 > 72.21.81.200.80: Flags [P.], seq 0:257, ack 1, win 256, length 257: HTTP: GET /public-source/downloadguide/soft-warenet/1.0/en-us/campaigns/product+website/ui/last.zip HTTP/1.1
GET /public-source/downloadguide/soft-warenet/1.0/en-us/campaigns/product+website/ui/last.zip HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: az687722.vo.msecnd.net
Connection: Close

2016-10-26 00:23:28.162877 IP 192.168.1.102.61948 > 104.40.188.185.80: Flags [P.], seq 0:605, ack 1, win 258, length 605: HTTP: POST /1/dg/3 HTTP/1.1
POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: dlg-messages.buzzrin.de
Content-Length: 375
Connection: Close

{"BuildId":"e7e12d9d-a7b9-4e36-b817-cc60754ae4b1","Client":"freemium","DlgVersion":"3.1.0.201","Culture":"en-US","LocalTime":"2016-10-26T04:22:21-04:00","SessionId":"1b0cc8c4-e6ee-4d5c-bcda-a6b0baf9d3e9","MessageName":"ApplicationStarted","Product":"soft-warenet","ProductVersion":"1.0","Region":"en-us","Campaign":"product+website","Offer":"","TrackBackUrl":"","SubId":null}
2016-10-26 00:23:28.186473 IP 192.168.1.102.61946 > 72.21.81.200.80: Flags [.], ack 7301, win 256, length 0
2016-10-26 00:23:28.452450 IP 192.168.1.102.61949 > 104.40.188.185.80: Flags [P.], seq 0:640, ack 1, win 258, length 640: HTTP: POST /1/dg/3 HTTP/1.1
POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: dlg-messages.buzzrin.de
Content-Length: 410
Connection: Close

{"BuildId":"e7e12d9d-a7b9-4e36-b817-cc60754ae4b1","Client":"freemium","DlgVersion":"3.1.0.201","Culture":"en-US","LocalTime":"2016-10-26T04:22:21-04:00","SessionId":"1b0cc8c4-e6ee-4d5c-bcda-a6b0baf9d3e9","MessageName":"RequirementsCheckStarted","Product":"soft-warenet","ProductVersion":"1.0","Region":"en-us","Campaign":"product+website","Offer":"irismedia/interstat/1.0/en-us","TrackBackUrl":"","SubId":null}
2016-10-26 00:23:28.575984 IP 192.168.1.102.61949 > 104.40.188.185.80: Flags [.], ack 171, win 258, length 0
2016-10-26 00:23:28.711366 IP 192.168.1.102.61950 > 104.40.188.185.80: Flags [P.], seq 0:639, ack 1, win 258, length 639: HTTP: POST /1/dg/3 HTTP/1.1
POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: dlg-messages.buzzrin.de
Content-Length: 409
Connection: Close

{"BuildId":"e7e12d9d-a7b9-4e36-b817-cc60754ae4b1","Client":"freemium","DlgVersion":"3.1.0.201","Culture":"en-US","LocalTime":"2016-10-26T04:22:21-04:00","SessionId":"1b0cc8c4-e6ee-4d5c-bcda-a6b0baf9d3e9","MessageName":"RequirementsCheckFailed","Product":"soft-warenet","ProductVersion":"1.0","Region":"en-us","Campaign":"product+website","Offer":"irismedia/interstat/1.0/en-us","TrackBackUrl":"","SubId":null}
2016-10-26 00:23:28.812279 IP 192.168.1.102.61941 > 72.21.81.200.80: Flags [.], ack 557319, win 815, length 0

2016-10-26 00:24:44.504028 IP 192.168.1.102.61976 > 104.239.247.99.80: Flags [P.], seq 0:300, ack 1, win 256, length 300: HTTP: GET /pages/SWDE/SWTYP.html HTTP/1.1
GET /pages/SWDE/SWTYP.html HTTP/1.1
Host: piroga.space
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive