Purplehaze Malware Botnet Doing Click Fraud Traffic Sample

By | June 19, 2015

2012-01-30 23:17:47.265333 IP 172.29.0.116.1025 > 75.75.75.75.53: 20155+ A? howtodoitman[.]com. (34)
E..>.E…..B…tKKKK…5.*.vN…………howtodoitman[.]com…..
2012-01-30 23:17:47.284888 IP 75.75.75.75.53 > 172.29.0.116.1025: 20155 1/0/0 A 141.136.16.156 (50)
E@.N..@.9..7KKKK…t.5…:.FN…………howtodoitman[.]com…………..X……
2012-01-30 23:17:47.285176 IP 172.29.0.116.1263 > 141.136.16.156.80: Flags [S], seq 1631912176, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0.F@……..t…….PaE……p……………
2012-01-30 23:17:47.423618 IP 141.136.16.156.80 > 172.29.0.116.1263: Flags [S.], seq 1417974632, ack 1631912177, win 65535, options [mss 1460,sackOK,eol], length 0
E .0..@.6.w……..t.P..T..haE..p……………
2012-01-30 23:17:47.423657 IP 172.29.0.116.1263 > 141.136.16.156.80: Flags [.], ack 1, win 64240, length 0
E..(.G@……..t…….PaE..T..iP…….
2012-01-30 23:17:47.423980 IP 172.29.0.116.1263 > 141.136.16.156.80: Flags [P.], seq 1:101, ack 1, win 64240, length 100
E….H@….n…t…….PaE..T..iP….H..GET /2dQQvEcjAB0hsqq5elNGksvpbKG0WVl2lCxI1g== HTTP/1.0
Host: howtodoitman[.]com
Pragma: no-cache

2012-01-30 23:17:47.565273 IP 141.136.16.156.80 > 172.29.0.116.1263: Flags [.], ack 101, win 65535, length 0
E .(..@.6..A…….t.P..T..iaE.UP….X……..
2012-01-30 23:17:47.572307 IP 141.136.16.156.80 > 172.29.0.116.1263: Flags [P.], seq 1:183, ack 101, win 65535, length 182
E ….@.6……….t.P..T..iaE.UP….=..HTTP/1.1 200 OK
Server: nginx
Date: Tue, 31 Jan 2012 03:17:47 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.8

..g…-…..g…%..v……b1|….A….~..F
2012-01-30 23:17:47.572585 IP 141.136.16.156.80 > 172.29.0.116.1263: Flags [F.], seq 183, ack 101, win 65535, length 0
E .(..@.6.u/…….t.P..T…aE.UP……….M.o
2012-01-30 23:17:47.572627 IP 172.29.0.116.1263 > 141.136.16.156.80: Flags [.], ack 184, win 64058, length 0
E..(.I@……..t…….PaE.UT.. P..:.f..
2012-01-30 23:17:47.573117 IP 172.29.0.116.1263 > 141.136.16.156.80: Flags [F.], seq 101, ack 184, win 64058, length 0
E..(.J@……..t…….PaE.UT.. P..:.e..
2012-01-30 23:17:47.711760 IP 141.136.16.156.80 > 172.29.0.116.1263: Flags [.], ack 102, win 65534, length 0
E .(..@.6.s……..t.P..T.. aE.VP……….=.l
2012-01-30 23:17:48.602793 IP 172.29.0.116.1264 > 141.136.16.156.80: Flags [S], seq 738005285, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0.K@……..t…….P+..%….p……………
2012-01-30 23:17:48.745384 IP 141.136.16.156.80 > 172.29.0.116.1264: Flags [S.], seq 1539689447, ack 738005286, win 65535, options [mss 1460,sackOK,eol], length 0
E .0.]@.6.\……..t.P..[…+..&p….J……….
2012-01-30 23:17:48.745454 IP 172.29.0.116.1264 > 141.136.16.156.80: Flags [.], ack 1, win 64240, length 0
E..(.L@……..t…….P+..&[…P…….
2012-01-30 23:17:48.745841 IP 172.29.0.116.1264 > 141.136.16.156.80: Flags [P.], seq 1:141, ack 1, win 64240, length 140
E….M@….A…t…….P+..&[…P….1..GET /2dQQvEcjAAY75aS8NFIOm9S+OPLnP11vx0IfglyfEbUC0xrmTx1I/TbqPxej75uNL4QG7nijcBm4uLw= HTTP/1.0
Host: howtodoitman[.]com
Pragma: no-cache

2012-01-30 23:17:48.902072 IP 141.136.16.156.80 > 172.29.0.116.1264: Flags [.], ack 141, win 65535, length 0
E .(..@.6..3…….t.P..[…+…P………..T.
2012-01-30 23:17:48.912641 IP 141.136.16.156.80 > 172.29.0.116.1264: Flags [P.], seq 1:251, ack 141, win 65535, length 250
E ."..@.6..8…….t.P..[…+…P…<;..HTTP/1.1 200 OK
Server: nginx
Date: Tue, 31 Jan 2012 03:17:49 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.8

2012-01-30 23:17:49.072057 IP 172.29.0.116.1265 > 141.136.16.156.80: Flags [P.], seq 1:97, ack 1, win 64240, length 96
E….R@….h…t…….P.fK.PI.hP…# ..GET /dbk1x31ngkuv63yct8bcfna548ran7ac20ca HTTP/1.0
Host: howtodoitman[.]com
Pragma: no-cache

2012-01-30 23:17:49.207190 IP 141.136.16.156.80 > 172.29.0.116.1265: Flags [.], ack 97, win 65535, length 0
E .(..@.6..0…….t.P..PI.h.fK.P…………

2012-01-30 23:17:49.207512 IP 141.136.16.156.80 > 172.29.0.116.1265: Flags [FP.], seq 1:372, ack 97, win 65535, length 371
E ….@.6.Sj…….t.P..PI.h.fK.P…,…HTTP/1.1 200 OK
Server: nginx
Date: Tue, 31 Jan 2012 03:17:49 GMT
Content-Type: application/octet-stream
Content-Length: 152
Last-Modified: Sat, 28 Jan 2012 17:06:42 GMT
Connection: close
Accept-Ranges: bytes

/o…Fn……V.Z…..`.x….[#…._..z…T…Tt..h..\.&…A…f*O….F.|……f…….1&b..y._8.!…..$……g..W/m}/…J……{.UqI..F.y”….9Qn.P…..
2012-01-30 23:17:49.207547 IP 172.29.0.116.1265 > 141.136.16.156.80: Flags [.], ack 373, win 63869, length 0
E..(.S@……..t…….P.fK.PI..P..}….
2012-01-30 23:17:49.207905 IP 172.29.0.116.1265 > 141.136.16.156.80: Flags [F.], seq 97, ack 373, win 63869, length 0
E..(.T@……..t…….P.fK.PI..P..}….
2012-01-30 23:17:49.344513 IP 141.136.16.156.80 > 172.29.0.116.1265: Flags [.], ack 98, win 65534, length 0
E .(.6@.6.Q……..t.P..PI…fK.P….a……..
2012-01-30 23:19:34.299346 IP 172.29.0.116.138 > 172.29.0.255.138: NBT UDP PACKET(138)
E….U………t……….&….E…t…… FIFAFDFADDCNFCDJDDCNEPEGEDDCDACA. ENFDEIEPENEFCACACACACACACACACABO..SMB%…………………………!……………….!.V………2.\MAILSLOT\BROWSE…..
.XPSP3-R93-OFC20………U..
2012-01-30 23:19:57.147236 IP 172.29.0.1.1144 > 172.29.0.116.2869: Flags [R], seq 103747874, win 0, length 0
E..(. ….U……..t.x.5./."….P…03…..<.]
2012-01-30 23:20:17.298192 IP 172.29.0.116.1025 > 75.75.75.75.53: 56675+ A? x-web[.]in. (26)
E..6.V…..9…tKKKK…5.”.*.c………..x-web[.]in…..
2012-01-30 23:20:17.331255 IP 75.75.75.75.53 > 172.29.0.116.1025: 56675 1/0/0 A 178.238.233.156 (42)
E@.F..@.9..?KKKK…t.5…2.V.c………..x-web[.]in…………………
2012-01-30 23:20:17.331642 IP 172.29.0.116.1266 > 178.238.233.156.80: Flags [S], seq 1952802107, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0.W@….T…t…….Ptee;….p…`/……….
2012-01-30 23:20:17.451434 IP 178.238.233.156.80 > 172.29.0.116.1266: Flags [S.], seq 1406441824, ack 1952802108, win 65535, options [mss 1460,sackOK,eol], length 0
E .04W@./..4…….t.P..S..`tee 178.238.233.156.80: Flags [.], ack 1, win 64240, length 0
E..(.X@….[…t…….Ptee 178.238.233.156.80: Flags [P.], seq 1:218, ack 1, win 64240, length 217
E….Y@……..t…….Ptee 172.29.0.116.1266: Flags [.], ack 218, win 65535, length 0
E .(.Z@./..9…….t.P..S..atef.P……….!9.
2012-01-30 23:20:27.216696 IP 172.29.0.116.138 > 172.29.0.255.138: NBT UDP PACKET(138)
E….Z………t……………G…t…… FIFAFDFADDCNFCDJDDCNEPEGEDDCDAAA. ABACFPFPENFDECFCEPFHFDEFFPFPACAB..SMB%…………………………0……………….0.V………A.\MAILSLOT\BROWSE…….MSHOME….`….0.
…..0..XPSP3-R93-OFC20.
2012-01-30 23:20:29.806382 IP 178.238.233.156.80 > 172.29.0.116.1266: Flags [P.], seq 1:1369, ack 218, win 65535, length 1368
E …,@./……….t.P..S..atef.P…….HTTP/1.1 200 OK
Server: nginx
Date: Tue, 31 Jan 2012 03:20:30 GMT
Content-Type: text/plain
Connection: close
Content-Length: 1165
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache

http://x-web[.]in/37f80bba0438ea34fadb74cdf4c0b0e1ca440e76/aa60d7185ae5b4d0c9a111589ff82a026ab35bf8/4d5fdfd68fd6c46240f5b20124e67d0f222447ef/|http://getnewzshop[.]com/search?q=bbb+recommended+work+at+home+business+make+money+online&button=Search|1|40
http://x-web[.]in/37f80bba0438ea34fadb74cdf4c0b0e1ca440e76/b1c23e879f68f57d133acdda81071e7ed2747456/110d449cc1d1a89402010ff8592d3451f53a66a1/|http://discoverwebsearch.net/search?q=cheap+insurance+auto&button=Search|1|40
http://x-web[.]in/37f80bba0438ea34fadb74cdf4c0b0e1ca440e76/aa60d7185ae5b4d0c9a111589ff82a026ab35bf8/63403eaad10ed0a5171d55f86f0c4dd17127180e/|http://getnewzshop[.]com/search?q=bbb+recommended+work+at+home+business+make+money+online&button=S
2012-01-30 23:20:29.932079 IP 172.29.0.116.1267 > 178.238.233.156.80: Flags [P.], seq 1:218, ack 1, win 64240, length 217
E…._@….{…t…….P;2.. ..mP…….GET /Y2x8MS42fDZmZjg0MjRmODFlYmNjOTc3YzFkZjIxZjk3ZGRlNjdmfDE2MQ== HTTP/1.0
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
Host: x-web[.]in
Pragma: no-cache

2012-01-30 23:20:32.883531 IP 172.29.0.116.1267 > 178.238.233.156.80: Flags [P.], seq 1:218, ack 1, win 64240, length 217
E….`@….z…t…….P;2.. ..mP…….GET /Y2x8MS42fDZmZjg0MjRmODFlYmNjOTc3YzFkZjIxZjk3ZGRlNjdmfDE2MQ== HTTP/1.0
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
Host: x-web[.]in
Pragma: no-cache

2012-01-30 23:20:33.001352 IP 178.238.233.156.80 > 172.29.0.116.1267: Flags [.], ack 218, win 65535, length 0
E .(.5@./..^…….t.P.. ..m;2 .P….d….F3.)
2012-01-30 23:20:35.913869 IP 172.29.0.116.1025 > 75.75.75.75.53: 32608+ A? webbrowser.hsd1.va[.]comcast.net. (48)
E..L.a………tKKKK…5.8W..`……….
webbrowser.hsd1.va[.]comcast.net…..
2012-01-30 23:20:35.919894 IP 172.29.0.116.1269 > 75.75.75.75.53: 46182+ A? discoverfindsearch.net. (40)
E..D.b………tKKKK…5.0I..f………..discoverfindsearch.net…..
2012-01-30 23:20:35.948686 IP 75.75.75.75.53 > 172.29.0.116.1269: 46182 1/0/0 A 213.174.149.74 (56)
E@.T..@.9..1KKKK…t.5…@.p.f………..discoverfindsearch.net………………..J
2012-01-30 23:20:35.949282 IP 172.29.0.116.1270 > 213.174.149.74.80: Flags [S], seq 2807491464, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0.c@……..t…J…P.V……p….~……….
2012-01-30 23:20:35.954638 IP 75.75.75.75.53 > 172.29.0.116.1025: 32608 NXDomain 0/1/0 (128)
E@….@.9…KKKK…t.5….kN.`……….
webbrowser.hsd1.va[.]comcast.net…………..X.D.dns1[.]inflow.pa.bo…dnsadmin.cable[.]comcast[.]com.. 75.75.75.75.53: 61902+ A? webbrowser.hsd1.va[.]comcast.net. (48)
E..L.e………tKKKK…5.8.[…………
webbrowser.hsd1.va[.]comcast.net…..
2012-01-30 23:20:35.969918 IP 213.174.149.74.80 > 172.29.0.116.1270: Flags [S.], seq 2999375404, ack 2807491465, win 5840, options [mss 1460], length 0
E .,..@.7.,”…J…t.P…..,.V..`…H………
2012-01-30 23:20:35.969944 IP 172.29.0.116.1270 > 213.174.149.74.80: Flags [.], ack 1, win 64240, length 0
E..(.f@……..t…J…P.V…..-P…|>..
2012-01-30 23:20:35.970258 IP 172.29.0.116.1270 > 213.174.149.74.80: Flags [P.], seq 1:412, ack 1, win 64240, length 411
E….g@….C…t…J…P.V…..-P….3..GET /search?q=credit+counseling+and+debt+management&button=Search HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
Host: discoverfindsearch.net
Connection: Keep-Alive

2012-01-30 23:20:35.970499 IP 75.75.75.75.53 > 172.29.0.116.1269: 61902 NXDomain 0/1/0 (128)
E@….@.9…KKKK…t.5………………
webbrowser.hsd1.va[.]comcast.net…………….D.dns1[.]inflow.pa.bo…dnsadmin.cable[.]comcast[.]com.. 178.238.233.156.80: Flags [P.], seq 1:562, ack 1, win 64240, length 561
E..Y.n@……..t…….PvU…’..P…….GET /37f80bba0438ea34fadb74cdf4c0b0e1ca440e76/83e099dccf114b30faa1b21c96cb0064b9e78739/d28fb94202e89d2597e59fe380c422508530b353/ HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://discoverfindsearch.net/search?q=credit+counseling+and+debt+management&button=Search
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
Host: x-web[.]in
Connection: Keep-Alive

2012-01-30 23:20:36.566984 IP 178.238.233.156.80 > 172.29.0.116.1271: Flags [.], ack 562, win 65535, length 0
E .(..@./……….t.P…’..vU..P………….
2012-01-30 23:20:36.591203 IP 178.238.233.156.80 > 172.29.0.116.1271: Flags [P.], seq 1:594, ack 562, win 65535, length 593
E .y..@./……….t.P…’..vU..P…=?..HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Tue, 31 Jan 2012 03:20:36 GMT
Connection: keep-alive
Content-Length: 0
Location: http://184.171.169.130/click.php?c=94d4a08c40c27344eea3f7f5804cdd0d27cc6063f31b6cd14612ebdf96b7d9de89a208c08c37c6afade79b949b03349a7464e130a99e02a760a6157fb29ffc23932d0c1e8434c3ed140fc7a7d2451194bb238c558d73ba77d6d6629d70260d788482b9547b6a6861b24a11d4ace5b9f93d4e7f6ee3db93fdd3f92c66dd41a212af411ccde38cea7f8b32bc269cdd0a48e5c13b28a7a1ae4778d16c706a8d0eb3ffacc45913b574f4eda9162ed7391208
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache

2012-01-30 23:20:36.592479 IP 172.29.0.116.1272 > 184.171.169.130.80: Flags [S], seq 1261710618, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0.p@……..t…….PK4-…..p……………
2012-01-30 23:20:36.681869 IP 184.171.169.130.80 > 172.29.0.116.1272: Flags [S.], seq 3136750431, ack 1261710619, win 5840, options [mss 1460], length 0
E .,..@.r……….t.P….._K4-.`…6…….t.
2012-01-30 23:20:36.681905 IP 172.29.0.116.1272 > 184.171.169.130.80: Flags [.], ack 1, win 64240, length 0
E..(.r@……..t…….PK4-….`P…j5..
2012-01-30 23:20:36.682264 IP 172.29.0.116.1272 > 184.171.169.130.80: Flags [P.], seq 1:810, ack 1, win 64240, length 809
E..Q.s@….t…t…….PK4-….`P…’}..GET /click.php?c=94d4a08c40c27344eea3f7f5804cdd0d27cc6063f31b6cd14612ebdf96b7d9de89a208c08c37c6afade79b949b03349a7464e130a99e02a760a6157fb29ffc23932d0c1e8434c3ed140fc7a7d2451194bb238c558d73ba77d6d6629d70260d788482b9547b6a6861b24a11d4ace5b9f93d4e7f6ee3db93fdd3f92c66dd41a212af411ccde38cea7f8b32bc269cdd0a48e5c13b28a7a1ae4778d16c706a8d0eb3ffacc45913b574f4eda9162ed7391208 HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://discoverfindsearch.net/search?q=credit+counseling+and+debt+management&button=Search
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
Host: 184.171.169.130
Connection: Keep-Alive
