Sunnyday.exe prof.youandmeandmeandyouhihi.com sun21-SunnyDay21 Adware/PUP PCAP file download

https://www.virustotal.com/cs/file/735d2f25819f9fac7d227df01dc76fc851f5719befdf05cec6cb3d4f3dedea16/analysis/

 

2016-09-20 10:18:21.400542 IP 192.168.1.102.59888 > 192.168.1.100.80: Flags [P.], seq 1:339, ack 1, win 256, length 338: HTTP: GET /captured/sunnyday.exe HTTP/1.1
GET /captured/sunnyday.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Referer: http://192.168.1.100/captured/
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: 192.168.1.100
Connection: Keep-Alive
2016-09-20 10:18:21.400562 IP 192.168.1.100.80 > 192.168.1.102.59888: Flags [.], ack 339, win 237, length 0

/GROUP="folder name"
Overrides the default folder name.
/NOICONS
Instructs Setup to initially check the "Don't create a Start Menu folder" check box.
/TYPE=type name
Overrides the default setup type.
/COMPONENTS="comma separated list of component names"
Overrides the default component settings.
/TASKS="comma separated list of task names"
Specifies a list of tasks that should be initially selected.
/MERGETASKS="comma separated list of task names"
Like the /TASKS parameter, except the specified tasks will be merged with the set of tasks that would have otherwise been selected by default.
/PASSWORD=password
Specifies the password to use.

2016-09-20 10:18:26.303858 IP 192.168.1.102.59889 > 37.187.148.135.80: Flags [P.], seq 0:267, ack 1, win 256, length 267: HTTP: GET /cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US HTTP/1.1
GET /cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: prof.eorezo.com
Connection: Keep-Alive

2016-09-20 10:18:26.847957 IP 192.168.1.102.59890 > 37.187.152.38.80: Flags [P.], seq 0:313, ack 1, win 256, length 313: HTTP: GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=243783&tag=EN_SUNTR0021_INSTALL_INI HTTP/1.1
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=243783&tag=EN_SUNTR0021_INSTALL_INI HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
2016-09-20 10:18:26.948618 IP 192.168.1.102.59890 > 37.187.152.38.80: Flags [.], ack 882, win 253, length 0
2016-09-20 10:18:26.948952 IP 192.168.1.102.59890 > 37.187.152.38.80: Flags [F.], seq 313, ack 882, win 253, length 0

2016-09-20 10:18:41.953408 IP 192.168.1.102.54120 > 75.75.75.75.53: 49292+ A? upd.adskyforever.com. (38)
2016-09-20 10:18:42.062375 IP 192.168.1.102.59891 > 37.187.148.115.443: Flags [S], seq 4021469691, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-09-20 10:18:42.170135 IP 192.168.1.102.59891 > 37.187.148.115.443: Flags [.], ack 3742442964, win 256, length 0
2016-09-20 10:18:42.254381 IP 192.168.1.102.59892 > 37.187.137.144.80: Flags [S], seq 2715376251, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-09-20 10:18:42.357303 IP 192.168.1.102.59892 > 37.187.137.144.80: Flags [.], ack 3195019341, win 256, length 0
2016-09-20 10:18:42.359252 IP 192.168.1.102.59892 > 37.187.137.144.80: Flags [P.], seq 0:661, ack 1, win 256, length 661: HTTP: POST /cgi-bin/get_protect.cgi HTTP/1.1
POST /cgi-bin/get_protect.cgi HTTP/1.1
x-spidermessenger-crypted: 2
x-spidermessenger-crc32: 564053523
x-spidermessenger-length: 280
Content-Type: text/*
User-Agent: sun21-SunnyDay21
Host: prof.youandmeandmeandyouhihi.com
Content-Length: 384
Cache-Control: no-cache

ujXl2iaEv38JRlMCJUzLFCyglD0cQAQgE6EF56dWsz5OEBIEPEaaQ4ORDT3wc9vQbsZQLvQLyIGIKjW%2Fl4u3fdbbAMvHSB3Y8rHY6C15iy1v4T3HVwJHvnfvkcvsRH%2FwMwmTE0grv4DsJ%2ByvnMOf49J6q1ePUb8IejjsoHzBt3u6zWDwi57jEdnwDanJbVR9%2FQ6kiGKgMRlYm2VATvtoIPwOsfUNWl0vWIBN8Jv1l6GqoQPzbIlQ4uX3CXq8t%2FnKFQ7kEVKn5oNci4Y0sfo1q0BbvLIMKOaMK6sGeLo5UICfltdHo%2B9ssCpVT%2Bma9qjXa7dja%2B0DdQvaC3%2FGKqQvs0dJO4HHmNY7YgcwTVx6wDg%3D

2016-09-20 10:18:43.037249 IP 192.168.1.102.59891 > 37.187.148.115.443: Flags [F.], seq 811, ack 3699, win 252, length 0
2016-09-20 10:18:44.107324 IP 192.168.1.102.54121 > 75.75.75.75.53: 34602+ A? ads.regiedepub.com. (36)
2016-09-20 10:18:44.404854 IP 192.168.1.102.59893 > 151.80.21.143.80: Flags [S], seq 2009014193, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-09-20 10:18:44.513032 IP 192.168.1.102.59893 > 151.80.21.143.80: Flags [.], ack 2104602066, win 256, length 0
2016-09-20 10:18:44.513610 IP 192.168.1.102.59893 > 151.80.21.143.80: Flags [P.], seq 0:313, ack 1, win 256, length 313: HTTP: GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=243783&tag=EN_SUNTR0021_INSTALL_F11 HTTP/1.1
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=243783&tag=EN_SUNTR0021_INSTALL_F11 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
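As an added example (not part of the original capture or of the adware's own code), a small Python detector that parses the HTTP requests captured above, reconstructed as raw request text from the headers shown, and reports which of the page's indicators each one matches: the get_protect.cgi and settags beacon paths, the sun21-SunnyDay21 and WinHttpRequest user-agents, the x-spidermessenger-* headers and the EN_SUNTR install tags. The rule names, the sample request strings and the placeholder POST body are assumptions constructed for the example.

```python
"""Added example, not from the page: flag the SunnyDay/EoRezo beacons shown in this capture."""
import re
from urllib.parse import parse_qs, urlsplit

BEACON_PATHS = ("/cgi-bin/get_protect.cgi", "/cgi-bin/advert/settags")
# sun21-SunnyDay21 is specific; the WinHttpRequest string is noisy on its own.
SUSPICIOUS_UA = re.compile(r"^sun21-SunnyDay21$|WinHttp\.WinHttpRequest\.5")
CUSTOM_HDR = "x-spidermessenger-"

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def classify(raw):
    """Return the indicators one request matches; an empty list means clean."""
    method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    hits = []
    if url.path in BEACON_PATHS:
        hits.append("beacon-path:" + url.path)
    ua = headers.get("user-agent", "")
    if SUSPICIOUS_UA.search(ua):
        hits.append("user-agent:" + ua)
    custom = sorted(h for h in headers if h.startswith(CUSTOM_HDR))
    if custom:
        hits.append("custom-headers:" + ",".join(custom))
    # crypted=2 on a POST carrying an opaque body is the encrypted check-in.
    if method == "POST" and headers.get(CUSTOM_HDR + "crypted") == "2" and body:
        hits.append("encrypted-body")
    tag = parse_qs(url.query).get("tag", [""])[0]
    if tag.startswith("EN_SUNTR"):
        hits.append("install-tag:" + tag)
    return hits

# Constructed from the captured headers; the POST body is a placeholder, not the real blob.
CHECKIN = ("POST /cgi-bin/get_protect.cgi HTTP/1.1\r\n"
           "x-spidermessenger-crypted: 2\r\nx-spidermessenger-crc32: 564053523\r\n"
           "x-spidermessenger-length: 280\r\nUser-Agent: sun21-SunnyDay21\r\n"
           "Host: prof.youandmeandmeandyouhihi.com\r\n\r\nPLACEHOLDER_ENCRYPTED_BLOB")
SETTAGS = ("GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203"
           "&x_pub_id=243783&tag=EN_SUNTR0021_INSTALL_INI HTTP/1.1\r\n"
           "User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\n"
           "Host: ads.regiedepub.com\r\n\r\n")
```

Feed each reassembled request from a capture to classify(); the initial download from 192.168.1.100 returns an empty list, while the check-in and the ad-tag request return the indicator names above.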