RIG Exploit Kit Malware Traffic Sample Vector

June 18, 2015

2015-02-06 12:17:55.655135 IP 192.168.138.158.49166 > 46.182.30.163.80: Flags [P.], seq 1:609, ack 1, win 64240, length 608
E….3@…^…………P.. .|.}3P…….GET /?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|MzE1MWY4MjZhOTZhYTU4NDAwNDhmZjQ4ZjQwNTI0NDU HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: booster.daily-mood-booster[.]com
Connection: Keep-Alive

2015-02-06 12:17:55.655185 IP 46.182.30.163.80 > 192.168.138.158.49166: Flags [.], ack 609, win 64240, length 0
E..(._……………P..|.}3…)P….W……..
2015-02-06 12:17:57.261526 IP 46.182.30.163.80 > 192.168.138.158.49166: Flags [P.], seq 1:1356, ack 609, win 64240, length 1355
E..s.`……………P..|.}3…)P…t…HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Fri, 06 Feb 2015 16:17:51 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.4-14+deb7u14
Vary: Accept-Encoding
Content-Encoding: gzip

1f34

2015-02-06 12:17:58.055207 IP 46.182.30.163.80 > 192.168.138.158.49166: Flags [P.], seq 70564:71884, ack 609, win 64240, length 1320
E..P…….r………P..|……)P…”…>.0@..f.
….CzX.v……B-..$P.PLj…….&SO……..v`…{..U……….Z:a.7B….h……..O8vw5.bi.L…..\…….s…..O.3Qx..i_7..s….9..l\..q..N.K..Ym……’….+….q.n……5.-p…L…V..,8g.Q1…b.K….hL..k,…..Y……….uk…….4s…?.b../*_K.!B….;9……g..l!.”..b.P\1 ..[..>…..Z{..vP.R.ej.pA..r,W…];…..-d..q.R..v.c….lm4….%..+…l.3D.2.#/..(mnvX8..:.O…..v……4….S….z}.8Zm..!.ji.Pp…&…O.7`.W…q:D.?………..Y…R.-].{..[..-.$…[).Z.+.b..n……..n……..U..Y+;.7 .O….v…..V.b.d_…..N…..#Gz..I.{…_…%….-y
.0….f../.q……)Rz~ ..
.Iw…..w.U……/..k………….(y.{….O.rp….=yi…….$……&X$.2..|…f…..:…….,”…B..r……k..x.w.l..p………4…./>O….e…>~..g……………..x…._………..~xw…/………..7…/………..8……,….(…|…oo…………w……?…….c7..k………O.U.W..y…?………9…..R..……~……..2.._.f..??….y……o……_……
..|f._~….?.?…………./>……/…….Ka…..i…f.x3…o………………….?….w.}~^…~…………..?~….o._………..=…?|…..>……w…x..o….y…../….}{|s..?…./.~…O……..?}|…_}….7…..{…………y.|<.~]..~{..7............../o??...o....?|..................?.?RB..;... 0
2015-02-06 12:17:58.057942 IP 192.168.138.158.49166 > 46.182.30.163.80: Flags [.], ack 71884, win 39885, length 0
E..(.J@…`…………P…)|…P………….
2015-02-06 12:18:00.208788 IP 192.168.138.158.49166 > 46.182.30.163.80: Flags [.], ack 71884, win 64240, length 0
E..(.L@…`…………P…)|…P………….
2015-02-06 12:18:00.209943 IP 192.168.138.158.49166 > 46.182.30.163.80: Flags [P.], seq 609:1031, ack 71884, win 64240, length 422
E….M@…_=………..P…)|…P…~…GET /index.php?req=mp3&num=81&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu%7CMzE1MWY4MjZhOTZhYTU4NDAwNDhmZjQ4ZjQwNTI0NDU HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: booster.daily-mood-booster[.]com
Connection: Keep-Alive

2015-02-06 12:18:00.209988 IP 46.182.30.163.80 > 192.168.138.158.49166: Flags [.], ack 1031, win 64240, length 0
E..(……………..P..|…….P…~………
2015-02-06 12:18:02.824202 IP 46.182.30.163.80 > 192.168.138.158.49166: Flags [P.], seq 71884:73239, ack 1031, win 64240, length 1355
E..s…….L………P..|…….P…y]..HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Fri, 06 Feb 2015 16:17:57 GMT
Content-Type: application/x-msdownload
Content-Length: 294912
Connection: keep-alive
X-Powered-By: PHP/5.4.4-14+deb7u14
Accept-Ranges: bytes
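
The capture above shows two requests on one keep-alive connection: a landing-page GET whose PHPSSESID value has the shape `<alphanumeric id>|<base64 token>` (the pipe is sent literally the first time and as `%7C` the second), and a follow-up GET with `req=mp3&num=81` that is answered with `Content-Type: application/x-msdownload` and a 294912-byte body, i.e. a Windows executable served under an "mp3" label. The script below is an added example, not code from the original post: it parses a tcpdump -A text dump, pairs each client request with the server response that follows it, and flags those two traits. The capture excerpt embedded in it is constructed from the packets above with the hex prefixes and payload bytes dropped; the indicator names, the `analyse()` output fields and the regular expressions are this example's own choices, not a published RIG signature. Decoding the base64 part of the session value is an observation on this sample only: here it yields a 32-character hex string.

```python
"""Extract the HTTP requests from a tcpdump -A text capture and flag the two
traits visible in the RIG sample above.

Added example, not code from the original post. The indicators are read off
the capture above and are not a published signature; the field names of the
returned dicts are this example's own.
"""
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed excerpt of the capture above: packet summary lines, request lines
# and the headers that matter are kept; hex prefixes and payload bytes are not.
SAMPLE_CAPTURE = """\
2015-02-06 12:17:55.655135 IP 192.168.138.158.49166 > 46.182.30.163.80: Flags [P.], seq 1:609, ack 1, win 64240, length 608
GET /?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu|MzE1MWY4MjZhOTZhYTU4NDAwNDhmZjQ4ZjQwNTI0NDU HTTP/1.1
Host: booster.daily-mood-booster[.]com
2015-02-06 12:17:57.261526 IP 46.182.30.163.80 > 192.168.138.158.49166: Flags [P.], seq 1:1356, ack 609, win 64240, length 1355
HTTP/1.1 200 OK
Content-Type: text/html
Content-Encoding: gzip
2015-02-06 12:18:00.209943 IP 192.168.138.158.49166 > 46.182.30.163.80: Flags [P.], seq 609:1031, ack 71884, win 64240, length 422
GET /index.php?req=mp3&num=81&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJkuHbwvnPVsbu%7CMzE1MWY4MjZhOTZhYTU4NDAwNDhmZjQ4ZjQwNTI0NDU HTTP/1.1
Host: booster.daily-mood-booster[.]com
2015-02-06 12:18:02.824202 IP 46.182.30.163.80 > 192.168.138.158.49166: Flags [P.], seq 71884:73239, ack 1031, win 64240, length 1355
HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Content-Length: 294912
"""

PACKET_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+):.*$",
    re.MULTILINE,
)
REQUEST_RE = re.compile(r"(?:GET|POST) (?P<target>\S+) HTTP/1\.[01]")
RESPONSE_RE = re.compile(r"HTTP/1\.[01] (?P<status>\d{3})")
HEADER_RE = re.compile(r"^(?P<name>[A-Za-z-]+): (?P<value>.*)$", re.MULTILINE)
# Session value as seen above: alphanumeric id, a pipe, then unpadded base64.
SESSION_RE = re.compile(r"^(?P<sid>[A-Za-z0-9]{20,})\|(?P<token>[A-Za-z0-9+/]+=*)$")


def split_packets(text):
    """Yield (timestamp, src, dst, payload_text) for each packet summary line."""
    marks = list(PACKET_RE.finditer(text))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        yield m["ts"], m["src"], m["dst"], text[m.end():end]


def decode_session_token(value):
    """Split a PHPSSESID value into (id, decoded token); None if the shape differs."""
    m = SESSION_RE.match(value)
    if not m:
        return None
    token = m["token"]
    token += "=" * (-len(token) % 4)          # the capture shows it unpadded
    try:
        decoded = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return m["sid"], decoded


def analyse(text):
    """Pair each client request with the next server response; return findings."""
    findings, pending = [], None
    for ts, src, dst, payload in split_packets(text):
        req = REQUEST_RE.search(payload)
        if req:
            headers = dict(HEADER_RE.findall(payload))
            url = urlsplit(req["target"])
            query = parse_qs(url.query, keep_blank_values=True)  # decodes %7C to |
            pending = {"time": ts, "client": src, "server": dst,
                       "host": headers.get("Host", ""), "path": url.path,
                       "query": query, "indicators": [], "response_type": None}
            parsed = decode_session_token(query.get("PHPSSESID", [""])[0])
            if parsed:
                pending["session_id"], pending["token"] = parsed
                pending["indicators"].append("phpssesid-pipe-token")
            findings.append(pending)
            continue
        if pending is not None and RESPONSE_RE.search(payload):
            headers = dict(HEADER_RE.findall(payload))
            ctype = headers.get("Content-Type", "")
            pending["response_type"] = ctype
            # A "req=<type>" request answered with a Windows executable MIME type.
            if ctype == "application/x-msdownload" and "req" in pending["query"]:
                pending["indicators"].append("exe-via-req-parameter")
            pending = None
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_CAPTURE):
        print(f["time"], f["host"], f["path"], f["response_type"], f["indicators"])
```

Run against a real `tcpdump -A` dump the script only needs the summary lines and the plain-text HTTP lines to be present; the binary junk between them is ignored because the regular expressions look for the request line, the status line and `Name: value` headers. Pairing a response with the request that preceded it on the same capture is deliberately simple (no TCP stream reassembly), which is adequate for a single keep-alive connection like the one above but would need per-flow state on a busy capture.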
