Nuclear Exploit Kit Variant 2015 Traffic Analysis

By | June 17, 2015

2015-04-09 14:07:19.244262 IP 192.168.122.89.49227 > 108.61.188.200.80: Flags [P.], seq 1:588, ack 1, win 16404, length 587
E..s..@....m..zYl=...K.P..<.:.eJP.@.)...GET /VVgGCR4KB0wL.html HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://fdsvmfkldv[.]com/index.html?t=a933392c823b24acd8ef64e57c4dd54b
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: ambasawild[.]ga
Connection: Keep-Alive

2015-04-09 14:07:19.405816 IP 108.61.188.200.80 > 192.168.122.89.49227: Flags [.], ack 588, win 493, length 0
E..(..@.5.65l=....zY.P.K:.eJ..?.P.......
2015-04-09 14:07:19.486930 IP 108.61.188.200.80 > 192.168.122.89.49227: Flags [.], seq 1:1368, ack 588, win 493, length 1367
E.....@.5.0.l=....zY.P.K:.eJ..?.P...7...HTTP/1.1 200 OK
Server: nginx
Date: Thu, 09 Apr 2015 18:07:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.33

f53


kbBXxwSJD MrxVaTZ oylLzI pKUnXnfy Vwl koF dDFGWeTq MCc oMXLzuzft vpaDuOJf PlCj natadV
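As an added example (editor's code, not part of the original post), the request above re-typed in tcpdump -A layout and a small checker that pulls out the traits visible in it: the random-looking landing path, the cross-site Referer carrying a 32-hex token, the defanged Host on a free ccTLD and the legacy Internet Explorer user agent. The trait list is this editor's heuristic for triaging similar captures, not a published signature; the sample is abridged and constructed from the page.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed from the capture above (Accept and User-Agent abridged).
SAMPLE = """GET /VVgGCR4KB0wL.html HTTP/1.1
Accept: application/x-ms-application, image/jpeg, */*
Referer: http://fdsvmfkldv[.]com/index.html?t=a933392c823b24acd8ef64e57c4dd54b
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: ambasawild[.]ga
Connection: Keep-Alive
"""

def defang(s):
    # Analysts write hosts as example[.]com; restore the dot for parsing only.
    return s.replace("[.]", ".")

def parse_request(raw):
    """Split a raw HTTP request into method, path and a lower-cased header dict."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}

def landing_page_indicators(req):
    """Heuristic traits (editor's assumption) seen in this capture; returns the hits."""
    hits = []
    h = req["headers"]
    host = defang(h.get("host", ""))
    # Single path segment of 10-16 mixed-case alphanumerics ending in .html
    if re.fullmatch(r"/[A-Za-z0-9]{10,16}\.html", req["path"]):
        hits.append("random-looking landing path")
    ref = urlparse(defang(h.get("referer", "")))
    if ref.hostname and ref.hostname != host:
        hits.append("cross-site referer from " + ref.hostname)
    # The redirecting page passed a 32-character lowercase hex token as ?t=
    if any(re.fullmatch(r"[0-9a-f]{32}", v) for v in parse_qs(ref.query).get("t", [])):
        hits.append("32-hex token in referer query")
    if host.endswith(".ga"):
        hits.append("host on free .ga ccTLD")
    ua = h.get("user-agent", "")
    if "MSIE" in ua and "Trident" in ua:
        hits.append("legacy Internet Explorer user agent")
    return hits
```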